Connect2id server 15.9

The user sessions of the Connect2id server can be used as a lightweight method to feed user attributes (JWT claims) into the issued ID tokens. Whenever a new IdP session is created for a logged-in user, attributes to be included automatically in the user's ID tokens can be saved in the session's claims field.

Example session with four saved claims:

{
  "sub"           : "alice",
  "auth_time"     : 1723187423,
  "creation_time" : 1723187423,
  "max_life"      : 302400,
  "auth_life"     : 302400,
  "max_idle"      : 10080,
  "rps"           : [ "eedi8jah", "ahp9xei5", "ioj6agah" ],
  "claims"        : { "email"  : "[email protected]",
                      "name"   : "Alice Adams",
                      "roles"  : [ "admin", "audit" ],
                      "office" : "B-397" }
}

This capability has existed since 2015 and can be disabled with op.authz.feedSubjectSessionClaimsIntoIDToken:

op.authz.feedSubjectSessionClaimsIntoIDToken=false

Starting with this 15.9 release, op.authz.feedSubjectSessionClaimsIntoIDToken is deprecated for removal, and in its place a new configuration property is introduced -- op.idToken.includeSubjectSessionClaims, which enables fine-grained control over the included claims when necessary.

The default value of the new configuration property is * (asterisk), meaning all claims. It thus preserves the default behaviour of the deprecated op.authz.feedSubjectSessionClaimsIntoIDToken property.

op.idToken.includeSubjectSessionClaims=*

To select only specific claims for automatic inclusion in the ID tokens, simply list their names:

op.idToken.includeSubjectSessionClaims=email,roles

To disable all automatic inclusion, set the value to an empty list:

op.idToken.includeSubjectSessionClaims=

Because the session is made available to the Connect2id server claims source plugins, its claims field can naturally be used to fulfil requests for individual consented claims to be delivered to client applications in the ID tokens or at the userinfo endpoint. This can simplify deployments and infrastructure: all user attributes that may be released to clients are loaded once, at the time of user authentication, avoiding subsequent calls to services and databases to fetch them.

For example, taking the session claims above, the email and roles can be listed for automatic inclusion in all ID tokens, while any remaining claims found in the field will be made available to the claims source, for client applications to request them individually and explicitly.
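The following is an added example, not Connect2id server code, that models the selection semantics described above and in the 15.9 release notes: the property value * selects all members of the session claims object, a comma and / or space separated list selects named members, and an empty value disables the automatic inclusion. The members not selected stay available to a claims source for clients that request them explicitly. The sample session (and its e-mail address) is constructed for the example.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Added example, not Connect2id code: a model of how the documented
# op.idToken.includeSubjectSessionClaims value selects session claims for
# automatic inclusion in the ID token.


def parse_include_setting(value: Optional[str]) -> Optional[Set[str]]:
    """Parse the property value.

    Returns None to mean "all members" (the documented default "*"), otherwise
    the set of selected claim names. Names may be separated by commas and / or
    spaces. An empty value yields an empty set, i.e. inclusion is disabled.
    """
    if value is None:
        return None  # property absent: the documented default is "*"
    value = value.strip()
    if value == "*":
        return None
    return {name for name in re.split(r"[,\s]+", value) if name}


def split_session_claims(session: Dict, setting: Optional[str]) -> Tuple[Dict, Dict]:
    """Return (auto_included, left_for_claims_source).

    auto_included: members copied into every ID token issued for this session.
    left_for_claims_source: the remaining members, which a claims source plugin
    can deliver only when a client requests them individually.
    """
    claims = session.get("claims") or {}
    selected = parse_include_setting(setting)
    auto = {k: v for k, v in claims.items() if selected is None or k in selected}
    rest = {k: v for k, v in claims.items() if k not in auto}
    return auto, rest


# Constructed sample session, modelled on the one shown above; the e-mail
# address is a placeholder.
SESSION = {
    "sub": "alice",
    "auth_time": 1723187423,
    "claims": {
        "email": "alice@example.com",
        "name": "Alice Adams",
        "roles": ["admin", "audit"],
        "office": "B-397",
    },
}


if __name__ == "__main__":
    for setting in ("*", "email,roles", "email roles", ""):
        auto, rest = split_session_claims(SESSION, setting)
        print(f"{setting!r:14} id_token={sorted(auto)} claims_source={sorted(rest)}")
```

With the setting email,roles the model yields email and roles for every ID token, while name and office remain for the claims source, which is exactly the split described in the paragraph above.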

We plan to include a ready plugin to handle such retrieval of claims stored in the user session in a future release of the Connect2id server. Note that because of the requirement for the user session to be still present (active), this is suitable only for client applications that don't require access to the user claims after user logout / IdP session expiration.

Download 15.9

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 15.9: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 655f6dfe53bbb7a2aa2712b8191a0fd41cacd3a1945f6f6fcbfca67c77658fda

Connect2id server 15.9 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: ce8ba12064b81a4ecfb9172794b0c6a59192b012ca57827567e60f655256da52

Multi-tenant edition

Apache Tomcat package with Connect2id server 15.9: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: c49e894e535e2e8130e1d0df8a9637a63199eaf842e8670372d92a87da68bb4c

Connect2id server 15.9 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 29e7f7f9a26cbce8fc426c0bc9908e756d683a741193b379f2c5a1691456e9d4
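An added example, not a Connect2id tool, of the check to run on a downloaded package before deploying it: the file's SHA-256 is compared with the digest listed above and its detached .asc signature is checked with gpg. It assumes gpg is on the PATH and that the Connect2id public GPG key has already been imported into the keyring.

```python
import hashlib
import shutil
import subprocess
from pathlib import Path

# Added example, not Connect2id code: verify a downloaded 15.9 package against
# the published SHA-256 digest and its detached GPG signature.

# Digests copied from the download listing above.
PUBLISHED_SHA256 = {
    "Connect2id-server.zip": "655f6dfe53bbb7a2aa2712b8191a0fd41cacd3a1945f6f6fcbfca67c77658fda",
    "c2id.war": "ce8ba12064b81a4ecfb9172794b0c6a59192b012ca57827567e60f655256da52",
    "Connect2id-server-mt.zip": "c49e894e535e2e8130e1d0df8a9637a63199eaf842e8670372d92a87da68bb4c",
    "c2id-mt.war": "29e7f7f9a26cbce8fc426c0bc9908e756d683a741193b379f2c5a1691456e9d4",
}


def sha256_of_file(path) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so large packages fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_sha256(path, expected_hex: str) -> bool:
    """True if the file's digest equals expected_hex (case-insensitive)."""
    return sha256_of_file(path) == expected_hex.strip().lower()


def verify_gpg_signature(path) -> bool:
    """Check the detached signature <path>.asc with gpg.

    Assumes the Connect2id public key is already in the keyring. Returns False
    when gpg is not installed, so a missing tool never passes as a good signature.
    """
    if shutil.which("gpg") is None:
        return False
    result = subprocess.run(
        ["gpg", "--verify", f"{path}.asc", str(path)],
        capture_output=True, text=True,
    )
    return result.returncode == 0


def check_download(path) -> bool:
    """Both checks must pass; a file not in the listing is rejected outright."""
    name = Path(path).name
    if name not in PUBLISHED_SHA256:
        return False
    return verify_sha256(path, PUBLISHED_SHA256[name]) and verify_gpg_signature(path)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, "OK" if check_download(p) else "FAILED")
```

Run it with the downloaded package and its .asc file side by side, e.g. with c2id.war and c2id.war.asc in the current directory. Checking the digest alone only proves the file matches this page; the signature check is what ties the package to the Connect2id signing key.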

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

15.9 (2024-08-08)

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.idToken.includeSubjectSessionClaims -- New optional configuration property to control the automatic inclusion of members from the subject session claims JSON object in issued ID tokens. Applies to regular and prompt=none OpenID authentication requests as well as ID token refreshes. An * (asterisk) selects all members. The member names can alternatively be specified as a comma- and / or space-separated list. An empty list disables the inclusion. The default value is * (include all).

    • op.authz.feedSubjectSessionClaimsIntoIDToken -- Deprecated for removal, use op.idToken.includeSubjectSessionClaims instead.

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:26.5.2

  • Upgrades to com.nimbusds:common:3.4

  • Updates to net.thisptr:jackson-jq:1.0.0-preview.20240207