
Releases: OpenIDC/mod_auth_openidc

release 2.0.0

05 Aug 06:18

Release 2.x is mainly focused on security improvements and refactoring; its configuration is backwards compatible with 1.x. The module now depends on an external library cjose for all crypto-related operations. Packages for cjose version 0.4.1 for all platforms are included in the Downloads section for this release.

Security

  • use signed and encrypted JWTs for the state cookies and for session data in the cookie/memcache/redis/file backends; this means that e.g. a shared memcache cluster can be used without session data being readable or writeable by third parties
  • limit the maximum POST data size to 1 MB

Bugfixes

  • use AUTHZ_DENIED in Apache v2.4 oidc_authz_checker; closes #151; thanks @gwollman
  • use stricter input parsing validation functions on both single-provider static configurations and multi-provider metadata configurations
  • fix front-channel img-style logout with newer versions of PingFederate
  • fix directory config merging so values can be set back to their default values in sub directories; closes #170 ; thanks @carldini
  • don't add our own cookies to the incoming headers

Features

  • add support for chunked session cookies; closes #153; thanks @glatzert - client-side-only session state (OIDCSessionType client-cookie) can now be used without running into browser cookie size limits, which were too easy to hit before
  • support TLS client authentication to the token and introspection endpoints with OIDCClientTokenEndpointCert/OIDCClientTokenEndpointKey and OIDCOAuthIntrospectionEndpointCert/OIDCOAuthIntrospectionEndpointKey
  • support preserving POST data across authorization and discovery requests with OIDCPreservePost - this allows for preserving posted form data across re-authentication roundtrips triggered by session timeouts
  • allow passing the refresh token to the application with OIDCPassRefreshToken; thanks Amit Joshi
  • allow setting the token endpoint authentication method for Dynamic Client Registration in multi-provider setups in the .conf file with token_endpoint_auth
  • allow stripping cookies to the application/backend with OIDCStripCookies

Dependencies

  • starting with version 2.0 this module depends on an external library cjose (https://github.com/cisco/cjose) for all JOSE related operations e.g. id_token/JWT verification/signing
  • support OpenSSL 1.1.x as well as older versions
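The following Apache configuration is an added example, not taken from the release notes or the project's own documentation, showing how the 2.0.0 features above fit together in one RP configuration. The directive names are those listed in the release notes above; the provider URL, client credentials, file paths and the /protected location are placeholders.

```apache
# Added example configuration; provider URL, client credentials, paths and the
# /protected location are placeholders, not values from the project.
OIDCProviderMetadataURL https://op.example.com/.well-known/openid-configuration
OIDCClientID            my-client-id
OIDCClientSecret        change-me
OIDCRedirectURI         https://rp.example.com/protected/redirect_uri

# Key material for the signed and encrypted state cookie and session JWTs (2.0.0).
# Keep it long and random: anyone holding it can read and forge sessions, which is
# exactly what the encryption protects against on a shared memcache/redis backend.
OIDCCryptoPassphrase    use-a-long-random-secret-here

# Client-side-only session state; safe to use now that the cookie is chunked (#153).
OIDCSessionType         client-cookie

# Authenticate to the token endpoint with a TLS client certificate (2.0.0).
OIDCClientTokenEndpointCert /etc/apache2/ssl/rp-client.crt
OIDCClientTokenEndpointKey  /etc/apache2/ssl/rp-client.key

# Keep posted form data across the re-authentication round trip after a session timeout.
OIDCPreservePost        On

# Hand the refresh token to the application (enable only if the backend really needs it).
OIDCPassRefreshToken    On

# Do not forward the module's own session cookie (default name shown) to the backend.
OIDCStripCookies        mod_auth_openidc_session

<Location /protected>
    AuthType openid-connect
    Require valid-user
</Location>
```

With OIDCSessionType client-cookie the whole session lives in the browser, so the strength of OIDCCryptoPassphrase is the only thing keeping session contents private and unforgeable; rotate it like any other key.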

release 1.8.10.1

11 Jul 13:50

This is a security update that fixes broken JWT signature verification for tokens signed with Elliptic Curve keys.

Security

  • fix Elliptic Curve signature verification on garbage input

Advisory

Everyone that communicates with a provider that uses Elliptic Curve keys to sign JWTs should upgrade to 1.8.10.1. Such a provider could be:

  • an OpenID Connect Provider using Elliptic Curve cryptography to sign ID tokens (esp. in the front channel), or
  • an OAuth 2.0 Authorization Server that produces JWT based Access Tokens signed with Elliptic Curve keys.

Note that the default signing algorithm in OpenID Connect is RSA-based (RS256) and OAuth 2.0 JWT-based Access Tokens typically use the same default, so parties that use these defaults or variants of them are not affected.

Also, even when Elliptic Curve cryptography is used for the ID tokens, when these are delivered over a backchannel, e.g. using the default Authorization Code grant, proper TLS server certificate verification is in place to prevent abuse: in those cases the ID token signature verification is merely an optional, additional check.

In summary, directly affected are:

  • OpenID Connect RPs using a front-channel flow ("id_token", "code id_token", "token id_token") to receive an ID token that was signed with an Elliptic Curve key; they should upgrade or change to a backchannel flow
  • OAuth 2.0 Resource Servers using a JWT-based access token signed with an Elliptic Curve key; they should upgrade or change to a reference-style access token

Note that the last case can only happen when an RS uses the OIDCOAuthVerifyJwksUri capability of mod_auth_openidc, since configuring Elliptic Curve keys statically is not possible today.
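The advisory above is about ECDSA verification that misbehaved on garbage input. The block below is an added example, not code from mod_auth_openidc, of the checks an RP or RS should run on an ES256/ES384/ES512 JWS before any curve math happens: strict base64url decoding, exactly three segments, the algorithm pinned to what is configured for the provider, a signature of exactly 2 * coordinate-size bytes, and r and s both in [1, n-1]. The actual ECDSA verification is left to the crypto library; the comment at that point records the OpenSSL return-code convention, because treating an error return as success is the classic way "garbage input" turns into a forged token. The sample token, claims and signature bytes are constructed for the demo (no real key is involved).

```python
import base64
import json

# Curve parameters for the JOSE ECDSA algorithms (RFC 7518 section 3.4). The first
# value is the byte length of one coordinate: a well-formed signature is exactly
# r || s, i.e. twice that. The second is the group order n; r and s must be in [1, n-1].
EC_ALGS = {
    "ES256": (32, int("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)),
    "ES384": (48, int("F" * 48 + "C7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973", 16)),
    "ES512": (66, int("01FF" + "F" * 56 + "FFFFFFFA"
                      "51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)),
}


def b64url_decode(segment):
    """Strict base64url decode: restore padding, reject empty input and non-alphabet bytes."""
    if not isinstance(segment, str) or segment == "":
        raise ValueError("empty base64url segment")
    padded = segment + "=" * (-len(segment) % 4)
    # binascii.Error (raised for bad input with validate=True) is a ValueError subclass.
    return base64.b64decode(padded, altchars=b"-_", validate=True)


def split_jws(token):
    """Split a compact JWS into (signing_input, header, payload_bytes, signature_bytes)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if not isinstance(header, dict) or not isinstance(header.get("alg"), str):
        raise ValueError("JOSE header has no string 'alg'")
    return (h + "." + p).encode("ascii"), header, b64url_decode(p), b64url_decode(s)


def parse_ec_signature(alg, sig):
    """Validate the encoding of a JOSE ECDSA signature and return (r, s) as integers."""
    if alg not in EC_ALGS:
        raise ValueError("not a JOSE ECDSA algorithm: %r" % alg)
    coord, n = EC_ALGS[alg]
    if len(sig) != 2 * coord:  # garbage or DER-encoded input never reaches the curve math
        raise ValueError("%s signature must be %d bytes, got %d" % (alg, 2 * coord, len(sig)))
    r = int.from_bytes(sig[:coord], "big")
    s = int.from_bytes(sig[coord:], "big")
    if not (1 <= r < n and 1 <= s < n):
        raise ValueError("r or s out of range for %s" % alg)
    return r, s


def ec_jws_precheck(token, expected_alg):
    """Everything to check before handing an ES* token to the crypto library.

    The algorithm is pinned to what the RP configured for the provider, so a token
    that claims 'none' or 'HS256' is rejected here rather than by luck later on.
    """
    signing_input, header, payload, sig = split_jws(token)
    if header["alg"] != expected_alg:
        raise ValueError("alg %r does not match configured %r" % (header["alg"], expected_alg))
    r, s = parse_ec_signature(expected_alg, sig)
    # What remains is the curve math: ECDSA over signing_input with the provider's JWK.
    # With OpenSSL that is ECDSA_do_verify(), which returns 1 for a valid signature,
    # 0 for an invalid one and -1 on error; only a return value of 1 is success.
    return {"signing_input": signing_input, "header": header,
            "payload": json.loads(payload), "r": r, "s": s}


def build_demo_token(alg, sig):
    """Constructed sample token (no real key): fixed header/claims, caller-chosen signature bytes."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    header = enc(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    claims = enc(json.dumps({"iss": "https://op.example.com", "sub": "alice"},
                            separators=(",", ":")).encode())
    return "%s.%s.%s" % (header, claims, enc(sig))


if __name__ == "__main__":
    ok = build_demo_token("ES256", (1).to_bytes(32, "big") + (12345).to_bytes(32, "big"))
    print("well-formed:", ec_jws_precheck(ok, "ES256")["payload"]["sub"])
    for label, bad in [("63-byte signature", b"\x01" * 63), ("r = 0", b"\x00" * 32 + b"\x01" * 32)]:
        try:
            ec_jws_precheck(build_demo_token("ES256", bad), "ES256")
        except ValueError as exc:
            print("rejected %s: %s" % (label, exc))
```

The length and range checks are cheap and independent of the library in use; keeping them in front of the library call means a malformed signature is reported as malformed instead of being fed to code whose error path you have to trust.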

release 1.8.10

27 Jun 07:32

Features

  • add per-path configurable token introspection result cache expiry with OIDCOAuthTokenIntrospectionInterval
  • add support for JWT based client authentication to the token endpoint (client_secret_jwt, private_key_jwt)
  • allow setting OIDCRemoteUserClaim with values obtained from the userinfo endpoint; thanks @steve-dave

Bugfixes

  • fix OIDCUnAuthAction pass mode for Apache 2.4, and for the case where Require claim primitives are used on 2.4 and 2.2; thanks @steve-dave
  • don't use local port setting for current URL determination when X-Forwarded-Host has been set

Other

  • avoid compilation errors with OpenSSL 1.1.0 and use EVP_CIPHER_CTX_new/EVP_CIPHER_CTX_free

release 1.8.9

07 Jun 20:22

Features

  • support 410 option on OIDCUnAuthAction; closes #141
  • return WWW-Authenticate header on OAuth 2.0 protected paths to conform better to the spec; closes #124; thanks @spinto
  • improve support for public clients; closes #130

Bugfixes

  • improve X-Forwarded-Host handling over Host
  • always make claims from the id_token available for authorization; closes #129
  • apr_jwe_decrypt_content_aesgcm() null terminate string, #127, thanks @jdennis
  • fix unit test on Apache 2.4 and error description
  • fix segfault if OIDCRedirectURI is empty; fixes #138; thanks @brianwcook
  • avoid parsing previous refresh timestamp if that failed earlier
  • fix get_current_url (proxy) case where r->parsed_uri.path would be null

release 1.8.8

10 Mar 12:09

4/25/2016: updated the build for windows to the actual 1.8.8 version

Security

  • update the mitigation for the OAuth AS mix-up attack to conform to the updated https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01
    • pass the plain state value to the token endpoint instead of a hash
  • remove linefeeds from the OIDCAuthNHeader value before setting the header, thanks @rfk
    • this is a security fix that prevents crafted (header-injecting) values from being passed on in a reverse proxy setup, similar to what was done for other headers earlier in release 1.8.0

Features

  • support passing OAuth 2.0 bearer token (or a generic JWT) in alternative ways with OIDCOAuthAcceptTokenAs
    • i.e. a query parameter, a POST parameter or a (PingAccess) cookie, see #112
  • don't redirect away to the OP for authentication when the X-Requested-With header is present in an unauthenticated request
    • to avoid state cookies piling up on Javascript paths; as suggested in #113

Bugfixes

  • fix custom HTML error template initialization in (derived) virtual host definitions, see #118
  • merge id_token and userinfo claims in Apache >2.4 authorization; see #120
  • Elliptic Curve support requires OpenSSL 1.0.1 now (was 1.0.0); this allows for builds on OpenSuse, see #116
  • include token_endpoint_auth_method in Dynamic Client Registration requests, see #117
  • fix loose (prefix only) matching of cookie names

Other

  • use session cookies instead of persistent cookies for the "state" cookies to work around a Firefox bug and clean them up when expired
  • issue a log warning when cookie size limitations are reached
  • log exact version of OpenSSL and EC/GCM/Redis support at startup
  • issue a warning if the "openid" scope is not included in the authentication request

release 1.8.7

08 Jan 21:33

Security

  • add mitigation for the OAuth AS mix-up attack described in http://www.scmagazineuk.com/researchers-find-two-flaws-in-oauth-20/article/463919/ according to (the unpublished) draft-jones-oauth-issuer-00
    • if present in an authentication response: check iss and client_id against the ones recorded in the state
    • push a hash of the state parameter to the token endpoint in code flows
  • strictly match issuer in Discovery document against requested issuer
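The RP-side half of the mix-up mitigation introduced here (and adjusted in 1.8.8 to send the plain state to the token endpoint) is small enough to show in full. The block below is an added example, not code from mod_auth_openidc: a state record binds each authentication request to the issuer and client_id it was sent for; an authorization response that carries iss or client_id must match that record, the state is single-use, and the code is redeemed with the recorded provider, never with one picked from the response. The in-memory dict standing in for the state cookie and all issuer, client and code values are constructed for the demo.

```python
import hmac
import secrets

# Constructed, in-memory RP state store for a stand-alone demo. In mod_auth_openidc the
# same bookkeeping lives in the (signed) state cookie; the checks are what matters here.


def new_state(store, issuer, client_id):
    """Start an authentication request: bind a fresh, unguessable state to the
    provider (issuer) and client_id the request is sent to."""
    state = secrets.token_urlsafe(24)
    store[state] = {"iss": issuer, "client_id": client_id}
    return state


def check_authn_response(store, params):
    """Validate an authorization response (its query/fragment parameters as a dict).

    Returns the record bound to the state so the caller redeems the code at the
    token endpoint of the provider it started with, never one chosen from the
    response. Raises ValueError on any mismatch; the state is consumed either way.
    """
    state = params.get("state")
    if not isinstance(state, str) or state not in store:
        raise ValueError("unknown or missing state (replayed, expired or forged response)")
    record = store.pop(state)  # one-time use: a replay fails the lookup above
    # Mix-up mitigation (draft-jones-oauth-mix-up-mitigation): if the AS echoes its
    # issuer and our client_id, both must equal what was recorded for this state.
    # A code that an attacker-controlled AS caused an honest AS to send us fails here.
    for name in ("iss", "client_id"):
        if name in params and not hmac.compare_digest(
                str(params[name]).encode("utf-8"), record[name].encode("utf-8")):
            raise ValueError("%s in authorization response does not match the state" % name)
    if "error" in params:
        raise ValueError("provider returned error %r" % params["error"])
    if not isinstance(params.get("code"), str) or not params["code"]:
        raise ValueError("no authorization code in response")
    return record


def token_request_params(record, params, redirect_uri):
    """Form parameters for the code exchange. The state travels along in plain form
    (the 1.8.8 variant) so the token endpoint can tie the code to the request."""
    return {
        "grant_type": "authorization_code",
        "code": params["code"],
        "redirect_uri": redirect_uri,
        "client_id": record["client_id"],
        "state": params["state"],
    }


if __name__ == "__main__":
    store = {}
    # Honest case: the user chose op-a and op-a answered.
    state = new_state(store, "https://op-a.example.com", "client-at-a")
    honest = {"code": "c-1", "state": state, "iss": "https://op-a.example.com",
              "client_id": "client-at-a"}
    print("honest response ->", check_authn_response(store, honest)["iss"])
    # Mix-up: the request went to (attacker-controlled) op-b, which bounced the user to
    # op-a; op-a's code arrives with iss=op-a while the state says op-b.
    state = new_state(store, "https://op-b.example.com", "client-at-b")
    mixed = {"code": "c-2", "state": state, "iss": "https://op-a.example.com"}
    try:
        check_authn_response(store, mixed)
    except ValueError as exc:
        print("mixed-up response ->", exc)
```

Responses from providers that do not implement the extension carry no iss, so the check is necessarily opportunistic; the "strictly match issuer in Discovery document" item above is what prevents an attacker from registering a provider whose metadata claims a victim's issuer in the first place.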

Bugfixes

  • fix memory corruption when using custom html template; closes #106
  • return 404 on iframes if session-mgmt disabled; debug logs; closes #109
  • fix crash using a custom error template when description is NULL
  • fix crash when target_link_uri is not a valid URI or parts are empty

Other

  • fix compilation warning on double sizeof call; closes #103, thanks @dcb314
  • correct debug log in oidc_util_hash_string_and_base64url_encode

release 1.8.6

26 Oct 08:50

Features

  • add support for applying a custom HTML error template with OIDCHTMLErrorTemplate
  • add option to manually assign a key identifier (kid) to the OIDCOAuthVerifySharedKeys, OIDCOAuthVerifyCertFiles and OIDCPublicKeyFiles configuration primitives
  • allow a leading '.' in the OIDCCookieDomain primitive and support older browsers; issue #96
  • include and prioritize the X-Forwarded-Host header in hostname determination
  • allow for missing Host header (HTTP 1.0)
  • add option to make session cookie persistent; closes #97

Bugfixes

  • return DONE instead of HTTP_UNAUTHORIZED with Discovery page (prevent double HTML in HTTP 1.0)
  • validate the received session cookie against the domain it was issued for:
    this handles the case where the configured cache is the same single memcache, Redis or file backend shared by different (virtual) hosts, or a client-side cookie protected with the same secret; it also handles the case where a cookie is unexpectedly shared across multiple hosts in name-based virtual hosting even though the OP(s) would be the same

Other

  • log a warning if the Set-Cookie value length is greater than 4093 bytes, since browsers otherwise break without giving any clue

release 1.8.5

21 Sep 07:22

Features

  • authentication option for Redis cache server using OIDCRedisCachePassword
  • OIDCUnAuthAction primitive that defines how to act on unauthenticated requests; deprecates OIDCReturn401
  • JWT encryption support for RSA-OAEP and A128GCM, A192GCM, A256GCM
  • support encrypted JWTs using A192KW and A192CBC-HS384
  • graceful handling of browser-back on authorization response, issue #89
  • graceful handling of invalid (expired) authorization response state, issue #86
  • support (non-sid-based) HTTP logout spec: http://openid.net/specs/openid-connect-logout-1_0.html

Bugfixes

  • fix parsing of OIDCOAuthTokenExpiryClaim, PR #90, thanks @bester
  • improve logging on metadata parsing failures, issue #94

release 1.8.4

03 Jul 18:41

Features

  • support passing claims as environment variables (OIDCPassClaimsAs)
    this allows for more reliable interaction with other modules that access environment variables set by mod_auth_openidc

Bugfixes

  • avoid double free of JWT after parsing errors have been encountered
  • correct debug printout in oidc_util_read_form_encoded_params
  • correct memcache logging on cache misses; thanks @scottdear
  • work around JSON timestamp print modifier issue (%lld) on some platforms, e.g. Debian 8, thanks to @ralphvanetten

release 1.8.3

19 Jun 18:15

2015/06/23: fixed the erroneous upload of Debian Wheezy/Precise backports

Features

  • merge claims from id_token into those obtained from the user info endpoint for authorization purposes; this allows e.g. for using the iss claim in Require claim directives (when not returned from the user info endpoint)
  • improve error logging on encountering non-supported JWT signing/encryption algorithms
  • allow JSON string values for the "active" claim in access token validation responses (as used by e.g. the WebSphere Liberty authorization server) (thanks @stevemart)
  • make public keys for encrypted JWT access tokens available for OAuth 2.0 configurations (see issue #74 esp. last comments)
  • remove exceptions for accounts.google.com since Google is OpenID Connect compliant now

Bugfixes

  • fix at_hash and c_hash comparisons when the input is padded (thanks @steverc, issue #65)
  • perform validation on post-logout URLs to prevent open redirects, response splitting and cache poisoning (thanks @davidbernick, issue #68)
  • fix post-logout URL being set to SSO URL
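The at_hash/c_hash fix above concerns OPs that emit the claim with base64 padding. The block below is an added example, not code from mod_auth_openidc, of computing and checking both claims the way OpenID Connect Core defines them (left half of the hash matching the ID token's alg, base64url without padding) while accepting a padded value by comparing decoded octets in constant time. The access token and code values are constructed for the demo.

```python
import base64
import hashlib
import hmac

# Hash used for at_hash / c_hash, keyed by the ID token's JWS "alg"
# (OpenID Connect Core 1.0, sections 3.3.2.10 and 3.3.2.11).
HASH_FOR_ALG = {
    "HS256": "sha256", "RS256": "sha256", "ES256": "sha256", "PS256": "sha256",
    "HS384": "sha384", "RS384": "sha384", "ES384": "sha384", "PS384": "sha384",
    "HS512": "sha512", "RS512": "sha512", "ES512": "sha512", "PS512": "sha512",
}


def b64url_nopad(raw):
    """base64url without '=' padding, the form the spec prescribes for the claim value."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def token_hash(alg, value):
    """at_hash of an access token or c_hash of a code: left half of the hash of its ASCII octets."""
    if alg not in HASH_FOR_ALG:
        raise ValueError("no token-hash definition for alg %r" % alg)
    digest = hashlib.new(HASH_FOR_ALG[alg], value.encode("ascii")).digest()
    return b64url_nopad(digest[: len(digest) // 2])


def canonical_b64url(claim):
    """Re-encode a claim value in canonical unpadded form; None if it is not base64url at all.

    Decoding and re-encoding is what makes a padded value ("...==") compare equal to the
    unpadded one the RP computes, without having to special-case the padding characters.
    """
    stripped = claim.rstrip("=")
    try:
        raw = base64.b64decode(stripped + "=" * (-len(stripped) % 4), altchars=b"-_", validate=True)
    except (ValueError, TypeError):
        return None
    return b64url_nopad(raw)


def verify_token_hash(alg, claim, value):
    """True iff the at_hash/c_hash claim (padded or not) matches the given token or code."""
    got = canonical_b64url(claim)
    if got is None:
        return False
    return hmac.compare_digest(got, token_hash(alg, value))


if __name__ == "__main__":
    access_token = "constructed-access-token-value"  # constructed, not a real token
    claim = token_hash("RS256", access_token)
    print("at_hash:", claim)
    print("unpadded claim verifies:", verify_token_hash("RS256", claim, access_token))
    print("padded claim verifies:  ", verify_token_hash("RS256", claim + "==", access_token))
    print("wrong token verifies:   ", verify_token_hash("RS256", claim, access_token + "x"))
```

Use the same function for c_hash with the authorization code as the value; the only input that differs between the two claims is the thing being hashed.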

Packaging

  • the *bpo70*.deb packages will work on Debian Wheezy and Ubuntu Precise
  • the regular *.deb packages will work on Debian Jessie, Ubuntu Trusty and Ubuntu Utopic