
release 1.5.4

@zandbelt zandbelt released this 28 Apr 09:21
· 271 commits to master since this release

Bugfixes

  • fixed a rare case where the OP public key starts with a 0x80 byte, which caused every token signature verification to fail with the message "too long"

Features

  • added support for passing the bearer token as a cookie with opts.auth_accept_token_as
  • added support for an introspection interval with opts.introspection_interval
  • added support for passing request cookies on introspection call with opts.pass_cookies
  • added passing introspection endpoint authorization method into openidc_call_token_endpoint call
  • tighten JWT verification
    • support for "none" alg tokens, introduced in 1.5.2, is now disabled by default; to enable it, you now have to explicitly set the accept_none_alg option to true
    • ID tokens using a signature algorithm not announced by the discovery endpoint are now rejected
    • you can now specify which signing algorithm you expect a bearer token to use, to avoid being tricked into accepting a rogue token signed with a symmetric key when you expect an asymmetric cipher
    • added an option to reject tokens signed by an algorithm not supported by lua-resty-jwt
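The four JWT-verification tightenings above amount to a policy on the token's `alg` header that must be enforced before any signature is checked. The following Python function is an added example written for this page (it is not lua-resty-openidc code, and the parameter names are this example's own, chosen to mirror the behaviour the release notes describe); it applies the same rules: "none" is rejected unless explicitly opted into, an ID token whose `alg` is not announced by discovery is rejected, a bearer token whose `alg` is not in the expected set is rejected (which blocks the symmetric-for-asymmetric confusion), and an algorithm the underlying library does not implement is rejected unless opted into. The discovery algorithm set and the library's algorithm set are constructed sample data.

```python
import base64
import binascii
import json

# Constructed sample: what the OP's discovery document announces for
# id_token_signing_alg_values_supported (assumption, not a real OP).
DISCOVERY_ALGS = {"RS256", "ES256"}

# Constructed sample: algorithms the underlying JWT library is assumed to
# implement. The real library's list may differ.
LIBRARY_ALGS = {"HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(header: dict, payload: dict) -> str:
    """Build a header.payload.signature token with a dummy signature.

    Only the header matters for the alg policy; the signature is a
    constructed placeholder and would never verify.
    """
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"\x00" * 32),
    ])


def check_alg_policy(token: str,
                     expected_algs=None,
                     discovery_algs=None,
                     accept_none_alg: bool = False,
                     accept_unsupported_alg: bool = False,
                     library_algs=LIBRARY_ALGS):
    """Return (ok, reason) for the token's alg header.

    expected_algs:  algorithms the verifier is configured to expect
                    (None = not constrained).
    discovery_algs: algorithms announced by the OP's discovery document
                    (None = not applicable, e.g. a plain bearer JWT).
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token: expected three segments"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, binascii.Error):
        return False, "unparseable header"
    alg = header.get("alg")
    if not isinstance(alg, str):
        return False, "missing or non-string alg"

    # Rule 1: "none" is rejected by default, accepted only by explicit opt-in.
    if alg == "none":
        if accept_none_alg:
            return True, "alg none accepted by explicit opt-in"
        return False, "alg none rejected (accept_none_alg is false)"

    # Rule 2: the configured expectation wins, so an HS256 token presented
    # where RS256 is expected is refused before any key is touched.
    if expected_algs is not None and alg not in expected_algs:
        return False, f"alg {alg} not in expected set {sorted(expected_algs)}"

    # Rule 3: ID tokens must use an algorithm the OP actually announced.
    if discovery_algs is not None and alg not in discovery_algs:
        return False, f"alg {alg} not announced by discovery"

    # Rule 4: algorithms the library cannot verify are refused unless opted in.
    if alg not in library_algs and not accept_unsupported_alg:
        return False, f"alg {alg} not supported by the JWT library"

    return True, f"alg {alg} satisfies policy"


if __name__ == "__main__":
    claims = {"sub": "alice", "iss": "https://op.example"}  # constructed
    for hdr in ({"alg": "none"}, {"alg": "HS256"}, {"alg": "RS256"}):
        tok = make_sample_token(hdr, claims)
        print(hdr["alg"], check_alg_policy(tok, expected_algs={"RS256"},
                                           discovery_algs=DISCOVERY_ALGS))
```

Run as a script it prints one decision per constructed header; the important case is the HS256 token, which is refused purely on policy even though a verifier that trusted the header's `alg` would try to validate it with the RSA public key as an HMAC secret.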

Other

  • added functions to manually request the invalidation of the caches; see #142
  • added more logging that may help debugging configuration; see #140; thanks @pamiel