Connect2id server 14.10

2023-11-22

This Connect2id server release improves the performance of expired entry purges in deployments with an SQL database. If you have an identity provider deployment that deals with a large number of sessions and identifier-based access tokens, objects that eventually expire, this upgrade will reduce the database traffic and load when the purge task runs.

The SQL connector also adds two Java system properties:

  • dataSource.maxLifetime -- Overrides the maximum SQL connection lifetime (in the Hikari connection pool)

  • dataSource.expiredQueryPageLimit -- Overrides the page limit in SQL select statements for expired records.

These two new properties are explained in the configuration docs for the supported SQL databases:

The dataSource.maxLifetime configuration override can be useful to address situations where the backend SQL database is configured to close connections before their expiration in the Connect2id server pool (30 minutes).

The release notes below have more information.

Download 14.10

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.10: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: c7143ea19bb1327809f6666a797e9e4558317812d06a8444401742d8d187e068

Connect2id server 14.10 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: ae45fafe8922d349aab6a4a81e20d04b78800d1330c0bf0a682acaadf2876ba4

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.10: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: d1bc3923a24e37e86b1159506c4933f87e5f03a7cf9c6945a4a93d117a393cae

Connect2id server 14.10 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 4a2f5411aac6e0019c44d972bb677e529b7e2feb15f5a26625bd0f2c4a6f6b74

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

14.10 (2023-11-22)

Summary

  • Connect2id server deployments with an SQL database receive an optimised purge task and SQL query for expired records, such as records for expired subject sessions or identifier-based access tokens. The page limit in the SQL query to select expired records is made configurable, to enable further performance tuning.

    A Java system property to override the maximum lifetime of SQL connections in the connection pool is also made available.

Configuration

  • /WEB-INF/infinispan-*-{mysql|oracle|postgres95|sqlserver}.xml

    • Upgrades the SQL store schema to v3.2.

    • dataSource.maxLifetime -- New optional Java system property to override the default maximum lifetime of SQL connections in the Hikari connection pool. The value is expressed in microseconds and must not be shorter than 30000 (30 seconds). The default value is 1800000 (30 minutes).

      This configuration can be used to address Hikari warnings (recorded in the Connect2id server log) "Failed to validate connection (Closed Connection)".

    • dataSource.expiredQueryPageLimit -- New optional Java system property to override the default page limit of SQL queries to select expired records, such as the records of expired subject sessions. The page limit value is 1000 records.

      This configuration can be used to optimise the retrieval of expired records by the Infinispan entry purge task.

    • Upgrades the SQL database connector and the sessionStore.sessionMap, authzStore.idAccessTokenMap, authzStore.expendedTokenMap, op.authSessionMap, clients.registrationsMap SQL definitions to select only expired records from the respective tables when the Infinispan purge task runs.

Resolved issues

  • The expired entry reaper in Connect2id server deployments with an SQL database must not terminate when an unchecked exception is encountered during an SQL select or delete query. The exception must be swallowed and an appropriate error logged (issue sql-store/31, sql-store/32).

  • The infinispan-replication-*.xml configurations must not use passivation for sessionStore.sessionMap and sessionStore.subjectMap as this is incompatible with shared cache stores (issue server/943).

  • Reduces and aligns the memory max-count limits in the infinispan-*-local-h2.xml configurations (issue server/944).

  • The page LIMIT in the SQL select query run by the purge task must be inlined (issue sql-store/29).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:24.8

  • Updates to com.nimbusds:oidc-session-store:16.8

  • Updates to com.nimbusds:infinispan-cachestore-sql:7.4.1

  • Updates to com.zaxxer:HikariCP:5.1.0

  • Updates to Log4j 2.22.0

Connect2id server 14.9

2023-11-13

This release ships an enhancement for Connect2id server deployments with an AWS DynamoDB. The purge thread that wakes up periodically to scan the subject (end-user) sessions table for expired entries and then delete them, will now automatically limit the rate of read and write capacity unit consumption to 10% of the provisioned for the sub_sessions table.

The rate limiting moderates the use of capacity units when the purge thread is running. With a DynamoDB table in provisioned mode the rate limiting ensures the scan (and delete) requests will not potentially starve regular API requests of database capacity. In on-demand mode the rate limiting smooths potential peaks in capacity use and thus can help reduce your AWS bill.

The default configuration can be overridden with a dynamodb.purgeMaxReadCapacity Java system property, by setting it to an absolute capacity unit value, or to a percentage (evaluated using the reported provisioned read capacity every time before the purge thread runs).

Example override to use at most 20 read capacity units / second for purges:

dynamodb.purgeMaxReadCapacity=20

Example override to rate limit the consumption to 15% of the current read capacity units for the table:

dynamodb.purgeMaxReadCapacity=15%

Note that when automatic DynamoDB TTL expiration is enabled for the sessions table the Connect2id server will not run the purge thread (as all sessions are being expired within DynamoDB) and the dynamodb.purgeMaxReadCapacity will have no effect then.

Check the release notes below for more information.

Download 14.9

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.9: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: e64d17123bf28407252f8699b029421d888e8e0351478b45c96981fc5bafa6c1

Connect2id server 14.9 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: e4a74dfd5d2ffe1d326adaff2a735672abc2214c95b2fed0ca1681a787344f56

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.9: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: a416855669d1e18b0e5e83941c500c8a98abb83fe24591f46b32b99ac95aac82

Connect2id server 14.9 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 9d5efad8de9e16ca4e5d6e200c6bcbdadbfba41f238ce6b8cf6da53217d2ba4a

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

14.9 (2023-11-13)

Summary

  • Connect2id server deployments with an AWS DynamoDB receive rate limiting of the paged scan and delete requests that purge the database of expired subject sessions. This enhancement guards regular requests to DynamoDB from potentially being starved of their provisioned database read and write capacity when a purge scan is taking place. Moderating the purge scans may also smooth spikes in DynamoDB consumption over time and thus enable the provisioned capacity to be lowered to save costs.

    Note, in deployments where native DynamoDB TTL expiration is enabled for the subject sessions, by setting the "dynamodb.enableTTL.sessionStore.sessionMap" Java system property to true, the sessions will be expired automatically by DynamoDB and the Connect2id server doesn't need to run purge scans on the sessions table. The TTL expiration suits Connect2id server deployments that have no OpenID relying parties registered to receive logout and session expiration notifications. Such notifications can be generated only when the sessions are expired by the Connect2id server itself.

Configuration

  • /WEB-INF/infinispan-*-dynamodb.xml

    • Upgrades the dynamodb schema to v2.1.

  • /WEB-INF/infinispan-*-{stateless|replication}-dynamodb.xml

    • Scan and delete requests that purge the sub_sessions table of expired subject sessions are rate limited to 10% of the reported provisioned read capacity for the table. For example, if the table is provisioned with 100 read capacity units, the consumed purge scan read and delete operations will be rate-limited to 10 capacity units.

      To specify a different value set the "dynamodb.purgeMaxReadCapacity" Java system property to the desired maximum read capacity units that may be consumed during a purge, as an absolute value, e.g. 20, or as a percentage of the current provisioned read capacity of the table, e.g. 20%. Any write capacity consumed to delete expired items is bounded by the "dynamodb.purgeMaxReadCapacity" and will always stay below it. The default value of "dynamodb.purgeMaxReadCapacity" is 10%, as explained above.

Resolved issues

  • The expired entry reaper in Connect2id server deployments with an AWS Dynamo database must not terminate when an unchecked parse or another exception is thrown when parsing a retrieved DynamoDB item. This may occur in DynamoDB items manipulated outside the Connect2id server APIs. Instead, the exception must be swallowed and an error with the offending item logged. This is now done with a DS0152 log error (issue dynamodb-store/21).

  • The *.dynamoDB.deleteTimer metrics must include DynamoDB delete requests performed as part of purges of expired items (issue dynamodb-store/22).

  • Removes legacy comma separator support in Scope.parse(String) (issue oidc-sdk/445).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:11.6

  • Updates to com.nimbusds:nimbus-jose-jwt:9.37.1

  • Updates to com.nimbusds:oauth2-authz-store:24.7.3

  • Updates to com.nimbusds:oidc-session-store:16.7.5

  • Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:5.2

Connect2id server 14.8.3

2023-11-08

This Connect2id server release fixes a bug in the SQL connector that was introduced in v14.8.1 last week. Connect2id server 14.8.* deployments are encouraged to upgrade to this release.

More information is available in the release notes below.

Download 14.8.3

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.8.3: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: b02d2d0bb9a3af71d887fddf51748fdfef8b3196d2a46efb37820402a99ba5e1

Connect2id server 14.8.3 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: f311f7f871c49c5d2e10ac72bdce615da9f187e5a4a8fae9c688f7fdfc595981

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.8.3: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: b1de2efc8c26da1b178bc4c0699597da5fcded48f319204f1f991608226ffce7

Connect2id server 14.8.3 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: dc9247aa06deb0d530de5b74e066e23ecd9a72d13f70a1e4f7c2117cbb67bf5d

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

14.8.3 (2023-11-08)

Resolved issues

  • Fixes a bug introduced in v14.8.1 that affects Connect2id server deployments with an SQL database. The bug resulted in repeat duplicate SQL delete queries when purging expired records in the database, causing excessive slowdown of the purge task in SQL tables with many expired records, such as records for subject sessions (issue server/938, sql-store/25).

  • The *.sqlStore.deleteTimer metrics must include SQL delete queries performed as part of purges of expired records (issue sql-store/26).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:24.7.2

  • Updates to com.nimbusds:oidc-session-store:16.7.4

  • Updates to com.nimbusds:infinispan-cachestore-sql:7.1.1

Connect2id server 14.8.1

2023-11-02

This maintenance release of the Connect2id server addresses issues related to the SQL database connector, which is now optimised to conserve memory when purging expired entres. An issue slowing down the server startup with Oracle Databases is also fixed. If you have a deployment that uses an SQL database and deals with significant traffic updating to 14.8.1 is recommended.

Updating to 14.8.1 can be skipped if you have a Connect2id server deployment that uses DynamoDB.

More information can be found in the release notes below.

Download 14.8.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.8.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: cac7e644f028f5ca84e100c9ae402d0ca3e8bd86fce598c9731798827a1108b0

Connect2id server 14.8.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: bbdda0f1ecb5c5af003b8d3efe31e775cc32ebff537882ed7b2e3e65f89cc529

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.8.1: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 16f12425588d4bbb13f19cf48943593c3e40fa258be08c8711535853f94202c3

Connect2id server 14.8.1 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: f83af6cbc94e539368695f2e2da47fb500b32ba3a19688439db2c594adc2ca49

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

14.8.1 (2023-11-02)

Resolved issues

  • Updates the expired entry reaper for Connect2id server deployments with an SQL database to conserve memory by employing paged key set seek, in sets of up to 100 SQL records and interleaving the record deletion between the pages. Intended to prevent OOM errors in deployments with a very large number of sessions and other expiring objects (issue server/935).

  • Optimises the dataSource.createTableIfMissing implementation for Oracle Databases when the queried table has a very large number of records, causing Connect2id server startup to pause for times longer than 1 minute at startup. The issue is addressed by switching from LIMIT 0 to LIMIT 1 in the query to obtain the table's column names (issue server/933).

  • The expired entry reaper in Connect2id server deployments with an SQL database must not terminate when an unchecked parse or another exception is thrown when parsing a retrieved SQL record. This may occur in SQL records manipulated outside the Connect2id server APIs. Instead, the exception must be swallowed and an error with the offending SQL record logged. This is now done with an IS0141 log error (issue sql-store/23).

  • Fixes the default value and parsing of the optional sessions form parameter of the /session-store/rest/v2/purge resource (issue session-store/95).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:24.7.1

  • Updates to com.nimbusds:oidc-session-store:16.7.3

  • Upgrades to com.nimbusds:infinispan-cachestore-sql:7.1

  • Updates to Log4j 2.21.1

  • Updates to Dropwizard Metrics 4.2.20.

Connect2id server 14.8.2

2023-11-02

This second Connect2id server release for today fixes an issue in v14.8.1 with the Log4j Web 2.21.1 BOM that introduced an erroneous transitive dependency to two Spring artifacts. The erroneous dependency is now removed and we'll make a report upstream.

As always, more information can be found in the release notes below.

Download 14.8.2

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.8.2: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: d76f0d31096f495b0861ba9e79b8905d70ba2ef1b6571b9f17a8e6b305963620

Connect2id server 14.8.2 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 43e5667e20ed952395bce8ece3c50d4fb359976a499cdd68d7bcb7d4a7cac419

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.8.2: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 2959666e0cc7ea55311c962650d7008511f191de4024dda8de6ac05257bf2b61

Connect2id server 14.8.2 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 3390a7eb98c809d5ade60d23d47aa4bae858f2dfaa6a7514b98bc52fffd8068f

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

14.8.2 (2023-11-02)

Resolved issues

  • Forces removal of the org.springframework:spring-test dependency erroneously introduced as compile scope dependency of org.apache.logging.log4j:log4j-web:2.21.1 (issue server/936).

Dependency changes

  • Forces removal of org.springframework:spring-test