Name: apache2-mod_auth_openidc
Distribution: openSUSE Tumbleweed
Version: 2.4.16.6
Vendor: openSUSE
Release: 1.1
Build date: Wed Dec 11 14:55:46 2024
Group: Productivity/Networking/Web/Servers
Build host: reproducible
Size: 879536
Source RPM: apache2-mod_auth_openidc-2.4.16.6-1.1.src.rpm
Packager: http://bugs.opensuse.org
Url: https://github.com/zmartzone/mod_auth_openidc/
Summary: Apache2.x module for an OpenID Connect enabled Identity Provider
This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
License: Apache-2.0
Changelog:

* Wed Dec 11 2024 pgajdos@suse.com
- version update to 2.4.16.6
  12/05/2024
  - metadata: fix caching of JWKs from jwks_uri when using the default expiry setting (i.e. not using OIDCJWKSRefreshInterval) and avoid fetching JWKs from the jwks_uri for each user login; also addresses Redis cache error entries in the log [ERR invalid expire time in 'setex' command]
  - avoid segfault and improve error reporting in case apr_temp_dir_get fails when a temp directory cannot be found on the system upon initializing cache mutexes and file cache; see #1288; thanks @ErmakovDmitriy
  11/21/2024
  - add option to set local address for outgoing HTTP requests; see #1283; thanks @studersi
    using e.g. SetEnvIfExpr true OIDC_CURL_INTERFACE=192.168.10.2
  - try and address metrics cleanup segmentation fault on shutdown; see #1207 by not flushing metrics to the shared memory segment upon exit
  11/14/2024
  - allow specific settings Strict|Lax|None|Disabled for OIDCCookieSameSite in addition to On(=Lax)|Off(=None)
  - fix: default behaviour Lax
  - fix: apply OIDCCookieSameSite Off/None properly to state cookies instead of always setting Lax
  - re-introduces the option to configure a Strict SameSite session cookie policy, which will turn the initial Lax session cookie (set upon receiving the response to the Redirect URI) into a Strict session cookie immediately after the first application request
  - allows for a "Disabled" value that does not set any SameSite flag on the cookies, in which case a browser falls back to its default browser behaviour (which should be Lax by spec)
  11/07/2024
  - info: fix requests to the info hook with extend_session=false; see #1279; thanks @fnieri-cdp
  - properly reflect the (unmodified) inactivity timeout in the response ("timeout")
  - avoid refreshing an access token (since the session is not saved)
  - avoid refreshing claims from the user info endpoint, and possibly refreshing the access token
  10/23/2024
  - metadata: allow plain HTTP URLs in metadata elements `jwks_uri` and `signed_jwks_uri` to ensure backwards compatibility with <=2.4.15.7 and to support private/test deployments
  10/22/2024
  - address warnings from static code analysis tool CodeChecker
  10/04/2024
  - ensure backwards compatibility with versions <2.4.16.x when a JSON array of string values is provided in the "aud" claim of the ID token; required by (at least) Oracle IDCS; see #1272 and #1273; thanks @lufik and @tydalforce
  - add OIDCIDTokenAudValues configuration primitive that allows for explicit (and exhaustive) configuration of the list of accepted values in the "aud" claim of the ID token, e.g. as required for passing FAPI 2 conformance testing
  09/27/2024
  - correct usage of free() for json_dumps return values instead of cjose_get_dealloc()()
  - use compact encoding and preserve order where appropriate for most calls to json_dumps
  - replace json_dumps/free combos with oidc_util_encode_json
  - refactor oidc_jwk_to_json
  09/26/2024
  - fix oidc_jwk_copy wrt. "x5t", which broke private_key_jwt authentication to Azure AD since 2.4.13; see #1269; thanks @uoe-pjackson
  09/21/2024
  - refactor state and userinfo
  09/11/2024
  - change warnings about not passing unknown claim types into debug messages; see #1263; thanks @nclarkau
  09/09/2024
  - fix accepting custom cookie names in OIDCOAuthAcceptTokenAs cookie:<name>; see #1261; thanks @bbartke
  - improve basic authentication parsing when using OIDCOAuthAcceptTokenAs basic

* Tue Sep 17 2024 pgajdos@suse.com
- version update to 2.4.16.3
  09/06/2024
  - allow overriding globally set OIDCCacheType back to shm in vhosts
  - correct typo in child initialization routines when using multiple vhosts; closes #1208; thanks @studersi
    this fixes possible segmentation faults when using Redis and Metrics settings in vhosts
  09/05/2024
  - fix OIDCCacheShmMax min/max settings; see #1260; thanks @bbartke
  08/29/2024
  - fix setting OIDCPKCEMethod none; closes #1256; thanks @eoliphan
  08/28/2024
  - re-introduce OIDCSessionMaxDuration 0; see #1252
  - add some resilience when both Forwarded and X-Forwarded-* are configured
  - fix disabled OIDCStateCookiePrefix command; closes #1254; thanks @damisanet
  - remove support for OIDCHTMLErrorTemplate, deprecated since 2.4.14
  08/26/2024
  - fix parsing OIDCXForwardedHeaders; closes #1250; thanks @maltesmann
  07/03/2024
  - cfg/provider: use oidc_jwk_list_copy when merging client_keys
  06/18/2024
  - memcache: correct dead server check on APR_NOTFOUND; see #1230; thanks @rpluem-vf
  06/08/2024
  - support DPoP nonces to the userinfo endpoint
  06/06/2024
  - add OIDCDPoPMode [off|optional|required] primitive
  - store the token_type in the session
  06/05/2024
  - add "nbf" claim in the Request Object as per https://openid.net/specs/openid-financial-api-part-2-1_0-final.html#rfc.section.5.2.2
  06/04/2024
  - add (client) support for RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)
  - replace multi-provider .conf "issuer_specific_redirect_uri" boolean with "response_require_iss" boolean
  - tighten up the "aud" claim validation in ID tokens
  - add support for the FAPI 2.0 Security Profile https://openid.net/specs/fapi-2_0-security-profile-ID2.html
  05/30/2024
  - add support for RFC 9126 OAuth 2.0 Pushed Authorization Requests
  04/23/2024
  - disable support for the RSA PKCS v1.5 JWE encryption algorithm as it is deemed unsafe due to the Marvin attack and is removed from libcjose as well
  04/05/2024
  - add debug printout for OIDCUnAuthAction expression evaluation
  04/03/2024
  - when an expression is configured for OIDCUnAuthAction (i.e. in the 2nd argument), also apply it to OIDCUnAutzAction so that it can be used to enable step-up authentication for SPAs with non-conformant browsers (some versions of Safari) and in (potentially insecure) iframes; see #1205; thanks @ryanwilliamnicholls
  04/02/2024
  - major rewrite of config primitive handling:
    - split out over different files, use header files consistently
    - encapsulate config record with getters/setters
    - allow overriding defined global configuration primitives to their default value on the individual vhost level
    - apply input/boundary checking on all configuration values, shared with provider metadata parsing
    - various fixes to applying default config values and allowing primitives in vhost/directory scopes
  - return HTTP 502 when refreshing access token or userinfo fails (default: "502_on_error")
  - use a singleton token refresh mutex
  - add support for OIDCOAuthIntrospectionEndpointKeyPassword
  - bump to 2.4.16dev
  04/01/2024
  - release 2.4.15.7
  03/29/2024
  - fix OIDCUserInfoRefreshInterval, interval seconds would be interpreted as microseconds

* Mon Mar 25 2024 pgajdos@suse.com
- version update to 2.4.15.6
  03/14/2024
  - fix userinfo refresh interval parsing; closes #1200; thanks @HolgerHees
    avoid refreshing userinfo on each request until access token expiry
  - store interval as JSON integer in session
  - use SameSite=Lax when OIDCCookieSameSite is On (also by default) instead of Strict as overriding from Lax to Strict does not work reliably anymore (Chrome)
  - release 2.4.15.6
  03/13/2024
  - fix compilation without libhiredis; closes #1195; thanks @HolgerHees
    conditionally define oidc_set_redis_connect_timeout
  - fix `OIDCPassClaimsAs environment` bug introduced in 2.4.15.4; see #1196; thanks @HolgerHees
  - release 2.4.15.5
  03/12/2024
  - release 2.4.15.4
  - fix setting the default PKCE method to "none" in a multi-provider setup

* Fri Feb 16 2024 Danilo Spinella <danilo.spinella@suse.com>
- Update to 2.4.15.3:
  * for the complete list of changes, please have a look at ChangeLog
- Fix CVE-2024-24814, DoS when `OIDCSessionType client-cookie` is set and a crafted Cookie header is supplied, bsc#1219911

* Thu Nov 30 2023 Danilo Spinella <danilo.spinella@suse.com>
- update to 2.4.14.4:
  * for the complete list of changes, please have a look at ChangeLog

* Tue Dec 20 2022 Michael Ströder <michael@stroeder.com>
- update to 2.4.12.2
  * Security
    - CVE-2022-23527: prevent open redirect in default setup when OIDCRedirectURLsAllowed is not configured; see: GHSA-q6f2-285m-gr53
  * Features
    - allow overriding the type of lock used at compile time with OIDC_LOCK

* Tue Nov 15 2022 Michael Ströder <michael@stroeder.com>
- update to 2.4.12.1
  * Features
    - add option to use ISO-8859-1 encoding for propagated claim values by adding latin1 option to OIDCPassClaimsAs <> latin1; see #957
    - Note that the encodings (including the existing "base64url") apply to both header and environment variables as well now
  * Bugfixes
    - switch to using apr_generate_random_bytes instead of apr_uuid_get to generate session identifiers so there's no longer a (rather implicit) dependency on a libapr that is compiled against libuuid on Linux platforms; see #431, #603 and #694
    - fix cache file backend: delete the correct file upon logout; closes #955
    - fix cleanup of semaphores on graceful restarts; see #522, closes #458
    - fix OIDCProviderMetadataRefreshInterval since it was interpreted in microseconds instead of the documented and intended seconds; setting it to seconds would effectively turn off caching and pull the configuration document on each request
    - define APLOG_TRACE1 if it does not exist
    - correct ap_hook_insert_filter function signature in stub.c, part 3; see #784
    - fixed printout of cache mutex errors in cache/common.c
    - prefer APR_LOCK_POSIXSEM over APR_LOCK_DEFAULT in apr_global_mutex_create which is apparently required for (some) ARM based builds
    - fix potential memory leak in proto.c when oidc_util_create_symmetric_key fails
    - fix potential memory leak in proto.c when oidc_proto_validate_access_token fails (at_hash validation)

* Mon Oct 17 2022 Michael Ströder <michael@stroeder.com>
- update to 2.4.12
  * Features
    - allow storing the id_token in a client-cookie based session; see #812 and #888
    - allow setting connection pool parameters for Memcache server connections; see #916
    - add option to set a username for Redis authentication via OIDCRedisCacheUsername
    - register request_object_signing_alg in dynamic client registration when using request_uri
  * Bugfixes
    - increase size of the output buffer when using libpcre2 for substitution; closes #915
    - support OIDCSessionInactivityTimeout values greater than 30 days when using Memcache; see #936
    - allow for step-up discovery with an external URL using HTML refresh; fixes behaviour on CentOS 7/8 when combined with ProxyPass
    - apply exact length matching for at_hash and c_hash validation
    - store access token obtained from backchannel in session over the one returned in the frontchannel for code token and code id_token token flows
    - check ID token signed response algorithm on backchannel logout_token and retrieve its configuration value from the client metadata file

* Tue Aug 23 2022 Michael Ströder <michael@stroeder.com>
- update to 2.4.11.3
  * Bugfixes
    - avoid memory leak when using PCRE2 regular expressions with array matching; closes #902
    - avoid memory leak when cjose_jws_get_plaintext fails; closes #903
    - fix handling of IPv6 based logout URLs
  * Features
    - Use optionally provided sid and iss request parameters during front channel logout; see #855
    - support Forwarded header in addition to X-Forwarded-*; see #853

* Mon Jul 25 2022 Michael Ströder <michael@stroeder.com>
- removed obsolete BuildRequires autoconf and automake
- update to 2.4.11.2
  + release 2.4.11.2
  * Features
    - add support for Apache expressions in OIDCPathAuthRequestParams and OIDCPathScope; see #594
  * Bugfixes
    - add Cache-Control headers to logout response; see #846; thanks @blackwhiser1
  * Other
    - don't strip the header from encrypted JWTs as future versions of cjose may use compact encoding for JWEs; this slightly increases state cookie size, by-value session cookies and encrypted cache contents again at the benefit of forward cjose compatibility
  + release 2.4.11.1
  * Bugfixes
    - fix OIDCUnAuthAction pass not passing claims for authenticated users, see #790, thanks @cm0s
    - fix race conditions in the file cache backend, see #777, thanks @dbakker and @blackwhiser1
    - fix memory leaks over graceful restarts, see #823 and #824, thanks @smanolache
    - avoid using %llu print formatter and switch to %lu for unsigned long so it works cross platform
    - add a check to make sure URLs do not contain unencoded Unicode characters, see #796, thanks @cnico
  * Features
    - warn about mismatch between incoming X-Forwarded-* headers and OIDCXForwardedHeaders configuration
    - add support for OpenSSL 3.0
  * Other
    - remove test-cmd jwk2cert command
    - correct ap_hook_insert_filter function signature in stub.c, part 2, closes #784, thanks @stroeder
    - add Valgrind Github action
  + release 2.4.11
  * Bugfixes
    - fix use of regular expressions in Require statements
    - no longer defer multi-OP Discovery to the content handler to allow RequireAll and Require not directives in multi-OP setups; closes #775; thanks @rajeevn1
    - improve handling session duration expiry when combined with OIDCUnAuthAction pass or Discovery; see #778
    - terminate on startup when the crypto passphrase generated by exec: is empty; see #767
    - allow authorization on info requests, see #746
    - avoid debug printout of payload as header when the latter is stripped
    - fix race condition in file cache backend reading truncated files under load; see #777; thanks @dbakker
  * Features
    - make interpretation of X-Forwarded-* headers configurable, defaulting to none, so mod_auth_openidc running behind a reverse proxy that sets X-Forwarded-* headers needs explicit configuration of OIDCXForwardedHeaders
    - make X-Frame-Options header returned on OIDC front-channel logout requests configurable through OIDCLogoutXFrameOptions; closes #464
    - add x5t to JWT header in private_key_jwt client assertions; for interop with Azure AD; see #762; thanks @juur
    - improve detection of suspicious redirect URLs; add test list
    - add administrative session revocation capability via <redirect_uri>?revoke_session=<sessionid>
  * Packaging
    - add support for libpcre2; see #740
    - add AM_PROG_CC_C_O to configure.ac (at least for RHEL 7.7); see #765; thanks @bitmagewb
    - include <openssl/bn.h> in jose.c to compile with OpenSSL 1.0.x
    - install taking into account DESTDIR; see #674; thanks @alerque
  + release 2.4.10
  * Features
    - add check for Sec-Fetch-Dest header != "document" value and Sec-Fetch-Mode header != "navigate" to auto-detect requests that are not capable of handling an authentication round trip to the Provider; see #714; thanks @studersi
    - add redirect/text options to OIDCUnAutzAction; see #715; thanks @chrisinmtown
    - log require claims failure on info level
    - backport ap_get_exec_line, supporting the exec: option in OIDCCryptoPassphrase to Apache 2.2
  * Bugfixes
    - return HTTP 200 for OPTIONS requests in auth-openidc mixed mode
    - don't apply claims based authorization for OPTIONS requests so paths protected with Require claim directives will now also return HTTP 200 for OPTIONS requests
    - fix memory leak when parsing JWT access token fails (in RS mode)
    - fix regexp substitution crash using OIDCRemoteUserClaim; thanks @nneul; closes #720
  * Packaging
    - complete usage of autoconf/automake; see #674
    - add .deb for Debian Bullseye

* Fri Sep 03 2021 Michael Ströder <michael@stroeder.com>
- update to 2.4.9.4
  * Security
    - prevent open redirect by applying OIDCRedirectURLsAllowed setting to target_link_uri; closes #672
  * Bugfixes
    - don't apply authz in discovery process; fixes step up authentication when combined with Discovery

* Fri Aug 27 2021 Michael Ströder <michael@stroeder.com>
- update to 2.4.9.3
  * Bugfixes
    - don't apply authz to the redirect URI; fixes ac56864

* Tue Aug 24 2021 pgajdos@suse.com
- use declared tarball

* Mon Aug 23 2021 Michael Ströder <michael@stroeder.com>
- update to 2.4.9.2
  * Bugfixes
    - fix graceful restart (regression); see #458
  * Features
    - preserve session cookie in the event of a cache backend failure
    - update the id_token in the session cache if one is provided while refreshing the access token

* Fri Aug 13 2021 Michael Ströder <michael@stroeder.com>
- update to 2.4.9.1
  - fix retried Redis commands after a reconnect; see #642

* Fri Jul 23 2021 Michael Ströder <michael@stroeder.com>
- Update to version 2.4.9
  * Security
    - use redisvCommand to avoid crash with crafted key when using Redis without encryption; thanks @thomas-chauchefoin-sonarsource
    - replace potentially harmful backslashes with forward slashes when validating redirection URLs; thanks @thomas-chauchefoin-sonarsource
    - avoid XSS vulnerability when using OIDCPreservePost On and supplying URLs that contain single quotes; thanks @oss-aimoto
    - return OK in the content handler for calls to the redirect URI and when preserving POST data; prevent (intermittent) disclosure of content hosted at a (non-vanity) redirect URI location
    - use encrypted JWTs for storing encrypted cache contents and avoid using static AAD/IV; thanks @niebardzo
  * Bugfixes
    - verify that alg is not none in logout_token explicitly
    - don't clear POST params authn on token revocation; thanks @iainh
    - fix a problem where the host and port are calculated incorrectly when using a literal IPv6 address
  * Other
    - make session not found on backchannel logout produce a log warning instead of error
    - handle discovery in the content handler
    - strip A256GCM JWT header from encrypted JWTs used for state cookies, cache encryption and by-value session cookies, resulting in smaller cookies and reduced cache content size
- Fix CVE-2021-32785 format string bug via hiredis (CVE-2021-32785, bsc#1188638)
- Fix CVE-2021-32786 open redirect in logout functionality (CVE-2021-32786, bsc#1188639)

* Wed Jun 02 2021 Michael Ströder <michael@stroeder.com>
- Use autogen.sh to generate missing configure script
- Update to version 2.4.8.4
  * Bugfixes
    - do not send state timeout HTML document when OIDCDefaultURL is set; this can be overridden by using e.g.: SetEnvIfExpr true OIDC_NO_DEFAULT_URL_ON_STATE_TIMEOUT=true
    - avoid Apache 2.4 appending 400/302(200/404) HTML document text to state timeout HTML info page; see also f5959d7 and #484; at least Debian Buster was affected
  * Other
    - make error "session corrupted: no issuer found in session" a warning only so a logout call for a non-existing session no longer produces error messages

* Tue May 18 2021 Michael Ströder <michael@stroeder.com>
- Update to version 2.4.8.2
  * store timestamps in session in seconds to avoid string conversion problems on some (libapr-1) platform build/run combinations, causing "maximum session duration exceeded" errors

* Fri May 07 2021 Michael Ströder <michael@stroeder.com>
- Update to version 2.4.8.1
  * Bugfixes
    - fix potential crash when the Content-Type header is not set in POST requests
    - avoid jwt/proto_state json_object memory leaks on cache failures
    - when an OAuth 2.0 RS token scope/claim authorization (401) error occurs, add an OIDC_OAUTH_BEARER_SCOPE_ERROR environment variable for usage with mod_headers, instead of adding a header ourselves; see #572
  * Features
    - add options to configure Redis connectivity timeouts with OIDCRedisCacheConnectTimeout and OIDCRedisCacheTimeout
    - add OIDCClientTokenEndpointKeyPassword option to set a private key password for the client's private key to be used against the token endpoint; see #576

* Mon Apr 12 2021 pgajdos@suse.com
- test package

* Sun Apr 11 2021 Andreas Stieger <andreas.stieger@gmx.de>
- fix installation path on Factory (boo#1184572)
- switch to bootstrapped tarball
- package the license, docs and sample config

* Mon Apr 05 2021 Michael Ströder <michael@stroeder.com>
- Update to version 2.4.7
  * Bugfixes
    - avoid logged-out sessions remaining (valid) in the session cache: remove session from cache before clearing it; see #542
  * Features
    - add maximum session lifetime (exp), inactivity timeout (timeout) and remote_user to OIDCInfoHook; closes #541
  * Security
    - add opt-out on sub check in userinfo endpoint response using the (undocumented) OIDC_NO_USERINFO_SUB environment variable, for backwards (but insecure) compatibility, see #544
  * Dependencies
    - libcjose >= 0.5.1
    - if your distribution does not provide libcjose in its package repository, recent packages for a number of platforms are available from the "Assets" section in release 2.4.0

* Thu Apr 01 2021 pgajdos@suse.com
- require hiredis only for newer distros than SLE-15 [jsc#SLE-11726]

* Thu Feb 18 2021 pgajdos@suse.com
- re-download tarball

* Wed Feb 17 2021 Michael Ströder <michael@stroeder.com>
- Update to version 2.4.6
  * Bugfixes
    - don't set SameSite=None on cookies when on plain http
    - fix semaphore cleanup on graceful restarts; see #522
    - fix inconsistent public/private keys loading order; closes #515
    - return HTTP 400 Bad Request instead of 500 Internal Server Error when state cookie matching fails
    - optimize Redis AUTH execution once per connection
    - avoid segmentation fault when hitting an endpoint configured with AuthType openid-connect in an OAuth 2.0 only setup; see #529
    - make sure the module compiles with Apache 2.2 for passphrase exec:
  * Features
    - add Redis database selection option with OIDCRedisCacheDatabase; closes #423
    - add base64url option to OIDCPassClaimsAs primitive; closes #417
    - add environment variable to control libcURL CURLOPT_SSL_OPTIONS behaviors, e.g.: SetEnvIfExpr true CURLOPT_SSL_OPTIONS=CURLSSLOPT_NO_REVOKE
    - removed support for https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state
  * Security
    - avoid displaying the client_secret in debug logs
  * Dependencies
    - libcjose >= 0.5.1
Files:
/usr/lib/apache2/mod_auth_openidc.so
/usr/share/doc/packages/apache2-mod_auth_openidc
/usr/share/doc/packages/apache2-mod_auth_openidc/AUTHORS
/usr/share/doc/packages/apache2-mod_auth_openidc/ChangeLog
/usr/share/doc/packages/apache2-mod_auth_openidc/README.md
/usr/share/doc/packages/apache2-mod_auth_openidc/auth_openidc.conf
/usr/share/licenses/apache2-mod_auth_openidc
/usr/share/licenses/apache2-mod_auth_openidc/LICENSE.txt
Generated by rpm2html 1.8.1
Fabrice Bellet, Sun Jan 12 02:11:34 2025