JAR update in Connect2id server 9.2

This new release of the Connect2id server updates the JAR implementation and fixes four bugs.

The implementation of JWT-secured authorisation requests (JAR) in OAuth 2.0 was updated after a minor change in the underlying draft (see version 21) which made the client_id a required query parameter. Having the client_id easily accessible (outside the JWT) makes it easier to retrieve the registration of the requesting client, particularly for JARs passed inline and symmetrically encrypted using the client_secret, and for JARs passed by URI which aren't indexed.

This release also adds two new optional JAR-related configuration properties:

  • op.authz.oAuthRequestJWTPolicy -- sets a policy for merging unsecured query parameters for generic OAuth 2.0 requests. The standard policy (per the JAR specification) is to use only the JWT-secured parameters in an authorisation request and to ignore all parameters passed in the query string.

  • op.authz.openIDRequestJWTPolicy -- sets a policy for merging unsecured query parameters for OpenID authentication requests. The standard policy here is different (per OpenID Connect): unsecured query parameters are merged, with the JWT-secured ones taking precedence. By setting the policy to "STRICT" any unsecured parameters present will be ignored when composing the final request.

The OAuth 2.0 & OpenID Connect SDK was also updated for the latest v21 JAR draft. The new examples will show you how easy it is to compose a JAR from a client application.

If you still find JAR a bit too cumbersome to use, consider making plain pushed authorisation requests (PAR) instead. They offer comparable security, such as source authentication and keeping the parameters unexposed to the browser, while completely sparing the need to deal with JWS and perhaps JWE.

Download

To download a ZIP package of Connect2id server 9.2:

https://connect2id.com/assets/products/server/download/9.2/Connect2id-server.zip

SHA-256: f21392c832d8114a158074f6989cab89508958726747f6d6f52a16593ed033e7

As WAR package only:

https://connect2id.com/assets/products/server/download/9.2/c2id.war

SHA-256: 0ea053b68dbaa1e21360c49e725131929d099b0b15f38de29fcf31a3763316b3

Questions?

Contact Connect2id support.


Release notes

9.2 (2020-04-21)

Summary

  • Updates support for "JWT Secured Authorization Request (JAR)" to draft-ietf-oauth-jwsreq-21. client_id becomes the sole required query parameter for JAR requests, in addition to the query parameter for the JWT itself (request for a JWT passed inline or request_uri for a JWT passed by URI reference).

  • Adds new "op.authz.oAuthRequestJWTPolicy" configuration setting for specifying a policy for merging unsecured parameters in a JWT-secured OAuth 2.0 authorisation request (JAR) (excluding OpenID authentication requests). The default policy is to accept only the JWT-secured parameters, with unsecured query parameters being ignored.

  • Adds new "op.authz.openIDRequestJWTPolicy" configuration setting for specifying a policy for merging unsecured parameters in a JWT-secured OpenID authentication request. The default policy is to merge unsecured OpenID authentication request query parameters, with the JWT-secured parameters having precedence.

Configuration

  • /WEB-INF/oidcProvider.properties

    • New "op.authz.oAuthRequestJWTPolicy" configuration setting for specifying a policy for merging unsecured parameters in a JWT-secured OAuth 2.0 authorisation request (JAR) (excluding OpenID authentication requests).

      Supported policies:

      • STRICT -- Use only JWT-secured parameters, unsecured query parameters will be ignored. This is the default policy for OAuth 2.0 authorisation requests.

      • MERGE_UNSECURED -- Merge unsecured authorisation request query parameters, with the JWT-secured parameters having precedence.

    • New "op.authz.openIDRequestJWTPolicy" configuration setting for specifying a policy for merging unsecured parameters in a JWT-secured OpenID authentication request.

      Supported policies:

      • STRICT -- Use only JWT-secured parameters, unsecured query parameters will be ignored.

      • MERGE_UNSECURED -- Merge unsecured OpenID authentication request query parameters, with the JWT-secured parameters having precedence. This is the default policy for OpenID authentication requests.
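As an added illustration (not Connect2id's own code) of the two merge policies described above and in the release summary, and of the client_id query parameter that draft-21 makes mandatory, the following composes the final request from the unsecured query string and the already verified request object claims. The JWS/JWE processing, the hypothetical function names and the client_id match check are assumptions layered on top of what the notes state.

```python
# Illustration of the Connect2id 9.2 JAR merge policies; not Connect2id's code.
# The request object stands for its already verified claims (JWS/JWE processing
# is assumed to have happened before this step).
STRICT = "STRICT"
MERGE_UNSECURED = "MERGE_UNSECURED"
DEFAULT_OAUTH_POLICY = STRICT            # op.authz.oAuthRequestJWTPolicy default
DEFAULT_OPENID_POLICY = MERGE_UNSECURED  # op.authz.openIDRequestJWTPolicy default
# JWT housekeeping claims that are not authorisation request parameters.
JWT_ONLY_CLAIMS = {"iss", "aud", "exp", "nbf", "iat", "jti"}


def is_openid_request(query, jwt_claims):
    """An OpenID authentication request is one whose scope contains 'openid'."""
    scope = jwt_claims.get("scope", query.get("scope", ""))
    return "openid" in scope.split()


def compose_request(query, jwt_claims, oauth_policy=DEFAULT_OAUTH_POLICY,
                    openid_policy=DEFAULT_OPENID_POLICY):
    """Return the final request parameters, or raise ValueError on a bad request."""
    # draft-21: client_id is required outside the JWT so the server can look up
    # the client registration (keys, client_secret) before processing the JWT.
    if "client_id" not in query:
        raise ValueError("invalid_request: missing client_id query parameter")
    # Defensive check (an assumption, not stated in the release notes): the
    # unsecured client_id must agree with the JWT-secured one, when present.
    if jwt_claims.get("client_id", query["client_id"]) != query["client_id"]:
        raise ValueError("invalid_request: client_id mismatch")
    secured = {k: v for k, v in jwt_claims.items() if k not in JWT_ONLY_CLAIMS}
    unsecured = {k: v for k, v in query.items() if k not in ("request", "request_uri")}
    policy = openid_policy if is_openid_request(query, jwt_claims) else oauth_policy
    if policy == STRICT:
        final = secured                   # unsecured query parameters are ignored
    elif policy == MERGE_UNSECURED:
        final = {**unsecured, **secured}  # JWT-secured values win on conflict
    else:
        raise ValueError(f"unsupported JAR merge policy: {policy}")
    final["client_id"] = query["client_id"]
    return final


# Constructed sample: an OAuth 2.0 JAR passed inline, with a conflicting
# redirect_uri and an extra state parameter in the unsecured query string.
SAMPLE_QUERY = {"client_id": "s6BhdRkqt3", "request": "<jwt>", "state": "q-state",
                "redirect_uri": "https://other.example/cb"}
SAMPLE_CLAIMS = {"iss": "s6BhdRkqt3", "aud": "https://c2id.example",
                 "client_id": "s6BhdRkqt3", "response_type": "code",
                 "redirect_uri": "https://client.example/cb", "scope": "read"}
```

With the defaults the sample's unsecured state and conflicting redirect_uri are dropped (OAuth 2.0 request, STRICT); switching the OAuth policy to MERGE_UNSECURED keeps the state but still lets the JWT-secured redirect_uri win.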

Resolved issues

  • Adds missing AccessTokenKeyExternalizer and AccessTokenAuthorizationExternalizer declarations for "authzStore.idAccessTokenMap" in the infinispan-*.xml configs (issue server/545).

  • Fixes handling of GeneralException instances thrown from ClaimsSource SPIs when no error code or HTTP status code is specified. The correct response is to return an HTTP status code 500 instead of an empty UserInfo (issue server/547).

  • Fixes "userInfoEndpoint.serverErrors" metering on a ClaimsSource SPI throwing an unchecked Exception or a GeneralException (with no parameters) instance (issue server/548).

  • Fixes the supply of optional claims data to ClaimsSource SPI implementations for OpenID claims requests for ID tokens (issue server/549).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:7.4

  • Updates to com.nimbusds:nimbus-jose-jwt:8.14.1