Revisions of apache2-mod_auth_openidc

Dominique Leuenberger (dimstar_suse) accepted request 831365 from Petr Gajdos (pgajdos) (revision 11)
- Update to version 2.4.4
  * Security
    - prevent XSS and open redirect on OIDC session management OP iframe,
      introducing generic OIDCRedirectURLsAllowed primitive; thanks Andrew Brady
    - add OIDCStateCookiePrefix primitive for the state cookie prefix to anonymise the state cookie name
  * Bugfixes
    - fix double Set-Cookie behaviour when using OIDCSessionType client-cookie,
      calling the session info hook and writing out a session update (twice); thanks @deisser
    - reverse order of creating HTML response and writing the (client-type)
      session cookie in the session info hook so the session data is actually saved; thanks @deisser
    - delete state cookie when it cannot be decoded/decrypted
    - avoid an Apache authorisation error and HTTP 500 when logout is triggered by a different RP
  * Features
    - add conditional expression to OIDCUnAuthAction to override auto-detection of
      non-browser requests; see #479; thanks @raro42 and @marcstern
  * Other
    - fixes for various compiler warnings/issues (older and newer versions of GCC)
    - add grant_types to dynamic client registration request [OIDC conformance test suite]
    - don't send access_token in user info request when method is set to POST
      [OIDC conformance test suite]
    - add recommended cache headers on backchannel logout response
      https://openid.net/specs/openid-connect-backchannel-1_0.html#rfc.section.2.8 [OIDC conformance test suite]
    - allow Content-Type check on backchannel logout to have postfixes (utf-8 etc.) [OIDC conformance test suite] (forwarded request 831329 from stroeder)
Dominique Leuenberger (dimstar_suse) accepted request 825751 from Petr Gajdos (pgajdos) (revision 10)
- Update to version 2.4.3
  * Bugfixes
    - prevent open redirect on refresh token requests
    - add new OIDCRedirectURLsAllowed primitive to handle post logout
      and refresh-return-to validation
      addresses #453; closes #466
    - when stripping cookies, add a space between cookies in the resulting header (required by RFC 6265)
    - fix compilation against Apache 2.0
  * Features
    - add OIDCStateInputHeaders that allows configuring the header values
      used to calculate the fingerprint of the state during authentication
    - added OIDCValidateIssuer primitive to allow for disabling of issuer
      matching, helps to support multi-tenant applications i.e. Microsoft AAD
Dominique Leuenberger (dimstar_suse) accepted request 788232 from Petr Gajdos (pgajdos) (revision 9)
- Update to version 2.4.2.1
  Changes since 2.4.1:
  * oops: fix json_deep_copy of claims
  * fix memory leak in OAuth 2.0 JWT validation
  * fix configured private/public key cleanup on process exit
  * allow for expressions in Require statements, see #469
  * always refresh keys from jwks_uri when there is no kid in the
    JWT header
  * destroy shared memory segments only in parent process; see #458
  * fix memory leaks introduced by #457
  * if content was already returned via html/http send then don't
    return 500 but send 200 to avoid extraneous internal error
    document text to be sent on some Apache 2.4.x versions
  * if OIDCPublicKeyFiles contains a certificate, the corresponding
    x5c, x5t and x5t#256 parameters will be added to the generated
    jwkset available at "<redirect_uri>?jwks=rsa"
  - fix: also add SameSite=None to by-value session cookies
  - try to fix graceful restart crash; see #458 (forwarded request 788227 from mnhauke)
Dominique Leuenberger (dimstar_suse) accepted request 744159 from Petr Gajdos (pgajdos) (revision 7)
- Update to version 2.4.0.3
  Security
  * improve validation of the post-logout URL parameter on logout;
    thanks AIMOTO Norihito; closes #449
    [bsc#1153666], [CVE-2019-14857]
  Bugfixes
  * changed storing POST params from localStorage to sessionStorage
    due to some issue of losing data in localStorage in Firefox
    (private mode); fixes #447 #441 (forwarded request 744137 from kstreitova)
Dominique Leuenberger (dimstar_suse) accepted request 725544 from Petr Gajdos (pgajdos) (revision 6)
update to 2.4.0 (forwarded request 725421 from stroeder)
Dominique Leuenberger (dimstar_suse) accepted request 686338 from Petr Gajdos (pgajdos) (revision 5)
- Update to version 2.3.11
  Features
  * dynamically pass query params to the authorization request
    + using OIDCAuthRequestParams foo=# and/or OIDCPathAuthRequestParams foo=#
  * add session expiry info to session info hook response
    + session inactivity key is timeout now (was exp)
    + session expiry key is exp
  Other
  * allow compilation without memcache support on older platforms
    not providing apr_memcache.h (forwarded request 684786 from mnhauke)
Dominique Leuenberger (dimstar_suse) accepted request 653617 from Factory Maintainer (factory-maintainer) (revision 2)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 645516 from Kristyna Streitova (kstreitova) (revision 1)
It can probably be needed because of fate#323817 and fate#324447