
release 2.3.0

@zandbelt zandbelt released this 13 Jun 07:24
· 1070 commits to master since this release

Features

  • support relative OIDCRedirectURIs; closes #200; thanks @moschlar
  • add support for custom actions to take after authorization fails, via OIDCUnAutzAction; see #263
    this enables step-up authentication scenarios when combined with the following:
    • add OIDCPathAuthRequestParams, configurable on a per-path basis; OIDCAuthRequestParams remains the static per-provider value
    • add OIDCPathScope, configurable on a per-path basis and concatenated with OIDCScope, the static per-provider value
  • support 3rd-party-init-SSO with additional authentication request params when a single static provider has been configured; see #233
  • add support for an empty OIDCClaimPrefix; can be used with OIDCWhiteListedClaims to protect selected headers; see #264
  • support sending Authorization Request as "request" object in addition to "request_uri"; thanks @suttod
  • support nested claim matching in Require directives; thanks @suttod
  • support explicitly setting the kid of the private key in OIDCPrivateKeyFiles; thanks @suttod
  • allow for a higher session inactivity timeout maximum value
  • support JWT verification against multiple keys with no provided kid by looping over the provided keys (only works with cjose >= 0.5.0)
  • allow for postfixing OIDCRemoteUser with the issuer value after applying a regex
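An added configuration example (not from the release notes or the project's own docs) showing how the new per-path directives combine for step-up authentication; the `auth` action value, client settings and the `mfa` acr value are assumptions and placeholders:

```apache
# Added example: step-up authentication with OIDCUnAutzAction,
# OIDCPathAuthRequestParams and OIDCPathScope (mod_auth_openidc 2.3.0).
# Assumptions: OIDCUnAutzAction accepts "auth" (re-authenticate at the OP);
# client id/secret, passphrase and the acr value "mfa" are placeholders.
OIDCProviderMetadataURL https://op.example.com/.well-known/openid-configuration
OIDCClientID            PLACEHOLDER-CLIENT-ID
OIDCClientSecret        PLACEHOLDER-CLIENT-SECRET
OIDCCryptoPassphrase    PLACEHOLDER-RANDOM-PASSPHRASE
# Relative redirect URI, supported as of this release
OIDCRedirectURI         /protected/redirect_uri
# Static per-provider scope and request params
OIDCScope               "openid email"
OIDCAuthRequestParams   prompt=login

# Baseline: any authenticated user may reach /protected
<Location /protected>
    AuthType openid-connect
    Require valid-user
</Location>

# Step-up: /protected/admin requires an "mfa" acr claim. If the existing
# session lacks it, "auth" sends the user back to the OP instead of a 403,
# with the per-path scope and acr_values added to the authorization request.
<Location /protected/admin>
    AuthType openid-connect
    OIDCUnAutzAction          auth
    OIDCPathScope             "admin"
    OIDCPathAuthRequestParams acr_values=mfa
    Require claim acr:mfa
</Location>
```

Check that the OP actually honours `acr_values` and returns `acr` in the ID token; otherwise the `Require claim` check loops the user back to the OP.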

Bugfixes

  • fix wrong return value for cache_file_set in the file cache backend (OIDCCacheType file); thanks Ernani Joppert Pontes Martins
  • fix cache fallback so it happens (when enabled) only after failure
  • fix potential crash on prefork process exit when used with Redis cache backend
  • don't assume that having OIDCCryptoPassphrase set means we should validate the config for
    AuthType openid-connect, since it can now also be used to encrypt (oauth20) cache entries
  • avoid decoding a JSON object and logging an error when the input is NULL,
    e.g. when claims have not been resolved because the userinfo endpoint is not set
  • make OIDCStripCookies work on AuthType oauth20 paths; closes #273; thanks Michele Danieli
  • avoid crash when the X-Forwarded-Proto header is not correctly set by a reverse proxy in front of mod_auth_openidc
  • fix parse function of OIDCRequestObject configuration option; thanks @suttod
  • avoid cleaning our own state cookie twice when it is expired
  • fix caching of provider configuration metadata URLs and JWKs URIs when using OIDCCacheType file

Other

  • improve error message in oidc_util_http_send when ap_pass_brigade fails and mention possible interference with mod_deflate
  • change warn log about missing token binding ID to debug log
  • improve documentation for OIDCCryptoPassphrase; closes #268
  • enable JQ-based claims expression matching when compiled from source; see #178
  • normalize cache backend logging

Packaging Notes

  • libcjose version 0.5.1 with a security fix was released and packaged here; the module remains backwards compatible with 0.4.1 (see also the cjose package renaming notes with 2.2.0)
  • CentOS 6 RPMs depend on libhiredis-0.12, e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/