release 1.8.0

zandbelt released this 26 Feb 16:32

· 1993 commits to master since this release

d1792bc

2015/03/16: fixed the erronous 32 bit upload of mod_auth_openidc-1.8.0-1.el6.x86_64.rpm

Features

more options for running as (only) an OAuth 2.0 Resource Server
- support for local JWT access token validation using OIDCOAuthVerifyCertFiles, OIDCOAuthVerifySharedKeys and OIDCOAuthVerifyJwksUri, see https://github.com/pingidentity/mod_auth_openidc/wiki/OAuth-2.0-Resource-Server
- support configurable introspection HTTP method: can be POST (default) or GET
support configuration of a maximum session duration (OIDCSessionMaxDuration)

Bug Fixes

avoid including line feeds in header values (@forkbomber and @ekanthi)
- this is a security fix to prevent passing crafted header values in a reverse proxy setup
the response type must now strictly match the requested response type
fix free() crash on simple-valued error printouts
fix returning keys without a kid
fix searching for keys with a x5t thumbprint
fix oauth.introspection_endpoint_method initialization

Other

make Redis support conditional at compilation time using autoconf
preliminary support for GET-style logout (under development in the OIDC WG)

Assets 10