Connect2id server 9.5.1

This is a maintenance release of the Connect2id server.

  • Fixes a bug which produced an HTTP 500 at the token endpoint if illegal characters appeared in a submitted authorisation code.

  • Fixes a bug which affects publishing of EdDSA signing keys in the server JWK set. Deployments which intend to make use of EdDSA-signed access tokens introduced in 9.4 should be updated.

  • Restores acceptance of the token endpoint URI as the JWT "aud" (audience) in JWT client authentication (client_secret_jwt and private_key_jwt) at the token revocation endpoint; this acceptance was removed unannounced in 8.0. Note that client applications should set "aud" to the exact endpoint URI, as acceptance of alternative audience values may be removed in a future release as a security measure.

  • Logs the exact cause when client authentication at the token revocation endpoint fails.

For details check the release notes below.


Standard Connect2id server edition

Apache Tomcat package with Connect2id server 9.5.1:

SHA-256: 6bd8409448f8f34e73c9147f54b44c84524009e2aab51c4995f82f29125f3bed

Connect2id server 9.5.1 WAR package: c2id.war

SHA-256: d416d1043d18ef1ecb4920cb58b63114759bdeca91e0870106f52cda014bc10c

Multi-tenant edition

Apache Tomcat package with Connect2id server 9.5.1:

SHA-256: a016730031deda10d1c7007695ab7b2ea82ea8c877878d1beb1d872c34975d09

Connect2id server 9.5.1 WAR package: c2id-multi-tenant.war

SHA-256: b9a605be18ca82eb037e306b5d2c7c737550e6db9c149ad7497991602591e331



Release notes

9.5.1 (2020-06-22)

Resolved issues

  • Replaces the BASE64 Apache Commons Codec with the BASE64 codec from the Nimbus JOSE+JWT library to prevent an unchecked IllegalArgumentException caused by illegal characters in a submitted authorisation code (issue server/574, common/61).

  • Restores accepting client_secret_jwt and private_key_jwt client authentication JWTs for the token revocation endpoint where the audience is set to the token endpoint URI, removed in Connect2id server v8.0. This rollback is done to preserve backward compatibility with existing clients. New clients should set the authentication JWT "aud" (audience) to the exact endpoint URI as future Connect2id server releases may stop accepting the issuer URI or the token endpoint URI for security reasons (issue server/573).

  • Logs the exception message for OP6412 when client authentication at the token revocation endpoint fails (issue server/570).

  • Exports public EdDSA keys from the server JWK set to /jwks.json (issue server/568).
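
The first three resolved issues share one defensive pattern: reject malformed input with a client error and a logged cause rather than letting a codec exception surface as an HTTP 500, and bind a client authentication JWT to the endpoint it was sent to. The sketch below is an added example in Python and is not code from the Connect2id server or the Nimbus libraries. It shows a strict base64url decoder that turns illegal characters into an invalid_grant error instead of an unhandled exception, an audience check that accepts the exact endpoint URI and only tolerates the legacy token endpoint URI and issuer URI audiences for backward compatibility, and an error type that keeps the precise cause for the server log while the client sees only the OAuth error code. The endpoint URIs, the minimum decoded code length, the client name and the unsigned sample assertion are constructed for the example; signature verification of the assertion is assumed to happen in the JOSE library before its claims are inspected.

```python
import base64
import binascii
import json
import re

# Constructed endpoint URIs for this example (not Connect2id configuration).
ISSUER = "https://op.example.com"
TOKEN_ENDPOINT = ISSUER + "/token"
REVOCATION_ENDPOINT = ISSUER + "/token/revoke"
# Audiences the revocation endpoint tolerates for backward compatibility;
# the exact endpoint URI is what new clients should send.
LEGACY_REVOCATION_AUDIENCES = (TOKEN_ENDPOINT, ISSUER)
_B64URL_ALPHABET = re.compile(r"[A-Za-z0-9_-]*")


class ClientError(Exception):
    """Request defect: HTTP 400 with an OAuth error code for the client,
    while the precise cause is meant for the server log only."""

    def __init__(self, error, cause):
        super().__init__(f"{error}: {cause}")
        self.error = error
        self.cause = cause


def encode_base64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_base64url_strict(value):
    """Decode base64url, rejecting foreign characters before the codec sees them.
    Python's urlsafe_b64decode silently drops characters outside the alphabet,
    so the check is explicit; padding defects raise binascii.Error and are caught."""
    if not _B64URL_ALPHABET.fullmatch(value):
        raise ClientError("invalid_grant", "illegal character in base64url value")
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError) as exc:
        raise ClientError("invalid_grant", f"malformed base64url value: {exc}") from exc


def handle_token_request(code):
    """Hypothetical token endpoint front door: a malformed authorisation code
    yields 400 invalid_grant instead of an unhandled exception (HTTP 500).
    The real code lookup is replaced by an assumed minimum-length check."""
    try:
        raw = decode_base64url_strict(code)
    except ClientError as err:
        return 400, {"error": err.error}  # err.cause goes to the server log
    if len(raw) < 16:  # assumed minimum size of a decoded code
        return 400, {"error": "invalid_grant"}
    return 200, {"decoded_length": len(raw)}


def unverified_claims(assertion):
    """Payload of a compact JWS. The signature must already have been verified
    by the JOSE library; this only extracts the JSON object."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ClientError("invalid_client", "client assertion is not a compact JWS")
    try:
        claims = json.loads(decode_base64url_strict(parts[1]))
    except ClientError as err:
        raise ClientError("invalid_client", err.cause) from err
    except ValueError as exc:
        raise ClientError("invalid_client", f"payload is not JSON: {exc}") from exc
    if not isinstance(claims, dict):
        raise ClientError("invalid_client", "payload is not a JSON object")
    return claims


def check_assertion_audience(claims, endpoint_uri, legacy_audiences=()):
    """'exact' when aud names the endpoint the assertion was sent to, 'legacy'
    when only a tolerated alternative matches; otherwise fail closed with a
    cause precise enough for the log."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or not aud or not all(isinstance(a, str) for a in aud):
        raise ClientError("invalid_client", "missing or malformed aud claim")
    if endpoint_uri in aud:
        return "exact"
    if any(a in legacy_audiences for a in aud):
        return "legacy"  # worth logging so clients still sending it can be migrated
    raise ClientError("invalid_client", f"aud {aud} does not name {endpoint_uri}")


def revocation_auth_result(assertion):
    """Outcome of the audience check for an assertion sent to the revocation
    endpoint, as the string that would be written to the log."""
    try:
        claims = unverified_claims(assertion)
        return check_assertion_audience(claims, REVOCATION_ENDPOINT, LEGACY_REVOCATION_AUDIENCES)
    except ClientError as err:
        return f"{err.error}: {err.cause}"


def constructed_assertion(aud):
    """Unsigned stand-in for a client authentication JWT (constructed data)."""
    header = encode_base64url(json.dumps({"alg": "HS256"}).encode())
    payload = encode_base64url(json.dumps({"iss": "client-1", "sub": "client-1", "aud": aud}).encode())
    return f"{header}.{payload}.{encode_base64url(b'not-a-real-signature')}"


if __name__ == "__main__":
    print(handle_token_request("not$base64!"))
    print(revocation_auth_result(constructed_assertion(TOKEN_ENDPOINT)))
    print(revocation_auth_result(constructed_assertion("https://other.example.com")))
```

Two design points carry over to any server doing this: the alphabet check happens before the codec is called, because lenient decoders (Python's included) can accept garbage silently while strict ones throw, and the audience check distinguishes an exact match from a tolerated legacy match so that operators can see in the log which clients still need to move to the exact endpoint URI before tolerance is withdrawn.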

Dependency changes

  • Updates to com.nimbusds:common:2.38.1

  • Updates to com.nimbusds:oidc-session-store:13.4.2

  • Updates to com.nimbusds:jgroups-dynamodb-ping:1.2.4