How to set up the Connect2id server with global DynamoDB tables

In November 2017 AWS announced a new DynamoDB feature for asynchronous transparent replication of table data between any number of regions. This feature, called global tables, makes it possible to run Connect2id server clusters in multiple AWS regions, based on the same eventually consistent data, such as OAuth client registrations, persisted authorisation and end-user sessions.


  1. Configure your Connect2id server to persist data to DynamoDB.

  2. Launch a server instance in one of the desired AWS regions. The server will automatically create the DynamoDB tables and global secondary indices it needs for its operation.

  3. Open the DynamoDB console and for each created table enable streaming of new and old images. This is done via the table Overview tab, by clicking on Manage Stream.

    Streaming can also be activated via the AWS CLI and APIs.

    Connect2id server 7.6+ has a DynamoDB configuration setting allowing the tables to be created with enabled streaming by setting the dynamodb.enableStream Java system property to true. The console step can be skipped then.

  4. With streaming enabled, go to the Global Tables tab in the console. Choose Enable streams and leave View type at the default value (new and old images). Then specify all additional AWS regions where you want the table to be replicated. AWS with then automatically create the specified table replicas in those regions.

    The setting up of a replication group can also be done via the AWS CLI and APIs.

  5. Launch the Connect2id server instances in the other AWS regions with table replicas.


  1. To replicate only core Connect2id server data, and skip the end-user sessions and other transient objects, enable streaming and replication groups for those DynamoDB tables:

    • id_access_tokens -- Identifier-based access tokens
    • long_lived_authorizations -- Persisted authorisations (consent), including refresh tokens
    • revocation_journal -- Revocation entries
    • clients -- OAuth 2.0 client / OpenID relying party registrations