github OpenIDC/mod_auth_openidc v2.4.16.6
release 2.4.16.6

Bugfixes

  • metadata: fix caching of JWKs from jwks_uri when using the default expiry setting (i.e. not using OIDCJWKSRefreshInterval) and avoid fetching JWKs from the jwks_uri on each user login; also addresses Redis cache error entries in the log [ERR invalid expire time in 'setex' command] (regression in 2.4.16-2.4.16.5)
  • info: fix requests to the info hook with extend_session=false; see #1279; thanks @fnieri-cdp
    • properly reflect the (unmodified) inactivity timeout in the response (in the timeout claim)
    • avoid refreshing an access token (since the session is not saved)
    • avoid refreshing claims from the user info endpoint, and possibly refreshing the access token
  • cookie: make Lax the default behaviour for OIDCCookieSameSite
  • cookie: apply OIDCCookieSameSite Off/None properly to state cookies instead of always setting Lax
  • cache: avoid a segfault and improve error reporting in case apr_temp_dir_get fails because no temp directory can be found on the system when initializing cache mutexes and the file cache; see #1288; thanks @ErmakovDmitriy

Features

  • cookie: allow specific settings Strict|Lax|None|Disabled for OIDCCookieSameSite in addition to On(=Lax)|Off(=None)
    • re-introduces the option to configure a Strict SameSite session cookie policy, which turns the initial Lax session cookie - set upon receiving the response to the Redirect URI - into a Strict session cookie immediately after the first application request
    • allows for a Disabled value that does not set any SameSite attribute on the cookies, in which case the browser falls back to its default behaviour (which should be Lax by spec)
  • http: add an option to set the local address for outgoing HTTP requests, e.g. using SetEnvIfExpr true OIDC_CURL_INTERFACE=192.168.10.2; see #1283; thanks @studersi
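To check what the new OIDCCookieSameSite values actually produce on the wire, here is an added example (not code from the mod_auth_openidc project) that parses Set-Cookie headers, derives the policy a browser will enforce (no attribute falls back to Lax, SameSite=None without Secure is rejected by browsers) and verifies the Lax-then-Strict upgrade of the session cookie described above; the header values and the session cookie name are constructed sample input.

```python
from dataclasses import dataclass, field
from typing import Optional

# SameSite values a browser understands; OIDCCookieSameSite Disabled sends none of them.
KNOWN = {"strict": "Strict", "lax": "Lax", "none": "None"}

@dataclass
class CookiePolicy:
    name: str
    samesite: Optional[str]       # attribute as sent, None when absent
    secure: bool
    effective: str                # what a browser will actually enforce
    problems: list = field(default_factory=list)

def parse_set_cookie(header: str) -> CookiePolicy:
    """Parse one Set-Cookie header value and work out the effective SameSite policy."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    samesite, secure, problems = None, False, []
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "samesite":
            samesite = KNOWN.get(value.lower())
            if samesite is None:
                problems.append(f"unknown SameSite value {value!r}, browser treats as absent")
        elif key == "secure":
            secure = True
    # No (valid) attribute, i.e. OIDCCookieSameSite Disabled: browsers default to Lax.
    effective = samesite or "Lax"
    # SameSite=None is only honoured on Secure cookies; otherwise the cookie is dropped.
    if samesite == "None" and not secure:
        problems.append("SameSite=None without Secure: browser will reject the cookie")
        effective = "rejected"
    return CookiePolicy(name, samesite, secure, effective, problems)

def strict_upgrade_ok(redirect_header: str, app_header: str) -> bool:
    """Strict flow: Lax on the Redirect URI response, Strict on the first application request."""
    first, second = parse_set_cookie(redirect_header), parse_set_cookie(app_header)
    return (first.name == second.name and first.effective == "Lax"
            and second.effective == "Strict" and not second.problems)

# Constructed sample headers (cookie name assumed), not captured from a real deployment.
REDIRECT_RESPONSE = "mod_auth_openidc_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
FIRST_APP_RESPONSE = "mod_auth_openidc_session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"
BROKEN_NONE = "mod_auth_openidc_session=abc123; Path=/; HttpOnly; SameSite=None"
DISABLED = "mod_auth_openidc_session=abc123; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for h in (REDIRECT_RESPONSE, FIRST_APP_RESPONSE, BROKEN_NONE, DISABLED):
        print(parse_set_cookie(h))
    print("strict upgrade:", strict_upgrade_ok(REDIRECT_RESPONSE, FIRST_APP_RESPONSE))
```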

Other

  • metadata: allow plain HTTP URLs in metadata elements jwks_uri and signed_jwks_uri to ensure backwards compatibility with <=2.4.15.7 and to support private/test deployments
  • code: address warnings from static code analysis tool CodeChecker
  • init: try and address the metrics cleanup segmentation fault on shutdown by not flushing metrics to the shared memory segment upon exit; see #1207

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64-bit/32-bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, SUSE Linux, Amazon Linux 2023, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via sales@openidc.com
  • support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via sales@openidc.com