Connect2id server 12.5.3

This release of the Connect2id server fixes a bug that affected the override of a configuration property and updates several dependencies.

The extra web applications included in the ZIP package (sample login page, OpenID relying party, etc.) also receive the Log4j security patch for CVE-2021-45046, announced on Monday. The Connect2id server itself was patched for this CVE in the prior 12.5.2 release.

Maven Central is currently experiencing an overload, due to the enormous number of packages being updated, with release uploads timing out. This situation has made it difficult for us to publish updates to various open source components that we maintain. If the difficulties persist, we will consider setting up a private repo for their distribution.

This release also marks a change in the Connect2id server Docker images and their naming:

  • The Docker image built from Connect2id-server.zip, which includes a complete package with the latest stable Apache Tomcat and the extra web applications, will now be published under the c2id/c2id-server-demo tag. Previously this was c2id/c2id-server. This naming change is to make it clear that the image is chiefly intended for demo and evaluation purposes. For production, consider using a purpose-built image (see next).

    https://hub.docker.com/r/c2id/c2id-server-demo/tags

  • A new type of Docker image is now available under the c2id/c2id-server-min tag. It builds from an official Apache Tomcat Docker image, with only c2id.war deployed in it. This makes for a minimal image containing only an instance of the Connect2id server and nothing else. In an OpenID provider / OAuth 2.0 server deployment it will be complemented with containers for the backend database, the front-end, etc.

    https://hub.docker.com/r/c2id/c2id-server-min/tags

    The minimal image can be tweaked, for example to reconfigure logging output.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.5.3: Connect2id-server.zip

SHA-256: ec024cb187fe44d04a8feea204f0948a67668de31491f62c7fdbf919645af3a4

Connect2id server 12.5.3 WAR package: c2id.war

SHA-256: 380216996fce28034f1888870c97299c334d8da7a883fd5b52682694548e1d2b

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.5.3: Connect2id-server-mt.zip

SHA-256: 83b80077461a4e56cf9db1cd4523a078f4459f7d0cf1ca0a7166fb7fda98d561

Connect2id server 12.5.3 WAR package: c2id-multi-tenant.war

SHA-256: 6cb80a9f267c949f4120199b4d9d0bd82a40dca2a13075d3972adcfe54089906

Questions?

Contact Connect2id support.


Release notes

12.5.3 (2021-12-16)

Resolved issues

  • Fixes op.checkSession.iframe and op.checkSession.cookieName configuration property parsing to support Java system property override (issue server/709).

Dependency changes

  • Updates to com.nimbusds:software-statement-verifier:2.2.2

  • Updates to org.apache.commons:commons-compress:1.21