
Connect2id server 17.2

This release of the Connect2id server updates the plugin for verifying client registration requests that include a signed software statement JWT, such as the software statements to register Open Banking clients. The plugin can now be configured using an op.ssv.jwtTypes property to check the typ (type) header of the JWTs.

Example configuration that requires all software statements to have the ssa+jwt type header:

# The accepted "typ" (type) JWT header values of the software statements, as
# a comma and/or space separated list. If blank or omitted, the JWT type
# check will accept software statements with no "typ" header or with the
# header value "JWT".
op.ssv.jwtTypes=ssa+jwt

Explicit JWT typing is recommended to prevent JWT confusion, either accidental or malicious, as explained in JSON Web Token Best Current Practices (RFC 8725), section 3.11.
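To illustrate the policy that op.ssv.jwtTypes describes, the following is an added Python example; it is not code from the Connect2id server or the software statement verifier plugin. It parses a comma and/or space separated list of accepted type values, decodes the JOSE header of a compact JWS, and applies the rule stated above: with a configured list, only a software statement whose typ header is in the list passes; with a blank or omitted setting, only statements with no typ header or typ "JWT" pass. The function names, the sample tokens and the placeholder signature segment are all constructed for this example. The typ check is deliberately separate from signature verification: a token that passes the check still has to be verified against the directory's keys before any claim in it is trusted.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """Base64url encoding without padding, as used by compact JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_sample_token(header: dict, claims: dict) -> str:
    """Constructed, unsigned sample token for this example only.

    The third segment is a placeholder, because the example exercises the
    typ check and not signature verification.
    """
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(claims).encode()),
        _b64url(b"placeholder-signature"),
    ])


def parse_accepted_types(setting):
    """Parse an op.ssv.jwtTypes-style value into a set of accepted types.

    A blank or missing setting returns None, meaning "not configured", which
    selects the default rule in typ_accepted().
    """
    if setting is None:
        return None
    values = {v for v in setting.replace(",", " ").split() if v}
    return values or None


def jwt_header(token: str) -> dict:
    """Decode the JOSE header of a compact JWS without verifying it."""
    header_b64 = token.split(".")[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def typ_accepted(token: str, accepted_types) -> bool:
    """Apply the typ policy: explicit list, or the default (no typ / "JWT").

    Comparison is exact; see the note below on case sensitivity.
    """
    typ = jwt_header(token).get("typ")
    if accepted_types is None:
        return typ is None or typ == "JWT"
    return typ is not None and typ in accepted_types


# Constructed sample software statements (claims are illustrative only).
SAMPLE_CLAIMS = {"iss": "https://directory.example.com", "software_id": "sw-123"}
SSA_TOKEN = build_sample_token(
    {"alg": "PS256", "typ": "ssa+jwt", "kid": "example-key"}, SAMPLE_CLAIMS)
UNTYPED_TOKEN = build_sample_token({"alg": "PS256"}, SAMPLE_CLAIMS)
JWT_TYPED_TOKEN = build_sample_token({"alg": "PS256", "typ": "JWT"}, SAMPLE_CLAIMS)


if __name__ == "__main__":
    strict = parse_accepted_types("ssa+jwt")
    default = parse_accepted_types("")
    for name, token in [("ssa+jwt", SSA_TOKEN), ("untyped", UNTYPED_TOKEN),
                        ("JWT", JWT_TYPED_TOKEN)]:
        print(f"{name:8} strict={typ_accepted(token, strict)} "
              f"default={typ_accepted(token, default)}")
```

With op.ssv.jwtTypes=ssa+jwt, the untyped and "JWT"-typed tokens are rejected and only the ssa+jwt token passes, which is the point of explicit typing in RFC 8725 section 3.11: a JWT minted for another purpose cannot be replayed as a software statement just because its signature happens to verify. One design choice to be aware of: RFC 7515 section 4.1.9 notes that media type values are case-insensitive per RFC 2045 and that producers may omit the "application/" prefix; the example compares the raw value exactly, which is the stricter option, so a deployment that needs to accept variants has to list them explicitly.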

This release also fixes an NPE bug that affected the cancellation of login requests in the authorisation session API.

More information can be found in the release notes below.

Note that the signing key for the Connect2id server artifacts was rotated at the start of 2025. The old key remains at its original URL.

Download 17.2

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 17.2: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 35977c88f509c987f356862a550b66c3705698976cf5c408127542e9d9348e90

Connect2id server 17.2 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: d176f11453ec209cdfcd117adc2a7b4cb68e25aa5393819fb960c499803e27ef

Multi-tenant edition

Apache Tomcat package with Connect2id server 17.2: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: f09ade9ec1afcff41b1ec69abf06d904ec5c0e0e38bd6abb08487ae82579d054

Connect2id server 17.2 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: a437cd988f74c9a0eaa3e0dc9973f2a55976b935c8f31d2e03e9a663ba7bb192

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

17.2 (2025-03-25)

Summary

  • Upgrades the software statement verifier (SSV) plugin (implements the RegistrationInterceptor SPI) to support strict JWT type checking. Explicit JWT typing is recommended to prevent accidental or malicious JWT confusion. See JSON Web Token Best Current Practices (RFC 8725), section 3.11.

Configuration

  • /WEB-INF/softwareStatementVerifier.properties

    • op.ssv.jwtTypes – New optional configuration property. Specifies the accepted typ (type) JWT header values of the software statements, as a comma and/or space separated list. If blank or omitted, the JWT type check will accept software statements with no typ header or with the header value JWT.

Resolved issues

  • Fixes an NPE affecting HTTP DELETE /authz-sessions/rest/v3/{sid} requests when the Connect2id server is configured with the optional op.authz.includeSubjectSessionInFinalResponse=true and the authorisation is cancelled before the subject authentication is submitted (at the auth step) (issue server/1071).

Dependency changes

  • Updates to com.nimbusds:software-statement-verifier:2.3.1

  • Updates to com.h2database:h2:2.3.232

  • Updates to org.postgresql:postgresql:42.7.4