Connect2id server 15.9
The user sessions of the Connect2id server can be used as a lightweight method to feed user attributes (JWT claims) into the issued ID tokens. Whenever a new IdP session gets created for a logged-in user, the attributes to include automatically in the ID tokens for that user can be saved in the session's claims field.
Example session with four saved claims:

{
  "sub"           : "alice",
  "auth_time"     : 1723187423,
  "creation_time" : 1723187423,
  "max_life"      : 302400,
  "auth_life"     : 302400,
  "max_idle"      : 10080,
  "rps"           : [ "eedi8jah", "ahp9xei5", "ioj6agah" ],
  "claims"        : { "email"  : "[email protected]",
                      "name"   : "Alice Adams",
                      "roles"  : [ "admin", "audit" ],
                      "office" : "B-397" }
}
This capability has existed since 2015 and can be disabled with op.authz.feedSubjectSessionClaimsIntoIDToken:
op.authz.feedSubjectSessionClaimsIntoIDToken=false
Starting with this 15.9 release, op.authz.feedSubjectSessionClaimsIntoIDToken is deprecated for removal, and a new configuration property, op.idToken.includeSubjectSessionClaims, is introduced in its place to enable fine-grained control over the included claims when necessary. The default value of the new property is * (asterisk), meaning all claims. It thus preserves the default behaviour of the deprecated op.authz.feedSubjectSessionClaimsIntoIDToken property.
op.idToken.includeSubjectSessionClaims=*
To select only specific claims for automatic inclusion in the ID tokens simply list their names:
op.idToken.includeSubjectSessionClaims=email,roles
To disable all automatic inclusion set the value to an empty list:
op.idToken.includeSubjectSessionClaims=
Because the session is made available to the Connect2id server claims source plugins, its claims field can naturally be used to fulfil requests for individual consented claims to be delivered to client applications in the ID tokens or at the userinfo endpoint. This can simplify deployments and infrastructure: all potential user attributes for release to clients are loaded at the time of user authentication, avoiding subsequent calls to services and databases to get them.
For example, taking the session claims above, the email and roles claims can be listed for automatic inclusion in all ID tokens, while any remaining claims found in the field will be made available to the claims source, for client applications to request them individually and explicitly.
We plan to include a ready-made plugin to handle such retrieval of claims stored in the user session in a future release of the Connect2id server. Note that because this requires the user session to still be present (active), it is suitable only for client applications that don't require access to the user claims after user logout / IdP session expiration.
Download 15.9
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 15.9: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 655f6dfe53bbb7a2aa2712b8191a0fd41cacd3a1945f6f6fcbfca67c77658fda
Connect2id server 15.9 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: ce8ba12064b81a4ecfb9172794b0c6a59192b012ca57827567e60f655256da52
Multi-tenant edition
Apache Tomcat package with Connect2id server 15.9: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: c49e894e535e2e8130e1d0df8a9637a63199eaf842e8670372d92a87da68bb4c
Connect2id server 15.9 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 29e7f7f9a26cbce8fc426c0bc9908e756d683a741193b379f2c5a1691456e9d4
Questions?
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
15.9 (2024-08-08)
Configuration
/WEB-INF/oidcProvider.properties
op.idToken.includeSubjectSessionClaims -- New optional configuration property to control the automatic inclusion of members from the subject session claims JSON object in issued ID tokens. Applies to regular and prompt=none OpenID authentication requests as well as ID token refreshes. An * (asterisk) selects all members. The member names can alternatively be specified as a comma and / or space separated list. An empty list disables the inclusion. The default value is * (include all).
op.authz.feedSubjectSessionClaimsIntoIDToken -- Deprecated for removal, use op.idToken.includeSubjectSessionClaims instead.
Dependency changes
Updates to com.nimbusds:oauth2-authz-store:26.5.2
Upgrades to com.nimbusds:common:3.4
Updates to net.thisptr:jackson-jq:1.0.0-preview.20240207