## 0.5.0 (08/02/2021)

### RP-Initiated Logout

The `:oidc` plugin can now do RP-Initiated Logout. It's disabled by default, so read the docs to learn how to enable it.

### Security

The `:oauth_jwt` plugin (and by association the `:oidc` plugin) now verifies the claims of the JWT tokens it accepts. This is a very important security fix: without it, there is no protection against replay attacks and other types of misuse of a JWT token.

A new auth method, `generate_jti(claims)`, was added to the list of `oauth_jwt` plugin options. By default it hashes the `aud` and `iat` claims together, but you can override how the `jti` is generated.
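The example below is added here to illustrate the two pieces this release touches: a `jti` generator (a deterministic default over `aud` and `iat`, as the changelog describes, beside a stronger override) and a claim check that rejects a replayed token. It is not rodauth-oauth's own code; the exact digest and separator the plugin uses are an assumption, and the audience value and claims are constructed sample data.

```ruby
require 'digest'
require 'securerandom'

# Illustrative stand-in for the plugin's behaviour, not its actual implementation.
module JtiDemo
  # Default-style generator: deterministic over aud and iat (assumed SHA-256 over "aud:iat").
  def self.default_jti(claims)
    Digest::SHA256.hexdigest("#{claims['aud']}:#{claims['iat']}")
  end

  # A custom generator of the kind you could plug in via the generate_jti option:
  # mixing in sub and a random nonce means two tokens minted in the same second
  # for the same audience never share a jti.
  def self.random_jti(claims)
    Digest::SHA256.hexdigest("#{claims['aud']}:#{claims['iat']}:#{claims['sub']}:#{SecureRandom.hex(16)}")
  end

  # Verifies the claims a resource server should check before trusting a JWT and
  # remembers every accepted jti, so presenting the same token twice is rejected.
  class ReplayGuard
    def initialize(audience:, now: -> { Time.now.to_i })
      @audience = audience
      @now = now
      @seen = {}   # jti => exp; in production this lives in a shared store, not memory
    end

    # Returns :ok, or a symbol naming the first failed check.
    def verify(claims)
      return :missing_claims unless %w[jti aud iat exp].all? { |k| claims.key?(k) }
      return :wrong_audience unless claims['aud'] == @audience
      return :expired unless claims['exp'] > @now.call
      return :not_yet_valid if claims['iat'] > @now.call
      return :replayed if @seen.key?(claims['jti'])

      @seen[claims['jti']] = claims['exp']
      :ok
    end
  end
end
```

Expired entries in the seen-jti store can be pruned once their `exp` has passed, since the expiry check rejects those tokens anyway.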