Connect2id server 11.6.3

This is a maintenance and security update of the Connect2id server. It fixes several bugs and introduces a check to reject JWTs in request objects (JAR) and the id_token_hint parameter with excessively large JWT headers, or specially crafted JWT headers that can cause an internal server error (HTTP 500) when parsed.

Updating from other 11.x releases or earlier releases is recommended.

Check the release notes for more information.


Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.6.3:

SHA-256: 13830847cdaebe87ce708bc7cb076819c77ba510bc725418283a4ba3381c9890

Connect2id server 11.6.3 WAR package: c2id.war

SHA-256: 13830847cdaebe87ce708bc7cb076819c77ba510bc725418283a4ba3381c9890

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.6.3:

SHA-256: 4531ccc65d64ad5fe558fc24dfa600004ccb73074ce2566722bde57010a36622

Connect2id server 11.6.3 WAR package: c2id-multi-tenant.war

SHA-256: 83f106b9b446f8e08916b4e07c414c8f3634f591ee7b4d63c59a150cdf2ce9fd


Contact Connect2id support.

Release notes

11.6.3 (2021-06-22)

Resolved issues

  • Fixes a JSON encoding issue that affected serialisation of the tilde character (~, U+007E) into objects and for persistence since v11.3 (issue common/62).

  • Fixes a bug introduced in 11.3 (2021-03-31) that allowed OpenID authentication requests with response_type=id_token or response_type=id_token token to pass without a nonce (issue oidc-sdk/363).

  • Fixes a bug that prevented completion of plain OAuth 2.0 authorisation requests with prompt=none and resulted in an HTTP 500 server error. OpenID authentication requests were not affected (issue server/681).

  • Fixes leading JSON array bracket output for a GET on the clients endpoint with no registered clients. The bug was introduced in 11.6.1 (issue server/679).

  • Enforces a string length limit of 10K chars when parsing JWT headers (after the BASE64URL decoding). The 10K chars should be sufficient to accommodate JWT headers with an X.509 certificate chain in the "x5c" header parameter (issue nimbus-jose-jwt/424).

  • Prevents StackOverflowError when parsing a JWT header with a very large number of nested JOSE objects (issue nimbus-jose-jwt/425).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.9

  • Upgrades to com.nimbusds:nimbus-jose-jwt:9.10

  • Updates to com.nimbusds:common:2.45.2