This is a security fix release with minor incompatibilities from earlier version
with regards to the behavior of `jwt.Verify()` function
[Security Fix]
* `jwt.Verify()` had improperly used the `"alg"` header from the JWS message
when `jwt.WithKeySet()` option was used (potentially allowing exploits
described in https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/.
This has been fixed by ONLY trusting the keys that you provide and
using the `"alg"` header from the keys themselves. (#375, #381)
As a side effect, `jwt.WithKeySet()` requires that all applicable keys
to contain a valid `"alg"` header. Without this we cannot safely choose a key to use,
and hence verification will fail.
The requirement for the `"alg"` header on keys is an INCOMPATIBLE behavior.
This may break existing code, if the key does not already have an `"alg"` header.
[New features]
* `jwt.Settings()` and `jwt.WithFlattenAudience(bool)` has been added
to control how the "aud" claim is serialized into JSON. When this
is enabled, all JWTs with a single "aud" claim will serialize
the field as a single string, instead of an array of strings with
a single element, i.e.:
// jwt.WithFlattenAudience(true)
{"aud": "foo"}
// jwt.WithFlattenAudience(false)
{"aud": ["foo"]}
This setting has a global effect.
[Bug fixes]
* jwt.Validate now returns true if the value in `nbf` field is exactly
the same as what the clock returns (e.g. token.nbf == time.Now())