
Connect2id server 18.2

CIBA improvements

This Connect2id server release refines the internal web API for handling CIBA, where the native IdP app, after obtaining the user’s consent for a CIBA request, posts the authorised scope and other token-related parameters. Because the CIBA flow is asynchronous, back-channel authorisation requests must eventually expire. A CIBA request is typically given a few minutes to be authorised or denied by the user (ignoring it is a valid action too). The Connect2id server communicates this time to both the requesting client and the native IdP app, using an expires_in parameter.

Example CIBA request acknowledgement, informing the client that the request will expire in 5 minutes (300 seconds):

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "auth_req_id" : "uo-EOVpCEZ8kGOQOn4ovDw.MDE3NzM3Y2MtZGEzMy00MDA4LTk3OWItMT...
  "expires_in"  : 300
}

The native IdP app, when dealing with a CIBA request, should take into account its expiration. If the user takes no action within that time, the IdP app should discard the request. If the IdP app submits an authorisation back to the Connect2id server for an expired CIBA request, the server will return an HTTP 401 Unauthorized error. That’s because the callback token minted for the native IdP app to submit the result has its expiration tied to the CIBA request. Starting with this release the Connect2id server will distinguish between a callback token that has expired (due to the request expiring) and a token that is otherwise invalid:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer error="invalid_token", error_description="Expired token"
Content-Type: application/json

{
  "error"             : "invalid_token",
  "error_description" : "Unauthorized: Expired token"
}
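An added example (not Connect2id code) of how a native IdP app can track the expires_in deadline, discard a CIBA request the user never acted on, and tell an "Expired token" 401 apart from any other invalid callback token by reading the WWW-Authenticate header. The `post` callable, the sample acknowledgement and the sample 401 responses are constructed for the demo and are not taken from the server.

```python
import json
import re
from dataclasses import dataclass

# Auth params of a "WWW-Authenticate: Bearer ..." header (RFC 6750 style)
_AUTH_PARAM = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class PendingCibaRequest:
    auth_req_id: str
    deadline: float  # epoch seconds after which the request must be discarded

    @classmethod
    def from_ack(cls, ack_json: str, now: float) -> "PendingCibaRequest":
        """Derive the local deadline from the server's expires_in value."""
        ack = json.loads(ack_json)
        return cls(ack["auth_req_id"], now + int(ack["expires_in"]))

    def is_expired(self, now: float) -> bool:
        return now >= self.deadline


def classify_callback_response(status: int, headers: dict) -> str:
    """Map the server's reply to the IdP app's authorise call to an outcome."""
    if status == 200:
        return "accepted"
    if status == 401:
        params = dict(_AUTH_PARAM.findall(headers.get("WWW-Authenticate", "")))
        if params.get("error") == "invalid_token":
            # Since 18.2 an expired callback token carries a distinct description
            if params.get("error_description") == "Expired token":
                return "expired"
            return "invalid_token"
    return "error"


def submit_consent(req: PendingCibaRequest, now: float, post) -> str:
    """Submit the user's consent unless the request already expired locally.
    `post` is a hypothetical injected callable standing in for the HTTP call
    to the CIBA sessions web API; it returns (status, headers)."""
    if req.is_expired(now):
        return "discarded"  # no action in time: drop it, never call the server
    status, headers = post(req.auth_req_id)
    return classify_callback_response(status, headers)


# Constructed samples: a 5 minute acknowledgement and the two 401 variants
ACK = '{"auth_req_id": "constructed-auth-req-id", "expires_in": 300}'
EXPIRED_401 = (401, {"WWW-Authenticate": 'Bearer error="invalid_token", error_description="Expired token"'})
BAD_TOKEN_401 = (401, {"WWW-Authenticate": 'Bearer error="invalid_token", error_description="Invalid token"'})
```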

Optimised SQL queries

Connect2id server deployments with an Oracle database should now see better performance and less database load in write operations, such as session creation and updates. The Oracle-specific MERGE INTO query was refactored to force the use of bind variables in the ON condition.

Deployments with PostgreSQL should see a reduction of the INSERT query sizes, after a change to remove the redundant key values in DO UPDATE SET subqueries.

Docker image updates

The minimal Docker image received these updates:

  • The underlying Ubuntu distro was bumped to 24.04 LTS (Noble)
  • The Ubuntu packages are updated as part of the image build. After the container is started, the packages can still be updated with the appropriate apt-get commands to receive security fixes and other updates.
  • Apache Tomcat now runs under its own tomcat user.
  • The Apache Tomcat version is now hidden in Tomcat-generated HTTP error responses.

Note that the signing key for the Connect2id server artifacts was rotated at the start of 2025. The old key remains at its original URL.

Download 18.2

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 18.2: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 84f454cf0a674ea6a52934bdf03dc2196c18c68fa7ae80a869b69d6022afad94

Connect2id server 18.2 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 58ca91e89ed93c62d265f9f846c667b1bb90fa3acc71b837262ec2d3f06c794f

Multi-tenant edition

Apache Tomcat package with Connect2id server 18.2: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: a7a12fedea41d8ff543b23a1c91dd62fbea9bcd80c390cdd1e68aac1195fcf8c

Connect2id server 18.2 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 048900d7055afec1bb31ea0acf799f1ae0fd8371b2799f18ffd09e21b7365443

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

18.2 (2025-05-20)

Web API

  • /ciba-sessions/rest/v1

    • The authorize resource is updated to return an “Expired token” instead of a general “Invalid token” error description in HTTP 403 Unauthorized errors (with a WWW-Authenticate header) when the callback token is expired.

Resolved issues

  • Refactors the Oracle database “MERGE INTO” queries to use bind variables in the “ON” condition. Intended as a performance improvement (issue sql-store/39, server/1083).

  • Reduces the size of PostgreSQL “INSERT INTO ON CONFLICT” queries by removing the key values in the “DO UPDATE SET” subquery (issue sql-store/39).

Dependency changes

  • Updates to com.nimbusds:c2id-server-jwkset:2.0.3

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:11.24

  • Upgrades to com.nimbusds:nimbus-jose-jwt:10.3

  • Updates to com.nimbusds:tenant-registry:9.0.2

  • Updates to com.nimbusds:c2id-server-key-store:1.7.4

  • Updates to com.nimbusds:oauth2-authz-store:28.8.1

  • Updates to com.nimbusds:session-store:22.1.1

  • Updates to com.nimbusds:infinispan-cachestore-sql:8.4

  • Upgrades to org.jooq.pro-java-17:jooq:3.20.4