github zmartzone/lua-resty-openidc v1.9.0
release 1.9.0


Features

  • added support for OAuth 2.0 Pushed Authorization Requests (PAR, RFC 9126) through the opt-in use_par option.
  • added support for OAuth 2.0 DPoP client proof generation (RFC 9449) through the opt-in use_dpop option.
  • added ES256, RS256, and PS256 signing support for DPoP proofs.
  • added DPoP nonce retry support for token and userinfo endpoint calls.
  • added DPoP authorization code binding through the dpop_jkt authorization request parameter.
  • added support for configuring the client assertion JWT signing algorithm with client_jwt_assertion_alg.
  • added the redirect_after_logout_with_client_id option to send client_id on logout when no id_token_hint is available; see #518.
  • keep pending authorization states separate within the same browser session so concurrent tabs do not overwrite state, nonce, PKCE verifier, or original redirect URI values; see #553.
  • prune stale and excess pending authorization states from the session during authorization requests, configurable with authorization_state_expires_in and authorization_state_max_number; see #553.
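How the per-state bookkeeping in the last two bullets can be laid out, as an added illustration in Python (lua-resty-openidc itself is Lua, and this is not its code): each pending login gets its own entry keyed by state, entries that outlived their window are pruned, and the oldest are evicted once a cap is reached. The defaults and the names AUTH_STATE_EXPIRES_IN and AUTH_STATE_MAX_NUMBER are assumptions standing in for authorization_state_expires_in and authorization_state_max_number; the session is a plain dict.

```python
import secrets
import time

# Assumed defaults for the demo; the library's own options are
# authorization_state_expires_in and authorization_state_max_number.
AUTH_STATE_EXPIRES_IN = 600
AUTH_STATE_MAX_NUMBER = 5


def begin_authorization(session, original_url, *, now=None,
                        expires_in=AUTH_STATE_EXPIRES_IN,
                        max_number=AUTH_STATE_MAX_NUMBER):
    """Record a new pending authorization in `session` (a dict standing in for
    the cookie or server-side session) and return (state, entry). Two tabs
    starting login at once each get their own nonce, verifier and URL."""
    now = time.time() if now is None else now
    pending = session.setdefault("pending", {})

    # Prune entries that expired without ever completing.
    for stale in [s for s, e in pending.items() if now - e["created"] > expires_in]:
        del pending[stale]

    # Cap the number of in-flight logins one session may hold, oldest out first,
    # so a client cannot grow the session without bound.
    while len(pending) >= max_number:
        del pending[min(pending, key=lambda s: pending[s]["created"])]

    state = secrets.token_urlsafe(16)
    pending[state] = {
        "nonce": secrets.token_urlsafe(16),
        "code_verifier": secrets.token_urlsafe(32),   # PKCE, RFC 7636
        "original_url": original_url,
        "created": now,
    }
    return state, pending[state]


def complete_authorization(session, state, *, now=None,
                           expires_in=AUTH_STATE_EXPIRES_IN):
    """Consume the pending entry matching the `state` the IdP returned.
    Returns the entry, or None if it is unknown, already used, or expired."""
    now = time.time() if now is None else now
    entry = session.get("pending", {}).pop(state, None)
    if entry is None or now - entry["created"] > expires_in:
        return None
    return entry
```

The entry is popped on completion, so a second callback with the same state finds nothing; that is the replay check the per-state map gives you for free.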

Security

  • do not use the shared JWT verification cache for bearer JWT validation calls that pass additional claim validators, preventing a token accepted by one validator set from bypassing a stricter validator set on cache hit.
  • scope DPoP nonces to the current request (via ngx.ctx) instead of mutating the shared opts table, preventing one session's DPoP nonce from leaking into another request.
  • require token_type=DPoP in DPoP token responses, and reject public JWKs that contain private key material.
  • added a security policy for privately reporting vulnerabilities.
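The first Security bullet in code, as an added Python illustration rather than the library's Lua: a validation cache keyed on the token alone hands a verdict reached under the base validators to a later call that adds stricter ones. The BASE_REQUIRED rule set, the claim-rule shape and the token string are constructed for the demo; claims arrive already parsed, signature checking is out of scope.

```python
import time

# Claim rules stand in for the library's validator functions.
BASE_REQUIRED = {"iss": "https://op.example"}   # assumed base validator set for the demo


def claims_ok(claims, required):
    """Every required claim must be present with exactly the required value."""
    return all(claims.get(k) == v for k, v in required.items())


class VerificationCache:
    """Shared bearer-JWT validation cache. scoped=False reproduces the
    pre-1.9.0 behaviour of keying on the token alone."""

    def __init__(self, ttl=300, scoped=True):
        self.ttl, self.scoped = ttl, scoped
        self._entries = {}
        self.hits = 0

    def validate_bearer(self, token, claims, extra_required=None, *, now=None):
        now = time.time() if now is None else now
        extra_required = extra_required or {}
        # The fix: a call that brings its own validators never consults or fills
        # the shared cache, so a verdict reached under one validator set cannot
        # answer for another. (Keying on token plus a digest of the validator
        # set also works; the bypass has no key derivation to get wrong.)
        cacheable = not (self.scoped and extra_required)
        if cacheable:
            cached = self._entries.get(token)
            if cached is not None and cached[1] > now:
                self.hits += 1
                return cached[0]
        ok = claims_ok(claims, {**BASE_REQUIRED, **extra_required})
        if cacheable:
            self._entries[token] = (ok, now + self.ttl)
        return ok


def demo(scoped):
    """A read-scoped token first hits a lax route, then an admin route that
    requires scope=admin. Returns (lax verdict, strict verdict)."""
    token = "eyJhbGciOiJSUzI1NiJ9.constructed.token"   # opaque here; only the cache key matters
    claims = {"iss": "https://op.example", "sub": "alice", "scope": "read"}
    cache = VerificationCache(scoped=scoped)
    lax = cache.validate_bearer(token, claims, now=1000)
    strict = cache.validate_bearer(token, claims, {"scope": "admin"}, now=1001)
    return lax, strict
```

With scoped=False the admin route accepts the read-only token on the cache hit; with scoped=True the extra validator forces a fresh evaluation and the token is refused.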

Bugfixes

  • propagate errors returned by the lifecycle.on_created hook during authorization redirects.
  • fixed DPoP token endpoint nonce retry handling for authorization server responses that use the RFC 9449 use_dpop_nonce 400 challenge.
  • remember authorization server-provided DPoP nonces from successful token responses for subsequent token requests.
  • rebuild client assertion JWTs when retrying token endpoint calls after a DPoP nonce challenge.
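The DPoP client behaviour described in the Features and Bugfixes lists, as an added Python illustration (not lua-resty-openidc code, which is Lua): only the public JWK goes into the proof header, dpop_jkt is the RFC 7638 thumbprint of that key, the nonce is held in per-request state, one retry on the use_dpop_nonce challenge rebuilds both the proof and the private_key_jwt client assertion, and token_type=DPoP is required on success. The fake token endpoint, the demo key coordinates and the HMAC stand-in signer are assumptions made so the example runs offline; the endpoint checks structure, nonce, assertion replay and the key binding but does not verify signatures.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}
# Constructed demo key: placeholder P-256 coordinates, not a real key pair.
DEMO_PUBLIC_JWK = {"kty": "EC", "crv": "P-256", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
                   "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
_STAND_IN_KEY = secrets.token_bytes(32)

def stand_in_sign(data):
    # HMAC stand-in so the demo runs offline; a real client signs ES256/RS256/PS256
    # with the private half of the key whose public half is in the proof header.
    return hmac.new(_STAND_IN_KEY, data, "sha256").digest()

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def compact_json(obj):
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint, the dpop_jkt value: SHA-256 over the required members only."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    return b64url(hashlib.sha256(compact_json({m: jwk[m] for m in required})).digest())

class DPoPClient:
    def __init__(self, jwk, sign, alg="ES256"):
        leaked = PRIVATE_JWK_MEMBERS & set(jwk)   # the header JWK travels in the clear: refuse, don't strip
        if leaked:
            raise ValueError("JWK carries private members: %s" % sorted(leaked))
        self.jwk, self.sign, self.alg = jwk, sign, alg

    def _jws(self, header, claims):
        signing_input = b64url(compact_json(header)) + "." + b64url(compact_json(claims))
        return signing_input + "." + b64url(self.sign(signing_input.encode()))

    def proof(self, htm, htu, nonce=None):
        claims = {"jti": b64url(secrets.token_bytes(16)), "htm": htm, "htu": htu, "iat": int(time.time())}
        if nonce is not None:
            claims["nonce"] = nonce
        return self._jws({"typ": "dpop+jwt", "alg": self.alg, "jwk": self.jwk}, claims)

    def client_assertion(self, client_id, token_endpoint):
        now = int(time.time())   # private_key_jwt with a fresh jti each time it is rebuilt
        return self._jws({"typ": "JWT", "alg": self.alg},
                         {"iss": client_id, "sub": client_id, "aud": token_endpoint,
                          "jti": b64url(secrets.token_bytes(16)), "iat": now, "exp": now + 60})

    def token_request(self, send, token_endpoint, form, ctx):
        """ctx is per-request state (ngx.ctx in the Lua library), never the shared opts table."""
        nonce = ctx.get("dpop_nonce")
        for attempt in (1, 2):
            headers = {"DPoP": self.proof("POST", token_endpoint, nonce)}
            body = dict(form, client_assertion=self.client_assertion(form["client_id"], token_endpoint))
            status, resp_headers, resp = send(token_endpoint, headers, body)
            if status == 400 and resp.get("error") == "use_dpop_nonce" and attempt == 1:
                nonce = resp_headers["DPoP-Nonce"]   # retry exactly once, with the server's nonce
                continue
            if status != 200 or resp.get("token_type") != "DPoP":
                raise RuntimeError("unacceptable token response %s: %s" % (status, resp))
            if "DPoP-Nonce" in resp_headers:
                ctx["dpop_nonce"] = resp_headers["DPoP-Nonce"]   # remembered for the next call
            return resp

class FakeTokenEndpoint:
    """Demo server: checks structure, nonce, assertion replay and the dpop_jkt binding; no signature check."""

    def __init__(self, bound_jkt):
        self.bound_jkt, self.nonces, self.seen_jti, self.calls = bound_jkt, set(), set(), 0

    def _nonce(self):
        nonce = b64url(secrets.token_bytes(12))
        self.nonces.add(nonce)
        return nonce

    def __call__(self, url, headers, body):
        self.calls += 1
        hdr_b64, claims_b64, _sig = headers["DPoP"].split(".")
        hdr, claims = json.loads(b64url_decode(hdr_b64)), json.loads(b64url_decode(claims_b64))
        assertion = json.loads(b64url_decode(body["client_assertion"].split(".")[1]))
        if assertion["jti"] in self.seen_jti:   # consumed even when we answer with a nonce challenge
            return 400, {}, {"error": "invalid_client"}
        self.seen_jti.add(assertion["jti"])
        if (hdr.get("typ") != "dpop+jwt" or PRIVATE_JWK_MEMBERS & set(hdr.get("jwk", {}))
                or claims.get("htm") != "POST" or claims.get("htu") != url):
            return 400, {}, {"error": "invalid_dpop_proof"}
        if claims.get("nonce") not in self.nonces:
            return 400, {"DPoP-Nonce": self._nonce()}, {"error": "use_dpop_nonce"}
        if jwk_thumbprint(hdr["jwk"]) != self.bound_jkt:   # code was bound to dpop_jkt at authorization
            return 400, {}, {"error": "invalid_grant"}
        return 200, {"DPoP-Nonce": self._nonce()}, {"access_token": "at-" + claims["jti"], "token_type": "DPoP"}
```

Usage: build `FakeTokenEndpoint(jwk_thumbprint(DEMO_PUBLIC_JWK))` (the value the authorization request carried as dpop_jkt) and call `DPoPClient(DEMO_PUBLIC_JWK, stand_in_sign).token_request(endpoint, "https://op.example/token", form, ctx)` with an empty `ctx` dict. One exchange takes two round trips: the first proof has no nonce and draws a use_dpop_nonce challenge, the retry carries a fresh proof and a fresh assertion and succeeds, and the nonce from the success response lets the next call through first time. Constructing the client with a JWK that still holds `d` raises before anything is sent; swapping the key's coordinates makes the endpoint reject the code as bound to another key.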

Other

  • added maintenance automation for dependency updates and pull request contribution checks.
  • hardened the test Docker image by minimizing apt-installed packages and running the test suite as a non-root user.
