Releases: OpenIDC/mod_auth_openidc

release 1.6.0

01 Oct 17:02

Features

  • add support for Session Management based on
    http://openid.net/specs/openid-connect-session-1_0.html (draft 21)
  • support static provider configuration from a metadata URL (OIDCProviderMetadataURL)
  • add config option to POST extra parameters to the token endpoint (OIDCProviderTokenEndpointParams / token_endpoint_params)
  • support for passing runtime determined authentication request parameters in the discovery response (auth_request_params)
  • support for "x5c" JWK representation

Bugs

  • fix set_slot functions for algorithm/url used as default for dynamic registration (OIDCClientJwksUri / OIDCIDTokenSignedResponseAlg)
  • fix JSON array memory leak in OAuth 2.0 access token validation flow
  • set expiry on state cookies
  • return JWKS on jwks_uri with content-type "application/json"
  • HTML-encode error descriptions before displaying them

Other

  • be less strict about issuer validation in metadata
  • check that endpoints in metadata are URLs
  • various minor logging improvements
  • various minor documentation improvements
  • improve error handling on direct browser access to redirect uri

release 1.5.5

26 Aug 07:44

Features

  • set HttpOnly by default on cookies, override using OIDCCookieHTTPOnly [On|Off]
  • use default of "/" for OIDCCookiePath

Bugs

  • fix debug printout on open redirect prevention and code response validation
  • cleanup in-memory crypto context on shutdown
  • clear session cookie after cache miss or corruption

Other

  • disable OIDCMetadataDir in sample config since it may be overlooked
  • use FQDN for sample hostname in sample configs since Google requires that
  • make implicit POST JavaScript HTML 4.01 Strict compliant
  • provide Wheezy backports as uploaded to the Debian repositories

release 1.5.4

14 Aug 11:16

Bugs

  • fix big-endian issue #18 and fix Debian auto-builds on PPC/MIPS (@latinovic)
  • remove ownership sentence from disclaimer text that conflicts with license

Features

  • support "none" JWS algorithm in signature validation for "code" flow (@wadahiro)
  • pass the "access_token" to the application in the OIDC_access_token header
  • add support for passing the id_token to the application in multiple formats (claims,payload,serialized)

Packaging

release 1.5.3

01 Aug 10:49

Bugs

  • fix cache initialization/destroy leak

Features

  • prevent JWE timing attacks on CEK
  • check for open redirect on passed target_link_uri
  • change target_uri parameter name to target_link_uri in IDP-init-SSO
  • include client_id and scope values in resolved access_token (OAuth 2.0)

Other

  • convert warning on claim evaluation to debug printout
  • add note on restricting access to specific Google Apps domain(s)

Packaging

  • add separate .deb packages for Debian Jessie/Ubuntu Trusty and Debian Wheezy

release 1.5.2

01 Jul 14:27

Bugs

  • fix PF OAuth 2.0 RS functionality after upgrading to jansson

Features

  • pass JSON objects in app HTTP headers as plain JSON

Other

  • correct printout in hash comparison function and use apr_strnatcmp
  • add more (JOSE) "unit" tests
  • autoconf libapr and include test code in distribution

release 1.5.1

12 Jun 13:35

Packaging

  • Changes to Debian packaging for 1.5.1-1 as uploaded to mentors.debian.org

Features

  • support for 3rd-party initiated SSO as defined in the OpenID Connect Core spec (section 4)
  • enable per-module logging for Apache 2.4

Documentation

  • various corrections to README.md and auth_openidc.conf

release 1.5

05 Jun 09:34

Features

  • change JSON parser from apr-json to jansson
    NOTE: there's a new compilation and runtime dependency on libjansson now
    so make sure to run ./autogen.sh/configure again when compiling
  • add warning/errors when configured hosts/domains do not match

Bugs

  • fix claims-based authorization with integer values (@martinsrom)
  • do not set Secure cookies on plain HTTP