Skip to content

Releases: zmartzone/lua-resty-openidc

release 1.8.0

13 Sep 15:40
Compare
Choose a tag to compare

Features

Security

  • fix cross-tenant requests; see #526

Bugfixes

  • don't return a zero-pixel image in logout for Firefox 128 and later; see #521
  • when looking for a bearer token an exception occured if the Authorization header didn't contain any space character; see #473

release 1.7.6

30 Jan 18:14
Compare
Choose a tag to compare

Features

  • a new option local_redirect_path can be used in situations where the redirect_uri as is visible to lua-resty-openidc is not simply the path segment of the configured redirect_uri but something more complex. This is needed for example if a reverse proxy in front of your server adds a prefix or rewrites URIs in a more complex way; see #453
  • improved error message when expecting a Bearer token header and the header doesn't contain a space character; see #421
  • added support for OAuth 2.0 Form Post Response Mode.

Bugfixes

  • when parsing JWKs with an x5c claim the claim was wronly assumed to be base64url encoded instead of base64 encoded; see #460

release 1.7.5

21 Dec 15:24
Compare
Choose a tag to compare

Features

  • added id_token and the token endpoint response as additional arguments to the on_authenticated lifecycle hook; see #413
  • added opts.discovery_expires_in in order to make cache expiry of OpenID Connect Discovery responses configurable.
  • added public functions that allow tokens to be revoked without destroying the current session; see #402; thanks to @thorstenfleischmann
  • authenticate's last parameter can now be an existing session rather than options for starting a new one: see #405; thanks to @thorstenfleischmann
  • added opts.cache_segment as option to shard the cache used by token introspection or JWT verification; see #399
  • made jwt_verify() and bearer_jwt_verify() use a separate cache named "jwt_verification" and introduced opts.jwt_verification_cache_ignore to disable caching completely; see #399

Bugfixes

  • when the x5c claim of a JWK is an empty array it will be ignored rather than cause an error; see #406
  • if lifecyle handlers return truthy values they cause the operation they are handlers of to fail; see #384; thanks to @arcivanov
  • fixed a session leak in access_token() and for a very unlikely code-path in authenticate(); authenticate will still normally not close the session as users may want to use it after the method returns; see https://github.com/zmartzone/lua-resty-openidc#sessions-and-locking; see #374

release 1.7.4

17 Nov 16:45
Compare
Choose a tag to compare

release 1.7.3

10 Sep 15:26
Compare
Choose a tag to compare

Features

  • added optional support for RFC 7636 "Proof Key for Code Exchange" aka. PKCE; see #320
  • ability to disable keepalive from lua-resty-http; by disabling keepalive we disable the native connection pool, avoiding errors when dealing with invalid connections; this is specially useful when proxying AJAX requests; see #307; thanks @Dudssource

Bugfixes

  • when unauth_action is pass and a token refresh fails the session will get marked as no longer authenticated and a proper error is returned; see #286; thanks @cretzel
  • no longer echo the URI parameters back on default error page when OIDC provider returns an error in call to redirect_uri; see #306; thanks @barrelmaker97
  • ensure discovery has been attempted when calling userinfo endpoint

Other

  • allow OPM installation with newer lua-resty-http versions; see #279; thanks @GUI
  • fix failed installing dependency lua-resty-jwt;see #327; thanks @kg0r0

release 1.7.2

16 Jul 17:23
Compare
Choose a tag to compare

Features

  • added unauth_action=deny to reject unauthenticated requests rather than start the authorization code grant flow; see #271; based on suggested change by @nmaniwa
  • read introspection_endpoint from discovery document when present; see #255
  • allow to tap into authentication workflow by providing an option to specify lifecycle hooks via opts.lifecycle
    • added another lifecycle hook that is called when the session is regenerated after a token refresh

Bugfixes

  • improved error handling when starting session; see #264; thanks @vershnik
  • fixed accidental use of global variable err in revoke_tokens_on_logout; see #253, #254; thanks @arcivanov
  • made the checks for certain HTTP headers handle the case where multiple headers exist; thanks @ci42
  • don't overwrite opts.discovery when an error occurs calling the discovery endpoint; see #250

Other

  • performance enhancement by caching the result of ngx.req.get_headers during the authenticate call.
  • fixed a few additional cases of using global symbols detected by lualint

release 1.7.1

18 Feb 06:00
Compare
Choose a tag to compare

Note that opts.secret and opts.redirect_uri_path are now deprecated and will be removed in a next release; a warning is issued in the log now.

Bugfixes

  • don't select one of the jwt token auth methods if the required key material is not present; see #238
  • fixed a bad error return value in certain setups of bearer_jwt_verify; see #234; thanks @JoshTheGoldfish
  • make sure opts.discovery is resolved when iss is returned as part of the authorization response; see #224 ; thanks @mijohansen

Features

  • added support for the client_secret_jwt authentication method; see #229
  • added support for the private_key_jwt authentication method; see #217; thanks @pamiel

Other

  • remove strict iss check in Discovery metadata document; see #219 (may help Azure AD setups)

release 1.7.0

19 Oct 12:46
Compare
Choose a tag to compare

Note that opts.secret and opts.redirect_uri_path are now deprecated and will be removed in a next release; a warning is issued in the log now.

Bugfixes

Features

  • added redirect_uri option that specifies a relative or absolute redirect URI; redirect_uri_path is now deprecated
  • add token revocation support on logout with opts.revoke_tokens_on_logout; thanks @oleeander
  • bypass introspection cache on demand with opts.introspection_cache_ignore; thanks @dmitriyblok
  • add opts.use_nonce option to avoid sending a nonce parameter to broken OpenID Connect providers; see #193; thanks @thewilli
  • added opts.http_request_decorator option that can be used to augment the HTTP requests when accessing discovery, token or jwks endpoints; thanks @bodewig
  • add support for a public client (i.e. without a client secret) to support Windows Integrated Authentication (WIA) with Active Directory Federation Services (AD FS) on Windows Server 2016 (or newer)

Other

  • extract log function and log level constant to the module level to allow customization
  • make call_userinfo_endpoint a public function; see #207; thanks @thomasleplus
  • make call_token_endpoint a public function

release 1.6.1

05 Jul 07:48
Compare
Choose a tag to compare

Bugfixes

  • fix signature verification for RSA keys of a length different from 2048 bit when the JWK used a specific format; see #170

Features

  • add customized expiration time option jwk_expires_in for Discovery documents and JWKs cache; thanks @dhlin
  • added post_logout_redirect_uri parameter that can be used to set the target after logging out of the OpenID Connect Provider ; see #168; thanks @thomasleplus

release 1.6.0

07 Jun 09:54
Compare
Choose a tag to compare
  • refer to updated lua-resty-jwt that supports OpenSSL 1.1.x ; see: #162; thanks @cdbattags
  • when refreshing tokens the id_token is now refreshed as well (if included inside the token response); see #158; thanks @grrolland
  • add Cache-Control: no-cache header to authorization requests to avoid replays of state/nonce; see zmartzone/mod_auth_openidc#321