@zandbelt zandbelt released this Jul 6, 2018 · 16 commits to master since this release

Assets 12

You are strongly advised to upgrade to 2.3.7 when using Redis caching across multiple vhosts in the same Apache server.

Bugfixes

  • fix Redis concurrency issue when used with multiple vhosts which would lead to cache corruption and random cache entry swaps
  • clear session cookie and contents if cache corruption is detected to avoid looping
  • abort when string length for remote user name substitution is >=255 characters (e.g. in Distinguished Names) and deal with lengths >50

Features

  • add support for authorization server metadata Discovery documents with OIDCOAuthServerMetadataURL in OAuth 2.0 Resource Server setups as specified in RFC 8414

Packaging

  • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
  • the Windows 64-bit binary was now compiled with Visual Studio 2017 and as such depends on the "Visual C++ Redistributable for Visual Studio 2015" that needs to be installed on older platforms first
  • the Windows build needs OpenSSL 1.0.2 64 bit rather than OpenSSL 1.1.0

@zandbelt zandbelt released this Jun 15, 2018 · 36 commits to master since this release

Assets 12

Bugfixes

  • avoid using pipelining for Redis since it produces unreliable results with some Redis implementations (i.e. AWS ElastiCache Redis in clustered mode)
  • fix buffer overflow in shm cache key set strcpy; thanks @kyprizel
  • avoid memory leak in redis cache backend when an error occurs authenticating to a Redis server

Other

  • add check to detect session cache corruption for server-based caches
  • add check to detect (static) metadata cache corruption
  • explicitly set kid in encrypted request object; ensures compatibility with cjose >= 0.6.0
  • turn missing session_state from warning into a debug statement; do not clutter logs
  • send Basic header in OAuth 2.0 www-authenticate response if Basic auth is the only accepted method (instead of Bearer); thanks @puiterwijk

Packaging

  • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
  • the Windows 64-bit binary was now compiled with Visual Studio 2017 and as such depends on the "Visual C++ Redistributable for Visual Studio 2015" that needs to be installed on older platforms first
  • the Windows build needs OpenSSL 1.0.2 64 bit rather than OpenSSL 1.1.0

@zandbelt zandbelt released this May 18, 2018 · 50 commits to master since this release

Assets 12

Bugfixes

  • avoid values that are too long in shm cache key construction; thanks @kyprizel
  • fix encoding of preserved POST data; see #338; thanks @timpuri

Other

Packaging

  • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
  • the Windows 64-bit binary was now compiled with Visual Studio 2017 and as such depends on the "Visual C++ Redistributable for Visual Studio 2015" that needs to be installed on older platforms first
  • the Windows build needs OpenSSL 1.0.2 64 bit rather than OpenSSL 1.1.0

@zandbelt zandbelt released this Apr 27, 2018 · 54 commits to master since this release

Assets 12

Bugfixes

  • add Cache-Control no-cache response header to authorization requests to avoid replays of state/nonce from the browser's cache; see #321
  • avoid crash when a relative logout URL parameter is passed in; thanks Vivien Delenne
  • interpret X-Forwarded-Host when doing XSRF protection on the after-logout URL; see #341; thanks @pepe79
  • fix bug where endpoint authentication method private_key_jwt would not co-exist with none

Features

  • add support for passing an access token in a HTTP Basic authentication password; thanks @puiterwijk
  • add explicit endpoint authentication method bearer_access_token
  • send session management Javascript logging to debug; thanks @kerrermanisNL

Other

  • correct documentation on kid usage for OIDCOAuthVerifyCertFiles; closes #318
  • fix compiler warnings for OpenSSL 1.1.x

Packaging

  • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
  • the Windows 64-bit binary was now compiled with Visual Studio 2017 and as such depends on the "Visual C++ Redistributable for Visual Studio 2015" that needs to be installed on older platforms first
  • the Windows build needs OpenSSL 1.0.2 64 bit rather than OpenSSL 1.1.0

@zandbelt zandbelt released this Nov 16, 2017 · 74 commits to master since this release

Assets 11

Features

  • add support for passing claims resolved from the UserInfo endpoint as a JSON object or (when available) as a JWT with OIDCPassUserInfoAs; closes #311
  • add support for authentication to the introspection endpoint with a bearer token using OIDCOAuthIntrospectionClientAuthBearerToken; thanks @cristichiru (works in OAuth 2.0 mode only, does not mix with OIDC setups because of a bug in 2.3.3)

Bugfixes

  • avoid crash when no scheme is set on OIDCProviderMetadataURL; closes #303; thanks @iconoeugen
  • avoid crash when no OIDCOAuthClientID is set for remote access token validation
  • don't enforce iat checks on locally validated JWT access tokens (e.g. as issued by Keycloak)

Other

  • the Github repository is transferred to ZmartZone IAM
  • a number of compiler/static/runtime code analysis issues were addressed

Packaging

  • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
  • the Windows 64-bit binary was now compiled with Visual Studio 2017 and as such depends on the "Visual C++ Redistributable for Visual Studio 2015" that needs to be installed on older platforms first
  • the Windows build needs OpenSSL 1.0.2 64 bit rather than OpenSSL 1.1.0

@zandbelt zandbelt released this Sep 18, 2017 · 86 commits to master since this release

Assets 11

Bugfixes

  • fix "graceful" restart for shm/redis cache backends; see #296
  • fix public client configurations; also add support for endpoint authentication method none
  • fix issue with the combination of shared memory (shm) cache and using encryption (OIDCCacheEncrypt On) where the cache value would be corrupted after the first (successful) retrieval

Features

  • optionally remove request object parameters from the authorization request URL with copy_and_remove_from_request; see #294
  • add regex substitution for *RemoteUserClaim; thanks @hihellobolke
  • add issuer specific redirect URI option (issuer_specific_redirect_uri) for multi-provider setups to mitigate IDP mixup; see #291
  • update experimental token binding support to https://tools.ietf.org/html/draft-ietf-tokbind-ttrp-01 and use header names prefixed with Sec-; depends on mod_token_binding >= 0.3.4 now

Other

  • don't abort when mutex operations fail and printout textual descriptions of errors returned by mutex operations
  • support paths that are relative to the Apache root dir for: OIDCHTMLErrorTemplate, OIDCPublicKeyFiles, OIDCPrivateKeyFiles, OIDCOAuthVerifyCertFiles, OIDCClientTokenEndpointCert, OIDCClientTokenEndpointKey, OIDCOAuthIntrospectionEndpointCert and OIDCOAuthIntrospectionEndpointKey
  • properly support JSON boolean values in metadata .conf files
  • add FreeBSD instructions to documentation; see #298

Packaging

  • the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Downloads" section
  • Ubuntu Wily packages can also be used on Ubuntu Xenial, Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
  • the Windows 64-bit binary was now compiled with Visual Studio 2017 and as such depends on the "Visual C++ Redistributable for Visual Studio 2015" that needs to be installed on older platforms first
  • the Windows build needs OpenSSL 1.0.2 64 bit rather than OpenSSL 1.1.0

@zandbelt zandbelt released this Jul 19, 2017 · 119 commits to master since this release

Assets 11

Bugfixes

  • handle multiple values in X-Forwarded-* headers as to better support multiple chained reverse proxies in front of mod_auth_openidc
  • fix bug where token_endpoint_auth set to private_key_jwt would fail to provide the credential if client_secret wasn't set
  • remove A128GCM and A192GCM from the supported algorithms in the config file (and docs)

Features

  • assume the default port when X-Forwarded-Proto has been set; closes #282 and may address #278
  • support sending the authentication request via HTTP POST through HTML/Javascript autosubmit with OIDCProviderAuthRequestMethod
  • support private_key_jwt and client_secret_jwt as client authentication methods for OAuth 2.0 bearer token introspection

Other

  • log request headers when used and set
  • printout support for libjq expressions at startup
  • update (experimental) token binding support to https://tools.ietf.org/html/draft-campbell-tokbind-ttrp-00 and depend on mod_token_binding >= 0.3.0
  • refactored quite a bit of code to support compiler #define-d strings

Packaging Notes

  • the libcjose 0.5.1 dependency (with a security fix and renaming) was packaged with release 2.3.0
  • Ubuntu Wily packages can also be used on Xenial and Yakkety
  • on Windows (64 bit) platforms you may need to update msvcr120.dll

@zandbelt zandbelt released this Jun 13, 2017 · 139 commits to master since this release

Assets 21

Features

  • support relative OIDCRedirectURI's; closes #200; thanks @moschlar
  • add support for custom actions to take after authorization fails with OIDCUnAutzAction; see #263
    this enables step-up authentication scenarios when combined with the following:
    • add OIDCPathAuthRequestParams that is configurable on a per-path basis and use OIDCAuthRequestParams for the static per-provider value
    • add OIDCPathScope that is configurable on a per-path basis and concatenated with OIDCScope as static per-provider value
  • support 3rd-party-init-SSO with additional authentication request params when a single static provider has been configured; see #233
  • add support for an empty OIDCClaimPrefix; can be used with OIDCWhiteListedClaims to protect selected headers; see #264
  • support sending Authorization Request as "request" object in addition to "request_uri"; thanks @suttod
  • support nested claim matching in Require directives; thanks @suttod
  • support explicitly setting the kid of the private key in OIDCPrivateKeyFiles; thanks @suttod
  • allow for a higher session inactivity timeout maximum value
  • support JWT verification against multiple keys with no provided kid by looping over the provided keys (only works with cjose >= 0.5.0)
  • allow for postfixing OIDCRemoteUser with the issuer value after applying a regex

Bugfixes

  • fix wrong return value for cache_file_set in the file cache backend (OIDCCacheType file); thanks Ernani Joppert Pontes Martins
  • fix cache fallback so it happens (when enabled) only after failure
  • fix potential crash on prefork process exit when used with Redis cache backend
  • don't assume that having OIDCCryptoPassphrase set means we should validate the config for
    AuthType openid-connect since it can now also be used to encrypt (auth20) cache entries
  • avoid decoding a JSON object and logging an error when the input is NULL
    e.g. when claims have not been resolved because userinfo endpoint is not set
  • make OIDCStripCookies work on AuthType oauth20 paths; closes #273; thanks Michele Danieli
  • avoid crash when the X-Forwarded-Proto header is not correctly set by a reverse proxy in front of mod_auth_openidc
  • fix parse function of OIDCRequestObject configuration option; thanks @suttod
  • avoid cleaning our own state cookie twice when it is expired
  • fix caching of provider configuration metadata URLs and JWKs URIs when using OIDCCacheType file

Other

  • improve error message in oidc_util_http_send when ap_pass_brigade fails and mention possible interference with mod_deflate
  • change warn log about missing token binding ID to debug log
  • improve documentation for OIDCCryptoPassphrase; closes #268
  • enable JQ-based claims expression matching when compiled from source; see #178
  • normalize cache backend logging

Packaging Notes

  • libcjose version 0.5.1 with a security fix was released and packaged here; the module is backwards compatible with 0.4.1 though (see also the cjose package renaming notes with 2.2.0)
  • Centos 6 RPMs depend on libhiredis-0.12 e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/
  • on Windows (64 bit) platforms you may need to update msvcr120.dll
Jun 7, 2017
normalize cache backend logging
Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
May 30, 2017
step-up authentication with 2.3.0rc0
Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>