
Releases: OpenIDC/mod_auth_openidc

release 2.3.11

13 Mar 06:06

Features

  • dynamically pass query params to the authorization request; closes #401
    • using OIDCAuthRequestParams foo=# and/or OIDCPathAuthRequestParams foo=#
  • add session expiry info to session info hook response
    • the session inactivity timeout is now reported under the key timeout (previously exp)
    • the absolute session expiry is reported under the key exp
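As an added example (not the project's own configuration nor part of these release notes), an Apache configuration that uses the 2.3.11 dynamic parameter passing described above; the provider, client, redirect and path values are constructed placeholders, and the reading of foo=# as "copy parameter foo from the request that triggered authentication" follows the release note.

```apache
# Added example, not from the project: exercising OIDCAuthRequestParams and
# OIDCPathAuthRequestParams (2.3.11). All URLs, IDs and secrets are placeholders.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

OIDCProviderMetadataURL https://op.example.com/.well-known/openid-configuration
OIDCClientID            client-id-placeholder
OIDCClientSecret        client-secret-placeholder
OIDCRedirectURI         https://rp.example.com/protected/redirect_uri
OIDCCryptoPassphrase    passphrase-placeholder

# Query-string formatted. "prompt=login" is a fixed value sent on every
# authorization request. "login_hint=#" is the pass-through form from the
# release note: the value of login_hint is taken from the query string of the
# request that triggered authentication, so a visit to
# /protected?login_hint=alice adds login_hint=alice to the authorization
# request. Only parameters listed here are forwarded; unlisted query
# parameters on the incoming request are not sent to the provider.
OIDCAuthRequestParams prompt=login&login_hint=#

<Location /protected>
    AuthType openid-connect
    Require valid-user
</Location>

# Per-path variant: requests under this location additionally forward
# ui_locales from their own query string.
<Location /protected/localized>
    AuthType openid-connect
    Require valid-user
    OIDCPathAuthRequestParams ui_locales=#
</Location>
```

Because forwarded values originate from the browser's request, keep the list limited to parameters the provider is expected to handle (login_hint, ui_locales and similar hints) rather than anything that influences authorization semantics.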

Other

  • allow compilation without memcache support on older platforms not providing apr_memcache.h

Packaging

  • the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
  • packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5 and Microsoft Windows 64-bit are available under a commercial agreement via [email protected]

This release was made possible thanks to sustaining sponsor GLUU.

release 2.3.10.2

22 Jan 10:59

Security

  • fix XSS vulnerability CSNC-2019-001 in the poll parameter of the OIDC Session Management RP iframe; thanks Mischa Bachmann

This release was made possible thanks to sustaining sponsor GLUU.

Packaging

  • the libcjose >= 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
  • packages for various other platforms such as Red Hat Enterprise Linux 6, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5 and Microsoft Windows 64-bit are available under a commercial agreement via [email protected]

release 2.3.10.1

16 Jan 12:18

Note: 2.3.10.1 fixes a bug in 2.3.10 regarding query parameter duplication in the URL; see #420

This release was made possible thanks to sustaining sponsor GLUU.

Bugfixes

  • retain the unparsed URL path in current/original URL determination, thereby preserving and supporting URL-encoded characters in paths when redirecting back to the original URL; thanks Michael Furman
  • fix encryption buffer tag length mismatch

Features

  • optionally delete the oldest state cookie(s) using OIDCStateMaxNumberOfCookies <number> true; see #399
  • add state to code exchange token requests only in multi-provider setups; see #402; thanks @ecattez
  • add support for refreshing an access token associated with an OIDC session using OIDCRefreshAccessTokenBeforeExpiry; thanks Andreas Hanisch

Packaging

  • the libcjose >= 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
  • Windows 64-bit builds (and builds for various other platforms) are available under a commercial agreement via [email protected]

release 2.3.9

15 Nov 09:37

Bugfixes

  • ignore/trim spaces in X-Forwarded-* headers
  • fix OAuth 2.0 RS config check when just OIDCOAuthServerMetadataURL is set; thanks @psteniusubi
  • fix parsing of cookie name in OIDCOAuthAcceptTokenAs when the cookie option is not listed last

Other

  • add test-cmd command to generate hashed base64url-encoded inputs (e.g. for cnf/tbh claims)

Packaging

  • the libcjose >= 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise

release 2.3.8

12 Sep 11:47

Bugfixes

  • fix return result FALSE when JWT payload parsing fails; see #389; thanks @amdonov
  • fix reading access_token form POST parameters when combined with AuthType auth-openidc; see #376; thanks Nicolas Salerno
  • fix using access token as endpoint auth method in introspection calls; closes #377; thanks @skauffmann

Features

  • add option to set an upper limit to the number of concurrent state cookies via OIDCStateMaxNumberOfCookies; see #331
  • make the default maximum number of parallel state cookies 7 instead of unlimited; see #331
  • improve auto-detection of XMLHttpRequests via Accept header; see #331
  • allow usage with LibreSSL; closes #380; thanks @hihellobolke

Other

  • initialize test_proto_authorization_request properly; see #382; thanks @jdennis
  • add sanity check on provider->auth_request_method; closes #382; thanks @jdennis
  • add LGTM code quality badges, see #385; thanks @xcorail

Packaging

  • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise

release 2.3.7

06 Jul 06:34

You are strongly advised to upgrade to 2.3.7 when using Redis caching across multiple vhosts in the same Apache server.

Bugfixes

  • fix Redis concurrency issue when used with multiple vhosts which would lead to cache corruption and random cache entry swaps
  • clear session cookie and contents if cache corruption is detected to avoid looping
  • abort when string length for remote user name substitution is >=255 characters (e.g. in Distinguished Names) and deal with lengths >50

Features

  • add support for authorization server metadata Discovery documents with OIDCOAuthServerMetadataURL in OAuth 2.0 Resource Server setups as specified in RFC 8414

Packaging

  • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise

release 2.3.6

15 Jun 13:29

Bugfixes

  • avoid using pipelining for Redis since it produces unreliable results with some Redis implementations (e.g. AWS ElastiCache Redis in clustered mode)
  • fix buffer overflow in shm cache key set strcpy; thanks @kyprizel
  • avoid memory leak in redis cache backend when an error occurs authenticating to a Redis server

Other

  • add check to detect session cache corruption for server-based caches
  • add check to detect (static) metadata cache corruption
  • explicitly set kid in encrypted request object; ensures compatibility with cjose >= 0.6.0
  • turn missing session_state from warning into a debug statement; do not clutter logs
  • send Basic header in OAuth 2.0 WWW-Authenticate response if Basic auth is the only accepted method (instead of Bearer); thanks @puiterwijk

Packaging

  • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise

release 2.3.5

18 May 18:14

Bugfixes

  • avoid values that are too long in shm cache key construction; thanks @kyprizel
  • fix encoding of preserved POST data; see #338; thanks @timpuri

Packaging

  • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise

release 2.3.4

27 Apr 12:22

Bugfixes

  • add Cache-Control no-cache response header to authorization requests to avoid replays of state/nonce from the browser's cache; see #321
  • avoid crash when a relative logout URL parameter is passed in; thanks Vivien Delenne
  • interpret X-Forwarded-Host when doing XSRF protection on the after-logout URL; see #341; thanks @PePe79
  • fix bug where endpoint authentication method private_key_jwt would not co-exist with none

Features

  • add support for passing an access token in an HTTP Basic authentication password; thanks @puiterwijk
  • add explicit endpoint authentication method bearer_access_token
  • send session management JavaScript logging to debug; thanks @kerrermanisNL

Other

  • correct documentation on kid usage for OIDCOAuthVerifyCertFiles; closes #318
  • fix compiler warnings for OpenSSL 1.1.x

Packaging

  • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise

release 2.3.3

16 Nov 14:58

Features

  • add support for passing claims resolved from the UserInfo endpoint as a JSON object or (when available) as a JWT with OIDCPassUserInfoAs; closes #311
  • add support for authentication to the introspection endpoint with a bearer token using OIDCOAuthIntrospectionClientAuthBearerToken; thanks @cristichiru (works in OAuth 2.0 mode only, does not mix with OIDC setups because of a bug in 2.3.3)

Bugfixes

  • avoid crash when no scheme is set on OIDCProviderMetadataURL; closes #303; thanks @iconoeugen
  • avoid crash when no OIDCOAuthClientID is set for remote access token validation
  • don't enforce iat checks on locally validated JWT access tokens (e.g. as issued by Keycloak)

Other

  • the GitHub repository is transferred to ZmartZone IAM
  • a number of compiler/static/runtime code analysis issues were addressed

Packaging

  • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise