release 2.4.15.6

The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.

Bugfixes

• use SameSite=Lax when OIDCCookieSameSite is On (also the default since 2.4.15) instead of Strict as overriding from Lax to Strict does not work reliably anymore (i.e. on Chrome with certain plugins)
• signed_jwks_url: make the exp claim optional in signed JWK sets (OIDCProviderSignedJwksUri); see #1182; thanks @psteniusubi; ensures interoperability with the OpenID Federation specification
• cache: hash the cache key if it is larger than 512 bytes so large cache key entries (i.e. for JWT tokens) are no longer a problem in unencrypted SHM cache configs, i.e. the default shared memory cache setup; see issues/discussions on "could not construct cache key since key size is too large"
• cache: fix debug printout of cache key in oidc_cache_get introduced in 2.4.15
• http: fix applying the default HTTP short retry interval setting and use 300ms as default value
• userinfo: fix setting the exp claim in userinfo signed JWTs (exp would be now+0) when no expires_in is returned by the OpenID Connect Provider
• userinfo: fix signed JWT caching (if enabled) when the TTL is set to 0 or "" which should apply the exp claim as the cache TTL
• refresh: fix for expires_in string values returned from the token endpoint that would be interpreted as 0; this fixes using OIDCRefreshAccessTokenBeforeExpiry and OIDCUserInfoRefreshInterval with (older) Azure AD configs that would result in a token refresh on every request since 2.4.15 or a 401 in 2.4.14.4
• authz: fix evaluation of Require claim statements for nested array claims
• authz: properly handle parse errors in Require claim <name>:<integer> statements
• fix setting the default PKCE method to none in a multi-provider setup

Other

• userinfo refresh: don't try to refresh the access token and retry when a connectivity error has occurred
• logout: don't try to revoke tokens on post-access-token-refresh or post-userinfo-refresh-errors logouts
• (internal) session state: represent timestamps as JSON integers instead of strings, as also returned from the info hook

Features

• signed_jwks_uri: accept verification key set formatted as either JWK or JWKS; see #1191; thanks @psteniusubi
• redis: enable TCP keepalive on Redis connections by default and make it configurable with:
  OIDCRedisCacheConnectTimeout <connect-timeout> [0|<keep-alive-interval>]
• proto: accept strings as well as integers in the expires_in claim from the token endpoint to cater for non-spec compliant implementations
• userinfo: accept 0 in OIDCUserInfoRefreshInterval which will refresh userinfo on every request
• authz: add support for JSON real and null value matching in Require claim statements

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]