
release 2.4.16.1

@zandbelt zandbelt released this 26 Aug 15:03
· 50 commits to master since this release

Note that OIDCPKCEMethod none, OIDCSessionMaxDuration 0, OIDCCacheShmMax and OIDCStateCookiePrefix cannot be used in this release, see: #1256, #1252, #1260 and #1254 respectively.

Security

  • disable support for the RSA PKCS v1.5 JWE/JWT encryption algorithm as it is considered insecure due to the Marvin attack; it is removed from libcjose >= 0.6.2.3 as well; see GHSA-6x73-979p-x9jr

Features

  • add Relying Party support for the FAPI 2.0 Security Profile (OpenID Financial-grade API v2.0)
  • add Relying Party support for RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)
    configured through the OIDCDPoPMode [off|optional|required] primitive (dpop_mode in the .conf file in multi-OP setups)
  • add support for RFC 9126 OAuth 2.0 Pushed Authorization Requests
    configured through OIDCProviderPushedAuthorizationRequestEndpoint and OIDCProviderAuthRequestMethod PAR
  • add the nbf claim to the Request Object
  • store the token_type in the session and make it available on the info hook together with the access_token
  • replace multi-provider .conf issuer_specific_redirect_uri boolean with response_require_iss boolean
    to require the Provider to pass the iss value in authorization responses, mitigating the OP mixup attack
  • return HTTP 502 when refreshing the access token or calling userinfo fails (default: 502_on_error)
  • add support for OIDCOAuthIntrospectionEndpointKeyPassword, i.e. to configure a password for accessing the private key file used for OAuth 2.0 token introspection
  • when an expression is configured for OIDCUnAuthAction (i.e. in the 2nd argument), also apply it to OIDCUnAutzAction so that it can be used to enable step-up authentication for SPAs with non-conformant browsers (some versions of Safari) and in (potentially insecure) iframes; see #1205; thanks @ryanwilliamnicholls

Bugfixes

  • allow overriding defined global configuration primitives to their default value on the individual vhost level
  • various fixes to applying default config values and disallowing global/vhost primitives in directory scopes
  • apply input/boundary checking on all configuration and multi-provider metadata values
  • memcache: correct dead server check on APR_NOTFOUND; see #1230; thanks @rpluem-vf
  • tighten up the aud claim validation for received ID tokens
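The two response-validation rules referenced in these notes, the iss check that response_require_iss enables against the OP mix-up attack (RFC 9207) and the aud/azp validation of a received ID token (OpenID Connect Core 1.0, section 3.1.3.7), written out as an added Python illustration. This is not mod_auth_openidc's own code and does not claim to reproduce exactly what the module's tightened check does; the sample claims and issuer values are constructed for the example.

```python
# Added illustration of the Relying Party checks described in the release notes.
# Not mod_auth_openidc's code; the rules follow RFC 9207 and OIDC Core 3.1.3.7.


def check_response_iss(response_params: dict, expected_issuer: str) -> tuple[bool, str]:
    """RFC 9207: with response_require_iss enabled, the authorization response
    must carry an iss parameter that equals the configured Provider issuer.
    A missing or foreign iss is the signature of an OP mix-up attempt."""
    iss = response_params.get("iss")
    if iss is None:
        return False, "authorization response has no iss parameter"
    if iss != expected_issuer:
        return False, "iss %r does not match expected issuer %r" % (iss, expected_issuer)
    return True, "iss ok"


def check_id_token_audience(claims: dict, client_id: str) -> tuple[bool, str]:
    """OIDC Core 1.0 section 3.1.3.7, steps 3-5:
    - aud must be a string or a list of strings and must contain client_id;
    - when there are multiple audiences, an azp claim must be present;
    - when azp is present, it must equal client_id."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or not aud:
        return False, "aud claim missing or not a string/array"
    if any(not isinstance(a, str) for a in aud):
        return False, "aud contains a non-string entry"
    if client_id not in aud:
        return False, "aud does not contain this client_id"
    azp = claims.get("azp")
    if len(aud) > 1 and azp is None:
        return False, "multiple audiences but no azp claim"
    if azp is not None and azp != client_id:
        return False, "azp %r does not match client_id" % (azp,)
    return True, "aud/azp ok"


def validate_callback(response_params: dict, claims: dict,
                      expected_issuer: str, client_id: str) -> tuple[bool, str]:
    """Run both checks in the order an RP applies them: the response iss is
    inspected before the ID token is even accepted for claim validation."""
    ok, reason = check_response_iss(response_params, expected_issuer)
    if not ok:
        return ok, reason
    return check_id_token_audience(claims, client_id)


# Constructed sample data (not from the page).
EXPECTED_ISSUER = "https://op.example.com"
CLIENT_ID = "rp-client-1"

GOOD_RESPONSE = {"code": "abc", "state": "xyz", "iss": EXPECTED_ISSUER}
MIXUP_RESPONSE = {"code": "abc", "state": "xyz", "iss": "https://attacker-op.example.net"}
GOOD_CLAIMS = {"iss": EXPECTED_ISSUER, "sub": "u1", "aud": CLIENT_ID}
MULTI_AUD_OK = {"iss": EXPECTED_ISSUER, "sub": "u1",
                "aud": [CLIENT_ID, "other-client"], "azp": CLIENT_ID}
MULTI_AUD_NO_AZP = {"iss": EXPECTED_ISSUER, "sub": "u1",
                    "aud": [CLIENT_ID, "other-client"]}
WRONG_AUD = {"iss": EXPECTED_ISSUER, "sub": "u1", "aud": "some-other-client"}

if __name__ == "__main__":
    for label, resp, claims in [
        ("good", GOOD_RESPONSE, GOOD_CLAIMS),
        ("mix-up", MIXUP_RESPONSE, GOOD_CLAIMS),
        ("multi-aud with azp", GOOD_RESPONSE, MULTI_AUD_OK),
        ("multi-aud no azp", GOOD_RESPONSE, MULTI_AUD_NO_AZP),
        ("wrong aud", GOOD_RESPONSE, WRONG_AUD),
    ]:
        print(label, validate_callback(resp, claims, EXPECTED_ISSUER, CLIENT_ID))
```

The iss check only has teeth when the RP knows which Provider it sent the user to, so the expected issuer must be taken from the state bound to the request, not from anything in the response itself; that is why the multi-provider boolean here is "require iss", not "trust iss".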

Other

  • version 2.4.16.1 successfully runs against the OpenID Certification test suite for the OIDC RP and FAPI2 RP profiles
  • packages for the recent Ubuntu Noble stable release are added to the Assets section below

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, SUSE Linux, Amazon Linux, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
  • support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via [email protected]