github OpenIDC/mod_auth_openidc v1.8.8
release 1.8.8

8 years ago

4/25/2016: updated the build for windows to the actual 1.8.8 version

Security

  • update the mitigation for the OAuth AS mix-up attack to conform to the updated https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01
    • pass plain state value to the token endpoint instead of a hash
  • remove linefeeds from the OIDCAuthNHeader value before setting the header, thanks @rfk
    • this is a security fix that prevents crafted (CR/LF-containing) values from injecting additional headers in a reverse proxy setup, similar to what was done for other headers in release 1.8.0

Features

  • support passing an OAuth 2.0 bearer token (or a generic JWT) in alternative ways with OIDCOAuthAcceptTokenAs
    • that is, as a query parameter, a POST parameter or a (PingAccess) cookie, see #112
  • don't redirect away to the OP for authentication when the X-Requested-With header is present in an unauthenticated request
    • to avoid state cookies piling up on JavaScript paths; as suggested in #113
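
Both features above, as an added Python example that is not mod_auth_openidc's own code: a request handler that accepts a bearer token from the locations OIDCOAuthAcceptTokenAs can enable, in a configured order, and answers X-Requested-With requests with a 401 instead of a redirect. The request dict layout, the `accept` list, the cookie name and the OP URL are constructed for the demo; the module's real precedence between locations may differ.

```python
"""Added example, not mod_auth_openidc's own code.  Request layout, the
`accept` list and the OP URL are constructed for this demo."""
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

FORM = "application/x-www-form-urlencoded"
OP_AUTHORIZE = "https://op.example/authorize"  # constructed


def token_from_request(req, accept):
    """`accept` is an ordered list of 'header', 'query', 'post' or
    ('cookie', name).  The first location that yields a token wins, and a
    location that is not listed is ignored even if a token is present there:
    the alternatives are opt-in, a token in a URL ends up in logs and Referers."""
    headers = req.get("headers", {})
    for loc in accept:
        if loc == "header":
            scheme, _, token = headers.get("authorization", "").partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
        elif loc == "query":
            vals = parse_qs(req.get("query", "")).get("access_token")
            if vals:
                return vals[0]
        elif loc == "post":
            if req.get("method") == "POST" and headers.get("content-type") == FORM:
                vals = parse_qs(req.get("body", "")).get("access_token")
                if vals:
                    return vals[0]
        elif isinstance(loc, tuple) and loc[0] == "cookie":
            jar = SimpleCookie(headers.get("cookie", ""))
            if loc[1] in jar and jar[loc[1]].value:
                return jar[loc[1]].value
    return None


def unauthenticated(req):
    """Browser navigations get a redirect to the OP plus a fresh state cookie;
    XHR/fetch calls that send X-Requested-With get a plain 401 and no cookie,
    so state cookies do not pile up on JavaScript paths."""
    if req.get("headers", {}).get("x-requested-with"):
        return {"status": 401, "set_cookie": None}
    state = secrets.token_urlsafe(16)
    return {
        "status": 302,
        "location": f"{OP_AUTHORIZE}?state={state}",
        "set_cookie": f"mod_auth_openidc_state_{state}=1",  # constructed name
    }


def handle(req, accept):
    """Resolve a token if one is accepted, otherwise fall back to the
    unauthenticated handling above."""
    token = token_from_request(req, accept)
    if token is None:
        return unauthenticated(req)
    return {"status": 200, "token": token}


if __name__ == "__main__":
    accept = ["header", "query", ("cookie", "PA")]
    req = {"method": "GET", "headers": {"cookie": "PA=cookie-token"}, "query": ""}
    print(handle(req, accept))
    xhr = {"method": "GET", "headers": {"x-requested-with": "XMLHttpRequest"}}
    print(handle(xhr, accept))
```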

Bugfixes

  • fix custom HTML error template initialization in (derived) virtual host definitions, see #118
  • merge id_token and userinfo claims in Apache >2.4 authorization; see #120
  • Elliptic Curve support requires OpenSSL 1.0.1 now (was 1.0.0); this allows for builds on OpenSuse, see #116
  • include token_endpoint_auth_method in Dynamic Client Registration requests, see #117
  • fix loose (prefix only) matching of cookie names
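
The cookie-name bugfix above, as an added example (not the module's code, which is C): a prefix-style lookup of the kind the fix removes, beside an exact-name lookup. The cookie header and names are constructed for the demo. With several state cookies present (one per in-flight login, as this release's "Other" section describes), a loose match can return the value of a different login's cookie.

```python
"""Added example, not mod_auth_openidc's own code.  Header and cookie names
are constructed for this demo."""


def cookie_prefix_match(header, name):
    """Loose lookup: finds the first occurrence of `name` in the header and
    reads the value after the next '=', so 'mod_auth_openidc_state' also
    matches 'mod_auth_openidc_state_abc' when that cookie comes first."""
    i = header.find(name)
    if i < 0:
        return None
    rest = header[i + len(name):]
    eq = rest.find("=")
    if eq < 0:
        return None
    return rest[eq + 1:].split(";", 1)[0].strip()


def cookie_exact_match(header, name):
    """Exact lookup: split the Cookie header into name=value pairs and compare
    the whole name, so only the intended cookie can match."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


if __name__ == "__main__":
    # Constructed Cookie header: a longer-named cookie precedes the one we want.
    header = "mod_auth_openidc_state_abc=foo; mod_auth_openidc_state=bar"
    print(cookie_prefix_match(header, "mod_auth_openidc_state"))  # the wrong cookie
    print(cookie_exact_match(header, "mod_auth_openidc_state"))   # the right one
```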

Other

  • use session cookies instead of persistent cookies for the "state" cookies to work around a Firefox bug and clean them up when expired
  • issue a log warning when cookie size limitations are reached
  • log exact version of OpenSSL and EC/GCM/Redis support at startup
  • issue a warning if the "openid" scope is not included in the authentication request
