Mod Auth Openidc Versions Save

The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.

Bugfixes

• fix OIDCUserInfoRefreshInterval and interpret the interval as seconds, not as microseconds (broken in 2.4.15.6)

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.

Bugfixes

• use SameSite=Lax when OIDCCookieSameSite is On (also the default since 2.4.15) instead of Strict as overriding from Lax to Strict does not work reliably anymore (i.e. on Chrome with certain plugins)
• signed_jwks_url: make the exp claim optional in signed JWK sets (OIDCProviderSignedJwksUri); see #1182; thanks @psteniusubi; ensures interoperability with the OpenID Federation specification
• cache: hash the cache key if it is larger than 512 bytes so large cache key entries (i.e. for JWT tokens) are no longer a problem in unencrypted SHM cache configs, i.e. the default shared memory cache setup; see issues/discussions on "could not construct cache key since key size is too large"
• cache: fix debug printout of cache key in oidc_cache_get introduced in 2.4.15
• http: fix applying the default HTTP short retry interval setting and use 300ms as default value
• userinfo: fix setting the exp claim in userinfo signed JWTs (exp would be now+0) when no expires_in is returned by the OpenID Connect Provider
• userinfo: fix signed JWT caching (if enabled) when the TTL is set to 0 or "" which should apply the exp claim as the cache TTL
• refresh: fix for expires_in string values returned from the token endpoint that would be interpreted as 0; this fixes using OIDCRefreshAccessTokenBeforeExpiry and OIDCUserInfoRefreshInterval with (older) Azure AD configs that would result in a token refresh on every request since 2.4.15 or a 401 in 2.4.14.4
• authz: fix evaluation of Require claim statements for nested array claims
• authz: properly handle parse errors in Require claim <name>:<integer> statements
• fix setting the default PKCE method to none in a multi-provider setup

Other

• userinfo refresh: don't try to refresh the access token and retry when a connectivity error has occurred
• logout: don't try to revoke tokens on post-access-token-refresh or post-userinfo-refresh-errors logouts
• (internal) session state: represent timestamps as JSON integers instead of strings, as also returned from the info hook

Features

• signed_jwks_uri: accept verification key set formatted as either JWK or JWKS; see #1191; thanks @psteniusubi
• redis: enable TCP keepalive on Redis connections by default and make it configurable with: OIDCRedisCacheConnectTimeout <connect-timeout> [0|<keep-alive-interval>]
• proto: accept strings as well as integers in the expires_in claim from the token endpoint to cater for non-spec compliant implementations
• userinfo: accept 0 in OIDCUserInfoRefreshInterval which will refresh userinfo on every request
• authz: add support for JSON real and null value matching in Require claim statements

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.

Bugfixes

• fix OIDCPassClaimsAs environment broken in 2.4.15.4; see #1196; thanks @HolgerHees
• fix setting the default PKCE method to none in a multi-provider setup
• fix compilation without libhiredis; closes #1195 ; thanks @HolgerHees

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.

Bugfixes

• signed_jwks_url: make the exp claim optional in signed JWK sets (OIDCProviderSignedJwksUri); see #1182; thanks @psteniusubi; ensures interoperability with the OpenID Federation specification
• cache: hash the cache key if it is larger than 512 bytes so large cache key entries (i.e. for JWT tokens) are no longer a problem in unencrypted SHM cache configs, i.e. the default shared memory cache setup; see issues/discussions on "could not construct cache key since key size is too large"
• cache: fix debug printout of cache key in oidc_cache_get introduced in 2.4.15
• http: fix applying the default HTTP short retry interval setting and use 300ms as default value
• userinfo: fix setting the exp claim in userinfo signed JWTs (exp would be now+0) when no expires_in is returned by the OpenID Connect Provider
• userinfo: fix signed JWT caching (if enabled) when the TTL is set to 0 or "" which should apply the exp claim as the cache TTL
• refresh: fix for expires_in string values returned from the token endpoint that would be interpreted as 0; this fixes using OIDCRefreshAccessTokenBeforeExpiry and OIDCUserInfoRefreshInterval with (older) Azure AD configs that would result in a token refresh on every request since 2.4.15 or a 401 in 2.4.14.4
• authz: fix evaluation of Require claim statements for nested array claims
• authz: properly handle parse errors in Require claim <name>:<integer> statements

Other

• userinfo refresh: don't try to refresh the access token and retry when a connectivity error has occurred
• logout: don't try to revoke tokens on post-access-token-refresh or post-userinfo-refresh-errors logouts
• (internal) session state: represent timestamps as JSON integers instead of strings, as also returned from the info hook

Features

• signed_jwks_uri: accept verification key set formatted as either JWK or JWKS; see #1191; thanks @psteniusubi
• redis: enable TCP keepalive on Redis connections by default and make it configurable with: OIDCRedisCacheConnectTimeout <connect-timeout> [0|<keep-alive-interval>]
• proto: accept strings as well as integers in the expires_in claim from the token endpoint to cater for non-spec compliant implementations
• userinfo: accept 0 in OIDCUserInfoRefreshInterval which will refresh userinfo on every request
• authz: add support for JSON real and null value matching in Require claim statements

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.

Security

• fix CVE-2024-24814: prevent DoS when OIDCSessionType client-cookie is set and a crafted Cookie header is supplied, see the advisory; thanks @olipo186

Bugfixes

• rewrite handling of parallel refresh token grant requests
  • temporarily cache the results of the refresh token grant for other (almost) parallel callers
  • fixes handing on the same server, and improves clustered handling through a best-effort distributed cached lock, see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Known-Limitations#parallel-refresh-token-grants
  • improves handling of non-rollover refresh tokens since it avoids superfluous calls to the token endpoint
• avoid crash when Forwarded is not present but OIDCXForwardedHeaders Forwarded is configured for it; see #1171; thanks @daviddpd
• set Redis default retry interval time to 300 milliseconds (instead of 0.5ms) and make it configurable

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

commercial-binaries-only security patch release for CVE-2024-24814

The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.

Bugfixes

• fix Prometheus output overlap and re-organize metric/label naming; closes #1161; see #1162 and #1160; thanks @studersi
• fix OIDCCacheType file on Windows and use apr_file_rename() in file cache backend instead of rename() to fix Windows file renaming issue; thanks @adg-mh

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

The 2.4.15 release changes a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.

New Defaults

• use Proof Key for Code Exchange (PKCE S256) by default; disable by configuring OIDCPKCEMethod none
• use SameSite cookies Strict by default; disable by configuring OIDCCookieSameSite Off
• apply ISO-8859-1 (latin1) as default encoding mechanism for claim values passed in headers and environment variables to comply with https://www.rfc-editor.org/rfc/rfc5987; see #957; use OIDCPassClaimsAs <any> none for backwards compatibility

Bugfixes

• restore backwards compatibility wrt. allowing parallel refresh token requests by default, and add an option to prevent that (i.e. in case of rolling refresh tokens) using envvar OIDC_PARALLEL_REFRESH_NOT_ALLOWED
• do not apply logout_on_error and authenticate_on_error when a parallel refresh token request is detected see https://github.com/OpenIDC/mod_auth_openidc/discussions/1132; thanks @esunke
• fix SSL server certificate validation when revoking tokens and apply OIDCSSLValidateServer setting rather than OIDCOAuthSSLValidateServer in oidc_revoke_tokens; see https://github.com/OpenIDC/mod_auth_openidc/discussions/1141; thanks @mschmidt72
• make sure the shm cache entry size OIDCCacheShmEntrySizeMax is a multiple of 8 bytes, see #1067; thanks @sanzinger
• fix Redis connnect retries and make it configurable through environment variable OIDC_REDIS_MAX_TRIES

Features

• add metrics collection/observability capability with OIDCMetricsData and OIDCMetricsPublish, see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Observability
• generate or propagate the traceparent header on outgoing (and proxied) requests; ties the parent-id to the (8-byte hash of) the session or access token when available
• retry failed outgoing HTTP requests and add options to configure it in OIDCHTTPTimeoutLong/OIDCHTTPTimeoutShort
• improve error message in case of curl timeouts
• add capability to seamlessly rollover OIDCCryptoPassphrase using a (temporary) 2nd value that holds the previous one
• add iat and exp claims to request objects; closes #1137
• populate User-Agent header in outgoing HTTP requests with host, port, process-id, mod_auth_openidc, libcurl and OpenSSL version information and log it for debugging purposes

Other

• return HTTP 500 on token refresh errors instead of HTTP 401
• use only the User-Agent header as input for the state browser fingerprinting by default (no X-Forwarded-For)
• remove obsolete support for Token Binding https://www.rfc-editor.org/rfc/rfc8471.html (id_token, access_token, session cookie)
• use clang-format-17 for code formatting and reformat all code

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

Note that as of release 2.4.14 the use of OIDCHTMLErrorTemplate is deprecated and one should instead rely on standard Apache error handling capabilities, optionally customized through ErrorDocument. The environment variable strings REDIRECT_OIDC_ERROR and REDIRECT_OIDC_ERROR_DESC are available for display purposes.

Bugfixes

• fix OIDCRefreshAccessTokenBeforeExpiry when using it with logout_on_error or authenticate_on_error; see #1111; thanks @brandonk10
• improve behaviour when parallel refresh token grant requests occur on the same Apache server/host and rolling refresh tokens are issued; synchronize using a global refresh token lock and avoid corrupting the session by storing/overwriting an expired refresh token
• fix memory leak in oidc_refresh_token_grant: free the parsed id_token if returned from the token endpoint
• avoid potential process lifetime memory leak when mutex lock/unlock fails

Performance

• store userinfo refresh interval in session to avoid parsing Provider JSON metadata on each request
• fix performance issue with latin1 encoding when using OIDCPassClaimsAs <any> latin1 with large claim values
• skip re-validating cached provider metadata
• use process based locking for Redis caching instead of global locking

Features

• add options for authentication to OIDCOutgoingProxy; thanks @drzraf; see https://github.com/OpenIDC/mod_auth_openidc/discussions/1107
• add support for custom preserve/restore POST data templates with OIDCPreservePostTemplates to be used when OIDCPreservePost is set to On; the hard-coded internal templates are added to the test directory as an example; closes #195 (yeah...); thanks @kerrermanisNL and @spiazzi

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), older Ubuntu and Debian distro's, SUSE Linux,, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]

Note that as of release 2.4.14 the use of OIDCHTMLErrorTemplate is deprecated and one should instead rely on standard Apache error handling capabilities, optionally customized through ErrorDocument. The environment variable strings REDIRECT_OIDC_ERROR and REDIRECT_OIDC_ERROR_DESC are available for display purposes.

Bugfixes

• fix session updates on userinfo requests; see https://github.com/OpenIDC/mod_auth_openidc/discussions/1077; this bug was introduced in v2.4.11 with d9fff154ee6ee8a7e4e969dd6a68cbaf18354598; thanks @adenix

Features

• add OIDCPassAccessToken Off option to disable (the default of) passing the access token and its expiry in the OIDC_access_token/OIDC_access_token_expires header/environment variables; thanks @mattias-asander
• allow relative values in OIDCDefaultURL and OIDCDefaultLoggedOutURL
• support authenticate_on_error 2nd parameter value in OIDCRefreshAccessTokenBeforeExpiry to re-authenticate the user when refreshing the access token fails see: https://github.com/OpenIDC/mod_auth_openidc/discussions/1084; thanks @xrammit
• add logout_on_error and authenticate_on_error 2nd parameter option to OIDCUserInfoRefreshInterval
• add support for adding extra parameters to the Logout Request to the OP with OIDCLogoutRequestParams see: https://github.com/OpenIDC/mod_auth_openidc/discussions/1096; thanks @smarsching

Other

• add a sanity alg/enc check on internal self-encrypted AES GCM JWTs
• increase performance of JQ filtering by caching JQ filtering results; default cache ttl is 10 min, configured through environment variable OIDC_JQ_FILTER_CACHE_TTL

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via [email protected]
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]