Critical bug fix for malformed paths that allowed access to protected resources. This appears to be an upstream bug in Caddy that allows fuzzy matching of paths that most browser implementations autocorrect, which breaks the strict path matching that is important for protected resources.
Allows OPTIONS requests to pass through without authentication, to conform with the CORS spec.
The major feature is support for Auth0-style claims, which require a fully namespaced key. This leads to claims that look like

    {
        "http://example.com/user": "test"
    }

This creates problems for passing the claims as a header value because of characters such as / which are not allowed.

- Token-Claim headers are now URL escaped.
- Token-Claim headers are passed as title case to align with the docs and standard practice. Prior to v3, Token-Claim headers were all upper case despite being listed as title case in the docs.
- strip_header directive added to strip out the namespacing up to the last portion of the path. This is primarily useful for constructing nicer-looking header values for Auth0 tokens.
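As an added illustration (not the plugin's own code), the Go functions below show how a namespaced Auth0-style claim key can be turned into a Token-Claim header with URL escaping, title casing, and the optional strip_header behaviour. The exact escaping and casing rules are assumptions made for this example, since the release notes do not spell them out; the claims map is a constructed sample.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// titleCase upper-cases the first letter of each hyphen-separated segment
// ("token-claim-user" -> "Token-Claim-User") and leaves the rest untouched.
func titleCase(name string) string {
	parts := strings.Split(name, "-")
	for i, p := range parts {
		if p != "" {
			parts[i] = strings.ToUpper(p[:1]) + p[1:]
		}
	}
	return strings.Join(parts, "-")
}

// claimHeaders turns decoded JWT claims into Token-Claim-* header names and
// values. With stripHeader set, "http://example.com/user" is reduced to the
// part after its last "/"; key and value are URL-escaped so "/" or ":" never
// appear raw. A key whose stripped form would be empty keeps the full key.
func claimHeaders(claims map[string]string, stripHeader bool) map[string]string {
	headers := make(map[string]string, len(claims))
	for key, value := range claims {
		name := key
		if stripHeader {
			if i := strings.LastIndex(key, "/"); i >= 0 && i+1 < len(key) {
				name = key[i+1:]
			}
		}
		headers[titleCase("token-claim-"+url.QueryEscape(name))] = url.QueryEscape(value)
	}
	return headers
}

func main() {
	// Constructed sample claims, including an Auth0-style namespaced key.
	claims := map[string]string{"http://example.com/user": "test", "sub": "alice"}
	fmt.Println(claimHeaders(claims, false)) // Token-Claim-Http%3A%2F%2Fexample.com%2Fuser, Token-Claim-Sub
	fmt.Println(claimHeaders(claims, true))  // Token-Claim-User, Token-Claim-Sub
}
```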
This release adds the ability to specify multiple public keys or secrets that may be used to validate tokens. The primary use case is for JWTs that may be issued by multiple authorities. All keys configured in the Caddyfile will be tried for each request. Access will be authorized if any key validates the token.