10/13/2014
- add libssl-dev to Debian control build dependencies
- release 1.6.0

10/6/2014
- apply html encoding to error display
- bump version number to 1.6.0rc4

10/2/2014
- avoid crash when downloading metadata from OIDCProviderMetadataURL fails
- set OIDCProviderMetadataURL retrieval interval to 24 hours
- return error on configurations mixing OIDCProviderMetadataURL and OIDCMetadataDir
- bump version number to 1.6.0rc3

10/1/2014
- support provider configuration from a metadata URL (OIDCProviderMetadataURL)
- bump version number to 1.6.0rc2

9/30/2014
- be less strict about issuer validation in metadata
- refactor metadata.c
- improve logging about userinfo endpoint

9/29/2014
- refactor cache so it is partitioned in to sections (i.e. avoid future key collisions)

9/25/2014
- add support for "x5c" JWK representation
- return JWKS on jwks_uri with content-type "application/json"

9/17/2014
- remove support for the X-Frame-Options as it is not needed in 302s
- create and use log macros that printout function name

9/16/2014
- support for passing runtime determined authentication request parameters in the discovery response
- include name/version in logs and bump to 1.6.0rc1
- don't use the X-Frame-Options by default

9/13/2014
- add support for the X-Frame-Options header as recommended by the spec

9/12/2014
- set expiry on state cookies; don't clear session cookie after cache miss or corruption
- fix JSON array memory leak in oauth.c

9/10/2014
- merge #34 (g10f), fix session management Javascript bug

9/3/2014
- improve error handling on hitting the redirect URI directly
- fix set_slot functions for algorithm/url used as default for dynamic registration
- rewording of auth_openidc.conf docs on JWK settings

9/1/2014
- add session management based on http://openid.net/specs/openid-connect-session-1_0.html (draft 21)

8/29/2014
- add configuration option to POST extra parameters to the token endpoint

8/26/2014
- correct cookie_path comparison
- release 1.5.5

8/20/2014
- correctly error out on flows where no id_token was provided ("token")

8/19/2014
- fix debug printout on open redirect prevention
- cleanup in-memory crypto context on shutdown
- use default of "/" for OIDCCookiePath to simplify quickstart/simple deployments
- disable OIDCMetadataDir in sample/default config file
- clear session cookie after cache miss or corruptoin

8/18/2014
- add HttpOnly flag to cookies by default; can be disabled by config

8/14/2014
- support for passing the id_token in multiple formats (claims|payload|serialized)
- release 1.5.4

8/13/2014
- pass the access_token in OIDC_access_token header to the application

8/9/2014
- merge #21 (Latinovic) to close #18 (big endian JWE issue)
- merge #20 (wadahiro), support for "none" JWT signing algorithm

8/1/2014
- fix cache initialization/destroy leak
- release 1.5.3

7/26/2014
- refactor http code; cleanup JSON encoding in client registration
- refactor padding handling in base64url encoding/decoding

7/20/2014
- check for open redirect on passed target_link_uri
- prevent JWE timing attacks on CEK; add JWE test
- include client_id and scope values in resolved access_token

7/1/2014
- pass JSON objects in app HTTP headers as plain JSON
- correct printout in id_token hash comparisons
- add more tests
- release 1.5.2

6/12/2014
- support third-party-initiated login as defined in the spec
- release 1.5.1
- fix PF OAuth 2.0 RS functionality after upgrading to jansson

6/6/2014
- more changes for Debian packaging (1.5-3)

6/5/2014
- do not set Secure cookies for plain HTTP
- add warning/errors when configured hosts/domains do not match
- release 1.5
- changes for Debian packaging

6/4/2014
- fix passing integer claims on non-Mac OS X systems
- fix claims-based authorization with integer values (@martinsrom)
- fix getting the id_token from request state and error logging
- add AUTHORS file with credits
- migrate README to Markdown README.md

6/3/2014
- change JSON parser from https://github.com/moriyoshi/apr-json to http://www.digip.org/jansson/

6/2/2014
- handle X-Forwarded-Proto/X-Forwarded-Port when running behind a proxy/load-balancer
- release version 1.4

6/1/2014
- compile with OpenSSL <1.0 and but then disable Elliptic Curve verification
- fix jwks_uri setting in nested vhosts
- use OpenSSL_add_all_digests in initialization and EVP_cleanup on shutdown

5/31/2014
- README additions/improvements

5/29/2014
- correct big endian detection
- allow for key identification in JWKs based on thumbprint (x5t)

5/24/2014
- add cache destroy function and destroy shm cache resources on shutdown

5/23/2014
- doc corrections to auth_openidc.conf

5/22/2014
- add implementation of OP-initiated-SSO based on:
  http://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-01
- fix nonce caching for replay prevention

5/21/2014
- correct README on enabling Google+ APIs before applying the sample Google configs
- fix AuthNHeader setting and allow server-wide config too
- avoid segfault on corrupted/non- JSON/JWT input

5/20/2014
- fix URL assembly when running on non-standard port
- release 1.3

5/17/2014
- support outgoing proxy using OIDCOutgoingProxy
- correct sample configs in documentation for missing OIDCCookiePath
- support OIDCCookiePath in server-wide config as well

5/13/2014
- support configurable (custom) query parameters in the authorization request

5/12/2014
- support encrypted JWTs using A128KW and A256KW for the Content Encryption Key
- support A256CBC-HS512 encrypted JWTs
- support custom client JWKs URI

5/8/2014
- support encrypted JWTs using RSA1_5 and A128CBC-HS256

5/2/2014
- do not use ap_get_remote_host for browser fingerprinting

5/1/2014
- split out custom client config into separate <issuer>.conf file
- allow to override client_contact, client_name and registration_token in .conf file
- remove OIDCRegistrationToken command for the static OP config

4/29/2014
- support JWT verification of ES256, ES384 and ES512 algorithms

4/28/2014
- support configurable response_mode (fragment, query or form_post)
- use nonce in all flows except for OP Google and flows "code" or "code token"

4/26/2014
- make client secret optional (support self-issued OP)

4/25/2014
- support Hybrid flows

4/24/2014
- fix using Bearer token Authorization header on JSON POST calls
- support using a Bearer token on client registration calls

4/22/2014
- match request and response type 
- check at_hash value on "token id_token" implicit flow
- use shared memory caching by default
- release 1.2

4/19/2014
- store response_type in state and make state a JSON object

4/18/2014
- support RSASSA-PSS token signing algorithms (PS256,PS384,PS512)

4/17/2014
- improve session inactivity timeout handling

4/16/2014
- set REMOTE_USER and HTTP headers on OAuth 2.0 protected paths

4/15/2014
- add session inactivity timeout
- register all supported response_types during client registration and try
  to pick the one that matches the configured default
- use long timeouts on JWK retrieval calls
- allow for non-null but empty query parameters on implicit authorization response
- simplify azp/aud and nonce handling
- change session_type naming (to "server-cache"/"client-cookie")

4/14/2014
- factor out JOSE related code

4/3/2014
- add configurable claim name for the REMOTE_USER variable, optionally postfixed with the  url-encoded
  issuer value; the default for the remote username is "sub@" now, makeing it unique across OPs
- some refactoring of id_token validation functions
- add INSTALL, move auth_openidc.conf to main directory
- release 1.1

3/28/2014
- fix Require claim name mismatch for Apache 2.4
- fix hmac method/printout naming artifacts from earlier
auto-search-and-replace
- release v1.0.1

3/27/2014
- initial import named mod_auth_openidc
- updated README
- fix debian/changelog
