Skip to content
Connect2id
Connect2id server

Connect2id server 19.6 introduces a web session bootstrap endpoint

Integrated web session bootstrap for native apps

Connect2id server 19.6 introduces a groundbreaking feature - a web session bootstrap endpoint. This new capability allows authorised native clients to initialise a WebView with a pre-established session for authenticated end-users. By skipping the user authentication step, web applications loaded in the WebView can benefit from a seamless login experience.

Key features of the integrated web session bootstrap:

  • No more redundant logins - users stay authenticated as they move between native and web apps.

  • Flexible configuration - deployments can control the acr and amr attributes of the bootstrapped web sessions, for example by assigning them from the original ID token for the authenticated end-user.

  • Supports DPoP (RFC 9449) and mTLS (RFC 8705), ensuring that web sessions are tied to the same client instance that obtained the ID token.

  • The access tokens for bootstrapping are single-use and short-lived, minimising exposure.

Use of the web session bootstrap endpoint is explained in the guide.

Connect2id server deployments that have implemented such a bootstrap using a token exchange grant handler plugin can continue using that, or switch to the new, built-in capability.

Reduced code lifetimes to protect against browser-swap attacks

To mitigate the risk of browser-swap attacks Connect2id 19.6 shortens the lifetime of authorization codes (see authzStore.code.lifetime):

  • Minimum: 1 second
  • Maximum: 180 seconds
  • Default: 60 seconds

This reduces the opportunity for browser-swap attackers to misuse stolen codes, while still providing legitimate clients with sufficient time to complete their token requests.

SPI updates

Plugins implementing the TokenExchangeGrantHandler SPI can now request introspection of locally issued ID tokens. Previously this task required plugins to implemented their own ID token signature and claims validation.

Dependency updates

This release updates Log4j to address CVE-2025-68161, a medium vulnerability that affected the Socket Appender. Other Log4j appenders were not affected.

More information about this new release can be found in the notes below.

Download 19.6

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 19.6: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 3a455706ebdbd275e283df18f058c87348fc699f748530f9a515564faebdbb11

Connect2id server 19.6 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: d1e24fc976032e00cdde7dd065dcd179a418ba3f364c652dc407380e22b03431

Multi-tenant edition

Apache Tomcat package with Connect2id server 19.6: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 843f14e416328689d6fe66132d4ce22772923dcd124da65d77a573a4afe3f69e

Connect2id server 19.6 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 7e22cb3f0dcc88f459d759c20320fda70b6ce4ebe7caf63e54c247b4ee2dffcd

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

19.6 (2026-02-02)

Summary

  • A new web session bootstrap endpoint allows authorised native clients to
    initialise a WebView with a pre-established session for an authenticated subject (end-user) at the Connect2id server. Web applications loaded in the WebView that rely on the Connect2id server can then skip the user authentication step, providing a seamless login experience.

    The web session bootstrap endpoint is disabled by default. To enable it, the op.webSessionBootstrap.enable configuration property must be set to true, and the op.webSessionBootstrap.cookie.name configuration property must be set to the name of the cookie that stores the Connect2id server session ID for the subject (end-user). Additional optional configuration properties are available to configure policies for the cookies and the bootstrapped web sessions, such as the authentication strength (ACR value) to assign to them.

    For a client to bootstrap a web session, it must possess an ID token for the logged-in end-user. The ID token must have been issued with a scope that includes the web_session_bootstrap value (or the scope value specified by
    op.webSessionBootstrap.tokenScope), in addition to the required openid value and any other scope values. ID tokens authorised for web session bootstrap include a boolean wsb (web session bootstrap) claim to indicate consent.

    To obtain an access token for the web session bootstrap endpoint, the client must submit a token exchange (RFC 8693) request to the Connect2id server, using the ID token as the subject_token. The maximum allowed age of ID token (determined by the iat claim) for web session bootstrap is controlled by the op.webSessionBootstrap.cookie.maxAgeIDToken configuration property. The exp (expiration-time) claim of the ID token is ignored, as it’s intended for validation by the client when the token is first received.

    For clients that support DPoP (RFC 9449), the entire flow - ID token issuance, token exchange, and web session bootstrap - can be DPoP bound. This ensures that web sessions are created by the same client instance that obtained the ID token (applicable to for native clients, such as mobile and desktop applications). Client X.509 certificate binding (RFC 8705) of the flow is also supported.

  • Reduced the minimum, maximum, and default lifetimes of authorization codes (authzStore.code.lifetime) to 1 second (minimum), 180 seconds (maximum), and 60 seconds (default). This adjustment mitigates the risk of browser swap attacks and phishing-based authorisation code theft. By shortening the window during which codes are valid, the likelihood of an attacker successfully using a stolen code is significantly reduced. The configured lifetime should be long enough for legitimate clients to redeem them, even in high-latency environments.

  • Connect2id server plugins implementing the TokenExchangeGrantHandler SPI (for the OAuth 2.0 token exchange grant, specified in RFC 8693) are able to request introspection of received subject tokens that are locally issued ID tokens.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.webSessionBootstrap.enable – New optional configuration property that enables / disables the web session bootstrap endpoint. Disabled by default.

    • op.webSessionBootstrap.tokenScope – New optional configuration property that specifies the scope value for a client to request an ID token enabled for web session bootstrap, and then to exchange the ID token for an access tokens for the web session bootstrap endpoint. The default value is web_session_bootstrap.

    • op.webSessionBootstrap.tokenLifetime – New optional configuration property that specifies the lifetime of the access tokens for the web session bootstrap endpoint, in seconds. The default value is 60 seconds.

    • op.webSessionBootstrap.cookie.name – New optional configuration property that specifies the name of the cookie used by the login page (see op.authz.endpoint) to store the subject (end-user) session ID. Required when the web session bootstrap endpoint is enabled.

    • op.webSessionBootstrap.cookie.domain – New optional configuration property that specifies the domain of the cookie that stores the subject (end-user) session ID. If omitted, the cookie uses the default domain.

    • op.webSessionBootstrap.cookie.path – New optional configuration property that specifies the path of the cookie that stores the subject (end-user) session ID. The default value is /.

    • op.webSessionBootstrap.cookie.secure – New optional configuration property that specifies the “Secure” attribute of the cookie that stores the subject (end-user) session ID. The default value is true.

    • op.webSessionBootstrap.cookie.httpOnly – New optional configuration property that specifies the “HttpOnly” attribute of the cookie that stores the subject (end-user) session ID. The default value is true.

    • op.webSessionBootstrap.cookie.sameSite – New optional configuration property that specifies the “SameSite” attribute of the cookie that stores the subject (end-user) session ID. The supported values are LAX and STRICT. The default value is LAX.

    • op.webSessionBootstrap.cookie.maxAgeIDToken – New optional configuration property that specifies the maximum allowed age of ID tokens (iat claim) that clients may use to bootstrap web sessions, in seconds. The default value is 2592000 seconds (30 days).

    • op.webSessionBootstrap.assumeIDTokenACR – New optional boolean configuration property that specifies whether bootstrapped web sessions are assigned the ACR value from the ID token acr claim (if present). If false, the ACR may instead be set via op.webSessionBootstrap.defaultACR. The default value is false.

    • op.webSessionBootstrap.defaultACR – New optional configuration property that specifies the ACR value to assign to bootstrapped web sessions if no ACR is assigned from the ID token. If blank, no default ACR is assigned.

    • op.webSessionBootstrap.assumeIDTokenAMR – New optional boolean configuration property that specifies whether bootstrapped web sessions are assigned the AMR values from the ID token amr claim (if present). If false, the AMR may instead be set via op.webSessionBootstrap.defaultAMR. The default value is false.

    • op.webSessionBootstrap.defaultAMR – New optional configuration property that specifies the AMR value(s) to assign to bootstrapped web sessions if no AMR is assigned from the ID token, as a comma and / or space separated list. If blank, no default AMR is assigned.

  • /WEB-INF/authzStore.properties

    • authzStore.code.lifetime – Reduces the minimum, maximum and default lifetimes of authorisation codes. The minimum lifetime is reduced from 60 seconds to 1 seconds. The maximum lifetime is reduced from 600 seconds to 180 seconds. The default lifetime is reduced from 300 seconds to 60 seconds.

Web API

  • /token

    • Supports issue of ID tokens authorised for web session bootstrap. They include a boolean wsb (web session bootstrap) claim, with a value of true.

      The Connect2id server supports the following OAuth 2.0 grant types for issuing ID tokens authorised for web session bootstrap:

      • authorization_code

      • password

      • urn:ietf:params:oauth:grant-type:jwt-bearer

      • urn:ietf:params:oauth:grant-type:saml2-bearer

      • urn:ietf:params:oauth:grant-type:token-exchange

      The implicit grant type is also supported, however its use is not
      recommended due to security concerns.

      ID tokens issued for web session bootstrap include a cnf.jkt (JSON Web Key thumbprint confirmation) claim, if the token request included a DPoP proof. For token requests which include an X.509 client certificate, the ID token includes a cnf.x5t#S256 (X.509 certificate SHA-256 thumbprint confirmation) claim.

    • Supports a proprietary token exchange (RFC 8693) profile to issue access tokens for the new web session bootstrap endpoint.

      • The grant_type must be urn:ietf:params:oauth:grant-type:token-exchange.

      • The subject_token must be a locally issued ID token with the wsb (web session bootstrap) claim set to true. The exp claim of the ID token is ignored. The iat claim must not be older than the configured op.webSessionBootstrap.cookie.maxAgeIDToken property.

      • The subject_token_type_hint must be urn:ietf:params:oauth:token-type:id_token.

      • The scope parameter must include the web_session_bootstrap scope value, or the value configured in the op.webSessionBootstrap.tokenScope configuration property.

      • If the ID token was issued with a DPoP binding, the token request must include a DPoP header with the DPoP proof constructed for the subject_token. The DPoP proof must include the ath (access token hash) claim computed as the SHA-256 hash of the ID token.

      • If the ID token was issued with a client X.509 certificate binding, the token request must include the client’s X.509 certificate.

      The issued access token is a short-lived, single-use, identifier-based (opaque) token, which audience is to the issuer URL (op.issuer) and its scope web_session_bootstrap, or the value configured in the op.webSessionBootstrap.tokenScope configuration property.

  • /web-session-bootstrap/rest/v1/

    • New web API resource for authorised native clients to bootstrap Connect2id server web sessions for an authenticated subject (end-user). The bootstrap is performed by making an HTTP POST request with an Authorization header containing the access token. The following token schemes are supported: Bearer, for bearer access tokens and client certificate-bound token, and DPoP.

      If the access token is DPoP bound, the HTTP request must include a DPoP header with the DPoP proof constructed for the access token. The DPoP proof must include the ath (access token hash) claim computed as the BASE64URL-encoded SHA-256 hash of the access token.

      If the access token is client X.509 certificate-bound, the HTTP request must include the client’s X.509 certificate.

      On success the resource returns a Set-Cookie HTTP response header,
      which the client can use to initialise the cookie jar for a WebView.

      Bootstrapped web sessions include the following members in the data JSON object:

      • bootstrap – JSON object with members:

        • client_id – The ID of the client that bootstrapped the session.

        • id_token – Selected claims from the ID token was used to bootstrap the session:

          • iat – The iat (issued-at) claim of the ID token.

          • auth_time – The auth_time claim of the ID token (if present).

          • acr – The acr (authentication context class reference) claim of the ID token (if present).

          • amr – The amr (authentication methods references) claim of the ID token (if present).

  • /monitor/v1/metrics

    • wsbEndpoint.successfulRequests – New meter of successful web session bootstrap endpoint requests.

    • wsbEndpoint.invalidRequestErrors – New meter of web session bootstrap endpoint requests rejected with an HTTP 400 Bad Request error.

    • wsbEndpoint.forbiddenErrors – New meter of web session bootstrap endpoint requests rejected with an HTTP 403 Forbidden error.

    • wsbEndpoint.invalidTokenErrors – New meter of web session bootstrap endpoint requests rejected with an HTTP 401 Unauthorized error.

    • wsbEndpoint.serverErrors – New meter of web session bootstrap endpoint requests rejected with an HTTP 500 Internal Server Error error.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:5.15

    • Plugins implementing the TokenExchangeGrantHandler SPI (for the OAuth 2.0 token exchange grant, specified in RFC 8693) are able to request introspection of received subject tokens that are locally issued ID tokens. If the ID token issuer matches the OpenID provider issuer, the identifier of the requesting client (client_id) is found in the token audience (aud) and the token signature is valid, the introspection result returns the ID token claims. The ID token validation ignores the token expiration time (exp).

      The introspection of locally issued ID tokens is made available via a new
      getIDTokenClaims method of the TokenIntrospection argument.

      Token exchange plugins may use this method to implement custom web session bootstrap logic in Connect2id server deployments.

Resolved issues

  • Native client group SSO token exchange must ensure the registered client scope metadata parameter includes the device_sso scope value. Previously, the Connect2id server allowed SSO to proceed for a client by only checking that the received ID token and device_secret were valid, and that their subject matches. Token exchange for native SSO will now be rejected with an OAuth 2.0 unauthorized_client error if the client scope metadata parameter doesn’t include the requisite device_sso scope value. The event is logged at INFO level under OP7112 (issue server / 1146).

  • Adds native client group SSO logging at INFO level for these client errors: ID token subject doesn’t match the session subject (OP7113), ID token ds_hash hash (OP7115) (issue server / 1150).

  • Limits the length of the current JWK set in the Connect2id server key store (in dynamic mode) to 500 thousand characters, to signal administrators that old superseded keys should be removed (issue key-store / 3).

  • Reject requests to the Connect2id server key store web API that include a JWK ID with illegal characters (issue key-store / 4).

  • Updates Log4j to address CVE-2025-68161 - a CVSS-B / 6.3 MEDIUM vulnerability that affected the Socket Appender, which did not not perform TLS hostname verification of the peer certificates. Other Log4j appenders were not affected (issue server / 1140).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:5.15

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:11.32

  • Upgrades to com.nimbusds:c2id-server-jwkset:2.1

  • Updates to com.nimbusds:c2id-server-key-store:1.8

  • Updates to com.nimbusds:oauth2-authz-store:28.11

  • Updates to com.nimbusds:oidc-session-store:22.1.8

  • Updates to com.nimbusds:tenant-manager:10.1.8

  • Updates to Log4j 2.25.3