ChangeLog

10/10/2017
- avoid crash when no scheme is set on OIDCProviderMetadataURL; closes #303; thanks @iconoeugen
- bump to 2.3.3rc1

10/6/2017
- avoid crash when no OIDCOAuthClientID is set for remote access token validation
- don't enforce "iat" slack checks on locally validaed JWT access tokens
- bump to 2.3.3rc0

09/18/2017
- release 2.3.2

09/11/2017
- fix "graceful" restart for shm/redis cache backends; see #296
- bump to 2.3.2rc8

09/05/2017
- optionally remove request object parameters from the authorization request URL with "copy_and_remove_from_request"; see #294
- bump to 2.3.2rc7

08/29/2017
- properly support JSON boolean values in metadata .conf files
- add regex substitution for *RemoteUserClaim; thanks @hihellobolke
- bump to 2.3.2rc6

08/27/2017
- add issuer specific redirect URI option ("issuer_specific_redirect_uri") for multi-provider setups to mitigate IDP mixup
- bump to 2.3.2rc5

08/20/2017
- fix public clients; add endpoint authentication method "none"
- bump to 2.3.2rc4

08/02/2017
- update experimental token binding support to https://tools.ietf.org/html/draft-ietf-tokbind-ttrp-01
  and use header names prefixed with "Sec-"; depends on mod_token_binding >= 0.3.4 now
- bump to 2.3.2rc3

08/01/2017
- don't abort when mutex operations fail
- printout textual descriptions of errors returned by mutex operations
- bump to 2.3.2rc2

07/28/2017
- fix issue with the combination of shared memory (shm) cache and using encryption (OIDCCacheEncrypt On)
  where the cache value would be corrupted after the first (successful) retrieval
- bump to 2.3.2rc1

07/27/2017
- support paths that are relative to the Apache root dir for:
  OIDCHTMLErrorTemplate, OIDCPublicKeyFiles, OIDCPrivateKeyFiles,
  OIDCOAuthVerifyCertFiles, OIDCClientTokenEndpointCert, OIDCClientTokenEndpointKey,
  OIDCOAuthIntrospectionEndpointCert and OIDCOAuthIntrospectionEndpointKey
- bump to 2.3.2rc0

07/19/2017
- handle multiple values in X-Forwarded-* headers as to better support chains of reverse proxies in front of mod_auth_openidc
- log request headers in oidc_util_hdr_in_get
- release 2.3.1

07/13/2017
- remove A128GCM/A192GCM from the supported algorithms in docs/auth_openidc.conf
  because cjose doesn't support A128GCM and A192GCM (yet)
- bump to 2.3.1rc5

07/09/2017
- refactor oidc_get_current_url_port so that it assumes the default port when
  X-Forwarded-Proto has been set; closes #282 and may address #278
- bump to 2.3.1rc4

07/07/2017
- use the defined name (`Provided-Token-Binding-ID`) for the provided token binding ID HTTP header
  see: https://tools.ietf.org/html/draft-campbell-tokbind-ttrp-00#section-2.1
  depends on mod_token_binding >= 0.3.0 now
- bump to 2.3.1rc3

06/29/2017
- support sending the authentication request via HTTP POST through HTML/Javascript autosubmit
- bump to 2.3.1rc2

06/28/2017
- support private_key_jwt and client_secret_jwt as client authentication methods for token introspection
- bump to 2.3.1rc1

06/22/2017
- fix bug where token_endpoint_auth set to private_key_jwt would fail to provide the credential if client_secret wasn't set
- bump to 2.3.1rc0

06/13/2017
- release 2.3.0

06/07/2017
- fix file cache backend: allow caching of non-filename friendly keys such as configuration URLs and JWKs URIs
- enable JQ-based claims expression matching when compiled from source with --with-jq=<dir>, e.g.:
  Require claims_expr '.aud == "ac_oic_client" and (.scope | index("profile") != null)'
- normalize cache backend logging
- bump to 2.3.0rc3

06/06/2017
- avoid cleaning our own state cookie twice when it is expired
- bump to 2.3.0rc2

06/02/2017
- refactor remote user handling so it allows for postfixing with the issuer value after applying the regex
- bump to 2.3.0rc1

05/31/2017
- add support for custom actions to take after authorization fails with OIDCUnAutzAction
  this enables stepup authentication scenarios when combined with the following:
- add OIDCPathAuthRequestParams that is configurable on a per-path basis and use OIDCAuthRequestParams for the static per-provider value
- add OIDCPathScope that is configurable on a per-path basis and concatenate with OIDCScope as static per-provider value
- support 3rd-party-init-SSO with additional authentication request params when a single static provider has been configured
- add support for an empty OIDCClaimPrefix; can be used with OIDCWhiteListedClaims to protect selected headers
- bump to 2.3.0rc0

05/30/2017
- support sending Authorization Request as "request" object in addition to "request_uri"; thanks @suttod
- support nested claim matching in Require directives; thanks @suttod
- support explicitly setting the "kid" of the private key in OIDCPrivateKeyFiles; thanks @suttod

05/25/2017
- fix cache fallback so it happens (when enabled) only after failure

05/19/2017
- make OIDCStripCookies work on AuthType oauth20 paths; closes #273; thanks Michele Danieli
- bump to 2.2.1rc6

05/18/2017
- fix parse function of OIDCRequestObject configuration option; thanks @suttod 

05/17/2017
- avoid crash when the X-Forwarded-Proto header is not correctly set by a reverse proxy in front of mod_auth_openidc

05/14/2017
- support JWT verification against multiple keys with no provided kid by looping over the provided keys with cjose 0.5.0
- remove OIDC RP certification files; moved to separate repository

05/04/2017
- improve documentation for OIDCCryptoPassphrase; closes #268

04/30/2017
- fix wrong return value for cache_file_set in the file cache backend (OIDCCacheType file); thanks Ernani Joppert Pontes Martins
- bump to 2.2.1rc5

04/29/2017
- correctly log success/failure in cache_file_set
- avoid decoding a JSON object and logging an error when the input is NULL
  e.g. when claims have not been resolved because userinfo endpoint is not set

04/20/2017
- support relative RedirectURIs; closes #200; thanks @moschlar
- don't assume that having OIDCCryptPassphrase set means we should validate the config for
  openid-connect since it can now also be used to encrypt (auth20) cache entries
- bump to 2.2.1rc4

04/08/2017
- fix potential crash on prefork process exit when used with Redis cache backend (3x)
- bump to 2.2.1rc3

04/06/2017
- change warn log about missing token binding ID to debug log

04/05/2017
- allow for high session inactivity timeout max value
- improve error message in oidc_util_http_send when ap_pass_brigade fails and mention possible interference with mod_deflate
- bump to 2.2.1rc0

03/30/2017
- merge feature branch back to master:
  - better support for Single Page Applications, see:
    https://github.com/pingidentity/mod_auth_openidc/wiki/Single-Page-Applications
    - add session info hook that is configurable through OIDCInfoHook
    - add "AuthType auth-openidc" option that allows both "oauth20" and "openid-connect" on the same path
  - add encryption for all cache entries instead of just session data through OIDCCacheEncrypt
  - add cookie SameSite flag/policy through OIDCCookieSameSite
  - return HTTP 200 on OPTIONS requests to (unauthenticated) "oauth20" paths
  - add fallback to a by-value session cookie if the primary session cache fails with OIDCSessionCacheFallbackToCookie
  - add support for black- and/or white-listing claims with OIDCBlackListedClaims and OIDCWhiteListedClaims
  - add prototype token binding support in conjunction with:
    https://github.com/zmartzone/mod_token_binding:
    - for state & session cookies, see:
      https://github.com/TokenBinding/Internet-Drafts
    - for ID tokens with OpenID Connect Token Bound Authentication support, see:
      http://openid.net/specs/openid-connect-token-bound-authentication-1_0.html
    - for Authorization Codes with OAuth 2.0 Token Binding for Authorization Codes, see:
       https://tools.ietf.org/html/draft-ietf-oauth-token-binding
  - refactoring:
    - refactor session state, proto state and headers into getters/setters functions
    - refactor PKCE support
  - fix removing session state from cache on logout
  - fix clearing chunked session cookies on logout; closes #246; thanks @Jharmuth
- release 2.2.0

02/20/2017
- security fix: scrub headers for "AuthType oauth20"
- release 2.1.6 

02/15/2017
- improve logging of session max duration and session inactivity timeout
- refactor so that the call to the refresh hook also resets the session inactivity timeout and passes tokens down

02/14/2017
- treat only "X-Requested-With: XMLHttpRequest" header as a non-browser client; closes #228 ; thanks @mguillem
- improve error message on state timeout; closes #226; thanks @security4java

02/09/2017
- correctly parse "kid" in OIDCPublicKeyFiles and OIDCOAuthVerifyCertFiles; thanks Alessandro Papacci
- bump to 2.1.6rc2

02/07/2017
- fix parsing of mandatory/optional attribute in OIDCOAuthTokenExpiryClaim; closes #225; thanks Alessandro Papacci
- bump to 2.1.6rc1

02/06/2017
- improve logging around the availability of session management; closes #223

02/02/2017
- interpret OIDCUnAuthAction also when the maximum session duration has been exceeded; see #220
- bump to 2.1.6rc0

01/30/2017
- security fix: scrub headers when `OIDCUnAuthAction pass` is used for an unauthenticated user
- release 2.1.5

01/29/2017
- fix error message about passing id_token with session type client-cookie; mentioned in #220
- bump to 2.1.5rc0

01/25/2017
- release 2.1.4

01/18/2017
- don't echo the query parameters on the error page when an invalid request is made to the Redirect URI; closes #212; thanks @LukasReschke

01/14/2017
- use dynamic memory buffer for writing HTTP call responses; solves curl/mpm-event interference; see #207
- bump to 2.1.4rc1

01/10/2017
- don't crash when data is POST-ed to the redirect URL, it has just 1 POST parameter and it is not "response_mode"

01/2/2017
- remove trailing linebreaks from input in test-cmd tool
- bump copyright year to 2017

12/14/2016
- support Libre SSL, see #205, thanks @AliceWonderMiscreations
- update OIDC logout support to Front-Channel Logout 1.0 draft 01: http://openid.net/specs/openid-connect-frontchannel-1_0.html
- bump to 2.1.4rc0

12/13/2016
- release 2.1.3

12/12/2016
- don't rollover session id's and keep the same session cookie name for cache storage over session updates
- bump to 2.1.3rc0

11/19/2016
- release 2.1.2

11/18/2016
- fix crash when searching for keys with a kid, there's no initial match and x5t values exist for the non-matching keys; closes #196

11/9/2016
- remove stale claims from session when refreshing them from the userinfo endpoint fails; addresses #194
- release 2.1.1

11/8/2016
- log readable error messages when memcache operations fail

11/6/2016
- fix memory leak when skipping jwks_uri keys with a non-matching "use" value

11/4/2016
- always restore id_token/claims on sub-requests so e.g. listing claims-protected subdirectories will work
- remove obsolete functions for storing the session in the request state
- bump to 2.1.1rc0

11/3/2016
- remove obsolete sessions from session cache; thanks @stevedave

11/1/2016
- release version 2.1.0

10/28/2016
- don't include encryption keys from the jwks_uri when verifying a JWT and no kid has been specified
- fix memory leaks in composite claim handling

10/27/2016
- handle aggregated and distributed claims from the userinfo endpoint
- only pick private_key_jwt token endpoint authentication if a private key is configured; closes #189
- bump to 2.0.1rc7

10/24/2016
- add OpenID Connect RP certification test script
- handle non-integer exp/iat timestamps; closes #187; thanks @drdivano

10/21/2016
- bugfix: first truncate files before writing them
- support refreshing provider metadata based on timestamp and OIDCProviderMetadataRefreshInterval

10/20/2016
- bugfix: correctly truncate encryption keys derived from client secret for algorithms that require a key size < 256 bits
- add test/test-cmd tool
- bugfix: return error on session cache failures; closes #185; thanks @solsson
- bump to 2.0.1rc6

10/18/2016
- bugfix: JWTs with a header that doesn't specify a `kid` that would not validate when used with more than 1 key; closes #184; thanks @solsson
- bump to 2.0.1rc5

10/13/2016
- urlencode provider URL cache key to fix file cache backend issue; closes #179, thanks @djahandarie

10/9/2016
- fix null pointer segfault in debug printout in oidc_util_read_form_encoded_params
- fix OIDCOAuthAcceptTokenAs parsing flaw introduced in 2.0.0rc5
- bump to 2.0.1rc4

10/2/2016
- support presenting the access token to the userinfo endpoint in a POST parameter
- bump to 2.0.1rc3

9/30/2016
- support WebFinger Discovery with URL-style user identifiers

9/28/2016
- fix memory leak in oidc_jwk_to_json
- add "remove_at_cache" hook; addresses #177
- bump to 2.0.1rc2

9/27/2016
- add support for Request URI with signed and/or encrypted Request Objects
- bump to 2.0.1rc1

9/22/2016
- refuse webfinger responses with an href value that is not on secure https
- add userinfo JWT response verification and decryption

9/20/2016
- log the JWT header before optional decryption is applied

9/19/2016
- check that a sub claim returned from the userinfo endpoint matches the one in the id_token
- fix issue in oidc_metadata_parse_url so that static default would not be honored
  - this only affected server-wide OIDCClientJwksUri usage in dynamic client registration
- non-functional changes for OIDC RP certification:
  - explicitly log the client authentication method when calling the token endpoint
  - log the keys that are included for token verification
- bump to 2.0.1rc0

9/9/2016
- fix overriding provider token endpoint auth with static config when not set in .conf file
- don't add our own cookies to the incoming headers
- allow stripping cookies from the Cookie header sent to the application/backend with OIDCStripCookies
- release 2.0.0

9/5/2016
- encapsulate (sub-)directory config handling and fix merging so values can be set back to default values in subdirs
- bump to 2.0.0rc5

9/2/2016
- fix JWK creation when no client secret is set e.g. in Implicit flows; closes #168; thanks @asc1
- bump to 2.0.0rc4

9/1/2016
- fix HTML decoding of OIDCPreservePost data; closes #165
- limit max POST data size to 1Mb
- allow chunked data in POST handling; revise handler
- change preserve POST JSON data format to urlencoded for performance reasons

8/31/2016
- allow setting the token endpoint authentication method in the .conf file (for dynamic client registration that sets the .client)

8/30/2016
- pass refresh token in header/environment variable with OIDCPassRefreshToken; thanks Amit Joshi
- fix front-channel img-style logout with newer versions of PingFederate that don't send an Accept: image/png header

8/29/2016
- preserve POST data across authentication requests and discovery with OIDCPreservePost
- bump to 2.0.0rc3

8/24/2016
- fix parsing of OIDCOAuthAcceptTokenAs to accept options following ":"
- bump to 2.0.0rc2

8/5/2016
- delete the debian directory
- rename OIDCOAuthTokenEndpointCert/Key to OIDCOAuthIntrospectionEndpointCert/Key
- pre-release 2.0.0rc1

7/30/2016
- encrypt state/session JWT cookies and session JWT cache values for non-shm storages

7/29/2016
- use cjose - https://github.com/cisco/cjose (master) - for JOSE functions
- use stricter input parsing functions for configuration values
- bump to 2.0.0rc0

7/21/2016
- support TLS client authentication to token and introspection endpoints
- bump to 1.9.0rc3

7/19/2016
- add support for chunked session cookies; closes #153; thanks @glatzert 
- bump to 1.9.0rc2

7/9/2016
- fix Elliptic Curve signature verification for corrupted input
- support OpenSSL 1.1.x
- bump to 1.9.0rc1

7/5/2016
- use AUTHZ_DENIED instead of HTTP_UNAUTHORIZED in oidc_authz_checker; closes #151; thanks @gwollman
- use signed JWTs for state/session cookies
- achieve smaller client-cookie sizes for regular cases; no id_token is stored in the session:
  - (optional) id_token_hint no longer available in session management calls (logout/prompt=none) with "OIDCSessionType client-cookie"
  - "OIDCPassIDTokenAs serialized" is not available with "OIDCSessionType client-cookie"
- bump to 1.9.0rc0

6/27/2016
- use EVP_CIPHER_CTX_new to avoid compilation errors with OpenSSL 1.1.0
- release 1.8.10

6/22/2016
- don't use local port setting for current URL determination when X-Forwarded-Host has been set
- bump to 1.8.10rc4

6/20/2016
- fix memory leak in OAuth access token introspection result caching (introduced only in 1.8.10rc0)
- fix setting private_key_jwt or client_secret_jwt with OIDCProviderTokenEndpointAuth
- bump to 1.8.10rc3

6/19/2016
- allow setting OIDCRemoteUserClaim with values obtained from the userinfo endpoint; thanks @steve-dave
- fix OIDCUnAuthAction pass mode for Apache 2.4 and in case `Require claim` primitives used for 2.4 and 2.2; thanks @steve-dave
- bump to 1.8.10rc2

6/15/2016
- add support for JWT based client authentication to the token endpoint (client_secret_jwt, private_key_jwt)
- bump to 1.8.10rc1

6/9/2016
- add per-path configurable token introspection result cache expiry with OIDCOAuthTokenIntrospectionInterval
- bump to 1.8.10rc0

6/5/2016
- release 1.8.9

5/9/2016
- support 410 option on OIDCUnAuthAction; closes #141
- bump to 1.8.9rc6

5/1/2016
- avoid segmentation fault on invalid OIDC configuration when OIDCRedirectURI is not set; fixes #138; thanks @brianwcook
- bump to 1.8.9rc5

4/18/2016
- fix get_current_url (proxy) case where r->parsed_uri.path would be null

4/13/2016
- improve X-Forwarded-Host handling over Host in a) port detection and b) remove port from host value
- bump to 1.8.9rc4

4/10/2016
- do not require OIDCClientSecret in configs; allows for Implicit grant without setting a dummy client secret; closes #130
- allow for public clients calling the token endpoint
- bump to 1.8.9rc3

4/9/2016
- ensure that claims from id_token are available for authz also when OIDCPassIDTokenAs does not contain "claims"; closes #129
- bump to 1.8.9rc2

4/3/2016
- return WWW-Authenticate header and error messages on OAuth paths where access is not granted; closes #124; thanks @spinto
- bump to 1.8.9rc1

4/1/2016
- apr_jwe_decrypt_content_aesgcm() null terminate string, #128, thanks @jdennis
- bump to 1.8.9rc0

3/10/2016
- release 1.8.8

3/7/2016
- issue a warning if the "openid" scope is not requested

3/6/2016
- sanitize the OIDCAuthNHeader value before setting the header; thanks @rfk
- bump to 1.8.8rc7

3/5/2016
- log exact version of OpenSSL and EC/GCM/Redis support
- tidy up auth_openidc.conf docs
- bump to 1.8.8rc6

2/26/2016
- add option to refresh claims from the userinfo endpoint using OIDCUserInfoRefreshInterval; see #119
- merge id_token claims in to the set of claims used for authorization for Apache >=2.4; see #120
- bump to 1.8.8rc5

2/23/2016
- make state cookie a session cookie and clean expired cookies on entry (merge of fix-firefox-cookie-storage)
- fix HTML error template initialization in vhosts
- bump to 1.8.8rc4

2/22/2016
- don't authenticate (redirect/state) when X-Requested-With header exists; as suggested in #113
- bump to 1.8.8rc3

2/18/2016
- pass plain state to the token endpoint on code flows: https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01
- fix loose (prefix-only) matching of cookie names
- allow passing OAuth bearer token as a cookie (OIDCOAuthAcceptTokenAs extension for PingAccess)
- bump to 1.8.8rc2

2/11/2016
- include token_endpoint_auth_method in dynamic client registration request, set to selected method from provider

2/10/2016
- Elliptic Curve support now requires OpenSSL 1.0.1 detection
- bump to 1.8.8rc1

1/14/2016
- add support for passing in OAuth bearer tokens as one or more of: header, post param or query param (OIDCOAuthAcceptTokenAs)
- bump to 1.8.8rc0

1/8/2016
- release 1.8.7

1/7/2016
- update copyright year

12/17/2015
- enforce strict matching of issuer in Discovery document against the originally requested issuer
- check iss/client_id if present in an authentication response
- push a hash of state to the token endpoint on code flows
- bump to 1.8.7rc4

12/9/2015
- improve debug logging around session management capabilities (i.e. enabled/disabled)
- return 404 for op/rp iframes if session management is not enabled
- bump to 1.8.7rc3

12/4/2015
- add support for RFC 7636 PKCE plain & S256 https://tools.ietf.org/html/rfc7636
- bump to 1.8.7rc2

12/3/2015
- fix crash when using a custom error template and the error description is NULL
- fix crash when target_link_uri is not a valid URI or parts are empty
- fix memory corruption when using custom html template across different server requests; closes #106
- bump to 1.8.7rc1

11/18/2015
- fix compiler warning on double sizeof call; close #103; thanks to @dcb314
- bump to 1.8.7rc0

10/26/2015
- add option to make session cookie persistent; closes #97
- release 1.8.6

10/19/2015
- add support for applying a custom HTML error template with OIDCHTMLErrorTemplate
- bump to 1.8.6rc3

10/12/2015
- check the cookie domain that the session was created for against the configured domain
- log a warning if the Set-Cookie value length is greater than 4093 bytes
- include and prioritize the X-Forwarded-Host header in hostname determination
- allow for missing Host header i.e. HTTP 1.0
- return DONE instead of HTTP_UNAUTHORIZED with Discovery page (prevent double HTML in HTTP 1.0)
- use apr_strnatcmp instead of strcmp in util.c and mod_auth_openidc.c
- bump to 1.8.6rc2

10/9/2015
- support subdomain cookies in OIDCCookieDomain checks; PR #96, thanks @pfiled
- bump to 1.8.6rc1

10/6/2015
- add key identifier ("kid") option to `OIDCOAuthVerifySharedKeys`, `OIDCOAuthVerifyCertFiles` and `OIDCPublicKeyFiles` configs
- bump to 1.8.6rc0

9/21/2015
- support (non-sid-based) HTTP logout: http://openid.net/specs/openid-connect-logout-1_0.html
- release 1.8.5

9/16/2015
- improve logging on provider/client/conf metadata parsing failures; closes #94
- bump to 1.8.5rc7

9/9/2015
- fix parsing of OIDCOAuthTokenExpiryClaim, thanks to @bester #90
- bump to 1.8.5rc6

9/4/2015
- add CSRF protection to external Discovery as well
- allow browser back after authorization response, see #89
- handle invalid (expired) authorization response state by sending the user to OIDCDefaultURL, see #86
- bump to 1.8.5rc5

8/26/2015
- add CSRF protection to Discovery
- bump to 1.8.5rc4

8/19/2015
- support encrypted JWTs using A192KW for key encryption and A192CBC-HS384 for content encryption
- bump to 1.8.5rc3

8/15/2015
- support encrypted JWTs using RSA-OAEP for key encryption and A128GCM,A192GCM,A256GCM for content encryption
- bump to 1.8.5rc2

8/4/2015
- support for OIDCUnAuthAction: how to act on unauthenticated requests (OIDCReturn401 is deprecated)
- bump to 1.8.5rc1

7/15/2015
- add authentication option for Redis server with OIDCRedisCachePassword
- bump to 1.8.5rc0

7/3/2015
- allow for compilation on Windows using VS 2013
- bump to 1.8.4

6/30/2015
- improve memcache logging: don't report cache misses as an error, thanks to @scottdear
- work around JSON timestamp print modifier issue (%lld) on some platforms, thanks to @ralphvanetten
- bump to 1.8.4rc3

6/24/2015
- support passing claims as environment variables (OIDCPassClaimsAs)
- bump to 1.8.4rc1

6/22/2015
- correct debug printout in oidc_util_read_form_encoded_params

6/20/2015
- avoid double free of JWT after parsing errors have been encountered
- bump to 1.8.4rc0

6/19/2015
- make public keys for encrypted access tokens available in OAuth-only configurations; fixes #74
- remove exceptions for accounts.google.com since Google is OpenID Connect compliant now
- release 1.8.3

6/15/2015
- add a complete JWT sample that includes validation of "exp" and "iat" to the test suite

6/10/2015
- allow JSON string values for the "active" claim in access token validation responses
- bump to 1.8.3rc4

6/7/2015
- improve error logging on non-supported JWT signing/encryption algorithms
- bump to 1.8.3rc3

5/31/2015
- merge id_token ("iss"!) and user info claims for authz processing
- bump to 1.8.3rc2

5/29/2015
- fix hash comparison when padded, thanks to @steverc as mentioned in #65
- fix post-logout URL being set to SSO URL
- add post-logout URL validation, thanks to @davidbernick
- bump to 1.8.3rc1

5/18/2015
- fix OpenSSL version detection for Elliptic Curve support in apr_jwt_signature_to_jwk_type: include opensslv.h
- fix hash length calculation for Elliptic Curve algorithms
- release 1.8.2

5/5/2015
- release 1.8.1

4/21/2015
- allow setting OIDCDiscoverURL inside of Directory and Location directives as well
- bump to 1.8.1rc5

4/20/2015
- allow setting OIDCCookie outside of Directory and Location directives as well
- bump to 1.8.1rc4

4/17/2015
- add support for applying regular expressions to OIDCRemoteUserClaim and OIDCOAuthRemoteUserClaim
- bump to 1.8.1rc3

4/12/2015
- make token expiry parsing of introspection result configurable (OIDCOAuthTokenExpiryClaim)
- increase SHM cache key size from 255 to 512 (allows for JWT access tokens cache keys for introspection result)
- bump to 1.8.1rc2

4/1/2015
- avoid timing attacks on symmetric key signature/hash comparisons as pointed out by @timmclean
- bump to 1.8.1rc1

3/19/2015
- merge #57: fix build with OpenSSL <1.0 re. apr_jws_signature_is_ec (thanks to @szakharchenko)

2/26/2015
- release 1.8.0

2/23/2015
- avoid including line feeds in header values (thanks to @forkbomber and @ekanthi)
- bump to 1.8.0rc5

2/16/2015
- fix free() crash on simple-valued error printouts
- fix returning keys without a "kid"
- fix searching for keys with a "x5t" thumbprint
- refactor response type handling; more strict matching of requested response type
- make compiled in Redis support optional
- fix oauth.introspection_endpoint_method in initialization
- bump to 1.8.0rc4

2/15/2015
- add support for configurable introspection HTTP method (OIDCOAuthIntrospectionEndpointMethod)
- add preliminary support for GET-style logout
- bump to 1.8.0rc2

2/12/2015
- add support for configuration of maximum session duration
- bump to 1.8.0rc1

2/9/2015
- check JWT signature against all configured keys (jwks_uri) if no "kid" is provided, not just the first one
- revise JOSE JWS handling part 2
- complete support for local JWT access token validation
- bump to 1.8.0rc0

2/5/2015
- fix symmetric key decryption of JWTs (A128CBC-HS256/A256CBC-HS512)
- sha256 client secrets before using them as symmetric keys for decryption
- extended decryption test coverage; avoid double printouts on error
- refactor JWT header parsing
- simplify JWK URI refresh handling
- release 1.7.3

2/4/2015
- revise JOSE JWK handling part 1
- change change target_uri parameter name to target_link_uri following draft-bradley-oauth-jwt-encoded-state-03
- extended tests with stubs
- refactor JWT validation (iss, exp, iat)
- fix memory leak with RSA key conversion in apr_jwk.c - apr_jwk_rsa_bio_to_key
- bump to 1.7.3rc4

1/25/2015
- Allow {... "error": null ...} in JSON responses. (@fatlotus)

1/22/2015
- fix configuration validation check where no config would be checked if OIDCProviderIssuer is set
  but both OIDRedirectURI and OIDCCryptoPassphrase are not set
- add preliminary support for local JWT access token validation
- bump to 1.7.3rc1
- sanitize set cookie syntax (get rid of extraneous ";")

1/21/2015
- add support for OIDCOAuthIntrospectionTokenParamName (incl. Google OAuth 2.0 access token validation)
- add a sample OAuth 2.0 config for Google access tokens to README.md
- release 1.7.2

- add APXS2_OPTS to configure.ac to accommodate RPM builds
- bump to 1.7.3rc0
- fix JWT timestamp (iat/exp) initialization issue
- fix README.md on Google's scope required for returning the "hd" claim

1/14/2015
- add Apache function stubs to enable extending the scope of tests
- add tests for oidc_proto_validate_access_token and oidc_proto_validate_code
- bump to 1.7.2rc3

1/12/2015
- improve accuracy of expired/invalid session handling

1/11/2015
- add error type and return values to JOSE functions
- fix return result on error in function that decrypts CEK
- bump to 1.7.2rc2

1/1/2015
- update copyright to 2015
- use json_int_t (seconds) for "exp" and "iat" fields, instead of apr_time_t (microseconds) 
- correct expiry debug printout
- bump to 1.7.2rc1

12/15/2014
- fix Redis reconnect behavior: avoid keep reconnecting after first failure
- bump to 1.7.2rc0

12/12/2014
- support passing cookies specified in OIDCPassCookies from browser on to OP/AS calls (for loadbalancing purposes)
- release 1.7.1
- document OIDCPassCookies in auth_openidc.conf

12/10/2014
- reconnect to the Redis server after I/O failure as raised in #43
- bump to 1.7.1rc4

12/8/2014
- return http 500 when detecting requests that will loop on return
- bump to 1.7.1rc3

12/3/2014
- require the expiring access_token on the refresh hook for XSRF protection
- pass error codes back to the caller when the refresh hook fails
- bump to 1.7.1rc2

12/2/2014
- improve handling of non-string (=non-compliant) error responses

11/26/2014
- make shared memory cache entry max size configurable through OIDCCacheShmEntrySizeMax
- add OIDCReturn401 configuration primitive
- bump to 1.7.1rc1

11/11/2014
- allow OIDCRedirectURI's with an empty path and fix crash; thanks to @CedricCabessa

11/9/2014
- support for adding configurable JSON parameters to Dynamic Client Registration requests

11/5/2014
- release 1.7.0

10/30/2014
- correct expires_in conversion
- first stab at HTML templating and make all html HTML 4.01 Strict compliant
- bump to 1.7.0rc4

10/29/2014
- document refresh flow

10/28/2014
- scrub all OIDC_ headers
- add support for the refresh_token flow + hook
- pass the expires_in as an absolute timestamp in OIDC_access_token_expires
- use a global mutex for the Redis cache
- bump to 1.7.0rc3

10/27/2014
- generalize support for OAuth 2.0 token introspection and conform to:
  https://tools.ietf.org/html/draft-ietf-oauth-introspection-00

10/26/2014
- support regular expressions in Require statements

10/24/2014
- add support for Redis cache backend; there's a dependency on hiredis headers/library now

10/21/2014
- refactor nonce generation and remove base64url padding from value

10/13/2014
- add libssl-dev to Debian control build dependencies
- release 1.6.0

10/6/2014
- apply html encoding to error display
- bump version number to 1.6.0rc4

10/2/2014
- avoid crash when downloading metadata from OIDCProviderMetadataURL fails
- set OIDCProviderMetadataURL retrieval interval to 24 hours
- return error on configurations mixing OIDCProviderMetadataURL and OIDCMetadataDir
- bump version number to 1.6.0rc3

10/1/2014
- support provider configuration from a metadata URL (OIDCProviderMetadataURL)
- bump version number to 1.6.0rc2

9/30/2014
- be less strict about issuer validation in metadata
- refactor metadata.c
- improve logging about userinfo endpoint

9/29/2014
- refactor cache so it is partitioned in to sections (i.e. avoid future key collisions)

9/25/2014
- add support for "x5c" JWK representation
- return JWKS on jwks_uri with content-type "application/json"

9/17/2014
- remove support for the X-Frame-Options as it is not needed in 302s
- create and use log macros that printout function name

9/16/2014
- support for passing runtime determined authentication request parameters in the discovery response
- include name/version in logs and bump to 1.6.0rc1
- don't use the X-Frame-Options by default

9/13/2014
- add support for the X-Frame-Options header as recommended by the spec

9/12/2014
- set expiry on state cookies; don't clear session cookie after cache miss or corruption
- fix JSON array memory leak in oauth.c

9/10/2014
- merge #34 (g10f), fix session management Javascript bug

9/3/2014
- improve error handling on hitting the redirect URI directly
- fix set_slot functions for algorithm/url used as default for dynamic registration
- rewording of auth_openidc.conf docs on JWK settings

9/1/2014
- add session management based on http://openid.net/specs/openid-connect-session-1_0.html (draft 21)

8/29/2014
- add configuration option to POST extra parameters to the token endpoint

8/26/2014
- correct cookie_path comparison
- release 1.5.5

8/20/2014
- correctly error out on flows where no id_token was provided ("token")

8/19/2014
- fix debug printout on open redirect prevention
- cleanup in-memory crypto context on shutdown
- use default of "/" for OIDCCookiePath to simplify quickstart/simple deployments
- disable OIDCMetadataDir in sample/default config file
- clear session cookie after cache miss or corruption

8/18/2014
- add HttpOnly flag to cookies by default; can be disabled by config

8/14/2014
- support for passing the id_token in multiple formats (claims|payload|serialized)
- release 1.5.4

8/13/2014
- pass the access_token in OIDC_access_token header to the application

8/9/2014
- merge #21 (Latinovic) to close #18 (big endian JWE issue)
- merge #20 (wadahiro), support for "none" JWT signing algorithm

8/1/2014
- fix cache initialization/destroy leak
- release 1.5.3

7/26/2014
- refactor http code; cleanup JSON encoding in client registration
- refactor padding handling in base64url encoding/decoding

7/20/2014
- check for open redirect on passed target_link_uri
- prevent JWE timing attacks on CEK; add JWE test
- include client_id and scope values in resolved access_token

7/1/2014
- pass JSON objects in app HTTP headers as plain JSON
- correct printout in id_token hash comparisons
- add more tests
- release 1.5.2

6/12/2014
- support third-party-initiated login as defined in the spec
- release 1.5.1
- fix PF OAuth 2.0 RS functionality after upgrading to jansson

6/6/2014
- more changes for Debian packaging (1.5-3)

6/5/2014
- do not set Secure cookies for plain HTTP
- add warning/errors when configured hosts/domains do not match
- release 1.5
- changes for Debian packaging

6/4/2014
- fix passing integer claims on non-Mac OS X systems
- fix claims-based authorization with integer values (@martinsrom)
- fix getting the id_token from request state and error logging
- add AUTHORS file with credits
- migrate README to Markdown README.md

6/3/2014
- change JSON parser from https://github.com/moriyoshi/apr-json to http://www.digip.org/jansson/

6/2/2014
- handle X-Forwarded-Proto/X-Forwarded-Port when running behind a proxy/load-balancer
- release version 1.4

6/1/2014
- compile with OpenSSL <1.0 and but then disable Elliptic Curve verification
- fix jwks_uri setting in nested vhosts
- use OpenSSL_add_all_digests in initialization and EVP_cleanup on shutdown

5/31/2014
- README additions/improvements

5/29/2014
- correct big endian detection
- allow for key identification in JWKs based on thumbprint (x5t)

5/24/2014
- add cache destroy function and destroy shm cache resources on shutdown

5/23/2014
- doc corrections to auth_openidc.conf

5/22/2014
- add implementation of OP-initiated-SSO based on:
  http://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-01
- fix nonce caching for replay prevention

5/21/2014
- correct README on enabling Google+ APIs before applying the sample Google configs
- fix AuthNHeader setting and allow server-wide config too
- avoid segfault on corrupted/non- JSON/JWT input

5/20/2014
- fix URL assembly when running on non-standard port
- release 1.3

5/17/2014
- support outgoing proxy using OIDCOutgoingProxy
- correct sample configs in documentation for missing OIDCCookiePath
- support OIDCCookiePath in server-wide config as well

5/13/2014
- support configurable (custom) query parameters in the authorization request

5/12/2014
- support encrypted JWTs using A128KW and A256KW for the Content Encryption Key
- support A256CBC-HS512 encrypted JWTs
- support custom client JWKs URI

5/8/2014
- support encrypted JWTs using RSA1_5 and A128CBC-HS256

5/2/2014
- do not use ap_get_remote_host for browser fingerprinting

5/1/2014
- split out custom client config into separate <issuer>.conf file
- allow to override client_contact, client_name and registration_token in .conf file
- remove OIDCRegistrationToken command for the static OP config

4/29/2014
- support JWT verification of ES256, ES384 and ES512 algorithms

4/28/2014
- support configurable response_mode (fragment, query or form_post)
- use nonce in all flows except for OP Google and flows "code" or "code token"

4/26/2014
- make client secret optional (support self-issued OP)

4/25/2014
- support Hybrid flows

4/24/2014
- fix using Bearer token Authorization header on JSON POST calls
- support using a Bearer token on client registration calls

4/22/2014
- match request and response type 
- check at_hash value on "token id_token" implicit flow
- use shared memory caching by default
- release 1.2

4/19/2014
- store response_type in state and make state a JSON object

4/18/2014
- support RSASSA-PSS token signing algorithms (PS256,PS384,PS512)

4/17/2014
- improve session inactivity timeout handling

4/16/2014
- set REMOTE_USER and HTTP headers on OAuth 2.0 protected paths

4/15/2014
- add session inactivity timeout
- register all supported response_types during client registration and try
  to pick the one that matches the configured default
- use long timeouts on JWK retrieval calls
- allow for non-null but empty query parameters on implicit authorization response
- simplify azp/aud and nonce handling
- change session_type naming (to "server-cache"/"client-cookie")

4/14/2014
- factor out JOSE related code

4/3/2014
- add configurable claim name for the REMOTE_USER variable, optionally postfixed with the  url-encoded
  issuer value; the default for the remote username is "sub@" now, makeing it unique across OPs
- some refactoring of id_token validation functions
- add INSTALL, move auth_openidc.conf to main directory
- release 1.1

3/28/2014
- fix Require claim name mismatch for Apache 2.4
- fix hmac method/printout naming artifacts from earlier
auto-search-and-replace
- release v1.0.1

3/27/2014
- initial import named mod_auth_openidc
- updated README
- fix debian/changelog