This release improves prevention of state cookies piling up (e.g. for Single Page Applications) by interpreting Sec-Fetc-* headers provided by modern browsers. This also means that - by default - authentication in an iframe is prevented, which may impact existing deployments.
Features
- add check for
Sec-Fetch-Destheader != "document" value andSec-Fetch-Modeheader != "navigate" to auto-detect requests that are not capable of handling an authentication round trip to the Provider; see #714; thanks @studersi - add redirect/text options to
OIDCUnAutzAction; see #715; thanks @chrisinmtown - log require claims failure on info level
- backport
ap_get_exec_line, supporting theexec:option inOIDCCryptoPassphraseto Apache 2.2
Bugfixes
- return
HTTP 200forOPTIONSrequests inauth-openidcmixed mode - don't apply claims based authorization for
OPTIONSrequests so paths protected withRequire claimdirectives will now also returnHTTP 200forOPTIONSrequests - fix memory leak when parsing JWT access token fails (in RS mode)
- fix regexp substition crash using
OIDCRemoteUserClaim; thanks @nneul; closes #720
Packaging
- complete usage of autoconf/automake; see #674
- add .deb for Debian Bullseye
Commercial
- binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via sales@zmartzone.eu
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@zmartzone.eu