release 2.4.9.1

Bugfixes

• fix retried Redis commands after a reconnect; see #642; thanks @iainh

Dependencies

• libcjose >= 0.5.1

Commercial

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via sales@zmartzone.eu
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via sales@zmartzone.eu

release 2.4.9

Note that the format of encrypted cache contents have changed and as such existing server side sessions cannot survive an update to 2.4.9. Clearing the cache contents before restarting the Apache server with the upgraded module is advised.

Security

• use redisvCommand to avoid crash with crafted key when using Redis without encryption; thanks @thomas-chauchefoin-sonarsource
• replace potentially harmful backslashes with forward slashes when validating redirection URLs; thanks @thomas-chauchefoin-sonarsource
• avoid XSS vulnerability when using OIDCPreservePost On and supplying URLs that contain single quotes; thanks @oss-aimoto
• return OK in the content handler for calls to the redirect URI and when preserving POST data; prevent (intermittent) disclosure of content hosted at a (non-vanity) redirect URI location
• use encrypted JWTs for storing encrypted cache contents and avoid using static AAD/IV; thanks @niebardzo

Bugfixes

• verify that alg is not none in logout_token explicitly
• don't clear POST params authn on token revocation; thanks @iainh
• fix a problem where the host and port are calculated incorrectly when using literal ipv6 address.

Other

• make session not found on backchannel logout produce a log warning instead of error
• handle discovery in the content handler
• strip A256GCM JWT header from encrypted JWTs used for state cookies, cache encryption and by-value session cookies resulting in smaller cookies and reduced cache content size

Dependencies

• libcjose >= 0.5.1

Commercial

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via sales@zmartzone.eu
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via sales@zmartzone.eu

release 2.4.8.4

Bugfixes

• do not send state timeout HTML document when OIDCDefaultURL is set; this can be overridden by using e.g.: SetEnvIfExpr true OIDC_NO_DEFAULT_URL_ON_STATE_TIMEOUT=true

Dependencies

• libcjose >= 0.5.1

Other

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via sales@zmartzone.eu
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via sales@zmartzone.eu

release 2.4.8.3

Bugfixes

• avoid Apache 2.4 appending 400/302(200/404) HTML document text to state timeout HTML info page see also f5959d7 and #484; at least Debian Buster was affected

Other

• make error "session corrupted: no issuer found in session" a warning only so a logout call for a non-existing session no longer produces error messages

release 2.4.8.2

Bugfixes

• store timestamps in session in seconds to avoid string conversion problems on some (libapr-1) platform build/run combinations, causing "maximum session duration exceeded" errors

Dependencies

• libcjose >= 0.5.1

Other

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via sales@zmartzone.eu
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via sales@zmartzone.eu

release 2.4.8.1

Security

• fix potential crash when the Content-Type header is not set in POST requests; thanks Tatsuhiko Yasumatsu of JPCERT/CC (CVE-2021-20718 and JVN#49704918)

Bugfixes

• avoid jwt/proto_state json_object memory leaks on cache failures
• when an OAuth 2.0 RS token scope/claim authorization (401 ) error occurs, add a OIDC_OAUTH_BEARER_SCOPE_ERROR environment variable for usage with mod_headers, instead of adding a header ourselves; see #572; usage, e.g;

  Header always append WWW-Authenticate %{OIDC_OAUTH_BEARER_SCOPE_ERROR}e "expr=(%{REQUEST_STATUS} == 401) && (-n reqenv('OIDC_OAUTH_BEARER_SCOPE_ERROR'))"
  

  Note: if you're using mod_auth_openidc in OAuth 2.0 RS mode and your clients rely on the WWW-Authenticate header the above is a breaking change, and you'll need to explicitly set that header now.

Features

• add options to configure Redis connectivity timeouts with OIDCRedisCacheConnectTimeout and OIDCRedisCacheTimeout
• add OIDCClientTokenEndpointKeyPassword option to set a private key password for the client's private key to be used against the token endpoint; see #576

Dependencies

• libcjose >= 0.5.1

Other

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via sales@zmartzone.eu
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via sales@zmartzone.eu

release 2.4.7

Bugfixes

• avoid logged-out sessions remaining (valid) in the session cache: remove session from cache before clearing it; see #542

Features

• add maximum session lifetime (exp), inactivity timeout (timeout) and remote_user to OIDCInfoHook; closes #541

Security

• add opt-out on sub check in userinfo endpoint response using the (undocumented) OIDC_NO_USERINFO_SUB environment variable, for backwards (but insecure) compatibility, see #544

Dependencies

• libcjose >= 0.5.1

Other

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via sales@zmartzone.eu
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via sales@zmartzone.eu

release 2.4.6

Bugfixes

• don't set SameSite=None on cookies when on plain http
• fix semaphore cleanup on graceful restarts; see #522
• fix inconsistent public/private keys loading order; closes #515
• return HTTP 400 Bad Request instead of 500 Internal Server Error when state cookie matching fails
• optimize Redis AUTH execution once per connection
• avoid segmentation fault when hitting an endpoint configured with AuthType openid-connect in an OAuth 2.0 only setup; see #529
• make sure the module compiles with Apache 2.2 for passphrase exec:

Features

• add Redis database selection option with OIDCRedisCacheDatabase; closes #423
• add base64url option to OIDCPassClaimsAs primitive; closes #417
• add environment variable to control libcURL CURLOPT_SSL_OPTIONS behaviors e.g.:
  SetEnvIfExpr true CURLOPT_SSL_OPTIONS=CURLSSLOPT_NO_REVOKE
• removed support for https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state

Security

• avoid displaying the client_secret in debug logs

Dependencies

• libcjose >= 0.5.1

Other

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via sales@zmartzone.eu
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via sales@zmartzone.eu

release 2.4.5

Features

• disable caching token introspection results by setting OIDCOAuthTokenIntrospectionInterval to -1; thanks @wadahiro
• add exec support to OIDCCryptoPassphrase; thanks @spanglerco
• delete stale session cookies that aren't in the cache; thanks @spanglerco
• allow OIDCDiscoverURL to be a relative URL; thanks @spanglerco
• add OIDCCABundlePath for configuring path to curl CA bundle; thanks @spanglerco

Bugfixes

• enable authentication of sub-requests when the main request doesn't require authentication; thanks @spanglerco
• fix content processing for info and JWKs handler so mod_headers etc. work; closes #497
• avoid Apache 2.4 appending 401 HTML document text to step-up authentication HTML refresh page; closes #484
• add config check for OIDCCryptoPassphrase in OAuth 2.0 RS setup with cache encryption enabled
• populate AUTH_TYPE when performing authentication; thanks @spanglerco
• improve sanity checking on Redis reply

Security

• ensure that sub is returned from the userinfo endpoint following https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse; prevents potential ID spoofing; thanks Christian Fries of Ruhr-University Bochum
• don't printout JSON errors about NULL characters in error log; thanks Christian Fries of Ruhr-University Bochum
• restrict printout of JSON parsing errors to 4096 bytes; thanks Christian Fries of Ruhr-University Bochum

Dependencies

• libcjose >= 0.5.1

Other

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6, older Ubuntu and Debian distro's, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64bit are available under a commercial agreement via sales@zmartzone.eu
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via sales@zmartzone.eu

release 2.4.4.1

Bugfixes

• add SameSite=None attribute on cookie clearance / logout and make sure it works in OP iframes

Packaging

• packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6, older Debian distro's, SUSE LInux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64bit are available under a commercial agreement via sales@zmartzone.eu