Connect2id server 11.6 with FAPI enhancements, login page API update

This week's release of the Connect2id server focuses on the FAPI security profile. It also optimises interaction with the login page API for developers.

New FAPI configurations

Six new configuration properties were added to facilitate conformance with the latest version (2021-03-12) of the FAPI Baseline and Advanced security profiles. The new settings can also be used in other security profiles or to establish some baseline security policy for all OAuth clients.

Here is an overview of the new configurations:

  • Always require an explicit redirect_uri in authorisation requests (op.authz.alwaysRequireRedirectURI). This is normally a requirement only for OpenID authentication.

  • Additional request object (JAR) specific checks: always require a signed request JWT (op.authz.alwaysRequireSignedRequestJWT), require a not-before (nbf) claim in the request JWT (op.authz.requireRequestJWTNotBefore), cap the lifetime of the expiration (exp) claim (op.authz.maxLifetimeRequestJWTExpiration) and cap the age of the nbf claim (op.authz.maxAgeRequestJWTNotBefore).

  • Require the use of signed authorisation responses (op.authz.alwaysRequireSignedResponse), either with JARM (response_type=jwt) or by requesting an ID token in the front-channel (response_type=code id_token) to act as a detached signature.

Note that the authorisation request validator and the PAR validator plugin interfaces (SPI) can be used to perform additional checks or as an alternative method.

The FAPI deployment checklist was updated accordingly.

Login page API

The Connect2id server web API for handling user authentication and consent can now include selected authorisation request parameters, including custom parameters, in the authentication and consent prompt objects. This behaviour is switched on with two new configuration properties and is intended to save an HTTP GET call when the login page UI or logic needs access to those parameters.

For further information check the release notes below.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.6: Connect2id-server.zip

SHA-256: ef604a653452a76e6a2c06134c5f5aec110645308b588485ee93966de6b8fac1

Connect2id server 11.6 WAR package: c2id.war

SHA-256: 295c9d2e4037bec5f43676aae5caaf2c8b9a57bd958f25f27e5ac562fd825d35

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.6: Connect2id-server-mt.zip

SHA-256: 49854e045c868428c1f8ef27567e2c6b1ca0c1d3cdcf940b7ce8a9610d9d17c3

Connect2id server 11.6 WAR package: c2id-multi-tenant.war

SHA-256: c9652c7610e94f2453f66adb47a1127e438bce7209011465c15bff7a9de72db0

Questions?

Contact Connect2id support.


Release notes

11.6 (2021-04-27)

Summary

  • Adds a set of new Connect2id server configuration properties for setting up OAuth 2.0 servers conforming to version 2021-03-12 of the FAPI 1.0 Advanced security profile. See Financial-grade API Security Profile 1.0 - Part 2: Advanced (2021-03-12).

  • Adds configuration properties for causing selected OAuth 2.0 authorisation request parameters, including custom parameters, to appear in the authentication or consent prompt in the authorisation web API. Intended to save HTTP GET calls to the authorisation session resource when access to those parameters is needed.

Configuration

  • /WEB-INF/oidProvider.properties

    • op.authz.alwaysRequireRedirectURI -- New configuration property to specify whether the redirect_uri parameter is required for all authorisation requests. The default value is false (required only for OpenID authentication requests).

    • op.authz.alwaysRequireSignedRequestJWT -- New configuration property to specify whether a JWS-signed request JWT, passed inline via "request" or by URL reference via "request_uri", is required for all authorisation requests. The default value is false (not required unless the client is explicitly registered for it).

    • op.authz.requireRequestJWTNotBefore -- New configuration property to specify whether received request object JWTs must include a not before (nbf) claim. The default value is false.

    • op.authz.maxLifetimeRequestJWTExpiration -- New configuration property to specify the maximum accepted lifetime in seconds of an expiration (exp) claim in request JWTs. The lifetime is computed from the not before (nbf) claim if present, otherwise from the current time. The default value is -1 (not specified).

    • op.authz.maxAgeRequestJWTNotBefore -- New configuration property to specify the maximum accepted age in seconds of a not before (nbf) claim in request JWTs. The default value is -1 (not specified).

    • op.authz.alwaysRequireSignedResponse -- New configuration property to specify whether all authorisation requests must specify a JWT-secured response (JARM) or a "response_type" that includes an "id_token" to serve as a detached signature. The default value is false.

    • op.authz.requestParamsInAuthPrompt -- New configuration property to specify selected OAuth 2.0 authorisation request parameters to include in the authentication prompt, in a JSON object named "request". No parameters are included by default.

    • op.authz.requestParamsInConsentPrompt -- New configuration property to specify selected OAuth 2.0 authorisation request parameters to include in the consent prompt, in a JSON object named "request". No parameters are included by default.
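The three request JWT time checks above (op.authz.requireRequestJWTNotBefore, op.authz.maxLifetimeRequestJWTExpiration, op.authz.maxAgeRequestJWTNotBefore) are easy to get subtly wrong when writing a client or a validator plugin. The following Python model of those checks is an added illustration, not code from the Connect2id server; the policy field names, the 3600-second sample limits and the sample claims are constructed for the example.

```python
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class RequestJWTPolicy:
    # Assumed mapping to the op.authz.* properties described in the release notes.
    require_nbf: bool = False      # op.authz.requireRequestJWTNotBefore
    max_lifetime_exp: int = -1     # op.authz.maxLifetimeRequestJWTExpiration, -1 = not specified
    max_age_nbf: int = -1          # op.authz.maxAgeRequestJWTNotBefore, -1 = not specified


def check_request_jwt_times(claims: dict, policy: RequestJWTPolicy,
                            now: Optional[int] = None) -> Optional[str]:
    """Return None when the nbf/exp claims satisfy the policy, else a short reason.

    Standard JWT semantics (RFC 7519): a present nbf must not lie in the future and
    a present exp must lie in the future. The three policy limits follow the
    property descriptions: lifetime is measured from nbf if present, else from now.
    """
    now = int(time.time()) if now is None else now
    nbf = claims.get("nbf")
    exp = claims.get("exp")
    if policy.require_nbf and nbf is None:
        return "missing nbf"
    if nbf is not None and nbf > now:
        return "not yet valid"
    if exp is not None and exp <= now:
        return "expired"
    if policy.max_age_nbf >= 0 and nbf is not None and now - nbf > policy.max_age_nbf:
        return "nbf too old"
    if policy.max_lifetime_exp >= 0 and exp is not None:
        start = nbf if nbf is not None else now
        if exp - start > policy.max_lifetime_exp:
            return "lifetime too long"
    return None


# Constructed sample: a strict policy of the kind a FAPI Advanced deployment would set.
STRICT = RequestJWTPolicy(require_nbf=True, max_lifetime_exp=3600, max_age_nbf=3600)

if __name__ == "__main__":
    t = 1_000_000
    print(check_request_jwt_times({"nbf": t - 60, "exp": t + 600}, STRICT, now=t))
    print(check_request_jwt_times({"exp": t + 600}, STRICT, now=t))
```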

Web API

  • /authz-sessions/rest/v3/

    • Authentication prompt: Adds new optional "request" member of type JSON object to the authentication prompt ("auth"), to include selected parameters from the OAuth 2.0 authorisation / OpenID authentication request. The new configuration property op.authz.requestParamsInAuthPrompt determines what parameters to include. Intended to replace a GET call to the authorisation session resource for obtaining selected request parameters during authentication.

    • Consent prompt: Adds new optional "request" member of type JSON object to the consent prompt ("consent"), to include selected parameters from the OAuth 2.0 authorisation / OpenID authentication request. The new configuration property op.authz.requestParamsInConsentPrompt determines what parameters to include. Intended to replace a GET call to the authorisation session resource for obtaining selected request parameters during consent.

Resolved issues

  • The "resource" parameter (RFC 8707), as a list of URI strings, must be included in the authorisation session object under "auth_req"; fixes a regression (issue server/658).

  • The "prompt" parameter, as a list of strings, must be included in the authorisation session object under "auth_req" for plain OAuth 2.0 requests (custom Connect2id server feature) (issue server/660).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.4.1

  • Updates to com.nimbusds:nimbus-jose-jwt:9.9

  • Updates to com.nimbusds:oauth2-authz-store:16.7.3

  • Updates to com.nimbusds:oidc-session-store:14.4.4

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.5

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.1.7

  • Updates to com.nimbusds:tenant-manager:5.0.2

  • Updates to com.nimbusds:tenant-registry:5.3.3

  • Updates to net.minidev:json-smart:2.4.6