Releases: OpenIDC/mod_auth_openidc
release 2.4.16.6
Bugfixes
- metadata: fix caching of JWKs from `jwks_uri` when using the default expiry setting (i.e. not using `OIDCJWKSRefreshInterval`) and avoid fetching JWKs from the `jwks_uri` for each user login; also addresses Redis cache error entries in the log `[ERR invalid expire time in 'setex' command]` (regression in 2.4.16-2.4.16.5)
- info: fix requests to the info hook with `extend_session=false`; see #1279; thanks @fnieri-cdp
  - avoid refreshing an access token (since the session is not saved)
  - avoid refreshing claims from the user info endpoint, and possibly refreshing the access token
  - properly reflect the (unmodified) inactivity timeout in the response (in the `timeout` claim)
- cookie: `OIDCCookieSameSite` default behaviour `Lax`
- cookie: apply `OIDCCookieSameSite Off/None` properly to state cookies instead of always setting `Lax`
- cache: avoid segfault and improve error reporting in case `apr_temp_dir_get` fails when a temp directory cannot be found on the system upon initializing cache mutexes and the file cache; see #1288; thanks @ErmakovDmitriy
Features
- cookie: allow specific settings `Strict|Lax|None|Disabled` for `OIDCCookieSameSite` in addition to `On(=Lax)|Off(=None)`
  - re-introduces the option to configure a `Strict` SameSite session cookie policy, which will turn the initial `Lax` session cookie - set upon receiving the response to the Redirect URI - into a `Strict` session cookie immediately after the first application request
  - allows for a `Disabled` value that does not set any SameSite flag on the cookies, in which case a browser falls back to its default behaviour (which should be `Lax` by spec)
- http: add option to set local address for outgoing HTTP requests, using e.g. `SetEnvIfExpr true OIDC_CURL_INTERFACE=192.168.10.2`; see #1283; thanks @studersi
Other
- metadata: allow plain HTTP URLs in metadata elements `jwks_uri` and `signed_jwks_uri` to ensure backwards compatibility with <=2.4.15.7 and to support private/test deployments
- code: address warnings from static code analysis tool CodeChecker
- init: try and address metrics cleanup segmentation fault on shutdown by not flushing metrics to the shared memory segment upon exit; see #1207
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, SUSE Linux, Amazon Linux 2023, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.16.5
Bugfixes
- add backwards compatibility with versions older than 2.4.16.x wrt. ID token `aud` claim validation: accept the ID token when our `client_id` is provided as one of the values in a JSON array of string values in the `aud` claim; required by (at least) Oracle IDCS; see #1272 and #1273; thanks @lufik and @tydalforce
- add `OIDCIDTokenAudValues` configuration primitive that allows for explicit - and exhaustive - configuration of the list of accepted values in the `aud` claim of the ID token, i.e. as required for passing FAPI 2 conformance testing
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, SUSE Linux, Amazon Linux 2023, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.16.4
Bugfixes
- add the missing copy of the `"x5t"` claim in `oidc_jwk_copy`, which broke `private_key_jwt` authentication to Microsoft Entra ID / Azure AD since 2.4.13; see #1269; thanks @uoe-pjackson
- fix accepting custom cookie names in `OIDCOAuthAcceptTokenAs cookie:<name>`; regression in 2.4.16.1...2.4.16.3; see #1261; thanks @bbartke
Other
- change warnings about not passing unknown claim types into debug messages; see #1263; thanks @nclarkau
- use compact encoding and preserve claim order where appropriate for most cases of JSON/JWT serialization
- improve basic authentication parsing when using `OIDCOAuthAcceptTokenAs basic`
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, SUSE Linux, Amazon Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.16.3
Bugfixes
- fix segfault in child process initialization routine when using Redis and/or Metrics settings in vhosts; closes #1208; thanks @studersi and Brent van Laere
- fix `OIDCCacheShmMax` min/max settings; see #1260; thanks @bbartke
- allow overriding globally set `OIDCCacheType` back to `shm` in individual vhosts
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, SUSE Linux, Amazon Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.16.2
Note that a custom OIDCCacheShmMax setting cannot be configured with this release.
Bugfixes
- fix regressions from the configuration rewrite in 2.4.16/2.4.16.1
- fix setting `OIDCPKCEMethod none`; closes #1256; thanks @eoliphan
- fix disabled `OIDCStateCookiePrefix` command; closes #1254; thanks @damisanet
- re-introduce `OIDCSessionMaxDuration 0`; see #1252; thanks @amitmun
- improve resilience in case both `Forwarded` and `X-Forwarded-*` headers are configured and only `X-Forwarded-*` is passed in
Other
- remove support for `OIDCHTMLErrorTemplate`, deprecated since 2.4.14
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, SUSE Linux, Amazon Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.16.1
Note that `OIDCPKCEMethod none`, `OIDCSessionMaxDuration 0`, `OIDCCacheShmMax` and `OIDCStateCookiePrefix` cannot be used in this release; see #1256, #1252, #1260 and #1254 respectively.
Security
- disable support for the RSA PKCS v1.5 JWE/JWT encryption algorithm as it is considered insecure due to the Marvin attack; it is removed from libcjose >= 0.6.2.3 as well; see GHSA-6x73-979p-x9jr
Features
- add Relying Party support for the FAPI 2.0 Security Profile (OpenID Financial-grade API v2.0)
- add Relying Party support for RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP), configured through the `OIDCDPoPMode [off|optional|required]` primitive (`dpop_mode` in the `.conf` file in multi-OP setups)
- add support for RFC 9126 OAuth 2.0 Pushed Authorization Requests, configured through `OIDCProviderPushedAuthorizationRequestEndpoint` and `OIDCProviderAuthRequestMethod PAR`
- add the `nbf` claim to the Request Object
- store the `token_type` in the session and make it available on the info hook together with the `access_token`
- replace multi-provider `.conf` `issuer_specific_redirect_uri` boolean with `response_require_iss` boolean to require the Provider to pass the `iss` value in authorization responses, mitigating the OP mix-up attack
- return HTTP 502 when refreshing the access token or userinfo fails (default: `502_on_error`)
- add support for `OIDCOAuthIntrospectionEndpointKeyPassword`, i.e. to configure a password for accessing the private key file used for OAuth 2.0 token introspection
- when an expression is configured for `OIDCUnAuthAction` (i.e. in the 2nd argument), also apply it to `OIDCUnAutzAction` so that it can be used to enable step-up authentication for SPAs with non-conformant browsers (some versions of Safari) and in (potentially insecure) iframes; see #1205; thanks @ryanwilliamnicholls
Bugfixes
- allow overriding defined global configuration primitives to their default value on the individual vhost level
- various fixes to applying default config values and disallowing global/vhost primitives in directory scopes
- apply input/boundary checking on all configuration and multi-provider metadata values
- memcache: correct dead server check on `APR_NOTFOUND`; see #1230; thanks @rpluem-vf
- tighten up the `aud` claim validation for received ID tokens
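The `aud` validation behaviour described in these notes (the tightened check here, and the 2.4.16.5 entries that restore acceptance of `client_id` inside a JSON array and add `OIDCIDTokenAudValues` for an explicit, exhaustive allow-list) can be illustrated with a small validator. This is an added example written for this page, not mod_auth_openidc code; the function names and the exact semantics of the allow-list (every `aud` entry must be listed) are this example's own assumptions.

```python
# Added example (not mod_auth_openidc code): ID token "aud" claim validation.
# Without an allow-list: the RP's client_id must appear in "aud", whether "aud"
# is a plain string or a JSON array of strings (the <2.4.16 behaviour restored
# in 2.4.16.5). With an allow-list (the OIDCIDTokenAudValues idea): every "aud"
# entry must be one of the configured values. Function names are assumptions.
import json


def aud_values(claims):
    """Normalise the "aud" claim to a list of strings; raise on bad types."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("aud claim missing or not a string / array of strings")


def validate_aud(claims, client_id, allowed_values=None):
    """Return True if the ID token audience is acceptable for this RP.

    allowed_values=None  -> accept when client_id is one of the aud values.
    allowed_values=list  -> accept only when ALL aud values are in the list
                            (explicit and exhaustive, as for FAPI 2 testing).
    A malformed aud claim is always rejected rather than ignored.
    """
    try:
        values = aud_values(claims)
    except ValueError:
        return False
    if allowed_values is None:
        return client_id in values
    return all(v in allowed_values for v in values)


# Constructed sample ID token payloads (not real tokens, no signatures).
TOKEN_STRING_AUD = json.loads(
    '{"iss": "https://op.example", "aud": "my-client", "sub": "u1"}')
TOKEN_ARRAY_AUD = json.loads(
    '{"iss": "https://op.example", "aud": ["my-client", "other-api"], "sub": "u1"}')
TOKEN_WRONG_AUD = json.loads(
    '{"iss": "https://op.example", "aud": ["someone-else"], "sub": "u1"}')

if __name__ == "__main__":
    for name, tok in [("string", TOKEN_STRING_AUD), ("array", TOKEN_ARRAY_AUD),
                      ("wrong", TOKEN_WRONG_AUD)]:
        print(name, "lenient:", validate_aud(tok, "my-client"),
              "strict:", validate_aud(tok, "my-client", ["my-client"]))
```

Note the difference on the array token: the lenient check accepts it because `my-client` is present, while an allow-list of only `my-client` rejects it because `other-api` is not listed, which is the point of configuring the accepted values explicitly.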
Other
- version 2.4.1.6 successfully runs against the OpenID Certification test suite for the OIDC RP and FAPI2 RP profiles
- packages for the recent Ubuntu Noble stable release are added to the Assets section below
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, SUSE Linux, Amazon Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.16
superseded by 2.4.16.1 with a bugfix for parsing OIDCXForwardedHeaders, see: #1250
release 2.4.15.7
The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.
Bugfixes
- fix `OIDCUserInfoRefreshInterval` and interpret the interval as seconds, not as microseconds (broken in 2.4.15.6)
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distros, Amazon Linux, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.15.6
The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.
Bugfixes
- use `SameSite=Lax` when `OIDCCookieSameSite` is `On` (also the default since 2.4.15) instead of `Strict`, as overriding from `Lax` to `Strict` does not work reliably anymore (i.e. on Chrome with certain plugins)
- signed_jwks_url: make the `exp` claim optional in signed JWK sets (`OIDCProviderSignedJwksUri`); see #1182; thanks @psteniusubi; ensures interoperability with the OpenID Federation specification
- cache: hash the cache key if it is larger than 512 bytes so large cache key entries (i.e. for JWT tokens) are no longer a problem in unencrypted SHM cache configs, i.e. the default shared memory cache setup; see issues/discussions on "`could not construct cache key since key size is too large`"
- cache: fix debug printout of cache key in `oidc_cache_get` introduced in 2.4.15
- http: fix applying the default HTTP short retry interval setting and use 300ms as default value
- userinfo: fix setting the `exp` claim in userinfo signed JWTs (`exp` would be `now+0`) when no `expires_in` is returned by the OpenID Connect Provider
- userinfo: fix signed JWT caching (if enabled) when the TTL is set to 0 or "" which should apply the `exp` claim as the cache TTL
- refresh: fix for `expires_in` string values returned from the token endpoint that would be interpreted as 0; this fixes using `OIDCRefreshAccessTokenBeforeExpiry` and `OIDCUserInfoRefreshInterval` with (older) Azure AD configs that would result in a token refresh on every request since 2.4.15 or a 401 in 2.4.14.4
- authz: fix evaluation of `Require claim` statements for nested array claims
- authz: properly handle parse errors in `Require claim <name>:<integer>` statements
- fix setting the default PKCE method to `none` in a multi-provider setup
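The cache entry above (hashing keys larger than 512 bytes so that a whole JWT can still be used as a key in a fixed-size shared-memory cache) is easy to get wrong in either direction: refusing the entry loses caching for exactly the tokens that are most expensive to re-validate, while storing the raw key overflows the slot. The following is an added example written for this page, not mod_auth_openidc code; the 512-byte threshold comes from the release note, while the SHA-256 choice, the key format and the toy cache class are this example's assumptions.

```python
# Added example (not mod_auth_openidc code): bounding cache key length for a
# fixed-slot shared-memory cache by hashing oversized keys. The 512-byte limit
# is from the 2.4.15.6 release note; hash algorithm, key layout and the toy
# ShmCache class are this example's own choices.
import hashlib

MAX_RAW_KEY_LEN = 512


def cache_key(section, raw_key, max_len=MAX_RAW_KEY_LEN):
    """Return the key actually stored for (section, raw_key).

    Short keys are stored as-is with a section prefix; keys longer than
    max_len bytes are replaced by a hex SHA-256 digest so the stored length is
    bounded no matter how long the input (e.g. a full JWT) is. The section
    prefix keeps the hashed keys from colliding across cache sections.
    """
    full = f"{section}:{raw_key}"
    if len(full.encode("utf-8")) <= max_len:
        return full
    digest = hashlib.sha256(full.encode("utf-8")).hexdigest()
    return f"{section}:sha256:{digest}"


class ShmCache:
    """Toy dict-backed cache that enforces a bounded key length on every entry.

    A real SHM cache has fixed-size slots; here the check is explicit so the
    failure mode ("key size is too large") is visible instead of a silent
    truncation or overflow.
    """

    def __init__(self, max_key_len=MAX_RAW_KEY_LEN + 80):
        self._store = {}
        self.max_key_len = max_key_len

    def set(self, section, raw_key, value):
        key = cache_key(section, raw_key)
        if len(key.encode("utf-8")) > self.max_key_len:
            raise ValueError(
                "could not construct cache key since key size is too large")
        self._store[key] = value

    def get(self, section, raw_key):
        return self._store.get(cache_key(section, raw_key))


# Constructed sample: a JWT-shaped string far longer than 512 bytes (not a real token).
SAMPLE_LONG_TOKEN = "eyJhbGciOiJSUzI1NiJ9." + "A" * 900 + ".sig"

if __name__ == "__main__":
    cache = ShmCache()
    cache.set("jwt", SAMPLE_LONG_TOKEN, {"sub": "u1"})
    print(cache_key("jwt", SAMPLE_LONG_TOKEN))
    print(cache.get("jwt", SAMPLE_LONG_TOKEN))
```

Because the lookup recomputes the same deterministic key, callers never need to know whether a given entry was hashed, and a one-character change in the token yields a different digest and therefore a cache miss rather than a wrong hit.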
Other
- userinfo refresh: don't try to refresh the access token and retry when a connectivity error has occurred
- logout: don't try to revoke tokens on post-access-token-refresh or post-userinfo-refresh-errors logouts
- (internal) session state: represent timestamps as JSON integers instead of strings, as also returned from the info hook
Features
- signed_jwks_uri: accept verification key set formatted as either JWK or JWKS; see #1191; thanks @psteniusubi
- redis: enable TCP keepalive on Redis connections by default and make it configurable with: `OIDCRedisCacheConnectTimeout <connect-timeout> [0|<keep-alive-interval>]`
- proto: accept strings as well as integers in the `expires_in` claim from the token endpoint to cater for non-spec compliant implementations
- userinfo: accept `0` in `OIDCUserInfoRefreshInterval` which will refresh userinfo on every request
- authz: add support for JSON `real` and `null` value matching in `Require claim` statements
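Several of the 2.4.15.6 entries above (accepting `expires_in` as a string as well as an integer, the `exp` claim of a signed userinfo JWT being `now+0` when `expires_in` is absent, and a 0 or "" TTL meaning "use the `exp` claim") come down to how a token-endpoint response is parsed. The following is an added example written for this page, not mod_auth_openidc code: it shows why treating a string `expires_in` as 0 triggers a refresh on every request, and handles the absent case explicitly. Function names and the fallback TTL are this example's assumptions.

```python
# Added example (not mod_auth_openidc code): parsing "expires_in" from a token
# endpoint response as int or numeric string, and deriving expiry-related
# values from it. The fallback TTL for a missing expires_in and all function
# names are this example's own assumptions.
import json


def parse_expires_in(token_response):
    """Return expires_in as a non-negative int, or None when absent/invalid.

    Accepts a JSON integer or a string of digits (as returned by some older
    Azure AD configurations). Anything else yields None, i.e. "unknown",
    rather than 0: a 0 lifetime would make every request look like the
    token is already expired and trigger a refresh on each request.
    """
    value = token_response.get("expires_in")
    if isinstance(value, bool):          # bool is a subclass of int; reject it
        return None
    if isinstance(value, int):
        return value if value >= 0 else None
    if isinstance(value, str) and value.strip().isdigit():
        return int(value.strip())
    return None


def access_token_expiry(token_response, now):
    """Absolute expiry timestamp of the access token, or None if unknown."""
    exp_in = parse_expires_in(token_response)
    return None if exp_in is None else now + exp_in


def needs_refresh(exp, now, refresh_before):
    """OIDCRefreshAccessTokenBeforeExpiry-style check: refresh inside the window."""
    return exp is not None and exp - now <= refresh_before


def userinfo_exp(now, expires_in, fallback_ttl=3600):
    """exp claim for a signed userinfo JWT: now+expires_in, or now+fallback when absent."""
    return now + (expires_in if expires_in is not None else fallback_ttl)


def userinfo_cache_ttl(configured_ttl, exp, now):
    """Cache TTL for the signed userinfo JWT; 0 or "" means: use the exp claim."""
    if configured_ttl in (0, "", None):
        return max(exp - now, 0)
    return int(configured_ttl)


# Constructed sample token endpoint responses (not real tokens).
RESP_INT = json.loads('{"access_token": "at1", "token_type": "Bearer", "expires_in": 3600}')
RESP_STR = json.loads('{"access_token": "at2", "token_type": "Bearer", "expires_in": "3600"}')
RESP_NONE = json.loads('{"access_token": "at3", "token_type": "Bearer"}')

if __name__ == "__main__":
    now = 1000
    for resp in (RESP_INT, RESP_STR, RESP_NONE):
        exp = access_token_expiry(resp, now)
        print(resp.get("expires_in"), "->", exp, "refresh now?", needs_refresh(exp, now, 60))
```

With the string response parsed correctly, the token is refreshed only when it is within the configured window of its expiry; with the old interpretation (string -> 0) the expiry would equal `now` and `needs_refresh` would be true on every request.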
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distros, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.15.3
The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.
Security
- fix CVE-2024-24814: prevent DoS when `OIDCSessionType client-cookie` is set and a crafted `Cookie` header is supplied; see the advisory; thanks @olipo186
Bugfixes
- rewrite handling of parallel refresh token grant requests
  - temporarily cache the results of the refresh token grant for other (almost) parallel callers
  - fixes handling on the same server, and improves clustered handling through a best-effort distributed cached lock; see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Known-Limitations#parallel-refresh-token-grants
  - improves handling of non-rollover refresh tokens since it avoids superfluous calls to the token endpoint
- avoid crash when `Forwarded` is not present but `OIDCXForwardedHeaders Forwarded` is configured for it; see #1171; thanks @daviddpd
- set Redis default retry interval time to 300 milliseconds (instead of 0.5ms) and make it configurable
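Two entries on this page concern the reverse-proxy headers the module reads to reconstruct the external URL: the 2.4.15.3 crash when `Forwarded` is configured but absent (above), and the 2.4.16.2 resilience fix when both `Forwarded` and `X-Forwarded-*` are configured but only `X-Forwarded-*` arrives. The following is an added example written for this page, not mod_auth_openidc code: it parses an RFC 7239 `Forwarded` header, falls back to `X-Forwarded-Proto`/`X-Forwarded-Host` when the preferred header is missing, and validates the result instead of failing. The function names, the preference order and the validation rules are this example's assumptions.

```python
# Added example (not mod_auth_openidc code): deriving the external scheme and
# host behind a reverse proxy from "Forwarded" (RFC 7239) or the legacy
# "X-Forwarded-*" headers, with graceful fallback when the configured header
# is absent. Function names and the preference order are assumptions.
import re

# key=value pairs inside one Forwarded element; values may be quoted strings.
_FWD_PAIR = re.compile(r'\s*([a-zA-Z]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;,\s]+)')


def parse_forwarded(value):
    """Parse the first element of a Forwarded header into a dict of lowercase keys.

    Only the first comma-separated element (the proxy closest to the client)
    is used; quoted values are unquoted.
    """
    first = value.split(",", 1)[0]
    result = {}
    for key, val in _FWD_PAIR.findall(first):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace('\\"', '"')
        result[key.lower()] = val
    return result


def external_origin(headers, prefer_forwarded=True,
                    default_proto="https", default_host="localhost"):
    """Return (proto, host) as seen by the client.

    Only call this for requests that arrived via your own proxy, which must
    overwrite these headers; otherwise a client can set them itself.
    If prefer_forwarded is set but the header is missing (only X-Forwarded-*
    arrived), fall back to X-Forwarded-* instead of failing.
    """
    h = {k.lower(): v for k, v in headers.items()}
    proto = host = None
    if prefer_forwarded and "forwarded" in h:
        fwd = parse_forwarded(h["forwarded"])
        proto, host = fwd.get("proto"), fwd.get("host")
    if proto is None:
        proto = h.get("x-forwarded-proto", "").split(",")[0].strip() or None
    if host is None:
        host = h.get("x-forwarded-host", "").split(",")[0].strip() or None
    proto = (proto or default_proto).lower()
    host = host or default_host
    # Reject anything that is not a plain scheme and host: these values end up
    # in redirect URIs, so they must not carry paths, spaces or other schemes.
    if proto not in ("http", "https") or not re.fullmatch(r"[A-Za-z0-9.\-\[\]:]+", host):
        raise ValueError("invalid forwarded proto/host")
    return proto, host


# Constructed sample header sets (not captured traffic).
HEADERS_FORWARDED = {"Forwarded": 'for=192.0.2.1;proto=https;host="app.example.com"'}
HEADERS_LEGACY = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "app.example.com"}

if __name__ == "__main__":
    print(external_origin(HEADERS_FORWARDED))
    print(external_origin(HEADERS_LEGACY))   # Forwarded preferred but absent: falls back
```

The fallback path is the one the 2.4.16.2 note describes: a configuration that names both header families keeps working when the proxy only sends the legacy ones, and a missing `Forwarded` header is handled as "not present" rather than dereferenced.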
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distros, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]