Connect2id server 17.1.1

This maintenance release of the Connect2id server fixes issues reported in the last month, including a regression in OpenID Connect Native SSO that was introduced in v17.1.

The release notes below have more information.

Note that the signing key for the Connect2id server artifacts was rotated at the start of 2025. The old key remains at its original URL.

Download 17.1.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 17.1.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: a382a7fb466bc0d748e2692c492f0e86481ff229edbf36cd76ad55c3ef9c15ff

Connect2id server 17.1.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: efc52934aaf5728cb99b788917d9f7e59e9a512daa6c4805db4eabf512699de9

Multi-tenant edition

Apache Tomcat package with Connect2id server 17.1.1: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 8a365452922f76a2c90f64600ba64794b8a102f38290fb65e12ad789a6ab621e

Connect2id server 17.1.1 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: e71ef4055135a6493d17f0a7177f95ca99a7bb19988563a581fd4006f626fbb1
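
The digests and detached signatures listed above can be checked before deployment with a script like the following. This is an added example, not Connect2id's own tooling; it assumes the key behind the "Public GPG key" link was saved locally (its path is passed as the second argument) and that each .asc file sits beside its artifact.

```shell
#!/bin/sh
# Added example: verify a Connect2id server 17.1.1 download before deploying it.
# Digests below are copied from this release page.
published_sha256() {
    case "$1" in
        Connect2id-server.zip)    echo a382a7fb466bc0d748e2692c492f0e86481ff229edbf36cd76ad55c3ef9c15ff ;;
        c2id.war)                 echo efc52934aaf5728cb99b788917d9f7e59e9a512daa6c4805db4eabf512699de9 ;;
        Connect2id-server-mt.zip) echo 8a365452922f76a2c90f64600ba64794b8a102f38290fb65e12ad789a6ab621e ;;
        c2id-mt.war)              echo e71ef4055135a6493d17f0a7177f95ca99a7bb19988563a581fd4006f626fbb1 ;;
        *) return 1 ;;            # fail closed on any name not listed on the page
    esac
}

# Print the SHA-256 of a file as lowercase hex (GNU coreutils or Perl shasum).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the file exists and its digest equals the expected value.
verify_sha256() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    actual=$(file_sha256 "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ] || { echo "DIGEST MISMATCH: $1" >&2; return 1; }
}

# Check the digest, then the detached signature against ONLY the supplied key,
# so unrelated keys in the user's default keyring cannot satisfy the check.
verify_artifact() {   # usage: verify_artifact <artifact> <armored-public-key>
    name=$(basename "$1")
    expected=$(published_sha256 "$name") || { echo "unknown artifact: $name" >&2; return 2; }
    verify_sha256 "$1" "$expected" || return $?
    keyring=$(mktemp) || return 2
    gpg --dearmor < "$2" > "$keyring" && gpgv --keyring "$keyring" "$1.asc" "$1"
    rc=$?
    rm -f "$keyring"
    return $rc
}

if [ "$#" -eq 2 ]; then verify_artifact "$1" "$2"; fi
```

A digest published on the same page as the download mainly guards against corruption in transit; the gpgv check, run against a keyring that holds only the release key, is what ties the artifact to the signer.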

Questions?

For technical questions about this new release, contact Connect2id support. To purchase a production license for the Connect2id server, or to renew or upgrade your support and updates subscription, email our sales team.


Release notes

17.1.1 (2025-02-26)

Resolved issues

  • The URN for ID tokens in OpenID Connect Native SSO 1.0 must be urn:openid:params:token-type:id_token (issue oidc-sdk/492).

  • Updates JSON parsing to prevent parsing of JSON with excessive object nesting in the JSON Smart library. This addresses CVE-2024-57699 in JSON Smart (issue oidc-sdk/494).

  • The Redis configuration for the identifier-based access tokens database (authzStore.idAccessTokenMap) in WEB-INF/infinispan-*-stateless-redis-*.xml should use the redisCache{Host|Port|Password} properties, not redisMap{Host|Port|Password} (issue server/1054).

  • Fixes NPE in the OIDC SDK OIDCScopeValue.resolveClaimNames(Scope, Map) when the OIDCScope.Value specifies null associated claim names. The NPE was triggered when processing authorisations from OAuth 2.0 grant handler SPIs that include the offline_access scope value (issue oidc-sdk/499, server/1057).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:11.23.1

  • Updates to com.nimbusds:c2id-server-jwkset:2.0.2

  • Updates to com.nimbusds:nimbus-jose-jwt:10.0.2

  • Updates to net.minidev:json-smart:2.5.2

  • Updates to com.google.code.gson:gson:2.12.1

  • Updates to Dropwizard Metrics 4.2.28

  • Updates to commons-io:commons-io:2.17.0

  • Updates to org.apache.commons:commons-lang3:3.17.0