OpenIDC/mod_auth_openidc v1.8.0

release 1.8.0

on GitHub

2015/03/16: fixed the erronous 32 bit upload of mod_auth_openidc-1.8.0-1.el6.x86_64.rpm

Features

• more options for running as (only) an OAuth 2.0 Resource Server
  • support for local JWT access token validation using OIDCOAuthVerifyCertFiles, OIDCOAuthVerifySharedKeys and OIDCOAuthVerifyJwksUri, see https://github.com/pingidentity/mod_auth_openidc/wiki/OAuth-2.0-Resource-Server
  • support configurable introspection HTTP method: can be POST (default) or GET
• support configuration of a maximum session duration (OIDCSessionMaxDuration)

Bug Fixes

• avoid including line feeds in header values (@forkbomber and @ekanthi)
  • this is a security fix to prevent passing crafted header values in a reverse proxy setup
• the response type must now strictly match the requested response type
• fix free() crash on simple-valued error printouts
• fix returning keys without a kid
• fix searching for keys with a x5t thumbprint
• fix oauth.introspection_endpoint_method initialization

Other

• make Redis support conditional at compilation time using autoconf
• preliminary support for GET-style logout (under development in the OIDC WG)