Releases: OpenIDC/mod_auth_openidc
release 2.4.15.2
commercial-binaries-only security patch release for CVE-2024-24814
release 2.4.15.1
The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations; the previous behaviour can be restored as described below. Nevertheless it is recommended to update the environment to accommodate the new defaults.
Bugfixes
- fix Prometheus output overlap and re-organize metric/label naming; closes #1161; see #1162 and #1160; thanks @studersi
- fix `OIDCCacheType file` on Windows: use `apr_file_rename()` in the file cache backend instead of `rename()` to fix a Windows file renaming issue; thanks @adg-mh
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distros, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.15
The 2.4.15 release changes a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations; the previous behaviour can be restored as described below. Nevertheless it is recommended to update the environment to accommodate the new defaults.
New Defaults
- use Proof Key for Code Exchange (PKCE, `S256`) by default; disable by configuring `OIDCPKCEMethod none`
- use `SameSite=Strict` cookies by default; disable by configuring `OIDCCookieSameSite Off`
- apply ISO-8859-1 (`latin1`) as the default encoding for claim values passed in headers and environment variables, to comply with https://www.rfc-editor.org/rfc/rfc5987; see #957; use `OIDCPassClaimsAs <any> none` for backwards compatibility
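As an added configuration example (not part of the release notes and not the project's shipped `auth_openidc.conf`): the three 2.4.15 defaults spelled out explicitly, next to the directives that restore the pre-2.4.15 behaviour. The directive names and the `none`/`Off` values are the ones listed above; the `OIDCPKCEMethod S256` spelling and the `both` target for `OIDCPassClaimsAs` are assumed for the example.

```apache
# 2.4.15 defaults, written out; these lines can be omitted since they are the default.
# PKCE S256 binds the authorization code to this RP instance (protects against
# code injection/interception), SameSite=Strict keeps the session cookie off
# cross-site requests, latin1 keeps header values within what RFC 5987 allows.
OIDCPKCEMethod S256
OIDCCookieSameSite Strict
OIDCPassClaimsAs both latin1

# Pre-2.4.15 behaviour, to be enabled only when an existing deployment breaks on
# the new defaults (an OP that rejects code_challenge, a cross-site link into a
# protected resource that must keep the existing session, or downstream code that
# expects raw UTF-8 claim values). Each line weakens the corresponding default above.
# OIDCPKCEMethod none
# OIDCCookieSameSite Off
# OIDCPassClaimsAs both none
```

Of the three, `OIDCCookieSameSite Off` is the one to think about twice: with `Strict`, a top-level navigation from another site into a protected path arrives without the session cookie and triggers a new (normally silent, SSO-backed) authentication round trip, which is the intended trade-off, not a bug.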
Bugfixes
- restore backwards compatibility wrt. allowing parallel refresh token requests by default, and add an option to prevent that (i.e. in case of rolling refresh tokens) using the environment variable `OIDC_PARALLEL_REFRESH_NOT_ALLOWED`
- do not apply `logout_on_error` and `authenticate_on_error` when a parallel refresh token request is detected; see #1132; thanks @esunke
- fix SSL server certificate validation when revoking tokens: apply the `OIDCSSLValidateServer` setting rather than `OIDCOAuthSSLValidateServer` in `oidc_revoke_tokens`; see #1141; thanks @mschmidt72
- make sure the shm cache entry size `OIDCCacheShmEntrySizeMax` is a multiple of 8 bytes; see #1067; thanks @sanzinger
- fix Redis connect retries and make the number of retries configurable through the environment variable `OIDC_REDIS_MAX_TRIES`
Features
- add metrics collection/observability capability with `OIDCMetricsData` and `OIDCMetricsPublish`; see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Observability
- generate or propagate the `traceparent` header on outgoing (and proxied) requests; ties the `parent-id` to the (8-byte hash of) the session or access token when available
- retry failed outgoing HTTP requests and add options to configure the retries in `OIDCHTTPTimeoutLong`/`OIDCHTTPTimeoutShort`
- improve error message in case of curl timeouts
- add capability to seamlessly roll over `OIDCCryptoPassphrase` using a (temporary) 2nd value that holds the previous one
- add `iat` and `exp` claims to request objects; closes #1137
- populate the `User-Agent` header in outgoing HTTP requests with host, port, process-id, mod_auth_openidc, libcurl and OpenSSL version information and log it for debugging purposes
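The `traceparent` feature above is easier to reason about with the header shape in front of you. The following is an added, illustrative implementation of W3C Trace Context generation and propagation; it is not mod_auth_openidc's code. The notes only say the `parent-id` is tied to an 8-byte hash of the session or access token, not which hash: SHA-256 truncated to 8 bytes is an assumption made here, as are the function names and the sample header.

```python
"""W3C Trace Context ``traceparent`` handling, as an added example (not the module's code).

Header shape: version(2 hex)-trace-id(32 hex)-parent-id(16 hex)-flags(2 hex), lowercase.
"""
import hashlib
import re
import secrets

_TRACEPARENT_RE = re.compile(r"^([0-9a-f]{2})-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$")


def parse_traceparent(value):
    """Return (version, trace_id, parent_id, flags), or None if the header is invalid.

    An invalid or missing header must not be propagated; the caller starts a new trace.
    """
    if value is None:
        return None
    m = _TRACEPARENT_RE.match(value.strip())
    if m is None:
        return None
    version, trace_id, parent_id, flags = m.groups()
    # Version "ff" is forbidden by the spec; all-zero ids are invalid.
    if version == "ff" or set(trace_id) == {"0"} or set(parent_id) == {"0"}:
        return None
    return version, trace_id, parent_id, flags


def parent_id_from_token(token):
    """8-byte (16 hex chars) span id derived from a session id or access token.

    Assumption for this example: first 8 bytes of SHA-256 of the token. The same
    session always yields the same parent-id, so a log reader can correlate all
    outgoing calls of one session without the token itself ever being logged.
    """
    return hashlib.sha256(token.encode("utf-8")).digest()[:8].hex()


def outgoing_traceparent(incoming, session_token=None):
    """Build the traceparent for an outgoing or proxied request.

    - valid incoming header: keep trace-id and flags, replace parent-id (propagate)
    - missing/invalid header: start a new trace with a random trace-id (generate)
    - parent-id: hash of the session/access token when available, else random
    """
    parsed = parse_traceparent(incoming)
    if parsed is not None:
        _, trace_id, _, flags = parsed
    else:
        trace_id = secrets.token_hex(16)
        flags = "01"  # sampled
    parent_id = parent_id_from_token(session_token) if session_token else secrets.token_hex(8)
    return f"00-{trace_id}-{parent_id}-{flags}"


if __name__ == "__main__":
    # Constructed sample header (not captured traffic), as a browser or upstream proxy might send it.
    incoming = "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01"
    print(outgoing_traceparent(incoming, session_token="session-abc"))  # same trace-id, new parent-id
    print(outgoing_traceparent("not-a-traceparent"))                     # fresh trace
```

The two behaviours worth checking in a real deployment are the ones the functions separate: a garbage or attacker-supplied `traceparent` is dropped rather than forwarded, and the derived `parent-id` never reveals the session id or access token it was computed from.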
Other
- return HTTP 500 on token refresh errors instead of HTTP 401
- use only the `User-Agent` header as input for the state browser fingerprinting by default (no `X-Forwarded-For`)
- remove obsolete support for Token Binding https://www.rfc-editor.org/rfc/rfc8471.html (id_token, access_token, session cookie)
- use clang-format-17 for code formatting and reformat all code
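The `OIDCCryptoPassphrase` rollover listed under Features above is a two-step change; the following is an added example of that procedure, not text or configuration from the project. What the notes state is that a second value holds the previous passphrase; that the first value is the one used for newly written entries, and the `OIDCSessionInactivityTimeout`/`OIDCSessionMaxDuration` bound on how long the old value must be kept, are assumptions to verify against the installed version's `auth_openidc.conf`.

```apache
# Step 1: introduce the new passphrase as the first value and keep the old one as
# the second. Sessions, state and cache entries encrypted under the old value stay
# readable, so users are not logged out; new entries use the new value.
# Generate the new value with e.g.:  openssl rand -base64 32
OIDCCryptoPassphrase "NEW-random-passphrase-from-openssl-rand" "OLD-passphrase"

# Step 2 (after every entry written under the old passphrase has expired, i.e.
# after OIDCSessionInactivityTimeout / OIDCSessionMaxDuration have elapsed
# following step 1): drop the old value again, leaving only the new one.
# OIDCCryptoPassphrase "NEW-random-passphrase-from-openssl-rand"
```

Do the two steps as two separate reloads; leaving the old passphrase configured indefinitely keeps an extra key that can decrypt sessions, which defeats the purpose of rotating it.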
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distros, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.14.4
Note that as of release 2.4.14 the use of `OIDCHTMLErrorTemplate` is deprecated and one should instead rely on standard Apache error handling capabilities, optionally customized through `ErrorDocument`. The environment variable strings `REDIRECT_OIDC_ERROR` and `REDIRECT_OIDC_ERROR_DESC` are available for display purposes.
Bugfixes
- fix `OIDCRefreshAccessTokenBeforeExpiry` when using it with `logout_on_error` or `authenticate_on_error`; see #1111; thanks @brandonk10
- improve behaviour when parallel refresh token grant requests occur on the same Apache server/host and rolling refresh tokens are issued: synchronize using a global refresh token lock and avoid corrupting the session by storing/overwriting an expired refresh token
- fix memory leak in `oidc_refresh_token_grant`: free the parsed `id_token` if returned from the token endpoint
- avoid potential process-lifetime memory leak when mutex lock/unlock fails
Performance
- store userinfo refresh interval in session to avoid parsing Provider JSON metadata on each request
- fix performance issue with `latin1` encoding when using `OIDCPassClaimsAs <any> latin1` with large claim values
- skip re-validating cached provider metadata
- use process based locking for Redis caching instead of global locking
Features
- add options for authentication to `OIDCOutgoingProxy`; thanks @drzraf; see #1107
- add support for custom preserve/restore POST data templates with `OIDCPreservePostTemplates`, to be used when `OIDCPreservePost` is set to `On`; the hard-coded internal templates are added to the test directory as an example; closes #195 (yeah...); thanks @kerrermanisNL and @spiazzi
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distros, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.14.3
Note that as of release 2.4.14 the use of `OIDCHTMLErrorTemplate` is deprecated and one should instead rely on standard Apache error handling capabilities, optionally customized through `ErrorDocument`. The environment variable strings `REDIRECT_OIDC_ERROR` and `REDIRECT_OIDC_ERROR_DESC` are available for display purposes.
Bugfixes
- fix session updates on userinfo requests; see #1077; this bug was introduced in v2.4.11 with d9fff15; thanks @adenix
Features
- add `OIDCPassAccessToken Off` option to disable (the default of) passing the access token and its expiry in the `OIDC_access_token`/`OIDC_access_token_expires` header/environment variables; thanks @mattias-asander
- allow relative values in `OIDCDefaultURL` and `OIDCDefaultLoggedOutURL`
- support `authenticate_on_error` as 2nd parameter value in `OIDCRefreshAccessTokenBeforeExpiry` to re-authenticate the user when refreshing the access token fails; see: #1084; thanks @xrammit
- add `logout_on_error` and `authenticate_on_error` 2nd parameter option to `OIDCUserInfoRefreshInterval`
- add support for adding extra parameters to the Logout Request to the OP with `OIDCLogoutRequestParams`; see: #1096; thanks @smarsching
Other
- add a sanity `alg`/`enc` check on internal self-encrypted AES GCM JWTs
- increase performance of JQ filtering by caching JQ filtering results; the default cache TTL is 10 min, configured through the environment variable `OIDC_JQ_FILTER_CACHE_TTL`
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.14.2
Note that as of release 2.4.14 the use of `OIDCHTMLErrorTemplate` is deprecated and one should instead rely on standard Apache error handling capabilities, optionally customized through `ErrorDocument`. The environment variable strings `REDIRECT_OIDC_ERROR` and `REDIRECT_OIDC_ERROR_DESC` are available for display purposes.
Bugfixes
- fix `OIDCUnAutzAction auth` step-up authentication, which in 2.4.14.1 would only work with an SSI-enabled `ErrorDocument`, by reverting all `401`/`403`/`302`/step-up behaviour to that of <= 2.4.13.2; this re-introduces the limitation that step-up authentication is restricted to a single `Require` or a `RequireAll` statement
- avoid using encryption keys as signing keys for request objects and `private_key_jwt` token endpoint auth
Features
- add support for the `extend_session=false` query parameter to the info hook, to avoid extending the session on calls to the info hook
Other
- log the first Redis error as a warning before retrying
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.14.1
Note that as of release 2.4.14 the use of `OIDCHTMLErrorTemplate` is deprecated and one should instead rely on standard Apache error handling capabilities, optionally customized through `ErrorDocument`. The environment variable strings `REDIRECT_OIDC_ERROR` and `REDIRECT_OIDC_ERROR_DESC` are available for display purposes.
Bugfixes
- fix `RequireAny` behaviour on 401/403/302: revert 9d6192b for non-step-up authentication cases, as the first non-matching `Require claim` directive would immediately lead to an authorization error instead of continuing to process all `Require` statements to match any of those
- make `OIDCUnAutzAction 302|auth` (i.e. step-up authentication) work with multiple/nested `Require claim` expressions, e.g. using `RequireAny` and `Require not claim`
- fix refreshing claims from the userinfo endpoint when no `id_token` claims are stored in the session because the environment variable `OIDC_DONT_STORE_ID_TOKEN_CLAIMS_IN_SESSION` has been set
- fix memory leak when refreshing claims from the userinfo endpoint
Other
- to make `OIDCUnAutzAction 403` actually return 403 in Apache 2.4 it also needs `AuthzSendForbiddenOnFailure` again, i.e. the fix in 2.4.14 for it was reverted
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.14
Deprecated
`OIDCHTMLErrorTemplate` is now deprecated in favour of standard Apache error handling capabilities; the environment variable strings `REDIRECT_OIDC_ERROR` and `REDIRECT_OIDC_ERROR_DESC` have been made available for use in `ErrorDocument`, see: https://httpd.apache.org/docs/2.4/custom-error.html; backwards compatibility is retained by setting `OIDCHTMLErrorTemplate deprecated`
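An added example of the standard Apache mechanism the deprecation points to (not from the release notes; the paths, file name and `<Location>` are assumed). With a local URL, `ErrorDocument` makes Apache perform an internal redirect to the error page, and, as the linked Apache documentation describes, the original request's environment variables are then available to that page with a `REDIRECT_` prefix, which is where `REDIRECT_OIDC_ERROR` and `REDIRECT_OIDC_ERROR_DESC` come from.

```apache
# Protected application; mod_auth_openidc errors are left to Apache's own error
# handling (OIDCHTMLErrorTemplate is deprecated as of 2.4.14 and not set here).
<Location "/app">
    AuthType openid-connect
    Require valid-user
</Location>

# Local ErrorDocument: Apache internally redirects to the page and exposes the
# original request's variables as REDIRECT_*. The page lives outside /app, so
# rendering it never requires a login (a page under /app would loop).
ErrorDocument 401 /oidc-error.shtml
ErrorDocument 403 /oidc-error.shtml
ErrorDocument 500 /oidc-error.shtml

# The page uses server-side includes to echo the variables; IncludesNOEXEC
# permits #echo but not #exec, which is all an error page needs.
<Location "/oidc-error.shtml">
    Options +IncludesNOEXEC
    AddOutputFilter INCLUDES .shtml
</Location>
```

The body of `/oidc-error.shtml` then displays the values with `<!--#echo var="REDIRECT_OIDC_ERROR" -->` and `<!--#echo var="REDIRECT_OIDC_ERROR_DESC" -->`. Keep the default `entity` encoding of `#echo` (do not set `encoding="none"`): the error description can originate from the OP's response and must not be inserted into the HTML unescaped.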
Bugfixes
- fix session cookie decompression error with `OIDCSessionType client-cookie`; closes #1046; thanks @oss-aimoto
- properly respect the `use` attribute (i.e. `sig` and `enc`) in signing, verification and encryption JWK sets
- don't immediately refresh JWKs from `(signed_)jwks_uri` if `kid` was not set in the JWT header, but look them up in the cache first
- return `HTTP 40<x>` instead of `HTTP 200` on all (authorization) error responses
- make sure `mod_auth_openidc` runs before `mod_proxy` so calls to the redirect URI are never proxied and no separate `<Location>` directive or `ProxyPass` exception for `OIDCRedirectURI` is required (anymore) in proxied configs
- return the OP Discovery page in the content handler phase so regular Apache processing applies to the HTTP/HTML response
- fix memory leak when using JQ-based expressions in `Require claims_expr`
- (reverted as of 2.4.14.1) `OIDCUnAutzAction auth` for step-up authentication now immediately returns a HTTP 302 instead of a HTTP 200 HTML page with a meta refresh tag and a Location header
- (reverted as of 2.4.14.1) fix `OIDCUnAutzAction 403` so it does not rely on `AuthzSendForbiddenOnFailure` to return HTTP 403; see #795
- fix crash when using a multi-provider setup and the Provider has `signed_jwks_uri` set but the conf file does not define `signed_jwks_uri_key`
- correct return value from `oidc_cache_shm_destroy` to avoid misleading `"cache destroy function failed"` error messages
- preserve linefeeds in text areas used with `OIDCPreservePost On`
- add resilience for corrupted discovery metadata and `jwks_uri` cache entries
- cater for libapr/libapr-util version 1.2.x
Features
- use compressed serialized JSON for encrypted state- and session cookies and cache entries, reducing their size; thanks @hihellobolke
- support configuration of dedicated signing and encryption keys in the primitives `OIDCPublicKeyFiles`, `OIDCPrivateKeyFiles`, `OIDCProviderVerifyCertFiles`, `OIDCOAuthVerifySharedKeys` and `OIDCOAuthVerifyCertFiles` by using the prefix `sig:` or `enc:` in the value
- add support for passing on claims resolved from the userinfo endpoint in a JWT signed by `mod_auth_openidc` using `OIDCPassUserInfoAs signed_jwt[:<name>]` with an RSA or Elliptic Curve key
- add `OIDCFilterClaimsExpr` that allows for processing claims before storing them in the session, after applying (optional) blacklisting/whitelisting on the top-level keys; available only when compiled with `libjq` support
- add support for `OIDCUserInfoClaimsExpr` that allows for processing claims returned from the userinfo endpoint with a JQ-based expression before propagating them according to `OIDCPassUserInfoAs claims | json | signed_jwt` (i.e. does not work for `OIDCPassUserInfoAs jwt`); available only when compiled with `libjq` support
- allow `OIDCPassUserInfoAs` and `OIDCPassIDTokenAs` directives in `<Location>`/`<Directory>` contexts; also fixes resetting back to `claims` in vhosts for the latter
- add support for overriding the default header/environment variable names in `OIDCPassUserInfoAs (json|jwt)[:<name>]`
- support calling the refresh token grant before doing RP-initiated logout; may be used to supply a (fresh or non-cached) `id_token_hint` logout request parameter
- add options to avoid revoking tokens before logout, as some OPs may kill their SSO session, which would make the subsequent logout fail
- add support for returning the serialized `id_token` as `id_token_hint` from the info hook
- increase default `OIDCCacheShmMax` setting to 10000
- add `exec` support to `OIDCClientSecret`; see #1056; thanks @sealor
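An added configuration example (not from the release notes and not the project's shipped config) for the dedicated signing/encryption keys introduced above, combined with the `kid#` prefix that the 2.4.13.2 notes further down refer to. The `<use>:<kid>#<file>` ordering of the prefixes, the key ids and the file paths are assumptions for the example; confirm the exact syntax against the `auth_openidc.conf` of the installed version.

```apache
# RP keys with a dedicated purpose each: an RSA pair used only for signing
# (request objects, private_key_jwt client authentication) and an EC pair used
# only for decrypting encrypted id_tokens. The "use" is published together with
# the key on OIDCClientJwksUri, so an OP cannot encrypt to the signing key and
# the module (2.4.14.2 and later) will not sign with the encryption key.
OIDCPrivateKeyFiles sig:rp-sig-2024#/etc/apache2/oidc/rp-sig.key enc:rp-enc-2024#/etc/apache2/oidc/rp-enc.key
OIDCPublicKeyFiles  sig:rp-sig-2024#/etc/apache2/oidc/rp-sig.pem enc:rp-enc-2024#/etc/apache2/oidc/rp-enc.pem

# Statically configured OP key, restricted to signature verification: even if
# the same key material were to show up with another "use", it is not accepted
# for anything but verifying the OP's signatures.
OIDCProviderVerifyCertFiles sig:op-2024#/etc/apache2/oidc/op-sig.pem

# Key ids in the prefixes must match the "kid" the peer puts in the JWT header;
# with distinct kids per purpose a rollover can introduce the new key next to
# the old one before the old one is removed.
```

The point of the `sig:`/`enc:` split is key separation: a key that both signs and decrypts lets a mistake on one side (for instance an OP encrypting to whatever key it finds in the JWKS) turn into a problem on the other, and the separate `use` values close that door at configuration time rather than relying on runtime checks.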
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.13.2
Security
- CVE-2023-28625: prevent core dump when `OIDCStripCookies` is set and a crafted `Cookie` header is supplied; GHSA-f5xw-rvfr-24qr
- fix code scanning alerts from 2 code scanning tools all over the place
Features
- add support for Elliptic Curve signing/encryption keys in addition to RSA keys, i.e. client keys configured in `OIDCPrivateKeyFiles`/`OIDCPublicKeyFiles`, published on `OIDCClientJwksUri` and used in `private_key_jwt` authentication, encrypted `id_token`s and request objects/URIs, but also statically configured provider keys in `OIDCOAuthVerifyCertFiles` and `OIDCProviderVerifyCertFiles`
- record authorization errors in the environment variable `OIDC_AUTHZ_ERROR` so its value can be used in logs, e.g. with HTTP 401 responses in the access log:
  `LogFormat "%h %l %u %t %U %401{OIDC_AUTHZ_ERROR}e %>s %b" combined`
  also log authorization errors with `oidc_debug` instead of `oidc_info`
Bugfixes
- fix omitting the `kid#` prefix in `OIDCPublicKeyFiles`/`OIDCPrivateKeyFiles` and other certificate configuration primitives when linked against OpenSSL <= 1.0.x
- allow `target_link_uri`s without a path in 3rd-party-initiated SSO with a multi-provider setup
- correct cookie path printout in error log when `target_link_uri` does not match `OIDCCookiePath`
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]
release 2.4.13.1
Features
- reduce the size of session and state cookies by about 35% by using `zlib` compression
- add support for OP `signed_jwks_uri` with `OIDCProviderSignedJwksUri <uri> <jwk>`; this allows for explicit configuration of OP verification keys in the way defined by OpenID Connect Federation, without relying on default TLS-based trust
- allow setting minimum and maximum versions of TLS used in HTTPS calls via an environment variable, e.g.:
  `SetEnvIfExpr true "CURLOPT_SSL_OPTIONS=CURL_SSLVERSION_TLSv1_3 CURL_SSLVERSION_MAX_TLSv1_3"`
Bugfixes
- do a sanity check on the individual size of claim values stored in the session, and warn about blacklisting if > 8KB
- avoid (small) memory leak when using OpenSSL 3.x when setting public/private keys (over graceful restarts) in the config and/or importing JWKs with `x5c` specs
- warn about incorrect configurations not setting `OIDCCryptoPassphrase`; see #1030
- use deep-copy and cleanup functions for server and provider configs; fixes overriding server-level keys in vhost configs
Other
- increase maximum allowed size of HTTP responses (e.g. from the token endpoint) to 10MB; see #998; thanks @mikehearn
- don't pull JWKs on `id_token` verification when the `id_token` was signed with a symmetric key
- don't immediately refresh JWKs from `[signed_]jwks_uri` if `kid` was not set in the JWT, but try the cache first
- SHM cache: increase default maximum number of active sessions from 500 to 2000
- SHM cache: allow configuration of max 1MB of session data for a single session
- add optional (compile-time) support for brotli compression of session and state cookies
- move repo to OpenIDC Github organization
Packaging
- added dependency on `zlib` package
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]