Connect2id server 9.5

This release of the OpenID Connect / OAuth 2.0 server adds two new configuration properties:

  • op.authz.prohibitSwitchBetweenBasicResponseModes -- when enabled, the Connect2id server prevents OAuth clients from switching an authorisation request whose normal response mode is "query" to "fragment", and likewise one whose normal response mode is "fragment" to "query". Disabled by default.

  • op.token.requireClientX509Cert -- when enabled, the Connect2id server requires all clients to present a client X.509 certificate at the token endpoint, thus enforcing the issue of client-certificate-bound access tokens (RFC 8705). Disabled by default.

We also updated the FAPI checklist and added instructions on how to set up a Connect2id server deployment to run the FAPI certification test suite provided by the OpenID Foundation.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 9.5: Connect2id-server.zip

SHA-256: 2d15486eb97b970a9114e6768ab573b153e2a845e7c151a6babc52253e0e8622

Connect2id server 9.5 WAR package: c2id.war

SHA-256: 5646fd2d02cd32b1ff334a8eca7e0ee5fa71f2bcea1331ca280a4d76fd292b3e

Multi-tenant edition

Apache Tomcat package with Connect2id server 9.5: Connect2id-server-mt.zip

SHA-256: 54b2cbc6882200132d944cd87159c1e37bf3ecf9b44a83eea48451031d393f0c

Connect2id server 9.5 WAR package: c2id-multi-tenant.war

SHA-256: d62201d931254fe9a28fd0dbe02996ec5123e68bf824801cdba540e0800806c5

Questions?

Contact Connect2id support.


Release notes

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.authz.prohibitSwitchBetweenBasicResponseModes -- New optional configuration property. If true, client requests to switch between the "query" and "fragment" response modes by setting the response_mode authorisation request parameter are prohibited. The default value is false.

    • op.token.requireClientX509Cert -- New optional configuration property. If true, the token endpoint requires a client X.509 certificate from all clients, in order to enforce the issue of client-certificate-bound access tokens (RFC 8705). The default value is false.
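To illustrate what the op.authz.prohibitSwitchBetweenBasicResponseModes policy enforces, here is an added example (not Connect2id server code) that derives the normal response mode from response_type as OAuth 2.0 Multiple Response Type Encoding Practices specifies, and rejects a switch between the two basic modes when the policy is on. The function names and the sample requests are constructed for this illustration.

```python
"""Illustrative check for the prohibitSwitchBetweenBasicResponseModes policy.
Example code only; it is not the Connect2id server's implementation."""
from typing import Optional

# Default response mode per OAuth 2.0 Multiple Response Type Encoding Practices:
# response_type "code" (or "none") is returned in the query component; any
# response_type containing "token" or "id_token" is returned in the fragment.
FRAGMENT_TYPES = {"token", "id_token"}


def default_response_mode(response_type: str) -> str:
    """Return the response mode implied by a space-separated response_type."""
    values = set(response_type.split())
    if not values:
        raise ValueError("response_type is required")
    return "fragment" if values & FRAGMENT_TYPES else "query"


def effective_response_mode(response_type: str, response_mode: Optional[str],
                            prohibit_switch: bool) -> str:
    """Resolve the mode the authorisation response will use.

    Raises ValueError when the client asks to switch between "query" and
    "fragment" and the prohibit_switch policy is enabled. Modes that are not
    one of the two basic ones (e.g. form_post) are left untouched.
    """
    default = default_response_mode(response_type)
    if response_mode is None:
        return default
    if (prohibit_switch and response_mode in {"query", "fragment"}
            and response_mode != default):
        raise ValueError(f"response_mode={response_mode} not permitted for "
                         f"response_type={response_type!r}; default is {default}")
    return response_mode


# Constructed sample authorisation requests: (response_type, response_mode)
SAMPLE_REQUESTS = [
    ("code", None),              # no switch requested
    ("code", "fragment"),        # query -> fragment switch
    ("code id_token", "query"),  # fragment -> query switch
    ("code", "form_post"),       # not a basic mode, unaffected
]


def evaluate(prohibit_switch: bool) -> list:
    """Return the resolved mode, or 'rejected', for each sample request."""
    results = []
    for response_type, response_mode in SAMPLE_REQUESTS:
        try:
            results.append(effective_response_mode(response_type, response_mode,
                                                   prohibit_switch))
        except ValueError:
            results.append("rejected")
    return results
```

Running evaluate(False) and evaluate(True) side by side shows which of the sample requests the new property would turn away while leaving form_post requests as they are.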