release 2.3.9

Bugfixes

• ignore/trim spaces in X-Forwarded-* headers
• fix OAuth 2.0 RS config check when just OIDCOAuthServerMetadataURL is set; thanks @psteniusubi
• fix parsing of cookie name in OIDCOAuthAcceptTokenAs when the cookie option is not listed last

Features

• support backchannel logout according to: https://openid.net/specs/openid-connect-backchannel-1_0.html
• deal with forwarding proxy setups; see #395 ; thanks @archzone
• support nested arrays in Require claim authorization evaluation; see #392; thanks @hpbieker
• support Token Binding for Access Tokens according to: https://tools.ietf.org/html/draft-ietf-oauth-token-binding
• add support for draft https://www.ietf.org/id/draft-ietf-oauth-mtls-12.txt:
  OAuth 2.0 Mutual TLS Client Certificate Bound Access Tokens
  when running as an OAuth 2.0 RS, validating cnf["x5t#S256"] claims.

Other

• add test-cmd command to generate hashed base64urlencoded inputs (i.e. for cnf/tbh claims)

Packaging

• the libcjose >= 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
• Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise