Releases: OpenIDC/mod_auth_openidc
Releases · OpenIDC/mod_auth_openidc
release 1.5.3
Bugs
- fix cache initialization/destroy leak
Features
- prevent JWE timing attacks on CEK
- check for open redirect on passed target_link_uri
- change target_uri parameter name to target_link_uri in IDP-init-SSO
- include client_id and scope values in resolved access_token (OAuth 2.0)
Other
- convert warning on claim evaluation to debug printout
- add note on restricting access to specific Google Apps domain(s)
Packaging
- add separate .deb packages for Debian Jessie/Ubuntu Trusty and Debian Wheezy
release 1.5.2
Bugs
- fix PF OAuth 2.0 RS functionality after upgrading to jansson
Features
- pass JSON objects in app HTTP headers as plain JSON
Other
- correct printout in hash comparison function and use apr_strnatcmp
- add more (JOSE) "unit" tests
- autoconf libapr and include test code in distribution
release 1.5.1
Packaging
- Changes to Debian packaging for 1.5.1-1 as uploaded to mentors.debian.org
Features
- support for 3rd-party initiated SSO as defined in the OpenID Connect core spec (section 4.)
- enable per-module logging for Apache 2.4
Documentation
- various corrections to README.md and auth_openidc.conf
release 1.5
Features
- change JSON parser from apr-json to jansson
NOTE: there's a new compilation and runtime dependency on libjansson now
so make sure to run ./autogen.sh/configure again when compiling - add warning/errors when configured hosts/domains do not match
Bugs
- fix claims-based authorization with integer values (@martinsrom)
- do not set Secure cookies on plain HTTP