Releases: OpenIDC/mod_auth_openidc
release 2.4.9.1
Bugfixes
Dependencies
libcjose >= 0.5.1
Commercial
- binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via sales@zmartzone.eu
- support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via sales@zmartzone.eu
release 2.4.9
Note that the format of encrypted cache contents have changed and as such existing server side sessions cannot survive an update to 2.4.9. Clearing the cache contents before restarting the Apache server with the upgraded module is advised.
Security
- use `redisvCommand` to avoid crash with crafted key when using Redis without encryption; thanks @thomas-chauchefoin-sonarsource
- replace potentially harmful backslashes with forward slashes when validating redirection URLs; thanks @thomas-chauchefoin-sonarsource
- avoid XSS vulnerability when using `OIDCPreservePost On` and supplying URLs that contain single quotes; thanks @oss-aimoto
- return OK in the content handler for calls to the redirect URI and when preserving POST data; prevent (intermittent) disclosure of content hosted at a (non-vanity) redirect URI location
- use encrypted JWTs for storing encrypted cache contents and avoid using static AAD/IV; thanks @niebardzo
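The backslash fix in this release concerns a mismatch between how a server-side check and a browser parse the same URL: browsers treat `\` like `/` in http(s) URLs, so a redirect target that a naive check classifies as a local path can be followed by the browser to a different host. The Python below is an added illustration, not the module's code: it shows a naive local-redirect check beside a hardened one that folds backslashes into forward slashes before validating, which is the approach the release note describes. `ALLOWED_HOSTS` and the sample URLs are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed allow-list: the only hosts this deployment may redirect to.
ALLOWED_HOSTS = {"app.example"}


def _policy(candidate: str) -> bool:
    """Shared policy: absolute URLs must be https to an allowed host; anything
    else must be a single-slash local path (never protocol-relative '//')."""
    p = urlparse(candidate)
    if p.scheme or p.netloc:
        return p.scheme == "https" and p.netloc in ALLOWED_HOSTS
    return candidate.startswith("/") and not candidate.startswith("//")


def naive_is_safe_redirect(url: str) -> bool:
    """Validates the URL exactly as received. urlparse sees '/\\host/...' as a
    plain path with no host, so the check accepts it even though a browser
    treats the backslash as a slash and navigates to 'host'."""
    return _policy(url)


def hardened_is_safe_redirect(url: str) -> bool:
    """Same policy, but backslashes are replaced by forward slashes first, so the
    validator parses the URL the way the browser will."""
    normalized = url.replace("\\", "/")
    return _policy(normalized)


if __name__ == "__main__":
    for sample in ["/dashboard", "/\\evil.example/x", "https://app.example/home",
                   "https://evil.example/", "//evil.example/"]:
        print(f"{sample!r:28} naive={naive_is_safe_redirect(sample)!s:5} "
              f"hardened={hardened_is_safe_redirect(sample)}")
```

Only the second sample differs between the two checks: the naive validator accepts `/\evil.example/x` as a local path, the hardened one sees `//evil.example/x` and rejects it because the host is not on the allow-list.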
Bugfixes
- verify explicitly that `alg` is not `none` in `logout_token`
- don't clear POST params authn on token revocation; thanks @iainh
- fix a problem where the host and port are calculated incorrectly when using a literal IPv6 address
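The `alg` check on `logout_token` above is the kind of structural validation that has to run before any signature verification, because a token whose header claims `alg: none` must be rejected outright rather than "verified" against no signature. The following Python is an added example, not code from mod_auth_openidc: it decodes a back-channel logout token's header and payload, rejects `none` (case-insensitively) and any algorithm outside an allow-list, and applies the other structural rules from the OpenID Connect Back-Channel Logout specification (`events` must carry the backchannel-logout member, `sub` or `sid` must be present, `nonce` must be absent). `make_token`, `ALLOWED_ALGS` and the sample claims are constructed for the example; signature verification is deliberately out of scope here.

```python
import base64
import binascii
import json

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
# Constructed allow-list of signature algorithms this relying party accepts.
ALLOWED_ALGS = ("RS256", "ES256")


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_token(header, payload, signature=b"not-a-real-signature"):
    """Build a compact-serialization JWT from constructed parts (test input only;
    the signature bytes are a placeholder, not a real signature)."""
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(signature),
    ])


def validate_logout_token(token, allowed_algs=ALLOWED_ALGS):
    """Structural checks on a back-channel logout token, run before signature
    verification. Returns (ok, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, binascii.Error):
        return False, "undecodable header or payload"
    alg = header.get("alg")
    if not isinstance(alg, str):
        return False, "missing alg"
    # Explicit, case-insensitive rejection of the unsecured-JWS algorithm.
    if alg.lower() == "none":
        return False, "alg 'none' is not allowed"
    if alg not in allowed_algs:
        return False, "alg %s not in allow-list" % alg
    for claim in ("iss", "aud", "iat", "jti", "events"):
        if claim not in payload:
            return False, "missing claim %s" % claim
    if "sub" not in payload and "sid" not in payload:
        return False, "neither sub nor sid present"
    if "nonce" in payload:
        return False, "nonce is prohibited in logout tokens"
    events = payload["events"]
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        return False, "missing backchannel-logout event"
    return True, "ok"


# Constructed sample claims for a well-formed logout token.
SAMPLE_CLAIMS = {
    "iss": "https://op.example", "aud": "client-1", "iat": 1700000000,
    "jti": "logout-1", "sid": "session-1",
    "events": {BACKCHANNEL_LOGOUT_EVENT: {}},
}

if __name__ == "__main__":
    print(validate_logout_token(make_token({"alg": "RS256"}, SAMPLE_CLAIMS)))
    print(validate_logout_token(make_token({"alg": "none"}, SAMPLE_CLAIMS)))
    print(validate_logout_token(make_token({"alg": "RS256"}, dict(SAMPLE_CLAIMS, nonce="n"))))
```

A token that passes these checks still has to have its signature verified against the OP's published keys using the `alg` from the allow-list, not the one the token names; the point of the allow-list is that the token never gets to choose the verification algorithm.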
Other
- make session not found on backchannel logout produce a log warning instead of error
- handle discovery in the content handler
- strip `A256GCM` JWT header from encrypted JWTs used for state cookies, cache encryption and by-value session cookies, resulting in smaller cookies and reduced cache content size
Dependencies
libcjose >= 0.5.1
Commercial
- binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via sales@zmartzone.eu
- support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via sales@zmartzone.eu
release 2.4.8.4
Bugfixes
- do not send state timeout HTML document when `OIDCDefaultURL` is set; this can be overridden by using e.g.: `SetEnvIfExpr true OIDC_NO_DEFAULT_URL_ON_STATE_TIMEOUT=true`
Dependencies
libcjose >= 0.5.1
Other
- binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via sales@zmartzone.eu
- support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via sales@zmartzone.eu
release 2.4.8.3
Bugfixes
- avoid Apache 2.4 appending 400/302 (200/404) HTML document text to the state timeout HTML info page; see also f5959d7 and #484; at least Debian Buster was affected
Other
- make error "session corrupted: no issuer found in session" a warning only, so a logout call for a non-existing session no longer produces error messages
release 2.4.8.2
Bugfixes
- store timestamps in the session in seconds to avoid string conversion problems on some (libapr-1) platform build/run combinations, which caused "maximum session duration exceeded" errors
Dependencies
libcjose >= 0.5.1
Other
- binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via sales@zmartzone.eu
- support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via sales@zmartzone.eu
release 2.4.8.1
Security
- fix potential crash when the `Content-Type` header is not set in POST requests; thanks Tatsuhiko Yasumatsu of JPCERT/CC (CVE-2021-20718 and JVN#49704918)
Bugfixes
- avoid `jwt`/`proto_state` `json_object` memory leaks on cache failures
- when an OAuth 2.0 RS token scope/claim authorization (401) error occurs, add an `OIDC_OAUTH_BEARER_SCOPE_ERROR` environment variable for usage with mod_headers, instead of adding a header ourselves; see #572; usage, e.g.:

```apache
Header always append WWW-Authenticate %{OIDC_OAUTH_BEARER_SCOPE_ERROR}e "expr=(%{REQUEST_STATUS} == 401) && (-n reqenv('OIDC_OAUTH_BEARER_SCOPE_ERROR'))"
```

Note: if you're using mod_auth_openidc in OAuth 2.0 RS mode and your clients rely on the `WWW-Authenticate` header, the above is a breaking change, and you'll need to explicitly set that header now.
Features
- add options to configure Redis connectivity timeouts with `OIDCRedisCacheConnectTimeout` and `OIDCRedisCacheTimeout`
- add `OIDCClientTokenEndpointKeyPassword` option to set the password for the client's private key used against the token endpoint; see #576
Dependencies
libcjose >= 0.5.1
Other
- binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via sales@zmartzone.eu
- support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via sales@zmartzone.eu
release 2.4.7
Bugfixes
- avoid logged-out sessions remaining (valid) in the session cache: remove session from cache before clearing it; see #542
Features
- add maximum session lifetime (`exp`), inactivity timeout (`timeout`) and `remote_user` to `OIDCInfoHook`; closes #541
Security
- add opt-out on the `sub` check in the userinfo endpoint response using the (undocumented) `OIDC_NO_USERINFO_SUB` environment variable, for backwards (but insecure) compatibility; see #544
Dependencies
libcjose >= 0.5.1
Other
- binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via sales@zmartzone.eu
- support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via sales@zmartzone.eu
release 2.4.6
Bugfixes
- don't set `SameSite=None` on cookies when on plain http
- fix semaphore cleanup on graceful restarts; see #522
- fix inconsistent public/private keys loading order; closes #515
- return `HTTP 400 Bad Request` instead of `500 Internal Server Error` when state cookie matching fails
- optimize Redis `AUTH` execution to once per connection
- avoid segmentation fault when hitting an endpoint configured with `AuthType openid-connect` in an OAuth 2.0 only setup; see #529
- make sure the module compiles with Apache 2.2 for passphrase `exec:`
Features
- add Redis database selection option with `OIDCRedisCacheDatabase`; closes #423
- add `base64url` option to `OIDCPassClaimsAs` primitive; closes #417
- add environment variable to control libcURL `CURLOPT_SSL_OPTIONS` behaviors, e.g.: `SetEnvIfExpr true CURLOPT_SSL_OPTIONS=CURLSSLOPT_NO_REVOKE`
- removed support for https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state
Security
- avoid displaying the `client_secret` in debug logs
Dependencies
libcjose >= 0.5.1
Other
- binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via sales@zmartzone.eu
- support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via sales@zmartzone.eu
release 2.4.5
Features
- disable caching of token introspection results by setting `OIDCOAuthTokenIntrospectionInterval` to `-1`; thanks @wadahiro
- add exec support to `OIDCCryptoPassphrase`; thanks @spanglerco
- delete stale session cookies that aren't in the cache; thanks @spanglerco
- allow `OIDCDiscoverURL` to be a relative URL; thanks @spanglerco
- add `OIDCCABundlePath` for configuring the path to the curl CA bundle; thanks @spanglerco
Bugfixes
- enable authentication of sub-requests when the main request doesn't require authentication; thanks @spanglerco
- fix content processing for info and JWKs handler so mod_headers etc. work; closes #497
- avoid Apache 2.4 appending 401 HTML document text to step-up authentication HTML refresh page; closes #484
- add config check for `OIDCCryptoPassphrase` in OAuth 2.0 RS setup with cache encryption enabled
- populate `AUTH_TYPE` when performing authentication; thanks @spanglerco
- improve sanity checking on Redis reply
Security
- ensure that `sub` is returned from the userinfo endpoint following https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse; prevents potential ID spoofing; thanks Christian Fries of Ruhr-University Bochum
- don't print JSON errors about NULL characters in the error log; thanks Christian Fries of Ruhr-University Bochum
- restrict printout of JSON parsing errors to 4096 bytes; thanks Christian Fries of Ruhr-University Bochum
Dependencies
libcjose >= 0.5.1
Other
- binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6, older Ubuntu and Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64bit are available under a commercial agreement via sales@zmartzone.eu
- support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via sales@zmartzone.eu
release 2.4.4.1
Bugfixes
- add `SameSite=None` attribute on cookie clearance / logout and make sure it works in OP iframes
Packaging
- packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6, older Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64bit are available under a commercial agreement via sales@zmartzone.eu