Connect2id server 15.7.1

This is a small maintenance release of the Connect2id server that fixes five non-critical issues. More information about them can be found in the release notes below.

If you are using the OAuth 2.0 password grant with first-party native applications, we recently published a mini guide on how to implement a challenge-based flow for a second authenticating factor, such as an OTP, email or SMS verification.

Download 15.7.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 15.7.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 6afa6759052316521e3609455cae75fd96ba677683f8ced9bb8e550b848eb16f

Connect2id server 15.7.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: db385895cb919e4d698923b8945f54a28624ecdfe6d0c2964981a560bb48f267

Multi-tenant edition

Apache Tomcat package with Connect2id server 15.7.1: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 6c8f7b5819023163534bcaa8c730fbf957036634c1dd3a8478bd331acc223a4e

Connect2id server 15.7.1 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: b4761c5fb6be4b972e2f0ff2e7c01e7917f76404a09cf4ee878d431a03d0432e

Questions?

For technical questions about this new release, contact Connect2id support. To purchase a production license for the Connect2id server, or to renew or upgrade your support and updates subscription, email our sales team.

Release notes

15.7.1 (2024-06-27)

Resolved issues

  • Fixes the IDTokenIssueEvent.getLocalSubject method (in the IDTokenIssueEventListener SPI) to return the local subject rather than the pairwise subject value when the ID token is issued in response to an OAuth 2.0 authorisation code grant (issue server/1001).

  • Removes the redundant automatic setting of the tls_client_certificate_bound_access_tokens client metadata field when a client is registered for self_signed_tls_client_auth. This was an artefact from Connect2id server v6.x, when persistence of the tls_client_certificate_bound_access_tokens client metadata field was not yet supported (issue server/1003).

  • Calls to the token introspection endpoint with a blank token value and a token_type_hint set to access_token must produce an HTTP 400 Bad Request, not an HTTP 500 Internal Server Error (issue server/1004).

  • Calls to the token revocation endpoint with a blank token value must produce an HTTP 400 Bad Request, not an HTTP 500 Internal Server Error (issue oidc-sdk/471).

  • Calls using client_secret_jwt or private_key_jwt client authentication with an empty or blank client_id must produce an HTTP 400 Bad Request, not an HTTP 500 Internal Server Error (issue oidc-sdk/472).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:11.13

  • Upgrades to com.nimbusds:nimbus-jose-jwt:9.40

  • Updates to com.nimbusds:c2id-server-jwkset:1.30.6

  • Updates to org.postgresql:postgresql:42.7.3