Bugfixes
- fix memory leak in oidc_jwk_to_json when repeatedly downloading keys from the jwks_uri
- fix JWT verification with multiple keys when no kid is present; closes #184; thanks @solsson
- use private_key_jwt client authentication only if a private key is configured; closes #189; thanks @solsson
- return error on session cache failure; closes #185; thanks @solsson
- handle non-integer exp/iat timestamps in JWTs; closes #187; thanks @drdivano
- don't include encryption keys from the jwks_uri when verifying JWTs with no kid specified
- fix A128KW/A192KW encryption key truncation for keys derived from the client secret requiring a key size < 256 bits
- truncate (metadata) files before (over)writing them
- fix null pointer segfault in debug printout in oidc_util_read_form_encoded_params
- fix parsing issue that would affect OIDCClientJwksUri usage in dynamic client registration
- urlencode provider URL cache key to fix file cache backend issue; closes #179, thanks @djahandarie
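Two of the JWT edge cases fixed above, shown as an added Python example (this is not mod_auth_openidc code, which is written in C): deriving a symmetric JWE key from the client secret with the digest truncated to the key size the algorithm needs, and accepting non-integer exp/iat values. The derivation rule (left-most bits of the SHA-256 digest of the UTF-8 client secret for key sizes up to 256 bits) is the one in OpenID Connect Core 1.0 section 10.2 as assumed here; the function and constant names are the example's own.

```python
import hashlib
import numbers
import time

# Key sizes in bits for the AES key-wrap algorithms (RFC 7518 section 4.4).
KEY_WRAP_BITS = {"A128KW": 128, "A192KW": 192, "A256KW": 256}


def derive_client_secret_key(client_secret: str, alg: str) -> bytes:
    """Derive the symmetric JWE key-wrap key from client_secret.

    Assumption (OIDC Core 1.0 section 10.2): for key sizes up to 256 bits the
    key is the left-most bits of the SHA-256 digest of the UTF-8 client secret.
    A256KW uses the whole 32-byte digest; A128KW and A192KW need it truncated
    to 16 and 24 bytes, otherwise AES key wrap is handed a key of the wrong size.
    """
    bits = KEY_WRAP_BITS[alg]
    digest = hashlib.sha256(client_secret.encode("utf-8")).digest()
    return digest[: bits // 8]


def numeric_date(value) -> float:
    """Parse a NumericDate claim (RFC 7519 section 2).

    NumericDate is a JSON number and may carry a fractional part, so both int
    and float are accepted; bool (a subclass of int in Python), strings and
    None are rejected rather than silently coerced.
    """
    if isinstance(value, bool) or not isinstance(value, numbers.Real):
        raise ValueError("NumericDate must be a JSON number, got %r" % (value,))
    return float(value)


def check_time_claims(claims: dict, now: float = None, leeway: float = 0) -> bool:
    """Return True if the exp and iat claims (when present) are acceptable at 'now'."""
    now = time.time() if now is None else now
    if "exp" in claims and numeric_date(claims["exp"]) + leeway < now:
        return False  # token expired
    if "iat" in claims and numeric_date(claims["iat"]) - leeway > now:
        return False  # token issued in the future
    return True


if __name__ == "__main__":
    print(derive_client_secret_key("secret", "A128KW").hex())
    # Constructed claim set with a fractional exp, as some providers emit.
    print(check_time_claims({"exp": 1467000000.5, "iat": 1466999000}, now=1467000000))
```

The derivation takes the algorithm name rather than a key length so that the truncation point cannot drift from the advertised alg; a caller that passes a 32-byte key to an A128KW wrap is exactly the mistake the changelog entry describes.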
Features
- add remove_at_cache hook to invalidate cached access tokens, see #177
- support refreshing provider metadata based on timestamp and OIDCProviderMetadataRefreshInterval
- support for signed and/or encrypted Request URIs: http://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter
- support for signed and/or encrypted JWT responses returned from the userinfo endpoint: http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
- support WebFinger Discovery with URL-style user identifiers using the disc-user parameter
- support presenting the access token to the userinfo endpoint in a POST parameter with OIDCUserInfoTokenMethod
- handle aggregated and distributed claims returned from the userinfo endpoint: http://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims
- print a warning about invalid http(s) URLs in metadata
Security
- check that the sub claim returned from the userinfo endpoint matches the one in the id_token
- refuse WebFinger responses with an href value that is not on secure https
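Both security checks above, as an added Python example that is not part of the module (mod_auth_openidc itself is C). The userinfo check refuses to attach claims to a session unless the userinfo sub equals the id_token sub, so claims obtained with a substituted or unrelated access token never end up attributed to the authenticated user. The WebFinger check only accepts an issuer link whose href is an https URL with a host and no query or fragment, which is what OpenID Connect Discovery requires of an issuer identifier. The rel value is the one registered by OpenID Connect Discovery; the function names, exception class and sample documents are constructed for this example.

```python
from urllib.parse import urlparse

# rel value of the issuer link in a WebFinger JRD (OpenID Connect Discovery 1.0, section 2).
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


class ClaimsMismatch(Exception):
    """Raised when userinfo claims do not belong to the id_token subject."""


def merge_userinfo_claims(id_token_claims: dict, userinfo_claims: dict) -> dict:
    """Return id_token claims extended with userinfo claims, or raise.

    The userinfo response is only trusted as a claim source for the user
    identified by the id_token; a missing or different sub is an error, not
    something to log and continue from. On conflicts the id_token value wins,
    because it was signature-verified by the RP itself.
    """
    id_sub = id_token_claims.get("sub")
    ui_sub = userinfo_claims.get("sub")
    if not isinstance(id_sub, str) or not id_sub:
        raise ClaimsMismatch("id_token has no usable sub claim")
    if not isinstance(ui_sub, str) or ui_sub != id_sub:
        raise ClaimsMismatch("userinfo sub %r does not match id_token sub %r" % (ui_sub, id_sub))
    merged = dict(userinfo_claims)
    merged.update(id_token_claims)
    return merged


def issuer_from_webfinger(jrd: dict) -> str:
    """Extract the OpenID issuer from a WebFinger JRD, enforcing https.

    Rejects an href that is not https, has no host, or carries a query or
    fragment (an issuer identifier must not contain either). A plain-http
    issuer would let an on-path attacker supply provider metadata.
    """
    for link in jrd.get("links", []):
        if link.get("rel") != OIDC_ISSUER_REL:
            continue
        href = link.get("href")
        if not isinstance(href, str):
            raise ValueError("issuer link without href")
        parsed = urlparse(href)
        if parsed.scheme != "https" or not parsed.netloc:
            raise ValueError("issuer href is not a secure https URL: %r" % href)
        if parsed.query or parsed.fragment:
            raise ValueError("issuer href must not contain a query or fragment: %r" % href)
        return href
    raise ValueError("no OpenID issuer link in WebFinger response")


if __name__ == "__main__":
    # Constructed sample documents.
    id_token = {"iss": "https://op.example.com", "sub": "248289761001", "email_verified": True}
    userinfo = {"sub": "248289761001", "name": "Jane Doe", "email": "jane@example.com"}
    print(merge_userinfo_claims(id_token, userinfo))
    jrd = {"subject": "acct:jane@example.com",
           "links": [{"rel": OIDC_ISSUER_REL, "href": "https://op.example.com"}]}
    print(issuer_from_webfinger(jrd))
```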
Other
- added test/oidc-rp-certification.sh script to run OIDC RP certification tests
- changes in logging so that results can be analyzed more easily in the oidc-rp-certification.sh script
- added test/test-cmd tool to have command-line access to various JOSE-related operations