release 2.4.13.2
Security
- CVE-2023-28625: prevent core dump when OIDCStripCookies is set and a crafted Cookie header is supplied
- GHSA-f5xw-rvfr-24qr: fix code scanning alerts from 2 code scanning tools all over the place
Features
- add support for Elliptic Curve signing/encryption keys in addition to RSA keys,
  i.e. client keys configured in OIDCPrivateKeyFiles/OIDCPublicKeyFiles, published on OIDCClientJwksUri
  and used in private_key_jwt authentication, encrypted id_tokens, request objects/URIs,
  but also statically configured provider keys in OIDCOAuthVerifyCertFiles and OIDCProviderVerifyCertFiles
- record authorization errors in the environment variable OIDC_AUTHZ_ERROR
  so its value can be used in logs, e.g. with HTTP 401 responses in the access log:
  LogFormat "%h %l %u %t %U %401{OIDC_AUTHZ_ERROR}e %>s %b" combined
  also log authorization errors with oidc_debug instead of oidc_info
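As an added example (not part of this release or the mod_auth_openidc project), a small Python parser that reads access-log lines written with the LogFormat above and counts the OIDC_AUTHZ_ERROR values recorded on 401 responses, per path. The sample lines and the error strings in them are constructed placeholders, not the module's actual error texts.

```python
import re
from collections import Counter

# Field layout of the LogFormat from the release notes:
#   "%h %l %u %t %U %401{OIDC_AUTHZ_ERROR}e %>s %b"
# host, ident, user, timestamp and path are anchored on the left, status and
# bytes on the right, so the error field is captured greedily in the middle
# and survives even if the variable's value contains spaces.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'(?P<path>\S+) (?P<authz_error>.*) (?P<status>\d{3}) (?P<bytes>\S+)$'
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LOG_RE.match(line.rstrip('\n'))
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    # Apache prints "-" when the %401{...}e condition does not apply (the
    # response was not a 401) or when the variable is unset.
    if rec['authz_error'] == '-':
        rec['authz_error'] = None
    return rec

def summarize_authz_errors(lines):
    """Count OIDC_AUTHZ_ERROR values over 401 responses, keyed by (path, error)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec['status'] == 401 and rec['authz_error']:
            counts[(rec['path'], rec['authz_error'])] += 1
    return counts

# Constructed sample lines; "sample_error_1/2" are placeholders for whatever
# text mod_auth_openidc stores in OIDC_AUTHZ_ERROR on a denied request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2023:12:00:00 +0000] /protected/ - 200 1234',
    '203.0.113.5 - alice [10/Apr/2023:12:00:01 +0000] /admin/ sample_error_1 401 512',
    '203.0.113.7 - bob [10/Apr/2023:12:00:02 +0000] /admin/ sample_error_1 401 512',
    '203.0.113.7 - bob [10/Apr/2023:12:00:03 +0000] /admin/ sample_error_2 401 512',
    'garbage line that does not match the format',
]

if __name__ == '__main__':
    for (path, err), n in summarize_authz_errors(SAMPLE_LOG).most_common():
        print(f'{n:4d} {path} {err}')
```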
Bugfixes
- fix for omitting the kid# prefix in OIDCPublicKeyFiles/OIDCPrivateKeyFiles and other certificate configuration primitives when linked against OpenSSL <= 1.0.x
- allow target_link_uri values without a path in 3rd-party-initiated SSO with a multi-provider setup
- correct cookie path printout in the error log when target_link_uri does not match OIDCCookiePath
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via sales@openidc.com
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com