release 2.4.9.4

Security

• prevent open redirect by applying OIDCRedirectURLsAllowed setting to target_link_uri; closes #672; thanks @Meheni

Bugfixes

• don't apply authz in discovery process; fixes step up authentication when combined with Discovery

Dependencies

• libcjose >= 0.5.1

Commercial

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.9.3

Bugfixes

• don't apply authz to the redirect URI; fixes ac56864

Dependencies

• libcjose >= 0.5.1

Commercial

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via [email protected]
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via [email protected]

release 2.4.9.2

Bugfixes

• fix graceful restart (regression); see #458; thanks @Foxite

Features

• preserve session cookie in the event of a cache backend failure; thanks @iainh
• update the id_token in the session cache if one is provided while refreshing the access token; thanks @iainh

Dependencies

• libcjose >= 0.5.1

Commercial

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via [email protected]
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via [email protected]

release 2.4.9.1

Bugfixes

• fix retried Redis commands after a reconnect; see #642; thanks @iainh

Dependencies

• libcjose >= 0.5.1

Commercial

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via [email protected]
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via [email protected]

release 2.4.9

Note that the format of encrypted cache contents have changed and as such existing server side sessions cannot survive an update to 2.4.9. Clearing the cache contents before restarting the Apache server with the upgraded module is advised.

Security

• use redisvCommand to avoid crash with crafted key when using Redis without encryption; thanks @thomas-chauchefoin-sonarsource
• replace potentially harmful backslashes with forward slashes when validating redirection URLs; thanks @thomas-chauchefoin-sonarsource
• avoid XSS vulnerability when using OIDCPreservePost On and supplying URLs that contain single quotes; thanks @oss-aimoto
• return OK in the content handler for calls to the redirect URI and when preserving POST data; prevent (intermittent) disclosure of content hosted at a (non-vanity) redirect URI location
• use encrypted JWTs for storing encrypted cache contents and avoid using static AAD/IV; thanks @niebardzo

Bugfixes

• verify that alg is not none in logout_token explicitly
• don't clear POST params authn on token revocation; thanks @iainh
• fix a problem where the host and port are calculated incorrectly when using literal ipv6 address.

Other

• make session not found on backchannel logout produce a log warning instead of error
• handle discovery in the content handler
• strip A256GCM JWT header from encrypted JWTs used for state cookies, cache encryption and by-value session cookies resulting in smaller cookies and reduced cache content size

Dependencies

• libcjose >= 0.5.1

Commercial

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via [email protected]
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via [email protected]

release 2.4.8.4

Bugfixes

• do not send state timeout HTML document when OIDCDefaultURL is set; this can be overridden by using e.g.: SetEnvIfExpr true OIDC_NO_DEFAULT_URL_ON_STATE_TIMEOUT=true

Dependencies

• libcjose >= 0.5.1

Other

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via [email protected]
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via [email protected]

release 2.4.8.3

Bugfixes

• avoid Apache 2.4 appending 400/302(200/404) HTML document text to state timeout HTML info page see also f5959d7 and #484; at least Debian Buster was affected

Other

• make error "session corrupted: no issuer found in session" a warning only so a logout call for a non-existing session no longer produces error messages

release 2.4.8.2

Bugfixes

• store timestamps in session in seconds to avoid string conversion problems on some (libapr-1) platform build/run combinations, causing "maximum session duration exceeded" errors

Dependencies

• libcjose >= 0.5.1

Other

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via [email protected]
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via [email protected]

release 2.4.8.1

Security

• fix potential crash when the Content-Type header is not set in POST requests; thanks Tatsuhiko Yasumatsu of JPCERT/CC (CVE-2021-20718 and JVN#49704918)

Bugfixes

• avoid jwt/proto_state json_object memory leaks on cache failures
• when an OAuth 2.0 RS token scope/claim authorization (401 ) error occurs, add a OIDC_OAUTH_BEARER_SCOPE_ERROR environment variable for usage with mod_headers, instead of adding a header ourselves; see #572; usage, e.g;

  Header always append WWW-Authenticate %{OIDC_OAUTH_BEARER_SCOPE_ERROR}e "expr=(%{REQUEST_STATUS} == 401) && (-n reqenv('OIDC_OAUTH_BEARER_SCOPE_ERROR'))"
  

  Note: if you're using mod_auth_openidc in OAuth 2.0 RS mode and your clients rely on the WWW-Authenticate header the above is a breaking change, and you'll need to explicitly set that header now.

Features

• add options to configure Redis connectivity timeouts with OIDCRedisCacheConnectTimeout and OIDCRedisCacheTimeout
• add OIDCClientTokenEndpointKeyPassword option to set a private key password for the client's private key to be used against the token endpoint; see #576

Dependencies

• libcjose >= 0.5.1

Other

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via [email protected]
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via [email protected]

release 2.4.7

Bugfixes

• avoid logged-out sessions remaining (valid) in the session cache: remove session from cache before clearing it; see #542

Features

• add maximum session lifetime (exp), inactivity timeout (timeout) and remote_user to OIDCInfoHook; closes #541

Security

• add opt-out on sub check in userinfo endpoint response using the (undocumented) OIDC_NO_USERINFO_SUB environment variable, for backwards (but insecure) compatibility, see #544

Dependencies

• libcjose >= 0.5.1

Other

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via [email protected]
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via [email protected]