Releases: OpenIDC/mod_auth_openidc
Releases · OpenIDC/mod_auth_openidc
release 1.5.5
Features
- set HttpOnly by default on cookies, override using OIDCCookieHTTPOnly [On|Off]
- use default of "/" for OIDCCookiePath
Bugs
- fix debug printout on open redirect prevention and code response validation
- cleanup in-memory crypto context on shutdown
- clear session cookie after cache miss or corruption
Other
- disable OIDCMetadataDir in sample config since it may be overlooked
- use FQDN for sample hostname in sample configs since Google requires that
- make implicit post javascript HTML 4.01 Strict compliant
- provide Wheezy backports as uploaded to the Debian repositories
release 1.5.4
Bugs
- fix big endian issue #18 and fix Debian auto-builds on PPC/MIPS (@latinovic)
- remove ownership sentence from disclaimer text that conflicts with license
Features
- support "none" JWS algorithm in signature validation for "code" flow (@wadahiro)
- pass the "access_token" to the application in the OIDC_access_token header
- add support for passing the id_token to the application in multiple formats (claims,payload,serialized)
Packaging
- add separate packages for Debian 7 (Wheezy) and Debian Testing (Jessie) and Ubuntu 14.04 (Trusty)
- RHEL packages available through https://github.com/wadahiro/mod_auth_openidc_rpmbuild_container/releases
release 1.5.3
Bugs
- fix cache initialization/destroy leak
Features
- prevent JWE timing attacks on CEK
- check for open redirect on passed target_link_uri
- change target_uri parameter name to target_link_uri in IDP-init-SSO
- include client_id and scope values in resolved access_token (OAuth 2.0)
Other
- convert warning on claim evaluation to debug printout
- add note on restricting access to specific Google Apps domain(s)
Packaging
- add separate .deb packages for Debian Jessie/Ubuntu Trusty and Debian Wheezy
release 1.5.2
Bugs
- fix PF OAuth 2.0 RS functionality after upgrading to jansson
Features
- pass JSON objects in app HTTP headers as plain JSON
Other
- correct printout in hash comparison function and use apr_strnatcmp
- add more (JOSE) "unit" tests
- autoconf libapr and include test code in distribution
release 1.5.1
Packaging
- Changes to Debian packaging for 1.5.1-1 as uploaded to mentors.debian.org
Features
- support for 3rd-party initiated SSO as defined in the OpenID Connect core spec (section 4.)
- enable per-module logging for Apache 2.4
Documentation
- various corrections to README.md and auth_openidc.conf
release 1.5
Features
- change JSON parser from apr-json to jansson
NOTE: there's a new compilation and runtime dependency on libjansson now
so make sure to run ./autogen.sh/configure again when compiling - add warning/errors when configured hosts/domains do not match
Bugs
- fix claims-based authorization with integer values (@martinsrom)
- do not set Secure cookies on plain HTTP