3/10/2016
- release 1.8.8

3/7/2016
- issue a warning if the "openid" scope is not requested

3/6/2016
- sanitize the OIDCAuthNHeader value before setting the header; thanks @rfk
- bump to 1.8.8rc7

3/5/2016
- log exact version of OpenSSL and EC/GCM/Redis support
- tidy up auth_openidc.conf docs
- bump to 1.8.8rc6

2/26/2016
- add option to refresh claims from the userinfo endpoint using OIDCUserInfoRefreshInterval; see #119
- merge id_token claims in to the set of claims used for authorization for Apache >=2.4; see #120
- bump to 1.8.8rc5

2/23/2016
- make state cookie a session cookie and clean expired cookies on entry (merge of fix-firefox-cookie-storage)
- fix HTML error template initialization in vhosts
- bump to 1.8.8rc4

2/22/2016
- don't authenticate (redirect/state) when X-Requested-With header exists; as suggested in #113
- bump to 1.8.8rc3

2/18/2016
- pass plain state to the token endpoint on code flows: https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01
- fix loose (prefix-only) matching of cookie names
- allow passing OAuth bearer token as a cookie (OIDCOAuthAcceptTokenAs extension for PingAccess)
- bump to 1.8.8rc2

2/11/2016
- include token_endpoint_auth_method in dynamic client registration request, set to selected method from provider

2/10/2016
- Elliptic Curve support now requires OpenSSL 1.0.1 detection
- bump to 1.8.8rc1

1/14/2016
- add support for passing in OAuth bearer tokens as one or more of: header, post param or query param (OIDCOAuthAcceptTokenAs)
- bump to 1.8.8rc0

1/8/2016
- release 1.8.7

1/7/2016
- update copyright year

12/17/2015
- enforce strict matching of issuer in Discovery document against the originally requested issuer
- check iss/client_id if present in an authentication response
- push a hash of state to the token endpoint on code flows
- bump to 1.8.7rc4

12/9/2015
- improve debug logging around session management capabilities (i.e. enabled/disabled)
- return 404 for op/rp iframes if session management is not enabled
- bump to 1.8.7rc3

12/4/2015
- add support for RFC 7636 PKCE plain & S256 https://tools.ietf.org/html/rfc7636
- bump to 1.8.7rc2

12/3/2015
- fix crash when using a custom error template and the error description is NULL
- fix crash when target_link_uri is not a valid URI or parts are empty
- fix memory corruption when using custom html template across different server requests; closes #106
- bump to 1.8.7rc1

11/18/2015
- fix compiler warning on double sizeof call; close #103; thanks to @dcb314
- bump to 1.8.7rc0

10/26/2015
- add option to make session cookie persistent; closes #97
- release 1.8.6

10/19/2015
- add support for applying a custom HTML error template with OIDCHTMLErrorTemplate
- bump to 1.8.6rc3

10/12/2015
- check the cookie domain that the session was created for against the configured domain
- log a warning if the Set-Cookie value length is greater than 4093 bytes
- include and prioritize the X-Forwarded-Host header in hostname determination
- allow for missing Host header i.e. HTTP 1.0
- return DONE instead of HTTP_UNAUTHORIZED with Discovery page (prevent double HTML in HTTP 1.0)
- use apr_strnatcmp instead of strcmp in util.c and mod_auth_openidc.c
- bump to 1.8.6rc2

10/9/2015
- support subdomain cookies in OIDCCookieDomain checks; PR #96, thanks @pfiled
- bump to 1.8.6rc1

10/6/2015
- add key identifier ("kid") option to `OIDCOAuthVerifySharedKeys`, `OIDCOAuthVerifyCertFiles` and `OIDCPublicKeyFiles` configs
- bump to 1.8.6rc0

9/21/2015
- support (non-sid-based) HTTP logout: http://openid.net/specs/openid-connect-logout-1_0.html
- release 1.8.5

9/16/2015
- improve logging on provider/client/conf metadata parsing failures; closes #94
- bump to 1.8.5rc7

9/9/2015
- fix parsing of OIDCOAuthTokenExpiryClaim, thanks to @bester #90
- bump to 1.8.5rc6

9/4/2015
- add CSRF protection to external Discovery as well
- allow browser back after authorization response, see #89
- handle invalid (expired) authorization response state by sending the user to OIDCDefaultURL, see #86
- bump to 1.8.5rc5

8/26/2015
- add CSRF protection to Discovery
- bump to 1.8.5rc4

8/19/2015
- support encrypted JWTs using A192KW for key encryption and A192CBC-HS384 for content encryption
- bump to 1.8.5rc3

8/15/2015
- support encrypted JWTs using RSA-OAEP for key encryption and A128GCM,A192GCM,A256GCM for content encryption
- bump to 1.8.5rc2

8/4/2015
- support for OIDCUnAuthAction: how to act on unauthenticated requests (OIDCReturn401 is deprecated)
- bump to 1.8.5rc1

7/15/2015
- add authentication option for Redis server with OIDCRedisCachePassword
- bump to 1.8.5rc0

7/3/2015
- allow for compilation on Windows using VS 2013
- bump to 1.8.4

6/30/2015
- improve memcache logging: don't report cache misses as an error, thanks to @scottdear
- work around JSON timestamp print modifier issue (%lld) on some platforms, thanks to @ralphvanetten
- bump to 1.8.4rc3

6/24/2015
- support passing claims as environment variables (OIDCPassClaimsAs)
- bump to 1.8.4rc1

6/22/2015
- correct debug printout in oidc_util_read_form_encoded_params

6/20/2015
- avoid double free of JWT after parsing errors have been encountered
- bump to 1.8.4rc0

6/19/2015
- make public keys for encrypted access tokens available in OAuth-only configurations; fixes #74
- remove exceptions for accounts.google.com since Google is OpenID Connect compliant now
- release 1.8.3

6/15/2015
- add a complete JWT sample that includes validation of "exp" and "iat" to the test suite

6/10/2015
- allow JSON string values for the "active" claim in access token validation responses
- bump to 1.8.3rc4

6/7/2015
- improve error logging on non-supported JWT signing/encryption algorithms
- bump to 1.8.3rc3

5/31/2015
- merge id_token ("iss"!) and user info claims for authz processing
- bump to 1.8.3rc2

5/29/2015
- fix hash comparison when padded, thanks to @steverc as mentioned in #65
- fix post-logout URL being set to SSO URL
- add post-logout URL validation, thanks to @davidbernick
- bump to 1.8.3rc1

5/18/2015
- fix OpenSSL version detection for Elliptic Curve support in apr_jwt_signature_to_jwk_type: include opensslv.h
- fix hash length calculation for Elliptic Curve algorithms
- release 1.8.2

5/5/2015
- release 1.8.1

4/21/2015
- allow setting OIDCDiscoverURL inside of Directory and Location directives as well
- bump to 1.8.1rc5

4/20/2015
- allow setting OIDCCookie outside of Directory and Location directives as well
- bump to 1.8.1rc4

4/17/2015
- add support for applying regular expressions to OIDCRemoteUserClaim and OIDCOAuthRemoteUserClaim
- bump to 1.8.1rc3

4/12/2015
- make token expiry parsing of introspection result configurable (OIDCOAuthTokenExpiryClaim)
- increase SHM cache key size from 255 to 512 (allows for JWT access tokens cache keys for introspection result)
- bump to 1.8.1rc2

4/1/2015
- avoid timing attacks on symmetric key signature/hash comparisons as pointed out by @timmclean
- bump to 1.8.1rc1

3/19/2015
- merge #57: fix build with OpenSSL <1.0 re. apr_jws_signature_is_ec (thanks to @szakharchenko)

2/26/2015
- release 1.8.0

2/23/2015
- avoid including line feeds in header values (thanks to @forkbomber and @ekanthi)
- bump to 1.8.0rc5

2/16/2015
- fix free() crash on simple-valued error printouts
- fix returning keys without a "kid"
- fix searching for keys with a "x5t" thumbprint
- refactor response type handling; more strict matching of requested response type
- make compiled in Redis support optional
- fix oauth.introspection_endpoint_method in initialization
- bump to 1.8.0rc4

2/15/2015
- add support for configurable introspection HTTP method (OIDCOAuthIntrospectionEndpointMethod)
- add preliminary support for GET-style logout
- bump to 1.8.0rc2

2/12/2015
- add support for configuration of maximum session duration
- bump to 1.8.0rc1

2/9/2015
- check JWT signature against all configured keys (jwks_uri) if no "kid" is provided, not just the first one
- revise JOSE JWS handling part 2
- complete support for local JWT access token validation
- bump to 1.8.0rc0

2/5/2015
- fix symmetric key decryption of JWTs (A128CBC-HS256/A256CBC-HS512)
- sha256 client secrets before using them as symmetric keys for decryption
- extended decryption test coverage; avoid double printouts on error
- refactor JWT header parsing
- simplify JWK URI refresh handling
- release 1.7.3

2/4/2015
- revise JOSE JWK handling part 1
- change change target_uri parameter name to target_link_uri following draft-bradley-oauth-jwt-encoded-state-03
- extended tests with stubs
- refactor JWT validation (iss, exp, iat)
- fix memory leak with RSA key conversion in apr_jwk.c - apr_jwk_rsa_bio_to_key
- bump to 1.7.3rc4

1/25/2015
- Allow {... "error": null ...} in JSON responses. (@fatlotus)

1/22/2015
- fix configuration validation check where no config would be checked if OIDCProviderIssuer is set
  but both OIDRedirectURI and OIDCCryptoPassphrase are not set
- add preliminary support for local JWT access token validation
- bump to 1.7.3rc1
- sanitize set cookie syntax (get rid of extraneous ";")

1/21/2015
- add support for OIDCOAuthIntrospectionTokenParamName (incl. Google OAuth 2.0 access token validation)
- add a sample OAuth 2.0 config for Google access tokens to README.md
- release 1.7.2

- add APXS2_OPTS to configure.ac to accommodate RPM builds
- bump to 1.7.3rc0
- fix JWT timestamp (iat/exp) initialization issue
- fix README.md on Google's scope required for returning the "hd" claim

1/14/2015
- add Apache function stubs to enable extending the scope of tests
- add tests for oidc_proto_validate_access_token and oidc_proto_validate_code
- bump to 1.7.2rc3

1/12/2015
- improve accuracy of expired/invalid session handling

1/11/2015
- add error type and return values to JOSE functions
- fix return result on error in function that decrypts CEK
- bump to 1.7.2rc2

1/1/2015
- update copyright to 2015
- use json_int_t (seconds) for "exp" and "iat" fields, instead of apr_time_t (microseconds) 
- correct expiry debug printout
- bump to 1.7.2rc1

12/15/2014
- fix Redis reconnect behavior: avoid keep reconnecting after first failure
- bump to 1.7.2rc0

12/12/2014
- support passing cookies specified in OIDCPassCookies from browser on to OP/AS calls (for loadbalancing purposes)
- release 1.7.1
- document OIDCPassCookies in auth_openidc.conf

12/10/2014
- reconnect to the Redis server after I/O failure as raised in #43
- bump to 1.7.1rc4

12/8/2014
- return http 500 when detecting requests that will loop on return
- bump to 1.7.1rc3

12/3/2014
- require the expiring access_token on the refresh hook for XSRF protection
- pass error codes back to the caller when the refresh hook fails
- bump to 1.7.1rc2

12/2/2014
- improve handling of non-string (=non-compliant) error responses

11/26/2014
- make shared memory cache entry max size configurable through OIDCCacheShmEntrySizeMax
- add OIDCReturn401 configuration primitive
- bump to 1.7.1rc1

11/11/2014
- allow OIDCRedirectURI's with an empty path and fix crash; thanks to @CedricCabessa

11/9/2014
- support for adding configurable JSON parameters to Dynamic Client Registration requests

11/5/2014
- release 1.7.0

10/30/2014
- correct expires_in conversion
- first stab at HTML templating and make all html HTML 4.01 Strict compliant
- bump to 1.7.0rc4

10/29/2014
- document refresh flow

10/28/2014
- scrub all OIDC_ headers
- add support for the refresh_token flow + hook
- pass the expires_in as an absolute timestamp in OIDC_access_token_expires
- use a global mutex for the Redis cache
- bump to 1.7.0rc3

10/27/2014
- generalize support for OAuth 2.0 token introspection and conform to:
  https://tools.ietf.org/html/draft-ietf-oauth-introspection-00

10/26/2014
- support regular expressions in Require statements

10/24/2014
- add support for Redis cache backend; there's a dependency on hiredis headers/library now

10/21/2014
- refactor nonce generation and remove base64url padding from value

10/13/2014
- add libssl-dev to Debian control build dependencies
- release 1.6.0

10/6/2014
- apply html encoding to error display
- bump version number to 1.6.0rc4

10/2/2014
- avoid crash when downloading metadata from OIDCProviderMetadataURL fails
- set OIDCProviderMetadataURL retrieval interval to 24 hours
- return error on configurations mixing OIDCProviderMetadataURL and OIDCMetadataDir
- bump version number to 1.6.0rc3

10/1/2014
- support provider configuration from a metadata URL (OIDCProviderMetadataURL)
- bump version number to 1.6.0rc2

9/30/2014
- be less strict about issuer validation in metadata
- refactor metadata.c
- improve logging about userinfo endpoint

9/29/2014
- refactor cache so it is partitioned in to sections (i.e. avoid future key collisions)

9/25/2014
- add support for "x5c" JWK representation
- return JWKS on jwks_uri with content-type "application/json"

9/17/2014
- remove support for the X-Frame-Options as it is not needed in 302s
- create and use log macros that printout function name

9/16/2014
- support for passing runtime determined authentication request parameters in the discovery response
- include name/version in logs and bump to 1.6.0rc1
- don't use the X-Frame-Options by default

9/13/2014
- add support for the X-Frame-Options header as recommended by the spec

9/12/2014
- set expiry on state cookies; don't clear session cookie after cache miss or corruption
- fix JSON array memory leak in oauth.c

9/10/2014
- merge #34 (g10f), fix session management Javascript bug

9/3/2014
- improve error handling on hitting the redirect URI directly
- fix set_slot functions for algorithm/url used as default for dynamic registration
- rewording of auth_openidc.conf docs on JWK settings

9/1/2014
- add session management based on http://openid.net/specs/openid-connect-session-1_0.html (draft 21)

8/29/2014
- add configuration option to POST extra parameters to the token endpoint

8/26/2014
- correct cookie_path comparison
- release 1.5.5

8/20/2014
- correctly error out on flows where no id_token was provided ("token")

8/19/2014
- fix debug printout on open redirect prevention
- cleanup in-memory crypto context on shutdown
- use default of "/" for OIDCCookiePath to simplify quickstart/simple deployments
- disable OIDCMetadataDir in sample/default config file
- clear session cookie after cache miss or corruption

8/18/2014
- add HttpOnly flag to cookies by default; can be disabled by config

8/14/2014
- support for passing the id_token in multiple formats (claims|payload|serialized)
- release 1.5.4

8/13/2014
- pass the access_token in OIDC_access_token header to the application

8/9/2014
- merge #21 (Latinovic) to close #18 (big endian JWE issue)
- merge #20 (wadahiro), support for "none" JWT signing algorithm

8/1/2014
- fix cache initialization/destroy leak
- release 1.5.3

7/26/2014
- refactor http code; cleanup JSON encoding in client registration
- refactor padding handling in base64url encoding/decoding

7/20/2014
- check for open redirect on passed target_link_uri
- prevent JWE timing attacks on CEK; add JWE test
- include client_id and scope values in resolved access_token

7/1/2014
- pass JSON objects in app HTTP headers as plain JSON
- correct printout in id_token hash comparisons
- add more tests
- release 1.5.2

6/12/2014
- support third-party-initiated login as defined in the spec
- release 1.5.1
- fix PF OAuth 2.0 RS functionality after upgrading to jansson

6/6/2014
- more changes for Debian packaging (1.5-3)

6/5/2014
- do not set Secure cookies for plain HTTP
- add warning/errors when configured hosts/domains do not match
- release 1.5
- changes for Debian packaging

6/4/2014
- fix passing integer claims on non-Mac OS X systems
- fix claims-based authorization with integer values (@martinsrom)
- fix getting the id_token from request state and error logging
- add AUTHORS file with credits
- migrate README to Markdown README.md

6/3/2014
- change JSON parser from https://github.com/moriyoshi/apr-json to http://www.digip.org/jansson/

6/2/2014
- handle X-Forwarded-Proto/X-Forwarded-Port when running behind a proxy/load-balancer
- release version 1.4

6/1/2014
- compile with OpenSSL <1.0 and but then disable Elliptic Curve verification
- fix jwks_uri setting in nested vhosts
- use OpenSSL_add_all_digests in initialization and EVP_cleanup on shutdown

5/31/2014
- README additions/improvements

5/29/2014
- correct big endian detection
- allow for key identification in JWKs based on thumbprint (x5t)

5/24/2014
- add cache destroy function and destroy shm cache resources on shutdown

5/23/2014
- doc corrections to auth_openidc.conf

5/22/2014
- add implementation of OP-initiated-SSO based on:
  http://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-01
- fix nonce caching for replay prevention

5/21/2014
- correct README on enabling Google+ APIs before applying the sample Google configs
- fix AuthNHeader setting and allow server-wide config too
- avoid segfault on corrupted/non- JSON/JWT input

5/20/2014
- fix URL assembly when running on non-standard port
- release 1.3

5/17/2014
- support outgoing proxy using OIDCOutgoingProxy
- correct sample configs in documentation for missing OIDCCookiePath
- support OIDCCookiePath in server-wide config as well

5/13/2014
- support configurable (custom) query parameters in the authorization request

5/12/2014
- support encrypted JWTs using A128KW and A256KW for the Content Encryption Key
- support A256CBC-HS512 encrypted JWTs
- support custom client JWKs URI

5/8/2014
- support encrypted JWTs using RSA1_5 and A128CBC-HS256

5/2/2014
- do not use ap_get_remote_host for browser fingerprinting

5/1/2014
- split out custom client config into separate <issuer>.conf file
- allow to override client_contact, client_name and registration_token in .conf file
- remove OIDCRegistrationToken command for the static OP config

4/29/2014
- support JWT verification of ES256, ES384 and ES512 algorithms

4/28/2014
- support configurable response_mode (fragment, query or form_post)
- use nonce in all flows except for OP Google and flows "code" or "code token"

4/26/2014
- make client secret optional (support self-issued OP)

4/25/2014
- support Hybrid flows

4/24/2014
- fix using Bearer token Authorization header on JSON POST calls
- support using a Bearer token on client registration calls

4/22/2014
- match request and response type 
- check at_hash value on "token id_token" implicit flow
- use shared memory caching by default
- release 1.2

4/19/2014
- store response_type in state and make state a JSON object

4/18/2014
- support RSASSA-PSS token signing algorithms (PS256,PS384,PS512)

4/17/2014
- improve session inactivity timeout handling

4/16/2014
- set REMOTE_USER and HTTP headers on OAuth 2.0 protected paths

4/15/2014
- add session inactivity timeout
- register all supported response_types during client registration and try
  to pick the one that matches the configured default
- use long timeouts on JWK retrieval calls
- allow for non-null but empty query parameters on implicit authorization response
- simplify azp/aud and nonce handling
- change session_type naming (to "server-cache"/"client-cookie")

4/14/2014
- factor out JOSE related code

4/3/2014
- add configurable claim name for the REMOTE_USER variable, optionally postfixed with the  url-encoded
  issuer value; the default for the remote username is "sub@" now, makeing it unique across OPs
- some refactoring of id_token validation functions
- add INSTALL, move auth_openidc.conf to main directory
- release 1.1

3/28/2014
- fix Require claim name mismatch for Apache 2.4
- fix hmac method/printout naming artifacts from earlier
auto-search-and-replace
- release v1.0.1

3/27/2014
- initial import named mod_auth_openidc
- updated README
- fix debian/changelog
