Connect2id server 14.11

This Connect2id server release modifies the logout endpoint to allow post-logout redirections without an ID token hint (id_token_hint). It suffices for the client application that initiates the logout request to include its client_id only.

Example logout request with a post_logout_redirect_uri:

POST /logout HTTP/1.1
Content-Type: application/x-www-form-urlencoded


The SQL database connector received an upgrade and a performance fix for INSERT / UPDATE / MERGE queries.

There is more information about the resolved issues and changes in the release notes below.

Download 14.11

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.11:

GPG signature:

SHA-256: 114fcb67882dcb3b49ed4c2655ee34c5ea06679b55059ddc70523c309bdfbcc9

Connect2id server 14.11 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 8154f5dccd3a51409219d10190a26a68870a46fb78320aeee18dc29f17ca235a

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.11:

GPG signature:

SHA-256: 9b6ad435160c7db499691b2b03df858419fc4bdbc469ee555554b9801ace3d68

Connect2id server 14.11 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 67be25ddc6e36a2b86dbde89f326dd89ced8c887792bc7d1766e638c5991466b


For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

14.11 (2023-12-08)


  • /logout-sessions/rest/v1/

    • Logout requests initiated by an OpenID Relying Party (RP) with a post_logout_redirect_uri parameter will be allowed to proceed if the RP includes its client_id parameter. Previously such redirections were allowed to proceed only when a valid id_token_hint was provided in the request. With this change RPs that wish to perform a post-logout redirection have the choice to include an ID token hint, their client ID, or both, in order to enable the Connect2id server to validate the URI by checking it against the registered post_logout_redirect_uris metadata parameter for the RP.

Resolved issues

  • The client registration endpoint must allow registration of native applications with a localhost or loopback IP frontchannel_logout_uri (issue server/950).

  • The SQL database connector must not serialise the jOOQ Query to an intermediate String unless when dealing with Oracle (N)CLOB chunking. By using direct Query execution a PreparedStatement can be correctly inferred (issue sql-store/35).

  • Updates SQLStore.write() to switch from the deprecated jOOQ mergeInto() to an insertInto() for PostgreSQL and Oracle databases (issue sql-store/34).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:11.7.1

  • Updates to com.nimbusds:oauth2-authz-store:24.8.1

  • Updates to com.nimbusds:oidc-session-store:16.8.1

  • Updates to com.nimbusds:nimbus-jose-jwt:9.37.3

  • Updates to com.nimbusds:infinispan-cachestore-sql:7.4.3

  • Upgrades to

  • Updates to net.minidev:json-smart:2.5.0

  • Updates to

  • Updates to BouncyCastle 1.77

  • Updates to com.unboundid:unboundid-ldapsdk:6.0.11

  • Updates to com.nimbusds:tenant-registry:8.3.1