
Releases: OpenIDC/mod_auth_openidc

release 2.4.12.3

23 Jan 19:05

Features

  • add OIDCProviderVerifyCertFiles option to statically configure ID token validation keys; see #989; thanks @madsfreek

Bugfixes

  • fix Apache shutdown/restart bug when OIDCOAuthVerifyCertFiles is configured, where the configured cert(s) would be cast to apr_hash_t instead of apr_array_header_t on shutdown/restart; see #990; thanks @bommo1

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.12.2

14 Dec 09:07

Security

  • CVE-2022-23527: prevent open redirect in default setup when OIDCRedirectURLsAllowed is not configured
    see: GHSA-q6f2-285m-gr53

Features

  • allow overriding the type of lock used at compile time with OIDC_LOCK

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.12.1

15 Nov 14:29

Bugfixes

  • switch to using apr_generate_random_bytes instead of apr_uuid_get to generate session identifiers so there's no longer a (rather implicit) dependency on a libapr that is compiled against libuuid on Linux platforms; see #431, #603 and #694; thanks @amitnarang28
  • fix cache file backend: delete the correct file upon logout; closes #955; thanks @damisanet
  • fix cleanup of semaphores on graceful restarts; see #522, closes #458
  • fix OIDCProviderMetadataRefreshInterval, which was interpreted in microseconds instead of the documented and intended seconds; setting it to a value in seconds would effectively turn off caching and pull the configuration document on each request
  • define APLOG_TRACE1 if it does not exist
  • correct ap_hook_insert_filter function signature in stub.c, part 3; see #784
  • fixed printout of cache mutex errors in cache/common.c
  • prefer APR_LOCK_POSIXSEM over APR_LOCK_DEFAULT in apr_global_mutex_create which is apparently required for (some) ARM based builds
  • fix potential memory leak in proto.c when oidc_util_create_symmetric_key fails
  • fix potential memory leak in proto.c when oidc_proto_validate_access_token fails (at_hash validation)

Features

  • add option to use ISO-8859-1 encoding for propagated claim values by adding latin1 option to OIDCPassClaimsAs <> latin1; see #957; thanks @nvchaudhari1991
    Note that the encoding options, including the existing "base64url", now apply to both headers and environment variables

Packaging

  • packages for CentOS 9, Debian Bookworm and Ubuntu Jammy have been added
  • the (commercially provided) Windows 64bit/32bit builds now include support for Memcache and Redis

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.12

17 Oct 10:04

Release 2.4.12 was (re-)certified for all OpenID Connect Relying Party conformance profiles using the OpenID Foundation's certification suite: https://openid.net/certification/#RPs.

Features

  • allow storing the id_token in a client-cookie based session so that it can be used as id_token_hint value in a logout request later; see #812 and #888
  • allow setting connection pool parameters for Memcache server connections; see #916; thanks @rpluem-vf
  • add option to set a username for Redis >= 6.x ACL authentication via OIDCRedisCacheUsername
  • register request_object_signing_alg in dynamic client registration when using request_uri

Bugfixes

  • increase size of the output buffer when using libpcre2 for substitution; closes #915
  • support OIDCSessionInactivityTimeout values greater than 30 days when using Memcache; see #936, thanks @takesson
  • allow for step-up discovery with an external URL using HTML refresh; fixes behaviour on CentOS 7/8 when combined with ProxyPass
  • apply exact length matching for at_hash and c_hash validation
  • store access token obtained from backchannel in session over the one returned in the frontchannel for code token and code id_token token flows
  • check ID token signed response algorithm on backchannel logout_token and retrieve its configuration value from the client metadata file

Packaging

  • packages for CentOS 9, Debian Bookworm and Ubuntu Jammy have been added
  • the (commercially provided) Windows 64bit/32bit builds now include support for Memcache and Redis

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.11.3

23 Aug 11:36

Note that as of release 2.4.11, running mod_auth_openidc behind a reverse proxy that sets X-Forwarded-* headers requires explicit configuration of OIDCXForwardedHeaders before mod_auth_openidc will interpret those headers; existing configurations that relied on the previous behaviour may break unless updated.

Bugfixes

  • avoid memory leak when using PCRE2 regular expressions with array matching; closes #902; thanks @smanolache
  • avoid memory leak when cjose_jws_get_plaintext fails; closes #903; thanks @smanolache
  • fix handling of IPv6 based logout URLs; thanks @codemaker219

Features

  • use optionally provided sid and iss request parameters during front channel logout; see #855; thanks @rpluem-vf
  • support Forwarded header in addition to X-Forwarded-*; see #853; thanks @studersi

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.11.2

05 May 08:17

Note that as of release 2.4.11, running mod_auth_openidc behind a reverse proxy that sets X-Forwarded-* headers requires explicit configuration of OIDCXForwardedHeaders before mod_auth_openidc will interpret those headers; existing configurations that relied on the previous behaviour may break unless updated.

Features

  • add support for Apache expressions in OIDCPathAuthRequestParams and OIDCPathScope; see #594

Bugfixes

Other

  • don't strip the header from encrypted JWTs as future versions of cjose may use compact encoding for JWEs; this slightly increases the size of state cookies, by-value session cookies and encrypted cache contents again, at the benefit of forward cjose compatibility

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.11.1

29 Mar 16:29

Note that as of release 2.4.11, running mod_auth_openidc behind a reverse proxy that sets X-Forwarded-* headers requires explicit configuration of OIDCXForwardedHeaders before mod_auth_openidc will interpret those headers; existing configurations that relied on the previous behaviour may break unless updated.

Bugfixes

  • fix OIDCUnAuthAction pass not passing claims for authenticated users, see #790, thanks @cm0s
  • fix race conditions in the file cache backend, see #777, thanks @dbakker and @blackwhiser1
  • fix memory leaks over graceful restarts, see #823 and #824, thanks @smanolache
  • avoid using %llu print formatter and switch to %lu for unsigned long so it works cross platform
  • add a check to make sure URLs do not contain unencoded Unicode characters, see #796, thanks @cnico

Features

  • warn about mismatch between incoming X-Forwarded-* headers and OIDCXForwardedHeaders configuration
  • add support for OpenSSL 3.0

Other

  • remove test-cmd jwk2cert command
  • correct ap_hook_insert_filter function signature in stub.c, part 2, closes #784, thanks @stroeder
  • add Valgrind Github action

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4 and Mac OS X are available under a commercial agreement via [email protected]
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.11

26 Jan 17:00

Note that as of this release, running mod_auth_openidc behind a reverse proxy that sets X-Forwarded-* headers requires explicit configuration of OIDCXForwardedHeaders before mod_auth_openidc will interpret those headers; existing configurations that relied on the previous behaviour may break unless updated.

Bugfixes

  • fix use of regular expressions in Require statements
  • no longer defer multi-OP Discovery to the content handler to allow RequireAll and Require not directives in multi-OP setups; closes #775; thanks @rajeevn1
  • improve handling of session duration expiry when combined with OIDCUnAuthAction pass or Discovery; see #778
  • terminate on startup when the crypto passphrase generated by exec: is empty; see #767
  • allow authorization on info requests, see #746
  • avoid debug printout of payload as header when the latter is stripped
  • fix race condition in file cache backend reading truncated files under load; see #777; thanks @dbakker

Features

  • make interpretation of X-Forwarded-* headers configurable, defaulting to none so mod_auth_openidc running behind a reverse proxy that sets X-Forwarded-* headers needs explicit configuration of OIDCXForwardedHeaders
  • make X-Frame-Options header returned on OIDC front-channel logout requests configurable through OIDCLogoutXFrameOptions; closes #464
  • add x5t to JWT header in private_key_jwt client assertions; for interop with Azure AD; see #762; thanks @juur
  • improve detection of suspicious redirect URLs; add test list
  • add administrative session revocation capability via <redirect_uri>?revoke_session=<sessionid>
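The following is an added illustration of the proxy-header behaviour described in this release (X-Forwarded-* interpretation off by default and only enabled by explicit configuration), in 2.4.11.1 (warning on a mismatch between received and configured headers) and in 2.4.11.3 (the RFC 7239 Forwarded header). It is not mod_auth_openidc's own code: the function names, the `configured` list standing in for an OIDCXForwardedHeaders-style setting, the rule that a forwarded host without a port means the scheme's default port, and the sample request headers are all this example's assumptions.

```python
from typing import Dict, Iterable, List, Mapping, Tuple

DEFAULT_PORTS = {"http": 80, "https": 443}
FORWARDING_HEADERS = ("forwarded", "x-forwarded-host", "x-forwarded-port", "x-forwarded-proto")


def parse_forwarded(value: str) -> Dict[str, str]:
    """Parse one RFC 7239 Forwarded element, e.g. 'for=203.0.113.9;host=app.example.com;proto=https'."""
    out: Dict[str, str] = {}
    for pair in value.split(";"):
        key, sep, val = pair.partition("=")
        if sep:
            out[key.strip().lower()] = val.strip().strip('"')
    return out


def external_url(headers: Mapping[str, str], configured: Iterable[str], local_scheme: str,
                 local_host: str, local_port: int, path: str) -> Tuple[str, List[str]]:
    """Reconstruct the URL the client used, honouring proxy headers only when configured.

    `configured` lists the forwarding headers the operator trusts the reverse proxy to
    set (an OIDCXForwardedHeaders-style setting). With the default (none configured) a
    request arriving directly cannot rewrite its own host or scheme. Returns
    (url, warnings); one warning per forwarding header that was received but is not
    configured. IPv6 literal hosts are not handled in this illustration.
    """
    # only the first element of a comma-separated header value is considered
    norm = {k.lower(): v.split(",", 1)[0].strip() for k, v in headers.items()}
    cfg = {h.lower() for h in configured}
    warnings = [f"{h} present in request but not configured; ignored"
                for h in FORWARDING_HEADERS if h in norm and h not in cfg]

    def use(h: str) -> bool:
        return h in cfg and h in norm

    scheme, host, port, host_forwarded = local_scheme, local_host, local_port, False
    if use("forwarded"):
        fwd = parse_forwarded(norm["forwarded"])
        scheme = fwd.get("proto", scheme)
        if "host" in fwd:
            host, host_forwarded = fwd["host"], True
    if use("x-forwarded-proto"):
        scheme = norm["x-forwarded-proto"]
    if use("x-forwarded-host"):
        host, host_forwarded = norm["x-forwarded-host"], True
    scheme = scheme.lower()
    hostname, _, hostport = host.partition(":")
    if use("x-forwarded-port"):
        port = int(norm["x-forwarded-port"])
    elif hostport:
        port = int(hostport)
    elif host_forwarded:
        # assumption of this example: a forwarded host without an explicit port
        # means the scheme's default port, not the backend's listening port
        port = DEFAULT_PORTS.get(scheme, port)
    authority = hostname if DEFAULT_PORTS.get(scheme) == port else f"{hostname}:{port}"
    return f"{scheme}://{authority}{path}", warnings


if __name__ == "__main__":
    # constructed request: backend listens on plain HTTP port 8080, TLS terminated upstream
    sample = {"X-Forwarded-Host": "app.example.com", "X-Forwarded-Proto": "https"}
    print(external_url(sample, [], "http", "10.0.0.5", 8080, "/protected"))
    print(external_url(sample, ["X-Forwarded-Host", "X-Forwarded-Proto"], "http", "10.0.0.5", 8080, "/protected"))
```

With nothing configured the first call yields the backend's own `http://10.0.0.5:8080/protected` plus two warnings, which is what makes a redirect_uri mismatch at the Provider easy to diagnose; only the second call, with the headers explicitly trusted, produces the public `https://app.example.com/protected`.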

Packaging

  • add support for libpcre2; see #740
  • add AM_PROG_CC_C_O to configure.ac (at least for RHEL 7.7); see #765; thanks @bitmagewb
  • include <openssl/bn.h> in jose.c to compile with OpenSSL 1.0.x
  • install taking into account DESTDIR; see #674; thanks @alerque

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4 and Mac OS X are available under a commercial agreement via [email protected]
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.10

10 Nov 13:32

This release improves prevention of state cookies piling up (e.g. for Single Page Applications) by interpreting the Sec-Fetch-* headers provided by modern browsers. This also means that, by default, authentication in an iframe is prevented, which may impact existing deployments.

Features

  • add check for Sec-Fetch-Dest header != "document" value and Sec-Fetch-Mode header != "navigate" to auto-detect requests that are not capable of handling an authentication round trip to the Provider; see #714; thanks @studersi
  • add redirect/text options to OIDCUnAutzAction; see #715; thanks @chrisinmtown
  • log require claims failure on info level
  • backport ap_get_exec_line, supporting the exec: option in OIDCCryptoPassphrase to Apache 2.2
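As an added illustration of the Sec-Fetch check described above (not mod_auth_openidc's own code), the function below applies the stated rule to constructed request headers. Reading the note so that either a Sec-Fetch-Dest other than "document" or a Sec-Fetch-Mode other than "navigate" disqualifies a request is this example's interpretation; so is treating requests without Fetch Metadata as capable, and the `unauthenticated_action` helper and its return strings are assumed names.

```python
from typing import Mapping

# Constructed sample requests for the demo (not captured from a real deployment).
SAMPLE_REQUESTS = {
    "top-level navigation": {"Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate"},
    "SPA fetch() call":     {"Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors"},
    "page in an iframe":    {"Sec-Fetch-Dest": "iframe", "Sec-Fetch-Mode": "navigate"},
    "legacy client":        {"User-Agent": "legacy-http-client/1.0"},
}


def can_handle_auth_roundtrip(headers: Mapping[str, str]) -> bool:
    """True when the request could complete a redirect to the Provider and back.

    A Sec-Fetch-Dest other than "document" or a Sec-Fetch-Mode other than
    "navigate" marks the request as unable to handle the round trip (an XHR or
    fetch() call would only pile up state cookies, and an iframe navigation
    has dest=iframe, which is what blocks authentication in an iframe).
    Requests carrying neither header (non-browser or older clients) are
    assumed capable so they keep the previous behaviour.
    """
    # header names are case-insensitive; Fetch Metadata values are lowercase tokens
    norm = {k.lower(): v.strip().lower() for k, v in headers.items()}
    dest = norm.get("sec-fetch-dest")
    mode = norm.get("sec-fetch-mode")
    if dest is None and mode is None:
        return True
    if dest is not None and dest != "document":
        return False
    if mode is not None and mode != "navigate":
        return False
    return True


def unauthenticated_action(headers: Mapping[str, str], configured_action: str = "auth") -> str:
    """Decide what to do with an unauthenticated request.

    "auth" starts the round trip by redirecting to the Provider, but only for
    requests that can finish it; everything else gets a 401 so that no state
    cookie is created. Any other configured action (e.g. "pass" or "401", as
    an OIDCUnAuthAction-style setting would express it) is applied unchanged.
    """
    if configured_action != "auth":
        return configured_action
    return "redirect-to-provider" if can_handle_auth_roundtrip(headers) else "401"


if __name__ == "__main__":
    for name, hdrs in SAMPLE_REQUESTS.items():
        print(f"{name:22s} -> {unauthenticated_action(hdrs)}")
```

The iframe case is the one that changes behaviour for existing deployments: its Sec-Fetch-Mode is "navigate", so only the Sec-Fetch-Dest test catches it.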

Bugfixes

  • return HTTP 200 for OPTIONS requests in auth-openidc mixed mode
  • don't apply claims based authorization for OPTIONS requests so paths protected with Require claim directives will now also return HTTP 200 for OPTIONS requests
  • fix memory leak when parsing JWT access token fails (in RS mode)
  • fix regexp substitution crash when using OIDCRemoteUserClaim; thanks @nneul; closes #720

Packaging

  • complete usage of autoconf/automake; see #674
  • add .deb for Debian Bullseye

Commercial

  • binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via [email protected]
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.9.4

03 Sep 08:46

Security

  • prevent open redirect by applying OIDCRedirectURLsAllowed setting to target_link_uri; closes #672; thanks @Meheni
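The open-redirect fixes in this release (applying the OIDCRedirectURLsAllowed allowlist to target_link_uri), in 2.4.12.2 (CVE-2022-23527, a safe default when no allowlist is configured) and the suspicious-URL and unencoded-Unicode checks in 2.4.11 and 2.4.11.1 all come down to validating a redirect target before honouring it. The block below is an added illustration of that validation, not mod_auth_openidc's own code: the REDIRECT_URI value, the function names, full-match semantics for allowlist patterns, and the default policy (only a path on this host or an absolute URL with the same scheme and host as the redirect URI) are this example's assumptions.

```python
import re
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed value for the demo: the application's own redirect URI.
REDIRECT_URI = "https://app.example.com/protected/redirect_uri"


def looks_suspicious(url: str) -> bool:
    """Reject URL shapes that browsers interpret differently from a naive parser."""
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in url):
        return True                      # control characters or unencoded Unicode
    if "\\" in url:
        return True                      # browsers treat a backslash as a slash
    if url.startswith("//"):
        return True                      # scheme-relative URL resolves to another host
    if "@" in urlsplit(url).netloc:
        return True                      # userinfo before the real host
    return False


def is_allowed_redirect(target: str, allowed_patterns: Optional[Iterable[str]] = None) -> bool:
    """Validate a target_link_uri before redirecting to it.

    With an allowlist (OIDCRedirectURLsAllowed-style regular expressions) the
    target must fully match one entry. Without one, this example's default
    policy accepts only a path on this host or an absolute URL with the same
    scheme and host as REDIRECT_URI, so an unconfigured deployment does not
    become an open redirector.
    """
    if looks_suspicious(target):
        return False
    if allowed_patterns:
        return any(re.fullmatch(p, target) for p in allowed_patterns)
    t = urlsplit(target)
    if not t.scheme and not t.netloc:
        return target.startswith("/")    # relative path, stays on this host
    me = urlsplit(REDIRECT_URI)
    return (t.scheme.lower(), t.netloc.lower()) == (me.scheme, me.netloc)


if __name__ == "__main__":
    # constructed targets: what a target_link_uri parameter might carry
    for candidate in ("/dashboard", "https://app.example.com/dashboard",
                      "https://other.example.net/", "//other.example.net/",
                      "https://app.example.com@other.example.net/", "/dash\u00e9board"):
        print(f"{candidate!r:48s} allowed={is_allowed_redirect(candidate)}")
```

Running the block shows that only the first two candidates pass the default policy; the remaining four are exactly the shapes an allowlist check on the host alone can miss, which is why the structural checks run before the pattern match.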

Bugfixes

  • don't apply authz in discovery process; fixes step up authentication when combined with Discovery

Dependencies

  • libcjose >= 0.5.1

Commercial

  • binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via [email protected]
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]