release 1.7.0

Note that opts.secret and opts.redirect_uri_path are now deprecated and will be removed in a next release; a warning is issued in the log now.

Bugfixes

• deprecate opts.secret in favor of opts.public_key and opts.symmetric_key; see #196; thanks @dholth
• url-encode client_id/client_secret following https://tools.ietf.org/html/rfc6749#section-2.3.1; closes #204; thanks @grrolland
• use session.start instead of session.open to allow better control over session lifetime using lua-resty-session primitives; see #174; thanks @thomasleplus
• soften the impact of token refresh race condition by creating a new session when tokens are refreshed; see #190; thanks @luisviman

Features

• added redirect_uri option that specifies a relative or absolute redirect URI; redirect_uri_path is now deprecated
• add token revocation support on logout with opts.revoke_tokens_on_logout; thanks @oleeander
• bypass introspection cache on demand with opts.introspection_cache_ignore; thanks @dmitriyblok
• add opts.use_nonce option to avoid sending a nonce parameter to broken OpenID Connect providers; see #193; thanks @thewilli
• added opts.http_request_decorator option that can be used to augment the HTTP requests when accessing discovery, token or jwks endpoints; thanks @bodewig
• add support for a public client (i.e. without a client secret) to support Windows Integrated Authentication (WIA) with Active Directory Federation Services (AD FS) on Windows Server 2016 (or newer)

Other

• extract log function and log level constant to the module level to allow customization
• make call_userinfo_endpoint a public function; see #207; thanks @thomasleplus
• make call_token_endpoint a public function