
Connect2id server 18.0 supports CIBA, native IdP apps and session binding via UA fingerprints and DPoP

We are excited to announce the release of CIBA support in the Connect2id server 18.0, enabling cross-device login and authorisation with a wide range of applications.

Banks and fintechs can utilise the decoupled CIBA flow to authorise transactions, perform step-up authentication and approve logins in the bank’s mobile app. Mobile network operators can use the flow for SIM-based login into services, their own or those of subscribed partners. In healthcare, it can serve to approve access to medical records and to authenticate remotely for telehealth examinations and procedures.

The cross-device capability of the CIBA flow opens up new opportunities, but also a new, different set of risks that aren’t present in the typical same-device OAuth 2.0 flow. These risks arise from the “gap” between the client device and the user device (where a CIBA request is authorised, typically in a mobile app). Securing the “gap” requires measures dictated by the practical reality of the application context and by how much of that context can be cryptographically or otherwise bound.

The CIBA "gap"

Features:

  • Enables login from devices without browsers (TVs, IoT) or at locations where the user isn't present (call centres)
  • Reduced phishing risk (no credentials entered in the client)
  • Control over the authentication factors and experience (via native IdP app)

Challenges:

  • Client and IdP app operate on different devices
  • The client relies on user input or inference to hint the user identity to the IdP
  • If the client passes an incorrect identity hint to the IdP - risk of the IdP notifying the wrong user, or unauthorised access (if the wrong user unwittingly approves)

Connect2id spent time devising a hardened CIBA flow, which the user must pre-authorise in their IdP app, and which utilises a one-time use, cryptographically secured login_hint_token to authenticate the channel between the client device and the IdP app. The token size is deliberately kept small, for efficient presentation as a QR code or transmission over NFC.

Figure: CIBA login_hint_token optimised for QR code display on a user device

The back-channel authorisation flow supported by the Connect2id server follows the core CIBA specification and the FAPI 1.0 CIBA profile. It incorporates security measures, some recommended by the OAuth WG, others devised by Connect2id, from analysing usage patterns and attacks reported by early CIBA adopters over the course of 3 years. We wish to thank Pieter Kasselman, who initiated and led the effort at the OAuth WG to collect and classify reported CIBA attacks, together with measures to effectively address them.

To support native IdP apps, which play a key role in CIBA, the session store of the Connect2id server was updated. Native IdP apps can now have their own, properly isolated user sessions, alongside the web sessions for the IdP web domain and the sessions for the native client groups (for OpenID Connect native SSO). The session ID serves to determine the IdP app instance(s) of the resolved login_hint_token, id_token_hint or login_hint subject in CIBA requests, and then together with a callback token, to submit the authorisation to the Connect2id server. For extra assurance the user sessions of native IdP apps can be bound via DPoP to a non-extractable private key in the Android Keystore or iOS Keychain.
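The following is an added, constructed walk-through of the flow described above, written for this page and not Connect2id server code. It models both devices in memory: the native IdP app obtains a single-use login_hint_token from the STS, the client device sends it to /ciba with a binding message, the handler role passes a callback token to the IdP app instance, the app submits the authorisation through the CIBA sessions API, and the client polls the token endpoint in poll mode. Endpoint and parameter names come from the page; the token formats, the clock injection, the in-memory stores and the client identifier "tv-app" are assumptions made for the example.

```python
"""Constructed, in-memory walk-through of a CIBA poll-mode flow that starts from a
single-use login_hint_token. Illustrative only, not Connect2id server code."""
import base64
import os
import re
import time

# Default binding message pattern from the release notes (op.ciba.bindingMessagePattern).
BINDING_MESSAGE_RE = re.compile(r"[\w ]{4,16}")
DEFAULT_REQUEST_LIFETIME = 600  # op.ciba.defaultRequestLifetime, in seconds
MAX_REQUEST_LIFETIME = 600      # op.ciba.maxRequestLifetime, in seconds


def _opaque(nbytes):
    """Random, unpadded BASE64URL string; 12 bytes gives a 16-character, QR-friendly token."""
    return base64.urlsafe_b64encode(os.urandom(nbytes)).rstrip(b"=").decode()


class IdP:
    """Stand-in for the OpenID provider: STS, /ciba, the CIBA sessions API and /token.
    The clock is injectable (assumption) so that expiry can be exercised without sleeping."""

    def __init__(self, now=time.time):
        self.now = now
        self.login_hint_tokens = {}  # token -> (sub, sub_sid, expiry)
        self.auth_requests = {}      # auth_req_id -> request state
        self.callback_tokens = {}    # callback token -> auth_req_id
        self.app_inbox = {}          # sub_sid -> notifications for the native IdP app

    def issue_login_hint_token(self, sub, sub_sid, lifetime=300):
        """STS login_hint_token template: minted only for an existing IdP app session (sub_sid)."""
        token = _opaque(12)
        self.login_hint_tokens[token] = (sub, sub_sid, self.now() + lifetime)
        return token

    def backchannel_authentication(self, client_id, login_hint_token,
                                   binding_message=None, requested_expiry=None):
        """/ciba endpoint: validate, resolve the user, notify the IdP app, acknowledge."""
        if binding_message is not None and not BINDING_MESSAGE_RE.fullmatch(binding_message):
            return {"error": "invalid_binding_message"}
        entry = self.login_hint_tokens.pop(login_hint_token, None)  # single use: consumed here
        if entry is None or entry[2] < self.now():
            return {"error": "unknown_user_id"}
        sub, sub_sid, _ = entry
        lifetime = min(requested_expiry or DEFAULT_REQUEST_LIFETIME, MAX_REQUEST_LIFETIME)
        auth_req_id = _opaque(24)
        self.auth_requests[auth_req_id] = {"client_id": client_id, "sub": sub,
                                           "status": "pending", "exp": self.now() + lifetime}
        # The CIBARequestHandler role: hand the resolved IdP app instance a callback token
        # with which it later submits the authorisation to the CIBA sessions API.
        callback = _opaque(24)
        self.callback_tokens[callback] = auth_req_id
        self.app_inbox.setdefault(sub_sid, []).append(
            {"callback_token": callback, "binding_message": binding_message})
        return {"auth_req_id": auth_req_id, "expires_in": lifetime, "interval": 5}

    def authorize(self, callback_token, approved=True):
        """/ciba-sessions/rest/v1/authorize, called by the native IdP app after user auth and consent."""
        auth_req_id = self.callback_tokens.pop(callback_token, None)  # also single use
        if auth_req_id is None or auth_req_id not in self.auth_requests:
            return False
        self.auth_requests[auth_req_id]["status"] = "authorized" if approved else "denied"
        return True

    def token(self, client_id, auth_req_id):
        """/token endpoint, CIBA grant in poll mode (immediate response)."""
        req = self.auth_requests.get(auth_req_id)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if req["exp"] < self.now():
            del self.auth_requests[auth_req_id]
            return {"error": "expired_token"}
        if req["status"] == "pending":
            return {"error": "authorization_pending"}
        del self.auth_requests[auth_req_id]  # an auth_req_id is exchanged at most once
        if req["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": _opaque(32), "token_type": "Bearer", "sub": req["sub"]}


def run_flow(idp, approve=True, binding_message="Pay 42 EUR"):
    """Both sides of one exchange: the client device ("tv-app") and the user's IdP app."""
    # User device: the IdP app pre-authorises and displays the login_hint_token as a QR code.
    hint = idp.issue_login_hint_token(sub="alice", sub_sid="nia-session-1")
    # Client device: scans the code and starts the back-channel request.
    ack = idp.backchannel_authentication("tv-app", hint, binding_message=binding_message)
    if "error" in ack:
        return {"ack": ack, "hint": hint}
    first_poll = idp.token("tv-app", ack["auth_req_id"])  # user has not acted yet
    # User device: the IdP app shows the binding message; the user approves or rejects.
    note = idp.app_inbox["nia-session-1"].pop()
    idp.authorize(note["callback_token"], approved=approve)
    second_poll = idp.token("tv-app", ack["auth_req_id"])
    return {"ack": ack, "hint": hint, "first_poll": first_poll, "second_poll": second_poll}


if __name__ == "__main__":
    print(run_flow(IdP()))
```

The points worth noticing are the ones the announcement calls out: the login_hint_token and the callback token are each consumed on first use, the binding message is checked before any user is resolved or notified, and a client polling before the user has acted only ever sees authorization_pending, never who the resolved user is.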

The server documentation was expanded to cover the new standard CIBA endpoint and the plugin SPIs to resolve login_hints and to invoke a native IdP app where the user authentication and consent take place. Examples of how to register clients for the CIBA grant can be found here. A general CIBA Connect2id server guide for architects and developers is being prepared. If you need help in devising a secure and well-integrated CIBA solution for your business you are welcome to talk to us. The lead time for such consulting work is currently 45 to 60 days.

The work on CIBA is not complete with this release. On the contrary, there is a substantial roadmap ahead.

Besides CIBA, another notable new feature of Connect2id server 18.0 is the ability to bind the user sessions for the IdP web domain to a fingerprint of the user agent (browser), and make this a factor in the SSO decision-making.
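As an added example (not Connect2id code) of the fingerprint binding just mentioned, the block below derives an fpt value in the format the release notes give (BASE64URL-safe SHA-256) and applies the SSO decision the notes describe for the authorisation session API: a session started with a fingerprint that differs from the one stored on the current subject session ends that session and yields an authentication prompt, while a missing fingerprint on either side lets the session proceed. Which user agent attributes go into the fingerprint is a deployment choice; the components used here are assumptions.

```python
"""Constructed example of user agent fingerprint (fpt) binding for a subject session.
Not Connect2id code; the fingerprint components are assumed, not a prescribed set."""
import base64
import hashlib
import json


def compute_fpt(components):
    """fpt = BASE64URL-safe SHA-256 over a canonical serialisation of the components.
    Canonical JSON (sorted keys, no whitespace) makes the hash independent of dict order."""
    canonical = json.dumps(components, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(hashlib.sha256(canonical).digest()).rstrip(b"=").decode("ascii")


class SubjectSession:
    """Minimal stand-in for a subject session. fpt is set at creation and never changed after."""

    def __init__(self, sub, fpt=None):
        self.sub = sub
        self.fpt = fpt
        self.active = True


def start_authz_session(current_session, fpt=None):
    """SSO decision for an authorisation session start, as the notes describe it:
    returns "auth_prompt" when the user must authenticate, "sso" when the session proceeds."""
    if current_session is None or not current_session.active:
        return "auth_prompt"
    if fpt is not None and current_session.fpt is not None and current_session.fpt != fpt:
        current_session.active = False  # the mismatching subject session is ended
        return "auth_prompt"
    return "sso"  # no fingerprint on either side, or a match: proceed as usual


if __name__ == "__main__":
    # Constructed user agent attributes; a real deployment would pick its own.
    fpt = compute_fpt({"ua": "Mozilla/5.0 (constructed)", "lang": "en-GB", "tz": "Europe/Sofia"})
    session = SubjectSession("alice", fpt=fpt)
    print(start_authz_session(session, fpt))
    print(start_authz_session(session, compute_fpt({"ua": "other", "lang": "en", "tz": "UTC"})))
```

A fingerprint is a heuristic factor rather than a cryptographic proof: two devices can legitimately share one, and a single browser update can change it. That is why the announcement treats it as an input to the SSO decision, while key binding via jkt and DPoP is the stronger option.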

Connect2id server 17.x deployments can upgrade to this new release seamlessly, by letting the server on startup automatically create the requisite tables, and add new columns where required:

  • On startup, a Connect2id server with an SQL database is going to automatically create a new login_hint_tokens table, and new CIBA and DPoP related columns (see release notes below), unless the default value of the dataSource.createTableIfMissing property is overridden and set to false, in which case database schema must be updated manually by a database administrator.

  • Similarly, a Connect2id server with a DynamoDB database is automatically going to create a new login_hint_tokens table, unless the table has already been created.

There are no breaking configuration changes, save for the native SSO configuration, where the property names were renamed from op.sso.device.* to op.sso.nativeClientGroup.*, necessitated by the addition of native IdP app session support and the need to clearly differentiate between these sessions and native client group (NCG) sessions.

The use of a general token for the STS web API is deprecated. Consider configuring a separate token for each template, for example op.sts.privateKeyJWT.apiAccessTokenSHA256.

If you are upgrading from a Connect2id server version 16.x or earlier, check the 17.0 release announcement and notes first.

As always, you find more information about this Connect2id server release in the notes below.

Note that the signing key for the Connect2id server artifacts was rotated at the start of 2025. The old key remains at its original URL.

Download 18.0

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 18.0: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 71211b7d35f5f2536ffeccf2e963b4a370f07acfb8927c29664f1324627c5b57

Connect2id server 18.0 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: d2337514795ca3775cf8f7ad2c0bb8f41446546684054487f9d6a2e343959ac4

Multi-tenant edition

Apache Tomcat package with Connect2id server 18.0: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: a8f11a84556659df68024d7c289427d989893040e6f56d4a18cc32560241d102

Connect2id server 18.0 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 8856c75289aaec8b6af798fd98615e879a4da8032d2234c25ff1d35761aed9f3

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

18.0 (2024-04-02)

Summary

  • Implements support for OpenID Connect Client-Initiated Backchannel Authentication (CIBA) Flow - Core 1.0.

    The CIBA poll mode for token delivery is supported. The ping and push modes may be implemented in a future release.

    All three login hint types are supported: login_hint_token, id_token_hint and login_hint. A Connect2id server deployment can be configured to accept only those login hint types that are allowed by policy and required by the use cases of client applications.

    To support CIBA login hint tokens the STS endpoint of the Connect2id server is given the capability to issue them. To mint a login_hint_token the STS endpoint requires the presence of a native IdP app session for the subject (end-user). The token is single-use, cryptographically secured and has a length and encoding optimised for presentation in QR codes on user devices.

    The CIBA id_token_hint support is identical to that for regular OpenID authentication requests.

    To support CIBA login_hint the Connect2id server receives a new LoginHintResolver SPI to resolve login hints to subject identifiers. A plugin that delegates the resolution to a web endpoint (webhook) is provided.

    Signed CIBA requests are supported.

    The CIBA binding_message request parameter is supported. Deployments can configure a regular expression to enforce compliance of the message to a given pattern. The default pattern allows combinations of four to sixteen alphanumeric and space characters.

    The CIBA user_code request parameter is supported, however its use is discouraged. A login_hint_token should be used to pre-authorise a CIBA request from a native IdP app.

    CIBA requests that are authenticated and pass initial validation are directed to a CIBARequestHandler SPI to perform the end-user authentication and authorisation. A handler would typically message the native IdP app instance(s) for the subject (end-user) resolved from the login_hint_token, id_token_hint or login_hint. If the end-user is successfully authenticated and consent was obtained the handler submits the authorisation to a CIBA authorisation sessions API, to continue the flow. If the end-user couldn’t be authenticated or consent was not given the CIBA request is left to time out, according to the expires_in parameter of the authentication request acknowledgement returned to the client.

  • Adds support for subject (end-user) sessions for native IdP apps. An OpenID provider may utilise a native app to provide a user authentication factor during sign-in, to authorise CIBA requests and for other purposes. Such subject sessions have a ctx (context) value NIA (native IdP app), to differentiate them from web and NCG (native client group) sessions.

  • Subject (end-user) sessions receive a new optional jkt (JWK thumbprint) field to enable a session to be bound to a private JWK. The thumbprint is a BASE64URL-safe encoded SHA-256 hash. For web sessions the private key may be a non-extractable Web Crypto API key. For native app sessions the private key may be a non-extractable Android Keystore or iOS Keychain key. A future Connect2id server release will incorporate changes to support DPoP-style binding of subject sessions in the authorisation session API, in the CIBA flow and in the OpenID Connect SSO for native apps flow.

  • Enables binding of subject (end-user) sessions to a fingerprint of the web browser or native app used to establish the session. The thumbprint is a BASE64URL-safe encoded SHA-256 hash. The authorisation session (login) web API is updated to automatically check the current user agent fingerprint against the value stored when the session was created. If the fingerprint values don’t match the subject session is ended, triggering an authentication prompt.

    The user agent fingerprint binding of subject sessions can replace plugins that use the WebSSOEligibilityChecker SPI to add a custom user agent fingerprint check after the regular Connect2id server checks that determine whether a web-based OpenID authentication request or an OAuth 2.0 authorisation request is eligible for single sign-on (SSO).

  • The subject (end-user) sessions of OpenID relying parties using OpenID Connect SSO for Native Apps 1.0 will now bear the context value NCG (native client group), replacing the value native. The op.sso.device.* configuration properties are replaced by op.sso.nativeClientGroup.*. This breaking change is made to differentiate the sessions for native client groups and those for a native IdP app.

  • Adds support for the optional dpop_bound_access_tokens client metadata parameter, specified in RFC 9449, section 5.2. When a client is registered with a value of true it must always use DPoP. The default value is false.
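The jkt session field above is a JWK thumbprint. Added here as an example (not Connect2id code) is the RFC 7638 computation of that thumbprint and a check that a key presented later is the one a session was bound to. Only the key type's required public members enter the hash, so optional members such as kid or use, and the private part held in the Android Keystore, iOS Keychain or Web Crypto API, play no role. The EC coordinates in the sample JWK are constructed strings for illustration, not a real key pair; the SubjectSession class and helper names are assumptions.

```python
"""Constructed example of the jkt (JWK thumbprint) session binding field: the RFC 7638
thumbprint of a key and a check that a presented key matches the bound session. Not
Connect2id code; the JWK values are sample strings, not a real key pair."""
import base64
import hashlib
import hmac
import json

# Required members per key type (RFC 7638, section 3.2); anything else is left out of the hash.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "oct": ("k", "kty")}

# Constructed sample public JWK with optional members that must not affect the thumbprint.
SAMPLE_EC_JWK = {
    "kty": "EC", "crv": "P-256", "kid": "device-1", "use": "sig",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint_input(jwk):
    """Required members only, lexicographically ordered, no whitespace (RFC 7638 section 3)."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    missing = [m for m in REQUIRED_MEMBERS[kty] if m not in jwk]
    if missing:
        raise ValueError(f"JWK lacks required members: {missing}")
    subset = {m: jwk[m] for m in REQUIRED_MEMBERS[kty]}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def jwk_thumbprint(jwk):
    """BASE64URL-safe SHA-256 JWK thumbprint, the format of the session jkt field."""
    return _b64url(hashlib.sha256(jwk_thumbprint_input(jwk).encode("utf-8")).digest())


class SubjectSession:
    """Minimal stand-in for a subject session; jkt is set at creation and not changed after."""

    def __init__(self, sub, ctx, jkt=None):
        self.sub, self.ctx, self.jkt = sub, ctx, jkt


def create_key_bound_session(sub, ctx, public_jwk):
    """Bind a new session to the device key via the thumbprint of its public JWK."""
    return SubjectSession(sub, ctx, jkt=jwk_thumbprint(public_jwk))


def key_matches_session(session, presented_jwk):
    """True when the presented public JWK is the one the session was bound to."""
    if session.jkt is None:
        return False
    return hmac.compare_digest(session.jkt, jwk_thumbprint(presented_jwk))


if __name__ == "__main__":
    session = create_key_bound_session("alice", "NIA", SAMPLE_EC_JWK)
    print(session.jkt, key_matches_session(session, SAMPLE_EC_JWK))
```

Matching a thumbprint only shows which key a caller claims to hold; the release notes say the proof-of-possession step (DPoP-style binding in the authorisation session API, CIBA and native SSO) is planned for a future release, so this check is the storage-side half of the mechanism.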

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.ciba.enable – New optional configuration property to enable / disable CIBA support. Disabled by default.

    • op.ciba.tokenDeliveryModes – New optional configuration property listing the enabled CIBA token delivery modes. Only the poll mode is supported. The default value is all supported.

    • op.ciba.hintTypes – New optional configuration property listing the enabled CIBA hint types. Supported hint types: login_hint_token, id_token_hint and login_hint. The default value is all supported.

    • op.ciba.requestJWSAlgs – New optional configuration property listing the enabled JWS algorithms for signed CIBA requests. Supported JWS algorithms: RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES256K, ES384 and ES512. The default value is all supported.

    • op.ciba.bindingMessagePattern – New optional configuration property for a regular expression pattern for matching legal CIBA binding messages. Messages that don’t match the pattern will be rejected with an invalid_binding_message error. The pattern must be BASE64 encoded to prevent character escaping issues. The default unencoded pattern is [\w ]{4,16}, allowing combinations of four to sixteen alphanumeric and space characters.

    • op.ciba.supportUserCode – New optional configuration property to enable / disable support for the CIBA user_code parameter. The default value is true.

    • op.ciba.defaultRequestLifetime – New optional configuration property for the default lifetime of CIBA requests (auth_req_id), in seconds. Applied when a CIBA request doesn’t specify a requested_expiry parameter. Must not be shorter than 60 seconds. The default value is 600 seconds (10 minutes).

    • op.ciba.maxRequestLifetime – New optional configuration property for the maximum allowed lifetime of the requested_expiry parameter of CIBA requests (auth_req_id), in seconds. Must not be shorter than the default lifetime of CIBA requests. The default value is the default request lifetime.

    • op.sts.jar.apiAccessTokenSHA256.* – New optional configuration property, specifying an access token for the STS web API to mint OAuth 2.0 JWT-secured Authorisation Requests (JAR), also called request objects in OpenID Connect. The value of the configuration property is the SHA-256 hash (in hexadecimal format) of the token. The hashed storage is intended to prevent accidental leakage of the token through configuration files, logs, etc. The token is of type Bearer, non-expiring and must contain at least 32 random alphanumeric characters to make brute force guessing impractical. If not specified minting of JARs by the STS web API is disabled.

      Additional access tokens, to facilitate token roll-over or for other needs, can be configured by appending a dot (.) with a unique label to the property name, e.g. as op.sts.jar.apiAccessTokenSHA256.1=abc....

      Replaces the deprecated general purpose op.sts.apiAccessTokenSHA256 STS web API access token configuration.

    • op.sts.privateKeyJWT.apiAccessTokenSHA256.* – New optional configuration property, specifying an access token for the STS web API to mint private key JWTs (private_key_jwt) for client authentication. The value of the configuration property is the SHA-256 hash (in hexadecimal format) of the token. The hashed storage is intended to prevent accidental leakage of the token through configuration files, logs, etc. The token is of type Bearer, non-expiring and must contain at least 32 random alphanumeric characters to make brute force guessing impractical. If not specified minting of private key JWTs by the STS web API is disabled.

      Additional access tokens, to facilitate token roll-over or for other needs, can be configured by appending a dot (.) with a unique label to the property name, e.g. as op.sts.privateKeyJWT.apiAccessTokenSHA256.1=abc....

      Replaces the deprecated general purpose op.sts.apiAccessTokenSHA256 STS web API access token configuration.

    • op.sts.loginHintToken.apiAccessTokenSHA256.* – New optional configuration property, specifying an access token for the STS web API to mint login hint tokens (login_hint_token) for CIBA. The value of the configuration property is the SHA-256 hash (in hexadecimal format) of the token. The hashed storage is intended to prevent accidental leakage of the token through configuration files, logs, etc. The token is of type Bearer, non-expiring and must contain at least 32 random alphanumeric characters to make brute force guessing impractical. If not specified minting of login hint tokens by the STS web API is disabled.

      Additional access tokens, to facilitate token roll-over or for other needs, can be configured by appending a dot (.) with a unique label to the property name, e.g. as op.sts.loginHintToken.apiAccessTokenSHA256.1=abc....

    • op.sts.loginHintToken.allowDirectIssue – New optional configuration property to allow direct issue of login hint tokens (login_hint_token) for CIBA, bypassing the requirement for an access token (op.sts.loginHintToken.apiAccessTokenSHA256.*). If true a valid native IdP app session ID (sub_sid) is sufficient to authorise the issue. The default value is false.

    • op.sts.apiAccessTokenSHA256 – The general master access token for the STS web API is deprecated for removal. Configure purpose specific op.sts.*.apiAccessTokenSHA256.* tokens instead.

    • op.sso.nativeClientGroup.enable – Replaces the optional op.sso.device.enable configuration property for OpenID Connect SSO for Native Apps 1.0 introduced in Connect2id server 16.0 (breaking change).

    • op.sso.nativeClientGroup.sessionMaxLifetime – Replaces the optional op.sso.device.sessionMaxLifetime configuration property for OpenID Connect SSO for Native Apps 1.0 introduced in Connect2id server 16.0 (breaking change).

    • op.sso.nativeClientGroup.sessionAuthLifetime – Replaces the optional op.sso.device.sessionAuthLifetime configuration property for OpenID Connect SSO for Native Apps 1.0 introduced in Connect2id server 16.0 (breaking change).

    • op.sso.nativeClientGroup.sessionMaxIdleTime – Replaces the optional op.sso.device.sessionMaxIdleTime configuration property for OpenID Connect SSO for Native Apps 1.0 introduced in Connect2id server 16.0 (breaking change).

  • /WEB-INF/sessionStore.properties

    • sessionStore.nativeIdPAppQuotaPerSubject – New optional configuration property for the maximum number of concurrent native IdP app sessions a subject (end-user) may have. Must not exceed 5 concurrent sessions. Zero disables native IdP app sessions. The default value is 1.

  • /WEB-INF/infinispan-*.xml

    • Adds a new login_hint_tokens table. In existing Connect2id server deployments with an SQL RDBMS or DynamoDB the server will automatically create the table on startup. For SQL databases the automatic table creation is enabled by default and can be turned off by setting the dataSource.createTableIfMissing Java system property to false.

  • /WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|oracle|h2}.xml

    • Adds new dpop_bound_access_tokens, backchannel_token_delivery_mode, backchannel_client_notification_endpoint, backchannel_authentication_request_signing_alg and backchannel_user_code_parameter columns to the clients table. Adds new jkt and fpt columns to the subject_sessions table. In existing Connect2id server deployments with an SQL RDBMS the server will automatically add the new columns (with an appropriate default value) on startup. For SQL databases the automatic column addition is enabled by default and can be turned off by setting the dataSource.createTableIfMissing Java system property to false.

  • /WEB-INF/infinispan-multitenant-stateless-redis-sentinel3-mysql.xml

    • Removes the deprecated multi-tenant stateless Redis sentinel / MySQL configuration.

  • /WEB-INF/loginHintResolverWebAPI.properties – New properties file specifying the default configuration of the web-based resolver (webhook) for CIBA login hints (login_hint) (implements the LoginHintResolver SPI). Can be overridden with Java system properties.

    • op.loginHintResolver.webAPI.enable – New optional configuration property, enables / disables the login hint resolver. Disabled (false) by default.

    • op.loginHintResolver.webAPI.url – New configuration property for the endpoint URL of the web-based resolver. Required when the resolver is enabled.

    • op.loginHintResolver.webAPI.apiAccessToken – New configuration property for the access token of type Bearer for the login hint resolver. Required when the resolver is enabled.

    • op.loginHintResolver.webAPI.connectTimeout – New optional configuration property for the HTTP connect timeout, in milliseconds. The default value is zero, which implies no timeout, or one determined by the underlying HTTP client.

    • op.loginHintResolver.webAPI.readTimeout – New optional configuration property for the HTTP response read timeout, in milliseconds. The default value is zero, which implies no timeout, or one determined by the underlying HTTP client.
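Two of the properties listed above carry transformed values rather than the value itself: the STS web API access tokens are stored as the hex SHA-256 of the token, and op.ciba.bindingMessagePattern takes the regular expression BASE64-encoded. The block below is an added example (not Connect2id code) that produces both values, renders the labelled roll-over properties the notes describe, and shows the server-side checks they serve: hashing a presented Bearer token for a constant-time comparison against every configured hash, and applying the decoded default pattern [\w ]{4,16} to candidate binding messages. The rendering of the property lines and the helper names are assumptions about layout, not the server's own parser.

```python
"""Constructed helpers for two 18.0 configuration values: hashed STS web API access tokens
(op.sts.<template>.apiAccessTokenSHA256.*) and the BASE64-encoded CIBA binding message
pattern (op.ciba.bindingMessagePattern). Not Connect2id code; property layout is assumed."""
import base64
import hashlib
import hmac
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # alphanumeric, as the notes require
MIN_TOKEN_LENGTH = 32  # minimum length the notes give for the STS tokens


def new_api_access_token(length=MIN_TOKEN_LENGTH):
    """Random alphanumeric Bearer token for the STS web API."""
    if length < MIN_TOKEN_LENGTH:
        raise ValueError(f"token must have at least {MIN_TOKEN_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def token_sha256_hex(token):
    """The value that goes into the properties file: hex SHA-256 of the token, never the token."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def render_token_properties(template, tokens):
    """One property per token; additional tokens get a dot-label suffix (.1, .2, ...) for roll-over."""
    base = f"op.sts.{template}.apiAccessTokenSHA256"
    return [f"{base if i == 0 else f'{base}.{i}'}={token_sha256_hex(tok)}"
            for i, tok in enumerate(tokens)]


def authorise_bearer(presented_token, configured_hashes):
    """Server-side check: hash the presented token and compare it in constant time against
    every configured hash, so a token being rolled over is accepted beside its replacement."""
    digest = token_sha256_hex(presented_token)
    return any(hmac.compare_digest(digest, h) for h in configured_hashes)


def encode_binding_message_pattern(regex):
    """op.ciba.bindingMessagePattern takes the regex BASE64-encoded to avoid escaping issues."""
    return base64.b64encode(regex.encode("utf-8")).decode("ascii")


def compile_binding_message_pattern(encoded):
    """Decode the property value back into a compiled pattern."""
    return re.compile(base64.b64decode(encoded).decode("utf-8"))


def binding_message_is_legal(pattern, message):
    """The whole message must match; otherwise /ciba answers invalid_binding_message."""
    return pattern.fullmatch(message) is not None


if __name__ == "__main__":
    token = new_api_access_token()
    print("\n".join(render_token_properties("loginHintToken", [token])))
    print(encode_binding_message_pattern(r"[\w ]{4,16}"))
```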

Web API

  • /.well-known/openid-configuration

    • backchannel_token_delivery_modes_supported – New optional metadata field listing the supported CIBA token delivery modes. Omitted if CIBA is disabled.

    • backchannel_authentication_endpoint – New optional metadata field for the CIBA request endpoint URL. Omitted if CIBA is disabled.

    • backchannel_authentication_request_signing_alg_values_supported – New optional metadata field listing the supported JWS algorithms for signed CIBA requests. Empty if none. Omitted if CIBA is disabled.

    • backchannel_user_code_parameter_supported – New optional metadata field indicating the support for the CIBA user_code request parameter. Omitted if CIBA is disabled.

  • /clients

    • Supports registration of clients with the optional dpop_bound_access_tokens metadata field to require a DPoP proof JWT at the token endpoint (RFC 9449).

    • Supports registration of clients with the optional backchannel_token_delivery_mode, backchannel_authentication_request_signing_alg and backchannel_user_code_parameter metadata fields for CIBA use.

  • /ciba

    • New endpoint to receive back-channel authentication requests (CIBA). Supports signed CIBA requests. Supports all three CIBA hint types: login_hint_token, id_token_hint and login_hint. Supports the optional binding_message, user_code and requested_expiry parameters.

  • /token

    • Requires clients to submit a DPoP proof JWT when registered with a dpop_bound_access_tokens client metadata value true (RFC 9449).

    • Adds CIBA grant support using the poll mode (polling with immediate response).

  • /authz-sessions/rest/v3/

    • The authorisation session start request object receives a new optional fpt (user agent fingerprint) parameter, as a BASE64URL-safe encoded SHA-256 hash. When the authorisation session is started with a fingerprint for the user agent and there is a current subject (end-user) session with a fpt value that doesn’t match, the Connect2id server ends the current subject session and returns an authentication prompt. In all other cases the authorisation session proceeds as usual.

      The subject session fpt may be set when the session is created. After that the fpt value cannot be modified, i.e. it remains immutable until the session is ended or expires.

  • /sts/rest/v1/

    • New login_hint_token template for the STS (Secure Token Service) endpoint to issue login hint tokens for CIBA requests. Intended for end-users to securely pre-authorise a CIBA request from their native IdP app. The issued login hint token is single-use, opaque and bound to the subject session that the native IdP app has with the Connect2id server. The STS API allows setting of the login hint token lifetime and inclusion of custom data as a JSON Object, for example to specify the application context of the login hint token.

  • /ciba-sessions/rest/v1

    • New integration endpoint for handling CIBA requests.

    • /ciba-sessions/rest/v1/authorize – Protected resource for authorising pending CIBA requests (auth_req_id) after successful end-user authentication and consent, typically performed by a native IdP app. The resource is accessed by a callback token issued by the CIBARequestHandler SPI.

  • /authz-store/rest/v3/auth-req-ids

    • New protected resource, the GET method returns the current CIBA auth_req_ids for which an end-user authorisation was received and whose tokens have not yet been requested by the client.

  • /authz-store/rest/v3/inspection

    • New optional auth_req_id form parameter, inspects the pending authorisation for the specified CIBA request ID. Returns 404 if the request ID is invalid / expired. Must not be used together with another form parameter.

  • /session-store/rest/v2

    • The subject session object receives a new optional jkt (JWK thumbprint) field to bind the session to a private JWK. The thumbprint is a BASE64URL-safe encoded SHA-256 JSON Web Key (JWK) hash (RFC 7638).

    • The subject session object receives a new optional fpt (web browser or native app fingerprint) field to bind the session to a fingerprint of the user agent. The thumbprint is a BASE64URL-safe encoded SHA-256 hash.

    • Introduces new subject session object ctx (context) values NCG (native client group) and NIA (native IdP app). The device value introduced in Connect2id server 16.0 is deprecated and replaced by NCG.

  • /monitor/v1/metrics

    • cibaEndpoint.successfulRequests – New meter of successful CIBA requests.

    • cibaEndpoint.invalidRequests – New meter of CIBA requests failed with an invalid_request, unknown_user_id, invalid_binding_message or missing_user_code error.

    • cibaEndpoint.invalidClientErrors – New meter of CIBA requests failed with an invalid_client error.

    • cibaEndpoint.unauthorizedClientErrors – New meter of CIBA requests failed with an unauthorized_client error.

    • cibaEndpoint.serverErrors – New meter of CIBA requests failed with a server_error error.

    • tokenEndpoint.ciba.successfulRequests, tokenEndpoint.ciba.invalidClientErrors, tokenEndpoint.ciba.unauthorizedClientErrors, tokenEndpoint.ciba.invalidGrantErrors, tokenEndpoint.ciba.invalidScopeErrors, tokenEndpoint.ciba.serverErrors – New token endpoint meters for the CIBA grant. The CIBA-specific authorization_pending, expired_token and access_denied errors count as invalid_grant errors.

    • tokenEndpoint.ciba.handlerTimer – New token endpoint timer for handling CIBA grants.

    • authzStore.authRequestIDIssues – New meter for the issue of CIBA authentication request IDs.

    • authzStore.numGenericCodes – New gauge for the number of currently active OAuth 2.0 authorisation codes and CIBA authentication request IDs. Replaces the deprecated authzStore.numAuthzCodes gauge.

    • authzStore.numAuthzCodes – Deprecates the gauge, which will now mirror the new authzStore.numGenericCodes gauge.

    • authzStore.cibaExchanges – New meter of successful exchanges of a CIBA authentication request ID for tokens.

    • loginHintTokenStore.numTokens – New gauge for the number of stored login hint tokens.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:5.11

    • LoginHintResolver – New SPI to resolve a login_hint request parameter to a subject identifier at the OpenID provider.

    • CIBARequestHandler – New SPI to handle the end-user authentication and consent for validated CIBA requests.

Resolved issues

  • Replaces the Connect2id server integration web APIs expired_client_secret error code with a client_metadata_conflict code (issue server/1061).

  • Restores the HTTP POST entity body size checking at the token endpoint, limits the maximum size to 50 thousand characters (issue server/1062).

  • Adds HTTP POST entity body size checking at the PAR endpoint, limits the maximum size to 50 thousand characters (issue server/1068).

  • The logs of SPI implementation loading must record the canonical (full) class name, not the simple name (issue server/1063).

  • The Connect2id server must load and initialise all available AuthorizationRequestValidator SPI implementations. The rule that at most one may be configured as enabled is not affected (issue server/1065).

  • The Connect2id server must load and initialise all available PARValidator SPI implementations. The rule that at most one may be configured as enabled is not affected (issue server/1066).

  • The Connect2id server must load and initialise all available CustomTokenResponseComposer SPI implementations. The rule that at most one may be configured as enabled is not affected (issue server/1064).

  • The Connect2id server must load and initialise all available TokenIntrospectionResponseComposer SPI implementations. The rule that at most one may be configured as enabled is not affected (issue server/1067).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:5.11

  • Upgrades to com.nimbusds:oauth2-authz-store:28.8

  • Upgrades to com.nimbusds:session-store:22.1

  • Upgrades to com.nimbusds:common:3.7

  • Upgrades to com.thetransactioncompany:java-property-utils:2.1

  • Updates to com.nimbusds:oauth2-grant-handlers:1.4