diff --git a/apache2-mod_auth_openidc.changes b/apache2-mod_auth_openidc.changes index ade9fad..94524e2 100644 --- a/apache2-mod_auth_openidc.changes +++ b/apache2-mod_auth_openidc.changes 
@@ -1,3 +1,69 @@ +------------------------------------------------------------------- +Mon Feb 10 11:16:24 UTC 2025 - pgajdos@suse.com + +- version update to 2.4.16.7 + 01/29/2025 + - add OIDCProfile to configure OpenID Connect profile behaviours for, so far "FAPI20" only, which configures: + Authentication Request method, DPoP, PKCE, ID token aud values requirements + token endpoint JWT authentication "aud" values, "iss" parameter requirement in authentication reponses + +------------------------------------------------------------------- +Wed Dec 11 13:55:46 UTC 2024 - pgajdos@suse.com + +- version update to 2.4.16.6 + 12/05/2024 + - metadata: fix caching of JWKs from jwks_uri when using the default expiry setting (i.e. not using OIDCJWKSRefreshInterval) + and avoid fetching JWKs from the jwks_uri for each user login; also addresses Redis cache + error entries the log [ERR invalid expire time in 'setex' command] + - avoid segfault and improve error reporting in case apr_temp_dir_get fails when a temp directory cannot be found + on the system upon initalizing cache mutexes and file cache; see #1288; thanks @ErmakovDmitriy + 11/21/2024 + - add option to set local address for outgoing HTTP requests; see #1283; thanks @studersi + using e.g. 
SetEnvIfExpr true OIDC_CURL_INTERFACE=192.168.10.2 + - try and address metris cleanup segmentation fault on shutdown; see #1207 + by not flushing metrics to the shared memory segment upon exit + 11/14/2024 + - allow specific settings Strict|Lax|None|Disabled for OIDCCookieSameSite in addition to On(=Lax)|Off(=None) + - fix: default behaviour Lax + - fix: apply OIDCCookieSameSite Off/None properly to state cookies instead of always setting Lax + - re-introduces the option to configure a Strict SameSite session cookie policy, which will turn the initial + Lax session cookie - set upon receving the response to the Redirect URI - into a Strict session cookie + immediately after the first application request + - allows for a "Disabled" value that does not set any SameSite flag on the cookies, in which case a browser + falls back to its default browser behaviour (which should be Lax by spec) + 11/07/2024 + - info: fix requests to the info hook with extend_session=false; see #1279; thanks @fnieri-cdp + - properly reflect the (unmodified) inactivity timeout in the response ("timeout") + - avoid refreshing an access token (since the session is not saved) + - avoid refreshing claims from the user info endpoint, and possibly refreshing the access token + 10/23/2024 + - metadata: allow plain HTTP URLs in metadata elements `jwks_uri` and `signed_jwks_uri` + to ensure backwards compatibility with <=2.4.15.7 and to support private/test deployments + 10/22/2024 + - address warnings from static code analysis tool CodeChecker + 10/04/2024 + - ensure backwards compatibility with versions <2.4.16.x when a JSON array of string values + is provided in the "aud" claim of the ID token; required by (at least) Oracle IDCS + see #1272 and #1273; thanks @lufik and @tydalforce + - add OIDCIDTokenAudValues configuration primitive that allows for explicit (and exhaustive) + configuration of the list of accepted values in the "aud" claim of the ID token + e.g. 
as required for passing FAPI 2 conformance testing + 09/27/2024 + - correct usage of free() for json_dumps return values instead of cjose_get_dealloc()() + - use compact encoding and preserve order where appropriate for most calls to json_dumps + - replace json_dumps/free combos with oidc_util_encode_json + - refactor oidc_jwk_to_json + 09/26/2024 + - fix oidc_jwk_copy wrt. "x5t", which broke private_key_jwt authentication to Azure AD since 2.4.13 + see #1269; thanks @uoe-pjackson + 09/21/2024 + - refactor state and userinfo + 09/11/2024 + - change warnings about not passing unknown claim types into debug messages; see #1263; thanks @nclarkau + 09/09/2024 + - fix accepting custom cookie names in OIDCOAuthAcceptTokenAs cookie:; see #1261; thanks @bbartke + - improve basic authentication parsing when using OIDCOAuthAcceptTokenAs basic + ------------------------------------------------------------------- Tue Sep 17 08:52:12 UTC 2024 - pgajdos@suse.com diff --git a/apache2-mod_auth_openidc.spec b/apache2-mod_auth_openidc.spec index 7edcbed..080f3b6 100644 --- a/apache2-mod_auth_openidc.spec +++ b/apache2-mod_auth_openidc.spec @@ -1,7 +1,7 @@ # # spec file for package apache2-mod_auth_openidc # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: apache2-mod_auth_openidc -Version: 2.4.16.3 +Version: 2.4.16.7 Release: 0 Summary: Apache2.x module for an OpenID Connect enabled Identity Provider License: Apache-2.0 diff --git a/mod_auth_openidc-2.4.16.3.tar.gz b/mod_auth_openidc-2.4.16.3.tar.gz deleted file mode 100644 index cec7a65..0000000 --- a/mod_auth_openidc-2.4.16.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:dbf162bbdf7e650d9dc8d10ffa627aeee660908018161006dbe6c1b89b0b0fb8 -size 675468 
diff --git a/mod_auth_openidc-2.4.16.7.tar.gz b/mod_auth_openidc-2.4.16.7.tar.gz new file mode 100644 index 0000000..d7bd930 --- /dev/null +++ b/mod_auth_openidc-2.4.16.7.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b823ab758e52249f9c61f6204e84635ead701018d5e6d1b93327eb2466f37f67 +size 688803
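Review bot: In the .changes hunk, the 10/23/2024 entry (plain HTTP URLs accepted again for `jwks_uri` and `signed_jwks_uri`) and the 11/14/2024 entries (OIDCCookieSameSite now applied to state cookies, new Strict|Lax|None|Disabled values) are security-relevant behaviour changes, but they are buried in a long list with nothing to flag them. Please call them out at the top of the entry so administrators upgrading from 2.4.16.3 re-check their provider metadata and cookie settings. Keys fetched over plain HTTP are not protected in transit, so that allowance should stay confined to the private/test deployments the entry itself names. Separately, every item dated 11/21/2024 through 09/09/2024 sits under "version update to 2.4.16.6" although the spec moves from 2.4.16.3 to 2.4.16.7, so it is unclear which intermediate release each change belongs to. The typos "reponses", "initalizing", "metris" and "receving" could be fixed in the same pass.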
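Review bot: The new mod_auth_openidc-2.4.16.7.tar.gz pointer records only a sha256 oid and a size, and nothing in this diff ties that digest to the upstream release: no signature or keyring file is added next to the tarball, and the spec hunks touch only the copyright year and Version. Before accepting, compare the digest of the fetched tarball with the checksum upstream publishes for 2.4.16.7. If upstream provides a detached signature, add it as an extra source so the build can verify the tarball rather than relying on the LFS pointer alone.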