Connect2id server 13.7
This Connect2id server release introduces two new configuration properties and fixes a bug affecting DPoP.
New configuration properties
op.idToken.includeX5C
-- this configuration makes it possible to control the inclusion of X.509
certificate (chains) in the JWT header of issued ID
tokens. The X.509 certificate get
automatically included by the Connect2id server when one is found in the
configured signing keys. To disable
this behaviour and issue leaner ID tokens set this configuration property to
false
.
op.idToken.includeX5C=false
op.reg.allowNonTLSLogoutURIsForTest
-- the configuration allows the registration of OpenID relying parties as
clients with a frontchannel_logout_uri
or backchannel_logout_uri
that is an
insecure (plain) HTTP URL. This is intended to help with test and devops
deployments that cannot issue HTTPS certificates. Unsecured logout URLs must
not be used in production!
op.reg.allowNonTLSLogoutURIsForTest=true
You can find more information about the frontchannel_logout_uri
and
backchannel_logout_uri
parameters in their respective specifications:
Bug fixes
This release fixes a bug that affected DPoP access tokens. If you have a Connect2id server deployments that issues identifier-based access tokens with DPoP and are using the stateless server mode you should upgrade to this version. Deployments that issue JWT-encoded access tokens or use a replication cluster or Redis are not affected.
Download 13.7
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.7: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: eec7f9bdb26b4d9eb2228c629a0c58ef3a015b82209727375387f6e75e957de6
Connect2id server 13.7 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 650dab0e9a0dd20ec8581e9af5df5bd94a21b2edda8a74954365663a3ab9ebde
Multi-tenant edition
Apache Tomcat package with Connect2id server 13.7: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 2198b564012f801b2ac14270e3ad4a1a48b67d7cb84bfd9b2988100364175673
Connect2id server 13.7 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 1a05a2721defb30fdcaf4b866eb5ecb52088b0973cad8edfc55c8e9e5661b172
Questions?
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
13.7 (2023-03-30)
Configuration
/WEB-INF/oidcProvider.properties
op.idToken.includeX5C -- New optional configuration to control inclusion of the "x5c" (X.509 certificate chain) header parameter in issued ID tokens when the signing JWK is provisioned with a certificate. The default value is
true
.op.reg.allowNonTLSLogoutURIsForTest -- New optional configuration property to allow registration of non-TLS (plain HTTP) front and back-channel logout URIs for test and development purposes. The default value is
false
(not allowed). Must not be allowed in production!
Resolved issues
- The JWK thumbprint (jkt) confirmation must be persisted in the "cnf" column of the "id_access_tokens" SQL table for identifier-based DPoP access tokens (issue authz-store/205).
Dependency changes
Updates to com.nimbusds:oauth2-oidc-sdk:10.7.1
Updates to com.nimbusds:oauth2-authz-store:19.5.1
Updates to net.minidev:json-smart:2.4.10
Updates to com.google.crypto.tink:tink:1.8.0
Updates to com.google.code.gson:gson:2.10.1
Updates to com.fasterxml.jackson.core:jackson-databind:2.13.4.2
Connect2id server 14.0 RC3 with Oracle Database support
This is a snapshot of the upcoming Connect2id server 14.0 with Oracle database support.
The underlying Infinispan-based architecture received a sweeping upgrade from v9.4.x to v14.0.x, while retaining the existing stateless, stateless + Redis and replication Connect2id server clustering modes.
In v14.0 persisting Connect2id server data to an LDAP server will no longer be supported. Connect2id server deployments with an LDAP backend database have the choice to migrate to a supported SQL RDBMS or to AWS DynamoDB.
More information can be found in the release notes below.
Download 14.0-rc.3
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 14.0-rc.1: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: acaf4e2bb79b666c4cb0e99ce36c0b2c77ad423fcf29d595c28b62ff50fb1e71
Connect2id server 14.0-rc.1 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 39fbb7f6ae88a3d165c0b5f93ebdb8eec3e146b53c5b458d6fb5610b4dccbdfe
Questions?
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
14.0-rc.3 (2023-03-11)
Summary
Upgrades to Infinispan 14.0.
Adds Oracle 12c r1+ Database support.
Removes LDAP backend database support as part of the Infinispan 14.0 upgrade. Connect2id server deployments with an LDAP backend database can migrate to a supported SQL RDBMS or to AWS DynamoDB.
Configuration
/WEB-INF/infinispan-*.xml
- Upgrades the XML schema to Infinispan 14.0.
/WEB-INF/infinispan-stateless-oracle.xml
- New Infinispan configuration for stateless clustering and an Oracle database.
/WEB-INF/infinispan-stateless-redis-oracle.xml
- New Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.
/WEB-INF/infinispan-replication-oracle.xml
- New Infinispan configuration for replication clustering and an Oracle database.
/WEB-INF/infinispan-multitenant-stateless-oracle.xml
- New multi-tenant Infinispan configuration for stateless clustering and an Oracle database.
/WEB-INF/infinispan-multitenant-stateless-redis-oracle.xml
- New multi-tenant Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.
/WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|oracle|h2}.xml
New optional "dataSource.createTableIfMissing" Java system property. When "true" (the default value) the Connect2id server will automatically create the required SQL tables on startup. It will also perform automatic table alternations where necessary in new major releases. When "false" the database administrator must create or alter the tables manually before server startup.
New optional "dataSource.maxPoolSize" Java system property. Controls the maximum size the SQL connection pool is allowed to reach, including both idle and in-use connections. The default size is 5.
/WEB-INF/infinispan-*-ldap.xml
- The LDAP backend database XML configurations are removed and no longer supported.
/WEB-INF/sql
- New directory containing the required SQL statements for manual table creation, to be used when the Connect2id is configured to disable automatic table creation (if missing) on server startup (with dataSource.createTableIfMissing=false).
Resolved issues
The SQL store must not set the client "application_type" to the default value "web" on record retrieval (issue server/838).
The Microsoft SQL Server id_access_tokens table column cnf must be VARCHAR (100), not NVARCHAR(100) (issue authz-store/199).
Dependency changes
Updates to com.nimbusds:c2id-server-sdk:4.52.1
Updates to com.nimbusds:c2id-server-property-source:1.1.1
Updates to com.nimbusds:tenant-manager:7.4.1
Updates to com.nimbusds:tenant-registry:8.2
Updates to com.nimbusds:oauth2-authz-store:20.1
Updates to com.nimbusds:oidc-session-store:16.1
Upgrades to com.nimbusds:common:2.50
Upgrades to com.nimbusds:infinispan-cachestore-common:3.1
Upgrades to Infinispan 14.0.6.Final
Upgrades to com.nimbusds:infinispan-cachestore-sql:7.0.2
Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:5.0.1
Upgrades to com.nimbusds:infinispan-cachestore-redis:10.0.1
Updates to com.nimbusds:jgroups-dynamodb-ping:1.2.6
Adds com.oracle.database.jdbc:ojdbc11:21.8.0.0
Connect2id server 14.0 RC2 with Oracle Database support
This is a snapshot of the upcoming Connect2id server 14.0 with Oracle database support.
The underlying Infinispan-based architecture received a sweeping upgrade from v9.4.x to v14.0.x, while retaining the existing stateless, stateless + Redis and replication Connect2id server clustering modes.
In v14.0 persisting Connect2id server data to an LDAP server will no longer be supported. Connect2id server deployments with an LDAP backend database have the choice to migrate to a supported SQL RDBMS or to AWS DynamoDB.
More information can be found in the release notes below.
Download 14.0-rc.2
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 14.0-rc.1: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 314af2180aedc3c27d8363dfb517e105b0f924763395c22af9ebf924a35b1dbe
Connect2id server 14.0-rc.1 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: cf19afd1db69b93e0d9d48672f71360da641f5de8d379902e94534adb70b860f
Questions?
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
14.0-rc.2 (2023-03-06)
Summary
Upgrades to Infinispan 14.0.
Adds Oracle 12c r1+ Database support.
Removes LDAP backend database support as part of the Infinispan 14.0 upgrade. Connect2id server deployments with an LDAP backend database can migrate to a supported SQL RDBMS or to AWS DynamoDB.
Configuration
/WEB-INF/infinispan-*.xml
- Upgrades the XML schema to Infinispan 14.0.
/WEB-INF/infinispan-stateless-oracle.xml
- New Infinispan configuration for stateless clustering and an Oracle database.
/WEB-INF/infinispan-stateless-redis-oracle.xml
- New Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.
/WEB-INF/infinispan-replication-oracle.xml
- New Infinispan configuration for replication clustering and an Oracle database.
/WEB-INF/infinispan-multitenant-stateless-oracle.xml
- New multi-tenant Infinispan configuration for stateless clustering and an Oracle database.
/WEB-INF/infinispan-multitenant-stateless-redis-oracle.xml
- New multi-tenant Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.
/WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|oracle|h2}.xml
- New optional "dataSource.createTableIfMissing" Java system property. When "true" (the default value) the Connect2id server will automatically create the required SQL tables on startup. It will also perform automatic table alternations where necessary in new major releases. When "false" the database administrator must create or alter the tables manually before server startup.
/WEB-INF/infinispan-*-ldap.xml
- The LDAP backend database XML configurations are removed and no longer supported.
/WEB-INF/sql
- New directory containing the required SQL statements for manual table creation, to be used when the Connect2id is configured to disable automatic table creation (if missing) on server startup (with dataSource.createTableIfMissing=false).
Resolved issues
The SQL store must not set the client "application_type" to the default value "web" on record retrieval (issue server/838).
The Microsoft SQL Server id_access_tokens table column cnf must be VARCHAR (100), not NVARCHAR(100) (issue authz-store/199).
Dependency changes
Updates to com.nimbusds:c2id-server-sdk:4.52.1
Updates to com.nimbusds:c2id-server-property-source:1.1.1
Updates to com.nimbusds:tenant-manager:7.4.1
Updates to com.nimbusds:tenant-registry:8.2
Updates to com.nimbusds:oauth2-authz-store:20.1
Updates to com.nimbusds:oidc-session-store:16.1
Upgrades to com.nimbusds:common:2.50
Upgrades to com.nimbusds:infinispan-cachestore-common:3.1
Upgrades to Infinispan 14.0.6.Final
Upgrades to com.nimbusds:infinispan-cachestore-sql:7.0.2
Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:5.0.1
Upgrades to com.nimbusds:infinispan-cachestore-redis:10.0.1
Updates to com.nimbusds:jgroups-dynamodb-ping:1.2.6
Adds com.oracle.database.jdbc:ojdbc11:21.8.0.0
Logout API updates in Connect2id server 13.6
The logout API of the Connect2id server was updated to make it more intuitive and developer friendly.
The logout end response message gets a new
sub_session_closed
parameter to provide a clear hint when the browser session should be deleted.Post-logout redirections requested by the client will be processed regardless of whether an end-user session is present or not. Previously the Connect2id server would ignore them if there is no active end-user session.
More information can be found in the release notes below.
Download 13.6
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.6: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: bdb91c4cc8a2f32ebc63457251aa5876d2d54685eb1d9ab99c2a3749d070af00
Connect2id server 13.6 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 12e4671bc92918425571cdd1fc0762735d82d919ba4adc893c1dcdbc14a810a6
Multi-tenant edition
Apache Tomcat package with Connect2id server 13.6: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 65219b215d4afce61d1d2017da0eaad03108af0c61344c2f7a331dbb5caadd94
Connect2id server 13.6 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 8b540c2865b3bb7eb6aa1c8ba87b2c4249da60654c4b493a8dffa47e82c9f54f
Questions?
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
13.6 (2023-02-22)
Summary
- Updates to the logout session API.
Web API
/logout-sessions/rest/v1/
Adds new "sub_session_closed" parameter to the logout-end message, of type boolean {true|false}. When true indicates the Connect2id server closed the end-user session in response to an IdP-initiated logout request, or in response to an RP-initiated logout request with a submitted end-user confirmation that included the choice to log out of the IdP as well. To be used as a hint to delete the browser cookie linked to the session. Note that the deletion of the session cookie is not critical, because the session ID is invalidated on the server side.
The logout session API is updated to proceed with a requested "post_logout_redirect_uri" when there is no present end-user session, or the session has expired. Previously the redirection request by the relying party (RP) would be silently ignored. This change conforms with OpenID Connect RP-Initiated Logout 1.0 (see section 4).
Dependency changes
- Updates to com.nimbusds:nimbus-jose-jwt:9.31
Connect2id server 13.5
This Connect2id server release ships three new features.
Single sign-on (SSO) can be disabled for selected clients. Intended as a lightweight alternative to fully-isolated client-based sessions.
The session store API gets a new resource that enables changes to the authentication lifetime of end-user sessions.
Client secret store plugins can return the encoded (hashed) secret in client read responses using a new custom
encoded_client_secret
client metadata field.
This release also fixes two reported bugs affecting the logout API and OpenID Connect Federation 1.0.
Detailed information is available in the release notes below.
Download 13.5
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.5: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: faf122c1be83aeff84961b7cb12a73a7787e885991d71dfd4049792c72b3ba02
Connect2id server 13.5 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: a586dd25af1e9b711a495bd533fe07845471e51a7629d45a812ba4b3deea59ca
Multi-tenant edition
Apache Tomcat package with Connect2id server 13.5: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: f614ad4c03c6eb2f076d5bb2c0c9888ac56bdb20888ced811f0747127344672d
Connect2id server 13.5 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: b610a9b1d703a7d1dbffd5032875fb459663c93e0d07d6dd2b46fe46648dd084
Questions?
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
13.5 (2023-02-20)
Summary
Single sign-on (SSO) can be disabled for selected clients.
New session store web API resource for modifying the authentication lifetime of an end-user session.
Client secret store plugins can return the encoded secret in client read responses using a new custom "encoded_client_secret" client metadata field.
Configuration
/WEB-INF/oidcProvider.properties
op.sso.disableForSelectedClients -- New optional configuration property to disable single sign-on (SSO) for selected registered clients. Ensures end-users will be always (re)authenticated on the first OAuth 2.0 authorisation / OpenID authentication request when end-user has an existing session with the Connect2id server. Subsequent requests from the client received into the same end-user session will be processed as usual, without triggering re-authentication of the end-user.
Disabling SSO for a client creates the effect of "virtual" client-based sessions with the Connect2id server.
Clients with disabled SSO are selected by configuring a JSON query that accepts the client registration (as JSON object representation) and returns a boolean
true
result. The default configuration property is no selector specified.Example JSON query to disable SSO for clients which registered a custom
data
JSON object containing adisable_sso
member set totrue
:.data.disable_sso==true
.The Connect2id server logs the configured JSON query at INFO level with the ID
OP0090
.
Web API
/session-store/rest/v2/
- Adds a new
/sessions/subject-auth-life
resource supporting a PUT method to change the authentication lifetime of a session. The value is specified as an integer number of minutes, where -1 means infinite (no timeout) and 0 implies the default lifetime from thesessionStore.authLifetime
configuration property. Returns HTTP 204 No Content on success.
- Adds a new
/clients/
- Connect2id server deployments with a
ClientSecretStoreCodec
plugin for encoding (hashing or encrypting) client secrets before committing them to storage will include the stored client secret in an "encoded_client_secret" metadata field in responses to client registration read (HTTP GET) requests. Note, in order to provide the metadata field in registration read responses theClientSecretStoreCodec.decode
method must return aDecodedSecret.withEncodedValue
.
- Connect2id server deployments with a
/monitor/v1/metrics
- Adds new
sessionStore.sessionAuthLifetimeUpdates
meter.
- Adds new
Resolved issues
The OpenID Connect Federation 1.0 "value" policy check must support JSON objects (issue oidc-sdk/419).
Fixes a bug that prevented return of the state parameter in RP-initiated logout requests with a post_logout_redirect_uri when there is no frontchannel_logout_uri registered for the client (issue server/831).
Dependency changes
Updates to com.nimbusds:oauth2-oidc-sdk:10.7
Upgrades to com.nimbusds:oidc-session-store:15.3
Adds net.thisptr:jackson-jq:1.0.0-preview.20220705