release 2.4.15.6
The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations, which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate the new defaults.
Bugfixes
- use `SameSite=Lax` when `OIDCCookieSameSite` is `On` (also the default since 2.4.15) instead of `Strict`, as overriding from `Lax` to `Strict` does not work reliably anymore (e.g. on Chrome with certain plugins)
- signed_jwks_url: make the `exp` claim optional in signed JWK sets (`OIDCProviderSignedJwksUri`); see #1182; thanks @psteniusubi; ensures interoperability with the OpenID Federation specification
- cache: hash the cache key if it is larger than 512 bytes so large cache key entries (e.g. for JWT tokens) are no longer a problem in unencrypted SHM cache configs, i.e. the default shared memory cache setup; see issues/discussions on "could not construct cache key since key size is too large"
- cache: fix debug printout of cache key in `oidc_cache_get` introduced in 2.4.15
- http: fix applying the default HTTP short retry interval setting and use 300ms as default value
- userinfo: fix setting the `exp` claim in userinfo signed JWTs (`exp` would be `now+0`) when no `expires_in` is returned by the OpenID Connect Provider
- userinfo: fix signed JWT caching (if enabled) when the TTL is set to 0 or "", which should apply the `exp` claim as the cache TTL
- refresh: fix for `expires_in` string values returned from the token endpoint that would be interpreted as 0; this fixes using `OIDCRefreshAccessTokenBeforeExpiry` and `OIDCUserInfoRefreshInterval` with (older) Azure AD configs that would result in a token refresh on every request since 2.4.15 or a 401 in 2.4.14.4
- authz: fix evaluation of `Require claim` statements for nested array claims
- authz: properly handle parse errors in `Require claim <name>:<integer>` statements
- fix setting the default PKCE method to `none` in a multi-provider setup
Other
- userinfo refresh: don't try to refresh the access token and retry when a connectivity error has occurred
- logout: don't try to revoke tokens on post-access-token-refresh or post-userinfo-refresh-errors logouts
- (internal) session state: represent timestamps as JSON integers instead of strings, as also returned from the info hook
Features
- signed_jwks_uri: accept verification key set formatted as either JWK or JWKS; see #1191; thanks @psteniusubi
- redis: enable TCP keepalive on Redis connections by default and make it configurable with:
OIDCRedisCacheConnectTimeout <connect-timeout> [0|<keep-alive-interval>]
- proto: accept strings as well as integers in the `expires_in` claim from the token endpoint to cater for non-spec compliant implementations
- userinfo: accept `0` in `OIDCUserInfoRefreshInterval` which will refresh userinfo on every request
- authz: add support for JSON `real` and `null` value matching in `Require claim` statements
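The refresh bugfix above (`expires_in` strings interpreted as 0, causing a refresh on every request) and the "proto" feature (accept strings as well as integers in `expires_in`) describe the same parsing problem from two sides. The following is an added illustration and is not code from mod_auth_openidc; the function names, the refresh rule modelled on `OIDCRefreshAccessTokenBeforeExpiry`, and the token endpoint responses are all constructed for this example.

```python
import json

# Constructed token endpoint responses (not real provider output): the spec-compliant
# integer form, the string form some (older) Azure AD configurations return, and a
# response that omits expires_in altogether.
RESPONSE_INT = '{"access_token": "at-1", "token_type": "Bearer", "expires_in": 3600}'
RESPONSE_STR = '{"access_token": "at-2", "token_type": "Bearer", "expires_in": "3600"}'
RESPONSE_NONE = '{"access_token": "at-3", "token_type": "Bearer"}'


def parse_expires_in_strict(response):
    """Pre-fix behaviour modelled here: only a JSON integer counts, anything else is 0."""
    value = json.loads(response).get("expires_in")
    return value if isinstance(value, int) and not isinstance(value, bool) else 0


def parse_expires_in(response):
    """Lenient parser: accept a JSON integer or a non-negative numeric string.

    Returns the lifetime in seconds, or None when the claim is absent or unusable,
    so callers can tell 'unknown' apart from 'expires now'.
    """
    value = json.loads(response).get("expires_in")
    if isinstance(value, bool):          # bool is an int subclass in Python; reject it
        return None
    if isinstance(value, int):
        return value if value >= 0 else None
    if isinstance(value, str) and value.strip().isdigit():
        return int(value.strip())
    return None


def needs_refresh(expires_in, issued_at, now, refresh_before):
    """Return True when the access token should be refreshed ahead of expiry.

    refresh_before plays the role of OIDCRefreshAccessTokenBeforeExpiry: refresh when
    fewer than that many seconds remain. With expires_in mis-parsed as 0 the remaining
    lifetime is always below the threshold, which is the refresh-on-every-request bug.
    """
    if expires_in is None:
        return False                     # unknown lifetime: do not refresh on every request
    return (issued_at + expires_in) - now < refresh_before


if __name__ == "__main__":
    for resp in (RESPONSE_INT, RESPONSE_STR, RESPONSE_NONE):
        strict, lenient = parse_expires_in_strict(resp), parse_expires_in(resp)
        print(f"strict={strict!r:>5} lenient={lenient!r:>5} "
              f"refresh(strict)={needs_refresh(strict, 1000, 1000, 60)} "
              f"refresh(lenient)={needs_refresh(lenient, 1000, 1000, 60)}")
```

With the strict parser the string response yields 0 and `needs_refresh` fires immediately after issuance; the lenient parser recovers the 3600-second lifetime, and an absent claim is reported as unknown rather than as an already-expired token.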
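The three authz items in this release (nested array claims, parse errors in `Require claim <name>:<integer>`, and JSON `real`/`null` matching) all concern how a required value is compared with a claim. The code below is an added example, not the module's authorization code: the `name:value` parsing rules, the type-strict comparison, and the claim set are assumptions made for illustration, and the real `Require claim` grammar supports more than is modelled here.

```python
import json

# Constructed claim set (not from a real provider); "roles" is a nested array.
CLAIMS = json.loads('''{
  "sub": "alice",
  "age": 42,
  "score": 0.75,
  "manager": null,
  "roles": [["admin", "ops"], ["dev"]]
}''')


def parse_require_claim(statement):
    """Parse '<name>:<value>' into (name, typed value).

    Assumed rules for this example: 'null' -> None, an integer literal -> int,
    a real literal -> float, anything else -> string. Raises ValueError when the
    statement is malformed instead of defaulting to a value.
    """
    if ":" not in statement:
        raise ValueError("expected <name>:<value>")
    name, raw = statement.split(":", 1)
    if not name:
        raise ValueError("empty claim name")
    if raw == "null":
        return name, None
    for convert in (int, float):
        try:
            return name, convert(raw)
        except ValueError:
            continue
    return name, raw


def parse_integer_requirement(statement):
    """Strict '<name>:<integer>' form: a non-integer value is a configuration error,
    not a silent 0 (the failure mode addressed by this release)."""
    name, raw = statement.split(":", 1)
    try:
        return name, int(raw)
    except ValueError:
        raise ValueError(f"Require claim {name}: {raw!r} is not an integer") from None


def _leaves(value):
    """Yield the scalar leaves of an arbitrarily nested JSON array (or the scalar itself)."""
    if isinstance(value, list):
        for item in value:
            yield from _leaves(item)
    else:
        yield value


def _equal(leaf, required):
    """Type-aware equality: null only matches null, numbers match numbers
    (int and real interchangeably), strings match strings; 42 never equals "42"."""
    if required is None or leaf is None:
        return leaf is required
    if isinstance(leaf, bool):           # JSON true/false never equals a number or string here
        return False
    if isinstance(required, (int, float)):
        return isinstance(leaf, (int, float)) and leaf == required
    return isinstance(leaf, str) and leaf == required


def claim_matches(claims, name, required):
    """True when the claim, or any leaf of a (nested) array claim, equals required."""
    if name not in claims:
        return False
    return any(_equal(leaf, required) for leaf in _leaves(claims[name]))


def evaluate(claims, statement):
    """Evaluate one 'Require claim <name>:<value>' statement against a claim set."""
    name, required = parse_require_claim(statement)
    return claim_matches(claims, name, required)


if __name__ == "__main__":
    for stmt in ("roles:dev", "roles:root", "age:42", "score:0.75", "manager:null", "sub:null"):
        print(f"{stmt:<14} -> {evaluate(CLAIMS, stmt)}")
```

The nested `roles` array is flattened before comparison, so `roles:dev` is satisfied even though `dev` sits in an inner array; `manager:null` matches only a JSON null, and a string claim such as `"42"` does not satisfy an integer requirement.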
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distros, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]