Releases: OpenIDC/mod_auth_openidc

release 2.3.9

15 Nov 09:37

Bugfixes

  • ignore/trim spaces in X-Forwarded-* headers
  • fix OAuth 2.0 RS config check when just OIDCOAuthServerMetadataURL is set; thanks @psteniusubi
  • fix parsing of cookie name in OIDCOAuthAcceptTokenAs when the cookie option is not listed last

Features

Other

  • add test-cmd command to generate hashed base64urlencoded inputs (i.e. for cnf/tbh claims)

Packaging

  • the libcjose >= 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise

release 2.3.8

12 Sep 11:47

Bugfixes

  • fix return result FALSE when JWT payload parsing fails; see #389; thanks @amdonov
  • fix reading access_token form POST parameters when combined with AuthType auth-openidc; see #376; thanks Nicolas Salerno
  • fix using access token as endpoint auth method in introspection calls; closes #377; thanks @skauffmann

Features

  • add option to set an upper limit to the number of concurrent state cookies via OIDCStateMaxNumberOfCookies; see #331
  • make the default maximum number of parallel state cookies 7 instead of unlimited; see #331
  • improve auto-detection of XMLHttpRequests via Accept header; see #331
  • allow usage with LibreSSL; closes #380; thanks @hihellobolke

Other

  • initialize test_proto_authorization_request properly; see #382; thanks @jdennis
  • add sanity check on provider->auth_request_method; closes #382; thanks @jdennis
  • add LGTM code quality badges, see #385; thanks @xcorail

Packaging

  • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise

release 2.3.7

06 Jul 06:34

You are strongly advised to upgrade to 2.3.7 when using Redis caching across multiple vhosts in the same Apache server.

Bugfixes

  • fix Redis concurrency issue when used with multiple vhosts which would lead to cache corruption and random cache entry swaps
  • clear session cookie and contents if cache corruption is detected to avoid looping
  • abort when string length for remote user name substitution is >=255 characters (e.g. in Distinguished Names) and deal with lengths >50

Features

  • add support for authorization server metadata Discovery documents with OIDCOAuthServerMetadataURL in OAuth 2.0 Resource Server setups as specified in RFC 8414

Packaging

  • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise

release 2.3.6

15 Jun 13:29

Bugfixes

  • avoid using pipelining for Redis since it produces unreliable results with some Redis implementations (i.e. AWS ElastiCache Redis in clustered mode)
  • fix buffer overflow in shm cache key set strcpy; thanks @kyprizel
  • avoid memory leak in redis cache backend when an error occurs authenticating to a Redis server

Other

  • add check to detect session cache corruption for server-based caches
  • add check to detect (static) metadata cache corruption
  • explicitly set kid in encrypted request object; ensures compatibility with cjose >= 0.6.0
  • turn missing session_state from warning into a debug statement; do not clutter logs
  • send Basic header in OAuth 2.0 www-authenticate response if Basic auth is the only accepted method (instead of Bearer); thanks @puiterwijk

Packaging

  • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise

release 2.3.5

18 May 18:14

Bugfixes

  • avoid values that are too long in shm cache key construction; thanks @kyprizel
  • fix encoding of preserved POST data; see #338; thanks @timpuri

Other

Packaging

  • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise

release 2.3.4

27 Apr 12:22

Bugfixes

  • add Cache-Control no-cache response header to authorization requests to avoid replays of state/nonce from the browser's cache; see #321
  • avoid crash when a relative logout URL parameter is passed in; thanks Vivien Delenne
  • interpret X-Forwarded-Host when doing XSRF protection on the after-logout URL; see #341; thanks @PePe79
  • fix bug where endpoint authentication method private_key_jwt would not co-exist with none

Features

  • add support for passing an access token in an HTTP Basic authentication password; thanks @puiterwijk
  • add explicit endpoint authentication method bearer_access_token
  • send session management JavaScript logging to debug; thanks @kerrermanisNL

Other

  • correct documentation on kid usage for OIDCOAuthVerifyCertFiles; closes #318
  • fix compiler warnings for OpenSSL 1.1.x

Packaging

  • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise

release 2.3.3

16 Nov 14:58

Features

  • add support for passing claims resolved from the UserInfo endpoint as a JSON object or (when available) as a JWT with OIDCPassUserInfoAs; closes #311
  • add support for authentication to the introspection endpoint with a bearer token using OIDCOAuthIntrospectionClientAuthBearerToken; thanks @cristichiru (works in OAuth 2.0 mode only, does not mix with OIDC setups because of a bug in 2.3.3)

Bugfixes

  • avoid crash when no scheme is set on OIDCProviderMetadataURL; closes #303; thanks @iconoeugen
  • avoid crash when no OIDCOAuthClientID is set for remote access token validation
  • don't enforce iat checks on locally validated JWT access tokens (e.g. as issued by Keycloak)

Other

  • the GitHub repository is transferred to ZmartZone IAM
  • a number of compiler/static/runtime code analysis issues were addressed

Packaging

  • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise

release 2.3.2

18 Sep 16:12

Bugfixes

  • fix "graceful" restart for shm/redis cache backends; see #296
  • fix public client configurations; also add support for endpoint authentication method none
  • fix issue with the combination of shared memory (shm) cache and using encryption (OIDCCacheEncrypt On) where the cache value would be corrupted after the first (successful) retrieval

Features

  • optionally remove request object parameters from the authorization request URL with copy_and_remove_from_request; see #294
  • add regex substitution for *RemoteUserClaim; thanks @hihellobolke
  • add issuer specific redirect URI option (issuer_specific_redirect_uri) for multi-provider setups to mitigate IDP mixup; see #291
  • update experimental token binding support to https://tools.ietf.org/html/draft-ietf-tokbind-ttrp-01 and use header names prefixed with Sec-; depends on mod_token_binding >= 0.3.4 now

Other

  • don't abort when mutex operations fail and print out textual descriptions of errors returned by mutex operations
  • support paths that are relative to the Apache root dir for: OIDCHTMLErrorTemplate, OIDCPublicKeyFiles, OIDCPrivateKeyFiles, OIDCOAuthVerifyCertFiles, OIDCClientTokenEndpointCert, OIDCClientTokenEndpointKey, OIDCOAuthIntrospectionEndpointCert and OIDCOAuthIntrospectionEndpointKey
  • properly support JSON boolean values in metadata .conf files
  • add FreeBSD instructions to documentation; see #298

Packaging

  • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Downloads" section
  • Ubuntu Wily packages can also be used on Ubuntu Xenial, Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise

release 2.3.1

19 Jul 18:34

Bugfixes

  • handle multiple values in X-Forwarded-* headers to better support multiple chained reverse proxies in front of mod_auth_openidc
  • fix bug where token_endpoint_auth set to private_key_jwt would fail to provide the credential if client_secret wasn't set
  • remove A128GCM and A192GCM from the supported algorithms in the config file (and docs)

Features

  • assume the default port when X-Forwarded-Proto has been set; closes #282 and may address #278
  • support sending the authentication request via HTTP POST through HTML/JavaScript autosubmit with OIDCProviderAuthRequestMethod
  • support private_key_jwt and client_secret_jwt as client authentication methods for OAuth 2.0 bearer token introspection

Other

  • log request headers when used and set
  • print out support for libjq expressions at startup
  • update (experimental) token binding support to https://tools.ietf.org/html/draft-campbell-tokbind-ttrp-00 and depend on mod_token_binding >= 0.3.0
  • refactored quite a bit of code to support compiler #define-d strings

Packaging Notes

  • the libcjose 0.5.1 dependency (with a security fix and renaming) was packaged with release 2.3.0
  • Ubuntu Wily packages can also be used on Xenial and Yakkety

release 2.3.0

13 Jun 07:24

Features

  • support relative OIDCRedirectURI values; closes #200; thanks @moschlar
  • add support for custom actions to take after authorization fails with OIDCUnAutzAction; see #263
    this enables step-up authentication scenarios when combined with the following:
    • add OIDCPathAuthRequestParams that is configurable on a per-path basis and use OIDCAuthRequestParams for the static per-provider value
    • add OIDCPathScope that is configurable on a per-path basis and concatenated with OIDCScope as static per-provider value
  • support 3rd-party-init-SSO with additional authentication request params when a single static provider has been configured; see #233
  • add support for an empty OIDCClaimPrefix; can be used with OIDCWhiteListedClaims to protect selected headers; see #264
  • support sending Authorization Request as "request" object in addition to "request_uri"; thanks @suttod
  • support nested claim matching in Require directives; thanks @suttod
  • support explicitly setting the kid of the private key in OIDCPrivateKeyFiles; thanks @suttod
  • allow for a higher session inactivity timeout maximum value
  • support JWT verification against multiple keys with no provided kid by looping over the provided keys (only works with cjose >= 0.5.0)
  • allow for postfixing OIDCRemoteUser with the issuer value after applying a regex

Bugfixes

  • fix wrong return value for cache_file_set in the file cache backend (OIDCCacheType file); thanks Ernani Joppert Pontes Martins
  • fix cache fallback so it happens (when enabled) only after failure
  • fix potential crash on prefork process exit when used with Redis cache backend
  • don't assume that having OIDCCryptoPassphrase set means we should validate the config for
    AuthType openid-connect since it can now also be used to encrypt (auth20) cache entries
  • avoid decoding a JSON object and logging an error when the input is NULL
    e.g. when claims have not been resolved because userinfo endpoint is not set
  • make OIDCStripCookies work on AuthType oauth20 paths; closes #273; thanks Michele Danieli
  • avoid crash when the X-Forwarded-Proto header is not correctly set by a reverse proxy in front of mod_auth_openidc
  • fix parse function of OIDCRequestObject configuration option; thanks @suttod
  • avoid cleaning our own state cookie twice when it is expired
  • fix caching of provider configuration metadata URLs and JWKs URIs when using OIDCCacheType file

Other

  • improve error message in oidc_util_http_send when ap_pass_brigade fails and mention possible interference with mod_deflate
  • change warn log about missing token binding ID to debug log
  • improve documentation for OIDCCryptoPassphrase; closes #268
  • enable JQ-based claims expression matching when compiled from source; see #178
  • normalize cache backend logging

Packaging Notes

  • libcjose version 0.5.1 with a security fix was released and packaged here; the module is backwards compatible with 0.4.1 though (see also the cjose package renaming notes with 2.2.0)
  • CentOS 6 RPMs depend on libhiredis-0.12 e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/