Connect2id server 11.2

New SPI for custom validation of authorisation requests

This update of the Connect2id server introduces a new plugin interface (SPI) for carrying out additional validation of authorisation requests after all standard checks have passed, such as the client_id being known and the client being registered for the requested response_type. The SPI can also be used to modify parameters of the received request before passing it on for further processing.

The SPI can be used to enforce compliance with a particular OAuth 2.0 security profile and mirrors the PAR validator SPI that appeared in Connect2id server 8.0. The PAR validator SPI was also updated to allow optional modification of the requests.

The new authorisation request validator SPI is documented here.

Note that the existing web-based API for plugging in the user auth, consent and UI is equally capable of carrying out any additional validation and shaping of the authorisation requests. The new SPI is provided for convenience and makes it easy to share code with the PAR validator.

Upgraded JWT assertion grant handler

The shipped JWT assertion OAuth 2.0 grant handler was upgraded with a new setting for populating the access token data from selected client metadata parameters.

For more information and a list of fixed issues check the release notes below.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.2: Connect2id-server.zip

SHA-256: e7093549087bd75495f8484e6350046678616d6e5a76060208dbb855acada6a0

Connect2id server 11.2 WAR package: c2id.war

SHA-256: 0c0ffa88552d408914d869570dd6e0af87931957d6d156148369db5dbea9db48

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.2: Connect2id-server-mt.zip

SHA-256: bafe2bcee8de47904837bd7784c9879bc214afecaf43410953869b690b0910b3

Connect2id server 11.2 WAR package: c2id-multi-tenant.war

SHA-256: 31777defa880716fb349bf89fe9a27d1d85ca3f88fb9462934d61d0887402b88

Questions?

Contact Connect2id support.


Release notes

11.2 (2021-03-07)

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.30

  • com.nimbusds.openid.connect.provider.spi.authz.AuthorizationRequestValidator

    • New SPI for performing additional custom validation as well as modification of received OAuth 2.0 authorisation / OpenID authentication requests. The validator has access to the registered client information for the client_id in the authorisation request. If the validator rejects the request it can set a standard or custom error code and also optionally disable redirection back to the client redirect_uri.

      The loading of an AuthorizationRequestValidator SPI implementation is logged at INFO level under OP2113. The cause for rejection of a request is also logged at INFO level, under OP2114.

      Note that to perform additional custom validation of pushed authorisation requests the PARValidator SPI must be used.

      See https://www.javadoc.io/doc/com.nimbusds/c2id-server-sdk/4.30/com/nimbusds/openid/connect/provider/spi/authz/AuthorizationRequestValidator.html

  • com.nimbusds.openid.connect.provider.spi.par.PARValidator

    • Adds a new PARValidator.validatePushedAuthorizationRequest method that also enables optional modification of the received Pushed Authorisation Request (PAR). This method has a default implementation that calls the existing validate-only method, so existing plugins need not be updated.

      See https://www.javadoc.io/doc/com.nimbusds/c2id-server-sdk/4.30/com/nimbusds/openid/connect/provider/spi/par/PARValidator.html

  • com.nimbusds.openid.connect.provider.spi.grants.SelfIssuedJWTGrantHandler

    • Upgrades the included OAuth 2.0 self-issued JWT bearer grant handler plugin, see https://bitbucket.org/connect2id/self-issued-jwt-bearer-grant-handler.

      • New op.grantHandler.selfIssuedJWTBearer.accessToken.includeClientMetadataFields configuration property to specify the names of the client metadata fields to include in the optional access token data field, empty set if none. To specify a member within a field that is a JSON object, use dot (.) notation.

      • The op.grantHandler.selfIssuedJWTBearer.enable configuration property receives a default value of false (disabled).

      • Lets op.grantHandler.selfIssuedJWTBearer.accessToken.audienceList also apply to identifier-based access tokens.

      • Makes the /WEB-INF/selfIssuedJWTBearerHandler.properties configuration file optional.

Resolved issues

  • Adjusts DynamoDB item output of the "clm" and "cls" attributes to the long_lived_authorizations table to prevent false HMAC check errors when a dynamodb.hmacSHA256Key is configured (issue authz-store/179).

  • Updates revocation_journal DynamoDB parsing to include the illegal string on a parse exception (issue authz-store/180).

  • Updates OP2209 logging to include the JSON string in the exception message when ID token minting fails due to an "aud" (audience) parse error (issue server/644).

  • Authorisation and token requests with a parameter included more than once, save for "resource", must result in an invalid_request error (issue oidc-sdk/345).

  • Fixes new RSASSASigner(RSAKey) conversion to PrivateKey with a Hardware Security Module (HSM) (issue nimbus-jose-jwt/404).

  • Updates JSON parsing in the OAuth 2.0 SDK to catch non-documented and unexpected exceptions (issue oauth-oidc-sdk/347).

  • Allows OAuth 2.0 client metadata "software_version" of type JSON number and converts it to a JSON string in new and updated client registrations. This is done to accommodate non-RFC 7591 compliant dynamic client registrations in the UK Open Banking profile (issue oauth-oidc-sdk/348).
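The duplicate-parameter rule from issue oidc-sdk/345 above, modelled as an added standalone example (constructed here, not Connect2id server or Nimbus SDK code): a request whose parameters are parsed into lists is rejected with invalid_request when any name other than "resource" (the RFC 8707 parameter that may legitimately repeat) occurs more than once, so the server never has to guess which of two conflicting client_id, scope or redirect_uri values the client meant.

```python
from typing import Dict, List
from urllib.parse import parse_qsl

# Parameters allowed to repeat in an authorisation / token request.
# RFC 8707 defines "resource" as multi-valued; every other parameter
# must appear at most once (oidc-sdk/345 rule modelled here).
MULTI_VALUED_PARAMS = frozenset({"resource"})


def check_duplicate_params(query: str) -> dict:
    """Parse a URL query string or form body and enforce the single-value rule.

    Returns {"ok": True, "params": {...}} with every value kept as a list,
    or {"ok": False, "error": "invalid_request", "error_description": "..."}
    shaped like an OAuth 2.0 error object when a forbidden duplicate is found.
    """
    params: Dict[str, List[str]] = {}
    # keep_blank_values so "state=" still counts as an occurrence of "state"
    for name, value in parse_qsl(query, keep_blank_values=True):
        params.setdefault(name, []).append(value)

    duplicated = sorted(
        name
        for name, values in params.items()
        if len(values) > 1 and name not in MULTI_VALUED_PARAMS
    )
    if duplicated:
        return {
            "ok": False,
            "error": "invalid_request",
            "error_description": "Parameter(s) included more than once: "
            + ", ".join(duplicated),
        }
    return {"ok": True, "params": params}


if __name__ == "__main__":
    # Constructed sample requests: the first is valid (two "resource" values),
    # the second repeats client_id and scope and must be rejected.
    ok_query = (
        "response_type=code&client_id=123&state=xyz"
        "&redirect_uri=https%3A%2F%2Frp.example.com%2Fcb"
        "&resource=https%3A%2F%2Fapi.example.com%2Fa"
        "&resource=https%3A%2F%2Fapi.example.com%2Fb"
    )
    bad_query = "response_type=code&client_id=123&client_id=456&scope=openid&scope=profile"
    print(check_duplicate_params(ok_query))
    print(check_duplicate_params(bad_query))
```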

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.30

  • Updates to com.nimbusds:oauth2-authz-store:16.5.2

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.2.2

  • Updates to com.nimbusds:nimbus-jose-jwt:9.6.1

  • Updates to com.nimbusds:oauth-jwt-self-issued-grant-handler:1.1