4/25/2016: updated the Windows build to the actual 1.8.8 version
Security
- update the mitigation for the OAuth AS mix-up attack to conform to the updated https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01: pass the plain state value to the token endpoint instead of a hash of it
- remove linefeeds from the OIDCAuthNHeader value before setting the header, thanks @rfk; this is a security fix to prevent passing crafted header values in a reverse proxy setup, similar to what was done for other headers earlier in release 1.8.0
Features
- support passing an OAuth 2.0 bearer token (or a generic JWT) in alternative ways with OIDCOAuthAcceptTokenAs, i.e. as a query parameter, a POST parameter or a (PingAccess) cookie, see #112
- don't redirect away to the OP for authentication when the X-Requested-With header is present in an unauthenticated request, to avoid state cookies piling up on JavaScript paths; as suggested in #113
Bugfixes
- fix custom HTML error template initialization in (derived) virtual host definitions, see #118
- merge id_token and userinfo claims in Apache >2.4 authorization; see #120
- Elliptic Curve support now requires OpenSSL 1.0.1 (was 1.0.0); this allows for builds on OpenSuse, see #116
- include token_endpoint_auth_method in Dynamic Client Registration requests, see #117
- fix loose (prefix-only) matching of cookie names
Other
- use session cookies instead of persistent cookies for the "state" cookies to work around a Firefox bug and clean them up when expired
- issue a log warning when cookie size limitations are reached
- log exact version of OpenSSL and EC/GCM/Redis support at startup
- issue a warning if the "openid" scope is not included in the authentication request