
Connect2id server 19.11

Connect2id server 19.11 introduces a small but useful configuration improvement for service-oriented deployments, restores interoperability following the 19.10 security update, and enhances the jwks-gen.jar tool to support Microsoft Entra ID external MFA provider requirements.

Optional authorisation endpoint

The op.authz.endpoint configuration property is now optional.

This enables deployments that don’t need to handle front-channel authorisation requests to disable the OAuth 2.0 authorisation endpoint entirely. The change is relevant for setups that rely exclusively on back-channel grants, such as:

  • client credentials – for service-to-service access without a user
  • password – for legacy or tightly controlled environments where the client directly collects user credentials
  • token exchange – to obtain tokens on behalf of another token or identity
  • CIBA – for decoupled user authentication flows without browser redirects
  • JWT bearer – to exchange a trusted JWT assertion for an access token
  • SAML 2.0 bearer – to exchange a SAML 2.0 assertion for an access token

When the authorisation endpoint is disabled:

  • The Connect2id server no longer exposes the authorisation endpoint.
  • The authorization_code grant type is no longer advertised in the OpenID provider metadata. Related OpenID Connect metadata parameters are also omitted.

This results in a cleaner configuration and a more accurate representation of the server’s capabilities.
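A deployment that disables the endpoint can confirm that the published OpenID Provider metadata actually reflects it. The checker below is an added example (not Connect2id server code) that takes the discovery document as a dict and flags front-channel features still advertised without an authorization_endpoint. The sample metadata documents are constructed, and which metadata parameters the server omits beyond the authorization_code grant is my assumption: here every response_type is treated as front-channel, since response_type is an authorisation-request parameter.

```python
import json

# Grants that cannot work without an authorisation endpoint.
FRONT_CHANNEL_GRANTS = {"authorization_code", "implicit"}


def check_metadata(metadata: dict) -> list:
    """Return inconsistencies between the presence of authorization_endpoint
    and what the rest of the metadata advertises. Empty list = consistent."""
    findings = []
    has_authz = "authorization_endpoint" in metadata
    grants = set(metadata.get("grant_types_supported", []))
    response_types = metadata.get("response_types_supported", [])

    if has_authz:
        if not grants & FRONT_CHANNEL_GRANTS:
            findings.append("authorization_endpoint present but no "
                            "front-channel grant type advertised")
        return findings

    for grant in sorted(grants & FRONT_CHANNEL_GRANTS):
        findings.append(f"{grant} advertised but authorization_endpoint is absent")
    # Assumption: every response_type is requested at the authorisation
    # endpoint, so none should be advertised once the endpoint is gone.
    if response_types:
        findings.append("response_types_supported advertised but "
                        "authorization_endpoint is absent")
    return findings


def check_metadata_json(text: str) -> list:
    """Same check over the raw JSON document fetched from the discovery URL."""
    return check_metadata(json.loads(text))


# Constructed metadata for a service-only deployment (not real server output).
SERVICE_ONLY = {
    "issuer": "https://c2id.example.com",
    "token_endpoint": "https://c2id.example.com/token",
    "jwks_uri": "https://c2id.example.com/jwks.json",
    "grant_types_supported": [
        "client_credentials",
        "urn:ietf:params:oauth:grant-type:token-exchange",
    ],
}

# Constructed metadata that still advertises front-channel features.
INCONSISTENT = dict(SERVICE_ONLY,
                    grant_types_supported=["client_credentials", "authorization_code"],
                    response_types_supported=["code"])

# Constructed metadata for a conventional deployment with the endpoint enabled.
WITH_AUTHZ = dict(SERVICE_ONLY,
                  authorization_endpoint="https://c2id.example.com/login",
                  grant_types_supported=["authorization_code", "client_credentials"],
                  response_types_supported=["code"])

if __name__ == "__main__":
    for name, meta in [("service-only", SERVICE_ONLY),
                       ("inconsistent", INCONSISTENT),
                       ("with-authz", WITH_AUTHZ)]:
        print(name, check_metadata(meta) or "OK")
```

Run it against the JSON served at the issuer's discovery URL after the upgrade; an empty result for the service-only case means clients cannot be misled into attempting a redirect-based flow the server no longer serves.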

Nonce validation update to restore client library interop

Connect2id server 19.10 introduced validation for the nonce parameter in OpenID authentication requests, as part of a broader defence strategy against browser-swap attacks. While effective from a security perspective, the original restriction to BASE64 URL-safe characters can be too strict in practice.

Following customer feedback, the validator has been updated to also accept:

  • Characters from the standard BASE64 set
  • The dot (.) character

This restores compatibility with OpenID Connect client libraries that generate nonce values outside the URL-safe subset, while still maintaining reasonable validation boundaries.
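To make the boundary concrete, here is an added example (my code, not the Connect2id validator) that implements both the 19.10 rule and the relaxed 19.11 rule described above and classifies sample nonce values against them. The samples are constructed; treating the '=' padding character as part of "the standard BASE64 set", and the 1024-character length cap, are my assumptions.

```python
import re

# 19.10 rule as described above: BASE64URL alphabet only.
URL_SAFE_NONCE = re.compile(r"[A-Za-z0-9_-]+")

# 19.11 rule: additionally the standard BASE64 characters ('+', '/' and the
# '=' padding, my reading of "the standard BASE64 set") and the dot.
RELAXED_NONCE = re.compile(r"[A-Za-z0-9_\-+/=.]+")

# Upper bound on length; assumption, the release notes give no figure.
MAX_NONCE_LENGTH = 1024


def is_valid_nonce(nonce, pattern=RELAXED_NONCE) -> bool:
    """True if the nonce is a non-empty string of permitted characters."""
    if not isinstance(nonce, str) or not nonce:
        return False
    if len(nonce) > MAX_NONCE_LENGTH:
        return False
    return pattern.fullmatch(nonce) is not None


def classify(nonce) -> str:
    """Report which rule a client-generated nonce passes."""
    if is_valid_nonce(nonce, URL_SAFE_NONCE):
        return "accepted by 19.10 and 19.11"
    if is_valid_nonce(nonce):
        return "rejected by 19.10, accepted by 19.11"
    return "rejected by both"


# Constructed samples resembling what various client libraries emit.
SAMPLES = [
    "n-0S6_WzA2Mj",            # BASE64URL, the common case
    "abc+def/ghi==",           # standard BASE64 with padding
    "1713430000.3f9a2c",       # dotted timestamp-style value
    "nonce with spaces",       # whitespace never allowed
    "<script>",                # markup never allowed
    "",                        # empty never allowed
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:24} {classify(sample)}")
```

The relaxed pattern still rejects whitespace, markup and control characters, which is what keeps the nonce safe to echo back into an ID token and into logs.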

JWK generator update for Microsoft Entra ID MFA interop

The Connect2id server JWK set generator has been updated to support deployments acting as an external MFA provider for Microsoft Entra ID.

Recent interoperability requirements from Entra ID mandate a very specific structure for the published JWK set used to validate ID token signatures. In particular, the set must contain only RSA signing keys, each carrying a self-signed X.509 certificate (x5c) and the certificate's SHA-1 thumbprint (x5t).

To help with these requirements, the JWK generator now supports additional options:

  • -noEC -noEdDSA -noEnc — ensure only RSA signing keys are included
  • -x5cSelfSigned — generate a self-signed X.509 certificate for each key
  • -x5cSubject — set the certificate subject (typically the issuer domain)
  • -x5cValidityDays — define the certificate validity period
  • -x5t — include the SHA-1 thumbprint of the certificate

A typical command to generate a compliant JWK set:

java -jar jwks-gen.jar op \
  -noEC -noEdDSA -noEnc \
  -x5cSelfSigned \
  -x5cSubject <domain> \
  -x5cValidityDays <days> \
  -x5t \
  -b64 jwkSet.json.b64

The resulting BASE64URL-encoded JWK set can then be used as a static key configuration for the Connect2id server.
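Before pointing Entra ID at the generated key set, it is worth checking the decoded JWK set against the requirements listed above. The following is an added example (not part of jwks-gen.jar or the Connect2id server) that decodes the BASE64URL file, then verifies that every key is an RSA signing key with an x5c entry whose SHA-1 thumbprint matches its x5t, as RFC 7517 defines x5t. The sample key set is constructed: the certificate bytes are a labelled placeholder rather than a real DER certificate, and the RSA parameters are placeholders, because only the x5c/x5t relationship is being exercised.

```python
import base64
import hashlib
import json


def b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def encode_jwk_set(jwk_set: dict) -> str:
    """Encode a JWK set the way 'jwks-gen.jar -b64' writes it (BASE64URL JSON)."""
    return b64url_nopad(json.dumps(jwk_set).encode("utf-8"))


def load_b64url_jwk_set(text: str) -> dict:
    """Decode a BASE64URL-encoded JWK set file, tolerating missing padding."""
    text = text.strip()
    raw = base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    return json.loads(raw.decode("utf-8"))


def check_entra_jwk_set(jwk_set: dict) -> list:
    """Return findings against the requirements described above;
    an empty list means the set passes."""
    findings = []
    keys = jwk_set.get("keys", [])
    if not keys:
        return ["JWK set contains no keys"]
    for key in keys:
        kid = key.get("kid", "<no kid>")
        if key.get("kty") != "RSA":
            findings.append(f"{kid}: kty {key.get('kty')!r}, only RSA keys are allowed")
            continue
        if key.get("use", "sig") != "sig":
            findings.append(f"{kid}: use {key['use']!r}, only signing keys are allowed")
        chain = key.get("x5c")
        if not chain:
            findings.append(f"{kid}: x5c certificate missing")
            continue
        # x5c entries are standard-BASE64 DER; x5t is BASE64URL(SHA-1(DER))
        # of the first certificate in the chain (RFC 7517).
        der = base64.b64decode(chain[0])
        expected = b64url_nopad(hashlib.sha1(der).digest())
        if key.get("x5t") != expected:
            findings.append(f"{kid}: x5t {key.get('x5t')!r} does not match SHA-1 of x5c[0]")
    return findings


# Constructed stand-in for a DER certificate; NOT a real X.509 structure.
FAKE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"


def make_rsa_key(kid: str, cert_der: bytes, use: str = "sig", x5t=None) -> dict:
    """Build a JWK with placeholder RSA parameters and a consistent x5c/x5t pair
    (or a deliberately wrong x5t when one is passed in)."""
    return {
        "kty": "RSA", "kid": kid, "use": use, "alg": "RS256",
        "n": "placeholder-modulus", "e": "AQAB",
        "x5c": [base64.b64encode(cert_der).decode("ascii")],
        "x5t": x5t or b64url_nopad(hashlib.sha1(cert_der).digest()),
    }


GOOD_SET = {"keys": [make_rsa_key("rsa-1", FAKE_CERT_DER)]}
BAD_SET = {"keys": [
    {"kty": "EC", "kid": "ec-1", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"},
    make_rsa_key("rsa-enc", FAKE_CERT_DER, use="enc"),
    make_rsa_key("rsa-bad-x5t", FAKE_CERT_DER, x5t="AAAA"),
]}

if __name__ == "__main__":
    print(check_entra_jwk_set(load_b64url_jwk_set(encode_jwk_set(GOOD_SET))) or "GOOD_SET: OK")
    print(check_entra_jwk_set(BAD_SET))
```

In practice, read jwkSet.json.b64 into `load_b64url_jwk_set` and fail the deployment step if `check_entra_jwk_set` returns anything; the EC, encryption and mismatched-thumbprint keys in BAD_SET are exactly the shapes that the -noEC -noEdDSA -noEnc and -x5t options exist to prevent.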

The release notes below have more information.

Download 19.11

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 19.11: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: af4117589205e003efc8457883cbcef092b1d7c44e08b7404c745b1fabc996d7

Connect2id server 19.11 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: d9dec2219070b0948fb6e91d6b90e8cae6b9d1b1ced58b6483530c078708108a

Multi-tenant edition

Apache Tomcat package with Connect2id server 19.11: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 1227ab89bad4f3d38a14f0781418d6295286e5b7bd67610872b59fee9eda2782

Connect2id server 19.11 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 98db15bf3b0329d2d5f3888de0e4f799cd13cfe641e2529c64b81dd5faeec24e

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

19.11 (2026-04-18)

Summary

  • The op.authz.endpoint configuration property is now optional, enabling Connect2id server deployments that do not require front-channel authorisation requests to disable the OAuth 2.0 authorisation endpoint entirely. This is useful for service-oriented setups that rely solely on back-channel grants, such as client_credentials or urn:ietf:params:oauth:grant-type:token-exchange, simplifying configuration. When the endpoint is disabled, the server no longer advertises support for the authorization_code grant type and related parameters in its OpenID Provider metadata.

  • The nonce parameter validator introduced in 19.10 has been updated following customer reports of compatibility issues with certain OpenID Connect client libraries. The original validation restricted values to the BASE64 URL-safe character set, which proved too strict in practice. The updated validator now also accepts characters from the standard BASE64 set, as well as the dot (.), restoring interoperability while maintaining appropriate input validation safeguards.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.authz.endpoint – Made optional to allow deployments with the OAuth 2.0 authorisation endpoint disabled. When disabled, support for the authorization_code grant type and all related parameters is no longer advertised in the OpenID Provider metadata.

Resolved issues

  • Updates the nonce parameter validator introduced in 19.10 to also allow characters from the BASE64 set, as well as the dot (.). Previously, only characters from the BASE64 URL-safe set were accepted, which caused compatibility issues with some OpenID Connect client libraries (issue server / 1183).

  • The Connect2id server now validates that configured *.apiAccessTokenSHA256.* token hashes are exactly 256 bits in length. If a hash has an invalid length, the server aborts startup with an error. Previously, such misconfigurations would only surface as 401 Unauthorized responses when accessing the API. This change ensures configuration errors are detected earlier (issue common / 64).

  • A client registration request with all unsupported OAuth 2.0 grant types must result in an invalid_client_metadata error, not in the special-case grant-less client metadata (issue server / 1185).

  • Prevent registrations of clients whose OAuth 2.0 grant types consist of refresh_token only (issue server / 1186).
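Two of the resolved issues above are fail-fast validation rules, and both are easy to reproduce in isolation. The block below is an added example (my code, not the Connect2id server's) that implements the 256-bit length check on configured *.apiAccessTokenSHA256.* hashes and the client-registration grant-type rules from issues 1185 and 1186. Assumptions: the hash may be hex or BASE64URL encoded (the page does not say which encodings the server accepts), the property names in the sample configuration are constructed on the pattern the page gives, the set of supported grant types is constructed, and an empty grant_types list is taken to be the grant-less special case the notes mention.

```python
import base64
import binascii
import hashlib
import re


def parse_sha256_hash(value: str) -> bytes:
    """Decode a configured token hash and return the raw 32-byte digest.
    Accepts 64 hex characters or BASE64URL (assumption: which encodings the
    server takes is not stated). Raises ValueError for any other length."""
    value = value.strip()
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        raw = bytes.fromhex(value)
    else:
        try:
            raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"not hex or BASE64URL: {exc}") from None
    if len(raw) != 32:
        raise ValueError(f"expected a 256-bit hash, got {len(raw) * 8} bits")
    return raw


def is_valid_sha256_hash(value: str) -> bool:
    try:
        parse_sha256_hash(value)
        return True
    except ValueError:
        return False


def check_api_token_hashes(config: dict) -> list:
    """Startup-style check over every *.apiAccessTokenSHA256.* property;
    a non-empty result means the server should refuse to start rather than
    surface the mistake later as 401 responses."""
    errors = []
    for name, value in config.items():
        if "apiAccessTokenSHA256" not in name:
            continue
        try:
            parse_sha256_hash(value)
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
    return errors


# Constructed set of grant types the server is configured to support.
SUPPORTED_GRANTS = {"client_credentials", "refresh_token",
                    "urn:ietf:params:oauth:grant-type:token-exchange"}


def validate_registration_grant_types(requested, supported=SUPPORTED_GRANTS):
    """Return None if the requested grant_types are acceptable, else the
    OAuth 2.0 dynamic registration error code to respond with."""
    requested = set(requested)
    if not requested:
        return None  # grant-less client: assumed to be the special case kept for an empty list
    if requested - supported:
        return "invalid_client_metadata"  # unsupported grant types never collapse into the grant-less case
    if requested == {"refresh_token"}:
        return "invalid_client_metadata"  # a refresh token can only be issued by another grant
    return None


# Constructed configuration with two good hashes and two bad ones.
GOOD_HEX = hashlib.sha256(b"constructed-token").hexdigest()
GOOD_B64 = base64.urlsafe_b64encode(
    hashlib.sha256(b"constructed-token").digest()).rstrip(b"=").decode("ascii")
SAMPLE_CONFIG = {
    "op.apiAccessTokenSHA256": GOOD_HEX,
    "authzStore.apiAccessTokenSHA256.1": GOOD_B64,
    "authzStore.apiAccessTokenSHA256.2": GOOD_HEX[:60],   # truncated: not 256 bits
    "sessionStore.apiAccessTokenSHA256": "not-a-hash",
    "op.issuer": "https://c2id.example.com",               # unrelated, ignored
}

if __name__ == "__main__":
    for error in check_api_token_hashes(SAMPLE_CONFIG):
        print("startup abort:", error)
    for grants in ([], ["refresh_token"], ["implicit"], ["client_credentials", "refresh_token"]):
        print(grants, "->", validate_registration_grant_types(grants) or "accepted")
```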

Dependency changes

  • Updates to com.nimbusds:commons:3.9.1

  • Updates to commons-codec:commons-codec:1.21.0