github OpenIDC/mod_auth_openidc v1.8.7
release 1.8.7

8 years ago

Security

  • add mitigation for OAuth AS mixup attack described in http://www.scmagazineuk.com/researchers-find-two-flaws-in-oauth-20/article/463919/ according to (the unpublished) draft-jones-oauth-issuer-00
    • if present in an authentication response: check iss & client_id against the ones recorded in the state
    • push a hash of the state parameter to the token endpoint in code flows
  • strictly match issuer in Discovery document against requested issuer
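The two checks above, the mix-up mitigation (iss and client_id in the authorization response compared with the state record, plus a state hash sent to the token endpoint) and the strict Discovery issuer match, as an added Python example that is not mod_auth_openidc code; the state store, URLs, the SHA-256 hash scheme and the `state_hash` parameter name are assumptions:

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlparse

# Constructed state store: state value -> the issuer the RP sent the user to
# and the client_id it used there, recorded when the flow started.
STATE_STORE = {
    "abc123": {"issuer": "https://op.example.com", "client_id": "rp-client"},
}

def state_hash_b64url(state: str) -> str:
    """base64url(SHA-256(state)) without padding (assumed hash scheme)."""
    digest = hashlib.sha256(state.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def validate_authz_response(redirect_url: str, store=STATE_STORE):
    """Return (record, code) or raise ValueError on any mismatch.

    If the AS echoes iss / client_id, a value that differs from what the RP
    recorded means the code was issued by an AS other than the one the user
    was sent to, which is the mix-up condition."""
    params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    record = store.get(params.get("state"))
    if record is None:
        raise ValueError("unknown or missing state")
    if "iss" in params and params["iss"] != record["issuer"]:
        raise ValueError("iss does not match recorded issuer")
    if "client_id" in params and params["client_id"] != record["client_id"]:
        raise ValueError("client_id does not match recorded client_id")
    if "code" not in params:
        raise ValueError("no authorization code in response")
    return record, params["code"]

def token_request_params(code: str, state: str, redirect_uri: str) -> dict:
    """Code-flow token request carrying a hash of the state, so the AS can
    tie the code redemption back to the authorization request it served."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "state_hash": state_hash_b64url(state),  # assumed parameter name
    }

def discovery_issuer_matches(requested_issuer: str, discovery_doc: dict) -> bool:
    """Strict equality: a trailing slash or a prefix match is not a match."""
    return discovery_doc.get("issuer") == requested_issuer
```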

Features

Bugfixes

  • fix memory corruption when using custom html template; closes #106
  • return 404 on iframes if session-mgmt disabled; debug logs; closes #109
  • fix crash using a custom error template when description is NULL
  • fix crash when target_link_uri is not a valid URI or parts are empty

Other

  • fix compilation warning on double sizeof call; closes #103, thanks @dcb314
  • correct debug log in oidc_util_hash_string_and_base64url_encode
