MITREid Connect 1.3
The MITREid Connect project started back in 2011 as a research project at The MITRE Corporation, where I worked at the time. We had several years' experience with the identity federation protocol OpenID 2.0 under our belt at MITRE, and we wanted to investigate a newly proposed successor, OpenID Connect. OpenID Connect (OIDC) was being built on top of the similarly nascent OAuth 2.0 delegation protocol. Both of these went on to become fully ratified standards, but at the time it was a bit of a gamble to back these incomplete technologies. Nevertheless, we saw the value that they could offer, and we realized that the best thing we could do was to take the engineer's approach: build the blasted thing and see what works.
Our previous implementation of OpenID was hacked together and extremely over-fit to the MITRE environment. For this new project, we wanted to build something that was sustainable, maintainable, and deployable beyond the confines and constraints of MITRE’s immediate use case. We built the MITREid Connect project as open source from the start, but that’s an interesting story more fit for a future post.
Today, the project has released its latest major version, 1.3.0, and here I’ll go over a bit of what’s new in this release.
PKCE Support
The new version supports the Proof Key for Code Exchange, or PKCE (pronounced "pixie"), specification. This clever extension to OAuth binds an authorization code to the client instance that requested it, so a code intercepted on its way back to the app can't be redeemed by anyone else. That closes a real gap for native and mobile applications, which have their own unique set of challenges and can't keep a client secret. Many developers who are deploying mobile applications in the field have requested PKCE support, and we're happy to say that both the server and the client library now support it. Both the S256 hash-based transform and the plain transform are supported, though S256 is more secure and is the recommended choice: with plain, the code challenge in the authorization request is the code verifier, so anyone who can see that request has what they need to redeem the code.
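To make the S256-versus-plain point concrete, here is both sides of the PKCE computation as an added example. It is not MITREid Connect's code; it is a standalone Python illustration of what the client computes before the authorization request and what the server checks at the token endpoint. The function names and the "PKCE optional" policy for codes issued without a challenge are assumptions of the example.

```python
"""PKCE (RFC 7636) on both sides of the authorization code flow.

Added example, not MITREid Connect code. Shows the client-side
code_verifier/code_challenge computation for the S256 and plain methods
and the check the authorization server performs at the token endpoint.
"""
import base64
import hashlib
import hmac
import secrets

# Characters RFC 7636 allows in a code_verifier: ALPHA / DIGIT / "-" / "." / "_" / "~"
UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, as the spec requires for both values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side, before redirecting: a fresh high-entropy verifier.
    32 random bytes encode to 43 characters, the spec minimum (max is 128)."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: the value sent as code_challenge on the authorization request."""
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier  # no transform at all, which is exactly why plain is weaker
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_code_verifier(stored_challenge, stored_method, presented_verifier) -> bool:
    """Server side, at the token endpoint.

    stored_challenge/stored_method were saved alongside the authorization code
    when it was issued; presented_verifier arrives with the code exchange.
    The check recomputes the challenge and compares it in constant time."""
    if stored_challenge is None:
        # Code was issued without PKCE. Whether to allow that is policy; this
        # example (an assumption) treats PKCE as optional but refuses a stray verifier.
        return presented_verifier is None
    if presented_verifier is None:
        return False  # code is bound to a challenge, but no verifier was presented
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if not set(presented_verifier) <= UNRESERVED:
        return False
    try:
        expected = make_code_challenge(presented_verifier, stored_method)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))
```

The interesting case is the one the paragraph warns about: feed an intercepted S256 challenge back in as the verifier and the check fails, because the server hashes it again; do the same with a plain challenge and it succeeds, because the challenge and the verifier are the same string. The RFC 7636 Appendix B vector (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`, challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) is a handy check that an implementation's encoding is right.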
Device Flow
The device flow is an extension to OAuth designed to let users authorize a client running on one device while authenticated through a browser on another device. This is most often used when the client application is on a device that doesn't have a regular browser, like a set-top box: the device displays a short user code, the user types it into the authorization server from a phone or laptop, and the device polls the token endpoint until the user has approved or denied the request. The server now implements the draft spec as another supported grant type, enabled out of the box. The spec is nearly complete, and we intend to track it through final publication.
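The exchange described above, as an added example that is not part of the original post or of MITREid Connect: a small in-memory authorization server that hands out device and user codes, records the user's decision made from the browser, and answers the device's polls with the draft's standard responses (`authorization_pending`, `slow_down`, `expired_token`, `access_denied`, or the token). The verification URI, the consonant-only user-code alphabet, the lifetimes and the `user_decision` method name are assumptions of the example; the clock is injectable so the timing rules can be exercised deterministically.

```python
"""Server-side state machine for the OAuth device flow.

Added example, not MITREid Connect code. Endpoint names, verification_uri,
user-code alphabet and lifetimes are assumptions for the illustration.
"""
import secrets
import time

# Consonant-only alphabet (an assumption) so random user codes don't spell words.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


def normalize_user_code(code: str) -> str:
    """Users type codes by hand: ignore case, spaces and the display hyphen."""
    return code.upper().replace(" ", "").replace("-", "")


class DeviceAuthorizationServer:
    def __init__(self, clock=time.monotonic, lifetime=600, interval=5,
                 verification_uri="https://as.example.com/device"):
        self.clock = clock                 # injectable for deterministic tests
        self.lifetime = lifetime           # seconds a device code stays valid
        self.interval = interval           # minimum seconds between polls
        self.verification_uri = verification_uri
        self._by_device = {}               # device_code -> request record
        self._by_user = {}                 # normalized user_code -> same record

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Device endpoint: the client on the browserless device calls this first."""
        device_code = secrets.token_urlsafe(32)
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        rec = {"client_id": client_id, "scope": scope, "status": "pending",
               "expires_at": self.clock() + self.lifetime,
               "interval": self.interval, "last_poll": None, "sub": None,
               "device_code": device_code, "user_code_key": raw}
        self._by_device[device_code] = rec
        self._by_user[raw] = rec
        return {"device_code": device_code,
                "user_code": raw[:4] + "-" + raw[4:],   # shown on the device's screen
                "verification_uri": self.verification_uri,
                "expires_in": self.lifetime,
                "interval": self.interval}

    def user_decision(self, user_code: str, subject: str, approve: bool) -> bool:
        """Browser side: after the user logs in elsewhere and types the code."""
        rec = self._by_user.get(normalize_user_code(user_code))
        if rec is None or rec["status"] != "pending" or self.clock() > rec["expires_at"]:
            return False
        rec["status"] = "approved" if approve else "denied"
        rec["sub"] = subject
        return True

    def _forget(self, rec) -> None:
        self._by_device.pop(rec["device_code"], None)
        self._by_user.pop(rec["user_code_key"], None)

    def token(self, client_id: str, device_code: str) -> dict:
        """Token endpoint: the device polls here with its device_code."""
        rec = self._by_device.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > rec["expires_at"]:
            self._forget(rec)
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < rec["interval"]:
            # Polled too fast: tell the client to back off and enforce a longer gap.
            rec["interval"] += 5
            rec["last_poll"] = now
            return {"error": "slow_down"}
        rec["last_poll"] = now
        if rec["status"] == "pending":
            return {"error": "authorization_pending"}
        self._forget(rec)   # any final answer consumes the device code
        if rec["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "scope": rec["scope"]}
```

Two details matter for a real deployment and are easy to get wrong: the device code is single-use and is dropped as soon as the server gives a final answer, so a second redemption yields `invalid_grant`; and a client that ignores `interval` gets `slow_down` with a growing back-off rather than a free retry, which keeps a fleet of impatient set-top boxes from hammering the token endpoint.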
Modular Data Export
Another area where it was difficult to inject custom functionality was the data import and export API. This API is used during major upgrades and migrations to move data from one instance to another without getting tied up in database schemas and the like. Everything in the server's runtime state is dumped out to a JSON file, which can then be read in by a new instance, whether it's a copy of the same version or an instance of a newer version. Previously, this JSON was processed by a single monolithic data service that gave developers no way to extend its functionality. Now the service has a set of plugins that can handle extended data constructs and customizations. And since this is all handled at the service layer of the application, it's still agnostic of the underlying database schema in use.
Software Statements and Assertions Processing
An assertion is a cryptographically protected statement about a subject, made by one party for another party to verify and act on. The JSON Web Token (JWT) format is a means of building JSON-based assertions, and the MITREid Connect server has used JWT as the format for its access and refresh tokens for a very long time. The server has also supported some limited processing of assertions presented directly to the token endpoint in exchange for OAuth tokens, but the new release turns this into a configurable service. This way, deployments can add their own assertion processing throughout the application.
One particularly important use for the new assertion processing modules is in the support of software statements. A software statement is an assertion, signed by a party the server trusts, that is presented during dynamic client registration; it allows developers to lock down certain fields of a dynamically registered client so that the registration request itself can't override them. Previously, the MITREid Connect server ignored such statements, but the new version uses the pluggable assertion processing framework to parse and validate them before acting on their contents.
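What "parse and validate" has to cover is easier to see in code, so here is an added example of software statement handling at registration time. It is not MITREid Connect's implementation: to stay dependency-free it signs the statement with HS256 under a secret shared between an assumed developer registry and the server, where a real deployment would more likely verify an asymmetric signature against the registry's public key. The issuer URL, the key, the claim values and the precedence rule (fields asserted by the statement win over the client's own request, which is the lock-down behaviour the post describes) are assumptions of the example.

```python
"""Software statement validation for dynamic client registration.

Added example, not MITREid Connect code. The statement is a compact JWT
signed by a trusted registry; the server verifies it, then lets its claims
override the registering client's own metadata so those fields are locked.
HS256 with a shared secret is used only to keep the example self-contained.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_software_statement(claims: dict, key: bytes) -> str:
    """Registry side: produce a compact-serialized HS256 JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
        for obj in (header, claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class InvalidSoftwareStatement(Exception):
    pass


# Claims that describe the JWT itself rather than the client being registered.
JWT_ENVELOPE_CLAIMS = frozenset({"iss", "sub", "aud", "exp", "iat", "nbf", "jti"})


def validate_software_statement(token: str, trusted_issuers: dict, now=None) -> dict:
    """Server side: verify the statement and return its claims, or raise.

    trusted_issuers maps an issuer URL to that issuer's HMAC key. The key is
    chosen by the 'iss' claim and the algorithm is pinned; nothing in the JWT
    header is allowed to steer verification."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        signature = b64url_decode(s)
    except ValueError as exc:          # covers base64, JSON and unicode errors
        raise InvalidSoftwareStatement("malformed JWT") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidSoftwareStatement("malformed JWT")
    if header.get("alg") != "HS256":
        raise InvalidSoftwareStatement("unexpected alg")   # refuses 'none' and alg swaps
    iss = claims.get("iss")
    if not isinstance(iss, str) or iss not in trusted_issuers:
        raise InvalidSoftwareStatement("untrusted issuer")
    expected = hmac.new(trusted_issuers[iss], f"{h}.{p}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidSoftwareStatement("bad signature")
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise InvalidSoftwareStatement("expired")
    if not isinstance(claims.get("software_id"), str):
        raise InvalidSoftwareStatement("software_id is required")
    return claims


def apply_software_statement(registration_request: dict, statement_claims: dict) -> dict:
    """Merge: metadata asserted by the statement wins over what the client sent."""
    merged = dict(registration_request)
    for name, value in statement_claims.items():
        if name not in JWT_ENVELOPE_CLAIMS:
            merged[name] = value
    merged.pop("software_statement", None)   # don't persist the raw JWT as client metadata
    return merged
```

The order of checks is deliberate: the issuer is looked up before the signature is verified so that the key comes from server configuration rather than from the token, and the algorithm is compared against a fixed value rather than read from the header and trusted. The merge step is where the lock-down happens: a registration that tries to slip in its own `redirect_uris` next to a statement that already asserts them ends up with the registry's value.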
Improved Data Layer
Some of the best improvements happened under the hood. The data layer was tweaked for performance and consistency. Most of these changes won't be noticeable to users or developers, but the biggest one is that ID tokens are no longer stored in the database. An ID token is properly a directed assertion from the IdP to the RP: the RP validates it and can discard it once it's done, and the server has no reason to keep a copy around. This architectural change should drastically reduce the data footprint of the server and the strain on token cleanup services. Speaking of token cleanup, it now works through expired tokens a page at a time under a time limit, so a large backlog can't turn into one long-running operation that overwhelms the server.
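The paged, time-boxed cleanup is a pattern worth showing on its own, so here is an added example of it; this is not MITREid Connect's cleanup code, and it uses an in-memory SQLite table with assumed names (`access_token`, `expiration`) in place of the server's real token store.

```python
"""Paged, time-boxed cleanup of expired tokens.

Added example, not MITREid Connect code. Each run deletes expired rows one
page at a time and stops when its time budget is used up, leaving the rest
for the next scheduled run, so a big backlog never becomes one long-running
transaction that holds locks and starves the server.
"""
import sqlite3
import time


def open_token_store(rows) -> sqlite3.Connection:
    """Constructed sample store: rows is an iterable of (id, expiration) pairs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access_token (id INTEGER PRIMARY KEY, expiration REAL NOT NULL)")
    conn.execute("CREATE INDEX ix_access_token_exp ON access_token (expiration)")
    conn.executemany("INSERT INTO access_token (id, expiration) VALUES (?, ?)", rows)
    conn.commit()
    return conn


def cleanup_expired_tokens(conn, now, page_size=100, time_budget=2.0, clock=time.monotonic):
    """Delete rows with expiration < now in pages of page_size.

    Returns (deleted, finished). finished is False when the time budget ran
    out with expired rows still left; the caller simply runs again later."""
    deadline = clock() + time_budget
    deleted = 0
    while True:
        page = [row[0] for row in conn.execute(
            "SELECT id FROM access_token WHERE expiration < ? ORDER BY expiration LIMIT ?",
            (now, page_size))]
        if not page:
            return deleted, True
        marks = ",".join("?" * len(page))
        conn.execute(f"DELETE FROM access_token WHERE id IN ({marks})", page)
        conn.commit()   # one short transaction per page releases locks promptly
        deleted += len(page)
        if clock() >= deadline:
            return deleted, False


def count_expired(conn, now) -> int:
    return conn.execute(
        "SELECT COUNT(*) FROM access_token WHERE expiration < ?", (now,)).fetchone()[0]
```

The two knobs are `page_size`, which bounds the size of any single transaction, and `time_budget`, which bounds how long one scheduled run can occupy the database; a run that hits the deadline reports `finished=False` and the next run picks up where it left off.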
As is usual with a major release like this, all of the dependent libraries have been updated as well. The server and client now run on Spring 4.3 and Spring Security 4.2. Underlying libraries like the Nimbus JOSE+JWT library, the GSON and Guava utilities, database connectors, and most of the other components have been brought up to their current versions. This addresses known security problems in those libraries as well as providing new functionality. The target build platform is now Java 8, and while the project hasn't been rewritten to take full advantage of the new features in Java 8, new code going into the project (and, importantly, customizations and overlays) can make use of them.
MITREid Connect 1.3.0 is a recommended upgrade for anyone running previous editions, but especially if you're running anything in the 1.1 series or older. New features, cleaner code, and increased security would each be a compelling reason to upgrade, and this release gives you all three. You'll be able to upgrade a running system by exporting the old data from the existing server, starting up the new server with the new database schema, and importing the data export into the new server. As with any migration, run the export and import against a copy of your data first, and keep the export until you've confirmed the new instance is working.
Need a hand upgrading your current instance? Looking for a customized version of the software? Just need support for the project in your organization? Get in touch with my company and we’ll see if we can help you out directly. And of course, there’s always the GitHub issue tracker and the project mailing list for general project questions.