release 2.4.16.1
Note that OIDCPKCEMethod none
, OIDCSessionMaxDuration 0
, OIDCCacheShmMax
and OIDCStateCookiePrefix
cannot be used in this release, see: #1256, #1252, #1260 and #1254 respectively.
Security
- disable support for the RSA PKCS v1.5 JWE/JWT encryption algorithm as it is considered insecure due to the Marvin attack; it is removed from libcjose >= 0.6.2.3 as well; see GHSA-6x73-979p-x9jr
Features
- add Relying Party support for the FAPI 2.0 Security Profile (OpenID Financial-grade API v2.0)
- add Relying Party support for RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)
configured through theOIDCDPoPMode [off|optional|required]
primitive (dpop_mode
in the.conf
file in multi-OP setups) - add support for RFC 9126 OAuth 2.0 Pushed Authorization Requests
configured throughOIDCProviderPushedAuthorizationRequestEndpoint
andOIDCProviderAuthRequestMethod PAR
- add the
nbf
claim to the Request Object - store the
token_type
in the session and make it available on the info hook together with theaccess_token
- replace multi-provider
.conf
issuer_specific_redirect_uri
boolean withresponse_require_iss
boolean
to require the Provider to pass theiss
value in authorization responses, mitigating the OP mixup attack - return HTTP 502 when refreshing acces token or userinfo fails (default:
502_on_error
) - add support for
OIDCOAuthIntrospectionEndpointKeyPassword
, i.e. to configure a password for accessing the private key file used for OAuth 2.0 token introspection - when an expression is configured for
OIDCUnAuthAction
(i.e. in the 2nd argument), also apply it toOIDCUnAutzAction
so that it can be used to enable step-up authentication for SPAs with non-conformant browsers (some versions of Safari) and in (potentially insecure) iframes; see #1205; thanks @ryanwilliamnicholls
Bugfixes
- allow overriding defined global configuration primitives to their default value on the individual vhost level
- various fixes to applying default config values and disallowing global/vhost primitives in directory scopes
- apply input/boundary checking on all configuration and multi-provider metadata values
- memcache: correct dead server check on
APR_NOTFOUND
; see #1230; thanks @rpluem-vf - tighten up the
aud
claim validation for received ID tokens
Other
- version 2.4.1.6 succesfully runs against the OpenID Certification test suite for the OIDC RP and FAPI2 RP profiles
- packages for the recent Ubuntu Noble stable release are added to the Assets section below
Commercial
- binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distro's, SUSE Linux, Amazon Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
- support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]