github OpenIDC/mod_auth_openidc v1.8.3
release 1.8.3

2015/06/23: fixed the erroneous upload of Debian Wheezy/Precise backports

Features

  • merge claims from the id_token into those obtained from the user info endpoint for authorization purposes; this allows, for example, using the iss claim in Require claim directives when it is not returned from the user info endpoint
  • improve error logging on encountering non-supported JWT signing/encryption algorithms
  • allow JSON string values for the "active" claim in access token validation responses (as used by e.g. the WebSphere Liberty authorization server) (thanks @stevemart)
  • make public keys for encrypted JWT access tokens available for OAuth 2.0 configurations (see issue #74, especially the last comments)
  • remove exceptions for accounts.google.com since Google is OpenID Connect compliant now

Bugfixes

  • fix at_hash and c_hash comparisons when the input is padded (thanks @steverc, issue #65)
  • perform validation on post-logout URLs to prevent open redirects, response splitting and cache poisoning (thanks @davidbernick, issue #68)
  • fix post-logout URL being set to SSO URL
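
The at_hash/c_hash fix above concerns comparing a received hash claim with the locally computed value. The following is an added example, not mod_auth_openidc's own code: it computes the value as OpenID Connect Core defines it (base64url of the left-most half of the hash named by the ID token's alg) and compares it while tolerating trailing "=" padding. It assumes "padded" means the claim carries base64 padding; the function names and the sample token are constructed.

```python
import base64
import hashlib
import hmac

# Hash used for at_hash/c_hash follows the ID token's JWS "alg" header.
HASH_FOR_ALG = {
    "RS256": hashlib.sha256, "ES256": hashlib.sha256, "HS256": hashlib.sha256,
    "RS384": hashlib.sha384, "ES384": hashlib.sha384, "HS384": hashlib.sha384,
    "RS512": hashlib.sha512, "ES512": hashlib.sha512, "HS512": hashlib.sha512,
}


def left_half_hash(value: str, alg: str) -> str:
    """base64url (unpadded) of the left-most half of hash(value)."""
    if alg not in HASH_FOR_ALG:
        raise ValueError(f"unsupported alg: {alg}")
    digest = HASH_FOR_ALG[alg](value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def naive_match(claim: str, value: str, alg: str) -> bool:
    """Byte-for-byte comparison: rejects a correct but padded claim."""
    return claim == left_half_hash(value, alg)


def hash_claim_matches(claim: str, value: str, alg: str) -> bool:
    """Padding-tolerant, constant-time check of an at_hash or c_hash claim."""
    if not isinstance(claim, str) or alg not in HASH_FOR_ALG:
        return False
    expected = left_half_hash(value, alg)
    received = claim.rstrip("=")  # drop optional base64 padding only
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    token = "constructed-access-token-0001"  # constructed sample value
    padded = left_half_hash(token, "RS256") + "=="  # padded form of the same claim
    print("naive:", naive_match(padded, token, "RS256"))
    print("tolerant:", hash_claim_matches(padded, token, "RS256"))
    print("wrong token:", hash_claim_matches(padded, token + "x", "RS256"))
```

The same function serves c_hash by passing the authorization code instead of the access token.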

Packaging

  • the *bpo70*.deb packages will work on Debian Wheezy and Ubuntu Precise
  • the regular *.deb packages will work on Debian Jessie, Ubuntu Trusty and Ubuntu Utopic
