Connect2id server 15.1

This mini update of the Connect2id server addresses three issues reported last week.

The optional op.reg.rejectNonTLSRedirectionURIs configuration property that enables the HTTPS requirement for redirection URLs in the OAuth 2.0 code flow to be relaxed gets extended to cover native applications as well. Previously it affected web applications only. The relaxing of the HTTPS redirection_uri requirement is intended primarily for testing and development purposes and should not be used in production.

Registration of native (mobile and desktop) applications as OAuth 2.0 clients and OpenID relying parties and what types of redirection URIs are accepted is explained here.

This release also addresses two issues related to the processing of requests at the authorisation endpoint. The parsing of requests was hardened to ignore query parameters with illegal escape sequences so that they won't produce an unchecked exception and an HTTP 500 Server Error in the API. A bug that affected the correct application of configured scope value to claims mappings in prompt=none requests and requests that get cleared entirely from stored consent was also fixed.

A slightly more detailed information can be found the release notes below.

Download 15.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 15.1:

GPG signature:

SHA-256: 9057fca2e7b37ef9fb19fdae1fde468f82ba9cc90d03d760de3006b69e53a928

Connect2id server 15.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: fc7c74fd689d40080f319fc68d06f64e5d3d7fd9afb80acac024ab45c1936c05

Multi-tenant edition

Apache Tomcat package with Connect2id server 15.1:

GPG signature:

SHA-256: 6e6796cc4609a03cc29d8784746a4518685260dc0637c6c777735125366f60e1

Connect2id server 15.1 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 3f819529e02ac7e4d66796cd5a5801f8bceb712b8511598065c9fd2695bd0c90


For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

15.1 (2024-01-08)


  • /WEB-INF/

    • op.reg.rejectNonTLSRedirectionURIs -- The configuration property is extended to apply to native applications (OAuth 2.0 clients registered with application_type set to native). Previously it applied only to web applications (clients registered with application_type set to web). The default value remains true (non-TLS web host URLs rejected).

Resolved issues

  • Configured custom scope value to claim name mappings (*) must be observed when processing prompt=none and equivalent OpenID authentication requests (issue server/961).

  • Processing of OAuth 2.0 authorisation and OpenID authentication requests is hardened to ignore query parameters with illegal escape sequences in the query parameter name or value. Previously such illegal escape sequences in the query string would produce an unchecked exception resulting in an HTTP 500 Server Error in the authorisation session start (POST) request (issue server/958).

  • Logs an OP1202 INFO message whenever the SSO for an end-user is disabled due to the requesting client matching the optional op.sso.disableForSelectedClients configuration (issue server/959).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:11.9.1