Release 1.7.6

Features

• a new option local_redirect_path can be used in situations where the redirect_uri as is visible to lua-resty-openidc is not simply the path segment of the configured redirect_uri but something more complex. This is needed for example if a reverse proxy in front of your server adds a prefix or rewrites URIs in a more complex way; see #453
• improved error message when expecting a Bearer token header and the header doesn't contain a space character; see #421
• added support for OAuth 2.0 Form Post Response Mode.

Bugfixes

• when parsing JWKs with an x5c claim the claim was wronly assumed to be base64url encoded instead of base64 encoded; see #460

release 1.7.5

Features

• added id_token and the token endpoint response as additional arguments to the on_authenticated lifecycle hook; see #413
• added opts.discovery_expires_in in order to make cache expiry of OpenID Connect Discovery responses configurable.
• added public functions that allow tokens to be revoked without destroying the current session; see #402; thanks to @thorstenfleischmann
• authenticate's last parameter can now be an existing session rather than options for starting a new one: see #405; thanks to @thorstenfleischmann
• added opts.cache_segment as option to shard the cache used by token introspection or JWT verification; see #399
• made jwt_verify() and bearer_jwt_verify() use a separate cache named "jwt_verification" and introduced opts.jwt_verification_cache_ignore to disable caching completely; see #399

Bugfixes

• when the x5c claim of a JWK is an empty array it will be ignored rather than cause an error; see #406
• if lifecyle handlers return truthy values they cause the operation they are handlers of to fail; see #384; thanks to @arcivanov
• fixed a session leak in access_token() and for a very unlikely code-path in authenticate(); authenticate will still normally not close the session as users may want to use it after the method returns; see https://github.com/zmartzone/lua-resty-openidc#sessions-and-locking; see #374

release 1.7.4

• changed dependency on lua-resty-jwt to allow newer versions in luarocks packaging; see #363, #366, #362; thanks to @Darguelles and @kayano

release 1.7.3

Features

• added optional support for RFC 7636 "Proof Key for Code Exchange" aka. PKCE; see #320
• ability to disable keepalive from lua-resty-http; by disabling keepalive we disable the native connection pool, avoiding errors when dealing with invalid connections; this is specially useful when proxying AJAX requests; see #307; thanks @Dudssource

Bugfixes

• when unauth_action is pass and a token refresh fails the session will get marked as no longer authenticated and a proper error is returned; see #286; thanks @cretzel
• no longer echo the URI parameters back on default error page when OIDC provider returns an error in call to redirect_uri; see #306; thanks @barrelmaker97
• ensure discovery has been attempted when calling userinfo endpoint

Other

• allow OPM installation with newer lua-resty-http versions; see #279; thanks @GUI
• fix failed installing dependency lua-resty-jwt;see #327; thanks @kg0r0

release 1.7.2

Features

• added unauth_action=deny to reject unauthenticated requests rather than start the authorization code grant flow; see #271; based on suggested change by @nmaniwa
• read introspection_endpoint from discovery document when present; see #255
• allow to tap into authentication workflow by providing an option to specify lifecycle hooks via opts.lifecycle
  • added another lifecycle hook that is called when the session is regenerated after a token refresh

Bugfixes

• improved error handling when starting session; see #264; thanks @vershnik
• fixed accidental use of global variable err in revoke_tokens_on_logout; see #253, #254; thanks @arcivanov
• made the checks for certain HTTP headers handle the case where multiple headers exist; thanks @ci42
• don't overwrite opts.discovery when an error occurs calling the discovery endpoint; see #250

Other

• performance enhancement by caching the result of ngx.req.get_headers during the authenticate call.
• fixed a few additional cases of using global symbols detected by lualint

release 1.7.1

Note that opts.secret and opts.redirect_uri_path are now deprecated and will be removed in a next release; a warning is issued in the log now.

Bugfixes

• don't select one of the jwt token auth methods if the required key material is not present; see #238
• fixed a bad error return value in certain setups of bearer_jwt_verify; see #234; thanks @JoshTheGoldfish
• make sure opts.discovery is resolved when iss is returned as part of the authorization response; see #224 ; thanks @mijohansen

Features

• added support for the client_secret_jwt authentication method; see #229
• added support for the private_key_jwt authentication method; see #217; thanks @pamiel

Other

• remove strict iss check in Discovery metadata document; see #219 (may help Azure AD setups)

release 1.7.0

Note that opts.secret and opts.redirect_uri_path are now deprecated and will be removed in a next release; a warning is issued in the log now.

Bugfixes

• deprecate opts.secret in favor of opts.public_key and opts.symmetric_key; see #196; thanks @dholth
• url-encode client_id/client_secret following https://tools.ietf.org/html/rfc6749#section-2.3.1; closes #204; thanks @grrolland
• use session.start instead of session.open to allow better control over session lifetime using lua-resty-session primitives; see #174; thanks @thomasleplus
• soften the impact of token refresh race condition by creating a new session when tokens are refreshed; see #190; thanks @luisviman

Features

• added redirect_uri option that specifies a relative or absolute redirect URI; redirect_uri_path is now deprecated
• add token revocation support on logout with opts.revoke_tokens_on_logout; thanks @oleeander
• bypass introspection cache on demand with opts.introspection_cache_ignore; thanks @dmitriyblok
• add opts.use_nonce option to avoid sending a nonce parameter to broken OpenID Connect providers; see #193; thanks @thewilli
• added opts.http_request_decorator option that can be used to augment the HTTP requests when accessing discovery, token or jwks endpoints; thanks @bodewig
• add support for a public client (i.e. without a client secret) to support Windows Integrated Authentication (WIA) with Active Directory Federation Services (AD FS) on Windows Server 2016 (or newer)

Other

• extract log function and log level constant to the module level to allow customization
• make call_userinfo_endpoint a public function; see #207; thanks @thomasleplus
• make call_token_endpoint a public function

release 1.6.1

Bugfixes

• fix signature verification for RSA keys of a length different from 2048 bit when the JWK used a specific format; see #170

Features

• add customized expiration time option jwk_expires_in for Discovery documents and JWKs cache; thanks @dhlin
• added post_logout_redirect_uri parameter that can be used to set the target after logging out of the OpenID Connect Provider ; see #168; thanks @thomasleplus

release 1.6.0

• refer to updated lua-resty-jwt that supports OpenSSL 1.1.x ; see: #162; thanks @cdbattags
• when refreshing tokens the id_token is now refreshed as well (if included inside the token response); see #158; thanks @grrolland
• add Cache-Control: no-cache header to authorization requests to avoid replays of state/nonce; see OpenIDC/mod_auth_openidc#321

release 1.5.4

Bugfixes

• bugfix rare case where OP public key is starting with 0x80 byte, and thus resulting in systematic token signature verification error with message "too long"

Features

• added support for passing bearer token as cookie with opts. auth_accept_token_as
• added support introspection interval with opts.introspection_interval
• added support for passing request cookies on introspection call with opts.pass_cookies
• added passing introspection endpoint authorization method into openidc_call_token_endpoint call
• tighten JWT verification
  • disabled support for "none" alg tokens introduced with 1.5.2 by default; If you want to enable it, you will now have to explicitly set the accept_none_alg option to true
  • id tokens using a signature algorithm not announced by the discovery endpoint are now rejected.
  • you can now specify which signing algorithm you expect a bearer token to use in order to avoid being tricked into accepting a rogue token signed with a symmetric key when expecting an asymmetric cypher.
  • added an option to reject tokens signed by an algorithm not supported by lua-resty-jwt

Other

• added functions to manually request the invalidation of the caches; see #142
• added more logging that may help debugging configuration; see #140; thanks @pamiel