12/06/2023
- add support for the OAuth 2.0 Client Credentials grant type
- use libcurl version macro that works on older platforms
- release 1.6.0

11/08/2023
- update DPoP support to RFC 9449
- release 1.5.2

08/31/2023
- printout more cjose error details when errors occur verifying JWT access tokens

06/29/2023
- fix timing issue in check_openidc.c; closes #47
- bump to 1.5.2dev

04/19/2023
- add issuer validation for JWT access tokens when configured through OAuth2Verify metadata; closes #44; thanks @chris-crunchr
- release 1.5.1

04/14/2023
- add support for resolving provider metadata from a Discovery endpoint URL; see https://github.com/OpenIDC/ngx_openidc_module/issues/18
- bump to 1.5.1dev

03/22/2023
- add error logs about missing or invalid "active" boolean claim in introspection response

03/08/2023
- move repo to OpenIDC github organization

03/07/2023
- release 1.5.0

03/03/2023
- add support for regular expressions in Require statements; see https://github.com/zmartzone/mod_oauth2/discussions/39
- depend on libpcre2
- fix memory leak in _oauth2_jose_options_jwk_set_rsa_key when using OpenSSL 3.x
- bump to 1.5.0dev

03/01/2023
- add support for introspect.params; see https://github.com/zmartzone/mod_oauth2/discussions/44
- release 1.4.5.5

01/22/2023
- hack for el7/x86 where openssl 1.0.2 and openssl 1.1.1 are installed for respectively Apache and NGINX 1.20.1
- bump to 1.4.5.5rc0

01/21/2023
- revert header_add/header_set change
- release 1.4.5.4

01/20/2023
- don't add WWW-Authenticate header(s) but (over)write a single one; see zmartzone/mod_oauth2#42
- release 1.4.5.3

12/14/2022
- fix NGINX https schema detection
- bump to 1.4.5.3dev

12/06/2022
- change Apache module init info log
- release 1.4.5.2

11/30/2022
- initialize check_oauth2 properly; call OPENSSL_init_crypto for OpenSSL >= 1.1.0

11/23/2022
- add JANSSON_LIBS to apache/nginx LIBADD; closes #40; thanks @pskopnik
- bump to 1.4.5.2dev

08/22/2022
- fix concurrency issue when using OAuth2Verify metadata; see #37; thanks @rtitle
- fix memory leak in cURL writeback function
- release 1.4.5.1

07/28/2022
- fix memory leak when using OAuth2Verify metadata

07/27/2022
- use main request for Apache request contexts
- set refresh to true when getting jwsk_uri results from cache
- print warning when cjose_jws_verify fails
- avoid using cjose_jwk_retain because it is not thread safe
- release 1.4.5

06/24/2022
- add cjose, curl and ssl to liboauth2.pc.in
- add add curl and cjose flags to liboauth2_cache_la_CFLAGS

04/16/2022
- fix file cache so we do not try to remove a file that was cleaned just before; see #33
- fix tests for client_secret_jwt and private_key_jwt so encoded JWT comparison works for cjose >= 0.6.2
- release 1.4.4.2

03/06/2022
- add support for OpenSSL 3.0; closes #31
- bump to 1.5.0dev

03/03/2022
- fix race condition and potential crash in curl usage in oauth2_url_decode
  see zmartzone/mod_oauth2#27; thanks @rtitle
- release 1.4.4.1

12/23/2021
- allow deprecated declarations to build with OpenSSL 3.0; see #31
- release 1.4.4

12/22/2021
- hash the cache encryption key to a string instead of bytes
- Makefile.am improvements:
  - move OpenSSL libs go generic libraries so cache files compile with the right flags
  - use ${srcdir} to conform to distcheck
- add Github Actions CI; remove Travis

10/12/2021
- make outgoing_proxy an endpoint property
- accommodate for NULL key in oauth2_cache_get and oauth2_cache_set
- release 1.4.3.2

10/11/2021
- add outgoing_proxy option to verify context
- correct remote_user debug printout
- release 1.4.3.1

06/21/2021
- printout remote username claim when not found, for debugging purposes

06/10/2021
- use encrypted JWTs for storing encrypted cache contents and avoid using static AAD/IV
  closes #26; thanks @niebardzo
- avoid memory leaks on JWT validation errors
- release 1.4.3

06/07/2021
- correct iat slack validation defaults, see https://github.com/zmartzone/mod_oauth2/discussions/20
  thanks @DrakezulsMinimalism
- release 1.4.2.1

05/28/2021
- add Travis and LGTM

05/25/2021
- set memory alignment of shm cache structs to 64 bytes; see #21 and #24
- release 1.4.2

04/19/2021
- apache: use include directory from APXS; thanks @abbra
- pass missing argument to oauth2_error in _oauth2_dpop_jti_validate; thanks @abbra

02/02/2021
- avoid creating files for anonymous shared memory segments; see #18
- release 1.4.1

01/30/2021
- fix Apache cleanup routines; see zmartzone/liboauth2#18 and zmartzone/mod_oauth2#7

01/26/2021
- add support for RFC 8705 OAuth 2.0 Mutual-TLS Certificate-Bound Access Tokens
  https://tools.ietf.org/html/rfc8705; thanks @vdzhuvinov
 
12/23/2020
- use per-process semaphore locking to prevent multi-process issue; see #18
- release 1.4.0.1

12/21/2020
- release 1.4.0

12/03/2020
- add oauth2_cfg_openidc_set_options for configurable state cookie handling

12/02/2020
- cleanup OIDC expired/superfluous state cookies; closes zmartzone/ngx_openidc_module#6

11/13/2020
- add support for PKCE

11/12/2020
- separate OpenID client configs and named providers
- fix parsing in oauth2_cfg_set_flag_slot
- add configurable state and session cookie paths

11/11/2020
- fix session cache handler cloning
- support configurable cookie path for session cookie

11/09/2020
- refactored caching; use named caches consistently

11/08/2020
- use endpoint more consistently
- harmonize naming of endpoint, endpoint auth and ropc

11/07/2020
- don't use automake config.h; closes #10; thanks @babelouest

10/07/2020
- add support for DPOP bound access tokens
- bump to 1.4.0-dev

02/27/2020
- lock access to cache globals
- log corrections and improvements

02/26/2020
- resolve some TODOs; valgrind
- bump to 1.3.0

02/25/2020
- change to named sessions

02/21/2020
- add serialized id_token to session
- externalize oauth2_jose_jwt_verify and allow verification context to be NULL
- bump to 1.2.5

02/13/2020
- add userinfo endpoint request and claims
- bump to 1.2.4
- change to named cache configurations

02/10/2020
- implement session expiry checks
- bump to 1.2.3

02/05/2020
- add missing ROPC config functions
- bump to 1.2.2

02/04/2020
- add generic endpoint config struct and ROPC client capability
- bump to 1.2.1 and bump copyright year

01/31/2020
- sane session cfg defaults

09/12/2019
- change http request header function naming
- more openidc handling
- bump to 1.2.0

09/02/2019
- fix type (auth->client_secret_jwt.aud = NULL); closes #3; thanks @pengjiaoyang

08/19/2019
- add first outline of openidc and sessions

07/03/2019
- return status code from HTTP callouts
- bump to version 1.1.1

07/01/2019
- encapsulate oauth2_log_sink_t
- bump to version 1.1.0

05/20/2019
- add Apache Require claim authorization functions
- bump to version 1.0.1

03/22/2019
- initial import of version 1.0.0
