Note that this release changes the internal session format in a backwards incompatible way so existing sessions are invalid.
Features
- cookie: support individual SameSite cookie settings on the session cookie, state cookie and Discovery CSRF cookie by adding 2 more arguments to
OIDCCookieSameSite - id_token: add
offoption toOIDCPassIDTokenAsso no claims from the ID token will be passed on - passphrase: generate a crypto key when
OIDCCryptoPassphraseis not set
note that theOIDCCryptoPassphrasedoes need to be configured statically if you want sessions to survive server restarts, or for a cluster that shares a session storage backend
Bugfixes
- metadata: avoid double-free when validation of provider metadata fails
- response: avoid proto state memory leaks upon errors in response processing
- util/key.c: check for unsupported symmetric key hashing algorithms and avoid a memory leak in such cases
- session: remove expired session from cache with
oidc_session_killinstead of just clearing it
Other
- performance: store claims from the
id_tokenanduserinfoendpoint as JSON objects in the session - rather than strings - and avoid parsing/serializing overhead; results in up to 7% performance increase, depending on the number of claims stored; changes the internal session format in a backwards incompatible way so existing sessions are invalid! - memory: rewrite
pconfpool memory allocation handling to avoid increasing memory (pool) consumption over graceful restarts - drop support for Apache 2.2
- redis: use
SET..EX %dwhen storing cached data instead of the deprecatedSETEX - session/cookie: save 20-40 bytes on the session and
client-cookiesize - request: set the
OIDC_ERRORvariables when PAR is configured but not enabled by the Provider - code: avoid compiler warnings on
curl_easy_setoptinhttp.c - test: add more unit tests in
test/test_*.cand migrate proto tests fromtest.c
Commercial
- binary packages for various other platforms such as Microsoft Windows, Red Hat Enterprise Linux 7, older Ubuntu and Debian distros, Oracle HTTP Server 12.x/14.x and IBM HTTP Server 9.x, are available under a commercial agreement via sales@openidc.com
- support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via sales@openidc.com
The RPM packages below are signed with the following RSA PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBGh53lgBCADCyoOkfnE5h5rBLlf02oFpI/z2vUXK5W4T56xnNPu0/iIOxbBk
YX9rSypZFhfjv28lhGgelWEg28Ab/Yxs6l0obCgDEuFUDQ5Dv+N+YSMy67vtLwYW
9LM5p9fMN9bXOa62PwvtzRzh+xRyRBcIfMacGJC+SqUK6QhzC0lNwCsr1OaWjzon
mkaodwrloNMxEZVvFn63PvuQDZ3wwQty+0XpYiiChMssGBn6nmPDQJ7pDtQDkhfD
Z5FKY6K7AQJ4fneiVCLGngPBwTXBGcfWa+Y0HCS2ghQwDO6jYXd5GjowVDTjfMK3
QJ3e26Ox9X3V0Fl04R1i5EthEkAWGfy1lksvABEBAAG0HU9wZW5JREMgPHN1cHBv
cnRAb3BlbmlkYy5jb20+iQFRBBMBCgA7FiEEFdjWJA1IGDkAITSxnyZY1L0OSOMF
Amh53lgCGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQnyZY1L0OSONG
Jgf+II0wG96R0g28Kp+R4AYzSdX0CEqr6OhwHHw4cFpLsHxZNhojo7I4OnLKEdfc
lFl37rE+hG3QpzD/b4S/fpPjd4hcLkguBQxtdxqZZVAIT8HWbveHRkI8MNnjOPwv
Hy6jBncMs1IT/URV2si/Q34+PLo8tvo/lXNa16svVl2DoYXO8MCszgCE1bx055EF
XPh4Teu5Y4OLHECSicMxrmN746dAD121zy4bLLx9mZ0erhLjvkj1vkFmlHFKyvwY
/pbSqXs9hW/wweW1oQ/xEIJWWS71PeoutUBjr0WC4sILnR5PBPZplgNh297Qex6g
qaW3io0tCH9KxU1tXYn/iL/hbQ==
=mlOy
-----END PGP PUBLIC KEY BLOCK-----