github OpenIDC/mod_auth_openidc v2.1.0
release 2.1.0

7 years ago

Bugfixes

  • fix memory leak in oidc_jwk_to_json when repeatedly downloading keys from the jwks_uri
  • fix JWT verification with multiple keys when no kid is present; closes #184; thanks @solsson
  • use private_key_jwt client authentication only if a private key is configured; closes #189; thanks @solsson
  • return error on session cache failure; closes #185; thanks @solsson
  • handle non-integer exp/iat timestamps in JWTs; closes #187; thanks @drdivano
  • don't include encryption keys from the jwks_uri when verifying JWTs with no kid specified
  • fix A128KW/A192KW encryption key truncation for keys derived from the client secret requiring a key size < 256 bits
  • truncate (metadata) files before (over)writing them
  • fix null pointer segfault in debug printout in oidc_util_read_form_encoded_params
  • fix parsing issue that would affect OIDCClientJwksUri usage in dynamic client registration
  • urlencode provider URL cache key to fix file cache backend issue; closes #179, thanks @djahandarie

Features

Security

  • check that a sub claim returned from the userinfo endpoint matches the one in the id_token
  • refuse webfinger responses with an href value that does not use secure https

Other

  • added test/oidc-rp-certification.sh script to run OIDC RP certification tests
  • changes in logging so that results can be analyzed more easily in the oidc-rp-certification.sh script
  • added test/test-cmd tool to have command-line access to various JOSE-related operations
