Connect2id server 19.13
Connect2id server 19.13 introduces dedicated timeouts for bootstrapped web sessions and a new authorisation code age metric.
Dedicated timeouts for bootstrapped web sessions
Since version 19.6, Connect2id server has supported web session bootstrap, enabling mobile users to move between native and web experiences without repeated authentication.
Until now, bootstrapped web sessions inherited the default session timeout settings configured for all subject sessions.
Version 19.13 introduces dedicated timeout settings for bootstrapped web sessions:
- op.webSessionBootstrap.maxLifetime – the maximum lifetime of a bootstrapped web session (default 1440 minutes, i.e. 1 day)
- op.webSessionBootstrap.maxIdleTime – the maximum idle time of a bootstrapped web session (default 60 minutes, i.e. 1 hour)
These settings allow deployments to apply shorter lifetimes and idle timeouts to bootstrapped sessions without affecting existing web login flows. For example, a deployment may choose to allow regular browser sessions to persist for days while limiting bootstrapped sessions to a much shorter lifetime.
New authorisation code age histogram
The release also adds a new authzStore.codeAgeAtExchange histogram metric.
The metric records the age of OAuth 2.0 authorisation codes at the time they are redeemed at the token endpoint. By observing real-world client behaviour, deployments can determine how quickly their clients typically exchange codes and use that data to tune the authzStore.code.lifetime setting.
Many deployments configure authorisation code lifetimes conservatively because they lack visibility into client behaviour. The new metric removes much of that guesswork by providing direct operational data.
Reducing authorisation code lifetimes is one of the practical measures available today to reduce exposure to browser-swap attacks. In these attacks, an attacker obtains an unredeemed authorisation code after a legitimate user completes authentication and consent. Shorter code lifetimes reduce the time window in which a stolen code remains useful.
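As an added example (not code from the announcement or from the Connect2id server), a small Python helper that reads the authzStore.codeAgeAtExchange histogram from a saved /monitor/v1/metrics response and proposes a tighter authzStore.code.lifetime. The Dropwizard-style JSON layout (count, min, max, mean, p50 ... p999), the sample numbers and the helper's name are assumptions; the metric name, endpoint path and configuration key are from the page.

```python
import json
import math
from typing import Optional

HISTOGRAM = "authzStore.codeAgeAtExchange"

# Constructed sample of a /monitor/v1/metrics response, trimmed to the
# histogram of interest. The Dropwizard-style field layout is assumed.
# Values are code ages in seconds, as stated in the release notes.
SAMPLE_METRICS = json.dumps({
    "histograms": {
        HISTOGRAM: {
            "count": 12450, "min": 0.0, "max": 41.0, "mean": 1.8,
            "p50": 1.0, "p75": 2.0, "p95": 4.0, "p98": 6.0,
            "p99": 9.0, "p999": 27.0, "stddev": 2.3
        }
    }
})


def code_age_histogram(metrics_json: str) -> Optional[dict]:
    """Return the code-age histogram from a metrics document, or None if absent."""
    doc = json.loads(metrics_json)
    return doc.get("histograms", {}).get(HISTOGRAM)


def recommend_code_lifetime(metrics_json: str, current_lifetime_s: int,
                            min_samples: int = 1000, percentile: str = "p999",
                            headroom: float = 3.0, floor_s: int = 30) -> Optional[int]:
    """Suggest a reduced authorisation code lifetime (seconds) from observed code ages.

    Returns None when the histogram is missing or has too few samples to act on.
    The proposal is the chosen percentile times a headroom factor, rounded up,
    never below floor_s and never above the current lifetime: this helper only
    ever proposes a reduction, which is the direction that narrows the window
    in which a stolen, unredeemed code stays usable.
    """
    hist = code_age_histogram(metrics_json)
    if hist is None or hist.get("count", 0) < min_samples:
        return None
    # Histogram uses a uniform reservoir, so the percentiles reflect the whole
    # process lifetime rather than only recent traffic (see comment below).
    observed = hist[percentile]
    candidate = max(floor_s, math.ceil(observed * headroom))
    return min(candidate, current_lifetime_s)
```

Because the metric uses a uniform reservoir, read it after the server has served a representative period of traffic; a fresh restart resets the sample, and a change in client behaviour shows up only gradually.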
Download 19.13
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 19.13: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 78c5fdbc7609b39e7a7ebd8be95da9ea819ae807181c05f066b17d3efdec2fa8
Connect2id server 19.13 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: f3905b155e31552e4ea5aa3a48710f33096af1532a69e9d4a42fe60bd310376a
Multi-tenant edition
Apache Tomcat package with Connect2id server 19.13: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: cdf19bcc08be5f9975c8c9a2388d1419fb6ecc07e7ccebe3a858a9af009b983e
Connect2id server 19.13 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 1e083c6757bb3b3fbc2285962bce2db4fca83a09ca9fadf8b9992f22d92de826
Questions?
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
19.13 (2026-06-16)
Summary
- Connect2id server deployments that allow native applications to bootstrap web sessions with the IdP can now configure dedicated timeout settings for the bootstrapped sessions, instead of relying on the default sessionStore.maxLifetime and sessionStore.maxIdleTime properties that apply to all sessions.
- Adds an authzStore.codeAgeAtExchange histogram metric to monitor the age of OAuth 2.0 authorisation codes at the time of exchange. The metric can help deployments tune the authzStore.code.lifetime setting based on observed client behaviour, allowing the authorisation code lifetime to be reduced without affecting legitimate clients and thereby narrowing the window for browser-swap and similar attacks.
Configuration
- /WEB-INF/oidcProvider.properties
  - op.webSessionBootstrap.maxLifetime – New optional configuration property to specify the maximum lifetime of bootstrapped web sessions. A negative value implies no time limit. Must not be zero. The default value is 1440 minutes (1 day).
  - op.webSessionBootstrap.maxIdleTime – New optional configuration property to specify the maximum idle time of bootstrapped web sessions. A negative value implies no time limit. Must not be zero. The default value is 60 minutes (1 hour).
Web API
- /monitor/v1/metrics
  - authzStore.codeAgeAtExchange – New histogram of the age of authorisation codes at the time of exchange, in seconds. Uses a uniform reservoir.
Resolved issues
- The Connect2id server must reject configurations with a non-positive op.webSessionBootstrap.tokenLifetime value (issue server / 1202).
- The Connect2id server must reject configurations with a non-positive op.webSessionBootstrap.maxAgeIDToken value (issue server / 1203).
- The Connect2id server must assign an indefinite (-1) authentication lifetime to bootstrapped web sessions (issue server / 1204).
- Fixes a regression introduced in 7.10.1 (2019-04-25) that caused the op.logout.backChannel.httpReadTimeout configuration property to be ignored after the underlying HTTP client for back-channel logout notifications was replaced (issue server / 1205).
Dependency changes
- Updates to com.nimbusds:oauth2-authz-store:28.16