Connect2id server 12.18

Connect2id server deployments can now mask or rewrite selected OpenID provider metadata fields published at the /.well-known/openid-configuration endpoint, to minimise the amount of metadata, or show fewer supported endpoints and capabilities, which cannot be disabled by a simple configuration setting. This is done by creating a JSON object to act as overlay, and saving it in the new op.metadataOverlay configuration property.

Sample overlay to hide the introspection endpoint:


With additional BASE64 encoding on top of the JSON text, for easier passing around via environment variables:


Note, the overlay will not alter the internal Connect2id server configuration and the server will not check the resulting JSON object for being a legal representation of OpenID provider metadata according to the specification. One way to double check the published metadata is to run it through the parse method of the OIDCProviderMetadata class in the OAuth 2.0 / OpenID Connect SDK.

For more information what's new or changed check the release notes below.

Download 12.18

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.18:

GPG signature:

SHA-256: ab5c6afa1b83f748d60799525327824884acd5d73bb407b12aefc1d826fb8b45

Connect2id server 12.18 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 98e6d1aeebf02198b7139f782689bcf13d4b59cbd9042ec8e2911d6e72468c75

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.18:

GPG signature:

SHA-256: 1ef2ae977c7e5222c1a27fae5be0d9868f80b431007105f4f80bbbda7f136f9a

Connect2id server 12.18 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: b4d4bf14ca3492a9301b9625801da3c69258589c3d7545322c4b02cfed46f92f


If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

12.18 (2022-10-25)


  • /WEB-INF/

    • op.metadataOverlay -- New optional configuration property for a JSON object overlay to apply to the OpenID provider / OAuth 2.0 authorisation server metadata published at the ".well-known/openid-configuration" and ".well-known/oauth-authorization-server" endpoints. Non-null values in the overlay object replace existing metadata fields, null values remove them. Note, the overlay does not affect the internal Connect2id server configuration and after its application the resulting JSON object is not checked for being a legal representation of OpenID provider / OAuth 2.0 authorisation server metadata. If set the overlay must be represented as a JSON object string, and can be additionally BASE64 encoded to ease passing the configuration property from a command line shell.


  • /authz-sessions/rest/v3/

    • Pushed authorisation request (PAR) URIs will become invalidated after their use at the authorisation endpoint. Previously a PAR URI will remain valid until its expiration configured by the op.par.lifetime property.

Resolved issues

  • Logs warning under AS0277 when revoking an authorisation by self-contained (JWT-encoded) access token which local (public) subject or client_id are not encoded (issue authz-store/194).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:18.2.1

  • Updates to io.prometheus:simpleclient:0.16.0

  • Updates to io.prometheus:simpleclient_servlet:0.16.0

  • Updates to io.prometheus:simpleclient_dropwizard:0.16.0

  • Updates to Log4j 2.19.0