Connect2id server 13.7.4
This release of the Connect2id server fixes a bug that caused incorrect encoding of the state parameter in post-logout redirect URIs.
Deployments that implement an OpenID provider logout endpoint are encouraged to
update. Details are available in the release notes below.
This week we also released a preview of the upcoming Connect2id server 14.0.
Download 13.7.4
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.7.4: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 97442463a2d50000eb41478ee285dbe78ddf959d5e1f0d35868771fa6896be3b
Connect2id server 13.7.4 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: f94347483b3d04f06bbd1d38bba57aa23d6b6b4ddcb39708fec90e4933b2b7b8
Multi-tenant edition
Apache Tomcat package with Connect2id server 13.7.4: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 95a547da885cbcd33ae5468ce928502bec4572fa5ab45771f7e48e8bdc30a349
Connect2id server 13.7.4 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 48c63e817000d8f9116e1b532e547998a9a4708e71e1fb1d7564cc10f34a159a
Questions?
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
13.7.4 (2023-05-09)
Resolved issues
- The /logout-sessions/rest/v1 API must URL-encode the state parameter in the final post-logout redirection URI (issue server/873).
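The encoding requirement above, as an added example that is not Connect2id code: the RP's state value is appended to a post_logout_redirect_uri as a properly percent-encoded query parameter, with the existing query and fragment preserved. A naive unencoded concatenation is included only for comparison (an assumed failure mode, not a description of the actual server bug), together with the relying-party-side parse that shows why the encoding matters. The URI and state values are constructed.

```python
# Added example, not Connect2id code: appending the RP-Initiated Logout "state"
# parameter to a post_logout_redirect_uri with proper URL-encoding.
from typing import Optional
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit


def append_state(post_logout_redirect_uri: str, state: str) -> str:
    """Build the final post-logout redirection URI.

    The existing query string is preserved, the fragment (if any) stays at the end,
    and the state value is percent-encoded so reserved characters ('&', '=', '#',
    space, ...) cannot split the query or be misread by the relying party.
    """
    parts = urlsplit(post_logout_redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("state", state))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def naive_append_state(post_logout_redirect_uri: str, state: str) -> str:
    """Unencoded string concatenation, shown only for comparison (an assumed
    failure mode, not a description of the fixed Connect2id bug)."""
    separator = "&" if "?" in post_logout_redirect_uri else "?"
    return post_logout_redirect_uri + separator + "state=" + state


def extract_state(redirect_uri: str) -> Optional[str]:
    """What the relying party does on arrival: parse the query and read back state."""
    values = parse_qs(urlsplit(redirect_uri).query).get("state")
    return values[0] if values else None


# Constructed sample inputs: a redirect URI that already has a query and a fragment,
# and a state value containing characters that are reserved in a query string.
RP_REDIRECT_URI = "https://rp.example.com/logged-out?tab=1#top"
RP_STATE = "abc def&x=1#frag"

if __name__ == "__main__":
    encoded = append_state(RP_REDIRECT_URI, RP_STATE)
    print(encoded)
    print("round trip ok:", extract_state(encoded) == RP_STATE)
    print("naive variant parses to:", extract_state(naive_append_state(RP_REDIRECT_URI, RP_STATE)))
```

With the sample inputs the encoded variant round-trips the state exactly, while the unencoded one lands the state behind the fragment, where the relying party never sees it and its own CSRF check on state fails.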
Dependency changes
- Updates to com.nimbusds:software-statement-verifier:2.2.4
Connect2id server 13.7.3
This release of the Connect2id server fixes a bug affecting deployments that have their signing RSA and / or EC keys stored in a Hardware Security Module (HSM). Details can be found in the release notes below.
Download 13.7.3
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.7.3: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: efe4f68520c6ef18512c1feadaaa462719e642bba570eb9c8667eaa16e00d67c
Connect2id server 13.7.3 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: a5b78089710452c2c33b03a1372d648035969d4dd6d814e5b0b9ac5ed19d13a4
Multi-tenant edition
Apache Tomcat package with Connect2id server 13.7.3: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: a8991dc660b6c30ebcbc63fd971b9d1d67f336eb8825485e5bda10f66b7ac518
Connect2id server 13.7.3 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 5d27fa07a3bc057108141b411edac40b418e249e82316d80b4b63bfaa4fdd709
Release notes
13.7.3 (2023-04-14)
Resolved issues
- The validator of signing Connect2id server RSA and EC keys that are backed by a PKCS#11 store (HSM) must use the default or BouncyCastle JCA providers for the signature verification step to prevent public key extraction errors in jdk.crypto.cryptoki/sun.security.pkcs11.P11RSAKeyFactory / P11ECKeyFactory (issue server/857).
Connect2id server 13.7.2
This week's Connect2id server release addresses two issues and updates the JDBC drivers for MySQL, PostgreSQL and Microsoft SQL Server. More information can be found in the release notes below.
Download 13.7.2
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.7.2: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 286009ecd578c577c75db8963064e7e75ace5963d7fbce07b8b25f53e4981e9b
Connect2id server 13.7.2 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 21e97fa58f1109a8be2510ea570b8b057855ffcdcb210bee3fbb30017b839321
Multi-tenant edition
Apache Tomcat package with Connect2id server 13.7.2: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 8fda8e804c175a7ae83d04f37586afd4755b4da660fc99e5f2b4beef015ee5dc
Connect2id server 13.7.2 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 17c55c7c74744c21801a7662162105c57cc0f5d08461dcdcada04b4aa99e41c4
Release notes
13.7.2 (2023-04-11)
Resolved issues
- Fixes the OAuth 2.0 token exchange grant policy to allow both confidential and public clients. The client grant authorisation check must be adjusted accordingly (issue server/853).
- The OP6201 log INFO message should include the OAuth 2.0 grant type for unsupported_grant_type errors when a password, client_credentials, urn:ietf:params:oauth:grant-type:jwt-bearer, urn:ietf:params:oauth:grant-type:saml2-bearer or urn:ietf:params:oauth:grant-type:token-exchange grant handler plugin is unavailable (issue server/855).
Dependency changes
- Updates to org.mariadb.jdbc:mariadb-java-client:2.7.9
- Updates to org.postgresql:postgresql:42.5.4
- Updates to com.microsoft.sqlserver:mssql-jdbc:11.2.3.jre11
Connect2id server 13.7.1
This maintenance release of the Connect2id server fixes a bug that affected the OAuth 2.0 token exchange grant and also updates selected dependencies. Details can be found in the release notes below.
Download 13.7.1
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.7.1: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: dd82ec7cd211b02a6f4aba5985ad33ec476f3948eac1a6bb49c33acb9b7e3f88
Connect2id server 13.7.1 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 9bbcadc11fbea14f911875ebe3efe85e09134906fdc0db62c003b3cb43c45392
Multi-tenant edition
Apache Tomcat package with Connect2id server 13.7.1: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 5550c31ad66237c4c54d1d813666240b633d1ab95043f16419ebe0f65f8dea21
Connect2id server 13.7.1 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 9ed6fdfdb792108942a4f462758ea4450969c589aadeb91e140858ddd54880ae
Release notes
13.7.1 (2023-04-05)
Resolved issues
- Loading of a TokenExchangeGrantHandler SPI implementation was not reflected in the OpenID provider / OAuth 2.0 authorisation server metadata (issue server/849).
Dependency changes
- Updates to com.unboundid:unboundid-ldapsdk:6.0.8
- Updates Log4j to 2.20.0
Connect2id server 13.7
This Connect2id server release introduces two new configuration properties and fixes a bug affecting DPoP.
New configuration properties
op.idToken.includeX5C -- this configuration makes it possible to control the inclusion of X.509 certificate (chains) in the JWT header of issued ID tokens. The X.509 certificate gets automatically included by the Connect2id server when one is found in the configured signing keys. To disable this behaviour and issue leaner ID tokens set this configuration property to false.
op.idToken.includeX5C=false
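A deployment check for the setting above, added here and not part of Connect2id: after changing op.idToken.includeX5C, decode the protected header of an ID token the server issued and confirm whether the "x5c" parameter is present and how much header size it costs. The tokens in the block are constructed locally with a dummy signature and placeholder certificate bytes purely to exercise the parser; no signature verification is attempted.

```python
# Added example, not Connect2id code: inspecting the JWS header of an issued ID token
# to confirm whether op.idToken.includeX5C had the intended effect.
import base64
import json
from typing import Any, Dict


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jws_header(token: str) -> Dict[str, Any]:
    """Parse the protected header of a compact-serialised JWS (no verification)."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(segments[0]))


def x5c_report(token: str, include_x5c_enabled: bool) -> Dict[str, Any]:
    """Report x5c presence, chain length, header size and agreement with the config."""
    header = jws_header(token)
    chain = header.get("x5c")
    return {
        "has_x5c": chain is not None,
        "chain_length": len(chain) if chain else 0,
        "header_chars": len(token.split(".", 1)[0]),
        "matches_config": (chain is not None) == include_x5c_enabled,
    }


def _constructed_token(header: Dict[str, Any]) -> str:
    """Build a sample token with a dummy signature, only to exercise the parser."""
    payload = {"iss": "https://op.example.com", "sub": "alice"}
    encoded = [
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    ]
    return ".".join(encoded) + "." + _b64url_encode(b"\x00" * 32)


# Constructed placeholder "certificates": x5c carries standard base64 DER, so the
# placeholders are base64-encoded too, but they are not real certificates.
SAMPLE_CHAIN = [
    base64.b64encode(b"leaf-cert-der-placeholder" * 20).decode("ascii"),
    base64.b64encode(b"issuer-cert-der-placeholder" * 20).decode("ascii"),
]
TOKEN_WITH_CHAIN = _constructed_token({"alg": "RS256", "kid": "s1", "x5c": SAMPLE_CHAIN})
TOKEN_LEAN = _constructed_token({"alg": "RS256", "kid": "s1"})

if __name__ == "__main__":
    print("includeX5C=true :", x5c_report(TOKEN_WITH_CHAIN, True))
    print("includeX5C=false:", x5c_report(TOKEN_LEAN, False))
```

Run it against a real ID token from the deployment in place of the constructed ones; a "matches_config" of False means the server is still issuing the old header shape (for instance because the property was set in the wrong properties file or the server was not restarted).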
op.reg.allowNonTLSLogoutURIsForTest -- the configuration allows the registration of OpenID relying parties as clients with a frontchannel_logout_uri or backchannel_logout_uri that is an insecure (plain) HTTP URL. This is intended to help with test and devops deployments that cannot issue HTTPS certificates. Unsecured logout URLs must not be used in production!
op.reg.allowNonTLSLogoutURIsForTest=true
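How the flag above would gate client registration, as an added illustration that is not the Connect2id server's own code: a small validator reads op.reg.allowNonTLSLogoutURIsForTest from a constructed properties excerpt and checks the frontchannel_logout_uri and backchannel_logout_uri of a constructed client registration, accepting plain http only when the flag is true. The property name is the page's; the parser, the error strings and the client metadata are assumptions made for the example.

```python
# Added example, not Connect2id code: gating plain-HTTP logout URIs at client
# registration on the op.reg.allowNonTLSLogoutURIsForTest setting.
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed excerpt of /WEB-INF/oidcProvider.properties (the secure default).
SAMPLE_PROPERTIES = """
# keep TLS mandatory for logout URIs
op.reg.allowNonTLSLogoutURIsForTest=false
"""

LOGOUT_URI_PARAMS = ("frontchannel_logout_uri", "backchannel_logout_uri")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser for the properties subset used in this example."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def logout_uri_errors(client_metadata: Dict[str, str], props: Dict[str, str]) -> List[str]:
    """Return the registration errors for the logout URIs in the client metadata."""
    allow_http = props.get("op.reg.allowNonTLSLogoutURIsForTest", "false").lower() == "true"
    errors: List[str] = []
    for param in LOGOUT_URI_PARAMS:
        uri = client_metadata.get(param)
        if uri is None:
            continue
        parts = urlsplit(uri)
        if not parts.scheme or not parts.netloc:
            errors.append(f"{param}: must be an absolute URI")
        elif parts.scheme == "https":
            continue
        elif parts.scheme == "http" and allow_http:
            continue  # permitted only because the test/dev flag is on
        else:
            errors.append(f"{param}: {parts.scheme} scheme not allowed, use https")
    return errors


# Constructed client metadata: an RP whose front-channel endpoint is local plain HTTP.
SAMPLE_CLIENT = {
    "client_name": "dev-rp",
    "frontchannel_logout_uri": "http://localhost:8080/frontchannel-logout",
    "backchannel_logout_uri": "https://rp.example.com/backchannel-logout",
}

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("with default flag:", logout_uri_errors(SAMPLE_CLIENT, props))
    props["op.reg.allowNonTLSLogoutURIsForTest"] = "true"
    print("with test flag   :", logout_uri_errors(SAMPLE_CLIENT, props))
```

Note that the flag only relaxes the scheme check; a relative or schemeless value is rejected either way, and an https URI is always accepted.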
You can find more information about the frontchannel_logout_uri and backchannel_logout_uri parameters in their respective specifications:
Bug fixes
This release fixes a bug that affected DPoP access tokens. If you have a Connect2id server deployment that issues identifier-based access tokens with DPoP and uses the stateless server mode, you should upgrade to this version. Deployments that issue JWT-encoded access tokens or use a replication cluster or Redis are not affected.
Download 13.7
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.7: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: eec7f9bdb26b4d9eb2228c629a0c58ef3a015b82209727375387f6e75e957de6
Connect2id server 13.7 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 650dab0e9a0dd20ec8581e9af5df5bd94a21b2edda8a74954365663a3ab9ebde
Multi-tenant edition
Apache Tomcat package with Connect2id server 13.7: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 2198b564012f801b2ac14270e3ad4a1a48b67d7cb84bfd9b2988100364175673
Connect2id server 13.7 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 1a05a2721defb30fdcaf4b866eb5ecb52088b0973cad8edfc55c8e9e5661b172
Release notes
13.7 (2023-03-30)
Configuration
/WEB-INF/oidcProvider.properties
op.idToken.includeX5C -- New optional configuration to control inclusion of the "x5c" (X.509 certificate chain) header parameter in issued ID tokens when the signing JWK is provisioned with a certificate. The default value is true.
op.reg.allowNonTLSLogoutURIsForTest -- New optional configuration property to allow registration of non-TLS (plain HTTP) front and back-channel logout URIs for test and development purposes. The default value is false (not allowed). Must not be allowed in production!
Resolved issues
- The JWK thumbprint (jkt) confirmation must be persisted in the "cnf" column of the "id_access_tokens" SQL table for identifier-based DPoP access tokens (issue authz-store/205).
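The confirmation the fix persists, as an added example that is not Connect2id or authz-store code: the DPoP "jkt" value is the RFC 7638 SHA-256 thumbprint of the proof key's public JWK, stored as a "cnf" object alongside the identifier-based token so that a later lookup can re-check that the key in a presented DPoP proof is the one the token was bound to. The id_access_tokens table and cnf column names come from the release note; the single-table SQLite schema around them, the sample EC JWK and the token ids are constructed stand-ins.

```python
# Added example, not Connect2id code: computing the DPoP JWK thumbprint confirmation
# (RFC 7638 "jkt", carried in "cnf") and persisting it so a stateless lookup can
# re-check the key binding. Schema is a simplified stand-in for id_access_tokens.
import base64
import hashlib
import hmac
import json
import sqlite3
from typing import Any, Dict, Optional

# RFC 7638 section 3.2: the required public members per key type, in lexicographic order.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
    "oct": ("k", "kty"),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, Any]) -> str:
    """SHA-256 JWK thumbprint: only the required members, sorted keys, no whitespace."""
    canonical = {m: jwk[m] for m in REQUIRED_MEMBERS[jwk["kty"]]}  # KeyError if incomplete
    serialized = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return _b64url(hashlib.sha256(serialized).digest())


def dpop_confirmation(dpop_proof_jwk: Dict[str, Any]) -> Dict[str, str]:
    """The "cnf" object stored with (or embedded in) a DPoP-bound access token."""
    return {"jkt": jwk_thumbprint(dpop_proof_jwk)}


def binding_matches(cnf: Optional[Dict[str, str]], presented_jwk: Dict[str, Any]) -> bool:
    """Check that the key in a presented DPoP proof is the one the token was bound to."""
    if not cnf or "jkt" not in cnf:
        return False  # no persisted confirmation: the binding cannot be verified
    return hmac.compare_digest(cnf["jkt"], jwk_thumbprint(presented_jwk))


def open_store() -> sqlite3.Connection:
    """In-memory stand-in for the id_access_tokens table with its cnf column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE id_access_tokens (id TEXT PRIMARY KEY, sub TEXT, cnf TEXT)")
    return conn


def store_token(conn: sqlite3.Connection, token_id: str, sub: str,
                cnf: Optional[Dict[str, str]]) -> None:
    conn.execute(
        "INSERT INTO id_access_tokens (id, sub, cnf) VALUES (?, ?, ?)",
        (token_id, sub, json.dumps(cnf) if cnf is not None else None),
    )


def load_cnf(conn: sqlite3.Connection, token_id: str) -> Optional[Dict[str, str]]:
    row = conn.execute("SELECT cnf FROM id_access_tokens WHERE id = ?", (token_id,)).fetchone()
    return json.loads(row[0]) if row and row[0] else None


# Constructed public EC JWK (sample coordinate values, not a real key pair).
DPOP_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}

if __name__ == "__main__":
    conn = open_store()
    store_token(conn, "tok-1", "alice", dpop_confirmation(DPOP_JWK))
    store_token(conn, "tok-2", "bob", None)  # what a missing cnf looks like to the verifier
    print("tok-1 bound to presented key:", binding_matches(load_cnf(conn, "tok-1"), DPOP_JWK))
    print("tok-2 bound to presented key:", binding_matches(load_cnf(conn, "tok-2"), DPOP_JWK))
```

The thumbprint ignores optional members such as kid, use and alg and any private parameters, so a proof key presented with different metadata still matches; a token whose cnf was never written cannot be confirmed at all, which is why the persistence step matters in the stateless mode, where no other node holds the binding in memory.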
Dependency changes
- Updates to com.nimbusds:oauth2-oidc-sdk:10.7.1
- Updates to com.nimbusds:oauth2-authz-store:19.5.1
- Updates to net.minidev:json-smart:2.4.10
- Updates to com.google.crypto.tink:tink:1.8.0
- Updates to com.google.code.gson:gson:2.10.1
- Updates to com.fasterxml.jackson.core:jackson-databind:2.13.4.2