Changelog History

  • v2.4.5 Changes

    November 23, 2020

    Features

    • disable caching token introspection results by setting OIDCOAuthTokenIntrospectionInterval to -1; thanks @wadahiro
    • add exec support to OIDCCryptoPassphrase; thanks @spanglerco
    • delete stale session cookies that aren't in the cache; thanks @spanglerco
    • allow OIDCDiscoverURL to be a relative URL; thanks @spanglerco
    • add OIDCCABundlePath for configuring the path to the curl CA bundle; thanks @spanglerco

    Bugfixes

    • enable authentication of sub-requests when the main request doesn't require authentication; thanks @spanglerco
    • fix content processing for info and JWKs handler so mod_headers etc. work; closes #497
    • avoid Apache 2.4 appending 401 HTML document text to step-up authentication HTML refresh page; closes #484
    • add config check for OIDCCryptoPassphrase in OAuth 2.0 RS setup with cache encryption enabled
    • populate AUTH_TYPE when performing authentication; thanks @spanglerco
    • improve sanity checking on Redis reply

    Security

    • ensure that sub is returned from the userinfo endpoint following https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse; prevents potential ID spoofing; thanks Christian Fries of Ruhr-University Bochum
    • don't print JSON errors about NULL characters in the error log; thanks Christian Fries of Ruhr-University Bochum
    • restrict printout of JSON parsing errors to 4096 bytes; thanks Christian Fries of Ruhr-University Bochum
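    The userinfo handling described by the three Security entries above, as an added Python example that is not the module's own C code: it requires the `sub` claim and matches it against the ID token's `sub` (OpenID Connect Core 1.0, section 5.3.2), and it strips NUL characters from and caps the JSON parser error text that would be logged. The sample responses, the function names and the MAX_ERR_LEN constant are constructed for illustration.

```python
import json

# Constructed sample inputs for illustration (not taken from the project).
ID_TOKEN_SUB = "248289761001"
USERINFO_OK = '{"sub": "248289761001", "name": "Jane Doe"}'
USERINFO_NO_SUB = '{"name": "Jane Doe", "email": "jane@example.com"}'
USERINFO_WRONG_SUB = '{"sub": "999", "name": "Mallory"}'
USERINFO_BROKEN = '{"sub": "248289761001", "name": "Ja\x00ne' + "x" * 10000

MAX_ERR_LEN = 4096  # cap on logged parser error text, mirroring the 2.4.5 entry


def parse_userinfo(body: str):
    """Parse the userinfo body; return (claims, None) or (None, error_text).

    The error text is what a server would write to its error log: NUL bytes
    are dropped and the text is truncated to MAX_ERR_LEN bytes, so a hostile
    or oversized response cannot push control characters into, or flood, the log.
    """
    try:
        return json.loads(body), None
    except json.JSONDecodeError as e:
        msg = f"userinfo JSON parse error: {e.msg} at pos {e.pos}: {e.doc[e.pos:]}"
        msg = msg.replace("\x00", "")
        return None, msg.encode("utf-8")[:MAX_ERR_LEN].decode("utf-8", "ignore")


def validate_userinfo(body: str, id_token_sub: str):
    """Accept the userinfo response only if its 'sub' is present and equals the
    ID token's 'sub' (OpenID Connect Core 1.0, section 5.3.2); otherwise
    return (None, reason) and the caller must discard the claims."""
    claims, err = parse_userinfo(body)
    if err is not None:
        return None, err
    if not isinstance(claims, dict):
        return None, "userinfo response is not a JSON object"
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        return None, "userinfo response lacks required 'sub' claim"
    if sub != id_token_sub:
        # A mismatching sub means these claims belong to a different user;
        # binding them to this session would let the subject be spoofed.
        return None, "userinfo 'sub' does not match ID token 'sub'"
    return claims, None


if __name__ == "__main__":
    for body in (USERINFO_OK, USERINFO_NO_SUB, USERINFO_WRONG_SUB, USERINFO_BROKEN):
        claims, err = validate_userinfo(body, ID_TOKEN_SUB)
        print("accepted" if claims else f"rejected: {err[:80]}")
```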

    Packaging

    • the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section in release 2.4.0

    Other

    • packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6, older Ubuntu and Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64-bit are available under a commercial agreement via [email protected]
    • support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via [email protected]
  • v2.4.4 Changes

    September 01, 2020

    Security

    • prevent XSS and open redirect on OIDC session management OP iframe with generic OIDCRedirectURLsAllowed primitive; thanks Andrew Brady
    • add OIDCStateCookiePrefix primitive for the state cookie prefix to anonymise the state cookie name

    Bugfixes

    • fix double Set-Cookie behaviour when using client-cookie, calling the session info hook and writing out a session update (twice); thanks @deisser
    • reverse order of creating HTML response and adding session cookie in info hook; thanks @deisser
    • delete state cookie when it cannot be decoded/decrypted
    • don't send access_token in user info request when method is set to POST; OIDC conformance
    • allow Content-Type check on backchannel logout to have postfixes (utf-8 etc.)
    • terminate backchannel logout with DONE instead of OK to avoid authz error 500
    • fixes for various compiler warnings/issues (older and newer versions of GCC)

    Features

    Packaging

    • the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section in release 2.4.0
    • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful
    • packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6, older Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64-bit are available under a commercial agreement via [email protected]
  • v2.4.4.1 Changes

    September 03, 2020

    Bugfixes

    • add SameSite attribute on cookie clearance / logout
  • v2.4.3 Changes

    June 10, 2020

    This release addresses an open redirect in the refresh token handler.

    Bugfixes

    • prevent open redirect on refresh token requests;
      add new OIDCRedirectURLsAllowed primitive to handle post-logout and refresh-return-to validation;
      addresses #453; closes #466
    • when stripping cookies, add a space between cookies in the resulting header (required by RFC 6265)
    • fix compilation against Apache 2.0

    Features

    • add OIDCStateInputHeaders that allows configuring the header values used to calculate the fingerprint of the state during authentication
    • added OIDCValidateIssuer primitive to allow disabling of issuer matching; helps to support multi-tenant applications, e.g. Microsoft AAD

    Packaging

    • the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section in release 2.4.0
    • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful
    • packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), older Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64-bit are available under a commercial agreement via [email protected]

    This release was made possible thanks to sustaining sponsor GLUU.

  • v2.4.2

    March 24, 2020
  • v2.4.2.1 Changes

    March 25, 2020

    This release fixes the SameSite Set-Cookie behaviour introduced in 2.4.1 when by-value session cookies are used, and it fixes a memory leak in an OAuth 2.0 Resource Server setup when using JWT token validation.

    Bugfixes

    • also add SameSite=None to by-value session cookies
    • avoid memory leak in OAuth 2.0 JWT validation; closes #470; thanks Conrad Thukral
    • destroy shared memory segments only in parent process; see #458
    • if content was already returned via an HTML/HTTP send, return 200 rather than 500 so that some Apache 2.4.x versions (e.g. CentOS 7) don't append extraneous internal error document text to the response
    • fix configured private/public key cleanup on process exit

    Features

    Packaging

    • the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section in release 2.4.0
    • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful
    • packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), older Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64-bit are available under a commercial agreement via [email protected]

    This release was made possible thanks to sustaining sponsor GLUU.

  • v2.4.1 Changes

    January 30, 2020

    This release primarily addresses upcoming changes in SameSite Set-Cookie behaviour in Chrome and Firefox, see: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

    Features

    • always add a SameSite value (default None) to the Set-Cookie header value; this can be overridden by using the environment variable OIDC_SET_COOKIE_APPEND, e.g.:
      SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
    • add the possibility to use a public key instead of a certificate for the OIDCPublicKeyFiles parameter; thanks @absynth76
    • support login with OIDC session management; addresses #456; thanks Paolo Battino
    • support 407 option on OIDCUnAuthAction; thanks @dfsin-sa

    Bugfixes

    • fix parsing of values from metadata files when the default is non-NULL (e.g. UNSET)
    • enforce OIDCIDTokenSignedResponseAlg and OIDCUserInfoSignedResponseAlg; see #435
    • changed storing POST params from localStorage to sessionStorage due to some issue of losing data in localStorage in Firefox (private mode); see #447 #441
    • improve validation of the post-logout URL to avoid an open redirect; closes #449
    • unset chunked cookies if setting a non-chunked cookie; thanks @alindeman

    Other

    • make cleaning of expired state cookies log a warning rather than an error; thanks Pavel Drobov
    • return 200 OK for backchannel logout if session not found
    • added an Alpine Linux Dockerfile (about 20 MB container size); thanks @absynth76
    • try to fix graceful restart crash; see #458; thanks @studersi

    Packaging

    • the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section in release 2.4.0
    • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful
    • packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), older Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64-bit are available under a commercial agreement via [email protected]

    This release was made possible thanks to sustaining sponsor GLUU.

    Please consider sponsoring maintenance and development of mod_auth_openidc via Patreon.

  • v2.4.0 Changes

    August 22, 2019

    Important

    • version 2.4.0 carries quite a number of relatively small changes (see: Bugfixes and Features below) that are subtle but may nevertheless impact runtime behavior; you should verify an upgrade in a test environment before rolling out to production
    • this release deprecates the OAuth 2.0 Resource Server functionality, which is now implemented as a separate module, mod_oauth2

    Bugfixes

    • URL-encode client_id/client_secret when using client_secret_basic, according to: https://tools.ietf.org/html/rfc6749#section-2.3.1
    • fix parsing and caching of OIDCOAuthServerMetadataURL; thanks Lance Fannin
    • fix oidc_proto_html_post auto-post-submit so it no longer results in duplicate parentheses; closes #440; thanks @gobreak
    • fix RSA JWK x5c parsing issue (e.g. when parsing n fails): explicitly set the kid into the JWK
    • fix OIDCOAuthAcceptTokenAs post so POST data is propagated and not lost; see #443
    • fix JWT decryption crashing on non-null-terminated input
    • fix not clearing claims in session when setting claims to null; closes #445; thanks @FilipVujicic

    Features

    • support refresh and access token revocation from an RFC 7009 endpoint upon OIDC session logout
    • make sure the content handler is called for every request to the configured Redirect URI so all Apache processing is executed (e.g. setting headers with mod_headers) before returning the response; thanks Don Sengpiehl (NB: this may affect browser behavior and backwards compatibility)
    • add ability to view session info in HTML via the session info hook via <redirect_uri>?info=html
    • enable per-provider signing and encryption keys in multi-provider setups (with limitations)
    • no longer use the fixup handler for environment variable setting but do it as part of the authn handler
    • add logout_on_error option to OIDCRefreshAccessTokenBeforeExpiry to kill the session when refreshing an access token fails; thanks @rickyepoderi
    • be smart about picking the token endpoint authentication method when not configured explicitly: don't choose the first one published by the OP but prefer client_secret_basic if that is listed as well; see: panva/node-oidc-provider#514; thanks @richard-drummond and @panva

    Other

    • remove option OIDCScrubRequestHeaders that allowed skipping the scrubbing of request headers, thus avoiding potentially insecure setups
    • log the original URL for expired state cookies, useful for debugging SPA/JS issues
    • add debug logs in oidc_proto_generate_random_string to allow for spotting lack of entropy in the random number generator (on VM environments) more easily
    • add USE_URANDOM compile-time option to use /dev/urandom explicitly for non-blocking random number generation: configure with APXS2_OPTS="-DUSE_URANDOM"
    • allow removing an access token from the cache ("remove_at_cache") when running in OAuth 2.0 RS mode only

    Packaging

    • the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section
    • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
    • packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), older Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64-bit are available under a commercial agreement via [email protected]

    This release was made possible thanks to sustaining sponsor GLUU.

    Please consider sponsoring maintenance and development of mod_auth_openidc via Patreon.

  • v2.4.0.4 Changes

    November 08, 2019
    • just tagging along
  • v2.4.0.3 Changes

    October 03, 2019

    Security

    • improve validation of the post-logout URL parameter on logout; thanks AIMOTO Norihito; closes #449

    Bugfixes

    • changed storing POST params from localStorage to sessionStorage due to some issue of losing data in localStorage in Firefox (private mode); fixes #447 #441