Blog »

Patched up Connect2id server 7.10.2 for Java 8

2020-03-23

The last Connect2id server release which supported Java 8, 7.10 from April 2019, was patched up for critical bugs and updated to the latest stable versions of the OAuth 2.0 SDK, the Nimbus JOSE+JWT library and Infinispan.

The release notes below provide more information.

Download 7.10.2

To download a ZIP package of Connect2id server 7.10.2:

https://connect2id.com/assets/products/server/download/7.10.2/Connect2id-server.zip

SHA-256: 1ea688bb925818738e551c69a451dccd2a5fe5e9da16293218f696a66579fd60

As WAR package only:

https://connect2id.com/assets/products/server/download/7.10.2/c2id.war

SHA-256: 49514685d55ac72d2fcfc3ed0cb4595be0bdfa97ba4ad6e8cbb5196562c4416f

Questions?

Contact Connect2id support.

Release notes

7.10.2 (2020-03-23)

Resolved issues

  • Fixes a security bug which caused the Connect2id server to redirect to a supplied invalid redirect_uri in a OAuth 2.0 authorisation request when the request includes a request object that doesn't parse to a valid JWT and the "redirect_uri" is present as top-level parameter. The redirection will occur with the error code and description from the failed request. The correct behaviour is to not redirect back to the client with an error unless the client_id and the redirect_uri are valid. Deployments are advised to update to prevent potential misuse of such redirections (issue server/537).

  • Fixes a bug which prevented loading of Connect2id server keys overridden or passed via the "jose.jwkSet" Java system property. Deployments that rely on loading the server JWK set via the "jose.jwkSet" Java system property must upgrade. The bug did not affect the multi-tenant Connect2id server edition (issue server/471).

  • The client registration endpoint must return HTTP status code 201 instead of 200 on a successful POST (issue oauth-oidc-sdk/277).

  • Fixes a bug in the session store which resulted in closing an active subject (end-user) session when a new session is created and the index for the subject is filled with stale (pending purge) entries up to the configured session quota (sessionStore.quotaPerSubject) (issue session store/77).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:7.2

  • Updates to com.nimbusds:nimbus-jose-jwt:8.10

  • Updates to com.nimbusds:nimbus-jwkset-loader:3.1.1

  • Updates to com.nimbusds:oidc-session-store:11.0

  • Updates to Infinispan 9.4.18.Final.