This release primarily addresses upcoming changes in SameSite Set-Cookie behaviour in Chrome and Firefox, see: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
Features
- always add a SameSite value (default None) to the
Set-Cookieheader value; this can be overridden by using the environment variableOIDC_SET_COOKIE_APPEND, e.g.:
SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=; - add the possibility to use a public key instead of a certificate for
OIDCPublicKeyFilesparameter; thanks @absynth76 - support login with OIDC session management; address #456; thanks Paolo Battino
- support 407 option on
OIDCUnAuthAction; thanks @dfsin-sa
Bugfixes
- fix parsing of values from metadata files when the default is non-NULL (e.g. UNSET)
- enforce
OIDCIDTokenSignedResponseAlgandOIDCUserInfoSignedResponseAlg; see #435 - changed storing POST params from localStorage to sessionStorage due to some issue of losing data in localStorage in Firefox (private mode); see #447 #441
- improve validation of the post-logout URL to avoid an open redirect; closes #449
- unset chunked cookies if setting a non-chunked cookie; thanks @alindeman
Other
- make cleaning of expired state cookies log with a warning rather than an error; thanks Pavel Drobov
- return
200 OKfor backchannel logout if session not found - added an Alpine Linux Dockerfile =~ 20MB container size; thanks @absynth76
- try to fix graceful restart crash; see #458; thanks @studersi
Packaging
- the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section in release 2.4.0
- Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful
- packages for various other platforms such as Redhat Enterprise Linux 6, Redhat Enterprise Linux 7 Power PC (ppc64, ppc64le), older Debian distro's, SUSE LInux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64bit are available under a commercial agreement via support@zmartzone.eu
This release was made possible thanks to sustaining sponsor GLUU.