Security
- state: fix an out-of-bounds read (and one-byte out-of-bounds write) in the state-cookie parser; a state-prefixed cookie token without a "=" scanned past the end of the token buffer; stop the scan at the string terminator
- util: parse Apache expressions with AP_EXPR_FLAG_RESTRICTED; the flags were combined with bitwise AND instead of OR, which left them at zero and dropped the RESTRICTED flag, so expressions in directives that are valid in .htaccess (OIDCUnAuthAction, OIDCUserInfoClaimsExpr, OIDCPathScope, OIDCPathAuthRequestParams) were parsed unrestricted
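The state-cookie item above is the classic "scan for a delimiter that may not be there" bug. The following is an added illustration, not the module's own parser: a cookie-token scan that bounds the search for "=" by both the ";" token separator and the string terminator, and that copies the value out instead of splitting the token in place, so a prefixed token without "=" can neither be read past its buffer nor patched with a NUL one byte beyond it. The function name, the prefix and the Cookie header strings are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Added example (hypothetical helper, not the module's code): scan a Cookie
 * header value of the form "n1=v1; n2=v2; ..." for the first cookie whose
 * name starts with `prefix` and copy its value into `out`.
 * Returns 1 when a value was copied, 0 when no such cookie exists or the
 * matching token has no "=" after its name. */
int find_prefixed_cookie_value(const char *cookies, const char *prefix,
                               char *out, size_t outlen) {
    size_t plen = strlen(prefix);
    const char *p = cookies;

    while (*p != '\0') {
        /* skip separators and whitespace between cookie tokens */
        while (*p == ';' || *p == ' ' || *p == '\t')
            p++;
        if (*p == '\0')
            break;

        const char *name = p;
        const char *eq = NULL;
        /* The token ends at ';' or at the terminator. The buggy form of this
         * scan looked only for '=' (while (*p != '=') p++;) and so ran past the
         * terminator whenever a prefixed token had no '=' at all. */
        while (*p != '\0' && *p != ';') {
            if (eq == NULL && *p == '=')
                eq = p;
            p++;
        }
        const char *end = p; /* one past the last character of this token */

        size_t nlen = (eq != NULL) ? (size_t)(eq - name) : (size_t)(end - name);
        if (nlen >= plen && strncmp(name, prefix, plen) == 0) {
            if (eq == NULL)
                return 0; /* prefixed token without "=": nothing to return */
            /* copy the value out; never write into the header buffer itself */
            size_t vlen = (size_t)(end - eq - 1);
            if (vlen >= outlen)
                vlen = outlen - 1;
            memcpy(out, eq + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
    }
    return 0;
}
```

The two guards that matter are the `*p != '\0'` condition in the inner loop and the early `return 0` for a token without "=": together they make the worst-case input (a prefixed name as the final token, with no "=") a clean miss rather than a read beyond the buffer.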
Bugfixes
- proto: when copying authorization request parameters into a request object (copy_from_request/copy_and_remove_from_request), no longer interpret the values of parameters that the OpenID Connect/OAuth 2.0 specifications define as strings (e.g. client_id, scope, nonce, state) as JSON, so a numeric value of such a parameter can no longer change type into a JSON integer; values of other parameters (e.g. claims, max_age) are still decoded as JSON with a fallback to string
- cache: copy the shm cache value out while holding the global lock instead of returning a pointer into the shared memory segment, so a concurrent set() in another process cannot tear the value after the lock is released
- cache: return failure from the cache mutex lock/unlock helpers when the underlying APR mutex operation fails; they previously always returned TRUE, so the callers' lock-failure guards never triggered and the code could access the shared cache without holding the lock
- proto: do not skip id_token signature validation for the "code" flow with algorithm "none" when an id_token signing algorithm has been pinned via OIDCIDTokenSignedResponseAlg; honor the pin and reject the unsigned token
- cache: always hash the memcache key so it satisfies memcached's key constraints (length, no whitespace/control chars) regardless of the key contents or whether OIDCCacheEncrypt is enabled
- cache: reject shm cache values at ">=" the available entry size so the NUL terminator always fits, removing reliance on struct alignment padding
- cache: NUL-terminate the shm cache entry key explicitly after strncpy to avoid an in-struct over-read when a key hits the maximum length
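Four of the cache items above (copy-out under the lock, lock helpers that report failure, the ">=" size check, and explicit NUL termination after strncpy) describe one fixed-size shared-memory slot layout. The block below is an added example, not the module's shm cache: a miniature cache with hypothetical sizes and names that exhibits all four properties, with a stand-in lock whose `fail` flag lets a caller simulate a failing APR mutex operation. All sample keys and values are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Added example (hypothetical layout, not the module's code): a fixed-size
 * cache slot as it would sit in a shared memory segment. */
#define CACHE_KEY_SIZE   32
#define CACHE_VALUE_SIZE 64
#define CACHE_SLOTS       4

typedef struct {
    char key[CACHE_KEY_SIZE];     /* always NUL-terminated, even when truncated */
    char value[CACHE_VALUE_SIZE]; /* strlen(value) < CACHE_VALUE_SIZE is enforced */
} cache_slot_t;

/* Stand-in for the global APR mutex; `fail` simulates a failing lock/unlock. */
typedef struct { int held; int fail; } cache_lock_t;

static int cache_lock(cache_lock_t *l) {
    if (l->fail) return 0;  /* report the failure rather than always returning TRUE */
    l->held = 1;
    return 1;
}

static int cache_unlock(cache_lock_t *l) {
    if (l->fail) return 0;
    l->held = 0;
    return 1;
}

typedef struct {
    cache_lock_t lock;
    cache_slot_t slots[CACHE_SLOTS];
} shm_cache_t;

/* Keys are compared on at most CACHE_KEY_SIZE - 1 characters, the part that
 * survives the truncating strncpy in shm_cache_set(). Call with the lock held. */
static cache_slot_t *find_slot(shm_cache_t *c, const char *key) {
    for (size_t i = 0; i < CACHE_SLOTS; i++)
        if (c->slots[i].key[0] != '\0' &&
            strncmp(c->slots[i].key, key, CACHE_KEY_SIZE - 1) == 0)
            return &c->slots[i];
    return NULL;
}

int shm_cache_set(shm_cache_t *c, const char *key, const char *value) {
    /* ">=" rather than ">": a value of exactly CACHE_VALUE_SIZE bytes would
     * leave no room for the terminator, whatever padding follows the array. */
    if (strlen(value) >= CACHE_VALUE_SIZE)
        return 0;
    if (!cache_lock(&c->lock))
        return 0;  /* never touch the segment without the lock */
    cache_slot_t *s = find_slot(c, key);
    for (size_t i = 0; s == NULL && i < CACHE_SLOTS; i++)
        if (c->slots[i].key[0] == '\0')
            s = &c->slots[i];
    int ok = 0;
    if (s != NULL) {
        strncpy(s->key, key, CACHE_KEY_SIZE);
        s->key[CACHE_KEY_SIZE - 1] = '\0'; /* strncpy omits the NUL on truncation */
        memcpy(s->value, value, strlen(value) + 1);
        ok = 1;
    }
    if (!cache_unlock(&c->lock))
        return 0;
    return ok;
}

/* Copies the value into caller-owned memory while the lock is held; handing
 * out a pointer into the segment would let a concurrent set() tear it later. */
int shm_cache_get(shm_cache_t *c, const char *key, char *out, size_t outlen) {
    if (!cache_lock(&c->lock))
        return 0;
    int found = 0;
    cache_slot_t *s = find_slot(c, key);
    if (s != NULL && strlen(s->value) < outlen) {
        memcpy(out, s->value, strlen(s->value) + 1);
        found = 1;
    }
    if (!cache_unlock(&c->lock))
        return 0;
    return found;
}

/* Bounded length of a stored key, for checking that a maximum-length key is
 * terminated inside its own array rather than in whatever follows it. */
size_t shm_cache_key_len(const shm_cache_t *c, size_t slot) {
    size_t n = 0;
    while (n < CACHE_KEY_SIZE && c->slots[slot].key[n] != '\0')
        n++;
    return n;
}
```

The lock helpers return 0 on failure and every caller checks that result before touching a slot; with helpers that always returned TRUE, the same guards would be dead code and the copy-out would run unlocked.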
Features
- cfg: allow OIDCProviderUserInfoEndpoint to be set to an empty value to explicitly disable calling the UserInfo Endpoint, even when one is advertised in the Provider's metadata document; see #1390; thanks @drpuur
- info: set Cache-Control: no-cache, no-store (and Pragma: no-cache) on the OIDCInfoHook response so the access/refresh/id token and session claims it may contain are not stored by the browser or an intermediary cache
Other
- oauth: warn when an introspection response omits the RFC 7662 "active" member, since token validity then relies solely on the expiry claim
- jose: enforce that the kid-selected key type matches the JWT/JWE algorithm on the kid lookup path too, not just the no-kid path (defense in depth against key/algorithm confusion; cjose already rejected the mismatch)
- doc: correct the sample auth_openidc.conf wrt. JWE/JWS algorithms
- config: remove the JWE/JWS algorithms from the config primitive help texts so that they cannot get out of sync: at startup the error message contains what is supported anyhow
- test: use a long symmetric key to work with cjose >= 0.6.2.6
Commercial
- redis-sentinel: support separate credentials for Sentinel vs. Redis with OIDCRedisCacheSentinelUsername and OIDCRedisCacheSentinelPassword
- commercial subscription-based support for large enterprise businesses is available via sales@openidc.com
- licensed binary packages for various other platforms such as Microsoft Windows, Red Hat Enterprise Linux 7, older Ubuntu and Debian distros, Oracle HTTP Server 12.x/14.x and IBM HTTP Server 9.x, are available under a commercial license and agreement via sales@openidc.com
- support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license and agreement via sales@openidc.com
The RPM packages below are signed with the following RSA PGP key: