github OpenIDC/mod_auth_openidc v2.4.14
release 2.4.14


Deprecated

  • OIDCHTMLErrorTemplate is now deprecated in favour of standard Apache error handling capabilities; the environment variable strings REDIRECT_OIDC_ERROR and REDIRECT_OIDC_ERROR_DESC have been made available for use in ErrorDocument, see: https://httpd.apache.org/docs/2.4/custom-error.html; backwards compatibility is retained by setting OIDCHTMLErrorTemplate to the value deprecated
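
As an added illustration of the ErrorDocument-based approach (this is example code, not part of this release or of the mod_auth_openidc code base): a CGI script that renders the error page from the REDIRECT_OIDC_ERROR and REDIRECT_OIDC_ERROR_DESC variables, HTML-escaping both values since the description can originate from the OP's error response and should never be reflected unescaped. The ErrorDocument status codes, the ScriptAlias path and the script name in the comment block are assumptions.

```shell
#!/bin/sh
# Assumed httpd configuration (not from the release notes):
#
#   ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
#   ErrorDocument 401 /cgi-bin/oidc-error.sh
#   ErrorDocument 500 /cgi-bin/oidc-error.sh
#
# When httpd serves an ErrorDocument it re-exposes the failed request's
# environment with a REDIRECT_ prefix, so the OIDC_ERROR and OIDC_ERROR_DESC
# strings set by mod_auth_openidc arrive here as REDIRECT_OIDC_ERROR and
# REDIRECT_OIDC_ERROR_DESC.

# HTML-escape one string so an OP-supplied error description cannot inject markup.
html_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e 's/"/\&quot;/g' -e "s/'/\&#39;/g"
}

# Render the page body from the error code and description; both are taken as
# arguments (rather than read from the environment directly) so the function
# can be exercised outside of httpd.
render_error_page() {
  err=$(html_escape "${1:-unknown_error}")
  desc=$(html_escape "${2:-No description provided.}")
  printf '<!DOCTYPE html>\n<html><head><title>Sign-in error</title></head><body>\n'
  printf '<h1>Sign-in error</h1>\n<p><b>%s</b>: %s</p>\n</body></html>\n' "$err" "$desc"
}

# Emit a CGI response only when actually invoked by httpd (GATEWAY_INTERFACE is
# set in the CGI environment); sourcing the file elsewhere prints nothing.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
  printf 'Content-Type: text/html; charset=utf-8\n\n'
  render_error_page "${REDIRECT_OIDC_ERROR:-}" "${REDIRECT_OIDC_ERROR_DESC:-}"
fi
```

Note that the REDIRECT_* variables are only visible to handlers that receive the request environment (CGI, SSI, PHP and the like); a static ErrorDocument cannot show them.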

Bugfixes

  • fix session cookie decompression error with OIDCSessionType client-cookie; closes #1046; thanks @oss-aimoto
  • properly respect use attribute (i.e. sig and enc) in signing, verification and encryption JWK sets
  • don't immediately refresh JWKs from (signed_)jwks_uri if kid was not set in the JWT header, but look them up in the cache first
  • return HTTP 40<x> instead of HTTP 200 on all authorization error responses
  • make sure mod_auth_openidc runs before mod_proxy so calls to the redirect URI are never proxied and no separate <Location> directive or ProxyPass exception for OIDCRedirectURI is required (anymore) in proxied configs
  • return the OP Discovery page in the content handler phase so regular Apache processing applies to the HTTP/HTML response
  • fix memory leak when using JQ-based expressions in Require claims_expr
  • OIDCUnAutzAction auth for step-up authentication now immediately returns an HTTP 302 instead of an HTTP 200 HTML page with a meta refresh tag and a Location header
  • fix OIDCUnAutzAction 403 so it does not rely on AuthzSendForbiddenOnFailure to return HTTP 403, see #795
  • fix crash when using a multi-provider setup and Provider has signed_jwks_uri set but the conf file does not define signed_jwks_uri_key
  • correct return value from oidc_cache_shm_destroy to avoid misleading "cache destroy function failed" error messages
  • preserve linefeeds in text areas used with OIDCPreservePost On
  • add resilience for corrupted discovery metadata and jwks_uri cache entries
  • cater for libapr/libapr-util version 1.2.x

Features

  • use compressed serialized JSON for encrypted state- and session cookies and cache entries, reducing their size; thanks @hihellobolke
  • support configuration of dedicated signing and encryption keys in the primitives:
    OIDCPublicKeyFiles, OIDCPrivateKeyFiles, OIDCProviderVerifyCertFiles, OIDCOAuthVerifySharedKeys and OIDCOAuthVerifyCertFiles by using the prefix sig: or enc: in the value
  • add support for passing on claims resolved from the userinfo endpoint in a JWT signed by mod_auth_openidc using OIDCPassUserInfoAs signed_jwt[:<name>] with an RSA or Elliptic Curve key
  • add OIDCFilterClaimsExpr that allows for processing claims before storing them in the session, after applying (optional) blacklisting/whitelisting on the toplevel keys; available only when compiled with libjq support
  • add support for OIDCUserInfoClaimsExpr that allows for processing claims returned from the userinfo endpoint with a JQ-based expression before propagating them according to OIDCPassUserInfoAs claims | json | signed_jwt (i.e. does not work for OIDCPassUserInfoAs jwt); available only when compiled with libjq support
  • allow OIDCPassUserInfoAs and OIDCPassIDTokenAs directives in <Location>/<Directory> contexts; also fixes resetting back to claims in vhosts for the latter
  • add support for overriding the default header/environment variable names in OIDCPassUserInfoAs (json|jwt)[:<name>]
  • support calling the refresh token grant before doing RP-initiated logout; may be used to supply a (fresh or non-cached) id_token_hint logout request parameter
  • add options to avoid revoking tokens before logout, as some OPs may kill their SSO session on revocation, which would make the subsequent logout fail
  • add support for returning the serialized id_token as id_token_hint from the info hook
  • increase default OIDCCacheShmMax setting to 10000
  • add exec support to OIDCClientSecret; see #1056; thanks @sealor

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via sales@openidc.com
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com
