OpenID Certified™ OpenID Connect Relying Party implementation for Apache HTTP Server 2.x
The 2.4.15.x releases change a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.
Bugfixes
- `OIDCUserInfoRefreshInterval` and interpret the interval as seconds, not as microseconds (broken in 2.4.15.6)
Commercial
Bugfixes
- `SameSite=Lax` when `OIDCCookieSameSite` is `On` (also the default since 2.4.15) instead of `Strict`, as overriding from `Lax` to `Strict` does not work reliably anymore (i.e. on Chrome with certain plugins)
- `exp` claim optional in signed JWK sets (`OIDCProviderSignedJwksUri`); see #1182; thanks @psteniusubi; ensures interoperability with the OpenID Federation specification
- "could not construct cache key since key size is too large" in `oidc_cache_get`, introduced in 2.4.15
- `exp` claim in userinfo signed JWTs (`exp` would be now+0) when no `expires_in` is returned by the OpenID Connect Provider
- `exp` claim as the cache TTL
- `expires_in` string values returned from the token endpoint that would be interpreted as 0; this fixes using `OIDCRefreshAccessTokenBeforeExpiry` and `OIDCUserInfoRefreshInterval` with (older) Azure AD configs that would result in a token refresh on every request since 2.4.15 or a 401 in 2.4.14.4
- `Require claim` statements for nested array claims
- `Require claim <name>:<integer>` statements
- `none` in a multi-provider setup
Other
Features
- `OIDCRedisCacheConnectTimeout <connect-timeout> [0|<keep-alive-interval>]`
- `expires_in` claim from the token endpoint to cater for non-spec compliant implementations
- `0` in `OIDCUserInfoRefreshInterval`, which will refresh userinfo on every request
- `real` and `null` value matching in `Require claim` statements
Commercial
Bugfixes
- `OIDCPassClaimsAs environment` broken in 2.4.15.4; see #1196; thanks @HolgerHees
- `none` in a multi-provider setup
- `libhiredis`; closes #1195; thanks @HolgerHees
Commercial
Bugfixes
- `exp` claim optional in signed JWK sets (`OIDCProviderSignedJwksUri`); see #1182; thanks @psteniusubi; ensures interoperability with the OpenID Federation specification
- "could not construct cache key since key size is too large" in `oidc_cache_get`, introduced in 2.4.15
- `exp` claim in userinfo signed JWTs (`exp` would be now+0) when no `expires_in` is returned by the OpenID Connect Provider
- `exp` claim as the cache TTL
- `expires_in` string values returned from the token endpoint that would be interpreted as 0; this fixes using `OIDCRefreshAccessTokenBeforeExpiry` and `OIDCUserInfoRefreshInterval` with (older) Azure AD configs that would result in a token refresh on every request since 2.4.15 or a 401 in 2.4.14.4
- `Require claim` statements for nested array claims
- `Require claim <name>:<integer>` statements
Other
Features
- `OIDCRedisCacheConnectTimeout <connect-timeout> [0|<keep-alive-interval>]`
- `expires_in` claim from the token endpoint to cater for non-spec compliant implementations
- `0` in `OIDCUserInfoRefreshInterval`, which will refresh userinfo on every request
- `real` and `null` value matching in `Require claim` statements
Commercial
Security
- `OIDCSessionType client-cookie` is set and a crafted `Cookie` header is supplied; see the advisory; thanks @olipo186
Bugfixes
- `OIDCXForwardedHeaders Forwarded` is configured for it; see #1171; thanks @daviddpd
Commercial
commercial-binaries-only security patch release for CVE-2024-24814
Bugfixes
- `OIDCCacheType file` on Windows and use `apr_file_rename()` in the file cache backend instead of `rename()` to fix the Windows file renaming issue; thanks @adg-mh
Commercial
The 2.4.15 release changes a number of default settings to their more secure and standards-compliant values. In rare cases this may break existing configurations which can be restored as described below. Nevertheless it is recommended to update the environment to accommodate to the new defaults.
New Defaults
- `OIDCPKCEMethod none`
- `OIDCCookieSameSite Off`
- `latin1` as default encoding mechanism for claim values passed in headers and environment variables to comply with https://www.rfc-editor.org/rfc/rfc5987; see #957; use `OIDCPassClaimsAs <any> none` for backwards compatibility
Bugfixes
- `OIDC_PARALLEL_REFRESH_NOT_ALLOWED`
- `logout_on_error` and `authenticate_on_error` when a parallel refresh token request is detected; see https://github.com/OpenIDC/mod_auth_openidc/discussions/1132; thanks @esunke
- `OIDCSSLValidateServer` setting rather than `OIDCOAuthSSLValidateServer` in `oidc_revoke_tokens`; see https://github.com/OpenIDC/mod_auth_openidc/discussions/1141; thanks @mschmidt72
- `OIDCCacheShmEntrySizeMax` is a multiple of 8 bytes; see #1067; thanks @sanzinger
- `OIDC_REDIS_MAX_TRIES`
Features
- `OIDCMetricsData` and `OIDCMetricsPublish`; see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Observability
- `traceparent` header on outgoing (and proxied) requests; ties the `parent-id` to the (8-byte hash of) the session or access token when available
- `OIDCHTTPTimeoutLong`/`OIDCHTTPTimeoutShort`
- `OIDCCryptoPassphrase` using a (temporary) 2nd value that holds the previous one
- `iat` and `exp` claims to request objects; closes #1137
- `User-Agent` header in outgoing HTTP requests with host, port, process-id, mod_auth_openidc, libcurl and OpenSSL version information, and log it for debugging purposes
Other
- `User-Agent` header as input for the state browser fingerprinting by default (no `X-Forwarded-For`)
Commercial
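As an added illustration of the 2.4.15 default changes listed under "New Defaults" above (this fragment is not from the project's own documentation; the provider, client and passphrase values are placeholders), the following Apache configuration spells out the new defaults explicitly and keeps the pre-2.4.15 values alongside as commented-out lines, so an operator can see exactly which directive to set if an existing deployment must temporarily keep the old behaviour:

```apacheconf
# Added example, not part of mod_auth_openidc: provider and client values
# below are placeholders and must be replaced for a real deployment.
OIDCProviderMetadataURL https://op.example.invalid/.well-known/openid-configuration
OIDCClientID            example-client-id
OIDCClientSecret        example-client-secret
OIDCRedirectURI         https://rp.example.invalid/protected/redirect_uri
# Placeholder: use a long random value; rotation via a temporary 2nd value
# is supported since 2.4.15.
OIDCCryptoPassphrase    change-me-to-a-long-random-secret

# What 2.4.15 does by default (writing it out makes the intent explicit):
# PKCE with S256, SameSite cookies on, RFC 5987 (latin1) claim encoding.
OIDCPKCEMethod          S256
OIDCCookieSameSite      On
OIDCPassClaimsAs        both latin1

# Pre-2.4.15 behaviour, only for deployments that cannot yet accommodate
# the new defaults (weaker: no PKCE, no SameSite, raw claim values):
# OIDCPKCEMethod        none
# OIDCCookieSameSite    Off
# OIDCPassClaimsAs      both none

<Location /protected>
    AuthType openid-connect
    Require valid-user
</Location>
```

Note that since 2.4.15.6 `OIDCCookieSameSite On` emits `SameSite=Lax` rather than `Strict`, and that the `OIDCPassClaimsAs` third-argument form is the one the release notes reference as `OIDCPassClaimsAs <any> none`; the `both` first argument is assumed here to pass claims as both headers and environment variables.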
Note that as of release 2.4.14 the use of `OIDCHTMLErrorTemplate` is deprecated and one should instead rely on standard Apache error handling capabilities, optionally customized through `ErrorDocument`. The environment variable strings `REDIRECT_OIDC_ERROR` and `REDIRECT_OIDC_ERROR_DESC` are available for display purposes.
Bugfixes
- `OIDCRefreshAccessTokenBeforeExpiry` when using it with `logout_on_error` or `authenticate_on_error`; see #1111; thanks @brandonk10
- `oidc_refresh_token_grant`: free the parsed `id_token` if returned from the token endpoint
Performance
- `latin1` encoding when using `OIDCPassClaimsAs <any> latin1` with large claim values
Features
- `OIDCOutgoingProxy`; thanks @drzraf; see https://github.com/OpenIDC/mod_auth_openidc/discussions/1107
- `OIDCPreservePostTemplates` to be used when `OIDCPreservePost` is set to `On`; the hard-coded internal templates are added to the test directory as an example; closes #195 (yeah...); thanks @kerrermanisNL and @spiazzi
Commercial
Bugfixes
Features
- `OIDCPassAccessToken Off` option to disable (the default of) passing the access token and its expiry in the `OIDC_access_token`/`OIDC_access_token_expires` header/environment variables; thanks @mattias-asander
- `OIDCDefaultURL` and `OIDCDefaultLoggedOutURL`
- `authenticate_on_error` 2nd parameter value in `OIDCRefreshAccessTokenBeforeExpiry` to re-authenticate the user when refreshing the access token fails; see: https://github.com/OpenIDC/mod_auth_openidc/discussions/1084; thanks @xrammit
- `logout_on_error` and `authenticate_on_error` 2nd parameter option to `OIDCUserInfoRefreshInterval`
- `OIDCLogoutRequestParams`; see: https://github.com/OpenIDC/mod_auth_openidc/discussions/1096; thanks @smarsching
Other
- `alg`/`enc` check on internal self-encrypted AES GCM JWTs
- `OIDC_JQ_FILTER_CACHE_TTL`
Commercial
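The token-refresh and userinfo-refresh error-handling options introduced in the 2.4.14.x releases above (`authenticate_on_error` and `logout_on_error` as the 2nd parameter of `OIDCRefreshAccessTokenBeforeExpiry` and `OIDCUserInfoRefreshInterval`, plus `OIDCPassAccessToken Off`) combine as follows. This is an added example, not configuration shipped by the project; provider and client values are placeholders and the interval values are arbitrary choices:

```apacheconf
# Added example, not part of mod_auth_openidc: placeholder provider/client.
OIDCProviderMetadataURL https://op.example.invalid/.well-known/openid-configuration
OIDCClientID            example-client-id
OIDCClientSecret        example-client-secret
OIDCRedirectURI         https://rp.example.invalid/protected/redirect_uri
# Placeholder: use a long random value.
OIDCCryptoPassphrase    change-me-to-a-long-random-secret

# Refresh the access token 60 seconds before it expires. If the refresh
# fails (revoked refresh token, provider outage), send the user back
# through authentication rather than continuing with a stale session.
OIDCRefreshAccessTokenBeforeExpiry 60 authenticate_on_error

# Re-fetch userinfo claims at most every 300 seconds; a failed refresh
# terminates the session (logout_on_error). Since 2.4.15.6 a value of 0
# would refresh userinfo on every request, which is rarely wanted.
OIDCUserInfoRefreshInterval 300 logout_on_error

# This backend only needs identity claims, not the bearer token itself,
# so keep the access token and its expiry out of the OIDC_access_token /
# OIDC_access_token_expires headers and environment variables.
OIDCPassAccessToken Off

<Location /protected>
    AuthType openid-connect
    Require valid-user
</Location>
```

The choice between the two error modes is a session-lifetime decision: `authenticate_on_error` silently re-runs the login (useful behind a browser where the provider can re-issue tokens from its own session), while `logout_on_error` ends the local session outright, which is the more conservative option when a failed refresh may indicate the provider has revoked access.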