6/12/2014
- support third-party-initiated login as defined in the spec

6/6/2014
- more changes for Debian packaging (1.5-3)

6/5/2014
- do not set Secure cookies for plain HTTP
- add warning/errors when configured hosts/domains do not match
- release 1.5
- changes for Debian packaging

6/4/2014
- fix passing integer claims on non-Mac OS X systems
- fix claims-based authorization with integer values (@martinsrom)
- fix getting the id_token from request state and error logging
- add AUTHORS file with credits
- migrate README to Markdown README.md

6/3/2014
- change JSON parser from https://github.com/moriyoshi/apr-json to http://www.digip.org/jansson/

6/2/2014
- handle X-Forwarded-Proto/X-Forwarded-Port when running behind a proxy/load-balancer
- release version 1.4

6/1/2014
- compile with OpenSSL <1.0 and but then disable Elliptic Curve verification
- fix jwks_uri setting in nested vhosts
- use OpenSSL_add_all_digests in initialization and EVP_cleanup on shutdown

5/31/2014
- README additions/improvements

5/29/2014
- correct big endian detection
- allow for key identification in JWKs based on thumbprint (x5t)

5/24/2014
- add cache destroy function and destroy shm cache resources on shutdown

5/23/2014
- doc corrections to auth_openidc.conf

5/22/2014
- add implementation of OP-initiated-SSO based on:
  http://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-01
- fix nonce caching for replay prevention

5/21/2014
- correct README on enabling Google+ APIs before applying the sample Google configs
- fix AuthNHeader setting and allow server-wide config too
- avoid segfault on corrupted/non- JSON/JWT input

5/20/2014
- fix URL assembly when running on non-standard port
- release 1.3

5/17/2014
- support outgoing proxy using OIDCOutgoingProxy
- correct sample configs in documentation for missing OIDCCookiePath
- support OIDCCookiePath in server-wide config as well

5/13/2014
- support configurable (custom) query parameters in the authorization request

5/12/2014
- support encrypted JWTs using A128KW and A256KW for the Content Encryption Key
- support A256CBC-HS512 encrypted JWTs
- support custom client JWKs URI

5/8/2014
- support encrypted JWTs using RSA1_5 and A128CBC-HS256

5/2/2014
- do not use ap_get_remote_host for browser fingerprinting

5/1/2014
- split out custom client config into separate <issuer>.conf file
- allow to override client_contact, client_name and registration_token in .conf file
- remove OIDCRegistrationToken command for the static OP config

4/29/2014
- support JWT verification of ES256, ES384 and ES512 algorithms

4/28/2014
- support configurable response_mode (fragment, query or form_post)
- use nonce in all flows except for OP Google and flows "code" or "code token"

4/26/2014
- make client secret optional (support self-issued OP)

4/25/2014
- support Hybrid flows

4/24/2014
- fix using Bearer token Authorization header on JSON POST calls
- support using a Bearer token on client registration calls

4/22/2014
- match request and response type 
- check at_hash value on "token id_token" implicit flow
- use shared memory caching by default
- release 1.2

4/19/2014
- store response_type in state and make state a JSON object

4/18/2014
- support RSASSA-PSS token signing algorithms (PS256,PS384,PS512)

4/17/2014
- improve session inactivity timeout handling

4/16/2014
- set REMOTE_USER and HTTP headers on OAuth 2.0 protected paths

4/15/2014
- add session inactivity timeout
- register all supported response_types during client registration and try
  to pick the one that matches the configured default
- use long timeouts on JWK retrieval calls
- allow for non-null but empty query parameters on implicit authorization response
- simplify azp/aud and nonce handling
- change session_type naming (to "server-cache"/"client-cookie")

4/14/2014
- factor out JOSE related code

4/3/2014
- add configurable claim name for the REMOTE_USER variable, optionally postfixed with the  url-encoded
  issuer value; the default for the remote username is "sub@" now, makeing it unique across OPs
- some refactoring of id_token validation functions
- add INSTALL, move auth_openidc.conf to main directory
- release 1.1

3/28/2014
- fix Require claim name mismatch for Apache 2.4
- fix hmac method/printout naming artifacts from earlier
auto-search-and-replace
- release v1.0.1

3/27/2014
- initial import named mod_auth_openidc
- updated README
- fix debian/changelog
