release 2.4.10

@zandbelt zandbelt released this 10 Nov 13:32
· 606 commits to master since this release

This release improves prevention of state cookies piling up (e.g. for Single Page Applications) by interpreting the Sec-Fetch-* headers provided by modern browsers. This also means that - by default - authentication in an iframe is prevented, which may impact existing deployments.

Features

  • add a check on the Sec-Fetch-Dest header (value != "document") and the Sec-Fetch-Mode header (value != "navigate") to auto-detect requests that cannot handle an authentication round trip to the Provider; see #714; thanks @studersi
  • add redirect/text options to OIDCUnAutzAction; see #715; thanks @chrisinmtown
  • log require claims failure on info level
  • backport ap_get_exec_line to Apache 2.2, supporting the exec: option in OIDCCryptoPassphrase
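As an added example (not code from the mod_auth_openidc project), the Python below reproduces the Sec-Fetch-* decision described in the first feature and shows its effect on state cookies for constructed top-level, SPA, iframe and legacy traffic; the cookie naming and the fallback for requests that send no Sec-Fetch-* headers are assumptions of the example.

```python
# Added example, not code from mod_auth_openidc: classify requests with the
# Sec-Fetch-* headers as release 2.4.10 describes. Only a top-level navigation
# can follow a redirect to the Provider and come back, so only those requests
# start the authentication round trip (and get a state cookie).
from typing import Dict, List, Tuple

def can_handle_auth_roundtrip(headers: Dict[str, str]) -> bool:
    """True if the request can complete a redirect-based login.

    Sec-Fetch-Dest != "document" (e.g. "iframe", or "empty" for fetch/XHR) or
    Sec-Fetch-Mode != "navigate" (e.g. "cors") marks a request that cannot.
    Requests with neither header (older browsers, non-browser clients) are
    treated as capable; that fallback is an assumption of this example.
    """
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    dest, mode = h.get("sec-fetch-dest"), h.get("sec-fetch-mode")
    if dest is not None and dest != "document":
        return False
    if mode is not None and mode != "navigate":
        return False
    return True

def handle_unauthenticated(headers: Dict[str, str], state_cookies: List[str],
                           check_sec_fetch: bool = True) -> int:
    """Simulated reaction to an unauthenticated request: 302 plus a state cookie,
    or a bare 401 that sets nothing (which is what stops SPA traffic piling up)."""
    if not check_sec_fetch or can_handle_auth_roundtrip(headers):
        state_cookies.append("state_%d" % (len(state_cookies) + 1))  # assumed name
        return 302  # redirect to the Provider's authorization endpoint
    return 401      # the SPA or embedding page has to trigger login itself

# Constructed sample traffic: a page load, two SPA API calls, an iframe load
# and one client that sends no Sec-Fetch-* headers at all.
SAMPLE_REQUESTS = [
    {"Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate"},
    {"Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors"},
    {"Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors"},
    {"Sec-Fetch-Dest": "iframe", "Sec-Fetch-Mode": "navigate"},
    {},
]

def simulate(requests: List[Dict[str, str]], check_sec_fetch: bool) -> Tuple[List[int], int]:
    """Run the sample traffic; return status codes and the number of state cookies set."""
    cookies: List[str] = []
    statuses = [handle_unauthenticated(r, cookies, check_sec_fetch) for r in requests]
    return statuses, len(cookies)
```

Running `simulate(SAMPLE_REQUESTS, False)` sets a state cookie for all five requests, while `simulate(SAMPLE_REQUESTS, True)` redirects only the page load and the legacy client and answers the SPA calls and the iframe with 401.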

Bugfixes

  • return HTTP 200 for OPTIONS requests in auth-openidc mixed mode
  • don't apply claims-based authorization for OPTIONS requests, so paths protected with Require claim directives will now also return HTTP 200 for OPTIONS requests
  • fix memory leak when parsing JWT access token fails (in RS mode)
  • fix regexp substitution crash when using OIDCRemoteUserClaim; thanks @nneul; closes #720

Packaging

  • complete usage of autoconf/automake; see #674
  • add .deb for Debian Bullseye

Commercial

  • binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, Mac OS X and Microsoft Windows 64-bit/32-bit are available under a commercial agreement via [email protected]
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]