5.0.0

Latest

@nijel nijel released this 23 Jun 14:16

Security

  • LoginRadius backend now validates callback state to prevent login CSRF.
  • Odnoklassniki app backend now ignores untrusted callback API hosts and
    validates returned user details.
  • Partial pipeline resume now requires session ownership or explicit external
    resume confirmation to prevent login CSRF.
  • SAML responses are now validated against the original AuthnRequest when
    possible.
  • Twilio backend now preserves HTTPS callback URLs and validates callback state
    to prevent login CSRF.
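Several of the items above (LoginRadius, Twilio, partial pipeline resume) fix the same class of defect: a callback that is not bound to the browser session that started the login, which lets a third party complete someone else's login with their own provider account (login CSRF). The following is an added, self-contained illustration of that binding, not social-core's own code; the `Session` class and function names are constructed for this example, and the "before" variant exists only to show what the check prevents.

```python
import hmac
import secrets


class Session(dict):
    """Constructed stand-in for a server-side, per-browser session store."""


def start_login(session):
    """Mint an unguessable state token and bind it to the caller's session.

    The returned value is what an application would place in the ``state``
    parameter of the redirect to the identity provider.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def complete_login_unchecked(session, callback_params):
    """'Before' behaviour: accept whatever arrives on the callback URL.

    Nothing ties the callback to the session that began the login, so a
    callback assembled by someone else is indistinguishable from a real one.
    That is the login CSRF the release notes describe.
    """
    return callback_params["code"]


def complete_login(session, callback_params):
    """Hardened behaviour: the callback must echo the state bound to this session.

    The stored value is consumed on first use so it cannot be replayed, and the
    comparison is constant-time so the token is not leaked through timing.
    """
    expected = session.pop("oauth_state", None)
    received = callback_params.get("state")
    if not isinstance(expected, str) or not isinstance(received, str):
        raise PermissionError("missing state: callback not bound to a login")
    if not hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8")):
        raise PermissionError("state mismatch: possible login CSRF")
    return callback_params["code"]


def callback_accepted(session, callback_params):
    """Return True when the hardened check accepts the callback, False otherwise."""
    try:
        complete_login(session, callback_params)
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    # Constructed walkthrough: a genuine callback carries the state this
    # session issued; a callback from anywhere else does not.
    browser = Session()
    state = start_login(browser)
    genuine = {"code": "constructed-code-1", "state": state}
    stray = {"code": "constructed-code-2", "state": "not-the-issued-state"}
    print("genuine accepted:", callback_accepted(Session(browser), genuine))
    print("stray accepted:", callback_accepted(Session(browser), stray))
    # The unchecked variant accepts both, which is the defect being fixed.
    print("unchecked accepts stray:",
          complete_login_unchecked(browser, stray) == "constructed-code-2")
```

The same pattern is what the pipeline-resume item implies: a resumed partial pipeline should only continue when the requester owns the session that started it (or has explicitly confirmed an external resume), rather than on the strength of an identifier alone. For the SAML item, the analogous binding is checking the response's InResponseTo against the ID of the AuthnRequest that the session issued.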

Fixed

  • Auth0 OpenID Connect configuration now uses the correct base URLs.
  • Authentication now handles invalid email addresses without crashing.
  • Vend OAuth user IDs are now scoped by shop.
  • VK app authentication now requires an auth key.

Removed

  • Discontinued OAuth backends: AppsFuel, Beats Music, ChangeTip, Clef,
    Edmodo, 500px (five_hundred_px), legacy Google App Engine bundled Users
    (gae), Jawbone, Moves, Mozilla Persona, Readability Parser API, and Wunderlist.
  • Discontinued Google+ Sign-In backend (google-plus / GooglePlusAuth).