Connect2id server 13.7

This Connect2id server release introduces two new configuration properties and fixes a bug affecting DPoP.

New configuration properties

op.idToken.includeX5C -- this configuration property controls the inclusion of the X.509 certificate chain (the "x5c" JWT header parameter) in the header of issued ID tokens. The Connect2id server includes the chain automatically when the signing JWK is provisioned with one; the default is true. To disable this behaviour and issue leaner ID tokens set the property to false.

op.idToken.includeX5C=false
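To confirm that the setting took effect, the check below decodes the JOSE header of an issued ID token and compares it with the signing JWK from the server's JWK set. This is an added example, not Connect2id code. The ID tokens, the JWK set, the modulus and the certificate value are constructed placeholders (no real signature and no real DER certificate); in practice the JWK set would be fetched from the server's JWK set endpoint and the token taken from a real authentication response.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jose_header(jwt: str) -> dict:
    """Decode the protected header of a compact JWS (the ID token) without verifying it."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(b64url_decode(parts[0]))


def find_jwk(jwks: dict, kid: str) -> dict:
    """Locate the signing key referenced by the token header in the server's JWK set."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid:
            return key
    raise KeyError(f"no JWK with kid {kid!r} in the JWK set")


def inspect_id_token(id_token: str, jwks: dict, include_x5c: bool) -> dict:
    """Compare an ID token header with the deployed op.idToken.includeX5C value.

    With include_x5c=True an x5c is expected only when the signing JWK carries a
    certificate chain, and it must equal that chain; with include_x5c=False the
    header must not carry x5c at all.
    """
    header = jose_header(id_token)
    jwk = find_jwk(jwks, header["kid"])
    expected = include_x5c and "x5c" in jwk
    present = "x5c" in header
    chain_matches = (not present) or header["x5c"] == jwk.get("x5c")
    return {
        "kid": header["kid"],
        "alg": header.get("alg"),
        "x5c_present": present,
        "x5c_expected": expected,
        "header_bytes": len(id_token.split(".")[0]),
        "ok": present == expected and chain_matches,
    }


# Constructed sample data: placeholder certificate, modulus and signature, no real crypto.
CERT_B64 = base64.b64encode(b"constructed placeholder, not a DER certificate").decode("ascii")
JWKS = {"keys": [{"kty": "RSA", "kid": "2023-03", "use": "sig", "alg": "RS256",
                  "n": "placeholder-modulus", "e": "AQAB", "x5c": [CERT_B64]}]}


def make_id_token(header: dict) -> str:
    """Build an unsigned token of the right shape; the signature segment is a placeholder."""
    def seg(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    claims = {"iss": "https://c2id.example.com", "sub": "alice", "aud": "client-1",
              "iat": 1680000000, "exp": 1680003600}
    return f"{seg(header)}.{seg(claims)}.{b64url_encode(b'placeholder-signature')}"


LEAN_ID_TOKEN = make_id_token({"alg": "RS256", "kid": "2023-03"})
FULL_ID_TOKEN = make_id_token({"alg": "RS256", "kid": "2023-03", "x5c": [CERT_B64]})

if __name__ == "__main__":
    for label, token in (("lean", LEAN_ID_TOKEN), ("with x5c", FULL_ID_TOKEN)):
        print(label, inspect_id_token(token, JWKS, include_x5c=False))
```

The "header_bytes" field makes the size difference visible; "ok" is false both when x5c shows up although the property is false and when a chain is present but differs from the one on the signing JWK, which would indicate the token was not signed with the key the JWK set advertises.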

op.reg.allowNonTLSLogoutURIsForTest -- this configuration property allows OpenID relying parties to be registered as clients with a frontchannel_logout_uri or backchannel_logout_uri that is an insecure (plain) HTTP URL. The default is false (not allowed). The setting is intended to help with test and devops deployments that cannot obtain HTTPS certificates. Unsecured logout URLs must not be used in production!

op.reg.allowNonTLSLogoutURIsForTest=true

You can find more information about the frontchannel_logout_uri and backchannel_logout_uri client metadata parameters in their respective specifications, OpenID Connect Front-Channel Logout 1.0 and OpenID Connect Back-Channel Logout 1.0.

Bug fixes

This release fixes a bug that affected DPoP access tokens: the JWK thumbprint (jkt) confirmation of identifier-based access tokens was not persisted in the stateless server mode (issue authz-store/205). If you have a Connect2id server deployment that issues identifier-based access tokens with DPoP and runs in the stateless server mode, you should upgrade to this version. Deployments that issue JWT-encoded access tokens, or that use a replication cluster or Redis, are not affected.
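The resource-server side of this binding, as an added example that is neither Connect2id code nor code from the DPoP specification: compute the RFC 7638 thumbprint of the public key carried in a DPoP proof and compare it with cnf.jkt from the token introspection response. A response without cnf.jkt is what a lost jkt confirmation would look like to a resource server (an assumption about the symptom, not a statement from the release notes), and the check refuses such a token rather than treating it as a plain bearer token. The JWK coordinates, the proof and the introspection responses are constructed; the proof's signature and its htm, htu, jti and iat claims are not verified here and must be checked before this binding test is meaningful.

```python
import base64
import hashlib
import json

# RFC 7638: the required public members per key type; they are serialized in lexicographic order.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint (RFC 7638): required members only, sorted keys, no whitespace."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def dpop_proof_public_key(proof: str) -> dict:
    """Pull the client's public JWK out of the DPoP proof header."""
    header = json.loads(b64url_decode(proof.split(".")[0]))
    if header.get("typ") != "dpop+jwt" or "jwk" not in header:
        raise ValueError("not a DPoP proof JWT")
    jwk = header["jwk"]
    if "d" in jwk:
        raise ValueError("DPoP proof must carry a public key only")
    return jwk


def dpop_binding_ok(introspection: dict, proof: str) -> bool:
    """Resource-server check: token active and cnf.jkt equal to the thumbprint of the proof key.

    A DPoP token whose introspection carries no cnf.jkt is treated as unbound and refused
    (assumed symptom of a lost jkt confirmation, see the lead-in).
    """
    if not introspection.get("active"):
        return False
    jkt = (introspection.get("cnf") or {}).get("jkt")
    if jkt is None:
        return False
    return jkt == jwk_thumbprint(dpop_proof_public_key(proof))


# Constructed sample: the coordinates are arbitrary base64url strings, not a real P-256 point.
CLIENT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def make_unsigned_proof(jwk: dict) -> str:
    """DPoP proof of the right shape; the signature segment is a placeholder and is never verified here."""
    def seg(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}
    claims = {"htm": "GET", "htu": "https://api.example.com/resource",
              "jti": "constructed-1", "iat": 1680000000}
    return f"{seg(header)}.{seg(claims)}.{b64url_encode(b'placeholder-signature')}"


# Two constructed introspection responses: one with the binding, one where cnf.jkt is missing.
BOUND_INTROSPECTION = {"active": True, "token_type": "DPoP", "cnf": {"jkt": jwk_thumbprint(CLIENT_JWK)}}
UNBOUND_INTROSPECTION = {"active": True, "token_type": "DPoP"}

if __name__ == "__main__":
    proof = make_unsigned_proof(CLIENT_JWK)
    print("bound, key matches:", dpop_binding_ok(BOUND_INTROSPECTION, proof))
    print("cnf.jkt missing:   ", dpop_binding_ok(UNBOUND_INTROSPECTION, proof))
```

Note that the thumbprint deliberately ignores kid, alg and use: a client that rotates those metadata members without changing the key keeps the same jkt, while any change to the key coordinates breaks the binding.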

Download 13.7

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.7: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: eec7f9bdb26b4d9eb2228c629a0c58ef3a015b82209727375387f6e75e957de6

Connect2id server 13.7 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 650dab0e9a0dd20ec8581e9af5df5bd94a21b2edda8a74954365663a3ab9ebde

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.7: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 2198b564012f801b2ac14270e3ad4a1a48b67d7cb84bfd9b2988100364175673

Connect2id server 13.7 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 1a05a2721defb30fdcaf4b866eb5ecb52088b0973cad8edfc55c8e9e5661b172
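A download check, added here and not part of the Connect2id distribution: it recomputes SHA-256 over each artifact, compares it with the digest published above, and runs gpg --verify on the detached .asc signature. It assumes the artifacts and their .asc files sit in the working directory and that the Connect2id public GPG key has already been imported into the local keyring; the gpg invocation is the standard detached-signature form and nothing Connect2id-specific.

```python
import hashlib
import hmac
import subprocess
from pathlib import Path

# SHA-256 digests published on this page for the 13.7 artifacts.
EXPECTED_SHA256 = {
    "Connect2id-server.zip": "eec7f9bdb26b4d9eb2228c629a0c58ef3a015b82209727375387f6e75e957de6",
    "c2id.war": "650dab0e9a0dd20ec8581e9af5df5bd94a21b2edda8a74954365663a3ab9ebde",
    "Connect2id-server-mt.zip": "2198b564012f801b2ac14270e3ad4a1a48b67d7cb84bfd9b2988100364175673",
    "c2id-mt.war": "1a05a2721defb30fdcaf4b866eb5ecb52088b0973cad8edfc55c8e9e5661b172",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Stream the file in 1 MiB chunks so large WAR/ZIP files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_matches(name: str, digest: str) -> bool:
    """Compare against the published digest; unknown artifact names never match."""
    expected = EXPECTED_SHA256.get(name)
    return expected is not None and hmac.compare_digest(expected, digest.lower())


def gpg_signature_ok(path: Path) -> bool:
    """Detached-signature check; assumes the Connect2id public key is already in the keyring."""
    sig = path.with_name(path.name + ".asc")
    if not sig.exists():
        return False
    result = subprocess.run(["gpg", "--verify", str(sig), str(path)], capture_output=True)
    return result.returncode == 0


def verify_artifact(path: Path) -> bool:
    """Both checks must pass: the digest pins the exact bytes, the signature ties them to the publisher."""
    return digest_matches(path.name, sha256_file(path)) and gpg_signature_ok(path)


if __name__ == "__main__":
    for name in EXPECTED_SHA256:
        artifact = Path(name)
        if artifact.exists():
            print(name, "OK" if verify_artifact(artifact) else "FAILED")
```

Run it from the directory holding the downloads; an artifact that is absent is skipped, one whose digest or signature does not match is reported as FAILED and should not be deployed.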

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, or to renew or upgrade your support and updates subscription, email our sales team.


Release notes

13.7 (2023-03-30)

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.idToken.includeX5C -- New optional configuration to control inclusion of the "x5c" (X.509 certificate chain) header parameter in issued ID tokens when the signing JWK is provisioned with a certificate. The default value is true.

    • op.reg.allowNonTLSLogoutURIsForTest -- New optional configuration property to allow registration of non-TLS (plain HTTP) front and back-channel logout URIs for test and development purposes. The default value is false (not allowed). Must not be allowed in production!

Resolved issues

  • The JWK thumbprint (jkt) confirmation must be persisted in the "cnf" column of the "id_access_tokens" SQL table for identifier-based DPoP access tokens (issue authz-store/205).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:10.7.1

  • Updates to com.nimbusds:oauth2-authz-store:19.5.1

  • Updates to net.minidev:json-smart:2.4.10

  • Updates to com.google.crypto.tink:tink:1.8.0

  • Updates to com.google.code.gson:gson:2.10.1

  • Updates to com.fasterxml.jackson.core:jackson-databind:2.13.4.2