ChangeLog
06/04/2026
- cache: honour the configured shm "max_key_size" when checking the key
length; it was first rounded up to a multiple of 64 (minimum 64), so a
smaller configured limit was never enforced - the rounded size now only
dimensions the storage slot
- test: replace the suite-wide forked HTTP server (fixed port 8888 with
path-routed callbacks serving fixtures) with a per-test loopback fixture
(test/http_server.c) that scripts the response sequence for each outbound
request and captures the requests for assertions, on a kernel-assigned or
caller-chosen port via POSIX sockets and a pthread (no APR dependency)
- test: add unit tests raising line coverage of cfg.c, proto_cfg.c, dpop.c,
ipc.c and the cache backends, exercising option parsing, config clone/merge,
the IPC semaphore/mutex/shm NULL-guard and try-wait paths, the DPoP proof
validation branches and the cache encryption/eviction/child-init paths
- test: split the cache suite into per-backend suites (cache, cache_file,
cache_memcache, cache_redis) and add a "make check-parallel" target that runs
the suites concurrently (one process per suite); this overlaps the backends'
real-time TTL-expiry waits. Also trim the per-site expiry waits (ttl/timeout
2 + sleep 3 -> 1 + sleep 2, keeping a 1s margin against the 1s clock
granularity), taking the suite from ~29s to ~21s serial and ~5s in parallel
- bump to 2.3.1dev
06/03/2026
- oauth2: re-validate the token "exp" on a verification-cache hit; the result
cache TTL is independent of the token's own expiry, so a cached entry could
previously be returned as valid after the token had already expired. On a hit
with a passed "exp" the entry is dropped and the token re-verified under the
configured policy (CWE-613)
- openidc: store the authentication-request nonce in the (encrypted) state and
validate that the returned id_token's "nonce" claim matches it, per OpenID
Connect Core 1.0 section 3.1.3.7 step 11; previously the nonce was sent but
never checked, allowing id_token replay (CWE-294)
- openidc: bind a received id_token to the provider and the client by requiring
its "iss" to equal the provider issuer and its "aud" to contain the configured
client_id, per OpenID Connect Core 1.0 section 3.1.3.7; previously neither was
checked, so an id_token minted for another client (or by another provider
whose key happened to verify) was accepted (CWE-287)
- jose: add audience ("aud") validation (oauth2_jose_jwt_validate_aud), wired
into JWT payload validation and enforced whenever an expected audience is set
on the verify context; accepts both a single-string and an array "aud" claim
per RFC 7519 section 4.1.3 (CWE-287)
- test: use >= 256-bit symmetric keys in the HS256 sign/verify test vectors, as
enforced by cjose 0.6.2.6 (RFC 7518 section 3.2); recompute the affected HMAC
signatures and skip "exp" validation for the exp-less example tokens
- jose: require the "exp" claim by default when verifying JWTs via a shared key
or a JWKS URI, so a correctly signed token without "exp" is no longer accepted
as non-expiring; set verify.exp=optional to restore the previous behaviour.
EC-key and AWS ALB token types keep "exp" optional because they carry it in
the JOSE header. Also add "nbf" (not-before) validation, configurable through
verify.nbf (CWE-613)
- nginx: clamp the snprintf() return value before using it as the length of a
fixed stack buffer when formatting configuration error messages; a long
invalid variable name or expression could otherwise drive a memcpy()
past the end of the 128-byte buffer (CWE-125)
- http: fix NULL-pointer dereference in the sanitized header set/add helper; the
guard used && instead of || so a NULL request dereferenced request->header
(CWE-476)
- ipc: fix NULL-pointer dereference in oauth2_ipc_mutex_free(); the guard used
&& instead of || so passing a NULL mutex dereferenced it (CWE-476)
- cfg: honour "envvars" target-pass setting; the getter tested the unrelated
as_headers field, so an explicit envvars=off was ignored and claims plus the
access_token were still exported into the subprocess environment (CWE-200)
- http: fix an invalid free / heap corruption when parsing X-Forwarded-Proto,
X-Forwarded-Port or X-Forwarded-Host header values that start with a
separator; the left-most-value helper returned an interior strtok() pointer
that callers subsequently freed (CWE-763); also fixes a leak of the
duplicated header value
- cache: fix a NULL-pointer dereference when a non-default cache
passphrase_hash_algo is configured; a self-assignment left the local
variable NULL so strcmp(NULL, "none") crashed every encrypted cache get/set
- cache: pass cache keys/values to Redis via redisCommandArgv() instead of
building a command string that was passed as the redisCommand() printf-style
format argument; prevents format-string exploitation and Redis
command/argument injection through cache keys and values (CWE-134, CWE-74)
- jose: fix a memory leak of the decoded EVP_PKEY in the single-EC-key URL
resolver (e.g. AWS ALB) on OpenSSL 3.x; found via Valgrind
- cache: zero-initialize the file-cache info header before writing it so the
struct's alignment padding is no longer flushed to disk as uninitialised
stack memory (reported by Valgrind as a write of uninitialised byte(s))
- release 2.3.0
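The snprintf() entry above (CWE-125) hinges on one property of snprintf(): its return value is the length the message would have had, not the number of bytes stored, so using it unchecked as a memcpy() length walks off the end of a fixed buffer. The following is an added illustration written for this page, not liboauth2's own nginx code; the 128-byte buffer size is taken from the entry, while the message prefix, the function names and the "A"-filled variable names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed stack buffer for formatted configuration error messages; the 128-byte
 * size comes from the changelog entry, the prefix text is an assumption. */
#define CFG_ERRBUF_SIZE 128
#define CFG_ERR_PREFIX "invalid configuration variable \""

/* The defect being illustrated (deliberately not compiled here because it is
 * undefined behaviour):
 *
 *     int n = snprintf(buf, sizeof(buf), CFG_ERR_PREFIX "%s\"", var_name);
 *     memcpy(out, buf, n);   // n can exceed sizeof(buf) for a long var_name
 *
 * snprintf() reports the full would-be length, so a long name drives the
 * memcpy() past the end of buf (CWE-125). */

/* Hardened form: clamp the snprintf() result to the bytes actually stored
 * before using it as a length. Returns the number of message bytes written to
 * out (always < out_size); long messages are truncated, never overrun. */
size_t format_cfg_error(char *out, size_t out_size, const char *var_name)
{
	char buf[CFG_ERRBUF_SIZE];
	int n;
	size_t len;

	if (out == NULL || out_size == 0)
		return 0;

	n = snprintf(buf, sizeof(buf), CFG_ERR_PREFIX "%s\"", var_name);
	if (n < 0) {                /* encoding error: emit an empty string */
		out[0] = '\0';
		return 0;
	}
	len = (size_t)n;
	if (len > sizeof(buf) - 1)  /* truncated: only this many bytes exist */
		len = sizeof(buf) - 1;
	if (len > out_size - 1)     /* also respect the caller's destination */
		len = out_size - 1;
	memcpy(out, buf, len);
	out[len] = '\0';
	return len;
}

/* Check helper: formats an error for a (constructed) variable name made of
 * name_len 'A' characters and returns the resulting message length, or
 * (size_t)-1 if the output was not NUL-terminated where it should be. */
size_t cfg_error_len_for_name_len(size_t name_len)
{
	char out[CFG_ERRBUF_SIZE];
	char *name = malloc(name_len + 1);
	size_t len;

	if (name == NULL)
		return (size_t)-1;
	memset(name, 'A', name_len);
	name[name_len] = '\0';
	len = format_cfg_error(out, sizeof(out), name);
	free(name);
	return strlen(out) == len ? len : (size_t)-1;
}

int main(void)
{
	char out[CFG_ERRBUF_SIZE];
	size_t len = format_cfg_error(out, sizeof(out), "foo");
	printf("%zu bytes: %s\n", len, out);
	printf("300-character name -> %zu bytes (clamped)\n",
	       cfg_error_len_for_name_len(300));
	return 0;
}
```

The prefix plus closing quote is 33 bytes, so a 94-character name exactly fills the buffer (127 bytes plus NUL) and anything longer is clamped to 127 rather than handed to memcpy() as-is.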
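The oauth2 entry above (CWE-613) describes a verification-result cache whose TTL is chosen independently of the token's own "exp", so a hit could vouch for a token that had already expired. The in-memory model below is an added example for this page, not liboauth2's cache API: the slot table, the vcache_* names, the fixed timestamp and the token key string are all constructed. It keeps the old TTL-only lookup beside the fixed lookup that re-checks "exp" on a hit and drops the stale entry so the caller must re-verify.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed in-memory model of a token-verification result cache. */
#define VCACHE_SLOTS 8
#define VCACHE_KEYLEN 64

typedef struct {
	int used;
	char key[VCACHE_KEYLEN];
	time_t token_exp;    /* the token's own "exp" claim (0 = no exp claim) */
	time_t cache_expiry; /* when the cache entry's own TTL runs out */
} vcache_entry_t;

static vcache_entry_t vcache[VCACHE_SLOTS];

void vcache_reset(void) { memset(vcache, 0, sizeof(vcache)); }

static vcache_entry_t *vcache_find(const char *key)
{
	for (int i = 0; i < VCACHE_SLOTS; i++)
		if (vcache[i].used && strcmp(vcache[i].key, key) == 0)
			return &vcache[i];
	return NULL;
}

/* Store a positive verification result; the cache TTL is independent of the
 * token's expiry, exactly the situation the changelog entry describes. */
int vcache_put(const char *key, time_t token_exp, time_t now, time_t ttl)
{
	vcache_entry_t *e = vcache_find(key);
	for (int i = 0; e == NULL && i < VCACHE_SLOTS; i++)
		if (!vcache[i].used)
			e = &vcache[i];
	if (e == NULL)
		return 0;                 /* cache full */
	e->used = 1;
	snprintf(e->key, sizeof(e->key), "%s", key);
	e->token_exp = token_exp;
	e->cache_expiry = now + ttl;
	return 1;
}

/* Previous behaviour: a hit is trusted for as long as the cache TTL lasts,
 * even after the token itself has expired (CWE-613). */
int vcache_lookup_ttl_only(const char *key, time_t now)
{
	vcache_entry_t *e = vcache_find(key);
	return (e != NULL && now < e->cache_expiry) ? 1 : 0;
}

/* Fixed behaviour: on a hit, re-check the token's own "exp"; a passed "exp"
 * evicts the entry and reports a miss, forcing re-verification under policy. */
int vcache_lookup(const char *key, time_t now)
{
	vcache_entry_t *e = vcache_find(key);
	if (e == NULL || now >= e->cache_expiry)
		return 0;
	if (e->token_exp != 0 && now >= e->token_exp) {
		e->used = 0;              /* stale: drop it */
		return 0;
	}
	return 1;
}

/* Scenario: token "exp" is +10s, cache TTL is 300s, lookups at +5s and +60s.
 * Returns 1 when the old lookup still accepts at +60s while the fixed lookup
 * rejects and evicts the entry. */
int scenario_expired_token_on_cache_hit(void)
{
	const char *key = "sha256:constructed-token-hash";
	time_t t0 = 1700000000;       /* constructed fixed "now" */
	vcache_reset();
	vcache_put(key, t0 + 10, t0, 300);
	int before = vcache_lookup(key, t0 + 5);
	int old_after = vcache_lookup_ttl_only(key, t0 + 60);
	int new_after = vcache_lookup(key, t0 + 60);
	int evicted = (vcache_find(key) == NULL);
	return before == 1 && old_after == 1 && new_after == 0 && evicted;
}

/* Scenario: an entry recorded without an "exp" claim is still served for the
 * whole cache TTL by the fixed lookup (nothing to re-check). */
int scenario_no_exp_claim_stays_cached(void)
{
	const char *key = "sha256:constructed-token-without-exp";
	time_t t0 = 1700000000;
	vcache_reset();
	vcache_put(key, 0, t0, 300);
	return vcache_lookup(key, t0 + 299) == 1 && vcache_lookup(key, t0 + 300) == 0;
}

int main(void)
{
	printf("expired token rejected on hit: %d\n", scenario_expired_token_on_cache_hit());
	printf("exp-less entry honoured for TTL: %d\n", scenario_no_exp_claim_stays_cached());
	return 0;
}
```

Whether an exp-less token should be cached at all is a separate policy question; the jose entry above makes "exp" mandatory by default for shared-key and JWKS-URI verification, so in that configuration the second scenario only arises when verify.exp=optional is set.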
06/02/2026
- jose: URL-encode the JWT "kid" before constructing the AWS ALB JWKs URL to
prevent path traversal/injection (SSRF) into the outbound key request (CWE-918)
thanks Michał Majchrowicz and Marcin Wyczechowski, members of the AFINE Team
- jose: fix memory leak of the region string extracted from the ARN in the
AWS ALB JWKs resolver
- dpop: reject a DPoP proof whose jwk header contains private key material
per RFC 9449 section 4.3 step 7 (CWE-345)
thanks Michał Majchrowicz and Marcin Wyczechowski, members of the AFINE Team
- bump to 2.2.2dev
04/18/2026
- build: guard --coverage linker flag behind CODE_COVERAGE_ENABLED; thanks @kraj
04/02/2026
- release 2.2.1
03/25/2026
- proto: use strncasecmp on content type when obtaining a token from POST; closes #72; thanks @roubert
- code: correct strstr assignments to compile with glibc 2.43; closes #73; thanks @Saur2000
- link: add support for libtool version-info and bump to 1.0.0; closes #68; thanks @ararslan and @babelouest
02/03/2026
- code: assign strstr to char instead of const char to compile with glibc 2.43
see #70; thanks @babelouest
01/27/2026
- api: fix/complete returning HTTP status code from oauth2_token_verify (added in 2.2.0)
01/14/2026
- support adding custom parameters to the authentication request by adding the
`authn_request_params` option for the OpenID Connect Client
- bump to 2.2.1dev
01/06/2026
- release 2.2.0
12/21/2025
- http: add support for HTTP retries (default 1) and HTTP retry interval (300 ms default)
- api: return HTTP status code from oauth2_token_verify
08/28/2025
- add oauth2_ipc_thread_mutex_t and use it for Redis, cURL and global lists
to improve performance across multiple processes running on the same host
- bump to 2.2.0dev
08/08/2025
- release 2.1.1
07/31/2025
- fix URL decoding of HTTP request query parameters; see OpenIDC/ngx_openidc_module#24; thanks @drzraf
03/13/2025
- test: add a space after the status code in the HTTP responses; see curl/curl#16692; thanks @charles2910 and @bagder
- bump to 2.1.1dev
02/12/2025
- add updated AWS ALB JWKs retrieval supporting new "signer"/"region" logic and key rotation
closes: https://github.com/OpenIDC/mod_oauth2/issues/73
- release 2.1.0
01/02/2024
- update copyright year to 2025
09/13/2024
- add support for introspection.token_param_name; closes #57
09/11/2024
- add (optional) JQ support with caching in oauth2_jq_filter
- add "json_payload_claim" claim option to oauth2_cfg_target_pass_t
- make oauth2_jwt_create public in jose.h and add a json_payload parameter
- nginx: fix memory leak in _oauth2_nginx_ssl_cert_set
- bump to 2.1.0dev
08/22/2024
- change LICENSE to Apache 2.0
- release 2.0.0
08/02/2024
- correct error log upon mismatch in "iss" claim: id_token->JWT
06/24/2024
- allow using a local file through the file:// protocol for metadata or jwks; see #51; thanks @pladen
- bump to 1.6.4dev
06/24/2024
- release 1.6.3
06/20/2024
- nginx: add nginx_oauth2_set_require to be used with OAuth2Require etc.
see OpenIDC/ngx_oauth2_module#7; thanks @smanolache and @pladen
06/19/2024
- add NGINX macros/functions for setting claim variables in the request context
see OpenIDC/ngx_oauth2_module#7; thanks @smanolache and @pladen
- allow NGINX primitives in an if block within a location block in the http block
- bump to 1.6.3dev
06/05/2024
- release 1.6.2
05/31/2024
- refactor NGINX port extraction so it works with NGINX >= 1.27.0; closes #49; thanks @anpin
- add PCRE2_CFLAGS to cache/server object linking
03/11/2024
- release 1.6.1
03/08/2024
- add support for RFC 8705 OAuth 2.0 Mutual-TLS Certificate-Bound Access Tokens to the NGINX binding
03/04/2024
- add support for Redis 6 ACL username based authentication; see: OpenIDC/mod_oauth2#63
- bump to 1.6.1dev
12/06/2023
- add support for the OAuth 2.0 Client Credentials grant type
- use libcurl version macro that works on older platforms
- release 1.6.0
11/08/2023
- update DPoP support to RFC 9449
- release 1.5.2
08/31/2023
- print more cjose error details when errors occur verifying JWT access tokens
06/29/2023
- fix timing issue in check_openidc.c; closes #47
- bump to 1.5.2dev
04/19/2023
- add issuer validation for JWT access tokens when configured through OAuth2Verify metadata; closes #44; thanks @chris-crunchr
- release 1.5.1
04/14/2023
- add support for resolving provider metadata from a Discovery endpoint URL; see https://github.com/OpenIDC/ngx_openidc_module/issues/18
- bump to 1.5.1dev
03/22/2023
- add error logs about missing or invalid "active" boolean claim in introspection response
03/08/2023
- move repo to OpenIDC github organization
03/07/2023
- release 1.5.0
03/03/2023
- add support for regular expressions in Require statements; see https://github.com/zmartzone/mod_oauth2/discussions/39
- depend on libpcre2
- fix memory leak in _oauth2_jose_options_jwk_set_rsa_key when using OpenSSL 3.x
- bump to 1.5.0dev
03/01/2023
- add support for introspect.params; see https://github.com/zmartzone/mod_oauth2/discussions/44
- release 1.4.5.5
01/22/2023
- hack for el7/x86 where openssl 1.0.2 and openssl 1.1.1 are installed for Apache and NGINX 1.20.1 respectively
- bump to 1.4.5.5rc0
01/21/2023
- revert header_add/header_set change
- release 1.4.5.4
01/20/2023
- don't add WWW-Authenticate header(s) but (over)write a single one; see zmartzone/mod_oauth2#42
- release 1.4.5.3
12/14/2022
- fix NGINX https schema detection
- bump to 1.4.5.3dev
12/06/2022
- change Apache module init info log
- release 1.4.5.2
11/30/2022
- initialize check_oauth2 properly; call OPENSSL_init_crypto for OpenSSL >= 1.1.0
11/23/2022
- add JANSSON_LIBS to apache/nginx LIBADD; closes #40; thanks @pskopnik
- bump to 1.4.5.2dev
08/22/2022
- fix concurrency issue when using OAuth2Verify metadata; see #37; thanks @rtitle
- fix memory leak in cURL writeback function
- release 1.4.5.1
07/28/2022
- fix memory leak when using OAuth2Verify metadata
07/27/2022
- use main request for Apache request contexts
- set refresh to true when getting jwks_uri results from cache
- print warning when cjose_jws_verify fails
- avoid using cjose_jwk_retain because it is not thread safe
- release 1.4.5
06/24/2022
- add cjose, curl and ssl to liboauth2.pc.in
- add curl and cjose flags to liboauth2_cache_la_CFLAGS
04/16/2022
- fix file cache so we do not try to remove a file that was cleaned just before; see #33
- fix tests for client_secret_jwt and private_key_jwt so encoded JWT comparison works for cjose >= 0.6.2
- release 1.4.4.2
03/06/2022
- add support for OpenSSL 3.0; closes #31
- bump to 1.5.0dev
03/03/2022
- fix race condition and potential crash in curl usage in oauth2_url_decode
see zmartzone/mod_oauth2#27; thanks @rtitle
- release 1.4.4.1
12/23/2021
- allow deprecated declarations to build with OpenSSL 3.0; see #31
- release 1.4.4
12/22/2021
- hash the cache encryption key to a string instead of bytes
- Makefile.am improvements:
  - move OpenSSL libs to generic libraries so cache files compile with the right flags
  - use ${srcdir} to conform to distcheck
  - add Github Actions CI; remove Travis
10/12/2021
- make outgoing_proxy an endpoint property
- accommodate a NULL key in oauth2_cache_get and oauth2_cache_set
- release 1.4.3.2
10/11/2021
- add outgoing_proxy option to verify context
- correct remote_user debug printout
- release 1.4.3.1
06/21/2021
- print out the remote username claim when it is not found, for debugging purposes
06/10/2021
- use encrypted JWTs for storing encrypted cache contents and avoid using static AAD/IV
closes #26; thanks @niebardzo
- avoid memory leaks on JWT validation errors
- release 1.4.3
06/07/2021
- correct iat slack validation defaults, see https://github.com/zmartzone/mod_oauth2/discussions/20
thanks @DrakezulsMinimalism
- release 1.4.2.1
05/28/2021
- add Travis and LGTM
05/25/2021
- set memory alignment of shm cache structs to 64 bytes; see #21 and #24
- release 1.4.2
04/19/2021
- apache: use include directory from APXS; thanks @abbra
- pass missing argument to oauth2_error in _oauth2_dpop_jti_validate; thanks @abbra
02/02/2021
- avoid creating files for anonymous shared memory segments; see #18
- release 1.4.1
01/30/2021
- fix Apache cleanup routines; see zmartzone/liboauth2#18 and zmartzone/mod_oauth2#7
01/26/2021
- add support for RFC 8705 OAuth 2.0 Mutual-TLS Certificate-Bound Access Tokens
https://tools.ietf.org/html/rfc8705; thanks @vdzhuvinov
12/23/2020
- use per-process semaphore locking to prevent multi-process issue; see #18
- release 1.4.0.1
12/21/2020
- release 1.4.0
12/03/2020
- add oauth2_cfg_openidc_set_options for configurable state cookie handling
12/02/2020
- cleanup OIDC expired/superfluous state cookies; closes zmartzone/ngx_openidc_module#6
11/13/2020
- add support for PKCE
11/12/2020
- separate OpenID client configs and named providers
- fix parsing in oauth2_cfg_set_flag_slot
- add configurable state and session cookie paths
11/11/2020
- fix session cache handler cloning
- support configurable cookie path for session cookie
11/09/2020
- refactored caching; use named caches consistently
11/08/2020
- use endpoint more consistently
- harmonize naming of endpoint, endpoint auth and ropc
11/07/2020
- don't use automake config.h; closes #10; thanks @babelouest
10/07/2020
- add support for DPOP bound access tokens
- bump to 1.4.0-dev
02/27/2020
- lock access to cache globals
- log corrections and improvements
02/26/2020
- resolve some TODOs; valgrind
- bump to 1.3.0
02/25/2020
- change to named sessions
02/21/2020
- add serialized id_token to session
- externalize oauth2_jose_jwt_verify and allow verification context to be NULL
- bump to 1.2.5
02/13/2020
- add userinfo endpoint request and claims
- bump to 1.2.4
- change to named cache configurations
02/10/2020
- implement session expiry checks
- bump to 1.2.3
02/05/2020
- add missing ROPC config functions
- bump to 1.2.2
02/04/2020
- add generic endpoint config struct and ROPC client capability
- bump to 1.2.1 and bump copyright year
01/31/2020
- sane session cfg defaults
09/12/2019
- change http request header function naming
- more openidc handling
- bump to 1.2.0
09/02/2019
- fix type (auth->client_secret_jwt.aud = NULL); closes #3; thanks @pengjiaoyang
08/19/2019
- add first outline of openidc and sessions
07/03/2019
- return status code from HTTP callouts
- bump to version 1.1.1
07/01/2019
- encapsulate oauth2_log_sink_t
- bump to version 1.1.0
05/20/2019
- add Apache Require claim authorization functions
- bump to version 1.0.1
03/22/2019
- initial import of version 1.0.0