Connect2id server 13.7
This Connect2id server release introduces two new configuration properties and fixes a bug affecting DPoP.
New configuration properties
op.idToken.includeX5C – this configuration property controls the inclusion of an X.509 certificate (chain) in the JWT header of issued ID tokens. The certificate chain gets automatically included as the "x5c" header parameter whenever the configured signing JWK is provisioned with one. Relying parties verify the ID token with the key from the OP's published JWK set in any case; the "x5c" header is unauthenticated until the signature has been checked and is not a trust source on its own. To disable this behaviour and issue leaner ID tokens set the property to false:
op.idToken.includeX5C=false
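The following script, added here as an illustration and not part of the Connect2id server or its documentation, shows what includeX5C changes from a relying party's point of view: it measures the header overhead of a certificate chain and resolves the verification key the safe way, from the OP's published JWK set, using "x5c" and "x5t#S256" in the token header only as consistency checks. The JWK set, the key identifier "c2id-2023" and the DER certificate bytes are constructed placeholders, and no signature is verified here.

```python
"""Relying-party handling of the ID token "x5c" header (added example; not Connect2id code)."""
import base64
import hashlib
import json
from typing import Optional, Tuple


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt_header(header: dict) -> str:
    """First JWT segment: base64url of the compact JSON header."""
    return b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))


def decode_jwt_header(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[0]))


def cert_sha256_b64url(x5c_entry: str) -> str:
    """Fingerprint in x5t#S256 form. x5c entries are plain base64 DER (RFC 7515 section 4.1.6)."""
    return b64url_encode(hashlib.sha256(base64.b64decode(x5c_entry)).digest())


def select_verification_key(header: dict, trusted_jwks: dict) -> Tuple[Optional[dict], str]:
    """Pick the JWK to verify the token with. The header is attacker-controlled until
    the signature is checked, so "kid" is only a lookup hint into the trusted set and
    "x5c" / "x5t#S256" are only cross-checked against the published key, never used
    to derive the verification key."""
    kid = header.get("kid")
    jwk = next((k for k in trusted_jwks.get("keys", []) if k.get("kid") == kid), None)
    if jwk is None:
        return None, f"no published key with kid {kid!r}"
    if "x5c" in header and header["x5c"] != jwk.get("x5c"):
        return None, "x5c in token header differs from the published key's certificate chain"
    if "x5t#S256" in header:
        published = jwk.get("x5c") or []
        if not published or header["x5t#S256"] != cert_sha256_b64url(published[0]):
            return None, "x5t#S256 in token header does not match the published leaf certificate"
    return jwk, "ok"


def header_size(header: dict) -> int:
    """Encoded header length in characters, to quantify the includeX5C overhead."""
    return len(encode_jwt_header(header))


# --- constructed sample data: not a real certificate, key or token ---
FAKE_DER_CERT = bytes([0x30, 0x82]) + bytes(range(256)) * 4      # ~1 KiB stand-in for a DER certificate
CERT_B64 = base64.b64encode(FAKE_DER_CERT).decode("ascii")
TRUSTED_JWKS = {"keys": [{"kty": "EC", "crv": "P-256", "kid": "c2id-2023", "use": "sig",
                          "x": b64url_encode(bytes(range(32))), "y": b64url_encode(bytes(range(32, 64))),
                          "x5c": [CERT_B64]}]}
LEAN_HEADER = {"alg": "ES256", "kid": "c2id-2023"}                    # op.idToken.includeX5C=false
FAT_HEADER = {"alg": "ES256", "kid": "c2id-2023", "x5c": [CERT_B64]}  # includeX5C=true (the default)
FORGED_HEADER = {"alg": "ES256", "kid": "c2id-2023",
                 "x5c": [base64.b64encode(b"attacker supplied cert").decode("ascii")]}

if __name__ == "__main__":
    print("lean header:", header_size(LEAN_HEADER), "chars; with x5c:", header_size(FAT_HEADER), "chars")
    token = encode_jwt_header(FAT_HEADER) + ".e30.sig"   # unsigned placeholder token
    for name, hdr in [("published", decode_jwt_header(token)), ("forged", FORGED_HEADER)]:
        jwk, reason = select_verification_key(hdr, TRUSTED_JWKS)
        print(name, "->", "use kid " + jwk["kid"] if jwk else "reject: " + reason)
```

The size difference is the whole effect of the setting for a relying party; the key selection logic is the same whether or not the chain is present, which is why turning "x5c" off costs nothing on the verification side.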
op.reg.allowNonTLSLogoutURIsForTest – this configuration property allows the registration of OpenID relying parties as clients with a frontchannel_logout_uri or backchannel_logout_uri that is an insecure (plain) HTTP URL. It is intended to help with test and devops deployments that cannot issue HTTPS certificates. Over plain HTTP the front-channel logout request made by the end-user's browser and the logout token POSTed to the back-channel URI travel unencrypted and can be read or altered on the network, so unsecured logout URLs must not be used in production!
op.reg.allowNonTLSLogoutURIsForTest=true
You can find more information about the frontchannel_logout_uri and backchannel_logout_uri parameters in their respective specifications, OpenID Connect Front-Channel Logout 1.0 and OpenID Connect Back-Channel Logout 1.0.
Bug fixes
This release fixes a bug that affected DPoP access tokens. If your Connect2id server deployment issues identifier-based access tokens with DPoP and runs in the stateless server mode you should upgrade to this version. In the affected setup the JWK thumbprint (jkt) confirmation of such tokens was not persisted in the token store (see the release notes below). Deployments that issue JWT-encoded access tokens, or that use a replication cluster or Redis, are not affected.
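To make the consequence of the fixed bug concrete, here is the resource-server side of DPoP binding for identifier-based access tokens, written as an added example and not taken from the Connect2id server. The jkt confirmation is the RFC 7638 thumbprint of the client's DPoP public key; it must be stored with the token so that token introspection can return it as cnf.jkt, and a resource server that gets a token without cnf must fail closed rather than accept it as a bearer token. The keys, the introspection responses and the reading that a lost jkt shows up as a missing cnf are constructed for this example; verifying the DPoP proof JWT itself (signature, htm, htu, iat, jti, ath) is assumed to happen before this check.

```python
"""Resource-server DPoP binding check for opaque access tokens (added example; not Connect2id code)."""
import base64
import hashlib
import hmac
import json
from typing import Tuple

# RFC 7638 section 3.2: members that enter the thumbprint hash, per key type.
# OKP keys follow RFC 8037. json.dumps(sort_keys=True) yields the required lexicographic order.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(compact JSON of the required public members)).
    Optional members (kid, alg, use) and private members are deliberately ignored."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty {kty!r}")
    members = {}
    for name in REQUIRED_MEMBERS[kty]:
        value = jwk.get(name)
        if not isinstance(value, str) or not value:
            raise ValueError(f"JWK is missing required member {name!r}")
        members[name] = value
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def cnf_for_dpop_key(public_jwk: dict) -> dict:
    """The confirmation an authorization server stores with (or embeds in) a DPoP-bound token."""
    return {"jkt": jwk_thumbprint(public_jwk)}


def check_dpop_binding(token_info: dict, proof_jwk: dict) -> Tuple[bool, str]:
    """Decide whether the DPoP proof key matches the token. token_info is the
    introspection response (or the claims of a JWT access token, which carry no
    "active"). Fails closed: a token with no cnf.jkt is never downgraded to bearer use."""
    if not token_info.get("active", True):
        return False, "token not active"
    cnf = token_info.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get("jkt"), str):
        return False, "no cnf.jkt: token is not DPoP-bound, refusing to accept it as bearer"
    try:
        presented = jwk_thumbprint(proof_jwk)
    except ValueError as exc:
        return False, f"bad DPoP proof key: {exc}"
    if not hmac.compare_digest(cnf["jkt"], presented):
        return False, "DPoP proof key does not match the token's cnf.jkt"
    return True, "DPoP binding verified"


# --- constructed keys: arbitrary byte patterns, not real curve points ---
CLIENT_DPOP_KEY = {"kty": "EC", "crv": "P-256", "kid": "dpop-1",
                   "x": b64url(bytes(range(1, 33))), "y": b64url(bytes(range(33, 65)))}
THIEF_KEY = {"kty": "EC", "crv": "P-256",
             "x": b64url(bytes(range(65, 97))), "y": b64url(bytes(range(97, 129)))}

# --- constructed introspection responses for the same opaque token ---
INTROSPECTION_BOUND = {"active": True, "sub": "alice", "scope": "read",
                       "cnf": cnf_for_dpop_key(CLIENT_DPOP_KEY)}   # jkt persisted and returned
INTROSPECTION_CNF_LOST = {"active": True, "sub": "alice", "scope": "read"}  # jkt never stored

if __name__ == "__main__":
    cases = [("legit client, cnf present", INTROSPECTION_BOUND, CLIENT_DPOP_KEY),
             ("stolen token, other key", INTROSPECTION_BOUND, THIEF_KEY),
             ("legit client, cnf lost", INTROSPECTION_CNF_LOST, CLIENT_DPOP_KEY)]
    for label, info, key in cases:
        print(f"{label}: {check_dpop_binding(info, key)}")
```

The last case is the one to watch for: when the server drops the jkt, the legitimate client is rejected, which is noisy and gets reported; the dangerous alternative is a resource server that treats a missing cnf as "plain bearer token" and thereby lets anyone who captured the token identifier use it without the DPoP key.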
Download 13.7
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.7: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: eec7f9bdb26b4d9eb2228c629a0c58ef3a015b82209727375387f6e75e957de6
Connect2id server 13.7 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 650dab0e9a0dd20ec8581e9af5df5bd94a21b2edda8a74954365663a3ab9ebde
Multi-tenant edition
Apache Tomcat package with Connect2id server 13.7: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 2198b564012f801b2ac14270e3ad4a1a48b67d7cb84bfd9b2988100364175673
Connect2id server 13.7 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 1a05a2721defb30fdcaf4b866eb5ecb52088b0973cad8edfc55c8e9e5661b172
Questions?
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
13.7 (2023-03-30)
Configuration
- /WEB-INF/oidcProvider.properties
  - op.idToken.includeX5C – New optional configuration to control inclusion of the “x5c” (X.509 certificate chain) header parameter in issued ID tokens when the signing JWK is provisioned with a certificate. The default value is true.
  - op.reg.allowNonTLSLogoutURIsForTest – New optional configuration property to allow registration of non-TLS (plain HTTP) front and back-channel logout URIs for test and development purposes. The default value is false (not allowed). Must not be allowed in production!
Resolved issues
- The JWK thumbprint (jkt) confirmation must be persisted in the “cnf” column of the “id_access_tokens” SQL table for identifier-based DPoP access tokens (issue authz-store/205).
Dependency changes
- Updates to com.nimbusds:oauth2-oidc-sdk:10.7.1
- Updates to com.nimbusds:oauth2-authz-store:19.5.1
- Updates to net.minidev:json-smart:2.4.10
- Updates to com.google.crypto.tink:tink:1.8.0
- Updates to com.google.code.gson:gson:2.10.1
- Updates to com.fasterxml.jackson.core:jackson-databind:2.13.4.2