Connect2id server 7.5.1


This is a maintenance release of the Connect2id server which fixes a bug introduced in version 7.5 that prevented the server from receiving client X.509 certificates forwarded by a TLS termination proxy, and therefore broke self-signed certificate client authentication (self_signed_tls_client_auth) at the token endpoint. Further details in the release notes below.


To download a ZIP package of Connect2id server 7.5.1:

SHA-256: 1f6c38de8ea72e5c94e32cf28d9963ff46cf3f939776e4a7d5dbabe389cf936d

As WAR package only:

SHA-256: 4b20b1c26a686ecaaf346e83b405f28ce70d5e6a7623b8d27f05aa1917353817


Get in touch with Connect2id support.

Release notes

7.5.1 (2018-07-30)

Resolved issues

  • Fixes a bug introduced in Connect2id server 7.5 which prevented receiving client X.509 certificates set by a TLS termination proxy via the HTTP header configured in op.tls.clientX509CertHeader. The bug affected token requests by OAuth 2.0 clients / OpenID relying parties registered for self-signed certificate mutual TLS authentication (self_signed_tls_client_auth) (issue server/390).

Connect2id server 7.5 enables publishing of custom OpenID provider metadata


Support for custom OP / AS metadata

With Connect2id server 7.5 you can now include custom fields in the OpenID provider and OAuth 2.0 authorisation server metadata. To do that set the new op.customMetadata configuration property:

op.customMetadata = {"custom-param-1":"val-1","custom-param-2":"val-2"}

The custom-param-1 and custom-param-2 fields will then get published alongside the standard ones.

The JSON object can also be given an additional BASE64 encoding, to make it easier to pass the value in Connect2id server deployments configured via Java system properties set from a command line shell:

op.customMetadata = eyJjdXN0b20tcGFyYW0tMSI6InZhbC0xIiwiY3VzdG9tLXBhcmFtLTIiOiJ2YWwtMiJ9
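As an added illustration (not code from the Connect2id server or its documentation), the following Python models what a server has to do with an op.customMetadata value in either of the two forms described above: detect and strip the optional BASE64 layer, insist on a JSON object, and merge the custom fields into the published discovery document. Two details are assumptions of this example rather than documented server behaviour: a value that does not start with `{` is treated as the BASE64 form, and custom fields are refused if they would override a standard field such as issuer or jwks_uri, which is the conservative choice for metadata that every relying party trusts.

```python
import base64
import json

# Standard discovery fields that custom metadata should not be allowed to
# override. Protecting them is an assumption of this example; the release
# notes do not say how the Connect2id server itself handles a collision.
PROTECTED_FIELDS = {
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "registration_endpoint", "end_session_endpoint",
    "introspection_endpoint", "revocation_endpoint",
}


def decode_custom_metadata(value: str) -> dict:
    """Parse an op.customMetadata value given either as a JSON object string or
    as that string with an extra BASE64 layer. Raises ValueError for anything
    that does not decode to a JSON object."""
    text = value.strip()
    if not text.startswith("{"):
        # Heuristic of this example: a value not starting with '{' is taken to
        # be the BASE64 form. binascii.Error is a ValueError subclass.
        try:
            text = base64.b64decode(text, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError) as exc:
            raise ValueError("op.customMetadata is neither JSON nor BASE64 JSON") from exc
    try:
        parsed = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"op.customMetadata is not valid JSON: {exc.msg}") from exc
    if not isinstance(parsed, dict):
        raise ValueError("op.customMetadata must be a JSON object")
    return parsed


def encode_custom_metadata(custom: dict) -> str:
    """Produce the BASE64 form of op.customMetadata, convenient for a shell."""
    raw = json.dumps(custom, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def publish_metadata(standard: dict, custom_setting: str) -> dict:
    """Return the discovery document: standard fields plus the custom ones,
    refusing custom fields that would override a protected standard field."""
    custom = decode_custom_metadata(custom_setting)
    clash = PROTECTED_FIELDS & custom.keys()
    if clash:
        raise ValueError(f"custom metadata may not override {sorted(clash)}")
    merged = dict(standard)
    merged.update(custom)
    return merged


if __name__ == "__main__":
    # Constructed sample: the two custom fields from the release announcement
    # on top of a minimal standard metadata set for a hypothetical issuer.
    setting = encode_custom_metadata({"custom-param-1": "val-1", "custom-param-2": "val-2"})
    print(setting)
    print(json.dumps(publish_metadata(
        {"issuer": "https://op.example.com", "jwks_uri": "https://op.example.com/jwks.json"},
        setting), indent=2))
```

The same BASE64 value can be produced in a POSIX shell with `printf '%s' '{"custom-param-1":"val-1","custom-param-2":"val-2"}' | base64`; decoding the configured value back and checking that it parses as a JSON object, as `decode_custom_metadata` does, is a cheap way to catch a mangled property before it reaches the discovery endpoint.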

Block client X.509 certificates at the token endpoint

The configuration was also extended with a new op.tls.blockClientX509Certs property that blocks client X.509 certificates at the token endpoint, for deployments where issuing of client certificate bound access tokens, as per draft-ietf-oauth-mtls, is not desired. By default the certificates are accepted and the issued tokens are bound to them.
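The following Python is an added example, not code from the Connect2id server, that ties together the two mechanisms mentioned on this page: the client certificate that a TLS termination proxy forwards in the header named by op.tls.clientX509CertHeader (the header the 7.5.1 fix above concerns), and the token endpoint decision to bind the issued access token to that certificate or, when op.tls.blockClientX509Certs is set, to leave it a bearer token. The binding is expressed as the `cnf` claim with an `x5t#S256` thumbprint, which is the form draft-ietf-oauth-mtls specifies. The header name `X-SSL-Client-Cert`, the folded and percent-encoded PEM forms accepted from the proxy, the rule that the header is only honoured on connections from the trusted proxy, and the certificate bytes themselves (a constructed stand-in, not a real X.509 certificate) are all assumptions of this example.

```python
import base64
import hashlib
import re
from urllib.parse import unquote

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for the DER bytes of a client certificate. It is NOT a
# real X.509 certificate; the thumbprint and binding logic below only hash it.
FAKE_CLIENT_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Extract DER from a PEM block. Accepts newlines folded into spaces or tabs
    (HTTP headers cannot carry raw newlines) and the percent-encoded form some
    proxies emit; both are assumptions about proxy behaviour, not Connect2id
    documentation."""
    match = PEM_RE.search(unquote(pem))
    if not match:
        raise ValueError("no PEM CERTIFICATE block in header")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def x5t_s256(der: bytes) -> str:
    """SHA-256 certificate thumbprint, base64url without padding, as carried in
    the cnf.x5t#S256 confirmation claim of draft-ietf-oauth-mtls."""
    digest = hashlib.sha256(der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def client_cert_from_request(headers: dict, from_trusted_proxy: bool,
                             cert_header: str = "X-SSL-Client-Cert"):
    """Return the DER client certificate forwarded in the header configured by
    op.tls.clientX509CertHeader (the default name here is a placeholder), or
    None. The header is honoured only when the connection really comes from
    the TLS-terminating proxy; otherwise any client could inject one. That
    check is this example's caveat; the page does not describe the server's."""
    if not from_trusted_proxy:
        return None
    pem = headers.get(cert_header)
    return None if pem is None else pem_to_der(pem)


def issue_access_token(base_claims: dict, headers: dict, from_trusted_proxy: bool,
                       block_client_x509_certs: bool = False) -> dict:
    """Model of the token endpoint decision: bind the token to the client
    certificate (the default) or issue a plain bearer token when
    op.tls.blockClientX509Certs is set."""
    claims = dict(base_claims)
    if block_client_x509_certs:
        return claims
    der = client_cert_from_request(headers, from_trusted_proxy)
    if der is not None:
        claims["cnf"] = {"x5t#S256": x5t_s256(der)}
    return claims


def verify_presentation(claims: dict, presented_der: bytes) -> bool:
    """Resource-server side: a certificate-bound token is accepted only when
    the certificate presented with it hashes to the bound thumbprint."""
    cnf = claims.get("cnf")
    if not cnf:
        return True  # plain bearer token, nothing to confirm here
    return cnf.get("x5t#S256") == x5t_s256(presented_der)


if __name__ == "__main__":
    folded = to_pem(FAKE_CLIENT_CERT_DER).replace("\n", " ")
    token = issue_access_token({"sub": "alice"}, {"X-SSL-Client-Cert": folded}, True)
    print(token)
    print(verify_presentation(token, FAKE_CLIENT_CERT_DER))
```

The point of the `from_trusted_proxy` gate is that a certificate header is only as trustworthy as the network path it arrives on: if the token endpoint is reachable without passing through the proxy that sets the header, a client can present any certificate it likes, so the header must be stripped or the direct path closed at the network layer. Setting op.tls.blockClientX509Certs removes the binding altogether, which is the right choice only when no resource server relies on the `cnf` claim.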


To download a ZIP package of Connect2id server 7.5:

SHA-256: b41c853d8a1dfd1a97e88154a019e09b84dd4c9f7f85e8130e7f80cefbd85835

As WAR package only:

SHA-256: 994378b93455692b3b3196179b2d82483520aed71b49db74d5fa60ca0b795e72



Release notes

7.5 (2018-07-26)


  • /WEB-INF/

    • op.customMetadata -- New configuration property for setting custom OpenID provider / OAuth 2.0 authorisation server metadata to be published at the .well-known/openid-configuration and .well-known/oauth-authorization-server endpoints. If set, the value must be a JSON object string containing the custom fields; it can optionally be BASE64 encoded to ease passing the property from a command line shell.

    • op.tls.blockClientX509Certs -- New configuration property for blocking client X.509 certificates received at the token endpoint. Can be used to prevent binding of issued access tokens to client X.509 certificates received with a token request when such binding isn’t desired.

Dependency changes

  • Upgrades to org.asynchttpclient:async-http-client:2.5.2

  • Upgrades to com.zaxxer:HikariCP:2.7.9

  • Upgrades to org.mariadb.jdbc:mariadb-java-client:2.2.6

  • Upgrades to org.postgresql:postgresql:42.2.4

Connect2id server 7.4


Following last week's release of Connect2id server 7.3, which brought support for the OpenID Connect front-channel and back-channel logout extensions, we now have a small update to the logout session web API.

If your deployment only needs to handle logout requests initiated by the OpenID provider (i.e. no logout requests received from OpenID relying parties), the API will be enabled without having to declare a logout page (end-session endpoint) in the server configuration. This should make more sense to developers and integrators of the Connect2id server.

You can find further information in the release notes below.


To download a ZIP package of Connect2id server 7.4:

SHA-256: 2752304c12e1e8236f9917d4ffa3f151e1a53ce1c5d79c0fe73477c8752b2b96

As WAR package only:

SHA-256: f7cc07756f9ee4737ad53b55746480bc7fcdb6fc19d75b1b6fdf169d4e591538



Release notes

7.4 (2018-07-16)


  • /logout-sessions/rest/v1/

    • Updates the logout session web API so that OpenID provider (OP) initiated logout requests are accepted for processing without a configured OpenID Connect end-session endpoint URL (see op.logout.endpoint and OpenID Connect Session Management 1.0, section 5. RP-Initiated Logout (draft 28)). The API change was made because a logout (end-session) HTML page is not technically required for OP-initiated logout requests, only for RP-initiated ones (issue server/383).