Issuer aliases in Connect2id server 12.3

The September release of the Connect2id server brings support for issuer aliases. An issuer alias URL can be configured to migrate a Connect2id server deployment seamlessly and over time from one issuer identifier URL to another. Issuer aliases can also be used to identify an OpenID provider / OAuth 2.0 authorisation server by multiple URLs.

Check the new guide for how to configure and switch between issuer aliases in a Connect2id server deployment.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.3: Connect2id-server.zip

SHA-256: 6bd77fc1d3ba1a0222c222ca8b194ec2c37164b6585c96c871725bc4279c7509

Connect2id server 12.3 WAR package: c2id.war

SHA-256: 2050dea95db72dfb57ab4f99fef4356068f262d19698aa1c196ba398f01bfbd6

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.3: Connect2id-server-mt.zip

SHA-256: 44c87b33cef26e754d1702b99651fd594dd5b1ec3d70c94fb0f8919136aabf91

Connect2id server 12.3 WAR package: c2id-multi-tenant.war

SHA-256: d12ba4fa77de3cf836e43a5f6e646a7dfe8b9aeed4e8271c4504a3632e612ec5

Questions?

Contact Connect2id support.

Release notes

12.3 (2021-09-17)

Summary

  • Supports issuer URL aliases. An issuer alias URL can be configured to migrate a Connect2id server deployment seamlessly and over time from one issuer identifier URL (op.issuer) to another. Issuer aliases can also be used when an OpenID provider / OAuth 2.0 authorisation server is known by multiple URLs.

    The allowed issuer aliases, if any, are configured in a new optional op.issuerAliases.* property.

    A Connect2id server endpoint or API will process a request under an issuer alias when the HTTP request header "Issuer" is present and set to a value matching a configured alias. If no "Issuer" header is specified, the default issuer configured in op.issuer will be assumed. The default op.issuer will also be assumed when the "Issuer" header is explicitly set to it. If the "Issuer" header is set to an issuer URL that isn't configured, the Connect2id server will return an HTTP 400 error with a message.

    The "Issuer" header must be set by the reverse HTTP proxy or similar trusted internal infrastructure. It must not be settable by client applications. Connect2id server deployments must strip any "Issuer" headers from incoming client application HTTP requests before they reach the server.

    Issuer aliases are supported in the regular as well as the multi-tenant Connect2id server edition.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.issuer.aliases.* -- New optional configuration property for setting one or more issuer alias URLs of the OpenID provider / OAuth 2.0 authorisation server. Can be used to migrate from one issuer URL (op.issuer) to another, or to operate an OpenID provider / OAuth 2.0 authorisation server that is known by multiple URLs. Blank if none.

Web API

  • The standard OAuth 2.0 / OpenID Connect endpoints and Connect2id server specific web APIs will process a request under a configured issuer alias (op.issuerAliases.*) when the HTTP request includes an "Issuer" header set to the issuer alias URL. The header value must match the configured issuer alias URL exactly. If the "Issuer" header is set to an issuer URL that isn't configured, the Connect2id server will return an HTTP 400 "Bad Request" error with an appropriate message.
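The following is an added example, not Connect2id server code: it models the "Issuer" header resolution rule described in the summary and Web API sections, together with the header scrubbing the trusted reverse proxy must perform. The issuer URLs, host names and the host-to-alias map are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class BadRequest(Exception):
    """Raised where the Connect2id server would answer HTTP 400 Bad Request."""


@dataclass
class IssuerConfig:
    issuer: str                                  # op.issuer (default issuer)
    aliases: Set[str] = field(default_factory=set)  # configured alias URLs


def resolve_issuer(cfg: IssuerConfig, headers: Dict[str, str]) -> str:
    """Return the issuer URL a request is processed under.

    No "Issuer" header, or one equal to op.issuer -> op.issuer.
    Exact match of a configured alias -> that alias.
    Anything else (unknown URL, extra slash, different case) -> 400.
    """
    value: Optional[str] = headers.get("Issuer")
    if value is None or value == cfg.issuer:
        return cfg.issuer
    if value in cfg.aliases:  # exact string comparison, no normalisation
        return value
    raise BadRequest(f"Issuer URL not configured: {value}")


def would_reject(cfg: IssuerConfig, headers: Dict[str, str]) -> bool:
    """True if the request would get an HTTP 400 from the issuer check."""
    try:
        resolve_issuer(cfg, headers)
        return False
    except BadRequest:
        return True


def proxy_forward_headers(client_headers: Dict[str, str],
                          host_to_issuer: Dict[str, str]) -> Dict[str, str]:
    """Model of the trusted reverse proxy (hypothetical, not a real proxy config).

    Drops every client-supplied "Issuer" header (header names are matched
    case-insensitively, as HTTP requires) and then sets "Issuer" from the host
    the request arrived on. Hosts absent from the map get no header, so the
    server falls back to op.issuer.
    """
    forwarded = {k: v for k, v in client_headers.items() if k.lower() != "issuer"}
    host = next((v for k, v in forwarded.items() if k.lower() == "host"), "")
    issuer = host_to_issuer.get(host.lower())
    if issuer is not None:
        forwarded["Issuer"] = issuer
    return forwarded
```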

Resolved issues

  • Updates log message OP6205 for reporting internal token handler errors to include the client ID, authentication method and grant (issue server/693).

Dependency changes

  • Updates to com.nimbusds:tenant-manager:6.0.2

  • Updates to com.nimbusds:tenant-registry:6.0

  • Updates to com.nimbusds:oidc-session-store:14.6

  • Updates to com.nimbusds:oauth2-authz-store:17.5

  • Updates to com.nimbusds:nimbus-jose-jwt:9.14

  • Updates to org.cryptomator:siv-mode:1.4.3

  • Updates to com.unboundid:unboundid-ldapsdk:6.0.1

  • Updates to com.google.code.gson:gson:2.8.8