github OpenIDC/mod_auth_openidc v2.4.14.1

latest releases: v2.4.14.2,
12 days ago


  • fix RequireAny behaviour on 401/403/302: revert 9d6192b for non-stepup authentication cases
    as the first non-matching Require claim directive would immediately lead to an authorization error instead of continuing to process all Require statements to match any of those
  • make OIDCUnautzAction 302|auth (i.e. step up authentication) work with multiple/nested Require claim expressions e.g. using RequireAny and Require not claim
  • fix refreshing claims from the userinfo endpoint when no id_token claims are stored in the session since environment variable OIDC_DONT_STORE_ID_TOKEN_CLAIMS_IN_SESSION has been set
  • fix memory leak when refreshing claims from the userinfo endpoint


  • to make OIDCUnAutzAction 403 actually return 403 in Apache 2.4 it also needs AuthzSendForbiddenOnFailure again, i.e. the fix in 2.4.14 for it was reverted


  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via

Don't miss a new mod_auth_openidc release

NewReleases is sending notifications on new releases.