Connect2id server 15.1
This mini update of the Connect2id server addresses three issues reported last week.
The optional
op.reg.rejectNonTLSRedirectionURIs
configuration property that enables the HTTPS requirement for redirection URLs
in the OAuth 2.0 code flow to be relaxed gets extended to cover native
applications as well. Previously it affected web applications only. The
relaxing of the HTTPS redirection_uri requirement is intended primarily for
testing and development purposes and should not be used in production.
Registration of native (mobile and desktop) applications as OAuth 2.0 clients and OpenID relying parties and what types of redirection URIs are accepted is explained here.
This release also addresses two issues related to the processing of requests at
the authorisation endpoint. The
parsing of requests was hardened to ignore query parameters with illegal escape
sequences so that they won't produce an unchecked exception and an HTTP 500
Server Error in the
API. A
bug that affected the correct application of configured scope value to claims
mappings in prompt=none
requests and requests that get cleared entirely from stored consent was also
fixed.
A slightly more detailed information can be found the release notes below.
Download 15.1
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 15.1: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 9057fca2e7b37ef9fb19fdae1fde468f82ba9cc90d03d760de3006b69e53a928
Connect2id server 15.1 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: fc7c74fd689d40080f319fc68d06f64e5d3d7fd9afb80acac024ab45c1936c05
Multi-tenant edition
Apache Tomcat package with Connect2id server 15.1: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 6e6796cc4609a03cc29d8784746a4518685260dc0637c6c777735125366f60e1
Connect2id server 15.1 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 3f819529e02ac7e4d66796cd5a5801f8bceb712b8511598065c9fd2695bd0c90
Questions?
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
15.1 (2024-01-08)
Configuration
/WEB-INF/oidcProvider.properties
- op.reg.rejectNonTLSRedirectionURIs -- The configuration property is
extended to apply to native applications (OAuth 2.0 clients registered
with
application_typeset tonative). Previously it applied only to web applications (clients registered withapplication_typeset toweb). The default value remainstrue(non-TLS web host URLs rejected).
- op.reg.rejectNonTLSRedirectionURIs -- The configuration property is
extended to apply to native applications (OAuth 2.0 clients registered
with
Resolved issues
Configured custom scope value to claim name mappings (
op.claims.map.*) must be observed when processingprompt=noneand equivalent OpenID authentication requests (issue server/961).Processing of OAuth 2.0 authorisation and OpenID authentication requests is hardened to ignore query parameters with illegal escape sequences in the query parameter name or value. Previously such illegal escape sequences in the query string would produce an unchecked exception resulting in an HTTP 500 Server Error in the authorisation session start (POST) request (issue server/958).
Logs an
OP1202INFO message whenever the SSO for an end-user is disabled due to the requesting client matching the optionalop.sso.disableForSelectedClientsconfiguration (issue server/959).
Dependency changes
- Updates to com.nimbusds:oauth2-oidc-sdk:11.9.1