Connect2id server 13.4 supports Java 17, redirect_uri templates

The Connect2id server can now get deployed with a Java 11 or 17 runtime.

Java 17, the most recent long-term support (LTS) release, was made available in September 2021. With this Connect2id server update you have the choice to switch to the newer Java 17 runtime, as support for the free OpenJDK 11 version is going to end in October 2024 (longer paid support options are offered by Oracle and others).

Several cryptography related parts of the Connect2id server were updated for the Java 17 runtime where the secp256k1 elliptic curve for JWS is no longer available in the default Java 17 JCA provider. This curve is an alternative to the P-256 curve and is used where clients are registered for the ES256K JWS algorithm to secure ID tokens, UserInfo JWTs, JARs or JARMs. Whenever secp256k1 operations are needed the Connect2id server will use the alternative open source JCA provider developed by BouncyCastle.

The byte code and Java API use of the Connect2id server will remain Java 11 compatible at least until September 2023.

This release also adds a special new feature to enable OpenID Connect providers and OAuth 2.0 servers to use redirect_uri templates. Such templates can help in cases where a client may require a large number of redirection URIs which individual registration may be impractical.

You can find additional information about this release in the notes below.

Download 13.4

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.4:

GPG signature:

SHA-256: ef7b160197e3fcc575b2d0224c3ed8ba7416c2822f9d3e4611a6105d2f73d7fe

Connect2id server 13.4 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: e36671174ce53d2fe1b1d96b52d33368c95f1c08d52383da8ffcb17c738504cf

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.4:

GPG signature:

SHA-256: 93422f791fc775d41d427b07fa852ba2581c045fa00a49eeee79274b12a4228e

Connect2id server 13.4 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 93422f791fc775d41d427b07fa852ba2581c045fa00a49eeee79274b12a4228e


If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

13.4 (2023-01-30)


  • Updates the Connect2id server to support the Java 17 runtime.

    Due to the secp256k1 elliptic curve no longer being available in the default Java Cryptography Architecture (JCA) provider the Connect2id server will use the alternative open source BouncyCastle JCA provider for the ES256K (secp256k1 curve) JWS algorithm when it's used to secure ID tokens, UserInfo JWTs, request objects (JAR), authorisation responses (JARM) or self-contained (JWT) access tokens.

    The Java 11 runtime support remains.

  • Adds support for registering OAuth 2.0 clients with redirect_uri templates, to enable Connect2id server deployments to set the redirection URI at the time when the authorisation request is processed.

    This can facilitate scenarios where the exact redirect_uri is not known at the time of client registration or where a client may require a multitude of redirection URIs that conform to a certain pattern. The redirect_uri templates apply to authorisation requests as well as pushed authorisation requests (PAR).

    Example template where the [param] is a placeholder for a parameter to be set when the Connect2id server processes the authorisation request:



  • /clients/

    • Supports registration of OAuth 2.0 web and native clients with templates in the redirect_uris parameter. The template is a URN with format urn:c2id:redirect_uri_template:[URI], where URI is the final redirection URI which must contain a single [param] placeholder. The [param] placeholder will be set by the Connect2id server when it processes authorisation requests from the client.
  • /authz-sessions/rest/v3/

    • Adds an optional redirect_uri_template_param parameter of type string to the authorisation session start request object. Used to set the [param] in a redirect_uri of an authorisation request where the URI is a template. The template URI must be registered just as any regular redirection URI in the client's record under the redirect_uris field.

      The [param] setting will apply to all authorisation requests, including JAR and PAR.

      If the Connect2id server doesn't set the [param] for some reason the redirect_uri will remain unchanged, which will later cause the redirection to fail because of the URN scheme.

Resolved issues

  • Upgrades to com.nimbusds:nimbus-jose-jwt:9.30

  • Upgrades to com.nimbusds:c2id-server-jwkset:1.26.2

  • Updates to com.nimbusds:oauth2-authz-store:19.5