Releases: zmartzone/lua-resty-openidc

release 1.5.4

28 Apr 09:21

Bugfixes

  • fixed a rare case where the OP public key starts with a 0x80 byte, which resulted in systematic token signature verification errors with the message "too long"
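
The 0x80 case above is the classic DER sign-bit pitfall when a JWK's base64url `n`/`e` values are turned into a PKCS#1 public key: DER INTEGER contents are two's complement, so a modulus whose first byte is 0x80 or higher needs a leading 0x00 byte, otherwise a parser reads it as a negative number and rejects the key. The Python below is an added example, not the project's Lua code, and it assumes this sign-bit rule is the root cause of the "too long" error; it encodes a constructed sample key both correctly and without the pad, then reads the modulus back the way a DER parser would.

```python
import base64

def b64url_decode(s: str) -> bytes:
    # JWK fields are base64url without padding (RFC 7515); restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def der_length(n: int) -> bytes:
    # DER length octets: short form below 128, else 0x80|count followed by a big-endian count.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(magnitude: bytes, pad_sign_bit: bool = True) -> bytes:
    # A DER INTEGER is two's complement, so a leading byte of 0x80 or above would be read
    # as a negative number; a 0x00 byte must be prepended in that case.
    # pad_sign_bit=False reproduces an encoder that forgets this rule.
    magnitude = magnitude.lstrip(b"\x00") or b"\x00"
    if pad_sign_bit and magnitude[0] & 0x80:
        magnitude = b"\x00" + magnitude
    return b"\x02" + der_length(len(magnitude)) + magnitude

def rsa_public_key_der(n_b64url: str, e_b64url: str, pad_sign_bit: bool = True) -> bytes:
    # PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    body = (der_integer(b64url_decode(n_b64url), pad_sign_bit)
            + der_integer(b64url_decode(e_b64url), pad_sign_bit))
    return b"\x30" + der_length(len(body)) + body

def read_length(buf: bytes, pos: int):
    # Return (length, position just after the length octets).
    if buf[pos] & 0x80:
        count = buf[pos] & 0x7F
        return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count
    return buf[pos], pos + 1

def decode_modulus(der: bytes) -> int:
    # Read the modulus back the way a DER parser does: as a signed two's complement INTEGER.
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, pos = read_length(der, 1)
    if der[pos] != 0x02:
        raise ValueError("expected INTEGER")
    length, pos = read_length(der, pos + 1)
    return int.from_bytes(der[pos:pos + length], "big", signed=True)

# Constructed sample JWK values (not a real key): a 4-byte "modulus" whose first byte is
# 0x80, and the usual public exponent 65537 ("AQAB").
SAMPLE_N = "gAECAw"  # bytes 80 01 02 03
SAMPLE_E = "AQAB"    # 65537
```

With the pad the modulus decodes to the positive value 0x80010203; without it the same bytes decode as a negative integer, which is why a verifier given such a key cannot use it.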

Features

  • added support for passing the bearer token as a cookie with opts.auth_accept_token_as
  • added support for an introspection interval with opts.introspection_interval
  • added support for passing request cookies on introspection call with opts.pass_cookies
  • added passing introspection endpoint authorization method into openidc_call_token_endpoint call
  • tighten JWT verification
    • disabled by default the support for "none" alg tokens introduced with 1.5.2; to enable it, you now have to explicitly set the accept_none_alg option to true
    • id tokens using a signature algorithm not announced by the discovery endpoint are now rejected.
    • you can now specify which signing algorithm you expect a bearer token to use, in order to avoid being tricked into accepting a rogue token signed with a symmetric key when expecting an asymmetric cipher.
    • added an option to reject tokens signed by an algorithm not supported by lua-resty-jwt

Other

  • added functions to manually request the invalidation of the caches; see #142
  • added more logging that may help debugging configuration; see #140; thanks @pamiel

release 1.5.3

30 Jan 11:42

Features

  • add support for configuring an outgoing proxy (requires lua-resty-http >= 0.12); see #139; thanks @grrolland
  • add support for running behind a reverse proxy by interpreting X-Forwarded-Host/Forwarded-Host and X-Forwarded-Proto/Forwarded-Proto headers; see #128

Bugfixes

  • correct iat checks: make sure it is not in the future rather than being too old; see #137; thanks @pamiel

release 1.5.2

14 Dec 09:05

Bugfixes

  • avoid making lua-resty-jwt an unnecessary dependency in an OAuth 2.0 RS remote validation setup; closes #124
  • allow setting ssl_verify to false on userinfo endpoint call; closes #125
  • avoid putting a negative TTL into the cache; closes #127
  • make handling of missing jwks_uri more robust
  • ensure we don't log nil if initial JWT verification fails

release 1.5.1

17 Nov 17:23

Bugfixes

  • fix return of access_token when renew_access_token_on_expiry = false; see #121
  • restore backwards-compatible behavior of accepting non-supported signatures on id_tokens received on a backchannel call to the token endpoint in an OIDC flow

Features

  • added support for verifying HMAC signatures on ID tokens (was supported for JWT access tokens only); see #122

release 1.5.0

14 Nov 08:58

This is quite a significant new release with the most important changes being verification of RSA signatures on tokens received from the token endpoint (required for passing OpenID Connect Certification) and the addition of a testbed. There are numerous other improvements across the board, some of which may impact existing installations, especially when using more advanced features.

Features

  • verify RSA signatures on JWTs (id_token/access_token); thanks @venkatmarepalli
  • provided explicit control over whether the access token gets renewed on expiry. If refresh fails, the user is redirected to the OP's authorization endpoint (disable with opts.renew_access_token_on_expiry = false)
  • added support for configurable network timeouts
  • add id_token_hint when calling end_session_endpoint

Bugfixes

  • fixed case where openidc.introspect would accept invalid tokens if they contained an exp claim
  • ensured id_token_hint uses the correct query string separator when opts.redirect_after_logout_uri is used together with redirect_after_logout_with_id_token_hint
  • check that sub is always present in the id_token
  • check that sub returned from the userinfo endpoint matches sub in the id_token
  • leave opts alone when silently re-authenticating; see #119 and #120

Other

  • add testbed / unit tests / coverage
  • now uses cjson.safe when decoding JSON received from external sources for improved error handling
  • rely on lua-resty-jwt validators for id_token and/or JWT access_token validation
  • unify JWT access token and OIDC id_token validation

release 1.4.1

03 Oct 08:54

Features

  • add session_contents option to configure which information/tokens get stored in the session in order to minimize the size of the session data; thanks @hanikesn
  • add support for the display request parameter; thanks @JoshBarr

Bugfixes

  • ignore any configured token_endpoint_auth_method that the library doesn't support (and log an error) and fall back to the first token_endpoint_auth_methods_supported the library can use; thanks @bodewig
  • return HTTP 400 when Host header is not set; closes #68

release 1.4.0

01 Aug 17:29

Features

  • support RFC7662-style token introspection by default
  • apply iat_slack also to openidc.jwt_verify; thanks @nielsole
  • add option to add id_token_hint to the OP logout request; thanks @pgp44
  • add force_reauthorize option that forces the auth flow to be executed; thanks @bodewig

Bugfixes

  • properly deal with ngx.redirect's return value; thanks @bodewig
  • fix access token cache ttl; closes #76
  • fix openidc_call_token_endpoint when token validation fails; thanks @dereknex
  • make sure openidc_discover is called before refreshing the access token; thanks @gonzalad

release 1.3.2

31 May 23:39

Features

  • allow optional claim specs when verifying JWT access tokens; thanks @bodewig
  • return the raw bearer token from openidc.bearer_jwt_verify; thanks @bodewig
  • add support for passing session options to resty.session; closes #56; thanks @gene1wood
  • add unauth_action "pass" option to .authenticate(); closes #53; thanks @dholth
  • renew access token on expiration with refresh token grant; thanks @gonzalad
  • support for prompt parameter during authorization, returning session data, and logout url override; thanks @gdestuynder

Bugfixes

  • guard call to openidc_discover against repeated use; thanks @bodewig

release 1.3.1

27 Mar 09:23

Features

  • support RFC 7662 for token introspection
  • use opts.expiry_claim for TTL cache control; closes #35; thanks @iperdomo

Packaging

  • change rockspec so all newer dependencies/Lua versions of packages are allowed
  • add dist.ini for OpenResty OPM; addresses #38

release 1.3.0

09 Feb 12:04

  • merge #24; thanks @hanikesn:
    • feature JWT validation through discovery
    • allow user-mode verification of tokens via separate function
    • improved handling of invalid JWT Tokens
  • be less strict about the versions of dependencies in the luarocks spec (-02)