Features
- added support for OAuth 2.0 Pushed Authorization Requests (PAR, RFC 9126) through the opt-in `use_par` option.
- added support for OAuth 2.0 DPoP client proof generation (RFC 9449) through the opt-in `use_dpop` option.
- added ES256, RS256, and PS256 signing support for DPoP proofs.
- added DPoP nonce retry support for token and userinfo endpoint calls.
- added DPoP authorization code binding through the `dpop_jkt` authorization request parameter.
- added support for configuring the client assertion JWT signing algorithm with `client_jwt_assertion_alg`.
- added the `redirect_after_logout_with_client_id` option to send `client_id` on logout when `id_token_hint` is not available; see #518.
- keep pending authorization states separate within the same browser session so concurrent tabs do not overwrite state, nonce, PKCE verifier, or original redirect URI values; see #553.
- prune stale and excess pending authorization states from the session during authorization requests, configurable with `authorization_state_expires_in` and `authorization_state_max_number`; see #553.
Security
- do not use the shared JWT verification cache for bearer JWT validation calls that pass additional claim validators, preventing a token accepted by one validator set from bypassing a stricter validator set on a cache hit.
- scope DPoP nonces to the current request (via `ngx.ctx`) instead of mutating the shared `opts` table, preventing one session's DPoP nonce from leaking into another request.
- validate DPoP token responses with `token_type=DPoP` and reject public JWKs that contain private key material.
- added a security policy for privately reporting vulnerabilities.
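The cache-bypass entry above, as an added illustration (not code from the library described): a shared verification cache keyed by the token string alone lets a later call with stricter claim validators hit the cache and never run them; the fix mirrored here is to bypass the cache whenever extra validators are passed. The tokens, claims and `requires_admin` validator are constructed sample data, and the signature check is a stub since the bug is independent of it.

```python
from typing import Callable, Dict, Optional, Tuple

Claims = Dict[str, str]
Validator = Callable[[Claims], bool]

# Constructed sample tokens: opaque bearer string -> claims a real
# signature check would yield. Only "tok-admin" carries the admin scope.
SAMPLE_TOKENS: Dict[str, Claims] = {
    "tok-admin": {"sub": "alice", "scope": "openid admin"},
    "tok-user": {"sub": "bob", "scope": "openid"},
}


def _verify_signature(token: str) -> Optional[Claims]:
    """Stand-in for the real JWT signature check (stub): claims or None."""
    return SAMPLE_TOKENS.get(token)


class BearerVerifier:
    """Bearer JWT verifier with a shared cache of already-verified tokens."""

    def __init__(self, skip_cache_for_validators: bool) -> None:
        self._cache: Dict[str, Claims] = {}
        # False = vulnerable behaviour, True = fixed behaviour.
        self._skip = skip_cache_for_validators

    def verify(self, token: str, claim_validators: Tuple[Validator, ...] = ()) -> Optional[Claims]:
        use_cache = not (self._skip and claim_validators)
        if use_cache and token in self._cache:
            # Cache hit: the extra validators are never consulted.
            return self._cache[token]
        claims = _verify_signature(token)
        if claims is None or not all(v(claims) for v in claim_validators):
            return None
        if use_cache:
            self._cache[token] = claims
        return claims


def requires_admin(claims: Claims) -> bool:
    return "admin" in claims.get("scope", "").split()


def demo(skip_cache_for_validators: bool) -> Tuple[bool, bool]:
    """Returns (lenient call accepted, strict call correctly rejected)."""
    v = BearerVerifier(skip_cache_for_validators)
    lenient = v.verify("tok-user")                    # no validators; primes the cache
    strict = v.verify("tok-user", (requires_admin,))  # must be rejected: no admin scope
    return lenient is not None, strict is None
```

With the cache shared across validator sets `demo(False)` returns `(True, False)`: the stricter check is silently skipped; with the fix `demo(True)` returns `(True, True)`.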
Bugfixes
- propagate errors returned by the `lifecycle.on_created` hook during authorization redirects.
- fixed DPoP token endpoint nonce retry handling for authorization server responses that use the RFC 9449 `use_dpop_nonce` 400 challenge.
- remember authorization-server-provided DPoP nonces from successful token responses for subsequent token requests.
- rebuild client assertion JWTs when retrying token endpoint calls after a DPoP nonce challenge.
Other
- added maintenance automation for dependency updates and pull request contribution checks.
- hardened the test Docker image by minimizing apt-installed packages and running the test suite as a non-root user.