
release 1.8.6

@zandbelt zandbelt released this 26 Oct 08:50
· 1404 commits to master since this release

Features

  • add support for applying a custom HTML error template with OIDCHTMLErrorTemplate
  • add option to manually assign a key identifier (kid) to the OIDCOAuthVerifySharedKeys, OIDCOAuthVerifyCertFiles and OIDCPublicKeyFiles configuration primitives
  • allow a leading '.' in the OIDCCookieDomain primitive and support older browsers; issue #96
  • include and prioritize the X-Forwarded-Host header in hostname determination
  • allow for missing Host header (HTTP 1.0)
  • add option to make session cookie persistent; closes #97

Bugfixes

  • return DONE instead of HTTP_UNAUTHORIZED with Discovery page (prevent double HTML in HTTP 1.0)
  • validate the received session cookie against the domain it was issued for:
    this handles the case where the configured cache is the same single memcache, Redis, or file backend shared by different (virtual) hosts, or a client-side cookie protected with the same secret; it also handles the case where a cookie is unexpectedly shared across multiple hosts in name-based virtual hosting even though the OP(s) would be the same
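The cookie-scope check from the bugfix above, together with the X-Forwarded-Host / missing-Host hostname determination from the Features list, modelled as an added Python example. This is not mod_auth_openidc's own C code: the HMAC-protected JSON cookie format, the function names (`determine_hostname`, `cookie_scope`, `issue_session_cookie`, `validate_session_cookie`, `lookup_session`), the demo secret and the sample hostnames are all constructed for illustration. It shows why a cookie minted on one virtual host must be rejected on another even when both hosts share the same cache backend or cookie secret.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo secret; the real module derives cookie protection from its own configuration.
SECRET = b"constructed-demo-secret-do-not-reuse"


def b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def determine_hostname(headers):
    """Resolve the request hostname: X-Forwarded-Host first, then Host, else None (HTTP/1.0)."""
    fwd = headers.get("X-Forwarded-Host")
    if fwd:
        # a proxy chain may append several values; the first is the client-facing host
        return fwd.split(",")[0].strip().lower()
    host = headers.get("Host")
    if host:
        return host.strip().lower()
    return None


def cookie_scope(hostname, cookie_domain=None):
    """Scope a session is issued for: the configured cookie domain (a leading '.' is tolerated,
    mirroring OIDCCookieDomain) or, when none is configured, the hostname itself."""
    if cookie_domain:
        return cookie_domain.lstrip(".").lower()
    return hostname


def issue_session_cookie(session_id, scope):
    """Build an HMAC-protected cookie value that records which scope it was issued for."""
    payload = json.dumps({"sid": session_id, "scope": scope}, separators=(",", ":")).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(mac)


def validate_session_cookie(cookie, scope):
    """Return the session id if the MAC verifies AND the cookie was issued for this scope,
    otherwise None. The scope comparison is the check the bugfix adds: a MAC-valid cookie
    replayed on a different (virtual) host is refused."""
    try:
        payload_b64, mac_b64 = cookie.split(".", 1)
        payload = unb64(payload_b64)
        mac = unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    data = json.loads(payload)
    if data.get("scope") != scope:
        return None
    return data.get("sid")


def lookup_session(shared_cache, cookie, headers, cookie_domain=None):
    """Resolve the host from the request headers, validate the cookie for that scope, then
    consult a cache that (as in the bugfix) may be shared by several virtual hosts."""
    scope = cookie_scope(determine_hostname(headers), cookie_domain)
    sid = validate_session_cookie(cookie, scope)
    return shared_cache.get(sid) if sid else None


if __name__ == "__main__":
    # constructed: one memcache/Redis/file backend shared by a.example.com and b.example.com
    shared_cache = {"sess-1": {"user": "alice"}}
    cookie = issue_session_cookie("sess-1", cookie_scope("a.example.com"))
    print(lookup_session(shared_cache, cookie, {"Host": "a.example.com"}))  # session found
    print(lookup_session(shared_cache, cookie, {"Host": "b.example.com"}))  # None: wrong host
```

Without the scope check, the second lookup would succeed, because the session id is valid in the shared backend and the MAC verifies under the shared secret. With a configured cookie domain such as `.example.com`, both hosts resolve to the same scope and legitimately share the session, which is the case the leading-'.' handling in OIDCCookieDomain covers.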

Other

  • log a warning if the Set-Cookie value length is greater than 4093 bytes to avoid browsers breaking without any clue