v0.20.3

Allows multipart content type as alternative to x-www-form-urlencoded…

v0.20.2

openid: Merge duplicate aud claim values (#283)

v0.20.1

Uses query instead of fragment when handling unsupported response typ…

v0.20.0: oauth2: Resolves several issues related to revokation (#281)

This patch resolves several issues related to token revokation as well as duplicate authorize code usage:

* oauth2: Revoking access or refresh tokens should revoke past and future tokens too
* oauth2: Revoke access and refresh tokens when authorize code is used twice

Additionally, this patch resolves an issue where refreshing a token would not revoke previous tokens.

Closes #278
Closes #280

v0.19.8

authorize: Fixes implicit detection in error writer (#277)

v0.19.7: openid: Use claims.RequestedAt for a reference of "now" (#276)

Previously, time.Now() was used to get a reference of "now". However, this caused short max_age values to fail if, for example, the consent screen took a long time. This patch now uses the "requested_at" claim value to determine a sense of "now" which should resolve the mentioned issue.

v0.19.6

openid: Issue ID Token on implicit code flow as well

v0.19.5

jwt: Add JTI to counter missing nonce

v0.19.4

core: Checks scopes before dispatching handlers (#272)

v0.19.3

openid: Resolves timing issues in JWT strategy (#271)