Connect2id server 19.2
This Connect2id server release introduces DPoP proof time window metrics and control.
The DPoP token type was conceived as an alternative to the client X.509 certificate bound tokens, to cater for client applications that require the security of sender-constrained access tokens, but cannot use mutual TLS (mTLS). SPAs for instance face the issue that browsers lack a suitable JavaScript API - fetch/XHR doesn’t expose mTLS flows in a controllable way.
DPoP replaces the concept of the certificate with a self-signed JWT, called the DPoP proof.
For the proof to be considered valid, the Connect2id server ensures that the proof iat (issued-at time) is fairly recent (among other things). This time check is sensitive to clock differences between client and server. For instance, the client clock may have drifted ahead of the server clock, resulting in iat timestamps in the future.
New metrics are now made available to monitor the iat claims of received DPoP proofs, for the token and UserInfo endpoints combined.
dPoP.iatOffset – Histogram of the difference in seconds between the current system time and the iat claims of DPoP proofs.
dPoP.iatTooOld – Meters rejected DPoP proofs due to iat timestamps which were too old.
dPoP.iatInFuture – Meters rejected DPoP proofs due to iat timestamps which were too far ahead in the future.
There is also a new metric to monitor replay rejections:
dPoP.rejectedReplay – Meters DPoP proofs rejected due to replay.
The Connect2id server had a hard-wired configuration that allowed the iat timestamps to be within ±120 seconds of the current system time. This time window can now be freely adjusted with the help of two new optional configuration properties, described in the release notes below.
There is more information about the new release in the notes below.
Download 19.2
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 19.2: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 031bb66a199f828faee2c675c536df742c28c029b64e91d0da9afe7f6dd01314
Connect2id server 19.2 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 7480441977a508ea910561c1cde4428840768cd7b42ff5fd4fdf4a39e9419bf2
Multi-tenant edition
Apache Tomcat package with Connect2id server 19.2: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: c947b18d53ae26e4987b3a9b7cd9045059cf70ff851d638ca14183811d308f7a
Connect2id server 19.2 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 08cdf63036fc40a65997bcf37107db4571c6d5182b6d88d377f1290591fc4a8b
Questions?
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
19.2 (2025-09-01)
Summary
- New configuration properties for the DPoP proof validation, to control the accepted time window for the iat claim in a DPoP proof. Their purpose is to prevent unnecessary proof rejections due to time differences between clients and the Connect2id server. The default settings preserve the previous hard-wired behaviour, allowing the iat to be within ±120 seconds of the current system time.
- New DPoP proof metrics: a histogram of the time offset between the server clock and the DPoP proof iat claims, and meters for proofs rejected because the iat is too old, too far in the future, or due to replay.
Configuration
- /WEB-INF/oidcProvider.properties
  - dpop.proofMaxClockSkew – New optional configuration property for the maximum permitted DPoP proof iat clock skew, in seconds. A proof with iat in the future is accepted if it is within this skew tolerance. Intended to prevent rejections due to client and Connect2id server system time differences. Must not exceed op.dpop.proofMaxAge. The default value is 120 seconds.
  - dpop.proofMaxAge – New optional configuration property for the maximum accepted DPoP proof iat age relative to the current system time, in seconds. Intended to limit replay by bounding how long a proof is valid after issue. Must not be shorter than op.dpop.proofMaxClockSkew. The default value is 120 seconds.
Web API
- /monitor/v1/metrics
  - dPoP.iatOffset – New histogram of the difference between the server system time and DPoP proof iat claims. For DPoP proofs received at the token and UserInfo endpoints.
  - dPoP.iatTooOld – New meter of rejected DPoP proofs with an iat that is older than the configured op.dpop.proofMaxAge. For DPoP proofs received at the token and UserInfo endpoints.
  - dPoP.iatInFuture – New meter of rejected DPoP proofs with an iat that is ahead of the configured op.dpop.proofMaxClockSkew. For DPoP proofs received at the token and UserInfo endpoints.
  - dPoP.rejectedReplay – New meter of DPoP proofs rejected due to replay. For DPoP proofs received at the token and UserInfo endpoints.
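To make the iat window concrete, here is an added Python model (not Connect2id code) of the check described in the announcement and in the Configuration and Web API sections: it classifies a proof's iat against proofMaxAge and proofMaxClockSkew, counts outcomes the way the dPoP.* meters do, and keeps replay memory only as long as a proof can still be accepted. The function names, the jti-based replay store and recording an offset sample for every received proof are assumptions, not documented server behaviour.

```python
"""Model of the DPoP proof iat window check and the related dPoP.* metrics."""
from dataclasses import dataclass, field

# Defaults taken from the release notes: op.dpop.proofMaxAge and
# op.dpop.proofMaxClockSkew are both 120 seconds.
PROOF_MAX_AGE = 120
PROOF_MAX_CLOCK_SKEW = 120


def validate_window_config(max_age: int, max_clock_skew: int) -> None:
    """Documented constraint: the skew tolerance must not exceed the max age."""
    if max_clock_skew > max_age:
        raise ValueError("proofMaxClockSkew must not exceed proofMaxAge")


@dataclass
class DPoPMetrics:
    """Counters mirroring the metrics exposed at /monitor/v1/metrics."""
    iat_offset: list = field(default_factory=list)  # dPoP.iatOffset samples (s)
    iat_too_old: int = 0                            # dPoP.iatTooOld
    iat_in_future: int = 0                          # dPoP.iatInFuture
    rejected_replay: int = 0                        # dPoP.rejectedReplay
    seen_jti: dict = field(default_factory=dict)    # jti -> iat (assumed store)


def check_proof(metrics: DPoPMetrics, jti: str, iat: int, now: int,
                max_age: int = PROOF_MAX_AGE,
                max_clock_skew: int = PROOF_MAX_CLOCK_SKEW) -> str:
    """Return 'ok', 'too_old', 'in_future' or 'replay' for one DPoP proof."""
    validate_window_config(max_age, max_clock_skew)
    offset = now - iat                 # positive: issued in the past
    metrics.iat_offset.append(offset)  # assumed: sampled for every proof
    if offset > max_age:               # iat older than proofMaxAge
        metrics.iat_too_old += 1
        return "too_old"
    if -offset > max_clock_skew:       # iat further ahead than the skew
        metrics.iat_in_future += 1
        return "in_future"
    # A jti only needs remembering while its proof could still pass the
    # age check, so entries older than proofMaxAge are dropped first.
    for old_jti, old_iat in list(metrics.seen_jti.items()):
        if now - old_iat > max_age:
            del metrics.seen_jti[old_jti]
    if jti in metrics.seen_jti:
        metrics.rejected_replay += 1
        return "replay"
    metrics.seen_jti[jti] = iat
    return "ok"
```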
Resolved issues
- OpenID authentication requests with a max_age parameter set to 0 (zero) (identical to a prompt=login_required) must result in an ID token that includes the auth_time claim (issue server / 1113).
Dependency changes
- Updates to com.nimbusds:oauth2-oidc-sdk:11.28