Patched up Connect2id server 7.10.2 for Java 8
The last Connect2id server release which supported Java 8, 7.10 from April 2019, was patched up for critical bugs and updated to the latest stable versions of the OAuth 2.0 SDK, the Nimbus JOSE+JWT library and Infinispan.
The release notes below provide more information.
To download a ZIP package of Connect2id server 7.10.2:
As WAR package only:
Contact Connect2id support.
Fixes a security bug which caused the Connect2id server to redirect to a supplied invalid redirect_uri in an OAuth 2.0 authorisation request when the request includes a request object that doesn't parse to a valid JWT and the "redirect_uri" is present as a top-level parameter. The redirection occurred with the error code and description from the failed request. The correct behaviour is to not redirect back to the client with an error unless the client_id and the redirect_uri are valid. Deployments are advised to update to prevent potential misuse of such redirections (issue server/537).
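The check behind this fix, as an added illustration that is not Connect2id's own code: an authorisation endpoint must validate the client_id and redirect_uri against the client registry before it sends an error back by redirect, otherwise an unparseable request object turns the endpoint into a redirector to arbitrary URIs. The client registry, the parameter names beyond the standard OAuth 2.0 ones, and the function names are constructed for the example; strict=False reproduces the faulty behaviour described above for comparison.

```python
import base64
import json
from dataclasses import dataclass
from typing import Dict, Optional, Set
from urllib.parse import urlencode

# Constructed client registry (example data, not a Connect2id configuration):
# client_id -> set of registered redirect URIs.
CLIENTS: Dict[str, Set[str]] = {
    "s6BhdRkqt3": {"https://client.example.org/cb"},
}


@dataclass
class ErrorOutcome:
    redirect: bool            # True = 302 back to the client with error params
    location: Optional[str]   # Location header when redirecting, else None
    error: str
    error_description: str


def request_object_is_jwt(value: str) -> bool:
    """Structural check: compact JWS has 3 segments, compact JWE has 5,
    and the first segment must be a base64url-encoded JSON object header."""
    parts = value.split(".")
    if len(parts) not in (3, 5):
        return False
    try:
        header = parts[0] + "=" * (-len(parts[0]) % 4)  # restore padding
        return isinstance(json.loads(base64.urlsafe_b64decode(header)), dict)
    except (ValueError, TypeError):
        return False


def handle_authz_request(params: Dict[str, str], strict: bool = True) -> Optional[ErrorOutcome]:
    """Return None when the request passes the request-object check (processing
    would continue), otherwise decide how the error is reported."""
    request_object = params.get("request")
    if request_object is None or request_object_is_jwt(request_object):
        return None
    error, desc = "invalid_request_object", "Invalid request object: not a valid JWT"
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    # Fixed behaviour: redirect only to a URI registered for a known client.
    # Faulty behaviour (strict=False): trust the supplied redirect_uri as-is.
    registered = redirect_uri in CLIENTS.get(client_id, set())
    if registered if strict else bool(redirect_uri):
        query = {"error": error, "error_description": desc}
        if "state" in params:
            query["state"] = params["state"]
        return ErrorOutcome(True, f"{redirect_uri}?{urlencode(query)}", error, desc)
    return ErrorOutcome(False, None, error, desc)  # render the error locally instead
```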
Fixes a bug which prevented loading of Connect2id server keys overridden or passed via the "jose.jwkSet" Java system property. Deployments that rely on loading the server JWK set via the "jose.jwkSet" Java system property must upgrade. The bug did not affect the multi-tenant Connect2id server edition (issue server/471).
Fixes the client registration endpoint to return HTTP status code 201 instead of 200 on a successful POST (issue oauth-oidc-sdk/277).
Fixes a bug in the session store which resulted in closing an active subject (end-user) session when a new session is created and the index for the subject is filled with stale (pending purge) entries up to the configured session quota (sessionStore.quotaPerSubject) (issue session store/77).
Updates to com.nimbusds:oauth2-oidc-sdk:7.2
Updates to com.nimbusds:nimbus-jose-jwt:8.10
Updates to com.nimbusds:nimbus-jwkset-loader:3.1.1
Updates to com.nimbusds:oidc-session-store:11.0
Updates to Infinispan 9.4.18.Final.