Releases · OpenIDC/mod_auth_openidc · GitHub
release 2.4.17.2
Bugfixes
- fix regression in 2.4.17 for processing unauthenticated requests that generate HTML content, e.g. OIDCProviderAuthRequestMethod POST and OIDCPreservePost On when protected with Require claim statements rather than just Require valid-user.
Features
- support the use of Elliptic Curve keys for private_key_jwt authentication at the token and introspection endpoints and make the signing algorithm configurable for both RSA and EC keys; closes #1336; thanks @rjr162
- allow suppressing warnings about (individual) X-Forwarded-* headers through environment variable OIDC_CHECK_X_FORWARDED_HDR_LOG_DISABLE (see #1333), e.g.:
SetEnvIfExpr true OIDC_CHECK_X_FORWARDED_HDR_LOG_DISABLE=X-Forwarded-Proto
Packaging
- added RHEL 10 RPM package
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via sales@openidc.com
- support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via sales@openidc.com
The RPM packages below are signed with the following RSA PGP key:
release 2.4.17.1
Bugfixes
- metrics: avoid possible segfault after restart twice; thanks @atzm
- fix usage of OIDCSessionType client-cookie:persistent:store_id_token; see #1331; thanks @rgcv
- fix usage of OIDCPreservePostTemplates, regression in 2.4.17; see #1325; thanks @perry19987
- javascript: use HTMLFormElement.prototype.submit.call(document.forms[0]) on all JavaScript auto-submit POST forms to prevent the browser JavaScript error "form.submit is not a function", which would occur when an element (i.e. the submit button) in an HTML form has a name or id with a value "submit" and OIDCPreservePost is set to On
Features
- allow adding a prefix to the cache (section) key through environment variable OIDC_CACHE_PREFIX
Update 20251018: the *-2 RPM packages are now signed with the following 2048 bit RSA PGP key:
release 2.4.17
Features
- proto: pass the scope parameter as returned from the token endpoint in the OIDC_scope header/environment variable and make it available for Require claim scope: purposes, if not available as a claim returned in the id_token or userinfo endpoint; thanks Amaury Buffet
Bugfixes
- metadata: fix parsing the OP's token_endpoint_auth_methods_supported and avoid the log error:
oidc_metadata_provider_parse: oidc_provider_token_endpoint_auth_set: invalid value
and falling back to client_secret_basic after that; thanks François Kooman
- fix memory leaks when using provider specific client keys and/or signed_jwks_uri_key in a multi-provider setup; thanks Sami Korvonen
- allow for regular Apache processing (e.g. setting response/security headers) by deferring HTML/HTTP output generation to the content handler (instead of user id check handler) for the following use cases:
  - OIDCProviderAuthRequestMethod POST
  - OIDCPreservePost On (both internal and template-based)
  - POST page for the implicit grant type
  - Request URI handler
  - internally generated POST logout page
  - session management RP iframe
  - session management logout HTML top-window redirect page
release 2.4.16.11
Security
release 2.4.16.10
Bugfixes
- core: use case insensitive protocol/hostname/domain comparisons everywhere
release 2.4.16.9
Bugfixes
- cookie: use case insensitive hostname/domain comparison in oidc_check_cookie_domain
- authz: remove the Location header from HTML based step up authentication responses as it may conflict with its HTTP 200 status code and confuse middle boxes
- metrics: avoid double-free on shutdown by not calling pthread_exit; fixes #1207; thanks @studersi
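Hostnames are case-insensitive, so a byte-wise comparison can reject a session whose stored cookie domain differs from the request host only in letter case; this is the class of problem the case-insensitive comparison fixes in releases 2.4.16.10 and 2.4.16.9 address. The sketch below is an added example, not the module's own code: host_equals and host_in_cookie_domain are hypothetical helper names, and the host values are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h> /* strcasecmp, strncasecmp (POSIX) */

/* Hypothetical helper (not the module's code): exact host comparison. */
int host_equals(const char *a, const char *b) {
    return a != NULL && b != NULL && strcasecmp(a, b) == 0;
}

/* Hypothetical helper: is `host` equal to, or a subdomain of, `domain`? */
int host_in_cookie_domain(const char *host, const char *domain) {
    size_t hl, dl;
    if (host == NULL || domain == NULL)
        return 0;
    if (*domain == '.') /* ".example.com" and "example.com" are equivalent */
        domain++;
    hl = strlen(host);
    dl = strlen(domain);
    if (dl == 0 || dl > hl)
        return 0;
    /* Compare the trailing dl bytes of host against domain, ignoring case. */
    if (strncasecmp(host + (hl - dl), domain, dl) != 0)
        return 0;
    /* Require a label boundary so "evil-example.com" is not under "example.com". */
    return hl == dl || host[hl - dl - 1] == '.';
}

int main(void) {
    /* Constructed sample values. */
    const char *session_host = "App.Example.COM";
    const char *request_host = "app.example.com";
    printf("strcmp equal:     %d\n", strcmp(session_host, request_host) == 0);
    printf("host_equals:      %d\n", host_equals(session_host, request_host));
    printf("in .EXAMPLE.com:  %d\n", host_in_cookie_domain(request_host, ".EXAMPLE.com"));
    printf("evil-example.com: %d\n", host_in_cookie_domain("evil-example.com", "example.com"));
    return 0;
}
```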
Features
- metrics: write cached metrics into shared memory before exiting
release 2.4.16.8
Features
- metrics: add support for claim value counters in OIDCMetricsData, e.g.:
OIDCMetricsData claim.id_token.amr claim.userinfo.gender
- metrics: do not reset Prometheus counters by default, only when explicitly specified
- metrics: reset to 0 in case of an integer overflow
release 2.4.16.7
Bugfixes
- config: fix OIDCProviderRevocationEndpoint (override) for values other than ""; closes #1301; thanks @tarteens
- config: add a configuration check for public/private keys when using DPoP; closes #1293; thanks @ahus1
- config: avoid NULL pointer dereferencing when no private keys have been configured
- http: avoid potential memory leak on cURL handle if curl_easy_escape/curl_easy_unescape fails
- proto: correct the check for the optional token_type parameter returned from a token endpoint request
- util: avoid potential crash on non-conformant literal IPv6 addresses
- jose: prevent potential memory leaks when zlib compression (deflate) fails
Features
- add OIDCProfile to configure OpenID Connect profile behaviours e.g. FAPI20, see auth_openidc.conf
- http: report errors when curl_easy_setopt fails in outgoing HTTP requests
Other
- v2.4.16.7 is certified for the FAPI 2.0 Relying Party profiles, see: https://openid.net/certification/#FAPI2-RP
- minor code changes all over the place to address issues reported by static code analysis software
release 2.4.16.6
Bugfixes
- metadata: fix caching of JWKs from jwks_uri when using the default expiry setting (i.e. not using OIDCJWKSRefreshInterval) and avoid fetching JWKs from the jwks_uri for each user login; also addresses Redis cache error entries in the log [ERR invalid expire time in 'setex' command] (regression in 2.4.16-2.4.16.5)
- info: fix requests to the info hook with extend_session=false; see #1279; thanks @fnieri-cdp
  - properly reflect the (unmodified) inactivity timeout in the response (in the timeout claim)
  - avoid refreshing an access token (since the session is not saved)
  - avoid refreshing claims from the user info endpoint, and possibly refreshing the access token
- cookie: OIDCCookieSameSite default behaviour Lax
- cookie: apply OIDCCookieSameSite Off/None properly to state cookies instead of always setting Lax
- cache: avoid segfault and improve error reporting in case apr_temp_dir_get fails when a temp directory cannot be found on the system upon initializing cache mutexes and the file cache; see #1288; thanks @ErmakovDmitriy
Features
- cookie: allow specific settings Strict|Lax|None|Disabled for OIDCCookieSameSite in addition to On(=Lax)|Off(=None)
  - re-introduces the option to configure a Strict SameSite session cookie policy, which will turn the initial Lax session cookie - set upon receiving the response to the Redirect URI - into a Strict session cookie immediately after the first application request
- cookie: allows for a Disabled value that does not set any SameSite flag on the cookies, in which case a browser falls back to its default browser behaviour (which should be Lax by spec)
- http: add option to set local address for outgoing HTTP requests; see #1283; thanks @studersi; use e.g.:
SetEnvIfExpr true OIDC_CURL_INTERFACE=192.168.10.2
Other
- metadata: allow plain HTTP URLs in metadata elements jwks_uri and signed_jwks_uri to ensure backwards compatibility with <=2.4.15.7 and to support private/test deployments
- code: address warnings from static code analysis tool CodeChecker
- init: try and address metrics cleanup segmentation fault on shutdown by not flushing metrics to the shared memory segment upon exit; see #1207
release 2.4.16.5
Bugfixes
- add backwards compatibility with versions older than 2.4.16.x wrt. ID token aud claim validation: accept the ID token when our client_id is provided as one of the values in a JSON array of string values in the aud claim; required by (at least) Oracle IDCS; see #1272 and #1273; thanks @lufik and @tydalforce
- add OIDCIDTokenAudValues configuration primitive that allows for explicit - and exhaustive - configuration of the list of accepted values in the aud claim of the ID token, i.e. as required for passing FAPI 2 conformance testing