Bugfixes

• fix "graceful" restart for shm/redis cache backends; see #296
• fix public client configurations; also add support for endpoint authentication method none
• fix issue with the combination of shared memory (shm) cache and using encryption (OIDCCacheEncrypt On) where the cache value would be corrupted after the first (successful) retrieval

Features

• optionally remove request object parameters from the authorization request URL with copy_and_remove_from_request; see #294
• add regex substitution for *RemoteUserClaim; thanks @hihellobolke
• add issuer specific redirect URI option (issuer_specific_redirect_uri) for multi-provider setups to mitigate IDP mixup; see #291
• update experimental token binding support to https://tools.ietf.org/html/draft-ietf-tokbind-ttrp-01 and use header names prefixed with Sec-; depends on mod_token_binding >= 0.3.4 now

Other

• don't abort when mutex operations fail and printout textual descriptions of errors returned by mutex operations
• support paths that are relative to the Apache root dir for: OIDCHTMLErrorTemplate, OIDCPublicKeyFiles, OIDCPrivateKeyFiles, OIDCOAuthVerifyCertFiles, OIDCClientTokenEndpointCert, OIDCClientTokenEndpointKey, OIDCOAuthIntrospectionEndpointCert and OIDCOAuthIntrospectionEndpointKey
• properly support JSON boolean values in metadata .conf files
• add FreeBSD instructions to documentation; see #298

Packaging

• the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Downloads" section
• Ubuntu Wily packages can also be used on Ubuntu Xenial, Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
• the Windows 64-bit binary was now compiled with Visual Studio 2017 and as such depends on the "Visual C++ Redistributable for Visual Studio 2015" that needs to be installed on older platforms first
• the Windows build needs OpenSSL 1.0.2 64 bit rather than OpenSSL 1.1.0

Bugfixes

• handle multiple values in X-Forwarded-* headers as to better support multiple chained reverse proxies in front of mod_auth_openidc
• fix bug where token_endpoint_auth set to private_key_jwt would fail to provide the credential if client_secret wasn't set
• remove A128GCM and A192GCM from the supported algorithms in the config file (and docs)

Features

• assume the default port when X-Forwarded-Proto has been set; closes #282 and may address #278
• support sending the authentication request via HTTP POST through HTML/Javascript autosubmit with OIDCProviderAuthRequestMethod
• support private_key_jwt and client_secret_jwt as client authentication methods for OAuth 2.0 bearer token introspection

Other

• log request headers when used and set
• printout support for libjq expressions at startup
• update (experimental) token binding support to https://tools.ietf.org/html/draft-campbell-tokbind-ttrp-00 and depend on mod_token_binding >= 0.3.0
• refactored quite a bit of code to support compiler #define-d strings

Packaging Notes

• the libcjose 0.5.1 dependency (with a security fix and renaming) was packaged with release 2.3.0
• Ubuntu Wily packages can also be used on Xenial and Yakkety
• on Windows (64 bit) platforms you may need to update msvcr120.dll

Features

• support relative OIDCRedirectURI's; closes #200; thanks @moschlar
• add support for custom actions to take after authorization fails with OIDCUnAutzAction; see #263
  this enables step-up authentication scenarios when combined with the following:
  • add OIDCPathAuthRequestParams that is configurable on a per-path basis and use OIDCAuthRequestParams for the static per-provider value
  • add OIDCPathScope that is configurable on a per-path basis and concatenated with OIDCScope as static per-provider value
• support 3rd-party-init-SSO with additional authentication request params when a single static provider has been configured; see #233
• add support for an empty OIDCClaimPrefix; can be used with OIDCWhiteListedClaims to protect selected headers; see #264
• support sending Authorization Request as "request" object in addition to "request_uri"; thanks @suttod
• support nested claim matching in Require directives; thanks @suttod
• support explicitly setting the kid of the private key in OIDCPrivateKeyFiles; thanks @suttod
• allow for a higher session inactivity timeout maximum value
• support JWT verification against multiple keys with no provided kid by looping over the provided keys (only works with cjose >= 0.5.0)
• allow for postfixing OIDCRemoteUser with the issuer value after applying a regex

Bugfixes

• fix wrong return value for cache_file_set in the file cache backend (OIDCCacheType file); thanks Ernani Joppert Pontes Martins
• fix cache fallback so it happens (when enabled) only after failure
• fix potential crash on prefork process exit when used with Redis cache backend
• don't assume that having OIDCCryptoPassphrase set means we should validate the config for
  AuthType openid-connect since it can now also be used to encrypt (auth20) cache entries
• avoid decoding a JSON object and logging an error when the input is NULL
  e.g. when claims have not been resolved because userinfo endpoint is not set
• make OIDCStripCookies work on AuthType oauth20 paths; closes #273; thanks Michele Danieli
• avoid crash when the X-Forwarded-Proto header is not correctly set by a reverse proxy in front of mod_auth_openidc
• fix parse function of OIDCRequestObject configuration option; thanks @suttod
• avoid cleaning our own state cookie twice when it is expired
• fix caching of provider configuration metadata URLs and JWKs URIs when using OIDCCacheType file

Other

• improve error message in oidc_util_http_send when ap_pass_brigade fails and mention possible interference with mod_deflate
• change warn log about missing token binding ID to debug log
• improve documentation for OIDCCryptoPassphrase; closes #268
• enable JQ-based claims expression matching when compiled from source; see #178
• normalize cache backend logging

Packaging Notes

• libcjose version 0.5.1 with a security fix was released and packaged here; the module is backwards compatible with 0.4.1 though (see also the cjose package renaming notes with 2.2.0)
• Centos 6 RPMs depend on libhiredis-0.12 e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/
• on Windows (64 bit) platforms you may need to update msvcr120.dll

Features

• improved support for Single Page Applications, see here and here
  • add session info hook that is configurable through OIDCInfoHook
  • add AuthType auth-openidc option that allows both oauth20 and openid-connect behaviours on the same path
• add encryption for all cache entries instead of just session data through OIDCCacheEncrypt
• add cookie SameSite flag/policy through OIDCCookieSameSite
• return HTTP 200 on OPTIONS requests to (unauthenticated) oauth20 paths
• add fallback to a by-value session cookie if the primary session cache fails with OIDCSessionCacheFallbackToCookie
• add support for black- and/or white-listing claims with OIDCBlackListedClaims and OIDCWhiteListedClaims

Bugfixes

• fix clearing chunked session cookies on logout; closes #246; thanks @Jharmuth
• fix removing session state from cache on logout

Experimental

• add prototype token binding support in conjunction with mod_token_binding, see here
  • for state & session cookies, see here
  • for ID tokens with OpenID Connect Token Bound Authentication support
  • for Authorization Codes with OAuth 2.0 Token Binding for Authorization Codes

Packaging Notes

• the name of the cjose dependency changed for Debian and Ubuntu releases to be in line with the name in the official distributions: libcjose0; so an update to 2.2.0 via the provided packages requires re-installing the renamed libcjose0 package; you can use the binaries attached to this release or use the one in the Debian/Ubuntu distributions as long as you have version >= 0.4.1; that also holds for CentOS/Fedora
• the name of Debian and Ubuntu packages is more explicit now about the distribution that it is intended for; Ubuntu Wily packages can also be used on Xenial and Yakkety
• Centos 6 RPMs depend on libhiredis-0.12 now e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/

This is a security release :

Those using AuthType oauth20 together with applications that interpret headers set by mod_auth_openidc on paths that disclose sensitive information are affected and should upgrade.

Security

• scrub headers for AuthType oauth20

On accessing paths protected with AuthType oauth20 no headers would be scrubbed before mod_auth_openidc sets its own headers, so malicious software/users could set OIDC_CLAIM_ and OIDCAuthNHeader headers that applications would interpret as set by mod_auth_openidc only if those headers are not set and overwritten by mod_auth_openidc itself.

Bugfixes

• handle OIDCUnAuthAction after max session duration is exceeded; see #220; thanks @phybros
• fix parse OIDCOAuthTokenExpiryClaim; closes #225; thanks Alessandro Papacci
• correctly parse kid in OIDCPublicKeyFiles and OIDCOAuthVerifyCertFiles; thanks Alessandro Papacci

Other

• improve logging wrt. session management availability; closes #223
• handle only X-Requested-With: XMLHttpRequest as non-browser request; closes #228; thanks @mguillem
• improve error message on state timeout; closes #226; thanks @security4java
• a call to the refresh hook now also resets the session inactivity timeout

Packaging Notes

• Accompanying libcjose packages can be found in the 2.1.3 release
• Ubuntu Wily packages can also be used on Xenial and Yakkety
• Centos 6 RPMs depend on libhiredis-0.12 now e.g. from https://pkgs.org/centos-6/puias-unsupported-x86_64/

This is a security maintenance/backport release for Debian/Ubuntu/CentOS distributions that carry 1.8.10.1; in general one should use >= 2.1.6 from the releases page going forward:

Those using AuthType oauth20 together with applications that interpret headers set by mod_auth_openidc on paths that disclose sensitive information are affected and should upgrade.

Security

• scrub headers for AuthType oauth20

On accessing paths protected with AuthType oauth20 no headers would be scrubbed before mod_auth_openidc sets its own headers, so malicious software/users could set OIDC_CLAIM_ and OIDCAuthNHeader headers that applications would interpret as set by mod_auth_openidc only if those headers are not set and overwritten by mod_auth_openidc itself.

This is a security maintenance/backport release for Debian/Ubuntu/CentOS distributions that carry 1.8.10.1; in general one should use >= 2.1.5 from the releases page going forward:

Those using AuthType openid-connect together with OIDCUnAuthAction pass on paths that disclose sensitive information based on the authenticated user are affected and should upgrade.

Security

• scrub headers on OIDCUnAuthAction pass; see #222

On accessing paths protected with OIDCUnAuthAction pass no headers would be scrubbed when a user is not authenticated, so malicious software/users could set OIDC_CLAIM_ and OIDCAuthNHeader headers that applications would interpret as set by mod_auth_openidc even though the user has no authenticated session.

Bugfixes

• use AUTHZ_DENIED instead of HTTP_UNAUTHORIZED in oidc_authz_checker; see #135