release 1.5.0

@zandbelt released this 14 Nov 08:58
· 344 commits to master since this release

This is quite a significant new release with the most important changes being verification of RSA signatures on tokens received from the token endpoint (required for passing OpenID Connect Certification) and the addition of a testbed. There are numerous other improvements across the board, some of which may impact existing installations, especially when using more advanced features.

Features

  • verify RSA signatures on JWTs (id_token/access_token); thanks @venkatmarepalli
  • provided explicit control over whether the access token gets renewed on expiry. If the refresh fails, the user is redirected to the OP's authorization endpoint (disable with opts.renew_access_token_on_expiry = false)
  • added support for configurable network timeouts
  • add id_token_hint when calling end_session_endpoint

Bugfixes

  • fixed case where openidc.introspect would accept invalid tokens if they contained an exp claim
  • ensured id_token_hint uses the correct query string separator when opts.redirect_after_logout_uri is used together with redirect_after_logout_with_id_token_hint
  • check that sub is always present in the id_token
  • check that sub returned from the userinfo endpoint matches sub in the id_token
  • leave opts alone when silently re-authenticating; see #119 and #120

Other

  • add testbed / unit tests / coverage
  • now uses cjson.safe when decoding JSON received from external sources for improved error handling
  • rely on lua-resty-jwt validators for id_token and/or JWT access_token validation
  • unify JWT access token and OIDC id_token validation