Connect2id server 13.5

This Connect2id server release ships three new features.

  • Single sign-on (SSO) can be disabled for selected clients. Intended as a lightweight alternative to fully-isolated client-based sessions.

  • The session store API gets a new resource that enables changes to the authentication lifetime of end-user sessions.

  • Client secret store plugins can return the encoded (hashed) secret in client read responses using a new custom encoded_client_secret client metadata field.

This release also fixes two reported bugs affecting the logout API and OpenID Connect Federation 1.0.

Detailed information is available in the release notes below.

Download 13.5

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.5:

GPG signature:

SHA-256: faf122c1be83aeff84961b7cb12a73a7787e885991d71dfd4049792c72b3ba02

Connect2id server 13.5 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: a586dd25af1e9b711a495bd533fe07845471e51a7629d45a812ba4b3deea59ca

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.5:

GPG signature:

SHA-256: f614ad4c03c6eb2f076d5bb2c0c9888ac56bdb20888ced811f0747127344672d

Connect2id server 13.5 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: b610a9b1d703a7d1dbffd5032875fb459663c93e0d07d6dd2b46fe46648dd084


If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

13.5 (2023-02-20)


  • Single sign-on (SSO) can be disabled for selected clients.

  • New session store web API resource for modifying the authentication lifetime of an end-user session.

  • Client secret store plugins can return the encoded secret in client read responses using a new custom "encoded_client_secret" client metadata field.


  • /WEB-INF/

    • op.sso.disableForSelectedClients -- New optional configuration property to disable single sign-on (SSO) for selected registered clients. Ensures end-users will be always (re)authenticated on the first OAuth 2.0 authorisation / OpenID authentication request when end-user has an existing session with the Connect2id server. Subsequent requests from the client received into the same end-user session will be processed as usual, without triggering re-authentication of the end-user.

      Disabling SSO for a client creates the effect of "virtual" client-based sessions with the Connect2id server.

      Clients with disabled SSO are selected by configuring a JSON query that accepts the client registration (as JSON object representation) and returns a boolean true result. The default configuration property is no selector specified.

      Example JSON query to disable SSO for clients which registered a custom data JSON object containing a disable_sso member set to true: .data.disable_sso==true.

      The Connect2id server logs the configured JSON query at INFO level with the ID OP0090.


  • /session-store/rest/v2/

    • Adds a new /sessions/subject-auth-life resource supporting a PUT method to change the authentication lifetime of a session. The value is specified as an integer number of minutes, where -1 means infinite (no timeout) and 0 implies the default lifetime from the sessionStore.authLifetime configuration property. Returns HTTP 204 No Content on success.
  • /clients/

    • Connect2id server deployments with a ClientSecretStoreCodec plugin for encoding (hashing or encrypting) client secrets before committing them to storage will include the stored client secret in an "encoded_client_secret" metadata field in responses to client registration read (HTTP GET) requests. Note, in order to provide the metadata field in registration read responses the ClientSecretStoreCodec.decode method must return a DecodedSecret.withEncodedValue.
  • /monitor/v1/metrics

    • Adds new sessionStore.sessionAuthLifetimeUpdates meter.

Resolved issues

  • The OpenID Connect Federation 1.0 "value" policy check must support JSON objects (issue oidc-sdk/419).

  • Fixes a bug that prevented return of the state parameter in RP-initiated logout requests with a post_logout_redirect_uri when there is no frontchannel_logout_uri registered for the client (issue server/831).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:10.7

  • Upgrades to com.nimbusds:oidc-session-store:15.3

  • Adds net.thisptr:jackson-jq:1.0.0-preview.20220705