Connect2id server 13.7.3
This release of the Connect2id server fixes a bug affecting deployments that have their signing RSA and / or EC keys stored in a Hardware Security Module (HSM). Details can be found in the release notes below.
Download 13.7.3
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.7.3: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: efe4f68520c6ef18512c1feadaaa462719e642bba570eb9c8667eaa16e00d67c
Connect2id server 13.7.3 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: a5b78089710452c2c33b03a1372d648035969d4dd6d814e5b0b9ac5ed19d13a4
Multi-tenant edition
Apache Tomcat package with Connect2id server 13.7.3: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: a8991dc660b6c30ebcbc63fd971b9d1d67f336eb8825485e5bda10f66b7ac518
Connect2id server 13.7.3 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 5d27fa07a3bc057108141b411edac40b418e249e82316d80b4b63bfaa4fdd709
Questions?
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
13.7.3 (2023-04-14)
Resolved issues
- The validator of signing Connect2id server RSA and EC keys that are backed by a PKCS#11 store (HSM) must use the default or BouncyCastle JCA providers for the signature verification step to prevent public key extraction errors in jdk.crypto.cryptoki/sun.security.pkcs11.P11RSAKeyFactory / P11ECKeyFactory (issue server/857).
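As an added illustration of the validator behaviour described above (not Connect2id server code), the following Java program performs the sign-then-verify self-test of a PKCS#11 backed key and obtains the verifying Signature without naming the PKCS#11 provider, so the public key is never routed through P11RSAKeyFactory / P11ECKeyFactory. It assumes Java 9+, a SunPKCS11 configuration file, a token PIN and a key alias supplied as arguments (all hypothetical), and a certificate object stored alongside the private key on the token.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

/** Self-test of an HSM-backed signing key: sign on the token, verify with a software provider. */
public class Pkcs11SigningKeyCheck {

    // Sign-then-verify round trip. The Signature used for verification is deliberately obtained
    // without naming the PKCS#11 provider, so the JDK picks SunRsaSign / SunEC (or BouncyCastle, if
    // registered ahead of them) and the public key is never handed to the PKCS#11 key factories.
    static boolean roundTrip(Provider pkcs11, PrivateKey hsmKey, PublicKey pub, String jcaAlg)
            throws GeneralSecurityException {
        byte[] probe = "c2id signing key self-test".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance(jcaAlg, pkcs11); // private key stays on the token
        signer.initSign(hsmKey);
        signer.update(probe);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(jcaAlg);      // software provider, not pkcs11
        verifier.initVerify(pub);
        verifier.update(probe);
        return verifier.verify(sig);
    }

    static String jcaAlgorithmFor(Key k) {
        switch (k.getAlgorithm()) {
            case "RSA": return "SHA256withRSA";
            case "EC":  return "SHA256withECDSA";
            default: throw new IllegalArgumentException("unsupported key type " + k.getAlgorithm());
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs (hypothetical): SunPKCS11 config file path, token PIN, key alias.
        String cfg = args[0]; char[] pin = args[1].toCharArray(); String alias = args[2];
        Provider pkcs11 = Security.getProvider("SunPKCS11").configure(cfg); // Java 9+ API
        Security.addProvider(pkcs11);                                       // appended last
        KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11);
        ks.load(null, pin);
        PrivateKey priv = (PrivateKey) ks.getKey(alias, pin);
        // The public half is taken from the certificate object's encoding, i.e. a plain software key.
        PublicKey pub = ks.getCertificate(alias).getPublicKey();
        boolean ok = roundTrip(pkcs11, priv, pub, jcaAlgorithmFor(priv));
        System.out.println(alias + ": " + (ok ? "OK" : "FAILED"));
    }
}
```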
Connect2id server 13.7.2
This week's Connect2id server release addresses two issues and updates the JDBC drivers for MySQL, PostgreSQL and Microsoft SQL Server. More information can be found in the release notes below.
Download 13.7.2
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.7.2: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 286009ecd578c577c75db8963064e7e75ace5963d7fbce07b8b25f53e4981e9b
Connect2id server 13.7.2 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 21e97fa58f1109a8be2510ea570b8b057855ffcdcb210bee3fbb30017b839321
Multi-tenant edition
Apache Tomcat package with Connect2id server 13.7.2: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 8fda8e804c175a7ae83d04f37586afd4755b4da660fc99e5f2b4beef015ee5dc
Connect2id server 13.7.2 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 17c55c7c74744c21801a7662162105c57cc0f5d08461dcdcada04b4aa99e41c4
Release notes
13.7.2 (2023-04-11)
Resolved issues
- Fixes the OAuth 2.0 token exchange grant policy to allow both confidential and public clients. The client grant authorisation check must be adjusted accordingly (issue server/853).
- The OP6201 log INFO message should include the OAuth 2.0 grant type for unsupported_grant_type errors when a password, client_credentials, urn:ietf:params:oauth:grant-type:jwt-bearer, urn:ietf:params:oauth:grant-type:saml2-bearer or urn:ietf:params:oauth:grant-type:token-exchange grant handler plugin is unavailable (issue server/855).
Dependency changes
Updates to org.mariadb.jdbc:mariadb-java-client:2.7.9
Updates to org.postgresql:postgresql:42.5.4
Updates to com.microsoft.sqlserver:mssql-jdbc:11.2.3.jre11
Connect2id server 13.7.1
This maintenance release of the Connect2id server fixes a bug that affected the OAuth 2.0 token exchange grant and also updates selected dependencies. Details can be found in the release notes below.
Download 13.7.1
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.7.1: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: dd82ec7cd211b02a6f4aba5985ad33ec476f3948eac1a6bb49c33acb9b7e3f88
Connect2id server 13.7.1 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 9bbcadc11fbea14f911875ebe3efe85e09134906fdc0db62c003b3cb43c45392
Multi-tenant edition
Apache Tomcat package with Connect2id server 13.7.1: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 5550c31ad66237c4c54d1d813666240b633d1ab95043f16419ebe0f65f8dea21
Connect2id server 13.7.1 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 9ed6fdfdb792108942a4f462758ea4450969c589aadeb91e140858ddd54880ae
Release notes
13.7.1 (2023-04-05)
Resolved issues
- Loading of a TokenExchangeGrantHandler SPI implementation was not reflected in the OpenID provider / OAuth 2.0 authorisation server metadata (issue server/849).
Dependency changes
Updates to com.unboundid:unboundid-ldapsdk:6.0.8
Updates Log4j to 2.20.0
Connect2id server 13.7
This Connect2id server release introduces two new configuration properties and fixes a bug affecting DPoP.
New configuration properties
op.idToken.includeX5C
-- this configuration makes it possible to control the inclusion of X.509 certificate (chains) in the JWT header of issued ID tokens. The X.509 certificate gets automatically included by the Connect2id server when one is found in the configured signing keys. To disable this behaviour and issue leaner ID tokens set this configuration property to false.
op.idToken.includeX5C=false
op.reg.allowNonTLSLogoutURIsForTest
-- the configuration allows the registration of OpenID relying parties as clients with a frontchannel_logout_uri or backchannel_logout_uri that is an insecure (plain) HTTP URL. This is intended to help with test and devops deployments that cannot issue HTTPS certificates. Unsecured logout URLs must not be used in production!
op.reg.allowNonTLSLogoutURIsForTest=true
You can find more information about the frontchannel_logout_uri and backchannel_logout_uri parameters in their respective specifications:
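The following Java snippet is an added example, not Connect2id server code, that implements the registration rule described above: logout URIs must be absolute HTTPS URLs, with plain HTTP accepted only when the test flag is on and every other scheme rejected. The client metadata map and the sample URIs are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.*;

/** Registration-time check of front/back-channel logout URIs, mirroring the rule that the
 *  op.reg.allowNonTLSLogoutURIsForTest property relaxes for test deployments. */
public class LogoutUriPolicy {

    static final List<String> LOGOUT_URI_PARAMS =
            List.of("frontchannel_logout_uri", "backchannel_logout_uri");

    /** Returns one message per rejected parameter; an empty list means the registration passes. */
    static List<String> check(Map<String, String> clientMetadata, boolean allowNonTlsForTest) {
        List<String> problems = new ArrayList<>();
        for (String param : LOGOUT_URI_PARAMS) {
            String value = clientMetadata.get(param);
            if (value == null) continue;                 // optional parameter, nothing to check
            URI uri;
            try {
                uri = new URI(value);
            } catch (URISyntaxException e) {
                problems.add(param + ": not a valid URI");
                continue;
            }
            if (!uri.isAbsolute() || uri.getHost() == null) {
                problems.add(param + ": must be an absolute URL with a host");
                continue;
            }
            String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
            if (scheme.equals("https")) continue;        // always acceptable
            if (scheme.equals("http") && allowNonTlsForTest) continue; // test / devops only
            problems.add(param + ": scheme \"" + scheme + "\" not allowed"
                    + (scheme.equals("http") ? " (op.reg.allowNonTLSLogoutURIsForTest is false)" : ""));
        }
        return problems;
    }

    public static void main(String[] args) {
        // Constructed sample registration with a plain-HTTP back-channel logout URI.
        Map<String, String> meta = Map.of(
                "frontchannel_logout_uri", "https://rp.example.com/logout",
                "backchannel_logout_uri", "http://rp.example.com/bc-logout");
        System.out.println("default (false): " + check(meta, false));
        System.out.println("test flag (true): " + check(meta, true));
    }
}
```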
Bug fixes
This release fixes a bug that affected DPoP access tokens. If you have a Connect2id server deployment that issues identifier-based access tokens with DPoP and is using the stateless server mode you should upgrade to this version. Deployments that issue JWT-encoded access tokens or use a replication cluster or Redis are not affected.
Download 13.7
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.7: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: eec7f9bdb26b4d9eb2228c629a0c58ef3a015b82209727375387f6e75e957de6
Connect2id server 13.7 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 650dab0e9a0dd20ec8581e9af5df5bd94a21b2edda8a74954365663a3ab9ebde
Multi-tenant edition
Apache Tomcat package with Connect2id server 13.7: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 2198b564012f801b2ac14270e3ad4a1a48b67d7cb84bfd9b2988100364175673
Connect2id server 13.7 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 1a05a2721defb30fdcaf4b866eb5ecb52088b0973cad8edfc55c8e9e5661b172
Release notes
13.7 (2023-03-30)
Configuration
/WEB-INF/oidcProvider.properties
op.idToken.includeX5C -- New optional configuration to control inclusion of the "x5c" (X.509 certificate chain) header parameter in issued ID tokens when the signing JWK is provisioned with a certificate. The default value is true.
op.reg.allowNonTLSLogoutURIsForTest -- New optional configuration property to allow registration of non-TLS (plain HTTP) front and back-channel logout URIs for test and development purposes. The default value is false (not allowed). Must not be allowed in production!
Resolved issues
- The JWK thumbprint (jkt) confirmation must be persisted in the "cnf" column of the "id_access_tokens" SQL table for identifier-based DPoP access tokens (issue authz-store/205).
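As an added example (not Connect2id server or Nimbus library code), this Java program computes the RFC 7638 JWK thumbprint that the jkt confirmation holds and performs the binding check that a resource server or introspection step does against the persisted cnf value. The JWK is passed as a map of its string members rather than parsed from JSON, and the P-256 coordinates in main are sample values constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;

/** RFC 7638 JWK thumbprint (the "jkt" stored in the cnf column) and the DPoP binding check. */
public class DpopJktBinding {
    // Required members per key type (RFC 7638 section 3.2), already in lexicographic order;
    // everything else in the JWK (kid, use, alg, ...) is ignored by the thumbprint.
    static final Map<String, List<String>> REQUIRED = Map.of(
            "EC",  List.of("crv", "kty", "x", "y"),
            "RSA", List.of("e", "kty", "n"),
            "OKP", List.of("crv", "kty", "x"));

    /** Canonical JSON: required members only, sorted, no whitespace. Values are base64url / ASCII
     *  identifiers, so no JSON escaping is needed here. */
    static String canonicalJson(Map<String, String> jwk) {
        List<String> members = REQUIRED.get(jwk.get("kty"));
        if (members == null) throw new IllegalArgumentException("unsupported kty: " + jwk.get("kty"));
        StringJoiner sj = new StringJoiner(",", "{", "}");
        for (String m : members) {
            String v = jwk.get(m);
            if (v == null) throw new IllegalArgumentException("JWK missing required member " + m);
            sj.add("\"" + m + "\":\"" + v + "\"");
        }
        return sj.toString();
    }

    /** base64url(SHA-256(canonical JSON)) without padding, as placed in cnf.jkt. */
    static String jkt(Map<String, String> jwk) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(canonicalJson(jwk).getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }

    /** True when the JWK from the DPoP proof header matches the jkt persisted with the token. */
    static boolean isBound(String storedJkt, Map<String, String> proofHeaderJwk) throws NoSuchAlgorithmException {
        byte[] a = storedJkt.getBytes(StandardCharsets.UTF_8);
        byte[] b = jkt(proofHeaderJwk).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);          // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        // Constructed P-256 public JWK; the "kid" member does not affect the thumbprint.
        Map<String, String> jwk = Map.of("kty", "EC", "crv", "P-256", "kid", "dpop-1",
                "x", "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
                "y", "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0");
        String stored = jkt(jwk);                    // what the cnf column would hold
        System.out.println("jkt = " + stored + ", bound = " + isBound(stored, jwk));
    }
}
```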
Dependency changes
Updates to com.nimbusds:oauth2-oidc-sdk:10.7.1
Updates to com.nimbusds:oauth2-authz-store:19.5.1
Updates to net.minidev:json-smart:2.4.10
Updates to com.google.crypto.tink:tink:1.8.0
Updates to com.google.code.gson:gson:2.10.1
Updates to com.fasterxml.jackson.core:jackson-databind:2.13.4.2
Connect2id server 14.0 RC3 with Oracle Database support
This is a snapshot of the upcoming Connect2id server 14.0 with Oracle database support.
The underlying Infinispan-based architecture received a sweeping upgrade from v9.4.x to v14.0.x, while retaining the existing stateless, stateless + Redis and replication Connect2id server clustering modes.
In v14.0 persisting Connect2id server data to an LDAP server will no longer be supported. Connect2id server deployments with an LDAP backend database have the choice to migrate to a supported SQL RDBMS or to AWS DynamoDB.
More information can be found in the release notes below.
Download 14.0-rc.3
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 14.0-rc.1: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: acaf4e2bb79b666c4cb0e99ce36c0b2c77ad423fcf29d595c28b62ff50fb1e71
Connect2id server 14.0-rc.1 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 39fbb7f6ae88a3d165c0b5f93ebdb8eec3e146b53c5b458d6fb5610b4dccbdfe
Release notes
14.0-rc.3 (2023-03-11)
Summary
Upgrades to Infinispan 14.0.
Adds Oracle 12c r1+ Database support.
Removes LDAP backend database support as part of the Infinispan 14.0 upgrade. Connect2id server deployments with an LDAP backend database can migrate to a supported SQL RDBMS or to AWS DynamoDB.
Configuration
/WEB-INF/infinispan-*.xml
- Upgrades the XML schema to Infinispan 14.0.
/WEB-INF/infinispan-stateless-oracle.xml
- New Infinispan configuration for stateless clustering and an Oracle database.
/WEB-INF/infinispan-stateless-redis-oracle.xml
- New Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.
/WEB-INF/infinispan-replication-oracle.xml
- New Infinispan configuration for replication clustering and an Oracle database.
/WEB-INF/infinispan-multitenant-stateless-oracle.xml
- New multi-tenant Infinispan configuration for stateless clustering and an Oracle database.
/WEB-INF/infinispan-multitenant-stateless-redis-oracle.xml
- New multi-tenant Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.
/WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|oracle|h2}.xml
New optional "dataSource.createTableIfMissing" Java system property. When "true" (the default value) the Connect2id server will automatically create the required SQL tables on startup. It will also perform automatic table alterations where necessary in new major releases. When "false" the database administrator must create or alter the tables manually before server startup.
New optional "dataSource.maxPoolSize" Java system property. Controls the maximum size the SQL connection pool is allowed to reach, including both idle and in-use connections. The default size is 5.
/WEB-INF/infinispan-*-ldap.xml
- The LDAP backend database XML configurations are removed and no longer supported.
/WEB-INF/sql
- New directory containing the required SQL statements for manual table creation, to be used when the Connect2id server is configured to disable automatic table creation (if missing) on server startup (with dataSource.createTableIfMissing=false).
Resolved issues
- The SQL store must not set the client "application_type" to the default value "web" on record retrieval (issue server/838).
- The Microsoft SQL Server id_access_tokens table column cnf must be VARCHAR(100), not NVARCHAR(100) (issue authz-store/199).
Dependency changes
Updates to com.nimbusds:c2id-server-sdk:4.52.1
Updates to com.nimbusds:c2id-server-property-source:1.1.1
Updates to com.nimbusds:tenant-manager:7.4.1
Updates to com.nimbusds:tenant-registry:8.2
Updates to com.nimbusds:oauth2-authz-store:20.1
Updates to com.nimbusds:oidc-session-store:16.1
Upgrades to com.nimbusds:common:2.50
Upgrades to com.nimbusds:infinispan-cachestore-common:3.1
Upgrades to Infinispan 14.0.6.Final
Upgrades to com.nimbusds:infinispan-cachestore-sql:7.0.2
Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:5.0.1
Upgrades to com.nimbusds:infinispan-cachestore-redis:10.0.1
Updates to com.nimbusds:jgroups-dynamodb-ping:1.2.6
Adds com.oracle.database.jdbc:ojdbc11:21.8.0.0