Release 1.5.2

leodip released this 26 Apr 20:32

What's New in v1.5.2

Bug Fixes

  • Reject authorization code replay (#66): the token endpoint now detects reuse of an already-redeemed authorization code and
    rejects the request with a dedicated auth_code_reused error. Previously, replaying a used code could re-issue tokens. This
    hardens the authorization-code grant per OAuth 2.0 (RFC 6749) §4.1.2 and §10.5 and OIDC Core §3.1.3.

  • Accept cross-origin POST at /auth/authorize (#67): the CSRF middleware no longer rejects cross-origin POSTs to the authorize
    endpoint, which had made the OIDC conformance test oidcc-ensure-post-request-succeeds fail. Authorization requests
    legitimately arrive from the relying party's origin, OIDC Core §3.1.2.1 requires the authorization endpoint to accept both
    GET and POST, and the endpoint only ever answers with a redirect, so a same-origin check did not belong there.

  • Reject unsupported request and request_uri parameters (#68): /auth/authorize now rejects the request parameter with
    request_not_supported and the request_uri parameter with request_uri_not_supported, per OIDC Core 1.0 §6.1, §6.2 and
    §3.1.2.6. Previously both were silently ignored, so any parameters carried only inside the request object (state and
    nonce included) were dropped without the client being told, and the OIDC conformance test
    oidcc-unsigned-request-object-supported-correctly-or-rejected-as-unsupported failed.
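The following is an added illustration, not code from this release or from the project: a minimal Go sketch of the server-side checks the three fixes above describe. The names are all assumptions (Store, Redeem, authorizeHandler, client app1, redirect URI https://client.example/cb, the placeholder token format). It shows single-use redemption of an authorization code under one lock so a replay gets auth_code_reused, plus the RFC 6749 §4.1.2 recommendation to revoke tokens already issued on a replayed code (a spec recommendation shown here, not a statement about what this project does), and an authorize handler that serves GET and POST through one path and answers request / request_uri with the OIDC Core §3.1.2.6 error redirect, echoing state, only to a registered redirect_uri.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// codeRecord is one authorization code's persisted state; tokens minted from it are kept so a replay can revoke them.
type codeRecord struct {
	clientID string
	redeemed bool
	tokens   []string
}

type Store struct { // in-memory stand-in for the codes table (assumed, not the project's)
	mu      sync.Mutex
	codes   map[string]*codeRecord
	revoked map[string]bool
}

var ErrInvalidGrant, ErrCodeReused = errors.New("invalid_grant"), errors.New("auth_code_reused")

// Redeem exchanges a code exactly once. Lookup and the redeemed-flag flip happen under one
// lock (in SQL: a conditional UPDATE in one transaction), so concurrent replays cannot both win.
func (s *Store) Redeem(code, clientID string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.codes[code]
	if !ok || rec.clientID != clientID {
		return "", ErrInvalidGrant
	}
	if rec.redeemed {
		// RFC 6749 §4.1.2: deny the replay and SHOULD revoke tokens already issued on it.
		for _, t := range rec.tokens {
			s.revoked[t] = true
		}
		return "", ErrCodeReused
	}
	rec.redeemed = true
	tok := "at-" + code // placeholder; a real server mints a signed token here
	rec.tokens = append(rec.tokens, tok)
	return tok, nil
}

// registeredRedirects stands in for client registration; errors are redirected only to a registered URI (RFC 6749 §4.1.2.1).
var registeredRedirects = map[string]string{"app1": "https://client.example/cb"}

// errorRedirect builds the OIDC Core §3.1.2.6 error response sent back to redirect_uri (assumed to carry no query) with state echoed.
func errorRedirect(redirectURI, errCode, state string) string {
	q := url.Values{"error": {errCode}}
	if state != "" {
		q.Set("state", state)
	}
	return redirectURI + "?" + q.Encode()
}

// authorizeHandler is a minimal /auth/authorize. FormValue reads the query on GET and the form
// body on POST, so both methods OIDC Core §3.1.2.1 requires share one path; no same-origin check
// belongs here, since the request rightly comes from the relying party's origin.
func authorizeHandler(w http.ResponseWriter, r *http.Request) {
	redirectURI := r.FormValue("redirect_uri")
	if redirectURI == "" || registeredRedirects[r.FormValue("client_id")] != redirectURI {
		http.Error(w, "invalid_request: unregistered redirect_uri", http.StatusBadRequest)
		return
	}
	state := r.FormValue("state")
	switch {
	case r.FormValue("request") != "":
		http.Redirect(w, r, errorRedirect(redirectURI, "request_not_supported", state), http.StatusFound)
	case r.FormValue("request_uri") != "":
		http.Redirect(w, r, errorRedirect(redirectURI, "request_uri_not_supported", state), http.StatusFound)
	default: // a real server authenticates the user here and issues a code bound to client_id
		http.Redirect(w, r, redirectURI+"?code=fresh&state="+url.QueryEscape(state), http.StatusFound)
	}
}

// authorize drives authorizeHandler in-process and returns the status and Location header.
func authorize(method string, params url.Values) (int, string) {
	target, body := "/auth/authorize?"+params.Encode(), ""
	if method == http.MethodPost {
		target, body = "/auth/authorize", params.Encode()
	}
	req := httptest.NewRequest(method, target, strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rr := httptest.NewRecorder()
	authorizeHandler(rr, req)
	return rr.Code, rr.Header().Get("Location")
}

func main() {
	s := &Store{codes: map[string]*codeRecord{"c1": {clientID: "app1"}}, revoked: map[string]bool{}}
	tok, _ := s.Redeem("c1", "app1")
	_, err := s.Redeem("c1", "app1")
	fmt.Println(tok, err, s.revoked[tok]) // the replay is rejected and revokes the first token
}
```

The check that matters most in Redeem is that the lookup and the flip of the redeemed flag are one atomic step; a read-then-write split across two queries leaves a window in which two token requests racing with the same code both succeed. The 400 for an unregistered redirect_uri is deliberate: an error redirect to an unvalidated URI would turn the error path into an open redirect.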