Releases: OpenIDC/mod_auth_openidc

release 1.8.4

03 Jul 18:41

Features

  • support passing claims as environment variables (OIDCPassClaimsAs)
    this allows for more reliable interaction with other modules that access environment variables set by mod_auth_openidc

Bugfixes

  • avoid double free of JWT after parsing errors have been encountered
  • correct debug printout in oidc_util_read_form_encoded_params
  • correct memcache logging on cache misses; thanks @scottdear
  • work around JSON timestamp print modifier issue (%lld) on some platforms, e.g. Debian 8, thanks to @ralphvanetten

release 1.8.3

19 Jun 18:15

2015/06/23: fixed the erroneous upload of Debian Wheezy/Precise backports

Features

  • merge claims from id_token into those obtained from the user info endpoint for authorization purposes; this allows e.g. for using the iss claim in Require claim directives (when not returned from the user info endpoint)
  • improve error logging on encountering non-supported JWT signing/encryption algorithms
  • allow JSON string values for the "active" claim in access token validation responses (as used by e.g. the WebSphere Liberty authorization server) (thanks @stevemart)
  • make public keys for encrypted JWT access tokens available for OAuth 2.0 configurations (see issue #74 esp. last comments)
  • remove exceptions for accounts.google.com since Google is OpenID Connect compliant now

Bugfixes

  • fix at_hash and c_hash comparisons when the input is padded (thanks @steverc, issue #65)
  • perform validation on post-logout URLs to prevent open redirects, response splitting and cache poisoning (thanks @davidbernick, issue #68)
  • fix post-logout URL being set to SSO URL

Packaging

  • the *bpo70*.deb packages will work on Debian Wheezy and Ubuntu Precise
  • the regular *.deb packages will work on Debian Jessie, Ubuntu Trusty and Ubuntu Utopic

release 1.8.2

18 May 08:22

Bugfixes

  • fix Elliptic Curve signature verification in hybrid flows

release 1.8.1

05 May 12:56

2015/05/12: fixed the erroneous upload of libapache2-mod-auth-openidc_1.8.1-1ubuntu1~precise+1_amd64.deb

Features

  • allow setting OIDCDiscoverURL inside of Directory and Location directives
  • allow setting OIDCCookie outside of Directory and Location directives
  • add configurable token expiry parsing of OAuth 2.0 introspection result (OIDCOAuthTokenExpiryClaim)
  • increase SHM cache key size from 255 to 512
  • add support for regular expressions in remote user setting for OIDC and OAuth 2.0

Bugfixes

  • fix building with OpenSSL <1.0
  • avoid timing attacks on symmetric key signature/hash comparisons
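The at_hash/c_hash padding fix in 1.8.3 and the timing-attack fix above both concern how a received hash is compared with the expected one. The following is an added example written for this page, not code from mod_auth_openidc: it computes at_hash/c_hash as OIDC Core defines them (base64url of the left half of the hash named by the signing algorithm), decodes the claimed value whether or not it carries "=" padding, and compares the decoded bytes in constant time. The token value used in the test is constructed.

```python
import base64
import binascii
import hashlib
import hmac

# The hash function follows the ID token's signing algorithm:
# RS256/ES256/HS256 -> SHA-256, *384 -> SHA-384, *512 -> SHA-512.
_ALG_TO_HASH = {"256": "sha256", "384": "sha384", "512": "sha512"}


def b64url_decode(data: str) -> bytes:
    """Decode base64url whether or not the sender kept the '=' padding."""
    data = data.strip()
    data += "=" * (-len(data) % 4)  # re-pad to a multiple of 4; no-op if already padded
    return base64.urlsafe_b64decode(data)


def b64url_encode(raw: bytes) -> str:
    """Encode as unpadded base64url, the form OIDC Core prescribes for at_hash/c_hash."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def compute_token_hash(token: str, alg: str) -> str:
    """at_hash / c_hash: base64url of the left half of hash(token), per OIDC Core 3.3.2.11."""
    suffix = alg[-3:]
    if suffix not in _ALG_TO_HASH:
        raise ValueError("no token hash defined for signing algorithm %r" % alg)
    digest = hashlib.new(_ALG_TO_HASH[suffix], token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def verify_token_hash(claimed: str, token: str, alg: str) -> bool:
    """Check an at_hash/c_hash claim against the token actually received.

    Compares decoded bytes, so a padded claim value still matches, and uses a
    constant-time comparison so a mismatch reveals nothing through timing.
    """
    try:
        claimed_raw = b64url_decode(claimed)
    except (binascii.Error, ValueError):
        return False  # not valid base64url at all
    expected_raw = b64url_decode(compute_token_hash(token, alg))
    return hmac.compare_digest(claimed_raw, expected_raw)
```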

Packaging

  • add Ubuntu Trusty and Precise packages

release 1.8.0

26 Feb 16:32

2015/03/16: fixed the erroneous 32 bit upload of mod_auth_openidc-1.8.0-1.el6.x86_64.rpm

Features

  • more options for running as (only) an OAuth 2.0 Resource Server
  • support configuration of a maximum session duration (OIDCSessionMaxDuration)

Bug Fixes

  • avoid including line feeds in header values (@forkbomber and @ekanthi)
    • this is a security fix to prevent passing crafted header values in a reverse proxy setup
  • the response type must now strictly match the requested response type
  • fix free() crash on simple-valued error printouts
  • fix returning keys without a kid
  • fix searching for keys with a x5t thumbprint
  • fix oauth.introspection_endpoint_method initialization

Other

  • make Redis support conditional at compilation time using autoconf
  • preliminary support for GET-style logout (under development in the OIDC WG)

release 1.7.3

05 Feb 18:42

Bug fixes

  • fix symmetric key decryption of JWTs encrypted with A128CBC-HS256 and A256CBC-HS512
  • fix memory leak in RSA key conversion
  • allow {... "error": null ...} in JSON responses (@fatlotus)
  • get rid of extraneous ; in Set-Cookie headers
  • fix configuration validation check where no config would be checked if OIDCProviderIssuer is set but both OIDCRedirectURI and OIDCCryptoPassphrase are not set

Features

  • update to draft-bradley-oauth-jwt-encoded-state-03: change target_uri parameter name to target_link_uri

Other

  • add preliminary support for local JWT access token validation (contact the author for docs)
  • JWT code refactoring & extended test coverage

release 1.7.2

21 Jan 09:15

Features

  • add support for OIDCOAuthIntrospectionTokenParamName
    this also adds support for Google OAuth 2.0 access token validation
  • print JOSE error reports on failure

Bug fixes

  • fix Redis reconnect behavior: avoid reconnecting endlessly
  • correct expiry debug printout
  • fix return result on error in function that decrypts CEK
  • improve accuracy of expired/invalid session handling

Other

  • document OIDCPassCookies
  • fix compiler warnings and printf formatting
  • revise JOSE/JWT API with respect to error handling

release 1.7.1

12 Dec 12:53

Features

  • return HTTP 401 on specific paths instead of redirecting for authentication with OIDCReturn401 On
  • add configurable JSON parameters to Dynamic Client Registration requests with OIDCProviderRegistrationEndpointJson/registration_endpoint_json
  • make shared memory cache entry maximum size configurable with OIDCCacheShmEntrySizeMax
  • pass error codes back to the caller when the refresh hook fails
  • pass cookies specified in OIDCPassCookies from browser on to OP/AS calls (for loadbalancing purposes)

Bugfixes

  • reconnect to the Redis server after I/O failure as raised in #43
  • allow OIDCRedirectURI's with an empty path and fix crash
  • require the expiring access_token on the refresh hook for XSRF protection

Other

  • improve handling of non-string (i.e. non-compliant) error responses
  • return HTTP 500 when detecting requests that will loop on return

release 1.7.0

05 Nov 11:32

Features

  • add support for Redis cache backend
  • support regular expressions in Require statements
  • generalize support for OAuth 2.0 token introspection and conform to:
    https://tools.ietf.org/html/draft-ietf-oauth-introspection-00
  • add support for the refresh_token flow + hook
  • pass the expires_in as an absolute timestamp in OIDC_access_token_expires

Bugfixes

  • scrub all OIDC_ headers
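Two of the fixes on this page concern the headers the module sets for the backend: 1.7.0 scrubs client-supplied OIDC_* headers so a caller cannot forge them, and 1.8.0 refuses line feeds in header values so a crafted claim cannot inject extra headers in a reverse proxy setup. The snippet below is an added illustration of both checks, not the module's own C code; the header and claim values are constructed.

```python
import re
from typing import Dict, Optional

# Headers the module sets for the backend; anything with this prefix arriving
# from the client side must be dropped, or a caller could impersonate the module.
OIDC_PREFIX = "oidc_"
# CR, LF or NUL in a value would terminate the header and let the remainder be
# read as further headers when the value is forwarded through a reverse proxy.
_CTL_CHARS = re.compile(r"[\r\n\x00]")


def _canonical(name: str) -> str:
    # Header names are case-insensitive, and a proxy or CGI layer maps '-' to '_',
    # so "OIDC-CLAIM-sub" and "oidc_claim_sub" must be treated as the same name.
    return name.lower().replace("-", "_")


def scrub_incoming_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Remove every client-supplied OIDC_* header before the request is processed."""
    return {k: v for k, v in headers.items() if not _canonical(k).startswith(OIDC_PREFIX)}


def safe_header_value(value: str) -> Optional[str]:
    """Return the value if it can be placed in a header as-is, else None."""
    return None if _CTL_CHARS.search(value) else value


def build_claim_headers(claims: Dict[str, object]) -> Dict[str, str]:
    """Turn validated claims into OIDC_CLAIM_* headers, skipping unsafe values."""
    out: Dict[str, str] = {}
    for name, value in claims.items():
        safe = safe_header_value(str(value))
        if safe is None:
            continue  # a real module would log the rejected claim here
        out["OIDC_CLAIM_" + name] = safe
    return out
```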

Dependencies

  • there are now build and runtime dependencies on libhiredis and libpcre3

release 1.6.0

01 Oct 17:02

Features

  • add support for Session Management based on
    http://openid.net/specs/openid-connect-session-1_0.html (draft 21)
  • support static provider configuration from a metadata URL (OIDCProviderMetadataURL)
  • add config option to POST extra parameters to the token endpoint (OIDCProviderTokenEndpointParams / token_endpoint_params)
  • support for passing runtime determined authentication request parameters in the discovery response (auth_request_params)
  • support for "x5c" JWK representation

Bugs

  • fix set_slot functions for algorithm/url used as default for dynamic registration (OIDCClientJwksUri / OIDCIDTokenSignedResponseAlg)
  • fix JSON array memory leak in OAuth 2.0 access token validation flow
  • set expiry on state cookies
  • return JWKS on jwks_uri with content-type "application/json"
  • HTML-encode error descriptions before displaying them

Other

  • be less strict about issuer validation in metadata
  • check that endpoints in metadata are URLs
  • various minor logging improvements
  • various minor documentation improvements
  • improve error handling on direct browser access to redirect uri