Connect2id server 14.3

This Connect2id server release fixes a bug in earlier 14.x versions that caused marshalling errors in deployments configured with a Redis store for cached and short-lived objects.

The check for the optional op.reg.clientIDByteLength configuration property was updated to limit the length of generated client identifiers to 48 bytes. The preferred_client_id registration parameter is now also bounded, to 80 characters. A value that exceeds this limit causes the client registration endpoint to return an HTTP 400 Bad Request with an invalid_client_metadata error.

The underlying OAuth 2.0 / OpenID Connect SDK dependency was updated and now includes support for RAR (RFC 9396). CustomTokenResponseComposer SPI plugins that implement RAR should be recompiled to check for potential conflicts with the new RAR API in the SDK, and updated when feasible to utilise the new type-safe RAR classes when adding an authorization_details parameter to a token response.

Built-in RAR support is on the Connect2id server roadmap and will be included in a future release.

You can find more information about this new release in the notes below.

Download 14.3

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.3: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: f0093e81657e540659c9240049a6ccb305d7e8508be9c22b0ffe8adc20b13d8f

Connect2id server 14.3 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: a8c79fc998bde94f46eed07688db1b578ab0a71f67002dcedd003e8d2c3bec82

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.3: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: a6853a25f1dd621b8615513d2d289224759c99659517c207bb93301c1da8c2bc

Connect2id server 14.3 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 49c664dd9f0456876e33a4fea3985f07c5b694059502810c8599e2ef69a660ae
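One way to check a downloaded package against the SHA-256 values and detached GPG signatures listed above, as an added example that is not part of the Connect2id release page. It assumes the Connect2id public GPG key has already been imported into the local keyring and that each .asc file sits next to its package; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify Connect2id server 14.3 downloads before deployment.

# SHA-256 values copied from the download list on this page.
published_sha256() {
    case "$1" in
        Connect2id-server.zip)    echo f0093e81657e540659c9240049a6ccb305d7e8508be9c22b0ffe8adc20b13d8f ;;
        c2id.war)                 echo a8c79fc998bde94f46eed07688db1b578ab0a71f67002dcedd003e8d2c3bec82 ;;
        Connect2id-server-mt.zip) echo a6853a25f1dd621b8615513d2d289224759c99659517c207bb93301c1da8c2bc ;;
        c2id-mt.war)              echo 49c664dd9f0456876e33a4fea3985f07c5b694059502810c8599e2ef69a660ae ;;
        *) return 1 ;;            # not a 14.3 artifact named on this page
    esac
}

# Print the hex digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the file exists and its digest equals the expected value
# (the expected value is compared case-insensitively).
verify_digest() {
    [ -f "$1" ] || return 1
    actual=$(sha256_of "$1") || return 1
    [ -n "$actual" ] && [ "$actual" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Digest first, then the detached signature FILE.asc.
# Returns 2 for an unknown file name, 1 for any verification failure.
verify_release() {
    name=$(basename "$1")
    expected=$(published_sha256 "$name") || { echo "unknown artifact: $name" >&2; return 2; }
    verify_digest "$1" "$expected" || { echo "SHA-256 mismatch: $name" >&2; return 1; }
    gpg --verify "$1.asc" "$1" || { echo "bad or missing signature: $name" >&2; return 1; }
    echo "OK: $name"
}
```

Source the file and call `verify_release` on each downloaded package. Treat any non-zero return as a reason not to deploy the file.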

Questions?

If you have technical questions about this new release, contact Connect2id support. To purchase a production license for the Connect2id server, or to renew or upgrade your support and updates subscription, email our sales.


Release notes

14.3 (2023-08-07)

Summary

  • Connect2id server 14.x deployments with a Redis store should update to this release, which fixes an issue related to ProtoBuf marshalling.

  • The OAuth 2.0 / OpenID Connect SDK dependency was updated to v10.13.2, which includes native OAuth 2.0 Rich Authorisation Requests (RAR) (RFC 9396) support. CustomTokenResponseComposer SPI plugins that implement RAR should be recompiled and, if feasible, updated to utilise the new type-safe methods of AccessTokenResponse when adding an "authorization_details" parameter to the response.

    Built-in RAR support is on the Connect2id server roadmap and will be included in a future release.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.reg.clientIDByteLength -- Updates the configuration property check: the length of generated client identifiers must not exceed 48 bytes.

Resolved issues

  • The client registration endpoint must return HTTP 400 Bad Request on a preferred_client_id that exceeds the maximum number of characters (80) that can be stored (issue server/901).

  • Fixes the authorisation code ProtoBuf marshalling in replication cluster and Redis-based Connect2id server deployments (issue server/902).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:10.13.2

  • Updates to com.nimbusds:oauth2-authz-store:24.5.2

  • Updates Infinispan to 14.0.13.Final

  • Updates to org.slf4j:slf4j-api:2.0.7