Connect2id server 12.7
This Connect2id server update introduces two new features in its integration APIs:
- The monitoring endpoint gets a new “authzEndpoint.invalidRequests” meter. It counts invalid requests by OAuth 2.0 clients and OpenID Connect relying parties at the OAuth 2.0 authorisation endpoint.
- The authorisation endpoint also gets support for the optional error_uri response parameter. Login handlers can set this parameter to point to a human-readable web page when denying an authorisation request.
This release also fixes a bug that caused login handlers to receive an HTTP 500 status code instead of a 400 when including illegal characters in the error_description for an authorisation error. Underlying frameworks and libraries also received updates. More information can be found in the release notes below.
Download 12.7
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 12.7: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: ce9aceb0ab3969cf95cef114a2a9ab2d31ee3ce1fb4f95fdf3dba26e491802b4
Connect2id server 12.7 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 019b2f9d68b924b07dd40ac0a5ac796ce35fbba76e09a28a513e87d24db90c7d
Multi-tenant edition
Apache Tomcat package with Connect2id server 12.7: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: dc88c173b24c396e85681a9933273d6cf5c4464146209efaab4168774a5e2109
Connect2id server 12.7 WAR package: c2id-multi-tenant.war
GPG signature: c2id-multi-tenant.war.asc
SHA-256: 15b3d233d550d938cc947cb32b024b63f9d7bffa26677e2518107e9847d39812
Questions?
Contact Connect2id support.
Release notes
12.7 (2022-03-01)
Web API
- /authz-sessions/rest/v3/
  - The DELETE call for returning an authorisation response error to the OAuth 2.0 client adds support for an “error_uri” query parameter. See RFC 6749, section 5.2.
- /monitor/v1/metrics
  - Adds new “authzEndpoint.invalidRequests” meter of invalid requests by OAuth 2.0 clients and OpenID Connect relying parties at the OAuth 2.0 authorisation endpoint. Covers authorisation error responses with the “invalid_request” and other codes (save for “access_denied”, metered by “authzEndpoint.failedSubjectAuthentications” and “authzEndpoint.consentDenials”) as well as non-redirecting errors.
Resolved issues
- The authorisation session API DELETE /authz-sessions/rest/v3/{sid} call must return an HTTP 400 Bad Request when illegal characters are present in an OAuth 2.0 error code or description, as specified in RFC 6749, section 5.2. Previously illegal characters would produce an HTTP 500 Internal Server Error (issue server/730).
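As an added illustration (not code from Connect2id), the following Python check enforces the RFC 6749 section 5.2 character sets for error, error_description and error_uri before a login handler issues the DELETE call, so an illegal character is caught locally instead of being rejected by the server with an HTTP 400. Only error_uri is named as a query parameter on this page; carrying error and error_description under the same names is an assumption, and the sample values are constructed.

```python
import re
from urllib.parse import urlencode

# Allowed characters from RFC 6749, section 5.2 (ASCII ranges; '"' and '\' excluded):
#   error, error_description : %x20-21 / %x23-5B / %x5D-7E
#   error_uri                : %x21 / %x23-5B / %x5D-7E  (additionally excludes space)
ERROR_CHARS = re.compile(r"[\x20\x21\x23-\x5B\x5D-\x7E]+")
ERROR_URI_CHARS = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def validate_authz_error(error, error_description=None, error_uri=None):
    """Return a list of problems; empty when all supplied values are clean."""
    problems = []
    # fullmatch rather than '$' so a trailing newline is not silently accepted
    if not error or not ERROR_CHARS.fullmatch(error):
        problems.append("error: empty or outside the RFC 6749 5.2 character set")
    if error_description is not None and not ERROR_CHARS.fullmatch(error_description):
        problems.append("error_description: outside the RFC 6749 5.2 character set")
    if error_uri is not None and not ERROR_URI_CHARS.fullmatch(error_uri):
        problems.append("error_uri: outside the RFC 6749 5.2 character set")
    return problems


def build_delete_path(sid, error, error_description=None, error_uri=None):
    """Assemble the DELETE /authz-sessions/rest/v3/{sid} request path.

    Assumption: error and error_description travel as query parameters named
    like the response parameters, next to the error_uri parameter the release
    notes document. Raises ValueError instead of sending a request the server
    would reject with HTTP 400.
    """
    problems = validate_authz_error(error, error_description, error_uri)
    if problems:
        raise ValueError("; ".join(problems))
    params = {"error": error}
    if error_description is not None:
        params["error_description"] = error_description
    if error_uri is not None:
        params["error_uri"] = error_uri
    # urlencode percent-encodes '&', '=', '/' etc. so a value cannot break the query
    return f"/authz-sessions/rest/v3/{sid}?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment
    print(build_delete_path("sid-123", "access_denied",
                            "The end-user declined the request",
                            "https://idp.example.com/help/denied"))
    print(validate_authz_error("access_denied", 'Bad "quoted" text'))
```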
Dependency changes
- Updates to com.nimbusds:nimbus-jose-jwt:9.20
- Updates to com.nimbusds:oauth2-authz-store:17.8
- Updates to com.nimbusds:oidc-session-store:14.9
- Updates to com.nimbusds:common:2.46
- Updates to javax.servlet:javax.servlet-api:4.0.1
- Updates to org.apache.commons:commons-lang3:3.12.0
- Updates to javax.ws.rs:javax.ws.rs-api:2.1.1
- Updates to org.glassfish.jersey.containers:jersey-container-servlet:2.35
- Updates to com.google.code.gson:gson:2.9.0
- Updates to commons-codec:commons-codec:1.15
- Updates to io.prometheus:simpleclient:0.15.0
- Updates to io.prometheus:simpleclient_servlet:0.15.0
- Updates to io.prometheus:simpleclient_dropwizard:0.15.0
- Updates to Log4j 2.17.2