forked from OpenIDC/mod_auth_openidc
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ChangeLog
2283 lines (1771 loc) · 77.5 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
04/11/2023
- add caching of signed userinfo JWTs; default cache time is set to the "exp" claim, can be configured/disabled with:
SetEnvIfExpr true "OIDC_USERINFO_SIGNED_JWT_CACHE_TTL=0"
be careful when setting "jti", "nbf", "iat" and" "exp" claims in the OIDCUserInfoClaimsExpr filter since they may
overload the cache with entries per-user/per-timestamp if the result differs from the previous request
- bump to 2.4.14rc5
04/11/2023
- add OIDCFilterClaimsExpr that allows for processing claims in the both the id_token and claims from the
userinfo endpoint before storing them in the session, after applying (optional) blacklisting/whitelisting
on the toplevel keys; only available when compiled/linked with libjq
- fix memory access error using default value for OIDCPassUserInfoAs
- bump to 2.4.14rc4
04/10/2023
- add support for OIDCUserInfoClaimsExpr that allows for processing claims returned from the userinfo
endpoint with a JQ-based expression before propagating them according to OIDCPassUserInfoAs claims|json|signed_jwt
(ie. does not work for "OIDCPassUserInfoAs jwt"), and is only available when compiled/linked with libjq
- allow OIDCPassUserInfoAs directive in Location/Directory contexts
- fix memory leak when using JQ-based expressions in "Require claims_expr"
- bump to 2.4.14rc3
04/09/2023
- make sure mod_auth_openidc runs before mod_proxy so calls to the redirect URI are never proxied
and no separate Location directive or ProxyPass exception for OIDCRedirectURI is required (anymore)
- handle discovery in the content handler so regular Apache processing applies to the HTTP/HTML response
- bump to 2.4.14rc2
04/09/2023
- return 40x instead of 200 on all (authorization) error responses
- correct backwards compatibility with <2.4.14 for state mismatch/timeout handling
- bump to 2.4.14rc1
04/07/2023
- deprecate OIDCHTMLErrorTemplate and rely on standard Apache error handling capabilities by default
environment variable strings REDIRECT_OIDC_ERROR and REDIRECT_OIDC_ERROR_DESC are available in ErrorDocument
backwards compatibility is retained by setting "OIDCHTMLErrorTemplate deprecated"
- bump to 2.4.14rc0
04/07/2023
- add support for passing on claims resolved from the userinfo endpoint in a JWT signed by
mod_auth_openidc using `OIDCPassUserInfoAs signed_jwt[:<name>]` with the keys configured
in OIDCPrivateKeyFiles/OIDCPublicKeyFiles
- add support for overriding the default header/environment variable names in
`OIDCPassUserInfoAs json:<name>` (default: "OIDC_userinfo_json")
and
`OIDCPassUserInfoAs jwt:<name>` (default: "OIDC_userinfo_jwt")
- bump to 2.4.13.3rc3
04/06/2023
- merge client_signing_keys and client_encryption_keys into client_keys
since we detect the usage type correctly now
- bump to 2.4.13.3rc2
04/04/2023
- support configuration of dedicated signing and encryption keys in the primitives:
OIDCPublicKeyFiles, OIDCPrivateKeyFiles, OIDCProviderVerifyCertFiles, OIDCOAuthVerifySharedKeys and OIDCOAuthVerifyCertFiles
by using the prefix "sig:" or "enc:" in the value; using this in OIDCPublicKeyFiles also
publishes separate "use: sig" and/or "use: enc" keys on the client jwks_uri <redirect_uri>?jwks=rsa
- fix: don't immediately refresh of JWKs from (signed)_jwks_uri if "kid" was not set in JWT, but try the cache first
- fix: properly respect "use" attribute (sig/enc) in signing, verification and encryption
- bump to 2.4.13.3rc1
04/03/2023
- generate Elliptic Curve "kid" using curve identifier with htonl in network byte order
so "make check" works on big endian platforms
- include openssl/err.h in config.c to avoid compiler warning with OpenSSL 1.0.x
- bump to 2.4.13.3rc0
04/03/2023
- release 2.4.13.2
04/01/2023
- allow target_link_uri's without a path in 3rd-party-init SSO with a multi-provider setup
- correct error log in target_link_uri matching
03/28/2023
- CVE-2023-28625: prevent core dump when OIDCStripCookies is set and a crafted Cookie header is supplied
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-f5xw-rvfr-24qr
- replace apr_strnatcmp/strcmp with _oidc_strcmp and replace strncmp with _oidc_strncmp
- handle OpenSSL initialization in new oidc_pre_config_init function:
this allows omitting "kid" in OIDCPublicKeyFiles (ao.) when linked against OpenSSL 1.0.x
03/27/2023
- fix code scanning alerts
- bump to 2.4.13.2rc2
03/24/2023
- add support for Elliptic Curve signing/encryption keys in addtion to RSA keys,
i.e. client keys configured in OIDCPrivateKeyFiles/OIDCPublicKeyFiles, published on OIDCClientJwksUri
and used in private_key_jwt authentication, encrypted id_token's, request objects/uri's,
but also statically configured provider keys in OIDCOAuthVerifyCertFiles and OIDCProviderVerifyCertFiles
- refactor Docker tests make targets; add test/Makefile
- bump to 2.4.13.2rc1
03/24/2023
- record authorization errors in environment variable OIDC_AUTHZ_ERROR
so its value can be used in logs e.g. with HTTP 401 responses:
LogFormat "%h %l %u %t %U %401{OIDC_AUTHZ_ERROR}e %>s %b" combined
- log authorization errors with oidc_debug instead of oidc_info
- bump to 2.4.13.2rc0
03/10/2023
- fix oidc_jwk_list_copy and usage of OIDCProviderVerifyCertFiles
- release 2.4.13.1
03/10/2023
- shm cache: increase default maximum number of active sessions from 500 to 2000
- shm cache: allow configuration of max 1Mb of session data for a single session
- use deep-copy and cleanup functions for server and provider configs; fixes overriding server-level keys in vhost configs
- release 2.4.13
03/09/2023
- add support for OP "signed_jwks_uri" with "OIDCProviderSignedJwksUri <uri> <jwk>"
- don't pull JWKs when the id_token was signed with a symmetric key
- don't immediately refresh of JWKs from (signed)_jwks_uri if "kid" was not set in JWT, but try the cache first
- warn about incorrect configurations not setting OIDCCryptoPassphrase; see https://github.com/OpenIDC/mod_auth_openidc/discussions/1030
- bump to 2.4.13rc5
03/08/2023
- move repo to OpenIDC github organization
03/02/2023
- allow setting minumum and maximum versions of TLS used in HTTPs calls via libcurl environment
variable CURLOPT_SSL_OPTIONS e.g.:
SetEnvIfExpr true "CURLOPT_SSL_OPTIONS=CURL_SSLVERSION_TLSv1_3 CURL_SSLVERSION_MAX_TLSv1_3" ; bump to 2.4.13rc3
- bump to 2.4.13rc3
03/01/2023
- revert accidentally removed libbrotli code in jose.c
- bump to 2.4.13rc2
02/19/2023
- add optional - compilation time support - for brotli compression of session and state cookies
02/17/2023
- avoid (small) memory leak when using OpenSSL 3.x when setting public/private keys
(over graceful restarts) in the config and/or importing JWKs with x5c specs
- compress session and state cookies; add zlib as a dependency
- bump to 2.4.13rc0
01/27/2023
- increase maximum allowed size of HTTP responses (e.g. from token endpoint) to 10Mb; see #998; thanks @mikehearn
- do a sanity check on the individual size of claim values stored in the session, warn about blacklisting if > 8Kb
- bump to 2.4.12.4rc2
01/23/2023
- release 2.4.12.3
01/20/2023
- add OIDCProviderVerifyCertFiles option to statically configure ID token validation keys; see #989; thanks @madsfreek
- fix bug in OIDCOAuthVerifyCertFiles where cert(s) would be cast to apr_hash_t instead of apr_array_header_t; see #990; thanks @bommo1
- bump to 2.4.12.3rc0
12/28/2022
- update sample/test Dockerfile to Ubuntu Jammy
12/13/2022
- CVE-2022-23527: prevent open redirect in default setup when OIDCRedirectURLsAllowed is not configured
see: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53
- release 2.4.12.2
12/08/2022
- simplify redis context code
- bump to 2.4.12.2rc1
11/18/2022
- allow overriding the type of lock used at compile time with OIDC_LOCK
- bump to 2.4.12.2rc0
11/15/2022
- release 2.4.12.1
11/13/2022
- switch to using apr_generate_random_bytes instead of apr_uuid_get to generate session identifiers
so there's no longer a (rather implicit) dependency on a libapr that is compiled againt libuuid
on Linux platforms; see #431, #603 and #694; thanks @amitnarang28
- cache file backend fix: delete the correct file upon logout; closes #955; thanks @damisanet
- bump to 2.4.12.1rc5
11/08/2022
- add option to use ISO-8859-1 encoding for propagated claim values by adding
"latin1" option to OIDCPassClaimsAs <> latin1; see #957; thanks @nvchaudhari1991
Note that the encoding - including the existing "base64url" - apply to both header and
environment variables as well now.
- bump to 2.4.12.1rc4
10/26/2022
- OIDCProviderMetadataRefreshInterval was interpreted in microseconds instead
of the documented and intended seconds; setting in to seconds would effectively
turn of caching and pull the configuration document on each request
- bump to 2.4.12.1rc3
10/25/2022
- define APLOG_TRACE1 if it does not exist
- bump to 2.4.12.1rc2
10/20/2022
- CI: add memory and semaphore checks on various distro's
- correct ap_hook_insert_filter function signature in stub.c, part 3; see #784
- fix printout of cache mutex errors in cache/common.c
- prefer APR_LOCK_POSIXSEM over APR_LOCK_DEFAULT in apr_global_mutex_create
which is apparently required for (some) ARM based builds (and CI)
- bump to 2.4.12.1rc1
- fix potential memory leak in proto.c when oidc_util_create_symmetric_key fails
- fix potential memory leak in proto.c when oidc_proto_validate_access_token fails (at_hash validation)
10/19/2022
- fix cleanup of semaphores on graceful restarts; see #522, closes #458
simplify mutex/shm cleanup without semaphores because we track the parent process anyway;
- bump to 2.4.12.1rc0
10/17/2022
- release 2.4.12
10/15/2022
- add option to set a username for Redis authentication via OIDCRedisCacheUsername
- bump to 2.4.11.4rc7
10/14/2022
- set minimum number of default memcache threads to 0 to retain backwards compatibility
see #916
- support OIDCSessionInactivityTimeout values greater than 30 days when using Memcache
see #936, thanks @takesson
- bump to 2.4.11.4rc6
10/03/2022
- add -fPIC to test and test-cmd compilation; see #925
- bump to 2.4.11.4rc5
09/23/2022
- allow for step-up discovery with an external URL using HTML refresh
fixes behaviour on CentOS 7/8 when combined with ProxyPass
- bump to 2.4.11.4rc4
09/12/2022
- add options to retrieve the configuration document only or pull keys from the JWKS URI;
for certification purposes
- check ID token signed response algorithm on backchannel logout_token and retrieve its
configuration value from the client metadata file; for certification purposes
- register request_object_signing_alg in dynamic client registration when using request_uri;
for certification purposes
- bump to 2.4.11.4rc3
09/08/2022
- store access token obtained from backchannel in session over the one returned
in the frontchannel for "code token" and "code id_token token" flows; for
certification purposes
- apply exact length matching for at_hash and c_hash validation; for certification purposes
- increase size of the output buffer when using libpcre2 for substitution; closes #915
- bump to 2.4.11.4rc2
- allow setting connection pool parameters for Memcache server connections;
see #916; thanks @rpluem-vf
08/24/2022
- avoid using $< in Makefile
- allow storing the id_token in a client-cookie based session; see #812 and #888
- bump to 2.4.11.4rc1
08/22/2022
- add oidc_util_strcasestr
- bump to 2.4.11.4rc0
08/22/2022
- release 2.4.11.3
08/15/2022
- avoid memory leak when using PCRE2 regular expressions with array matching; closes #902; thanks @smanolache
- avoid memory leak when cjose_jws_get_plaintext fails; closes #903; thanks @smanolache
- bump to 2.4.11.3rc4
05/20/2022
- fix handling of IPv6 based logout URLs; thanks @@codemaker219
- bump to 2.4.11.3rc1
05/16/2022
- Use optionally provided sid and iss request parameters during front channel
logout; see #855; thanks @rpluem-vf
05/06/2022
- support Forwarded header in addition to X-Forwarded-*; see #853; thanks @studersi
- bump to 2.4.11.3rc0
05/05/2022
- release 2.4.11.2
05/04/2022
- add support for Apache expressions in OIDCPathAuthRequestParams and OIDCPathScope; see #594
- bump to 2.4.11.2rc2
04/22/2022
- add no Cache-Control headers to logout request response; see #846; thanks @blackwhiser1
- bump to 2.4.11.2rc1
04/06/2022
- don't strip the header from encrypted JWTs as future versions of cjose may use compact
encoding for JWEs; this slightly increases state cookie size, by-value session cookies
and encrypted cache contents again at the benefit of forward cjose compatibility
- bump to 2.4.11.2rc0
03/29/2022
- release 2.4.11.1
03/28/2022
- correct registration_endpoint_json naming in auth_openidc.conf documentation
03/21/2022
- fix OIDCUnAuthAction pass, see #790
- bump to 2.4.11.1rc5
03/18/2022
- fix make check; add @smanolache to the AUTHORS file
- bump to 2.4.11.1rc4
03/17/2022
- fix memory leaks over graceful restarts: use s->process->pconf pool instead of
the s->process->pool in oidc_slog and oidc_cache_shm_cfg_create
closes #823 and #824; thanks @smanolache
03/14/2022
- fix temporary cache file naming; see #777
03/08/2022
- fix a 2nd race condition in the file cache backend; see #777; thanks @dbakker and @blackwhiser1
- bump to 2.4.11.1rc3
03/04/2022
- add support for OpenSSL 3.0
- remove test-cmd jwk2cert command
- bump to 2.4.11.1rc2
02/28/2022
- add a check to make sure URLs do not contain unencoded Unicode characters; see #796; thanks @cnico
- bump to 2.4.11.1rc1
02/27/2022
- document Apache 2.4 behavior on OIDCUnAuthzAction 403; see #795; thanks @candlerb
02/04/2022
- correct ap_hook_insert_filter function signature in stub.c, part 2; closes #784; thanks @stroeder
02/03/2022
- add Valgrind Github action
- warn about mismatch between incoming X-Forwarded-* headers and OIDCXForwardedHeaders configuration
- avoid using %llu print formatter and switch to %lu for unsigned long so it works cross platform
- bump to 2.4.11.1rc0
01/26/2022
- improve handling session duration expiry when combined with OIDCUnAuthAction or Discovery
also clear r->user in oidc_session_kill for such cases; see #778
- release 2.4.11
01/24/2022
- fix race condition in file cache backend reading truncated files under load; see #777; thanks @dbakker
- bump to 2.4.11rc7
01/23/2022
- fix regular expressions in Require statements
- bump to 2.4.11rc6
01/22/2022
- no longer defer Discovery to the content handler to allow RequireAll and Require not directives
see #770; closes #775; thanks @rajeevn1
- bump to 2.4.11rc5
01/17/2022
- terminate on startup when the crypto passphrase generated by "exec:" is empty; see #767
- bump to 2.4.11rc4
01/15/2022
- correct printout of session id and remote user tuple for new sessions
- avoid debug printout of payload as header when the latter is stripped
01/14/2022
- fix: avoid crash when using pcre2 for claims matching: don't pass NULL for errorstr
- add administrative session revocation capability <redirect_uri>?revoke_session=<uuid>
- bump to 2.4.11rc3
01/12/2022
- add AM_PROG_CC_C_O to configure.ac (at least for RHEL 7.7); see #765; thanks @bitmagewb
- include <openssl/bn.h> in jose.c to compile with OpenSSL 1.0.x
- fix parameters to get_current_url in oidc_handle_unauthorized_user22
- bump to 2.4.11rc2
01/06/2022
- improve detection of suspicious redirect URLs; add test list
- bump to 2.4.11rc1
12/24/2021
- make interpretation of X-Forwarded-* headers configurable, defaulting to none
so mod_auth_openidc running behind a reverse proxy that sets X-Forwarded-* headers
needs explicit configuration of OIDCXForwardedHeaders
- bump to 2.4.11rc0
12/21/2021
- add "x5t" to JWT header in private_key_jwt client assertions; for interop with Azure AD
- add CI Github workflow over Travis
- bump to 2.4.10.1rc4
12/16/2021
- make X-Frame-Options header returned on OIDC front-channel logout requests configurable
through OIDCLogoutXFrameOptions; closes #464
- bump to 2.4.10.1rc3
12/15/2021
- remove typedef for oidc_pcre to avoid compiler errors
12/02/2021
- add support for libpcre2; see #740
- bump to 2.4.10.1rc2
12/01/2021
- allow authorization on info requests, see #746
- bump to 2.4.10rc1
11/28/2021
- install taking into account DESTDIR; see #674; thanks @alerque
11/11/2021
- correct ap_hook_insert_filter function signature in stub.c; closes #732; thanks @stroeder
- bump to 2.4.10.1rc0
11/10/2021
- release 2.4.10
11/03/2021
- add redirect/text options to OIDCUnAutzAction; see #715; thanks @chrisinmtown
- bump to 2.4.10rc1
11/02/2021
- add check for Sec-Fetch-Dest header != "document" value to auto-detect requests that are not
capable of handling an authentication round trip to the Provider;
see https://github.com/zmartzone/mod_auth_openidc/discussions/714; thanks @studersi
- bump to 2.4.10rc0
10/28/2021
- use apxs to link the module in Makefile.am
- bump to 2.4.9.5rc8
10/27/2021
- fix regexp substition crash using OIDCRemoteUserClaim; thanks @nneul; closes #720
- backport ap_get_exec_line, supporting the "exec:" option in OIDCCryptoPassphrase
- add check for Sec-Fetch-Mode header != "navigate" value to auto-detect XML HTTP Requests
- bump to 2.4.9.5rc7
10/22/2021
- complete usage of autoconf/automake; see #674
- bump to 2.4.9.5rc4
10/20/2021
- fix parallel builds (on Debian) for now
- bump to 2.4.9.5rc1
10/19/2021
- log require claims failure on info level
- bump to 2.4.9.5rc0
09/09/2021
- fix memory leak when parsing JWT access token fails (in RS mode)
09/07/2021
- reorganize Redis code for extensibility
09/03/2021
- return HTTP 200 for OPTIONS requests in auth-openidc mixed mode
- don't apply claims based authorization for OPTIONS requests
so paths protected with Require claim directives will now also
return HTTP 200 for OPTIONS requests
- fix typo in 2.2 authorization routine
09/03/2021
- don't apply authz in discovery process; fixes 2.4.9.3
- apply OIDCRedirectURLsAllowed setting to target_link_uri; closes #672; thanks @Meheni
- release 2.4.9.4
08/26/2021
- don't apply authz to the redirect URI; fixes ac5686495a51bc93e257e42bfdc9c9c46252feb1
- bump to 2.4.9.3
08/20/2021
- fix graceful restart (regression); see #458; thanks @Foxite
- bump to 2.4.9.2
08/18/2021
- preserve session cookie in the event of a cache backend failure
- update the id_token in the session cache if one is provided while refreshing the access token
08/13/2021
- fix retried Redis commands after a reconnect; thanks @iainh
- release 2.4.9.1
07/22/2021
- use redisvCommand to avoid crash with crafted key when using Redis without encryption; thanks @thomas-chauchefoin-sonarsource
- replace potentially harmful backslashes with forward slashes when validating redirection URLs; thanks @thomas-chauchefoin-sonarsource
- release 2.4.9
- don't use DEFAULT_LIMIT_REQUEST_LINE constant; since it does not exist in Apache 2.2.x
07/15/2021
- verify that "alg" is not none in logout_token explicitly
- make session not found on backchannel logout produce a log warning instead of error
- don't clear POST params authn on token revocation; thanks @iainh
- bump to 2.4.9rc0
07/02/2021
- handle discovery in the content handler
- return OK in the content handler for calls to the redirect URI and when preserving POST data
06/25/2021
- avoid XSS vulnerability when using OIDCPreservePost On and supplying URLs that contain single quotes
thanks @oss-aimoto
06/21/2021
- strip A256GCM JWT header from encrypted JWTS used for state cookies, cache encryption and by-value session cookies
resulting in smaller cookies and reduced cache content size
06/10/2021
- use encrypted JWTs for storing encrypted cache contents and avoid using static AAD/IV; thanks @niebardzo
- bump to 2.4.9-dev
06/04/2021
- fix a problem where the host and port are calculated incorrectly, when you use literal ipv6 address.
06/02/2021
- do not send state timeout HTML document when OIDCDefaultURL is set; this can be overridden by using e.g.:
SetEnvIfExpr true OIDC_NO_DEFAULT_URL_ON_STATE_TIMEOUT=true
- release 2.4.8.4
06/01/2021
- avoid Apache 2.4 appending 400/302(200/404) HTML document text to state timeout HTML info page
see also f5959d767b0eec4856d561cbaa6d2262a52da551 and #484; at least Debian Buster was affected
- release 2.4.8.3
05/18/2021
- make error "session corrupted: no issuer found in session" a warning only so a logout call for a
non-existing session no longer produces error messages
05/08/2021
- store timestamps in session in seconds to avoid string conversion problems on some (libapr-1)
platform build/run combinations, causing "maximum session duration exceeded" errors
- bump to 2.4.8.2
05/07/2021
- add OIDCClientTokenEndpointKeyPassword option to allow the use of an encrypted private key
- release 2.4.8.1
04/30/2021
- fix potential crash when Content-Type is not set in POST requests; thanks Tatsuhiko Yasumatsu of JPCERT/CC
- release 2.4.8
04/21/2021
- on OAuth 2.0 RS token scope/claim 401 error, add environment variable for usage with mod_headers,
instead of adding a header ourselves; see #572; usage, e.g;
Header always append WWW-Authenticate %{OIDC_OAUTH_BEARER_SCOPE_ERROR}e "expr=(%{REQUEST_STATUS} == 401) && (-n reqenv('OIDC_OAUTH_BEARER_SCOPE_ERROR'))"
- bump to 2.4.8-dev
04/13/2021
- add OIDCRedisCacheConnectTimeout and OIDCRedisCacheTimeout options to configure Redis timeouts
- bump to 2.4.7.2
04/12/2021
- fix memory leaks when caching fails
- bump to 2.4.7.1
04/04/2021
- improve documentation on OIDCPreservePost
- release 2.4.7
04/01/2021
- bump to 2.4.7rc1
02/16/2021
- remove session from cache before clearing it.
02/12/2021
- add maximum session lifetime (exp), inactivity timeout (timeout) and remote_user to OIDCInfoHook
- bump to 2.4.7-dev
02/08/2021
- return 400 instead of 500 when state cookie matching fails
- release 2.4.6
02/03/2021
- avoid displaying the client_secret in debug logs
01/28/2021
- avoid segmentation fault when hitting an endpoint configured with AuthType openid-connect
in an OAuth 2.0 only setup; see #529
01/23/2021
- fix semaphore cleanup on graceful restarts; see #522
01/12/2021
- fix inconsistent public/private keys loading order; closes #515
12/17/2020
- remove support for https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state
12/10/2020
- add "base64url" option to OIDCPassClaimsAs primitive; closes #417
12/09/2020
- add Redis database selection option with OIDCRedisCacheDatabase; closes #423
- optimize Redis AUTH execution once per connection
12/07/2020
- don't set SameSite=None on cookies when on plain http
12/03/2020
- add environment variable to control libcURL CURLOPT_SSL_OPTIONS behaviors
e.g.: SetEnvIfExpr true CURLOPT_SSL_OPTIONS=CURLSSLOPT_NO_REVOKE
11/23/2020
- release 2.4.5
- make sure the module compiles with Apache 2.2 for passphrase exec:
- bump to 2.4.6-dev
11/19/2020
- ensure that "sub" is returned from the userinfo endpoint following https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
prevents potential ID spoofing; thanks Christian Fries of Ruhr-University Bochum
- don't printout JSON errors about NULL characters in error log; thanks Christian Fries of Ruhr-University Bochum
- restrict printout of JSON parsing errors to 4096 bytes; thanks Christian Fries of Ruhr-University Bochum
- bump to 2.4.5rc6
11/5/2020
- fix content processing for info and JWKs handler so mod_headers etc. works; closes #497
- bump to 2.4.5rc5
11/2/2020
- improve sanity checking on Redis reply
- bump to 2.4.5rc4
10/30/2020
- disable caching token introspection results by setting OIDCOAuthTokenIntrospectionInterval to -1; thanks @wadahiro
- bump to 2.4.5rc3
10/27/2020
- config check on OIDCCryptoPassphrase in OAuth 2.0 RS setup with cache encryption enabled
- bump to 2.4.5rc2
10/22/2020
- hash define expression option to OIDCUnAuthAction so it compiles for Apache 2.2; fixes 1461634
- bump to 2.4.5rc1
- add exec support to OIDCCryptoPassphrase
10/19/2020
- delete stale session cookies that aren't in the cache
- allow OIDCDiscoverURL to be a relative URL
10/08/2020
- add OIDCCABundlePath for configuring path to curl CA bundle
09/22/2020
- avoid Apache 2.4 appending 401 HTML document text to step-up authentication HTML refresh page; closes #484
- bump to 2.4.5rc0
09/21/2020
- populate AUTH_TYPE when performing authentication; thanks @spanglerco
09/19/2020
- enable authentication of sub-requests when the main request doesn't require
authentication; thanks @spanglerco
09/03/2020
- add SameSite attribute on cookie clearance / logout; thanks @v0gler
- bump to 2.4.4.1
09/01/2020
- forward port Tufin patches
- always set session cookie same site policy to Lax
- disable cookie domain check
- unset host headers for metadata URL retrieval
- bump to 2.4.4-tufin
09/01/2020
- avoid GCC 9 compiler warnings
- release 2.4.4
08/28/2020
- allow Content-Type check on backchannel logout to have postfixes (utf-8 etc)
- terminate backchannel logout with DONE instead of OK to avoid authz error 500
- bump to 2.4.4rc8
08/18/2020
- add recommended cache headers on backchannel logout response
https://openid.net/specs/openid-connect-backchannel-1_0.html#rfc.section.2.8
- bump to 2.4.4rc7
08/10/2020
- add new OIDCStateCookiePrefix primitive for the state cookie prefix
08/01/2020
- add conditional expression to OIDCUnAuthAction; see #479; thanks @raro42 and @marcstern
- bump to 2.4.4rc6
07/31/2020
- reverse order of creating HTML response and adding session cookie; thanks @deisser
- bump to 2.4.4rc5
07/30/2020
- fix doubled Set-Cookie behaviour when using `client-cookie`, calling the session info hook
and writing out a session update (twice); thanks @deisser
- bump to 2.4.4rc4
07/27/2020
- prevent XSS and open redirect on OIDC session managemement OP iframe with OIDCRedirectURLsAllowed
thanks Andrew Brady
- bump to 2.4.4rc3
07/22/2020
- delete state cookie when it cannot be decoded/decrypted
- bump to 2.4.4rc2
07/03/2020
- fix for loop initial declarations to not require c99 for compilation (RHEL 6)
- add ap_expr.h include in stub.c (RHEL 6)
- bump to 2.4.4rc1
06/30/2020
- add grant_types to dynamic client registration request
- don't send access_token in user info request when method is set to POST; conform OIDC test suite 4.0.5
- bump to 2.4.4rc0
06/10/2020
- prevent open redirect on refresh token requests
add new OIDCRedirectURLsAllowed primitive to handle post logout and refresh-return-to validation
addresses #453; closes #466
- release 2.4.3
06/09/2020
- fix complex expressions crash when compiled from source with libjq; closes #472
thanks vincentscharf0803
introduced by OIDCStateInputHeaders addition in 2.4.3rc0
- bump to 2.4.3rc1
05/11/2020
- added OIDCValidateIssuer to allow for disabling of issuer matching. helps to support multi-tenant applications.
05/02/2020
- when stripping cookies, add a space between cookies in the resulting header (required by RFC 6265)
- move oidc_parse_config inside MODULE_MAGIC_NUMBER_MAJOR to make sure the module compiles with Apache 2.0
04/25/2020
- add OIDCStateInputHeaders that allows configuring the header values used to calculate the fingerprint of the state during authentication
- bump to 2.4.3rc0
03/25/2020
- oops: fix json_deep_copy of claims
- release 2.4.2.1
03/24/2020
- fix memory leak in OAuth 2.0 JWT validation; closes #470; thanks Conrad Thukral
- fix configured private/public key cleanup on process exit
03/21/2020
- allow for expressions in Require statements, see #469; thanks @wwaaron
also see: https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization#expressions-in-require-statements
- bump to 2.4.2rc5
03/19/2020
- always refresh keys from jwks_uri when there is no kid in the JWT header
- bump to 2.4.2rc4
03/15/2020
- destroy shared memory segments only in parent process; see #458
- bump to 2.4.2rc3
03/10/2020
- fix memory leaks introduced by #457
- bump to 2.4.2rc2
02/19/2020
- if content was already returned via html/http send then don't return 500
but send 200 to avoid extraneous internal error document text to be sent
on some Apache 2.4.x versions e.g. CentOS 7
- bump to 2.4.2rc1
02/03/2020
- if OIDCPublicKeyFiles contains a certificate, the corresponding x5c, x5t and x5t#256
parameters will be added to the generated jwkset available at "<redirect_uri>?jwks=rsa"
thanks @absynth76
- fix: also add SameSite=None to by-value session cookies
- bump to 2.4.2rc0
01/30/2020
- try to fix graceful restart crash; see #458
- release 2.4.1
01/29/2020
- always add a SameSite value to the Set-Cookie header to satisfy upcoming Chrome/Firefox changes
this can be overridden by using, e.g.:
SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
- release 2.4.1rc6
01/22/2020
- URL encode logout url in session management JS; thanks Paolo Battino
- bump to 2.4.1rc5
01/15/2020
- add value of OIDC_SET_COOKIE_APPEND env var to Set-Cookie headers
useful for handling changing/upcoming SameSite behaviors across different browsers, e.g.:
SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=SameSite=None
- bump to 2.4.1rc4
01/08/2020
- support 407 option on OIDCUnAuthAction
12/09/2019
- fix parsing of values from metadata files when the default is non-NULL (e.g. UNSET)
- enforce OIDCIDTokenSignedResponseAlg and OIDCUserInfoSignedResponseAlg; see #435
- bump to 2.4.1rc2
- support login with OIDC session management; address #456
- bump to 2.4.1rc3
12/05/2019
- add the possibility to use a public key instead of a certificate for OIDCPublicKeyFiles parameter
- added an alpine dockerfile =~ 20MB container size
12/04/2019
- return 200 OK for backchannel logout if session not found
- bump to 2.4.1rc1
11/19/2019
- make cleaning of expired state cookies log with a warning rather than an error; thanks Pavel Drobov
- bump to 2.4.1rc0
10/03/2019
- improve validation of the post-logout URL parameter on logout; thanks AIMOTO Norihito; closes #449
- release 2.4.0.3
- clear any existing chunked cookies when setting a non-chunked cookie; prevents login loops in some scenarios
08/28/2019
- fixes #447 #441 : changed storing POST params from localStorage to
sessionStorage due to some issue of losing data in localStorage in Firefox
(private mode)
08/22/2019
- release 2.4.0
08/16/2019
- revert 3d95b4a3fbc493c6acc745626ac33143eb4968bf: don't return early from the content handler
08/15/2019
- be smart about picking the token endpoint authentication method when not configured explicitly:
don't choose the first one published by the OP but prefer client_secret_basic if that is listed as well
see: panva/node-oidc-provider#514; thanks @richard-drummond and @panva
- bump to 2.4.0rc24
08/12/2019
- fix not clearing claims in session when setting claims to null; closes #445; thanks @FilipVujicic
08/12/2019
- fix JWT decryption crashing on non-null terminated input
- bump to 2.4.0rc23
08/09/2019
- add logout_on_error option to OIDCRefreshAccessTokenBeforeExpiry to kill the session when
refreshing an access token fails; thanks @rickyepoderi
- bump to 2.4.0rc22
08/08/2019
- no longer use the fixup handler for environment variable setting but do it as part of the authn handler
- bump to 2.4.0rc21
08/04/2019
- avoid decoding non-form-encoded POST data; closes #443
- bump to 2.4.0rc20
08/02/2019
- return DONE from the content handler early to prevent triggering other content handlers
- fix `OIDCOAuthAcceptTokenAs post` so POST data is propagated and not lost; see #443
- bump to 2.4.0rc19
07/10/2019
- fix RSA JWK "x5c" parsing issue (e.g. when parsing "n" fails): explicitly set the "kid" into to JWK
- bump to 2.4.0rc18
06/19/2019
- fix regression bug that includes a HTTP 500 message after rendering content
- bump to 2.4.0rc17
06/14/2019
- fix regression bug when no per-provider keys have been configured and private_key_jwt is used
- bump to 2.4.0rc15
06/06/2019
- use per-provider signing keys in private_key_jwt authentication towards token endpoint
- bump to 2.4.0rc14
06/05/2019
- avoid passing empty key set for JWT decryption (solve but introduced in 2.4.0rc12)
- bump to 2.4.0rc13
06/03/2019
- enable per-provider signing and encryption keys; limitations:
- for request object signing and id_token decryption only
- take the first configured key, no kid specification
- no publishing of key information on client endpoints
- no userinfo JWT decryption
- no composite claims decryption
- no backchannel logout with encrypted logout token (inherent)
- bump to 2.4.0rc12
05/31/2019
- make sure the content handler is called for every request to the configured Redirect URI so all
Apache processing is executed (e.g. setting headers with mod_headers) before returning the response
thanks Don Sengpiehl (NB: this may affect browser behavior and backwards compatibility)
- add ability to view session info in HTML via the session info hook: <redirect_uri)?info=html
- bump to 2.4.0rc11
05/24/2019
- fix oidc_proto_html_post auto-post-submit so it no longer results in duplicate parentheses
closes #440; thanks @gobreak
- bump to 2.4.0rc10
05/21/2019
- log the original URL for expired state cookies, useful for debugging SPA/JS issues
05/17/2019
- allow removing an access token from the cache ("remove_at_cache") when running in OAuth 2.0 RS mode only
- support refresh and access tokens revocation from an RFC 7009 endpoint upon OIDC session logout
- bump to 2.4.0rc9
05/03/2019
- fix (cached) parsing of OIDCOAuthServerMetadataURL; thanks Lance Fannin
- bump to 2.4.0rc5
05/02/2019
- correct caching for OIDCOAuthServerMetadataURL
- bump to 2.4.0rc4
04/21/2019
- remove option to skip scrubbing request headers (thus avoiding potentionally insecure setups)
- bump to 2.4.0rc3
04/19/2019
- add USE_URANDOM compile time option to use /dev/urandom explicitly for non-blocking random number generation
configure with APXS2_OPTS="-DUSE_URANDOM"
- bump to 2.4.0rc2
04/15/2019
- add debug logs in oidc_proto_generate_random_string
- URL-encode client_id/client_secret when using client_secret_basic according to: https://tools.ietf.org/html/rfc6749#section-2.3.1
- bump to 2.4.0rc1
04/09/2019
- deprecate the OAuth 2.0 Resource Server functionality
- bump to 2.4.0rc0
03/13/2019
- release 2.3.11
02/26/2019
- add session expiry to session info hook response (and change inactivity timeout key)
- bump to 2.3.11rc2
02/25/2019
- add option to dynamically pass query parameters to the authorization request; closes #401
- bump to 2.3.11rc1
01/31/2019
- support conditional compilation of memcache support
- bump to 2.3.11rc0
01/22/2019
- fix XSS vulnerability CSNC-2019-001 wrt. poll parameter in OIDC Session Management RP iframe; thanks Mischa Bachmann
- release 2.3.10.2
01/16/2019
- fix bug in current URL detection where query parameters would be duplicated; see #420; thanks @jreynaert
- release 2.3.10.1
12/31/2018
- fix warning printout in oidc_delete_oldest_state_cookies
- release 2.3.10
12/16/2018
- fix encryption buffer tag length mismatch
12/06/2018
- retain the unparsed URL path in current/original URL determination, and thereby preserve
and support URL-encoded characters in paths when redirecting back to the original URL
- add state to code exchange token requests only in multi-provider setups; see #402
- optionally delete the oldest state cookie(s); see #399
- bump to 2.3.10rc3
11/29/2018
- add support for refreshing an access token associated with an OIDC session using OIDCRefreshAccessTokenBeforeExpiry
- bump to 2.3.10rc0
11/15/2018
- release 2.3.9
11/13/2018
- fix parsing of cookie name in OIDCOAuthAcceptTokenAs when the cookie option is not listed last
- bump to 2.3.9rc7
11/12/2018
- fix OAuth 2.0 RS config check when OIDCOAuthServerMetadataURL is set; thanks @psteniusubi
- bump to 2.3.9rc6