Connect2id server 19.9 introduces selective refresh token revocation
Connect2id server 19.9 brings more flexibility to token revocation and a couple of important fixes and updates.
The token revocation endpoint (defined in RFC 7009) now supports revocation of a single refresh token, without affecting other refresh or access tokens issued to a client for a given subject (end-user).
This gives more precise control in scenarios such as:
- targeted session termination
- device-specific logout
- handling suspected token compromise
The feature is disabled by default for performance reasons and can be enabled with:
authzStore.revocation.enableSingleRefreshTokens=true
For a client to revoke only the submitted refresh token, it includes the custom
form parameter token_only=true. Example request for a public client:
POST /token/revoke HTTP/1.1
Host: c2id.com
Content-Type: application/x-www-form-urlencoded
token=Ohw8choo.wii3ohCh.Eesh1AeDGong3eir
&token_type_hint=refresh_token
&token_only=true
&client_id=xa9xesah
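As an added example (not code from the Connect2id server or its SDK), a small Python client that builds and sends the selective revocation request shown above and interprets the RFC 7009 response; the endpoint URL and the confidential-client credentials are assumptions.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

REVOCATION_URL = "https://c2id.com/token/revoke"  # hypothetical; host taken from the example above

def build_revocation_request(refresh_token, client_id, client_secret=None, token_only=True):
    """Return (headers, form_body) for an RFC 7009 revocation request.
    token_only=true is the Connect2id custom parameter that limits revocation to the
    submitted refresh token. A public client puts client_id in the form body; a
    confidential client authenticates with HTTP Basic (client_secret_basic) instead."""
    params = {"token": refresh_token, "token_type_hint": "refresh_token"}
    if token_only:
        params["token_only"] = "true"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is None:
        params["client_id"] = client_id
    else:
        # RFC 6749 section 2.3.1: form-urlencode id and secret before base64-encoding
        creds = urllib.parse.quote(client_id, safe="") + ":" + urllib.parse.quote(client_secret, safe="")
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    return headers, urllib.parse.urlencode(params)

def interpret_response(status, body_text):
    """Map a revocation response to an outcome (RFC 7009 section 2.2): 200 means the
    token is revoked or was already invalid (the server deliberately does not say
    which); 400 carries a JSON error such as unsupported_token_type; 503 means retry."""
    if status == 200:
        return "revoked_or_already_invalid"
    if status == 400:
        try:
            return "error:" + json.loads(body_text).get("error", "invalid_request")
        except (ValueError, AttributeError):
            return "error:invalid_request"
    if status == 503:
        return "retry_later"
    return f"unexpected_status:{status}"

def revoke(refresh_token, client_id, client_secret=None, token_only=True, url=REVOCATION_URL):
    """POST the revocation request and return the interpreted outcome."""
    headers, body = build_revocation_request(refresh_token, client_id, client_secret, token_only)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return interpret_response(err.code, err.read().decode())
```

A 200 response does not confirm that the token existed, so a client cannot use this endpoint to probe whether a token is still valid.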
Detailed information about the new release can be found in the notes below.
Download 19.9
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 19.9: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 19c1b99111b9dc651eb93b85da605565a5c66cba75f12db80dce3c1c4ef8a4a8
Connect2id server 19.9 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 6df06995eb2724c56d8112663104e848622ddce4f9753f175c4996ac04a92d01
Multi-tenant edition
Apache Tomcat package with Connect2id server 19.9: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 4597601bfbb1188849b89b2ac5351c56a4370942646a695e1552c16b3e9ea16f
Connect2id server 19.9 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 0c512e2e5ed68390148165f974d788e4d060358ae545a53277632833fa8fce07
Questions?
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
19.9 (2026-03-24)
Summary
- The token revocation endpoint (RFC 7009) now supports revocation of a single refresh token, leaving any other active refresh and access tokens for the same subject and client unaffected. The selective revocation is disabled by default for performance reasons. It can be enabled with the authzStore.revocation.enableSingleRefreshTokens configuration property. To revoke a single refresh token, use the custom token_only form parameter set to true.
Configuration
- /WEB-INF/authzStore.properties
  - authzStore.revocation.enableSingleRefreshTokens – New optional configuration property to enable / disable revocation of a single refresh token at the /token/revoke endpoint, while leaving other refresh and access tokens for the same subject and client active. The default is false (disabled).
  - authzStore.expendedTokens.maxHashRetention – New optional configuration property to specify the maximum retention time in seconds for stored hashes of expended rotated self-contained (JWT-encoded) refresh tokens and individually revoked self-contained (JWT-encoded) refresh tokens. Must be a positive integer. The default is 7776000 seconds (90 days).
Web API
- /token/revoke – Supports optional revocation of a single refresh token, leaving other refresh and access tokens for the same subject and client active. This behaviour is triggered by setting the custom token_only form parameter to true and requires authzStore.expendedTokens.maxHashRetention to be enabled.
Resolved issues
- OpenID claims for inclusion in access tokens (tagged with the access_token: prefix) could not be retrieved from the subject session-based claims source for the authorization_code and refresh_token grant types. This resulted in an HTTP 500 error (issue server/1166).
- The production WAR must not include JUnit dependencies (issue server/1172).
Dependency changes
- Upgrades to com.nimbusds:oauth2-oidc-sdk:11.35
- Upgrades to com.nimbusds:oauth2-authz-store:28.15.1