commit d8a677d89a8b0314e10e3da065c736080650fc98658476c5a087b0f4614557e4 Author: Adrian Schröter Date: Wed Dec 18 16:26:02 2024 +0100 Sync from SUSE:SLFO:Main apache2-mod_auth_openidc revision d0bb5a2e1d9f656b90a27a5844ae1d0a diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/apache2-mod_auth_openidc.changes b/apache2-mod_auth_openidc.changes new file mode 100644 index 0000000..ade9fad --- /dev/null +++ b/apache2-mod_auth_openidc.changes 
@@ -0,0 +1,718 @@ +------------------------------------------------------------------- +Tue Sep 17 08:52:12 UTC 2024 - pgajdos@suse.com + +- version update to 2.4.16.3 + 09/06/2024 + - allow overriding globally set OIDCCacheType back to shm in vhosts + - correct typo in child initialization routines when using multiple vhosts; closes #1208; thanks @studersi + this fixes possible segmentation faults when using Redis and Metrics settings in vhosts + 09/05/2024 + - fix OIDCCacheShmMax min/max settings; see #1260; thanks @bbartke + 08/29/2024 + - fix setting OIDCPKCEMethod none; closes #1256; thanks @eoliphan + 08/28/2024 + - re-introduce OIDCSessionMaxDuration 0; see #1252 + - add some resilience when both Forwarded and X-Forwarded-* are configured + - fix disabled OIDCStateCookiePrefix command; closes #1254; thanks @damisanet + - remove support for OIDCHTMLErrorTemplate, deprecated since 2.4.14 + 08/26/2024 + - fix parsing OIDCXForwardedHeaders; closes #1250; thanks @maltesmann + 07/03/2024 + - cfg/provider: use oidc_jwk_list_copy when merging client_keys + 06/18/2024 + - memcache: correct dead server check on APR_NOTFOUND; see #1230; thanks @rpluem-vf + 06/08/2024 + - support DPoP nonces to the userinfo endpoint + 06/06/2024 + - add OIDCDPoPMode [off|optional|required] primitive + - store the token_type in the session + 06/05/2024 + - add "nbf" claim in the Request Object as per https://openid.net/specs/openid-financial-api-part-2-1_0-final.html#rfc.section.5.2.2 + 06/04/2024 + - add (client) support for RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP) + - replace multi-provider .conf "issuer_specific_redirect_uri" boolean with "response_require_iss" boolean + - tighten up the "aud" claim validation in ID tokens + - add support for the FAPI 2.0 Security Profile https://openid.net/specs/fapi-2_0-security-profile-ID2.html + 05/30/2024 + - add support for RFC 9126 OAuth 2.0 Pushed Authorization Requests + 04/23/2024 + - disable support for the RSA PKCS v1.5 
JWE encryption algorithm as it is deemed unsafe + due to the Marvin attack and is removed from libcjose as well + 04/05/2024 + - add debug printout for OIDCUnAuthAction expression evaluation + 04/03/2024 + - when an expression is configured for OIDCUnAuthAction (i.e. in the 2nd argument), also apply + it to OIDCUnAutzAction so that it can be used to enable step-up authentication for SPAs with + non-conformant browsers (some versions of Safari) and in (potentially insecure) iframes + see #1205; thanks @ryanwilliamnicholls + 04/02/2024 + - major rewrite of config primitive handling: + - split out over different files, use header files consistently + - encapsulate config record with getters/setters + - allow overriding defined global configuration primitives to their default value on the individual vhost level + - apply input/boundary checking on all configuration values, shared with provider metadata parsing + - various fixes to applying default config values and allowing primitives in vhost/directory scopes + - return HTTTP 502 when refreshing acces token or userinfo fails (default: "502_on_error") + - use a singleton token refresh mutex + - add support for OIDCOAuthIntrospectionEndpointKeyPassword + - bump to 2.4.16dev + 04/01/2024 + - release 2.4.15.7 + 03/29/2024 +- fix OIDCUserInfoRefreshInterval, interval seconds would be interpreted as microseconds + +------------------------------------------------------------------- +Mon Mar 25 14:07:25 UTC 2024 - pgajdos@suse.com + +- version update to 2.4.15.6 + 03/14/2024 + - fix userinfo refresh interval parsing; closes #1200; thanks @HolgerHees + avoid refreshing userinfo on each request until access token expiry + - store interval as JSON integer in session + - use SameSite=Lax when OIDCCookieSameSite is On (also by default) instead of + Strict as overriding from Lax to Strict does not work reliably anymore (Chrome) + - release 2.4.15.6 + 03/13/2024 + - fix compilation without libhiredis; closes #1195 ; thanks 
@HolgerHees + conditionally define oidc_set_redis_connect_timeout + - fix `OIDCPassClaimsAs environment` bug introduced in 2.4.15.4; see #1196; thanks @HolgerHees + - release 2.4.15.5 + 03/12/2024 + - release 2.4.15.4 + - fix setting the default PCKE method to "none" in a multi-provider setup + +------------------------------------------------------------------- +Fri Feb 16 16:57:57 UTC 2024 - Danilo Spinella + +- Update to 2.4.15.3: + * for the complete list of changes, please have a look at ChangeLog +- Fix CVE-2024-24814, DoS when `OIDCSessionType client-cookie` is set + and a crafted Cookie header is supplied, bsc#1219911 + +------------------------------------------------------------------- +Thu Nov 30 14:41:39 UTC 2023 - Danilo Spinella + +- update to 2.4.14.4: + * for the complete list of changes, please have a look at ChangeLog + +------------------------------------------------------------------- +Tue Dec 20 15:24:49 UTC 2022 - Michael Ströder + +- update to 2.4.12.2 + * Security + - CVE-2022-23527: prevent open redirect in default setup when + OIDCRedirectURLsAllowed is not configured + see: GHSA-q6f2-285m-gr53 + * Features + - allow overriding the type of lock used at compile time with OIDC_LOCK + +------------------------------------------------------------------- +Tue Nov 15 16:20:35 UTC 2022 - Michael Ströder + +- update to 2.4.12.1 + * Features + - add option to use ISO-8859-1 encoding for propagated claim values by + adding latin1 option to OIDCPassClaimsAs <> latin1; see #957 + - Note that the encoding - including the existing "base64url" - apply to + both header and environment variables as well now + * Bugfixes + - switch to using apr_generate_random_bytes instead of apr_uuid_get to + generate session identifiers so there's no longer a (rather implicit) + dependency on a libapr that is compiled against libuuid on Linux + platforms; see #431, #603 and #694 + - fix cache file backend: delete the correct file upon logout; closes #955 + - fix cleanup 
of semaphores on graceful restarts; see #522, closes #458 + - fix OIDCProviderMetadataRefreshInterval since it was interpreted in + microseconds instead of the documented and intended seconds; setting in + to seconds would effectively turn of caching and pull the configuration + document on each request + - define APLOG_TRACE1 if it does not exist + - correct ap_hook_insert_filter function signature in stub.c, part 3; see #784 + - fixed printout of cache mutex errors in cache/common.c + - prefer APR_LOCK_POSIXSEM over APR_LOCK_DEFAULT in apr_global_mutex_create + which is apparently required for (some) ARM based builds + - fix potential memory leak in proto.c when oidc_util_create_symmetric_key fails + - fix potential memory leak in proto.c when oidc_proto_validate_access_token + fails (at_hash validation) + +------------------------------------------------------------------- +Mon Oct 17 14:32:15 UTC 2022 - Michael Ströder + +- update to 2.4.12 + * Features + - allow storing the id_token in a client-cookie based session; see #812 and #888 + - allow setting connection pool parameters for Memcache server connections; see #916 + - add option to set a username for Redis authentication via OIDCRedisCacheUsername + - register request_object_signing_alg in dynamic client registration when using request_uri + * Bugfixes + - increase size of the output buffer when using libpcre2 for substitution; closes #915 + - support OIDCSessionInactivityTimeout values greater than 30 days + when using Memcache; see #936 + - allow for step-up discovery with an external URL using HTML refresh; + fixes behaviour on CentOS 7/8 when combined with ProxyPass + - apply exact length matching for at_hash and c_hash validation + - store access token obtained from backchannel in session over the one + returned in the frontchannel for code token and code id_token token flows + - check ID token signed response algorithm on backchannel logout_token + and retrieve its configuration value from the 
client metadata file + +------------------------------------------------------------------- +Tue Aug 23 13:51:51 UTC 2022 - Michael Ströder + +- update to 2.4.11.3 + * Bugfixes + - avoid memory leak when using PCRE2 regular expressions with + array matching; closes #902 + - avoid memory leak when cjose_jws_get_plaintext fails; closes #903 + - fix handling of IPv6 based logout URLs + * Features + - Use optionally provided sid and iss request parameters during + front channel logout; see #855 + - support Forwarded header in addition to X-Forwarded-*; see #853 + +------------------------------------------------------------------- +Mon Jul 25 09:25:37 UTC 2022 - Michael Ströder + +- removed obsolete BuildRequires autoconf and automake +- update to 2.4.11.2 + + release 2.4.11.2 + * Features + - add support for Apache expressions in OIDCPathAuthRequestParams and OIDCPathScope; see #594 + * Bugfixes + - add Cache-Control headers to logout response; see #846; thanks @blackwhiser1 + * Other + - don't strip the header from encrypted JWTs as future versions of cjose may use compact + - encoding for JWEs; this slightly increases state cookie size, by-value session cookies + - and encrypted cache contents again at the benefit of forward cjose compatibility + + release 2.4.11.1 + * Bugfixes + - fix OIDCUnAuthAction pass not passing claims for authenticated users, see #790, thanks @cm0s + - fix race conditions in the file cache backend, see #777, thanks @dbakker and @blackwhiser1 + - fix memory leaks over graceful restarts, see #823 and #824, thanks @smanolache + - avoid using %llu print formatter and switch to %lu for unsigned long so it works cross platform + - add a check to make sure URLs do not contain unencoded Unicode characters, see #796, thanks @cnico + * Features + - warn about mismatch between incoming X-Forwarded-* headers and OIDCXForwardedHeaders configuration + - add support for OpenSSL 3.0 + * Other + - remove test-cmd jwk2cert command + - correct 
ap_hook_insert_filter function signature in stub.c, part 2, closes #784, thanks @stroeder + - add Valgrind Github action + + release 2.4.11 + * Bugfixes + - fix use of regular expressions in Require statements + - no longer defer multi-OP Discovery to the content handler to allow RequireAll and Require not directives in multi-OP setups; closes #775; thanks @rajeevn1 + - improve handling session duration expiry when combined with OIDCUnAuthAction pass or Discovery; see #778 + - terminate on startup when the crypto passphrase generated by exec: is empty; see #767 + - allow authorization on info requests, see #746 + - avoid debug printout of payload as header when the latter is stripped + - fix race condition in file cache backend reading truncated files under load; see #777; thanks @dbakker + * Features + - make interpretation of X-Forwarded-* headers configurable, defaulting to none so mod_auth_openidc running behind a reverse proxy that sets X-Forwarded-* headers needs explicit configuration of OIDCXForwardedHeaders + - make X-Frame-Options header returned on OIDC front-channel logout requests configurable through OIDCLogoutXFrameOptions; closes #464 + - add x5t to JWT header in private_key_jwt client assertions; for interop with Azure AD; see #762; thanks @juur + - improve detection of suspicious redirect URLs; add test list + - add administrative session revocation capability via ?revoke_session= + * Packaging + - add support for libpcre2; see #740 + - add AM_PROG_CC_C_O to configure.ac (at least for RHEL 7.7); see #765; thanks @bitmagewb + - include in jose.c to compile with OpenSSL 1.0.x + - install taking into account DESTDIR; see #674; thanks @alerque + + release 2.4.10 + * Features + - add check for Sec-Fetch-Dest header != "document" value and Sec-Fetch-Mode header != "navigate" to auto-detect requests that are not capable of handling an authentication round trip to the Provider; see #714; thanks @studersi + - add redirect/text options to OIDCUnAutzAction; 
see #715; thanks @chrisinmtown + - log require claims failure on info level + - backport ap_get_exec_line, supporting the exec: option in OIDCCryptoPassphrase to Apache 2.2 + * Bugfixes + - return HTTP 200 for OPTIONS requests in auth-openidc mixed mode + - don't apply claims based authorization for OPTIONS requests so paths protected with Require claim directives will now also return HTTP 200 for OPTIONS requests + - fix memory leak when parsing JWT access token fails (in RS mode) + - fix regexp substition crash using OIDCRemoteUserClaim; thanks @nneul; closes #720 + * Packaging + - complete usage of autoconf/automake; see #674 + - add .deb for Debian Bullseye + +------------------------------------------------------------------- +Fri Sep 3 17:47:35 UTC 2021 - Michael Ströder + +- update to 2.4.9.4 + * Security + - prevent open redirect by applying OIDCRedirectURLsAllowed setting to + target_link_uri; closes #672 + * Bugfixes + - don't apply authz in discovery process; fixes step up authentication + when combined with Discovery + +------------------------------------------------------------------- +Fri Aug 27 09:50:50 UTC 2021 - Michael Ströder + +- update to 2.4.9.3 + * Bugfixes + - don't apply authz to the redirect URI; fixes ac56864 + +------------------------------------------------------------------- +Tue Aug 24 07:26:05 UTC 2021 - pgajdos@suse.com + +- use declared tarball + +------------------------------------------------------------------- +Mon Aug 23 19:39:44 UTC 2021 - Michael Ströder + +- update to 2.4.9.2 + * Bugfixes + - fix graceful restart (regression); see #458 + * Features + - preserve session cookie in the event of a cache backend failure + - update the id_token in the session cache if one is provided while + refreshing the access token + +------------------------------------------------------------------- +Fri Aug 13 17:57:57 UTC 2021 - Michael Ströder + +- update to 2.4.9.1 + fix retried Redis commands after a reconnect; see #642 + 
+------------------------------------------------------------------- +Fri Jul 23 07:46:56 UTC 2021 - Michael Ströder + +- Update to version 2.4.9 + * Security + - use redisvCommand to avoid crash with crafted key when using Redis + without encryption; thanks @thomas-chauchefoin-sonarsource + - replace potentially harmful backslashes with forward slashes when + validating redirection URLs; thanks @thomas-chauchefoin-sonarsource + - avoid XSS vulnerability when using OIDCPreservePost On and supplying + URLs that contain single quotes; thanks @oss-aimoto + - return OK in the content handler for calls to the redirect URI and when + preserving POST data; prevent (intermittent) disclosure of content + hosted at a (non-vanity) redirect URI location + - use encrypted JWTs for storing encrypted cache contents and + avoid using static AAD/IV; thanks @niebardzo + * Bugfixes + - verify that alg is not none in logout_token explicitly + - don't clear POST params authn on token revocation; thanks @iainh + - fix a problem where the host and port are calculated incorrectly when using literal ipv6 address. 
+ * Other + - make session not found on backchannel logout produce a log warning instead of error + - handle discovery in the content handler + - strip A256GCM JWT header from encrypted JWTs used for state cookies, + cache encryption and by-value session cookies resulting in smaller + cookies and reduced cache content size +- Fix CVE-2021-32785 format string bug via hiredis + (CVE-2021-32785, bsc#1188638) +- Fix CVE-2021-32786 open redirect in logout functionality + (CVE-2021-32786, bsc#1188639) + +------------------------------------------------------------------- +Wed Jun 2 19:04:56 UTC 2021 - Michael Ströder + +- Use autogen.sh to generate missing configure script +- Update to version 2.4.8.4 + * Bugfixes + - do not send state timeout HTML document when OIDCDefaultURL is set; + this can be overridden by using e.g.: + SetEnvIfExpr true OIDC_NO_DEFAULT_URL_ON_STATE_TIMEOUT=true + - avoid Apache 2.4 appending 400/302(200/404) HTML document text to + state timeout HTML info page see also f5959d7 and #484; at least Debian + Buster was affected + * Other + - make error "session corrupted: no issuer found in session" a warning + only so a logout call for a non-existing session no longer produces + error messages + +------------------------------------------------------------------- +Tue May 18 15:51:56 UTC 2021 - Michael Ströder + +- Update to version 2.4.8.2 + * store timestamps in session in seconds to avoid string conversion + problems on some (libapr-1) platform build/run combinations, causing + "maximum session duration exceeded" errors + +------------------------------------------------------------------- +Fri May 7 17:38:51 UTC 2021 - Michael Ströder + +- Update to version 2.4.8.1 + * Bugfixes + - fix potential crash when the Content-Type header is not set in POST requests + - avoid jwt/proto_state json_object memory leaks on cache failures + - when an OAuth 2.0 RS token scope/claim authorization (401 ) error + occurs, add a OIDC_OAUTH_BEARER_SCOPE_ERROR 
environment variable for + usage with mod_headers, instead of adding a header ourselves; see #572 + * Features + - add options to configure Redis connectivity timeouts with + OIDCRedisCacheConnectTimeout and OIDCRedisCacheTimeout + - add OIDCClientTokenEndpointKeyPassword option to set a private key + password for the client's private key to be used against the token + endpoint; see #576 + +------------------------------------------------------------------- +Mon Apr 12 07:49:03 UTC 2021 - pgajdos@suse.com + +- test package + +------------------------------------------------------------------- +Sun Apr 11 12:14:14 UTC 2021 - Andreas Stieger + +- fix installation path on Factory (boo#1184572) +- switch to bootstrapped tarball +- package the license, docs and sample config + +------------------------------------------------------------------- +Mon Apr 5 22:41:02 UTC 2021 - Michael Ströder + +- Update to version 2.4.7 + * Bugfixes + - avoid logged-out sessions remaining (valid) in the session cache: + remove session from cache before clearing it; see #542 + * Features + - add maximum session lifetime (exp), inactivity timeout (timeout) + and remote_user to OIDCInfoHook; closes #541 + * Security + - add opt-out on sub check in userinfo endpoint response using the + (undocumented) OIDC_NO_USERINFO_SUB environment variable, + for backwards (but insecure) compatibility, see #544 + * Dependencies + - libcjose >= 0.5.1 + - if your distribution does not provide libcjose in its package repository, + recent packages for a number of platforms are available from the "Assets" + section in release 2.4.0 + +------------------------------------------------------------------- +Thu Apr 1 12:13:33 UTC 2021 - pgajdos@suse.com + +- require hiredis only for newer distros than SLE-15 [jsc#SLE-11726] + +------------------------------------------------------------------- +Thu Feb 18 07:43:54 UTC 2021 - pgajdos@suse.com + +- re-download tarball + 
+------------------------------------------------------------------- +Wed Feb 17 18:34:10 UTC 2021 - Michael Ströder + +- Update to version 2.4.6 + * Bugfixes + - don't set SameSite=None on cookies when on plain http + - fix semaphore cleanup on graceful restarts; see #522 + - fix inconsistent public/private keys loading order; closes #515 + - return HTTP 400 Bad Request instead of 500 Internal Server Error when state cookie matching fails + - optimize Redis AUTH execution once per connection + - avoid segmentation fault when hitting an endpoint configured with + AuthType openid-connect in an OAuth 2.0 only setup; see #529 + - make sure the module compiles with Apache 2.2 for passphrase exec: + * Features + - add Redis database selection option with OIDCRedisCacheDatabase; closes #423 + - add base64url option to OIDCPassClaimsAs primitive; closes #417 + - add environment variable to control libcURL CURLOPT_SSL_OPTIONS behaviors e.g.: + - SetEnvIfExpr true CURLOPT_SSL_OPTIONS=CURLSSLOPT_NO_REVOKE + - removed support for https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state + * Security + - avoid displaying the client_secret in debug logs + * Dependencies + - libcjose >= 0.5.1 + +------------------------------------------------------------------- +Mon Nov 23 19:50:22 UTC 2020 - Michael Ströder + +- Update to version 2.4.5 + * Features + - disable caching token introspection results by setting + OIDCOAuthTokenIntrospectionInterval to -1 + - add exec support to OIDCCryptoPassphrase + - delete stale session cookies that aren't in the cache + - allow OIDCDiscoverURL to be a relative URL + - add OIDCCABundlePath for configuring path to curl CA bundle + * Bugfixes + - enable authentication of sub-requests when the main request + doesn't require authentication + - fix content processing for info and JWKs handler so mod_headers etc. 
+ work; closes #497 + - avoid Apache 2.4 appending 401 HTML document text to step-up + authentication HTML refresh page; closes #484 + - add config check for OIDCCryptoPassphrase in OAuth 2.0 RS setup with + cache encryption enabled + - populate AUTH_TYPE when performing authentication + - improve sanity checking on Redis reply + * Security + - ensure that sub is returned from the userinfo endpoint following + https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse; + prevents potential ID spoofing + - don't printout JSON errors about NULL characters in error log + - restrict printout of JSON parsing errors to 4096 bytes + +------------------------------------------------------------------- +Wed Sep 9 17:42:14 UTC 2020 - Michael Ströder + +- Update to version 2.4.4.1 + * Bugfixes + - add SameSite=None attribute on cookie clearance / logout and make sure it works in OP iframes + * Packaging + - the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section in release 2.4.0 + +------------------------------------------------------------------- +Tue Sep 1 23:57:08 UTC 2020 - Michael Ströder + +- Update to version 2.4.4 + * Security + - prevent XSS and open redirect on OIDC session management OP iframe, + introducing generic OIDCRedirectURLsAllowed primitive; thanks Andrew Brady + - add OIDCStateCookiePrefix primitive for the state cookie prefix to anonymise the state cookie name + * Bugfixes + - fix double Set-Cookie behaviour when using OIDCSessionType client-cookie, + calling the session info hook and writing out a session update (twice); thanks @deisser + - reverse order of creating HTML response and writing the (client-type) + session cookie in the session info hook so the session data is actually saved; thanks @deisser + - delete state cookie when it cannot be decoded/decrypted + - avoid an Apache authorisation error and HTTP 500 when logout is triggered by a different RP + * Features + - add conditional 
expression to OIDCUnAuthAction to override auto-detection of + non-browser requests; see #479; thanks @raro42 and @marcstern + * Other + - fixes for various compiler warnings/issues (older and newer versions of GCC) + - add grant_types to dynamic client registration request [OIDC conformance test suite] + - don't send access_token in user info request when method is set to POST + [OIDC conformance test suite] + - add recommended cache headers on backchannel logout response + https://openid.net/specs/openid-connect-backchannel-1_0.html#rfc.section.2.8 [OIDC conformance test suite] + - allow Content-Type check on backchannel logout to have postfixes (utf-8 etc.) [OIDC conformance test suite] + +------------------------------------------------------------------- +Tue Aug 11 08:20:49 UTC 2020 - Michael Ströder + +- Update to version 2.4.3 + * Bugfixes + - prevent open redirect on refresh token requests + - add new OIDCRedirectURLsAllowed primitive to handle post logout + and refresh-return-to validation + addresses #453; closes #466 + - when stripping cookies, add a space between cookies in the resulting header (required by RFC 6265) + - fix compilation against Apache 2.0 + * Features + - add OIDCStateInputHeaders that allows configuring the header values + used to calculate the fingerprint of the state during authentication + - added OIDCValidateIssuer primitive to allow for disabling of issuer + matching, helps to support multi-tenant applications i.e. 
Microsoft AAD + +------------------------------------------------------------------- +Wed Mar 25 14:25:24 UTC 2020 - Martin Hauke + +- Update to version 2.4.2.1 + Changes since 2.4.1: + * oops: fix json_deep_copy of claims + * fix memory leak in OAuth 2.0 JWT validation + * fix configured private/public key cleanup on process exit + * allow for expressions in Require statements, see #469 + * always refresh keys from jwks_uri when there is no kid in the + JWT header + * destroy shared memory segments only in parent process; see #458 + * fix memory leaks introduced by #457 + * if content was already returned via html/http send then don't + return 500 but send 200 to avoid extraneous internal error + document text to be sent on some Apache 2.4.x versions + * if OIDCPublicKeyFiles contains a certificate, the corresponding + x5c, x5t and x5t#256 parameters will be added to the generated + jwkset available at "?jwks=rsa" + - fix: also add SameSite=None to by-value session cookies + - try to fix graceful restart crash; see #458 + +------------------------------------------------------------------- +Fri Jan 31 14:01:12 UTC 2020 - Michael Ströder + +- Update to version 2.4.1 + * This release primarily addresses upcoming changes in + SameSite Set-Cookie behaviour in Chrome and Firefox + +------------------------------------------------------------------- +Wed Oct 30 10:54:48 UTC 2019 - Kristyna Streitova + +- Update to version 2.4.0.3 + +Security + * improve validation of the post-logout URL parameter on logout; + thanks AIMOTO Norihito; closes #449 + [bsc#1153666], [CVE-2019-14857] + +Bugfixes + * changed storing POST params from localStorage to sessionStorage + due to some issue of losing data in localStorage in Firefox + (private mode); fixes #447 #441 + +------------------------------------------------------------------- +Thu Aug 22 20:40:24 UTC 2019 - Michael Ströder + +- Update to version 2.4.0 + +Important + * version 2.4.0 carries quite a number of relatively small 
changes (see: + Bugfixes and Features below) that are subtle but may impact runtime + behavior nevertheless; you should verify an upgrade in a test environment + before rolling out to production + * this release deprecates the OAuth 2.0 Resource Server functionality + which is now implemented as a separate module mod_oauth2. + +Bugfixes + * URL-encode client_id/client_secret when using client_secret_basic according to: + https://tools.ietf.org/html/rfc6749#section-2.3.1 + * fix parsing and caching of OIDCOAuthServerMetadataURL; thanks Lance Fannin + * fix oidc_proto_html_post auto-post-submit so it no longer results in + duplicate parentheses; closes #440; thanks @gobreak + * fix RSA JWK x5c parsing issue (e.g. when parsing n fails): explicitly set the kid into to JWK + * fix OIDCOAuthAcceptTokenAs post so POST data is propagated and not lost; see #443 + * fix JWT decryption crashing on non-null terminated input + * fix not clearing claims in session when setting claims to null; closes #445; thanks @FilipVujicic + +Features + * support refresh and access tokens revocation from an RFC 7009 endpoint + upon OIDC session logout + * make sure the content handler is called for every request to the + configured Redirect URI so all Apache processing is executed (e.g. 
+ setting headers with mod_headers) before returning the response; thanks + Don Sengpiehl (NB: this may affect browser behavior and backwards + compatibility) + * add ability to view session info in HTML via the session info hook via + +- Update to version 2.3.11 + Features + * dynamically pass query params to the authorization request + + using OIDCAuthRequestParams foo=# and/or OIDCPathAuthRequestParams foo=# + * add session expiry info to session info hook response + + session inactivity key is timeout now (was exp) + + session expiry key is exp + Other + * allow compilation without memcache support on older platforms + not providing apr_memcache.h + +------------------------------------------------------------------ +Wed Feb 20 08:16:59 UTC 2019 - Martin Hauke + +- Update to version 2.3.10.2 + * fix XSS vulnerability CSNC-2019-001 wrt. poll parameter in + OIDC Session Management RP iframe + * fix bug in current URL detection where query parameters would + be duplicated + * fix warning printout in oidc_delete_oldest_state_cookies + * fix encryption buffer tag length mismatch + * retain the unparsed URL path in current/original URL determination, + and thereby preserve and support URL-encoded characters in paths + when redirecting back to the original URL + * add state to code exchange token requests only in multi-provider + setups + * optionally delete the oldest state cookie(s) + * add support for refreshing an access token associated with an + OIDC session using OIDCRefreshAccessTokenBeforeExpiry + * fix parsing of cookie name in OIDCOAuthAcceptTokenAs when the cookie + option is not listed last + * fix OAuth 2.0 RS config check when OIDCOAuthServerMetadataURL is set + * add support for draft https://www.ietf.org/id/draft-ietf-oauth-mtls-12.txt + OAuth 2.0 Mutual TLS Client Certificate Bound Access Tokens when + running as an OAuth 2.0 RS, validating cnf["x5t#S256"] claims. 
+ * ignore/trim spaces in X-Forwarded-* headers + * deal with forwarding proxy setups + * improve OIDC backchannel logout based on config/Discover + * add OIDCProviderBackChannelLogoutSupported config primitive + * parse/interpret `backchannel_logout_supported` in Discovery document + * add `id_token_token_binding_cnf`: `tbh` to dynamic client registration + metadata + * support backchannel logout according to: + https://openid.net/specs/openid-connect-backchannel-1_0.html + * add test-cmd command to generate hashes base64urlencoded inputs + (cnf/tbh claims) + * support Token Binding for Access Tokens according to: + https://tools.ietf.org/html/draft-ietf-oauth-token-binding + * support nested arrays in Require claim authorization evaluation + +------------------------------------------------------------------- +Fri Nov 9 16:38:07 UTC 2018 - kstreitova@suse.com + +- submission to SLE15SP1 because of fate#324447 +- build with hiredis only for openSUSE where hiredis is available +- add a version for jansson BuildRequires + +------------------------------------------------------------------- +Tue Oct 30 11:04:27 UTC 2018 - kstreitova@suse.com + +- update to 2.3.8 +- changes in 2.3.8 + * fix return result FALSE when JWT payload parsing fails + * add LGTM code quality badges + * fix 3 LGTM alerts + * improve auto-detection of XMLHttpRequests via Accept header + * initialize test_proto_authorization_request properly + * add sanity check on provider->auth_request_method + * allow usage with LibreSSL + * don't return content with 503 since it will turn the HTTP + status code into a 200 + * add option to set an upper limit to the number of concurrent + state cookies via OIDCStateMaxNumberOfCookies + * make the default maximum number of parallel state cookies + 7 instead of unlimited + * fix using access token as endpoint auth method in + introspection calls + * fix reading access_token form POST parameters when combined + with `AuthType auth-openidc` +- changes in 2.3.7 + * 
abort when string length for remote user name substitution + is larger than 255 characters + * fix Redis concurrency issue when used with multiple vhosts + * add support for authorization server metadata with + OIDCOAuthServerMetadataURL as in RFC 8414 + * refactor session object creation + * clear session cookie and contents if cache corruption is detected + * use apr_pstrdup when setting r->user + * reserve 255 characters in remote username substition instead of 50 +- changes in 2.3.6 + * add check to detect session cache corruption for server-based + caches and cached static metadata + * avoid using pipelining for Redis + * send Basic header in OAuth www-authenticate response if that's + the only accepted method; thanks @puiterwijk + * refactor Redis cache backend to solve issues on AUTH errors: + a) memory leak and b) redisGetReply lagging behind + * adjust copyright year/org + * fix buffer overflow in shm cache key set strcpy + * turn missing session_state from warning into a debug statement + * fix missing "return" on error return from the OP + * explicitly set encryption kid so we're compatible with + cjose >= 0.6.0 +- changes in 2.3.5 + * fix encoding of preserved POST data + * avoid buffer overflow in shm cache key construction + * compile with with Libressl + +------------------------------------------------------------------- +Fri Apr 27 13:39:45 UTC 2018 - vcizek@suse.com + +- update to 2.3.4 +- requested in fate#323817 + +------------------------------------------------------------------- +Wed Dec 13 11:19:58 UTC 2017 - christof.hanke@mpcdf.mpg.de + +- initial packaging + diff --git a/apache2-mod_auth_openidc.spec b/apache2-mod_auth_openidc.spec new file mode 100644 index 0000000..7edcbed --- /dev/null +++ b/apache2-mod_auth_openidc.spec 
@@ -0,0 +1,69 @@ +# +# spec file for package apache2-mod_auth_openidc +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: apache2-mod_auth_openidc +Version: 2.4.16.3 +Release: 0 +Summary: Apache2.x module for an OpenID Connect enabled Identity Provider +License: Apache-2.0 +Group: Productivity/Networking/Web/Servers +URL: https://github.com/zmartzone/mod_auth_openidc/ +Source: https://github.com/zmartzone/mod_auth_openidc/releases/download/v%{version}/mod_auth_openidc-%{version}.tar.gz +BuildRequires: apache-rpm-macros +BuildRequires: apache2-devel +BuildRequires: pkgconfig +BuildRequires: pkgconfig(cjose) >= 0.5.1 +BuildRequires: pkgconfig(jansson) >= 2.0 +BuildRequires: pkgconfig(libcurl) +BuildRequires: pkgconfig(libpcre) +BuildRequires: pkgconfig(openssl) >= 1.0.1 +Requires: %{apache_mmn} +Requires: %{apache_suse_maintenance_mmn} +%if 0%{?suse_version} >= 1550 +BuildRequires: hiredis-devel +%endif + +%description +This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. 
+ +%prep +%setup -q -n mod_auth_openidc-%{version} + +%build +%configure \ +%if 0%{?is_opensuse} > 0 + %{?_with_hiredis} \ +%else + %{?_without_hiredis} \ +%endif + +%make_build + +%install +install -D -m0755 .libs/mod_auth_openidc.so %{buildroot}%{apache_libexecdir}/mod_auth_openidc.so + +%check +make -j1 test + +%files +%license LICENSE.txt +%doc ChangeLog README.md AUTHORS +%doc auth_openidc.conf +%{apache_libexecdir}/mod_auth_openidc.so + +%changelog diff --git a/mod_auth_openidc-2.4.16.3.tar.gz b/mod_auth_openidc-2.4.16.3.tar.gz new file mode 100644 index 0000000..cec7a65 --- /dev/null +++ b/mod_auth_openidc-2.4.16.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dbf162bbdf7e650d9dc8d10ffa627aeee660908018161006dbe6c1b89b0b0fb8 +size 675468
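Review bot: the hiredis switch in %build does not do what the %if suggests: `%{?_with_hiredis}` and `%{?_without_hiredis}` expand only when rpmbuild is invoked with `--with hiredis` / `--without hiredis`, and in a plain OBS build both expand to nothing, so the configure line becomes a bare `%configure` and Redis support is left to configure's auto-detection instead of the packager's intent. Pass the flags literally (`--with-hiredis` / `--without-hiredis`, assuming upstream's configure accepts those names) and key them on the same condition as the BuildRequires: the BuildRequires uses `0%{?suse_version} >= 1550` while %build tests `0%{?is_opensuse} > 0`, so a Leap-style openSUSE build (is_opensuse set, suse_version below 1550) would request hiredis without hiredis-devel being installed, and a non-openSUSE 1550 build installs hiredis-devel while nominally disabling it. The Nov 2018 .changes entry records "build with hiredis only for openSUSE", so the later switch to the suse_version test should also get a .changes entry.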
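Review bot: the only integrity anchor for mod_auth_openidc-2.4.16.3.tar.gz is the git-lfs oid `sha256:dbf162bbdf7e650d9dc8d10ffa627aeee660908018161006dbe6c1b89b0b0fb8` committed here; the spec carries no upstream signature or keyring Source and %prep performs no verification, so a tampered tarball would only be caught if the LFS pointer in this repository is itself trusted. If upstream publishes a detached signature for the release, add it as `Source1` with a matching `%{name}.keyring` so the download is checked independently of the repository; otherwise note in the .changes how the sha256 was verified against the upstream release.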