OpenID v2.4.5 Release Notes

Release Date: 2020-11-23
  Features

    • disable caching token introspection results by setting OIDCOAuthTokenIntrospectionInterval to -1; thanks @wadahiro
    • add exec support to OIDCCryptoPassphrase; thanks @spanglerco
    • delete stale session cookies that aren't in the cache; thanks @spanglerco
    • allow OIDCDiscoverURL to be a relative URL; thanks @spanglerco
    • add OIDCCABundlePath for configuring the path to the curl CA bundle; thanks @spanglerco

  Bugfixes

    • enable authentication of sub-requests when the main request doesn't require authentication; thanks @spanglerco
    • fix content processing for info and JWKs handler so mod_headers etc. work; closes #497
    • avoid Apache 2.4 appending 401 HTML document text to step-up authentication HTML refresh page; closes #484
    • add config check for OIDCCryptoPassphrase in OAuth 2.0 RS setup with cache encryption enabled
    • populate AUTH_TYPE when performing authentication; thanks @spanglerco
    • improve sanity checking on Redis reply

  Security

    • ensure that sub is returned from the userinfo endpoint following https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse; prevents potential ID spoofing; thanks Christian Fries of Ruhr-University Bochum
    • don't print JSON errors about NULL characters in the error log; thanks Christian Fries of Ruhr-University Bochum
    • restrict printout of JSON parsing errors to 4096 bytes; thanks Christian Fries of Ruhr-University Bochum
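The three security items above describe one defensive pattern on the relying-party side: a UserInfo response is only usable when it carries a sub that matches the ID token's sub (OpenID Connect Core 1.0, section 5.3.2), and parser errors from an untrusted response are sanitised before they reach a log. The following is an added illustration written for these notes, not code from mod_auth_openidc; the function names, the UserInfoError class and the sample responses are constructed for the example.

```python
import json
import re

# Cap on how much of a JSON parser error is reproduced in the log (as in this release)
MAX_JSON_ERROR_LEN = 4096
# Control characters (NUL included) are dropped before an error message is logged
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class UserInfoError(Exception):
    """Raised when a UserInfo response must not be used for the current session."""


def loggable_error(message: str) -> str:
    """Strip control characters and truncate so a hostile response cannot pollute or flood the log."""
    return _CONTROL_CHARS.sub("", message)[:MAX_JSON_ERROR_LEN]


def validate_userinfo(id_token_sub: str, userinfo_body: bytes) -> dict:
    """Parse a UserInfo response and return its claims only when 'sub' is present
    and exactly matches the 'sub' of the ID token issued for this session."""
    try:
        claims = json.loads(userinfo_body)
    except ValueError as exc:
        raise UserInfoError("userinfo response is not valid JSON: "
                            + loggable_error(str(exc))) from None
    if not isinstance(claims, dict):
        raise UserInfoError("userinfo response is not a JSON object")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise UserInfoError("userinfo response has no 'sub' claim; response discarded")
    if sub != id_token_sub:
        raise UserInfoError("userinfo 'sub' does not match the ID token 'sub'; response discarded")
    return claims


def accept_userinfo(id_token_sub: str, userinfo_body: bytes):
    """Session-building wrapper: claims dict on success, None (and a log line) otherwise."""
    try:
        return validate_userinfo(id_token_sub, userinfo_body)
    except UserInfoError as exc:
        print("rejected userinfo response:", loggable_error(str(exc)))
        return None


if __name__ == "__main__":
    # Constructed sample responses; the ID token in this session identifies "alice-123"
    print(accept_userinfo("alice-123", b'{"sub": "alice-123", "email": "alice@example.test"}'))
    print(accept_userinfo("alice-123", b'{"email": "admin@example.test"}'))       # no sub
    print(accept_userinfo("alice-123", b'{"sub": "admin-1", "email": "x@example.test"}'))  # wrong sub
```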

  Packaging

    • the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section in release 2.4.0

  Other

    • packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6, older Ubuntu and Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64bit are available under a commercial agreement via [email protected]
    • support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via [email protected]

Previous changes from v2.4.4

  Security

    • prevent XSS and open redirect on OIDC session management OP iframe with generic OIDCRedirectURLsAllowed primitive; thanks Andrew Brady
    • add OIDCStateCookiePrefix primitive for the state cookie prefix to anonymise the state cookie name

  Bugfixes

    • fix double Set-Cookie behaviour when using client-cookie, calling the session info hook and writing out a session update (twice); thanks @deisser
    • reverse order of creating HTML response and adding session cookie in info hook; thanks @deisser
    • delete state cookie when it cannot be decoded/decrypted
    • don't send access_token in user info request when method is set to POST; OIDC conformance
    • allow Content-Type check on backchannel logout to have postfixes (utf-8 etc.)
    • terminate backchannel logout with DONE instead of OK to avoid authz error 500
    • fixes for various compiler warnings/issues (older and newer versions of GCC)

  Features

  Packaging

    • the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section in release 2.4.0
    • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful
    • packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6, older Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64bit are available under a commercial agreement via [email protected]