Connect2id server 12.18
Connect2id server deployments can now mask or rewrite selected OpenID provider metadata fields published at the /.well-known/openid-configuration endpoint. This can be used to minimise the amount of published metadata, or to hide supported endpoints and capabilities which cannot be disabled by a simple configuration setting. This is done by creating a JSON object to act as an overlay, and saving it in the new op.metadataOverlay configuration property.
Sample overlay to hide the introspection endpoint:
With additional BASE64 encoding on top of the JSON text, for easier passing around via environment variables:
Note, the overlay will not alter the internal Connect2id server configuration, and the server will not check the resulting JSON object for being a legal representation of OpenID provider metadata according to the
One way to double-check the published metadata is to run it through the parse method of the class in the OAuth 2.0 / OpenID Connect
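To make the overlay semantics concrete, here is an added Python model of the documented behaviour (not Connect2id's own code): non-null fields replace, null fields remove, and the overlay may be given as JSON text or as BASE64-encoded JSON text. The sample metadata document and its endpoint URLs are constructed, and the overlay that hides the introspection endpoint is assumed to be `{"introspection_endpoint": null}`.

```python
import base64
import json

# Constructed sample OP metadata document (not real Connect2id output).
SAMPLE_METADATA = {
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/login",
    "token_endpoint": "https://op.example.com/token",
    "introspection_endpoint": "https://op.example.com/token/introspect",
    "scopes_supported": ["openid", "email", "profile"],
}
# Overlay hiding the introspection endpoint, BASE64 encoded as for an env variable.
OVERLAY_B64 = base64.b64encode(b'{"introspection_endpoint": null}').decode("ascii")

def _json_object_or_none(text):
    """Parse text as JSON; return the object, or None if it is not a JSON object."""
    try:
        value = json.loads(text)
    except ValueError:
        return None
    return value if isinstance(value, dict) else None

def decode_overlay(overlay_str):
    """Accept the overlay as plain JSON text or as BASE64-encoded JSON text."""
    overlay = _json_object_or_none(overlay_str)
    if overlay is None:  # not plain JSON: try the BASE64 form
        try:
            decoded = base64.b64decode(overlay_str, validate=True).decode("utf-8")
        except ValueError as exc:  # covers binascii.Error and UnicodeDecodeError
            raise ValueError("overlay is neither a JSON object nor BASE64 of one") from exc
        overlay = _json_object_or_none(decoded)
    if overlay is None:
        raise ValueError("overlay must be a JSON object, optionally BASE64 encoded")
    return overlay

def apply_overlay(metadata, overlay):
    """Non-null overlay values replace or add fields; null values remove them.
    As documented, the result is NOT validated as legal OP metadata: the
    operator must check it (e.g. that "issuer" was not removed by mistake)."""
    result = dict(metadata)  # shallow copy; the input metadata is left untouched
    for field, value in overlay.items():
        if value is None:
            result.pop(field, None)
        else:
            result[field] = value
    return result

def published_metadata(metadata, overlay_str):
    return apply_overlay(metadata, decode_overlay(overlay_str))
```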
For more information on what's new or changed, check the release notes below.
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 12.18: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
Connect2id server 12.18 WAR package: c2id.war
GPG signature: c2id.war.asc
Apache Tomcat package with Connect2id server 12.18: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
Connect2id server 12.18 WAR package: c2id-multi-tenant.war
GPG signature: c2id-multi-tenant.war.asc
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
- op.metadataOverlay -- New optional configuration property for a JSON object overlay to apply to the OpenID provider / OAuth 2.0 authorisation server metadata published at the ".well-known/openid-configuration" and ".well-known/oauth-authorization-server" endpoints. Non-null values in the overlay object replace existing metadata fields, null values remove them. Note, the overlay does not affect the internal Connect2id server configuration, and after its application the resulting JSON object is not checked for being a legal representation of OpenID provider / OAuth 2.0 authorisation server metadata. If set, the overlay must be represented as a JSON object string, and can be additionally BASE64 encoded to ease passing the configuration property from a command line shell.
- Pushed authorisation request (PAR) URIs now become invalidated after their use at the authorisation endpoint. Previously a PAR URI would remain valid until its expiration, as configured by the op.par.lifetime property.
- Logs a warning under AS0277 when revoking an authorisation by a self-contained (JWT-encoded) access token whose local (public) subject or client_id is not encoded (issue authz-store/194).
Updates to com.nimbusds:oauth2-authz-store:18.2.1
Updates to io.prometheus:simpleclient:0.16.0
Updates to io.prometheus:simpleclient_servlet:0.16.0
Updates to io.prometheus:simpleclient_dropwizard:0.16.0
Updates to Log4j 2.19.0