| Name: apache2-mod_auth_openidc | Distribution: openSUSE Tumbleweed |
| Version: 2.4.19.1 | Vendor: openSUSE |
| Release: 2.2 | Build date: Tue Feb 17 14:36:48 2026 |
| Group: Productivity/Networking/Web/Servers | Build host: reproducible |
| Size: 874483 | Source RPM: apache2-mod_auth_openidc-2.4.19.1-2.2.src.rpm |
| Packager: http://bugs.opensuse.org | |
| Url: https://github.com/zmartzone/mod_auth_openidc/ | |
| Summary: Apache2.x module for an OpenID Connect enabled Identity Provider | |
This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Apache-2.0
* Tue Feb 17 2026 Petr Gajdos <pgajdos@suse.com>
- run the testsuite (make check)
* Tue Feb 10 2026 Petr Gajdos <pgajdos@suse.com>
- version update to 2.4.19.1
* backwards incompatible session format so existing sessions (created by versions
<=2.4.18.x) are invalid
* oauth: fix segfault when using OIDCOAuthVerifySharedKeys, regression since 2.4.16; closes #1373
* jwk: fix parsing RSA JWKs with only an x5c parameter (i.e. no n and e parameters)
- version update to 2.4.19
* cookie: support individual SameSite cookie settings on the session cookie, state cookie
and Discovery CSRF cookie by adding 2 more arguments to OIDCCookieSameSite
* id_token: add off option to OIDCPassIDTokenAs so no claims from the ID token will be passed on
* passphrase: generate a crypto key when OIDCCryptoPassphrase is not set
* note that the OIDCCryptoPassphrase does need to be configured statically if you want sessions
to survive server restarts, or for a cluster that shares a session storage backend
* metadata: avoid double-free when validation of provider metadata fails
* response: avoid proto state memory leaks upon errors in response processing
* util/key.c: check for unsupported symmetric key hashing algorithms and avoid a memory
leak in such cases
* session: remove expired session from cache with oidc_session_kill instead of just clearing it
* memory: rewrite pconf pool memory allocation handling to avoid increasing memory (pool)
consumption over graceful restarts
* drop support for Apache 2.2
* redis: use SET..EX %d when storing cached data instead of the deprecated SETEX
* session/cookie: save 20-40 bytes on the session and client-cookie size
* request: set the OIDC_ERROR variables when PAR is configured but not enabled by the Provider
* code: avoid compiler warnings on curl_easy_setopt in http.c
* test: add more unit tests in test/test_*.c and migrate proto tests from test.c
* Tue Sep 09 2025 pgajdos@suse.com
- version update to 2.4.18
* add Valgrind target to Makefile and to Github Build action
* release 2.4.18
* revise test/check and code coverage functions
* revise autoconf/automake, split over subdirs now
* add tests for memcache TTL
* fix check OIDC_CONFIG_POS_TIMEOUT_UNSET for memcache TTL getter; #1345
* bump to 2.4.18dev
* fix parsing the value set via OIDCMemCacheConnectionsTTL and interpret it in
seconds correctly now (instead of microseconds); see #1345; thanks @rpluem
* use the server process pool for static variable allocation rather than the pconf pool
to prevent possible segmentation faults after (graceful) restarting the same process
* Tue Jun 24 2025 pgajdos@suse.com
- version update to 2.4.17.1
* fix usage of OIDCSessionType client-cookie:persistent:store_id_token; see #1331; thanks @rgcv
* fix usage of OIDCPreservePostTemplates, regression in 2.4.17; see #1325; thanks @perry19987
* javascript: use HTMLFormElement.prototype.submit.call(document.forms[0]) on all Javascript
auto-submit POST forms to prevent browser Javascript error: "form.submit is not a function"
* metrics: avoid possible segfault after restart twice; thanks @atzm
* code: refactor util.c into util/ directory
* allow adding a prefix to the cache (section) key through environment variable OIDC_CACHE_PREFIX
* Mon Jun 02 2025 pgajdos@suse.com
- build with hiredis for openSUSE only [bsc#1243922]
* Wed Apr 30 2025 pgajdos@suse.com
- version update to 2.4.17
* Features
- proto: pass the scope parameter as returned from the token endpoint in the OIDC_scope
header/environment variable and make it available for Require claim scope: purposes,
if not available as a claim returned in the id_token or userinfo endpoint; thanks Amaury Buffet
* Bugfixes
- metadata: fix parsing the OPs token_endpoint_auth_methods_supported and avoid the log error:
- oidc_metadata_provider_parse: oidc_provider_token_endpoint_auth_set: invalid value
and falling back to client_secret_basic after that; thanks François Kooman
- fix memory leaks when using provider specific client keys and/or signed_jwks_uri_key in a
multi-provider setup; thanks Sami Korvonen
- allow for regular Apache processing (e.g. setting response/security headers) by deferring HTML/HTTP
output generation to the content handler (instead of user id check handler) for the following use cases:
OIDCProviderAuthRequestMethod POST
OIDCPreservePost On (both internal and template-based)
POST page for the implicit grant type
Request URI handler
internally generated POST logout page
session management RP iframe
session management logout HTML top-window redirect page
* Tue Apr 08 2025 pgajdos@suse.com
- version update to 2.4.16.11 (CVE-2025-31492 [bsc#1240893])
- fix protected content leakage when using OIDCProviderAuthRequestMethod POST, see:
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r
- allow for regular Apache processing (e.g. setting response headers) when using OIDCProviderAuthRequestMethod POST
- core: complete case-insensitive protocol/hostname/domain-name comparisons
2.4.16.10
- core: compare hostnames and domains in a case insensitive way in:
oidc_request_check_cookie_domain
oidc_util_cookie_domain_valid
oidc_validate_redirect_url
oidc_cfg_parse_is_valid_url_scheme
oidc_discovery_target_link_uri_match
- cookie: fix oidc_util_cookie_domain_valid so that it checks the incoming request against OIDCCookieDomain
rather than the OIDCRedirectURI and displays the correct error message if they don't match
2.4.16.9
- cookie: use case insensitive hostname/domain comparison in oidc_check_cookie_domain
- authz: remove the Location header from HTML based step up authentication redirects
as it may conflict with its HTTP 200 status code and confuse middle boxes
- metrics: avoid double-free on shutdown by not calling pthread_exit; fixes #1207; thanks @studersi
- metrics: upon exit, do write cached metrics into shared memory before exiting
* Fri Mar 14 2025 Andreas Stieger <andreas.stieger@gmx.de>
- update to 2.4.16.8:
* add support for claim value counters in OIDCMetricsData
* do not reset Prometheus counters by default, only when
explicitly specified
* metrics: reset to 0 in case of an integer overflow
- build with pcre2
* Mon Feb 10 2025 pgajdos@suse.com
- version update to 2.4.16.7
01/29/2025
- add OIDCProfile to configure OpenID Connect profile behaviours for, so far "FAPI20" only, which configures:
Authentication Request method, DPoP, PKCE, ID token aud values requirements
token endpoint JWT authentication "aud" values, "iss" parameter requirement in authentication responses
* Wed Dec 11 2024 pgajdos@suse.com
- version update to 2.4.16.6
12/05/2024
- metadata: fix caching of JWKs from jwks_uri when using the default expiry setting (i.e. not using OIDCJWKSRefreshInterval)
and avoid fetching JWKs from the jwks_uri for each user login; also addresses Redis cache
error entries the log [ERR invalid expire time in 'setex' command]
- avoid segfault and improve error reporting in case apr_temp_dir_get fails when a temp directory cannot be found
on the system upon initializing cache mutexes and file cache; see #1288; thanks @ErmakovDmitriy
11/21/2024
- add option to set local address for outgoing HTTP requests; see #1283; thanks @studersi
using e.g. SetEnvIfExpr true OIDC_CURL_INTERFACE=192.168.10.2
- try and address metrics cleanup segmentation fault on shutdown; see #1207
by not flushing metrics to the shared memory segment upon exit
11/14/2024
- allow specific settings Strict|Lax|None|Disabled for OIDCCookieSameSite in addition to On(=Lax)|Off(=None)
- fix: default behaviour Lax
- fix: apply OIDCCookieSameSite Off/None properly to state cookies instead of always setting Lax
- re-introduces the option to configure a Strict SameSite session cookie policy, which will turn the initial
Lax session cookie - set upon receiving the response to the Redirect URI - into a Strict session cookie
immediately after the first application request
- allows for a "Disabled" value that does not set any SameSite flag on the cookies, in which case a browser
falls back to its default browser behaviour (which should be Lax by spec)
11/07/2024
- info: fix requests to the info hook with extend_session=false; see #1279; thanks @fnieri-cdp
- properly reflect the (unmodified) inactivity timeout in the response ("timeout")
- avoid refreshing an access token (since the session is not saved)
- avoid refreshing claims from the user info endpoint, and possibly refreshing the access token
10/23/2024
- metadata: allow plain HTTP URLs in metadata elements `jwks_uri` and `signed_jwks_uri`
to ensure backwards compatibility with <=2.4.15.7 and to support private/test deployments
10/22/2024
- address warnings from static code analysis tool CodeChecker
10/04/2024
- ensure backwards compatibility with versions <2.4.16.x when a JSON array of string values
is provided in the "aud" claim of the ID token; required by (at least) Oracle IDCS
see #1272 and #1273; thanks @lufik and @tydalforce
- add OIDCIDTokenAudValues configuration primitive that allows for explicit (and exhaustive)
configuration of the list of accepted values in the "aud" claim of the ID token
e.g. as required for passing FAPI 2 conformance testing
09/27/2024
- correct usage of free() for json_dumps return values instead of cjose_get_dealloc()()
- use compact encoding and preserve order where appropriate for most calls to json_dumps
- replace json_dumps/free combos with oidc_util_encode_json
- refactor oidc_jwk_to_json
09/26/2024
- fix oidc_jwk_copy wrt. "x5t", which broke private_key_jwt authentication to Azure AD since 2.4.13
see #1269; thanks @uoe-pjackson
09/21/2024
- refactor state and userinfo
09/11/2024
- change warnings about not passing unknown claim types into debug messages; see #1263; thanks @nclarkau
09/09/2024
- fix accepting custom cookie names in OIDCOAuthAcceptTokenAs cookie:<name>; see #1261; thanks @bbartke
- improve basic authentication parsing when using OIDCOAuthAcceptTokenAs basic
* Tue Sep 17 2024 pgajdos@suse.com
- version update to 2.4.16.3
09/06/2024
- allow overriding globally set OIDCCacheType back to shm in vhosts
- correct typo in child initialization routines when using multiple vhosts; closes #1208; thanks @studersi
this fixes possible segmentation faults when using Redis and Metrics settings in vhosts
09/05/2024
- fix OIDCCacheShmMax min/max settings; see #1260; thanks @bbartke
08/29/2024
- fix setting OIDCPKCEMethod none; closes #1256; thanks @eoliphan
08/28/2024
- re-introduce OIDCSessionMaxDuration 0; see #1252
- add some resilience when both Forwarded and X-Forwarded-* are configured
- fix disabled OIDCStateCookiePrefix command; closes #1254; thanks @damisanet
- remove support for OIDCHTMLErrorTemplate, deprecated since 2.4.14
08/26/2024
- fix parsing OIDCXForwardedHeaders; closes #1250; thanks @maltesmann
07/03/2024
- cfg/provider: use oidc_jwk_list_copy when merging client_keys
06/18/2024
- memcache: correct dead server check on APR_NOTFOUND; see #1230; thanks @rpluem-vf
06/08/2024
- support DPoP nonces to the userinfo endpoint
06/06/2024
- add OIDCDPoPMode [off|optional|required] primitive
- store the token_type in the session
06/05/2024
- add "nbf" claim in the Request Object as per https://openid.net/specs/openid-financial-api-part-2-1_0-final.html#rfc.section.5.2.2
06/04/2024
- add (client) support for RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)
- replace multi-provider .conf "issuer_specific_redirect_uri" boolean with "response_require_iss" boolean
- tighten up the "aud" claim validation in ID tokens
- add support for the FAPI 2.0 Security Profile https://openid.net/specs/fapi-2_0-security-profile-ID2.html
05/30/2024
- add support for RFC 9126 OAuth 2.0 Pushed Authorization Requests
04/23/2024
- disable support for the RSA PKCS v1.5 JWE encryption algorithm as it is deemed unsafe
due to the Marvin attack and is removed from libcjose as well
04/05/2024
- add debug printout for OIDCUnAuthAction expression evaluation
04/03/2024
- when an expression is configured for OIDCUnAuthAction (i.e. in the 2nd argument), also apply
it to OIDCUnAutzAction so that it can be used to enable step-up authentication for SPAs with
non-conformant browsers (some versions of Safari) and in (potentially insecure) iframes
see #1205; thanks @ryanwilliamnicholls
04/02/2024
- major rewrite of config primitive handling:
- split out over different files, use header files consistently
- encapsulate config record with getters/setters
- allow overriding defined global configuration primitives to their default value on the individual vhost level
- apply input/boundary checking on all configuration values, shared with provider metadata parsing
- various fixes to applying default config values and allowing primitives in vhost/directory scopes
- return HTTP 502 when refreshing access token or userinfo fails (default: "502_on_error")
- use a singleton token refresh mutex
- add support for OIDCOAuthIntrospectionEndpointKeyPassword
- bump to 2.4.16dev
04/01/2024
- release 2.4.15.7
03/29/2024
- fix OIDCUserInfoRefreshInterval, interval seconds would be interpreted as microseconds
* Mon Mar 25 2024 pgajdos@suse.com
- version update to 2.4.15.6
03/14/2024
- fix userinfo refresh interval parsing; closes #1200; thanks @HolgerHees
avoid refreshing userinfo on each request until access token expiry
- store interval as JSON integer in session
- use SameSite=Lax when OIDCCookieSameSite is On (also by default) instead of
Strict as overriding from Lax to Strict does not work reliably anymore (Chrome)
- release 2.4.15.6
03/13/2024
- fix compilation without libhiredis; closes #1195 ; thanks @HolgerHees
conditionally define oidc_set_redis_connect_timeout
- fix `OIDCPassClaimsAs environment` bug introduced in 2.4.15.4; see #1196; thanks @HolgerHees
- release 2.4.15.5
03/12/2024
- release 2.4.15.4
- fix setting the default PKCE method to "none" in a multi-provider setup
* Fri Feb 16 2024 Danilo Spinella <danilo.spinella@suse.com>
- Update to 2.4.15.3:
* for the complete list of changes, please have a look at ChangeLog
- Fix CVE-2024-24814, DoS when `OIDCSessionType client-cookie` is set
and a crafted Cookie header is supplied, bsc#1219911
* Thu Nov 30 2023 Danilo Spinella <danilo.spinella@suse.com>
- update to 2.4.14.4:
* for the complete list of changes, please have a look at ChangeLog
/usr/lib64/apache2/mod_auth_openidc.so
/usr/share/doc/packages/apache2-mod_auth_openidc
/usr/share/doc/packages/apache2-mod_auth_openidc/AUTHORS
/usr/share/doc/packages/apache2-mod_auth_openidc/ChangeLog
/usr/share/doc/packages/apache2-mod_auth_openidc/README.md
/usr/share/doc/packages/apache2-mod_auth_openidc/auth_openidc.conf
/usr/share/licenses/apache2-mod_auth_openidc
/usr/share/licenses/apache2-mod_auth_openidc/LICENSE.txt
Generated by rpm2html 1.8.1
Fabrice Bellet, Thu Apr 2 23:20:53 2026