release 2.4.11

Note that as of this release running mod_auth_openidc behind a reverse proxy that sets X-Forwarded-* headers needs explicit configuration of OIDCXForwardedHeaders for mod_auth_openidc to interpret those headers, thus this may break existing configurations if unmodified for the former.

Bugfixes

• fix use of regular expressions in Require statements
• no longer defer multi-OP Discovery to the content handler to allow RequireAll and Require not directives in multi-OP setups; closes #775; thanks @rajeevn1
• improve handling session duration expiry when combined with OIDCUnAuthAction pass or Discovery; see #778
• terminate on startup when the crypto passphrase generated by exec: is empty; see #767
• allow authorization on info requests, see #746
• avoid debug printout of payload as header when the latter is stripped
• fix race condition in file cache backend reading truncated files under load; see #777; thanks @dbakker

Features

• make interpretation of X-Forwarded-* headers configurable, defaulting to none so mod_auth_openidc running behind a reverse proxy that sets X-Forwarded-* headers needs explicit configuration of OIDCXForwardedHeaders
• make X-Frame-Options header returned on OIDC front-channel logout requests configurable through OIDCLogoutXFrameOptions; closes #464
• add x5t to JWT header in private_key_jwt client assertions; for interop with Azure AD; see #762; thanks @juur
• improve detection of suspicious redirect URLs; add test list
• add administrative session revocation capability via <redirect_uri>?revoke_session=<sessionid>

Packaging

• add support for libpcre2; see #740
• add AM_PROG_CC_C_O to configure.ac (at least for RHEL 7.7); see #765; thanks @bitmagewb
• include <openssl/bn.h> in jose.c to compile with OpenSSL 1.0.x
• install taking into account DESTDIR; see #674; thanks @alerque

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4 and Mac OS X are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.10

This release improves prevention of state cookies piling up (e.g. for Single Page Applications) by interpreting Sec-Fetc-* headers provided by modern browsers. This also means that - by default - authentication in an iframe is prevented, which may impact existing deployments.

Features

• add check for Sec-Fetch-Dest header != "document" value and Sec-Fetch-Mode header != "navigate" to auto-detect requests that are not capable of handling an authentication round trip to the Provider; see #714; thanks @studersi
• add redirect/text options to OIDCUnAutzAction; see #715; thanks @chrisinmtown
• log require claims failure on info level
• backport ap_get_exec_line, supporting the exec: option in OIDCCryptoPassphrase to Apache 2.2

Bugfixes

• return HTTP 200 for OPTIONS requests in auth-openidc mixed mode
• don't apply claims based authorization for OPTIONS requests so paths protected with Require claim directives will now also return HTTP 200 for OPTIONS requests
• fix memory leak when parsing JWT access token fails (in RS mode)
• fix regexp substition crash using OIDCRemoteUserClaim; thanks @nneul; closes #720

Packaging

• complete usage of autoconf/automake; see #674
• add .deb for Debian Bullseye

Commercial

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.9.4

Security

• prevent open redirect by applying OIDCRedirectURLsAllowed setting to target_link_uri; closes #672; thanks @Meheni

Bugfixes

• don't apply authz in discovery process; fixes step up authentication when combined with Discovery

Dependencies

• libcjose >= 0.5.1

Commercial

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.9.3

Bugfixes

• don't apply authz to the redirect URI; fixes ac56864

Dependencies

• libcjose >= 0.5.1

Commercial

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via [email protected]
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via [email protected]

release 2.4.9.2

Bugfixes

• fix graceful restart (regression); see #458; thanks @Foxite

Features

• preserve session cookie in the event of a cache backend failure; thanks @iainh
• update the id_token in the session cache if one is provided while refreshing the access token; thanks @iainh

Dependencies

• libcjose >= 0.5.1

Commercial

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via [email protected]
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via [email protected]

release 2.4.9.1

Bugfixes

• fix retried Redis commands after a reconnect; see #642; thanks @iainh

Dependencies

• libcjose >= 0.5.1

Commercial

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via [email protected]
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via [email protected]

release 2.4.9

Note that the format of encrypted cache contents have changed and as such existing server side sessions cannot survive an update to 2.4.9. Clearing the cache contents before restarting the Apache server with the upgraded module is advised.

Security

• use redisvCommand to avoid crash with crafted key when using Redis without encryption; thanks @thomas-chauchefoin-sonarsource
• replace potentially harmful backslashes with forward slashes when validating redirection URLs; thanks @thomas-chauchefoin-sonarsource
• avoid XSS vulnerability when using OIDCPreservePost On and supplying URLs that contain single quotes; thanks @oss-aimoto
• return OK in the content handler for calls to the redirect URI and when preserving POST data; prevent (intermittent) disclosure of content hosted at a (non-vanity) redirect URI location
• use encrypted JWTs for storing encrypted cache contents and avoid using static AAD/IV; thanks @niebardzo

Bugfixes

• verify that alg is not none in logout_token explicitly
• don't clear POST params authn on token revocation; thanks @iainh
• fix a problem where the host and port are calculated incorrectly when using literal ipv6 address.

Other

• make session not found on backchannel logout produce a log warning instead of error
• handle discovery in the content handler
• strip A256GCM JWT header from encrypted JWTs used for state cookies, cache encryption and by-value session cookies resulting in smaller cookies and reduced cache content size

Dependencies

• libcjose >= 0.5.1

Commercial

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via [email protected]
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via [email protected]

release 2.4.8.4

Bugfixes

• do not send state timeout HTML document when OIDCDefaultURL is set; this can be overridden by using e.g.: SetEnvIfExpr true OIDC_NO_DEFAULT_URL_ON_STATE_TIMEOUT=true

Dependencies

• libcjose >= 0.5.1

Other

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via [email protected]
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via [email protected]

release 2.4.8.3

Bugfixes

• avoid Apache 2.4 appending 400/302(200/404) HTML document text to state timeout HTML info page see also f5959d7 and #484; at least Debian Buster was affected

Other

• make error "session corrupted: no issuer found in session" a warning only so a logout call for a non-existing session no longer produces error messages

release 2.4.8.2

Bugfixes

• store timestamps in session in seconds to avoid string conversion problems on some (libapr-1) platform build/run combinations, causing "maximum session duration exceeded" errors

Dependencies

• libcjose >= 0.5.1

Other

• binary packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.2, IBM HTTP Server 8/9, Mac OS X and Microsoft Windows 64bit/32bit are available under a commercial agreement via [email protected]
• support for Redis (TLS) Cluster and Redis over TLS is available under a commercial license via [email protected]