Connect2id server 17.2
This release of the Connect2id server updates the plugin for verifying client registration requests that include a signed software statement JWT, such as the software statements used to register Open Banking clients. The plugin can now be configured using an op.ssv.jwtTypes property to check the typ (type) header of the JWTs.
Example configuration that requires all software statements to have the ssa+jwt type header:
# The accepted "typ" (type) JWT header values of the software statements, as a
# comma and / or space separated list. If blank or omitted, the JWT type
# checking will accept software statements with no "typ" header or the header
# value "JWT".
op.ssv.jwtTypes=ssa+jwt
Explicit JWT typing is recommended to prevent JWT confusion, either accidental or malicious, as explained in JSON Web Token Best Current Practices (RFC 8725), section 3.11.
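The typ policy described above, as an added Python example that is not part of the Connect2id server or its plugin: it parses an op.ssv.jwtTypes value, decodes the JOSE header of a compact JWT and applies the strict or default acceptance rule. The sample JWTs are constructed, only the header is inspected, and exact string comparison of typ values is an assumption of this example; signature verification is out of scope.

```python
import base64
import json


def parse_accepted_types(config_value):
    """Parse an op.ssv.jwtTypes value (comma and/or space separated).

    Returns a set of accepted typ values, or None when the property is
    blank or omitted, which selects the default policy.
    """
    if config_value is None:
        return None
    tokens = config_value.replace(",", " ").split()
    return set(tokens) or None


def jwt_header(compact_jwt):
    """Decode the JOSE header of a compact-serialised JWT (no signature check)."""
    header_b64 = compact_jwt.split(".")[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def typ_accepted(compact_jwt, accepted_types):
    """Apply the typ policy: strict match against the configured list, or,
    when no list is configured, accept a missing typ or the generic "JWT".
    Exact (case-sensitive) comparison is assumed here."""
    typ = jwt_header(compact_jwt).get("typ")
    if accepted_types is None:
        return typ is None or typ == "JWT"
    return typ is not None and typ in accepted_types


def make_sample_jwt(header):
    """Construct a sample compact JWT with a dummy payload and signature.
    Only the header matters for the typ check demonstrated here."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64(header), b64({"software_id": "constructed"}), "sig"])


# Constructed samples: a properly typed software statement, a generic JWT
# and a JWT with no typ header at all.
SSA_JWT = make_sample_jwt({"alg": "RS256", "typ": "ssa+jwt"})
GENERIC_JWT = make_sample_jwt({"alg": "RS256", "typ": "JWT"})
UNTYPED_JWT = make_sample_jwt({"alg": "RS256"})

STRICT_POLICY = parse_accepted_types("ssa+jwt")   # op.ssv.jwtTypes=ssa+jwt
DEFAULT_POLICY = parse_accepted_types("")          # property blank or omitted
```

Under the strict policy only SSA_JWT passes, while under the default policy GENERIC_JWT and UNTYPED_JWT pass and SSA_JWT is rejected.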
This release also fixes an NPE bug that affected the cancellation of login requests in the authorisation session API.
More information can be found in the release notes below.
Note that the signing key for the Connect2id server artifacts was rotated at the start of 2025. The old key remains at its original URL.
Download 17.2
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 17.2: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 35977c88f509c987f356862a550b66c3705698976cf5c408127542e9d9348e90
Connect2id server 17.2 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: d176f11453ec209cdfcd117adc2a7b4cb68e25aa5393819fb960c499803e27ef
Multi-tenant edition
Apache Tomcat package with Connect2id server 17.2: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: f09ade9ec1afcff41b1ec69abf06d904ec5c0e0e38bd6abb08487ae82579d054
Connect2id server 17.2 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: a437cd988f74c9a0eaa3e0dc9973f2a55976b935c8f31d2e03e9a663ba7bb192
Questions?
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
17.2 (2025-03-25)
Summary
- Upgrades the software statement verifier (SSV) plugin (implements the RegistrationInterceptor SPI) to support strict JWT type checking. Explicit JWT typing is recommended to prevent accidental or malicious JWT confusion. See JSON Web Token Best Current Practices (RFC 8725), section 3.11.
Configuration
- /WEB-INF/softwareStatementVerifier.properties op.ssv.jwtTypes – New optional configuration property. Specifies the accepted typ (type) JWT header values of the software statements, as a comma and / or space separated list. If blank or omitted, the JWT type checking will accept software statements with no typ header or the header value JWT.
Resolved issues
- Fixes an NPE affecting HTTP DELETE /authz-sessions/rest/v3/{sid} requests when the Connect2id server is configured with the optional op.authz.includeSubjectSessionInFinalResponse=true and the authorisation is cancelled before the subject authentication is submitted (at the auth step) (issue server/1071).
Dependency changes
- Updates to com.nimbusds:software-statement-verifier:2.3.1
- Updates to com.h2database:h2:2.3.232
- Updates to org.postgresql:postgresql:42.7.4