Connect2id server 14.9

This release ships an enhancement for Connect2id server deployments that use AWS DynamoDB. The purge thread, which wakes up periodically to scan the subject (end-user) sessions table for expired entries and delete them, now automatically limits its consumption of read and write capacity units to 10% of the read capacity provisioned for the sub_sessions table.

The rate limiting moderates the consumption of capacity units while the purge thread is running. For a table in provisioned mode it ensures the scan (and delete) requests cannot starve regular API requests of database capacity. In on-demand mode it smooths potential peaks in capacity use, which may help reduce your AWS bill.

The default can be overridden with the dynamodb.purgeMaxReadCapacity Java system property, set either to an absolute number of capacity units per second or to a percentage of the provisioned read capacity (re-evaluated from the table's reported provisioned read capacity each time before the purge thread runs). Note that an on-demand table reports no provisioned read capacity, so a percentage has nothing to be evaluated against there; use an absolute value for such tables.

Example override to use at most 20 read capacity units / second for purges:

dynamodb.purgeMaxReadCapacity=20

Example override to rate limit the consumption to 15% of the current read capacity units for the table:

dynamodb.purgeMaxReadCapacity=15%

Note that when native DynamoDB TTL expiration is enabled for the sessions table the Connect2id server does not run the purge thread at all (DynamoDB expires the sessions itself), so dynamodb.purgeMaxReadCapacity has no effect in that configuration.

Check the release notes below for more information.

Download 14.9

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.9: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: e64d17123bf28407252f8699b029421d888e8e0351478b45c96981fc5bafa6c1

Connect2id server 14.9 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: e4a74dfd5d2ffe1d326adaff2a735672abc2214c95b2fed0ca1681a787344f56

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.9: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: a416855669d1e18b0e5e83941c500c8a98abb83fe24591f46b32b99ac95aac82

Connect2id server 14.9 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 9d5efad8de9e16ca4e5d6e200c6bcbdadbfba41f238ce6b8cf6da53217d2ba4a

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

14.9 (2023-11-13)

Summary

  • Connect2id server deployments with AWS DynamoDB receive rate limiting of the paged scan and delete requests that purge the database of expired subject sessions. The enhancement guards regular DynamoDB requests from being starved of their provisioned read and write capacity while a purge scan is in progress. Moderating the purge scans may also smooth spikes in DynamoDB consumption over time, allowing the provisioned capacity to be lowered to save costs.

    Note: in deployments where native DynamoDB TTL expiration is enabled for the subject sessions, by setting the "dynamodb.enableTTL.sessionStore.sessionMap" Java system property to true, DynamoDB expires the sessions itself and the Connect2id server does not need to run purge scans on the sessions table. TTL expiration suits deployments with no OpenID relying parties registered to receive logout and session expiration notifications, because such notifications can be generated only when the sessions are expired by the Connect2id server itself.

Configuration

  • /WEB-INF/infinispan-*-dynamodb.xml

    • Upgrades the dynamodb schema to v2.1.
  • /WEB-INF/infinispan-*-{stateless|replication}-dynamodb.xml

    • Scan and delete requests that purge the sub_sessions table of expired subject sessions are rate limited to 10% of the reported provisioned read capacity of the table. For example, if the table is provisioned with 100 read capacity units, the purge scan reads and deletes together are limited to 10 capacity units per second.

      To specify a different value set the "dynamodb.purgeMaxReadCapacity" Java system property to the maximum read capacity units that may be consumed per second during a purge, either as an absolute value, e.g. 20, or as a percentage of the table's current provisioned read capacity, e.g. 20%. The write capacity consumed to delete expired items is charged against the same "dynamodb.purgeMaxReadCapacity" budget and therefore always stays below it. The default, as explained above, is 10%.
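      As an added illustration of the purge rate limiting described in the announcement above and in this configuration note (example code, not the Connect2id server's own implementation), the following Python shows how an absolute or percentage dynamodb.purgeMaxReadCapacity value resolves against a table's reported provisioned read capacity, and how a token bucket measured in capacity units paces paged scan and delete requests by charging each response's ConsumedCapacity after the fact, with deletes drawing on the same budget. The scan pages, the delete stub, the simulated clock and the sid/exp attribute names are all constructed for the demonstration and no AWS calls are made. The reaper loop also skips, rather than dies on, an item with an unparseable expiration, in the spirit of the dynamodb-store/21 fix listed under the resolved issues below.

```python
"""Added example: pacing a DynamoDB purge by consumed capacity units.

Not Connect2id server code. Attribute names (sid, exp), the delete stub and
the scan pages are constructed for the demo; nothing talks to AWS."""
import logging
import re
import time

log = logging.getLogger("purge-demo")

DEFAULT_PURGE_MAX_READ_CAPACITY = "10%"   # the server's documented default


def resolve_purge_limit(setting: str, provisioned_rcu: float) -> float:
    """Map a dynamodb.purgeMaxReadCapacity value ("20" or "15%") to units/second.

    provisioned_rcu is ProvisionedThroughput.ReadCapacityUnits from DescribeTable;
    an on-demand table reports 0 there, so a percentage cannot be evaluated."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(%?)\s*", setting)
    if not m:
        raise ValueError(f"bad dynamodb.purgeMaxReadCapacity value: {setting!r}")
    value = float(m.group(1))
    if m.group(2) != "%":
        return value
    if provisioned_rcu <= 0:
        raise ValueError("percentage limit needs a provisioned table (on-demand reports 0 RCU)")
    return provisioned_rcu * value / 100.0


class SimulatedClock:
    """Constructed clock so the demo runs instantly; use time.monotonic/time.sleep for real."""
    def __init__(self):
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


class CapacityPacer:
    """Token bucket in capacity units, refilled at `rate` units/second.

    DynamoDB only reports a request's cost in its response, so the cost is
    charged after the fact and the *next* request waits while the bucket is
    in debt. Deletes are charged to the same bucket, which is what keeps the
    purge's write consumption below the read budget."""
    def __init__(self, rate: float, clock=time.monotonic, sleep=time.sleep):
        if rate <= 0:
            raise ValueError("rate must be positive")
        self.rate, self.clock, self.sleep = rate, clock, sleep
        self.tokens = rate              # one second of burst at start (assumption)
        self.last = clock()

    def _refill(self) -> None:
        now = self.clock()
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def acquire(self) -> float:
        """Block until the bucket is out of debt; return the seconds waited."""
        self._refill()
        if self.tokens >= 0:
            return 0.0
        wait = -self.tokens / self.rate
        self.sleep(wait)
        self._refill()
        return wait

    def charge(self, units: float) -> None:
        self.tokens -= units


def purge_expired_sessions(pages, now_epoch, pacer, delete_item):
    """Walk Scan responses (boto3 shape, ReturnConsumedCapacity=TOTAL), delete the
    expired items, never abort on a malformed one. Returns (deleted, skipped, waited_s)."""
    deleted = skipped = 0
    waited = 0.0
    for page in pages:
        waited += pacer.acquire()       # pace before the scan page is "issued"
        pacer.charge(page["ConsumedCapacity"]["CapacityUnits"])
        for item in page["Items"]:
            try:
                exp = int(item["exp"]["N"])
            except (KeyError, ValueError, TypeError) as e:
                # an item edited outside the server API must not kill the reaper
                log.error("skipping unparseable item %s: %s", item.get("sid"), e)
                skipped += 1
                continue
            if exp <= now_epoch:
                waited += pacer.acquire()
                pacer.charge(delete_item(item["sid"]))   # WCU of the DeleteItem
                deleted += 1
    return deleted, skipped, waited


def sample_pages():
    """Constructed scan pages: 4 RCU each, one item with a corrupt exp."""
    return [
        {"Items": [{"sid": {"S": "s1"}, "exp": {"N": "100"}},
                   {"sid": {"S": "s2"}, "exp": {"N": "900"}},
                   {"sid": {"S": "s3"}, "exp": {"N": "oops"}}],
         "ConsumedCapacity": {"TableName": "sub_sessions", "CapacityUnits": 4.0}},
        {"Items": [{"sid": {"S": "s4"}, "exp": {"N": "50"}},
                   {"sid": {"S": "s5"}, "exp": {"N": "200"}}],
         "ConsumedCapacity": {"TableName": "sub_sessions", "CapacityUnits": 4.0}},
    ]


def run_demo(setting=DEFAULT_PURGE_MAX_READ_CAPACITY, provisioned_rcu=20, now_epoch=500):
    """10% of 20 RCU = 2 units/s; 11 units are consumed, so the reaper sleeps 4 s in total."""
    clock = SimulatedClock()
    pacer = CapacityPacer(resolve_purge_limit(setting, provisioned_rcu), clock.now, clock.sleep)
    return purge_expired_sessions(sample_pages(), now_epoch, pacer, lambda key: 1.0)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(run_demo())   # (3, 1, 4.0)
```

      Running the demo with a 20 RCU table and the 10% default gives a 2 unit/s budget: the two 4 RCU scan pages and three 1 WCU deletes total 11 units, so the loop sleeps about 4 seconds in all, while the item with the corrupt exp attribute is logged and skipped instead of ending the purge. Charging after the fact is deliberate; DynamoDB does not let you pre-pay a scan page, so the only honest accounting is to let the bucket go into debt and delay the next request.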

Resolved issues

  • The expired entry reaper in Connect2id server deployments with AWS DynamoDB must not terminate when an unchecked parse or other exception is thrown while parsing a retrieved DynamoDB item, which may happen with items manipulated outside the Connect2id server APIs. Instead, the exception must be caught and an error naming the offending item logged. This is now done with a DS0152 log error (issue dynamodb-store/21).

  • The *.dynamoDB.deleteTimer metrics must include DynamoDB delete requests performed as part of purges of expired items (issue dynamodb-store/22).

  • Removes legacy comma separator support in Scope.parse(String) (issue oidc-sdk/445).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:11.6

  • Updates to com.nimbusds:nimbus-jose-jwt:9.37.1

  • Updates to com.nimbusds:oauth2-authz-store:24.7.3

  • Updates to com.nimbusds:oidc-session-store:16.7.5

  • Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:5.2