Pascal Rigaux

Results 27 comments of Pascal Rigaux

Regarding verification of JWT: I do not see any use of verifying a JWT without checking the signature. Checking signature in a web browser means the key to check the...

I just did a small commit that allows

```
set $cas_user "";
access_by_lua_block {
    ngx.var.cas_user = require('cas').forceAuthentication();
}
```

=> `$cas_user` can be used in `log_format`

As for authorization, it seems you will have to write it in lua...

nginx-auth-cas-lua is tested on debian which has ngx_http_lua_module 0.10.13, which has C implementation of `ngx.var`. It seems you have lua-resty-core which is a lua implementation of things previously done in...

AFAIK CAS is always appending the `ticket` last, though the [specification](https://apereo.github.io/cas/6.1.x/protocol/CAS-Protocol-V2-Specification.html#224-response) is not clear about this. So not important IMO, but ok for a pull request.

> `ngx.var.host` to `ngx.var.http_host`

Can you confirm you suggest this change because your URL has a specific port number? If that's the case, I suggest you open a specific issue.

I have enhanced the error message for this configuration issue.

Oops, my version of nginx+lua did not warn me :-( Corrected in updated commit.

It has been tested and validated with [debian 10 libnginx-mod-http-lua](https://packages.debian.org/buster/libnginx-mod-http-lua) which uses lua nginx [0.10.13](https://github.com/openresty/lua-nginx-module/releases/tag/v0.10.13) ([ref](https://salsa.debian.org/nginx-team/nginx/-/tree/master/debian/modules/http-lua))

For the record, radash `shake` can behave as lodash `omitBy` (which is like `pickBy`, but with an inverted condition).