Connect2id server 12.17

2022-09-14

This September release of the Connect2id server updates the revocation web API to enable callers to conserve server and network resources. When revoking the tokens and persisted consent for a given subject (end-user) or client the server will return all matching long-lived (persisted) authorisations that have been deleted. For a revoked client with thousands or millions of end-users this can potentially result in the streaming of megabytes of removed authorisations into the HTTP response. In such cases or whenever the revocation is not interested in what authorisations are affected or their details, a new quiet=true query parameter can now be applied to omit the streaming and return a HTTP 204 No Content response.

Example use of the quiet=true query parameter when revoking a client with ID zaqu4ong:

POST /authz-store/rest/v3/revocation?quiet=true HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Content-Type: application/x-www-form-urlencoded

client_id=zaqu4ong

The HTTP 204 No Content response:

Status Code: 204 No Content

The authorisation session API and the token exchange plugin received two bug fixes.

Check the release notes below for details.

Download 12.17

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.17: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 84959987d94ebca82ac9296161b63631d1fe71208250de5e01dfc682a14d5e79

Connect2id server 12.17 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: eb0cd476641f68228002d63af810fe26a83b5c1bb811ca22443691c4e8b5dd9e

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.17: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 6941ba145e5f58073aeb05f004886a8d9a509cdb20ba9fb63418945063381179

Connect2id server 12.17 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 504fe78e94d6d6f6ebd8bae647e15823336962043caa7c725346c740751d1c04

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

12.17 (2022-09-14)

Web API

/authz-store/rest/v2/revocation
- Adds support for an optional "quiet" query parameter when posting a revocation. When set to quiet=true an HTTP 204 No Content response will be returned; if any authorisation(s) were matched by the revocation parameters and removed they will not be returned in the response body.

Resolved issues

The authorisation session web API must not set the "required_sub" parameter in the authentication prompt to the end-user ID when the Connect2id server is configured with alwaysPromptForAuth=true and the end-user has an active session. This resulted in a incorrect OpenID Connect login_required error if the current end-user is (re)authenticated to another subject (end-user ID) as a result of the authentication prompt. The fix corrects the behaviour so that the original session is closed and a new one with the new subject (end-user ID) is started (issue server/781).
The op.grantHandler.tokenExchange.webAPI.actorToken.types configuration property of the token exchange grant handler plugin must support setting of no actor token types accepted. The default value must also be none (issue grant-handlers-web/1).

Dependency changes

Updates to com.nimbusds:oauth2-authz-store:18.2
Updates to com.nimbusds:oidc-session-store:14.9.2
Updates to com.nimbusds:oauth-grant-handlers-web:1.0.3
Updates to com.nimbusds:tenant-manager:6.0.4
Updates to com.nimbusds:tenant-registry:6.0.3
Updates to com.google.crypto.tink:tink:1.7.0
Updates DropWizard to 4.2.12
Updates to com.unboundid:unboundid-ldapsdk:6.0.6
Updates to com.nimbusds:infinispan-cachestore-sql:4.2.8
Updates to org.postgresql:postgresql:42.5.0
Updates to org.mariadb.jdbc:mariadb-java-client:2.7.6
Updates to com.microsoft.sqlserver:mssql-jdbc:11.2.1.jre11