Connect2id server 15.7

This Connect2id server release enables the issue of DPoP-bound access tokens for the JWT and the SAML 2.0 bearer grants. With the next major release, 16.0, the server is also going to support the dpop_bound_access_tokens client metadata parameter, so that a client's registration can require it to always use DPoP.

This release also updates two of the Connect2id server SPIs.

The SPI for ID token issue events receives a new IDTokenIssueEvent.getLocalSubject() method to access the local (system) end-user ID, which can be useful in cases when the ID token sub (subject) is a pairwise identifier.

The SPI for customising token responses receives new methods to access the OpenID claims source and a generic JWT signer.

More information about this new release can be found in the customary notes below.

If you are an authentication provider and have come across Microsoft's May announcement to allow External Authentication Method (EAM) providers to be plugged into Entra ID, check out our new guide on how to achieve this with the Connect2id server. If there is sufficient feedback and demand, we'll consider creating an officially maintained Connect2id server plugin for Entra EAM.

Download 15.7

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 15.7: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 5ae6d0051302f7734aa09081bad943a2a56d32409b08a8acec6239b387bbab24

Connect2id server 15.7 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 872123f8df4ed3ccc7d57cf8ce1f9bd2ba524cadcc61412ea82e8a091bbe4859

Multi-tenant edition

Apache Tomcat package with Connect2id server 15.7: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: c32dbe7d03dde79848b7690c81d24eba1bb2e8a17559043a420b5816e8ae3419

Connect2id server 15.7 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 1a7d7fc290bdcc4bc32401a564bf964c735ba578a211fe32c7a3df1b37e059a1
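
The download list above gives a SHA-256 value and a detached GPG signature for each package. As an added example (not Connect2id's own tooling), the sh functions below compare a downloaded file with the digest published here and, when the .asc file and gpg are present, also check the signature; the function names and exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code): check downloads against this page's digests.
# Function names are hypothetical; digests and file names are from the page.
MANIFEST='5ae6d0051302f7734aa09081bad943a2a56d32409b08a8acec6239b387bbab24  Connect2id-server.zip
872123f8df4ed3ccc7d57cf8ce1f9bd2ba524cadcc61412ea82e8a091bbe4859  c2id.war
c32dbe7d03dde79848b7690c81d24eba1bb2e8a17559043a420b5816e8ae3419  Connect2id-server-mt.zip
1a7d7fc290bdcc4bc32401a564bf964c735ba578a211fe32c7a3df1b37e059a1  c2id-mt.war'

# Print the SHA-256 of a file using whichever standard tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        return 127
    fi
}

# Print the published digest for a file name; fail if the name is not listed.
expected_digest() {
    printf '%s\n' "$MANIFEST" |
        awk -v n="$1" '$2 == n { print $1; found = 1 } END { exit !found }'
}

# verify_download PATH: 0 = verified, 1 = digest mismatch, 2 = file missing,
# 3 = name not in manifest, 4 = no hashing tool, 5 = GPG signature rejected.
verify_download() {
    file=$1
    name=$(basename "$file")
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    want=$(expected_digest "$name") || { echo "unlisted: $name" >&2; return 3; }
    got=$(sha256_of "$file") || { echo "no SHA-256 tool" >&2; return 4; }
    [ "$got" = "$want" ] || { echo "MISMATCH: $name" >&2; return 1; }
    # The digest only shows the file matches this page. When the detached
    # signature is present, also check it (import the public GPG key first).
    if [ -f "$file.asc" ] && command -v gpg >/dev/null 2>&1; then
        gpg --verify "$file.asc" "$file" || return 5
    fi
    echo "OK: $name"
}
```

Call verify_download with the path of each downloaded package, keeping the matching .asc file beside it, and treat any non-zero status as a reason not to deploy the file.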

Questions?

For technical questions about this new release, contact Connect2id support. To purchase a production license for the Connect2id server, or to renew or upgrade your support and updates subscription, email our sales team.


Release notes

15.7 (2024-06-03)

Summary

  • Enables issue of DPoP access tokens (RFC 9449) for the JWT and SAML 2.0 bearer OAuth 2.0 grants.

  • Updates the CustomTokenResponseComposer SPI to provide access to the OpenID claims source and a generic JWT signer.

  • Updates the IDTokenIssueEvent in the IDTokenIssueEventListener SPI to provide access to the local subject, useful in cases when the ID token sub (subject) is a pairwise identifier.

Web API

  • /token

    • Enables support for issue of DPoP-bound access tokens (RFC 9449) for the following OAuth 2.0 grants:

      • urn:ietf:params:oauth:grant-type:jwt-bearer (RFC 7523)

      • urn:ietf:params:oauth:grant-type:saml2-bearer (RFC 7522)

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:5.5

    • The CustomTokenResponseComposer SPI is updated, adding methods to the TokenResponseContext to access the OpenID claims source and a generic JWT signer.

    • IDTokenIssueEvent, part of the IDTokenIssueEventListener SPI, provides access to the local ID token subject, useful in cases when the ID token sub (subject) claim is a pairwise identifier.

Resolved issues

  • The Connect2id server must accept signed request objects (JARs) with the JWT typ (type) header values oauth-authz-req+jwt (see RFC 9101) and JWT (issue server/999).

  • The logout JWT in OpenID Connect back-channel logout notifications must include an exp (expiration time) claim. The expiration for the logout JWTs is set 5 minutes into the future (issue server/1000).

  • Improves the parse performance of JSON numbers in JWT claims sets (issue nimbus-jose-jwt/546).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:5.5

  • Updates to com.nimbusds:oauth2-oidc-sdk:11.12

  • Updates to com.nimbusds:c2id-server-jwkset:1.30.5

  • Updates to com.nimbusds:nimbus-jose-jwt:9.39.3

  • Updates to com.google.code.gson:gson:2.11.0

  • Updates to commons-codec:commons-codec:1.17.0