release 2.3.4

zandbelt released this 27 Apr 12:22

· 985 commits to master since this release

Bugfixes

add Cache-Control no-cache response header to authorization requests to avoid replays of state/nonce from the browser's cache; see #321
avoid crash when a relative logout URL parameter is passed in; thanks Vivien Delenne
interpret X-Forwarded-Host when doing XSRF protection on the after-logout URL; see #341; thanks @PePe79
fix bug where endpoint authentication method private_key_jwt would not co-exist with none

Features

add support for passing an access token in a HTTP Basic authentication password; thanks @puiterwijk
add explicit endpoint authentication method bearer_access_token
send session management Javascript logging to debug; thanks @kerrermanisNL

Other

correct documentation on kid usage for OIDCOAuthVerifyCertFiles; closes #318
fix compiler warnings for OpenSSL 1.1.x

Packaging

the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise

Contributors

puiterwijk, kerrermanisNL, and PePe79

Assets 9