Revisions of apache2-mod_auth_openidc
Dominique Leuenberger (dimstar_suse) accepted request 831365 from Petr Gajdos (pgajdos) (revision 11)
- Update to version 2.4.4
  * Security
    - prevent XSS and open redirect on OIDC session management OP iframe, introducing generic OIDCRedirectURLsAllowed primitive; thanks Andrew Brady
    - add OIDCStateCookiePrefix primitive for the state cookie prefix to anonymise the state cookie name
  * Bugfixes
    - fix double Set-Cookie behaviour when using OIDCSessionType client-cookie, calling the session info hook and writing out a session update (twice); thanks @deisser
    - reverse order of creating HTML response and writing the (client-type) session cookie in the session info hook so the session data is actually saved; thanks @deisser
    - delete state cookie when it cannot be decoded/decrypted
    - avoid an Apache authorisation error and HTTP 500 when logout is triggered by a different RP
  * Features
    - add conditional expression to OIDCUnAuthAction to override auto-detection of non-browser requests; see #479; thanks @raro42 and @marcstern
  * Other
    - fixes for various compiler warnings/issues (older and newer versions of GCC)
    - add grant_types to dynamic client registration request [OIDC conformance test suite]
    - don't send access_token in user info request when method is set to POST [OIDC conformance test suite]
    - add recommended cache headers on backchannel logout response https://openid.net/specs/openid-connect-backchannel-1_0.html#rfc.section.2.8 [OIDC conformance test suite]
    - allow Content-Type check on backchannel logout to have postfixes (utf-8 etc.) [OIDC conformance test suite]
(forwarded request 831329 from stroeder)
Dominique Leuenberger (dimstar_suse) accepted request 825751 from Petr Gajdos (pgajdos) (revision 10)
- Update to version 2.4.3
  * Bugfixes
    - prevent open redirect on refresh token requests
    - add new OIDCRedirectURLsAllowed primitive to handle post logout and refresh-return-to validation addresses #453; closes #466
    - when stripping cookies, add a space between cookies in the resulting header (required by RFC 6265)
    - fix compilation against Apache 2.0
  * Features
    - add OIDCStateInputHeaders that allows configuring the header values used to calculate the fingerprint of the state during authentication
    - added OIDCValidateIssuer primitive to allow for disabling of issuer matching, helps to support multi-tenant applications i.e. Microsoft AAD
Dominique Leuenberger (dimstar_suse) accepted request 788232 from Petr Gajdos (pgajdos) (revision 9)
- Update to version 2.4.2.1
  Changes since 2.4.1:
  * oops: fix json_deep_copy of claims
  * fix memory leak in OAuth 2.0 JWT validation
  * fix configured private/public key cleanup on process exit
  * allow for expressions in Require statements, see #469
  * always refresh keys from jwks_uri when there is no kid in the JWT header
  * destroy shared memory segments only in parent process; see #458
  * fix memory leaks introduced by #457
  * if content was already returned via html/http send then don't return 500 but send 200 to avoid extraneous internal error document text to be sent on some Apache 2.4.x versions
  * if OIDCPublicKeyFiles contains a certificate, the corresponding x5c, x5t and x5t#256 parameters will be added to the generated jwkset available at "<redirect_uri>?jwks=rsa"
- fix: also add SameSite=None to by-value session cookies
- try to fix graceful restart crash; see #458
(forwarded request 788227 from mnhauke)
Dominique Leuenberger (dimstar_suse) accepted request 744159 from Petr Gajdos (pgajdos) (revision 7)
- Update to version 2.4.0.3
  Security
  * improve validation of the post-logout URL parameter on logout; thanks AIMOTO Norihito; closes #449 [bsc#1153666], [CVE-2019-14857]
  Bugfixes
  * changed storing POST params from localStorage to sessionStorage due to some issue of losing data in localStorage in Firefox (private mode); fixes #447 #441
(forwarded request 744137 from kstreitova)
Dominique Leuenberger (dimstar_suse) accepted request 725544 from Petr Gajdos (pgajdos) (revision 6)
update to 2.4.0 (forwarded request 725421 from stroeder)
Dominique Leuenberger (dimstar_suse) accepted request 686338 from Petr Gajdos (pgajdos) (revision 5)
- Update to version 2.3.11
  Features
  * dynamically pass query params to the authorization request
    + using OIDCAuthRequestParams foo=# and/or OIDCPathAuthRequestParams foo=#
  * add session expiry info to session info hook response
    + session inactivity key is timeout now (was exp)
    + session expiry key is exp
  Other
  * allow compilation without memcache support on older platforms not providing apr_memcache.h
(forwarded request 684786 from mnhauke)
Yuchen Lin (maxlin_factory) accepted request 677627 from Kristyna Streitova (kstreitova) (revision 4)
Dominique Leuenberger (dimstar_suse) accepted request 670308 from Kristyna Streitova (kstreitova) (revision 3)
Dominique Leuenberger (dimstar_suse) accepted request 653617 from Factory Maintainer (factory-maintainer) (revision 2)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 645516 from Kristyna Streitova (kstreitova) (revision 1)
It can probably be needed because of fate#323817 and fate#324447