ChangeLog

02/15/2024
- refactor zlib compression routines and add error checks
- bump to 2.4.15.4dev

02/13/2024
- release 2.4.15.3

02/12/2024
- set Redis default retry interval time to 300 milliseconds (instead of 0.5ms) and make it configurable
- rewrite handling of parallel refresh token grant requests
  - temporarily cache the results of the refresh token grant for other (almost) parallel callers
  - fixes handing on the same server, and improves clustered handling through a best-effort distributed cached lock
  - improves handling of non-rollover refresh tokens since it avoids unnecessary repeated calls to
    the token endpoint, unnecessary token issuance and possibly corruption because different tokens  "live"
    temporarily in the same (conceptual) session in parallel before the session is stored (and the last one wins)
- bump to 2.4.15.3dev

02/06/2024
- CVE-2024-24814: prevent DoS when `OIDCSessionType client-cookie` is set and a crafted Cookie header is supplied
  https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
- release 2.4.15.2

01/31/2024
- avoid crash when Forwarded is not present but OIDCXForwardedHeaders is configured for it; see #1171; thanks @daviddpd
- bump to 2.4.15.2dev

01/30/2024
- release 2.4.15.1

01/22/2024
- refactor metrics and fix Prometheus output overlap; closes #1161; see #1162 and #1160; thanks @studersi
- bump to 2.4.15.1rc0

01/17/2024
- use `apr_file_rename` in file cache backend to fix issue with renaming files on windows

01/09/2024
- release 2.4.15

12/29/2023
- fix Redis connnect retries and make it configurable through environment variable OIDC_REDIS_MAX_TRIES
- bump to 2.4.15rc14

12/28/2023
- set memory alignment of shm cache structs to 64 bytes; see #1067
  should fix running on Raspberry PI / ARMv7 32 bits (arm32v7)
- make sure the shm cache entry size is a multiple of 8 bytes, see #1067; thanks @sanzinger
- bump to 2.4.15rc13

12/22/2023
- generate 20-byte lowercase hexadecimal session identifiers

12/20/2023
- generate or propagate traceparent header using OIDCTraceParent; closes #1152; thanks @studersi
- include hostname,port and process id in User-Agent header on outgoing requests
- bump to 2.4.15rc12

12/19/2023
- metrics update:
  - rename "requests" class to "provider"
  - don't include label name in metric name
  - add HTTP response code and connectivity counters
  - reset counters in shared memory rather than removing
  - performance
- bump to 2.4.15rc11

12/18/2023
- metrics refactoring and extension
- bump to 2.4.15rc10

12/15/2023
- add (and fix) more metrics, including provider requests, authorization and cache
- bump to 2.4.15rc9

12/14/2023
- add metrics collection capability, configured with OIDCMetricsData and retrieved through OIDCMetricsPublish
- bump to 2.4.15rc8

11/30/2023
- fix SSL server certificate validation when revoking tokens
  apply `OIDCSSLValidateServer` setting rather than `OIDCOAuthSSLValidateServer` in `oidc_revoke_tokens`
  see https://github.com/OpenIDC/mod_auth_openidc/discussions/1141; thanks @mschmidt72
- bump to 2.4.15rc7

11/27/2023
- use clang-format-17 for code formatting and reformat all code

11/23/2023
- add iat and exp claims to request object; closes #1137
- bump to 2.4.15rc6

11/22/2023
- populate User-Agent header in outgoing HTTP requests with mod_auth_openidc, libcurl and OpenSSL
  version information and log it for debugging purposes
- bump to 2.4.15rc5

11/08/2023
- improve error message in case of curl timeouts
- bump to 2.4.15rc4

11/02/2023
- apply ISO-8859-1 ("latin1") as default encoding mechanism for claim values passed in headers and environment
  variables to comply with https://www.rfc-editor.org/rfc/rfc5987; see #957; use "OIDCPassClaimsAs <any> none"
  for backwards compatibility
- bump to 2.4.15rc3

11/01/2023
- avoid warnings on cache misses (regression introduced in 2.4.15rc1)
- bump to 2.4.15rc2

10/31/2023
- add capability to seamlessly rollover OIDCCryptoPassphrase using a (temporary) 2nd value that holds the old one
- bump to 2.4.15rc1
- remove obsolete support for Token Binding https://www.rfc-editor.org/rfc/rfc8471.html (id_token, access_token, session cookie)
- use only the User-Agent header as input for the state browser fingerprinting by default (no X-Forwarded-For)
  as cloud environments increasingly use dynamic proxy IPs in front
- use PKCE S256 by default; disable by configuring "OIDCPKCEMethod none"
- use SameSite cookies Strict by default; disable by configuring "OIDCCookieSameSite Off"
 
10/30/2023
- do not apply logout_on_error and authenticate_on_error when a parallel refresh token request is detected
  see https://github.com/OpenIDC/mod_auth_openidc/discussions/1132; thanks @esunke
- restore backwards compatibility wrt. allowing parallel refresh token requests by default, and add an
  option to prevent that (i.e. in case of rolling refresh tokens) using envvar OIDC_PARALLEL_REFRESH_NOT_ALLOWED
- return HTTP 500 on token refresh errors instead of HTTP 401
- retry failed outgoing HTTP requests and add options to configure it in OIDCHTTPTimeoutLong/OIDCHTTPTimeoutShort
- bump to 2.4.15rc0
  
10/12/2023
- release 2.4.14.4

10/11/2023
- improve behaviour when parallel refresh token grant requests occur on the same Apache server/host
  and rolling refresh tokens are issued; synchronize using a global refresh token lock and avoid
  corrupting the session by storing/overwriting an expired refresh token
- bump to 2.4.14.4rc6

09/22/2023
- performance: store userinfo refresh interval in session to avoid parsing JSON on each request
- fix memory leak in oidc_refresh_token_grant: free the parsed id_token that is returned
- bump to 2.4.14.4rc5

09/20/2023
- performance: skip re-validating cached provider metadata
- performance: use process based locking instead of global locking for Redis caching
- avoid potential process lifetime memory leak when mutex lock/unlock fails

09/19/2023
- fix performance issue with latin1 encoding when using OIDCPassClaimsAs <any> latin1
- add options for authentication to OIDCOutgoingProxy; thanks @drzraf
  see https://github.com/OpenIDC/mod_auth_openidc/discussions/1107
- add support for custom preserve/restore POST data templates with OIDCPreservePostTemplates
  to be used when OIDCPreservePost is set to On; the hard-coded internal templates are added to
  the test directory as an example; closes #195 (yeah...); thanks @kerrermanisNL and @spiazzi
- bump to 2.4.14.4rc3

09/14/2023
- fix `OIDCRefreshAccessTokenBeforeExpiry` when using it with `logout_on_error` or `authenticate_on_error`
  see #1111; thanks @brandonk10
- bump to 2.4.14.4rc0

09/05/2023
- release 2.4.14.3

08/25/2023
- add support for adding extra parameters to the Logout Request to the OP with OIDCLogoutRequestParams
  see: https://github.com/OpenIDC/mod_auth_openidc/discussions/1096
- bump to 2.4.14.3rc7

08/13/2023
- increase performance of JQ filtering by caching JQ filtering results
  default cache ttl is 10 min, configured through environment variable OIDC_JQ_FILTER_CACHE_TTL
- bump to 2.4.14.3rc5

07/25/2023
- support "authenticate_on_error" 2nd parameter value in OIDCRefreshAccessTokenBeforeExpiry 
  to reauthenticate the user when refreshing the access token fails
  see: https://github.com/OpenIDC/mod_auth_openidc/discussions/1084; thanks @xrammit
- add logout_on_error and authenticate_on_error 2nd parameter option to OIDCUserInfoRefreshInterval
- bump to 2.4.14.3rc4

07/18/2023
- allow relative values in OIDCDefaultURL and OIDCDefaultLoggedOutURL
- bump to 2.4.14.3rc3

07/14/2023
- fix session updates on userinfo requests; see https://github.com/OpenIDC/mod_auth_openidc/discussions/1077
  this bug was introduced in v2.4.11 with d9fff154ee6ee8a7e4e969dd6a68cbaf18354598
- bump to 2.4.14.3rc2

07/12/2023
- add a sanity alg/enc check on self-encrypted AES GCM JWTs
- add `OIDCPassAccessToken Off` option to disable (the default of) passing the access token and its expiry
  in the OIDC_access_token/OIDC_access_token_expires header/environment variables; thanks @mattias-asander
- bump to 2.4.14.3rc1

06/05/2023
- avoid using encryption keys as signing keys for request objects and private_key_jwt token endpoint auth
- log the first Redis error as a warning before retrying
- release 2.4.14.2

05/30/2023
- revert all 401/403/302/stepup behaviour to <= 2.4.13.2
- bump to 2.4.14.2rc1

05/25/2023
- add support for extend_session=false query parameter to the info hook
  to avoid extending the session on calls to the info hook
- bump to 2.4.14.2rc0

05/24/2023
- fix RequireAny behaviour on 401/403/302: revert 9d6192b2ab0716d8f7d2a29754a80b6ab1e804eb for non-stepup authentication cases
- make OIDCUnautzAction 302|auth (i.e. step up authentication) work with multiple/complex Require expressions e.g. RequireAny
- release 2.4.14.1

05/17/2023
- fix refreshing claims from the userinfo endpoint when no id_token claims are stored in the session
- fix memory leak when refreshing claims from the userinfo endpoint
- bump to 2.4.14.1rc0
- fix docs on OIDCUnAutzAction 403 in auth_openidc.conf because we no longer rely on Apache 2.4's AuthzSendForbiddenOnFailure On to return 403

05/15/2023
- release 2.4.14

05/05/2023
- add exec support to OIDCClientSecret; see #1056; thanks @sealor

05/04/2023
- cater for libapr/libapr-util version 1.2.x
- bump to 2.4.14rc13

04/27/2023
- increase default OIDCCacheShmMax to 10000

04/25/2023
- add options to avoid revoking tokens before logout
  as some OPs may kill their SSO session that would make subsequent logout fail;
  configure an empty string in OIDCProviderRevocationEndpoint or set the
  OIDC_DONT_REVOKE_TOKENS_BEFORE_LOGOUT environment variable
- bump to 2.4.14rc12

04/24/2023
- preserve linefeeds in text areas with OIDCPreservePost On
  by changing the order of the "type=hidden" in the restore Javascript page
  see: https://github.com/OpenIDC/mod_auth_openidc/discussions/717
  thanks @paulQdata and @jansmets

04/23/2023
- add environment variable OIDC_DONT_STORE_ID_TOKEN_CLAIMS_IN_SESSION option to not store
  the claims in the id_token in the session, to avoid storing claims that are not used anyway
  and/or overlap with userinfo claims
- bump to 2.4.14rc11

04/21/2023
- use compressed serialized JSON for encrypted cache entries instead of signed JWTs, reducing cache entry size
- refactor (internal) encrypted JWTs handling
  - remove support for obsoleted internal signed JWTs
  - add resilience for corrupted metadata and jwks_uri cache entries

04/20/2023
- allow defining OIDCPassIDTokenAs on a per-location/directory level; also fixes resetting back to "claims" in vhosts
- turn of caching by default for `OIDCPassUserInfoAs signed_jwt`
- use compressed serialized JSON for encrypted state and session cookies, reducing their size; thanks @hihellobolke
- bump to 2.4.14rc10

04/19/2023
- add support for using Elliptic Curve keys with `OIDCPassUserInfoAs signed_jwt`
- bump to 2.4.14rc9

04/18/2023
- support calling the refresh token grant before doing RP-initiated logout
  when the environment variable OIDC_REFRESH_TOKENS_BEFORE_LOGOUT is set
  may be used to supply a (fresh or non-cached) id_token_hint logout request parameter
- add support for returning the serialized id_token as id_token_hint from the info hook
- fix crash when using a multi-provider setup and Provider has signed_jwks_uri set but
  the conf file does not define signed_jwks_uri_key
- correct return value from oidc_cache_shm_destroy to avoid misleading
  "cache destroy function failed" error messages
- bump to 2.4.14rc8

04/16/2023
- OIDCUnAutzAction auth for stepup authentication now immediately returns a 302 instead
  of a 200 HTML page with a meta refresh tag and a Location header
- also fix OIDCUnAutzAction 403 so it does not rely on AuthzSendForbiddenOnFailure
- bump to 2.4.14rc7

04/13/2023
- fix session cookie decompression error with OIDCSessionType client-cookie; closes #1046; thanks @oss-aimoto
  this would occur when the uncompressed JWT is larger than 4 times the compressed JWT
    oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:901: oidc_jose_zlib_uncompress]: inflate failed
    oidc_session_decode: could not verify secure JWT: cache value possibly corrupted
  https://github.com/OpenIDC/mod_auth_openidc/pull/1047
- add option to strip the AES GCM header from encrypted state/session JWTs with env var OIDC_JWT_STRIP_HDR=true
- bump to 2.4.14rc6

04/11/2023
- add caching of signed userinfo JWTs; default cache time is set to the "exp" claim, can be configured/disabled with:
    SetEnvIfExpr true "OIDC_USERINFO_SIGNED_JWT_CACHE_TTL=0" 
  be careful when setting "jti", "nbf", "iat" and" "exp" claims in the OIDCUserInfoClaimsExpr filter since they may
  overload the cache with entries per-user/per-timestamp if the result differs from the previous request
- bump to 2.4.14rc5

04/11/2023
- add OIDCFilterClaimsExpr that allows for processing claims in the both the id_token and claims from the
  userinfo endpoint before storing them in the session, after applying (optional) blacklisting/whitelisting
  on the toplevel keys; only available when compiled/linked with libjq
- fix memory access error using default value for OIDCPassUserInfoAs
- bump to 2.4.14rc4

04/10/2023
- add support for OIDCUserInfoClaimsExpr that allows for processing claims returned from the userinfo
  endpoint with a JQ-based expression before propagating them according to OIDCPassUserInfoAs claims|json|signed_jwt
  (ie. does not work for "OIDCPassUserInfoAs jwt"), and is only available when compiled/linked with libjq
- allow OIDCPassUserInfoAs directive in Location/Directory contexts  
- fix memory leak when using JQ-based expressions in "Require claims_expr"
- bump to 2.4.14rc3

04/09/2023
- make sure mod_auth_openidc runs before mod_proxy so calls to the redirect URI are never proxied
  and no separate Location directive or ProxyPass exception for OIDCRedirectURI is required (anymore)
- handle discovery in the content handler so regular Apache processing applies to the HTTP/HTML response
- bump to 2.4.14rc2

04/09/2023
- return 40x instead of 200 on all (authorization) error responses
- correct backwards compatibility with <2.4.14 for state mismatch/timeout handling
- bump to 2.4.14rc1

04/07/2023
- deprecate OIDCHTMLErrorTemplate and rely on standard Apache error handling capabilities by default
  environment variable strings REDIRECT_OIDC_ERROR and REDIRECT_OIDC_ERROR_DESC are available in ErrorDocument
  backwards compatibility is retained by setting "OIDCHTMLErrorTemplate deprecated"
- bump to 2.4.14rc0

04/07/2023
- add support for passing on claims resolved from the userinfo endpoint in a JWT signed by
  mod_auth_openidc using `OIDCPassUserInfoAs signed_jwt[:<name>]`  with the keys configured
  in OIDCPrivateKeyFiles/OIDCPublicKeyFiles
- add support for overriding the default header/environment variable names in
  `OIDCPassUserInfoAs json:<name>` (default: "OIDC_userinfo_json")
  and
  `OIDCPassUserInfoAs jwt:<name>` (default: "OIDC_userinfo_jwt")
- bump to 2.4.13.3rc3

04/06/2023
- merge client_signing_keys and client_encryption_keys into client_keys
  since we detect the usage type correctly now
- bump to 2.4.13.3rc2

04/04/2023
- support configuration of dedicated signing and encryption keys in the primitives:
  OIDCPublicKeyFiles, OIDCPrivateKeyFiles, OIDCProviderVerifyCertFiles, OIDCOAuthVerifySharedKeys and OIDCOAuthVerifyCertFiles
  by using the prefix "sig:" or "enc:" in the value; using this in OIDCPublicKeyFiles also
  publishes separate "use: sig" and/or "use: enc" keys on the client jwks_uri <redirect_uri>?jwks=rsa
- fix: don't immediately refresh of JWKs from (signed)_jwks_uri if "kid" was not set in JWT, but try the cache first
- fix: properly respect "use" attribute (sig/enc) in signing, verification and encryption
- bump to 2.4.13.3rc1

04/03/2023
- generate Elliptic Curve "kid" using curve identifier with htonl in network byte order
  so "make check" works on big endian platforms
- include openssl/err.h in config.c to avoid compiler warning with OpenSSL 1.0.x
- bump to 2.4.13.3rc0

04/03/2023
- release 2.4.13.2

04/01/2023
- allow target_link_uri's without a path in 3rd-party-init SSO with a multi-provider setup
- correct error log in target_link_uri matching

03/28/2023
- CVE-2023-28625: prevent core dump when OIDCStripCookies is set and a crafted Cookie header is supplied
  https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-f5xw-rvfr-24qr
- replace apr_strnatcmp/strcmp with _oidc_strcmp and replace strncmp with _oidc_strncmp
- handle OpenSSL initialization in new oidc_pre_config_init function:
  this allows omitting "kid" in OIDCPublicKeyFiles (ao.) when linked against OpenSSL 1.0.x

03/27/2023
- fix code scanning alerts
- bump to 2.4.13.2rc2
  
03/24/2023
- add support for Elliptic Curve signing/encryption keys in addtion to RSA keys,
  i.e. client keys configured in OIDCPrivateKeyFiles/OIDCPublicKeyFiles, published on OIDCClientJwksUri
  and used in private_key_jwt authentication, encrypted id_token's, request objects/uri's,
  but also statically configured provider keys in OIDCOAuthVerifyCertFiles and OIDCProviderVerifyCertFiles
- refactor Docker tests make targets; add test/Makefile
- bump to 2.4.13.2rc1

03/24/2023
- record authorization errors in environment variable OIDC_AUTHZ_ERROR
  so its value can be used in logs e.g. with HTTP 401 responses:
    LogFormat "%h %l %u %t %U %401{OIDC_AUTHZ_ERROR}e %>s %b" combined
- log authorization errors with oidc_debug instead of oidc_info
- bump to 2.4.13.2rc0

03/10/2023
- fix oidc_jwk_list_copy and usage of OIDCProviderVerifyCertFiles
- release 2.4.13.1

03/10/2023
- shm cache: increase default maximum number of active sessions from 500 to 2000
- shm cache: allow configuration of max 1Mb of session data for a single session
- use deep-copy and cleanup functions for server and provider configs; fixes overriding server-level keys in vhost configs
- release 2.4.13

03/09/2023
- add support for OP "signed_jwks_uri" with "OIDCProviderSignedJwksUri <uri> <jwk>"
- don't pull JWKs when the id_token was signed with a symmetric key
- don't immediately refresh of JWKs from (signed)_jwks_uri if "kid" was not set in JWT, but try the cache first
- warn about incorrect configurations not setting OIDCCryptoPassphrase; see https://github.com/OpenIDC/mod_auth_openidc/discussions/1030
- bump to 2.4.13rc5

03/08/2023
- move repo to OpenIDC github organization

03/02/2023
- allow setting minumum and maximum versions of TLS used in HTTPs calls via libcurl environment
  variable CURLOPT_SSL_OPTIONS e.g.:
  SetEnvIfExpr true "CURLOPT_SSL_OPTIONS=CURL_SSLVERSION_TLSv1_3 CURL_SSLVERSION_MAX_TLSv1_3" ; bump to 2.4.13rc3
- bump to 2.4.13rc3

03/01/2023
- revert accidentally removed libbrotli code in jose.c
- bump to 2.4.13rc2

02/19/2023
- add optional - compilation time support - for brotli compression of session and state cookies

02/17/2023
- avoid (small) memory leak when using OpenSSL 3.x when setting public/private keys
  (over graceful restarts) in the config and/or importing JWKs with x5c specs
- compress session and state cookies; add zlib as a dependency
- bump to 2.4.13rc0

01/27/2023
- increase maximum allowed size of HTTP responses (e.g. from token endpoint) to 10Mb; see #998; thanks @mikehearn
- do a sanity check on the individual size of claim values stored in the session, warn about blacklisting if > 8Kb
- bump to 2.4.12.4rc2

01/23/2023
- release 2.4.12.3

01/20/2023
- add OIDCProviderVerifyCertFiles option to statically configure ID token validation keys; see #989; thanks @madsfreek
- fix bug in OIDCOAuthVerifyCertFiles where cert(s) would be cast to apr_hash_t instead of apr_array_header_t; see #990; thanks @bommo1
- bump to 2.4.12.3rc0

12/28/2022
- update sample/test Dockerfile to Ubuntu Jammy

12/13/2022
- CVE-2022-23527: prevent open redirect in default setup when OIDCRedirectURLsAllowed is not configured
  see: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53
- release 2.4.12.2

12/08/2022
- simplify redis context code
- bump to 2.4.12.2rc1

11/18/2022
- allow overriding the type of lock used at compile time with OIDC_LOCK
- bump to 2.4.12.2rc0

11/15/2022
- release 2.4.12.1

11/13/2022
- switch to using apr_generate_random_bytes instead of apr_uuid_get to generate session identifiers
  so there's no longer a (rather implicit) dependency on a libapr that is compiled againt libuuid
  on Linux platforms; see #431, #603 and #694; thanks @amitnarang28
- cache file backend fix: delete the correct file upon logout; closes #955; thanks @damisanet
- bump to 2.4.12.1rc5

11/08/2022
- add option to use ISO-8859-1 encoding for propagated claim values by adding
  "latin1" option to OIDCPassClaimsAs <> latin1; see #957; thanks @nvchaudhari1991
  Note that the encoding - including the existing "base64url" - apply to both header and
  environment variables as well now.
- bump to 2.4.12.1rc4

10/26/2022
- OIDCProviderMetadataRefreshInterval was interpreted in microseconds instead
  of the documented and intended seconds; setting in to seconds would effectively
  turn of caching and pull the configuration document on each request
- bump to 2.4.12.1rc3

10/25/2022
- define APLOG_TRACE1 if it does not exist
- bump to 2.4.12.1rc2

10/20/2022
- CI: add memory and semaphore checks on various distro's
- correct ap_hook_insert_filter function signature in stub.c, part 3; see #784
- fix printout of cache mutex errors in cache/common.c
- prefer APR_LOCK_POSIXSEM over APR_LOCK_DEFAULT in apr_global_mutex_create
  which is apparently required for (some) ARM based builds (and CI)
- bump to 2.4.12.1rc1
- fix potential memory leak in proto.c when oidc_util_create_symmetric_key fails
- fix potential memory leak in proto.c when oidc_proto_validate_access_token fails (at_hash validation)

10/19/2022
- fix cleanup of semaphores on graceful restarts; see #522, closes #458
  simplify mutex/shm cleanup without semaphores because we track the parent process anyway; 
- bump to 2.4.12.1rc0

10/17/2022
- release 2.4.12

10/15/2022
- add option to set a username for Redis authentication via OIDCRedisCacheUsername
- bump to 2.4.11.4rc7

10/14/2022
- set minimum number of default memcache threads to 0 to retain backwards compatibility
  see #916
- support OIDCSessionInactivityTimeout values greater than 30 days when using Memcache
  see #936, thanks @takesson
- bump to 2.4.11.4rc6

10/03/2022
- add -fPIC to test and test-cmd compilation; see #925
- bump to 2.4.11.4rc5

09/23/2022
- allow for step-up discovery with an external URL using HTML refresh 
  fixes behaviour on CentOS 7/8 when combined with ProxyPass
- bump to 2.4.11.4rc4

09/12/2022
- add options to retrieve the configuration document only or pull keys from the JWKS URI;
  for certification purposes
- check ID token signed response algorithm on backchannel logout_token and retrieve its
  configuration value from the client metadata file; for certification purposes
- register request_object_signing_alg in dynamic client registration when using request_uri;
  for certification purposes
- bump to 2.4.11.4rc3

09/08/2022
- store access token obtained from backchannel in session over the one returned
  in the frontchannel for "code token" and "code id_token token" flows; for 
  certification purposes
- apply exact length matching for at_hash and c_hash validation; for certification purposes
- increase size of the output buffer when using libpcre2 for substitution; closes #915
- bump to 2.4.11.4rc2
- allow setting connection pool parameters for Memcache server connections;
  see #916; thanks @rpluem-vf

08/24/2022
- avoid using $< in Makefile
- allow storing the id_token in a client-cookie based session; see #812 and #888
- bump to 2.4.11.4rc1

08/22/2022
- add oidc_util_strcasestr
- bump to 2.4.11.4rc0

08/22/2022
- release 2.4.11.3

08/15/2022
- avoid memory leak when using PCRE2 regular expressions with array matching; closes #902; thanks @smanolache
- avoid memory leak when cjose_jws_get_plaintext fails; closes #903; thanks @smanolache
- bump to 2.4.11.3rc4

05/20/2022
- fix handling of IPv6 based logout URLs; thanks @@codemaker219
- bump to 2.4.11.3rc1

05/16/2022
- Use optionally provided sid and iss request parameters during front channel
  logout; see #855; thanks @rpluem-vf

05/06/2022
- support Forwarded header in addition to X-Forwarded-*; see #853; thanks @studersi
- bump to 2.4.11.3rc0

05/05/2022
- release 2.4.11.2

05/04/2022
- add support for Apache expressions in OIDCPathAuthRequestParams and OIDCPathScope; see #594
- bump to 2.4.11.2rc2

04/22/2022
- add no Cache-Control headers to logout request response; see #846; thanks @blackwhiser1
- bump to 2.4.11.2rc1

04/06/2022
- don't strip the header from encrypted JWTs as future versions of cjose may use compact
  encoding for JWEs; this slightly increases state cookie size, by-value session cookies
  and encrypted cache contents again at the benefit of forward cjose compatibility
- bump to 2.4.11.2rc0

03/29/2022
- release 2.4.11.1

03/28/2022
- correct registration_endpoint_json naming in auth_openidc.conf documentation 

03/21/2022
- fix OIDCUnAuthAction pass, see #790
- bump to 2.4.11.1rc5

03/18/2022
- fix make check; add @smanolache to the AUTHORS file
- bump to 2.4.11.1rc4

03/17/2022
- fix memory leaks over graceful restarts: use s->process->pconf pool instead of
  the s->process->pool in oidc_slog and oidc_cache_shm_cfg_create
  closes #823 and #824; thanks @smanolache

03/14/2022
- fix temporary cache file naming; see #777

03/08/2022
- fix a 2nd race condition in the file cache backend; see #777; thanks @dbakker and @blackwhiser1
- bump to 2.4.11.1rc3

03/04/2022
- add support for OpenSSL 3.0
- remove test-cmd jwk2cert command
- bump to 2.4.11.1rc2

02/28/2022
- add a check to make sure URLs do not contain unencoded Unicode characters; see #796; thanks @cnico
- bump to 2.4.11.1rc1

02/27/2022
- document Apache 2.4 behavior on OIDCUnAutzAction 403; see #795; thanks @candlerb

02/04/2022
- correct ap_hook_insert_filter function signature in stub.c, part 2; closes #784; thanks @stroeder

02/03/2022
- add Valgrind Github action
- warn about mismatch between incoming X-Forwarded-* headers and OIDCXForwardedHeaders configuration
- avoid using %llu print formatter and switch to %lu for unsigned long so it works cross platform
- bump to 2.4.11.1rc0

01/26/2022
- improve handling session duration expiry when combined with OIDCUnAuthAction or Discovery
  also clear r->user in oidc_session_kill for such cases; see #778
- release 2.4.11

01/24/2022
- fix race condition in file cache backend reading truncated files under load; see #777; thanks @dbakker
- bump to 2.4.11rc7

01/23/2022
- fix regular expressions in Require statements
- bump to 2.4.11rc6

01/22/2022
- no longer defer Discovery to the content handler to allow RequireAll and Require not directives
  see #770; closes #775; thanks @rajeevn1
- bump to 2.4.11rc5

01/17/2022
- terminate on startup when the crypto passphrase generated by "exec:" is empty; see #767
- bump to 2.4.11rc4

01/15/2022
- correct printout of session id and remote user tuple for new sessions
- avoid debug printout of payload as header when the latter is stripped

01/14/2022
- fix: avoid crash when using pcre2 for claims matching: don't pass NULL for errorstr
- add administrative session revocation capability <redirect_uri>?revoke_session=<uuid>
- bump to 2.4.11rc3

01/12/2022
- add AM_PROG_CC_C_O to configure.ac (at least for RHEL 7.7); see #765; thanks @bitmagewb
- include <openssl/bn.h> in jose.c to compile with OpenSSL 1.0.x
- fix parameters to get_current_url in oidc_handle_unauthorized_user22
- bump to 2.4.11rc2

01/06/2022
- improve detection of suspicious redirect URLs; add test list
- bump to 2.4.11rc1

12/24/2021
- make interpretation of X-Forwarded-* headers configurable, defaulting to none
  so mod_auth_openidc running behind a reverse proxy that sets X-Forwarded-* headers
  needs explicit configuration of OIDCXForwardedHeaders
- bump to 2.4.11rc0

12/21/2021
- add "x5t" to JWT header in private_key_jwt client assertions; for interop with Azure AD
- add CI Github workflow over Travis
- bump to 2.4.10.1rc4

12/16/2021
- make X-Frame-Options header returned on OIDC front-channel logout requests configurable
  through OIDCLogoutXFrameOptions; closes #464
- bump to 2.4.10.1rc3

12/15/2021
- remove typedef for oidc_pcre to avoid compiler errors

12/02/2021
- add support for libpcre2; see #740
- bump to 2.4.10.1rc2

12/01/2021
- allow authorization on info requests, see #746
- bump to 2.4.10rc1

11/28/2021
- install taking into account DESTDIR; see #674; thanks @alerque

11/11/2021
- correct ap_hook_insert_filter function signature in stub.c; closes #732; thanks @stroeder
- bump to 2.4.10.1rc0

11/10/2021
- release 2.4.10

11/03/2021
- add redirect/text options to OIDCUnAutzAction; see #715; thanks @chrisinmtown
- bump to 2.4.10rc1

11/02/2021
- add check for Sec-Fetch-Dest header != "document" value to auto-detect requests that are not
  capable of handling an authentication round trip to the Provider;
  see https://github.com/zmartzone/mod_auth_openidc/discussions/714; thanks @studersi
- bump to 2.4.10rc0

10/28/2021
- use apxs to link the module in Makefile.am
- bump to 2.4.9.5rc8

10/27/2021
- fix regexp substition crash using OIDCRemoteUserClaim; thanks @nneul; closes #720
- backport ap_get_exec_line, supporting the "exec:" option in OIDCCryptoPassphrase
- add check for Sec-Fetch-Mode header != "navigate" value to auto-detect XML HTTP Requests
- bump to 2.4.9.5rc7

10/22/2021
- complete usage of autoconf/automake; see #674
- bump to 2.4.9.5rc4

10/20/2021
- fix parallel builds (on Debian) for now
- bump to 2.4.9.5rc1

10/19/2021
- log require claims failure on info level
- bump to 2.4.9.5rc0

09/09/2021
- fix memory leak when parsing JWT access token fails (in RS mode)

09/07/2021
- reorganize Redis code for extensibility

09/03/2021
- return HTTP 200 for OPTIONS requests in auth-openidc mixed mode
- don't apply claims based authorization for OPTIONS requests
  so paths protected with Require claim directives will now also
  return HTTP 200 for OPTIONS requests
- fix typo in 2.2 authorization routine

09/03/2021
- don't apply authz in discovery process; fixes 2.4.9.3
- apply OIDCRedirectURLsAllowed setting to target_link_uri; closes #672; thanks @Meheni
- release 2.4.9.4

08/26/2021
- don't apply authz to the redirect URI; fixes ac5686495a51bc93e257e42bfdc9c9c46252feb1
- bump to 2.4.9.3

08/20/2021
- fix graceful restart (regression); see #458; thanks @Foxite
- bump to 2.4.9.2

08/18/2021
- preserve session cookie in the event of a cache backend failure
- update the id_token in the session cache if one is provided while refreshing the access token

08/13/2021
- fix retried Redis commands after a reconnect; thanks @iainh
- release 2.4.9.1

07/22/2021
- use redisvCommand to avoid crash with crafted key when using Redis without encryption; thanks @thomas-chauchefoin-sonarsource
- replace potentially harmful backslashes with forward slashes when validating redirection URLs; thanks @thomas-chauchefoin-sonarsource
- release 2.4.9
- don't use DEFAULT_LIMIT_REQUEST_LINE constant; since it does not exist in Apache 2.2.x

07/15/2021
- verify that "alg" is not none in logout_token explicitly
- make session not found on backchannel logout produce a log warning instead of error
- don't clear POST params authn on token revocation; thanks @iainh
- bump to 2.4.9rc0

07/02/2021
- handle discovery in the content handler
- return OK in the content handler for calls to the redirect URI and when preserving POST data

06/25/2021
- avoid XSS vulnerability when using OIDCPreservePost On and supplying URLs that contain single quotes
  thanks @oss-aimoto

06/21/2021
- strip A256GCM JWT header from encrypted JWTS used for state cookies, cache encryption and by-value session cookies
  resulting in smaller cookies and reduced cache content size

06/10/2021
- use encrypted JWTs for storing encrypted cache contents and avoid using static AAD/IV; thanks @niebardzo
- bump to 2.4.9-dev

06/04/2021
- fix a problem where the host and port are calculated incorrectly, when you use literal ipv6 address.

06/02/2021
- do not send state timeout HTML document when OIDCDefaultURL is set; this can be overridden by using e.g.:
  SetEnvIfExpr true OIDC_NO_DEFAULT_URL_ON_STATE_TIMEOUT=true 
- release 2.4.8.4

06/01/2021
- avoid Apache 2.4 appending 400/302(200/404) HTML document text to state timeout HTML info page
  see also f5959d767b0eec4856d561cbaa6d2262a52da551 and #484; at least Debian Buster was affected
- release 2.4.8.3

05/18/2021
- make error "session corrupted: no issuer found in session" a warning only so a logout call for a
  non-existing session no longer produces error messages

05/08/2021
- store timestamps in session in seconds to avoid string conversion problems on some (libapr-1)
  platform build/run combinations, causing "maximum session duration exceeded" errors
- bump to 2.4.8.2

05/07/2021
- add OIDCClientTokenEndpointKeyPassword option to allow the use of an encrypted private key
- release 2.4.8.1

04/30/2021
- fix potential crash when Content-Type is not set in POST requests; thanks Tatsuhiko Yasumatsu of JPCERT/CC
- release 2.4.8

04/21/2021
- on OAuth 2.0 RS token scope/claim 401 error, add environment variable for usage with mod_headers,
  instead of adding a header ourselves; see #572; usage, e.g;
    Header always append WWW-Authenticate %{OIDC_OAUTH_BEARER_SCOPE_ERROR}e "expr=(%{REQUEST_STATUS} == 401) && (-n reqenv('OIDC_OAUTH_BEARER_SCOPE_ERROR'))"
- bump to 2.4.8-dev

04/13/2021
- add OIDCRedisCacheConnectTimeout and OIDCRedisCacheTimeout options to configure Redis timeouts
- bump to 2.4.7.2

04/12/2021
- fix memory leaks when caching fails
- bump to 2.4.7.1

04/04/2021
- improve documentation on OIDCPreservePost
- release 2.4.7

04/01/2021
- bump to 2.4.7rc1

02/16/2021
- remove session from cache before clearing it.

02/12/2021
- add maximum session lifetime (exp), inactivity timeout (timeout) and remote_user to OIDCInfoHook
- bump to 2.4.7-dev

02/08/2021
- return 400 instead of 500 when state cookie matching fails
- release 2.4.6

02/03/2021
- avoid displaying the client_secret in debug logs

01/28/2021
- avoid segmentation fault when hitting an endpoint configured with AuthType openid-connect
  in an OAuth 2.0 only setup; see #529

01/23/2021
- fix semaphore cleanup on graceful restarts; see #522

01/12/2021
- fix inconsistent public/private keys loading order; closes #515

12/17/2020
- remove support for https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state

12/10/2020
- add "base64url" option to OIDCPassClaimsAs primitive; closes #417

12/09/2020
- add Redis database selection option with OIDCRedisCacheDatabase; closes #423
- optimize Redis AUTH execution once per connection

12/07/2020
- don't set SameSite=None on cookies when on plain http

12/03/2020
- add environment variable to control libcURL CURLOPT_SSL_OPTIONS behaviors
  e.g.: SetEnvIfExpr true CURLOPT_SSL_OPTIONS=CURLSSLOPT_NO_REVOKE

11/23/2020
- release 2.4.5
- make sure the module compiles with Apache 2.2 for passphrase exec:
- bump to 2.4.6-dev

11/19/2020
- ensure that "sub" is returned from the userinfo endpoint following https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
  prevents potential ID spoofing; thanks Christian Fries of Ruhr-University Bochum
- don't printout JSON errors about NULL characters in error log; thanks Christian Fries of Ruhr-University Bochum
- restrict printout of JSON parsing errors to 4096 bytes; thanks Christian Fries of Ruhr-University Bochum
- bump to 2.4.5rc6

11/5/2020
- fix content processing for info and JWKs handler so mod_headers etc. works; closes #497
- bump to 2.4.5rc5

11/2/2020
- improve sanity checking on Redis reply
- bump to 2.4.5rc4

10/30/2020
- disable caching token introspection results by setting OIDCOAuthTokenIntrospectionInterval to -1; thanks @wadahiro
- bump to 2.4.5rc3

10/27/2020
- config check on OIDCCryptoPassphrase in OAuth 2.0 RS setup with cache encryption enabled
- bump to 2.4.5rc2

10/22/2020
- hash define expression option to OIDCUnAuthAction so it compiles for Apache 2.2; fixes 1461634
- bump to 2.4.5rc1
- add exec support to OIDCCryptoPassphrase
 
10/19/2020
- delete stale session cookies that aren't in the cache
- allow OIDCDiscoverURL to be a relative URL

10/08/2020
- add OIDCCABundlePath for configuring path to curl CA bundle

09/22/2020
- avoid Apache 2.4 appending 401 HTML document text to step-up authentication HTML refresh page; closes #484
- bump to 2.4.5rc0

09/21/2020
- populate AUTH_TYPE when performing authentication; thanks @spanglerco

09/19/2020
- enable authentication of sub-requests when the main request doesn't require
  authentication; thanks @spanglerco

09/03/2020
- add SameSite attribute on cookie clearance / logout; thanks @v0gler
- bump to 2.4.4.1

09/01/2020
- forward port Tufin patches
- always set session cookie same site policy to Lax
- disable cookie domain check
- unset host headers for metadata URL retrieval
- bump to 2.4.4-tufin

09/01/2020
- avoid GCC 9 compiler warnings
- release 2.4.4

08/28/2020
- allow Content-Type check on backchannel logout to have postfixes (utf-8 etc)
- terminate backchannel logout with DONE instead of OK to avoid authz error 500
- bump to 2.4.4rc8

08/18/2020
- add recommended cache headers on backchannel logout response
  https://openid.net/specs/openid-connect-backchannel-1_0.html#rfc.section.2.8
- bump to 2.4.4rc7

08/10/2020
- add new OIDCStateCookiePrefix primitive for the state cookie prefix

08/01/2020
- add conditional expression to OIDCUnAuthAction; see #479; thanks @raro42 and @marcstern
- bump to 2.4.4rc6

07/31/2020
- reverse order of creating HTML response and adding session cookie; thanks @deisser
- bump to 2.4.4rc5

07/30/2020
- fix doubled Set-Cookie behaviour when using `client-cookie`, calling the session info hook
  and writing out a session update (twice); thanks @deisser
- bump to 2.4.4rc4

07/27/2020
- prevent XSS and open redirect on OIDC session managemement OP iframe with OIDCRedirectURLsAllowed
  thanks Andrew Brady
- bump to 2.4.4rc3

07/22/2020
- delete state cookie when it cannot be decoded/decrypted
- bump to 2.4.4rc2

07/03/2020
- fix for loop initial declarations to not require c99 for compilation (RHEL 6)
- add ap_expr.h include in stub.c (RHEL 6)
- bump to 2.4.4rc1

06/30/2020
- add grant_types to dynamic client registration request
- don't send access_token in user info request when method is set to POST; conform OIDC test suite 4.0.5
- bump to 2.4.4rc0

06/10/2020
- prevent open redirect on refresh token requests
  add new OIDCRedirectURLsAllowed primitive to handle post logout and refresh-return-to validation
  addresses #453; closes #466
- release 2.4.3

06/09/2020
- fix complex expressions crash when compiled from source with libjq; closes #472
  thanks vincentscharf0803
  introduced by OIDCStateInputHeaders addition in 2.4.3rc0
- bump to 2.4.3rc1

05/11/2020
- added OIDCValidateIssuer to allow for disabling of issuer matching.  helps to support multi-tenant applications.

05/02/2020
- when stripping cookies, add a space between cookies in the resulting header (required by RFC 6265)
- move oidc_parse_config inside MODULE_MAGIC_NUMBER_MAJOR to make sure the module compiles with Apache 2.0

04/25/2020
- add OIDCStateInputHeaders that allows configuring the header values used to calculate the fingerprint of the state during authentication
- bump to 2.4.3rc0

03/25/2020
- oops: fix json_deep_copy of claims
- release 2.4.2.1

03/24/2020
- fix memory leak in OAuth 2.0 JWT validation; closes #470; thanks Conrad Thukral
- fix configured private/public key cleanup on process exit

03/21/2020
- allow for expressions in Require statements, see #469; thanks @wwaaron
  also see: https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization#expressions-in-require-statements
- bump to 2.4.2rc5

03/19/2020
- always refresh keys from jwks_uri when there is no kid in the JWT header
- bump to 2.4.2rc4

03/15/2020
- destroy shared memory segments only in parent process; see #458
- bump to 2.4.2rc3

03/10/2020
- fix memory leaks introduced by #457
- bump to 2.4.2rc2

02/19/2020
- if content was already returned via html/http send then don't return 500
  but send 200 to avoid extraneous internal error document text to be sent
  on some Apache 2.4.x versions e.g. CentOS 7
- bump to 2.4.2rc1

02/03/2020
- if OIDCPublicKeyFiles contains a certificate, the corresponding x5c, x5t and x5t#256 
  parameters will be added to the generated jwkset available at "<redirect_uri>?jwks=rsa"
  thanks @absynth76
- fix: also add SameSite=None to by-value session cookies
- bump to 2.4.2rc0

01/30/2020
- try to fix graceful restart crash; see #458
- release 2.4.1

01/29/2020
- always add a SameSite value to the Set-Cookie header to satisfy upcoming Chrome/Firefox changes
  this can be overridden by using, e.g.:
    SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
- release 2.4.1rc6

01/22/2020
- URL encode logout url in session management JS; thanks Paolo Battino
- bump to 2.4.1rc5

01/15/2020
- add value of OIDC_SET_COOKIE_APPEND env var to Set-Cookie headers
  useful for handling changing/upcoming SameSite behaviors across different browsers, e.g.:
    SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=SameSite=None
- bump to 2.4.1rc4

01/08/2020
- support 407 option on OIDCUnAuthAction

12/09/2019
- fix parsing of values from metadata files when the default is non-NULL (e.g. UNSET)
- enforce OIDCIDTokenSignedResponseAlg and OIDCUserInfoSignedResponseAlg; see #435
- bump to 2.4.1rc2
- support login with OIDC session management; address #456
- bump to 2.4.1rc3

12/05/2019
- add the possibility to use a public key instead of a certificate for OIDCPublicKeyFiles parameter
- added an alpine dockerfile =~ 20MB container size

12/04/2019
- return 200 OK for backchannel logout if session not found
- bump to 2.4.1rc1

11/19/2019
- make cleaning of expired state cookies log with a warning rather than an error; thanks Pavel Drobov
- bump to 2.4.1rc0

10/03/2019
- improve validation of the post-logout URL parameter on logout; thanks AIMOTO Norihito; closes #449
- release 2.4.0.3
- clear any existing chunked cookies when setting a non-chunked cookie; prevents login loops in some scenarios

08/28/2019
- fixes #447 #441 : changed storing POST params from localStorage to
  sessionStorage due to some issue of losing data in localStorage in Firefox
  (private mode) 

08/22/2019
- release 2.4.0

08/16/2019
- revert 3d95b4a3fbc493c6acc745626ac33143eb4968bf: don't return early from the content handler

08/15/2019
- be smart about picking the token endpoint authentication method when not configured explicitly:
  don't choose the first one published by the OP but prefer client_secret_basic if that is listed as well
  see: panva/node-oidc-provider#514; thanks @richard-drummond and @panva
- bump to 2.4.0rc24

08/12/2019
- fix not clearing claims in session when setting claims to null; closes #445; thanks @FilipVujicic

08/12/2019
- fix JWT decryption crashing on non-null terminated input
- bump to 2.4.0rc23

08/09/2019
- add logout_on_error option to OIDCRefreshAccessTokenBeforeExpiry to kill the session when
  refreshing an access token fails; thanks @rickyepoderi
- bump to 2.4.0rc22

08/08/2019
- no longer use the fixup handler for environment variable setting but do it as part of the authn handler
- bump to 2.4.0rc21

08/04/2019
- avoid decoding non-form-encoded POST data; closes #443
- bump to 2.4.0rc20

08/02/2019
- return DONE from the content handler early to prevent triggering other content handlers
- fix `OIDCOAuthAcceptTokenAs post` so POST data is propagated and not lost; see #443
- bump to 2.4.0rc19

07/10/2019
- fix RSA JWK "x5c" parsing issue (e.g. when parsing "n" fails): explicitly set the "kid" into to JWK
- bump to 2.4.0rc18

06/19/2019
- fix regression bug that includes a HTTP 500 message after rendering content
- bump to 2.4.0rc17

06/14/2019
- fix regression bug when no per-provider keys have been configured and private_key_jwt is used
- bump to 2.4.0rc15

06/06/2019
- use per-provider signing keys in private_key_jwt authentication towards token endpoint
- bump to 2.4.0rc14

06/05/2019
- avoid passing empty key set for JWT decryption (solve but introduced in 2.4.0rc12)
- bump to 2.4.0rc13

06/03/2019
- enable per-provider signing and encryption keys; limitations:
  - for request object signing and id_token decryption only
  - take the first configured key, no kid specification
  - no publishing of key information on client endpoints
  - no userinfo JWT decryption
  - no composite claims decryption
  - no backchannel logout with encrypted logout token (inherent)
- bump to 2.4.0rc12

05/31/2019
- make sure the content handler is called for every request to the configured Redirect URI so all
  Apache processing is executed (e.g. setting headers with mod_headers) before returning the response
  thanks Don Sengpiehl (NB: this may affect browser behavior and backwards compatibility)
- add ability to view session info in HTML via the session info hook: <redirect_uri)?info=html
- bump to 2.4.0rc11

05/24/2019
- fix oidc_proto_html_post auto-post-submit so it no longer results in duplicate parentheses
  closes #440; thanks @gobreak
- bump to 2.4.0rc10

05/21/2019
- log the original URL for expired state cookies, useful for debugging SPA/JS issues

05/17/2019
- allow removing an access token from the cache ("remove_at_cache") when running in OAuth 2.0 RS mode only
- support refresh and access tokens revocation from an RFC 7009 endpoint upon OIDC session logout
- bump to 2.4.0rc9

05/03/2019
- fix (cached) parsing of OIDCOAuthServerMetadataURL; thanks Lance Fannin
- bump to 2.4.0rc5

05/02/2019
- correct caching for OIDCOAuthServerMetadataURL
- bump to 2.4.0rc4

04/21/2019
- remove option to skip scrubbing request headers (thus avoiding potentionally insecure setups)
- bump to 2.4.0rc3

04/19/2019
- add USE_URANDOM compile time option to use /dev/urandom explicitly for non-blocking random number generation
  configure with APXS2_OPTS="-DUSE_URANDOM"
- bump to 2.4.0rc2

04/15/2019
- add debug logs in oidc_proto_generate_random_string
- URL-encode client_id/client_secret when using client_secret_basic according to: https://tools.ietf.org/html/rfc6749#section-2.3.1
- bump to 2.4.0rc1

04/09/2019
- deprecate the OAuth 2.0 Resource Server functionality
- bump to 2.4.0rc0

03/13/2019
- release 2.3.11

02/26/2019
- add session expiry to session info hook response (and change inactivity timeout key)
- bump to 2.3.11rc2

02/25/2019
- add option to dynamically pass query parameters to the authorization request; closes #401
- bump to 2.3.11rc1

01/31/2019
- support conditional compilation of memcache support
- bump to 2.3.11rc0

01/22/2019
- fix XSS vulnerability CSNC-2019-001 wrt. poll parameter in OIDC Session Management RP iframe; thanks Mischa Bachmann
- release 2.3.10.2

01/16/2019
- fix bug in current URL detection where query parameters would be duplicated; see #420; thanks @jreynaert
- release 2.3.10.1

12/31/2018
- fix warning printout in oidc_delete_oldest_state_cookies
- release 2.3.10

12/16/2018
- fix encryption buffer tag length mismatch

12/06/2018
- retain the unparsed URL path in current/original URL determination, and thereby preserve
  and support URL-encoded characters in paths when redirecting back to the original URL
- add state to code exchange token requests only in multi-provider setups; see #402
- optionally delete the oldest state cookie(s); see #399
- bump to 2.3.10rc3

11/29/2018
- add support for refreshing an access token associated with an OIDC session using OIDCRefreshAccessTokenBeforeExpiry
- bump to 2.3.10rc0

11/15/2018
- release 2.3.9

11/13/2018
- fix parsing of cookie name in OIDCOAuthAcceptTokenAs when the cookie option is not listed last 
- bump to 2.3.9rc7

11/12/2018
- fix OAuth 2.0 RS config check when OIDCOAuthServerMetadataURL is set; thanks @psteniusubi
- bump to 2.3.9rc6

10/24/2018
- add support for draft https://www.ietf.org/id/draft-ietf-oauth-mtls-12.txt:
  OAuth 2.0 Mutual TLS Client Certificate Bound Access Tokens
  when running as an OAuth 2.0 RS, validating cnf["x5t#S256"] claims.
- bump to 2.3.9rc5

10/17/2018
- ignore/trim spaces in X-Forwarded-* headers
- deal with forwarding proxy setups; see #395 ; thanks @archzone
- bump to 2.3.9rc4

10/02/2018
- improve OIDC backchannel logout based on config/Discover
  - add OIDCProviderBackChannelLogoutSupported config primitive
  - parse/interpret `backchannel_logout_supported` in Discovery document
- add `id_token_token_binding_cnf`: `tbh` to dynamic client registration metadata
- bump to 2.3.9rc3

10/01/2018
- support backchannel logout according to: https://openid.net/specs/openid-connect-backchannel-1_0.html
- bump to 2.3.9rc2

10/01/2018
- add test-cmd command to generate hashes base64urlencoded inputs (cnf/tbh claims)

09/30/2018
- support Token Binding for Access Tokens according to: https://tools.ietf.org/html/draft-ietf-oauth-token-binding
- bump to 2.3.9rc1

09/16/2018
- support nested arrays in Require claim authorization evaluation; see #392; thanks @hpbieker
- bump to 2.3.9rc0

09/12/2018
- fix return result FALSE when JWT payload parsing fails; see #389; thanks @amdonov
- release 2.3.8

08/30/2018
- add LGTM code quality badges, see #385; thanks @xcorail
- fix 3 LGTM alerts

08/23/2018
- improve auto-detection of XMLHttpRequests via Accept header; see #331
- bump to 2.3.8rc5

08/15/2018
- initialize test_proto_authorization_request properly; see #382; thanks @jdennis
- add sanity check on provider->auth_request_method; closes #382; thanks @jdennis
- bump to 2.3.8rc4

08/14/2018
- allow usage with LibreSSL; closes #380; thanks @hihellobolke
- bump to 2.3.8rc3

08/04/2018
- don't return content with 503 since it will turn the HTTP status code into a 200; see #331
- bump to 2.3.8rc2

08/03/2018
- add option to set an upper limit to the number of concurrent state cookies via OIDCStateMaxNumberOfCookies; see #331
- make the default maximum number of parallel state cookies 7 instead of unlimited; see #331
- bump to 2.3.8rc1

07/30/2018
- fix using access token as endpoint auth method in introspection calls; closes #377; thanks @skauffmann

07/25/2018
- fix reading access_token form POST parameters when combined with `AuthType auth-openidc`; see #376; thanks Nicolas Salerno
- bump to 2.3.8rc0

07/06/2018
- abort when string length for remote user name substitution is larger than 255 characters
- release 2.3.7

07/04/2018
- fix Redis concurrency issue when used with multiple vhosts
- bump to 2.3.7rc4 and 2.3.7rc5

06/29/2018
- add support for authorization server metadata with OIDCOAuthServerMetadataURL as in RFC 8414
- bump to 2.3.7rc3

06/23/2018
- refactor session object creation
- bump to 2.3.7rc2

06/22/2018
- clear session cookie and contents if cache corruption is detected
- bump to 2.3.7rc0
- use apr_pstrdup when setting r->user
- reserve 255 characters in remote username substition instead of 50
- bump to 2.3.7rc1

06/15/2018
- add check to detect session cache corruption for server-based caches and cached static metadata
- release 2.3.6

05/29/2018
- avoid using pipelining for Redis
- bump to 2.3.6rc4

05/28/2018
- send Basic header in OAuth www-authenticate response if that's the only accepted method; thanks @puiterwijk

05/28/2018
- refactor Redis cache backend to solve issues on AUTH errors: a) memory leak and b) redisGetReply lagging behind
- adjust copyright year/org
- bump to 2.3.6rc3

05/23/2018
- fix buffer overflow in shm cache key set strcpy; thanks @kyprizel
- bump to 2.3.6rc2

05/22/2018
- turn missing session_state from warning into a debug statement
- fix missing "return" on error return from the OP; see #345; thanks @gergan
- bump to 2.3.6rc1

05/19/2018
- explicitly set encryption kid so we're compatible with cjose >= 0.6.0
- bump to 2.3.6rc0

05/18/2018
- fix encoding of preserved POST data; see #338; thanks @timpuri
- avoid buffer overflow in shm cache key construction; thanks @kyprizel
- release 2.3.5

05/08/2018
- compile with with Libressl; closes #358; thanks @hihellobolke
- bump to 2.3.5rc0

04/27/2018
- avoid crash when a relative logout URL parameter is passed in; thanks Vivien Delenne 
- release 2.3.4

03/22/2018
- interpret X-Forwarded-Host when doing XSRF protection on the after-logout URL; see #341; thanks @pepe79
- bump to 2.3.4rc4

02/06/2018
- add support for passing an access token in a HTTP Basic authentication password; thanks @puiterwijk
- bump to 2.3.4rc3

01/26/2018
- send session management Javascript logging to debug; thanks @kerrermanisNL

01/25/2018
- add Cache-Control no-cache header to authorization requests to avoid replays of state/nonce; see #321
- bump to 2.3.4rc2

01/23/2018
- add explicit endpoint authentication method "bearer_access_token"

12/29/2017
- correct documentation on kid usage for OIDCOAuthVerifyCertFiles; closes #318

12/21/2017
- fix compiler warnings for OpenSSL 1.1.x
- bump to 2.3.4rc1

11/21/2017
- fix bug where endpoint authentication method "private_key_jwt" would not co-exist with "none"
- bump to 2.3.4rc0

11/16/2017
- add support for passing userinfo as a JSON object or JWT; see #311
- release 2.3.3

11/13/2017
- add support for authentication to the introspection endpoint with a bearer token using OIDCOAuthIntrospectionClientAuthBearerToken; thanks @cristichiru
- bump to 2.3.3rc3

11/08/2017
- address a number of static code analysis issues
- bump to 2.3.3rc2

10/10/2017
- avoid crash when no scheme is set on OIDCProviderMetadataURL; closes #303; thanks @iconoeugen
- bump to 2.3.3rc1

10/6/2017
- avoid crash when no OIDCOAuthClientID is set for remote access token validation
- don't enforce "iat" slack checks on locally validaed JWT access tokens
- bump to 2.3.3rc0

09/18/2017
- release 2.3.2

09/11/2017
- fix "graceful" restart for shm/redis cache backends; see #296
- bump to 2.3.2rc8

09/05/2017
- optionally remove request object parameters from the authorization request URL with "copy_and_remove_from_request"; see #294
- bump to 2.3.2rc7

08/29/2017
- properly support JSON boolean values in metadata .conf files
- add regex substitution for *RemoteUserClaim; thanks @hihellobolke
- bump to 2.3.2rc6

08/27/2017
- add issuer specific redirect URI option ("issuer_specific_redirect_uri") for multi-provider setups to mitigate IDP mixup
- bump to 2.3.2rc5

08/20/2017
- fix public clients; add endpoint authentication method "none"
- bump to 2.3.2rc4

08/02/2017
- update experimental token binding support to https://tools.ietf.org/html/draft-ietf-tokbind-ttrp-01
  and use header names prefixed with "Sec-"; depends on mod_token_binding >= 0.3.4 now
- bump to 2.3.2rc3

08/01/2017
- don't abort when mutex operations fail
- printout textual descriptions of errors returned by mutex operations
- bump to 2.3.2rc2

07/28/2017
- fix issue with the combination of shared memory (shm) cache and using encryption (OIDCCacheEncrypt On)
  where the cache value would be corrupted after the first (successful) retrieval
- bump to 2.3.2rc1

07/27/2017
- support paths that are relative to the Apache root dir for:
  OIDCHTMLErrorTemplate, OIDCPublicKeyFiles, OIDCPrivateKeyFiles,
  OIDCOAuthVerifyCertFiles, OIDCClientTokenEndpointCert, OIDCClientTokenEndpointKey,
  OIDCOAuthIntrospectionEndpointCert and OIDCOAuthIntrospectionEndpointKey
- bump to 2.3.2rc0

07/19/2017
- handle multiple values in X-Forwarded-* headers as to better support chains of reverse proxies in front of mod_auth_openidc
- log request headers in oidc_util_hdr_in_get
- release 2.3.1

07/13/2017
- remove A128GCM/A192GCM from the supported algorithms in docs/auth_openidc.conf
  because cjose doesn't support A128GCM and A192GCM (yet)
- bump to 2.3.1rc5

07/09/2017
- refactor oidc_get_current_url_port so that it assumes the default port when
  X-Forwarded-Proto has been set; closes #282 and may address #278
- bump to 2.3.1rc4

07/07/2017
- use the defined name (`Provided-Token-Binding-ID`) for the provided token binding ID HTTP header
  see: https://tools.ietf.org/html/draft-campbell-tokbind-ttrp-00#section-2.1
  depends on mod_token_binding >= 0.3.0 now
- bump to 2.3.1rc3

06/29/2017
- support sending the authentication request via HTTP POST through HTML/Javascript autosubmit
- bump to 2.3.1rc2

06/28/2017
- support private_key_jwt and client_secret_jwt as client authentication methods for token introspection
- bump to 2.3.1rc1

06/22/2017
- fix bug where token_endpoint_auth set to private_key_jwt would fail to provide the credential if client_secret wasn't set
- bump to 2.3.1rc0

06/13/2017
- release 2.3.0

06/07/2017
- fix file cache backend: allow caching of non-filename friendly keys such as configuration URLs and JWKs URIs
- enable JQ-based claims expression matching when compiled from source with --with-jq=<dir>, e.g.:
  Require claims_expr '.aud == "ac_oic_client" and (.scope | index("profile") != null)'
- normalize cache backend logging
- bump to 2.3.0rc3

06/06/2017
- avoid cleaning our own state cookie twice when it is expired
- bump to 2.3.0rc2

06/02/2017
- refactor remote user handling so it allows for postfixing with the issuer value after applying the regex
- bump to 2.3.0rc1

05/31/2017
- add support for custom actions to take after authorization fails with OIDCUnAutzAction
  this enables stepup authentication scenarios when combined with the following:
- add OIDCPathAuthRequestParams that is configurable on a per-path basis and use OIDCAuthRequestParams for the static per-provider value
- add OIDCPathScope that is configurable on a per-path basis and concatenate with OIDCScope as static per-provider value
- support 3rd-party-init-SSO with additional authentication request params when a single static provider has been configured
- add support for an empty OIDCClaimPrefix; can be used with OIDCWhiteListedClaims to protect selected headers
- bump to 2.3.0rc0

05/30/2017
- support sending Authorization Request as "request" object in addition to "request_uri"; thanks @suttod
- support nested claim matching in Require directives; thanks @suttod
- support explicitly setting the "kid" of the private key in OIDCPrivateKeyFiles; thanks @suttod

05/25/2017
- fix cache fallback so it happens (when enabled) only after failure

05/19/2017
- make OIDCStripCookies work on AuthType oauth20 paths; closes #273; thanks Michele Danieli
- bump to 2.2.1rc6

05/18/2017
- fix parse function of OIDCRequestObject configuration option; thanks @suttod 

05/17/2017
- avoid crash when the X-Forwarded-Proto header is not correctly set by a reverse proxy in front of mod_auth_openidc

05/14/2017
- support JWT verification against multiple keys with no provided kid by looping over the provided keys with cjose 0.5.0
- remove OIDC RP certification files; moved to separate repository

05/04/2017
- improve documentation for OIDCCryptoPassphrase; closes #268

04/30/2017
- fix wrong return value for cache_file_set in the file cache backend (OIDCCacheType file); thanks Ernani Joppert Pontes Martins
- bump to 2.2.1rc5

04/29/2017
- correctly log success/failure in cache_file_set
- avoid decoding a JSON object and logging an error when the input is NULL
  e.g. when claims have not been resolved because userinfo endpoint is not set

04/20/2017
- support relative RedirectURIs; closes #200; thanks @moschlar
- don't assume that having OIDCCryptPassphrase set means we should validate the config for
  openid-connect since it can now also be used to encrypt (auth20) cache entries
- bump to 2.2.1rc4

04/08/2017
- fix potential crash on prefork process exit when used with Redis cache backend (3x)
- bump to 2.2.1rc3

04/06/2017
- change warn log about missing token binding ID to debug log

04/05/2017
- allow for high session inactivity timeout max value
- improve error message in oidc_util_http_send when ap_pass_brigade fails and mention possible interference with mod_deflate
- bump to 2.2.1rc0

03/30/2017
- merge feature branch back to master:
  - better support for Single Page Applications, see:
    https://github.com/zmartzone/mod_auth_openidc/wiki/Single-Page-Applications
    - add session info hook that is configurable through OIDCInfoHook
    - add "AuthType auth-openidc" option that allows both "oauth20" and "openid-connect" on the same path
  - add encryption for all cache entries instead of just session data through OIDCCacheEncrypt
  - add cookie SameSite flag/policy through OIDCCookieSameSite
  - return HTTP 200 on OPTIONS requests to (unauthenticated) "oauth20" paths
  - add fallback to a by-value session cookie if the primary session cache fails with OIDCSessionCacheFallbackToCookie
  - add support for black- and/or white-listing claims with OIDCBlackListedClaims and OIDCWhiteListedClaims
  - add prototype token binding support in conjunction with:
    https://github.com/zmartzone/mod_token_binding:
    - for state & session cookies, see:
      https://github.com/TokenBinding/Internet-Drafts
    - for ID tokens with OpenID Connect Token Bound Authentication support, see:
      http://openid.net/specs/openid-connect-token-bound-authentication-1_0.html
    - for Authorization Codes with OAuth 2.0 Token Binding for Authorization Codes, see:
       https://tools.ietf.org/html/draft-ietf-oauth-token-binding
  - refactoring:
    - refactor session state, proto state and headers into getters/setters functions
    - refactor PKCE support
  - fix removing session state from cache on logout
  - fix clearing chunked session cookies on logout; closes #246; thanks @Jharmuth
- release 2.2.0

02/20/2017
- security fix: scrub headers for "AuthType oauth20"
- release 2.1.6 

02/15/2017
- improve logging of session max duration and session inactivity timeout
- refactor so that the call to the refresh hook also resets the session inactivity timeout and passes tokens down

02/14/2017
- treat only "X-Requested-With: XMLHttpRequest" header as a non-browser client; closes #228 ; thanks @mguillem
- improve error message on state timeout; closes #226; thanks @security4java

02/09/2017
- correctly parse "kid" in OIDCPublicKeyFiles and OIDCOAuthVerifyCertFiles; thanks Alessandro Papacci
- bump to 2.1.6rc2

02/07/2017
- fix parsing of mandatory/optional attribute in OIDCOAuthTokenExpiryClaim; closes #225; thanks Alessandro Papacci
- bump to 2.1.6rc1

02/06/2017
- improve logging around the availability of session management; closes #223

02/02/2017
- interpret OIDCUnAuthAction also when the maximum session duration has been exceeded; see #220
- bump to 2.1.6rc0

01/30/2017
- security fix: scrub headers when `OIDCUnAuthAction pass` is used for an unauthenticated user
- release 2.1.5

01/29/2017
- fix error message about passing id_token with session type client-cookie; mentioned in #220
- bump to 2.1.5rc0

01/25/2017
- release 2.1.4

01/18/2017
- don't echo the query parameters on the error page when an invalid request is made to the Redirect URI; closes #212; thanks @LukasReschke

01/14/2017
- use dynamic memory buffer for writing HTTP call responses; solves curl/mpm-event interference; see #207
- bump to 2.1.4rc1

01/10/2017
- don't crash when data is POST-ed to the redirect URL, it has just 1 POST parameter and it is not "response_mode"

01/2/2017
- remove trailing linebreaks from input in test-cmd tool
- bump copyright year to 2017

12/14/2016
- support Libre SSL, see #205, thanks @AliceWonderMiscreations
- update OIDC logout support to Front-Channel Logout 1.0 draft 01: http://openid.net/specs/openid-connect-frontchannel-1_0.html
- bump to 2.1.4rc0

12/13/2016
- release 2.1.3

12/12/2016
- don't rollover session id's and keep the same session cookie name for cache storage over session updates
- bump to 2.1.3rc0

11/19/2016
- release 2.1.2

11/18/2016
- fix crash when searching for keys with a kid, there's no initial match and x5t values exist for the non-matching keys; closes #196

11/9/2016
- remove stale claims from session when refreshing them from the userinfo endpoint fails; addresses #194
- release 2.1.1

11/8/2016
- log readable error messages when memcache operations fail

11/6/2016
- fix memory leak when skipping jwks_uri keys with a non-matching "use" value

11/4/2016
- always restore id_token/claims on sub-requests so e.g. listing claims-protected subdirectories will work
- remove obsolete functions for storing the session in the request state
- bump to 2.1.1rc0

11/3/2016
- remove obsolete sessions from session cache; thanks @stevedave

11/1/2016
- release version 2.1.0

10/28/2016
- don't include encryption keys from the jwks_uri when verifying a JWT and no kid has been specified
- fix memory leaks in composite claim handling

10/27/2016
- handle aggregated and distributed claims from the userinfo endpoint
- only pick private_key_jwt token endpoint authentication if a private key is configured; closes #189
- bump to 2.0.1rc7

10/24/2016
- add OpenID Connect RP certification test script
- handle non-integer exp/iat timestamps; closes #187; thanks @drdivano

10/21/2016
- bugfix: first truncate files before writing them
- support refreshing provider metadata based on timestamp and OIDCProviderMetadataRefreshInterval

10/20/2016
- bugfix: correctly truncate encryption keys derived from client secret for algorithms that require a key size < 256 bits
- add test/test-cmd tool
- bugfix: return error on session cache failures; closes #185; thanks @solsson
- bump to 2.0.1rc6

10/18/2016
- bugfix: JWTs with a header that doesn't specify a `kid` that would not validate when used with more than 1 key; closes #184; thanks @solsson
- bump to 2.0.1rc5

10/13/2016
- urlencode provider URL cache key to fix file cache backend issue; closes #179, thanks @djahandarie

10/9/2016
- fix null pointer segfault in debug printout in oidc_util_read_form_encoded_params
- fix OIDCOAuthAcceptTokenAs parsing flaw introduced in 2.0.0rc5
- bump to 2.0.1rc4

10/2/2016
- support presenting the access token to the userinfo endpoint in a POST parameter
- bump to 2.0.1rc3

9/30/2016
- support WebFinger Discovery with URL-style user identifiers

9/28/2016
- fix memory leak in oidc_jwk_to_json
- add "remove_at_cache" hook; addresses #177
- bump to 2.0.1rc2

9/27/2016
- add support for Request URI with signed and/or encrypted Request Objects
- bump to 2.0.1rc1

9/22/2016
- refuse webfinger responses with an href value that is not on secure https
- add userinfo JWT response verification and decryption

9/20/2016
- log the JWT header before optional decryption is applied

9/19/2016
- check that a sub claim returned from the userinfo endpoint matches the one in the id_token
- fix issue in oidc_metadata_parse_url so that static default would not be honored
  - this only affected server-wide OIDCClientJwksUri usage in dynamic client registration
- non-functional changes for OIDC RP certification:
  - explicitly log the client authentication method when calling the token endpoint
  - log the keys that are included for token verification
- bump to 2.0.1rc0

9/9/2016
- fix overriding provider token endpoint auth with static config when not set in .conf file
- don't add our own cookies to the incoming headers
- allow stripping cookies from the Cookie header sent to the application/backend with OIDCStripCookies
- release 2.0.0

9/5/2016
- encapsulate (sub-)directory config handling and fix merging so values can be set back to default values in subdirs
- bump to 2.0.0rc5

9/2/2016
- fix JWK creation when no client secret is set e.g. in Implicit flows; closes #168; thanks @asc1
- bump to 2.0.0rc4

9/1/2016
- fix HTML decoding of OIDCPreservePost data; closes #165
- limit max POST data size to 1Mb
- allow chunked data in POST handling; revise handler
- change preserve POST JSON data format to urlencoded for performance reasons

8/31/2016
- allow setting the token endpoint authentication method in the .conf file (for dynamic client registration that sets the .client)

8/30/2016
- pass refresh token in header/environment variable with OIDCPassRefreshToken; thanks Amit Joshi
- fix front-channel img-style logout with newer versions of PingFederate that don't send an Accept: image/png header

8/29/2016
- preserve POST data across authentication requests and discovery with OIDCPreservePost
- bump to 2.0.0rc3

8/24/2016
- fix parsing of OIDCOAuthAcceptTokenAs to accept options following ":"
- bump to 2.0.0rc2

8/5/2016
- delete the debian directory
- rename OIDCOAuthTokenEndpointCert/Key to OIDCOAuthIntrospectionEndpointCert/Key
- pre-release 2.0.0rc1

7/30/2016
- encrypt state/session JWT cookies and session JWT cache values for non-shm storages

7/29/2016
- use cjose - https://github.com/cisco/cjose (master) - for JOSE functions
- use stricter input parsing functions for configuration values
- bump to 2.0.0rc0

7/21/2016
- support TLS client authentication to token and introspection endpoints
- bump to 1.9.0rc3

7/19/2016
- add support for chunked session cookies; closes #153; thanks @glatzert 
- bump to 1.9.0rc2

7/9/2016
- fix Elliptic Curve signature verification for corrupted input
- support OpenSSL 1.1.x
- bump to 1.9.0rc1

7/5/2016
- use AUTHZ_DENIED instead of HTTP_UNAUTHORIZED in oidc_authz_checker; closes #151; thanks @gwollman
- use signed JWTs for state/session cookies
- achieve smaller client-cookie sizes for regular cases; no id_token is stored in the session:
  - (optional) id_token_hint no longer available in session management calls (logout/prompt=none) with "OIDCSessionType client-cookie"
  - "OIDCPassIDTokenAs serialized" is not available with "OIDCSessionType client-cookie"
- bump to 1.9.0rc0

6/27/2016
- use EVP_CIPHER_CTX_new to avoid compilation errors with OpenSSL 1.1.0
- release 1.8.10

6/22/2016
- don't use local port setting for current URL determination when X-Forwarded-Host has been set
- bump to 1.8.10rc4

6/20/2016
- fix memory leak in OAuth access token introspection result caching (introduced only in 1.8.10rc0)
- fix setting private_key_jwt or client_secret_jwt with OIDCProviderTokenEndpointAuth
- bump to 1.8.10rc3

6/19/2016
- allow setting OIDCRemoteUserClaim with values obtained from the userinfo endpoint; thanks @steve-dave
- fix OIDCUnAuthAction pass mode for Apache 2.4 and in case `Require claim` primitives used for 2.4 and 2.2; thanks @steve-dave
- bump to 1.8.10rc2

6/15/2016
- add support for JWT based client authentication to the token endpoint (client_secret_jwt, private_key_jwt)
- bump to 1.8.10rc1

6/9/2016
- add per-path configurable token introspection result cache expiry with OIDCOAuthTokenIntrospectionInterval
- bump to 1.8.10rc0

6/5/2016
- release 1.8.9

5/9/2016
- support 410 option on OIDCUnAuthAction; closes #141
- bump to 1.8.9rc6

5/1/2016
- avoid segmentation fault on invalid OIDC configuration when OIDCRedirectURI is not set; fixes #138; thanks @brianwcook
- bump to 1.8.9rc5

4/18/2016
- fix get_current_url (proxy) case where r->parsed_uri.path would be null

4/13/2016
- improve X-Forwarded-Host handling over Host in a) port detection and b) remove port from host value
- bump to 1.8.9rc4

4/10/2016
- do not require OIDCClientSecret in configs; allows for Implicit grant without setting a dummy client secret; closes #130
- allow for public clients calling the token endpoint
- bump to 1.8.9rc3

4/9/2016
- ensure that claims from id_token are available for authz also when OIDCPassIDTokenAs does not contain "claims"; closes #129
- bump to 1.8.9rc2

4/3/2016
- return WWW-Authenticate header and error messages on OAuth paths where access is not granted; closes #124; thanks @spinto
- bump to 1.8.9rc1

4/1/2016
- apr_jwe_decrypt_content_aesgcm() null terminate string, #128, thanks @jdennis
- bump to 1.8.9rc0

3/10/2016
- release 1.8.8

3/7/2016
- issue a warning if the "openid" scope is not requested

3/6/2016
- sanitize the OIDCAuthNHeader value before setting the header; thanks @rfk
- bump to 1.8.8rc7

3/5/2016
- log exact version of OpenSSL and EC/GCM/Redis support
- tidy up auth_openidc.conf docs
- bump to 1.8.8rc6

2/26/2016
- add option to refresh claims from the userinfo endpoint using OIDCUserInfoRefreshInterval; see #119
- merge id_token claims in to the set of claims used for authorization for Apache >=2.4; see #120
- bump to 1.8.8rc5

2/23/2016
- make state cookie a session cookie and clean expired cookies on entry (merge of fix-firefox-cookie-storage)
- fix HTML error template initialization in vhosts
- bump to 1.8.8rc4

2/22/2016
- don't authenticate (redirect/state) when X-Requested-With header exists; as suggested in #113
- bump to 1.8.8rc3

2/18/2016
- pass plain state to the token endpoint on code flows: https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01
- fix loose (prefix-only) matching of cookie names
- allow passing OAuth bearer token as a cookie (OIDCOAuthAcceptTokenAs extension for PingAccess)
- bump to 1.8.8rc2

2/11/2016
- include token_endpoint_auth_method in dynamic client registration request, set to selected method from provider

2/10/2016
- Elliptic Curve support now requires OpenSSL 1.0.1 detection
- bump to 1.8.8rc1

1/14/2016
- add support for passing in OAuth bearer tokens as one or more of: header, post param or query param (OIDCOAuthAcceptTokenAs)
- bump to 1.8.8rc0

1/8/2016
- release 1.8.7

1/7/2016
- update copyright year

12/17/2015
- enforce strict matching of issuer in Discovery document against the originally requested issuer
- check iss/client_id if present in an authentication response
- push a hash of state to the token endpoint on code flows
- bump to 1.8.7rc4

12/9/2015
- improve debug logging around session management capabilities (i.e. enabled/disabled)
- return 404 for op/rp iframes if session management is not enabled
- bump to 1.8.7rc3

12/4/2015
- add support for RFC 7636 PKCE plain & S256 https://tools.ietf.org/html/rfc7636
- bump to 1.8.7rc2

12/3/2015
- fix crash when using a custom error template and the error description is NULL
- fix crash when target_link_uri is not a valid URI or parts are empty
- fix memory corruption when using custom html template across different server requests; closes #106
- bump to 1.8.7rc1

11/18/2015
- fix compiler warning on double sizeof call; close #103; thanks to @dcb314
- bump to 1.8.7rc0

10/26/2015
- add option to make session cookie persistent; closes #97
- release 1.8.6

10/19/2015
- add support for applying a custom HTML error template with OIDCHTMLErrorTemplate
- bump to 1.8.6rc3

10/12/2015
- check the cookie domain that the session was created for against the configured domain
- log a warning if the Set-Cookie value length is greater than 4093 bytes
- include and prioritize the X-Forwarded-Host header in hostname determination
- allow for missing Host header i.e. HTTP 1.0
- return DONE instead of HTTP_UNAUTHORIZED with Discovery page (prevent double HTML in HTTP 1.0)
- use apr_strnatcmp instead of strcmp in util.c and mod_auth_openidc.c
- bump to 1.8.6rc2

10/9/2015
- support subdomain cookies in OIDCCookieDomain checks; PR #96, thanks @pfiled
- bump to 1.8.6rc1

10/6/2015
- add key identifier ("kid") option to `OIDCOAuthVerifySharedKeys`, `OIDCOAuthVerifyCertFiles` and `OIDCPublicKeyFiles` configs
- bump to 1.8.6rc0

9/21/2015
- support (non-sid-based) HTTP logout: http://openid.net/specs/openid-connect-logout-1_0.html
- release 1.8.5

9/16/2015
- improve logging on provider/client/conf metadata parsing failures; closes #94
- bump to 1.8.5rc7

9/9/2015
- fix parsing of OIDCOAuthTokenExpiryClaim, thanks to @bester #90
- bump to 1.8.5rc6

9/4/2015
- add CSRF protection to external Discovery as well
- allow browser back after authorization response, see #89
- handle invalid (expired) authorization response state by sending the user to OIDCDefaultURL, see #86
- bump to 1.8.5rc5

8/26/2015
- add CSRF protection to Discovery
- bump to 1.8.5rc4

8/19/2015
- support encrypted JWTs using A192KW for key encryption and A192CBC-HS384 for content encryption
- bump to 1.8.5rc3

8/15/2015
- support encrypted JWTs using RSA-OAEP for key encryption and A128GCM,A192GCM,A256GCM for content encryption
- bump to 1.8.5rc2

8/4/2015
- support for OIDCUnAuthAction: how to act on unauthenticated requests (OIDCReturn401 is deprecated)
- bump to 1.8.5rc1

7/15/2015
- add authentication option for Redis server with OIDCRedisCachePassword
- bump to 1.8.5rc0

7/3/2015
- allow for compilation on Windows using VS 2013
- bump to 1.8.4

6/30/2015
- improve memcache logging: don't report cache misses as an error, thanks to @scottdear
- work around JSON timestamp print modifier issue (%lld) on some platforms, thanks to @ralphvanetten
- bump to 1.8.4rc3

6/24/2015
- support passing claims as environment variables (OIDCPassClaimsAs)
- bump to 1.8.4rc1

6/22/2015
- correct debug printout in oidc_util_read_form_encoded_params

6/20/2015
- avoid double free of JWT after parsing errors have been encountered
- bump to 1.8.4rc0

6/19/2015
- make public keys for encrypted access tokens available in OAuth-only configurations; fixes #74
- remove exceptions for accounts.google.com since Google is OpenID Connect compliant now
- release 1.8.3

6/15/2015
- add a complete JWT sample that includes validation of "exp" and "iat" to the test suite

6/10/2015
- allow JSON string values for the "active" claim in access token validation responses
- bump to 1.8.3rc4

6/7/2015
- improve error logging on non-supported JWT signing/encryption algorithms
- bump to 1.8.3rc3

5/31/2015
- merge id_token ("iss"!) and user info claims for authz processing
- bump to 1.8.3rc2

5/29/2015
- fix hash comparison when padded, thanks to @steverc as mentioned in #65
- fix post-logout URL being set to SSO URL
- add post-logout URL validation, thanks to @davidbernick
- bump to 1.8.3rc1

5/18/2015
- fix OpenSSL version detection for Elliptic Curve support in apr_jwt_signature_to_jwk_type: include opensslv.h
- fix hash length calculation for Elliptic Curve algorithms
- release 1.8.2

5/5/2015
- release 1.8.1

4/21/2015
- allow setting OIDCDiscoverURL inside of Directory and Location directives as well
- bump to 1.8.1rc5

4/20/2015
- allow setting OIDCCookie outside of Directory and Location directives as well
- bump to 1.8.1rc4

4/17/2015
- add support for applying regular expressions to OIDCRemoteUserClaim and OIDCOAuthRemoteUserClaim
- bump to 1.8.1rc3

4/12/2015
- make token expiry parsing of introspection result configurable (OIDCOAuthTokenExpiryClaim)
- increase SHM cache key size from 255 to 512 (allows for JWT access tokens cache keys for introspection result)
- bump to 1.8.1rc2

4/1/2015
- avoid timing attacks on symmetric key signature/hash comparisons as pointed out by @timmclean
- bump to 1.8.1rc1

3/19/2015
- merge #57: fix build with OpenSSL <1.0 re. apr_jws_signature_is_ec (thanks to @szakharchenko)

2/26/2015
- release 1.8.0

2/23/2015
- avoid including line feeds in header values (thanks to @forkbomber and @ekanthi)
- bump to 1.8.0rc5

2/16/2015
- fix free() crash on simple-valued error printouts
- fix returning keys without a "kid"
- fix searching for keys with a "x5t" thumbprint
- refactor response type handling; more strict matching of requested response type
- make compiled in Redis support optional
- fix oauth.introspection_endpoint_method in initialization
- bump to 1.8.0rc4

2/15/2015
- add support for configurable introspection HTTP method (OIDCOAuthIntrospectionEndpointMethod)
- add preliminary support for GET-style logout
- bump to 1.8.0rc2

2/12/2015
- add support for configuration of maximum session duration
- bump to 1.8.0rc1

2/9/2015
- check JWT signature against all configured keys (jwks_uri) if no "kid" is provided, not just the first one
- revise JOSE JWS handling part 2
- complete support for local JWT access token validation
- bump to 1.8.0rc0

2/5/2015
- fix symmetric key decryption of JWTs (A128CBC-HS256/A256CBC-HS512)
- sha256 client secrets before using them as symmetric keys for decryption
- extended decryption test coverage; avoid double printouts on error
- refactor JWT header parsing
- simplify JWK URI refresh handling
- release 1.7.3

2/4/2015
- revise JOSE JWK handling part 1
- change change target_uri parameter name to target_link_uri following draft-bradley-oauth-jwt-encoded-state-03
- extended tests with stubs
- refactor JWT validation (iss, exp, iat)
- fix memory leak with RSA key conversion in apr_jwk.c - apr_jwk_rsa_bio_to_key
- bump to 1.7.3rc4

1/25/2015
- Allow {... "error": null ...} in JSON responses. (@fatlotus)

1/22/2015
- fix configuration validation check where no config would be checked if OIDCProviderIssuer is set
  but both OIDRedirectURI and OIDCCryptoPassphrase are not set
- add preliminary support for local JWT access token validation
- bump to 1.7.3rc1
- sanitize set cookie syntax (get rid of extraneous ";")

1/21/2015
- add support for OIDCOAuthIntrospectionTokenParamName (incl. Google OAuth 2.0 access token validation)
- add a sample OAuth 2.0 config for Google access tokens to README.md
- release 1.7.2

- add APXS2_OPTS to configure.ac to accommodate RPM builds
- bump to 1.7.3rc0
- fix JWT timestamp (iat/exp) initialization issue
- fix README.md on Google's scope required for returning the "hd" claim

1/14/2015
- add Apache function stubs to enable extending the scope of tests
- add tests for oidc_proto_validate_access_token and oidc_proto_validate_code
- bump to 1.7.2rc3

1/12/2015
- improve accuracy of expired/invalid session handling

1/11/2015
- add error type and return values to JOSE functions
- fix return result on error in function that decrypts CEK
- bump to 1.7.2rc2

1/1/2015
- update copyright to 2015
- use json_int_t (seconds) for "exp" and "iat" fields, instead of apr_time_t (microseconds) 
- correct expiry debug printout
- bump to 1.7.2rc1

12/15/2014
- fix Redis reconnect behavior: avoid keep reconnecting after first failure
- bump to 1.7.2rc0

12/12/2014
- support passing cookies specified in OIDCPassCookies from browser on to OP/AS calls (for loadbalancing purposes)
- release 1.7.1
- document OIDCPassCookies in auth_openidc.conf

12/10/2014
- reconnect to the Redis server after I/O failure as raised in #43
- bump to 1.7.1rc4

12/8/2014
- return http 500 when detecting requests that will loop on return
- bump to 1.7.1rc3

12/3/2014
- require the expiring access_token on the refresh hook for XSRF protection
- pass error codes back to the caller when the refresh hook fails
- bump to 1.7.1rc2

12/2/2014
- improve handling of non-string (=non-compliant) error responses

11/26/2014
- make shared memory cache entry max size configurable through OIDCCacheShmEntrySizeMax
- add OIDCReturn401 configuration primitive
- bump to 1.7.1rc1

11/11/2014
- allow OIDCRedirectURI's with an empty path and fix crash; thanks to @CedricCabessa

11/9/2014
- support for adding configurable JSON parameters to Dynamic Client Registration requests

11/5/2014
- release 1.7.0

10/30/2014
- correct expires_in conversion
- first stab at HTML templating and make all html HTML 4.01 Strict compliant
- bump to 1.7.0rc4

10/29/2014
- document refresh flow

10/28/2014
- scrub all OIDC_ headers
- add support for the refresh_token flow + hook
- pass the expires_in as an absolute timestamp in OIDC_access_token_expires
- use a global mutex for the Redis cache
- bump to 1.7.0rc3

10/27/2014
- generalize support for OAuth 2.0 token introspection and conform to:
  https://tools.ietf.org/html/draft-ietf-oauth-introspection-00

10/26/2014
- support regular expressions in Require statements

10/24/2014
- add support for Redis cache backend; there's a dependency on hiredis headers/library now

10/21/2014
- refactor nonce generation and remove base64url padding from value

10/13/2014
- add libssl-dev to Debian control build dependencies
- release 1.6.0

10/6/2014
- apply html encoding to error display
- bump version number to 1.6.0rc4

10/2/2014
- avoid crash when downloading metadata from OIDCProviderMetadataURL fails
- set OIDCProviderMetadataURL retrieval interval to 24 hours
- return error on configurations mixing OIDCProviderMetadataURL and OIDCMetadataDir
- bump version number to 1.6.0rc3

10/1/2014
- support provider configuration from a metadata URL (OIDCProviderMetadataURL)
- bump version number to 1.6.0rc2

9/30/2014
- be less strict about issuer validation in metadata
- refactor metadata.c
- improve logging about userinfo endpoint

9/29/2014
- refactor cache so it is partitioned in to sections (i.e. avoid future key collisions)

9/25/2014
- add support for "x5c" JWK representation
- return JWKS on jwks_uri with content-type "application/json"

9/17/2014
- remove support for the X-Frame-Options as it is not needed in 302s
- create and use log macros that printout function name

9/16/2014
- support for passing runtime determined authentication request parameters in the discovery response
- include name/version in logs and bump to 1.6.0rc1
- don't use the X-Frame-Options by default

9/13/2014
- add support for the X-Frame-Options header as recommended by the spec

9/12/2014
- set expiry on state cookies; don't clear session cookie after cache miss or corruption
- fix JSON array memory leak in oauth.c

9/10/2014
- merge #34 (g10f), fix session management Javascript bug

9/3/2014
- improve error handling on hitting the redirect URI directly
- fix set_slot functions for algorithm/url used as default for dynamic registration
- rewording of auth_openidc.conf docs on JWK settings

9/1/2014
- add session management based on http://openid.net/specs/openid-connect-session-1_0.html (draft 21)

8/29/2014
- add configuration option to POST extra parameters to the token endpoint

8/26/2014
- correct cookie_path comparison
- release 1.5.5

8/20/2014
- correctly error out on flows where no id_token was provided ("token")

8/19/2014
- fix debug printout on open redirect prevention
- cleanup in-memory crypto context on shutdown
- use default of "/" for OIDCCookiePath to simplify quickstart/simple deployments
- disable OIDCMetadataDir in sample/default config file
- clear session cookie after cache miss or corruption

8/18/2014
- add HttpOnly flag to cookies by default; can be disabled by config

8/14/2014
- support for passing the id_token in multiple formats (claims|payload|serialized)
- release 1.5.4

8/13/2014
- pass the access_token in OIDC_access_token header to the application

8/9/2014
- merge #21 (Latinovic) to close #18 (big endian JWE issue)
- merge #20 (wadahiro), support for "none" JWT signing algorithm

8/1/2014
- fix cache initialization/destroy leak
- release 1.5.3

7/26/2014
- refactor http code; cleanup JSON encoding in client registration
- refactor padding handling in base64url encoding/decoding

7/20/2014
- check for open redirect on passed target_link_uri
- prevent JWE timing attacks on CEK; add JWE test
- include client_id and scope values in resolved access_token

7/1/2014
- pass JSON objects in app HTTP headers as plain JSON
- correct printout in id_token hash comparisons
- add more tests
- release 1.5.2

6/12/2014
- support third-party-initiated login as defined in the spec
- release 1.5.1
- fix PF OAuth 2.0 RS functionality after upgrading to jansson

6/6/2014
- more changes for Debian packaging (1.5-3)

6/5/2014
- do not set Secure cookies for plain HTTP
- add warning/errors when configured hosts/domains do not match
- release 1.5
- changes for Debian packaging

6/4/2014
- fix passing integer claims on non-Mac OS X systems
- fix claims-based authorization with integer values (@martinsrom)
- fix getting the id_token from request state and error logging
- add AUTHORS file with credits
- migrate README to Markdown README.md

6/3/2014
- change JSON parser from https://github.com/moriyoshi/apr-json to http://www.digip.org/jansson/

6/2/2014
- handle X-Forwarded-Proto/X-Forwarded-Port when running behind a proxy/load-balancer
- release version 1.4

6/1/2014
- compile with OpenSSL <1.0 and but then disable Elliptic Curve verification
- fix jwks_uri setting in nested vhosts
- use OpenSSL_add_all_digests in initialization and EVP_cleanup on shutdown

5/31/2014
- README additions/improvements

5/29/2014
- correct big endian detection
- allow for key identification in JWKs based on thumbprint (x5t)

5/24/2014
- add cache destroy function and destroy shm cache resources on shutdown

5/23/2014
- doc corrections to auth_openidc.conf

5/22/2014
- add implementation of OP-initiated-SSO based on:
  http://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-01
- fix nonce caching for replay prevention

5/21/2014
- correct README on enabling Google+ APIs before applying the sample Google configs
- fix AuthNHeader setting and allow server-wide config too
- avoid segfault on corrupted/non- JSON/JWT input

5/20/2014
- fix URL assembly when running on non-standard port
- release 1.3

5/17/2014
- support outgoing proxy using OIDCOutgoingProxy
- correct sample configs in documentation for missing OIDCCookiePath
- support OIDCCookiePath in server-wide config as well

5/13/2014
- support configurable (custom) query parameters in the authorization request

5/12/2014
- support encrypted JWTs using A128KW and A256KW for the Content Encryption Key
- support A256CBC-HS512 encrypted JWTs
- support custom client JWKs URI

5/8/2014
- support encrypted JWTs using RSA1_5 and A128CBC-HS256

5/2/2014
- do not use ap_get_remote_host for browser fingerprinting

5/1/2014
- split out custom client config into separate <issuer>.conf file
- allow to override client_contact, client_name and registration_token in .conf file
- remove OIDCRegistrationToken command for the static OP config

4/29/2014
- support JWT verification of ES256, ES384 and ES512 algorithms

4/28/2014
- support configurable response_mode (fragment, query or form_post)
- use nonce in all flows except for OP Google and flows "code" or "code token"

4/26/2014
- make client secret optional (support self-issued OP)

4/25/2014
- support Hybrid flows

4/24/2014
- fix using Bearer token Authorization header on JSON POST calls
- support using a Bearer token on client registration calls

4/22/2014
- match request and response type 
- check at_hash value on "token id_token" implicit flow
- use shared memory caching by default
- release 1.2

4/19/2014
- store response_type in state and make state a JSON object

4/18/2014
- support RSASSA-PSS token signing algorithms (PS256,PS384,PS512)

4/17/2014
- improve session inactivity timeout handling

4/16/2014
- set REMOTE_USER and HTTP headers on OAuth 2.0 protected paths

4/15/2014
- add session inactivity timeout
- register all supported response_types during client registration and try
  to pick the one that matches the configured default
- use long timeouts on JWK retrieval calls
- allow for non-null but empty query parameters on implicit authorization response
- simplify azp/aud and nonce handling
- change session_type naming (to "server-cache"/"client-cookie")

4/14/2014
- factor out JOSE related code

4/3/2014
- add configurable claim name for the REMOTE_USER variable, optionally postfixed with the  url-encoded
  issuer value; the default for the remote username is "sub@" now, makeing it unique across OPs
- some refactoring of id_token validation functions
- add INSTALL, move auth_openidc.conf to main directory
- release 1.1

3/28/2014
- fix Require claim name mismatch for Apache 2.4
- fix hmac method/printout naming artifacts from earlier
auto-search-and-replace
- release v1.0.1

3/27/2014
- initial import named mod_auth_openidc
- updated README
- fix debian/changelog