Last Update: 2023-04-29 00:05:41 +0000

0.5.0 (08/02/2021)

RP-Initiated Logout

The :oidc plugin can now do RP-Initiated Logout. It’s disabled by default, so read the docs to learn how to enable it.


The :oauth_jwt (and by association, :oidc) plugin(s) verifies the claims of used JWT tokens. This is a very important security fix, as without it, there is no protection against replay attacks and other types of misuse of the JWT token.

A new auth method, generate_jti(claims), was added to the list of oauth_jwt plugin options. By default, it’ll hash the aud and iat claims together, but you can overwrite how this is done.