
Connect2id server 19.2

This Connect2id server release introduces DPoP proof time window metrics and control.

The DPoP token type was conceived as an alternative to the client X.509 certificate bound tokens, to cater for client applications that require the security of sender-constrained access tokens, but cannot use mutual TLS (mTLS). SPAs for instance face the issue that browsers lack a suitable JavaScript API - fetch/XHR doesn’t expose mTLS flows in a controllable way.

DPoP replaces the concept of the certificate with a self-signed JWT, called the DPoP proof.

For the proof to be considered valid, the Connect2id server ensures that the proof iat (issued-at time) is fairly recent (among other things). This time check is sensitive to clock differences between client and server. For instance, the client clock may have drifted ahead of the server clock, resulting in iat timestamps in the future.

New metrics are now made available to monitor the iats of received DPoP proofs, for the token and UserInfo endpoints combined.

  • dPoP.iatOffset – Histogram of the difference in seconds between the current system time and the iat claims of DPoP proofs.
  • dPoP.iatTooOld – Meters rejected DPoP proofs due to iat timestamps which were too old.
  • dPoP.iatInFuture – Meters rejected DPoP proofs due to iat timestamps which were too far ahead in the future.

There is also a new metric to monitor replay rejections:

  • dPoP.rejectedReplay – Meters DPoP proofs rejected due to replay.

The Connect2id server had a hard-wired configuration that allowed the iat timestamps to be within ±120 seconds of the current system time. This time window can now be freely adjusted with the help of these optional properties:

  • dpop.proofMaxClockSkew – Maximum permitted DPoP proof iat clock skew, in seconds. A proof with an iat in the future is accepted if it is within this tolerance. Must not exceed the proof max age. The default value is 120 seconds.
  • dpop.proofMaxAge – Maximum accepted DPoP proof iat age relative to the current system time, in seconds. Bounds how long a proof remains valid after issue, which limits replay. The default value is 120 seconds.

There is more information about the new release in the notes below.

Download 19.2

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 19.2: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 031bb66a199f828faee2c675c536df742c28c029b64e91d0da9afe7f6dd01314

Connect2id server 19.2 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 7480441977a508ea910561c1cde4428840768cd7b42ff5fd4fdf4a39e9419bf2

Multi-tenant edition

Apache Tomcat package with Connect2id server 19.2: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: c947b18d53ae26e4987b3a9b7cd9045059cf70ff851d638ca14183811d308f7a

Connect2id server 19.2 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 08cdf63036fc40a65997bcf37107db4571c6d5182b6d88d377f1290591fc4a8b

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

19.2 (2025-09-01)

Summary

  • New configuration properties for the DPoP proof validation, to control the accepted time window for the iat claim in a DPoP proof. Their purpose is to prevent unnecessary proof rejections due to time differences between clients and the Connect2id server. The default settings preserve the previous hard-wired behaviour, allowing the iat to be within ±120 seconds of the current system time.

  • New DPoP proof metrics: a histogram of the time offset between the server clock and the DPoP proof iat claims, and meters for proofs rejected because the iat is too old or too far in the future, or due to replay.

Configuration

  • /WEB-INF/oidcProvider.properties

    • dpop.proofMaxClockSkew – New optional configuration property for the maximum permitted DPoP proof iat clock skew, in seconds. A proof with iat in the future is accepted if it is within this skew tolerance. Intended to prevent rejections due to client and Connect2id server system time differences. Must not exceed op.dpop.proofMaxAge. The default value is 120 seconds.

    • dpop.proofMaxAge – New optional configuration property for the maximum accepted DPoP proof iat age relative to the current system time, in seconds. Intended to limit replay by bounding how long a proof is valid after issue. Must not be shorter than op.dpop.proofMaxClockSkew. The default value is 120 seconds.

Web API

  • /monitor/v1/metrics

    • dPoP.iatOffset – New histogram of the difference between the server system time and DPoP proof iat claims. For DPoP proofs received at the token and UserInfo endpoints.

    • dPoP.iatTooOld – New meter of rejected DPoP proofs with an iat that is older than the configured op.dpop.proofMaxAge. For DPoP proofs received at the token and UserInfo endpoints.

    • dPoP.iatInFuture – New meter of rejected DPoP proofs with an iat that is ahead of the configured op.dpop.proofMaxClockSkew. For DPoP proofs received at the token and UserInfo endpoints.

    • dPoP.rejectedReplay – New meter of DPoP proofs rejected due to replay. For DPoP proofs received at the token and UserInfo endpoints.
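The following is an added illustration, not Connect2id server code, of how the two time-window properties and the four metrics above relate: `iat` offsets are measured as server time minus `iat`, a proof is rejected when it is older than the max age or further ahead than the permitted skew, and an accepted proof's `jti` is remembered until it would have aged out anyway so that a repeat inside the window counts as a replay. The property defaults, the skew-not-greater-than-age rule and the metric names follow the release notes; the class and method names and the in-memory `jti` cache are assumptions.

```python
from dataclasses import dataclass, field

# Defaults preserve the previous hard-wired ±120 s window (per the release notes).
DEFAULT_MAX_CLOCK_SKEW = 120  # dpop.proofMaxClockSkew, seconds
DEFAULT_MAX_AGE = 120         # dpop.proofMaxAge, seconds


@dataclass
class DPoPWindowConfig:
    max_clock_skew: int = DEFAULT_MAX_CLOCK_SKEW  # how far in the future an iat may be
    max_age: int = DEFAULT_MAX_AGE                # how far in the past an iat may be

    def __post_init__(self):
        # The release notes state the skew must not exceed the max age.
        if self.max_clock_skew > self.max_age:
            raise ValueError("dpop.proofMaxClockSkew must not exceed dpop.proofMaxAge")


@dataclass
class DPoPMetrics:
    # Mirrors the four /monitor/v1/metrics entries named in the release notes.
    iat_offset: list = field(default_factory=list)  # dPoP.iatOffset histogram samples
    iat_too_old: int = 0                            # dPoP.iatTooOld
    iat_in_future: int = 0                          # dPoP.iatInFuture
    rejected_replay: int = 0                        # dPoP.rejectedReplay


class DPoPProofChecker:
    """Hypothetical time-window and replay check over already-verified proof claims."""

    def __init__(self, config, metrics):
        self.config = config
        self.metrics = metrics
        self._seen = {}  # jti -> time until which a replay must still be caught

    def check(self, claims, now):
        """Return 'ok' or the rejection reason for the proof's iat and jti."""
        offset = now - claims["iat"]  # positive: iat in the past, negative: in the future
        self.metrics.iat_offset.append(offset)
        if offset > self.config.max_age:
            self.metrics.iat_too_old += 1
            return "iat_too_old"
        if -offset > self.config.max_clock_skew:
            self.metrics.iat_in_future += 1
            return "iat_in_future"
        # Drop jti entries whose proof would now fail the max-age check anyway.
        self._seen = {j: exp for j, exp in self._seen.items() if exp >= now}
        jti = claims["jti"]
        if jti in self._seen:
            self.metrics.rejected_replay += 1
            return "replay"
        self._seen[jti] = claims["iat"] + self.config.max_age
        return "ok"
```

Because an accepted proof is cached only until `iat + max_age`, shrinking `dpop.proofMaxAge` also shrinks the replay window the server has to remember.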

Resolved issues

  • OpenID authentication requests with a max_age parameter set to 0 (zero) (identical to a prompt=login_required) must result in an ID token that includes the auth_time claim (issue server / 1113).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:11.28