Features
- improved support for Single Page Applications, see here and here
- add session info hook that is configurable through OIDCInfoHook
- add AuthType auth-openidc option that allows both oauth20 and openid-connect behaviours on the same path
- add encryption for all cache entries instead of just session data through OIDCCacheEncrypt
- add cookie SameSite flag/policy through OIDCCookieSameSite
- return HTTP 200 on OPTIONS requests to (unauthenticated) oauth20 paths
- add fallback to a by-value session cookie if the primary session cache fails with OIDCSessionCacheFallbackToCookie
- add support for black- and/or white-listing claims with OIDCBlackListedClaims and OIDCWhiteListedClaims
Bugfixes
- fix clearing chunked session cookies on logout; closes #246; thanks @Jharmuth
- fix removing session state from cache on logout
Experimental
- add prototype token binding support in conjunction with mod_token_binding, see here
  - for state & session cookies, see here
  - for ID tokens with OpenID Connect Token Bound Authentication support
  - for Authorization Codes with OAuth 2.0 Token Binding for Authorization Codes
Packaging Notes
- the name of the cjose dependency changed for Debian and Ubuntu releases to be in line with the name in the official distributions: libcjose0; so an update to 2.2.0 via the provided packages requires re-installing the renamed libcjose0 package; you can use the binaries attached to this release or use the one in the Debian/Ubuntu distributions as long as you have version >= 0.4.1; that also holds for CentOS/Fedora
- the name of Debian and Ubuntu packages is more explicit now about the distribution that it is intended for; Ubuntu Wily packages can also be used on Xenial and Yakkety
- CentOS 6 RPMs depend on libhiredis-0.12 now, e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/