
Changelog History
Page 2

  • v2.4.0.2

    October 03, 2019
  • v2.4.0.1

    October 02, 2019
  • v2.3.11 Changes

    March 13, 2019

    Features

    • dynamically pass query params to the authorization request; closes #401
      • using OIDCAuthRequestParams foo=# and/or OIDCPathAuthRequestParams foo=#
    • add session expiry info to session info hook response
      • session inactivity key is timeout now (was exp)
      • session expiry key is exp

    Other

    • allow compilation without memcache support on older platforms not providing apr_memcache.h

    Packaging

    • the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section
    • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
    • packages for various other platforms such as Redhat Enterprise Linux 6, Redhat Enterprise Linux 7 Power PC (ppc64, ppc64le), SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5 and Microsoft Windows 64bit are available under a commercial agreement via [email protected]

    This release was made possible thanks to sustaining sponsor GLUU.

    Please consider sponsoring maintenance and development of mod_auth_openidc via Patreon.

  • v2.3.11.rc1

    February 25, 2019
  • v2.3.10

    December 31, 2018
  • v2.3.10.2 Changes

    January 22, 2019

    Security

    • fix XSS vulnerability CSNC-2019-001 wrt. poll parameter in OIDC Session Management RP iframe; thanks Mischa Bachmann

    This release was made possible thanks to sustaining sponsor GLUU.

    Please consider sponsoring maintenance and development of mod_auth_openidc via Patreon.

    Packaging

    • the libcjose >= 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
    • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
    • packages for various other platforms such as Redhat Enterprise Linux 6, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5 and Microsoft Windows 64bit are available under a commercial agreement via [email protected]
  • v2.3.10.1 Changes

    January 16, 2019

    Note: 2.3.10.1 fixes a bug in 2.3.10 wrt. query parameter duplication in the URL, see #420

    This release was made possible thanks to sustaining sponsor GLUU.

    Please consider sponsoring maintenance and development of mod_auth_openidc via Patreon.

    Bugfixes

    • retain the unparsed URL path in current/original URL determination, thereby preserving and supporting URL-encoded characters in paths when redirecting back to the original URL; thanks Michael Furman
    • fix encryption buffer tag length mismatch

    Features

    • optionally delete the oldest state cookie(s) using OIDCStateMaxNumberOfCookies <number> true; see #399
    • add state to code exchange token requests only in multi-provider setups; see #402; thanks @ecattez
    • add support for refreshing an access token associated with an OIDC session using OIDCRefreshAccessTokenBeforeExpiry; thanks Andreas Hanisch

    Packaging

    • the libcjose >= 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
    • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
    • Windows 64bit builds (and builds for various other platforms) are available under a commercial agreement via [email protected]
  • v2.3.9 Changes

    November 15, 2018

    Bugfixes

    • ignore/trim spaces in X-Forwarded-* headers
    • fix OAuth 2.0 RS config check when just OIDCOAuthServerMetadataURL is set; thanks @psteniusubi
    • fix parsing of cookie name in OIDCOAuthAcceptTokenAs when the cookie option is not listed last

    Features

    Other

    • add test-cmd command to generate hashed base64urlencoded inputs (i.e. for cnf/tbh claims)

    Packaging

    • the libcjose >= 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
    • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
  • v2.3.8 Changes

    September 12, 2018

    Bugfixes

    • fix return result FALSE when JWT payload parsing fails; see #389; thanks @amdonov
    • fix reading access_token from POST parameters when combined with AuthType auth-openidc; see #376; thanks Nicolas Salerno
    • fix using access token as endpoint auth method in introspection calls; closes #377; thanks @skauffmann

    Features

    • add option to set an upper limit to the number of concurrent state cookies via OIDCStateMaxNumberOfCookies; see #331
    • make the default maximum number of parallel state cookies 7 instead of unlimited; see #331
    • improve auto-detection of XMLHttpRequests via Accept header; see #331
    • allow usage with LibreSSL; closes #380; thanks @hihellobolke

    Other

    • initialize test_proto_authorization_request properly; see #382; thanks @jdennis
    • add sanity check on provider->auth_request_method; closes #382; thanks @jdennis
    • add LGTM code quality badges, see #385; thanks @xcorail

    Packaging

    • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
    • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
  • v2.3.7 Changes

    July 06, 2018

    ⬆️ You are strongly advised to upgrade to 2.3.7 when using Redis caching across multiple vhosts in the same Apache server.

    Bugfixes

    • fix Redis concurrency issue when used with multiple vhosts which would lead to cache corruption and random cache entry swaps
    • clear session cookie and contents if cache corruption is detected to avoid looping
    • abort when string length for remote user name substitution is >=255 characters (e.g. in Distinguished Names) and deal with lengths >50

    Features

    • add support for authorization server metadata Discovery documents with OIDCOAuthServerMetadataURL in OAuth 2.0 Resource Server setups as specified in RFC 8414

    Packaging

    • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
    • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise