Connect2id server 13.4.1
This is a maintenance release of the Connect2id server.
It fixes two bugs affecting automatic clients in OpenID Connect Federation 1.0 deployments, reported during GAIN interop testing. GAIN is a project of the OpenID Foundation to devise and test a global scheme for verified identities that can work across identity ecosystems and jurisdictions, and that is capable of automating trust establishment, OP and RP metadata discovery, and client registration.
The feeding and logging of X.509 certificate based Connect2id server keys (this includes keys stored in an HSM) was also optimised. We took the opportunity to enhance the guide for using an HSM, with tips on managing the certificates' validity time windows and key rotation.
There is more information about the resolved issues in the notes below.
The next major 14.0 release will be shipped in the coming weeks. It will include a major upgrade of the embedded Infinispan from version 9.4.x to 14.x and performance optimisations of the SQL, DynamoDB and Redis connectors. Oracle will become a supported RDBMS; support for LDAP as backend database will be removed.
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.4.1: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
Connect2id server 13.4.1 WAR package: c2id.war
GPG signature: c2id.war.asc
Multi-tenant Connect2id server edition
Apache Tomcat package with Connect2id server 13.4.1: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
Connect2id server 13.4.1 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Resolved issues
The "aud" of request objects (JARs) passed by OpenID Connect Federation 1.0 clients must include the OpenID provider issuer URL, not the authorisation endpoint URL. The server now checks the audience against its issuer URL (issue server/825).
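The audience rule above, as an added example that is not Connect2id's own code: a request object is produced with a chosen "aud", then checked the way an OP must check it, accepting only an audience that includes the OP issuer URL and rejecting one that names only the authorisation endpoint. The issuer and endpoint URLs, the shared key and the claim values are constructed for the example; Federation request objects are signed with the client's asymmetric key, and HS256 is used here only to keep the code dependency-free.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed example values (not taken from the release notes).
const (
	opIssuer      = "https://op.example.com"
	authzEndpoint = "https://op.example.com/login"
)

var b64 = base64.RawURLEncoding

// signHS256 builds a compact JWS over the claims. Stand-in for the client's
// real asymmetric signature; the audience check below does not depend on it.
func signHS256(claims map[string]any, key []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// audienceValues normalises "aud", which RFC 7519 allows as a single string
// or an array of strings.
func audienceValues(aud any) ([]string, error) {
	switch v := aud.(type) {
	case string:
		return []string{v}, nil
	case []any:
		out := make([]string, 0, len(v))
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return nil, errors.New("aud array contains a non-string value")
			}
			out = append(out, s)
		}
		return out, nil
	case nil:
		return nil, errors.New("aud claim missing")
	default:
		return nil, fmt.Errorf("aud has unexpected type %T", aud)
	}
}

// checkRequestObjectAudience verifies the signature, then requires the OP
// issuer URL to be among the aud values. An aud carrying only the
// authorisation endpoint URL is rejected.
func checkRequestObjectAudience(jar string, key []byte, issuer string) error {
	parts := strings.Split(jar, ".")
	if len(parts) != 3 {
		return errors.New("not a compact JWS")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return errors.New("invalid signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return err
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return err
	}
	auds, err := audienceValues(claims["aud"])
	if err != nil {
		return err
	}
	for _, a := range auds {
		if a == issuer {
			return nil
		}
	}
	return fmt.Errorf("aud %v does not include the OP issuer %s", auds, issuer)
}

func main() {
	key := []byte("constructed-shared-secret")
	good, _ := signHS256(map[string]any{"iss": "https://rp.example.org", "aud": opIssuer, "response_type": "code"}, key)
	bad, _ := signHS256(map[string]any{"iss": "https://rp.example.org", "aud": authzEndpoint, "response_type": "code"}, key)
	fmt.Println("aud = issuer:", checkRequestObjectAudience(good, key, opIssuer))
	fmt.Println("aud = authz endpoint:", checkRequestObjectAudience(bad, key, opIssuer))
}
```

The check runs the signature verification before reading any claim, so an attacker cannot steer the audience logic with an unsigned payload; the string-or-array handling matters because a client that lists both URLs in an array is still compliant.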
Fixes a bug that prevented client metadata shaped by a FinalMetadataValidator SPI plugin from appearing in the authentication prompt message when the op.authz.includeClientInfoInAuthPrompt configuration property is set to true and the requesting client is an automatic OpenID Federation 1.0 client that was just registered (issue server/826).
The signing JWK feeder, when dealing with X.509 certificate based JWKs, now biases the key selection towards the key with the farthest certificate expiration date. This ensures optimal roll-over of RSA and EC signing JWKs that carry an X.509 certificate (issue jwk-set-loader/5).
Fixes the SE2000 error log message emitted when no signing key with a currently valid X.509 certificate (according to its not-before and not-after attributes) can be found. The message now applies to both regular (in-memory) keys with an X.509 certificate and HSM keys with a certificate (issue jwk-set-loader/4).
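The two jwk-set-loader items above describe one selection rule: consider only keys whose certificate is valid right now, and among those prefer the one that expires last. The following is an added example of that rule and not Connect2id's jwk-set-loader code; it mints self-signed EC certificates with chosen validity windows as stand-ins for keys loaded from a JWK set or an HSM, and the key IDs, windows and the error text are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// signingKey models a JWK with an x5c chain: the private key plus the leaf
// certificate that carries the validity window. Constructed for this example.
type signingKey struct {
	KeyID string
	Key   *ecdsa.PrivateKey
	Cert  *x509.Certificate
}

// newSelfSignedKey mints a P-256 key and a self-signed certificate with the
// given validity window (stand-in for a key from a JWK set or an HSM).
func newSelfSignedKey(kid string, notBefore, notAfter time.Time) (signingKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return signingKey{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: kid},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return signingKey{}, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return signingKey{}, err
	}
	return signingKey{KeyID: kid, Key: priv, Cert: cert}, nil
}

// selectSigningKey keeps only keys whose certificate is valid at now
// (notBefore <= now < notAfter) and, among those, prefers the one whose
// certificate expires last, so a freshly rolled-in key takes over before the
// old one runs out. With no valid candidate it returns an error, which is the
// condition the SE2000 log message reports.
func selectSigningKey(keys []signingKey, now time.Time) (*signingKey, error) {
	var best *signingKey
	for i := range keys {
		c := keys[i].Cert
		if now.Before(c.NotBefore) || !now.Before(c.NotAfter) {
			continue // not yet valid, or already expired
		}
		if best == nil || c.NotAfter.After(best.Cert.NotAfter) {
			best = &keys[i]
		}
	}
	if best == nil {
		return nil, errors.New("SE2000: no signing key with a currently valid X.509 certificate found")
	}
	return best, nil
}

func main() {
	now := time.Now()
	day := 24 * time.Hour
	old, _ := newSelfSignedKey("old", now.Add(-300*day), now.Add(30*day))
	fresh, _ := newSelfSignedKey("fresh", now.Add(-1*day), now.Add(364*day))
	future, _ := newSelfSignedKey("future", now.Add(7*day), now.Add(400*day))
	expired, _ := newSelfSignedKey("expired", now.Add(-800*day), now.Add(-1*day))

	k, err := selectSigningKey([]signingKey{old, fresh, future, expired}, now)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("selected signing key:", k.KeyID)
}
```

Note that the not-yet-valid "future" key is skipped even though it expires last; a feeder that sorted by expiry alone would sign with a certificate relying parties cannot yet accept. A practical rotation schedule therefore overlaps the windows: install the next key while the current one still has headroom, and let the farthest-expiry rule switch over once the new certificate's not-before has passed.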
Dependency changes
Updates to com.nimbusds:nimbus-jose-jwt:9.30.1
Updates to com.nimbusds:nimbus-jwkset-loader:5.2.2