Releases: OpenIDC/mod_auth_openidc
release 2.3.9
Bugfixes
- ignore/trim spaces in `X-Forwarded-*` headers
- fix OAuth 2.0 RS config check when just `OIDCOAuthServerMetadataURL` is set; thanks @psteniusubi
- fix parsing of cookie name in `OIDCOAuthAcceptTokenAs` when the `cookie` option is not listed last
Features
- support backchannel logout according to: https://openid.net/specs/openid-connect-backchannel-1_0.html
- deal with forwarding proxy setups; see #395 ; thanks @archzone
- support nested arrays in Require claim authorization evaluation; see #392; thanks @hpbieker
- support Token Binding for Access Tokens according to: https://tools.ietf.org/html/draft-ietf-oauth-token-binding
- add support for draft https://www.ietf.org/id/draft-ietf-oauth-mtls-12.txt: OAuth 2.0 Mutual TLS Client Certificate Bound Access Tokens when running as an OAuth 2.0 RS, validating `cnf["x5t#S256"]` claims
Other
- add `test-cmd` command to generate hashed base64url-encoded inputs (i.e. for `cnf`/`tbh` claims)
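As an added illustration of the `cnf["x5t#S256"]` check introduced above and of what the `test-cmd` helper hashes (this is example code, not code from mod_auth_openidc): the thumbprint is base64url(SHA-256(DER certificate)) without padding, and a resource server compares it against the `cnf` claim after the token's signature has already been verified. The certificate bytes, payloads and function names are constructed for the example.

```python
import base64
import hashlib
import hmac

def x5t_s256(cert_der: bytes) -> str:
    """Certificate thumbprint as carried in cnf["x5t#S256"]:
    base64url encoding (no '=' padding) of SHA-256 over the DER bytes."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def check_certificate_binding(payload: dict, client_cert_der) -> str:
    """Decide whether an access token may be used with the presented mTLS client cert.

    `payload` is the already signature-verified JWT payload (or introspection
    response) as a dict; `client_cert_der` is the DER of the certificate the
    client authenticated with on this TLS connection, or None if none was presented.
    Returns "unbound", "bound" or "rejected" (hypothetical helper, constructed here)."""
    cnf = payload.get("cnf")
    if cnf is None:
        return "unbound"      # plain bearer token: no sender constraint to enforce
    if not isinstance(cnf, dict):
        return "rejected"     # malformed confirmation claim
    expected = cnf.get("x5t#S256")
    if not isinstance(expected, str):
        return "rejected"     # cnf present but not a confirmation method handled here
    if client_cert_der is None:
        return "rejected"     # token is cert-bound but no client cert on this connection
    actual = x5t_s256(client_cert_der)
    # constant-time comparison on bytes; a mismatch means the token was bound
    # to a different certificate than the one presented
    if hmac.compare_digest(expected.encode("utf-8"), actual.encode("ascii")):
        return "bound"
    return "rejected"

if __name__ == "__main__":
    # constructed stand-in for DER bytes; a real RS takes them from the TLS layer
    cert = b"constructed-der-bytes-1"
    token = {"sub": "alice", "cnf": {"x5t#S256": x5t_s256(cert)}}
    print(check_certificate_binding(token, cert))
```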
Packaging
- the libcjose >= 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
- Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
release 2.3.8
Bugfixes
- fix return result FALSE when JWT payload parsing fails; see #389; thanks @amdonov
- fix reading access_token from POST parameters when combined with `AuthType auth-openidc`; see #376; thanks Nicolas Salerno
- fix using access token as endpoint auth method in introspection calls; closes #377; thanks @skauffmann
Features
- add option to set an upper limit to the number of concurrent state cookies via `OIDCStateMaxNumberOfCookies`; see #331
- make the default maximum number of parallel state cookies 7 instead of unlimited; see #331
- improve auto-detection of XMLHttpRequests via the `Accept` header; see #331
- allow usage with LibreSSL; closes #380; thanks @hihellobolke
Other
- initialize `test_proto_authorization_request` properly; see #382; thanks @jdennis
- add sanity check on `provider->auth_request_method`; closes #382; thanks @jdennis
- add LGTM code quality badges; see #385; thanks @xcorail
Packaging
- the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
- Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
release 2.3.7
You are strongly advised to upgrade to 2.3.7 when using Redis caching across multiple vhosts in the same Apache server.
Bugfixes
- fix Redis concurrency issue when used with multiple vhosts which would lead to cache corruption and random cache entry swaps
- clear session cookie and contents if cache corruption is detected to avoid looping
- abort when string length for remote user name substitution is >=255 characters (e.g. in Distinguished Names) and deal with lengths >50
Features
- add support for authorization server metadata Discovery documents with `OIDCOAuthServerMetadataURL` in OAuth 2.0 Resource Server setups as specified in RFC 8414
Packaging
- the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
- Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
release 2.3.6
Bugfixes
- avoid using pipelining for Redis since it produces unreliable results with some Redis implementations (i.e. AWS ElastiCache Redis in clustered mode)
- fix buffer overflow in shm cache key set strcpy; thanks @kyprizel
- avoid memory leak in `redis` cache backend when an error occurs authenticating to a Redis server
Other
- add check to detect session cache corruption for server-based caches
- add check to detect (static) metadata cache corruption
- explicitly set `kid` in encrypted request object; ensures compatibility with `cjose` >= 0.6.0
- turn missing session_state from warning into a debug statement; do not clutter logs
- send `Basic` header in OAuth 2.0 `www-authenticate` response if Basic auth is the only accepted method (instead of Bearer); thanks @puiterwijk
Packaging
- the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
- Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
release 2.3.5
Bugfixes
- avoid values that are too long in shm cache key construction; thanks @kyprizel
- fix encoding of preserved POST data; see #338; thanks @timpuri
Other
- compile with LibreSSL; closes #358; thanks @hihellobolke
Packaging
- the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
- Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
release 2.3.4
Bugfixes
- add `Cache-Control no-cache` response header to authorization requests to avoid replays of state/nonce from the browser's cache; see #321
- avoid crash when a relative logout URL parameter is passed in; thanks Vivien Delenne
- interpret `X-Forwarded-Host` when doing XSRF protection on the after-logout URL; see #341; thanks @PePe79
- fix bug where endpoint authentication method `private_key_jwt` would not co-exist with `none`
Features
- add support for passing an access token in a HTTP Basic authentication password; thanks @puiterwijk
- add explicit endpoint authentication method `bearer_access_token`
- send session management Javascript logging to debug; thanks @kerrermanisNL
Other
- correct documentation on `kid` usage for `OIDCOAuthVerifyCertFiles`; closes #318
- fix compiler warnings for OpenSSL 1.1.x
Packaging
- the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
- Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
release 2.3.3
Features
- add support for passing claims resolved from the UserInfo endpoint as a JSON object or (when available) as a JWT with `OIDCPassUserInfoAs`; closes #311
- add support for authentication to the introspection endpoint with a bearer token using `OIDCOAuthIntrospectionClientAuthBearerToken`; thanks @cristichiru (works in OAuth 2.0 mode only, does not mix with OIDC setups because of a bug in 2.3.3)
Bugfixes
- avoid crash when no scheme is set on `OIDCProviderMetadataURL`; closes #303; thanks @iconoeugen
- avoid crash when no `OIDCOAuthClientID` is set for remote access token validation
- don't enforce `iat` checks on locally validated JWT access tokens (e.g. as issued by Keycloak)
Other
- the Github repository is transferred to ZmartZone IAM
- a number of compiler/static/runtime code analysis issues were addressed
Packaging
- the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
- Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
release 2.3.2
Bugfixes
- fix "graceful" restart for shm/redis cache backends; see #296
- fix public client configurations; also add support for endpoint authentication method `none`
- fix issue with the combination of shared memory (`shm`) cache and using encryption (`OIDCCacheEncrypt On`) where the cache value would be corrupted after the first (successful) retrieval
Features
- optionally remove request object parameters from the authorization request URL with `copy_and_remove_from_request`; see #294
- add regex substitution for `*RemoteUserClaim`; thanks @hihellobolke
- add issuer specific redirect URI option (`issuer_specific_redirect_uri`) for multi-provider setups to mitigate IDP mixup; see #291
- update experimental token binding support to https://tools.ietf.org/html/draft-ietf-tokbind-ttrp-01 and use header names prefixed with `Sec-`; now depends on mod_token_binding >= 0.3.4
Other
- don't abort when mutex operations fail and print out textual descriptions of errors returned by mutex operations
- support paths that are relative to the Apache root dir for: `OIDCHTMLErrorTemplate`, `OIDCPublicKeyFiles`, `OIDCPrivateKeyFiles`, `OIDCOAuthVerifyCertFiles`, `OIDCClientTokenEndpointCert`, `OIDCClientTokenEndpointKey`, `OIDCOAuthIntrospectionEndpointCert` and `OIDCOAuthIntrospectionEndpointKey`
- properly support JSON boolean values in metadata `.conf` files
- add FreeBSD instructions to documentation; see #298
Packaging
- the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Downloads" section
- Ubuntu Wily packages can also be used on Ubuntu Xenial, Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
release 2.3.1
Bugfixes
- handle multiple values in `X-Forwarded-*` headers to better support multiple chained reverse proxies in front of mod_auth_openidc
- fix bug where `token_endpoint_auth` set to `private_key_jwt` would fail to provide the credential if `client_secret` wasn't set
- remove `A128GCM` and `A192GCM` from the supported algorithms in the config file (and docs)
Features
- assume the default port when `X-Forwarded-Proto` has been set; closes #282 and may address #278
- support sending the authentication request via HTTP POST through HTML/Javascript autosubmit with `OIDCProviderAuthRequestMethod`
- support `private_key_jwt` and `client_secret_jwt` as client authentication methods for OAuth 2.0 bearer token introspection
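An added example, not the module's own code, of the `X-Forwarded-*` handling these 2.3.1 bullets and the 2.3.9 "ignore/trim spaces" fix describe: rebuilding the externally visible URL (the one a redirect URI must match) from `X-Forwarded-Proto`/`-Host`/`-Port` when chained reverse proxies produce comma-separated values with stray spaces, assuming the default port once the proto header is set, and falling back to the local vhost values instead of failing on a malformed header. It assumes the first element is the one set by the outermost proxy; function names and inputs are constructed.

```python
DEFAULT_PORTS = {"http": 80, "https": 443}

def first_forwarded_value(value):
    """First comma-separated element with surrounding spaces trimmed; None if absent/empty.
    Assumption: each proxy in the chain appends its value, so the first one is the outermost."""
    if value is None:
        return None
    first = value.split(",", 1)[0].strip()
    return first or None

def split_host_port(host):
    """'host:port' -> (host, port); bracketed IPv6 literals without a port are left intact."""
    if host.endswith("]"):
        return host, None
    name, sep, port = host.rpartition(":")
    if sep and name and port.isdigit():
        return name, int(port)
    return host, None

def external_url(headers, local_scheme, local_host, local_port, path):
    """Reconstruct scheme://host[:port]path as seen by the browser (constructed helper).
    `headers` is a dict of request headers; local_* are the vhost's own values."""
    h = {k.lower(): v for k, v in headers.items()}
    proto = first_forwarded_value(h.get("x-forwarded-proto"))
    # a proto we do not recognise is treated as unset rather than trusted or fatal
    proto_forwarded = proto is not None and proto.lower() in DEFAULT_PORTS
    scheme = proto.lower() if proto_forwarded else local_scheme
    host = first_forwarded_value(h.get("x-forwarded-host")) or local_host
    host, host_port = split_host_port(host)
    port_hdr = first_forwarded_value(h.get("x-forwarded-port"))
    if port_hdr is not None and port_hdr.isdigit():
        port = int(port_hdr)            # explicit X-Forwarded-Port wins
    elif host_port is not None:
        port = host_port                # port embedded in X-Forwarded-Host
    elif proto_forwarded:
        port = DEFAULT_PORTS[scheme]    # proto set by the proxy: assume its default port
    else:
        port = local_port               # nothing forwarded: use the vhost's own port
    authority = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return f"{scheme}://{authority}{path}"

if __name__ == "__main__":
    # constructed headers as two chained proxies might emit them
    hdrs = {"X-Forwarded-Proto": " https , http", "X-Forwarded-Host": " app.example.com , edge.internal "}
    print(external_url(hdrs, "http", "localhost", 8080, "/callback"))
```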
Other
- log request headers when used and set
- print out support for `libjq` expressions at startup
- update (experimental) token binding support to https://tools.ietf.org/html/draft-campbell-tokbind-ttrp-00 and depend on `mod_token_binding >= 0.3.0`
- refactored quite a bit of code to support compiler `#define`-d strings
Packaging Notes
- the `libcjose 0.5.1` dependency (with a security fix and renaming) was packaged with release 2.3.0
- Ubuntu Wily packages can also be used on Xenial and Yakkety
release 2.3.0
Features
- support relative `OIDCRedirectURI`'s; closes #200; thanks @moschlar
- add support for custom actions to take after authorization fails with `OIDCUnAutzAction`; see #263; this enables step-up authentication scenarios when combined with the following:
- add `OIDCPathAuthRequestParams` that is configurable on a per-path basis and use `OIDCAuthRequestParams` for the static per-provider value
- add `OIDCPathScope` that is configurable on a per-path basis and concatenated with `OIDCScope` as static per-provider value
- support 3rd-party-init-SSO with additional authentication request params when a single static provider has been configured; see #233
- add support for an empty `OIDCClaimPrefix`; can be used with `OIDCWhiteListedClaims` to protect selected headers; see #264
- support sending Authorization Request as "request" object in addition to "request_uri"; thanks @suttod
- support nested claim matching in `Require` directives; thanks @suttod
- support explicitly setting the `kid` of the private key in `OIDCPrivateKeyFiles`; thanks @suttod
- allow for a higher session inactivity timeout maximum value
- support JWT verification against multiple keys with no provided `kid` by looping over the provided keys (only works with cjose >= 0.5.0)
- allow for postfixing `OIDCRemoteUser` with the issuer value after applying a regex
Bugfixes
- fix wrong return value for cache_file_set in the file cache backend (`OIDCCacheType file`); thanks Ernani Joppert Pontes Martins
- fix cache fallback so it happens (when enabled) only after failure
- fix potential crash on prefork process exit when used with Redis cache backend
- don't assume that having `OIDCCryptoPassphrase` set means we should validate the config for `AuthType openid-connect` since it can now also be used to encrypt (`auth20`) cache entries
- avoid decoding a JSON object and logging an error when the input is NULL, e.g. when claims have not been resolved because the userinfo endpoint is not set
- make `OIDCStripCookies` work on `AuthType oauth20` paths; closes #273; thanks Michele Danieli
- avoid crash when the `X-Forwarded-Proto` header is not correctly set by a reverse proxy in front of mod_auth_openidc
- fix parse function of `OIDCRequestObject` configuration option; thanks @suttod
- avoid cleaning our own state cookie twice when it is expired
- fix caching of provider configuration metadata URLs and JWKs URIs when using `OIDCCacheType file`
Other
- improve error message in `oidc_util_http_send` when `ap_pass_brigade` fails and mention possible interference with mod_deflate
- change warn log about missing token binding ID to debug log
- improve documentation for `OIDCCryptoPassphrase`; closes #268
- enable JQ-based claims expression matching when compiled from source; see #178
- normalize cache backend logging
Packaging Notes
- libcjose version 0.5.1 with a security fix was released and packaged here; the module is backwards compatible with 0.4.1 though (see also the cjose package renaming notes with 2.2.0)
- Centos 6 RPMs depend on `libhiredis-0.12`, e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/