Release 2.x is mainly focused on security improvements and refactoring; its configuration is backwards compatible with 1.x. The module now depends on an external library, `cjose`, for all crypto-related operations. Packages for `cjose` version 0.4.1 for all platforms are included in the Downloads section for this release.
Security
- use signed and encrypted JWTs for state cookies and session data in the `cookie`/`memcache`/`redis`/`file` backends - this means that e.g. a shared memcache cluster can be used without session data being readable/writeable by 3rd parties
- limit max POST data size to 1Mb
Bugfixes
- use `AUTHZ_DENIED` in the Apache v2.4 `oidc_authz_checker`; closes #151; thanks @gwollman
- use stricter input parsing validation functions on both single-provider static configurations and multi-provider metadata configurations
- fix front-channel img-style logout with newer versions of PingFederate
- fix directory config merging so values can be set back to their default values in sub directories; closes #170; thanks @carldini
- don't add our own cookies to the incoming headers
Features
- add support for chunked session cookies; closes #153; thanks @glatzert - now client-side-only session state can be used (`OIDCSessionType client-cookie`) without the risk of running over cookie size limits (too easy)
- support TLS client authentication to token and introspection endpoints with `OIDCClientTokenEndpointCert`/`OIDCClientTokenEndpointKey` and `OIDCOAuthIntrospectionEndpointCert`/`OIDCOAuthIntrospectionEndpointKey`
- support preserving POST data across authorization and discovery requests with `OIDCPreservePost` - this allows for preserving posted form data across re-authentication roundtrips triggered by session timeouts
- allow passing the refresh token to the application with `OIDCPassRefreshToken`; thanks Amit Joshi
- allow setting the token endpoint authentication method for Dynamic Client Registration in multi-provider setups in the `.conf` file with `token_endpoint_auth`
- allow stripping cookies to the application/backend with `OIDCStripCookies`
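The chunked client-side session cookie listed above, illustrated as an added example (not the module's own code or cookie encoding): an integrity-protected session blob that exceeds a per-cookie size limit is split across numbered cookies plus a count cookie, and reassembly rejects any missing or altered chunk. A plain HMAC stands in for the signed and encrypted JWT the module actually uses; the cookie names, the 4000-character limit and the key are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Optional

MAX_COOKIE_VALUE = 4000           # assumed per-cookie value limit (browsers cap around 4 KiB)
SECRET = b"constructed-demo-key"  # constructed; a real deployment derives this from configuration


def _sign(payload: bytes) -> str:
    """Append an HMAC-SHA256 tag and base64url-encode; stand-in for a signed/encrypted JWT."""
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode().rstrip("=")


def _verify(token: str) -> Optional[bytes]:
    """Decode and check the tag in constant time; None on any failure."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (binascii.Error, ValueError):
        return None
    payload, tag = raw[:-32], raw[-32:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, tag) else None


def chunk_session_cookie(name: str, session: bytes) -> Dict[str, str]:
    """Return the Set-Cookie values: one cookie if it fits, else name_chunks + name_0..name_N."""
    token = _sign(session)
    if len(token) <= MAX_COOKIE_VALUE:
        return {name: token}
    parts = [token[i:i + MAX_COOKIE_VALUE] for i in range(0, len(token), MAX_COOKIE_VALUE)]
    cookies = {f"{name}_chunks": str(len(parts))}
    cookies.update({f"{name}_{i}": part for i, part in enumerate(parts)})
    return cookies


def reassemble_session_cookie(name: str, cookies: Dict[str, str]) -> Optional[bytes]:
    """Rebuild the token from the request cookies; None if a chunk is missing or the MAC fails."""
    if name in cookies:
        return _verify(cookies[name])
    try:
        count = int(cookies[f"{name}_chunks"])
        token = "".join(cookies[f"{name}_{i}"] for i in range(count))
    except (KeyError, ValueError):
        return None
    return _verify(token)
```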
Dependencies
- starting with version 2.0 this module depends on an external library, `cjose` (https://github.com/cisco/cjose), for all JOSE related operations, e.g. `id_token`/JWT verification/signing
- support OpenSSL 1.1.x as well as older versions