OpenID v2.4.5 Release Notes
Release Date: 2020-11-23 // over 2 years ago-
Features
- disable caching token introspection results by setting
OIDCOAuthTokenIntrospectionIntervalto-1; thanks @wadahiro - ➕ add exec support to
OIDCCryptoPassphrase; thanks @spanglerco - ✂ delete stale session cookies that aren't in the cache; thanks @spanglerco
- 👍 allow
OIDCDiscoverURLto be a relative URL; thanks @spanglerco - ➕ add
OIDCCABundlePathfor configuring path to curl CA bundle; thanks @spanglerco
🛠 Bugfixes
- enable authentication of sub-requests when the main request doesn't require authentication; thanks @spanglerco
- fix content processing for info and JWKs handler so mod_headers etc. work; closes #497
- avoid Apache 2.4 appending 401 HTML document text to step-up authentication HTML refresh page; closes #484
- ➕ add config check for
OIDCCryptoPassphrasein OAuth 2.0 RS setup with cache encryption enabled - populate
AUTH_TYPEwhen performing authentication; thanks @spanglerco - 👌 improve sanity checking on Redis reply
🔒 Security
- ensure that
subis returned from the userinfo endpoint following https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse; prevents potential ID spoofing; thanks Christian Fries of Ruhr-University Bochum - 🖨 don't printout JSON errors about NULL characters in error log; thanks Christian Fries of Ruhr-University Bochum
- 🖨 restrict printout of JSON parsing errors to 4096 bytes; thanks Christian Fries of Ruhr-University Bochum
Packaging
- 🚀 the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section in release 2.4.0
Other
- 🐧 packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6, older Ubuntu and Debian distro's, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64bit are available under a commercial agreement via [email protected]
- 👌 support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via [email protected]
- disable caching token introspection results by setting
Previous changes from v2.4.4
-
Security
- prevent XSS and open redirect on OIDC session management OP iframe with generic
OIDCRedirectURLsAllowedprimitive; thanks Andrew Brady - ➕ add
OIDCStateCookiePrefixprimitive for the state cookie prefix to anonymise the state cookie name
🛠 Bugfixes
- 🛠 fix double
Set-Cookiebehaviour when usingclient-cookie, calling the session info hook and writing out a session update (twice); thanks @deisser - reverse order of creating HTML response and adding session cookie in info hook; thanks @deisser
- ✂ delete state cookie when it cannot be decoded/decrypted
- don't send
access_tokenin user info request when method is set to POST; OIDC conformance - 👍 allow
Content-Typecheck on backchannel logout to have postfixes (utf-8 etc) - terminate backchannel logout with DONE instead of OK to avoid authz error 500
- 🛠 fixes for various compiler warnings/issues (older and newer versions of GCC)
🔋 Features
- add conditional expression to
OIDCUnAuthAction; see #479; thanks @raro42 and @marcstern - ➕ add
grant_typesto dynamic client registration request - add recommended cache headers on backchannel logout response https://openid.net/specs/openid-connect-backchannel-1_0.html#rfc.section.2.8
Packaging
- 🚀 the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section in release 2.4.0
- 📦 Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful
- 🐧 packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6, older Debian distro's, SUSE LInux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64bit are available under a commercial agreement via [email protected]
- prevent XSS and open redirect on OIDC session management OP iframe with generic