OpenID v2.4.2.1 Release Notes
Release Date: 2020-03-25
This release fixes the SameSite Set-Cookie behaviour introduced in 2.4.1 when by-value session cookies are used, and it fixes a memory leak in an OAuth 2.0 Resource Server setup when using JWT token validation.
Bugfixes
- also add SameSite=None to by-value session cookies
- avoid memory leak in OAuth 2.0 JWT validation; closes #470; thanks Conrad Thukral
- destroy shared memory segments only in parent process; see #458
- if content was already returned via html/http send, don't return 500 but send 200, to avoid extraneous internal error document text being sent on some Apache 2.4.x versions, e.g. on CentOS 7
- fix configured private/public key cleanup on process exit
Features
- allow for expressions in Require statements, see #469; thanks @wwaaron
  also see: https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization#expressions-in-require-statements
- always refresh keys from jwks_uri when there is no kid in the JWT header
- if OIDCPublicKeyFiles contains a certificate, the corresponding x5c, x5t and x5t#256 parameters will be added to the generated jwkset available at "<redirect_uri>?jwks=rsa"; thanks @absynth76
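The following is an added example, not code from mod_auth_openidc: a check that the X.509 parameters in a published JWK match the certificate file you deployed, using the encodings from RFC 7517 (which registers the SHA-256 thumbprint under the name x5t#S256). The function names and the sample PEM are assumptions made for illustration; the sample body is constructed bytes, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def b64url(data: bytes) -> str:
    """base64url without padding, as used for x5t and x5t#S256."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def x5_params(pem_text: str) -> dict:
    """Derive the X.509 JWK parameters from a PEM file (leaf certificate first)."""
    ders = [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]
    if not ders:
        raise ValueError("no certificate found in PEM input")
    leaf = ders[0]
    return {
        # x5c is standard base64 (with padding), one entry per certificate
        "x5c": [base64.b64encode(d).decode() for d in ders],
        # thumbprints are digests of the leaf certificate's DER bytes
        "x5t": b64url(hashlib.sha1(leaf).digest()),
        "x5t#S256": b64url(hashlib.sha256(leaf).digest()),
    }

def mismatches(jwk: dict, pem_text: str) -> list:
    """Return the X.509 parameters of a published JWK that are missing or
    differ from the values derived from the locally deployed certificate."""
    expected = x5_params(pem_text)
    return [name for name, value in expected.items() if jwk.get(name) != value]

# Constructed sample: the body is arbitrary bytes, not a real certificate.
# Thumbprints cover the raw DER bytes, so no ASN.1 parsing is needed here.
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    published = dict(x5_params(SAMPLE_PEM), kty="RSA", kid="constructed-kid")
    print(mismatches(published, SAMPLE_PEM))   # entry matches the certificate
    published["x5t#S256"] = b64url(hashlib.sha256(b"other").digest())
    print(mismatches(published, SAMPLE_PEM))   # stale thumbprint is reported
```

A non-empty result after a certificate rotation means the published jwkset still describes the old certificate, or the file on disk is not the one the server loaded.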
Packaging
- the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section in release 2.4.0
- Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful
- packages for various other platforms such as Redhat Enterprise Linux 6, Redhat Enterprise Linux 7 Power PC (ppc64, ppc64le), older Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64bit are available under a commercial agreement via [email protected]
This release was made possible thanks to sustaining sponsor GLUU.