MITREid Connect 1.3


The new version supports the Proof Key for Code Exchange, or PKCE (pronounced pixie) specification. This clever extension to OAuth makes the deployment of mobile applications, which have their own unique set of challenges, much more secure. Many developers who are deploying mobile applications in the field have requested PKCE support, and we’re happy to say that now both the server and the client library support this function. Both the S256 hash-based calculation and the plaintext version of PKCE are supported, though the more secure S256 is preferred and recommended.

Device Flow

The device flow is an extension to OAuth designed to let users authorize a client running on one device while authenticated through a browser on another device. This is most often used in cases where the client application is on a device that doesn’t have a regular browser, like a set top box. The server code now fully supports the draft spec as another supported flow, and it’s enabled out of the box. The spec is nearly completed, and we intend to track it through final publication.

Modular UI

One of the most valuable distinguishing features of MITREid Connect is how customizable it is. Just about anything can be overridden and replaced by custom functionality, which has let the server be deployed in a large number of different organizations. However, customizing the UI to add or remove functionality was always challenging because that was built as a single JavaScript application. In the new version, a couple of configuration variables control which portions of the UI are loaded at runtime, allowing greater flexibility for the front end. Additionally, a custom Bootstrap theme can now be compiled on deployment using the integrated LESS compiler. As an added bonus, this new approach has made the UMA server functionality a much cleaner construction than it was previously.

Modular Data Export

Another area where it was difficult to inject custom functionality is the data import and export API. This API is used during major upgrades and migrations to move data from one instance to another without getting tied up with database schemas and the like. Everything in the server’s runtime state is dumped out to a JSON file which can then be read in by a new instance, whether it’s a copy of the same version or an instance of a new version. Previously, this JSON had been processed by a single monolithic data service which didn’t have any means available for developers to extend its functionality. Now, the service has a set of plugins that can handle extended data constructs and customizations. And since this is all handled at the service layer in the application, it’s still agnostic of the underlying database schema in use.

Software Statements and Assertions Processing

Assertions are cryptographically-protected data constructs that make a statement about an object from one entity to another. The JSON Web Token (JWT) format is a means of building JSON-based assertions, and the MITREid Connect server has used JWT as the format for its access and refresh tokens for a very long time. The server has also supported some limited processing of assertions for getting OAuth tokens directly, but the new release has made this into a configurable service. This way, deployments can add their own functionality for assertion processing throughout the application.

Improved Data Layer

Some of the best improvements happened under the hood. The data layer was tweaked to help with performance and consistency. While most of these changes won’t be noticeable to most users or developers, the biggest change is that ID tokens are no longer stored in the database. These tokens are now treated properly as directed assertions from the IdP to the RP, which can be discarded by the client once it’s done. This architectural change should drastically reduce the data footprint of the server and strain on token cleanup services. Speaking of token cleanup services, these are now handled with a page-based timeout mechanism to prevent a long running cleanup operation from overwhelming the server.

Upgraded Libraries

As is usual with a major release like this, all of the dependent libraries have been updated as well. The server and client now run on Spring 4.3 and Spring Security 4.2. Underlying libraries like the Nimbus JWT/JOSE library, GSON and Guava utilities, database connectors, and most of the other components have been pulled to the latest versions. This helps address known security problems in these libraries as well as provide new functionality. The target build platform is now Java 8 as well, and while the project hasn’t been rewritten to take full advantage of the new features in Java 8, new code going into the project (and importantly, customizations and overlays) can make use of these enhancements.

Upgrade Paths

MITREid Connect 1.3.0 is a recommended upgrade for anyone running previous editions, but especially if you’re running anything in the 1.1 series or older. New features, cleaner code, and increased security would individually be compelling reasons to upgrade, and this release gives you all three. You’ll be able to upgrade a running system by exporting the old data from the existing server, starting up the new server with the new database schema, and importing the data export to the new server.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Justin Richer

Justin Richer


Justin Richer is a security architect and freelance consultant living in the Boston area. To get in touch, contact his company: