OpenID Connect articles

Connect2id server 7.5.2

Posted on 2018-08-02

This week we have another patch release of the Connect2id server to properly clean up resources allocated by the back-channel logout token dispatcher on server shutdown. See the release notes for details.


To download a ZIP package of Connect2id server 7.5.2:

SHA-256: 048bb5c1e6483891c980a1670f19ac4e3746b65fd1a9e7c7ad6d5423bf939321

As WAR package only:

SHA-256: ab513eccb19f68fd1194ad6870f882a56cab4f621c985e847f2f6c561286b288


Get in touch with Connect2id support.

Release notes

7.5.2 (2018-08-02)

Resolved issues

  • Forces closing of all pooled HTTP connections in the back-channel logout token dispatcher on Connect2id server shutdown; works around Netty issue 6891, which prevented clean-up of a ThreadLocal (issue server/393).

Connect2id server 7.5.1

Posted on 2018-07-30

This is a maintenance release of the Connect2id server which fixes a bug introduced in version 7.5 that prevented the server from receiving client X.509 certificates used for self-signed certificate authentication (self_signed_tls_client_auth) at the token endpoint. Further details in the release notes.


To download a ZIP package of Connect2id server 7.5.1:

SHA-256: 1f6c38de8ea72e5c94e32cf28d9963ff46cf3f939776e4a7d5dbabe389cf936d

As WAR package only:

SHA-256: 4b20b1c26a686ecaaf346e83b405f28ce70d5e6a7623b8d27f05aa1917353817


Release notes

7.5.1 (2018-07-30)

Resolved issues

  • Fixes a bug introduced in Connect2id server 7.5 which prevented receiving client X.509 certificates set by a TLS termination proxy via the HTTP header configured in op.tls.clientX509CertHeader. The bug affected token requests by OAuth 2.0 clients / OpenID relying parties registered for self-signed certificate mutual TLS authentication (self_signed_tls_client_auth) (issue server/390).

Connect2id server 7.5 enables publishing of custom OpenID provider metadata

Posted on 2018-07-26

Support for custom OP / AS metadata

With Connect2id server 7.5 you can now include custom fields in the OpenID provider and OAuth 2.0 authorisation server metadata. To do that, set the new op.customMetadata configuration property:

op.customMetadata = {"custom-param-1":"val-1","custom-param-2":"val-2"}

The custom-param-1 and custom-param-2 fields will then get published alongside the standard ones.

The JSON object can also be given an additional BASE64 encoding, which makes it easier to pass the value in Connect2id server deployments configured via Java system properties set from a command-line shell:

op.customMetadata = eyJjdXN0b20tcGFyYW0tMSI6InZhbC0xIiwiY3VzdG9tLXBhcmFtLTIiOiJ2YWwtMiJ9
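An added example, not code from Connect2id: a small Python helper that produces the op.customMetadata value in either form the server accepts (plain JSON object or BASE64-wrapped JSON) and checks a configured value by decoding it back, so a BASE64 string that does not decode to a valid JSON object is caught before deployment. The function names and the pre-deployment check itself are assumptions of this example.

```python
import base64
import binascii
import json

# Constructed sample: the same custom fields as the announcement's example.
CUSTOM_FIELDS = {"custom-param-1": "val-1", "custom-param-2": "val-2"}


def encode_custom_metadata(fields, use_base64=False):
    """Serialise the custom fields to the string op.customMetadata expects.

    Compact separators keep the value free of spaces, which matters when it
    is passed as a Java system property from a shell. With use_base64=True
    the JSON is additionally BASE64 encoded, as the server permits.
    """
    raw = json.dumps(fields, separators=(",", ":"))
    if not use_base64:
        return raw
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_custom_metadata(value):
    """Decode a configured value the way a deployment check would (assumed).

    Accepts plain JSON or BASE64-wrapped JSON and raises ValueError unless
    the result is a JSON object, which is what the property requires.
    """
    text = value.strip()
    try:
        obj = json.loads(text)
    except json.JSONDecodeError:
        try:
            decoded = base64.b64decode(text, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("value is neither JSON nor valid BASE64") from exc
        try:
            obj = json.loads(decoded)
        except json.JSONDecodeError as exc:
            raise ValueError(f"BASE64 payload is not valid JSON: {exc}") from exc
    if not isinstance(obj, dict):
        raise ValueError(f"expected a JSON object, got {type(obj).__name__}")
    return obj


if __name__ == "__main__":
    for b64 in (False, True):
        value = encode_custom_metadata(CUSTOM_FIELDS, use_base64=b64)
        print(f"op.customMetadata = {value}")
        assert parse_custom_metadata(value) == CUSTOM_FIELDS
```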

Block client X.509 certificates at the token endpoint

The configuration was also extended with op.tls.blockClientX509Certs, which blocks client X.509 certificates received at the token endpoint, for deployments where issuing client-certificate-bound access tokens as per draft-ietf-oauth-mtls is not desired. The default setting is to bind the tokens.


To download a ZIP package of Connect2id server 7.5:

SHA-256: b41c853d8a1dfd1a97e88154a019e09b84dd4c9f7f85e8130e7f80cefbd85835

As WAR package only:

SHA-256: 994378b93455692b3b3196179b2d82483520aed71b49db74d5fa60ca0b795e72


Release notes

7.5 (2018-07-26)


  • /WEB-INF/

    • op.customMetadata — New configuration property for setting custom OpenID provider / OAuth 2.0 authorisation server metadata to be published at the .well-known/openid-configuration and .well-known/oauth-authorization-server endpoints. If set, the metadata must be represented as a JSON object string containing the custom fields, which can optionally be BASE64 encoded to ease passing the configuration property from a command-line shell.

    • op.tls.blockClientX509Certs — New configuration property for blocking client X.509 certificates received at the token endpoint. Can be used to prevent binding of issued access tokens to client X.509 certificates received with a token request when such binding isn’t desired.

Dependency changes

  • Upgrades to org.asynchttpclient:async-http-client:2.5.2

  • Upgrades to com.zaxxer:HikariCP:2.7.9

  • Upgrades to org.mariadb.jdbc:mariadb-java-client:2.2.6

  • Upgrades to org.postgresql:postgresql:42.2.4

Connect2id server 7.4

Posted on 2018-07-17

Following last week’s release of Connect2id server 7.3, which brought support for the OpenID Connect front-channel and back-channel logout extensions, we now have a small update to the logout session web API.

If your deployment only needs to handle logout requests initiated by the OpenID provider (i.e. no logout requests received from OpenID relying parties), the API will be enabled without having to declare a logout page (end-session endpoint) in the server configuration. This should make more sense to developers and integrators of the Connect2id server.

You can find further information in the release notes below.


To download a ZIP package of Connect2id server 7.4:

SHA-256: 2752304c12e1e8236f9917d4ffa3f151e1a53ce1c5d79c0fe73477c8752b2b96

As WAR package only:

SHA-256: f7cc07756f9ee4737ad53b55746480bc7fcdb6fc19d75b1b6fdf169d4e591538


Release notes

7.4 (2018-07-16)


  • /logout-sessions/rest/v1/

    • Updates the logout session web API so that OpenID provider (OP) initiated logout requests are accepted for processing without a configured OpenID Connect end-session endpoint URL (see op.logout.endpoint and OpenID Connect Session Management 1.0, section 5. RP-Initiated Logout (draft 28)). The API change was made because a logout (end-session) HTML page is not technically required for OP-initiated logout requests, only for RP-initiated ones (issue server/383).