Connect2id server 15.7.1

2024-06-27

This is a small maintenance release of the Connect2id server that fixes five non-critical issues. More information about them can be found in the release notes below.

If you are using the password OAuth 2.0 grant with first party native applications, we recently published a mini guide how to implement a challenge-based flow for a second authenticating factor, such as an OTP, email or SMS verification.

Download 15.7.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 15.7.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 6afa6759052316521e3609455cae75fd96ba677683f8ced9bb8e550b848eb16f

Connect2id server 15.7.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: db385895cb919e4d698923b8945f54a28624ecdfe6d0c2964981a560bb48f267

Multi-tenant edition

Apache Tomcat package with Connect2id server 15.7.1: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 6c8f7b5819023163534bcaa8c730fbf957036634c1dd3a8478bd331acc223a4e

Connect2id server 15.7.1 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: b4761c5fb6be4b972e2f0ff2e7c01e7917f76404a09cf4ee878d431a03d0432e

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

15.7.1 (2024-06-27)

Resolved issues

  • Fixes the return value of the IDTokenIssueEvent.getLocalSubject method (in the IDTokenIssueEventListener SPI) to return the local subject and not the pairwise subject value when the ID token is issued in response to an OAuth 2.0 authorisation code grant (issue server/1001).

  • Removes the redundant automatic setting of the tls_client_certificate_bound_access_tokens client metadata field when a client is registered for self_signed_tls_client_auth, an artefact from Connect2id server v6.x when persistence of the tls_client_certificate_bound_access_tokens client metadata field was not supported (issue server/1003).

  • Calls to the token introspection endpoint with a blank token value and a token_type_hint set to access_token must produce an HTTP 400 Bad Request, not an HTTP 500 Internal Server Error (issue server/1004).

  • Calls to the token revocation endpoint with a blank token value must produce an HTTP 400 Bad Request, not an HTTP 500 Internal Server Error (issue oidc-sdk/471).

  • Calls with client_secret_jwt or private_key_jwt authentication with an empty or blank client_id must produce an HTTP 400 Bad Request, not an HTTP 500 Internal Server Error (issue oidc-sdk/472).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:11.13

  • Upgrades to com.nimbusds:nimbus-jose-jwt:9.40

  • Updates to com.nimbusds:c2id-server-jwkset:1.30.6

  • Updates to org.postgresql:postgresql:42.7.3

Connect2id server 15.7

2024-06-05

This Connect2id server release enabled support for issue of DPoP bound access tokens, for the JWT as well as the SAML 2.0 bearer grants. With the next major 16.0 release, the server is also going to support the dpop_bound_access_tokens client metadata parameter, so that a client can be required to always use DPoP in its registration.

This release also updates two of the Connect2id server SPIs.

The SPI for ID token issue events receives a new IDTokenIssueEvent.getLocalSubject() method to access the local (system) end-user ID, which can be useful in cases when the ID token sub (subject) is a pairwise identifier.

The SPI for customising token responses receives new methods to access the OpenID claims source and a generic JWT signer.

More information about this new release can be found in the customary notes below.

If you are an authentication provider and have come across Microsoft's May announcement to allow the plugin of External Authentication Method (EAM) providers into Entra ID, check out our new guide how to achieve this with the Connect2id server. If there is sufficient feedback and demand we'll consider creating an official maintained Connect2id server plugin for Entra EAM.

Download 15.7

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 15.7: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 5ae6d0051302f7734aa09081bad943a2a56d32409b08a8acec6239b387bbab24

Connect2id server 15.7 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 872123f8df4ed3ccc7d57cf8ce1f9bd2ba524cadcc61412ea82e8a091bbe4859

Multi-tenant edition

Apache Tomcat package with Connect2id server 15.7: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: c32dbe7d03dde79848b7690c81d24eba1bb2e8a17559043a420b5816e8ae3419

Connect2id server 15.7 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 1a7d7fc290bdcc4bc32401a564bf964c735ba578a211fe32c7a3df1b37e059a1

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

15.7 (2024-06-03)

Summary

  • Enables issue of DPoP access tokens (RFC 9449) for the JWT and SAML 2.0 bearer OAuth 2.0 grants.

  • Updates the CustomTokenResponseComposer SPI to provide access the OpenID claims source and a generic JWT signer.

  • Updates the IDTokenIssueEvent in the IDTokenIssueEventListener SPI to provide access to the local subject, useful in cases when the ID token sub (subject) is a pairwise identifier.

Web API

  • /token

    • Enables support for issue of DPoP-bound access tokens (RFC 9449) for the following OAuth 2.0 grants:

      • urn:ietf:params:oauth:grant-type:jwt-bearer (RFC 7523)

      • urn:ietf:params:oauth:grant-type:saml2-bearer (RFC 7522)

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:5.5

    • The CustomTokenResponseComposer SPI is updated, adding methods to the TokenResponseContext to access the OpenID claims source and a generic JWT signer.

    • IDTokenIssueEvent, part of the IDTokenIssueEventListener SPI, provides access to the local ID token subject, useful in cases when the ID token sub (subject) claim is a pairwise identifier.

Resolved issues

  • The Connect2id server must accept signed request objects (JARs) with the JWT typ (type) header values oauth-authz-req+jwt (see RFC 9101) and JWT (issue server/999).

  • The logout JWT in OpenID Connect back-channel logout notifications must include an exp (expiration time) claim. The expiration for the logout JWTs is set 5 minutes into future (issue server/1000).

  • Improves the parse performance of JSON numbers in JWT claims sets (issue nimbus-jose-jwt/546).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:5.5

  • Updates to com.nimbusds:oauth2-oidc-sdk:11.12

  • Updates to com.nimbusds:c2id-server-jwkset:1.30.5

  • Updates to com.nimbusds:nimbus-jose-jwt:9.39.3

  • Updates to com.google.code.gson:gson:2.11.0

  • Updates to commons-codec:commons-codec:1.17.0

Connect2id server 15.6 introduces a new plugin interface for authentication and consent events

2024-05-10

The Connect2id server received a new plugin interface (SPI) for receiving an event every time a user authenticates and submits their consent at the authorisation endpoint. The events can be used for purposes such as audit logging and resolving disputes. Contextual information about the user authentication can be obtained from the referenced ID token claims set (if an ID token is issued) as well as the referenced subject session. Information about the user consent can be obtained from the referenced authorised scope, claim names and data.

This release also relaxes the back-channel logout notifications policy for Connect2id server deployments configured with issuer aliasing in the PERSISTED_GRANT_ISOLATION mode, allowing delivery of notifications in response to logout requests. Notification delivery in response to session expiration remains blocked in this mode.

Finally, this release resolves four issues, three related to SPI plugins.

Download 15.6

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 15.6: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 5ad5fc679f9c33837ab46690ae0d23edf692e522622005579bd5c06fa5be9139

Connect2id server 15.6 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 87c3c7075ac32244ea5b860a7218cbc56e18ea9b0e076e784f84e9f2085be991

Multi-tenant edition

Apache Tomcat package with Connect2id server 15.6: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: f77623867ef95bfad50ddf896d86294e77419d8b2bb4c8275ae39e11bcfcb384

Connect2id server 15.6 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 89e6cb73cbec7f3f8789f9871d4e60e139fed8af1f26eee0ce4acd4d850f89a8

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

15.6 (2024-05-10)

Summary

  • New plugin interface (Service Provider Interface, or SPI) for listening to end-user authentication and consent events at the authorisation endpoint of the Connect2id server.

  • Enables delivery of back-channel logout notifications in the issuer aliasing mode "isolation" in response to end-user logout at the logout session API.

Web API

  • /logout-sessions/rest/v1/

    • Delivers back-channel logout notifications when OpenID provider / OAuth 2.0 server issuer aliasing mode PERSISTED_GRANT_ISOLATION is configured. Previously this mode caused the delivery of back-channel logout notifications resulting from logout session API calls to be blocked.

  • /session-store/rest/v2/

    • Delivers back-channel logout notifications in response to end-session (DELETE) calls when OpenID provider / OAuth 2.0 server issuer aliasing mode PERSISTED_GRANT_ISOLATION is configured. Previously this mode caused the delivery of back-channel logout notifications resulting from end-session API calls to be blocked.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:5.4

    • New SubjectAuthAndConsentEventListener SPI for listening to subject authentication and consent events.

      For clients using the code flow (response_type=code), the event is dispatched when the client submits a valid authorisation code at the token endpoint of the Connect2id server.

      For clients using an implicit (response_type=token, response_type=id_token, id_token token) or hybrid flow (response_type=code id_token, response_type=code token, response_type=code id_token token), the event is dispatched when the request at the authorisation endpoint of the Connect2id server successfully completes.

Resolved issues

  • Fixes StackOverflowException in SPI calls that use the com.nimbusds.openid. connect.provider.spi.internal.sessionstore.SubjectAuthentication.getAMRList method (issue server/993).

  • Revises the OpenID Connect Back-Channel Logout 1.0 policy when issuer alias mode PERSISTED_GRANT_ISOLATION is configured. Back-channel logout notifications were previously blocked in this mode. Starting with this release notifications resulting from API-originating logout / end-session requests will be delivered. Note that the delivery of back-channel logout notifications on subject session expiration remains blocked since subject sessions do not record issuer alias information (issue server/992).

  • Prevents Connect2id server startup when a given OpenID claim is advertised as supported by two or more enabled claims sources. Disabled claims sources are not checked. The exception will be logged at FATAL level using the OP7004 code, detailing the name of the claim and the claim source (issue server/994).

  • Compressed (zip=DEFLATE) JWE request objects (JARs) with cipher texts of compressed plain text that are too large must be rejected to conserve CPU and memory resources on decompression. When JWE DEFLATE compression is utilised a limit of 100K cipher text characters is enforced. Note that all request objects passed by URL (request_uri) are already being limited to 50 KBytes in size (issue jose-jwt/545).

  • Support serialisation of null valued JWT top-level claims returned by the encode and advancedEncode methods of SelfContainedAccessTokenClaimsCodec SPI implementations. Previously such JWT claims were ignored and serialised (issue authz-store/234).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:5.4

  • Updates to com.nimbusds:oauth2-oidc-sdk:11.10.3

  • Upgrades to com.nimbusds:nimbus-jose-jwt:9.39

  • Updates to com.nimbusds:c2id-server-jwkset:1.30.2

  • Upgrades to com.nimbusds:oauth2-authz-store:26.5.1

  • Upgrades to com.nimbusds:oidc-session-store:19.0

  • Upgrades to com.nimbusds:tenant-manager:9.1

  • Updates to com.nimbusds:tenant-registry:9.0.1

Connect2id server 15.5

2024-04-23

This Connect2id server release updates the plugin interface for sourcing user claims (attributes). It also adds a special configuration to mitigate false token revocation positives due to timing issues.

Consented scope hint in the claims source SPI

The Connect2id server comes with a plugin interface for sourcing user claims, such as contact details, profile information and entitlements. These claims are then fed into UserInfo responses, ID tokens or access tokens, subject to consent.

To aid decisions in claims source plugins, the Connect2id server is now going to make the associated consented scope available with each request to the claims source. If you implement your own SPI plugin the scope can be obtained via the new ClaimsSourceRequestContext.getScope method. If you use a web hook it will appear in the optional scope parameter, which must first be enabled.

Example request:

POST /claims-source HTTP/1.1
Host: www.example.com
Content-Type: application/json; charset=UTF-8
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

{
  "iss"              : "https://c2id.com",
  "sub"              : "alice",
  "claims"           : [ "email",
                         "email_verified",
                         "name",
                         "given_name",
                         "family_name" ],
  "scope"            : [ "openid",
                         "email",
                         "profile",
                         "offline" ],
  "claims_transport" : "userinfo"
}

More information how the scope gets determined for a particular claims request can be found in the ClaimsSourceRequestContext JavaDoc and the release notes below.

Note that the scope is intended only as a hint in plugin logic. Claims will continue getting sourced by providing an explicit list of their names, regardless of the consented scope value. That's because end-users may not consent to all claims that expand from a certain scope value. Claims can also be requested individually, with a scope value like email or profile, using the claims OpenID authentication request parameter.

Revocation timestamp check bias

The Connect2id server provides an API where clients, end-user access and their tokens can be revoked. POSTed revocations are given a timestamp and recorded in the server's database. Whenever a token is inspected, the server checks for any recorded revocations after the token issue time (iat). If a revocation is found the token is considered invalid.

After a typical revocation the end-user must log in and give their consent again in order for the client application to regain access. In special scenarios where this is done by an automated process the token revocation and subsequent new token issue may occur at the same second. Due to the second resolution of token and revocation timestamps, this can lead to timing issues, for example in clusters where the clocks of the computers are out of sync. To mitigate such issues deployments can adjust the "bite" point of revocation time checks with a special new configuration:

authzStore.revocation.checkBias

Its documentation has hints when and how to use it. If in doubt leave it at its default value (zero bias).

Dependency updates

A range of dependencies were updated, including the BouncyCastle JCA provider to 1.78. The BouncyCastle update clears several reported CVEs, none of them critical for Connect2id server operation.

Download 15.5

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 15.5: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 5fae4e5c8201ec0f72dba96c78724dff702fdeb2a30eb7b4f0159114afbd620f

Connect2id server 15.5 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 9a4e6fa5e062cbe70d19c248966be3102d286f90836c6fd1c8b39ae8d456dbd9

Multi-tenant edition

Apache Tomcat package with Connect2id server 15.5: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 1b89b280dd28094dede54eef43086c4139e913ceae2c803c39d77645202894b0

Connect2id server 15.5 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: fef049716b8773a47fa64d7436ed010883c15e99fc9faf4a44f1f2c9a9524335

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

15.5 (2024-04-23)

Configuration

  • /WEB-INF/authzStore.properties

    • authzStore.revocation.checkBias -- New optional configuration property to adjust the checking of revocation timestamps by adding a negative or positive time bias, in seconds. The default value is 0 seconds (no bias).

      A token is deemed active (non-revoked) if there are no recorded revocations for the token subject and / or client ID after the token issued-at time ("iat"). The resolution of revocations and token issued-at times is in seconds.

      With no (zero) bias tokens issued at the same second when a revocation is recorded are considered active (non-revoked). This enables a subject and / or client ID to have its tokens revoked and then be immediately issued again with active tokens, within the same second.

      A positive bias of 1 ensures tokens issued within the same second of a revocation are considered revoked, preventing any ambiguity in the time sequence of revocation and token issue events. A bias greater than 1 should generally not be used.

      A negative bias can mitigate false revocation positives in a Connect2id server cluster where the clocks of the individual server instances are out of sync.

  • /WEB-INF/httpClaimsSource.properties

    • op.httpClaimsSource.includeScope -- New optional configuration property of type boolean. Enables / disables inclusion in the request of the associated consented scope. Disabled by default.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:5.3

    • New ClaimsSourceRequestContext.getScope method that returns the associated consented scope:

      • When sourcing claims for a UserInfo endpoint response this is the scope of the access token.

      • When sourcing claims for an ID token to be returned at the token endpoint this is the scope of the OAuth 2.0 grant (such as an authorization_code or refresh_token grant).

      • When sourcing claims for an ID token to be returned at the authorisation endpoint (for a response_type that contains the id_token value) this is the scope of the end-user consent.

      • When sourcing claims for an ID token returned at the Connect2id server direct authorisation endpoint.

      • In all other cases the scope is not provided and will be null.

Resolved issues

  • The Connect2id server must reject op.claims.map.* configuration properties with id_token: and access_token: prefixed claim names. These prefixes are intended for use in the authorisation session API and other documented locations only, using them in a custom OpenID claims map can lead to unintended side effects (issue server/991).

  • The AS0214 log INFO message must be recorded at the start of a revocation (issue authz-store/233).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:5.3

  • Upgrades to com.nimbusds:oauth2-authz-store:26.3

  • Updates to com.nimbusds:oidc-session-store:17.4

  • Updates to com.nimbusds:oidc-claims-source-http:3.1

  • Updates to net.minidev:json-smart:2.5.1

  • Updates to BouncyCastle 1.78

  • Updates to com.google.crypto.tink:tink:1.13.0

  • Updates to commons-codec:commons-codec:1.16.1

  • Updates to commons-io:commons-io:2.16.1

  • Updates to Log4j 2.23.1

Connect2id server 15.4 introduces an STS web API to aid federated login

2024-03-11

This release of the Connect2id server ships the much anticipated Security Token Service (STS) web API to ease implementation of federated logins for identity providers. The concept of federated login enables an identity provider to call on 3rd party providers to authenticate end-users and obtain attributes about them, in a manner that is completely transparent to the client applications.

An identity provider that is built with the Connect2id server can now utilise the server's existing cryptographic facilities - JWT signing and key store - to mint JWTs to secure OAuth 2.0 flows with upstream OpenID providers. An upstream provider can verify the signature of a JWT using the public JWK set URL of the Connect2id server.

The first version of the STS API supports minting of tokens for the following purposes:

To prevent mistakes in client logic, the STS API uses carefully designed templates to mint the requested JWTs. The templates take care to populate the JWT headers and claims sets with the correct data for the type of JWT and perform validation on the POSTed parameters. This means the STS cannot be used (or abused) to mint arbitrary JWTs.

Example request to the STS API to mint a token for a JAR:

POST /sts/rest/v1/issuer HTTP/1.1
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Content-Type: application/json

{
  "template"   : "JAR",
  "alg"        : "RS256",
  "aud"        : "https://op.example.com",
  "parameters" : {
      "response_type"         : "code",
      "client_id"             : "client-123",
      "redirect_uri"          : "https://rp.example.com/cb",
      "scope"                 : "openid",
      "state"                 : "Mu0niexo",
      "nonce"                 : "Baemie2F",
      "code_challenge"        : "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
      "code_challenge_method" : "S256"
  }
}

The STS will return a JWT, which when inspected will show a header and a claims set similar to these:

JWT header, note the typ (type) header to explicitly type the JWT, a security measure against cross-jwt confusion:

{
  "alg" : "RS256",
  "typ" : "oauth-authz-req+jwt",
  "kid" : "q9SZ"
}

JWT claims set, containing the requisite iss and aud claims, the rest are parameters of the signed OpenID authentication request:

{
  "iss"                   : "client-123",
  "aud"                   : "https://op.example.com",
  "response_type"         : "code",
  "client_id"             : "client-123",
  "redirect_uri"          : "https://rp.example.com/cb",
  "scope"                 : "openid",
  "state"                 : "Mu0niexo",
  "nonce"                 : "Baemie2F",
  "code_challenge"        : "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
  "code_challenge_method" : "S256"
}

What else has changed in this release can be found in the release notes below.

Download 15.4

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 15.4: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 8b6f08c4ac9de28092e3139a511e684709ba97d071895bc795d9f7bb693bad5f

Connect2id server 15.4 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: d87932c45b635ac5c55380f8325c98ea841372c1be3b27d82094b16721c57242

Multi-tenant edition

Apache Tomcat package with Connect2id server 15.4: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 4034b1b9fa41e17feb45484648aac58bf893528172a14564570140682e9db0be

Connect2id server 15.4 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 880bb43a909834c9ea6ce465281b2a0b9b60541c0bea085baf8565f3b9a31475

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

15.4 (2024-03-11)

Summary

  • Adds a new Security Token Service (STS) web API to issue signed JWTs for JWT-secured Authorisation Requests (JAR, see RFC 9101) and private_key_jwt authentication. Intended when an Identity Provider based on the Connect2id server acts an OAuth 2.0 client / OpenID relying party in federated login scenarios. The signature of an issued JWT can be validated using the server JWK set published at the /jwks.json endpoint.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.sts.apiAccessTokenSHA256.* -- New optional configuration property. Specifies a master access token for the STS web API, represented by its SHA-256 hash (in hexadecimal format). The hashed storage is intended to prevent accidental leakage of the token through configuration files, logs, etc. The token is of type Bearer, non-expiring and must contain at least 32 random alphanumeric characters to make brute force guessing impractical. If not specified the web API is disabled.

      Additional access tokens, to facilitate token roll-over or for other needs, can be configured by appending a dot (.) with a unique label to the property name, e.g. as op.reg.apiAccessTokenSHA256.1=abc....

  • /WEB-INF/log4j.xml

    • Updates the PatternLayouts of the RollingFile and Console appenders to comply with a recent Log4j library change.

Web API

  • /sts/rest/v1/

    • New Security Token Service (STS) web API. Enabled if it has a master API access token (op.sts.apiAccessTokenSHA256) configured.

  • /sts/rest/v1/issuer

    • New resource to issue signed JWTs for JWT-secured Authorisation Requests (JAR) and private_key_jwt authentication. Supports the RSxxx, PSxxx and ESxxx JWS algorithm families. The JWTs are generated according to a built-in template that defines the acceptable JWT header parameters and claims set. The template ensures the JWT is compliant with the respective specification and potential errors, such as including a sub claim in signed request object (JAR), are prevented.

      Supported templates:

      • JAR -- For issue of signed JWT-secured Authorisation Requests (JAR), also called request objects in OpenID Connect.

      • private_key_jwt -- For issue of private key client authentication JWTs for use at the token and other endpoints of an OAuth 2.0 authorisation server / OpenID provider.

Resolved issues

  • Corrects the OP5109 log INFO message that records whether a master API token for the client registration endpoint is configured (issue server/978).

  • Fixes the shipped /WEB-INF/log4j.xml configuration to comply with a recent Log4j library change. In Connect2id server 15.3 this caused the log lines to contain only the log message (%m), with timestamp, etc. missing (issue server/980).

  • Logs token success response (OP6225) and error response (OP6226) at INFO level, with client ID, grant type and other details (issue server/982).

Dependency changes

  • Updates to org.slf4j:slf4j-api:2.0.9

  • Updates to com.github.dubasdey:log4j2-jsonevent-layout:0.0.8