
release 2.4.13.1

@zandbelt zandbelt released this 10 Mar 13:16
· 352 commits to master since this release

Features

  • reduce the size of session and state cookies by about 35% by using zlib compression
  • add support for OP signed_jwks_uri with OIDCProviderSignedJwksUri <uri> <jwk>
    this allows for explicit configuration of OP verification keys in the way defined by OpenID Connect Federation without relying on default TLS based trust
  • allow setting minimum and maximum versions of TLS used in HTTPS calls via an environment variable, e.g.:
    SetEnvIfExpr true "CURLOPT_SSL_OPTIONS=CURL_SSLVERSION_TLSv1_3 CURL_SSLVERSION_MAX_TLSv1_3"

Bugfixes

  • do a sanity check on the individual size of claim values stored in the session, warn about blacklisting if > 8Kb
  • avoid (small) memory leak when using OpenSSL 3.x when setting public/private keys
    (over graceful restarts) in the config and/or importing JWKs with x5c specs
  • warn about incorrect configurations not setting OIDCCryptoPassphrase; see #1030
  • use deep-copy and cleanup functions for server and provider configs; fixes overriding server-level keys in vhost configs

Other

  • increase maximum allowed size of HTTP responses (e.g. from token endpoint) to 10Mb; see #998; thanks @mikehearn
  • don't pull JWKs on id_token verification when the id_token was signed with a symmetric key
  • don't immediately refresh JWKs from [signed_]jwks_uri if kid was not set in JWT, but try the cache first
  • SHM cache: increase default maximum number of active sessions from 500 to 2000
  • SHM cache: allow configuration of max 1Mb of session data for a single session
  • add optional, compile-time support for brotli compression of session and state cookies
  • move repo to OpenIDC Github organization
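The configuration knobs touched by this release (OIDCProviderSignedJwksUri, the CURLOPT_SSL_OPTIONS environment variable, OIDCCryptoPassphrase and the SHM cache limits) combined in one httpd virtual host, as an added example that is not part of these release notes or the project's sample config. The provider URLs, client credentials, passphrase and the JWK placeholder are assumptions; OIDCCacheShmMax and OIDCCacheShmEntrySizeMax are existing directives used here to express the new defaults explicitly.

```apache
# Added example (not from the release notes): hypothetical vhost protected by mod_auth_openidc 2.4.13.1
<VirtualHost *:443>
    ServerName rp.example.com

    # Standard RP settings (assumed values)
    OIDCProviderMetadataURL https://op.example.com/.well-known/openid-configuration
    OIDCClientID            rp-example-client
    OIDCClientSecret        REPLACE_WITH_CLIENT_SECRET
    OIDCRedirectURI         https://rp.example.com/protected/redirect_uri

    # 2.4.13.1 warns when this is not set explicitly: it encrypts session/state cookies
    # and cache entries, so set a long random value rather than relying on the default
    OIDCCryptoPassphrase    REPLACE_WITH_LONG_RANDOM_PASSPHRASE

    # New in 2.4.13.1: pin the OP's JWKS-signing key so key discovery from the
    # signed_jwks_uri does not depend on TLS trust alone (OpenID Connect Federation style).
    # The second argument is the OP's public JWK, placeholder shown here.
    OIDCProviderSignedJwksUri https://op.example.com/signed-jwks <JWK-JSON-PLACEHOLDER>

    # New in 2.4.13.1: bound the TLS versions curl may negotiate for outbound calls
    # (token endpoint, userinfo, JWKS). Value taken from the release notes.
    SetEnvIfExpr true "CURLOPT_SSL_OPTIONS=CURL_SSLVERSION_TLSv1_3 CURL_SSLVERSION_MAX_TLSv1_3"

    # SHM cache: new default of 2000 active sessions and up to 1 MB per session entry
    # (the entry size is given in bytes; adjust to your claim volume, the release also
    # warns when a single claim value exceeds 8Kb)
    OIDCCacheType           shm
    OIDCCacheShmMax         2000
    OIDCCacheShmEntrySizeMax 1048576

    <Location /protected/>
        AuthType  openid-connect
        Require   valid-user
    </Location>
</VirtualHost>
```

Validate with `apachectl configtest` after installing the package, which now pulls in zlib as a dependency.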

Packaging

  • added dependency on zlib package

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]