release 1.5.3

Bugs

• fix cache initialization/destroy leak

Features

• prevent JWE timing attacks on CEK
• check for open redirect on passed target_link_uri
• change target_uri parameter name to target_link_uri in IDP-init-SSO
• include client_id and scope values in resolved access_token (OAuth 2.0)

Other

• convert warning on claim evaluation to debug printout
• add note on restricting access to specific Google Apps domain(s)

Packaging

• add separate .deb packages for Debian Jessie/Ubuntu Trusty and Debian Wheezy

release 1.5.2

Bugs

• fix PF OAuth 2.0 RS functionality after upgrading to jansson

Features

• pass JSON objects in app HTTP headers as plain JSON

Other

• correct printout in hash comparison function and use apr_strnatcmp
• add more (JOSE) "unit" tests
• autoconf libapr and include test code in distribution

release 1.5.1

Packaging

• Changes to Debian packaging for 1.5.1-1 as uploaded to mentors.debian.org

Features

• support for 3rd-party initiated SSO as defined in the OpenID Connect core spec (section 4.)
• enable per-module logging for Apache 2.4

Documentation

• various corrections to README.md and auth_openidc.conf

release 1.5

Features

• change JSON parser from apr-json to jansson
  NOTE: there's a new compilation and runtime dependency on libjansson now
  so make sure to run ./autogen.sh/configure again when compiling
• add warning/errors when configured hosts/domains do not match

Bugs

• fix claims-based authorization with integer values (@martinsrom)
• do not set Secure cookies on plain HTTP