release 2.4.16.6

Bugfixes

• metadata: fix caching of JWKs from jwks_uri when using the default expiry setting (i.e. not using OIDCJWKSRefreshInterval) and avoid fetching JWKs from the jwks_uri for each user login; also addresses Redis cache error entries the log [ERR invalid expire time in 'setex' command] (regression in 2.4.16-2.4.16.5)
• info: fix requests to the info hook with extend_session=false; see #1279; thanks @fnieri-cdp
  • properly reflect the (unmodified) inactivity timeout in the response (in thetimeout claim)
  • avoid refreshing an access token (since the session is not saved)
  • avoid refreshing claims from the user info endpoint, and possibly refreshing the access token
• cookie: OIDCCookieSameSite default behaviour Lax
• cookie: apply OIDCCookieSameSite Off/None properly to state cookies instead of always setting Lax
• cache: avoid segfault and improve error reporting in case apr_temp_dir_get fails when a temp directory cannot be found on the system upon initaliizing cache mutexes and the file cache; see #1288; thanks @ErmakovDmitriy

Features

• cookie: allow specific settings Strict|Lax|None|Disabled for OIDCCookieSameSite in addition to On(=Lax)|Off(=None)
  • re-introduces the option to configure a Strict SameSite session cookie policy, which will turn the initial Lax session cookie - set upon receving the response to the Redirect URI - into a Strict session cookie immediately after the first application request
  • cookie: allows for a Disabled value that does not set any SameSite flag on the cookies, in which case a browser falls back to its default browser behaviour (which should be Lax by spec)
• http: add option to set local address for outgoing HTTP requests; see #1283; thanks @studersi using e.g. SetEnvIfExpr true OIDC_CURL_INTERFACE=192.168.10.2

Other

• metadata: allow plain HTTP URLs in metadata elements jwks_uri and signed_jwks_uri to ensure backwards compatibility with <=2.4.15.7 and to support private/test deployments
• code: address warnings from static code analysis tool CodeChecker
• init: try and address metris cleanup segmentation fault on shutdown; see #1207 by not flushing metrics to the shared memory segment upon exit

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.5

Bugfixes

• add backwards compatibility with versions older than 2.4.16.x wrt. ID token aud claim validation:
  accept the ID token when our client_id is provided as one of the values in a JSON array of string values in the aud claim; required by (at least) Oracle IDCS see #1272 and #1273; thanks @lufik and @tydalforce
• add OIDCIDTokenAudValues configuration primitive that allows for explicit - and exhaustive - configuration of the list of accepted values in the aud claim of the ID token i.e. as required for passing FAPI 2 conformance testing

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.4

Bugfixes

• add the missing copy of the "x5t" claim in oidc_jwk_copy, which broke private_key_jwt authentication to Microsoft Entra ID / Azure AD since 2.4.13; see #1269; thanks @uoe-pjackson
• fix accepting custom cookie names in OIDCOAuthAcceptTokenAs cookie:<name>; regression in 2.4.16.1...2.4.16.3; see #1261; thanks @bbartke

Other

• change warnings about not passing unknown claim types into debug messages; see #1263; thanks @nclarkau
• use compact encoding and preserve claim order where appropriate for most cases of JSON/JWT serialization
• improve basic authentication parsing when using OIDCOAuthAcceptTokenAs basic

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.3

Bugfixes

• fix segfault in child process initialization routine when using Redis and/or Metrics settings in vhosts; closes #1208; thanks @studersi and Brent van Laere
• fix OIDCCacheShmMax min/max settings; see #1260; thanks @bbartke
• allow overriding globally set OIDCCacheType back to shm in individual vhosts

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.2

Note that a custom OIDCCacheShmMax setting cannot be configured with this release.

Bugfixes

• fix regressions from the configuration rewrite in 2.4.16/2.4.16.1
  • fix setting OIDCPKCEMethod none; closes #1256; thanks @eoliphan
  • fix disabled OIDCStateCookiePrefix command; closes #1254; thanks @damisanet
• re-introduce OIDCSessionMaxDuration 0; see #1252; thanks @amitmun
• improve resilience in case both Forwarded and X-Forwarded-* headers are configured and only X-Forwarded-* is passed in

Other

• remove support for OIDCHTMLErrorTemplate, deprecated since 2.4.14

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.1

Note that OIDCPKCEMethod none, OIDCSessionMaxDuration 0, OIDCCacheShmMax and OIDCStateCookiePrefix cannot be used in this release, see: #1256, #1252, #1260 and #1254 respectively.

Security

• disable support for the RSA PKCS v1.5 JWE/JWT encryption algorithm as it is considered insecure due to the Marvin attack; it is removed from libcjose >= 0.6.2.3 as well; see GHSA-6x73-979p-x9jr

Features

• add Relying Party support for the FAPI 2.0 Security Profile (OpenID Financial-grade API v2.0)
• add Relying Party support for RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)
  configured through the OIDCDPoPMode [off|optional|required] primitive (dpop_mode in the .conf file in multi-OP setups)
• add support for RFC 9126 OAuth 2.0 Pushed Authorization Requests
  configured through OIDCProviderPushedAuthorizationRequestEndpoint and OIDCProviderAuthRequestMethod PAR
• add the nbf claim to the Request Object
• store the token_type in the session and make it available on the info hook together with the access_token
• replace multi-provider .conf issuer_specific_redirect_uri boolean with response_require_iss boolean
  to require the Provider to pass the iss value in authorization responses, mitigating the OP mixup attack
• return HTTP 502 when refreshing acces token or userinfo fails (default: 502_on_error)
• add support for OIDCOAuthIntrospectionEndpointKeyPassword, i.e. to configure a password for accessing the private key file used for OAuth 2.0 token introspection
• when an expression is configured for OIDCUnAuthAction (i.e. in the 2nd argument), also apply it to OIDCUnAutzAction so that it can be used to enable step-up authentication for SPAs with non-conformant browsers (some versions of Safari) and in (potentially insecure) iframes; see #1205; thanks @ryanwilliamnicholls

Bugfixes

• allow overriding defined global configuration primitives to their default value on the individual vhost level
• various fixes to applying default config values and disallowing global/vhost primitives in directory scopes
• apply input/boundary checking on all configuration and multi-provider metadata values
• memcache: correct dead server check on APR_NOTFOUND; see #1230; thanks @rpluem-vf
• tighten up the aud claim validation for received ID tokens

Other

• version 2.4.1.6 succesfully runs against the OpenID Certification test suite for the OIDC RP and FAPI2 RP profiles
• packages for the recent Ubuntu Noble stable release are added to the Assets section below

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16

superseded by 2.4.16.1 with a bugfix for parsing OIDCXForwardedHeaders, see: #1250

release 2.4.15.7

The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.

Bugfixes

• fix OIDCUserInfoRefreshInterval and interpret the interval as seconds, not as microseconds (broken in 2.4.15.6)

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, Amazon Linux, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.15.6

The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.

Bugfixes

• use SameSite=Lax when OIDCCookieSameSite is On (also the default since 2.4.15) instead of Strict as overriding from Lax to Strict does not work reliably anymore (i.e. on Chrome with certain plugins)
• signed_jwks_url: make the exp claim optional in signed JWK sets (OIDCProviderSignedJwksUri); see #1182; thanks @psteniusubi; ensures interoperability with the OpenID Federation specification
• cache: hash the cache key if it is larger than 512 bytes so large cache key entries (i.e. for JWT tokens) are no longer a problem in unencrypted SHM cache configs, i.e. the default shared memory cache setup; see issues/discussions on "could not construct cache key since key size is too large"
• cache: fix debug printout of cache key in oidc_cache_get introduced in 2.4.15
• http: fix applying the default HTTP short retry interval setting and use 300ms as default value
• userinfo: fix setting the exp claim in userinfo signed JWTs (exp would be now+0) when no expires_in is returned by the OpenID Connect Provider
• userinfo: fix signed JWT caching (if enabled) when the TTL is set to 0 or "" which should apply the exp claim as the cache TTL
• refresh: fix for expires_in string values returned from the token endpoint that would be interpreted as 0; this fixes using OIDCRefreshAccessTokenBeforeExpiry and OIDCUserInfoRefreshInterval with (older) Azure AD configs that would result in a token refresh on every request since 2.4.15 or a 401 in 2.4.14.4
• authz: fix evaluation of Require claim statements for nested array claims
• authz: properly handle parse errors in Require claim <name>:<integer> statements
• fix setting the default PKCE method to none in a multi-provider setup

Other

• userinfo refresh: don't try to refresh the access token and retry when a connectivity error has occurred
• logout: don't try to revoke tokens on post-access-token-refresh or post-userinfo-refresh-errors logouts
• (internal) session state: represent timestamps as JSON integers instead of strings, as also returned from the info hook

Features

• signed_jwks_uri: accept verification key set formatted as either JWK or JWKS; see #1191; thanks @psteniusubi
• redis: enable TCP keepalive on Redis connections by default and make it configurable with:
  OIDCRedisCacheConnectTimeout <connect-timeout> [0|<keep-alive-interval>]
• proto: accept strings as well as integers in the expires_in claim from the token endpoint to cater for non-spec compliant implementations
• userinfo: accept 0 in OIDCUserInfoRefreshInterval which will refresh userinfo on every request
• authz: add support for JSON real and null value matching in Require claim statements

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.15.3

The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.

Security

• fix CVE-2024-24814: prevent DoS when OIDCSessionType client-cookie is set and a crafted Cookie header is supplied, see the advisory; thanks @olipo186

Bugfixes

• rewrite handling of parallel refresh token grant requests
  • temporarily cache the results of the refresh token grant for other (almost) parallel callers
  • fixes handing on the same server, and improves clustered handling through a best-effort distributed cached lock, see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Known-Limitations#parallel-refresh-token-grants
  • improves handling of non-rollover refresh tokens since it avoids superfluous calls to the token endpoint
• avoid crash when Forwarded is not present but OIDCXForwardedHeaders Forwarded is configured for it; see #1171; thanks @daviddpd
• set Redis default retry interval time to 300 milliseconds (instead of 0.5ms) and make it configurable

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]