Releases: OpenIDC/mod_auth_openidc
release 2.0.0
Release 2.x is mainly focused on security improvements and refactoring; its configuration is backwards compatible with 1.x. The module now depends on the external library cjose for all crypto-related operations. Packages for cjose version 0.4.1 for all platforms are included in the Downloads section for this release.
Security
- use signed and encrypted JWTs for state cookies and session data in the cookie/memcache/redis/file backends; this means that e.g. a shared memcache cluster can be used without session data being readable or writeable by third parties
- limit the maximum POST data size to 1 MB
Bugfixes
- use `AUTHZ_DENIED` in the Apache v2.4 `oidc_authz_checker`; closes #151; thanks @gwollman
- use stricter input parsing and validation functions on both single-provider static configurations and multi-provider metadata configurations
- fix front-channel img-style logout with newer versions of PingFederate
- fix directory config merging so values can be set back to their default values in sub directories; closes #170; thanks @carldini
- don't add our own cookies to the incoming headers
Features
- add support for chunked session cookies; closes #153; thanks @glatzert: client-side-only session state (`OIDCSessionType client-cookie`) can now be used without the risk of running into browser cookie size limits, which is otherwise easy to do
- support TLS client authentication to the token and introspection endpoints with `OIDCClientTokenEndpointCert`/`OIDCClientTokenEndpointKey` and `OIDCOAuthIntrospectionEndpointCert`/`OIDCOAuthIntrospectionEndpointKey`
- support preserving POST data across authorization and discovery requests with `OIDCPreservePost`; this allows posted form data to survive the re-authentication roundtrips triggered by session timeouts
- allow passing the refresh token to the application with `OIDCPassRefreshToken`; thanks Amit Joshi
- allow setting the token endpoint authentication method for Dynamic Client Registration in multi-provider setups in the `.conf` file with `token_endpoint_auth`
- allow stripping cookies before they are passed on to the application/backend with `OIDCStripCookies`
Dependencies
- starting with version 2.0 this module depends on the external library cjose (https://github.com/cisco/cjose) for all JOSE related operations, e.g. `id_token`/JWT verification and signing
- support OpenSSL 1.1.x as well as older versions
release 1.8.10.1
This is a security update that fixes broken JWT signature verification for tokens signed with Elliptic Curve keys.
Security
- fix Elliptic Curve signature verification on garbage input
Advisory
Everyone who communicates with a provider that uses Elliptic Curve keys to sign JWTs should upgrade to 1.8.10.1. Such a provider could be:
- an OpenID Connect Provider using Elliptic Curve cryptography to sign ID tokens (especially in the front channel), or
- an OAuth 2.0 Authorization Server that produces JWT-based access tokens signed with Elliptic Curve keys.
The default signing algorithm in OpenID Connect is RS256, and JWT-based OAuth 2.0 access tokens typically use the same default, so parties using these defaults (or other RSA-based variants) are not affected.
Even when ID tokens are signed with Elliptic Curve keys, if they are delivered over the back channel (e.g. with the default Authorization Code flow) the TLS server certificate verification on the connection to the token endpoint prevents abuse: OpenID Connect makes signature verification of an ID token obtained directly from the token endpoint over TLS optional in that case.
In summary, directly affected are:
- OpenID Connect RPs using a front-channel flow (`id_token`, `code id_token`, `token id_token`) to receive an ID token that was signed with an Elliptic Curve key; they should upgrade or change to a backchannel flow
- OAuth 2.0 Resource Servers using a JWT-based access token signed with an Elliptic Curve key; they should upgrade or change to a reference-style access token
Note that the last case can only happen when an RS uses the `OIDCOAuthVerifyJwksUri` capability of mod_auth_openidc, since configuring Elliptic Curve keys statically is not possible today.
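The advisory does not say which malformed inputs broke verification, so the following is an added teaching example and not the module's code (which delegates the crypto to OpenSSL, and from 2.0 to cjose): a minimal ES256 JWS verifier in Python over a from-scratch P-256 implementation that fails closed. The structural checks run before any curve arithmetic: three segments, decodable base64url, `alg` exactly `ES256`, a signature of exactly 64 bytes, and r and s both in [1, n-1]; anything else returns False rather than raising or, worse, accepting. The signer exists only to produce inputs for the verifier, the curve constants are the public FIPS 186-4 P-256 parameters, and all function names are the example's own.

```python
import base64
import hashlib
import json
import secrets

# NIST P-256 domain parameters (public constants from FIPS 186-4 D.1.2.3).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = -3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
COORD_LEN = 32  # bytes per coordinate: a JWS ES256 signature is r || s, exactly 64 bytes
assert (G[1] ** 2 - (G[0] ** 3 + A * G[0] + B)) % P == 0  # base point lies on the curve


def _add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)
    lam %= P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, point):
    """Double-and-add scalar multiplication (teaching code: not constant-time)."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_keypair():
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)


def sign_es256(d, payload):
    """Create a compact JWS; used here only to produce inputs for the verifier."""
    signing_input = b64url(b'{"alg":"ES256","typ":"JWT"}') + "." + b64url(json.dumps(payload).encode())
    z = int.from_bytes(hashlib.sha256(signing_input.encode()).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            break
    return signing_input + "." + b64url(r.to_bytes(COORD_LEN, "big") + s.to_bytes(COORD_LEN, "big"))


def verify_es256(jws, pub):
    """Return True only for a well-formed ES256 JWS whose signature verifies under pub.

    Every malformed input (wrong segment count, undecodable base64, alg other
    than ES256, signature not exactly 64 bytes, r or s outside [1, n-1]) yields
    False: the verifier fails closed instead of raising or falling through.
    """
    try:
        parts = jws.split(".")
        if len(parts) != 3:
            return False
        header = json.loads(b64url_decode(parts[0]))
        if not isinstance(header, dict) or header.get("alg") != "ES256":
            return False                      # also refuses "none" and HMAC/EC key confusion
        sig = b64url_decode(parts[2])
        if len(sig) != 2 * COORD_LEN:
            return False                      # empty, truncated or oversized signature
        r = int.from_bytes(sig[:COORD_LEN], "big")
        s = int.from_bytes(sig[COORD_LEN:], "big")
        if not (1 <= r < N and 1 <= s < N):
            return False                      # e.g. all-zero signature or r == n
        z = int.from_bytes(hashlib.sha256((parts[0] + "." + parts[1]).encode()).digest(), "big")
        w = pow(s, -1, N)
        x = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
        return x is not None and x[0] % N == r
    except (ValueError, TypeError, AttributeError):   # bad base64, bad JSON, non-string input
        return False
```

The point of making the structural checks explicit is that a signature whose length or range is wrong should never reach the curve arithmetic, where the behaviour of the underlying library on nonsense becomes implementation-specific; for the front-channel flows listed above, this check is the only thing standing between the RP and a forged ID token.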
release 1.8.10
Features
- add per-path configurable token introspection result cache expiry with `OIDCOAuthTokenIntrospectionInterval`
- add support for JWT based client authentication to the token endpoint (`client_secret_jwt`, `private_key_jwt`)
- allow setting `OIDCRemoteUserClaim` with values obtained from the userinfo endpoint; thanks @steve-dave
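As an added illustration of the `client_secret_jwt` method introduced above (example code, not the module's): the RP builds an HS256 JWT keyed with the UTF-8 bytes of its client secret and sends it as `client_assertion`, so the secret itself never travels to the token endpoint. The token-endpoint side is sketched too, to show what the `aud`, `exp` and `jti` claims buy. The endpoint URL and client credentials are constructed for the example; a real token endpoint would look the secret up by the `iss` claim instead of taking it as a parameter, and OpenID Connect also permits the issuer identifier as `aud`.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def client_secret_jwt(client_id, client_secret, token_endpoint, now=None, ttl=60):
    """Build a client_secret_jwt assertion (OpenID Connect Core 9 / RFC 7523).

    iss and sub are the client_id, aud is the endpoint the assertion is meant
    for, jti is unique and exp is short: the assertion is itself a bearer
    credential, so audience and lifetime bound what a captured copy is worth.
    """
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": b64url(secrets.token_bytes(16)), "iat": now, "exp": now + ttl}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    tag = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)


def token_request(client_id, client_secret, token_endpoint, code, redirect_uri):
    """Form parameters for the code exchange: the assertion replaces client_secret."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": client_secret_jwt(client_id, client_secret, token_endpoint),
    }


def verify_client_assertion(assertion, client_secret, token_endpoint, seen_jtis, now=None):
    """The token endpoint's checks, shown to make the bindings concrete.

    Returns the client_id on success, None otherwise. seen_jtis is a set the
    endpoint keeps to refuse replays of an assertion within its lifetime.
    """
    now = int(time.time() if now is None else now)
    try:
        head_b64, claims_b64, tag_b64 = assertion.split(".")
        header = json.loads(b64url_decode(head_b64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(client_secret.encode(), (head_b64 + "." + claims_b64).encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(tag_b64)):
            return None
        claims = json.loads(b64url_decode(claims_b64))
        if claims["aud"] != token_endpoint:          # minted for some other endpoint
            return None
        if claims["exp"] <= now or claims["iss"] != claims["sub"]:
            return None
        if claims["jti"] in seen_jtis:               # replay within the lifetime
            return None
        seen_jtis.add(claims["jti"])
        return claims["iss"]
    except (ValueError, TypeError, KeyError, AttributeError):
        return None
```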
Bugfixes
- fix `OIDCUnAuthAction pass` mode for Apache 2.4, and the case where `Require claim` primitives are used, for both 2.4 and 2.2; thanks @steve-dave
- don't use the local port setting for current URL determination when `X-Forwarded-Host` has been set
Other
- avoid compilation errors with OpenSSL 1.1.0 and use `EVP_CIPHER_CTX_new`/`EVP_CIPHER_CTX_free`
release 1.8.9
Features
- support the `410` option on `OIDCUnAuthAction`; closes #141
- return a `WWW-Authenticate` header on OAuth 2.0 protected paths to conform better to the spec; closes #124; thanks @spinto
- improve support for public clients; closes #130
Bugfixes
- improve `X-Forwarded-Host` handling over `Host`
- always make claims from the `id_token` available for authorization; closes #129
- null terminate the string in `apr_jwe_decrypt_content_aesgcm()`, #127, thanks @jdennis
- fix unit test on Apache 2.4 and error description
- fix segfault if `OIDCRedirectURI` is empty; fixes #138; thanks @brianwcook
- avoid parsing the previous refresh timestamp if that failed earlier
- fix `get_current_url` (proxy) case where `r->parsed_uri.path` would be null
release 1.8.8
4/25/2016: updated the Windows build to the actual 1.8.8 version
Security
- update the mitigation for the OAuth AS mix-up attack to conform to the updated https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01
  - pass the plain `state` value to the token endpoint instead of a hash
- remove linefeeds from the `OIDCAuthNHeader` value before setting the header; thanks @rfk. This is a security fix to prevent passing crafted header values in a reverse proxy setup, similar to what was done for other headers earlier in release 1.8.0
Features
- support passing an OAuth 2.0 bearer token (or a generic JWT) in alternative ways with `OIDCOAuthAcceptTokenAs`, i.e. as a query parameter, a POST parameter or a (PingAccess) cookie, see #112
- don't redirect away to the OP for authentication when the `X-Requested-With` header is present in an unauthenticated request, to avoid state cookies piling up on Javascript paths; as suggested in #113
Bugfixes
- fix custom HTML error template initialization in (derived) virtual host definitions, see #118
- merge `id_token` and `userinfo` claims in Apache 2.4 and later authorization; see #120
- Elliptic Curve support requires OpenSSL 1.0.1 now (was 1.0.0); this allows for builds on openSUSE, see #116
- include `token_endpoint_auth_method` in Dynamic Client Registration requests, see #117
- fix loose (prefix only) matching of cookie names
Other
- use session cookies instead of persistent cookies for the "state" cookies to work around a Firefox bug and clean them up when expired
- issue a log warning when cookie size limitations are reached
- log exact version of OpenSSL and EC/GCM/Redis support at startup
- issue a warning if the "openid" scope is not included in the authentication request
release 1.8.7
Security
- add mitigation for the OAuth AS mix-up attack described in http://www.scmagazineuk.com/researchers-find-two-flaws-in-oauth-20/article/463919/ according to (the unpublished) `draft-jones-oauth-issuer-00`
  - if present in an authentication response: check `iss` and `client_id` against the ones recorded in the state
  - push a hash of the state parameter to the token endpoint in code flows
- strictly match the issuer in the Discovery document against the requested issuer
Features
- add support for PKCE plain & S256 https://tools.ietf.org/html/rfc7636
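The mix-up mitigation in the 1.8.7 and 1.8.8 security notes and the PKCE support added here are all bookkeeping on the RP side. The following added example (Python, not the module's code; the provider URLs and client identifiers are constructed) shows that bookkeeping end to end: recording issuer, client_id, nonce and an RFC 7636 `code_verifier` under the `state`, checking any `iss`/`client_id` echoed in the authorization response against that record as draft-jones-oauth-mix-up-mitigation describes, consuming the state so it cannot be replayed, and building the token request with the plain `state` (as 1.8.8 does) plus the `code_verifier`. The strict Discovery issuer match from 1.8.7 is included as a separate check.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


class MixUpError(Exception):
    """The authorization response does not belong to the request recorded under its state."""


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def code_challenge_s256(code_verifier):
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def check_discovery_issuer(requested_issuer, discovery_doc):
    """Strict match of the Discovery document's issuer against the one we asked for:
    metadata fetched for one issuer must not be accepted as describing another."""
    if discovery_doc.get("issuer") != requested_issuer:
        raise MixUpError("Discovery document issuer %r != requested %r"
                         % (discovery_doc.get("issuer"), requested_issuer))
    return discovery_doc


def start_authorization(store, issuer, client_id, redirect_uri, authz_endpoint, scope="openid"):
    """Record the transaction under a fresh state and return the URL to redirect the user to.

    The state record is the RP's only memory of which AS the user was sent to;
    binding issuer and client_id to it is what makes a relayed response detectable.
    """
    state = b64url(secrets.token_bytes(16))
    nonce = b64url(secrets.token_bytes(16))
    code_verifier = b64url(secrets.token_bytes(32))   # 43 chars, inside RFC 7636's 43..128 range
    store[state] = {"iss": issuer, "client_id": client_id, "nonce": nonce,
                    "code_verifier": code_verifier, "redirect_uri": redirect_uri}
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state, "nonce": nonce,
              "code_challenge": code_challenge_s256(code_verifier),
              "code_challenge_method": "S256"}
    return authz_endpoint + "?" + urlencode(params)


def handle_authorization_response(store, response_params):
    """Validate the redirect back to the RP and return the token request parameters.

    The record is consumed so a state value cannot be replayed. If the AS echoed
    iss and/or client_id (draft-jones-oauth-mix-up-mitigation), they must equal the
    recorded ones; otherwise a code issued by an attacker's AS could be exchanged
    at the honest one, or the honest code leaked to the attacker's token endpoint.
    """
    state = response_params.get("state")
    record = store.pop(state, None) if state else None
    if record is None:
        raise MixUpError("unknown, expired or already used state")
    if "iss" in response_params and response_params["iss"] != record["iss"]:
        raise MixUpError("iss in response does not match the AS the request was sent to")
    if "client_id" in response_params and response_params["client_id"] != record["client_id"]:
        raise MixUpError("client_id in response is not ours")
    if "code" not in response_params:
        raise MixUpError("no authorization code in response")
    return {"grant_type": "authorization_code",
            "code": response_params["code"],
            "redirect_uri": record["redirect_uri"],
            "client_id": record["client_id"],
            "code_verifier": record["code_verifier"],   # RFC 7636
            "state": state}                             # 1.8.8 behaviour: plain state, not a hash
```

Only the `code` and `state` parameters of the response are mandatory; the `iss`/`client_id` checks are conditional because an AS that does not implement the draft will not send them, which is exactly why PKCE and a one-shot state are kept as the unconditional defences.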
Bugfixes
- fix memory corruption when using custom html template; closes #106
- return 404 on iframes if session-mgmt disabled; debug logs; closes #109
- fix crash using a custom error template when description is NULL
- fix crash when target_link_uri is not a valid URI or parts are empty
Other
release 1.8.6
Features
- add support for applying a custom HTML error template with `OIDCHTMLErrorTemplate`
- add an option to manually assign a key identifier (`kid`) to the `OIDCOAuthVerifySharedKeys`, `OIDCOAuthVerifyCertFiles` and `OIDCPublicKeyFiles` configuration primitives
- allow a leading '.' in the `OIDCCookieDomain` primitive and support older browsers; issue #96
- include and prioritize the `X-Forwarded-Host` header in hostname determination
- allow for a missing `Host` header (HTTP 1.0)
- add an option to make the session cookie persistent; closes #97
Bugfixes
- return `DONE` instead of `HTTP_UNAUTHORIZED` with the Discovery page (prevents double HTML in HTTP 1.0)
- validate the received session cookie against the domain it was issued for: this handles the case where the configured cache is the same single memcache, Redis or file backend for different (virtual) hosts, or a client-side cookie protected with the same secret; it also handles the case where a cookie is unexpectedly shared across multiple hosts in name-based virtual hosting even though the OP(s) would be the same
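An added example (Python, not the module's own session format, which from 2.0 uses signed and encrypted JWTs) of the check the second bugfix describes: a session record protected by an HMAC under a shared secret carries the host it was issued for inside the authenticated payload, and a reader on a different vhost rejects it even though the MAC verifies. The same check applies unchanged to a record fetched from a shared memcache, Redis or file backend. Function names, the secret and the host names are constructed; encrypting the payload (the other half of the 2.0 change) is left out because the standard library has no AES.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(secret, host, session, now=None):
    """Serialize session state for a cookie (or a shared-cache entry) and MAC it.

    The issuing host and the issue time are inside the authenticated payload, so
    a verifier on another vhost that shares the secret (or the cache) can tell
    that the record was not minted for it.
    """
    body = dict(session, host=host, iat=int(time.time() if now is None else now))
    payload = b64url(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    tag = b64url(hmac.new(secret, payload.encode(), hashlib.sha256).digest())
    return payload + "." + tag


def read_session(secret, cookie, host, max_age=3600, now=None):
    """Return the session dict, or None if the cookie is forged, foreign or stale.

    Order matters: authenticate first, only then parse and interpret the payload.
    """
    now = int(time.time() if now is None else now)
    try:
        payload, tag = cookie.split(".")
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(tag)):
            return None
        body = json.loads(b64url_decode(payload))
    except (ValueError, TypeError, AttributeError):
        return None
    if not isinstance(body, dict) or body.get("host") != host:
        return None        # the 1.8.6 check: valid MAC, but issued for a different host
    if not isinstance(body.get("iat"), int) or now - body["iat"] > max_age:
        return None
    return body
```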
Other
- log a warning if the `Set-Cookie` value length is greater than 4093 bytes, to avoid browsers failing without giving any clue as to why
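As an added example of the chunked session cookies described in the 2.0.0 notes above, combined with the 4093-byte check this item logs a warning for (Python, not the module's code): a value that does not fit is split into a count cookie plus numbered chunk cookies that each stay under the limit, and reassembly refuses to return anything when a chunk is missing. The `_chunks`/`_<i>` naming and the 999-chunk cap are this example's own choices; only the default cookie name `mod_auth_openidc_session` used in the test is the module's.

```python
SET_COOKIE_LIMIT = 4093  # bytes of "name=value" that common browsers still accept


def oversized_cookies(pairs, limit=SET_COOKIE_LIMIT):
    """Names of the (name, value) pairs whose Set-Cookie would exceed the limit;
    this is the condition the 1.8.6 warning reports."""
    return [name for name, value in pairs if len(name) + 1 + len(value) > limit]


def split_cookie(name, value, limit=SET_COOKIE_LIMIT):
    """Split an oversized cookie into name_chunks=<n> plus name_0 .. name_<n-1>.

    Values that fit are returned unchanged as a single pair. Each emitted pair
    stays within the limit, index included (up to 999 chunks).
    """
    if len(name) + 1 + len(value) <= limit:
        return [(name, value)]
    chunk_len = limit - (len(name) + len("_999") + 1)   # longest chunk name plus "="
    if chunk_len <= 0:
        raise ValueError("cookie name leaves no room for a value")
    chunks = [value[i:i + chunk_len] for i in range(0, len(value), chunk_len)]
    if len(chunks) > 999:
        raise ValueError("value too large even when chunked")
    pairs = [(name + "_chunks", str(len(chunks)))]
    pairs += [("%s_%d" % (name, i), chunk) for i, chunk in enumerate(chunks)]
    return pairs


def join_cookie(name, cookies):
    """Reassemble a value from a request's cookie dict; None if anything is missing.

    A missing or out-of-range chunk must not produce a truncated value that is
    then parsed as a (shorter) session: refuse and let the request re-authenticate.
    """
    if name in cookies:
        return cookies[name]
    count = cookies.get(name + "_chunks")
    if count is None or not count.isdigit() or not 1 <= int(count) <= 999:
        return None
    parts = []
    for i in range(int(count)):
        part = cookies.get("%s_%d" % (name, i))
        if part is None:
            return None
        parts.append(part)
    return "".join(parts)
```

Chunking only solves the per-cookie limit; browsers also cap the total number of cookies per domain, so a client-side session that keeps growing (many claims, a large access token) still benefits from a server-side cache or a smaller payload.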
release 1.8.5
Features
- authentication option for the Redis cache server using `OIDCRedisCachePassword`
- `OIDCUnAuthAction` primitive that defines how to act on unauthenticated requests; deprecates `OIDCReturn401`
- JWT encryption support for `RSA-OAEP` and `A128GCM`, `A192GCM`, `A256GCM`
- support encrypted JWTs using `A192KW` and `A192CBC-HS384`
- graceful handling of browser-back on authorization response, issue #89
- graceful handling of invalid (expired) authorization response state, issue #86
- support (non-sid-based) HTTP logout spec: http://openid.net/specs/openid-connect-logout-1_0.html
Bugfixes
- fix parsing of `OIDCOAuthTokenExpiryClaim`, PR #90, thanks @bester
- improve logging on metadata parsing failures, issue #94
Security
- add CSRF protection to Discovery, see: https://bitbucket.org/openid/connect/issues/979/discovery-security-considerations-csrf
release 1.8.4
Features
- support passing claims as environment variables (`OIDCPassClaimsAs`); this allows for more reliable interaction with other modules that access environment variables set by mod_auth_openidc
Bugfixes
- avoid double free of JWT after parsing errors have been encountered
- correct debug printout in oidc_util_read_form_encoded_params
- correct memcache logging on cache misses; thanks @scottdear
- work around JSON timestamp print modifier issue (`%lld`) on some platforms, e.g. Debian 8, thanks to @ralphvanetten
release 1.8.3
2015/06/23: fixed the erroneous upload of Debian Wheezy/Precise backports
Features
- merge claims from the id_token into those obtained from the user info endpoint for authorization purposes; this allows e.g. for using the `iss` claim in `Require claim` directives (when not returned from the user info endpoint)
- improve error logging on encountering non-supported JWT signing/encryption algorithms
- allow JSON string values for the "active" claim in access token validation responses (as used by e.g. the WebSphere Liberty authorization server) (thanks @stevemart)
- make public keys for encrypted JWT access tokens available for OAuth 2.0 configurations (see issue #74 esp. last comments)
- remove exceptions for accounts.google.com since Google is OpenID Connect compliant now
Bugfixes
- fix `at_hash` and `c_hash` comparisons when the input is padded (thanks @steverc, issue #65)
- perform validation on post-logout URLs to prevent open redirects, response splitting and cache poisoning (thanks @davidbernick, issue #68)
- fix post-logout URL being set to SSO URL
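The post-logout URL validation referred to above (issue #68) is a standard redirect-target check. The following is an added example in Python, not the module's implementation, of what such a check has to cover to close the three problems named in the note: control characters (response splitting and, through an injected header, cache poisoning), and hosts or schemes the RP did not intend (open redirect). Host names are constructed.

```python
from urllib.parse import urlsplit


def validate_post_logout_url(url, current_host, allowed_hosts=()):
    """Return an absolute URL that is safe to put in a Location header, or None.

    Rejects, in this order:
      - empty input and any C0 control character or DEL (CR/LF would split the
        response; an injected header could poison downstream caches); this is
        checked on the raw string because urlsplit() in recent Python versions
        strips some of these characters before parsing
      - backslashes (browsers treat them as slashes, many parsers do not)
      - scheme-relative //host and non-http(s) schemes (javascript:, data:)
      - absolute URLs whose host is neither the current host nor on the allow-list
    Path-only values are resolved against the current host.
    """
    if not url or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return None
    if "\\" in url:
        return None
    if url.startswith("/") and not url.startswith("//"):
        return "https://" + current_host + url
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    hosts = {current_host.lower(), *(h.lower() for h in allowed_hosts)}
    if not parts.hostname or parts.hostname not in hosts:
        return None   # also covers user@evil.example and app.example.evil.example lookalikes
    return url
```

Comparing `parts.hostname` (rather than doing a prefix match on the raw string) is what defeats the `https://app.example@evil.example/` and `https://app.example.evil.example/` variants; an exact-match allow-list is deliberately stricter than a suffix match on the cookie domain.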
Packaging
- the `*bpo70*.deb` packages will work on Debian Wheezy and Ubuntu Precise
- the regular `*.deb` packages will work on Debian Jessie, Ubuntu Trusty and Ubuntu Utopic