Connect2id server 14.1

This is a mini Connect2id server update to the 14.0 release that appeared on Tuesday. It fixes an incorrect server SDK dependency declaration, which means 14.1 is the version to upgrade to (and not 14.0) from 13.x or older versions.

Support for OpenID Connect Federation 1.0 is bumped to the most recent stable 29 draft, in particular the new policy language.

There is also a new config to disable the automatic inclusion of X.509 certificate chains (x5c) in the JWS headers of signed authorisation responses (JARM).

If the configured Connect2id server signing keys have certificates, the server will automatically include them in the JWS header, unless the server is instructed not to do so. This will result in smaller JARM JWTs:


This configuration works similarly to the existing op.idToken.includeX5C and authzStore.accessToken.includeX5C configs.

More information can be found in the release notes below. If you have questions or need assistance with the new release contact us.

Download 14.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.1:

GPG signature:

SHA-256: c491ca76c1b8949f3a4df5147ec739eefb7057454091b26dc781b719eb3ee487

Connect2id server 14.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: ad70418441faf02a3895d0a2ac01365f679ff22208b9ed8aedfd26e84b83d261

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.1:

GPG signature:

SHA-256: 9fd68c5ca04ad91ad6939f56efbb48ce14879928fde062e7993bd24e9e5cfacb

Connect2id server 14.1 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: ad70418441faf02a3895d0a2ac01365f679ff22208b9ed8aedfd26e84b83d261


If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

14.1 (2023-06-30)


  • Upgrades OpenID Connect Federation 1.0 policy support to draft 29.


  • /WEB-INF/

    • op.authz.responseJWTIncludeX5C -- New optional configuration property of type boolean to enable / disable inclusion of the X.509 certificate chain ("x5c") header parameter in signed OAuth 2.0 authorisation responses (JARM) when the signing JWK is provisioned with a certificate. The default value is true (enabled).

Resolved issues

  • The com.nimbusds:c2id-server-sdk dependency must not be SNAPSHOT, but 4.58 (issue server/898).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.58

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:10.10.1

  • Updates to io.dropwizard.metrics:metrics-core:4.2.19