
Connect2id server 19.14

Connect2id server 19.14 introduces more precise logout error reporting and configurable validation of OAuth 2.0 state parameter patterns.

Dedicated id_token_hint_sub_mismatch logout error

The release introduces a dedicated id_token_hint_sub_mismatch error code for relying-party-initiated logout requests in which the subject (sub) of the supplied ID token hint doesn’t match the subject of the current OpenID Provider session.

Note that this situation can legitimately occur in OpenID providers that support multiple concurrent sessions, or session switching between user identities. The new error code enables applications to distinguish this case from other invalid ID token hint errors and provide more specific user feedback.

Configurable state parameter validation

Version 19.14 adds an op.authz.allowUnsafeStatePatterns configuration property to permit state parameter patterns that are normally rejected because they may trigger Web Application Firewall (WAF) rules and prevent the authorisation response from reaching the client.

The validation remains enabled by default as a defence against specially crafted state values that could facilitate browser-swap attacks.
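As an added example (not Connect2id code), the relying-party pattern that removes the need for op.authz.allowUnsafeStatePatterns: keep state an opaque random token bound to the browser session, and store any return-URL or routing data server-side instead of embedding it in the state. The safe character set and length limit are assumptions for this example, not the server's actual pattern checks.

```python
import hmac
import secrets
import string
from dataclasses import dataclass, field

# Assumed safe set: RFC 3986 "unreserved" characters, which never need
# URL-encoding and are unlikely to match WAF signatures. This is an
# assumption for the example, not the Connect2id server's own rule set.
SAFE_STATE_CHARS = frozenset(string.ascii_letters + string.digits + "-._~")
MAX_STATE_LEN = 256  # assumed limit for this example


def new_state(num_bytes: int = 32) -> str:
    """Return an opaque, unguessable state value (URL-safe base64 alphabet)."""
    return secrets.token_urlsafe(num_bytes)


def is_safe_state(state: str) -> bool:
    """True if the state uses only unreserved URI characters and a sane length."""
    return 0 < len(state) <= MAX_STATE_LEN and all(c in SAFE_STATE_CHARS for c in state)


@dataclass
class StateStore:
    """Server-side map from opaque state to the data an RP might otherwise
    have packed into the state value (return URL, etc.)."""
    pending: dict = field(default_factory=dict)

    def issue(self, return_to: str, session_id: str) -> str:
        """Create a state for a new authorisation request, bound to this browser session."""
        state = new_state()
        self.pending[state] = {"return_to": return_to, "session_id": session_id}
        return state

    def consume(self, state: str, session_id: str):
        """Validate the state on the redirect back: single use and bound to the
        session that started the flow. Returns the stored data, or None."""
        entry = self.pending.pop(state, None)  # burn it whether or not it checks out
        if entry is None:
            return None
        if not hmac.compare_digest(entry["session_id"], session_id):
            # Response arrived in a different browser session than the one that
            # started the flow: the browser-swap / CSRF case the check defends against.
            return None
        return entry
```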

Download 19.14

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 19.14: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: a17227da1dadc1bed9b091acc7ac0372d4a09f1569ac9e1ef43287662ed04eec

Connect2id server 19.14 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: b06a518273c9a00b3d66e5f3cf4b5c8ebdf848bcce4b680378a82ac35f916eed

Multi-tenant edition

Apache Tomcat package with Connect2id server 19.14: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 483670ebf9e0af2f38e6f6ca33a366d77437b432d44a5383866775e714eb55ca

Connect2id server 19.14 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 6c71741ab3533967b3e0ab7e42da59918daf4b2f04c55d6190082e3c07042f0a

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

19.14 (2026-06-30)

Summary

  • Introduces a dedicated id_token_hint_sub_mismatch error code for relying-party-initiated logout requests where the subject (sub) in the ID token hint (id_token_hint) doesn’t match the current OpenID provider session subject. Note that this condition can legitimately occur in deployments that support multiple concurrent sessions or session switching between identities, such as when a user initiates logout for a primary work account while currently signed in to an administrator account at the OpenID provider. The new error code enables applications to distinguish this case from other invalid ID token hint errors and provide more specific user feedback.

  • Introduces an optional configuration property to permit OAuth 2.0 state parameter patterns that are normally rejected because they may trigger Web Application Firewall (WAF) rules and prevent the authorisation response from being delivered to the client. The check is enabled by default as a defence against specially crafted state values that could facilitate browser-swap attacks.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.authz.allowUnsafeStatePatterns – New optional configuration property to permit OAuth 2.0 state parameter patterns that are normally rejected because they may trigger Web Application Firewall (WAF) rules and prevent the authorisation response from being delivered to the client. The default value is false.

Web API

  • /logout-sessions/rest/v1/

    • Introduces a dedicated id_token_hint_sub_mismatch error code for relying-party-initiated logout requests rejected because the subject in the ID token hint (id_token_hint) doesn’t match the current OpenID provider session subject. Previously, this condition produced the general invalid_id_token_hint error code.

Resolved issues

  • Improves the resilience of OpenID Connect back-channel logout notification dispatch. An unexpected synchronous failure while preparing or scheduling a logout token delivery for one relying party is now logged and no longer prevents delivery attempts to the remaining relying parties in the subject session (issue server / 1200).

Dependency changes

  • Updates to net.thisptr:jackson-jq:1.6.2

  • Updates to com.fasterxml.jackson.core:jackson-annotations:2.22

  • Updates to com.fasterxml.jackson.core:jackson-databind:2.22.0