Connect2id server 19.12

Connect2id server 19.12 introduces a new low-level plugin interface (SPI) for intercepting OAuth 2.0 authorisation and OpenID authentication requests before they are processed. It also refines the state parameter validation introduced in 19.10.

Authorisation request interception SPI

Connect2id server 19.12 upgrades the server SDK to v5.16, adding a new SPI for intercepting authorisation requests.

The interceptor is invoked for OAuth 2.0 authorisation requests and OpenID authentication requests before the server performs its normal request processing. It can inspect and optionally modify the received request parameters at this early stage.

This makes the SPI useful for cases where the request must be adjusted before parsing, validation, JAR handling, client lookup or later custom validation can take place.

Typical uses include:

  • Mapping non-standard parameters such as audience to resource (RFC 8707), where this is required by a deployment.
  • Translating legacy comma-separated scope values to the standard space-delimited form.
  • Adjusting non-standard prompt values.

The interceptor can also be used for early diagnostic logging of received or transformed request parameters, with appropriate redaction. This can help troubleshoot client interoperability issues, gateway rewrites and malformed requests before they are rejected by the Connect2id server in later processing.

The SPI is invoked for both regular authorisation requests and pushed authorisation requests (PAR). For PAR, the interceptor is invoked at the PAR endpoint. When the continued request with a PAR request_uri is later received at the authorisation endpoint, the interceptor is not invoked again.
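The three normalisations listed above, written out as an added Java example (not Connect2id's own code or the SDK's interface): the `Map<String, List<String>>` parameter representation, the `normalise()` entry point, the prompt alias table and the redaction list are assumptions made for the example, and wiring it into the real `AuthorizationRequestInterceptor` SPI depends on the method signature in c2id-server-sdk 5.16, which is not shown on this page. Requires Java 11 or later.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;

/**
 * Normalisation of raw authorisation request parameters of the kind an
 * AuthorizationRequestInterceptor could apply before the server parses them.
 * The Map<String, List<String>> representation, the normalise() entry point
 * and the alias tables are assumptions made for this example; the real SPI
 * method signature comes from the c2id-server-sdk and is not reproduced here.
 */
public final class AuthzRequestNormaliser {

    private static final Logger LOG = Logger.getLogger(AuthzRequestNormaliser.class.getName());

    // Parameters whose values never reach a log line (assumed list).
    private static final Set<String> REDACTED =
            Set.of("request", "state", "nonce", "code_challenge", "client_secret");

    // Deployment-specific prompt aliases -> standard values (assumed mapping).
    private static final Map<String, String> PROMPT_ALIASES =
            Map.of("force_login", "login", "signup", "create");

    private AuthzRequestNormaliser() {}

    /** Returns a normalised copy; the input map is left untouched. */
    public static Map<String, List<String>> normalise(Map<String, List<String>> in) {
        Map<String, List<String>> out = new LinkedHashMap<>(in);

        // 1. audience -> resource (RFC 8707). A client that already sends the
        //    standard resource parameter wins; the legacy alias is dropped.
        List<String> audience = out.remove("audience");
        if (audience != null && !out.containsKey("resource")) {
            out.put("resource", new ArrayList<>(audience));
        }

        // 2. Legacy comma-separated scope -> space-delimited, duplicates dropped.
        List<String> scope = out.get("scope");
        if (scope != null) {
            List<String> fixed = new ArrayList<>(scope.size());
            for (String v : scope) {
                fixed.add(String.join(" ", tokens(v)));
            }
            out.put("scope", fixed);
        }

        // 3. Non-standard prompt values mapped to their standard equivalents.
        List<String> prompt = out.get("prompt");
        if (prompt != null) {
            List<String> fixed = new ArrayList<>(prompt.size());
            for (String v : prompt) {
                List<String> mapped = new ArrayList<>();
                for (String p : tokens(v)) {
                    mapped.add(PROMPT_ALIASES.getOrDefault(p, p));
                }
                fixed.add(String.join(" ", mapped));
            }
            out.put("prompt", fixed);
        }

        // Early diagnostic logging of the transformed request, redacted.
        LOG.fine(() -> "Normalised authz request: " + redactedView(out));
        return out;
    }

    /** Splits on commas and/or whitespace, keeping first-seen order, no duplicates. */
    static List<String> tokens(String raw) {
        List<String> result = new ArrayList<>();
        for (String t : raw.trim().split("[,\\s]+")) {
            if (!t.isEmpty() && !result.contains(t)) {
                result.add(t);
            }
        }
        return result;
    }

    /** Diagnostic rendering with sensitive parameter values masked. */
    static String redactedView(Map<String, List<String>> params) {
        StringBuilder sb = new StringBuilder("{");
        params.forEach((k, v) -> {
            if (sb.length() > 1) sb.append(", ");
            sb.append(k).append('=').append(REDACTED.contains(k) ? "[redacted]" : v);
        });
        return sb.append('}').toString();
    }

    public static void main(String[] args) {
        // Constructed sample request from a legacy client.
        Map<String, List<String>> raw = new LinkedHashMap<>();
        raw.put("response_type", List.of("code"));
        raw.put("client_id", List.of("legacy-app"));
        raw.put("scope", List.of("openid,profile,email"));
        raw.put("audience", List.of("https://api.example.com"));
        raw.put("prompt", List.of("force_login"));
        raw.put("state", List.of("af0ifjsldkj"));
        System.out.println(redactedView(normalise(raw)));
    }
}
```

The `audience` alias is only promoted when the client did not send `resource` itself, so a conforming client is never overridden by the compatibility rule. The redacted view is what should reach a log at this stage: `request` (a JAR can carry anything), `state` and `nonce` are masked, while the structural parameters needed to diagnose a gateway rewrite remain visible.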

State validation update to restore client library interop

Connect2id server 19.10 introduced validation for the state parameter in OAuth 2.0 authorisation requests. The validation was added to reduce the risk of failed authorisation response delivery caused by excessive URL length, malformed values or patterns likely to be blocked by intermediaries such as Web Application Firewalls. Preventing authorisation response delivery failure at client redirect_uris is important, as part of a broader defence strategy against browser-swap attacks.

Following feedback from 19.10 and 19.11 deployments, the pattern checks have now been relaxed.

The updated validation keeps the important safeguards against excessive length and clearly problematic input, while avoiding overly strict pattern rejection for values generated by existing client libraries.

Requests rejected because of a disallowed state value are now also logged at INFO level under OP6607. When a pattern check is triggered, the log message includes the pattern that caused the rejection, making the reason easier to diagnose.
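A state check of the shape described above, as an added Java example rather than the Connect2id server's implementation: a length bound plus a short list of named patterns, where a rejection records which check fired so the reason is visible in the log. The limit of 1024 characters, the two patterns, the log message format and the `reasonToReject`/`accept` names are assumptions for this example; the real validator's limits and patterns are not given on this page. Requires Java 11 or later.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.logging.Logger;
import java.util.regex.Pattern;

/**
 * Illustrative state parameter check: an upper length bound plus a short list
 * of named patterns, with the triggered check recorded on rejection. The
 * bound, the pattern list and the log message format are assumed for this
 * example and are not those of the Connect2id server.
 */
public final class StateParamCheck {

    private static final Logger LOG = Logger.getLogger(StateParamCheck.class.getName());

    // Assumed bound. The state is echoed back in the redirect URL, so an
    // oversized value can push the whole authorisation response past what the
    // client, the browser or an intermediary will accept.
    static final int MAX_LENGTH = 1024;

    // Assumed patterns, deliberately narrow so that opaque values produced by
    // common client libraries (base64url, UUIDs, hex, JWT-like) pass unchanged.
    static final List<Map.Entry<String, Pattern>> DISALLOWED = List.of(
            Map.entry("control-character", Pattern.compile("\\p{Cntrl}")),
            Map.entry("markup-like", Pattern.compile("<\\s*[a-zA-Z!/?]")));

    private StateParamCheck() {}

    /** Empty when the value is acceptable, otherwise the reason for rejection. */
    public static Optional<String> reasonToReject(String state) {
        if (state == null) {
            return Optional.empty(); // state is optional in OAuth 2.0
        }
        if (state.length() > MAX_LENGTH) {
            return Optional.of("length " + state.length() + " exceeds " + MAX_LENGTH);
        }
        for (Map.Entry<String, Pattern> e : DISALLOWED) {
            if (e.getValue().matcher(state).find()) {
                return Optional.of("pattern " + e.getKey() + " /" + e.getValue() + "/");
            }
        }
        return Optional.empty();
    }

    /** Checks and logs at INFO; the state value itself is never written to the log. */
    public static boolean accept(String clientId, String state) {
        Optional<String> reason = reasonToReject(state);
        reason.ifPresent(r -> LOG.info(() ->
                "Rejected authz request from client " + clientId + ": state not allowed, " + r));
        return reason.isEmpty();
    }

    public static void main(String[] args) {
        // Constructed samples.
        System.out.println(accept("app-1", "af0ifjsldkj"));              // typical opaque value
        System.out.println(accept("app-1", "eyJhbGciOiJub25lIn0.e30."));  // JWT-like value
        System.out.println(accept("app-2", "abc\u0000def"));             // control character
        System.out.println(accept("app-3", "x".repeat(2048)));            // over the length bound
    }
}
```

Naming each pattern is what makes the INFO line actionable: an operator seeing `pattern control-character` can tell a broken client from a gateway rewrite without having to reproduce the request, and keeping the pattern list short is what avoids rejecting the well-formed but unusual values that client libraries legitimately generate.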

The release notes below have more information.

Download 19.12

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 19.12: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 5cc0a8e6c130fc5c41ccfab9f12c51bb6ce0a5e76ed85826dad039499a4aaa2e

Connect2id server 19.12 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: fce80424410817f50f93c6159f965dca725c4f85f14a656c1370e96d573532b0

Multi-tenant edition

Apache Tomcat package with Connect2id server 19.12: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 32a3112c10d8c6a3b26c6f626ce1dddd4248b8e2806dbbb04344da56e31d67cc

Connect2id server 19.12 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 4be75621bdf65137373a2750ad4e2fa3903b5c3a32b975ba6d4e82086056546d

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

19.12 (2026-04-29)

Summary

  • New AuthorizationRequestInterceptor SPI, a low-level plugin hook for intercepting and optionally modifying OAuth 2.0 authorisation and OpenID authentication request parameters before they are processed by the Connect2id server. Unlike the existing AuthorizationRequestValidator and PARValidator SPIs, which operate after initial parsing and client resolution, the interceptor runs on the raw incoming parameters, making it suitable for request normalisation, compatibility fixes and early diagnostic logging that must occur before standard validation can take place.

    Example use cases include mapping non-standard parameters such as audience to resource, translating legacy comma-separated scope values to the standard space-delimited form, and adjusting non-standard prompt values. This enables Connect2id server deployments to support older or non-conforming clients.

    The interceptor can also be used to log raw or transformed requests (with appropriate redaction) to aid troubleshooting of interoperability issues.

  • The state parameter validation introduced in 19.10 has been refined following interoperability feedback. While the original checks aimed to prevent malformed or WAF-sensitive values that could lead to browser-swap attack vectors, some of the pattern restrictions proved too strict for certain client implementations. The updated validation relaxes these pattern checks to restore compatibility, while continuing to enforce safeguards against excessive length and clearly problematic input.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:5.16

    • AuthorizationRequestInterceptor – New SPI for intercepting and optionally modifying the parameters of OAuth 2.0 authorisation / OpenID authentication requests before they are processed.

      The SPI is invoked for both regular authorisation requests and pushed authorisation requests (PAR). For PAR the SPI is invoked at the PAR endpoint; when the continued request with a PAR request_uri is received at the authorisation endpoint the SPI is not invoked.

Resolved issues

  • Adds DEBUG level logging of the raw posted form parameters at the PAR endpoint, under OP6604, mirroring the existing DEBUG level logging at the authorisation endpoint under OP2110 (issue server / 1187).

  • Adds DEBUG level logging of the resolved JWT-secured authorisation requests (JAR) at the PAR and authorisation endpoints, under OP6606 (issue server / 1192).

  • Updates the state parameter validator introduced in 19.10 to relax the disallowed pattern checks, which caused compatibility issues with some client libraries (issue server / 1188).

  • Adds INFO level logging of authorisation requests rejected due to a state parameter that is not allowed, under OP6607. The log message includes the triggered pattern for parameters that failed the pattern check (issue server / 1193).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:5.16

  • Updates to org.bouncycastle:bcprov-jdk18on:1.84

  • Updates to org.bouncycastle:bcpkix-jdk18on:1.84