08/08/2025
- release 2.1.1
07/31/2025
- fix URL decoding of HTTP request query parameters; see OpenIDC/ngx_openidc_module#24; thanks @drzraf
03/13/2025
- test: add a space after the status code in the HTTP responses; see curl/curl#16692; thanks @charles2910 and @bagder
- bump to 2.1.1dev
02/12/2025
- add updated AWS ALB JWKs retrieval supporting new "signer"/"region" logic and key rotation
closes: https://github.com/OpenIDC/mod_oauth2/issues/73
- release 2.1.0
01/02/2024
- update copyright year to 2025
09/13/2024
- add support for introspection.token_param_name; closes #57
09/11/2024
- add (optional) JQ support with caching in oauth2_jq_filter
- add "json_payload_claim" claim option to oauth2_cfg_target_pass_t
- make oauth2_jwt_create public in jose.h and add a json_payload parameter
- nginx: fix memory leak in _oauth2_nginx_ssl_cert_set
- bump to 2.1.0dev
08/22/2024
- change LICENSE to Apache 2.0
- release 2.0.0
08/02/2024
- correct error log upon mismatch in "iss" claim: id_token->JWT
06/24/2024
- allow to use local file through file:// protocol for metadata or jwks; see #51; thanks @pladen
- bump to 1.6.4dev
06/24/2024
- release 1.6.3
06/20/2024
- nginx: add nginx_oauth2_set_require to be used with OAuth2Require etc.
see OpenIDC/ngx_oauth2_module#7; thanks @smanolache and @pladen
06/19/2024
- add NGINX macros/functions for setting claim variables in the request context
see OpenIDC/ngx_oauth2_module#7; thanks @smanolache and @pladen
- allow NGINX primitives in an if block within a location block in the http block
- bump to 1.6.3dev
06/05/2024
- release 1.6.2
05/31/2024
- refactor NGINX port extraction so it works with NGINX >= 1.27.0; closes #49; thanks @anpin
- add PCRE2_CFLAGS to cache/server object linking
03/11/2024
- release 1.6.1
03/08/2024
- add support for RFC 8705 OAuth 2.0 Mutual-TLS Certificate-Bound Access Tokens to the NGINX binding
03/04/2024
- add support for Redis 6 ACL username based authentication; see: OpenIDC/mod_oauth2#63
- bump to 1.6.1dev
12/06/2023
- add support for the OAuth 2.0 Client Credentials grant type
- use libcurl version macro that works on older platforms
- release 1.6.0
11/08/2023
- update DPoP support to RFC 9449
- release 1.5.2
08/31/2023
- print out more cjose error details when errors occur verifying JWT access tokens
06/29/2023
- fix timing issue in check_openidc.c; closes #47
- bump to 1.5.2dev
04/19/2023
- add issuer validation for JWT access tokens when configured through OAuth2Verify metadata; closes #44; thanks @chris-crunchr
- release 1.5.1
04/14/2023
- add support for resolving provider metadata from a Discovery endpoint URL; see https://github.com/OpenIDC/ngx_openidc_module/issues/18
- bump to 1.5.1dev
03/22/2023
- add error logs about missing or invalid "active" boolean claim in introspection response
03/08/2023
- move repo to OpenIDC github organization
03/07/2023
- release 1.5.0
03/03/2023
- add support for regular expressions in Require statements; see https://github.com/zmartzone/mod_oauth2/discussions/39
- depend on libpcre2
- fix memory leak in _oauth2_jose_options_jwk_set_rsa_key when using OpenSSL 3.x
- bump to 1.5.0dev
03/01/2023
- add support for introspect.params; see https://github.com/zmartzone/mod_oauth2/discussions/44
- release 1.4.5.5
01/22/2023
- hack for el7/x86 where openssl 1.0.2 and openssl 1.1.1 are installed for respectively Apache and NGINX 1.20.1
- bump to 1.4.5.5rc0
01/21/2023
- revert header_add/header_set change
- release 1.4.5.4
01/20/2023
- don't add WWW-Authenticate header(s) but (over)write a single one; see zmartzone/mod_oauth2#42
- release 1.4.5.3
12/14/2022
- fix NGINX https schema detection
- bump to 1.4.5.3dev
12/06/2022
- change Apache module init info log
- release 1.4.5.2
11/30/2022
- initialize check_oauth2 properly; call OPENSSL_init_crypto for OpenSSL >= 1.1.0
11/23/2022
- add JANSSON_LIBS to apache/nginx LIBADD; closes #40; thanks @pskopnik
- bump to 1.4.5.2dev
08/22/2022
- fix concurrency issue when using OAuth2Verify metadata; see #37; thanks @rtitle
- fix memory leak in cURL writeback function
- release 1.4.5.1
07/28/2022
- fix memory leak when using OAuth2Verify metadata
07/27/2022
- use main request for Apache request contexts
- set refresh to true when getting jwks_uri results from cache
- print warning when cjose_jws_verify fails
- avoid using cjose_jwk_retain because it is not thread safe
- release 1.4.5
06/24/2022
- add cjose, curl and ssl to liboauth2.pc.in
- add curl and cjose flags to liboauth2_cache_la_CFLAGS
04/16/2022
- fix file cache so we do not try to remove a file that was cleaned just before; see #33
- fix tests for client_secret_jwt and private_key_jwt so encoded JWT comparison works for cjose >= 0.6.2
- release 1.4.4.2
03/06/2022
- add support for OpenSSL 3.0; closes #31
- bump to 1.5.0dev
03/03/2022
- fix race condition and potential crash in curl usage in oauth2_url_decode
see zmartzone/mod_oauth2#27; thanks @rtitle
- release 1.4.4.1
12/23/2021
- allow deprecated declarations to build with OpenSSL 3.0; see #31
- release 1.4.4
12/22/2021
- hash the cache encryption key to a string instead of bytes
- Makefile.am improvements:
  - move OpenSSL libs to generic libraries so cache files compile with the right flags
  - use ${srcdir} to conform to distcheck
- add GitHub Actions CI; remove Travis
10/12/2021
- make outgoing_proxy an endpoint property
- accommodate for NULL key in oauth2_cache_get and oauth2_cache_set
- release 1.4.3.2
10/11/2021
- add outgoing_proxy option to verify context
- correct remote_user debug printout
- release 1.4.3.1
06/21/2021
- print out remote username claim when not found, for debugging purposes
06/10/2021
- use encrypted JWTs for storing encrypted cache contents and avoid using static AAD/IV
closes #26; thanks @niebardzo
- avoid memory leaks on JWT validation errors
- release 1.4.3
06/07/2021
- correct iat slack validation defaults, see https://github.com/zmartzone/mod_oauth2/discussions/20
thanks @DrakezulsMinimalism
- release 1.4.2.1
05/28/2021
- add Travis and LGTM
05/25/2021
- set memory alignment of shm cache structs to 64 bytes; see #21 and #24
- release 1.4.2
04/19/2021
- apache: use include directory from APXS; thanks @abbra
- pass missing argument to oauth2_error in _oauth2_dpop_jti_validate; thanks @abbra
02/02/2021
- avoid creating files for anonymous shared memory segments; see #18
- release 1.4.1
01/30/2021
- fix Apache cleanup routines; see zmartzone/liboauth2#18 and zmartzone/mod_oauth2#7
01/26/2021
- add support for RFC 8705 OAuth 2.0 Mutual-TLS Certificate-Bound Access Tokens
https://tools.ietf.org/html/rfc8705; thanks @vdzhuvinov
12/23/2020
- use per-process semaphore locking to prevent multi-process issue; see #18
- release 1.4.0.1
12/21/2020
- release 1.4.0
12/03/2020
- add oauth2_cfg_openidc_set_options for configurable state cookie handling
12/02/2020
- cleanup OIDC expired/superfluous state cookies; closes zmartzone/ngx_openidc_module#6
11/13/2020
- add support for PKCE
11/12/2020
- separate OpenID client configs and named providers
- fix parsing in oauth2_cfg_set_flag_slot
- add configurable state and session cookie paths
11/11/2020
- fix session cache handler cloning
- support configurable cookie path for session cookie
11/09/2020
- refactored caching; use named caches consistently
11/08/2020
- use endpoint more consistently
- harmonize naming of endpoint, endpoint auth and ropc
11/07/2020
- don't use automake config.h; closes #10; thanks @babelouest
10/07/2020
- add support for DPOP bound access tokens
- bump to 1.4.0-dev
02/27/2020
- lock access to cache globals
- log corrections and improvements
02/26/2020
- resolve some TODOs; valgrind
- bump to 1.3.0
02/25/2020
- change to named sessions
02/21/2020
- add serialized id_token to session
- externalize oauth2_jose_jwt_verify and allow verification context to be NULL
- bump to 1.2.5
02/13/2020
- add userinfo endpoint request and claims
- bump to 1.2.4
- change to named cache configurations
02/10/2020
- implement session expiry checks
- bump to 1.2.3
02/05/2020
- add missing ROPC config functions
- bump to 1.2.2
02/04/2020
- add generic endpoint config struct and ROPC client capability
- bump to 1.2.1 and bump copyright year
01/31/2020
- sane session cfg defaults
09/12/2019
- change http request header function naming
- more openidc handling
- bump to 1.2.0
09/02/2019
- fix type (auth->client_secret_jwt.aud = NULL); closes #3; thanks @pengjiaoyang
08/19/2019
- add first outline of openidc and sessions
07/03/2019
- return status code from HTTP callouts
- bump to version 1.1.1
07/01/2019
- encapsulate oauth2_log_sink_t
- bump to version 1.1.0
05/20/2019
- add Apache Require claim authorization functions
- bump to version 1.0.1
03/22/2019
- initial import of version 1.0.0