
release 2.4.15

zandbelt released this 09 Jan 11:55

The 2.4.15 release changes a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations; the previous behaviour can be restored as described below. Nevertheless it is recommended to update the environment to accommodate the new defaults.

New Defaults

  • use Proof Key for Code Exchange (PKCE S256) by default; disable by configuring OIDCPKCEMethod none
  • use SameSite cookies Strict by default; disable by configuring OIDCCookieSameSite Off
  • apply ISO-8859-1 (latin1) as default encoding mechanism for claim values passed in headers and environment variables to comply with https://www.rfc-editor.org/rfc/rfc5987; see #957; use OIDCPassClaimsAs <any> none for backwards compatibility
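As an added illustration of the PKCE S256 default above (example code written for this page, not the module's own C implementation), the following derives the RFC 7636 code_challenge the way a client such as mod_auth_openidc does, verifies it the way the authorization server's token endpoint does, and contrasts S256 with the RFC's weaker "plain" method to show why an observer of the front channel cannot redeem an intercepted authorization code under S256.

```python
import base64
import hashlib
import secrets


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """code_verifier: 43..128 unreserved chars; 32 random bytes give 43."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def code_challenge(verifier: str, method: str) -> str:
    """code_challenge sent in the authorization request.

    S256 (the 2.4.15 default) sends only SHA-256(verifier); 'plain' sends
    the verifier itself, so it offers no protection against anyone who can
    read the authorization request."""
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def server_verifies(stored_challenge: str, stored_method: str,
                    presented_verifier: str) -> bool:
    """Token-endpoint check: recompute the challenge from the presented
    verifier and compare in constant time with what was stored at
    authorization time."""
    expected = code_challenge(presented_verifier, stored_method)
    return secrets.compare_digest(expected, stored_challenge)


def observer_can_redeem(method: str) -> bool:
    """Simulate a passive observer who saw the authorization request
    (challenge + method) and the returned code, but not the client's
    verifier. Returns True if presenting what was observed succeeds."""
    verifier = make_code_verifier()                 # known only to the client
    challenge = code_challenge(verifier, method)    # visible on the front channel
    # The observer's best guess for the verifier is the challenge it saw.
    return server_verifies(challenge, method, challenge)


if __name__ == "__main__":
    print("plain redeemable by observer:", observer_can_redeem("plain"))
    print("S256 redeemable by observer:", observer_can_redeem("S256"))
```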

Bugfixes

  • restore backwards compatibility with respect to allowing parallel refresh token requests by default, and add an option to prevent that (for instance when rolling refresh tokens are in use) using the environment variable OIDC_PARALLEL_REFRESH_NOT_ALLOWED
  • do not apply logout_on_error and authenticate_on_error when a parallel refresh token request is detected; see #1132; thanks @esunke
  • fix SSL server certificate validation when revoking tokens and apply OIDCSSLValidateServer setting rather than OIDCOAuthSSLValidateServer in oidc_revoke_tokens; see #1141; thanks @mschmidt72
  • make sure the shm cache entry size OIDCCacheShmEntrySizeMax is a multiple of 8 bytes, see #1067; thanks @sanzinger
  • fix Redis connect retries and make it configurable through the environment variable OIDC_REDIS_MAX_TRIES

Features

  • add metrics collection/observability capability with OIDCMetricsData and OIDCMetricsPublish, see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Observability
  • generate or propagate the traceparent header on outgoing (and proxied) requests; the parent-id is tied to an 8-byte hash of the session or access token when available
  • retry failed outgoing HTTP requests and add options to configure it in OIDCHTTPTimeoutLong/OIDCHTTPTimeoutShort
  • improve error message in case of curl timeouts
  • add the capability to seamlessly roll over OIDCCryptoPassphrase using a (temporary) second value that holds the previous passphrase
  • add iat and exp claims to request objects; closes #1137
  • populate User-Agent header in outgoing HTTP requests with host, port, process-id, mod_auth_openidc, libcurl and OpenSSL version information and log it for debugging purposes

Other

  • return HTTP 500 on token refresh errors instead of HTTP 401
  • use only the User-Agent header as input for the state browser fingerprinting by default (no X-Forwarded-For)
  • remove obsolete support for Token Binding https://www.rfc-editor.org/rfc/rfc8471.html (id_token, access_token, session cookie)
  • use clang-format-17 for code formatting and reformat all code

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distros, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]