Releases: OpenIDC/mod_auth_openidc
release 2.4.15.7
The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations; the previous behaviour can be restored as described below. Nevertheless it is recommended to update the environment to accommodate the new defaults.
Bugfixes
- fix `OIDCUserInfoRefreshInterval` and interpret the interval as seconds, not as microseconds
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distros, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via sales@openidc.com
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com
release 2.4.15.6
The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations; the previous behaviour can be restored as described below. Nevertheless it is recommended to update the environment to accommodate the new defaults.
Bugfixes
- use `SameSite=Lax` when `OIDCCookieSameSite` is `On` (also the default since 2.4.15) instead of `Strict`, as overriding from `Lax` to `Strict` does not work reliably anymore (e.g. on Chrome with certain plugins)
- signed_jwks_uri: make the `exp` claim optional in signed JWK sets (`OIDCProviderSignedJwksUri`); see #1182; thanks @psteniusubi; ensures interoperability with the OpenID Federation specification
- cache: hash the cache key if it is larger than 512 bytes so large cache key entries (e.g. for JWT tokens) are no longer a problem in unencrypted SHM cache configs, i.e. the default shared memory cache setup; see issues/discussions on "could not construct cache key since key size is too large"
- cache: fix debug printout of cache key in `oidc_cache_get` introduced in 2.4.15
- http: fix applying the default HTTP short retry interval setting and use 300ms as default value
- userinfo: fix setting the `exp` claim in userinfo signed JWTs (`exp` would be `now+0`) when no `expires_in` is returned by the OpenID Connect Provider
- userinfo: fix signed JWT caching (if enabled) when the TTL is set to 0 or "" which should apply the `exp` claim as the cache TTL
- refresh: fix for `expires_in` string values returned from the token endpoint that would be interpreted as 0; this fixes using `OIDCRefreshAccessTokenBeforeExpiry` and `OIDCUserInfoRefreshInterval` with (older) Azure AD configs that would result in a token refresh on every request since 2.4.15 or a 401 in 2.4.14.4
- authz: fix evaluation of `Require claim` statements for nested array claims
- authz: properly handle parse errors in `Require claim <name>:<integer>` statements
- fix setting the default PKCE method to `none` in a multi-provider setup
Other
- userinfo refresh: don't try to refresh the access token and retry when a connectivity error has occurred
- logout: don't try to revoke tokens on post-access-token-refresh-error or post-userinfo-refresh-error logouts
- (internal) session state: represent timestamps as JSON integers instead of strings, as also returned from the info hook
Features
- signed_jwks_uri: accept verification key set formatted as either JWK or JWKS; see #1191; thanks @psteniusubi
- redis: enable TCP keepalive on Redis connections by default and make it configurable with: `OIDCRedisCacheConnectTimeout <connect-timeout> [0|<keep-alive-interval>]`
- proto: accept strings as well as integers in the `expires_in` claim from the token endpoint to cater for non-spec compliant implementations
- userinfo: accept `0` in `OIDCUserInfoRefreshInterval` which will refresh userinfo on every request
- authz: add support for JSON `real` and `null` value matching in `Require claim` statements
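The `expires_in` fix and feature above both concern the same interoperability problem: RFC 6749 defines `expires_in` as a number, yet some providers return it as a string, and an integer-only check then reads it as 0, making the token look already expired. The following is an added example, not mod_auth_openidc code, that parses the value either way and shows how the two interpretations drive a "refresh before expiry" decision of the kind `OIDCRefreshAccessTokenBeforeExpiry` makes. The token responses are constructed samples; `integer_only_expires_in` is a hypothetical sketch of the pre-fix symptom, not the module's source.

```python
"""Added example (not mod_auth_openidc code): parsing ``expires_in`` from a
token-endpoint response and using it for a refresh-before-expiry decision.
It shows why a numeric string must be accepted next to an integer, as the
2.4.15.6 notes describe for (older) Azure AD configurations."""
import json


def parse_expires_in(value):
    """Lifetime in seconds. RFC 6749 defines expires_in as a number, but some
    providers return it as a string, so both an int and a digit-only string
    are accepted; anything else is rejected rather than silently defaulted."""
    if isinstance(value, bool):  # bool is an int subclass in Python; reject it
        raise ValueError("expires_in must be numeric")
    if isinstance(value, int):
        seconds = value
    elif isinstance(value, str) and value.strip().isdigit():
        seconds = int(value.strip())
    else:
        raise ValueError("expires_in is not an integer or numeric string: %r" % (value,))
    if seconds < 0:
        raise ValueError("expires_in must not be negative")
    return seconds


def integer_only_expires_in(value):
    """Hypothetical sketch of the pre-fix behaviour from the release notes: an
    integer-only check turns a string value into 0 (constructed illustration
    of the symptom, not the module's source)."""
    return value if isinstance(value, int) else 0


def expiry_timestamp(token_response, now, parser=parse_expires_in):
    """Absolute expiry (unix seconds) of the access token in token_response."""
    return now + parser(token_response["expires_in"])


def needs_refresh(expires_at, refresh_before, now):
    """Refresh when the token will expire within refresh_before seconds, the
    way an OIDCRefreshAccessTokenBeforeExpiry <seconds> setting is applied."""
    return now + refresh_before >= expires_at


# Constructed token responses: a spec-compliant one and one that sends
# expires_in as a string.
COMPLIANT = json.loads('{"access_token": "at-1", "token_type": "Bearer", "expires_in": 3600}')
STRINGY = json.loads('{"access_token": "at-2", "token_type": "Bearer", "expires_in": "3599"}')


def refresh_on_every_request(token_response, refresh_before, now):
    """True when the integer-only parser makes the token look already expired,
    which is what produced a refresh on every request before the fix."""
    expires_at = expiry_timestamp(token_response, now, parser=integer_only_expires_in)
    return needs_refresh(expires_at, refresh_before, now)


if __name__ == "__main__":
    now = 1_700_000_000
    for resp in (COMPLIANT, STRINGY):
        print(repr(resp["expires_in"]),
              "fixed parser -> refresh:", needs_refresh(expiry_timestamp(resp, now), 60, now),
              "| integer-only -> refresh:", refresh_on_every_request(resp, 60, now))
```

With the string-valued response, the fixed parser schedules a refresh only once the token is within the configured window, while the integer-only interpretation treats it as expired on every request, which is exactly the symptom the release notes describe.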
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distros, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via sales@openidc.com
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com
release 2.4.15.3
The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations; the previous behaviour can be restored as described below. Nevertheless it is recommended to update the environment to accommodate the new defaults.
Security
- fix CVE-2024-24814: prevent DoS when `OIDCSessionType client-cookie` is set and a crafted `Cookie` header is supplied, see the advisory; thanks @olipo186
Bugfixes
- rewrite handling of parallel refresh token grant requests
  - temporarily cache the results of the refresh token grant for other (almost) parallel callers
  - fixes handling on the same server, and improves clustered handling through a best-effort distributed cached lock, see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Known-Limitations#parallel-refresh-token-grants
  - improves handling of non-rollover refresh tokens since it avoids superfluous calls to the token endpoint
- avoid crash when Forwarded is not present but `OIDCXForwardedHeaders Forwarded` is configured for it; see #1171; thanks @daviddpd
- set Redis default retry interval time to 300 milliseconds (instead of 0.5ms) and make it configurable
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distros, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via sales@openidc.com
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com
release 2.4.15.2
commercial-binaries-only security patch release for CVE-2024-24814
release 2.4.15.1
The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations; the previous behaviour can be restored as described below. Nevertheless it is recommended to update the environment to accommodate the new defaults.
Bugfixes
- fix Prometheus output overlap and re-organize metric/label naming; closes #1161; see #1162 and #1160; thanks @studersi
- fix `OIDCCacheType file` on Windows and use `apr_file_rename()` in the file cache backend instead of `rename()` to fix a Windows file renaming issue; thanks @adg-mh
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distros, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via sales@openidc.com
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com
release 2.4.15
The 2.4.15 release changes a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations; the previous behaviour can be restored as described below. Nevertheless it is recommended to update the environment to accommodate the new defaults.
New Defaults
- use Proof Key for Code Exchange (PKCE S256) by default; disable by configuring `OIDCPKCEMethod none`
- use SameSite cookies Strict by default; disable by configuring `OIDCCookieSameSite Off`
- apply ISO-8859-1 (`latin1`) as default encoding mechanism for claim values passed in headers and environment variables to comply with https://www.rfc-editor.org/rfc/rfc5987; see #957; use `OIDCPassClaimsAs <any> none` for backwards compatibility
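As an added example, not configuration shipped with mod_auth_openidc, the fragment below writes the 2.4.15 defaults out explicitly so a configuration review can see them, lists (commented out) the directives from the notes above that restore the pre-2.4.15 behaviour, and shows the Redis keepalive syntax introduced in 2.4.15.6. The provider URL, client credentials, passphrase and Redis host are placeholders; `both` as the first argument of `OIDCPassClaimsAs` and the unit of the Redis timeout values are assumptions taken from the directive syntax, not from this page.

```apache
# Added example: minimal mod_auth_openidc fragment for 2.4.15 and later.
# Values in <...> and the example.com hosts are placeholders.
OIDCProviderMetadataURL https://op.example.com/.well-known/openid-configuration
OIDCClientID <client-id>
OIDCClientSecret <client-secret>
OIDCRedirectURI https://rp.example.com/protected/redirect_uri
OIDCCryptoPassphrase <random-passphrase>

# 2.4.15 defaults, stated explicitly:
# PKCE with S256 (the pre-2.4.15 default was none)
OIDCPKCEMethod S256
# SameSite attribute on the session cookies (default since 2.4.15)
OIDCCookieSameSite On
# RFC 5987-style latin1 encoding of claim values in headers and env vars
# ("both" assumed here; the notes write the first argument as <any>)
OIDCPassClaimsAs both latin1

# Pre-2.4.15 behaviour, only if an existing deployment breaks on the new defaults:
# OIDCPKCEMethod none
# OIDCCookieSameSite Off
# OIDCPassClaimsAs both none

# 2.4.15.6: TCP keepalive on Redis connections, syntax
# OIDCRedisCacheConnectTimeout <connect-timeout> [0|<keep-alive-interval>]
# (values assumed to be seconds; 0 as the second argument disables keepalive)
# OIDCCacheType redis
# OIDCRedisCacheServer redis.example.com
# OIDCRedisCacheConnectTimeout 5 60

<Location /protected>
    AuthType openid-connect
    Require valid-user
</Location>
```

Apache httpd does not accept trailing comments on a directive line, which is why every comment above sits on its own line; copying a fragment with inline comments into `httpd.conf` fails at configuration test time.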
Bugfixes
- restore backwards compatibility wrt. allowing parallel refresh token requests by default, and add an option to prevent that (e.g. in case of rolling refresh tokens) using envvar `OIDC_PARALLEL_REFRESH_NOT_ALLOWED`
- do not apply `logout_on_error` and `authenticate_on_error` when a parallel refresh token request is detected; see #1132; thanks @esunke
- fix SSL server certificate validation when revoking tokens and apply the `OIDCSSLValidateServer` setting rather than `OIDCOAuthSSLValidateServer` in `oidc_revoke_tokens`; see #1141; thanks @mschmidt72
- make sure the shm cache entry size `OIDCCacheShmEntrySizeMax` is a multiple of 8 bytes; see #1067; thanks @sanzinger
- fix Redis connect retries and make it configurable through environment variable `OIDC_REDIS_MAX_TRIES`
Features
- add metrics collection/observability capability with `OIDCMetricsData` and `OIDCMetricsPublish`; see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Observability
- generate or propagate the `traceparent` header on outgoing (and proxied) requests; ties the `parent-id` to the (8-byte hash of) the session or access token when available
- retry failed outgoing HTTP requests and add options to configure it in `OIDCHTTPTimeoutLong`/`OIDCHTTPTimeoutShort`
- improve error message in case of curl timeouts
- add capability to seamlessly rollover `OIDCCryptoPassphrase` using a (temporary) 2nd value that holds the previous one
- add `iat` and `exp` claims to request objects; closes #1137
- populate `User-Agent` header in outgoing HTTP requests with host, port, process-id, mod_auth_openidc, libcurl and OpenSSL version information and log it for debugging purposes
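The `traceparent` item above describes two behaviours: propagate a valid inbound W3C Trace Context header (keeping its trace-id) or start a new trace, and derive the `parent-id` from a hash of the session or access token so that one user's requests can be correlated across the OP, the proxy and the backend. The following is an added example, not mod_auth_openidc code, that implements that header handling in Python; the hash scheme (first 8 bytes of SHA-256), random trace-id generation and the validation rules are this example's assumptions, and the upstream header and session id in `__main__` are constructed samples.

```python
"""Added example (not mod_auth_openidc code): generating or propagating a W3C
Trace Context ``traceparent`` header, with parent-id derived from a hash of
the session or access token as the 2.4.15 notes describe. The hash choice
(first 8 bytes of SHA-256) and random trace-id generation are assumptions."""
import hashlib
import re
import secrets

# traceparent = version "-" trace-id "-" parent-id "-" trace-flags, lowercase hex
TRACEPARENT_RE = re.compile(r"^([0-9a-f]{2})-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$")


def parse_traceparent(header):
    """Return the header's fields as a dict, or None if it is absent or malformed.
    Values the spec declares invalid (version ff, all-zero ids) are rejected so a
    bad upstream header is never propagated to the next hop."""
    if not header:
        return None
    m = TRACEPARENT_RE.match(header.strip())
    if m is None:
        return None
    version, trace_id, parent_id, flags = m.groups()
    if version == "ff" or trace_id == "0" * 32 or parent_id == "0" * 16:
        return None
    return {"version": version, "trace_id": trace_id, "parent_id": parent_id, "flags": flags}


def context_parent_id(context_id):
    """Derive a stable 8-byte (16 hex chars) parent-id from a session or access
    token identifier. Hashing keeps the identifier itself out of the header
    while still tying every request of that session to the same parent-id
    (assumed scheme, not necessarily the module's)."""
    return hashlib.sha256(context_id.encode("utf-8")).hexdigest()[:16]


def outgoing_traceparent(incoming_header, context_id=None):
    """Build the traceparent for an outgoing (or proxied) request.

    - If the inbound header is valid, keep its trace-id and flags (propagate).
    - Otherwise start a new trace with a random trace-id (generate).
    - parent-id is tied to the session/access token when one is available
      and random otherwise."""
    inbound = parse_traceparent(incoming_header)
    if inbound is not None:
        trace_id, flags = inbound["trace_id"], inbound["flags"]
    else:
        trace_id, flags = secrets.token_hex(16), "00"
    parent_id = context_parent_id(context_id) if context_id else secrets.token_hex(8)
    return "00-%s-%s-%s" % (trace_id, parent_id, flags)


if __name__ == "__main__":
    # Constructed inputs: a valid upstream header and a session identifier.
    upstream = "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01"
    print(outgoing_traceparent(upstream, "session-abc"))            # propagated trace-id
    print(outgoing_traceparent("not-a-traceparent", "session-abc"))  # fresh trace-id
```

Rejecting malformed or all-zero inbound values matters on a reverse proxy: the header arrives from the client side, so anything not matching the grammar is replaced with a fresh trace rather than forwarded as-is.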
Other
- return HTTP 500 on token refresh errors instead of HTTP 401
- use only the `User-Agent` header as input for the state browser fingerprinting by default (no `X-Forwarded-For`)
- remove obsolete support for Token Binding https://www.rfc-editor.org/rfc/rfc8471.html (id_token, access_token, session cookie)
- use clang-format-17 for code formatting and reformat all code
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distros, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via sales@openidc.com
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com
release 2.4.14.4
Note that as of release 2.4.14 the use of `OIDCHTMLErrorTemplate` is deprecated and one should instead rely on standard Apache error handling capabilities, optionally customized through `ErrorDocument`. The environment variable strings `REDIRECT_OIDC_ERROR` and `REDIRECT_OIDC_ERROR_DESC` are available for display purposes.
Bugfixes
- fix `OIDCRefreshAccessTokenBeforeExpiry` when using it with `logout_on_error` or `authenticate_on_error`; see #1111; thanks @brandonk10
- improve behaviour when parallel refresh token grant requests occur on the same Apache server/host and rolling refresh tokens are issued; synchronize using a global refresh token lock and avoid corrupting the session by storing/overwriting an expired refresh token
- fix memory leak in `oidc_refresh_token_grant`: free the parsed `id_token` if returned from the token endpoint
- avoid potential process lifetime memory leak when mutex lock/unlock fails
Performance
- store userinfo refresh interval in session to avoid parsing Provider JSON metadata on each request
- fix performance issue with `latin1` encoding when using `OIDCPassClaimsAs <any> latin1` with large claim values
- skip re-validating cached provider metadata
- use process based locking for Redis caching instead of global locking
Features
- add options for authentication to `OIDCOutgoingProxy`; thanks @drzraf; see #1107
- add support for custom preserve/restore POST data templates with `OIDCPreservePostTemplates` to be used when `OIDCPreservePost` is set to `On`; the hard-coded internal templates are added to the test directory as an example; closes #195 (yeah...); thanks @kerrermanisNL and @spiazzi
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distros, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via sales@openidc.com
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com
release 2.4.14.3
Note that as of release 2.4.14 the use of `OIDCHTMLErrorTemplate` is deprecated and one should instead rely on standard Apache error handling capabilities, optionally customized through `ErrorDocument`. The environment variable strings `REDIRECT_OIDC_ERROR` and `REDIRECT_OIDC_ERROR_DESC` are available for display purposes.
Bugfixes
- fix session updates on userinfo requests; see #1077; this bug was introduced in v2.4.11 with d9fff15; thanks @adenix
Features
- add `OIDCPassAccessToken Off` option to disable (the default of) passing the access token and its expiry in the `OIDC_access_token`/`OIDC_access_token_expires` header/environment variables; thanks @mattias-asander
- allow relative values in `OIDCDefaultURL` and `OIDCDefaultLoggedOutURL`
- support `authenticate_on_error` 2nd parameter value in `OIDCRefreshAccessTokenBeforeExpiry` to re-authenticate the user when refreshing the access token fails; see: #1084; thanks @xrammit
- add `logout_on_error` and `authenticate_on_error` 2nd parameter option to `OIDCUserInfoRefreshInterval`
- add support for adding extra parameters to the Logout Request to the OP with `OIDCLogoutRequestParams`; see: #1096; thanks @smarsching
Other
- add a sanity `alg`/`enc` check on internal self-encrypted AES GCM JWTs
- increase performance of JQ filtering by caching JQ filtering results; default cache ttl is 10 min, configured through environment variable `OIDC_JQ_FILTER_CACHE_TTL`
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via sales@openidc.com
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com
release 2.4.14.2
Note that as of release 2.4.14 the use of `OIDCHTMLErrorTemplate` is deprecated and one should instead rely on standard Apache error handling capabilities, optionally customized through `ErrorDocument`. The environment variable strings `REDIRECT_OIDC_ERROR` and `REDIRECT_OIDC_ERROR_DESC` are available for display purposes.
Bugfixes
- fix `OIDCUnAutzAction auth` step up authentication, which in 2.4.14.1 would only work with an SSI-enabled `ErrorDocument`, by reverting all `401`/`403`/`302`/step up behaviour to <= 2.4.13.2; this re-introduces the limitation that step up authentication is restricted to a single `Require` or a `RequireAll` statement
- avoid using encryption keys as signing keys for request objects and `private_key_jwt` token endpoint auth
Features
- add support for the `extend_session=false` query parameter to the info hook to avoid extending the session on calls to the info hook
Other
- log the first Redis error as a warning before retrying
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via sales@openidc.com
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com
release 2.4.14.1
Note that as of release 2.4.14 the use of `OIDCHTMLErrorTemplate` is deprecated and one should instead rely on standard Apache error handling capabilities, optionally customized through `ErrorDocument`. The environment variable strings `REDIRECT_OIDC_ERROR` and `REDIRECT_OIDC_ERROR_DESC` are available for display purposes.
Bugfixes
- fix `RequireAny` behaviour on 401/403/302: revert 9d6192b for non-stepup authentication cases, as the first non-matching `Require claim` directive would immediately lead to an authorization error instead of continuing to process all Require statements to match any of those
- make `OIDCUnAutzAction 302|auth` (i.e. step up authentication) work with multiple/nested `Require claim` expressions, e.g. using `RequireAny` and `Require not claim`
- fix refreshing claims from the userinfo endpoint when no `id_token` claims are stored in the session because environment variable `OIDC_DONT_STORE_ID_TOKEN_CLAIMS_IN_SESSION` has been set
- fix memory leak when refreshing claims from the userinfo endpoint
Other
- to make `OIDCUnAutzAction 403` actually return 403 in Apache 2.4 it also needs `AuthzSendForbiddenOnFailure` again, i.e. the fix in 2.4.14 for it was reverted
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via sales@openidc.com
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com