Releases: OpenIDC/mod_auth_openidc

release 2.4.15.7

01 Apr 15:01

The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values (see the New Defaults of release 2.4.15 below). In rare cases this may break existing configurations; the previous behaviour can be restored as described there. Nevertheless it is recommended to update the environment to accommodate the new defaults.

Bugfixes

  • fix OIDCUserInfoRefreshInterval and interpret the interval as seconds, not as microseconds

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distros, SUSE Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via sales@openidc.com
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com

release 2.4.15.6

14 Mar 20:54

Bugfixes

  • use SameSite=Lax when OIDCCookieSameSite is On (the default since 2.4.15) instead of SameSite=Strict, since overriding Lax with Strict no longer works reliably (e.g. on Chrome with certain extensions)
  • signed_jwks_uri: make the exp claim optional in signed JWK sets (OIDCProviderSignedJwksUri); see #1182; thanks @psteniusubi; ensures interoperability with the OpenID Federation specification
  • cache: hash the cache key if it is larger than 512 bytes so that large cache keys (e.g. for JWT tokens) no longer fail in unencrypted SHM cache configs, i.e. the default shared memory cache setup; see the issues/discussions on "could not construct cache key since key size is too large"
  • cache: fix debug printout of cache key in oidc_cache_get introduced in 2.4.15
  • http: fix applying the default HTTP short retry interval setting and use 300ms as default value
  • userinfo: fix setting the exp claim in userinfo signed JWTs (exp would be now+0) when no expires_in is returned by the OpenID Connect Provider
  • userinfo: fix signed JWT caching (if enabled) when the TTL is set to 0 or "" which should apply the exp claim as the cache TTL
  • refresh: fix handling of expires_in values returned as strings from the token endpoint, which would be interpreted as 0; this fixes using OIDCRefreshAccessTokenBeforeExpiry and OIDCUserInfoRefreshInterval with (older) Azure AD configs, which would result in a token refresh on every request since 2.4.15 or a 401 in 2.4.14.4
  • authz: fix evaluation of Require claim statements for nested array claims
  • authz: properly handle parse errors in Require claim <name>:<integer> statements
  • fix setting the default PKCE method to none in a multi-provider setup

Other

  • userinfo refresh: don't try to refresh the access token and retry when a connectivity error has occurred
  • logout: don't try to revoke tokens on logouts triggered by access token refresh or userinfo refresh errors
  • (internal) session state: represent timestamps as JSON integers instead of strings, as also returned from the info hook

Features

  • signed_jwks_uri: accept verification key set formatted as either JWK or JWKS; see #1191; thanks @psteniusubi
  • redis: enable TCP keepalive on Redis connections by default and make it configurable with:
    OIDCRedisCacheConnectTimeout <connect-timeout> [0|<keep-alive-interval>]
  • proto: accept strings as well as integers for the expires_in value returned by the token endpoint to cater for non-spec compliant implementations
  • userinfo: accept 0 in OIDCUserInfoRefreshInterval which will refresh userinfo on every request
  • authz: add support for JSON real and null value matching in Require claim statements
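
As an added example (not from the release notes or the mod_auth_openidc project), the fragment below puts the 2.4.15.6 Redis keepalive option and the Require claim integer matching from the lists above into one configuration. The Redis host and the claim names and values are placeholders; the two OIDCRedisCacheConnectTimeout values are assumed to be in seconds, and a second value of 0 is assumed to switch keepalive off, since the release note gives the syntax but not the units.

```apache
# Added example, not the project's own configuration. redis.internal:6379 and
# the claim names/values are placeholders.
OIDCCacheType                redis
OIDCRedisCacheServer         redis.internal:6379
# <connect-timeout> [0|<keep-alive-interval>] (2.4.15.6): connect timeout 5,
# TCP keepalive probe interval 60 (both assumed to be seconds). Keepalive is
# on by default since 2.4.15.6; a second value of 0 is assumed to turn it off.
OIDCRedisCacheConnectTimeout 5 60

<Location /protected>
    AuthType openid-connect
    # <name>:<integer> is compared against a JSON integer claim value;
    # parse errors in the integer are handled properly since 2.4.15.6
    Require claim employee_id:12345
</Location>

<Location /admin>
    AuthType openid-connect
    # an array claim such as "groups": ["staff", "admins"] matches when any
    # element equals the required value
    Require claim groups:admins
</Location>
```

Keepalive matters most when Redis sits behind a load balancer or firewall that silently drops idle connections: without probes the module only discovers the dead socket on the next cache lookup, which then costs a connect timeout on a user's request.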

release 2.4.15.3

13 Feb 15:09

Security

Bugfixes

  • rewrite handling of parallel refresh token grant requests
  • avoid a crash when the Forwarded header is not present but OIDCXForwardedHeaders Forwarded is configured; see #1171; thanks @daviddpd
  • set the Redis default retry interval to 300 milliseconds (instead of 0.5ms) and make it configurable

release 2.4.15.2

13 Feb 15:07

commercial-binaries-only security patch release for CVE-2024-24814

release 2.4.15.1

30 Jan 15:15

Bugfixes

  • fix Prometheus output overlap and re-organize metric/label naming; closes #1161; see #1162 and #1160; thanks @studersi
  • fix OIDCCacheType file on Windows and use apr_file_rename() in file cache backend instead of rename() to fix Windows file renaming issue; thanks @adg-mh

release 2.4.15

09 Jan 11:55

The 2.4.15 release changes a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations; the previous behaviour can be restored as described below. Nevertheless it is recommended to update the environment to accommodate the new defaults.

New Defaults

  • use Proof Key for Code Exchange (PKCE S256) by default; disable by configuring OIDCPKCEMethod none
  • use SameSite cookies Strict by default; disable by configuring OIDCCookieSameSite Off
  • apply ISO-8859-1 (latin1) as default encoding mechanism for claim values passed in headers and environment variables to comply with https://www.rfc-editor.org/rfc/rfc5987; see #957; use OIDCPassClaimsAs <any> none for backwards compatibility

Bugfixes

  • restore backwards compatibility wrt. allowing parallel refresh token requests by default, and add an option to prevent that (e.g. in case of rolling refresh tokens) using the environment variable OIDC_PARALLEL_REFRESH_NOT_ALLOWED
  • do not apply logout_on_error and authenticate_on_error when a parallel refresh token request is detected; see #1132; thanks @esunke
  • fix SSL server certificate validation when revoking tokens and apply OIDCSSLValidateServer setting rather than OIDCOAuthSSLValidateServer in oidc_revoke_tokens; see #1141; thanks @mschmidt72
  • make sure the shm cache entry size OIDCCacheShmEntrySizeMax is a multiple of 8 bytes, see #1067; thanks @sanzinger
  • fix Redis connect retries and make the number of retries configurable through the environment variable OIDC_REDIS_MAX_TRIES

Features

  • add metrics collection/observability capability with OIDCMetricsData and OIDCMetricsPublish, see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Observability
  • generate or propagate the traceparent header on outgoing (and proxied) requests; ties the parent-id to an 8-byte hash of the session or access token when available
  • retry failed outgoing HTTP requests and add options to configure it in OIDCHTTPTimeoutLong/OIDCHTTPTimeoutShort
  • improve error message in case of curl timeouts
  • add capability to seamlessly rollover OIDCCryptoPassphrase using a (temporary) 2nd value that holds the previous one
  • add iat and exp claims to request objects; closes #1137
  • populate User-Agent header in outgoing HTTP requests with host, port, process-id, mod_auth_openidc, libcurl and OpenSSL version information and log it for debugging purposes
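
As an added example (not from the release notes or the mod_auth_openidc project), the configuration below states the three 2.4.15 New Defaults explicitly, shows the pre-2.4.15 setting for each as a commented-out line next to it, and uses the two-value OIDCCryptoPassphrase form from the Features list to roll the passphrase over. The provider URL, client credentials, redirect URI and both passphrases are placeholders; the ordering "new passphrase first, previous passphrase second" follows the release note's description of the 2nd value holding the previous one.

```apache
# Added example, not the project's own configuration. Placeholders:
# op.example.com, www.example.com, the client id/secret and both passphrases.
OIDCProviderMetadataURL https://op.example.com/.well-known/openid-configuration
OIDCClientID            www-example-com
OIDCClientSecret        replace-with-the-client-secret
OIDCRedirectURI         https://www.example.com/protected/redirect_uri

# Passphrase rollover (2.4.15): the first value protects new sessions and state,
# the (temporary) second value is the previous passphrase so that sessions
# created before the change still decrypt. Remove the second value once those
# sessions have expired.
OIDCCryptoPassphrase    "replace-with-new-random-passphrase" "replace-with-previous-passphrase"

# New default: PKCE with S256. The pre-2.4.15 setting below drops the binding
# of the authorization code to this client's request; use it only for an OP
# that rejects PKCE.
#OIDCPKCEMethod none
OIDCPKCEMethod          S256

# New default: SameSite attribute on the module's cookies (Strict in 2.4.15,
# relaxed to Lax in 2.4.15.6). Off means no SameSite attribute at all, so
# browsers without a Lax default send the session cookie on cross-site requests.
#OIDCCookieSameSite Off
OIDCCookieSameSite      On

# New default: claim values in headers and environment variables are
# latin1-encoded (RFC 5987). The pre-2.4.15 raw passing:
#OIDCPassClaimsAs both none
OIDCPassClaimsAs        both latin1

<Location /protected>
    AuthType openid-connect
    Require  valid-user
</Location>
```

After an upgrade, check the first real login in the provider's logs: a code_challenge on the authorization request confirms PKCE is active, and a backend that parses OIDC_CLAIM_* headers must now expect latin1 rather than raw UTF-8 values.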

Other

  • return HTTP 500 on token refresh errors instead of HTTP 401
  • use only the User-Agent header as input for the state browser fingerprinting by default (no X-Forwarded-For)
  • remove obsolete support for Token Binding https://www.rfc-editor.org/rfc/rfc8471.html (id_token, access_token, session cookie)
  • use clang-format-17 for code formatting and reformat all code

release 2.4.14.4

12 Oct 08:53

Note that as of release 2.4.14 the use of OIDCHTMLErrorTemplate is deprecated; rely instead on standard Apache error handling, optionally customized through ErrorDocument. The module's error and error description are available to the ErrorDocument as the environment variables REDIRECT_OIDC_ERROR and REDIRECT_OIDC_ERROR_DESC for display purposes.
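
An added example (not from the release notes or the mod_auth_openidc project) of the replacement the note describes: standard ErrorDocument handling with a mod_include (SSI) page that displays the REDIRECT_OIDC_ERROR variables. The paths and the claim name are placeholders, and it assumes mod_include is loaded. The OIDCUnAutzAction 403 / AuthzSendForbiddenOnFailure pairing comes from the 2.4.14.1 notes further down this page.

```apache
# Added example, not the project's own configuration; paths are placeholders.
<Location /protected>
    AuthType openid-connect
    Require  claim groups:staff
    # an authenticated user who fails the Require gets 403 instead of a new login;
    # on Apache 2.4 this also needs AuthzSendForbiddenOnFailure (2.4.14.1 notes)
    OIDCUnAutzAction 403
    AuthzSendForbiddenOnFailure On
    # replaces OIDCHTMLErrorTemplate: the module sets OIDC_ERROR/OIDC_ERROR_DESC
    # and returns the status; Apache's internal redirect to the ErrorDocument
    # exposes them as REDIRECT_OIDC_ERROR/REDIRECT_OIDC_ERROR_DESC. Both statuses
    # are mapped because which one an error produces differs per error.
    ErrorDocument 401 /oidc-error.shtml
    ErrorDocument 500 /oidc-error.shtml
</Location>

# The error page must be reachable without authentication, otherwise the
# internal redirect runs through the module again. Rendered by mod_include:
<Location /oidc-error.shtml>
    AuthType None
    Require  all granted
    Options  +IncludesNOEXEC
    AddOutputFilter INCLUDES .shtml
</Location>
# Contents of /var/www/html/oidc-error.shtml. Entity-encode the values: the
# description may carry text relayed from the OP response or the request.
#   <h1>Sign-in failed</h1>
#   <p><!--#echo encoding="entity" var="REDIRECT_OIDC_ERROR" --></p>
#   <p><!--#echo encoding="entity" var="REDIRECT_OIDC_ERROR_DESC" --></p>
```

The REDIRECT_ prefix is standard Apache behaviour for environment variables carried across an internal redirect, which is why the ErrorDocument sees REDIRECT_OIDC_ERROR rather than OIDC_ERROR.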

Bugfixes

  • fix OIDCRefreshAccessTokenBeforeExpiry when using it with logout_on_error or authenticate_on_error; see #1111; thanks @brandonk10
  • improve behaviour when parallel refresh token grant requests occur on the same Apache server/host and rolling refresh tokens are issued; synchronize using a global refresh token lock and avoid corrupting the session by storing/overwriting an expired refresh token
  • fix memory leak in oidc_refresh_token_grant: free the parsed id_token if returned from the token endpoint
  • avoid potential process lifetime memory leak when mutex lock/unlock fails

Performance

  • store userinfo refresh interval in session to avoid parsing Provider JSON metadata on each request
  • fix performance issue with latin1 encoding when using OIDCPassClaimsAs <any> latin1 with large claim values
  • skip re-validating cached provider metadata
  • use process based locking for Redis caching instead of global locking

Features

  • add options for authentication to OIDCOutgoingProxy; thanks @drzraf; see #1107
  • add support for custom preserve/restore POST data templates with OIDCPreservePostTemplates, used when OIDCPreservePost is set to On; the hard-coded internal templates are added to the test directory as an example; closes the long-standing #195; thanks @kerrermanisNL and @spiazzi

release 2.4.14.3

05 Sep 09:09

Bugfixes

  • fix session updates on userinfo requests; see #1077; this bug was introduced in v2.4.11 with d9fff15; thanks @adenix

Features

  • add OIDCPassAccessToken Off option to disable (the default of) passing the access token and its expiry in the OIDC_access_token/OIDC_access_token_expires header/environment variables; thanks @mattias-asander
  • allow relative values in OIDCDefaultURL and OIDCDefaultLoggedOutURL
  • support authenticate_on_error as 2nd parameter value of OIDCRefreshAccessTokenBeforeExpiry to re-authenticate the user when refreshing the access token fails; see #1084; thanks @xrammit
  • add logout_on_error and authenticate_on_error 2nd parameter option to OIDCUserInfoRefreshInterval
  • add support for adding extra parameters to the Logout Request sent to the OP with OIDCLogoutRequestParams; see #1096; thanks @smarsching
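
An added example (not from the release notes or the mod_auth_openidc project) combining the 2.4.14.3 options above into one configuration: the error actions on access token and userinfo refresh, OIDCPassAccessToken Off, and relative default URLs. The intervals and paths are placeholders.

```apache
# Added example, not the project's own configuration; intervals and paths are
# placeholders.
# Refresh the access token when it is within 60 seconds of expiring; if the
# refresh fails, send the user back to the OP to re-authenticate instead of
# serving the request with a stale token.
OIDCRefreshAccessTokenBeforeExpiry 60 authenticate_on_error

# Re-fetch claims from the userinfo endpoint every 5 minutes so that a
# revoked or changed authorization at the OP shows up within that window;
# end the local session when the refresh fails (2.4.14.3 second parameter).
OIDCUserInfoRefreshInterval        300 logout_on_error

# Do not pass the bearer token and its expiry to the backend in
# OIDC_access_token / OIDC_access_token_expires unless the backend actually
# calls an API with it; every header it does not need is one less to leak.
OIDCPassAccessToken                Off

# Relative values are accepted since 2.4.14.3.
OIDCDefaultURL                     /
OIDCDefaultLoggedOutURL            /logged-out.html

<Location /protected>
    AuthType openid-connect
    Require  valid-user
</Location>
```

The two error actions differ in what the user sees: authenticate_on_error silently re-runs the OP login, logout_on_error drops the session and leaves the next request to start over, so pick per application whether a failed refresh should be transparent or visible.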

Other

  • add a sanity alg/enc check on internal self-encrypted AES GCM JWTs
  • increase performance of JQ filtering by caching JQ filtering results; default cache ttl is 10 min, configured through environment variable OIDC_JQ_FILTER_CACHE_TTL

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via sales@openidc.com
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com

release 2.4.14.2

06 Jun 04:20

Bugfixes

  • fix OIDCUnAutzAction auth step-up authentication (which in 2.4.14.1 would only work with an SSI-enabled ErrorDocument) by reverting all 401/403/302/step-up behaviour to that of <= 2.4.13.2; this re-introduces the limitation that step-up authentication only works with a single Require or a RequireAll statement
  • avoid using encryption keys as signing keys for request objects and private_key_jwt token endpoint auth

Features

  • add support for extend_session=false query parameter to the info hook to avoid extending the session on calls to the info hook

Other

  • log the first Redis error as a warning before retrying

release 2.4.14.1

24 May 20:22

Bugfixes

  • fix RequireAny behaviour on 401/403/302: revert 9d6192b for non-step-up authentication cases, as the first non-matching Require claim directive would immediately lead to an authorization error instead of continuing to process all Require statements to match any of them
  • make OIDCUnAutzAction 302|auth (i.e. step-up authentication) work with multiple/nested Require claim expressions, e.g. using RequireAny and Require not claim
  • fix refreshing claims from the userinfo endpoint when no id_token claims are stored in the session since environment variable OIDC_DONT_STORE_ID_TOKEN_CLAIMS_IN_SESSION has been set
  • fix memory leak when refreshing claims from the userinfo endpoint

Other

  • on Apache 2.4, OIDCUnAutzAction 403 again requires AuthzSendForbiddenOnFailure On to actually return 403; the 2.4.14 change that removed this requirement was reverted
