Connect2id server 12.5

This release of the Connect2id server for OAuth 2.0 and OpenID Connect brings several API and configuration updates.

Front-channel logout with custom URI schemes

OpenID Connect Front-Channel Logout 1.0 is a minimal protocol that lets an OpenID relying party register a callback to receive a notification when a user logs out.

The logout spec is geared towards web applications, but it can also be used with native (mobile) applications. Starting with this release, clients can register a front-channel logout URI with a custom URI scheme (other than HTTPS), so that an IdP / SSO server can deliver logout notifications to native applications that cannot handle "universal" (also called claimed) HTTPS URLs.

Note that universal links give a stronger guarantee of the application's identity: the OS verifies the app's association with its web domain (published over HTTPS) before routing the URL to the app, whereas a custom URI scheme can be claimed by any application installed on the device. An app that receives a logout notification through a custom scheme should therefore verify the iss and sid parameters against the values it obtained at login before ending a session.

Example registration setting login and logout callbacks for a native client with custom URIs:

POST /clients HTTP/1.1
Host: c2id.com
Content-Type: application/json
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

{
  "application_type"                     : "native",
  "redirect_uris"                        : [ "org.example.myapp:login-callback" ],
  "frontchannel_logout_uri"              : "org.example.myapp:logout-callback",
  "frontchannel_logout_session_required" : true,
  "token_endpoint_auth_method"           : "none"
}

Example notification: the iss parameter identifies the OpenID provider and the sid identifies the session that was established when the user signed in to the application (the same value as the sid claim in the ID token):

org.example.myapp:logout-callback?iss=https://c2id.com&sid=Ohgah5ukieso0ohB
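The following is an added example, not code from the Connect2id server or from this page: the receiving side of the notification above, as a native app would handle it. It takes the issuer and callback URI from the registration on this page, uses a constructed session store keyed by the sid from the ID token, and ends only the session the notification names, after checking that the URI is the registered callback, that iss is the trusted OP and that sid is a session this app established. The function and session names are this example's own.

```python
from urllib.parse import parse_qs, urlsplit

# Values taken from the registration and the notification shown on this page
OP_ISSUER = "https://c2id.com"
REGISTERED_LOGOUT_URI = "org.example.myapp:logout-callback"

# Constructed sample session store: the "sid" from the ID token received at
# login maps to the app's local session state (a real app keeps this in
# secure storage).
SAMPLE_SESSIONS = {
    "Ohgah5ukieso0ohB": {"user": "alice", "access_token": "at-1"},
    "Aiph3ahn8tohngu1": {"user": "bob", "access_token": "at-2"},
}


def handle_logout_notification(uri: str, sessions: dict) -> tuple:
    """Validate a front-channel logout URI delivered to the app and end only the
    session it names. Returns (accepted, detail); on acceptance the session has
    been removed from `sessions`. Assumes frontchannel_logout_session_required
    is true, as in the registration above, so iss and sid are mandatory."""
    got = urlsplit(uri)
    want = urlsplit(REGISTERED_LOGOUT_URI)

    # 1. Scheme and path must be exactly the registered callback; any other URI
    #    routed to the app through the custom scheme is ignored.
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        return False, "not the registered logout callback"

    params = parse_qs(got.query, keep_blank_values=True)
    # 2. A duplicated iss or sid is malformed; do not silently pick one value.
    if any(len(values) != 1 for values in params.values()):
        return False, "duplicate query parameter"
    iss = params.get("iss", [""])[0]
    sid = params.get("sid", [""])[0]
    if not iss or not sid:
        return False, "iss and sid are required"

    # 3. Any app or web page on the device can try to open a custom-scheme URI,
    #    so the notification must name the OP this app trusts ...
    if iss != OP_ISSUER:
        return False, "unexpected issuer"
    # 4. ... and a session this app actually established. An unknown sid is
    #    dropped rather than treated as "log out everything".
    if sid not in sessions:
        return False, "unknown sid"

    sessions.pop(sid)  # terminate only the named session
    return True, sid


if __name__ == "__main__":
    store = dict(SAMPLE_SESSIONS)
    print(handle_logout_notification(
        "org.example.myapp:logout-callback?iss=https://c2id.com&sid=Ohgah5ukieso0ohB", store))
    print(sorted(store))  # bob's session is untouched
```

Because the notification is just a URI handed to the app by the OS, everything in it is attacker-controllable; the only things that bind it to a real logout are the expected issuer and a sid the app already holds, which is why both are compared before any local state is cleared.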

Localhost redirection URLs for web client testing

A new op.reg.allowLocalhostRedirectionURIsForTest configuration property is added to allow registration of HTTP and HTTPS localhost redirection URIs for the purpose of testing and developing OAuth 2.0 web application clients.

The client registration standard prohibits web clients (application_type=web) from registering localhost redirection URIs. If you are developing a web application and want to test it as an OAuth client on your localhost, one way to work around that (it requires administrative control of the OS) is to define a host alias for the loopback interface and then provision that host with a self-signed web server certificate (check our guide for that).

With this new setting a web client can be tested in a localhost environment without resorting to an alias workaround.

op.reg.allowLocalhostRedirectionURIsForTest=true

Example registration (application_type defaults to web when omitted):

POST /clients HTTP/1.1
Host: c2id.com
Content-Type: application/json
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

{
  "redirect_uris" : [ "http://localhost:8008/login-callback" ]
}

Remember, this setting must not be used in production!
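Added example, not Connect2id code: a pre-start check that reads the property from a constructed oidcProvider.properties sample and refuses it outside a dev/test environment, together with the web-client redirect_uri rule the flag relaxes. The set of hostnames treated as localhost, the environment names and the function names are this example's assumptions; the regular rules for non-localhost web client URIs are not modelled.

```python
from urllib.parse import urlsplit

PROPERTY = "op.reg.allowLocalhostRedirectionURIsForTest"

# Constructed sample of /WEB-INF/oidcProvider.properties; only the lines that
# matter here are included.
SAMPLE_PROPERTIES = """
# OAuth 2.0 / OpenID Connect provider settings (constructed sample)
op.issuer = https://c2id.com
op.reg.allowLocalhostRedirectionURIsForTest=true
"""

# Assumption for this example: hostnames that count as "localhost".
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key: value,
    first separator wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        idx = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if idx < 0:
            key, value = line, ""
        else:
            key, value = line[:idx], line[idx + 1:]
        props[key.strip()] = value.strip()
    return props


def localhost_flag_enabled(props: dict) -> bool:
    # The documented default is false (not allowed).
    return props.get(PROPERTY, "false").lower() == "true"


def check_deployment(props: dict, environment: str) -> list:
    """Findings for a pre-start check; the flag is acceptable only in dev/test."""
    findings = []
    if localhost_flag_enabled(props) and environment not in ("dev", "test"):
        findings.append(f"{PROPERTY}=true in {environment}: web clients could "
                        f"register localhost redirection URIs; must not be used in production")
    return findings


def web_client_redirect_uri_allowed(uri: str, allow_localhost_for_test: bool) -> tuple:
    """Registration rule for application_type=web as described on this page:
    localhost redirection URIs are rejected unless the test flag is on, in which
    case http and https localhost URIs are accepted. Returns (decision, reason);
    decision is None for URIs this example does not model."""
    parts = urlsplit(uri)
    if (parts.hostname or "") in LOOPBACK_HOSTS:
        if not allow_localhost_for_test:
            return False, "localhost redirection URI not allowed for web clients"
        if parts.scheme not in ("http", "https"):
            return False, "only http and https localhost URIs are allowed for testing"
        return True, "allowed for testing only"
    return None, "not a localhost URI; the regular web client rules (not modelled) apply"


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for finding in check_deployment(props, "prod"):
        print("FAIL:", finding)
    print(web_client_redirect_uri_allowed("http://localhost:8008/login-callback",
                                          localhost_flag_enabled(props)))
```

Wire check_deployment() into whatever starts the servlet container in production so a copied-over test configuration fails fast instead of quietly accepting localhost callbacks for web clients.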

Opting out of access token encryption with pairwise subjects

The consent object in the authorisation session API was updated to let deployments opt out of the encryption of self-contained (JWT-encoded) access tokens when the OpenID relying party is registered for pairwise subject identifiers and the token subject is also set to be pairwise.

Example consent:

{
  "scope"        : [ "read", "write" ],
  "audience"     : [ "https://api.example.com" ],
  "access_token" : { "encrypt"  : false,
                     "sub_type" : "PAIRWISE" }
}

Check out the release notes below for a detailed explanation of the API change and the reasoning behind the default encryption policy.
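Added example, not Connect2id code, illustrating the policy described in this section and in the release notes below: a signed-only JWT access token is readable by anyone who holds it, so a local subject ID leaks to the relying party, while a pairwise subject (computed here with the OpenID Connect Core 8.1 method) hides the account ID but remains visible; encrypt_access_token() then applies the documented rule that the opt-out is honoured only for a pairwise client with a pairwise token subject. The HS256 signing, the key, the sector identifier, the salt and the OTHER placeholder for a non-pairwise sub_type are constructed for the demo; the cross-audience correlation the release notes mention is not modelled.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a signed-only JWT (JWS, HS256). Constructed for the demo; the
    Connect2id server signs with its configured JWK, not this routine."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def peek_claims(jws: str) -> dict:
    """What the RP, or anyone holding the token, can read from a signed-only
    JWT without any key: the payload is merely base64url-encoded."""
    return json.loads(_b64url_decode(jws.split(".")[1]))


def pairwise_sub(sector_identifier: str, local_sub: str, salt: str) -> str:
    """OpenID Connect Core 8.1 pairwise identifier:
    SHA-256(sector_identifier || local_account_id || salt)."""
    return hashlib.sha256(f"{sector_identifier}{local_sub}{salt}".encode()).hexdigest()


def encrypt_access_token(client_subject_type: str, access_token_sub_type: str,
                         consent_encrypt) -> bool:
    """Encryption decision for a self-contained access token, following the
    policy the 12.5 release notes describe for clients registered with
    subject_type=pairwise. consent_encrypt is the consent's access_token.encrypt
    (None when absent). For non-pairwise clients the page documents no default;
    this example simply honours the flag there (assumption)."""
    if client_subject_type != "pairwise":
        return bool(consent_encrypt)
    # The opt-out is honoured only when the token subject is itself pairwise ...
    if access_token_sub_type == "PAIRWISE" and consent_encrypt is False:
        return False
    # ... otherwise the default stands: encrypt, so the underlying subject ID
    # is not readable from the token.
    return True


def demo() -> dict:
    """Constructed walk-through of what each token variant reveals to the RP."""
    key = b"constructed-demo-hmac-key"
    sector = "https://rp.example.com"  # the RP's sector identifier (constructed)
    salt = "constructed-server-salt"

    signed_local = sign_hs256({"iss": "https://c2id.com", "sub": "alice",
                               "aud": "https://api.example.com"}, key)
    pw = pairwise_sub(sector, "alice", salt)
    signed_pairwise = sign_hs256({"iss": "https://c2id.com", "sub": pw,
                                  "aud": "https://api.example.com"}, key)
    return {
        # a signed-only token with a local subject hands the RP the real account ID
        "local_sub_exposed": peek_claims(signed_local)["sub"],
        # a pairwise subject hides the account ID but is still readable; this is
        # the case 12.5 lets a deployment accept via access_token.encrypt=false
        "pairwise_sub_visible": peek_claims(signed_pairwise)["sub"] == pw,
        "encrypt_by_default": encrypt_access_token("pairwise", "PAIRWISE", None),
        "encrypt_after_opt_out": encrypt_access_token("pairwise", "PAIRWISE", False),
        # "OTHER" is a placeholder for any non-pairwise sub_type; the page lists only PAIRWISE
        "encrypt_when_sub_not_pairwise": encrypt_access_token("pairwise", "OTHER", False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The demo makes the trade-off concrete: with encrypt=false the resource server can validate the token with the OP's public signing key alone, at the price of the RP being able to read and compare the pairwise subject across tokens, which is exactly the correlation risk the default policy guards against.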

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.5: Connect2id-server.zip

SHA-256: 9fbb8be83389372ff22d0c303b282b84ce55261af506f0cb28eee45b521366a1

Connect2id server 12.5 WAR package: c2id.war

SHA-256: d98eb7c092df4535933188aea49681b5a93e7d95054379b4974d248d3e93509a

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.5: Connect2id-server-mt.zip

SHA-256: c63f009a3856c8ec8cc2703a88fb808207eeea2811006aa6469dd9956901e57e

Connect2id server 12.5 WAR package: c2id-multi-tenant.war

SHA-256: 65f406e4cd04313da28eded526af2ffaf26c4f5c3d8a67621ca32dd05f42591c

Questions?

Contact Connect2id support.


Release notes

12.5 (2021-11-29)

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.reg.allowLocalhostRedirectionURIsForTest -- New configuration property to allow registration of HTTP and HTTPS localhost redirection URIs for the purpose of testing and developing OAuth 2.0 web application clients. The default value is false (not allowed). Must not be used in production!

Web API

  • /clients

    • Allows registration of a frontchannel_logout_uri with a custom URI scheme. Intended to support front-channel logout notifications to mobile applications (application_type=native) with a custom URI scheme. Previously only https URLs were allowed. The http URL scheme remains disallowed.
  • /authz-sessions/rest/v3/

    • Consent: The API is updated to support opting out of the additional encryption of self-contained (JWT-encoded) access tokens which the Connect2id server applies when the OpenID relying party is registered for pairwise subjects (with subject_type=pairwise) and the access token subject is also set to a pairwise identifier (with access_token.sub_type=PAIRWISE). The default behaviour of the Connect2id server is to always encrypt JWT-encoded access tokens when the OpenID relying party is registered for pairwise subjects, in order to prevent exposing information about the underlying subject ID, which would happen if the self-contained access token were only signed. Even when the token subject is made pairwise there is still a theoretical possibility for the OpenID relying party to correlate end-users by observing the variations of the pairwise identifier across multiple token audiences (resource servers), hence the strict default Connect2id policy to also encrypt access tokens with a pairwise subject. To opt out of the default encryption use access_token.encrypt=false in the consent object.
  • /direct-authz/rest/v2/

    • Direct authorisation request: The API is updated to support opting out of the additional encryption of self-contained (JWT-encoded) access tokens which the Connect2id server will apply when the OpenID relying party is registered for pairwise subjects (with subject_type=pairwise) and the access token subject is also set for a pairwise identifier (with access_token.sub_type=PAIRWISE). See the explanation about the related authorisation session web API change. To opt out of the default encryption use access_token.encrypt=false in the consent object.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.39

    • com.nimbusds.openid.connect.provider.spi.grants.AccessTokenSpec

      • Refactors the class for Optional self-contained access token preference.

Resolved issues

  • Includes the JWK kid and crv (for EC keys) in the OP0102 log error message to ease key identification when a server JWK fails the signing JWK validation on startup (issue server/696).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.39

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.20

  • Updates to com.nimbusds:c2id-server-jwkset:1.26