Connect2id server 7.5 enables publishing of custom OpenID provider metadata

Support for custom OP / AS metadata

With Connect2id server 7.5 you can now include custom fields in the OpenID provider and OAuth 2.0 authorisation server metadata. To do that set the new op.customMetadata configuration property:

op.customMetadata = {"custom-param-1":"val-1","custom-param-2":"val-2"}

The custom-param-1 and custom-param-2 fields will then get published alongside the standard ones.

The JSON object can also be given an additional BASE64 encoding, to make it easier to pass the value in Connect2id server deployments configured via Java system properties set from a command line shell:

op.customMetadata = eyJjdXN0b20tcGFyYW0tMSI6InZhbC0xLCJjdXN0b20tcGFyYW0tMiI6InZhbC0yfQ==

Block client X.509 certificates at the token endpoint

The configuration was also extended to enable blocking of client certificates at the token endpoint, if for some reason issuing of client certificate bound access tokens, as per draft-ietf-oauth-mtls, is not desired. The default setting is to bind the tokens.


To download a ZIP package of Connect2id server 7.5:

SHA-256: b41c853d8a1dfd1a97e88154a019e09b84dd4c9f7f85e8130e7f80cefbd85835

As WAR package only:

SHA-256: 994378b93455692b3b3196179b2d82483520aed71b49db74d5fa60ca0b795e72


Get in touch with Connect2id support.

Release notes

7.5 (2018-07-26)


  • /WEB-INF/

    • op.customMetadata -- New configuration property for setting custom OpenID provider / OAuth 2.0 Authorisation server metadata to be included for publishing at the .well-known/openid-configuration and .well-known/oauth-authorization-server endpoints. If set the metadata must be represented as a JSON object string containing the custom fields, and can be optionally BASE64 encoded to ease passing the configuration property from a command line shell.

    • op.tls.blockClientX509Certs -- New configuration property for blocking client X.509 certificates received at the token endpoint. Can be used to prevent binding of issued access tokens to client X.509 certificates received with a token request when such binding isn’t desired.

Dependency changes

  • Upgrades to org.asynchttpclient:async-http-client:2.5.2

  • Upgrades to com.zaxxer:HikariCP:2.7.9

  • Upgrades to org.mariadb.jdbc:mariadb-java-client:2.2.6

  • Upgrades to org.postgresql:postgresql:42.2.4