Releases: zmartzone/lua-resty-openidc
Releases · zmartzone/lua-resty-openidc
release 1.8.0
release 1.7.6
Features
- a new option local_redirect_path can be used in situations where the redirect_uri as is visible to lua-resty-openidc is not simply the path segment of the configured redirect_uri but something more complex. This is needed for example if a reverse proxy in front of your server adds a prefix or rewrites URIs in a more complex way; see #453
- improved error message when expecting a Bearer token header and the header doesn't contain a space character; see #421
- added support for OAuth 2.0 Form Post Response Mode.
Bugfixes
- when parsing JWKs with an x5c claim the claim was wronly assumed to be base64url encoded instead of base64 encoded; see #460
release 1.7.5
Features
- added id_token and the token endpoint response as additional arguments to the on_authenticated lifecycle hook; see #413
- added opts.discovery_expires_in in order to make cache expiry of OpenID Connect Discovery responses configurable.
- added public functions that allow tokens to be revoked without destroying the current session; see #402; thanks to @thorstenfleischmann
authenticate
's last parameter can now be an existing session rather than options for starting a new one: see #405; thanks to @thorstenfleischmann- added opts.cache_segment as option to shard the cache used by token introspection or JWT verification; see #399
- made jwt_verify() and bearer_jwt_verify() use a separate cache named "jwt_verification" and introduced opts.jwt_verification_cache_ignore to disable caching completely; see #399
Bugfixes
- when the x5c claim of a JWK is an empty array it will be ignored rather than cause an error; see #406
- if lifecyle handlers return truthy values they cause the operation they are handlers of to fail; see #384; thanks to @arcivanov
- fixed a session leak in access_token() and for a very unlikely code-path in authenticate(); authenticate will still normally not close the session as users may want to use it after the method returns; see https://github.com/zmartzone/lua-resty-openidc#sessions-and-locking; see #374
release 1.7.4
- changed dependency on
lua-resty-jwt
to allow newer versions in luarocks packaging; see #363, #366, #362; thanks to @Darguelles and @kayano
release 1.7.3
Features
- added optional support for RFC 7636 "Proof Key for Code Exchange" aka. PKCE; see #320
- ability to disable keepalive from
lua-resty-http
; by disabling keepalive we disable the native connection pool, avoiding errors when dealing with invalid connections; this is specially useful when proxying AJAX requests; see #307; thanks @Dudssource
Bugfixes
- when
unauth_action
ispass
and a token refresh fails the session will get marked as no longer authenticated and a proper error is returned; see #286; thanks @cretzel - no longer echo the URI parameters back on default error page when OIDC provider returns an error in call to
redirect_uri
; see #306; thanks @barrelmaker97 - ensure discovery has been attempted when calling userinfo endpoint
Other
release 1.7.2
Features
- added
unauth_action=deny
to reject unauthenticated requests rather than start the authorization code grant flow; see #271; based on suggested change by @nmaniwa - read introspection_endpoint from discovery document when present; see #255
- allow to tap into authentication workflow by providing an option to specify lifecycle hooks via
opts.lifecycle
- added another lifecycle hook that is called when the session is regenerated after a token refresh
Bugfixes
- improved error handling when starting session; see #264; thanks @vershnik
- fixed accidental use of global variable
err
inrevoke_tokens_on_logout
; see #253, #254; thanks @arcivanov - made the checks for certain HTTP headers handle the case where multiple headers exist; thanks @ci42
- don't overwrite opts.discovery when an error occurs calling the discovery endpoint; see #250
Other
- performance enhancement by caching the result of
ngx.req.get_headers
during the authenticate call. - fixed a few additional cases of using global symbols detected by lualint
release 1.7.1
Note that opts.secret
and opts.redirect_uri_path
are now deprecated and will be removed in a next release; a warning is issued in the log now.
Bugfixes
- don't select one of the jwt token auth methods if the required key material is not present; see #238
- fixed a bad error return value in certain setups of
bearer_jwt_verify
; see #234; thanks @JoshTheGoldfish - make sure opts.discovery is resolved when
iss
is returned as part of the authorization response; see #224 ; thanks @mijohansen
Features
- added support for the
client_secret_jwt
authentication method; see #229 - added support for the
private_key_jwt
authentication method; see #217; thanks @pamiel
Other
- remove strict
iss
check in Discovery metadata document; see #219 (may help Azure AD setups)
release 1.7.0
Note that opts.secret
and opts.redirect_uri_path
are now deprecated and will be removed in a next release; a warning is issued in the log now.
Bugfixes
- deprecate
opts.secret
in favor ofopts.public_key
andopts.symmetric_key
; see #196; thanks @dholth - url-encode
client_id
/client_secret
following https://tools.ietf.org/html/rfc6749#section-2.3.1; closes #204; thanks @grrolland - use
session.start
instead ofsession.open
to allow better control over session lifetime usinglua-resty-session
primitives; see #174; thanks @thomasleplus - soften the impact of token refresh race condition by creating a new session when tokens are refreshed; see #190; thanks @luisviman
Features
- added
redirect_uri
option that specifies a relative or absolute redirect URI;redirect_uri_path
is now deprecated - add token revocation support on logout with
opts.revoke_tokens_on_logout
; thanks @oleeander - bypass introspection cache on demand with
opts.introspection_cache_ignore
; thanks @dmitriyblok - add
opts.use_nonce
option to avoid sending a nonce parameter to broken OpenID Connect providers; see #193; thanks @thewilli - added
opts.http_request_decorator
option that can be used to augment the HTTP requests when accessingdiscovery
,token
orjwks
endpoints; thanks @bodewig - add support for a public client (i.e. without a client secret) to support Windows Integrated Authentication (WIA) with Active Directory Federation Services (AD FS) on Windows Server 2016 (or newer)
Other
- extract log function and log level constant to the module level to allow customization
- make
call_userinfo_endpoint
a public function; see #207; thanks @thomasleplus - make
call_token_endpoint
a public function
release 1.6.1
Bugfixes
- fix signature verification for RSA keys of a length different from 2048 bit when the JWK used a specific format; see #170
Features
- add customized expiration time option
jwk_expires_in
for Discovery documents and JWKs cache; thanks @dhlin - added
post_logout_redirect_uri
parameter that can be used to set the target after logging out of the OpenID Connect Provider ; see #168; thanks @thomasleplus
release 1.6.0
- refer to updated
lua-resty-jwt
that supports OpenSSL 1.1.x ; see: #162; thanks @cdbattags - when refreshing tokens the
id_token
is now refreshed as well (if included inside the token response); see #158; thanks @grrolland - add
Cache-Control: no-cache
header to authorization requests to avoid replays of state/nonce; see zmartzone/mod_auth_openidc#321