Logout API updates in Connect2id server 13.6

The logout API of the Connect2id server was updated to make it more intuitive and developer friendly.

  • The logout end response message gets a new sub_session_closed parameter to provide a clear hint when the browser session should be deleted.

  • Post-logout redirections requested by the client will be processed regardless of whether an end-user session is present or not. Previously the Connect2id server would ignore them if there is no active end-user session.

More information can be found in the release notes below.

Download 13.6

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.6: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: bdb91c4cc8a2f32ebc63457251aa5876d2d54685eb1d9ab99c2a3749d070af00

Connect2id server 13.6 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 12e4671bc92918425571cdd1fc0762735d82d919ba4adc893c1dcdbc14a810a6

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.6: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 65219b215d4afce61d1d2017da0eaad03108af0c61344c2f7a331dbb5caadd94

Connect2id server 13.6 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 8b540c2865b3bb7eb6aa1c8ba87b2c4249da60654c4b493a8dffa47e82c9f54f


If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

13.6 (2023-02-22)


  • Updates to the logout session API.


  • /logout-sessions/rest/v1/

    • Adds new "sub_session_closed" parameter to the logout-end message, of type boolean {true|false}. When true indicates the Connect2id server closed the end-user session in response to an IdP-initiated logout request, or in response to an RP-initiated logout request with a submitted end-user confirmation that included the choice to log out of the IdP as well. To be used as a hint to delete the browser cookie linked to the session. Note that the deletion of the session cookie is not critical, because the session ID is invalidated on the server side.

    • The logout session API is updated to proceed with a requested "post_logout_redirect_uri" when there is no present end-user session, or the session has expired. Previously the redirection request by the relying party (RP) would be silently ignored. This change conforms with OpenID Connect RP-Initiated Logout 1.0 (see section 4).

Dependency changes

  • Updates to com.nimbusds:nimbus-jose-jwt:9.31