- version update to 2.4.18
* add Valgrind target to Makefile and to Github Build action
* release 2.4.18
* revise test/check and code coverage functions
* revise autoconf/automake, split over subdirs now
* add tests for memcache TTL
* fix check OIDC_CONFIG_POS_TIMEOUT_UNSET for memcache TTL getter; #1345
* bump to 2.4.18dev
* fix parsing the value set via OIDCMemCacheConnectionsTTL and interpret it in
seconds correctly now (instead of microseconds); see #1345; thanks @rpluem
* use the server process pool for static variable allocation rather than the pconf pool
to prevent possible segmentation faults after (gracefully) restarting the same process
OBS-URL: https://build.opensuse.org/request/show/1303323
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_auth_openidc?expand=0&rev=40
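As an added illustration of the OIDCMemCacheConnectionsTTL fix above (this fragment is not from the upstream changelog or the project's own configuration; server names are placeholders): a memcache cache backend for 2.4.18, where the per-connection TTL is read in seconds.

```apache
# Added example, not the project's own configuration: keep mod_auth_openidc
# state/session/JWKS cache entries in memcache and recycle idle client
# connections. Hostnames and ports are placeholders.
OIDCCacheType memcache
OIDCMemCacheServers "memcache1.internal:11211 memcache2.internal:11211"

# Idle-connection time-to-live in SECONDS as of 2.4.18. Earlier releases
# handed the raw value to apr_memcache, whose connection TTL is expressed in
# microseconds, so a "300" here meant 300 us and connections were torn down
# and re-opened almost immediately (see #1345 above).
OIDCMemCacheConnectionsTTL 300
```

When upgrading from a release before 2.4.18, a value that was chosen to "work" under the old microsecond interpretation (for example 300000000) now means ten years; re-read the directive after the update.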
- version update to 2.4.17.1
* fix usage of OIDCSessionType client-cookie:persistent:store_id_token; see #1331; thanks @rgcv
* fix usage of OIDCPreservePostTemplates, regression in 2.4.17; see #1325; thanks @perry19987
* javascript: use HTMLFormElement.prototype.submit.call(document.forms[0]) on all JavaScript
auto-submit POST forms to prevent the browser JavaScript error "form.submit is not a function"
* metrics: avoid a possible segfault after restarting twice; thanks @atzm
* code: refactor util.c into util/ directory
* allow adding a prefix to the cache (section) key through environment variable OIDC_CACHE_PREFIX
OBS-URL: https://build.opensuse.org/request/show/1288215
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_auth_openidc?expand=0&rev=39
- version update to 2.4.17
* Features
- proto: pass the scope parameter as returned from the token endpoint in the OIDC_scope
header/environment variable and make it available for Require claim scope: purposes,
if not available as a claim returned in the id_token or userinfo endpoint; thanks Amaury Buffet
* Bugfixes
- metadata: fix parsing the OP's token_endpoint_auth_methods_supported and avoid the log error
"oidc_metadata_provider_parse: oidc_provider_token_endpoint_auth_set: invalid value"
and falling back to client_secret_basic after that; thanks François Kooman
- fix memory leaks when using provider specific client keys and/or signed_jwks_uri_key in a
multi-provider setup; thanks Sami Korvonen
- allow for regular Apache processing (e.g. setting response/security headers) by deferring HTML/HTTP
output generation to the content handler (instead of the user ID check handler) for the following use cases:
OIDCProviderAuthRequestMethod POST
OIDCPreservePost On (both internal and template-based)
POST page for the implicit grant type
Request URI handler
internally generated POST logout page
session management RP iframe
session management logout HTML top-window redirect page
OBS-URL: https://build.opensuse.org/request/show/1273582
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_auth_openidc?expand=0&rev=37
- version update to 2.4.16.11 (CVE-2025-31492 [bsc#1240893])
- fix protected content leakage when using OIDCProviderAuthRequestMethod POST, see:
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r
- allow for regular Apache processing (e.g. setting response headers) when using OIDCProviderAuthRequestMethod POST
- core: complete case-insensitive protocol/hostname/domain-name comparisons
2.4.16.10
- core: compare hostnames and domains in a case insensitive way in:
oidc_request_check_cookie_domain
oidc_util_cookie_domain_valid
oidc_validate_redirect_url
oidc_cfg_parse_is_valid_url_scheme
oidc_discovery_target_link_uri_match
- cookie: fix oidc_util_cookie_domain_valid so that it checks the incoming request against OIDCCookieDomain
rather than the OIDCRedirectURI and displays the correct error message if they don't match
2.4.16.9
- cookie: use case insensitive hostname/domain comparison in oidc_check_cookie_domain
- authz: remove the Location header from HTML based step up authentication redirects
as it may conflict with its HTTP 200 status code and confuse middle boxes
- metrics: avoid double-free on shutdown by not calling pthread_exit; fixes #1207; thanks @studersi
- metrics: upon exit, do write cached metrics into shared memory before exiting
OBS-URL: https://build.opensuse.org/request/show/1267826
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_auth_openidc?expand=0&rev=36
- version update to 2.4.16.6
12/05/2024
- metadata: fix caching of JWKs from jwks_uri when using the default expiry setting (i.e. not using OIDCJWKSRefreshInterval)
and avoid fetching JWKs from the jwks_uri for each user login; also addresses Redis cache
error entries in the log: [ERR invalid expire time in 'setex' command]
- avoid segfault and improve error reporting in case apr_temp_dir_get fails when a temp directory cannot be found
on the system upon initializing cache mutexes and file cache; see #1288; thanks @ErmakovDmitriy
11/21/2024
- add option to set local address for outgoing HTTP requests; see #1283; thanks @studersi
using e.g. SetEnvIfExpr true OIDC_CURL_INTERFACE=192.168.10.2
- try and address metrics cleanup segmentation fault on shutdown; see #1207
by not flushing metrics to the shared memory segment upon exit
11/14/2024
- allow specific settings Strict|Lax|None|Disabled for OIDCCookieSameSite in addition to On(=Lax)|Off(=None)
- fix: the default behaviour is Lax
- fix: apply OIDCCookieSameSite Off/None properly to state cookies instead of always setting Lax
- re-introduces the option to configure a Strict SameSite session cookie policy, which will turn the initial
Lax session cookie - set upon receiving the response to the Redirect URI - into a Strict session cookie
immediately after the first application request
- allows for a "Disabled" value that does not set any SameSite flag on the cookies, in which case a browser
falls back to its default browser behaviour (which should be Lax by spec)
11/07/2024
- info: fix requests to the info hook with extend_session=false; see #1279; thanks @fnieri-cdp
- properly reflect the (unmodified) inactivity timeout in the response ("timeout")
- avoid refreshing an access token (since the session is not saved)
- avoid refreshing claims from the user info endpoint, and possibly refreshing the access token
10/23/2024
- metadata: allow plain HTTP URLs in metadata elements `jwks_uri` and `signed_jwks_uri`
to ensure backwards compatibility with <=2.4.15.7 and to support private/test deployments
10/22/2024 (forwarded request 1230123 from pgajdos)
OBS-URL: https://build.opensuse.org/request/show/1232177
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_auth_openidc?expand=0&rev=33
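As an added example covering the OIDCCookieSameSite values and the OIDC_CURL_INTERFACE option described in the 11/14/2024 and 11/21/2024 entries above (not taken from the project's own documentation; the IP address is a placeholder):

```apache
# Added example, not the project's own configuration: cookie SameSite policy
# and egress-interface pinning as available from 2.4.16.6.

# Strict: the session cookie is first set as SameSite=Lax on the response to
# the Redirect URI (so the cross-site POST/redirect from the OP still carries
# it) and is re-issued as SameSite=Strict on the first application request.
# After that a cross-site navigation to a protected page arrives without the
# session cookie and goes through authentication again.
OIDCCookieSameSite Strict

# Alternatives:
#   Lax      the default, also what "On" means
#   None     what "Off" means; browsers only honour it together with Secure
#   Disabled emit no SameSite attribute at all and let the browser apply its
#            own default (Lax in current browsers)
# OIDCCookieSameSite Lax
# OIDCCookieSameSite None
# OIDCCookieSameSite Disabled

# Bind the module's outgoing HTTP requests (token endpoint, userinfo, jwks_uri
# fetches) to one local address, e.g. to match an egress firewall rule.
# The address is a placeholder.
SetEnvIfExpr true OIDC_CURL_INTERFACE=192.168.10.2
```

Before 2.4.16.6 the Off/None setting was not applied to the state cookies, which were always set to Lax; with this release the state cookie follows the configured value as well.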
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_auth_openidc?expand=0&rev=72
- version update to 2.4.16.3
09/06/2024
- allow overriding globally set OIDCCacheType back to shm in vhosts
- correct typo in child initialization routines when using multiple vhosts; closes #1208; thanks @studersi
this fixes possible segmentation faults when using Redis and Metrics settings in vhosts
09/05/2024
- fix OIDCCacheShmMax min/max settings; see #1260; thanks @bbartke
08/29/2024
- fix setting OIDCPKCEMethod none; closes #1256; thanks @eoliphan
08/28/2024
- re-introduce OIDCSessionMaxDuration 0; see #1252
- add some resilience when both Forwarded and X-Forwarded-* are configured
- fix disabled OIDCStateCookiePrefix command; closes #1254; thanks @damisanet
- remove support for OIDCHTMLErrorTemplate, deprecated since 2.4.14
08/26/2024
- fix parsing OIDCXForwardedHeaders; closes #1250; thanks @maltesmann
07/03/2024
- cfg/provider: use oidc_jwk_list_copy when merging client_keys
06/18/2024
- memcache: correct dead server check on APR_NOTFOUND; see #1230; thanks @rpluem-vf
06/08/2024
- support DPoP nonces on requests to the userinfo endpoint
06/06/2024
- add OIDCDPoPMode [off|optional|required] primitive
- store the token_type in the session
06/05/2024
- add "nbf" claim in the Request Object as per https://openid.net/specs/openid-financial-api-part-2-1_0-final.html#rfc.section.5.2.2
06/04/2024
- add (client) support for RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)
- replace multi-provider .conf "issuer_specific_redirect_uri" boolean with "response_require_iss" boolean (forwarded request 1201556 from pgajdos)
OBS-URL: https://build.opensuse.org/request/show/1202153
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_auth_openidc?expand=0&rev=32
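As an added example for the 2.4.16.3 entry above (the per-vhost OIDCCacheType override, OIDCDPoPMode and OIDCPKCEMethod): a two-vhost setup with a global Redis cache that one vhost overrides back to shm. This is not the project's own configuration; all hostnames, URLs, client ids and secrets are placeholders, and the description of the DPoP modes is read from their names rather than from the project's docs.

```apache
# Added example, not the project's own configuration. Placeholders throughout.
OIDCCacheType redis
OIDCRedisCacheServer redis.internal:6379
OIDCCryptoPassphrase "replace-with-a-long-random-passphrase"

<VirtualHost *:443>
    ServerName app.example.com

    OIDCProviderMetadataURL https://op.example.com/.well-known/openid-configuration
    OIDCClientID app-client
    OIDCClientSecret "replace-me"
    OIDCRedirectURI https://app.example.com/protected/redirect_uri

    # RFC 9449 DPoP on token and userinfo requests: off|optional|required.
    # "required" is for a provider known to issue proof-of-possession bound
    # tokens; "optional" when it may still return plain Bearer tokens
    # (mode semantics assumed from the names; check auth_openidc.conf).
    OIDCDPoPMode required

    # PKCE code_challenge method; S256 is the recommended value. "none" is
    # only for providers that reject the code_challenge parameter.
    OIDCPKCEMethod S256

    <Location /protected/>
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName intranet.example.com

    # Single-node vhost that does not share sessions with other servers:
    # override the global Redis setting back to shared memory (allowed
    # again since 2.4.16.3).
    OIDCCacheType shm

    OIDCProviderMetadataURL https://op.example.com/.well-known/openid-configuration
    OIDCClientID intranet-client
    OIDCClientSecret "replace-me-too"
    OIDCRedirectURI https://intranet.example.com/protected/redirect_uri

    <Location /protected/>
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>
```

The same entry notes that the child-initialization typo fixed here could segfault when Redis and metrics were both configured in vhosts, so a mixed redis/shm layout like this one is exactly the shape to re-test after upgrading.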
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_auth_openidc?expand=0&rev=70
- version update to 2.4.15.6
03/14/2024
- fix userinfo refresh interval parsing; closes #1200; thanks @HolgerHees
avoid refreshing userinfo on each request until access token expiry
- store interval as JSON integer in session
- use SameSite=Lax when OIDCCookieSameSite is On (also by default) instead of
Strict as overriding from Lax to Strict does not work reliably anymore (Chrome)
- release 2.4.15.6
03/13/2024
- fix compilation without libhiredis; closes #1195; thanks @HolgerHees
conditionally define oidc_set_redis_connect_timeout
- fix `OIDCPassClaimsAs environment` bug introduced in 2.4.15.4; see #1196; thanks @HolgerHees
- release 2.4.15.5
03/12/2024
- release 2.4.15.4
- fix setting the default PKCE method to "none" in a multi-provider setup
OBS-URL: https://build.opensuse.org/request/show/1161426
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_auth_openidc?expand=0&rev=68