Releases: OpenIDC/mod_auth_openidc

release 2.4.16.10

21 Mar 08:31

Bugfixes

  • core: use case insensitive protocol/hostname/domain comparisons everywhere

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
  • support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.9

19 Mar 10:23

Bugfixes

  • cookie: use case insensitive hostname/domain comparison in oidc_check_cookie_domain
  • authz: remove the Location header from HTML based step up authentication responses as it may conflict with its HTTP 200 status code and confuse middle boxes
  • metrics: avoid double-free on shutdown by not calling pthread_exit; fixes #1207; thanks @studersi

Features

  • metrics: write cached metrics into shared memory before exiting

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
  • support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.8

17 Feb 08:05

Features

  • metrics: add support for claim value counters in OIDCMetricsData, e.g.:
    OIDCMetricsData claim.id_token.amr claim.userinfo.gender
  • metrics: do not reset Prometheus counters by default, only when explicitly specified
  • metrics: reset to 0 in case of an integer overflow

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
  • support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.7

29 Jan 19:49

Bugfixes

  • config: fix OIDCProviderRevocationEndpoint (override) for values other than ""; closes #1301; thanks @tarteens
  • config: add a configuration check for public/private keys when using DPoP; closes #1293; thanks @ahus1
  • config: avoid NULL pointer dereferencing when no private keys have been configured
  • http: avoid a potential memory leak on the cURL handle if curl_easy_escape/curl_easy_unescape fails
  • proto: correct the check for the optional token_type parameter returned from a token endpoint request
  • util: avoid potential crash on non-conformant literal IPv6 addresses
  • jose: prevent potential memory leaks when zlib compression (deflate) fails

Features

  • add OIDCProfile to configure OpenID Connect profile behaviours e.g. FAPI20, see auth_openidc.conf
  • http: report errors when curl_easy_setopt fails in outgoing HTTP requests

Other

  • v2.4.16.7 is certified for the FAPI 2.0 Relying Party profiles, see: https://openid.net/certification/#FAPI2-RP
  • minor code changes all over the place to address issues reported by static code analysis software

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
  • support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.6

09 Dec 06:11

Bugfixes

  • metadata: fix caching of JWKs from jwks_uri when using the default expiry setting (i.e. not using OIDCJWKSRefreshInterval) and avoid fetching JWKs from the jwks_uri for each user login; also addresses Redis cache error entries in the log [ERR invalid expire time in 'setex' command] (regression in 2.4.16-2.4.16.5)
  • info: fix requests to the info hook with extend_session=false; see #1279; thanks @fnieri-cdp
    • properly reflect the (unmodified) inactivity timeout in the response (in the timeout claim)
    • avoid refreshing an access token (since the session is not saved)
    • avoid refreshing claims from the user info endpoint, and possibly refreshing the access token
  • cookie: make Lax the default behaviour of OIDCCookieSameSite
  • cookie: apply OIDCCookieSameSite Off/None properly to state cookies instead of always setting Lax
  • cache: avoid a segfault and improve error reporting in case apr_temp_dir_get fails because no temp directory can be found on the system when initializing cache mutexes and the file cache; see #1288; thanks @ErmakovDmitriy

Features

  • cookie: allow specific settings Strict|Lax|None|Disabled for OIDCCookieSameSite in addition to On(=Lax)|Off(=None)
    • re-introduces the option to configure a Strict SameSite session cookie policy, which turns the initial Lax session cookie - set upon receiving the response to the Redirect URI - into a Strict session cookie immediately after the first application request
    • allows for a Disabled value that does not set any SameSite flag on the cookies, in which case a browser falls back to its default behaviour (which should be Lax by spec)
  • http: add an option to set the local address for outgoing HTTP requests, configured using e.g. SetEnvIfExpr true OIDC_CURL_INTERFACE=192.168.10.2; see #1283; thanks @studersi

Other

  • metadata: allow plain HTTP URLs in metadata elements jwks_uri and signed_jwks_uri to ensure backwards compatibility with <=2.4.15.7 and to support private/test deployments
  • code: address warnings from static code analysis tool CodeChecker
  • init: try to address the metrics cleanup segmentation fault on shutdown by not flushing metrics to the shared memory segment upon exit; see #1207

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
  • support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.5

16 Oct 07:44

Bugfixes

  • add backwards compatibility with versions older than 2.4.16.x with respect to ID token aud claim validation:
    accept the ID token when our client_id is provided as one of the values in a JSON array of string values in the aud claim; required by (at least) Oracle IDCS; see #1272 and #1273; thanks @lufik and @tydalforce
  • add OIDCIDTokenAudValues configuration primitive that allows for explicit - and exhaustive - configuration of the list of accepted values in the aud claim of the ID token i.e. as required for passing FAPI 2 conformance testing
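The two aud-claim policies described in the bullets above, written out as an added illustration that is not mod_auth_openidc's own code: the backwards-compatible check accepts the ID token when our client_id equals a string aud or is one of the strings in an array aud, while the explicit policy (the idea behind OIDCIDTokenAudValues) rejects the token unless every aud value is in the configured list. The function names, the policy argument and the sample payloads are assumptions constructed for this example.

```python
"""Illustrative ID-token "aud" claim validation (added example, not the module's code).

Policies, mirroring the release notes:
  * default: accept when our client_id is the aud string, or one of the
    strings in a JSON array aud (the pre-2.4.16 compatible behaviour);
  * explicit: an exhaustive list of accepted values; every value present in
    aud must be in that list (what OIDCIDTokenAudValues configures).
Function and parameter names are assumptions for this example.
"""
import json


def _aud_as_list(aud):
    # RFC 7519 allows "aud" to be a single StringOrURI or a non-empty array of them;
    # anything else (missing, empty, non-string elements) is treated as invalid.
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return list(aud)
    return None


def aud_is_valid(claims, client_id, accepted_values=None):
    """Return True when the decoded ID token payload's "aud" claim is acceptable.

    claims          : decoded JWT payload as a dict
    client_id       : our registered client_id at the Provider
    accepted_values : optional exhaustive list of accepted aud values; when
                      given, every aud entry must appear in it (fail closed)
    """
    values = _aud_as_list(claims.get("aud"))
    if values is None:
        return False
    if accepted_values is not None:
        allowed = set(accepted_values)
        return all(v in allowed for v in values)
    # backwards-compatible policy: our client_id must be among the audiences
    return client_id in values


# Constructed sample payloads (not real tokens): the shapes a Relying Party sees.
SAMPLE_PAYLOADS = {
    "single_string": '{"iss": "https://op.example", "aud": "my-client"}',
    "array_with_us": '{"iss": "https://op.example", "aud": ["my-client", "other-api"]}',
    "array_without_us": '{"iss": "https://op.example", "aud": ["other-api"]}',
    "missing_aud": '{"iss": "https://op.example"}',
    "malformed_aud": '{"iss": "https://op.example", "aud": [42]}',
}


def check_samples(client_id="my-client", accepted_values=None):
    """Run every sample payload through aud_is_valid and return name -> bool."""
    return {
        name: aud_is_valid(json.loads(payload), client_id, accepted_values)
        for name, payload in SAMPLE_PAYLOADS.items()
    }


if __name__ == "__main__":
    for policy, accepted in (("default", None), ("explicit", ["my-client"])):
        print(policy, check_samples(accepted_values=accepted))
```

Under the default policy the array-with-us payload is accepted (the Oracle IDCS case from the notes), while under the explicit list ["my-client"] it is rejected because "other-api" is not an accepted value, which is the stricter behaviour FAPI 2 conformance testing expects.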

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
  • support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.4

29 Sep 06:18

Bugfixes

  • add the missing copy of the "x5t" claim in oidc_jwk_copy, which broke private_key_jwt authentication to Microsoft Entra ID / Azure AD since 2.4.13; see #1269; thanks @uoe-pjackson
  • fix accepting custom cookie names in OIDCOAuthAcceptTokenAs cookie:<name>; regression in 2.4.16.1...2.4.16.3; see #1261; thanks @bbartke

Other

  • change warnings about not passing unknown claim types into debug messages; see #1263; thanks @nclarkau
  • use compact encoding and preserve claim order where appropriate for most cases of JSON/JWT serialization
  • improve basic authentication parsing when using OIDCOAuthAcceptTokenAs basic

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
  • support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.3

06 Sep 16:28

Bugfixes

  • fix segfault in child process initialization routine when using Redis and/or Metrics settings in vhosts; closes #1208; thanks @studersi and Brent van Laere
  • fix OIDCCacheShmMax min/max settings; see #1260; thanks @bbartke
  • allow overriding globally set OIDCCacheType back to shm in individual vhosts

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
  • support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.2

30 Aug 10:59

Note that a custom OIDCCacheShmMax setting cannot be configured with this release.

Bugfixes

  • fix regressions from the configuration rewrite in 2.4.16/2.4.16.1
  • re-introduce OIDCSessionMaxDuration 0; see #1252; thanks @amitmun
  • improve resilience in case both Forwarded and X-Forwarded-* headers are configured and only X-Forwarded-* is passed in

Other

  • remove support for OIDCHTMLErrorTemplate, deprecated since 2.4.14

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

release 2.4.16.1

26 Aug 15:03

Note that OIDCPKCEMethod none, OIDCSessionMaxDuration 0, OIDCCacheShmMax and OIDCStateCookiePrefix cannot be used in this release, see: #1256, #1252, #1260 and #1254 respectively.

Security

  • disable support for the RSA PKCS v1.5 JWE/JWT encryption algorithm as it is considered insecure due to the Marvin attack; it is removed from libcjose >= 0.6.2.3 as well; see GHSA-6x73-979p-x9jr

Features

  • add Relying Party support for the FAPI 2.0 Security Profile (OpenID Financial-grade API v2.0)
  • add Relying Party support for RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)
    configured through the OIDCDPoPMode [off|optional|required] primitive (dpop_mode in the .conf file in multi-OP setups)
  • add support for RFC 9126 OAuth 2.0 Pushed Authorization Requests
    configured through OIDCProviderPushedAuthorizationRequestEndpoint and OIDCProviderAuthRequestMethod PAR
  • add the nbf claim to the Request Object
  • store the token_type in the session and make it available on the info hook together with the access_token
  • replace multi-provider .conf issuer_specific_redirect_uri boolean with response_require_iss boolean
    to require the Provider to pass the iss value in authorization responses, mitigating the OP mixup attack
  • return HTTP 502 when refreshing the access token or userinfo fails (default: 502_on_error)
  • add support for OIDCOAuthIntrospectionEndpointKeyPassword, i.e. to configure a password for accessing the private key file used for OAuth 2.0 token introspection
  • when an expression is configured for OIDCUnAuthAction (i.e. in the 2nd argument), also apply it to OIDCUnAutzAction so that it can be used to enable step-up authentication for SPAs with non-conformant browsers (some versions of Safari) and in (potentially insecure) iframes; see #1205; thanks @ryanwilliamnicholls

Bugfixes

  • allow overriding defined global configuration primitives to their default value on the individual vhost level
  • various fixes to applying default config values and disallowing global/vhost primitives in directory scopes
  • apply input/boundary checking on all configuration and multi-provider metadata values
  • memcache: correct dead server check on APR_NOTFOUND; see #1230; thanks @rpluem-vf
  • tighten up the aud claim validation for received ID tokens

Other

  • version 2.4.1.6 successfully runs against the OpenID Certification test suite for the OIDC RP and FAPI2 RP profiles
  • packages for the recent Ubuntu Noble stable release are added to the Assets section below

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]