Connect2id server 14.5

Connect2id server 14.5 ships several small updates to its web APIs and fixes v14.x issues reported in August.

This release also adds an enhanced redirect_uri validation, to prevent clients from registering or using redirection URIs with query parameters that may lead to authorisation response parameter pollution, as discussed on the 24th of August at the OAuth Security Workshop in London. The pollution arises because the authorisation server appends the response parameters to whatever query string the registered redirect_uri already carries (RFC 6749, section 4.1.2); a redirect_uri pre-loaded with a "code" or "state" parameter therefore yields a callback with duplicate parameters, and a client that takes the first occurrence of each name will act on the wrong value. The extra redirect_uri check is implemented in the underlying OAuth 2.0 / OpenID Connect SDK and blocks clients from registering (or using) redirection URIs with query parameters named "code", "state" or "response" (the JARM response parameter), as these shadow the authorisation response parameters. A client that for some reason is registered with a redirect_uri containing one of these query parameters will have to re-register with a compliant URI.

More information about what's new or was fixed in v14.5 can be found in the release notes below.

We are currently in the process of reworking our 10-year-old connect2id.com website design. Our aim is to make it better, not worse, and to find out what people actually think or want improved we've set up this anonymous form. Your feedback will be highly appreciated.

Download 14.5

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.5: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 6ba96842a30c513cf2f29c6c49d196c54bfbec7094b874711712073c5c98b3b9

Connect2id server 14.5 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 7e8b27a0d9d3a0d75701ba115691732be3b61dec0c2edd2255722f70d80b305d

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.5: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 794adc95c528813969298b77c3dd8a5ee4a2ecc1d4809ad10b0fa730b0269c8f

Connect2id server 14.5 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 5139564949e4317bc16461841aa56b64db97ace2de292688ed66785ad155a90d

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

14.5 (2023-09-03)

Web API

  • /clients

    • Prevents registration of clients with "redirect_uris" that include a "code", "state" or "response" query parameter. OAuth 2.0 generally allows a client "redirect_uri" to include query parameters, which may be used, for instance, to route authorisation responses from multiple OAuth 2.0 servers or OpenID providers. This security measure follows a recent recommendation that clients must not include in a registered "redirect_uri" query parameters whose names are used by the OAuth 2.0 authorisation response.
  • /authz-sessions/rest/v3/

    • The authorisation session object (obtainable via an HTTP GET request) receives an optional "auth_req.max_age" member of type integer to represent the maximum authentication age, in seconds, in OpenID authentication requests.

    • The authorisation session object (obtainable via an HTTP GET request) receives an optional "auth_req.acr_values" member of type array to represent the Authentication Context Class Reference values in OpenID authentication requests.

    • The authorisation session object (obtainable via an HTTP GET request) receives an optional "auth_req.login_hint" member of type string to represent the login hint in OpenID authentication requests.

    • Rejects OAuth 2.0 authorisation and OpenID authentication requests with a "redirect_uri" that includes a "code", "state" or "response" query parameter with an "invalid_request" error. Redirection URIs with query parameters that match the name of an OAuth 2.0 authorisation response parameter are deemed unsafe, because the response parameters appended by the server would then collide with them. Clients that use such query parameters in a "redirect_uri" must re-register with a new compliant redirection URI.
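The following is an added illustration of the redirect_uri check described for the /clients and /authz-sessions endpoints above; it is not code from the Connect2id server or the OAuth 2.0 / OpenID Connect SDK, which are Java. It shows the pollution first (a callback built the RFC 6749 way on a redirect_uri that already carries "code" and "state", then parsed by a first-match client parser) and then the rejection. The parameter set, function names and the constructed sample URIs are assumptions; the check compares names after percent-decoding, so an encoded "c%6Fde" is caught as well.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that an OAuth 2.0 / JARM authorisation response uses and
# that v14.5 blocks in a registered or presented redirect_uri (assumed set, taken
# from the release notes; other response parameters could be added here).
RESERVED_RESPONSE_PARAMS = frozenset({"code", "state", "response"})


def reserved_params_in_redirect_uri(redirect_uri: str) -> list[str]:
    """Return the reserved names found in the query of redirect_uri, in order.

    parse_qsl percent-decodes the names, so "c%6Fde" is reported as "code";
    keep_blank_values=True makes a bare "?code" count too, because a client-side
    parser would still see that name. An empty list means the URI passes.
    """
    query = urlsplit(redirect_uri).query
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if n in RESERVED_RESPONSE_PARAMS]


def validate_redirect_uri(redirect_uri: str) -> None:
    """Raise ValueError where the server would reject the registration or answer
    the authorisation request with invalid_request."""
    bad = reserved_params_in_redirect_uri(redirect_uri)
    if bad:
        raise ValueError(
            "redirect_uri must not contain authorisation response parameter(s): "
            + ", ".join(sorted(set(bad)))
        )


def build_authz_response(redirect_uri: str, code: str, state: str) -> str:
    """Append code and state to the redirect_uri the way RFC 6749 section 4.1.2
    describes: the client's own query parameters are retained. Deliberately
    unvalidated, to show what the pollution looks like on the wire."""
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("code", code), ("state", state)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def first_match_parse(url: str) -> dict[str, str]:
    """A naive client-side parser that keeps the FIRST occurrence of each name;
    several web frameworks behave this way by default, which is the risk."""
    out: dict[str, str] = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        out.setdefault(name, value)
    return out


if __name__ == "__main__":
    # Constructed sample: a redirect_uri registered with pre-loaded response params.
    polluted_uri = "https://client.example.com/cb?code=attacker-code&state=attacker-state"
    callback = build_authz_response(polluted_uri, "real-code", "real-state")
    print("callback:", callback)
    print("first-match client sees:", first_match_parse(callback))

    # The v14.5 behaviour: the same URI is refused up front.
    for uri in (polluted_uri,
                "https://client.example.com/cb?c%6Fde=x",
                "https://client.example.com/cb?response",
                "https://client.example.com/cb?provider=op1"):
        try:
            validate_redirect_uri(uri)
            print("accepted:", uri)
        except ValueError as e:
            print("rejected:", uri, "->", e)
```

The check is deliberately exact-name and case-sensitive, as query parameter names are; a registration validator that also wants to enforce the older RFC 6749 rule would additionally reject any redirect_uri carrying a fragment.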

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.59

    • The CustomTokenResponseComposer SPI extends Lifecycle.

Resolved issues

  • Alters the Oracle "clients" table definition of the "jwks" column from VARCHAR2(4000) to CLOB (issue server/910).

  • Logs the IDTokenIssueEventListener SPI and AccessTokenIssueEventListener SPI enabled status (issue server/915).

  • Isolates expended rotated self-contained (JWT) refresh tokens by subject (end-user) session ID when the refresh token is issued in an OAuth 2.0 authorisation code grant. This applies to clients with multiple instances per subject (end-user) where the consent is transient (long_lived=false) (issue authz-store/223).

  • Logs the OP8041 INFO message only when there are explicit OpenID Connect Federation 1.0 clients reaped (issue server/916).

  • Removes redundant Infinispan externalisers used in the OpenID Connect Federation 1.0 explicit client index (issue server/917).

  • Fixes an HTTP 500 Internal Server Error at the authorisation session web API when an OpenID authentication request contained certain illegal JSON in the "claims" parameter, which produced an OAuth 2.0 "error_description" containing a double-quote character, a character that RFC 6749, section 5.2 does not permit in that field (issue server/919).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.59

  • Updates to com.nimbusds:oauth2-oidc-sdk:10.14.2

  • Updates to com.nimbusds:oauth2-authz-store:24.6

  • Updates to net.minidev:json-smart:2.4.11

  • Updates to com.google.crypto.tink:tink:1.10.0