Releases: OpenIDC/mod_auth_openidc
release 1.8.4
Features
- support passing claims as environment variables (`OIDCPassClaimsAs`); this allows for more reliable interaction with other modules that access environment variables set by mod_auth_openidc
Bugfixes
- avoid double free of JWT after parsing errors have been encountered
- correct debug printout in oidc_util_read_form_encoded_params
- correct memcache logging on cache misses; thanks @scottdear
- work around JSON timestamp print modifier issue (`%lld`) on some platforms, e.g. Debian 8; thanks to @ralphvanetten
release 1.8.3
2015/06/23: fixed the erroneous upload of Debian Wheezy/Precise backports
Features
- merge claims from id_token into those obtained from the user info endpoint for authorization purposes; this allows e.g. for using the `iss` claim in `Require claim` directives (when not returned from the user info endpoint)
- improve error logging on encountering non-supported JWT signing/encryption algorithms
- allow JSON string values for the "active" claim in access token validation responses (as used by e.g. the WebSphere Liberty authorization server) (thanks @stevemart)
- make public keys for encrypted JWT access tokens available for OAuth 2.0 configurations (see issue #74 esp. last comments)
- remove exceptions for accounts.google.com since Google is OpenID Connect compliant now
Bugfixes
- fix `at_hash` and `c_hash` comparisons when the input is padded (thanks @steverc, issue #65)
- perform validation on post-logout URLs to prevent open redirects, response splitting and cache poisoning (thanks @davidbernick, issue #68)
- fix post-logout URL being set to SSO URL
Packaging
- the `*bpo70*.deb` packages will work on Debian Wheezy and Ubuntu Precise
- the regular `*.deb` packages will work on Debian Jessie, Ubuntu Trusty and Ubuntu Utopic
release 1.8.2
Bugfixes
- fix Elliptic Curve signature verification in hybrid flows
release 1.8.1
2015/05/12: fixed the erroneous upload of libapache2-mod-auth-openidc_1.8.1-1ubuntu1~precise+1_amd64.deb
Features
- allow setting `OIDCDiscoverURL` inside of `Directory` and `Location` directives
- allow setting `OIDCCookie` outside of `Directory` and `Location` directives
- add configurable token expiry parsing of OAuth 2.0 introspection result (`OIDCOAuthTokenExpiryClaim`)
- increase SHM cache key size from 255 to 512
- add support for regular expressions in remote user setting for OIDC and OAuth 2.0
Bugfixes
- fix building with OpenSSL <1.0
- avoid timing attacks on symmetric key signature/hash comparisons
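Added example, not code from mod_auth_openidc (which is written in C), illustrating two of the fixes listed on this page: the `at_hash` comparison that must tolerate base64url padding (release 1.8.3) and the constant-time hash comparison (release 1.8.1). The access token value is constructed; the hashing rule follows OpenID Connect Core (left-most half of the digest named by the ID token `alg`, base64url without padding).

```python
import base64
import hashlib
import hmac


def b64url_nopad(raw: bytes) -> str:
    # base64url without trailing '=' padding, as JWS and OIDC require
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def expected_at_hash(access_token: str, alg: str = "RS256") -> str:
    # OIDC Core 3.1.3.6: digest with the hash of the ID token alg (RS256 -> SHA-256),
    # keep the left-most half of the digest, base64url-encode it
    digest_name = {"256": "sha256", "384": "sha384", "512": "sha512"}[alg[-3:]]
    digest = hashlib.new(digest_name, access_token.encode("utf-8")).digest()
    return b64url_nopad(digest[: len(digest) // 2])


def normalize_b64url(value: str) -> str:
    # Some providers append '=' padding; strip it before comparing (the 1.8.3 fix)
    return value.rstrip("=")


def at_hash_matches(claim_value: str, access_token: str, alg: str = "RS256") -> bool:
    # Compare the at_hash claim from the ID token with the value derived from the
    # access token actually received; compare_digest avoids the early-exit timing
    # leak of an ordinary string comparison (the 1.8.1 fix)
    expected = expected_at_hash(access_token, alg)
    actual = normalize_b64url(claim_value)
    return hmac.compare_digest(actual.encode("ascii"), expected.encode("ascii"))


if __name__ == "__main__":
    token = "constructed-access-token"  # constructed sample, not a real token
    claim = expected_at_hash(token) + "=="  # padded form as some providers emit it
    print(at_hash_matches(claim, token))  # True
    print(at_hash_matches(claim, token + "x"))  # False
```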
Packaging
- add Ubuntu Trusty and Precise packages
release 1.8.0
2015/03/16: fixed the erroneous 32 bit upload of mod_auth_openidc-1.8.0-1.el6.x86_64.rpm
Features
- more options for running as (only) an OAuth 2.0 Resource Server
- support for local JWT access token validation using `OIDCOAuthVerifyCertFiles`, `OIDCOAuthVerifySharedKeys` and `OIDCOAuthVerifyJwksUri`, see https://github.com/pingidentity/mod_auth_openidc/wiki/OAuth-2.0-Resource-Server
- support configurable introspection HTTP method: can be `POST` (default) or `GET`
- support configuration of a maximum session duration (`OIDCSessionMaxDuration`)
Bug Fixes
- avoid including line feeds in header values (@forkbomber and @ekanthi); this is a security fix to prevent passing crafted header values in a reverse proxy setup
- the response type must now strictly match the requested response type
- fix `free()` crash on simple-valued error printouts
- fix returning keys without a `kid`
- fix searching for keys with a `x5t` thumbprint
- fix `oauth.introspection_endpoint_method` initialization
Other
- make Redis support conditional at compilation time using autoconf
- preliminary support for GET-style logout (under development in the OIDC WG)
release 1.7.3
Bug fixes
- fix symmetric key decryption of JWTs encrypted with `A128CBC-HS256` and `A256CBC-HS512`
- fix memory leak in RSA key conversion
- allow `{... "error": null ...}` in JSON responses (@fatlotus)
- get rid of extraneous `;` in `Set-Cookie` headers
- fix configuration validation check where no config would be checked if `OIDCProviderIssuer` is set but both `OIDCRedirectURI` and `OIDCCryptoPassphrase` are not set
Features
- update to `draft-bradley-oauth-jwt-encoded-state-03`: change `target_uri` parameter name to `target_link_uri`
Other
- add preliminary support for local JWT access token validation (contact the author for docs)
- JWT code refactoring & extended test coverage
release 1.7.2
Features
- add support for `OIDCOAuthIntrospectionTokenParamName`; this also adds support for Google OAuth 2.0 access token validation
- print out JOSE error reports on failure
Bug fixes
- fix Redis reconnect behavior: avoid keep reconnecting
- correct expiry debug printout
- fix return result on error in function that decrypts CEK
- improve accuracy of expired/invalid session handling
Other
- document `OIDCPassCookies`
- fix compiler warnings and printf formatting
- revise JOSE/JWT API wrt. error handling
release 1.7.1
Features
- return HTTP 401 on specific paths instead of redirecting for authentication with `OIDCReturn401 On`
- add configurable JSON parameters to Dynamic Client Registration requests with `OIDCProviderRegistrationEndpointJson` / `registration_endpoint_json`
- make shared memory cache entry maximum size configurable with `OIDCCacheShmEntrySizeMax`
- pass error codes back to the caller when the `refresh` hook fails
- pass cookies specified in `OIDCPassCookies` from the browser on to OP/AS calls (for load balancing purposes)
Bugfixes
- reconnect to the Redis server after I/O failure as raised in #43
- allow OIDCRedirectURI's with an empty path and fix crash
- require the expiring access_token on the `refresh` hook for XSRF protection
Other
- improve handling of non-string (=non-compliant) error responses
- return HTTP 500 when detecting requests that will loop on return
release 1.7.0
Features
- add support for Redis cache backend
- support regular expressions in Require statements
- generalize support for OAuth 2.0 token introspection and conform to https://tools.ietf.org/html/draft-ietf-oauth-introspection-00
- add support for the refresh_token flow + hook
- pass the expires_in as an absolute timestamp in OIDC_access_token_expires
Bugfixes
- scrub all OIDC_ headers
Dependencies
- there are build and runtime dependencies on libhiredis and libpcre3 now.
release 1.6.0
Features
- add support for Session Management based on http://openid.net/specs/openid-connect-session-1_0.html (draft 21)
- support static provider configuration from a metadata URL (`OIDCProviderMetadataURL`)
- add config option to POST extra parameters to the token endpoint (`OIDCProviderTokenEndpointParams` / `token_endpoint_params`)
- support for passing runtime determined authentication request parameters in the discovery response (`auth_request_params`)
- support for `x5c` JWK representation
Bugs
- fix set_slot functions for algorithm/url used as default for dynamic registration (`OIDCClientJwksUri` / `OIDCIDTokenSignedResponseAlg`)
- fix JSON array memory leak in OAuth 2.0 access token validation flow
- set expiry on state cookies
- return JWKS on jwks_uri with content-type "application/json"
- HTML-encode error descriptions before displaying them
Other
- be less strict about issuer validation in metadata
- check that endpoints in metadata are URLs
- various minor logging improvements
- various minor documentation improvements
- improve error handling on direct browser access to redirect uri