release 2.4.15.1

The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.

Bugfixes

• fix Prometheus output overlap and re-organize metric/label naming; closes #1161; see #1162 and #1160; thanks @studersi
• fix OIDCCacheType file on Windows and use apr_file_rename() in file cache backend instead of rename() to fix Windows file renaming issue; thanks @adg-mh

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.15

The 2.4.15 release changes a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.

New Defaults

• use Proof Key for Code Exchange (PKCE S256) by default; disable by configuring OIDCPKCEMethod none
• use SameSite cookies Strict by default; disable by configuring OIDCCookieSameSite Off
• apply ISO-8859-1 (latin1) as default encoding mechanism for claim values passed in headers and environment variables to comply with https://www.rfc-editor.org/rfc/rfc5987; see #957; use OIDCPassClaimsAs <any> none for backwards compatibility

Bugfixes

• restore backwards compatibility wrt. allowing parallel refresh token requests by default, and add an option to prevent that (i.e. in case of rolling refresh tokens) using envvar OIDC_PARALLEL_REFRESH_NOT_ALLOWED
• do not apply logout_on_error and authenticate_on_error when a parallel refresh token request is detected see #1132; thanks @esunke
• fix SSL server certificate validation when revoking tokens and apply OIDCSSLValidateServer setting rather than OIDCOAuthSSLValidateServer in oidc_revoke_tokens; see #1141; thanks @mschmidt72
• make sure the shm cache entry size OIDCCacheShmEntrySizeMax is a multiple of 8 bytes, see #1067; thanks @sanzinger
• fix Redis connnect retries and make it configurable through environment variable OIDC_REDIS_MAX_TRIES

Features

• add metrics collection/observability capability with OIDCMetricsData and OIDCMetricsPublish, see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Observability
• generate or propagate the traceparent header on outgoing (and proxied) requests; ties the parent-id to the (8-byte hash of) the session or access token when available
• retry failed outgoing HTTP requests and add options to configure it in OIDCHTTPTimeoutLong/OIDCHTTPTimeoutShort
• improve error message in case of curl timeouts
• add capability to seamlessly rollover OIDCCryptoPassphrase using a (temporary) 2nd value that holds the previous one
• add iat and exp claims to request objects; closes #1137
• populate User-Agent header in outgoing HTTP requests with host, port, process-id, mod_auth_openidc, libcurl and OpenSSL version information and log it for debugging purposes

Other

• return HTTP 500 on token refresh errors instead of HTTP 401
• use only the User-Agent header as input for the state browser fingerprinting by default (no X-Forwarded-For)
• remove obsolete support for Token Binding https://www.rfc-editor.org/rfc/rfc8471.html (id_token, access_token, session cookie)
• use clang-format-17 for code formatting and reformat all code

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.14.4

Note that as of release 2.4.14 the use of OIDCHTMLErrorTemplate is deprecated and one should instead rely on standard Apache error handling capabilities, optionally customized through ErrorDocument. The environment variable strings REDIRECT_OIDC_ERROR and REDIRECT_OIDC_ERROR_DESC are available for display purposes.

Bugfixes

• fix OIDCRefreshAccessTokenBeforeExpiry when using it with logout_on_error or authenticate_on_error; see #1111; thanks @brandonk10
• improve behaviour when parallel refresh token grant requests occur on the same Apache server/host and rolling refresh tokens are issued; synchronize using a global refresh token lock and avoid corrupting the session by storing/overwriting an expired refresh token
• fix memory leak in oidc_refresh_token_grant: free the parsed id_token if returned from the token endpoint
• avoid potential process lifetime memory leak when mutex lock/unlock fails

Performance

• store userinfo refresh interval in session to avoid parsing Provider JSON metadata on each request
• fix performance issue with latin1 encoding when using OIDCPassClaimsAs <any> latin1 with large claim values
• skip re-validating cached provider metadata
• use process based locking for Redis caching instead of global locking

Features

• add options for authentication to OIDCOutgoingProxy; thanks @drzraf; see #1107
• add support for custom preserve/restore POST data templates with OIDCPreservePostTemplates to be used when OIDCPreservePost is set to On; the hard-coded internal templates are added to the test directory as an example; closes #195 (yeah...); thanks @kerrermanisNL and @spiazzi

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.14.3

Note that as of release 2.4.14 the use of OIDCHTMLErrorTemplate is deprecated and one should instead rely on standard Apache error handling capabilities, optionally customized through ErrorDocument. The environment variable strings REDIRECT_OIDC_ERROR and REDIRECT_OIDC_ERROR_DESC are available for display purposes.

Bugfixes

• fix session updates on userinfo requests; see #1077; this bug was introduced in v2.4.11 with d9fff15; thanks @adenix

Features

• add OIDCPassAccessToken Off option to disable (the default of) passing the access token and its expiry in the OIDC_access_token/OIDC_access_token_expires header/environment variables; thanks @mattias-asander
• allow relative values in OIDCDefaultURL and OIDCDefaultLoggedOutURL
• support authenticate_on_error 2nd parameter value in OIDCRefreshAccessTokenBeforeExpiry to re-authenticate the user when refreshing the access token fails see: #1084; thanks @xrammit
• add logout_on_error and authenticate_on_error 2nd parameter option to OIDCUserInfoRefreshInterval
• add support for adding extra parameters to the Logout Request to the OP with OIDCLogoutRequestParams see: #1096; thanks @smarsching

Other

• add a sanity alg/enc check on internal self-encrypted AES GCM JWTs
• increase performance of JQ filtering by caching JQ filtering results; default cache ttl is 10 min, configured through environment variable OIDC_JQ_FILTER_CACHE_TTL

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.14.2

Note that as of release 2.4.14 the use of OIDCHTMLErrorTemplate is deprecated and one should instead rely on standard Apache error handling capabilities, optionally customized through ErrorDocument. The environment variable strings REDIRECT_OIDC_ERROR and REDIRECT_OIDC_ERROR_DESC are available for display purposes.

Bugfixes

• fix OIDCUnAutzAction auth step up authentication - which in 2.4.14.1 would only work with an SSI enabled ErrorDocument - by reverting all 401/403/302/step up behaviour to <= 2.4.13.2; this re-introduces the limitation for step up authentication being restricted to a single Require or a RequireAll statement
• avoid using encryption keys as signing keys for request objects and private_key_jwt token endpoint auth

Features

• add support for extend_session=false query parameter to the info hook to avoid extending the session on calls to the info hook

Other

• log the first Redis error as a warning before retrying

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.14.1

Note that as of release 2.4.14 the use of OIDCHTMLErrorTemplate is deprecated and one should instead rely on standard Apache error handling capabilities, optionally customized through ErrorDocument. The environment variable strings REDIRECT_OIDC_ERROR and REDIRECT_OIDC_ERROR_DESC are available for display purposes.

Bugfixes

• fix RequireAny behaviour on 401/403/302: revert 9d6192b for non-stepup authentication cases
  as the first non-matching Require claim directive would immediately lead to an authorization error instead of continuing to process all Require statements to match any of those
• make OIDCUnautzAction 302|auth (i.e. step up authentication) work with multiple/nested Require claim expressions e.g. using RequireAny and Require not claim
• fix refreshing claims from the userinfo endpoint when no id_token claims are stored in the session since environment variable OIDC_DONT_STORE_ID_TOKEN_CLAIMS_IN_SESSION has been set
• fix memory leak when refreshing claims from the userinfo endpoint

Other

• to make OIDCUnAutzAction 403 actually return 403 in Apache 2.4 it also needs AuthzSendForbiddenOnFailure again, i.e. the fix in 2.4.14 for it was reverted

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.14

Deprecated

• OIDCHTMLErrorTemplate is now deprecated in favour of standard Apache error handling capabilities; the environment variable strings REDIRECT_OIDC_ERROR and REDIRECT_OIDC_ERROR_DESC have been made available for use in ErrorDocument, see: https://httpd.apache.org/docs/2.4/custom-error.html; backwards compatibility is retained by setting OIDCHTMLErrorTemplate deprecated

Bugfixes

• fix session cookie decompression error with OIDCSessionType client-cookie; closes #1046; thanks @oss-aimoto
• properly respect use attribute (i.e. sig and enc) in signing, verification and encryption JWK sets
• don't immediately refresh of JWKs from (signed)_jwks_uri if kid was not set in JWT header, but lookup in the cache first
• return HTTP 40<x> instead of HTTP 200 on all authorization) error responses
• make sure mod_auth_openidc runs before mod_proxy so calls to the redirect URI are never proxied and no separate <Location> directive or ProxyPass exception for OIDCRedirectURI is required (anymore) in proxied configs
• return the OP Discovery page in the content handler phase so regular Apache processing applies to the HTTP/HTML response
• fix memory leak when using JQ-based expressions in Require claims_expr
• OIDCUnAutzAction auth for stepup authentication now immediately returns a HTTP 302 instead of a HTTP 200 HTML page with a meta refresh tag and a Location header (reverted >= 2.4.14)
• fix OIDCUnAutzAction 403 so it does not rely on AuthzSendForbiddenOnFailure to return HTTP 403, see #795 (reverted >= 2.4.14)
• fix crash when using a multi-provider setup and Provider has signed_jwks_uri set but the conf file does not define signed_jwks_uri_key
• correct return value from oidc_cache_shm_destroy to avoid misleading "cache destroy function failed" error messages
• preserve linefeeds in text areas used with OIDCPreservePost On
• add resilience for corrupted discovery metadata and jwks_uri cache entries
• cater for libapr/libapr-util version 1.2.x

Features

• use compressed serialized JSON for encrypted state- and session cookies and cache entries, reducing their size; thanks @hihellobolke
• support configuration of dedicated signing and encryption keys in the primitives:
  OIDCPublicKeyFiles, OIDCPrivateKeyFiles, OIDCProviderVerifyCertFiles, OIDCOAuthVerifySharedKeys and OIDCOAuthVerifyCertFiles by using the prefix sig: or enc: in the value
• add support for passing on claims resolved from the userinfo endpoint in a JWT signed by mod_auth_openidc using OIDCPassUserInfoAs signed_jwt[:<name>] with an RSA or Elliptic Curve key
• add OIDCFilterClaimsExpr that allows for processing claims before storing them in the session, after applying (optional) blacklisting/whitelisting on the toplevel keys; available only when compiled with libjq support
• add support for OIDCUserInfoClaimsExpr that allows for processing claims returned from the userinfo endpoint with a JQ-based expression before propagating them according to OIDCPassUserInfoAs claims | json | signed_jwt (ie. does not work for OIDCPassUserInfoAs jwt); available only when compiled with libjq support
• allow OIDCPassUserInfoAs and OIDCPassIDTokenAs directives in <Location>/<Directory> contexts; also fixes resetting back to claims in vhosts for the latter
• add support for overriding the default header/environment variable names in OIDCPassUserInfoAs (json|jwt)[:<name>]
• support calling the refresh token grant before doing RP-initiated logout; may be used to supply a (fresh or non-cached) id_token_hint logout request parameter
• add options to avoid revoking tokens before logout as some OPs may kill their SSO session that would make subsequent logout fail
• add support for returning the serialized id_token as id_token_hint from the info hook
• increase default OIDCCacheShmMax setting to 10000
• add exec support to OIDCClientSecret; see #1056; thanks @sealor

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.13.2

Security

• CVE-2023-28625: prevent core dump when OIDCStripCookies is set and a crafted Cookie header is supplied
  GHSA-f5xw-rvfr-24qr
• fix code scanning alerts from 2 code scanning tools all over the place

Features

• add support for Elliptic Curve signing/encryption keys in addtiion to RSA keys,
  i.e. client keys configured in OIDCPrivateKeyFiles/OIDCPublicKeyFiles, published on OIDCClientJwksUri
  and used in private_key_jwt authentication, encrypted id_token's, request objects/uri's,
  but also statically configured provider keys in OIDCOAuthVerifyCertFiles and OIDCProviderVerifyCertFiles
• record authorization errors in environment variable OIDC_AUTHZ_ERROR
  so its value can be used in logs e.g. with HTTP 401 responses in the access log:
  LogFormat "%h %l %u %t %U %401{OIDC_AUTHZ_ERROR}e %>s %b" combined
  also log authorization errors with oidc_debug instead of oidc_info

Bugfixes

• fix for omitting the kid# prefix in OIDCPublicKeyFiles/OIDCPrivateKeyFiles and other certificate configuration primitives when linked against OpenSSL <= 1.0.x
• allow target_link_uri's without a path in 3rd-party-init SSO with a multi-provider setup
• correct cookie path printout in error log when target_link_uri does not match OIDCCookiePath

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.13.1

Features

• reduce the size of session and state cookies with about 35% by using zlib compression
• add support for OP signed_jwks_uri with OIDCProviderSignedJwksUri <uri> <jwk>
  this allows for explicit configuration of OP verification keys in the way defined by OpenID Connect Federation without relying on default TLS based trust
• allow setting minumum and maximum versions of TLS used in HTTPs calls via an environment variable e.g.:
  SetEnvIfExpr true "CURLOPT_SSL_OPTIONS=CURL_SSLVERSION_TLSv1_3 CURL_SSLVERSION_MAX_TLSv1_3"

Bugfixes

• do a sanity check on the individual size of claim values stored in the session, warn about blacklisting if > 8Kb
• avoid (small) memory leak when using OpenSSL 3.x when setting public/private keys
  (over graceful restarts) in the config and/or importing JWKs with x5c specs
• warn about incorrect configurations not setting OIDCCryptoPassphrase; see #1030
• use deep-copy and cleanup functions for server and provider configs; fixes overriding server-level keys in vhost configs

Other

• increase maximum allowed size of HTTP responses (e.g. from token endpoint) to 10Mb; see #998; thanks @mikehearn
• don't pull JWKs on id_token verification when the id_token was signed with a symmetric key
• don't immediately refresh JWKs from [signed_]jwks_uri if kid was not set in JWT, but try the cache first
• SHM cache: increase default maximum number of active sessions from 500 to 2000
• SHM cache: allow configuration of max 1Mb of session data for a single session
• add optional - compile time support - for brotli compression of session and state cookies
• move repo to OpenIDC Github organization

Packaging

• added dependency on zlib package

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.13

superseded by 2.4.13.1