Connect2id server 14.9
This release ships an enhancement for Connect2id server deployments with an AWS DynamoDB. The purge thread that wakes up periodically to scan the subject (end-user) sessions table for expired entries and then delete them will now automatically limit the rate of read and write capacity unit consumption to 10% of the provisioned for the
The rate limiting moderates the use of capacity units when the purge thread is running. With a DynamoDB table in provisioned mode the rate limiting ensures the scan (and delete) requests will not potentially starve regular API requests of database capacity. In on-demand mode the rate limiting smooths potential peaks in capacity use and thus can help reduce your AWS bill.
The default configuration can be overridden with a dynamodb.purgeMaxReadCapacity Java system property, by setting it to an absolute capacity unit value, or to a percentage (evaluated using the reported provisioned read capacity every time before the purge thread runs).
Example override to use at most 20 read capacity units / second for purges:
Example override to rate limit the consumption to 15% of the current read capacity units for the table:
Note that when automatic DynamoDB TTL expiration is enabled for the sessions table the Connect2id server will not run the purge thread (as all sessions are being expired within DynamoDB) and the have no effect then.
Check the release notes below for more information.
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 14.9: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
Connect2id server 14.9 WAR package: c2id.war
GPG signature: c2id.war.asc
Apache Tomcat package with Connect2id server 14.9: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
Connect2id server 14.9 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Connect2id server deployments with an AWS DynamoDB receive rate limiting of the paged scan and delete requests that purge the database of expired subject sessions. This enhancement guards regular requests to DynamoDB from potentially being starved of their provisioned database read and write capacity when a purge scan is taking place. Moderating the purge scans may also smooth spikes in DynamoDB consumption over time and thus enable the provisioned capacity to be lowered to save costs.
Note, in deployments where native DynamoDB TTL expiration is enabled for the subject sessions, by setting the "dynamodb.enableTTL.sessionStore.sessionMap" Java system property to true, the sessions will be expired automatically by DynamoDB and the Connect2id server doesn't need to run purge scans on the sessions table. The TTL expiration suits Connect2id server deployments that have no OpenID relying parties registered to receive logout and session expiration notifications. Such notifications can be generated only when the sessions are expired by the Connect2id server itself.
- Upgrades the dynamodb schema to v2.1.
Scan and delete requests that purge the sub_sessions table of expired subject sessions are rate limited to 10% of the reported provisioned read capacity for the table. For example, if the table is provisioned with 100 read capacity units, the purge scan read and delete operations will be rate limited to consuming 10 capacity units.
To specify a different value set the "dynamodb.purgeMaxReadCapacity" Java system property to the desired maximum read capacity units that may be consumed during a purge, as an absolute value, e.g. 20, or as a percentage of the current provisioned read capacity of the table, e.g. 20%. Any write capacity consumed to delete expired items is bounded by the "dynamodb.purgeMaxReadCapacity" and will always stay below it. The default value of "dynamodb.purgeMaxReadCapacity" is 10%, as explained above.
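As an added illustration (not Connect2id code), the following Python models the budgeting described in the announcement and in the configuration note above: resolving dynamodb.purgeMaxReadCapacity against the currently reported provisioned read capacity, then pacing a purge's paged scan reads and item deletes so their combined consumption stays within that budget. The pacing algorithm, the page sizes and the ConsumedCapacity values are constructed assumptions, not the server's actual implementation.

```python
DEFAULT_PURGE_SETTING = "10%"   # documented default of dynamodb.purgeMaxReadCapacity

def resolve_purge_budget(setting, provisioned_rcu):
    """Capacity units per second a purge may consume. `setting` is an absolute
    value ("20") or a percentage ("15%") of the read capacity reported right
    before the purge runs, so the caller passes the current value each time."""
    text = (setting or DEFAULT_PURGE_SETTING).strip()
    if text.endswith("%"):
        percent = float(text[:-1])
        if not 0 < percent <= 100:
            raise ValueError(f"percentage out of range: {setting!r}")
        return provisioned_rcu * percent / 100.0
    units = float(text)
    if units <= 0:
        raise ValueError(f"capacity must be positive: {setting!r}")
    return units

class CapacityPacer:
    """Keeps cumulative consumed units / elapsed seconds <= budget.
    Simulated clock; a real purge thread would sleep for the returned delay."""

    def __init__(self, budget):
        self.budget = budget
        self.consumed = 0.0
        self.clock = 0.0

    def charge(self, consumed_units):
        """Account a request's reported ConsumedCapacity; return the pause
        required before the next scan page or delete may be issued."""
        self.consumed += consumed_units
        earliest = self.consumed / self.budget   # when this total is allowed
        delay = max(0.0, earliest - self.clock)
        self.clock += delay
        return delay

def simulate_purge(pages, setting, provisioned_rcu):
    """Feed constructed scan pages (read units, [write units per delete]) to a
    pacer; deletes of expired items are charged against the same budget."""
    budget = resolve_purge_budget(setting, provisioned_rcu)
    pacer = CapacityPacer(budget)
    for read_units, delete_writes in pages:
        pacer.charge(read_units)
        for write_units in delete_writes:
            pacer.charge(write_units)
    rate = pacer.consumed / pacer.clock if pacer.clock else 0.0
    return {"budget": budget, "units": pacer.consumed,
            "elapsed_s": pacer.clock, "rate": rate}

# Constructed sample: three scan pages with their ConsumedCapacity and deletes.
SAMPLE_PAGES = [(25.0, [1.0, 1.0, 1.0]), (30.0, [1.0]), (12.0, [])]
```

With the default setting and a table provisioned at 100 read capacity units, the 71 units consumed by the sample run are spread over about 7.1 seconds, so the observed rate never exceeds the 10 unit budget.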
The expired entry reaper in Connect2id server deployments with an AWS DynamoDB must not terminate when an unchecked parse or another exception is thrown while parsing a retrieved DynamoDB item. This may occur with DynamoDB items manipulated outside the Connect2id server APIs. Instead, the exception must be swallowed and an error with the offending item logged. This is now done with a DS0152 log error (issue dynamodb-store/21).
The *.dynamoDB.deleteTimer metrics must include DynamoDB delete requests performed as part of purges of expired items (issue dynamodb-store/22).
Removes legacy comma separator support in
Updates to com.nimbusds:oauth2-oidc-sdk:11.6
Updates to com.nimbusds:nimbus-jose-jwt:9.37.1
Updates to com.nimbusds:oauth2-authz-store:24.7.3
Updates to com.nimbusds:oidc-session-store:16.7.5
Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:5.2