Connect2id server 13.4.1

This is a maintenance release of the Connect2id server.

It fixes two recently reported bugs affecting automatic clients in OpenID Connect Federation 1.0 deployments, reported during GAIN interop testing. GAIN is a project of the OpenID Foundation to devise and test a global scheme for verified identities, a scheme that can work across various identity ecosystems and jurisdictions, and is capable of automating the trust establishment, OP & RP metadata discovery and client registration.

The feeding and logging of X.509 certificate based Connect2id server keys (this includes keys stored in a HSM) was also optimised. We took the opportunity to enhance the guide for using an HSM, with tips how to manage their validity time windows and rotation.

There is more information about the resolved issues in the notes below.

The next major 14.0 release will be shipped in the coming weeks. It will include a major upgrade of the embedded Infinispan from version 9.4.x to 14.x and performance optimisations of the SQL, DynamoDB and Redis connectors. Oracle will become a supported RDBMS; support for LDAP as backend database will be removed.

Download 13.4.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.4.1:

GPG signature:

SHA-256: 70515364029ad787d9f451d806386ad5529243390c635747a4813b4cca42fa6e

Connect2id server 13.4.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: faae7f3518ced76fd89928e1d0cd9d9ea1cdbbf5e9347436f9ced6721de6b11a

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.4.1:

GPG signature:

SHA-256: 453918111bffc3e0565ae892acd6abdabc54137bdf33b9aa841d582baa1a89e9

Connect2id server 13.4.1 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 9b6560b3b85c2360a208fd1ddc1867f58434d71435dd64955886d58e23999d59


If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

13.4.1 (2023-02-09)

Resolved issues

  • The "aud" of request objects (JARs) passed by OpenID Connect Federation 1.0 clients must include the OpenID provider issuer URL, not the authorisation endpoint URL (issue server/825).

  • Fixes a bug that prevented client metadata shaped by a FinalMetadataValidator SPI plugin from appearing in the authentication prompt message when the op.authz.includeClientInfoInAuthPrompt configuration property is set to true and the requesting client is an automatic OpenID Federation 1.0 client that was just registered (issue server/826).

  • The signing JWK feeder when dealing with X.509 certificate based JWKs should bias the key selection to pick the key with the farthest certificate expiration date. This is to ensure optimal roll-over of RSA and EC signing JWKs with an X.509 certificate (issue jwk-set-loader/5).

  • Fixes the SE2000 error log message on failing to find a signing key with a currently valid X.509 certificate (according to its not-before and not-after attributes). The message must apply to both regular (in-memory) keys with an X.509 certificate and HSM keys with a certificate (issue jwk-set-loader/4).

Dependency changes

  • Updates to com.nimbusds:nimbus-jose-jwt:9.30.1

  • Updates to com.nimbusds:nimbus-jwkset-loader:5.2.2