Releases · OpenIDC/mod_auth_openidc

01 Oct 01:17

zandbelt

v2.4.18.1

aac7566

release 2.4.18.1 Latest

Latest

Bugfixes

shm: use _oidc_strcpy instead of _oidc_strncpy to avoid segfaults on some platforms; see #1353; regression since 2.4.16.7, found on Amazon Linux 2023
logout: when revoking tokens at the revocation endpoint with client_secret_jwt or private_key_jwt, use the revocation endpoint as "aud" value (instead of the token endpoint that was used before), unless environment variable OIDC_TOKEN_REVOCATION_AUD is set to "token" (or another literal aud value)
refresh: turn debug printouts on config errors into warnings; see #1349; thanks@CrazyWolf13
pass JSON real claims without trailing zeros, use 8 digits precision instead of 6

Features

improve Redis (and Metrics) performance on process MPMs by using apr_thread_mutex_t (instead of apr_proc_mutex_t) for locking; see #1340

Other

version 2.4.18.1 is certified for the OpenID Foundation's FAPI2 RP Security Final and FAPI2 RP Messaging Final profiles using the OpenID Certification Conformance suite, see: https://openid.net/certification/
test: add util/* coverage tests

Commercial

binary packages for various other platforms such as Microsoft Windows, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7 are available under a commercial agreement via [email protected]
support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

The RPM packages below are signed with the following RSA PGP key:

Assets 11

21 Aug 21:35

zandbelt

v2.4.18

ad2075b

release 2.4.18

Bugfixes

fix segmentation faults upon gracefully restarting the same process: use the server process pool for static variable allocation rather than the pconf pool (regression since 2.4.14)
fix setting OIDCMemCacheConnectionsTTL: interpret the value correctly in seconds instead of microseconds (regression since 2.4.16); see #1345; thanks @rpluem

Other

revise test/check and code coverage functions and split autoconf/automake over src and test subdirs

Packaging

added Debian Trixie package

Commercial

binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

The RPM packages below are signed with the following RSA PGP key:

Contributors

rpluem

Assets 11

29 Jul 19:09

zandbelt

v2.4.17.2

72304a4

release 2.4.17.2

Bugfixes

fix regression in 2.4.17 for processing unauthenticated requests that generate HTML
content, e.g. OIDCProviderAuthRequestMethod POST and OIDCPreservePost On
when protected with Require claim statements rather than just Require valid-user.

Features

support the use of Elliptic Curve keys for private_key_jwt authentication at
the token- and introspection endpoints and make the signing algorithm configurable
for both RSA en EC keys; closes #1336; thanks @rjr162
allow suppressing warnings about (individual) X-Forwarded-* headers; see #1333
through environment variable OIDC_CHECK_X_FORWARDED_HDR_LOG_DISABLE, e.g.:
SetEnvIfExpr true OIDC_CHECK_X_FORWARDED_HDR_LOG_DISABLE=X-Forwarded-Proto

Packaging

added RHEL 10 RPM package

Commercial

binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

The RPM packages below are signed with the following RSA PGP key:

Contributors

rjr162

Assets 10

23 Jun 14:37

zandbelt

v2.4.17.1

b3dea62

release 2.4.17.1

Bugfixes

metrics: avoid possible segfault after restart twice; thanks @atzm
fix usage of OIDCSessionType client-cookie:persistent:store_id_token; see #1331; thanks @rgcv
fix usage of OIDCPreservePostTemplates, regression in 2.4.17; see #1325; thanks @perry19987
javascript: use HTMLFormElement.prototype.submit.call(document.forms[0]) on all Javascript
auto-submit POST forms to prevent browser Javascript error: "form.submit is not a function"
which would occur when an element (i.e. the submit button) in a HTML form has a name or id
with a value "submit" and OIDCPreservePost is set to On

Features

allow adding a prefix to the cache (section) key through environment variable OIDC_CACHE_PREFIX

Commercial

binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

Update 20251018: the *-2 RPM packages are now signed with the following 2048 bit RSA PGP key:

Contributors

atzm, rgcv, and perry19987

Assets 9

22 Apr 06:43

zandbelt

v2.4.17

b2e9915

release 2.4.17

Features

proto: pass the scope parameter as returned from the token endpoint in the OIDC_scope header/environment variable and make it available for Require claim scope: purposes, if not available as a claim returned in the id_token or userinfo endpoint; thanks Amaury Buffet

Bugfixes

metadata: fix parsing the OPs token_endpoint_auth_methods_supported and avoid the log error:
oidc_metadata_provider_parse: oidc_provider_token_endpoint_auth_set: invalid value
and falling back to client_secret_basic after that; thanks François Kooman
fix memory leaks when using provider specific client keys and/or signed_jwks_uri_key in a multi-provider setup; thanks Sami Korvonen
allow for regular Apache processing (e.g. setting response/security headers) by deferring HTML/HTTP output generation to the content handler (instead of user id check handler) for the following use cases:
- OIDCProviderAuthRequestMethod POST
- OIDCPreservePost On (both internal and template-based)
- POST page for the implicit grant type
- Request URI handler
- internally generated POST logout page
- session management RP iframe
- session management logout HTML top-window redirect page

Commercial

binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

Assets 9

06 Apr 08:15

zandbelt

v2.4.16.11

b59b8ad

release 2.4.16.11

Security

request: fix protected content leakage when using OIDCProviderAuthRequestMethod POST; thanks @pjb1008; see:
GHSA-59jp-rwph-878r

Commercial

binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

Contributors

pjb1008

Assets 9

21 Mar 08:31

zandbelt

v2.4.16.10

d1d6a65

release 2.4.16.10

Bugfixes

core: use case insensitive protocol/hostname/domain comparisons everywhere

Commercial

binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

Assets 9

19 Mar 10:23

zandbelt

v2.4.16.9

8dd6c86

release 2.4.16.9

Bugfixes

cookie: use case insensitive hostname/domain comparison in oidc_check_cookie_domain
authz: remove the Location header from HTML based step up authentication responses as it may conflict with its HTTP 200 status code and confuse middle boxes
metrics: avoid double-free on shutdown by not calling pthread_exit; fixes #1207; thanks @studersi

Features

metrics: write cached metrics into shared memory before exiting

Commercial

binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

Contributors

studersi

Assets 9

17 Feb 08:05

zandbelt

v2.4.16.8

6ebf7e8

release 2.4.16.8

Features

metrics: add support for claim value counters in OIDCMetricsData, e.g.:
OIDCMetricsData claim.id_token.amr claim.userinfo.gender
metrics: do not reset Prometheus counters by default, only when explicitly specified
metrics: reset to 0 in case of an integer overflow

Commercial

binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

Assets 9

29 Jan 19:49

zandbelt

v2.4.16.7

65d9365

release 2.4.16.7

Bugfixes

config: fix OIDCProviderRevocationEndpoint (override) for values other than ""; closes #1301; thanks @tarteens
config: add a configuration check for public/private keys when using DPoP; closes #1293; thanks @ahus1
config: avoid NULL pointer dereferencing when no private keys have been configured
http: avoid potentional memory leak on cURL handle if curl_easy_escape/curl_easy_unescape fails
proto: correct the check for the optional token_type parameter returned from a token endpoint request
util: avoid potential crash on non-conformant literal IPv6 addresses
jose: prevent potential memory leaks when zlib compression (deflate) fails

Features

add OIDCProfile to configure OpenID Connect profile behaviours e.g. FAPI20, see auth_openidc.conf
http: report errors when curl_easy_setopt fails in outgoing HTTP requests

Other

v2.4.16.7 is certified for the FAPI 2.0 Relying Party profiles, see: https://openid.net/certification/#FAPI2-RP .
minor code changes all over the place to address issues reported by static code analysis software

Commercial

binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

Contributors

ahus1 and tarteens

Assets 9

Uh oh!

Releases: OpenIDC/mod_auth_openidc

release 2.4.18.1

Uh oh!

release 2.4.18

Contributors

Uh oh!

release 2.4.17.2

Contributors

Uh oh!

release 2.4.17.1

Contributors

Uh oh!

release 2.4.17

Uh oh!

release 2.4.16.11

Contributors

Uh oh!

release 2.4.16.10

Uh oh!

release 2.4.16.9

Contributors

Uh oh!

release 2.4.16.8

Uh oh!

release 2.4.16.7

Contributors

Uh oh!