Connect2id server 13.2.1

This is a maintenance release of the Connect2id server.

Should I upgrade?

An upgrade to 13.2.1 is recommended if:

  • You have a deployment with a plugin for handling SAML 2.0 assertion grants. This special OAuth 2.0 grant type is used to let client applications exchange a SAML 2.0 assertion for an OAuth 2.0 access token (potentially including a refresh token as well). Prior versions of the Connect2id server contain a dependency in the XML parsing stack reported vulnerable to CVE-2022-40152. A malicious SAML assertion which triggers the vulnerability will cause an internal stack overflow exception and the token endpoint returning an HTTP 500 Internal Server Error instead of a proper HTTP 400 Bad Request response with an invalid_grant error.

  • You have a deployment enabled for OpenID Connect Federation 1.0. This release fixes two bugs that affect the clean up of expired federation clients.

In all other cases upgrading is not necessary.

There is more information in the release notes below.

Native SSO for Android and iOS apps

A new specification in development at the OpenID Connect working group is now on the Connect2id server roadmap for 2023.

A mobile app which signs-in a user with OpenID Connect to obtain an ID token will be able to share the user identity with apps belonging to the same vendor:

  • A mobile app by a vendor is installed and the user logs in with OpenID Connect.

  • If the user chooses to install other apps belonging to the same vendor she will be automatically signed into them, a concept called "native SSO".

We are currently also discussing possibilities for mobile apps to seamlessly sign-in the user with trusted web applications and sites. This scenario can occur when the app opens a link to a web site of the vendor. The aim is to save the user from having to perform an additional web-based SSO with the Connect2id server and improve the overall UX when moving between mobile app and web site.

If you have comments, suggestions or wish to try out this feature before it is finalised write to Connect2id support.

LDAP backend support will be removed in 2023

We would also like to inform you that LDAP backend support will be removed in 2023, with version 13.x likely remaining the last one to have it. If you use an LDAP directory server to persist Connect2id server data consider migrating to a different database. This change does not affect the Connect2id server connector for sourcing OpenID claims from LDAP directories, which will remain available and supported.

2023 will also see official support for Java 17, to enable Connect2id servers to be deployed with the newer Java 17 runtime (while keeping the software Java 11 compatible).

Download 13.2.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.2.1:

GPG signature:

SHA-256: 889853c37a402ed36b04f29ec7962ee866800383ae59e6951e17ee8ee0f7d038

Connect2id server 13.2.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: be1785b7eb1f73d53c65a897617bfb9ff5dc2170e255ee17b2733da28672d276

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.2.1:

GPG signature:

SHA-256: 39ae9507bf51ef3e3baaa8ea12f251976ab8cd82da2b0c2b0bf57db9f80ad2cf

Connect2id server 13.2.1 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 3b7c9fdce414cd20b097bcee8fac70014cecb4b70ce99efe59a06032602f2179


If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

13.2.1 (2023-01-19)

Resolved issues

  • Updates the Woodstox Core dependency used in the SAML 2.0 assertion grant SPI, to address a potential stack overflow vulnerability in the XML DTD parse code (CVE-2022-40152). Note that the CVE has been incorrectly filed to an XStream dependency (a different project). Connect2id server deployments that don't use a SAML 2.0 assertion grant plugin for exchanging SAML 2.0 tokens for OAuth 2.0 tokens are not affected (issue server/820).

  • Streaming registered OpenID Connect Federation 1.0 clients from the federation client index must observe the tenant ID (issue server/640).

  • Fixes NPE that prevented clean up of expired OpenID Connect Federation 1.0 automatic clients (issue server/657).

Dependency changes

  • Updates to com.fasterxml.woodstox:woodstox-core:5.4.0

  • Updates Dropwizard Metrics to 4.2.15