Revisions of apache2-mod_auth_openidc

Kristyna Streitova (kstreitova) accepted request 850712 from Michael Ströder (stroeder) (revision 29)
- Update to version 2.4.5
  * Features
    - disable caching token introspection results by setting
      OIDCOAuthTokenIntrospectionInterval to -1
    - add exec support to OIDCCryptoPassphrase
    - delete stale session cookies that aren't in the cache
    - allow OIDCDiscoverURL to be a relative URL
    - add OIDCCABundlePath for configuring path to curl CA bundle
  * Bugfixes
    - enable authentication of sub-requests when the main request
      doesn't require authentication
    - fix content processing for info and JWKs handler so mod_headers etc.
      work; closes #497
    - avoid Apache 2.4 appending 401 HTML document text to step-up
      authentication HTML refresh page; closes #484
    - add config check for OIDCCryptoPassphrase in OAuth 2.0 RS setup with
      cache encryption enabled
    - populate AUTH_TYPE when performing authentication
    - improve sanity checking on Redis reply
  * Security
    - ensure that sub is returned from the userinfo endpoint following
      https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse;
      prevents potential ID spoofing
    - don't print out JSON errors about NULL characters in the error log
    - restrict printout of JSON parsing errors to 4096 bytes
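The first security item above is the check from OpenID Connect Core 1.0, section 5.3.2: the `sub` in the UserInfo response must exactly match the `sub` of the ID Token, and if it does not (or is absent) the UserInfo values must not be used. Without it, a UserInfo response for another account, or one carrying no `sub` at all, can be merged into the authenticated session. The following is an added example that implements that check in Python; it is not mod_auth_openidc's code, and the token, claims and UserInfo responses in it are constructed. Signature, `iss`/`aud`/`exp` and `nonce` validation of the ID Token are assumed to have already happened.

```python
# Added example (not mod_auth_openidc code): the UserInfo "sub" check
# from OpenID Connect Core 1.0, section 5.3.2.  The UserInfo response
# MUST carry a sub claim that exactly matches the ID Token's sub;
# otherwise the UserInfo values MUST NOT be used.  All tokens and
# responses below are constructed for the example.
import base64
import json


class UserInfoError(Exception):
    """Raised when a UserInfo response cannot be attributed to the ID Token subject."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Extract the claims set from a compact-serialised ID Token.

    Signature, iss/aud/exp and nonce checks are assumed to have passed
    already (out of scope here); this only reads the payload so its sub
    can be compared with the UserInfo response.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise UserInfoError("ID Token has no usable sub claim")
    return claims


def merge_userinfo(id_claims: dict, userinfo: dict) -> dict:
    """Return ID Token claims supplemented by UserInfo claims.

    Rejects the UserInfo response when its sub is missing, not a string,
    or differs from the ID Token's sub.  On rejection nothing from
    UserInfo is used; the caller keeps only the ID Token claims.
    """
    ui_sub = userinfo.get("sub")
    if not isinstance(ui_sub, str):
        raise UserInfoError("UserInfo response has no sub claim")
    if ui_sub != id_claims["sub"]:
        raise UserInfoError(
            f"UserInfo sub {ui_sub!r} does not match ID Token sub {id_claims['sub']!r}"
        )
    # Where both carry a claim, keep the ID Token value: it is the one signed by the OP.
    return {**userinfo, **id_claims}


def resolve_session_claims(id_token: str, userinfo: dict):
    """Convenience wrapper: (claims, None) on success, (None, reason) on rejection."""
    try:
        return merge_userinfo(id_token_claims(id_token), userinfo), None
    except UserInfoError as exc:
        return None, str(exc)


def make_test_id_token(claims: dict) -> str:
    """Build an ID Token with a placeholder signature (constructed test data only)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "test-key"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed inputs: one honest UserInfo response and two that must be rejected.
ID_TOKEN = make_test_id_token({
    "iss": "https://op.example.com",
    "sub": "248289761001",
    "aud": "s6BhdRkqt3",
    "iat": 1311280970,
    "exp": 1311281970,
})
USERINFO_OK = {"sub": "248289761001", "name": "Jane Doe", "email": "jane@example.com"}
USERINFO_OTHER_USER = {"sub": "admin", "name": "Site Admin", "email": "admin@example.com"}
USERINFO_NO_SUB = {"name": "Jane Doe", "email": "jane@example.com"}


if __name__ == "__main__":
    for label, ui in (("ok", USERINFO_OK), ("other user", USERINFO_OTHER_USER), ("no sub", USERINFO_NO_SUB)):
        claims, reason = resolve_session_claims(ID_TOKEN, ui)
        print(f"{label:>10}: {'accepted ' + claims['email'] if claims else 'rejected: ' + reason}")
```

The important design point is that rejection discards the whole UserInfo response rather than just the `sub`: the spec forbids using any of its values once the subject does not match, because nothing in an unsigned UserInfo body ties the remaining claims to the user who actually authenticated.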
buildservice-autocommit accepted request 833400 from Petr Gajdos (pgajdos) (revision 28)
baserev update by copy to link target
Petr Gajdos (pgajdos) accepted request 833319 from Michael Ströder (stroeder) (revision 27)
- Update to version 2.4.4.1
  * Bugfixes
    - add SameSite=None attribute on cookie clearance / logout and make sure it works in OP iframes
  * Packaging
    - the libcjose >= 0.5.1 binaries that this module depends on are available from the "Assets" section in release 2.4.0
buildservice-autocommit accepted request 831365 from Petr Gajdos (pgajdos) (revision 26)
baserev update by copy to link target
Petr Gajdos (pgajdos) accepted request 831329 from Michael Ströder (stroeder) (revision 25)
- Update to version 2.4.4
  * Security
    - prevent XSS and open redirect on OIDC session management OP iframe,
      introducing generic OIDCRedirectURLsAllowed primitive; thanks Andrew Brady
    - add OIDCStateCookiePrefix primitive for the state cookie prefix to anonymise the state cookie name
  * Bugfixes
    - fix double Set-Cookie behaviour when using OIDCSessionType client-cookie,
      calling the session info hook and writing out a session update (twice); thanks @deisser
    - reverse order of creating HTML response and writing the (client-type)
      session cookie in the session info hook so the session data is actually saved; thanks @deisser
    - delete state cookie when it cannot be decoded/decrypted
    - avoid an Apache authorisation error and HTTP 500 when logout is triggered by a different RP
  * Features
    - add conditional expression to OIDCUnAuthAction to override auto-detection of
      non-browser requests; see #479; thanks @raro42 and @marcstern
  * Other
    - fixes for various compiler warnings/issues (older and newer versions of GCC)
    - add grant_types to dynamic client registration request [OIDC conformance test suite]
    - don't send access_token in user info request when method is set to POST
      [OIDC conformance test suite]
    - add recommended cache headers on backchannel logout response
      https://openid.net/specs/openid-connect-backchannel-1_0.html#rfc.section.2.8 [OIDC conformance test suite]
    - allow Content-Type check on backchannel logout to have postfixes (utf-8 etc.) [OIDC conformance test suite]
buildservice-autocommit accepted request 825751 from Petr Gajdos (pgajdos) (revision 24)
baserev update by copy to link target
Petr Gajdos (pgajdos) committed (revision 23)
Petr Gajdos (pgajdos) accepted request 825719 from Michael Ströder (stroeder) (revision 22)
- Update to version 2.4.3
  * Bugfixes
    - prevent open redirect on refresh token requests
    - add new OIDCRedirectURLsAllowed primitive to handle post logout
      and refresh-return-to validation
      addresses #453; closes #466
    - when stripping cookies, add a space between cookies in the resulting header (required by RFC 6265)
    - fix compilation against Apache 2.0
  * Features
    - add OIDCStateInputHeaders that allows configuring the header values
      used to calculate the fingerprint of the state during authentication
    - added OIDCValidateIssuer primitive to allow for disabling of issuer
      matching, helps to support multi-tenant applications i.e. Microsoft AAD
buildservice-autocommit accepted request 788232 from Petr Gajdos (pgajdos) (revision 21)
baserev update by copy to link target
Petr Gajdos (pgajdos) accepted request 788227 from Martin Hauke (mnhauke) (revision 20)
- Update to version 2.4.2.1
  Changes since 2.4.1:
  * oops: fix json_deep_copy of claims
  * fix memory leak in OAuth 2.0 JWT validation
  * fix configured private/public key cleanup on process exit
  * allow for expressions in Require statements, see #469
  * always refresh keys from jwks_uri when there is no kid in the
    JWT header
  * destroy shared memory segments only in parent process; see #458
  * fix memory leaks introduced by #457
  * if content was already returned via html/http send then don't
    return 500 but send 200 to avoid extraneous internal error
    document text to be sent on some Apache 2.4.x versions
  * if OIDCPublicKeyFiles contains a certificate, the corresponding
    x5c, x5t and x5t#256 parameters will be added to the generated
    jwkset available at "<redirect_uri>?jwks=rsa"
  - fix: also add SameSite=None to by-value session cookies
  - try to fix graceful restart crash; see #458
buildservice-autocommit accepted request 780843 from Lars Vogdt (lrupp) (revision 19)
baserev update by copy to link target
Lars Vogdt (lrupp) accepted request 780794 from Michael Ströder (stroeder) (revision 18)
- Update to version 2.4.1
  * This release primarily addresses upcoming changes in
    SameSite Set-Cookie behaviour in Chrome and Firefox
buildservice-autocommit accepted request 744159 from Petr Gajdos (pgajdos) (revision 17)
baserev update by copy to link target
Petr Gajdos (pgajdos) accepted request 744137 from Kristyna Streitova (kstreitova) (revision 16)
- Update to version 2.4.0.3
Security
  * improve validation of the post-logout URL parameter on logout;
    thanks AIMOTO Norihito; closes #449
    [bsc#1153666], [CVE-2019-14857]
Bugfixes
  * changed storing POST params from localStorage to sessionStorage
    due to some issue of losing data in localStorage in Firefox
    (private mode); fixes #447 #441
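Three entries on this page concern the same class of bug: the post-logout URL validation fixed in 2.4.0.3 (CVE-2019-14857), the open redirect on refresh-token requests fixed in 2.4.3 together with the new OIDCRedirectURLsAllowed primitive, and the open redirect on the session management OP iframe fixed in 2.4.4. The common failure is accepting an attacker-supplied "return to" URL and emitting it in a Location header. The following is an added example, not mod_auth_openidc's code, of how such a target is checked against an allow-list, with a deliberately weak variant alongside it to show the usual mistakes. Assumptions not taken from the module's source or this page: the allow-list is a list of regular expressions that must match the whole URL, relative targets are accepted only as a single-slash path on the current host, and the probe URLs are all constructed.

```python
# Added example (not mod_auth_openidc code): an allow-list check for
# redirect targets such as the post-logout URL and the refresh
# "return-to" URL.  Assumptions, not taken from the module's source: the
# allow-list is a list of regular expressions that must match the whole
# URL, relative targets are accepted only as single-slash paths on the
# current host, and naive_is_allowed() is a deliberately weak stand-in
# kept only to show why anchoring and host parsing matter.  All URLs are
# constructed.
import re
from urllib.parse import urlsplit


class RedirectPolicy:
    def __init__(self, allowed_patterns):
        # Compile once.  fullmatch() (not search()) is what stops
        # "https://app.example.com.evil.example/" from satisfying a
        # pattern written for https://app.example.com.
        self._allowed = [re.compile(p) for p in allowed_patterns]

    def is_allowed(self, url: str) -> bool:
        # Control characters and spaces never belong in a Location header.
        if not url or any(ch in url for ch in "\r\n\x00\t "):
            return False
        if url.startswith("/"):
            # "//host" and "/\host" are scheme-relative references that
            # browsers resolve to another host; allow only a plain path.
            return len(url) == 1 or url[1] not in "/\\"
        parts = urlsplit(url)
        if parts.scheme.lower() not in ("http", "https"):
            return False          # javascript:, data:, custom schemes
        if not parts.netloc or "@" in parts.netloc or "\\" in parts.netloc:
            return False          # userinfo trick: https://app.example.com@evil.example/
        return any(rx.fullmatch(url) for rx in self._allowed)


def naive_is_allowed(url: str, allowed_patterns) -> bool:
    """The weak version: unanchored search, no URL parsing.  Kept for contrast."""
    return any(re.search(p, url) for p in allowed_patterns)


ALLOWED = [
    r"https://app\.example\.com(/.*)?",
    r"https://www\.example\.com/logged-out",
]
POLICY = RedirectPolicy(ALLOWED)

# Constructed probes: (url, expected verdict from the hardened check)
PROBES = [
    ("/",                                                   True),
    ("/account/settings",                                   True),
    ("https://app.example.com/",                            True),
    ("https://app.example.com/logged-out?from=rp2",         True),
    ("https://www.example.com/logged-out",                  True),
    ("//evil.example/",                                     False),  # network-path reference
    ("/\\evil.example/",                                    False),  # backslash variant
    ("https://app.example.com.evil.example/",               False),  # host suffix confusion
    ("https://app.example.com@evil.example/",               False),  # userinfo in authority
    ("https://evil.example/?next=https://app.example.com/", False),  # allowed URL embedded
    ("javascript:alert(document.domain)",                   False),
    ("https://app.example.com/\r\nSet-Cookie: x=1",         False),  # header injection
]


def evaluate():
    """Return {url: (hardened verdict, naive verdict)} for every probe."""
    return {url: (POLICY.is_allowed(url), naive_is_allowed(url, ALLOWED)) for url, _ in PROBES}


if __name__ == "__main__":
    results = evaluate()
    for url, expected in PROBES:
        hardened, naive = results[url]
        flag = "" if hardened == expected else "  <-- unexpected"
        print(f"{url!r:58} hardened={hardened!s:5} naive={naive!s:5}{flag}")
```

Running it shows the naive check accepting the suffix-confusion, userinfo and embedded-URL probes that the hardened one rejects. When writing patterns for a primitive like OIDCRedirectURLsAllowed, escape the dots and think of each pattern as having to cover the entire URL, otherwise "app.example.com" quietly also means "app.example.com.evil.example".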
Petr Gajdos (pgajdos) accepted request 739556 from Richard Brown (RBrownSUSE) (revision 14)
Remove obsolete Groups tag (fate#326485)
buildservice-autocommit accepted request 725544 from Petr Gajdos (pgajdos) (revision 13)
baserev update by copy to link target
Petr Gajdos (pgajdos) accepted request 725421 from Michael Ströder (stroeder) (revision 12)
update to 2.4.0
buildservice-autocommit accepted request 686338 from Petr Gajdos (pgajdos) (revision 11)
baserev update by copy to link target
Petr Gajdos (pgajdos) accepted request 684786 from Martin Hauke (mnhauke) (revision 10)
- Update to version 2.3.11
  Features
  * dynamically pass query params to the authorization request
    + using OIDCAuthRequestParams foo=# and/or OIDCPathAuthRequestParams foo=#
  * add session expiry info to session info hook response
    + session inactivity key is timeout now (was exp)
    + session expiry key is exp
  Other
  * allow compilation without memcache support on older platforms
    not providing apr_memcache.h
Displaying revisions 41 - 60 of 69