Connect2id server 14.10

This Connect2id server release improves the performance of expired entry purges in deployments with an SQL database. If your identity provider deployment handles a large number of sessions and identifier-based access tokens, both of which eventually expire, this upgrade will reduce the database traffic and load when the purge task runs.

The SQL connector also adds two Java system properties:

  • dataSource.maxLifetime -- Overrides the maximum SQL connection lifetime (in the Hikari connection pool).

  • dataSource.expiredQueryPageLimit -- Overrides the page limit in SQL select statements for expired records.

These two new properties are explained in the configuration docs for the supported SQL databases.

The dataSource.maxLifetime configuration override can be useful to address situations where the backend SQL database is configured to close connections before their expiration in the Connect2id server pool (30 minutes).

The release notes below have more information.

Download 14.10

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.10: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: c7143ea19bb1327809f6666a797e9e4558317812d06a8444401742d8d187e068

Connect2id server 14.10 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: ae45fafe8922d349aab6a4a81e20d04b78800d1330c0bf0a682acaadf2876ba4

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.10: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: d1bc3923a24e37e86b1159506c4933f87e5f03a7cf9c6945a4a93d117a393cae

Connect2id server 14.10 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 4a2f5411aac6e0019c44d972bb677e529b7e2feb15f5a26625bd0f2c4a6f6b74
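
A way to check a downloaded package against the digests and signatures listed above, as an added example that is not part of the Connect2id release notes. The function names are made up for illustration, and the script assumes the public GPG key linked above has already been imported into the local keyring.

```shell
#!/bin/sh
# Added example: check a Connect2id server 14.10 download against the SHA-256
# digests published on this page, then against its detached GPG signature.

# Digests copied from the download list above (digest, then file name).
MANIFEST='c7143ea19bb1327809f6666a797e9e4558317812d06a8444401742d8d187e068  Connect2id-server.zip
ae45fafe8922d349aab6a4a81e20d04b78800d1330c0bf0a682acaadf2876ba4  c2id.war
d1bc3923a24e37e86b1159506c4933f87e5f03a7cf9c6945a4a93d117a393cae  Connect2id-server-mt.zip
4a2f5411aac6e0019c44d972bb677e529b7e2feb15f5a26625bd0f2c4a6f6b74  c2id-mt.war'

# expected_sha256 NAME: print the published digest; fail for unknown names.
expected_sha256() {
    printf '%s\n' "$MANIFEST" |
        awk -v n="$1" '$2 == n { print $1; found = 1 } END { exit !found }'
}

# sha256_of FILE: print the lowercase digest (sha256sum, else shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"
    fi | awk '{ print tolower($1) }'
}

# check_sha256 FILE EXPECTED: succeed only when the whole digest matches
# (hex case is ignored).
check_sha256() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    actual=$(sha256_of "$1")
    [ -n "$actual" ] && [ "$actual" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# verify_package FILE: digest first, then the signature in FILE.asc.
# Assumes the vendor's public GPG key is already in the local keyring.
verify_package() {
    want=$(expected_sha256 "$(basename "$1")") ||
        { echo "not a 14.10 package name: $1" >&2; return 2; }
    check_sha256 "$1" "$want" || { echo "SHA-256 mismatch: $1" >&2; return 1; }
    gpg --verify "$1.asc" "$1" || { echo "signature check failed: $1" >&2; return 1; }
    echo "verified: $1"
}

# Verify every file named on the command line; stop at the first failure.
for f in "$@"; do
    verify_package "$f" || exit 1
done
```

A digest taken from the same page as the download only guards against a corrupted or swapped file on the mirror; the signature check is what ties the package to the vendor key, so confirm that key's fingerprint through a separate channel before relying on it.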

Questions?

For technical questions about this new release, contact Connect2id support. To purchase a production license for the Connect2id server, or to renew or upgrade your support and updates subscription, email our sales team.


Release notes

14.10 (2023-11-22)

Summary

  • Connect2id server deployments with an SQL database receive an optimised purge task and SQL query for expired records, such as records for expired subject sessions or identifier-based access tokens. The page limit in the SQL query to select expired records is made configurable, to enable further performance tuning.

    A Java system property to override the maximum lifetime of SQL connections in the connection pool is also made available.

Configuration

  • /WEB-INF/infinispan-*-{mysql|oracle|postgres95|sqlserver}.xml

    • Upgrades the SQL store schema to v3.2.

    • dataSource.maxLifetime -- New optional Java system property to override the default maximum lifetime of SQL connections in the Hikari connection pool. The value is expressed in milliseconds and must not be shorter than 30000 (30 seconds). The default value is 1800000 (30 minutes).

      This configuration can be used to address Hikari warnings (recorded in the Connect2id server log) "Failed to validate connection (Closed Connection)".

    • dataSource.expiredQueryPageLimit -- New optional Java system property to override the default page limit of SQL queries to select expired records, such as the records of expired subject sessions. The default page limit is 1000 records.

      This configuration can be used to optimise the retrieval of expired records by the Infinispan entry purge task.

    • Upgrades the SQL database connector and the sessionStore.sessionMap, authzStore.idAccessTokenMap, authzStore.expendedTokenMap, op.authSessionMap, clients.registrationsMap SQL definitions to select only expired records from the respective tables when the Infinispan purge task runs.

Resolved issues

  • The expired entry reaper in Connect2id server deployments with an SQL database must not terminate when an unchecked exception is encountered during an SQL select or delete query. The exception must be swallowed and an appropriate error logged (issue sql-store/31, sql-store/32).

  • The infinispan-replication-*.xml configurations must not use passivation for sessionStore.sessionMap and sessionStore.subjectMap as this is incompatible with shared cache stores (issue server/943).

  • Reduces and aligns the memory max-count limits in the infinispan-*-local-h2.xml configurations (issue server/944).

  • The page LIMIT in the SQL select query run by the purge task must be inlined (issue sql-store/29).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:24.8

  • Updates to com.nimbusds:oidc-session-store:16.8

  • Updates to com.nimbusds:infinispan-cachestore-sql:7.4.1

  • Updates to com.zaxxer:HikariCP:5.1.0

  • Updates to Log4j 2.22.0