Releases: OpenIDC/mod_auth_openidc

release 2.3.1

19 Jul 18:34

Bugfixes

  • handle multiple values in X-Forwarded-* headers so as to better support multiple chained reverse proxies in front of mod_auth_openidc
  • fix bug where token_endpoint_auth set to private_key_jwt would fail to provide the credential if client_secret wasn't set
  • remove A128GCM and A192GCM from the supported algorithms in the config file (and docs)

Features

  • assume the default port when X-Forwarded-Proto has been set; closes #282 and may address #278
  • support sending the authentication request via HTTP POST through HTML/JavaScript auto-submit with OIDCProviderAuthRequestMethod
  • support private_key_jwt and client_secret_jwt as client authentication methods for OAuth 2.0 bearer token introspection

Other

  • log request headers when used and set
  • print out libjq expression support status at startup
  • update (experimental) token binding support to https://tools.ietf.org/html/draft-campbell-tokbind-ttrp-00 and depend on mod_token_binding >= 0.3.0
  • refactored quite a bit of code to support compiler #define-d strings

Packaging Notes

  • the libcjose 0.5.1 dependency (with a security fix and renaming) was packaged with release 2.3.0
  • Ubuntu Wily packages can also be used on Xenial and Yakkety

release 2.3.0

13 Jun 07:24

Features

  • support relative OIDCRedirectURIs; closes #200; thanks @moschlar
  • add support for custom actions to take after authorization fails with OIDCUnAutzAction; see #263
    this enables step-up authentication scenarios when combined with the following:
    • add OIDCPathAuthRequestParams that is configurable on a per-path basis and use OIDCAuthRequestParams for the static per-provider value
    • add OIDCPathScope that is configurable on a per-path basis and concatenated with OIDCScope as static per-provider value
  • support 3rd-party-init-SSO with additional authentication request params when a single static provider has been configured; see #233
  • add support for an empty OIDCClaimPrefix; can be used with OIDCWhiteListedClaims to protect selected headers; see #264
  • support sending Authorization Request as "request" object in addition to "request_uri"; thanks @suttod
  • support nested claim matching in Require directives; thanks @suttod
  • support explicitly setting the kid of the private key in OIDCPrivateKeyFiles; thanks @suttod
  • allow for a higher session inactivity timeout maximum value
  • support JWT verification against multiple keys with no provided kid by looping over the provided keys (only works with cjose >= 0.5.0)
  • allow for postfixing OIDCRemoteUser with the issuer value after applying a regex

Bugfixes

  • fix wrong return value for cache_file_set in the file cache backend (OIDCCacheType file); thanks Ernani Joppert Pontes Martins
  • fix cache fallback so it happens (when enabled) only after failure
  • fix potential crash on prefork process exit when used with Redis cache backend
  • don't assume that having OIDCCryptoPassphrase set means we should validate the config for AuthType openid-connect, since it can now also be used to encrypt (oauth20) cache entries
  • avoid decoding a JSON object and logging an error when the input is NULL, e.g. when claims have not been resolved because the userinfo endpoint is not set
  • make OIDCStripCookies work on AuthType oauth20 paths; closes #273; thanks Michele Danieli
  • avoid crash when the X-Forwarded-Proto header is not correctly set by a reverse proxy in front of mod_auth_openidc
  • fix parse function of OIDCRequestObject configuration option; thanks @suttod
  • avoid cleaning our own state cookie twice when it is expired
  • fix caching of provider configuration metadata URLs and JWKs URIs when using OIDCCacheType file

Other

  • improve error message in oidc_util_http_send when ap_pass_brigade fails and mention possible interference with mod_deflate
  • change warn log about missing token binding ID to debug log
  • improve documentation for OIDCCryptoPassphrase; closes #268
  • enable JQ-based claims expression matching when compiled from source; see #178
  • normalize cache backend logging

Packaging Notes

  • libcjose version 0.5.1 with a security fix was released and packaged here; the module is backwards compatible with 0.4.1 though (see also the cjose package renaming notes with 2.2.0)
  • Centos 6 RPMs depend on libhiredis-0.12 e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/

release 2.2.0

30 Mar 16:19

Features

  • improved support for Single Page Applications, see here and here
    • add session info hook that is configurable through OIDCInfoHook
    • add AuthType auth-openidc option that allows both oauth20 and openid-connect behaviours on the same path
  • add encryption for all cache entries instead of just session data through OIDCCacheEncrypt
  • add cookie SameSite flag/policy through OIDCCookieSameSite
  • return HTTP 200 on OPTIONS requests to (unauthenticated) oauth20 paths
  • add fallback to a by-value session cookie if the primary session cache fails with OIDCSessionCacheFallbackToCookie
  • add support for black- and/or white-listing claims with OIDCBlackListedClaims and OIDCWhiteListedClaims

Bugfixes

  • fix clearing chunked session cookies on logout; closes #246; thanks @Jharmuth
  • fix removing session state from cache on logout

Packaging Notes

  • the name of the cjose dependency changed for Debian and Ubuntu releases to be in line with the name in the official distributions: libcjose0; so an update to 2.2.0 via the provided packages requires re-installing the renamed libcjose0 package; you can use the binaries attached to this release or use the one in the Debian/Ubuntu distributions as long as you have version >= 0.4.1; that also holds for CentOS/Fedora
  • the name of Debian and Ubuntu packages is more explicit now about the distribution that it is intended for; Ubuntu Wily packages can also be used on Xenial and Yakkety
  • Centos 6 RPMs depend on libhiredis-0.12 now e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/

release 2.1.6

20 Feb 16:49

This is a security release:

Those using AuthType oauth20 together with applications that interpret headers set by mod_auth_openidc on paths that disclose sensitive information are affected and should upgrade.

Security

  • scrub headers for AuthType oauth20

When accessing paths protected with AuthType oauth20, no headers were scrubbed before mod_auth_openidc set its own headers, so malicious software or users could supply OIDC_CLAIM_* and OIDCAuthNHeader headers that applications would interpret as set by mod_auth_openidc; such a spoofed header was only overwritten if mod_auth_openidc itself set that same header.

Bugfixes

  • handle OIDCUnAuthAction after max session duration is exceeded; see #220; thanks @phybros
  • fix parse OIDCOAuthTokenExpiryClaim; closes #225; thanks Alessandro Papacci
  • correctly parse kid in OIDCPublicKeyFiles and OIDCOAuthVerifyCertFiles; thanks Alessandro Papacci

Other

  • improve logging regarding session management availability; closes #223
  • handle only X-Requested-With: XMLHttpRequest as non-browser request; closes #228; thanks @mguillem
  • improve error message on state timeout; closes #226; thanks @security4java
  • a call to the refresh hook now also resets the session inactivity timeout

release 1.8.10.3

20 Feb 16:42

This is a security maintenance/backport release for Debian/Ubuntu/CentOS distributions that carry 1.8.10.1; in general one should use >= 2.1.6 from the releases page going forward:

Those using AuthType oauth20 together with applications that interpret headers set by mod_auth_openidc on paths that disclose sensitive information are affected and should upgrade.

Security

  • scrub headers for AuthType oauth20

When accessing paths protected with AuthType oauth20, no headers were scrubbed before mod_auth_openidc set its own headers, so malicious software or users could supply OIDC_CLAIM_* and OIDCAuthNHeader headers that applications would interpret as set by mod_auth_openidc; such a spoofed header was only overwritten if mod_auth_openidc itself set that same header.

release 1.8.10.2

03 Feb 16:59

This is a security maintenance/backport release for Debian/Ubuntu/CentOS distributions that carry 1.8.10.1; in general one should use >= 2.1.5 from the releases page going forward:

Those using AuthType openid-connect together with OIDCUnAuthAction pass on paths that disclose sensitive information based on the authenticated user are affected and should upgrade.

Security

  • scrub headers on OIDCUnAuthAction pass; see #222

When accessing paths protected with OIDCUnAuthAction pass, no headers were scrubbed when a user was not authenticated, so malicious software or users could supply OIDC_CLAIM_* and OIDCAuthNHeader headers that applications would interpret as set by mod_auth_openidc even though the user had no authenticated session.

Bugfixes

  • use AUTHZ_DENIED instead of HTTP_UNAUTHORIZED in oidc_authz_checker; see #135

release 2.1.5

30 Jan 19:51

This is a security release:

Those using AuthType openid-connect together with OIDCUnAuthAction pass on paths that disclose sensitive information based on the authenticated user are affected and should upgrade.

Security

  • scrub headers on OIDCUnAuthAction pass; closes #222; thanks @wouterhund

When accessing paths protected with OIDCUnAuthAction pass, no headers were scrubbed when a user was not authenticated, so malicious software or users could supply OIDC_CLAIM_* and OIDCAuthNHeader headers that applications would interpret as set by mod_auth_openidc even though the user had no authenticated session.
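
The header-scrubbing fix described here (2.1.5, OIDCUnAuthAction pass) and in 2.1.6 (AuthType oauth20) can be modelled in a few lines. The following is an added illustration, not mod_auth_openidc's own code: it assumes the default OIDCClaimPrefix `OIDC_CLAIM_`, an OIDCAuthNHeader value of `X-Remote-User`, and a constructed request whose client supplied claim and authn headers of its own; it shows what the backend application receives before and after the scrub.

```python
CLAIM_PREFIX = "OIDC_CLAIM_"    # default OIDCClaimPrefix
AUTHN_HEADER = "X-Remote-User"  # assumed OIDCAuthNHeader value


def scrub_headers(headers, claim_prefix=CLAIM_PREFIX, authn_header=AUTHN_HEADER):
    """Drop every inbound header that the module itself may set later.

    Header names are case-insensitive in HTTP, so compare lower-cased names;
    a case-sensitive check would let "oidc_claim_groups" through.
    """
    prefix, authn = claim_prefix.lower(), authn_header.lower()
    return {n: v for n, v in headers.items()
            if not n.lower().startswith(prefix) and n.lower() != authn}


def apply_session(headers, session, claim_prefix=CLAIM_PREFIX, authn_header=AUTHN_HEADER):
    """Set the module's own headers; session is None when the request is let
    through unauthenticated (OIDCUnAuthAction pass, or oauth20 without a valid
    token).  A plain dict stands in for Apache's header table."""
    out = dict(headers)
    if session is None:
        return out
    out[authn_header] = session["sub"]
    for claim, value in session["claims"].items():
        out[claim_prefix + claim] = value
    return out


def headers_seen_by_app(request_headers, session, scrub):
    """Headers reaching the backend; scrub=False is the pre-2.1.5/2.1.6 behaviour."""
    headers = scrub_headers(request_headers) if scrub else dict(request_headers)
    return apply_session(headers, session)


# Constructed request: the client supplies claim and authn headers of its own.
SPOOFED = {
    "Host": "app.example",
    "X-Remote-User": "admin",
    "OIDC_CLAIM_email": "admin@example",
    "oidc_claim_groups": "admins",
}


def demo():
    """Unauthenticated pass-through, before and after the fix."""
    return (headers_seen_by_app(SPOOFED, None, scrub=False),
            headers_seen_by_app(SPOOFED, None, scrub=True))
```

With an authenticated session the module overwrites only the headers it sets itself, so a spoofed claim the token does not carry (here `oidc_claim_groups`) still reaches the application unless the scrub runs first.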

Bugfixes

  • fix error message about passing id_token with session type client-cookie; see: #220; thanks @phybros

release 2.1.4

25 Jan 21:59

This is a minor release with relatively few features and bugfixes. Accompanying libcjose packages can be found in the 2.1.3 release. Ubuntu Wily packages can also be used on Xenial and Yakkety. Centos 6 RPMs depend on libhiredis-0.12 now e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/

Bugfixes

  • don't crash when data is POSTed to the redirect URL with just one POST parameter that is not response_mode
  • use dynamic memory buffer for writing HTTP call responses which happens to solve (at least) libcurl/mpm-event interference on Debian Stretch; see #207
  • remove trailing linebreaks from input in test-cmd tool

Security

  • don't echo the query parameters on the error page when an invalid request is made to the Redirect URI; closes #212; thanks @LukasReschke

release 2.1.3

13 Dec 17:40

Ubuntu Wily packages can also be used on Xenial and Yakkety. Centos 6 RPMs depend on libhiredis-0.12 now e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/

Changes

  • don't roll over session IDs anymore and keep the same session cookie name across session updates; closes #204 (also don't remove sessions from the cache before storing anymore)

release 2.1.2

19 Nov 12:46

Binary packages for the libcjose 0.4.1 dependency can be found in the 2.1.0 release section.

Ubuntu Wily packages can also be used on Xenial and Yakkety

Bugfixes

  • fix crash when searching for keys with a kid where there is no initial match and x5t values exist for the non-matching keys; closes #196; thanks @anthnd; this would affect Microsoft/Azure accounts