
Connect2id server 19.10 protects OAuth redirects against browser-swap attacks

Connect2id server 19.10 strengthens protection against browser-swap attacks by adding validation of state and nonce parameters to prevent redirect failures and intermediary filtering. It also enables signalling of required signed request objects for FAPI deployments.

New browser-swap attack protections

Connect2id continues the rollout of security measures to mitigate potential vectors of browser swap attacks.

In version 19.6, the default lifetime of authorisation codes was reduced to make it harder for phished codes to be redeemed.

Version 19.10 introduces validation of the state parameter, to reject authorisation requests with malicious state values that may disrupt the delivery of the response to the client redirect_uri. This includes rejecting state values that would result in excessively long redirect URIs or that contain patterns likely to trigger intermediary filtering, such as Web Application Firewalls (WAFs).

The nonce parameter in OpenID authentication requests is also validated. Although typically short and opaque, unusually large or malformed values can similarly interfere with response delivery, particularly in hybrid flows using the response types code id_token, id_token, and code id_token token.

These measures reduce the risk of authorisation responses being blocked, altered, or dropped in transit, a condition that can be exploited in browser-swap attack scenarios.

Future Connect2id server releases will continue to strengthen protections, including support for client instance attestation based on the emerging OAuth standard for client attestation.

OpenID provider metadata update for FAPI deployments

Deployments, such as FAPI-compliant environments, that require signed request objects can now advertise this requirement through the require_signed_request_object OpenID provider metadata parameter. This parameter is defined in section 10.5 of RFC 9101 and enables clients to determine upfront whether signed request objects are mandatory.

Reduced footprint of Dropwizard Metrics dependencies

The unused transitive RabbitMQ client dependency of Dropwizard Metrics has been removed, reducing the Connect2id server WAR footprint. The dependency pulled in the Netty library, where a number of CVEs were recently discovered. Removing the unused dependency eliminates these findings and simplifies dependency management.

Detailed information about the new release is available in the notes below.

Download 19.10

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 19.10: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: a0d4129a16151440a3eeba334e3eb2b6e21a346b2d5301cb271bb6c6aeeec9fc

Connect2id server 19.10 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 52b17acad28767716b1a643e19763d63ef663aee8c5f2ecc2a599bae0d669902

Multi-tenant edition

Apache Tomcat package with Connect2id server 19.10: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 921cc31b7c0d6feaf5fc56c2121629a31388de2e1c23316052f94b5b97ce0d79

Connect2id server 19.10 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 3bb5e6c3cbc3dcd4f27a9f79407dd750ee6795dd8f32a5ba4360a13d45cd35e3

Questions?

For technical questions about this new release, contact Connect2id support. To purchase a production license for the Connect2id server, or to renew or upgrade your support and updates subscription, email our sales team.


Release notes

19.10 (2026-04-14)

Summary

  • Deployments configured to require signed request objects now advertise this requirement through the require_signed_request_object parameter in the OpenID provider / OAuth 2.0 authorisation server metadata.

  • Introduces length and pattern validation for the state parameter in OAuth 2.0 authorisation requests to reduce the risk of failed delivery of authorisation responses, which may be exploited as a vector for browser swap attacks.

  • Introduces validation of the nonce parameter in OpenID authentication requests, limiting its length to 128 characters and restricting characters to the BASE64URL set.

  • The client registration endpoint now enforces a maximum length of 1024 characters for the redirect_uris and post_logout_redirect_uris metadata parameters, preventing overly long URIs that may be rejected by browsers or intermediary infrastructure after appending authorisation response parameters such as iss and state.

Web API

  • /.well-known/openid-configuration

    • require_signed_request_object – New optional OpenID provider metadata parameter, as defined in RFC 9101. When true all clients must be registered with a JWS algorithm for signed request objects, and all authorisation requests must include a signed request object (JWT), either passed via the request parameter or by reference via request_uri. This requirement also applies to pushed authorisation requests (PAR).

      Controlled by the op.authz.alwaysRequireSignedRequestJWT configuration property. Defaults to false if not set.

  • /par

    • Enforces limits on the state parameter to reduce the risk of failed redirects due to excessive URL length or intermediary filtering:

      • For response modes that append state to the client redirect_uri, the maximum allowed length is 1024 characters. The resulting redirection URI, after appending the state parameter, must not exceed 2048 characters.

      • For the form_post response mode, where state is returned in the HTTP response body, the maximum allowed length is 8192 characters.

      The server also rejects state values that are malformed or that contain patterns likely to be blocked or altered by intermediaries such as Web Application Firewalls (WAFs).

      Requests that fail the state parameter check are rejected with an invalid_request error.

    • Enforces a limit of 128 characters on the nonce parameter in OpenID authentication requests. The server also rejects nonce values that contain characters outside the BASE64 URL-safe set.

      Requests that fail the nonce parameter check are rejected with an invalid_request error.

  • /authz-sessions/rest/v3/

    • Enforces limits on the state parameter to reduce the risk of failed redirects due to excessive URL length or intermediary filtering:

      • For response modes that append state to the client redirect_uri, the maximum allowed length is 1024 characters. The resulting redirection URI, after appending the state parameter, must not exceed 2048 characters.

      • For the form_post response mode, where state is returned in the HTTP response body, the maximum allowed length is 8192 characters.

      The server also rejects state values that are malformed or that contain patterns likely to be blocked or altered by intermediaries such as Web Application Firewalls (WAFs).

      Requests that fail the state parameter check are rejected with a non-redirecting invalid_request error.

    • Enforces a limit of 128 characters on the nonce parameter in OpenID authentication requests. The server also rejects nonce values that contain characters outside the BASE64 URL-safe set.

      Requests that fail the nonce parameter check are rejected with an invalid_request error.

  • /clients/

    • Enforces a maximum allowed length of 1024 characters for the redirect_uris and post_logout_redirect_uris client metadata parameters. Longer URIs are rejected with an HTTP 400 (Bad Request) error and appropriate error description.
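The state, nonce and registered-URI limits listed above for the /par, /authz-sessions/rest/v3/ and /clients/ endpoints, written out as a stand-alone validator in Python. This is an added example, not Connect2id server code: the server's WAF-pattern heuristics are not published here, so only the documented length and alphabet rules are implemented, and the nonce alphabet is assumed to be the unpadded BASE64URL set of RFC 4648 section 5.

```python
"""Length / alphabet checks modelled on the Connect2id 19.10 release notes.

Added example, not Connect2id code. Only the published numeric limits are
implemented; the server's intermediary-filtering (WAF) pattern checks are not.
"""
import re
from typing import Optional
from urllib.parse import urlencode

MAX_STATE_REDIRECT = 1024          # state appended to the redirect_uri
MAX_REDIRECT_URI_WITH_STATE = 2048  # redirect_uri + state, as finally emitted
MAX_STATE_FORM_POST = 8192         # state carried in the form_post body
MAX_NONCE = 128
MAX_REGISTERED_URI = 1024          # redirect_uris / post_logout_redirect_uris
# Assumption: unpadded BASE64URL alphabet, so '=' is rejected.
BASE64URL_RE = re.compile(r"[A-Za-z0-9_-]+")


def check_state(state: str, redirect_uri: str,
                response_mode: str = "query") -> Optional[str]:
    """Return None if state is acceptable, else an invalid_request reason."""
    if response_mode == "form_post":
        # state travels in the HTML form body, not in a URL
        if len(state) > MAX_STATE_FORM_POST:
            return "state exceeds 8192 characters for form_post"
        return None
    if len(state) > MAX_STATE_REDIRECT:
        return "state exceeds 1024 characters"
    # Build the smallest redirect the AS would have to emit (URI + state only;
    # code / iss would make it longer) and apply the 2048 overall limit.
    sep = "&" if "?" in redirect_uri else "?"
    final_uri = redirect_uri + sep + urlencode({"state": state})
    if len(final_uri) > MAX_REDIRECT_URI_WITH_STATE:
        return "redirection URI with state exceeds 2048 characters"
    return None


def check_nonce(nonce: str) -> Optional[str]:
    """Return None if nonce is acceptable, else an invalid_request reason."""
    if len(nonce) > MAX_NONCE:
        return "nonce exceeds 128 characters"
    if not BASE64URL_RE.fullmatch(nonce):
        return "nonce contains characters outside the BASE64URL alphabet"
    return None


def check_registered_uri(uri: str) -> Optional[str]:
    """Registration-time check for redirect_uris / post_logout_redirect_uris."""
    if len(uri) > MAX_REGISTERED_URI:
        return "URI exceeds 1024 characters (HTTP 400 at registration)"
    return None
```

Note that the per-field limits (1024 + 1024) do not add up to the overall 2048 limit once the separator and percent-encoding are counted, so a maximal state with a maximal redirect_uri is still rejected.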

Resolved issues

  • Updates the Connect2id server packaging scripts to change the default Apache Tomcat server.xml configuration so that servlet container-generated error pages do not expose report / stack trace details (issue server / 1179).

  • Excludes com.rabbitmq:amqp-client as transitive dependency of io.dropwizard.metrics:metrics-graphite. Connect2id server does not support Graphite reporting via RabbitMQ and the dependency is unused (issue server / 1182).

Dependency changes

  • Updates to com.nimbusds:nimbus-jose-jwt:10.8

  • Updates to com.nimbusds:c2id-server-jwkset:3.0

  • Updates to com.nimbusds:c2id-server-key-store:1.9

  • Updates to Log4j 2.25.4

  • Updates to net.thisptr:jackson-jq:1.6.1

  • Excludes com.rabbitmq:amqp-client from io.dropwizard.metrics:metrics-graphite