0.5.0 (08/02/2021)¶ ↑
RP-Initiated Logout¶ ↑
The :oidc plugin can now do RP-Initiated Logout. It’s disabled by default, so read the docs to learn how to enable it.
Security¶ ↑
The :oauth_jwt (and by association, :oidc) plugin(s) verifies the claims of used JWT tokens. This is a very important security fix, as without it, there is no protection against replay attacks and other types of misuse of the JWT token.
A new auth method, generate_jti(claims), was added to the list of oauth_jwt plugin options. By default, it’ll hash the aud and iat claims together, but you can overwrite how this is done.