Go 1.18 upgrade

This release includes Go and dependency upgrades.

The upgrade to the underlying JWX library also includes security patches.

Breaking changes

• BOUNCER_SIGNING_METHOD (-m) environment variable renamed to BOUNCER_SIGNING_ALG (-a) which has more granular control.

Modernization release

• Backing JWT library switched to lestrrat-go/jwx.
• Upgraded to Go 1.16.
• Elliptic curve signing method parameter renamed from EC to ECDSA.
• ignoreNotBefore and ignoreExpiration settings removed. These claims are now always validated if they are included in the token.

Route matching bugs fixed

This version fixes route matching problems arising in scenarios where original request paths are received in request headers and original URI includes query parameters.

Original request headers

This release is intended to fix the auth server use-case with nginx.

First release

• Static signing key configuration w/ HMAC, RSA and EC support
• Single valid issuer and audience configuration
• Token expiration, "not before" and "issued at" checks with clock skew tolerance
• Authorization policy config with YAML
• Reverse proxy mode without TLS termination