release 2.3.8

Bugfixes

• fix return result FALSE when JWT payload parsing fails; see #389; thanks @amdonov
• fix reading access_token form POST parameters when combined with AuthType auth-openidc; see #376; thanks Nicolas Salerno
• fix using access token as endpoint auth method in introspection calls; closes #377; thanks @skauffmann

Features

• add option to set an upper limit to the number of concurrent state cookies via OIDCStateMaxNumberOfCookies; see #331
• make the default maximum number of parallel state cookies 7 instead of unlimited; see #331
• improve auto-detection of XMLHttpRequests via Accept header; see #331
• allow usage with LibreSSL; closes #380; thanks @hihellobolke

Other

• initialize test_proto_authorization_request properly; see #382; thanks @jdennis
• add sanity check on provider->auth_request_method; closes #382; thanks @jdennis
• add LGTM code quality badges, see #385; thanks @xcorail

Packaging

• the libcjose 0.5.1 binaries that this module depends on are available from the release 2.3.0 "Assets" section
• Ubuntu Xenial packages can also be used on Ubuntu Yakkety, Zesty and Artful; the Debian Wheezy package can be used on Ubuntu Precise