
Connect2id server 19.8

We’re pleased to announce the release of Connect2id server 19.8, introducing support for seamless migration of OAuth 2.0 client authentication methods.

This new capability enables clients to switch authentication methods without service interruption, simplifying security upgrades and operational changes.

OAuth 2.0 defines several client authentication methods, from shared-secret ones such as client_secret_basic and client_secret_post to asymmetric ones such as private_key_jwt (RFC 7523) and mutual TLS (RFC 8705), where the server stores only a public key or certificate and the client's private key never leaves the client.

Client applications occasionally need to upgrade their authentication method as their security posture evolves. Because the server authenticates a client with the single token_endpoint_auth_method in its registration, such a switch traditionally required a carefully coordinated change of the client deployment and of the registration at the same moment: any request sent with the old method after the registration update, or with the new method before it, fails with an invalid_client error. The alternative was a coordinated migration to a new client identity (client_id).

Connect2id server 19.8 introduces a mechanism that lets a client temporarily include two authentication methods in the same request, so the switch no longer has to be instantaneous.

The migration proceeds in three steps:

  1. Dual authentication phase

    The client includes both the current and the future authentication methods in its requests.

  2. Registration update

    The client registration is updated to set the new token_endpoint_auth_method.

  3. Completion

    After the update takes effect, the client sends only the new authentication method.

This approach ensures uninterrupted operation while the registration update propagates, avoiding authentication failures during the transition. Keep sending the old credential until the server log shows the client authenticated with the new method (OP6204 with method set to the new value), then drop it.

Example token request, containing two client authentication methods (client_secret_basic and private_key_jwt) during the migration window:

POST /token HTTP/1.1
Host: c2id.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

grant_type=authorization_code
&code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
&client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ...

The server determines the candidate authentication methods present in the request and authenticates the client with the one configured in its registration (token_endpoint_auth_method); the other credential is ignored. The method the client is not registered for is logged as a bad authentication (OP6203), but the request still succeeds as long as the registered method authenticates.

Example log output:

INFO TOKEN - [OP6203] Bad authentication: Client not registered for the authentication method: client_id=eavk44cim5q4q method=client_secret_basic candidate_methods=[client_secret_basic,private_key_jwt] client_auth_id=0P2D6QUGSNpy_9n8
INFO TOKEN - [OP6204] Authenticated: client_id=eavk44cim5q4q method=private_key_jwt candidate_methods=[client_secret_basic,private_key_jwt] client_auth_id=0P2D6QUGSNpy_9n8
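To show the whole migration end to end, here is an added Go example that is not Connect2id's code (the server is written in Java) and plays both sides: the client builds the token request shown above with one or both credentials, and a minimal server detects the candidate methods and authenticates with the registered token_endpoint_auth_method only. It walks the three steps from the announcement and adds one check the text implies but does not show: after the switch, a request carrying only the old secret is refused. The token endpoint URL, the RS256 key pair generated at start-up, the sample code and redirect_uri, and the client_id and secret (the pair encoded in the Basic header above) are assumptions made for the example.

```go
package main

import (
	"crypto"; "crypto/rand"; "crypto/rsa"; "crypto/sha256"; "crypto/subtle"; "encoding/base64"
	"encoding/json"; "errors"; "fmt"; "net/http"; "net/url"; "strings"; "time"
)

// Assumed token endpoint; it is also the audience a private_key_jwt assertion must name.
const tokenEndpoint, jwtBearer = "https://c2id.com/token", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
// registration is the part of a client record that client authentication needs (AuthMethod = token_endpoint_auth_method).
type registration struct{ ClientID, AuthMethod, Secret string; Key *rsa.PublicKey }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signAssertion builds the private_key_jwt assertion (RFC 7523): iss = sub = client_id, aud = token endpoint, RS256.
func signAssertion(clientID string, key *rsa.PrivateKey, now time.Time) string {
	jti := make([]byte, 16); rand.Read(jti) // fresh per assertion so a server can reject replays
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256"})
	claims, _ := json.Marshal(map[string]interface{}{"iss": clientID, "sub": clientID,
		"aud": tokenEndpoint, "jti": b64(jti), "exp": now.Add(time.Minute).Unix()})
	input := b64(hdr) + "." + b64(claims); h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:]) // only fails if rand.Reader does
	return input + "." + b64(sig)
}

// tokenRequest builds the token request shown above with a secret (client_secret_basic), an assertion (private_key_jwt) or both.
func tokenRequest(clientID, secret, assertion string) *http.Request {
	form := url.Values{"grant_type": {"authorization_code"}, "code": {"n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4"},
		"redirect_uri": {"https://client.example.org/cb"}} // constructed sample values
	if assertion != "" { form.Set("client_assertion_type", jwtBearer); form.Set("client_assertion", assertion) }
	r, _ := http.NewRequest("POST", tokenEndpoint, strings.NewReader(form.Encode()))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if secret != "" { r.SetBasicAuth(clientID, secret) }
	_ = r.ParseForm() // the receiving server would do this; it fills r.PostForm
	return r
}

// candidateMethods lists every client authentication method present in the request.
func candidateMethods(r *http.Request) (m []string) {
	if _, _, ok := r.BasicAuth(); ok { m = append(m, "client_secret_basic") }
	if r.PostForm.Get("client_assertion_type") == jwtBearer && r.PostForm.Get("client_assertion") != "" {
		m = append(m, "private_key_jwt") // an HMAC-signed assertion would be client_secret_jwt instead
	}
	return m
}

// verifyAssertion checks the RS256 signature with the registered key, then the claims that bind the
// assertion to this client and this endpoint (a jti replay cache is left out for brevity).
func verifyAssertion(tok string, reg *registration, now time.Time) error {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 { return errors.New("malformed client_assertion") }
	dec := func(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
	var hdr struct{ Alg string }; var c struct{ Iss, Sub, Aud string; Exp int64 }
	if json.Unmarshal(dec(parts[0]), &hdr) != nil || hdr.Alg != "RS256" { return errors.New("alg not in allowlist") }
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(reg.Key, crypto.SHA256, h[:], dec(parts[2])) != nil { return errors.New("bad signature") }
	if json.Unmarshal(dec(parts[1]), &c) != nil || c.Iss != reg.ClientID || c.Sub != reg.ClientID ||
		c.Aud != tokenEndpoint || now.Unix() >= c.Exp {
		return errors.New("bad claims")
	}
	return nil
}

// authenticate verifies only the registered method; any other credential is ignored, so after the switch
// the old secret on its own is refused. No candidate matching the registration is the OP6203 case.
func authenticate(r *http.Request, reg *registration, now time.Time) error {
	cands, found := candidateMethods(r), false
	for _, c := range cands { found = found || c == reg.AuthMethod }
	if !found { return fmt.Errorf("client not registered for the authentication method: candidate_methods=%v", cands) }
	switch reg.AuthMethod {
	case "private_key_jwt":
		return verifyAssertion(r.PostForm.Get("client_assertion"), reg, now)
	case "client_secret_basic":
		if id, s, _ := r.BasicAuth(); id == reg.ClientID && subtle.ConstantTimeCompare([]byte(s), []byte(reg.Secret)) == 1 {
			return nil
		}
		return errors.New("bad client secret")
	}
	return errors.New("unsupported token_endpoint_auth_method")
}

// runMigration plays the three steps and returns the method that authenticated the client in each.
func runMigration() ([]string, error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048); now := time.Now()
	// The client_id and secret are the pair encoded in the Basic header above.
	reg := &registration{"s6BhdRkqt3", "client_secret_basic", "7Fjfp0ZBr1KtDRbnfVdmIw", &key.PublicKey}
	var used []string
	for step, secret := range []string{reg.Secret, reg.Secret, ""} { // "" = the secret is no longer sent (step 3)
		if step == 1 { reg.AuthMethod = "private_key_jwt" } // step 2: the registration update takes effect
		if err := authenticate(tokenRequest(reg.ClientID, secret, signAssertion(reg.ClientID, key, now)), reg, now); err != nil {
			return nil, fmt.Errorf("step %d: %w", step+1, err)
		}
		used = append(used, reg.AuthMethod)
	}
	if authenticate(tokenRequest(reg.ClientID, reg.Secret, ""), reg, now) == nil { // secret-only request after the switch
		return nil, errors.New("stale client secret accepted after the switch")
	}
	return used, nil
}

func main() { fmt.Println(runMigration()) } // [client_secret_basic private_key_jwt private_key_jwt] <nil>
```

Run it with `go run`; the three entries printed are the method that authenticated the client in steps 1, 2 and 3. The property worth keeping in mind is the last check: a server that accepted any candidate rather than the registered one would let a leaked client secret keep working after the migration. The same candidate detection applies unchanged to the other endpoints listed in the release notes (/par, /token/introspect, /token/revoke); client_secret_post, client_secret_jwt and mTLS are left out of the example.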

More information is available in the client authentication guide.

This release also fixes a security issue in the token exchange (RFC 8693) profile for web session bootstrap for native apps; see the resolved issues below.

Download 19.8

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 19.8: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: a97cc6ee769c317be78c4960d6b1f193b433a590c38b7c50cb826c82de5859bf

Connect2id server 19.8 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 50799adfdec7ce7fc85ac8b659af2b2f4ea2ebf7d17be2fd16bf1cd5b7bde57f

Multi-tenant edition

Apache Tomcat package with Connect2id server 19.8: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 666c013844006c504e6de99eb258e834a31675a12dff9e506dafbca00957f58f

Connect2id server 19.8 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: c2cebb0db1026798bad3b0751361d36fde0421c79077e357d6fd20d040b5cc04

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

19.8 (2026-03-09)

Summary

  • Adds support for seamless migration of a client authentication method, for example from client_secret_basic to private_key_jwt.

    The migration strategy is as follows:

    1. The client begins including both the current and the future authentication methods in requests.

    2. The client registration is updated to switch to the new authentication method.

    3. After the switch, the client continues including only the new authentication method.

    This mechanism allows uninterrupted operation while the client registration change propagates.

    Supported requests:

    • Token requests

    • Token introspection requests

    • Token revocation requests

    • Pushed authorization requests

Web API

  • /par – Pushed authorisation requests (PAR) may include two client authentication methods to enable seamless migration of the authentication method for a client.

  • /token – Token requests may include two client authentication methods to enable seamless migration of the authentication method for a client.

  • /token/introspect – Token introspection requests may include two client authentication methods to enable seamless migration of the authentication method for a client.

  • /token/revoke – Token revocation requests may include two client authentication methods to enable seamless migration of the authentication method for a client.

Resolved issues

  • The token exchange (RFC 8693) profile for web session bootstrap for native apps must return an OAuth 2.0 invalid_grant error when the identifier of the requesting client is not found in the aud (audience) claim of the ID token (subject token) (issue server/1162).

  • The token_type token introspection response parameter must not be included for an invalid or expired token (issue server/1154).

  • Shortens the OP6202, OP6203 and OP6204 INFO log messages (issue / 1163).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:11.34

  • Updates to net.thisptr:jackson-jq:1.6.0

  • Updates to com.fasterxml.jackson.core:jackson-core:2.21.1