OpenIDC/mod_auth_openidc v2.3.4

release 2.3.4

on GitHub

Bugfixes

• add Cache-Control no-cache response header to authorization requests to avoid replays of state/nonce from the browser's cache; see #321
• avoid crash when a relative logout URL parameter is passed in; thanks Vivien Delenne
• interpret X-Forwarded-Host when doing XSRF protection on the after-logout URL; see #341; thanks @PePe79
• fix bug where endpoint authentication method private_key_jwt would not co-exist with none

Features

• add support for passing an access token in a HTTP Basic authentication password; thanks @puiterwijk
• add explicit endpoint authentication method bearer_access_token
• send session management Javascript logging to debug; thanks @kerrermanisNL

Other

• correct documentation on kid usage for OIDCOAuthVerifyCertFiles; closes #318
• fix compiler warnings for OpenSSL 1.1.x

Packaging

• the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
• Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise