All Versions
18
Latest Version
Avg Release Cycle
47 days
Latest Release
62 days ago

Changelog History
Page 1

  • v2.4.2

    March 24, 2020
  • v2.4.2.1

    March 25, 2020

    🚀 This release fixes the SameSite Set-Cookie behaviour introduced in 2.4.1 when by-value session cookies are used, and it fixes a memory leak in an OAuth 2.0 Resource Server setup when using JWT token validation.

    🛠 Bugfixes

    • also add SameSite=None to by-value session cookies
    • avoid memory leak in OAuth 2.0 JWT validation; closes #470; thanks Conrad Thukral
    • destroy shared memory segments only in parent process; see #458
    • if content was already returned via html/http send then don't return 500 but send 200 to avoid extraneous internal error document text to be sent on some Apache 2.4.x versions e.g. CentOS 7
    • 🛠 fix configured private/public key cleanup on process exit

    🔋 Features

    Packaging

    • 🚀 the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section in release 2.4.0
    • 📦 Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful
    • 🐧 packages for various other platforms such as Redhat Enterprise Linux 6, Redhat Enterprise Linux 7 Power PC (ppc64, ppc64le), older Debian distro's, SUSE LInux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64bit are available under a commercial agreement via support@zmartzone.eu

    🚀 This release was made possible thanks to sustaining sponsor GLUU.

  • v2.4.1

    January 30, 2020

    🚀 This release primarily addresses upcoming changes in SameSite Set-Cookie behaviour in Chrome and Firefox, see: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

    🔋 Features

    • always add a SameSite value (default None) to the Set-Cookie header value; this can be overridden by using the environment variable OIDC_SET_COOKIE_APPEND, e.g.:
      SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
    • ➕ add the possibility to use a public key instead of a certificate for OIDCPublicKeyFiles parameter; thanks @absynth76
    • support login with OIDC session management; address #456; thanks Paolo Battino
    • 👌 support 407 option on OIDCUnAuthAction; thanks @dfsin-sa

    🛠 Bugfixes

    • 🛠 fix parsing of values from metadata files when the default is non-NULL (e.g. UNSET)
    • enforce OIDCIDTokenSignedResponseAlg and OIDCUserInfoSignedResponseAlg; see #435
    • changed storing POST params from localStorage to sessionStorage due to some issue of losing data in localStorage in Firefox (private mode); see #447 #441
    • improve validation of the post-logout URL to avoid an open redirect; closes #449
    • unset chunked cookies if setting a non-chunked cookie; thanks @alindeman

    Other

    • ⚠ make cleaning of expired state cookies log with a warning rather than an error; thanks Pavel Drobov
    • return 200 OK for backchannel logout if session not found
    • ➕ added an Alpine Linux Dockerfile =~ 20MB container size; thanks @absynth76
    • try to fix graceful restart crash; see #458; thanks @studersi

    Packaging

    • 🚀 the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section in release 2.4.0
    • 📦 Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful
    • 🐧 packages for various other platforms such as Redhat Enterprise Linux 6, Redhat Enterprise Linux 7 Power PC (ppc64, ppc64le), older Debian distro's, SUSE LInux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64bit are available under a commercial agreement via support@zmartzone.eu

    🚀 This release was made possible thanks to sustaining sponsor GLUU.

    Please consider sponsoring maintenance and development of mod_auth_openidc via Patreon.

  • v2.4.0

    August 22, 2019

    Important

    • 🔖 version 2.4.0 carries quite a number of relatively small changes (see: Bugfixes and Features below) that are subtle but may impact runtime behavior nevertheless; you should verify an upgrade in a test environment before rolling out to production
    • this release deprecates the OAuth 2.0 Resource Server functionality which is now implemented as a separate module mod_oauth2.

    🛠 Bugfixes

    • URL-encode client_id/client_secret when using client_secret_basicaccording to: https://tools.ietf.org/html/rfc6749#section-2.3.1
    • 🛠 fix parsing and caching of OIDCOAuthServerMetadataURL; thanks Lance Fannin
    • fix oidc_proto_html_post auto-post-submit so it no longer results in duplicate parentheses; closes #440; thanks @gobreak
    • 🛠 fix RSA JWK x5c parsing issue (e.g. when parsing n fails): explicitly set the kid into to JWK
    • fix OIDCOAuthAcceptTokenAs post so POST data is propagated and not lost; see #443
    • 🛠 fix JWT decryption crashing on non-null terminated input
    • fix not clearing claims in session when setting claims to null; closes #445; thanks @FilipVujicic

    🔋 Features

    • 👌 support refresh and access tokens revocation from an RFC 7009 endpoint upon OIDC session logout
    • 🔧 make sure the content handler is called for every request to the configured Redirect URI so all Apache processing is executed (e.g. setting headers with mod_headers) before returning the response; thanks Don Sengpiehl (NB: this may affect browser behavior and backwards compatibility)
    • ➕ add ability to view session info in HTML via the session info hook via <redirect_uri)?info=html
    • enable per-provider signing and encryption keys in multi-provider setups (with limitations)
    • no longer use the fixup handler for environment variable setting but do it as part of the authn handler
    • add logout_on_error option to OIDCRefreshAccessTokenBeforeExpiry to kill the session when refreshing an access token fails; thanks @rickyepoderi
    • be smart about picking the token endpoint authentication method when not configured explicitly: don't choose the first one published by the OP but prefer client_secret_basic if that is listed as well see: panva/node-oidc-provider#514; thanks @richard-drummond and @panva

    Other

    • ✂ remove option OIDCScrubRequestHeaders that allows for skipping scrubbing request headers, thus avoiding potentially insecure setups
    • 🌲 log the original URL for expired state cookies, useful for debugging SPA/JS issues
    • add debug logs in oidc_proto_generate_random_string to allow for spotting lack of entropy in the random number generator (on VM environments) more easily
    • 🔧 add USE_URANDOM compile time option to use /dev/urandom explicitly for non-blocking random number generation: configure with APXS2_OPTS="-DUSE_URANDOM"
    • allow removing an access token from the cache ("remove_at_cache") when running in OAuth 2.0 RS mode only

    Packaging

    • 🍱 the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section
    • 📦 Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
    • 🐧 packages for various other platforms such as Redhat Enterprise Linux 6, Redhat Enterprise Linux 7 Power PC (ppc64, ppc64le), older Debian distro's, SUSE LInux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64bit are available under a commercial agreement via support@zmartzone.eu

    🚀 This release was made possible thanks to sustaining sponsor GLUU.

    Please consider sponsoring maintenance and development of mod_auth_openidc via Patreon.

  • v2.4.0.4

    November 08, 2019
    • just tagging along
  • v2.4.0.3

    October 03, 2019

    Security

    • improve validation of the post-logout URL parameter on logout; thanks AIMOTO Norihito; closes #449

    🛠 Bugfixes

    • changed storing POST params from localStorage to sessionStorage due to some issue of losing data in localStorage in Firefox (private mode); fixes #447 #441
  • v2.4.0.2

    October 03, 2019
  • v2.4.0.1

    October 02, 2019
  • v2.3.11

    March 13, 2019

    Features

    • dynamically pass query params to the authorization request; closes #401
      • using OIDCAuthRequestParams foo=# and/or OIDCPathAuthRequestParams foo=#
    • ➕ add session expiry info to session info hook response
      • session inactivity key is timeout now (was exp)
      • session expiry key is exp

    Other

    • 👍 allow compilation without memcache support on older platforms not providing apr_memcache.h

    Packaging

    • 🍱 the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section
    • 📦 Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
    • 🐧 packages for various other platforms such as Redhat Enterprise Linux 6, Redhat Enterprise Linux 7 Power PC (ppc64, ppc64le), SUSE LInux Enterprise Server, IBM HTTP Server 8.5.5 and Microsoft Windows 64bit are available under a commercial agreement via support@zmartzone.eu

    🚀 This release was made possible thanks to sustaining sponsor GLUU.

    Please consider sponsoring maintenance and development of mod_auth_openidc via Patreon.

  • v2.3.11.rc1

    February 25, 2019