Bugfixes
- bugfix for the rare case where the OP public key starts with a 0x80 byte, which resulted in a systematic token signature verification error with the message "too long"
Features
- added support for passing bearer token as cookie with opts.auth_accept_token_as
- added support for introspection interval with opts.introspection_interval
- added support for passing request cookies on introspection call with opts.pass_cookies
- added passing introspection endpoint authorization method into openidc_call_token_endpoint call
- tightened JWT verification:
  - disabled support for "none" alg tokens (introduced with 1.5.2) by default; if you want to enable it, you will now have to explicitly set the accept_none_alg option to true
  - id tokens using a signature algorithm not announced by the discovery endpoint are now rejected
  - you can now specify which signing algorithm you expect a bearer token to use, in order to avoid being tricked into accepting a rogue token signed with a symmetric key when expecting an asymmetric cipher
  - added an option to reject tokens signed by an algorithm not supported by lua-resty-jwt
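The header policy behind the tightened JWT verification entries above, as an added illustration (not code from lua-resty-openidc): the alg is checked against an expected set, the discovery-announced set and the verifier's supported set, with "none" rejected unless explicitly enabled, before any signature verification runs. The option names and the supported-algorithm list are assumptions for this example.

```python
import base64
import json

# Assumed list of algorithms the underlying JWT library can verify (example only).
SUPPORTED_ALGS = {"RS256", "RS384", "RS512", "HS256", "HS384", "HS512"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(header: dict, payload: dict) -> str:
    # Constructed sample token: header and payload only, placeholder signature segment.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.sig"


def jwt_alg_policy(token, expected_algs, discovery_algs,
                   accept_none_alg=False, accept_unsupported_alg=False):
    """Return the alg when the header passes policy, otherwise raise ValueError.

    This is header policy only: it decides whether the token is even eligible for
    signature verification, which must still happen afterwards with the matching key.
    """
    try:
        header = json.loads(_b64url_decode(token.split(".")[0]))
    except Exception as exc:
        raise ValueError("malformed JWT header") from exc
    alg = header.get("alg")
    if not isinstance(alg, str):
        raise ValueError("alg header missing")
    if alg == "none":
        if not accept_none_alg:
            raise ValueError('"none" alg rejected (accept_none_alg is false)')
        return alg
    if alg not in SUPPORTED_ALGS and not accept_unsupported_alg:
        raise ValueError(f"alg {alg} not supported by verifier")
    if discovery_algs is not None and alg not in discovery_algs:
        raise ValueError(f"alg {alg} not announced by discovery endpoint")
    # Key-confusion guard: a token offering HS256 is rejected when RS256 is expected,
    # so the RSA public key can never be misused as an HMAC secret.
    if alg not in expected_algs:
        raise ValueError(f"alg {alg} not in expected set {sorted(expected_algs)}")
    return alg


def rejection_reason(token, **policy):
    """Return the rejection message, or None when the header passes policy."""
    try:
        jwt_alg_policy(token, **policy)
        return None
    except ValueError as exc:
        return str(exc)
```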
Other