The OAuth 2.0 token exchange in Connect2id server 13.3 supports refresh token and ID token issue

Connect2id server deployments with OAuth 2.0 token exchange (RFC 8693) will now be able to issue refresh tokens and ID tokens. Previously the token exchange plugin interface (SPI) was capable of specifying only access token issue. The persistence of the token exchange authorisation can now also be controlled, by setting its long-lived flag. When a refresh token gets issued, the flag also determines whether it is going to be persisted (long-lived set to true) or a stateless encrypted JWT (long-lived set to false).

This token exchange upgrade makes it possible for Connect2id server deployments to experiment with the new OpenID Connect draft specification for native single sign-on (SSO) for Android, iOS and desktop applications. Built-in support for the native SSO is now on the Connect2id server roadmap and it will appear once the spec has become stable.

The new token exchange plugin capabilities can also be useful in other scenarios where a client needs to exchange a token of some kind (opaque or JWT) for an access / refresh / ID token issued locally by the Connect2id server.

This release fixes two issues:

  • If you have clients using symmetrically encrypted ID tokens or UserInfo (by means of deriving a shared AES key from the client_secret) upgrading is strongly recommended, to ensure interoperability and correctness of the key derivation. The key derivation suffered from a poorly worded specification in OpenID Connect Core 1.0, addressed in a recent errata. The security of the encryption was never compromised, but depending on how the original spec was interpreted the decryption of JWE objects can unexpectedly fail with a different client library or OpenID Connect server.

    The key derivation issue was also fixed in v10.5.1 of the open source OAuth 2.0 / OpenID Connect SDK we maintain.

  • If you have a deployment with OpenID Connect Federation 1.0 upgrading is also suggested, so you can read the registrations of automatic clients via the clients API without entity URL encoding issues.

There is more information in the release notes.

Download 13.3

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.3:

GPG signature:

SHA-256: b503e2a247bb7bbe224f3f6ed3b7f0f27930edb50b501b1931ecc45173c99705

Connect2id server 13.3 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: d10fccf8fb49a5095ce7a387728ecdebe0023c6fd2411f264567c25741296a49

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.3:

GPG signature:

SHA-256: cce4e3dad989af9db16fca3ec8e731be913066ce59f41a099e5f0e9e47cc5197

Connect2id server 13.3 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: bf5f9b7a7fa6a3d80fde32c3405fdfbb61d8d8095b9bd4d71703cc84fbe42377


If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

13.3 (2023-01-23)


  • Token exchange (RFC 8693) plugins can now optionally specify the issue of a refresh token and ID token (in addition to the access token) when authorising a request received via the TokenExchangeGrantHandler SPI. The plugin can also flag the authorisation as long-lived (persisted), to cause the granted scope values and other attributes to be remembered for the subject and the requesting client. This also enables control of the refresh token encoding (if issued) - persisted or stateless.

  • Resource owner password credentials grant plugins can now specify the issue of stateless (JWT-encoded) refresh tokens. Previously only persisted refresh tokens could be issued.

  • Updates the plugin for handling OAuth 2.0 grants at an external web service (web hook) to support token exchange (RFC 8693) authorisations for refresh token and ID token issue.


  • /token

    • Adds support for refresh token and ID token issue for an OAuth 2.0 token exchange grant (RFC 8693).


  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.52

    • The TokenExchangeAuthorization class is updated to support optional persistence of the authorisation (with the long-lived flag), issue of a refresh token (stateless or persisted) and issue of an ID token.

    • The PasswordGrantAuthorization class is updated to support issue of a stateless refresh token when the long-lived authorisation flag is set to false. Previously only persisted refresh tokens could be issued, when the long-lived authorisation flag was set to true.

Resolved issues

  • The AES key from client_secret derivation for shared JSON Web Encryption (JWE) of ID tokens, UserInfo responses and other objects must remove the right-most bits, not the left-most. See OpenID Connect Core 1.0 errata 2020-07-24 (issue oidc-sdk/412).

  • The clients web API GET by client_id must handle client identifiers that are OpenID Connect Federation 1.0 entity IDs (and URLs in general) seamlessly (issue server/824).
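
The key derivation from the first resolved issue (and from the upgrade recommendation for symmetrically encrypted ID tokens and UserInfo above), as an added Python example that is not Connect2id server or SDK code: it derives the AES key from the client_secret per OpenID Connect Core 1.0, section 10.2, under both truncation readings and reports the key sizes on which they disagree. The function names and the sample secret are constructed for illustration.

```python
import hashlib

# Constructed sample value, not a real client secret.
SAMPLE_SECRET = "constructed-example-client-secret"


def secret_digest(client_secret: str, key_bits: int) -> bytes:
    """Hash the UTF-8 octets of client_secret with the SHA-2 variant that
    OpenID Connect Core 1.0, section 10.2, assigns to the key length."""
    if key_bits % 8 or not 0 < key_bits <= 512:
        raise ValueError("unsupported key length: %r" % key_bits)
    if key_bits <= 256:
        hash_fn = hashlib.sha256
    elif key_bits <= 384:
        hash_fn = hashlib.sha384
    else:
        hash_fn = hashlib.sha512
    return hash_fn(client_secret.encode("utf-8")).digest()


def derive_key(client_secret: str, key_bits: int) -> bytes:
    """Reading confirmed by the errata: keep the left-most bits of the
    hash, i.e. remove the right-most ones."""
    return secret_digest(client_secret, key_bits)[: key_bits // 8]


def derive_key_misread(client_secret: str, key_bits: int) -> bytes:
    """The other reading of the original wording: remove the left-most
    bits and keep the right-most ones."""
    return secret_digest(client_secret, key_bits)[-(key_bits // 8):]


def affected_key_sizes(client_secret: str,
                       sizes=(128, 192, 256, 384, 512)) -> list:
    """Key sizes for which the two readings yield different AES keys, so a
    JWE produced under one reading cannot be decrypted under the other."""
    return [bits for bits in sizes
            if derive_key(client_secret, bits)
            != derive_key_misread(client_secret, bits)]


if __name__ == "__main__":
    # 128-bit keys (e.g. A128KW, dir with A128GCM) and 192-bit keys
    # (e.g. A192KW) truncate a SHA-256 digest, so the readings diverge.
    # 256-, 384- and 512-bit keys use the whole digest and coincide.
    print("key sizes affected:", affected_key_sizes(SAMPLE_SECRET))
```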

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.52

  • Updates to com.nimbusds:oauth2-oidc-sdk:10.5.1

  • Updates to com.nimbusds:nimbus-jose-jwt:9.29

  • Updates to com.nimbusds:oauth-grant-handlers-web:1.0.4