github OpenIDC/mod_auth_openidc v2.0.0
release 2.0.0


Release 2.x is mainly focused on security improvements and refactoring; its configuration is backwards compatible with 1.x. The module now depends on the external library cjose for all crypto-related operations. Packages of cjose version 0.4.1 for all platforms are included in the Downloads section of this release.

Security

  • use signed and encrypted JWTs for state cookies and for session data in the cookie/memcache/redis/file backends - this means that e.g. a shared memcache cluster can be used without the session data being readable or writeable by third parties that have access to the cache
  • limit the maximum POST data size to 1 MB

Bugfixes

  • use AUTHZ_DENIED in Apache v2.4 oidc_authz_checker; closes #151; thanks @gwollman
  • use stricter input parsing validation functions on both single-provider static configurations and multi-provider metadata configurations
  • fix front-channel img-style logout with newer versions of PingFederate
  • fix directory config merging so values can be set back to their default values in sub directories; closes #170 ; thanks @carldini
  • don't add our own cookies to the incoming headers

Features

  • add support for chunked session cookies; closes #153; thanks @glatzert - client-side-only session state (OIDCSessionType client-cookie) can now be used without the risk of running over browser cookie size limits, which was easy to hit before
  • support TLS client authentication to the token and introspection endpoints with OIDCClientTokenEndpointCert/OIDCClientTokenEndpointKey and OIDCOAuthIntrospectionEndpointCert/OIDCOAuthIntrospectionEndpointKey
  • support preserving POST data across authorization and discovery requests with OIDCPreservePost - this allows for preserving posted form data across re-authentication roundtrips triggered by session timeouts
  • allow passing the refresh token to the application with OIDCPassRefreshToken; thanks Amit Joshi
  • allow setting the token endpoint authentication method for Dynamic Client Registration in multi-provider setups in the .conf file with token_endpoint_auth
  • allow stripping cookies to the application/backend with OIDCStripCookies
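
As an added example, not taken from this release page or from the mod_auth_openidc project's own documentation, the following Apache virtual host fragment shows how the directives introduced above fit together: client-cookie sessions (kept within cookie size limits by the new chunking), the alternative of a shared memcache backend that is safe to use now that session data is stored as an encrypted JWT, TLS client authentication to the token endpoint, POST preservation, refresh token pass-through and cookie stripping. Hostnames, file paths, the client ID/secret and the memcache server list are placeholders; the comment on OIDCCryptoPassphrase reflects my understanding that this directive keys the module's cookie and session encryption, and is an assumption rather than something stated in the release notes.

```apache
# Added example, not part of the release notes or the project's own docs.
# All hostnames, paths and credentials below are placeholders.

LoadModule auth_openidc_module modules/mod_auth_openidc.so

<VirtualHost *:443>
    ServerName app.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/app.example.com.key

    # Single static provider; the 2.x input validation applies to these values too.
    OIDCProviderMetadataURL https://op.example.com/.well-known/openid-configuration
    OIDCClientID     my-client
    # Placeholder: use a real secret, or rely on the TLS client certificate below.
    OIDCClientSecret replace-me

    # Must sit inside the protected location below.
    OIDCRedirectURI https://app.example.com/protected/redirect_uri

    # Assumption: this passphrase derives the key used to sign and encrypt the
    # state cookies and session data mentioned in the Security section.
    OIDCCryptoPassphrase "replace-with-a-long-random-string"

    # Option A: client-side-only session state. Chunked cookies (new in 2.0.0)
    # keep this below browser cookie size limits.
    OIDCSessionType client-cookie

    # Option B: server-side sessions in a shared memcache cluster. Because the
    # stored session data is an encrypted JWT, other tenants of the cluster
    # cannot read or forge it. Uncomment these and comment out Option A.
    #OIDCSessionType    server-cache
    #OIDCCacheType      memcache
    #OIDCMemCacheServers "memcache1.internal:11211 memcache2.internal:11211"

    # TLS client authentication to the token endpoint (new in 2.0.0).
    OIDCClientTokenEndpointCert /etc/apache2/oidc/client.crt
    OIDCClientTokenEndpointKey  /etc/apache2/oidc/client.key

    # The same for the introspection endpoint when this server also acts as an
    # OAuth 2.0 resource server (AuthType oauth20).
    #OIDCOAuthIntrospectionEndpointCert /etc/apache2/oidc/rs.crt
    #OIDCOAuthIntrospectionEndpointKey  /etc/apache2/oidc/rs.key

    # Keep posted form data across a re-authentication round trip triggered
    # by a session timeout.
    OIDCPreservePost On

    # Only enable this if the backend genuinely needs the refresh token; it is
    # a long-lived credential and the module can refresh on its own.
    OIDCPassRefreshToken On

    # Do not forward the module's own session cookie to the backend application.
    OIDCStripCookies mod_auth_openidc_session

    <Location /protected>
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>
```

Option A and Option B are mutually exclusive; pick one. With Option B, the memcache servers still need network-level access control, since encryption protects the confidentiality and integrity of session data but not its availability.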

Dependencies

  • starting with version 2.0 this module depends on the external library cjose (https://github.com/cisco/cjose) for all JOSE-related operations, e.g. id_token/JWT signing and verification
  • support OpenSSL 1.1.x as well as older versions
