Bugfixes
- metadata: fix caching of JWKs from
jwks_uri
when using the default expiry setting (i.e. not usingOIDCJWKSRefreshInterval
) and avoid fetching JWKs from thejwks_uri
for each user login; also addresses Redis cache error entries the log[ERR invalid expire time in 'setex' command]
(regression in 2.4.16-2.4.16.5) - info: fix requests to the info hook with
extend_session=false
; see #1279; thanks @fnieri-cdp- properly reflect the (unmodified) inactivity timeout in the response (in the
timeout
claim) - avoid refreshing an access token (since the session is not saved)
- avoid refreshing claims from the user info endpoint, and possibly refreshing the access token
- properly reflect the (unmodified) inactivity timeout in the response (in the
- cookie:
OIDCCookieSameSite
default behaviourLax
- cookie: apply
OIDCCookieSameSite Off/None
properly to state cookies instead of always settingLax
- cache: avoid segfault and improve error reporting in case
apr_temp_dir_get
fails when a temp directory cannot be found on the system upon initaliizing cache mutexes and the file cache; see #1288; thanks @ErmakovDmitriy
Features
- cookie: allow specific settings
Strict|Lax|None|Disabled
forOIDCCookieSameSite
in addition toOn(=Lax)|Off(=None)
- re-introduces the option to configure a
Strict
SameSite session cookie policy, which will turn the initialLax
session cookie - set upon receving the response to the Redirect URI - into aStrict
session cookie immediately after the first application request - cookie: allows for a
Disabled
value that does not set any SameSite flag on the cookies, in which case a browser falls back to its default browser behaviour (which should beLax
by spec)
- re-introduces the option to configure a
- http: add option to set local address for outgoing HTTP requests; see #1283; thanks @studersi using e.g.
SetEnvIfExpr true OIDC_CURL_INTERFACE=192.168.10.2
Other
- metadata: allow plain HTTP URLs in metadata elements
jwks_uri
andsigned_jwks_uri
to ensure backwards compatibility with <=2.4.15.7 and to support private/test deployments - code: address warnings from static code analysis tool CodeChecker
- init: try and address metris cleanup segmentation fault on shutdown; see #1207 by not flushing metrics to the shared memory segment upon exit
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, SUSE Linux, Amazon Linux 2023, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via sales@openidc.com
- support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via sales@openidc.com