@renovate renovate bot commented Dec 4, 2025

This PR contains the following updates:

Package | Update | Change
OpenIDC/mod_auth_openidc | patch | 2.4.16.11 -> v2.4.19

Release Notes

OpenIDC/mod_auth_openidc (OpenIDC/mod_auth_openidc)

v2.4.19: release 2.4.19

Note that this release changes the internal session format in a backwards incompatible way so existing sessions are invalid.

Features

  • cookie: support individual SameSite cookie settings on the session cookie, state cookie and Discovery CSRF cookie by adding 2 more arguments to OIDCCookieSameSite
  • id_token: add off option to OIDCPassIDTokenAs so no claims from the ID token will be passed on
  • passphrase: generate a crypto key when OIDCCryptoPassphrase is not set
    note that the OIDCCryptoPassphrase does need to be configured statically if you want sessions to survive server restarts, or for a cluster that shares a session storage backend

Bugfixes

  • metadata: avoid double-free when validation of provider metadata fails
  • response: avoid proto state memory leaks upon errors in response processing
  • util/key.c: check for unsupported symmetric key hashing algorithms and avoid a memory leak in such cases
  • session: remove expired session from cache with oidc_session_kill instead of just clearing it

Other

  • performance: store claims from the id_token and userinfo endpoint as JSON objects in the session - rather than strings - and avoid parsing/serializing overhead; results in up to 7% performance increase, depending on the number of claims stored; changes the internal session format in a backwards incompatible way so existing sessions are invalid!
  • memory: rewrite pconf pool memory allocation handling to avoid increasing memory (pool) consumption over graceful restarts
  • drop support for Apache 2.2
  • redis: use SET..EX %d when storing cached data instead of the deprecated SETEX
  • session/cookie: save 20-40 bytes on the session and client-cookie size
  • request: set the OIDC_ERROR variables when PAR is configured but not enabled by the Provider
  • code: avoid compiler warnings on curl_easy_setopt in http.c
  • test: add more unit tests in test/test_*.c and migrate proto tests from test.c

Commercial

  • binary packages for various other platforms such as Microsoft Windows, Red Hat Enterprise Linux 7, older Ubuntu and Debian distros, Oracle HTTP Server 12.x/14.x and IBM HTTP Server 9.x, are available under a commercial agreement via [email protected]
  • support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

The RPM packages below are signed with the following RSA PGP key:


v2.4.18: release 2.4.18

Bugfixes

  • fix segmentation faults upon gracefully restarting the same process: use the server process pool for static variable allocation rather than the pconf pool (regression since 2.4.14)
  • fix setting OIDCMemCacheConnectionsTTL: interpret the value correctly in seconds instead of microseconds (regression since 2.4.16); see #1345; thanks @rpluem

Other

  • revise test/check and code coverage functions and split autoconf/automake over src and test subdirs

Packaging

  • added Debian Trixie package

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
  • support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

The RPM packages below are signed with the following RSA PGP key:


v2.4.17: release 2.4.17

Features

  • proto: pass the scope parameter as returned from the token endpoint in the OIDC_scope header/environment variable and make it available for Require claim scope: purposes, if not available as a claim returned in the id_token or userinfo endpoint; thanks Amaury Buffet

Bugfixes

  • metadata: fix parsing the OPs token_endpoint_auth_methods_supported and avoid the log error:
    oidc_metadata_provider_parse: oidc_provider_token_endpoint_auth_set: invalid value
    and falling back to client_secret_basic after that; thanks François Kooman
  • fix memory leaks when using provider specific client keys and/or signed_jwks_uri_key in a multi-provider setup; thanks Sami Korvonen
  • allow for regular Apache processing (e.g. setting response/security headers) by deferring HTML/HTTP output generation to the content handler (instead of user id check handler) for the following use cases:
    • OIDCProviderAuthRequestMethod POST
    • OIDCPreservePost On (both internal and template-based)
    • POST page for the implicit grant type
    • Request URI handler
    • internally generated POST logout page
    • session management RP iframe
    • session management logout HTML top-window redirect page

Commercial

  • binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6/7, older Ubuntu and Debian distros, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, and IBM AIX 7.x are available under a commercial agreement via [email protected]
  • support for Redis/Valkey over TLS, Redis/Valkey (TLS) Sentinel, and Redis/Valkey (TLS) Cluster is available under a commercial license via [email protected]

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/openidc-mod_auth_openidc-2.x branch from accd534 to a5defb9 Compare December 10, 2025 13:27