ChangeLog

09/13/204
- cross-tenant requests are fixed with lua-resty session 4.0.x; closes #526
- release 1.8.0

09/09/2024
- merge support for lua-resty-session 4.x; see #489; closes #464 #480 #503; thanks @oldium @balajiv113
- add @oldium to the primary AUTHORS

08/25/2024
- don't return a zero-pixel image in logout for Firefox 128 and later
  see #521

03/11/2024
- handle the userinfo response as JWT; closes ##345; thanks @NatePlumm

03/10/2023
- when looking for a bearer token an exception occured if the
  Authorization header didn't contain any space character;
  see #473

02/03/2023
- release 1.7.6-3 of luarock pinning lua-resty-session dependency to
  not go beyond 3.1ß

30/01/2023
- release 1.7.6

01/13/2023
- when parsing JWKs with an x5c claim the claim was wronly assumed to
  be base64url encoded instead of base64 encoded;
  see #460

11/06/2022
- a new option local_redirect_path can be used is situations where the
  redirect_uri as is visible to lua-resty-openidc is not simply the path
  segment of the configured redirect_uri but something more
  complex. This is needed for example if a reverse proxy in front of
  your server adds a prefix of rewrites URIs in a more complex way;
  see #453

03/05/2022
- improved error message when expecting a Bearer token header and the
  header doesn't contain a space character; see #421

01/04/2022
- added support for OAuth 2.0 Form Post Response Mode.

12/23/2021
- use Github actions for docker-based CI; delete Travis files

12/21/2021
- release 1.7.5

12/17/2021
- added id_token and the token endpoint response as additional
  arguments to the on_authenticated lifecycle hook; see #413

11/19/2021
- added opts.discovery_expires_in in order to make cache expiry of
  OpenID Connect Discovery responses configurable.

11/06/2021
- added public functions that allow tokens to be revoked without
  destroying the current session; see #402; thanks to
  @thorstenfleischmann

- when the x5c claim of a JWK is an empty array it will be ignored
  rather than cause an error; see #406

- `authenticate`'s last parameter can now be an existing session
  rather than options for starting a new one: see #405; thanks to
  @thorstenfleischmann

09/23/2021
- if lifecyle handlers return truthy values they cause the operation
  they are handlers of to fail; see #384; thanks to @arcivanov

- added opts.cache_segment as option to shard the cache used by token
  introspection or JWT verification; see #399

09/22/2021
- made jwt_verify() and bearer_jwt_verify() use a separate cache named
  "jwt_verification" and introduced opts.jwt_verification_cache_ignore
  to disable caching completely; see #399

12/05/2020
- fixed a session leak in access_token() and for a very unlikely
  code-path in authenticate(); authenticate will still normally not
  close the session as users may want to use it after the method
  returns; see
  https://github.com/zmartzone/lua-resty-openidc#sessions-and-locking
  see #374

11/17/2020
- changed dependency on lua-resty-jwt to allow newer versions in
  luarocks packaging; see #363, #366, #362;
  thanks to @Darguelles and @kayano
- release 1.7.4

09/20/2020
- release 1.7.3

08/20/2020
- added optional support for RFC 7636 "Proof Key for Code Exchange"

04/08/2020
- openidc.call_userinfo_endpoint will now invoke the discovery
  endpoint if this has not been done before in order to detect the URI
  of the userinfo endpoint

02/06/2020
- ability to disable keepalive from lua-resty-http
  By disabling keepalive we disable the native connection pool,
  avoiding errors when dealing with invalid connections. This is
  specially useful when proxying ajax requests.

02/05/2020
- no longer echo the URI parameters back on default error page when
  OIDC provider returns an error in call to redirect_uri; see #306;
  thanks @barrelmaker97

10/02/2019
- when unauth_action is 'pass' and a token refresh fails the session
  will get marked as no longer authenticated and a proper error is
  returned; see #286; thanks @cretzel

07/15/2019
- release 1.7.2

07/09/2019
- added unauth_action='deny' to reject unauthenticated requests rather
  than start the authorization code grant flow; see #271; based on
  suggested change by @nmaniwa
- read introspection_endpoint from discovery document when present; see #255

05/01/2019
- performance enhancement by caching the result of ngx.req.get_headers
  during the authenticate call.
- added another lifecycle hook that is called when the session is
  regenerated after a token refresh

04/25/2019
- improved error handling when starting session; see #264; thanks @vershnik

03/18/2019
- fixed accidental use of global variable err in revoke_tokens_on_logout;
  see #253, #254; thanks @arcivanov
- fixed a few additional cases of using global symbols detected by lualint

03/15/2019
- allow to tap into authentication workflow by providing an option
  to specify lifecycle hooks via `opts.lifecycle`

03/07/2019
- made the checks for certain HTTP headers handle the case where
  multiple headers exist; thanks @ci42

03/06/2019
- don't overwrite opts.discovery when an error occurs calling the
  discovery endpoint; see #250

02/18/2019
- release 1.7.1

12/17/2018
- don't select one of the jwt token auth methods if the required key
  material is not present; see #238

11/13/2018
- fixed a bad error return value in certain setups of
  bearer_jwt_verify; see #234; thanks @JoshTheGoldfish

11/09/2018
- added support for the client_secret_jwt authentication method; see #229

11/08/2018
- added support for the private_key_jwt authentication method; see
  #217; thanks @pamiel

11/06/2018
- make sure opts.discovery is resolved when "iss" is returned as part of the
  authorization response; see #224 ; thanks @mijohansen

11/03/2018
- we no longer verify the issuer field of the discovery document points
  to a parent URI of the discovery document's location; see #219

10/19/2018
- release 1.7.0

10/18/2018
- add token revocation support on logout (opts.revoke_tokens_on_logout)

10/16/2018
- lua-resty-openidc now creates a new session whenever the token(s)
  are refreshed, trying to soften the impact when multiple requests
  race to refresh the token at the same time. See #190 and #209

10/11/2018
- url-encode client_id/client_secret; closes #204 and #205; thanks @grrolland
  https://tools.ietf.org/html/rfc6749#section-2.3.1
- make call_userinfo_endpoint a public function; closes #207; thanks @thomasleplus

10/8/2018
- make call_token_endpoint a public function

10/04/2018
- use session.start instead of session.open; see #174; thanks @thomasleplus

09/23/2018
- added redirect_uri option that specifies an absolute URI for the
  redirect URI. The existing redirect_uri_path option has been
  deprecated in favor of the new option.

09/17/2018
- added an optional "request decorator" option that can be used to augment
  the HTTP requests when lua-resty-openidc talks to the discovery,
  token or jwks endpoints.
- add support for Windows Integrated Authentication (WIA) with Active Directory
  Federation Services (AD FS) on Windows Server 2016 (or newer)

09/15/2018
- add an option to disable nonce parameter for broken OpenID Connect providers

09/14/2018
- deprecate `opt.secret` in favor of `opts.public_key` and `opts.symmetric_key`; thanks @dholth

09/06/2018
- bypass introspection cache on demand with introspection_cache_ignore; thanks @dmitriyblok

07/18/2018
- extract log function and log level constant to the module level to allow customization

07/05/2018
- add customized expiration time option for discovery and jwk cache; thanks @dhlin
- release 1.6.1

06/26/2018
- signature verification failed for RSA keys of a length different
  from 2048 bit when the JWK used a specific format; see #170

06/19/2018
- added post_logout_redirect_uri parameter that can be used to set
  the target after logging out of the OpenID Connect Provider ; see #168; thanks @thomasleplus

06/07/2018
- refer to updated lua-resty-jwt that supports OpenSSL 1.1.x ; see: #162; thanks @cdbattags
- release 1.6.0

05/29/2018
- when refreshing tokens the id token is now refreshed as well (if
  included inside the token response); see #158; thanks @grrolland

05/24/2018
- add Cache-Control no-cache header to authorization requests to avoid replays of state/nonce;
  see zmartzone/mod_auth_openidc#321

04/28/2018
- release 1.5.4

04/27/2018
- disabled support for "none" alg tokens introduced with 1.5.2 by default.
  If you want to enable it, you will now have to explicitly set the accept_none_alg
  option to true.
- id tokens using a signature algorithm not announced by the discovery
  endpoint are now rejected.
- you can now specify which signing algorithm you expect a bearer token to
  use in order to avoid being tricked into accepting a rogue token signed
  with a symmetric key when expecting an asymmetric cypher.
- added an option to reject tokens signed by an algorithm not supported by lua-resty-jwt

04/19/2018
- added support for passing bearer token as cookie
- added support introspection interval
- added support for passing request cookies on introspection call
- added passing introspection endpoint authorization method into openidc_call_token_endpoint call 

04/11/2018
- bugfix rare case where OP public key is starting with 0x80 byte, and thus resulting in
  systematic token signature verification error with message "too long"

02/08/2018
- added functions to manually request the invalidation of the caches; see #142

02/06/2018
- added more logging that may help debugging configuration; see #140; thanks @pamiel

01/30/2018
- add support for configuring an outgoing proxy; see #139
- release 1.5.3

01/28/2018
- correct iat checks: make sure it is not in the future rather than being too old; see #137

01/06/2018
- add support for Forwarded header; see #128
- add debug info about reasons for re-authentication; see #130

12/30/2017
- use X-Forwarded-Host header when building the redirect URI if present. See #128

12/14/2017
- release 1.5.2

12/13/2017
- ensure we don't log nil if initial JWT verification fails

12/08/2017
- avoid putting a negative TTL into the cache; closes #127; thanks @ChristianCiach and @gwkunze

12/04/2017
- allow setting ssl_verify to "false" on userinfo endpoint call; closes #125; thanks @hugomcfonseca

11/22/2017
- avoid that lua-resty-jwt is a dependency in an OAuth 2.0 RS remote validation setup; closes #124
- correct README.md around lua-resty-jwt requirement
- make handling of missing `jwks_uri` more robust

11/17/2017
- added support for verifying HMAC signatures on id tokens - it has
  already been supported for access tokens before
- fix handling of signatures using unsupported algorithms on id
  tokens. Such signatures will cause a warning to be logged but the id
  tokens are considered valid. access tokens signed with an
  unsupported algorithm are considered invalid. This is the same
  behavior as has been present in 1.4.1. See #122
- release 1.5.1

11/15/2017
- fix return of access_token when renew_access_token_on_expiry = false ; see #121

11/14/2017
- release 1.5.0

11/13/2017
- provided explicit control over whether the access token gets renewed
  on expiry. If refresh fails, the user is redirected to the OP's
  authorization endpoint.

11/06/2017
- added support for configurable network timeouts

11/01/2017
- now uses cjson.safe when decoding JSON received from external sources for improved error handling

10/30/2017
- fixed case where openidc.introspect would accept invalid tokens if they contained an exp claim

10/28/2017
- add id_token_hint when calling end_session_endpoint

10/27/2017
- ensured id_token_hint uses the correct query string separator when
  opts.redirect_after_logout_uri is used together with redirect_after_logout_with_id_token_hint

10/24/2017
- verify RSA signatures on JWTs (id_token/access_token); thanks @venkatmarepalli
- rely on lua-resty-jwt validators for id_token and/or JWT access_token validation
- unify JWT access token and OIDC id_token validation
- added many more tests

10/11/2017
- add testbed / unit tests; thanks @bodewig

10/05/2017
- check that sub is always present in the id_token
- check that sub returned from the userinfo endpoint matches sub in the id_token
- allow for id_tokens with alg set to "none" and no signature part
- add more logs

10/03/2017
- ignore any configured token_endpoint_auth_method that the library doesn't support (and log an error) and
  fall back to the first token_endpoint_auth_methods_supported the library can use; thanks @bodewig
- release 1.4.1

09/30/2017
- add `session_contents` option to configure which information/tokens get stored
  in the session in order to minimize the size of the session data; thanks @hanikesn

09/19/2017
- fix sample configs/spelling in README.md; thanks @kamilzabielski

08/29/2017
- add support for the display request parameter; thanks @JoshBarr

08/01/2017
- return HTTP 400 when Host header is not set; closes #68

08/01/2017
- apply iat_slack also to openidc.jwt_verify; thanks @nielsole
- properly deal with ngx.redirect's return value; thanks @bodewig
- fix access token cache ttl; closes #76
- support RFC7662-style token introspection by default
- release 1.4.0

07/03/2017
- adding option to add id_token_hint to op logout request; thanks @pgp44

07/01/2017
- fix `openidc_call_token_endpoint` when token validation fails; thanks @dereknex

06/01/2017
- make sure openidc_discover is called before refreshing the access token; thanks @gonzalad
- add `force_reauthorize` option that forces the auth flow to be executed; thanks @bodewig

05/31/2017
- allow optional claim specs when verifying JWT access tokens; thanks @bodewig
- return the raw bearer token from `openidc.bearer_jwt_verify`; thanks @bodewig
- release 1.3.2

05/23/2017
- add support for passing session options to resty.session; closes #56; thanks @gene1wood

05/18/2017
- add unauth_action "pass" option to .authenticate(); closes #53; thanks @dholth

05/14/2017
- renew access token on expiration with refresh token grant; thanks @gonzalad
- use ngx.time instead of os.time, everywhere now

04/29/2017
- support for prompt parameter during authorization, returning session data, and logout url override thanks @gdestuynder

03/27/2017
- avoid crashes when no session is found upon callback to the redirect_uri; may address #43
- release 1.3.1

02/28/2017
- add dist.ini for OpenResty OPM; should address #38

02/13/2017
- support RFC 7662 for token introspection: use exp for TTL cache control closes #35; thanks @iperdomo
- add @iperdomo to AUTHORS

02/09/2017
- change rockspec so all newer dependencies/Lua versions are allowed instead of a single static version

02/09/2017
- merge $24; thanks @hanikesn :
  - feature JWT validation through discovery
  - allow user-mode verification of tokens via separate function
  - improved handling of invalid JWT Tokens
- release 1.3.0

11/18/2016
- make the compact serialized form of the id_token available in the session data in enc_id_token; #closes #28
- release 1.2.3

11/17/2016
- validate discovery url against issuer field; closes #25
- release 1.2.2

10/12/2016
- document that we can luarocks for installation

8/31/2016
- add ChangeLog
- change rockspec so it installs as resty.openidc; closes #20; thanks @dholth
- release 1.2.1-0