Revisions of apache2-mod_auth_openidc
Kristyna Streitova (kstreitova)
accepted
request 850712
from
Michael Ströder (stroeder)
(revision 29)
- Update to version 2.4.5
  * Features
    - disable caching token introspection results by setting OIDCOAuthTokenIntrospectionInterval to -1
    - add exec support to OIDCCryptoPassphrase
    - delete stale session cookies that aren't in the cache
    - allow OIDCDiscoverURL to be a relative URL
    - add OIDCCABundlePath for configuring path to curl CA bundle
  * Bugfixes
    - enable authentication of sub-requests when the main request doesn't require authentication
    - fix content processing for info and JWKs handler so mod_headers etc. work; closes #497
    - avoid Apache 2.4 appending 401 HTML document text to step-up authentication HTML refresh page; closes #484
    - add config check for OIDCCryptoPassphrase in OAuth 2.0 RS setup with cache encryption enabled
    - populate AUTH_TYPE when performing authentication
    - improve sanity checking on Redis reply
  * Security
    - ensure that sub is returned from the userinfo endpoint following https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse; prevents potential ID spoofing
    - don't printout JSON errors about NULL characters in error log
    - restrict printout of JSON parsing errors to 4096 bytes
buildservice-autocommit
accepted
request 833400
from
Petr Gajdos (pgajdos)
(revision 28)
baserev update by copy to link target
Petr Gajdos (pgajdos)
accepted
request 833319
from
Michael Ströder (stroeder)
(revision 27)
- Update to version 2.4.4.1
  * Bugfixes
    - add SameSite=None attribute on cookie clearance / logout and make sure it works in OP iframes
  * Packaging
    - the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section in release 2.4.0
buildservice-autocommit
accepted
request 831365
from
Petr Gajdos (pgajdos)
(revision 26)
baserev update by copy to link target
Petr Gajdos (pgajdos)
accepted
request 831329
from
Michael Ströder (stroeder)
(revision 25)
- Update to version 2.4.4
  * Security
    - prevent XSS and open redirect on OIDC session management OP iframe, introducing generic OIDCRedirectURLsAllowed primitive; thanks Andrew Brady
    - add OIDCStateCookiePrefix primitive for the state cookie prefix to anonymise the state cookie name
  * Bugfixes
    - fix double Set-Cookie behaviour when using OIDCSessionType client-cookie, calling the session info hook and writing out a session update (twice); thanks @deisser
    - reverse order of creating HTML response and writing the (client-type) session cookie in the session info hook so the session data is actually saved; thanks @deisser
    - delete state cookie when it cannot be decoded/decrypted
    - avoid an Apache authorisation error and HTTP 500 when logout is triggered by a different RP
  * Features
    - add conditional expression to OIDCUnAuthAction to override auto-detection of non-browser requests; see #479; thanks @raro42 and @marcstern
  * Other
    - fixes for various compiler warnings/issues (older and newer versions of GCC)
    - add grant_types to dynamic client registration request [OIDC conformance test suite]
    - don't send access_token in user info request when method is set to POST [OIDC conformance test suite]
    - add recommended cache headers on backchannel logout response https://openid.net/specs/openid-connect-backchannel-1_0.html#rfc.section.2.8 [OIDC conformance test suite]
    - allow Content-Type check on backchannel logout to have postfixes (utf-8 etc.) [OIDC conformance test suite]
buildservice-autocommit
accepted
request 825751
from
Petr Gajdos (pgajdos)
(revision 24)
baserev update by copy to link target
Petr Gajdos (pgajdos)
committed
(revision 23)
Petr Gajdos (pgajdos)
accepted
request 825719
from
Michael Ströder (stroeder)
(revision 22)
- Update to version 2.4.3
  * Bugfixes
    - prevent open redirect on refresh token requests
    - add new OIDCRedirectURLsAllowed primitive to handle post logout and refresh-return-to validation addresses #453; closes #466
    - when stripping cookies, add a space between cookies in the resulting header (required by RFC 6265)
    - fix compilation against Apache 2.0
  * Features
    - add OIDCStateInputHeaders that allows configuring the header values used to calculate the fingerprint of the state during authentication
    - added OIDCValidateIssuer primitive to allow for disabling of issuer matching, helps to support multi-tenant applications i.e. Microsoft AAD
buildservice-autocommit
accepted
request 788232
from
Petr Gajdos (pgajdos)
(revision 21)
baserev update by copy to link target
Petr Gajdos (pgajdos)
accepted
request 788227
from
Martin Hauke (mnhauke)
(revision 20)
- Update to version 2.4.2.1
  Changes since 2.4.1:
  * oops: fix json_deep_copy of claims
  * fix memory leak in OAuth 2.0 JWT validation
  * fix configured private/public key cleanup on process exit
  * allow for expressions in Require statements, see #469
  * always refresh keys from jwks_uri when there is no kid in the JWT header
  * destroy shared memory segments only in parent process; see #458
  * fix memory leaks introduced by #457
  * if content was already returned via html/http send then don't return 500 but send 200 to avoid extraneous internal error document text to be sent on some Apache 2.4.x versions
  * if OIDCPublicKeyFiles contains a certificate, the corresponding x5c, x5t and x5t#256 parameters will be added to the generated jwkset available at "<redirect_uri>?jwks=rsa"
  - fix: also add SameSite=None to by-value session cookies
  - try to fix graceful restart crash; see #458
buildservice-autocommit
accepted
request 780843
from
Lars Vogdt (lrupp)
(revision 19)
baserev update by copy to link target
Lars Vogdt (lrupp)
accepted
request 780794
from
Michael Ströder (stroeder)
(revision 18)
- Update to version 2.4.1
  * This release primarily addresses upcoming changes in SameSite Set-Cookie behaviour in Chrome and Firefox
buildservice-autocommit
accepted
request 744159
from
Petr Gajdos (pgajdos)
(revision 17)
baserev update by copy to link target
Petr Gajdos (pgajdos)
accepted
request 744137
from
Kristyna Streitova (kstreitova)
(revision 16)
- Update to version 2.4.0.3
  Security
  * improve validation of the post-logout URL parameter on logout; thanks AIMOTO Norihito; closes #449 [bsc#1153666], [CVE-2019-14857]
  Bugfixes
  * changed storing POST params from localStorage to sessionStorage due to some issue of losing data in localStorage in Firefox (private mode); fixes #447 #441
Petr Gajdos (pgajdos)
accepted
request 739556
from
Richard Brown (RBrownSUSE)
(revision 14)
Remove obsolete Groups tag (fate#326485)
buildservice-autocommit
accepted
request 725544
from
Petr Gajdos (pgajdos)
(revision 13)
baserev update by copy to link target
Petr Gajdos (pgajdos)
accepted
request 725421
from
Michael Ströder (stroeder)
(revision 12)
update to 2.4.0
buildservice-autocommit
accepted
request 686338
from
Petr Gajdos (pgajdos)
(revision 11)
baserev update by copy to link target
Petr Gajdos (pgajdos)
accepted
request 684786
from
Martin Hauke (mnhauke)
(revision 10)
- Update to version 2.3.11
  Features
  * dynamically pass query params to the authorization request
    + using OIDCAuthRequestParams foo=# and/or OIDCPathAuthRequestParams foo=#
  * add session expiry info to session info hook response
    + session inactivity key is timeout now (was exp)
    + session expiry key is exp
  Other
  * allow compilation without memcache support on older platforms not providing apr_memcache.h