github OpenIDC/mod_auth_openidc v1.8.6
release 1.8.6

latest releases: v2.4.16.5, v2.4.16.4, v2.4.16.3...
9 years ago

Features

  • add support for applying a custom HTML error template with OIDCHTMLErrorTemplate
  • add option to manually assign a key identifier (kid) to the OIDCOAuthVerifySharedKeys, OIDCOAuthVerifyCertFiles and OIDCPublicKeyFiles configuration primitives
  • allow a leading '.' in the OIDCCookieDomain primitive and support older browsers; issue #96
  • include and prioritize the X-Forwarded-Host header in hostname determination
  • allow for missing Host header (HTTP 1.0)
  • add option to make session cookie persistent; closes #97

Bugfixes

  • return DONE instead of HTTP_UNAUTHORIZED with Discovery page (prevent double HTML in HTTP 1.0)
  • validate received session cookie against the domain it was issued for:
    this handles the case where the cache configured is a the same single memcache, Redis, or file backend for different (virtual) hosts, or a client-side cookie protected with the same secret; it also handles the case that a cookie is unexpectedly shared across multiple hosts in name-based virtual hosting even though the OP(s) would be the same

Other

  • log a warning if the Set-Cookie value length is greater than 4093 bytes to avoid browsers breaking without any clue

Don't miss a new mod_auth_openidc release

NewReleases is sending notifications on new releases.