Mutual TLS client authentication in Connect2id server 6.12

We are pleased to announce the Connect2id server now supports client X.509 certificate authentication, bound to a public RSA or EC JWK which the client has registered with the server. Open banking applications in Europe, where X.509 certificate based authentication is required by law, will find this new method indispensable.

The OAuth working group is developing the client certificate based authentication as part of the Mutual TLS Profile for OAuth 2.0. The profile includes another great security feature that prevents access token phishing. This is achieved by binding the token to the client's X.509 certificate. This feature will be implemented in the next Connect2id server release.

Client X.509 certificate authentication will also work when the HTTPS connections are terminated at a TLS proxy. Check out our guide for that.


To download a ZIP package of Connect2id server 6.12:

(SHA-256: c18eb19a13a6041dfd9308dc59d62ad70bc0bbecc6a9db391091014d6c495806)

As WAR package only:

(SHA-256: ac3ed2f14228c1335e67a6328e7f668b3ea834511895addf124bc309c8226645)


Get in touch with Connect2id support.

Release notes

6.12 (2017-08-07)


  • Adds support for public key bound TLS client authentication (pub_key_tls_client_auth) at the token endpoint, as specified in Mutual TLS Profile for OAuth 2.0 (draft-ietf-oauth-mtls-03), section 2.1.


  • /WEB-INFO/

    • op.token.authMethods -- Supports pub_key_tls_client_auth for indicating public key bound TLS client authentication, as specified in Mutual TLS Profile for OAuth 2.0 (draft-ietf-oauth-mtls-03), section 2.1.

    • op.tls.clientX509CertHeader -- New optional configuration property. Sets the name of the HTTP header to receive validated self-signed client X.509 certificates (PEM-encoded) from a TLS termination proxy. Intended for use in public key TLS client authentication (pub_key_tls_client_auth) only. The header name must be kept confidential between the TLS termination proxy and the Connect2id server and must include at least 32 random alphanumeric characters to make brute force guessing impractical. If not specified or commented out use of a TLS termination proxy for public key TLS client authentication is disabled.


  • /authz-sessions/rest/v3, /authz-sessions/rest/v2

    • The optional authorisation session "data" JSON object field is now also included in the final response message.

Resolved issues

  • Fixes NPE when logging none configured advertised ACR values at Connect2id server startup (issue server/301).
  • Reduces frequency of reaping orphaned subject/N entries in the session store from once every 5 minutes to once per 24h to reduce effect on touching the last-used timestamp of subject sessions (issue session-store/63).
  • Includes the name of the submitted client authentication method in a token error response message indicating the submitted client authentication method is not supported by the Authorisation Server.

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.34.2
  • Upgrades to com.nimbusds:nimbus-jose-jwt:4.41
  • Upgrades to com.nimbusds:oidc-session-store:5.2.5
  • Upgrades to org.cryptomator:siv-mode:1.2.1
  • Upgrades to Infinispan 8.2.7
  • Upgrades to org.jooq:jooq:3.9.4
  • Upgrades to com.zaxxer:HikariCP:2.6.3
  • Upgrades to org.mariadb.jdbc:mariadb-java-client:2.0.3
  • Upgrades to org.postgresql:postgresql:42.1.3
  • Upgrades to io.prometheus:simpleclient:0.0.25
  • Upgrades to io.prometheus:simpleclient_servlet:0.0.25
  • Upgrades to io.prometheus:simpleclient_dropwizard:0.0.25
  • Upgrades to com.thetransactioncompany:cors-filter:2.6