Features
- add support for applying a custom HTML error template with
OIDCHTMLErrorTemplate - add option to manually assign a key identifier (
kid) to theOIDCOAuthVerifySharedKeys,OIDCOAuthVerifyCertFilesandOIDCPublicKeyFilesconfiguration primitives - allow a leading '.' in the
OIDCCookieDomainprimitive and support older browsers; issue #96 - include and prioritize the
X-Forwarded-Hostheader in hostname determination - allow for missing
Hostheader (HTTP 1.0) - add option to make session cookie persistent; closes #97
Bugfixes
- return
DONEinstead ofHTTP_UNAUTHORIZEDwith Discovery page (prevent double HTML in HTTP 1.0) - validate received session cookie against the domain it was issued for:
this handles the case where the cache configured is a the same single memcache, Redis, or file backend for different (virtual) hosts, or a client-side cookie protected with the same secret; it also handles the case that a cookie is unexpectedly shared across multiple hosts in name-based virtual hosting even though the OP(s) would be the same
Other
- log a warning if the
Set-Cookievalue length is greater than 4093 bytes to avoid browsers breaking without any clue