Security
- fix potential crash when the
Content-Typeheader is not set in POST requests; thanks Tatsuhiko Yasumatsu of JPCERT/CC (CVE-2021-20718 and JVN#49704918)
Bugfixes
- avoid
jwt/proto_state json_objectmemory leaks on cache failures - when an OAuth 2.0 RS token scope/claim authorization (401 ) error occurs, add a
OIDC_OAUTH_BEARER_SCOPE_ERRORenvironment variable for usage with mod_headers, instead of adding a header ourselves; see #572; usage, e.g;
Note: if you're using mod_auth_openidc in OAuth 2.0 RS mode and your clients rely on theHeader always append WWW-Authenticate %{OIDC_OAUTH_BEARER_SCOPE_ERROR}e "expr=(%{REQUEST_STATUS} == 401) && (-n reqenv('OIDC_OAUTH_BEARER_SCOPE_ERROR'))"WWW-Authenticateheader the above is a breaking change, and you'll need to explicitly set that header now.
Features
- add options to configure Redis connectivity timeouts with
OIDCRedisCacheConnectTimeoutandOIDCRedisCacheTimeout - add
OIDCClientTokenEndpointKeyPasswordoption to set a private key password for the client's private key to be used against the token endpoint; see #576
Dependencies
libcjose >= 0.5.1
if your distribution does not providelibcjosein its package repository, recent packages for a number of platforms are available from the "Assets" section in release 2.4.0
Other
- binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via sales@zmartzone.eu
- support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via sales@zmartzone.eu