Name: apache2-mod_auth_openidc
Distribution: SUSE Linux 16
Version: 2.4.16.7
Vendor: SUSE LLC <https://www.suse.com/>
Release: 160000.1.2
Build date: Mon Feb 10 12:16:24 2025
Group: Productivity/Networking/Web/Servers
Build host: reproducible
Size: 851755
Source RPM: apache2-mod_auth_openidc-2.4.16.7-160000.1.2.src.rpm
Packager: https://www.suse.com/
Url: https://github.com/zmartzone/mod_auth_openidc/
Summary: Apache2.x module for an OpenID Connect enabled Identity Provider
This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
License: Apache-2.0
* Mon Feb 10 2025 pgajdos@suse.com
- version update to 2.4.16.7
  01/29/2025
  - add OIDCProfile to configure OpenID Connect profile behaviours for, so far "FAPI20" only, which configures: Authentication Request method, DPoP, PKCE, ID token aud values requirements, token endpoint JWT authentication "aud" values, "iss" parameter requirement in authentication responses

* Wed Dec 11 2024 pgajdos@suse.com
- version update to 2.4.16.6
  12/05/2024
  - metadata: fix caching of JWKs from jwks_uri when using the default expiry setting (i.e. not using OIDCJWKSRefreshInterval) and avoid fetching JWKs from the jwks_uri for each user login; also addresses Redis cache error entries in the log [ERR invalid expire time in 'setex' command]
  - avoid segfault and improve error reporting in case apr_temp_dir_get fails when a temp directory cannot be found on the system upon initializing cache mutexes and file cache; see #1288; thanks @ErmakovDmitriy
  11/21/2024
  - add option to set local address for outgoing HTTP requests; see #1283; thanks @studersi; using e.g. SetEnvIfExpr true OIDC_CURL_INTERFACE=192.168.10.2
  - try and address metrics cleanup segmentation fault on shutdown; see #1207; by not flushing metrics to the shared memory segment upon exit
  11/14/2024
  - allow specific settings Strict|Lax|None|Disabled for OIDCCookieSameSite in addition to On(=Lax)|Off(=None)
  - fix: default behaviour Lax
  - fix: apply OIDCCookieSameSite Off/None properly to state cookies instead of always setting Lax
  - re-introduces the option to configure a Strict SameSite session cookie policy, which will turn the initial Lax session cookie (set upon receiving the response to the Redirect URI) into a Strict session cookie immediately after the first application request
  - allows for a "Disabled" value that does not set any SameSite flag on the cookies, in which case a browser falls back to its default browser behaviour (which should be Lax by spec)
  11/07/2024
  - info: fix requests to the info hook with extend_session=false; see #1279; thanks @fnieri-cdp
  - properly reflect the (unmodified) inactivity timeout in the response ("timeout")
  - avoid refreshing an access token (since the session is not saved)
  - avoid refreshing claims from the user info endpoint, and possibly refreshing the access token
  10/23/2024
  - metadata: allow plain HTTP URLs in metadata elements `jwks_uri` and `signed_jwks_uri` to ensure backwards compatibility with <=2.4.15.7 and to support private/test deployments
  10/22/2024
  - address warnings from static code analysis tool CodeChecker
  10/04/2024
  - ensure backwards compatibility with versions <2.4.16.x when a JSON array of string values is provided in the "aud" claim of the ID token; required by (at least) Oracle IDCS; see #1272 and #1273; thanks @lufik and @tydalforce
  - add OIDCIDTokenAudValues configuration primitive that allows for explicit (and exhaustive) configuration of the list of accepted values in the "aud" claim of the ID token, e.g. as required for passing FAPI 2 conformance testing
  09/27/2024
  - correct usage of free() for json_dumps return values instead of cjose_get_dealloc()()
  - use compact encoding and preserve order where appropriate for most calls to json_dumps
  - replace json_dumps/free combos with oidc_util_encode_json
  - refactor oidc_jwk_to_json
  09/26/2024
  - fix oidc_jwk_copy wrt. "x5t", which broke private_key_jwt authentication to Azure AD since 2.4.13; see #1269; thanks @uoe-pjackson
  09/21/2024
  - refactor state and userinfo
  09/11/2024
  - change warnings about not passing unknown claim types into debug messages; see #1263; thanks @nclarkau
  09/09/2024
  - fix accepting custom cookie names in OIDCOAuthAcceptTokenAs cookie:<name>; see #1261; thanks @bbartke
  - improve basic authentication parsing when using OIDCOAuthAcceptTokenAs basic

* Tue Sep 17 2024 pgajdos@suse.com
- version update to 2.4.16.3
  09/06/2024
  - allow overriding globally set OIDCCacheType back to shm in vhosts
  - correct typo in child initialization routines when using multiple vhosts; closes #1208; thanks @studersi; this fixes possible segmentation faults when using Redis and Metrics settings in vhosts
  09/05/2024
  - fix OIDCCacheShmMax min/max settings; see #1260; thanks @bbartke
  08/29/2024
  - fix setting OIDCPKCEMethod none; closes #1256; thanks @eoliphan
  08/28/2024
  - re-introduce OIDCSessionMaxDuration 0; see #1252
  - add some resilience when both Forwarded and X-Forwarded-* are configured
  - fix disabled OIDCStateCookiePrefix command; closes #1254; thanks @damisanet
  - remove support for OIDCHTMLErrorTemplate, deprecated since 2.4.14
  08/26/2024
  - fix parsing OIDCXForwardedHeaders; closes #1250; thanks @maltesmann
  07/03/2024
  - cfg/provider: use oidc_jwk_list_copy when merging client_keys
  06/18/2024
  - memcache: correct dead server check on APR_NOTFOUND; see #1230; thanks @rpluem-vf
  06/08/2024
  - support DPoP nonces to the userinfo endpoint
  06/06/2024
  - add OIDCDPoPMode [off|optional|required] primitive
  - store the token_type in the session
  06/05/2024
  - add "nbf" claim in the Request Object as per https://openid.net/specs/openid-financial-api-part-2-1_0-final.html#rfc.section.5.2.2
  06/04/2024
  - add (client) support for RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)
  - replace multi-provider .conf "issuer_specific_redirect_uri" boolean with "response_require_iss" boolean
  - tighten up the "aud" claim validation in ID tokens
  - add support for the FAPI 2.0 Security Profile https://openid.net/specs/fapi-2_0-security-profile-ID2.html
  05/30/2024
  - add support for RFC 9126 OAuth 2.0 Pushed Authorization Requests
  04/23/2024
  - disable support for the RSA PKCS v1.5 JWE encryption algorithm as it is deemed unsafe due to the Marvin attack and is removed from libcjose as well
  04/05/2024
  - add debug printout for OIDCUnAuthAction expression evaluation
  04/03/2024
  - when an expression is configured for OIDCUnAuthAction (i.e. in the 2nd argument), also apply it to OIDCUnAutzAction so that it can be used to enable step-up authentication for SPAs with non-conformant browsers (some versions of Safari) and in (potentially insecure) iframes; see #1205; thanks @ryanwilliamnicholls
  04/02/2024
  - major rewrite of config primitive handling:
    - split out over different files, use header files consistently
    - encapsulate config record with getters/setters
    - allow overriding defined global configuration primitives to their default value on the individual vhost level
    - apply input/boundary checking on all configuration values, shared with provider metadata parsing
    - various fixes to applying default config values and allowing primitives in vhost/directory scopes
  - return HTTP 502 when refreshing access token or userinfo fails (default: "502_on_error")
  - use a singleton token refresh mutex
  - add support for OIDCOAuthIntrospectionEndpointKeyPassword
  - bump to 2.4.16dev
  04/01/2024
  - release 2.4.15.7
  03/29/2024
  - fix OIDCUserInfoRefreshInterval, interval seconds would be interpreted as microseconds

* Mon Mar 25 2024 pgajdos@suse.com
- version update to 2.4.15.6
  03/14/2024
  - fix userinfo refresh interval parsing; closes #1200; thanks @HolgerHees; avoid refreshing userinfo on each request until access token expiry
  - store interval as JSON integer in session
  - use SameSite=Lax when OIDCCookieSameSite is On (also by default) instead of Strict as overriding from Lax to Strict does not work reliably anymore (Chrome)
  - release 2.4.15.6
  03/13/2024
  - fix compilation without libhiredis; closes #1195; thanks @HolgerHees; conditionally define oidc_set_redis_connect_timeout
  - fix `OIDCPassClaimsAs environment` bug introduced in 2.4.15.4; see #1196; thanks @HolgerHees
  - release 2.4.15.5
  03/12/2024
  - release 2.4.15.4
  - fix setting the default PKCE method to "none" in a multi-provider setup

* Fri Feb 16 2024 danilo.spinella@suse.com
- Update to 2.4.15.3:
  * for the complete list of changes, please have a look at ChangeLog
- Fix CVE-2024-24814, DoS when `OIDCSessionType client-cookie` is set and a crafted Cookie header is supplied, bsc#1219911

* Thu Nov 30 2023 danilo.spinella@suse.com
- update to 2.4.14.4:
  * for the complete list of changes, please have a look at ChangeLog

* Tue Dec 20 2022 michael@stroeder.com
- update to 2.4.12.2
  * Security
    - CVE-2022-23527: prevent open redirect in default setup when OIDCRedirectURLsAllowed is not configured; see: GHSA-q6f2-285m-gr53
  * Features
    - allow overriding the type of lock used at compile time with OIDC_LOCK

* Tue Nov 15 2022 michael@stroeder.com
- update to 2.4.12.1
  * Features
    - add option to use ISO-8859-1 encoding for propagated claim values by adding latin1 option to OIDCPassClaimsAs <> latin1; see #957
    - Note that the encodings (including the existing "base64url") apply to both header and environment variables as well now
  * Bugfixes
    - switch to using apr_generate_random_bytes instead of apr_uuid_get to generate session identifiers so there's no longer a (rather implicit) dependency on a libapr that is compiled against libuuid on Linux platforms; see #431, #603 and #694
    - fix cache file backend: delete the correct file upon logout; closes #955
    - fix cleanup of semaphores on graceful restarts; see #522, closes #458
    - fix OIDCProviderMetadataRefreshInterval since it was interpreted in microseconds instead of the documented and intended seconds; setting it in seconds would effectively turn off caching and pull the configuration document on each request
    - define APLOG_TRACE1 if it does not exist
    - correct ap_hook_insert_filter function signature in stub.c, part 3; see #784
    - fixed printout of cache mutex errors in cache/common.c
    - prefer APR_LOCK_POSIXSEM over APR_LOCK_DEFAULT in apr_global_mutex_create which is apparently required for (some) ARM based builds
    - fix potential memory leak in proto.c when oidc_util_create_symmetric_key fails
    - fix potential memory leak in proto.c when oidc_proto_validate_access_token fails (at_hash validation)

* Mon Oct 17 2022 michael@stroeder.com
- update to 2.4.12
  * Features
    - allow storing the id_token in a client-cookie based session; see #812 and #888
    - allow setting connection pool parameters for Memcache server connections; see #916
    - add option to set a username for Redis authentication via OIDCRedisCacheUsername
    - register request_object_signing_alg in dynamic client registration when using request_uri
  * Bugfixes
    - increase size of the output buffer when using libpcre2 for substitution; closes #915
    - support OIDCSessionInactivityTimeout values greater than 30 days when using Memcache; see #936
    - allow for step-up discovery with an external URL using HTML refresh; fixes behaviour on CentOS 7/8 when combined with ProxyPass
    - apply exact length matching for at_hash and c_hash validation
    - store access token obtained from backchannel in session over the one returned in the frontchannel for code token and code id_token token flows
    - check ID token signed response algorithm on backchannel logout_token and retrieve its configuration value from the client metadata file

* Tue Aug 23 2022 michael@stroeder.com
- update to 2.4.11.3
  * Bugfixes
    - avoid memory leak when using PCRE2 regular expressions with array matching; closes #902
    - avoid memory leak when cjose_jws_get_plaintext fails; closes #903
    - fix handling of IPv6 based logout URLs
  * Features
    - Use optionally provided sid and iss request parameters during front channel logout; see #855
    - support Forwarded header in addition to X-Forwarded-*; see #853

* Mon Jul 25 2022 michael@stroeder.com
- removed obsolete BuildRequires autoconf and automake
- update to 2.4.11.2
  + release 2.4.11.2
    * Features
      - add support for Apache expressions in OIDCPathAuthRequestParams and OIDCPathScope; see #594
    * Bugfixes
      - add Cache-Control headers to logout response; see #846; thanks @blackwhiser1
    * Other
      - don't strip the header from encrypted JWTs as future versions of cjose may use compact encoding for JWEs; this slightly increases state cookie size, by-value session cookies and encrypted cache contents again at the benefit of forward cjose compatibility
  + release 2.4.11.1
    * Bugfixes
      - fix OIDCUnAuthAction pass not passing claims for authenticated users, see #790, thanks @cm0s
      - fix race conditions in the file cache backend, see #777, thanks @dbakker and @blackwhiser1
      - fix memory leaks over graceful restarts, see #823 and #824, thanks @smanolache
      - avoid using %llu print formatter and switch to %lu for unsigned long so it works cross platform
      - add a check to make sure URLs do not contain unencoded Unicode characters, see #796, thanks @cnico
    * Features
      - warn about mismatch between incoming X-Forwarded-* headers and OIDCXForwardedHeaders configuration
      - add support for OpenSSL 3.0
    * Other
      - remove test-cmd jwk2cert command
      - correct ap_hook_insert_filter function signature in stub.c, part 2, closes #784, thanks @stroeder
      - add Valgrind Github action
  + release 2.4.11
    * Bugfixes
      - fix use of regular expressions in Require statements
      - no longer defer multi-OP Discovery to the content handler to allow RequireAll and Require not directives in multi-OP setups; closes #775; thanks @rajeevn1
      - improve handling session duration expiry when combined with OIDCUnAuthAction pass or Discovery; see #778
      - terminate on startup when the crypto passphrase generated by exec: is empty; see #767
      - allow authorization on info requests, see #746
      - avoid debug printout of payload as header when the latter is stripped
      - fix race condition in file cache backend reading truncated files under load; see #777; thanks @dbakker
    * Features
      - make interpretation of X-Forwarded-* headers configurable, defaulting to none, so mod_auth_openidc running behind a reverse proxy that sets X-Forwarded-* headers needs explicit configuration of OIDCXForwardedHeaders
      - make X-Frame-Options header returned on OIDC front-channel logout requests configurable through OIDCLogoutXFrameOptions; closes #464
      - add x5t to JWT header in private_key_jwt client assertions; for interop with Azure AD; see #762; thanks @juur
      - improve detection of suspicious redirect URLs; add test list
      - add administrative session revocation capability via <redirect_uri>?revoke_session=<sessionid>
    * Packaging
      - add support for libpcre2; see #740
      - add AM_PROG_CC_C_O to configure.ac (at least for RHEL 7.7); see #765; thanks @bitmagewb
      - include <openssl/bn.h> in jose.c to compile with OpenSSL 1.0.x
      - install taking into account DESTDIR; see #674; thanks @alerque
  + release 2.4.10
    * Features
      - add check for Sec-Fetch-Dest header != "document" value and Sec-Fetch-Mode header != "navigate" to auto-detect requests that are not capable of handling an authentication round trip to the Provider; see #714; thanks @studersi
      - add redirect/text options to OIDCUnAutzAction; see #715; thanks @chrisinmtown
      - log require claims failure on info level
      - backport ap_get_exec_line, supporting the exec: option in OIDCCryptoPassphrase to Apache 2.2
    * Bugfixes
      - return HTTP 200 for OPTIONS requests in auth-openidc mixed mode
      - don't apply claims based authorization for OPTIONS requests so paths protected with Require claim directives will now also return HTTP 200 for OPTIONS requests
      - fix memory leak when parsing JWT access token fails (in RS mode)
      - fix regexp substitution crash using OIDCRemoteUserClaim; thanks @nneul; closes #720
    * Packaging
      - complete usage of autoconf/automake; see #674
      - add .deb for Debian Bullseye

* Fri Sep 03 2021 michael@stroeder.com
- update to 2.4.9.4
  * Security
    - prevent open redirect by applying OIDCRedirectURLsAllowed setting to target_link_uri; closes #672
  * Bugfixes
    - don't apply authz in discovery process; fixes step up authentication when combined with Discovery

* Fri Aug 27 2021 michael@stroeder.com
- update to 2.4.9.3
  * Bugfixes
    - don't apply authz to the redirect URI; fixes ac56864

* Tue Aug 24 2021 pgajdos@suse.com
- use declared tarball

* Mon Aug 23 2021 michael@stroeder.com
- update to 2.4.9.2
  * Bugfixes
    - fix graceful restart (regression); see #458
  * Features
    - preserve session cookie in the event of a cache backend failure
    - update the id_token in the session cache if one is provided while refreshing the access token

* Fri Aug 13 2021 michael@stroeder.com
- update to 2.4.9.1
  - fix retried Redis commands after a reconnect; see #642

* Fri Jul 23 2021 michael@stroeder.com
- Update to version 2.4.9
  * Security
    - use redisvCommand to avoid crash with crafted key when using Redis without encryption; thanks @thomas-chauchefoin-sonarsource
    - replace potentially harmful backslashes with forward slashes when validating redirection URLs; thanks @thomas-chauchefoin-sonarsource
    - avoid XSS vulnerability when using OIDCPreservePost On and supplying URLs that contain single quotes; thanks @oss-aimoto
    - return OK in the content handler for calls to the redirect URI and when preserving POST data; prevent (intermittent) disclosure of content hosted at a (non-vanity) redirect URI location
    - use encrypted JWTs for storing encrypted cache contents and avoid using static AAD/IV; thanks @niebardzo
  * Bugfixes
    - verify that alg is not none in logout_token explicitly
    - don't clear POST params authn on token revocation; thanks @iainh
    - fix a problem where the host and port are calculated incorrectly when using literal ipv6 address.
  * Other
    - make session not found on backchannel logout produce a log warning instead of error
    - handle discovery in the content handler
    - strip A256GCM JWT header from encrypted JWTs used for state cookies, cache encryption and by-value session cookies resulting in smaller cookies and reduced cache content size
- Fix CVE-2021-32785 format string bug via hiredis (CVE-2021-32785, bsc#1188638)
- Fix CVE-2021-32786 open redirect in logout functionality (CVE-2021-32786, bsc#1188639)

* Wed Jun 02 2021 michael@stroeder.com
- Use autogen.sh to generate missing configure script
- Update to version 2.4.8.4
  * Bugfixes
    - do not send state timeout HTML document when OIDCDefaultURL is set; this can be overridden by using e.g.: SetEnvIfExpr true OIDC_NO_DEFAULT_URL_ON_STATE_TIMEOUT=true
    - avoid Apache 2.4 appending 400/302(200/404) HTML document text to state timeout HTML info page; see also f5959d7 and #484; at least Debian Buster was affected
  * Other
    - make error "session corrupted: no issuer found in session" a warning only so a logout call for a non-existing session no longer produces error messages

* Tue May 18 2021 michael@stroeder.com
- Update to version 2.4.8.2
  * store timestamps in session in seconds to avoid string conversion problems on some (libapr-1) platform build/run combinations, causing "maximum session duration exceeded" errors

* Fri May 07 2021 michael@stroeder.com
- Update to version 2.4.8.1
  * Bugfixes
    - fix potential crash when the Content-Type header is not set in POST requests
    - avoid jwt/proto_state json_object memory leaks on cache failures
    - when an OAuth 2.0 RS token scope/claim authorization (401) error occurs, add an OIDC_OAUTH_BEARER_SCOPE_ERROR environment variable for usage with mod_headers, instead of adding a header ourselves; see #572
  * Features
    - add options to configure Redis connectivity timeouts with OIDCRedisCacheConnectTimeout and OIDCRedisCacheTimeout
    - add OIDCClientTokenEndpointKeyPassword option to set a private key password for the client's private key to be used against the token endpoint; see #576

* Mon Apr 12 2021 pgajdos@suse.com
- test package

* Sun Apr 11 2021 andreas.stieger@gmx.de
- fix installation path on Factory (boo#1184572)
- switch to bootstrapped tarball
- package the license, docs and sample config

* Mon Apr 05 2021 michael@stroeder.com
- Update to version 2.4.7
  * Bugfixes
    - avoid logged-out sessions remaining (valid) in the session cache: remove session from cache before clearing it; see #542
  * Features
    - add maximum session lifetime (exp), inactivity timeout (timeout) and remote_user to OIDCInfoHook; closes #541
  * Security
    - add opt-out on sub check in userinfo endpoint response using the (undocumented) OIDC_NO_USERINFO_SUB environment variable, for backwards (but insecure) compatibility, see #544
  * Dependencies
    - libcjose >= 0.5.1
    - if your distribution does not provide libcjose in its package repository, recent packages for a number of platforms are available from the "Assets" section in release 2.4.0

* Thu Apr 01 2021 pgajdos@suse.com
- require hiredis only for newer distros than SLE-15 [jsc#SLE-11726]

* Thu Feb 18 2021 pgajdos@suse.com
- re-download tarball

* Wed Feb 17 2021 michael@stroeder.com
- Update to version 2.4.6
  * Bugfixes
    - don't set SameSite=None on cookies when on plain http
    - fix semaphore cleanup on graceful restarts; see #522
    - fix inconsistent public/private keys loading order; closes #515
    - return HTTP 400 Bad Request instead of 500 Internal Server Error when state cookie matching fails
    - optimize Redis AUTH execution once per connection
    - avoid segmentation fault when hitting an endpoint configured with AuthType openid-connect in an OAuth 2.0 only setup; see #529
    - make sure the module compiles with Apache 2.2 for passphrase exec:
  * Features
    - add Redis database selection option with OIDCRedisCacheDatabase; closes #423
    - add base64url option to OIDCPassClaimsAs primitive; closes #417
    - add environment variable to control libcURL CURLOPT_SSL_OPTIONS behaviors, e.g.:
      - SetEnvIfExpr true CURLOPT_SSL_OPTIONS=CURLSSLOPT_NO_REVOKE
    - removed support for https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state
  * Security
    - avoid displaying the client_secret in debug logs
  * Dependencies
    - libcjose >= 0.5.1

* Mon Nov 23 2020 michael@stroeder.com
- Update to version 2.4.5
  * Features
    - disable caching token introspection results by setting OIDCOAuthTokenIntrospectionInterval to -1
    - add exec support to OIDCCryptoPassphrase
    - delete stale session cookies that aren't in the cache
    - allow OIDCDiscoverURL to be a relative URL
    - add OIDCCABundlePath for configuring path to curl CA bundle
  * Bugfixes
    - enable authentication of sub-requests when the main request doesn't require authentication
    - fix content processing for info and JWKs handler so mod_headers etc. work; closes #497
    - avoid Apache 2.4 appending 401 HTML document text to step-up authentication HTML refresh page; closes #484
    - add config check for OIDCCryptoPassphrase in OAuth 2.0 RS setup with cache encryption enabled
    - populate AUTH_TYPE when performing authentication
    - improve sanity checking on Redis reply
  * Security
    - ensure that sub is returned from the userinfo endpoint following https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse; prevents potential ID spoofing
    - don't printout JSON errors about NULL characters in error log
    - restrict printout of JSON parsing errors to 4096 bytes

* Wed Sep 09 2020 michael@stroeder.com
- Update to version 2.4.4.1
  * Bugfixes
    - add SameSite=None attribute on cookie clearance / logout and make sure it works in OP iframes
  * Packaging
    - the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section in release 2.4.0

* Tue Sep 01 2020 michael@stroeder.com
- Update to version 2.4.4
  * Security
    - prevent XSS and open redirect on OIDC session management OP iframe, introducing generic OIDCRedirectURLsAllowed primitive; thanks Andrew Brady
    - add OIDCStateCookiePrefix primitive for the state cookie prefix to anonymise the state cookie name
  * Bugfixes
    - fix double Set-Cookie behaviour when using OIDCSessionType client-cookie, calling the session info hook and writing out a session update (twice); thanks @deisser
    - reverse order of creating HTML response and writing the (client-type) session cookie in the session info hook so the session data is actually saved; thanks @deisser
    - delete state cookie when it cannot be decoded/decrypted
    - avoid an Apache authorisation error and HTTP 500 when logout is triggered by a different RP
  * Features
    - add conditional expression to OIDCUnAuthAction to override auto-detection of non-browser requests; see #479; thanks @raro42 and @marcstern
  * Other
    - fixes for various compiler warnings/issues (older and newer versions of GCC)
    - add grant_types to dynamic client registration request [OIDC conformance test suite]
    - don't send access_token in user info request when method is set to POST [OIDC conformance test suite]
    - add recommended cache headers on backchannel logout response https://openid.net/specs/openid-connect-backchannel-1_0.html#rfc.section.2.8 [OIDC conformance test suite]
    - allow Content-Type check on backchannel logout to have postfixes (utf-8 etc.) [OIDC conformance test suite]

* Tue Aug 11 2020 michael@stroeder.com
- Update to version 2.4.3
  * Bugfixes
    - prevent open redirect on refresh token requests
    - add new OIDCRedirectURLsAllowed primitive to handle post logout and refresh-return-to validation; addresses #453; closes #466
    - when stripping cookies, add a space between cookies in the resulting header (required by RFC 6265)
    - fix compilation against Apache 2.0
  * Features
    - add OIDCStateInputHeaders that allows configuring the header values used to calculate the fingerprint of the state during authentication
    - added OIDCValidateIssuer primitive to allow for disabling of issuer matching, helps to support multi-tenant applications i.e. Microsoft AAD

* Wed Mar 25 2020 mardnh@gmx.de
- Update to version 2.4.2.1
  Changes since 2.4.1:
  * oops: fix json_deep_copy of claims
  * fix memory leak in OAuth 2.0 JWT validation
  * fix configured private/public key cleanup on process exit
  * allow for expressions in Require statements, see #469
  * always refresh keys from jwks_uri when there is no kid in the JWT header
  * destroy shared memory segments only in parent process; see #458
  * fix memory leaks introduced by #457
  * if content was already returned via html/http send then don't return 500 but send 200 to avoid extraneous internal error document text being sent on some Apache 2.4.x versions
  * if OIDCPublicKeyFiles contains a certificate, the corresponding x5c, x5t and x5t#256 parameters will be added to the generated jwkset available at "<redirect_uri>?jwks=rsa"
- fix: also add SameSite=None to by-value session cookies
- try to fix graceful restart crash; see #458

* Fri Jan 31 2020 michael@stroeder.com
- Update to version 2.4.1
  * This release primarily addresses upcoming changes in SameSite Set-Cookie behaviour in Chrome and Firefox

* Wed Oct 30 2019 kstreitova@suse.com
- Update to version 2.4.0.3
  Security
  * improve validation of the post-logout URL parameter on logout; thanks AIMOTO Norihito; closes #449 [bsc#1153666], [CVE-2019-14857]
  Bugfixes
  * changed storing POST params from localStorage to sessionStorage due to some issue of losing data in localStorage in Firefox (private mode); fixes #447 #441

* Thu Aug 22 2019 michael@stroeder.com
- Update to version 2.4.0
  Important
  * version 2.4.0 carries quite a number of relatively small changes (see: Bugfixes and Features below) that are subtle but may impact runtime behavior nevertheless; you should verify an upgrade in a test environment before rolling out to production
  * this release deprecates the OAuth 2.0 Resource Server functionality which is now implemented as a separate module mod_oauth2.
  Bugfixes
  * URL-encode client_id/client_secret when using client_secret_basic according to: https://tools.ietf.org/html/rfc6749#section-2.3.1
  * fix parsing and caching of OIDCOAuthServerMetadataURL; thanks Lance Fannin
  * fix oidc_proto_html_post auto-post-submit so it no longer results in duplicate parentheses; closes #440; thanks @gobreak
  * fix RSA JWK x5c parsing issue (e.g. when parsing n fails): explicitly set the kid into the JWK
  * fix OIDCOAuthAcceptTokenAs post so POST data is propagated and not lost; see #443
  * fix JWT decryption crashing on non-null terminated input
  * fix not clearing claims in session when setting claims to null; closes #445; thanks @FilipVujicic
  Features
  * support refresh and access tokens revocation from an RFC 7009 endpoint upon OIDC session logout
  * make sure the content handler is called for every request to the configured Redirect URI so all Apache processing is executed (e.g. setting headers with mod_headers) before returning the response; thanks Don Sengpiehl (NB: this may affect browser behavior and backwards compatibility)
  * add ability to view session info in HTML via the session info hook via <redirect_uri>?info=html
  * enable per-provider signing and encryption keys in multi-provider setups (with limitations)
  * no longer use the fixup handler for environment variable setting but do it as part of the authn handler
  * add logout_on_error option to OIDCRefreshAccessTokenBeforeExpiry to kill the session when refreshing an access token fails; thanks @rickyepoderi
  * be smart about picking the token endpoint authentication method when not configured explicitly: don't choose the first one published by the OP but prefer client_secret_basic if that is listed as well; see: panva/node-oidc-provider#514; thanks @richard-drummond and @panva
  Other
  * remove option OIDCScrubRequestHeaders that allows for skipping scrubbing request headers, thus avoiding potentially insecure setups
  * log the original URL for expired state cookies, useful for debugging SPA/JS issues
  * add debug logs in oidc_proto_generate_random_string to allow for spotting lack of entropy in the random number generator (on VM environments) more easily
  * add USE_URANDOM compile time option to use /dev/urandom explicitly for non-blocking random number generation: configure with APXS2_OPTS="-DUSE_URANDOM"
  * allow removing an access token from the cache ("remove_at_cache") when running in OAuth 2.0 RS mode only

* Wed Mar 13 2019 mardnh@gmx.de
- Update to version 2.3.11
  Features
  * dynamically pass query params to the authorization request
    + using OIDCAuthRequestParams foo=# and/or OIDCPathAuthRequestParams foo=#
  * add session expiry info to session info hook response
    + session inactivity key is timeout now (was exp)
    + session expiry key is exp
  Other
  * allow compilation without memcache support on older platforms not providing apr_memcache.h

* Wed Feb 20 2019 mardnh@gmx.de
- Update to version 2.3.10.2
  * fix XSS vulnerability CSNC-2019-001 wrt. poll parameter in OIDC Session Management RP iframe
  * fix bug in current URL detection where query parameters would be duplicated
  * fix warning printout in oidc_delete_oldest_state_cookies
  * fix encryption buffer tag length mismatch
  * retain the unparsed URL path in current/original URL determination, and thereby preserve and support URL-encoded characters in paths when redirecting back to the original URL
  * add state to code exchange token requests only in multi-provider setups
  * optionally delete the oldest state cookie(s)
  * add support for refreshing an access token associated with an OIDC session using OIDCRefreshAccessTokenBeforeExpiry
  * fix parsing of cookie name in OIDCOAuthAcceptTokenAs when the cookie option is not listed last
  * fix OAuth 2.0 RS config check when OIDCOAuthServerMetadataURL is set
  * add support for draft https://www.ietf.org/id/draft-ietf-oauth-mtls-12.txt OAuth 2.0 Mutual TLS Client Certificate Bound Access Tokens when running as an OAuth 2.0 RS, validating cnf["x5t#S256"] claims.
  * ignore/trim spaces in X-Forwarded-* headers
  * deal with forwarding proxy setups
  * improve OIDC backchannel logout based on config/Discover
  * add OIDCProviderBackChannelLogoutSupported config primitive
  * parse/interpret `backchannel_logout_supported` in Discovery document
  * add `id_token_token_binding_cnf`: `tbh` to dynamic client registration metadata
  * support backchannel logout according to: https://openid.net/specs/openid-connect-backchannel-1_0.html
  * add test-cmd command to generate hashes of base64urlencoded inputs (cnf/tbh claims)
  * support Token Binding for Access Tokens according to: https://tools.ietf.org/html/draft-ietf-oauth-token-binding
  * support nested arrays in Require claim authorization evaluation

* Fri Nov 09 2018 kstreitova@suse.com
- submission to SLE15SP1 because of fate#324447
- build with hiredis only for openSUSE where hiredis is available
- add a version for jansson BuildRequires

* Tue Oct 30 2018 kstreitova@suse.com
- update to 2.3.8
- changes in 2.3.8
  * fix return result FALSE when JWT payload parsing fails
  * add LGTM code quality badges
  * fix 3 LGTM alerts
  * improve auto-detection of XMLHttpRequests via Accept header
  * initialize test_proto_authorization_request properly
  * add sanity check on provider->auth_request_method
  * allow usage with LibreSSL
  * don't return content with 503 since it will turn the HTTP status code into a 200
  * add option to set an upper limit to the number of concurrent state cookies via OIDCStateMaxNumberOfCookies
  * make the default maximum number of parallel state cookies 7 instead of unlimited
  * fix using access token as endpoint auth method in introspection calls
  * fix reading access_token from POST parameters when combined with `AuthType auth-openidc`
- changes in 2.3.7
  * abort when string length for remote user name substitution is larger than 255 characters
  * fix Redis concurrency issue when used with multiple vhosts
  * add support for authorization server metadata with OIDCOAuthServerMetadataURL as in RFC 8414
  * refactor session object creation
  * clear session cookie and contents if cache corruption is detected
  * use apr_pstrdup when setting r->user
  * reserve 255 characters in remote username substitution instead of 50
- changes in 2.3.6
  * add check to detect session cache corruption for server-based caches and cached static metadata
  * avoid using pipelining for Redis
  * send Basic header in OAuth www-authenticate response if that's the only accepted method; thanks @puiterwijk
  * refactor Redis cache backend to solve issues on AUTH errors: a) memory leak and b) redisGetReply lagging behind
  * adjust copyright year/org
  * fix buffer overflow in shm cache key set strcpy
  * turn missing session_state from warning into a debug statement
  * fix missing "return" on error return from the OP
  * explicitly set encryption kid so we're compatible with cjose >= 0.6.0
- changes in 2.3.5
  * fix encoding of preserved POST data
  * avoid buffer overflow in shm cache key construction
  * compile with Libressl

* Fri Apr 27 2018 vcizek@suse.com
- update to 2.3.4
- requested in fate#323817

* Wed Dec 13 2017 christof.hanke@mpcdf.mpg.de
- initial packaging
/usr/lib64/apache2/mod_auth_openidc.so
/usr/share/doc/packages/apache2-mod_auth_openidc
/usr/share/doc/packages/apache2-mod_auth_openidc/AUTHORS
/usr/share/doc/packages/apache2-mod_auth_openidc/ChangeLog
/usr/share/doc/packages/apache2-mod_auth_openidc/README.md
/usr/share/doc/packages/apache2-mod_auth_openidc/auth_openidc.conf
/usr/share/licenses/apache2-mod_auth_openidc
/usr/share/licenses/apache2-mod_auth_openidc/LICENSE.txt
Generated by rpm2html 1.8.1
Fabrice Bellet, Sun Mar 9 19:43:46 2025