Sync from SUSE:SLFO:Main apache2-mod_auth_openidc revision 3be2560e5dc08661d466bc85bbf7fb29

apache2-mod_auth_openidc.changes

@@ -1,3 +1,69 @@
+-------------------------------------------------------------------
+Mon Feb 10 11:16:24 UTC 2025 - pgajdos@suse.com
+
+- version update to 2.4.16.7
+  01/29/2025
+  - add OIDCProfile to configure OpenID Connect profile behaviours for, so far "FAPI20" only, which configures:
+    Authentication Request method, DPoP, PKCE, ID token aud values requirements
+    token endpoint JWT authentication "aud" values, "iss" parameter requirement in authentication reponses
+
+-------------------------------------------------------------------
+Wed Dec 11 13:55:46 UTC 2024 - pgajdos@suse.com
+
+- version update to 2.4.16.6
+  12/05/2024
+  - metadata: fix caching of JWKs from jwks_uri when using the default expiry setting (i.e. not using OIDCJWKSRefreshInterval)
+    and avoid fetching JWKs from the jwks_uri for each user login; also addresses Redis cache
+    error entries the log [ERR invalid expire time in 'setex' command]
+  - avoid segfault and improve error reporting in case apr_temp_dir_get fails when a temp directory cannot be found
+    on the system upon initalizing cache mutexes and file cache; see #1288; thanks @ErmakovDmitriy
+  11/21/2024
+  - add option to set local address for outgoing HTTP requests; see #1283; thanks @studersi
+    using e.g. SetEnvIfExpr true OIDC_CURL_INTERFACE=192.168.10.2
+  - try and address metris cleanup segmentation fault on shutdown; see #1207
+    by not flushing metrics to the shared memory segment upon exit
+  11/14/2024
+  - allow specific settings Strict|Lax|None|Disabled for OIDCCookieSameSite in addition to On(=Lax)|Off(=None)
+  - fix: default behaviour Lax
+  - fix: apply OIDCCookieSameSite Off/None properly to state cookies instead of always setting Lax
+  - re-introduces the option to configure a Strict SameSite session cookie policy, which will turn the initial
+    Lax session cookie - set upon receving the response to the Redirect URI - into a Strict session cookie
+    immediately after the first application request
+  - allows for a "Disabled" value that does not set any SameSite flag on the cookies, in which case a browser
+    falls back to its default browser behaviour (which should be Lax by spec)
+  11/07/2024
+  - info: fix requests to the info hook with extend_session=false; see #1279; thanks @fnieri-cdp
+  - properly reflect the (unmodified) inactivity timeout in the response ("timeout")
+  - avoid refreshing an access token (since the session is not saved)
+  - avoid refreshing claims from the user info endpoint, and possibly refreshing the access token
+  10/23/2024
+  - metadata: allow plain HTTP URLs in metadata elements `jwks_uri` and `signed_jwks_uri`
+    to ensure backwards compatibility with <=2.4.15.7 and to support private/test deployments
+  10/22/2024
+  - address warnings from static code analysis tool CodeChecker
+  10/04/2024
+  - ensure backwards compatibility with versions <2.4.16.x when a JSON array of string values
+    is provided in the "aud" claim of the ID token; required by (at least) Oracle IDCS
+    see #1272 and #1273; thanks @lufik and @tydalforce
+  - add OIDCIDTokenAudValues configuration primitive that allows for explicit (and exhaustive)
+    configuration of the list of accepted values in the "aud" claim of the ID token
+    e.g. as required for passing FAPI 2 conformance testing
+  09/27/2024
+  - correct usage of free() for json_dumps return values instead of cjose_get_dealloc()()
+  - use compact encoding and preserve order where appropriate for most calls to json_dumps
+  - replace json_dumps/free combos with oidc_util_encode_json
+  - refactor oidc_jwk_to_json
+  09/26/2024
+  - fix oidc_jwk_copy wrt. "x5t", which broke private_key_jwt authentication to Azure AD since 2.4.13
+    see #1269; thanks @uoe-pjackson
+  09/21/2024
+  - refactor state and userinfo
+  09/11/2024
+  - change warnings about not passing unknown claim types into debug messages; see #1263; thanks @nclarkau
+  09/09/2024
+  - fix accepting custom cookie names in OIDCOAuthAcceptTokenAs cookie:<name>; see #1261; thanks @bbartke
+  - improve basic authentication parsing when using OIDCOAuthAcceptTokenAs basic
+
 -------------------------------------------------------------------
 Tue Sep 17 08:52:12 UTC 2024 - pgajdos@suse.com
 

apache2-mod_auth_openidc.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package apache2-mod_auth_openidc
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           apache2-mod_auth_openidc
-Version:        2.4.16.3
+Version:        2.4.16.7
 Release:        0
 Summary:        Apache2.x module for an OpenID Connect enabled Identity Provider
 License:        Apache-2.0