2015/06/23: fixed the erroneous upload of Debian Wheezy/Precise backports
Features
- merge claims from id_token into those obtained from the user info endpoint for authorization purposes; this allows e.g. for using the
iss
claim inRequire claim
directives (when not returned from the user info endpoint) - improve error logging on encountering non-supported JWT signing/encryption algorithms
- allow JSON string values for the "active" claim in access token validation responses (as used by e.g. the WebSphere Liberty authorization server) (thanks @stevemart)
- make public keys for encrypted JWT access tokens available for OAuth 2.0 configurations (see issue #74 esp. last comments)
- remove exceptions for accounts.google.com since Google is OpenID Connect compliant now
Bugfixes
- fix
at_hash
andc_hash
comparisons when the input is padded (thanks @steverc, issue #65) - perform validation on post-logout URLs to prevent open redirects, response splitting and cache poisoning (thanks @davidbernick, issue #68)
- fix post-logout URL being set to SSO URL
Packaging
- the
*bpo70*.deb
packages will work on Debian Wheezy and Ubuntu Precise - the regular
*.deb
packages will work on Debian Jessie, Ubuntu Trusty and Ubuntu Utopic