Features
- add support for applying a custom HTML error template with
OIDCHTMLErrorTemplate
- add option to manually assign a key identifier (
kid
) to theOIDCOAuthVerifySharedKeys
,OIDCOAuthVerifyCertFiles
andOIDCPublicKeyFiles
configuration primitives - allow a leading '.' in the
OIDCCookieDomain
primitive and support older browsers; issue #96 - include and prioritize the
X-Forwarded-Host
header in hostname determination - allow for missing
Host
header (HTTP 1.0) - add option to make session cookie persistent; closes #97
Bugfixes
- return
DONE
instead ofHTTP_UNAUTHORIZED
with Discovery page (prevent double HTML in HTTP 1.0) - validate received session cookie against the domain it was issued for:
this handles the case where the cache configured is a the same single memcache, Redis, or file backend for different (virtual) hosts, or a client-side cookie protected with the same secret; it also handles the case that a cookie is unexpectedly shared across multiple hosts in name-based virtual hosting even though the OP(s) would be the same
Other
- log a warning if the
Set-Cookie
value length is greater than 4093 bytes to avoid browsers breaking without any clue