All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Other sources for the JWT token are configurable (#10)
  - Cookie
  - AuthorizationHeader (default)
- Raw PEM file content as an input for JwtAuthorizer (#15)
- Remove 'static lifetime requirement (#8)
No public API changes, no new features.
- KeyStore, KeySource refactor for better performance and security
- Allow non-root OIDC issuer (issue #1)
- validation configuration (exp, nbf, aud, iss, disable_validation)
- more integration tests added
- JwtAuthorizer.from_ec(), JwtAuthorizer.from_ed() imported PEM as DER resulting in failed validations
- Refresh configuration - simplification, minimal_refresh_interval removed (replaced by refresh_interval in KeyNotFound refresh strategy)
- integration tests, unit tests
- JwtAuthorizer::from_oidc(issuer_uri) - building from the OIDC discovery page
- JwtAuthorizer::layer() becomes async
- demo-server refactoring
- JwtAuthorizer creation simplified:
  - JwtAuthorizer::from_* creates an instance, new() is not necessary anymore
- with_check() renamed to check()
- jwks store refresh configuration
- claims extractor (JwtClaims) without authorizer should not panic, should send a 500 error
- claims checker (stabilisation, tests, documentation)
- added missing WWW-Authenticate header to errors
- fix: when jwks store endpoint is unavailable response should be an error 500 (not 403)
- fix: panicking when a bearer token is missing in protected request (be6bf9fb)
- building the authorizer layer from rsa, ec, ed PEM files and from secret phrase (9bd99b2a)
Initial release