Connect2id server 12.7
This Connect2id server update introduces two new features in its integration APIs:
The monitoring endpoint gets a new "authzEndpoint.invalidRequests" meter. It counts invalid requests by OAuth 2.0 clients and OpenID Connect relying parties at the OAuth 2.0 authorisation endpoint.
The authorisation endpoint also gets support for the optional error_uri response parameter. Login handlers can set this parameter to point to a human-readable web page when denying an authorisation request.
This release also fixes a bug that caused login handlers to receive an HTTP 500 status code instead of a 400 when including illegal characters in the error code or error_description for an authorisation error. Underlying frameworks and libraries also received updates. More information can be found in the release notes below.
Download 12.7
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 12.7: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: ce9aceb0ab3969cf95cef114a2a9ab2d31ee3ce1fb4f95fdf3dba26e491802b4
Connect2id server 12.7 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 019b2f9d68b924b07dd40ac0a5ac796ce35fbba76e09a28a513e87d24db90c7d
Multi-tenant edition
Apache Tomcat package with Connect2id server 12.7: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: dc88c173b24c396e85681a9933273d6cf5c4464146209efaab4168774a5e2109
Connect2id server 12.7 WAR package: c2id-multi-tenant.war
GPG signature: c2id-multi-tenant.war.asc
SHA-256: 15b3d233d550d938cc947cb32b024b63f9d7bffa26677e2518107e9847d39812
Questions?
Contact Connect2id support.
Release notes
12.7 (2022-03-01)
Web API
/authz-sessions/rest/v3/
- The DELETE call for returning an authorisation response error to the OAuth 2.0 client adds support for an "error_uri" query parameter. See RFC 6749, section 5.2.
/monitor/v1/metrics
- Adds a new "authzEndpoint.invalidRequests" meter of invalid requests by OAuth 2.0 clients and OpenID Connect relying parties at the OAuth 2.0 authorisation endpoint. Covers authorisation error responses with the "invalid_request" and other codes (except for "access_denied", which is metered by "authzEndpoint.failedSubjectAuthentications" and "authzEndpoint.consentDenials") as well as non-redirecting errors.
Resolved issues
- The authorisation session API DELETE /authz-sessions/rest/v3/{sid} call must return an HTTP 400 Bad Request when illegal characters are present in an OAuth 2.0 error code or description, as specified in RFC 6749, section 5.2. Previously illegal characters would produce an HTTP 500 Internal Server Error (issue server/730).
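Both the new "error_uri" query parameter on the DELETE call and the resolved HTTP 500 / 400 issue come down to the same rule from RFC 6749, section 5.2: "error" and "error_description" may only contain %x20-21 / %x23-5B / %x5D-7E (printable ASCII without '"' and '\'), and "error_uri" must additionally contain no space. The following is an added example, not Connect2id code, of how a login handler can validate these values on its own side before calling the authorisation session API, so that a bad description is caught locally rather than as a 400 from the server. The query parameter names "error" and "error_description", the bearer-token Authorization header, and the session ID and token values are assumptions made for the illustration; only the "error_uri" parameter and the /authz-sessions/rest/v3/{sid} path come from the release notes.

```python
"""Validate OAuth 2.0 error response parameters (RFC 6749, section 5.2) and
build the authorisation session DELETE request that returns them to the client.

Added example, not Connect2id server code.
"""
import re
from urllib.parse import quote, urlencode

# RFC 6749 section 5.2 character sets:
#   error, error_description : %x20-21 / %x23-5B / %x5D-7E  (no '"' and no '\')
#   error_uri                : %x21 / %x23-5B / %x5D-7E     (additionally no space)
_NQSCHAR = re.compile(r"^[\x20\x21\x23-\x5B\x5D-\x7E]$")
_NQCHAR = re.compile(r"^[\x21\x23-\x5B\x5D-\x7E]$")


def illegal_chars(value, allow_space=True):
    """Return the sorted, de-duplicated list of characters in value that fall
    outside the RFC 6749 set for error / error_description (allow_space=True)
    or for error_uri (allow_space=False). An empty list means the value is legal."""
    pattern = _NQSCHAR if allow_space else _NQCHAR
    return sorted({c for c in value if not pattern.match(c)})


def validate_error_params(error, error_description=None, error_uri=None):
    """Return the query parameters for an authorisation error response, or raise
    ValueError naming the offending parameter and the illegal characters.
    An empty or None error_description / error_uri is treated as absent."""
    if not error:
        raise ValueError("error code is required")
    bad = illegal_chars(error)
    if bad:
        raise ValueError(f"error contains illegal characters: {bad}")
    params = {"error": error}
    if error_description:
        bad = illegal_chars(error_description)
        if bad:
            raise ValueError(f"error_description contains illegal characters: {bad}")
        params["error_description"] = error_description
    if error_uri:
        bad = illegal_chars(error_uri, allow_space=False)
        if bad:
            raise ValueError(f"error_uri contains illegal characters: {bad}")
        params["error_uri"] = error_uri
    return params


def build_authz_error_delete(base_url, sid, error, error_description=None,
                             error_uri=None, api_token=None):
    """Build (method, url, headers) for
    DELETE {base_url}/authz-sessions/rest/v3/{sid}?error=...&error_description=...&error_uri=...

    Assumption (not stated in the release notes): the query parameter names for
    the error code and description are "error" and "error_description", and the
    API is authenticated with a bearer token in the Authorization header."""
    params = validate_error_params(error, error_description, error_uri)
    url = (f"{base_url.rstrip('/')}/authz-sessions/rest/v3/"
           f"{quote(sid, safe='')}?{urlencode(params)}")
    headers = {"Authorization": f"Bearer {api_token}"} if api_token else {}
    return "DELETE", url, headers


if __name__ == "__main__":
    # Constructed sample values; the session ID and token are not real.
    method, url, headers = build_authz_error_delete(
        "https://c2id.example.com", "Vraz7xDNrqLcBjYKlEEwQk4vK",
        "access_denied", "User cancelled",
        "https://login.example.com/help/denied", api_token="ztucZS1ZyFKgh0tUEruU")
    print(method, url)
    # A description with double quotes is rejected before any request is sent.
    try:
        validate_error_params("access_denied", 'User "cancelled"')
    except ValueError as e:
        print("rejected:", e)
```

The two regular expressions are the section 5.2 character sets written as byte ranges, so the check is exact rather than an approximation such as "printable ASCII". Note that the description check deliberately rejects '"' and '\' even though they are printable: those two are the characters the RFC excludes, and they are the ones most likely to leak in from a user-facing message.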
Dependency changes
Updates to com.nimbusds:nimbus-jose-jwt:9.20
Updates to com.nimbusds:oauth2-authz-store:17.8
Updates to com.nimbusds:oidc-session-store:14.9
Updates to com.nimbusds:common:2.46
Updates to javax.servlet:javax.servlet-api:4.0.1
Updates to org.apache.commons:commons-lang3:3.12.0
Updates to javax.ws.rs:javax.ws.rs-api:2.1.1
Updates to org.glassfish.jersey.containers:jersey-container-servlet:2.35
Updates to com.google.code.gson:gson:2.9.0
Updates to commons-codec:commons-codec:1.15
Updates to io.prometheus:simpleclient:0.15.0
Updates to io.prometheus:simpleclient_servlet:0.15.0
Updates to io.prometheus:simpleclient_dropwizard:0.15.0
Updates to Log4j 2.17.2