release 2.1.0

Bugfixes

• fix memory leak in oidc_jwk_to_json when repeatedly downloading keys from the jwks_uri
• fix JWT verification with multiple keys when no kid is present; closes #184; thanks @solsson
• use private_key_jwt client authentication only if a private key is configured; closes #189; thanks @solsson
• return error on session cache failure; closes #185; thanks @solsson
• handle non-integer exp/iat timestamps in JWTs; closes #187; thanks @drdivano
• don't include encryption keys from the jwks_uri when verifying JWTs with no kid specified
• fix A128KW/A192KW encryption key truncation for keys derived from the client secret requiring a key size < 256 bits
• truncate (metadata) files before (over)writing them
• fix null pointer segfault in debug printout in oidc_util_read_form_encoded_params
• fix parsing issue that would affect OIDCClientJwksUri usage in dynamic client registration
• urlencode provider URL cache key to fix file cache backend issue; closes #179, thanks @djahandarie

Features

• add remove_at_cache hook to invalidate cached access tokens, see #177
• support refreshing provider metadata based on timestamp and OIDCProviderMetadataRefreshInterval
• support for signed and/or encrypted Request URIs: http://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter
• support for signed and/or encrypted JWT responses returned from the userinfo endpoint: http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
• support WebFinger Discovery with URL-style user identifiers using the disc-user parameter
• support presenting the access token to the userinfo endpoint in a POST parameter with OIDCUserInfoTokenMethod
• handle aggregated and distributed claims returned from the userinfo endpoint: http://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims
• printout warning about invalid http(s) URLs in metadata

Security

• check that a sub claim returned from the userinfo endpoint matches the one in the id_token
• refuse webfinger responses with an href value that is not on secure https

Other

• added test/oidc-rp-certification.sh script to run OIDC RP certification tests
• changes in logging so that results can be analyzed easier in the oidc-rp-certification.sh script
• added test/test-cmd tool to have command-line access to various JOSE-related operations