Hello community,

here is the log from the commit of package apache2-mod_auth_openidc for openSUSE:Factory checked in at 2019-08-24 18:45:07
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_auth_openidc (Old)
 and /work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.7948 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2-mod_auth_openidc" Sat Aug 24 18:45:07 2019 rev:6 rq:725544 version:2.4.0 Changes: -------- --- /work/SRC/openSUSE:Factory/apache2-mod_auth_openidc/apache2-mod_auth_openidc.changes 2019-03-20 13:19:57.609334102 +0100 +++ /work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.7948/apache2-mod_auth_openidc.changes 2019-08-24 18:45:07.869764682 +0200 
@@ -1,0 +2,56 @@ +Thu Aug 22 20:40:24 UTC 2019 - Michael Ströder <mich...@stroeder.com> + +- Update to version 2.4.0 + +Important + * version 2.4.0 carries quite a number of relatively small changes (see: + Bugfixes and Features below) that are subtle but may impact runtime + behavior nevertheless; you should verify an upgrade in a test environment + before rolling out to production + * this release deprecates the OAuth 2.0 Resource Server functionality + which is now implemented as a separate module mod_oauth2. + +Bugfixes + * URL-encode client_id/client_secret when using client_secret_basic according to: + https://tools.ietf.org/html/rfc6749#section-2.3.1 + * fix parsing and caching of OIDCOAuthServerMetadataURL; thanks Lance Fannin + * fix oidc_proto_html_post auto-post-submit so it no longer results in + duplicate parentheses; closes #440; thanks @gobreak + * fix RSA JWK x5c parsing issue (e.g. when parsing n fails): explicitly set the kid into to JWK + * fix OIDCOAuthAcceptTokenAs post so POST data is propagated and not lost; see #443 + * fix JWT decryption crashing on non-null terminated input + * fix not clearing claims in session when setting claims to null; closes #445; thanks @FilipVujicic + +Features + * support refresh and access tokens revocation from an RFC 7009 endpoint + upon OIDC session logout + * make sure the content handler is called for every request to the + configured Redirect URI so all Apache processing is executed (e.g. 
+ setting headers with mod_headers) before returning the response; thanks + Don Sengpiehl (NB: this may affect browser behavior and backwards + compatibility) + * add ability to view session info in HTML via the session info hook via <redirect_uri)?info=html + * enable per-provider signing and encryption keys in multi-provider setups (with limitations) + * no longer use the fixup handler for environment variable setting but do it as part of the authn handler + * add logout_on_error option to OIDCRefreshAccessTokenBeforeExpiry to + kill the session when refreshing an access token fails; thanks @rickyepoderi + * be smart about picking the token endpoint authentication method when + not configured explicitly: don't choose the first one published by the OP + but prefer client_secret_basic if that is listed as well see: + panva/node-oidc-provider#514; thanks @richard-drummond and @panva + +Other + * remove option OIDCScrubRequestHeaders that allows for skipping + scrubbing request headers, thus avoiding potentially insecure setups + * log the original URL for expired state cookies, useful for debugging + SPA/JS issues + * add debug logs in oidc_proto_generate_random_string to allow for + spotting lack of entropy in the random number generator (on VM + environments) more easily + * add USE_URANDOM compile time option to use /dev/urandom explicitly for + non-blocking random number generation: configure with + APXS2_OPTS="-DUSE_URANDOM" + * allow removing an access token from the cache ("remove_at_cache") when + running in OAuth 2.0 RS mode only + +------------------------------------------------------------------- Old: ---- apache2-mod_auth_openidc-2.3.11.tar.gz New: ---- apache2-mod_auth_openidc-2.4.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2-mod_auth_openidc.spec ++++++ --- /var/tmp/diff_new_pack.IEENFF/_old 2019-08-24 18:45:08.661764606 +0200 +++ 
/var/tmp/diff_new_pack.IEENFF/_new 2019-08-24 18:45:08.661764606 +0200 @@ -19,7 +19,7 @@ %define apxs %{_sbindir}/apxs2 %define apache_libexecdir %(%{apxs} -q LIBEXECDIR) Name: apache2-mod_auth_openidc -Version: 2.3.11 +Version: 2.4.0 Release: 0 Summary: Apache2.x module for an OpenID Connect enabled Identity Provider License: Apache-2.0 ++++++ apache2-mod_auth_openidc-2.3.11.tar.gz -> apache2-mod_auth_openidc-2.4.0.tar.gz ++++++ ++++ 3219 lines of diff (skipped)
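
Review bot: In the apache2-mod_auth_openidc.changes hunk, the removal of OIDCScrubRequestHeaders is listed under "Other" but is a configuration-breaking change and belongs under "Important" next to the mod_oauth2 deprecation. If the directive is gone from the module, Apache rejects it as an invalid command at startup, so any vhost that still sets it fails after the upgrade. Two typos in the same entry are worth fixing while there: "<redirect_uri)?info=html" has mismatched brackets, and "set the kid into to JWK" has a stray word.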
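
Review bot: In the apache2-mod_auth_openidc.spec hunk only the Version line changes, yet the changelog for this same update introduces the USE_URANDOM compile-time option (APXS2_OPTS="-DUSE_URANDOM"). Either set it in the spec or state in the .changes entry that the package builds with the default random source, so users on VMs know which behaviour they get. The tarball diff is skipped (3219 lines), so the source changes behind the JWT decryption and header-scrubbing items cannot be checked from this message.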