Skip to content
Connect2id
Connect2id server

Connect2id server 15.7

This Connect2id server release enabled support for issue of DPoP bound access tokens, for the JWT as well as the SAML 2.0 bearer grants. With the next major 16.0 release, the server is also going to support the dpop_bound_access_tokens client metadata parameter, so that a client can be required to always use DPoP in its registration.

This release also updates two of the Connect2id server SPIs.

The SPI for ID token issue events receives a new IDTokenIssueEvent.getLocalSubject() method to access the local (system) end-user ID, which can be useful in cases when the ID token sub (subject) is a pairwise identifier.

The SPI for customising token responses receives new methods to access the OpenID claims source and a generic JWT signer.

More information about this new release can be found in the customary notes below.

If you are an authentication provider and have come across Microsoft’s May announcement to allow the plugin of External Authentication Method (EAM) providers into Entra ID, check out our new guide how to achieve this with the Connect2id server. If there is sufficient feedback and demand we’ll consider creating an official maintained Connect2id server plugin for Entra EAM.

Download 15.7

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 15.7: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 5ae6d0051302f7734aa09081bad943a2a56d32409b08a8acec6239b387bbab24

Connect2id server 15.7 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 872123f8df4ed3ccc7d57cf8ce1f9bd2ba524cadcc61412ea82e8a091bbe4859

Multi-tenant edition

Apache Tomcat package with Connect2id server 15.7: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: c32dbe7d03dde79848b7690c81d24eba1bb2e8a17559043a420b5816e8ae3419

Connect2id server 15.7 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 1a7d7fc290bdcc4bc32401a564bf964c735ba578a211fe32c7a3df1b37e059a1

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

15.7 (2024-06-03)

Summary

  • Enables issue of DPoP access tokens (RFC 9449) for the JWT and SAML 2.0 bearer OAuth 2.0 grants.

  • Updates the CustomTokenResponseComposer SPI to provide access the OpenID claims source and a generic JWT signer.

  • Updates the IDTokenIssueEvent in the IDTokenIssueEventListener SPI to provide access to the local subject, useful in cases when the ID token sub (subject) is a pairwise identifier.

Web API

  • /token

    • Enables support for issue of DPoP-bound access tokens (RFC 9449) for the following OAuth 2.0 grants:

      • urn:ietf:params:oauth:grant-type:jwt-bearer (RFC 7523)

      • urn:ietf:params:oauth:grant-type:saml2-bearer (RFC 7522)

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:5.5

    • The CustomTokenResponseComposer SPI is updated, adding methods to the TokenResponseContext to access the OpenID claims source and a generic JWT signer.

    • IDTokenIssueEvent, part of the IDTokenIssueEventListener SPI, provides access to the local ID token subject, useful in cases when the ID token sub (subject) claim is a pairwise identifier.

Resolved issues

  • The Connect2id server must accept signed request objects (JARs) with the JWT typ (type) header values oauth-authz-req+jwt (see RFC 9101) and JWT (issue server/999).

  • The logout JWT in OpenID Connect back-channel logout notifications must include an exp (expiration time) claim. The expiration for the logout JWTs is set 5 minutes into future (issue server/1000).

  • Improves the parse performance of JSON numbers in JWT claims sets (issue nimbus-jose-jwt/546).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:5.5

  • Updates to com.nimbusds:oauth2-oidc-sdk:11.12

  • Updates to com.nimbusds:c2id-server-jwkset:1.30.5

  • Updates to com.nimbusds:nimbus-jose-jwt:9.39.3

  • Updates to com.google.code.gson:gson:2.11.0

  • Updates to commons-codec:commons-codec:1.17.0