release 2.4.17.1

Bugfixes

• metrics: avoid possible segfault after restart twice; thanks @atzm
• fix usage of OIDCSessionType client-cookie:persistent:store_id_token; see #1331; thanks @rgcv
• fix usage of OIDCPreservePostTemplates, regression in 2.4.17; see #1325; thanks @perry19987
• javascript: use HTMLFormElement.prototype.submit.call(document.forms[0]) on all Javascript
  auto-submit POST forms to prevent browser Javascript error: "form.submit is not a function"
  which would occur when an element (i.e. the submit button) in a HTML form has a name or id
  with a value "submit" and OIDCPreservePost is set to On

Features

• allow adding a prefix to the cache (section) key through environment variable OIDC_CACHE_PREFIX

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

The PGP key used to sign the RPM packages below:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEaEwIQBYJKwYBBAHaRw8BAQdAMhstLnHoehAQ8AOdLN6nl2RgJeUHCkRgKhDK
izSuJvO0HU9wZW5JREMgPHN1cHBvcnRAb3BlbmlkYy5jb20+iJMEExYKADsWIQT4
oHt962hwmgLKJBuu4XmyuPQSmgUCaEwIQAIbAwULCQgHAgIiAgYVCgkICwIEFgID
AQIeBwIXgAAKCRCu4XmyuPQSmgK/AP9LQGrmEvBia1vZNQc6OqPwhRN5TM5wdAmU
RrNK8hwEygEAj3Jeb3CfX9zJh5uJc25UgQxvyxtw+O4eOgmZgvVqpQA=
=aVmp
-----END PGP PUBLIC KEY BLOCK-----

release 2.4.17

Features

• proto: pass the scope parameter as returned from the token endpoint in the OIDC_scope header/environment variable and make it available for Require claim scope: purposes, if not available as a claim returned in the id_token or userinfo endpoint; thanks Amaury Buffet

Bugfixes

• metadata: fix parsing the OPs token_endpoint_auth_methods_supported and avoid the log error:
  oidc_metadata_provider_parse: oidc_provider_token_endpoint_auth_set: invalid value
  and falling back to client_secret_basic after that; thanks François Kooman
• fix memory leaks when using provider specific client keys and/or signed_jwks_uri_key in.a multi-provider setup; thanks Sami Korvonen
• allow for regular Apache processing (e.g. setting response/security headers) by deferring HTML/HTTP output generation to the content handler (instead of user id check handler) for the following use cases:
  • OIDCProviderAuthRequestMethod POST
  • OIDCPreservePost On (both internal and template-based)
  • POST page for the implicit grant type
  • Request URI handler
  • internally generated POST logout page
  • session management RP iframe
  • session management logout HTML top-window redirect page

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.11

Security

• request: fix protected content leakage when using OIDCProviderAuthRequestMethod POST; thanks @pjb1008; see:
  GHSA-59jp-rwph-878r

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.10

Bugfixes

• core: use case insensitive protocol/hostname/domain comparisons everywhere

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.9

Bugfixes

• cookie: use case insensitive hostname/domain comparison in oidc_check_cookie_domain
• authz: remove the Location header from HTML based step up authentication responses as it may conflict with its HTTP 200 status code and confuse middle boxes
• metrics: avoid double-free on shutdown by not calling pthread_exit; fixes #1207; thanks @studersi

Features

• metrics: write cached metrics into shared memory before exiting

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.8

Features

• metrics: add support for claim value counters in OIDCMetricsData, e.g.:
  OIDCMetricsData claim.id_token.amr claim.userinfo.gender
• metrics: do not reset Prometheus counters by default, only when explicitly specified
• metrics: reset to 0 in case of an integer overflow

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.7

Bugfixes

• config: fix OIDCProviderRevocationEndpoint (override) for values other than ""; closes #1301; thanks @tarteens
• config: add a configuration check for public/private keys when using DPoP; closes #1293; thanks @ahus1
• config: avoid NULL pointer dereferencing when no private keys have been configured
• http: avoid potentional memory leak on cURL handle if curl_easy_escape/curl_easy_unescape fails
• proto: correct the check for the optional token_type parameter returned from a token endpoint request
• util: avoid potential crash on non-conformant literal IPv6 addresses
• jose: prevent potential memory leaks when zlib compression (deflate) fails

Features

• add OIDCProfile to configure OpenID Connect profile behaviours e.g. FAPI20, see auth_openidc.conf
• http: report errors when curl_easy_setopt fails in outgoing HTTP requests

Other

• v2.4.16.7 is certified for the FAPI 2.0 Relying Party profiles, see: https://openid.net/certification/#FAPI2-RP .
• minor code changes all over the place to address issues reported by static code analysis software

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.6

Bugfixes

• metadata: fix caching of JWKs from jwks_uri when using the default expiry setting (i.e. not using OIDCJWKSRefreshInterval) and avoid fetching JWKs from the jwks_uri for each user login; also addresses Redis cache error entries the log [ERR invalid expire time in 'setex' command] (regression in 2.4.16-2.4.16.5)
• info: fix requests to the info hook with extend_session=false; see #1279; thanks @fnieri-cdp
  • properly reflect the (unmodified) inactivity timeout in the response (in thetimeout claim)
  • avoid refreshing an access token (since the session is not saved)
  • avoid refreshing claims from the user info endpoint, and possibly refreshing the access token
• cookie: OIDCCookieSameSite default behaviour Lax
• cookie: apply OIDCCookieSameSite Off/None properly to state cookies instead of always setting Lax
• cache: avoid segfault and improve error reporting in case apr_temp_dir_get fails when a temp directory cannot be found on the system upon initaliizing cache mutexes and the file cache; see #1288; thanks @ErmakovDmitriy

Features

• cookie: allow specific settings Strict|Lax|None|Disabled for OIDCCookieSameSite in addition to On(=Lax)|Off(=None)
  • re-introduces the option to configure a Strict SameSite session cookie policy, which will turn the initial Lax session cookie - set upon receving the response to the Redirect URI - into a Strict session cookie immediately after the first application request
  • cookie: allows for a Disabled value that does not set any SameSite flag on the cookies, in which case a browser falls back to its default browser behaviour (which should be Lax by spec)
• http: add option to set local address for outgoing HTTP requests; see #1283; thanks @studersi using e.g. SetEnvIfExpr true OIDC_CURL_INTERFACE=192.168.10.2

Other

• metadata: allow plain HTTP URLs in metadata elements jwks_uri and signed_jwks_uri to ensure backwards compatibility with <=2.4.15.7 and to support private/test deployments
• code: address warnings from static code analysis tool CodeChecker
• init: try and address metris cleanup segmentation fault on shutdown; see #1207 by not flushing metrics to the shared memory segment upon exit

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.5

Bugfixes

• add backwards compatibility with versions older than 2.4.16.x wrt. ID token aud claim validation:
  accept the ID token when our client_id is provided as one of the values in a JSON array of string values in the aud claim; required by (at least) Oracle IDCS see #1272 and #1273; thanks @lufik and @tydalforce
• add OIDCIDTokenAudValues configuration primitive that allows for explicit - and exhaustive - configuration of the list of accepted values in the aud claim of the ID token i.e. as required for passing FAPI 2 conformance testing

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.4

Bugfixes

• add the missing copy of the "x5t" claim in oidc_jwk_copy, which broke private_key_jwt authentication to Microsoft Entra ID / Azure AD since 2.4.13; see #1269; thanks @uoe-pjackson
• fix accepting custom cookie names in OIDCOAuthAcceptTokenAs cookie:<name>; regression in 2.4.16.1...2.4.16.3; see #1261; thanks @bbartke

Other

• change warnings about not passing unknown claim types into debug messages; see #1263; thanks @nclarkau
• use compact encoding and preserve claim order where appropriate for most cases of JSON/JWT serialization
• improve basic authentication parsing when using OIDCOAuthAcceptTokenAs basic

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]