Connect2id server 15.0 upgrades to Java 17, adds a refresh token maximum idle timeout

2024 begins with a new major release of the Connect2id server which was in silent preparation for several months.

Runtime changes

The server is now built for Java 17, meaning the Java 11 runtime is no longer supported. The most recent Java LTS runtime, 21, has not been tested and therefore isn't marked as supported yet. We intend to test it once Apache Tomcat 11 with virtual threads support (project Loom) ships a stable release.

The Servlet APIs and related dependencies were also upgraded, to the latest Jakarta Servlet 6.0 API. This means that the Connect2id server will now require Apache Tomcat 10.1 to run. Tomcat 9, which is based on the older Java Servlet APIs, can no longer be used.

The c2id/c2id-server-min Docker image was updated to reflect these changes. Note that the stock image for Tomcat 10.1 has switched to the Eclipse Temurin Java SE build and uses Ubuntu as the underlying Linux distribution. The older Tomcat 9 image was based on Amazon's Corretto image.

New refresh token capabilities

The refresh token in OAuth 2.0 enables client applications to receive a long-term credential for accessing protected resources. The credential can be issued with indefinite validity (and revoked when required), or issued with a set expiration time. When the refresh token becomes invalidated, due to revocation or the end of its lifetime, the client application can no longer use it at the token endpoint. The server indicates this with an invalid_grant error, which means the end-user must be asked to authorise the client again.

This Connect2id server release introduces an additional time dimension to refresh tokens -- the ability to set a maximum idle time.

Refresh token max idle time

By configuring the refresh tokens for a client with a suitable maximum idle time, a session for the client and the end-user is established at the token endpoint. As long as the client keeps using the refresh token it remains valid and new access tokens can be issued with it. When use of the refresh token stops, because the end-user has left the client application or through inactivity, and the maximum idle time is reached, the refresh token becomes invalidated. In order to continue using the application, the end-user must re-authenticate and re-authorise the client (unless the consent was persisted).

This new refresh token property is set using the optional refresh_token.max_idle parameter of the consent object. The value is expressed in seconds, with zero being the default and meaning no maximum idle time.

Example setting of a 1 hour idle time:

{
  "scope"         : [ "openid", "email" ],
  "claims"        : [ "email", "email_verified" ],
  "refresh_token" : { "issue"    : true,
                      "max_idle" : 3600 }
}

The maximum idle time can be combined with a lifetime limit of the refresh token. The refresh token becomes invalidated when either timeout occurs, whichever comes first. The maximum idle time should be shorter than the lifetime limit.

Example setting of a 1 week lifetime limit and a 1 hour idle time for the refresh token:

{
  "scope"         : [ "openid", "email" ],
  "claims"        : [ "email", "email_verified" ],
  "refresh_token" : { "issue"    : true,
                      "lifetime" : 604800,
                      "max_idle" : 3600 }
}

New refresh_token_expires_in token response parameter

The token response of the Connect2id server was also updated and will now include a refresh_token_expires_in parameter, whenever a refresh token with a lifetime limit is issued. Refresh tokens that don't have a lifetime limit, or have maximum idle time only, will not include this parameter. A client may use this hint to make an authorisation request to the Connect2id server ahead of the refresh token expiration.

{
  "access_token"             : "vJkbPNUFaK4kVIMGQlEmyA.-MAquq_5yQqtae62b8i7aw",
  "token_type"               : "Bearer",
  "expires_in"               : 600,
  "scope"                    : "openid email",
  "refresh_token"            : "eyJraWQiOiIxZTlnZGs3IiwiYWxnIjoiUl...",
  "refresh_token_expires_in" : 604800
}

The invalid_grant error code remains the standard and recommended method for clients to detect when the refresh token has become invalid, due to expiration or revocation.

Access token lifetime guarantees

The refresh token as an OAuth grant is used to mint new access tokens, and when the refresh token is given a certain time limit, the access tokens descending from it should not exceed it.

This can occur when a refresh token that is configured for expiration approaches its end of life: its remaining lifetime may then become shorter than the configured access token lifetime. To prevent this from occurring the Connect2id server automatically trims the access token lifetime to the remaining lifetime of the refresh token, or to the maximum idle time of the refresh token, whichever is shorter.

The example token response above may be modified as follows when the remaining refresh token lifetime becomes shorter than the originally configured access token lifetime of 600 seconds:

{
  "access_token"             : "vJkbPNUFaK4kVIMGQlEmyA.-MAquq_5yQqtae62b8i7aw",
  "token_type"               : "Bearer",
  "expires_in"               : 550,
  "scope"                    : "openid email",
  "refresh_token"            : "eyJraWQiOiIxZTlnZGs3IiwiYWxnIjoiUl...",
  "refresh_token_expires_in" : 550
}
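The timing rules explained above (lifetime limit, maximum idle time, access token trimming and the refresh_token_expires_in hint) can be modelled in a few lines. The following Python is an added illustration for this page, not Connect2id server code; the RefreshTokenState class and the exchange_refresh_token function are assumed names, and the timestamps are constructed.

```python
# Model of the refresh token timing rules described on this page. Added
# illustration, not Connect2id server code; names are assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass
class RefreshTokenState:
    issued_at: int                      # issue time, Unix seconds (rti)
    lifetime: int = 0                   # seconds, 0 = no lifetime limit
    max_idle: int = 0                   # seconds, 0 = no idle limit (rtm)
    last_used_at: Optional[int] = None  # last use at the token endpoint

    def __post_init__(self):
        if self.last_used_at is None:
            self.last_used_at = self.issued_at

    def remaining_lifetime(self, now):
        """Seconds until the lifetime limit, or None when no limit is set."""
        if self.lifetime <= 0:
            return None
        return self.issued_at + self.lifetime - now

    def is_valid(self, now):
        """The token is invalidated once either timeout has been reached."""
        remaining = self.remaining_lifetime(now)
        if remaining is not None and remaining <= 0:
            return False
        if self.max_idle > 0 and now - self.last_used_at >= self.max_idle:
            return False
        return True


def exchange_refresh_token(token, now, access_token_lifetime):
    """Handle a refresh_token grant at the token endpoint.

    Raises ValueError("invalid_grant") for an expired or idle-timed-out
    token. Otherwise restarts the idle clock and returns the timing part of
    the token response, with expires_in trimmed so the access token never
    outlives the refresh token's remaining lifetime or its maximum idle time.
    """
    if not token.is_valid(now):
        raise ValueError("invalid_grant")
    token.last_used_at = now
    expires_in = access_token_lifetime
    remaining = token.remaining_lifetime(now)
    if remaining is not None:
        expires_in = min(expires_in, remaining)
    if token.max_idle > 0:
        expires_in = min(expires_in, token.max_idle)
    response = {"token_type": "Bearer", "expires_in": expires_in}
    if remaining is not None:
        # Only refresh tokens with a lifetime limit carry this hint; tokens
        # with a maximum idle time only do not.
        response["refresh_token_expires_in"] = remaining
    return response


if __name__ == "__main__":
    # 1 week lifetime, 1 hour idle time, 600 s access tokens (constructed)
    rt = RefreshTokenState(issued_at=0, lifetime=604800, max_idle=3600)
    print(exchange_refresh_token(rt, 0, 600))         # expires_in 600
    print(exchange_refresh_token(rt, 3000, 600))      # used in time, valid
    try:
        exchange_refresh_token(rt, 3000 + 3600, 600)  # idle for a full hour
    except ValueError as err:
        print(err)                                    # invalid_grant
    # 550 s of lifetime left: access token trimmed to 550 as on this page
    rt2 = RefreshTokenState(issued_at=0, lifetime=604800)
    print(exchange_refresh_token(rt2, 604800 - 550, 600))
```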

Refresh token introspection updates

The Connect2id server resource for inspecting refresh tokens will now provide a more exact picture of the token. The rti (refresh token issue time) will be reported consistently for both refresh tokens linked to long-lived authorisations and self-contained (JWT-encoded) refresh tokens linked to transient authorisations. The rtl (refresh token lifetime) will report the actual remaining token lifetime, relative to the refresh token issue time, rather than the originally configured value. The new refresh token maximum idle time property appears as rtm when set.

Connect2id server SDK

The current Connect2id server SDK version is now 5.1. Starting with v5.0 it is being built with Java 17, which becomes the minimum JDK requirement for developing new server plugins in future.

The RefreshTokenSpec was updated to support the new max_idle parameter.

There are no breaking changes in the server SDK, save for InitContext.getServletContext, which now returns a jakarta.servlet.ServletContext instead of a javax.servlet.ServletContext. This interface method is rarely used, but if you do happen to have a plugin that relies on it, update it to the new Jakarta Servlet 6.0 API.

Other changes and fixed bugs

The op.idToken.ignoreUserInfoError configuration property was deprecated. If you rely on it to require that ID token issue fails on claims source exceptions, use the new op.idToken.ignoreClaimsSourceErrors instead.

The SQL connection pool metrics will now be published under the sqlStore.pool.* prefix, rather than taking the name of the first Infinispan map / cache as the prefix, for ease and consistency.

A handful of bugs, some more serious, some less (but none critical), were also fixed in this release. You can find detailed information in the release notes below.

Upgrading to Connect2id server 15.0

  1. Make sure the new Connect2id server is deployed in a Java 17 runtime.

  2. Make sure the Servlet container is Jakarta Servlet 6.0 compliant. The compliant Apache Tomcat version is 10.1.

  3. Database schema changes:

    This new release requires an upgrade to the SQL database schema of existing deployments.

    In order to support the new max_idle refresh token property, the long_lived_authorizations SQL table, part of the Connect2id server authorisation store, received a new rtm column. The schema upgrade is performed automatically for existing deployments on Connect2id server 15.0 startup, unless the server is intentionally configured with dataSource.createTableIfMissing=false, in which case the column must be added manually to upgrade the table schema.

    All SQL table definitions can be found in /WEB-INF/sql/create-table-statements-*.sql, where * identifies the database type, e.g. postgres95 for PostgreSQL.

    Deployments with DynamoDB, which is essentially a schema-less database, do not require a schema upgrade operation.

Download 15.0

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 15.0: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 7ca4a6699ed7bc014069ae1d830cbd28f706e81987c427ad834e8e6fea1f407c

Connect2id server 15.0 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 7d02b3f3bae9988815c340c9c49b69a1a28ecdc53c87118ff713dc58191ceab7

Multi-tenant edition

Apache Tomcat package with Connect2id server 15.0: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 75f15bff04792af288e6669e1e254f2acc2c5c04c4f9ef1d5ba53308e0274127

Connect2id server 15.0 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 26b2d23114a17999e31bfba27cb3aa3893b1d9c62b8b284373ea4bb610301e2f

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

15.0 (2024-01-02)

Summary

  • Upgrades to Java 17.

  • Upgrades to Jakarta Servlet 6.0 and Jakarta JAX-RS 3.1. The minimum supported Apache Tomcat version becomes 10.1.x.

  • The Connect2id server SDK (v5.0) is upgraded to Java 17 and Jakarta Servlet 6.0. Plugins that retrieve a ServletContext from the InitContext interface will receive a jakarta.servlet.ServletContext instead of a javax.servlet.ServletContext.

  • Refresh tokens issued by the Connect2id server can be optionally set to expire after a period of idle time, expressed in seconds. This enables an identity provider to establish a session for a given end-user and client application, with the refresh token remaining active as long as the client keeps using it frequently enough to obtain new tokens. When use of the refresh token stops, due to the end-user leaving the client application, and the maximum idle time is reached, the refresh token becomes invalidated. The client application must make a new authorisation request, to log in the end-user and / or obtain their consent, in order to receive a new refresh token.

    The refresh token maximum idle time is settable per end-user and / or client, can be applied to both regular and rotated refresh tokens, and is disabled by default. The refresh token maximum idle time is independent of the optional refresh token lifetime setting, and should not exceed it.

  • For token responses containing an access and refresh token, the lifetime of the access token will be automatically trimmed so that it doesn't exceed the maximum idle time or lifetime of the refresh token, whichever is shorter.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.idToken.ignoreClaimsSourceErrors -- New optional configuration property, deprecating the existing op.idToken.ignoreUserInfoError which will be removed in a future major Connect2id server release.
  • /WEB-INF/infinispan-*-{mysql|oracle|postgres95|sqlserver}.xml

    • Sets the HikariCP property "poolName" to sqlStore so that all SQL connection pool related metrics appear under the sqlStore.* prefix instead of the name of the first declared Infinispan map / cache (sessionStore.subjectMap in the regular Connect2id server edition, or tenantRegistry.tenants in the multi-tenant Connect2id server edition).

    • Upgrades the SQL schema by adding a new rtm (refresh token maximum idle time) column to the long_lived_authorizations table. In existing deployments the Connect2id server will automatically add the new column on startup, unless dataSource.createTableIfMissing is disabled.

Web API

  • /authz-sessions/rest/v3/

    • The consent object receives a new optional refresh_token.max_idle parameter. May be used to specify a maximum idle time, in seconds, for the issued refresh token. If the refresh token is not used within this time period the Connect2id server will invalidate it due to inactivity. The default value is 0 (no idle time expiration).
  • /direct-authz/rest/v2

    • The request object receives a new optional refresh_token.max_idle parameter. May be used to specify a maximum idle time, in seconds, for the issued refresh token. If the refresh token is not used within this time period the Connect2id server will invalidate it due to inactivity. The default value is 0 (no idle time expiration).
  • /token

    • The token response will include a refresh_token_expires_in parameter for responses that contain a refresh token that is set to expire. When present the value is a positive integer indicating the number of seconds until the refresh token expiration, similar to the standard access token expires_in parameter. Responses with refresh tokens that don't have a maximum lifetime set will not include this parameter. Clients can use this parameter as a hint when to make a new request to the Connect2id server authorisation endpoint. The invalid_grant error code remains the standard and recommended method for clients to detect when the refresh token has become invalid, due to expiration or revocation.

    • For token responses with an expiring refresh token, the lifetime of the issued access token is guaranteed to never exceed the lifetime or the maximum idle time of the refresh token. If the lifetime of the access token would exceed the refresh token lifetime or maximum idle time, it will be automatically trimmed to achieve expiration parity with the refresh token.

  • /authz-store/rest/v3/authorizations

    • The OAuth 2.0 / OpenID Connect authorisation object receives a new optional rtm member, representing the refresh token maximum idle time, in seconds. The default value is 0 (no idle time expiration).
  • /monitor/v1/metrics

    • All SQL store Hikari connection pool metrics are now published under the sqlStore.pool.* prefix. The [infinispan-cache-name].sqlStore.pool.* prefix is no longer used.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:5.1

    • Upgrades to Java 17.

    • The InitContext.getServletContext() method returns jakarta.servlet.ServletContext instead of javax.servlet.ServletContext (breaking change).

    • The ServletInitContext constructor accepts jakarta.servlet.ServletContext instead of javax.servlet.ServletContext (breaking change).

    • The RefreshTokenSpec adds support for setting a maximum idle time for the refresh token.

Resolved issues

  • Fixes the HTML representation of the static pages for HTTP 404, 405, 500 and all other errors that aren't handled by the web application (issue server/953).

  • Removes support for legacy cnf.x5t encoding in access tokens issued by Connect2id server 7.x and older releases (issue authz-store/229).

  • The access token lifetime must be automatically trimmed to match the lifetime or the remaining lifetime of the refresh token (for expiring refresh tokens) (issue authz-store/228).

  • The rtl (refresh token lifetime) value of authorisation objects returned by the authorisation store web API must reflect the remaining lifetime in respect to rti (refresh token issue time) when the refresh token was configured for rotation (issue authz-store/224).

  • The rti (refresh token issue time) value for long-lived authorisation objects with configured rotation must be updated after a refresh (issue authz-store/224).

  • The expiration time of self-contained (JWT-encoded) refresh tokens must not be advanced when the refresh token is set for rotation and a new refresh token is returned at the token endpoint in response to a refresh token grant (issue authz-store/225).

  • Removes the /client-reg/* endpoint alias to /clients/* that was deprecated in Connect2id server 3.0 (2015-03-26) (issue server/911).

  • Removes the authorisation store and session banner pages (issue server/763).

  • The SQL store ExpiredEntryPagedReaper must log the IS0128 debug message in all execution paths (issue sql-store/37).

  • Fixes the Infinispan metadata recreation for authorisation code entries persisted to an SQL database. The bug was introduced in Connect2id server 9.1.1 in response to issue authz-store/176 and caused expired entries to remain persisted in the "pending_codes" table (issue authz-store/230).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:5.1

  • Updates to com.nimbusds:oauth2-oidc-sdk:11.9

  • Updates to com.nimbusds:c2id-server-property-source:2.0

  • Updates to com.nimbusds:tenant-manager:9.0.2

  • Updates to com.nimbusds:tenant-registry:9.0

  • Upgrades to com.nimbusds:oauth2-authz-store:26.2.1

  • Upgrades to com.nimbusds:oidc-session-store:17.1

  • Updates to com.nimbusds:oauth-grant-handlers-web:2.0

  • Updates to com.nimbusds:nimbus-jwkset-loader:6.0

  • Updates to com.nimbusds:content-type:2.3

  • Upgrades to com.nimbusds:common:3.0.3

  • Updates to com.thetransactioncompany:cors-filter:3.0

  • Updates to Infinispan 14.0.21.Final

  • Updates to com.nimbusds:infinispan-cachestore-common:4.0

  • Updates to com.nimbusds:infinispan-cachestore-sql:8.1.1

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:6.0

  • Updates to com.nimbusds:infinispan-cachestore-redis:11.0

  • Upgrades to Jakarta Servlet API 6.0.0

  • Upgrades to JAX-RS 3.1

  • Upgrades to Jersey 3.1.4

  • Updates to DropWizard Metrics 4.2.23

  • Updates to commons-io:commons-io:2.15.0

  • Updates to org.apache.commons:commons-compress:1.24.0

  • Updates to org.mariadb.jdbc:mariadb-java-client:2.7.11

Connect2id server 14.11

This Connect2id server release modifies the logout endpoint to allow post-logout redirections without an ID token hint (id_token_hint). It suffices for the client application that initiates the logout request to include its client_id only.

Example logout request with a post_logout_redirect_uri:

POST /logout HTTP/1.1
Host: c2id.com
Content-Type: application/x-www-form-urlencoded

client_id=eive6koh
&post_logout_redirect_uri=https%3A%2F%2Fclient.example.org%2Fpost-logout
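As an added illustration of the validation described here (not Connect2id server code), the following Python resolves the post-logout redirection from a logout request body, identifying the RP via client_id, the audience of the id_token_hint, or both, and accepting only a URI that exactly matches the RP's registered post_logout_redirect_uris. The registrations, the id_token_hint stand-in and the function names are constructed assumptions.

```python
# Model of post-logout redirect validation at the logout endpoint. Added
# illustration for this page, not Connect2id server code.
from urllib.parse import parse_qs

# Constructed client registrations (assumption), keyed by client_id. The
# first entry matches the client_id used in the request example on this page.
REGISTRATIONS = {
    "eive6koh": {"post_logout_redirect_uris": ["https://client.example.org/post-logout"]},
    "ohk4aiph": {"post_logout_redirect_uris": []},
}


def rp_from_id_token_hint(id_token_hint):
    """Stand-in for validating the ID token hint and reading its audience.

    The constructed hint format is simply "aud:<client_id>"; a real server
    verifies the JWT signature, issuer and audience before trusting it.
    """
    if id_token_hint.startswith("aud:"):
        return id_token_hint[4:]
    return None


def resolve_logout_redirect(form_body):
    """Return the URI to redirect to after logout, or None to refuse.

    The redirection is refused when no RP can be identified, when client_id
    and the ID token audience disagree, or when the requested URI is not
    registered for the RP. Comparison is an exact string match on purpose:
    prefix or pattern matching would widen what an RP can register.
    """
    params = parse_qs(form_body, keep_blank_values=True)
    uri = params.get("post_logout_redirect_uri", [None])[0]
    if not uri:
        return None
    client_id = params.get("client_id", [None])[0]
    hint = params.get("id_token_hint", [None])[0]
    hint_client = rp_from_id_token_hint(hint) if hint else None
    if client_id and hint_client and client_id != hint_client:
        return None  # conflicting RP identities (assumed policy)
    rp = client_id or hint_client
    if not rp:
        return None  # neither client_id nor a usable id_token_hint
    registered = REGISTRATIONS.get(rp, {}).get("post_logout_redirect_uris", [])
    return uri if uri in registered else None


if __name__ == "__main__":
    # The request body from the example on this page
    body = ("client_id=eive6koh"
            "&post_logout_redirect_uri=https%3A%2F%2Fclient.example.org%2Fpost-logout")
    print(resolve_logout_redirect(body))
    # Same URI without any RP identification: refused (None)
    print(resolve_logout_redirect(body.split("&", 1)[1]))
```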

The SQL database connector received an upgrade and a performance fix for INSERT / UPDATE / MERGE queries.

There is more information about the resolved issues and changes in the release notes below.

Download 14.11

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.11: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 114fcb67882dcb3b49ed4c2655ee34c5ea06679b55059ddc70523c309bdfbcc9

Connect2id server 14.11 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 8154f5dccd3a51409219d10190a26a68870a46fb78320aeee18dc29f17ca235a

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.11: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 9b6ad435160c7db499691b2b03df858419fc4bdbc469ee555554b9801ace3d68

Connect2id server 14.11 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 67be25ddc6e36a2b86dbde89f326dd89ced8c887792bc7d1766e638c5991466b


Release notes

14.11 (2023-12-08)

Web API

  • /logout-sessions/rest/v1/

    • Logout requests initiated by an OpenID Relying Party (RP) with a post_logout_redirect_uri parameter will be allowed to proceed if the RP includes its client_id parameter. Previously such redirections were allowed to proceed only when a valid id_token_hint was provided in the request. With this change RPs that wish to perform a post-logout redirection have the choice to include an ID token hint, their client ID, or both, in order to enable the Connect2id server to validate the URI by checking it against the registered post_logout_redirect_uris metadata parameter for the RP.

Resolved issues

  • The client registration endpoint must allow registration of native applications with a localhost or loopback IP frontchannel_logout_uri (issue server/950).

  • The SQL database connector must not serialise the jOOQ Query to an intermediate String except when dealing with Oracle (N)CLOB chunking. By using direct Query execution a PreparedStatement can be correctly inferred (issue sql-store/35).

  • Updates SQLStore.write() to switch from the deprecated jOOQ mergeInto() to an insertInto() for PostgreSQL and Oracle databases (issue sql-store/34).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:11.7.1

  • Updates to com.nimbusds:oauth2-authz-store:24.8.1

  • Updates to com.nimbusds:oidc-session-store:16.8.1

  • Updates to com.nimbusds:nimbus-jose-jwt:9.37.3

  • Updates to com.nimbusds:infinispan-cachestore-sql:7.4.3

  • Upgrades to org.jooq.pro-java-11:jooq:3.18.7

  • Updates to net.minidev:json-smart:2.5.0

  • Updates to com.google.crypto.tink:tink:1.12.0

  • Updates to BouncyCastle 1.77

  • Updates to com.unboundid:unboundid-ldapsdk:6.0.11

  • Updates to com.nimbusds:tenant-registry:8.3.1

Connect2id server 14.10

This Connect2id server release improves the performance of expired entry purges in deployments with an SQL database. If you have an identity provider deployment that deals with a large number of sessions and identifier-based access tokens, objects that eventually expire, this upgrade will reduce the database traffic and load when the purge task runs.

The SQL connector also adds two Java system properties:

  • dataSource.maxLifetime -- Overrides the maximum SQL connection lifetime (in the Hikari connection pool)

  • dataSource.expiredQueryPageLimit -- Overrides the page limit in SQL select statements for expired records.

These two new properties are explained in the configuration docs for the supported SQL databases.

The dataSource.maxLifetime configuration override can be useful to address situations where the backend SQL database is configured to close connections before their expiration in the Connect2id server pool (30 minutes).

The release notes below have more information.

Download 14.10

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.10: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: c7143ea19bb1327809f6666a797e9e4558317812d06a8444401742d8d187e068

Connect2id server 14.10 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: ae45fafe8922d349aab6a4a81e20d04b78800d1330c0bf0a682acaadf2876ba4

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.10: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: d1bc3923a24e37e86b1159506c4933f87e5f03a7cf9c6945a4a93d117a393cae

Connect2id server 14.10 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 4a2f5411aac6e0019c44d972bb677e529b7e2feb15f5a26625bd0f2c4a6f6b74


Release notes

14.10 (2023-11-22)

Summary

  • Connect2id server deployments with an SQL database receive an optimised purge task and SQL query for expired records, such as records for expired subject sessions or identifier-based access tokens. The page limit in the SQL query to select expired records is made configurable, to enable further performance tuning.

    A Java system property to override the maximum lifetime of SQL connections in the connection pool is also made available.

Configuration

  • /WEB-INF/infinispan-*-{mysql|oracle|postgres95|sqlserver}.xml

    • Upgrades the SQL store schema to v3.2.

    • dataSource.maxLifetime -- New optional Java system property to override the default maximum lifetime of SQL connections in the Hikari connection pool. The value is expressed in microseconds and must not be shorter than 30000 (30 seconds). The default value is 1800000 (30 minutes).

      This configuration can be used to address Hikari warnings (recorded in the Connect2id server log) "Failed to validate connection (Closed Connection)".

    • dataSource.expiredQueryPageLimit -- New optional Java system property to override the default page limit of SQL queries to select expired records, such as the records of expired subject sessions. The page limit value is 1000 records.

      This configuration can be used to optimise the retrieval of expired records by the Infinispan entry purge task.

    • Upgrades the SQL database connector and the sessionStore.sessionMap, authzStore.idAccessTokenMap, authzStore.expendedTokenMap, op.authSessionMap, clients.registrationsMap SQL definitions to select only expired records from the respective tables when the Infinispan purge task runs.

Resolved issues

  • The expired entry reaper in Connect2id server deployments with an SQL database must not terminate when an unchecked exception is encountered during an SQL select or delete query. The exception must be swallowed and an appropriate error logged (issue sql-store/31, sql-store/32).

  • The infinispan-replication-*.xml configurations must not use passivation for sessionStore.sessionMap and sessionStore.subjectMap as this is incompatible with shared cache stores (issue server/943).

  • Reduces and aligns the memory max-count limits in the infinispan-*-local-h2.xml configurations (issue server/944).

  • The page LIMIT in the SQL select query run by the purge task must be inlined (issue sql-store/29).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:24.8

  • Updates to com.nimbusds:oidc-session-store:16.8

  • Updates to com.nimbusds:infinispan-cachestore-sql:7.4.1

  • Updates to com.zaxxer:HikariCP:5.1.0

  • Updates to Log4j 2.22.0

Connect2id server 14.9

This release ships an enhancement for Connect2id server deployments with an AWS DynamoDB. The purge thread that wakes up periodically to scan the subject (end-user) sessions table for expired entries and then delete them will now automatically limit the rate of read and write capacity unit consumption to 10% of the capacity provisioned for the sub_sessions table.

The rate limiting moderates the use of capacity units when the purge thread is running. With a DynamoDB table in provisioned mode the rate limiting ensures the scan (and delete) requests will not potentially starve regular API requests of database capacity. In on-demand mode the rate limiting smooths potential peaks in capacity use and thus can help reduce your AWS bill.

The default configuration can be overridden with a dynamodb.purgeMaxReadCapacity Java system property, by setting it to an absolute capacity unit value, or to a percentage (evaluated using the reported provisioned read capacity every time before the purge thread runs).

Example override to use at most 20 read capacity units / second for purges:

dynamodb.purgeMaxReadCapacity=20

Example override to rate limit the consumption to 15% of the current read capacity units for the table:

dynamodb.purgeMaxReadCapacity=15%

Note that when automatic DynamoDB TTL expiration is enabled for the sessions table, the Connect2id server will not run the purge thread (as all sessions are expired within DynamoDB) and dynamodb.purgeMaxReadCapacity has no effect.
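The override semantics above (absolute read capacity units or a percentage of the table's provisioned read capacity, re-evaluated before each purge run) and the pacing they imply can be modelled as follows. This Python is an added illustration for this page, not the Connect2id server's DynamoDB connector; the function names, the injectable clock and the capacity figures are constructed assumptions, and the write capacity consumed by the deletes is left out.

```python
# Model of dynamodb.purgeMaxReadCapacity handling. Added illustration, not
# Connect2id server code; names and figures are assumptions.
import time

DEFAULT_PURGE_MAX_READ_CAPACITY = "10%"   # the documented default


def resolve_purge_budget(setting, provisioned_rcu):
    """Return the read capacity units per second a purge may consume.

    setting is the Java system property value: an absolute number such as
    "20", or a percentage of the table's provisioned read capacity such as
    "15%". None selects the default of 10%. A percentage is evaluated
    against provisioned_rcu, which the purge thread re-reads before each run.
    """
    value = (setting or DEFAULT_PURGE_MAX_READ_CAPACITY).strip()
    if value.endswith("%"):
        pct = float(value[:-1])
        if not 0 < pct <= 100:
            raise ValueError(f"percentage out of range: {value!r}")
        if provisioned_rcu <= 0:
            raise ValueError("a percentage needs a provisioned read capacity")
        return provisioned_rcu * pct / 100.0
    budget = float(value)
    if budget <= 0:
        raise ValueError(f"capacity must be positive: {value!r}")
    return budget


def pace_purge(page_capacities, budget_rcu, clock=time.monotonic, sleep=time.sleep):
    """Pace a paged scan of expired sessions.

    page_capacities yields the ConsumedCapacity units reported for each scan
    page (constructed figures in the demo). After each page the caller waits
    until enough wall-clock time has passed for the cumulative consumption to
    average at most budget_rcu per second, so that regular requests keep the
    rest of the table's capacity. Returns the total seconds slept.
    """
    start = clock()
    consumed = 0.0
    slept = 0.0
    for units in page_capacities:
        consumed += units
        earliest_next = start + consumed / budget_rcu
        wait = earliest_next - clock()
        if wait > 0:
            sleep(wait)
            slept += wait
    return slept


if __name__ == "__main__":
    provisioned = 100                                    # constructed figure
    budget = resolve_purge_budget("15%", provisioned)    # 15.0 RCU/s
    print("budget:", budget)
    # Three scan pages that consumed 5, 5 and 10 read units (constructed)
    print("slept:", pace_purge([5, 5, 10], budget))
```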

Check the release notes below for more information.

Download 14.9

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.9: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: e64d17123bf28407252f8699b029421d888e8e0351478b45c96981fc5bafa6c1

Connect2id server 14.9 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: e4a74dfd5d2ffe1d326adaff2a735672abc2214c95b2fed0ca1681a787344f56

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.9: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: a416855669d1e18b0e5e83941c500c8a98abb83fe24591f46b32b99ac95aac82

Connect2id server 14.9 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 9d5efad8de9e16ca4e5d6e200c6bcbdadbfba41f238ce6b8cf6da53217d2ba4a


Release notes

14.9 (2023-11-13)

Summary

  • Connect2id server deployments with an AWS DynamoDB receive rate limiting of the paged scan and delete requests that purge the database of expired subject sessions. This enhancement guards regular requests to DynamoDB from potentially being starved of their provisioned database read and write capacity when a purge scan is taking place. Moderating the purge scans may also smooth spikes in DynamoDB consumption over time and thus enable the provisioned capacity to be lowered to save costs.

    Note, in deployments where native DynamoDB TTL expiration is enabled for the subject sessions, by setting the "dynamodb.enableTTL.sessionStore.sessionMap" Java system property to true, the sessions will be expired automatically by DynamoDB and the Connect2id server doesn't need to run purge scans on the sessions table. The TTL expiration suits Connect2id server deployments that have no OpenID relying parties registered to receive logout and session expiration notifications. Such notifications can be generated only when the sessions are expired by the Connect2id server itself.

Configuration

  • /WEB-INF/infinispan-*-dynamodb.xml

    • Upgrades the dynamodb schema to v2.1.
  • /WEB-INF/infinispan-*-{stateless|replication}-dynamodb.xml

    • Scan and delete requests that purge the sub_sessions table of expired subject sessions are rate limited to 10% of the reported provisioned read capacity for the table. For example, if the table is provisioned with 100 read capacity units, the consumed purge scan read and delete operations will be rate-limited to 10 capacity units.

      To specify a different value set the "dynamodb.purgeMaxReadCapacity" Java system property to the desired maximum read capacity units that may be consumed during a purge, as an absolute value, e.g. 20, or as a percentage of the current provisioned read capacity of the table, e.g. 20%. Any write capacity consumed to delete expired items is bounded by the "dynamodb.purgeMaxReadCapacity" and will always stay below it. The default value of "dynamodb.purgeMaxReadCapacity" is 10%, as explained above.

Resolved issues

  • The expired entry reaper in Connect2id server deployments with an AWS Dynamo database must not terminate when an unchecked parse or another exception is thrown when parsing a retrieved DynamoDB item. This may occur in DynamoDB items manipulated outside the Connect2id server APIs. Instead, the exception must be swallowed and an error with the offending item logged. This is now done with a DS0152 log error (issue dynamodb-store/21).

  • The *.dynamoDB.deleteTimer metrics must include DynamoDB delete requests performed as part of purges of expired items (issue dynamodb-store/22).

  • Removes legacy comma separator support in Scope.parse(String) (issue oidc-sdk/445).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:11.6

  • Updates to com.nimbusds:nimbus-jose-jwt:9.37.1

  • Updates to com.nimbusds:oauth2-authz-store:24.7.3

  • Updates to com.nimbusds:oidc-session-store:16.7.5

  • Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:5.2

Connect2id server 14.8.3

This Connect2id server release fixes a bug in the SQL connector that was introduced in v14.8.1 last week. Connect2id server 14.8.* deployments are encouraged to upgrade to this release.

More information is available in the release notes below.

Download 14.8.3

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.8.3: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: b02d2d0bb9a3af71d887fddf51748fdfef8b3196d2a46efb37820402a99ba5e1

Connect2id server 14.8.3 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: f311f7f871c49c5d2e10ac72bdce615da9f187e5a4a8fae9c688f7fdfc595981

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.8.3: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: b1de2efc8c26da1b178bc4c0699597da5fcded48f319204f1f991608226ffce7

Connect2id server 14.8.3 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: dc9247aa06deb0d530de5b74e066e23ecd9a72d13f70a1e4f7c2117cbb67bf5d


Release notes

14.8.3 (2023-11-08)

Resolved issues

  • Fixes a bug introduced in v14.8.1 that affects Connect2id server deployments with an SQL database. The bug resulted in repeat duplicate SQL delete queries when purging expired records in the database, causing excessive slowdown of the purge task in SQL tables with many expired records, such as records for subject sessions (issue server/938, sql-store/25).

  • The *.sqlStore.deleteTimer metrics must include SQL delete queries performed as part of purges of expired records (issue sql-store/26).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:24.7.2

  • Updates to com.nimbusds:oidc-session-store:16.7.4

  • Updates to com.nimbusds:infinispan-cachestore-sql:7.1.1