Connect2id server 15.1
This mini update of the Connect2id server addresses three issues reported last week.
The op.reg.rejectNonTLSRedirectionURIs configuration property, which enables the HTTPS requirement for redirection URIs in the OAuth 2.0 code flow to be relaxed, is extended to cover native applications as well. Previously it affected web applications only. Relaxing the HTTPS redirection_uri requirement is intended primarily for testing and development purposes and should not be used in production.
Registration of native (mobile and desktop) applications as OAuth 2.0 clients and OpenID relying parties and what types of redirection URIs are accepted is explained here.
This release also addresses two issues related to the processing of requests at the authorisation endpoint. The parsing of requests was hardened to ignore query parameters with illegal escape sequences, so that they won't produce an unchecked exception and an HTTP 500 Server Error in the authorisation session start request. A bug that affected the correct application of configured scope value to claim name mappings in requests that get cleared entirely from stored consent was also fixed.
Slightly more detailed information can be found in the release notes below.
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 15.1: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
Connect2id server 15.1 WAR package: c2id.war
GPG signature: c2id.war.asc
Apache Tomcat package with Connect2id server 15.1: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
Connect2id server 15.1 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
- op.reg.rejectNonTLSRedirectionURIs -- The configuration property is extended to apply to native applications (OAuth 2.0 clients registered with application_type native). Previously it applied only to web applications (clients registered with application_type web). The default value remains true (non-TLS web host URLs rejected).
- Configured custom scope value to claim name mappings (op.claims.map.*) must be observed when processing prompt=none and equivalent OpenID authentication requests (issue server/961).
- Processing of OAuth 2.0 authorisation and OpenID authentication requests is hardened to ignore query parameters with illegal escape sequences in the query parameter name or value. Previously such illegal escape sequences in the query string would produce an unchecked exception resulting in an HTTP 500 Server Error in the authorisation session start (POST) request (issue server/958).
- OP1202 INFO message logged whenever the SSO for an end-user is disabled due to the requesting client matching the optional op.sso.disableForSelectedClients configuration (issue server/959).
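The query parameter hardening for issue server/958 above, shown as an added example that is not Connect2id server code (Java 10 or later): the authorisation request query string is constructed, and the strict flag reproduces the pre-fix behaviour where URLDecoder's unchecked IllegalArgumentException escapes the parser.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class LenientQueryParser {

    // strict=true reproduces the pre-hardening behaviour: the first illegal escape
    // throws URLDecoder's unchecked IllegalArgumentException out of the parser,
    // which an endpoint that does not catch it turns into an HTTP 500.
    // strict=false is the hardened behaviour: the offending parameter is skipped
    // and logged, and the remaining parameters are still returned.
    public static Map<String, String> parse(String query, boolean strict) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            try {
                params.put(URLDecoder.decode(name, StandardCharsets.UTF_8),
                           URLDecoder.decode(value, StandardCharsets.UTF_8));
            } catch (IllegalArgumentException e) {
                if (strict) throw e;
                // e.g. "%zz" or a truncated "%2": drop just this parameter, keep the rest
                System.err.println("Ignoring query parameter with illegal escape: " + pair);
            }
        }
        return params;
    }

    public static void main(String[] args) {
        // Constructed authorisation request query; the "state" value carries an
        // illegal escape sequence, every other parameter is well-formed
        String query = "response_type=code&client_id=123&scope=openid%20email"
                     + "&state=%zz&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb";
        System.out.println("hardened: " + parse(query, false));
        // Pre-fix path: propagates the exception instead of returning the parameters
        System.out.println("strict:   " + parse(query, true));
    }
}
```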
- Updates to com.nimbusds:oauth2-oidc-sdk:11.9.1