
@zandbelt released this Mar 25, 2020 · 11 commits to master since this release

This release fixes the SameSite Set-Cookie behaviour introduced in 2.4.1 when by-value session cookies are used, and it fixes a memory leak in an OAuth 2.0 Resource Server setup when using JWT token validation.

Bugfixes

  • also add SameSite=None to by-value session cookies
  • avoid memory leak in OAuth 2.0 JWT validation; closes #470; thanks Conrad Thukral
  • destroy shared memory segments only in parent process on shutdown/restart; see #458
  • if content was already returned via an HTML/HTTP send, return 200 rather than 500, so that some Apache 2.4.x versions (e.g. on CentOS 7) do not append extraneous internal error document text to the response
  • fix configured private/public key cleanup on shutdown

Features

Packaging

  • the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section in release 2.4.0
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful
  • packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), older Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64-bit are available under a commercial agreement via support@zmartzone.eu

This release was made possible thanks to sustaining sponsor GLUU.

Mar 24, 2020
change copyright to 2020
Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>

@zandbelt released this Jan 30, 2020 · 36 commits to master since this release

This release primarily addresses upcoming changes in SameSite Set-Cookie behaviour in Chrome and Firefox, see: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

Features

  • always add a SameSite value (default None) to the Set-Cookie header value; this can be overridden by using the environment variable OIDC_SET_COOKIE_APPEND, e.g.:
    SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
  • add the possibility to use a public key instead of a certificate for OIDCPublicKeyFiles parameter; thanks @absynth76
  • support login with OIDC session management; address #456; thanks Paolo Battino
  • support 407 option on OIDCUnAuthAction; thanks @dfsin-sa
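The SameSite behaviour introduced in this release (and corrected for by-value session cookies in 2.4.2 above) can be verified after an upgrade by auditing the Set-Cookie headers the module emits, including for User-Agents where OIDC_SET_COOKIE_APPEND overrides the default. The script below is an added example written for this page, not code from mod_auth_openidc; the cookie names and header values are constructed samples, and the rules it applies are the browser rules (a cookie without SameSite is treated as Lax by Chrome 80+; SameSite=None is only honoured together with Secure), not the module's own logic.

```python
"""Audit Set-Cookie headers for SameSite/Secure consistency.

Added example, not mod_auth_openidc code. Cookie names and values below are
constructed samples that mimic what a browser would record after login.
"""
from typing import Dict, List, NamedTuple, Union

Attrs = Dict[str, Union[str, bool]]


class Cookie(NamedTuple):
    name: str
    value: str
    attrs: Attrs


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased; bare flags such as Secure map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value, attrs)


def audit_set_cookie(header: str) -> List[str]:
    """Return finding codes for one header; an empty list means it is fine.

    missing-samesite    : Chrome 80+ treats the cookie as SameSite=Lax, so it
                          is not sent on a cross-site top-level POST such as
                          an OIDC form_post authorization response.
    none-without-secure : SameSite=None is only honoured together with
                          Secure; browsers reject the cookie otherwise.
    """
    attrs = parse_set_cookie(header).attrs
    findings: List[str] = []
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str):
        findings.append("missing-samesite")
    elif samesite.lower() == "none" and attrs.get("secure") is not True:
        findings.append("none-without-secure")
    return findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header of a response: cookie name -> findings."""
    result: Dict[str, List[str]] = {}
    for header in headers:
        result[parse_set_cookie(header).name] = audit_set_cookie(header)
    return result


# Constructed sample response headers (not captured from a real deployment).
SAMPLE_HEADERS = [
    "mod_auth_openidc_session=<opaque>; Path=/; Secure; HttpOnly; SameSite=None",
    "mod_auth_openidc_session_chunks=2; Path=/; HttpOnly",
    "mod_auth_openidc_state_abc=<blob>; Path=/; HttpOnly; SameSite=None",
]

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Run it against the Set-Cookie headers captured from a login round trip (for example from the browser's network panel); every cookie the module sets should come back with an empty finding list, except for those User-Agents you deliberately excluded via OIDC_SET_COOKIE_APPEND.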

Bugfixes

  • fix parsing of values from metadata files when the default is non-NULL (e.g. UNSET)
  • enforce OIDCIDTokenSignedResponseAlg and OIDCUserInfoSignedResponseAlg; see #435
  • changed storing POST params from localStorage to sessionStorage because data stored in localStorage was lost in Firefox private mode; see #447 #441
  • improve validation of the post-logout URL to avoid an open redirect; closes #449
  • unset chunked cookies if setting a non-chunked cookie; thanks @alindeman

Other

  • make cleaning of expired state cookies log with a warning rather than an error; thanks Pavel Drobov
  • return 200 OK for backchannel logout if session not found
  • added an Alpine Linux Dockerfile (container size of roughly 20 MB); thanks @absynth76
  • try to fix graceful restart crash; see #458; thanks @studersi

Packaging

  • the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section in release 2.4.0
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful
  • packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), older Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64-bit are available under a commercial agreement via support@zmartzone.eu

This release was made possible thanks to sustaining sponsor GLUU.

Please consider sponsoring maintenance and development of mod_auth_openidc via Patreon.


@zandbelt released this Nov 8, 2019 · 64 commits to master since this release

  • just tagging along

@zandbelt released this Oct 3, 2019 · 69 commits to master since this release

Security

  • improve validation of the post-logout URL parameter on logout; thanks AIMOTO Norihito; closes #449

Bugfixes

  • changed storing POST params from localStorage to sessionStorage because data stored in localStorage was lost in Firefox private mode; fixes #447 #441
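The security item above (and the corresponding 2.4.1 bugfix entry) hardens the post-logout URL check to close an open redirect: a logout endpoint that forwards the browser to whatever URL the request names becomes a generic redirector. This page does not describe the module's exact validation, so the function below is an added illustration of the kind of allow-list check a relying party can apply to a redirect target, written for this page and not taken from mod_auth_openidc. The host names are constructed samples.

```python
"""Allow-list check for a post-logout redirect target.

Added example, not mod_auth_openidc code; the module's own validation is not
described on this page. Host names are constructed samples.
"""
from typing import Iterable
from urllib.parse import urlsplit


def is_safe_post_logout_url(url: str, allowed_hosts: Iterable[str]) -> bool:
    """Return True only for targets that stay on the relying party's own hosts.

    Accepted:  path-relative URLs ("/logged-out") and absolute http(s) URLs
               whose host is in allowed_hosts (case-insensitive, port ignored).
    Rejected:  empty values; anything containing control characters or
               whitespace (they break header emission and confuse parsers);
               scheme-relative forms ("//h" and "/\\h") that browsers resolve
               to another host; non-http(s) schemes; and URLs whose userinfo
               part ("trusted@other") would hide the real host.
    """
    if not url:
        return False
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    if url.startswith("/"):
        # "//other" is scheme-relative; browsers also treat "/\other" that way.
        return not (url.startswith("//") or url.startswith("/\\"))
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = parts.hostname  # lower-cased, with userinfo and port stripped
    if not host:
        return False
    return host in {h.lower() for h in allowed_hosts}


if __name__ == "__main__":
    own_hosts = ["app.example.com"]  # constructed sample allow-list
    for candidate in ["/logged-out", "https://app.example.com/bye",
                      "//other.example/", "https://app.example.com@other.example/"]:
        print(f"{candidate!r}: {'ok' if is_safe_post_logout_url(candidate, own_hosts) else 'rejected'}")
```

The allow-list is deliberately a set of host names rather than a prefix match on the URL string: prefix matching is what lets "trusted.example@other.example" or "trusted.example.other.example" slip through.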
Oct 3, 2019
2.4.0.2 oops
Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Oct 2, 2019
improve validation of the post-logout URL; closes #449
- to avoid an open redirect; thanks AIMOTO Norihito
- release 2.4.0.1

Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>

@zandbelt released this Aug 22, 2019 · 79 commits to master since this release

Important

  • version 2.4.0 carries quite a number of relatively small changes (see: Bugfixes and Features below) that are subtle but may nevertheless impact runtime behavior; you should verify an upgrade in a test environment before rolling out to production. For example, those who use claim environment variables will find that the names of these variables are now prefixed with REDIRECT_, see here
  • this release deprecates the OAuth 2.0 Resource Server functionality which is now implemented as a separate module mod_oauth2.

Bugfixes

  • URL-encode client_id/client_secret when using client_secret_basic according to: https://tools.ietf.org/html/rfc6749#section-2.3.1
  • fix parsing and caching of OIDCOAuthServerMetadataURL; thanks Lance Fannin
  • fix oidc_proto_html_post auto-post-submit so it no longer results in duplicate parentheses; closes #440; thanks @gobreak
  • fix RSA JWK x5c parsing issue (e.g. when parsing n fails): explicitly set the kid in the JWK
  • fix OIDCOAuthAcceptTokenAs post so POST data is propagated and not lost; see #443
  • fix JWT decryption crashing on non-null terminated input
  • fix not clearing claims in session when setting claims to null; closes #445; thanks @FilipVujicic

Features

  • support refresh and access tokens revocation from an RFC 7009 endpoint upon OIDC session logout
  • make sure the content handler is called for every request to the configured Redirect URI so all Apache processing is executed (e.g. setting headers with mod_headers) before returning the response; thanks Don Sengpiehl (NB: this may affect browser behavior and backwards compatibility)
  • add ability to view session info in HTML via the session info hook via <redirect_uri>?info=html
  • enable per-provider signing and encryption keys in multi-provider setups (with limitations)
  • no longer use the fixup handler for environment variable setting but do it as part of the authn handler
  • add logout_on_error option to OIDCRefreshAccessTokenBeforeExpiry to kill the session when refreshing an access token fails; thanks @rickyepoderi
  • be smart about picking the token endpoint authentication method when not configured explicitly: don't simply choose the first one published by the OP, but prefer client_secret_basic if that is listed as well; see: panva/node-oidc-provider#514; thanks @richard-drummond and @panva
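Two items in this release concern client authentication at the token endpoint: the Bugfixes entry that form-urlencodes client_id and client_secret for client_secret_basic as RFC 6749 section 2.3.1 requires, and the Features entry that prefers client_secret_basic over the first method the OP publishes. The following added example, written for this page and not taken from mod_auth_openidc, shows both: method selection over a constructed token_endpoint_auth_methods_supported list, and the header encoding together with the server-side decoding that explains why the encoding matters when a secret contains ':', '%' or '+'.

```python
"""Token endpoint client authentication helpers.

Added example, not mod_auth_openidc code. The OP metadata lists and the
client credentials used here are constructed samples.
"""
import base64
from typing import Optional, Sequence, Tuple
from urllib.parse import quote_plus, unquote_plus


def choose_token_endpoint_auth_method(
    supported: Optional[Sequence[str]], configured: Optional[str] = None
) -> str:
    """Select the method for the token request.

    An explicitly configured method always wins. Otherwise prefer
    client_secret_basic whenever the OP lists it, and fall back to the first
    entry of token_endpoint_auth_methods_supported only when it does not.
    An absent list means client_secret_basic, the OpenID Connect Discovery
    default for that metadata field.
    """
    if configured:
        return configured
    if not supported or "client_secret_basic" in supported:
        return "client_secret_basic"
    return supported[0]


def encoded_credentials(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1: form-urlencode each part *before* joining on ':'.

    Without this step a secret such as "p@ss:word" is split at the wrong ':'
    by the server, and a '%' or '+' in a secret is misread as an escape.
    """
    return f"{quote_plus(client_id)}:{quote_plus(client_secret)}"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the Authorization header value for client_secret_basic."""
    raw = encoded_credentials(client_id, client_secret).encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_header(header: str) -> Tuple[str, str]:
    """Server side of the same rule: split on the first ':' and then unescape."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token).decode("ascii")
    user, _, secret = decoded.partition(":")
    return unquote_plus(user), unquote_plus(secret)


if __name__ == "__main__":
    # Constructed sample of an OP's token_endpoint_auth_methods_supported.
    methods = ["private_key_jwt", "client_secret_basic", "client_secret_post"]
    print(choose_token_endpoint_auth_method(methods))
    hdr = basic_auth_header("my client", "p@ss:word")
    print(hdr, decode_basic_header(hdr))
```

quote_plus encodes a space as '+' and leaves '-', '_', '.' and '~' bare, which is close enough to application/x-www-form-urlencoded for credentials; a server that decodes with the same rule, as decode_basic_header does, recovers the original secret exactly.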

Other

  • remove the OIDCScrubRequestHeaders option, which allowed skipping the scrubbing of request headers, thus avoiding potentially insecure setups
  • log the original URL for expired state cookies, useful for debugging SPA/JS issues
  • add debug logs in oidc_proto_generate_random_string to allow for spotting lack of entropy in the random number generator (on VM environments) more easily
  • add USE_URANDOM compile time option to use /dev/urandom explicitly for non-blocking random number generation: configure with APXS2_OPTS="-DUSE_URANDOM"
  • allow removing an access token from the cache ("remove_at_cache") when running in OAuth 2.0 RS mode only

Packaging

  • the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
  • packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), older Debian distros, SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5, Mac OS X and Microsoft Windows 64-bit are available under a commercial agreement via support@zmartzone.eu

This release was made possible thanks to sustaining sponsor GLUU.

Please consider sponsoring maintenance and development of mod_auth_openidc via Patreon.


@zandbelt released this Mar 13, 2019 · 131 commits to master since this release

Features

  • dynamically pass query params to the authorization request; closes #401
    • using OIDCAuthRequestParams foo=# and/or OIDCPathAuthRequestParams foo=#
  • add session expiry info to session info hook response
    • session inactivity key is timeout now (was exp)
    • session expiry key is exp

Other

  • allow compilation without memcache support on older platforms not providing apr_memcache.h

Packaging

  • the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section
  • Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise
  • packages for various other platforms such as Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Power PC (ppc64, ppc64le), SUSE Linux Enterprise Server, IBM HTTP Server 8.5.5 and Microsoft Windows 64-bit are available under a commercial agreement via support@zmartzone.eu

This release was made possible thanks to sustaining sponsor GLUU.

Please consider sponsoring maintenance and development of mod_auth_openidc via Patreon.

Feb 25, 2019
dynamically pass query params to the authorization request; closes #401
- using `OIDCAuthRequestParams foo=#` and/or `OIDCPathAuthRequestParams foo=#`
- thanks Philip Causin and Chris Blount
- bump to 2.3.11rc1

Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>