release 2.4.14.1

Note that as of release 2.4.14 the use of OIDCHTMLErrorTemplate is deprecated and one should instead rely on standard Apache error handling capabilities, optionally customized through ErrorDocument. The environment variable strings REDIRECT_OIDC_ERROR and REDIRECT_OIDC_ERROR_DESC are available for display purposes.

Bugfixes

• fix RequireAny behaviour on 401/403/302: revert 9d6192b for non-stepup authentication cases
  as the first non-matching Require claim directive would immediately lead to an authorization error instead of continuing to process all Require statements to match any of those
• make OIDCUnautzAction 302|auth (i.e. step up authentication) work with multiple/nested Require claim expressions e.g. using RequireAny and Require not claim
• fix refreshing claims from the userinfo endpoint when no id_token claims are stored in the session since environment variable OIDC_DONT_STORE_ID_TOKEN_CLAIMS_IN_SESSION has been set
• fix memory leak when refreshing claims from the userinfo endpoint

Other

• to make OIDCUnAutzAction 403 actually return 403 in Apache 2.4 it also needs AuthzSendForbiddenOnFailure again, i.e. the fix in 2.4.14 for it was reverted

Commercial

• binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via sales@openidc.com
• support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com