release 1.4.3.1

Features

• add outgoing_proxy option to verify context
• printout remote username claim when not found, for debugging purposes

Bugfixes

• correct remote_user debug printout

release 1.4.3

Bugfixes

• use encrypted JWTs for storing encrypted cache contents and avoid using static AAD/IV closes #26; thanks @niebardzo
• avoid memory leaks on JWT validation errors

release 1.4.2.1

Bugfixes

• correct iat slack validation defaults, see OpenIDC/mod_oauth2#20; thanks @DrakezulsMinimalism

release 1.4.2

Bugfixes

• set memory alignment of shm cache structs to 64 bytes so it runs on SPARC and ARM architectures; see #21 and #24; thanks @glenk
• pass missing argument to oauth2_error in _oauth2_dpop_jti_validate; thanks @abbra

Other

• configure: use include directory from APXS for Apache compilation; thanks @abbra
• add packages for Ubuntu Focal, CentOS 8 and Debian Buster

release 1.4.1

Features

• add support for RFC 8705 OAuth 2.0 Mutual-TLS Certificate-Bound Access Tokens

Bugfixes

• fix Apache cleanup routines; see #18 and OpenIDC/mod_oauth2#7
• avoid creating /dev/shm files for anonymous shared memory segments; see #18

release 1.4.0

Features

• separate OpenID client configs and named providers
• configurable state cookie handling for OpenID Connect; closes OpenIDC/ngx_openidc_module#6
• add configurable state and session cookie paths
• add support for PKCE
• add support for DPOP bound access tokens (draft spec)

Bugfixes

• fix parsing in oauth2_cfg_set_flag_slot
• fix session cache handler cloning

Other

• don't use automake config.h; closes #10; thanks @babelouest

release 1.3.0

• implement OpenID Connect 1.0 basics
• add session management
• use named caches and sessions
• change http request header function naming
• add generic endpoint config struct and ROPC client capability
• bugfixes

release 1.1.1

• return status code from HTTP callouts

release 1.1.0

• encapsulate oauth2_log_sink_t

release 1.0.1

Features

• add support for Apache Require claim <> directives