
Connect2id server 19.7

Connect2id server release 19.7 updates the consent prompt to give IdPs easy access to previous consent decisions and other saved context. The web session bootstrap flow is hardened with revocation-aware ID tokens, and deployments can turn on new optional JVM and HTTP metrics.

Authorisation record data in consent prompts

The consent prompt can now include the custom data object saved with a previous persisted authorisation. This lets IdPs make consent prompts aware of previous decisions and other saved context.

Example consent prompt whose record_data carries the timestamp of the last consent to the email scope, as saved by the IdP at that time. An IdP can use such data to enforce a custom expiration of consent for selected scopes and claims.

{
  "type"        : "consent",
  "sid"         : "cAjH3ZAonDVFs9u8XZtvuA.L-WFBXv5ompD96ztw0Rr4w",
  "display"     : "popup",
  "sub_session" : { "sid"           : "WYqFXK7Q4HFnJv0hiT3Fgw.-oVkvSXgalUuMQDfEsh1lw",
                    "sub"           : "alice",
                    "auth_time"     : 12345678,
                    "creation_time" : 1234567,
                    "max_life"      : 20160,
                    "auth_life"     : 1440,
                    "max_idle"      : 15 },
  "client"      : { "client_id"        : "8cc2043",
                    "client_type"      : "confidential",
                    "application_type" : "web" },
  "scope"       : { "new"       : [ ],
                    "consented" : [ "openid", "email" ] },
  "claims"      : { "new"       : { "essential" : [ ],
                                    "voluntary" : [ ] },
                    "consented" : { "essential" : [ ],
                                    "voluntary" : [ "email", "email_verified" ] } },
  "record_data" : { "last_email_consent_ts" : 1771187764 }
}

To include the record_data in consent prompts, enable op.authz.includeRecordDataInPrompt. Enable op.authz.alwaysPromptForConsent as well, so that the previous authorisation data can also be checked when there is existing consent for all requested scope values, a case in which the consent prompt would otherwise be skipped.
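How an IdP front-end can act on the record_data above, as an added example (not Connect2id code). It takes the consent prompt JSON, decides whether the stored email consent is still fresh under an assumed 30-day policy, and builds the consent object to submit back with refreshed timestamps. The per-scope age table, the RECORD_KEYS mapping and the name "data" for the custom record data in the consent object are assumptions of the example; the sample prompt is constructed from the one shown above. When op.authz.alwaysPromptForConsent is on, the prompt arrives even if nothing new is requested, which is what lets the "auto" branch submit consent without showing a page.

```python
"""Evaluating record_data in a consent prompt (added example, not Connect2id code)."""

DAY = 24 * 3600

# Constructed sample, abbreviated from the prompt shown above.
SAMPLE_PROMPT = {
    "type": "consent",
    "sid": "cAjH3ZAonDVFs9u8XZtvuA.L-WFBXv5ompD96ztw0Rr4w",
    "sub_session": {"sub": "alice", "auth_time": 12345678},
    "client": {"client_id": "8cc2043", "client_type": "confidential"},
    "scope": {"new": [], "consented": ["openid", "email"]},
    "claims": {"new": {"essential": [], "voluntary": []},
               "consented": {"essential": [], "voluntary": ["email", "email_verified"]}},
    "record_data": {"last_email_consent_ts": 1771187764},
}

# Same request from a subject with no persisted record (first visit, or with
# op.authz.includeRecordDataInPrompt left at false): record_data is absent.
NO_RECORD_PROMPT = {k: v for k, v in SAMPLE_PROMPT.items() if k != "record_data"}

# Assumed IdP policy: maximum age of a stored consent per scope, in seconds.
# Scopes not listed never expire. Neither table is a Connect2id setting.
MAX_CONSENT_AGE = {"email": 30 * DAY}
RECORD_KEYS = {"email": "last_email_consent_ts"}  # where each scope's timestamp lives


def stale_scopes(prompt, now):
    """Consented scopes whose stored timestamp is missing or older than allowed."""
    record = prompt.get("record_data") or {}
    stale = []
    for scope in prompt["scope"]["consented"]:
        max_age = MAX_CONSENT_AGE.get(scope)
        if max_age is None:
            continue
        ts = record.get(RECORD_KEYS[scope])
        if not isinstance(ts, int) or now - ts > max_age:
            stale.append(scope)
    return stale


def decide(prompt, now):
    """('auto', []) when existing consent covers the request and is still fresh,
    so the IdP can submit consent without showing a page; otherwise
    ('ask', scopes) with every scope the user has to (re)approve."""
    new_claims = prompt["claims"]["new"]
    to_ask = list(prompt["scope"]["new"]) + stale_scopes(prompt, now)
    if not to_ask and not new_claims["essential"] and not new_claims["voluntary"]:
        return "auto", []
    return "ask", sorted(set(to_ask))


def build_consent(prompt, approved_scopes, approved_claims, now):
    """Consent object to submit for the session once the decision is made.
    The custom data is carried forward with refreshed timestamps so the next
    prompt for this subject and client sees them. "data" is the assumed name
    of the custom record data member in the consent object."""
    data = dict(prompt.get("record_data") or {})
    for scope in approved_scopes:
        if scope in RECORD_KEYS:
            data[RECORD_KEYS[scope]] = now
    return {
        "scope": sorted(set(approved_scopes)),
        "claims": sorted(set(approved_claims)),
        "long_lived": True,  # persist, so a record (and its data) exists next time
        "data": data,
    }


if __name__ == "__main__":
    print(decide(SAMPLE_PROMPT, 1771187764 + 10 * DAY))   # fresh: ('auto', [])
    print(decide(SAMPLE_PROMPT, 1771187764 + 40 * DAY))   # expired: ('ask', ['email'])
    print(decide(NO_RECORD_PROMPT, 1771187764))           # no record: ('ask', ['email'])
```

A missing record_data is treated the same as an expired one, so a scope with an age policy is always re-asked until a long-lived authorisation with the timestamp has been persisted once.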

Revocation-aware ID tokens for web session bootstrap

The web session bootstrap flow for native apps, introduced in Connect2id server 19.6, now includes an extra check: once a subject or client has been revoked, for example due to account changes or security events, previously issued ID tokens can no longer be used to establish new web sessions. This prevents stale authentication artefacts from being reused after a revocation event.

The revocation check is performed at the token exchange step, where the ID token is exchanged for an access token for the web session bootstrap endpoint. An ID token issued before the revocation event is rejected with an invalid_grant error.
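The check described above, modelled in Python as an added example (not Connect2id code): the ID token's iat is compared against the latest revocation time recorded for its subject and for each client it was issued to, and a token that predates any of them is refused with the invalid_grant body a token endpoint would return. The revocation tables, the sample token builder and the choice to treat a revocation in the same second as iat as "later" are the example's own assumptions; normal ID token validation (signature, iss, exp) is taken to have happened before this step.

```python
import base64
import json

# Constructed revocation timestamps (Unix seconds). The server keeps the
# equivalent state itself; the layout here is the example's own.
REVOKED_SUBJECTS = {"alice": 1771190000}
REVOKED_CLIENTS = {"8cc2043": 1771180000}


def make_sample_id_token(claims):
    """Constructed, unsigned ID token (header.payload.signature) for the
    example only. A real exchange verifies the JWS signature first."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.sig"


def id_token_claims(id_token):
    """Decode the JWT payload (signature assumed already verified)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_for_exchange(id_token, revoked_subjects=REVOKED_SUBJECTS,
                       revoked_clients=REVOKED_CLIENTS):
    """Revocation check at the token exchange step. Returns (True, claims)
    when the ID token may still bootstrap a web session, or (False, body)
    with the invalid_grant JSON the /token endpoint would send (HTTP 400)."""
    claims = id_token_claims(id_token)
    iat = claims["iat"]
    reasons = []

    # '>=' treats a revocation in the same second as issuance as later than
    # it: the conservative choice for this example.
    sub_revoked_at = revoked_subjects.get(claims["sub"])
    if sub_revoked_at is not None and sub_revoked_at >= iat:
        reasons.append(f"subject {claims['sub']} revoked at {sub_revoked_at}")

    # Every client the token was issued to counts: the aud values plus azp.
    aud = claims.get("aud", [])
    clients = set(aud if isinstance(aud, list) else [aud])
    if "azp" in claims:
        clients.add(claims["azp"])
    for client_id in sorted(clients):
        client_revoked_at = revoked_clients.get(client_id)
        if client_revoked_at is not None and client_revoked_at >= iat:
            reasons.append(f"client {client_id} revoked at {client_revoked_at}")

    if reasons:
        return False, {
            "error": "invalid_grant",
            "error_description": "ID token predates a revocation: " + "; ".join(reasons),
        }
    return True, claims


if __name__ == "__main__":
    before = make_sample_id_token({"sub": "alice", "aud": "8cc2043", "iat": 1771185000})
    after = make_sample_id_token({"sub": "alice", "aud": "8cc2043", "iat": 1771195000})
    print(check_for_exchange(before))  # (False, {'error': 'invalid_grant', ...})
    print(check_for_exchange(after))   # (True, {...})
```

The point the check makes concrete is that a signed, unexpired ID token is not enough on its own: the issue time has to be compared with state that changed after issuance, for the subject and for the client separately.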

New JVM and HTTP endpoint metrics

The monitoring endpoint receives new optional JVM and HTTP metrics. They improve operational visibility by exposing runtime, memory, threading, file descriptor and request-level indicators.

Detailed information about the new release can be found in the notes below.

Download 19.7

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 19.7: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 9f85b6f03e545ffaf52353522f487c5d6945770632bffa521b5fa49aa3dcbe61

Connect2id server 19.7 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 592977998ede36b93c716288f034986917097e94b838725a62e218573170dcf1

Multi-tenant edition

Apache Tomcat package with Connect2id server 19.7: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: c34b90e897d3a7e8d44e95cb5d32652183f043b06f25c7cc6a0688573a27f8f4

Connect2id server 19.7 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 85cc0f4ee604d2534fb65ff3abfa2e7c4646173c372ffc90bb63de60e5fb6f0f

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

19.7 (2026-02-15)

Summary

  • The consent prompt in authorisation sessions supports inclusion of authorisation record data for a returning subject (end-user) and client. This enables deployments to present richer, customised consent experiences, and to implement custom expiration of previously consented scopes and claims.

  • The web session bootstrap token exchange profile is updated to prevent stale ID tokens from being used after a revocation event for the subject or client, for example due to logout, account changes, or other security events.

  • New optional JVM and HTTP metrics are introduced to improve operational visibility. The runtime, memory, threading, and request-level indicators provide operators with clearer insight into deployment health and traffic behaviour.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.authz.includeRecordDataInPrompt – New optional boolean configuration property that controls the inclusion of the record_data JSON object in consent prompts, provided an authorisation record is found for the subject (end-user) and the requesting client. The default value is false.
  • /WEB-INF/monitor.properties

    • monitor.includeJVM – New optional boolean configuration property that controls whether the new JVM metrics (jvm.*) are included. The default value is false.

    • monitor.includeHTTP – New optional boolean configuration property that controls whether the new HTTP metrics (http.*) are included. The default value is false.

Web API

  • /authz-sessions/rest/v3/

    • The consent prompt receives a new optional record_data JSON object parameter. Its inclusion is controlled by the new op.authz.includeRecordDataInPrompt configuration property. The record_data object contains the authorisation record data for the authenticated subject (end-user) and the requesting client, provided a record is found (from a previous authorisation that was flagged for persistence with the consent long_lived parameter set to true).
  • /token

    • The token exchange (RFC 8693) profile to issue access tokens for the web session bootstrap endpoint (/web-session-bootstrap/rest/v1) returns an invalid_grant error if a revocation event for the subject (end-user) and / or the client occurred after the iat (issued-at) time of the ID token.
  • /monitor/v1/metrics

    • jvm.gc.G1-Young-Generation.count – New gauge of young generation (minor) GC cycles since JVM start. Available when monitor.includeJVM is enabled. Note: GC names depend on the JVM and garbage collector in use. The G1-* names are typical for the G1 GC.

    • jvm.gc.G1-Young-Generation.time – New gauge of total time spent in young generation (minor) garbage collection since JVM start (milliseconds). Available when monitor.includeJVM is enabled.

    • jvm.gc.G1-Old-Generation.count – New gauge of old generation (major or mixed) GC cycles since JVM start. Available when monitor.includeJVM is enabled.

    • jvm.gc.G1-Old-Generation.time – New gauge of total time spent in old generation (major or mixed) garbage collection since JVM start (milliseconds). Available when monitor.includeJVM is enabled.

    • jvm.memory.heap.init – New gauge of the initial heap size allocated at JVM startup. Available when monitor.includeJVM is enabled.

    • jvm.memory.heap.used – New gauge of the currently used heap memory. Available when monitor.includeJVM is enabled.

    • jvm.memory.heap.committed – New gauge of the heap memory committed (guaranteed to be available to the JVM). Available when monitor.includeJVM is enabled.

    • jvm.memory.heap.max – New gauge of the maximum heap memory the JVM may use (the -Xmx limit). Available when monitor.includeJVM is enabled.

    • jvm.memory.heap.usage – New gauge of the heap usage ratio (used / max). Available when monitor.includeJVM is enabled.

    • jvm.memory.non-heap.init – New gauge of the initial non-heap memory size (e.g. Metaspace, CodeCache) at JVM startup. Available when monitor.includeJVM is enabled.

    • jvm.memory.non-heap.used – New gauge of the currently used non-heap memory. Available when monitor.includeJVM is enabled.

    • jvm.memory.non-heap.committed – New gauge of the committed non-heap memory. Available when monitor.includeJVM is enabled.

    • jvm.memory.non-heap.max – New gauge of the maximum non-heap memory available (may be undefined depending on the JVM). Available when monitor.includeJVM is enabled.

    • jvm.memory.non-heap.usage – New gauge of the non-heap usage ratio (used / max, where defined). Available when monitor.includeJVM is enabled.

    • jvm.threads.count – New gauge of the current live thread count (includes daemon and non-daemon threads). Available when monitor.includeJVM is enabled.

    • jvm.threads.daemon.count – New gauge of the current daemon thread count. Available when monitor.includeJVM is enabled.

    • jvm.threads.peak.count – New gauge of the peak live thread count since JVM start. Available when monitor.includeJVM is enabled.

    • jvm.threads.total_started.count – New counter of the total number of threads started since JVM start. Available when monitor.includeJVM is enabled.

    • jvm.threads.new.count – New gauge of threads in the NEW state (created but not yet started). Available when monitor.includeJVM is enabled.

    • jvm.threads.blocked.count – New gauge of threads currently BLOCKED waiting to enter a synchronized block or monitor. Available when monitor.includeJVM is enabled.

    • jvm.threads.runnable.count – New gauge of threads in the RUNNABLE state (running or ready to run). Available when monitor.includeJVM is enabled.

    • jvm.threads.timed_waiting.count – New gauge of threads in the TIMED_WAITING state (e.g. sleep, wait with timeout). Available when monitor.includeJVM is enabled.

    • jvm.threads.waiting.count – New gauge of threads in the WAITING state (waiting indefinitely). Available when monitor.includeJVM is enabled.

    • jvm.threads.terminated.count – New gauge of threads in the TERMINATED state. Available when monitor.includeJVM is enabled.

    • jvm.threads.deadlock.count – New gauge of the number of threads currently involved in a detected deadlock. Available when monitor.includeJVM is enabled.

    • jvm.threads.deadlocks – New diagnostic gauge listing the thread IDs currently involved in a detected deadlock. Available when monitor.includeJVM is enabled.

    • jvm.fd.ratio – New gauge of the ratio of open file descriptors to the maximum allowed (open / max). Available on Unix-like systems when monitor.includeJVM is enabled.

    • http.requests – New timer of all HTTP requests processed by the server. Provides total request count, minimum, maximum, mean and standard deviation of request duration, as well as latency percentiles. Also exposes 1-, 5- and 15-minute moving average request rates and overall mean rate. Available when monitor.includeHTTP is enabled.

    • http.activeRequests – New counter of currently active (in-flight) HTTP requests being processed by the server. Available when monitor.includeHTTP is enabled.

    • http.errors – New meter of uncaught exceptions and internal request processing errors. Provides total count and 1-, 5- and 15-minute moving average rates. Available when monitor.includeHTTP is enabled.

    • http.timeouts – New meter of HTTP request timeouts. Provides total count and 1-, 5- and 15-minute moving average rates. Available when monitor.includeHTTP is enabled.

    • http.responseCodes.ok – New meter of HTTP 200 (OK) responses. Provides total count and 1-, 5- and 15-minute moving average rates. Available when monitor.includeHTTP is enabled.

    • http.responseCodes.created – New meter of HTTP 201 (Created) responses. Provides total count and 1-, 5- and 15-minute moving average rates. Available when monitor.includeHTTP is enabled.

    • http.responseCodes.noContent – New meter of HTTP 204 (No Content) responses. Provides total count and 1-, 5- and 15-minute moving average rates. Available when monitor.includeHTTP is enabled.

    • http.responseCodes.badRequest – New meter of HTTP 400 (Bad Request) responses. Provides total count and 1-, 5- and 15-minute moving average rates. Available when monitor.includeHTTP is enabled.

    • http.responseCodes.notFound – New meter of HTTP 404 (Not Found) responses. Provides total count and 1-, 5- and 15-minute moving average rates. Available when monitor.includeHTTP is enabled.

    • http.responseCodes.serverError – New meter of HTTP 5xx (Server Error) responses. Provides total count and 1-, 5- and 15-minute moving average rates. Available when monitor.includeHTTP is enabled.

    • http.responseCodes.other – New meter of all other HTTP response codes not explicitly categorised above. Provides total count and 1-, 5- and 15-minute moving average rates. Available when monitor.includeHTTP is enabled.
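A small alert rule set over one scrape of the metrics listed above, as an added example (not Connect2id code). The sample response is constructed, and its layout, gauges under "gauges" with a "value", counters with a "count", meters and timers with "count" and m1_rate/m5_rate/m15_rate, is the Dropwizard metrics JSON format the endpoint is assumed to use. The thresholds are an operator's own policy, not Connect2id defaults. Metrics that are absent because monitor.includeJVM or monitor.includeHTTP is still false are reported as "missing" rather than silently skipped.

```python
import json

# Constructed sample scrape of /monitor/v1/metrics (Dropwizard JSON layout assumed).
SAMPLE_METRICS = json.dumps({
    "version": "4.0.0",
    "gauges": {
        "jvm.memory.heap.usage": {"value": 0.93},
        "jvm.threads.deadlock.count": {"value": 2},
        "jvm.threads.deadlocks": {"value": ["pool-1-thread-3 ...", "pool-1-thread-7 ..."]},
        "jvm.fd.ratio": {"value": 0.41},
        "jvm.gc.G1-Old-Generation.count": {"value": 12},
    },
    "counters": {"http.activeRequests": {"count": 37}},
    "meters": {
        "http.responseCodes.ok": {"count": 100000, "m1_rate": 80.0, "m5_rate": 78.0,
                                  "m15_rate": 75.0, "mean_rate": 70.0, "units": "events/second"},
        "http.responseCodes.serverError": {"count": 120, "m1_rate": 3.2, "m5_rate": 1.1,
                                           "m15_rate": 0.5, "mean_rate": 0.3, "units": "events/second"},
        "http.timeouts": {"count": 0, "m1_rate": 0.0, "m5_rate": 0.0, "m15_rate": 0.0,
                          "mean_rate": 0.0, "units": "events/second"},
    },
    "timers": {
        "http.requests": {"count": 123456, "min": 1.2, "max": 2100.0, "mean": 24.0,
                          "p99": 850.0, "m1_rate": 85.0, "m5_rate": 80.0, "m15_rate": 76.0,
                          "mean_rate": 71.0, "duration_units": "milliseconds",
                          "rate_units": "calls/second"},
    },
})

# What a deployment with both flags left at false would return for these names.
EMPTY_METRICS = '{"version":"4.0.0","gauges":{},"counters":{},"meters":{},"timers":{}}'

# Assumed operator thresholds.
HEAP_USAGE_CRITICAL = 0.90
FD_RATIO_WARNING = 0.80
SERVER_ERROR_SHARE_WARNING = 0.02  # 5xx share of the 1-minute request rate
ACTIVE_REQUESTS_WARNING = 200


def evaluate(metrics_json):
    """Return a list of (severity, metric, message) tuples for one scrape."""
    m = json.loads(metrics_json)
    alerts = []

    def read(section, name, field):
        entry = m.get(section, {}).get(name)
        if entry is None or field not in entry:
            flag = "monitor.includeJVM" if name.startswith("jvm.") else "monitor.includeHTTP"
            alerts.append(("missing", name, f"not reported; check {flag}=true"))
            return None
        return entry[field]

    heap = read("gauges", "jvm.memory.heap.usage", "value")
    if heap is not None and heap >= HEAP_USAGE_CRITICAL:
        alerts.append(("critical", "jvm.memory.heap.usage", f"heap at {heap:.0%} of -Xmx"))

    deadlocked = read("gauges", "jvm.threads.deadlock.count", "value")
    if deadlocked:
        threads = m["gauges"].get("jvm.threads.deadlocks", {}).get("value", [])
        alerts.append(("critical", "jvm.threads.deadlock.count",
                       f"{deadlocked} deadlocked threads: {threads}"))

    fd = read("gauges", "jvm.fd.ratio", "value")
    if fd is not None and fd >= FD_RATIO_WARNING:
        alerts.append(("warning", "jvm.fd.ratio", f"{fd:.0%} of file descriptors in use"))

    active = read("counters", "http.activeRequests", "count")
    if active is not None and active >= ACTIVE_REQUESTS_WARNING:
        alerts.append(("warning", "http.activeRequests", f"{active} in-flight requests"))

    req_rate = read("timers", "http.requests", "m1_rate")
    err_rate = read("meters", "http.responseCodes.serverError", "m1_rate")
    if req_rate and err_rate is not None and err_rate / req_rate >= SERVER_ERROR_SHARE_WARNING:
        alerts.append(("warning", "http.responseCodes.serverError",
                       f"5xx share {err_rate / req_rate:.1%} of requests/s"))

    timeouts = read("meters", "http.timeouts", "m1_rate")
    if timeouts:
        alerts.append(("warning", "http.timeouts", f"{timeouts:.2f} timeouts/s over the last minute"))

    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_METRICS):
        print(*alert)
```

Fetching the scrape (with the monitor API access token the endpoint requires) is left out so the rules run offline; the 5xx rule divides the meter's one-minute rate by the timer's one-minute rate rather than comparing raw counts, because both are cumulative since JVM start.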

Dependency changes

  • Upgrades to com.nimbusds:oauth2-authz-store:28.12

  • Updates to com.nimbusds:commons:3.9

  • Updates to io.dropwizard.metrics:*:4.2.38

  • Adds io.dropwizard.metrics:metrics-jvm:4.2.38

  • Adds io.dropwizard.metrics:metrics-jakarta-servlet:4.2.38