release 2.4.16.3

Bugfixes

• fix segfault in child process initialization routine when using Redis and/or Metrics settings in vhosts; closes #1208; thanks @studersi and Brent van Laere
• fix OIDCCacheShmMax min/max settings; see #1260; thanks @bbartke
• allow overriding globally set OIDCCacheType back to shm in individual vhosts

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, SUSE Linux, Amazon Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via sales@openidc.com
• support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com

release 2.4.16.2

Note that a custom OIDCCacheShmMax setting cannot be configured with this release.

Bugfixes

• fix regressions from the configuration rewrite in 2.4.16/2.4.16.1
  • fix setting OIDCPKCEMethod none; closes #1256; thanks @eoliphan
  • fix disabled OIDCStateCookiePrefix command; closes #1254; thanks @damisanet
• re-introduce OIDCSessionMaxDuration 0; see #1252; thanks @amitmun
• improve resilience in case both Forwarded and X-Forwarded-* headers are configured and only X-Forwarded-* is passed in

Other

• remove support for OIDCHTMLErrorTemplate, deprecated since 2.4.14

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, SUSE Linux, Amazon Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via sales@openidc.com
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com

release 2.4.16.1

Note that OIDCPKCEMethod none, OIDCSessionMaxDuration 0, OIDCCacheShmMax and OIDCStateCookiePrefix cannot be used in this release, see: #1256, #1252, #1260 and #1254 respectively.

Security

• disable support for the RSA PKCS v1.5 JWE/JWT encryption algorithm as it is considered insecure due to the Marvin attack; it is removed from libcjose >= 0.6.2.3 as well; see GHSA-6x73-979p-x9jr

Features

• add Relying Party support for the FAPI 2.0 Security Profile (OpenID Financial-grade API v2.0)
• add Relying Party support for RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)
  configured through the OIDCDPoPMode [off|optional|required] primitive (dpop_mode in the .conf file in multi-OP setups)
• add support for RFC 9126 OAuth 2.0 Pushed Authorization Requests
  configured through OIDCProviderPushedAuthorizationRequestEndpoint and OIDCProviderAuthRequestMethod PAR
• add the nbf claim to the Request Object
• store the token_type in the session and make it available on the info hook together with the access_token
• replace multi-provider .conf issuer_specific_redirect_uri boolean with response_require_iss boolean
  to require the Provider to pass the iss value in authorization responses, mitigating the OP mixup attack
• return HTTP 502 when refreshing acces token or userinfo fails (default: 502_on_error)
• add support for OIDCOAuthIntrospectionEndpointKeyPassword, i.e. to configure a password for accessing the private key file used for OAuth 2.0 token introspection
• when an expression is configured for OIDCUnAuthAction (i.e. in the 2nd argument), also apply it to OIDCUnAutzAction so that it can be used to enable step-up authentication for SPAs with non-conformant browsers (some versions of Safari) and in (potentially insecure) iframes; see #1205; thanks @ryanwilliamnicholls

Bugfixes

• allow overriding defined global configuration primitives to their default value on the individual vhost level
• various fixes to applying default config values and disallowing global/vhost primitives in directory scopes
• apply input/boundary checking on all configuration and multi-provider metadata values
• memcache: correct dead server check on APR_NOTFOUND; see #1230; thanks @rpluem-vf
• tighten up the aud claim validation for received ID tokens

Other

• version 2.4.1.6 succesfully runs against the OpenID Certification test suite for the OIDC RP and FAPI2 RP profiles
• packages for the recent Ubuntu Noble stable release are added to the Assets section below

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, SUSE Linux, Amazon Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via sales@openidc.com
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com

release 2.4.16

superseded by 2.4.16.1 with a bugfix for parsing OIDCXForwardedHeaders, see: #1250

release 2.4.15.7

The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.

Bugfixes

• fix OIDCUserInfoRefreshInterval and interpret the interval as seconds, not as microseconds (broken in 2.4.15.6)

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, Amazon Linux, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via sales@openidc.com
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com

release 2.4.15.6

The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.

Bugfixes

• use SameSite=Lax when OIDCCookieSameSite is On (also the default since 2.4.15) instead of Strict as overriding from Lax to Strict does not work reliably anymore (i.e. on Chrome with certain plugins)
• signed_jwks_url: make the exp claim optional in signed JWK sets (OIDCProviderSignedJwksUri); see #1182; thanks @psteniusubi; ensures interoperability with the OpenID Federation specification
• cache: hash the cache key if it is larger than 512 bytes so large cache key entries (i.e. for JWT tokens) are no longer a problem in unencrypted SHM cache configs, i.e. the default shared memory cache setup; see issues/discussions on "could not construct cache key since key size is too large"
• cache: fix debug printout of cache key in oidc_cache_get introduced in 2.4.15
• http: fix applying the default HTTP short retry interval setting and use 300ms as default value
• userinfo: fix setting the exp claim in userinfo signed JWTs (exp would be now+0) when no expires_in is returned by the OpenID Connect Provider
• userinfo: fix signed JWT caching (if enabled) when the TTL is set to 0 or "" which should apply the exp claim as the cache TTL
• refresh: fix for expires_in string values returned from the token endpoint that would be interpreted as 0; this fixes using OIDCRefreshAccessTokenBeforeExpiry and OIDCUserInfoRefreshInterval with (older) Azure AD configs that would result in a token refresh on every request since 2.4.15 or a 401 in 2.4.14.4
• authz: fix evaluation of Require claim statements for nested array claims
• authz: properly handle parse errors in Require claim <name>:<integer> statements
• fix setting the default PKCE method to none in a multi-provider setup

Other

• userinfo refresh: don't try to refresh the access token and retry when a connectivity error has occurred
• logout: don't try to revoke tokens on post-access-token-refresh or post-userinfo-refresh-errors logouts
• (internal) session state: represent timestamps as JSON integers instead of strings, as also returned from the info hook

Features

• signed_jwks_uri: accept verification key set formatted as either JWK or JWKS; see #1191; thanks @psteniusubi
• redis: enable TCP keepalive on Redis connections by default and make it configurable with:
  OIDCRedisCacheConnectTimeout <connect-timeout> [0|<keep-alive-interval>]
• proto: accept strings as well as integers in the expires_in claim from the token endpoint to cater for non-spec compliant implementations
• userinfo: accept 0 in OIDCUserInfoRefreshInterval which will refresh userinfo on every request
• authz: add support for JSON real and null value matching in Require claim statements

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via sales@openidc.com
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com

release 2.4.15.3

The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.

Security

• fix CVE-2024-24814: prevent DoS when OIDCSessionType client-cookie is set and a crafted Cookie header is supplied, see the advisory; thanks @olipo186

Bugfixes

• rewrite handling of parallel refresh token grant requests
  • temporarily cache the results of the refresh token grant for other (almost) parallel callers
  • fixes handing on the same server, and improves clustered handling through a best-effort distributed cached lock, see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Known-Limitations#parallel-refresh-token-grants
  • improves handling of non-rollover refresh tokens since it avoids superfluous calls to the token endpoint
• avoid crash when Forwarded is not present but OIDCXForwardedHeaders Forwarded is configured for it; see #1171; thanks @daviddpd
• set Redis default retry interval time to 300 milliseconds (instead of 0.5ms) and make it configurable

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via sales@openidc.com
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com

release 2.4.15.2

commercial-binaries-only security patch release for CVE-2024-24814

release 2.4.15.1

The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.

Bugfixes

• fix Prometheus output overlap and re-organize metric/label naming; closes #1161; see #1162 and #1160; thanks @studersi
• fix OIDCCacheType file on Windows and use apr_file_rename() in file cache backend instead of rename() to fix Windows file renaming issue; thanks @adg-mh

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via sales@openidc.com
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com

release 2.4.15

The 2.4.15 release changes a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.

New Defaults

• use Proof Key for Code Exchange (PKCE S256) by default; disable by configuring OIDCPKCEMethod none
• use SameSite cookies Strict by default; disable by configuring OIDCCookieSameSite Off
• apply ISO-8859-1 (latin1) as default encoding mechanism for claim values passed in headers and environment variables to comply with https://www.rfc-editor.org/rfc/rfc5987; see #957; use OIDCPassClaimsAs <any> none for backwards compatibility

Bugfixes

• restore backwards compatibility wrt. allowing parallel refresh token requests by default, and add an option to prevent that (i.e. in case of rolling refresh tokens) using envvar OIDC_PARALLEL_REFRESH_NOT_ALLOWED
• do not apply logout_on_error and authenticate_on_error when a parallel refresh token request is detected see #1132; thanks @esunke
• fix SSL server certificate validation when revoking tokens and apply OIDCSSLValidateServer setting rather than OIDCOAuthSSLValidateServer in oidc_revoke_tokens; see #1141; thanks @mschmidt72
• make sure the shm cache entry size OIDCCacheShmEntrySizeMax is a multiple of 8 bytes, see #1067; thanks @sanzinger
• fix Redis connnect retries and make it configurable through environment variable OIDC_REDIS_MAX_TRIES

Features

• add metrics collection/observability capability with OIDCMetricsData and OIDCMetricsPublish, see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Observability
• generate or propagate the traceparent header on outgoing (and proxied) requests; ties the parent-id to the (8-byte hash of) the session or access token when available
• retry failed outgoing HTTP requests and add options to configure it in OIDCHTTPTimeoutLong/OIDCHTTPTimeoutShort
• improve error message in case of curl timeouts
• add capability to seamlessly rollover OIDCCryptoPassphrase using a (temporary) 2nd value that holds the previous one
• add iat and exp claims to request objects; closes #1137
• populate User-Agent header in outgoing HTTP requests with host, port, process-id, mod_auth_openidc, libcurl and OpenSSL version information and log it for debugging purposes

Other

• return HTTP 500 on token refresh errors instead of HTTP 401
• use only the User-Agent header as input for the state browser fingerprinting by default (no X-Forwarded-For)
• remove obsolete support for Token Binding https://www.rfc-editor.org/rfc/rfc8471.html (id_token, access_token, session cookie)
• use clang-format-17 for code formatting and reformat all code

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via sales@openidc.com
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com