release 3.2.1; depend on liboauth2 1.4.1

zandbelt · zandbelt · commit c8a259a36568 · 2021-02-01T11:35:57.000+01:00
with support for RFC 8705 mTLS Client Certificate bound access tokens

Signed-off-by: Hans Zandbelt &lt;hans.zandbelt@zmartzone.eu&gt;
diff --git a/ChangeLog b/ChangeLog
@@ -1,5 +1,6 @@
-01/25/2021
-- add TLS Client Certificate bound access token support
+02/01/2021
+- depend on liboauth2 1.4.1 with support for RFC 8705 mTLS Client Certificate bound access tokens
+- release 3.2.1
 
 12/22/2020
 - depend on liboauth2 1.4.0
diff --git a/README.md b/README.md
@@ -18,6 +18,13 @@ AuthType oauth2
 OAuth2TokenVerify jwks_uri https://pingfed:9031/ext/one jwks_uri.ssl_verify=false
 ```
 
+RFC 8705 Mutual TLS Certificate (optionally) Bound JWT Bearer Access Token validation with a known JWK
+```apache
+AuthType oauth2
+OAuth2TokenVerify jwk "{\"kty\":\"RSA\",\"kid\":\"one\",\"use\":\"sig\",\"n\":\"12SBWV_4xU8sBEC2IXcakiDe3IrrUcnIHexfyHG11Kw-EsrZvOy6PrrcqfTr1GcecyWFzQvUr61DWESrZWq96vd08_iTIWIny8pU5dlCoC7FsHU_onUQI1m4gQ3jNr00KhH878vrBVdr_T-zuOYQQOBRMEyFG-I4nb91zO1n2gcpQHeabJw3JIC9g65FCpu8DSw8uXQ1hVfGUDZAK6iwncNZ1uqN4HhRGNevFXT7KVG0cNS8S3oF4AhHafFurheVxh714R2EseTVD_FfLn2QTlCss_73YIJjzn047yKmAx5a9zuun6FKiISnMupGnHShwVoaS695rDmFvj7mvDppMQ\",\"e\":\"AQAB\" }" type=mtls&mtls.policy=optional
+SSLVerifyClient optional_no_ca
+```
+
 For a detailed overview of configuration options see the `oauth2.conf` Apache configuration file in this directory.
 
 ## Features
diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_oauth2],[3.2.0],[hans.zandbelt@zmartzone.eu])
+AC_INIT([mod_oauth2],[3.2.1],[hans.zandbelt@zmartzone.eu])
 
 AM_INIT_AUTOMAKE([foreign no-define subdir-objects])
 AC_CONFIG_MACRO_DIRS([m4])
@@ -32,11 +32,11 @@ PKG_CHECK_MODULES(APR, [apr-1, apr-util-1])
 AC_SUBST(APR_CFLAGS)
 AC_SUBST(APR_LIBS)
 
-PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 1.4.0])
+PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 1.4.1])
 AC_SUBST(OAUTH2_CFLAGS)
 AC_SUBST(OAUTH2_LIBS)
 
-PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 1.4.0])
+PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 1.4.1])
 AC_SUBST(OAUTH2_APACHE_CFLAGS)
 AC_SUBST(OAUTH2_APACHE_LIBS)
 
diff --git a/oauth2.conf b/oauth2.conf
@@ -20,20 +20,20 @@
 #
 # <type>     <value>    <description>                             <options> (provided in query-encoded format)
 #
-# introspect <url>      RFC7662 introspection URL                 introspect.ssl_verify, introspect.auth, introspect.cache, introspect.expiry,
-# jwks_uri   <url>      JWKS URI that serves the public keys      jwks_uri.ssl_verify, jwks_uri.cache, jwks_uri.expiry,
+# introspect <url>      RFC7662 introspection URL                 introspect.ssl_verify, introspect.auth, introspect.cache, introspect.expiry, type
+# jwks_uri   <url>      JWKS URI that serves the public keys      jwks_uri.ssl_verify, jwks_uri.cache, jwks_uri.expiry, type,
 #                                                                 verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after
-# jwk        <json>     JWK JSON representation of a symmetric    kid (overrides kid in JWK), verify.iss, verify.exp, verify.iat,
+# jwk        <json>     JWK JSON representation of a symmetric    kid (overrides kid in JWK), verify.iss, verify.exp, verify.iat, type,
 #                       key or a public key                       verify.iat.slack_before, verify.iat.slack_after
 # metadata   <url>      RFC8414 Authorization Server Metadata     metadata.ssl_verify, introspect.*, jwks_uri.*
 #                       URL that contains a JWKs URI in jwks_uri
-# plain      <string>   symmetric key (password) in plain text    kid, verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after
-# base64     <string>   base64-encoded symmetric key              kid, verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after
-# base64url  <string>   base64url-encoded symmetric key           kid, verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after
-# hex        <string>   hex-encoded symmetric key                 kid, verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after
-# pem        <string>   PEM formatted X.509 certificate           kid, verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after
+# plain      <string>   symmetric key (password) in plain text    kid, verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after, type
+# base64     <string>   base64-encoded symmetric key              kid, verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after, type
+# base64url  <string>   base64url-encoded symmetric key           kid, verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after, type
+# hex        <string>   hex-encoded symmetric key                 kid, verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after, type
+# pem        <string>   PEM formatted X.509 certificate           kid, verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after, type
 #                       that contains an RSA public key
-# pubkey     <string>   PEM formatted RSA public key              kid, verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after
+# pubkey     <string>   PEM formatted RSA public key              kid, verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after, type
 # eckey_uri  <url>      URL on wich the Elliptic Curve key is     eckey_uri.ssl_verify, eckey_uri.cache, eckey_uri.expiry,
 #                       published as a PEM (Amazon ALB specific)  verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after
 #                       
@@ -48,6 +48,7 @@
 # verify.iat               skip|optional|required    how to validate the "iat" claim in the JWT: skip it, verify if present, require claim to be present and validate
 # verify.iat.slack_before  <number>                  acceptable clock drift in seconds for the "iat" claim: anything issued before now-number will be rejected
 # verify.iat.slack_after   <number>                  acceptable clock drift in seconds for the "iat" claim: anything issued after now+number will be rejected
+# type                     [mtls|dpop]               type of proof of possession, mtls.policy=[optional|required]
 # cache                    <string>                  cache backend name for access token validation results,
 #                                                    default is "default", otherwise must refer to a named cache defined with OAuth2Cache
 # expiry                   <number>                  cache expiry in seconds for access token validation results
