Releases: OpenIDC/mod_auth_openidc
release 2.4.6
Bugfixes
- don't set SameSite=None on cookies when on plain http
- fix semaphore cleanup on graceful restarts; see #522
- fix inconsistent public/private keys loading order; closes #515
- return HTTP 400 Bad Request instead of 500 Internal Server Error when state cookie matching fails
- optimize Redis AUTH execution to once per connection
- avoid a segmentation fault when hitting an endpoint configured with AuthType openid-connect in an OAuth 2.0 only setup; see #529
- make sure the module compiles with Apache 2.2 for passphrase exec:
Features
- add Redis database selection option with OIDCRedisCacheDatabase; closes #423
- add base64url option to the OIDCPassClaimsAs primitive; closes #417
- add an environment variable to control libcURL CURLOPT_SSL_OPTIONS behaviour, e.g.:
  SetEnvIfExpr true CURLOPT_SSL_OPTIONS=CURLSSLOPT_NO_REVOKE
- removed support for https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state
Security
- avoid displaying the client_secret in debug logs
Dependencies
libcjose >= 0.5.1
Other
- binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via [email protected]
- support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via [email protected]
release 2.4.5
Features
- disable caching of token introspection results by setting OIDCOAuthTokenIntrospectionInterval to -1; thanks @wadahiro
- add exec support to OIDCCryptoPassphrase; thanks @spanglerco
- delete stale session cookies that aren't in the cache; thanks @spanglerco
- allow OIDCDiscoverURL to be a relative URL; thanks @spanglerco
- add OIDCCABundlePath for configuring the path to the curl CA bundle; thanks @spanglerco
Bugfixes
- enable authentication of sub-requests when the main request doesn't require authentication; thanks @spanglerco
- fix content processing for the info and JWKs handlers so mod_headers etc. work; closes #497
- avoid Apache 2.4 appending 401 HTML document text to the step-up authentication HTML refresh page; closes #484
- add a config check for OIDCCryptoPassphrase in an OAuth 2.0 RS setup with cache encryption enabled
- populate AUTH_TYPE when performing authentication; thanks @spanglerco
- improve sanity checking on Redis replies
Security
- ensure that sub is returned from the userinfo endpoint, following https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse; prevents potential ID spoofing; thanks Christian Fries of Ruhr-University Bochum
- don't print JSON errors about NULL characters in the error log; thanks Christian Fries of Ruhr-University Bochum
- restrict printout of JSON parsing errors to 4096 bytes; thanks Christian Fries of Ruhr-University Bochum
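The userinfo check behind the first Security item above, written out as an added illustration in Python. This is not mod_auth_openidc code; it shows the rule from OpenID Connect Core 1.0 section 5.3.2 that the sub claim in a UserInfo response must be present and must exactly match the sub of the already-validated ID Token, and why a relying party that skips the check can be fed claims belonging to another subject. All claim values and JSON bodies are constructed sample data.

```python
"""Added illustration, not code from mod_auth_openidc: the UserInfo "sub"
check required by OpenID Connect Core 1.0 section 5.3.2.
All claim values below are constructed sample data."""
import json


class UserInfoError(ValueError):
    """The UserInfo response must not be used."""


def verify_userinfo(id_token_claims: dict, userinfo_claims) -> dict:
    """Return userinfo_claims only if its 'sub' is present and exactly equals
    the 'sub' of the already-validated ID Token.

    Without this check a tampered, buggy or misrouted UserInfo response could
    hand the relying party claims (email, groups, ...) that belong to a
    different subject than the one that actually authenticated.
    """
    expected = id_token_claims.get("sub")
    if not isinstance(expected, str) or not expected:
        raise UserInfoError("ID Token carries no usable 'sub' claim")
    if not isinstance(userinfo_claims, dict):
        raise UserInfoError("UserInfo response is not a JSON object")
    if "sub" not in userinfo_claims:
        raise UserInfoError("UserInfo response lacks the mandatory 'sub' claim")
    actual = userinfo_claims["sub"]
    # Exact string comparison: no case folding, no numeric coercion.
    if not isinstance(actual, str) or actual != expected:
        raise UserInfoError(
            "UserInfo 'sub' %r does not match ID Token 'sub' %r" % (actual, expected))
    return userinfo_claims


def userinfo_is_usable(id_token_claims: dict, userinfo_json: str) -> bool:
    """Convenience wrapper for a raw (JSON) UserInfo response body."""
    try:
        verify_userinfo(id_token_claims, json.loads(userinfo_json))
    except ValueError:  # covers both UserInfoError and malformed JSON
        return False
    return True


# Constructed sample data (not from any real OP).
ID_TOKEN_CLAIMS = {"iss": "https://op.example.com", "sub": "248289761001",
                   "aud": "rp-example"}
GOOD_USERINFO = '{"sub": "248289761001", "email": "jane@example.com"}'
SPOOFED_USERINFO = '{"sub": "admin-0001", "email": "admin@example.com"}'
MISSING_SUB_USERINFO = '{"email": "jane@example.com"}'

if __name__ == "__main__":
    for label, body in (("good", GOOD_USERINFO), ("spoofed", SPOOFED_USERINFO),
                        ("missing sub", MISSING_SUB_USERINFO)):
        state = "usable" if userinfo_is_usable(ID_TOKEN_CLAIMS, body) else "rejected"
        print(label, "->", state)
```

The spoofed and missing-sub bodies are rejected outright rather than partially used; the specification says the whole UserInfo response must be discarded when the check fails, so no individual claim from it should reach the session or the application headers.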
Dependencies
libcjose >= 0.5.1
Other
- binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6, older Ubuntu and Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64bit are available under a commercial agreement via [email protected]
- support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via [email protected]
release 2.4.4.1
Bugfixes
- add the SameSite=None attribute on cookie clearance / logout and make sure it works in OP iframes
Packaging
- packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6, older Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64bit are available under a commercial agreement via [email protected]
release 2.4.4
Security
- prevent XSS and open redirect on the OIDC session management OP iframe, introducing the generic OIDCRedirectURLsAllowed primitive; thanks Andrew Brady
- add the OIDCStateCookiePrefix primitive for the state cookie prefix, to anonymise the state cookie name
Bugfixes
- fix double Set-Cookie behaviour when using OIDCSessionType client-cookie, calling the session info hook and writing out a session update (twice); thanks @deisser
- reverse the order of creating the HTML response and writing the (client-type) session cookie in the session info hook so the session data is actually saved; thanks @deisser
- delete the state cookie when it cannot be decoded/decrypted
- avoid an Apache authorisation error and HTTP 500 when logout is triggered by a different RP
Features
- add a conditional expression to OIDCUnAuthAction to override auto-detection of non-browser requests; see #479; thanks @raro42 and @marcstern
Other
- fixes for various compiler warnings/issues (older and newer versions of GCC)
- add grant_types to the dynamic client registration request [OIDC conformance test suite]
- don't send the access_token in the user info request when the method is set to POST [OIDC conformance test suite]
- add the recommended cache headers on the backchannel logout response, see https://openid.net/specs/openid-connect-backchannel-1_0.html#rfc.section.2.8 [OIDC conformance test suite]
- allow the Content-Type check on backchannel logout to have postfixes (utf-8 etc.) [OIDC conformance test suite]
Packaging
- packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6, older Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64bit are available under a commercial agreement via [email protected]
release 2.4.3
This release addresses an open redirect in the refresh token handler.
Bugfixes
- prevent open redirect on refresh token requests: add the new OIDCRedirectURLsAllowed primitive to handle post-logout and refresh return-to validation; addresses #453; closes #466
- when stripping cookies, add a space between cookies in the resulting header (required by RFC 6265)
- fix compilation against Apache 2.0
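An added configuration example (not taken from the release notes or from the module's shipped auth_openidc.conf) showing how a relying party uses the OIDCRedirectURLsAllowed primitive introduced in 2.4.3 for refresh return-to and post-logout validation, and reused by the 2.4.4 session management fix, together with the OIDCStateCookiePrefix primitive from 2.4.4. Host names, paths, the client secret placeholder and the cookie prefix are assumptions chosen for the example:

```apache
# Added example, not the module's own configuration; host names, paths,
# secrets and the cookie prefix are placeholders.
OIDCProviderMetadataURL https://op.example.com/.well-known/openid-configuration
OIDCClientID rp-example
OIDCClientSecret "<client-secret-issued-by-the-OP>"
OIDCRedirectURI https://rp.example.com/protected/redirect_uri
OIDCCryptoPassphrase "<long-random-passphrase>"

# Allowlist for post-logout redirects and for the return-to value of refresh
# token requests: anchored regular expressions with escaped dots. An
# unanchored or unescaped pattern such as "rp.example.com" would also match
# https://rp.example.com.evil.example/ and re-open the redirect this
# primitive exists to close.
OIDCRedirectURLsAllowed ^https://rp\.example\.com/ ^https://portal\.example\.com/

# Give the state cookie a site-specific prefix instead of the module's
# default, so the cookie name alone no longer reveals which module is in use.
OIDCStateCookiePrefix rp_st_

<Location /protected>
    AuthType openid-connect
    Require valid-user
</Location>
```

When reviewing such a configuration, read every OIDCRedirectURLsAllowed pattern as an attacker-controlled string would be matched against it: each pattern should start with ^, pin the scheme and full host, and end at a path boundary, otherwise a host that merely contains the expected name will pass.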
Features
- add OIDCStateInputHeaders, which allows configuring the header values used to calculate the fingerprint of the state during authentication
- added the OIDCValidateIssuer primitive to allow disabling of issuer matching, which helps to support multi-tenant applications, e.g. Microsoft AAD
Packaging
- Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful
- packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Red Hat 8, Oracle Linux 6, older Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64bit are available under a commercial agreement via [email protected]
This release was made possible thanks to sustaining sponsor GLUU.
release 2.4.2.1
This release fixes the SameSite Set-Cookie behaviour introduced in 2.4.1 when by-value session cookies are used, and it fixes a memory leak in an OAuth 2.0 Resource Server setup when using JWT token validation.
Bugfixes
- also add SameSite=None to by-value session cookies
- avoid a memory leak in OAuth 2.0 JWT validation; closes #470; thanks Conrad Thukral
- destroy shared memory segments only in the parent process on shutdown/restart; see #458
- if content was already returned via html/http send then don't return 500 but send 200, to avoid extraneous internal error document text being sent on some Apache 2.4.x versions, e.g. CentOS 7
- fix configured private/public key cleanup on shutdown
Features
- allow for expressions in Require statements, see #469; thanks @wwaaron; also see: https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization#expressions-in-require-statements
- always refresh keys from jwks_uri when there is no kid in the JWT header
- if OIDCPublicKeyFiles contains a certificate, the corresponding x5c, x5t and x5t#S256 parameters will be added to the generated JWK set available at "<redirect_uri>?jwks=rsa"; thanks @absynth76
Packaging
- Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful
- packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), older Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64bit are available under a commercial agreement via [email protected]
This release was made possible thanks to sustaining sponsor GLUU.
release 2.4.1
This release primarily addresses upcoming changes in SameSite Set-Cookie behaviour in Chrome and Firefox, see: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
Features
- always add a SameSite value (default None) to the Set-Cookie header value; this can be overridden by using the environment variable OIDC_SET_COOKIE_APPEND, e.g.:
  SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
- add the possibility to use a public key instead of a certificate for the OIDCPublicKeyFiles parameter; thanks @absynth76
- support login with OIDC session management; addresses #456; thanks Paolo Battino
- support the 407 option on OIDCUnAuthAction; thanks @dfsin-sa
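An added example (not from the release notes) of the OIDC_SET_COOKIE_APPEND override described above, narrowed from the ".*IOS.*" illustration to the user agents that actually mishandle SameSite=None. The User-Agent patterns follow the Chromium project's published list of incompatible clients and are an assumption to verify against your own access logs; the value ";" is the one the release note uses:

```apache
# Added example, not from the release notes: keep the 2.4.1 default of
# SameSite=None on the module's cookies, but append nothing (just ";") for
# user agents known to mishandle the attribute. Patterns follow the Chromium
# project's incompatible-clients list; verify them against your own traffic.

# iOS 12 WebKit drops cookies that carry SameSite=None.
SetEnvIf User-Agent "\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit/" OIDC_SET_COOKIE_APPEND=;

# Chrome 51-66 treat SameSite=None as SameSite=Strict, which breaks the
# cross-site return from the OP to the redirect URI.
SetEnvIf User-Agent "Chrom[^ /]+/5[1-9]\." OIDC_SET_COOKIE_APPEND=;
SetEnvIf User-Agent "Chrom[^ /]+/6[0-6]\." OIDC_SET_COOKIE_APPEND=;
```

Browsers only honour SameSite=None on cookies that are also marked Secure, so the relying party must be served over HTTPS for the default to work; release 2.4.6 stops emitting SameSite=None on plain http for that reason.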
Bugfixes
- fix parsing of values from metadata files when the default is non-NULL (e.g. UNSET)
- enforce OIDCIDTokenSignedResponseAlg and OIDCUserInfoSignedResponseAlg; see #435
- changed storing POST params from localStorage to sessionStorage due to an issue of losing data in localStorage in Firefox (private mode); see #447 #441
- improve validation of the post-logout URL to avoid an open redirect; closes #449
- unset chunked cookies if setting a non-chunked cookie; thanks @alindeman
Other
- make cleaning of expired state cookies log with a warning rather than an error; thanks Pavel Drobov
- return 200 OK for backchannel logout if the session is not found
- added an Alpine Linux Dockerfile, resulting in a container size of roughly 20MB; thanks @absynth76
- try to fix graceful restart crash; see #458; thanks @studersi
Packaging
- Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful
- packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), older Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64bit are available under a commercial agreement via [email protected]
This release was made possible thanks to sustaining sponsor GLUU.
release 2.4.0.4
- just tagging along
release 2.4.0.3
Security
- improve validation of the post-logout URL parameter on logout; thanks AIMOTO Norihito; closes #449
Bugfixes
- changed storing POST params from localStorage to sessionStorage due to some issue of losing data in localStorage in Firefox (private mode); fixes #447 #441
release 2.4.0
Important
- version 2.4.0 carries quite a number of relatively small changes (see Bugfixes and Features below) that are subtle but may nevertheless impact runtime behavior; you should verify an upgrade in a test environment before rolling out to production, e.g. those who use claim environment variables will find that the names of these variables are now prefixed with REDIRECT_, see here
- this release deprecates the OAuth 2.0 Resource Server functionality, which is now implemented as a separate module, mod_oauth2
Bugfixes
- URL-encode client_id/client_secret when using client_secret_basic, according to https://tools.ietf.org/html/rfc6749#section-2.3.1
- fix parsing and caching of OIDCOAuthServerMetadataURL; thanks Lance Fannin
- fix oidc_proto_html_post auto-post-submit so it no longer results in duplicate parentheses; closes #440; thanks @gobreak
- fix RSA JWK x5c parsing issue (e.g. when parsing n fails): explicitly set the kid in the JWK
- fix OIDCOAuthAcceptTokenAs post so POST data is propagated and not lost; see #443
- fix JWT decryption crashing on non-null-terminated input
- fix not clearing claims in the session when setting claims to null; closes #445; thanks @FilipVujicic
Features
- support refresh and access token revocation at an RFC 7009 endpoint upon OIDC session logout
- make sure the content handler is called for every request to the configured Redirect URI so all Apache processing is executed (e.g. setting headers with mod_headers) before returning the response; thanks Don Sengpiehl (NB: this may affect browser behavior and backwards compatibility)
- add the ability to view session info in HTML via the session info hook at <redirect_uri>?info=html
- enable per-provider signing and encryption keys in multi-provider setups (with limitations)
- no longer use the fixup handler for environment variable setting but do it as part of the authn handler
- add the logout_on_error option to OIDCRefreshAccessTokenBeforeExpiry to kill the session when refreshing an access token fails; thanks @rickyepoderi
- be smart about picking the token endpoint authentication method when not configured explicitly: don't choose the first one published by the OP but prefer client_secret_basic if that is listed as well, see panva/node-oidc-provider#514; thanks @richard-drummond and @panva
Other
- remove the OIDCScrubRequestHeaders option that allowed skipping the scrubbing of request headers, thus avoiding potentially insecure setups
- log the original URL for expired state cookies, useful for debugging SPA/JS issues
- add debug logs in oidc_proto_generate_random_string to allow spotting a lack of entropy in the random number generator (on VM environments) more easily
- add the USE_URANDOM compile-time option to use /dev/urandom explicitly for non-blocking random number generation: configure with APXS2_OPTS="-DUSE_URANDOM"
- allow removing an access token from the cache ("remove_at_cache") when running in OAuth 2.0 RS mode only
Packaging
- Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
- packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), older Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64bit are available under a commercial agreement via [email protected]
This release was made possible thanks to sustaining sponsor GLUU.