Last Friday, September 9th 2016, I released a brand new version of mod_auth_openidc, the module that implements OpenID Connect RP and OAuth 2.0 RS functionality for the Apache webserver. So what’s the big deal with it and why does it have a new major version number?
The biggest change is that all JSON Signing and Encryption (JOSE) operations are now handled through a separate 3rd-party library. That library is cjose, an excellent open source project started by Matt Miller from Cisco which allows mod_auth_openidc to rely on a dedicated library for all crypto related operations. Since that library will have its own update and release pace this should result in better security overall for deployments e.g.: no backporting of JOSE/crypto fixes in the module is required, just update the cjose library.
The JOSE library also makes it easy to create JSON Web Tokens and use them to securely store all state that the module needs to keep track of. So now all state storage is protected by wrapping it in to a JWT and encrypting and signing it with the pre-configured passphrase. This allows for a secure deployment in shared cache/storage environments. For example one can now use a public memcache cluster across a bunch of Apache servers without having to worry that the session state can be accessed or altered by some 3rd-party internal administrator that also happens to have access to the same memcache cluster because of another application using it. The same thing holds for Redis storage or file-based storage.
On top of that, an encrypted and signed JWT stored in a temporary state cookie is used to keep track of the request state between the authentication requests that the module sends out and the corresponding authentication responses that it receives from the Provider.
One other change that is also worth mentioning is the support for so-called “chunked” cookies. This means that a large cookie value is now split out over a number of smaller cookies. This in its turn allows for client-side session management, i.e. storing all session related state in a client-side cookie rather than using any server-side storage/dependency, without the risk of running over session cookie limits all too easily – which happened quite a lot with certain Providers out there previously.
Well, there’s a lot more good stuff in 2.0.0 that you can see for yourself here: https://github.com/pingidentity/mod_auth_openidc/releases/tag/v2.0.0. Let me know if you have any feedback!