Connect2id server 14.0 RC3 with Oracle Database support

2023-03-15

This is a snapshot of the upcoming Connect2id server 14.0 with Oracle database support.

The underlying Infinispan-based architecture received a sweeping upgrade from v9.4.x to v14.0.x, while retaining the existing stateless, stateless + Redis and replication Connect2id server clustering modes.

In v14.0 persisting Connect2id server data to an LDAP server will no longer be supported. Connect2id server deployments with an LDAP backend database have the choice to migrate to a supported SQL RDBMS or to AWS DynamoDB.

More information can be found in the release notes below.

Download 14.0-rc.3

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.0-rc.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: acaf4e2bb79b666c4cb0e99ce36c0b2c77ad423fcf29d595c28b62ff50fb1e71

Connect2id server 14.0-rc.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 39fbb7f6ae88a3d165c0b5f93ebdb8eec3e146b53c5b458d6fb5610b4dccbdfe

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

14.0-rc.3 (2023-03-11)

Summary

  • Upgrades to Infinispan 14.0.

  • Adds Oracle 12c r1+ Database support.

  • Removes LDAP backend database support as part of the Infinispan 14.0 upgrade. Connect2id server deployments with an LDAP backend database can migrate to a supported SQL RDBMS or to AWS DynamoDB.

Configuration

  • /WEB-INF/infinispan-*.xml

    • Upgrades the XML schema to Infinispan 14.0.

  • /WEB-INF/infinispan-stateless-oracle.xml

    • New Infinispan configuration for stateless clustering and an Oracle database.

  • /WEB-INF/infinispan-stateless-redis-oracle.xml

    • New Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.

  • /WEB-INF/infinispan-replication-oracle.xml

    • New Infinispan configuration for replication clustering and an Oracle database.

  • /WEB-INF/infinispan-multitenant-stateless-oracle.xml

    • New multi-tenant Infinispan configuration for stateless clustering and an Oracle database.

  • /WEB-INF/infinispan-multitenant-stateless-redis-oracle.xml

    • New multi-tenant Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.

  • /WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|oracle|h2}.xml

    • New optional "dataSource.createTableIfMissing" Java system property. When "true" (the default value) the Connect2id server will automatically create the required SQL tables on startup. It will also perform automatic table alternations where necessary in new major releases. When "false" the database administrator must create or alter the tables manually before server startup.

    • New optional "dataSource.maxPoolSize" Java system property. Controls the maximum size the SQL connection pool is allowed to reach, including both idle and in-use connections. The default size is 5.

  • /WEB-INF/infinispan-*-ldap.xml

    • The LDAP backend database XML configurations are removed and no longer supported.

  • /WEB-INF/sql

    • New directory containing the required SQL statements for manual table creation, to be used when the Connect2id is configured to disable automatic table creation (if missing) on server startup (with dataSource.createTableIfMissing=false).

Resolved issues

  • The SQL store must not set the client "application_type" to the default value "web" on record retrieval (issue server/838).

  • The Microsoft SQL Server id_access_tokens table column cnf must be VARCHAR (100), not NVARCHAR(100) (issue authz-store/199).

Dependency changes

  • Updates to com.nimbusds:c2id-server-sdk:4.52.1

  • Updates to com.nimbusds:c2id-server-property-source:1.1.1

  • Updates to com.nimbusds:tenant-manager:7.4.1

  • Updates to com.nimbusds:tenant-registry:8.2

  • Updates to com.nimbusds:oauth2-authz-store:20.1

  • Updates to com.nimbusds:oidc-session-store:16.1

  • Upgrades to com.nimbusds:common:2.50

  • Upgrades to com.nimbusds:infinispan-cachestore-common:3.1

  • Upgrades to Infinispan 14.0.6.Final

  • Upgrades to com.nimbusds:infinispan-cachestore-sql:7.0.2

  • Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:5.0.1

  • Upgrades to com.nimbusds:infinispan-cachestore-redis:10.0.1

  • Updates to com.nimbusds:jgroups-dynamodb-ping:1.2.6

  • Adds com.oracle.database.jdbc:ojdbc11:21.8.0.0

Connect2id server 14.0 RC2 with Oracle Database support

2023-03-06

This is a snapshot of the upcoming Connect2id server 14.0 with Oracle database support.

The underlying Infinispan-based architecture received a sweeping upgrade from v9.4.x to v14.0.x, while retaining the existing stateless, stateless + Redis and replication Connect2id server clustering modes.

In v14.0 persisting Connect2id server data to an LDAP server will no longer be supported. Connect2id server deployments with an LDAP backend database have the choice to migrate to a supported SQL RDBMS or to AWS DynamoDB.

More information can be found in the release notes below.

Download 14.0-rc.2

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.0-rc.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 314af2180aedc3c27d8363dfb517e105b0f924763395c22af9ebf924a35b1dbe

Connect2id server 14.0-rc.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: cf19afd1db69b93e0d9d48672f71360da641f5de8d379902e94534adb70b860f

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

14.0-rc.2 (2023-03-06)

Summary

  • Upgrades to Infinispan 14.0.

  • Adds Oracle 12c r1+ Database support.

  • Removes LDAP backend database support as part of the Infinispan 14.0 upgrade. Connect2id server deployments with an LDAP backend database can migrate to a supported SQL RDBMS or to AWS DynamoDB.

Configuration

  • /WEB-INF/infinispan-*.xml

    • Upgrades the XML schema to Infinispan 14.0.

  • /WEB-INF/infinispan-stateless-oracle.xml

    • New Infinispan configuration for stateless clustering and an Oracle database.

  • /WEB-INF/infinispan-stateless-redis-oracle.xml

    • New Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.

  • /WEB-INF/infinispan-replication-oracle.xml

    • New Infinispan configuration for replication clustering and an Oracle database.

  • /WEB-INF/infinispan-multitenant-stateless-oracle.xml

    • New multi-tenant Infinispan configuration for stateless clustering and an Oracle database.

  • /WEB-INF/infinispan-multitenant-stateless-redis-oracle.xml

    • New multi-tenant Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.

  • /WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|oracle|h2}.xml

    • New optional "dataSource.createTableIfMissing" Java system property. When "true" (the default value) the Connect2id server will automatically create the required SQL tables on startup. It will also perform automatic table alternations where necessary in new major releases. When "false" the database administrator must create or alter the tables manually before server startup.

  • /WEB-INF/infinispan-*-ldap.xml

    • The LDAP backend database XML configurations are removed and no longer supported.

  • /WEB-INF/sql

    • New directory containing the required SQL statements for manual table creation, to be used when the Connect2id is configured to disable automatic table creation (if missing) on server startup (with dataSource.createTableIfMissing=false).

Resolved issues

  • The SQL store must not set the client "application_type" to the default value "web" on record retrieval (issue server/838).

  • The Microsoft SQL Server id_access_tokens table column cnf must be VARCHAR (100), not NVARCHAR(100) (issue authz-store/199).

Dependency changes

  • Updates to com.nimbusds:c2id-server-sdk:4.52.1

  • Updates to com.nimbusds:c2id-server-property-source:1.1.1

  • Updates to com.nimbusds:tenant-manager:7.4.1

  • Updates to com.nimbusds:tenant-registry:8.2

  • Updates to com.nimbusds:oauth2-authz-store:20.1

  • Updates to com.nimbusds:oidc-session-store:16.1

  • Upgrades to com.nimbusds:common:2.50

  • Upgrades to com.nimbusds:infinispan-cachestore-common:3.1

  • Upgrades to Infinispan 14.0.6.Final

  • Upgrades to com.nimbusds:infinispan-cachestore-sql:7.0.2

  • Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:5.0.1

  • Upgrades to com.nimbusds:infinispan-cachestore-redis:10.0.1

  • Updates to com.nimbusds:jgroups-dynamodb-ping:1.2.6

  • Adds com.oracle.database.jdbc:ojdbc11:21.8.0.0

Logout API updates in Connect2id server 13.6

2023-02-22

The logout API of the Connect2id server was updated to make it more intuitive and developer friendly.

  • The logout end response message gets a new sub_session_closed parameter to provide a clear hint when the browser session should be deleted.

  • Post-logout redirections requested by the client will be processed regardless of whether an end-user session is present or not. Previously the Connect2id server would ignore them if there is no active end-user session.

More information can be found in the release notes below.

Download 13.6

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.6: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: bdb91c4cc8a2f32ebc63457251aa5876d2d54685eb1d9ab99c2a3749d070af00

Connect2id server 13.6 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 12e4671bc92918425571cdd1fc0762735d82d919ba4adc893c1dcdbc14a810a6

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.6: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 65219b215d4afce61d1d2017da0eaad03108af0c61344c2f7a331dbb5caadd94

Connect2id server 13.6 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 8b540c2865b3bb7eb6aa1c8ba87b2c4249da60654c4b493a8dffa47e82c9f54f

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

13.6 (2023-02-22)

Summary

  • Updates to the logout session API.

Web API

  • /logout-sessions/rest/v1/

    • Adds new "sub_session_closed" parameter to the logout-end message, of type boolean {true|false}. When true indicates the Connect2id server closed the end-user session in response to an IdP-initiated logout request, or in response to an RP-initiated logout request with a submitted end-user confirmation that included the choice to log out of the IdP as well. To be used as a hint to delete the browser cookie linked to the session. Note that the deletion of the session cookie is not critical, because the session ID is invalidated on the server side.

    • The logout session API is updated to proceed with a requested "post_logout_redirect_uri" when there is no present end-user session, or the session has expired. Previously the redirection request by the relying party (RP) would be silently ignored. This change conforms with OpenID Connect RP-Initiated Logout 1.0 (see section 4).

Dependency changes

  • Updates to com.nimbusds:nimbus-jose-jwt:9.31

Connect2id server 13.5

2023-02-20

This Connect2id server release ships three new features.

  • Single sign-on (SSO) can be disabled for selected clients. Intended as a lightweight alternative to fully-isolated client-based sessions.

  • The session store API gets a new resource that enables changes to the authentication lifetime of end-user sessions.

  • Client secret store plugins can return the encoded (hashed) secret in client read responses using a new custom encoded_client_secret client metadata field.

This release also fixes two reported bugs affecting the logout API and OpenID Connect Federation 1.0.

Detailed information is available in the release notes below.

Download 13.5

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.5: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: faf122c1be83aeff84961b7cb12a73a7787e885991d71dfd4049792c72b3ba02

Connect2id server 13.5 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: a586dd25af1e9b711a495bd533fe07845471e51a7629d45a812ba4b3deea59ca

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.5: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: f614ad4c03c6eb2f076d5bb2c0c9888ac56bdb20888ced811f0747127344672d

Connect2id server 13.5 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: b610a9b1d703a7d1dbffd5032875fb459663c93e0d07d6dd2b46fe46648dd084

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

13.5 (2023-02-20)

Summary

  • Single sign-on (SSO) can be disabled for selected clients.

  • New session store web API resource for modifying the authentication lifetime of an end-user session.

  • Client secret store plugins can return the encoded secret in client read responses using a new custom "encoded_client_secret" client metadata field.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.sso.disableForSelectedClients -- New optional configuration property to disable single sign-on (SSO) for selected registered clients. Ensures end-users will be always (re)authenticated on the first OAuth 2.0 authorisation / OpenID authentication request when end-user has an existing session with the Connect2id server. Subsequent requests from the client received into the same end-user session will be processed as usual, without triggering re-authentication of the end-user.

      Disabling SSO for a client creates the effect of "virtual" client-based sessions with the Connect2id server.

      Clients with disabled SSO are selected by configuring a JSON query that accepts the client registration (as JSON object representation) and returns a boolean true result. The default configuration property is no selector specified.

      Example JSON query to disable SSO for clients which registered a custom data JSON object containing a disable_sso member set to true: .data.disable_sso==true.

      The Connect2id server logs the configured JSON query at INFO level with the ID OP0090.

Web API

  • /session-store/rest/v2/

    • Adds a new /sessions/subject-auth-life resource supporting a PUT method to change the authentication lifetime of a session. The value is specified as an integer number of minutes, where -1 means infinite (no timeout) and 0 implies the default lifetime from the sessionStore.authLifetime configuration property. Returns HTTP 204 No Content on success.

  • /clients/

    • Connect2id server deployments with a ClientSecretStoreCodec plugin for encoding (hashing or encrypting) client secrets before committing them to storage will include the stored client secret in an "encoded_client_secret" metadata field in responses to client registration read (HTTP GET) requests. Note, in order to provide the metadata field in registration read responses the ClientSecretStoreCodec.decode method must return a DecodedSecret.withEncodedValue.

  • /monitor/v1/metrics

    • Adds new sessionStore.sessionAuthLifetimeUpdates meter.

Resolved issues

  • The OpenID Connect Federation 1.0 "value" policy check must support JSON objects (issue oidc-sdk/419).

  • Fixes a bug that prevented return of the state parameter in RP-initiated logout requests with a post_logout_redirect_uri when there is no frontchannel_logout_uri registered for the client (issue server/831).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:10.7

  • Upgrades to com.nimbusds:oidc-session-store:15.3

  • Adds net.thisptr:jackson-jq:1.0.0-preview.20220705

Connect2id server 13.4.1

2023-02-09

This is a maintenance release of the Connect2id server.

It fixes two recently reported bugs affecting automatic clients in OpenID Connect Federation 1.0 deployments, reported during GAIN interop testing. GAIN is a project of the OpenID Foundation to devise and test a global scheme for verified identities, a scheme that can work across various identity ecosystems and jurisdictions, and is capable of automating the trust establishment, OP & RP metadata discovery and client registration.

The feeding and logging of X.509 certificate based Connect2id server keys (this includes keys stored in a HSM) was also optimised. We took the opportunity to enhance the guide for using an HSM, with tips how to manage their validity time windows and rotation.

There is more information about the resolved issues in the notes below.

The next major 14.0 release will be shipped in the coming weeks. It will include a major upgrade of the embedded Infinispan from version 9.4.x to 14.x and performance optimisations of the SQL, DynamoDB and Redis connectors. Oracle will become a supported RDBMS; support for LDAP as backend database will be removed.

Download 13.4.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.4.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 70515364029ad787d9f451d806386ad5529243390c635747a4813b4cca42fa6e

Connect2id server 13.4.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: faae7f3518ced76fd89928e1d0cd9d9ea1cdbbf5e9347436f9ced6721de6b11a

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.4.1: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 453918111bffc3e0565ae892acd6abdabc54137bdf33b9aa841d582baa1a89e9

Connect2id server 13.4.1 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 9b6560b3b85c2360a208fd1ddc1867f58434d71435dd64955886d58e23999d59

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

13.4.1 (2023-02-09)

Resolved issues

  • The "aud" of request objects (JARs) passed by OpenID Connect Federation 1.0 clients must include the OpenID provider issuer URL, not the authorisation endpoint URL (issue server/825).

  • Fixes a bug that prevented client metadata shaped by a FinalMetadataValidator SPI plugin from appearing in the authentication prompt message when the op.authz.includeClientInfoInAuthPrompt configuration property is set to true and the requesting client is an automatic OpenID Federation 1.0 client that was just registered (issue server/826).

  • The signing JWK feeder when dealing with X.509 certificate based JWKs should bias the key selection to pick the key with the farthest certificate expiration date. This is to ensure optimal roll-over of RSA and EC signing JWKs with an X.509 certificate (issue jwk-set-loader/5).

  • Fixes the SE2000 error log message on failing to find a signing key with a currently valid X.509 certificate (according to its not-before and not-after attributes). The message must apply to both regular (in-memory) keys with an X.509 certificate and HSM keys with a certificate (issue jwk-set-loader/4).

Dependency changes

  • Updates to com.nimbusds:nimbus-jose-jwt:9.30.1

  • Updates to com.nimbusds:nimbus-jwkset-loader:5.2.2