Connect2id server 14.5
Connect2id server 14.5 ships several small updates to its APIs and fixes v14.x issues reported in August.

This release also receives an enhanced redirect_uri validation, to prevent clients from registering or using redirection URIs with query parameters that may lead to authorisation response parameter pollution, as discussed on the 24th of August at the OAuth Security Workshop in London. The extra redirect_uri check is in the underlying OAuth 2.0 / OpenID Connect SDK and blocks clients from registering (or using) redirection URIs with query parameters that shadow the authorisation state or the JARM response. If a client for some reason is registered with a redirect_uri that contains one of these query parameters, it will be forced to re-register with a compliant URI.

More information about what's new or was fixed in v14.5 can be found in the release notes below.
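The following Python, added here as an illustration and not code from the Connect2id server or the Nimbus OAuth 2.0 SDK, shows both halves of the point above: why a registered redirect_uri that already carries a state query parameter shadows the per-request state the server appends (as seen by a client framework that keeps only the first value of a repeated parameter), and a check of the kind described that rejects such URIs with an invalid_request error. The host client.example, the parameter values and the RESERVED_RESPONSE_PARAMS set are constructed from the description in these notes.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names the release notes say are now rejected in a client
# redirect_uri: "code" and "state" are OAuth 2.0 authorisation response
# parameters, "response" carries a JARM response. Constructed illustration of
# the described check, not the SDK's own constant.
RESERVED_RESPONSE_PARAMS = frozenset({"code", "state", "response"})


def reserved_params_in_redirect_uri(redirect_uri: str) -> set:
    """Return the reserved response parameter names found in the URI's query."""
    query = urlsplit(redirect_uri).query
    names = {name for name, _ in parse_qsl(query, keep_blank_values=True)}
    return names & RESERVED_RESPONSE_PARAMS


def check_redirect_uri(redirect_uri: str):
    """Return None if the redirect_uri is acceptable, else an OAuth 2.0 error
    object (invalid_request) of the shape an authorisation endpoint returns."""
    clash = reserved_params_in_redirect_uri(redirect_uri)
    if not clash:
        return None
    return {
        "error": "invalid_request",
        "error_description": "redirect_uri must not include query parameter(s) "
        + ", ".join(sorted(clash)),
    }


def compose_authz_response(redirect_uri: str, code: str, state: str) -> str:
    """Append code and state to the redirect_uri the way an authorisation
    server does for the default (query) response mode, keeping any query
    parameters the registered URI already has."""
    parts = urlsplit(redirect_uri)
    appended = urlencode({"code": code, "state": state})
    query = f"{parts.query}&{appended}" if parts.query else appended
    return urlunsplit(parts._replace(query=query))


def first_value_query_params(url: str) -> dict:
    """Parse a callback URL as a client stack that keeps only the FIRST value
    of a repeated parameter does (common servlet/HTTP library behaviour)."""
    params = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        params.setdefault(name, value)
    return params


def state_seen_by_client(registered_redirect_uri: str, code: str, real_state: str) -> str:
    """Simulate one authorisation round trip and return the state value the
    client's first-value parser ends up comparing against its session."""
    callback = compose_authz_response(registered_redirect_uri, code, real_state)
    return first_value_query_params(callback)["state"]


if __name__ == "__main__":
    # Constructed sample URIs; client.example is a placeholder host.
    polluted = "https://client.example/cb?state=shadow-value"
    compliant = "https://client.example/cb?tenant=acme"

    # With the polluted URI the client checks the baked-in value rather than
    # the per-request state the server echoed back, so its CSRF binding on
    # state silently stops working.
    print(state_seen_by_client(polluted, "c0de", "per-request-nonce"))
    print(state_seen_by_client(compliant, "c0de", "per-request-nonce"))

    # The 14.5 check refuses the polluted URI at registration and again at
    # the authorisation endpoint, before any response is composed.
    print(check_redirect_uri(polluted))
    print(check_redirect_uri(compliant))
```

The set of reserved names here is only the three the notes list; a deployment that handles other response modes would extend it with the response parameter names those modes use, which is an assumption beyond what the notes state.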
We are currently in the process of reworking our 10 year old connect2id.com website design. Our aim is to make it better, not worse, and to find out what people actually think or want to have improved we've set up this anonymous form. Your feedback will be highly appreciated.
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 14.5: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
Connect2id server 14.5 WAR package: c2id.war
GPG signature: c2id.war.asc
Apache Tomcat package with Connect2id server 14.5: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
Connect2id server 14.5 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
- Prevents registration of clients with "redirect_uris" that include a "code", "state" or "response" query parameter. OAuth 2.0 generally allows a client "redirect_uri" to include query parameters, which may be used, for instance, to process authorisation responses from multiple OAuth 2.0 servers or OpenID providers. This is a security measure that follows a recent recommendation that clients must not include query parameters in a registered "redirect_uri" with names used by the OAuth 2.0 authorisation response.
- The authorisation session object (obtainable via an HTTP GET request) receives an optional "auth_req.max_age" member of type array to represent the maximum authentication age in OpenID authentication requests.
- The authorisation session object (obtainable via an HTTP GET request) receives an optional "auth_req.acr_values" member of type array to represent the Authentication Context Class Reference values in OpenID authentication requests.
- The authorisation session object (obtainable via an HTTP GET request) receives an optional "auth_req.login_hint" member of type string to represent the login hint in OpenID authentication requests.
- Rejects OAuth 2.0 authorisation and OpenID authentication requests with a "redirect_uri" that includes a "code", "state" or "response" query parameter with an "invalid_request" error. Redirection URIs with query parameters that match the name of an OAuth 2.0 authorisation response parameter are deemed unsafe. Clients that use such query parameters in a "redirect_uri" must re-register with a new compliant redirection URI.
- Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.59
  - The CustomTokenResponseComposer SPI extends Lifecycle.
- Alters the Oracle "clients" table definition of the "jwks" column from VARCHAR2(4000) to CLOB (issue server/910).
- Logs the IDTokenIssueEventListener SPI and AccessTokenIssueEventListener SPI enabled status (issue server/915).
- Isolates expended rotated self-contained (JWT) refresh tokens by subject (end-user) session ID when the refresh token is issued in an OAuth 2.0 authorisation code grant. This applies to clients with multiple instances per subject (end-user) where the consent is transient (long_lived=false) (issue authz-store/223).
- Logs the OP8041 INFO message only when there are explicit OpenID Connect Federation 1.0 clients reaped (issue server/916).
- Removes redundant Infinispan externalisers used in the OpenID Connect Federation 1.0 explicit client index (issue server/917).
- Fixes an HTTP 500 Internal Server Error at the authorisation session web API when receiving an OpenID authentication request with certain illegal JSON in the claims parameter that produced an OAuth 2.0 "error_description" with an illegal double-quote character according to RFC 6749, section 5.2 (issue server/919).
- Upgrades to com.nimbusds:c2id-server-sdk:4.59
- Updates to com.nimbusds:oauth2-oidc-sdk:10.14.2
- Updates to com.nimbusds:oauth2-authz-store:24.6
- Updates to net.minidev:json-smart:2.4.11
- Updates to com.google.crypto.tink:tink:1.10.0