OAuth 2.0 Authentication

Improved the error message which occurred when an anonymous consumer was configured but did not exist.

Add WWW-Authenticate headers to all 401 responses and realm option.

Fixed an issue where the OAuth2 token was being cached as nil if the wrong service was accessed first.#10522

This plugin now prevents an authorization code created by one plugin instance from being exchanged for an access token created by a different plugin instance.#10011

refresh_token_ttl is now limited to a range between 0 and 100000000 by the schema validator. Previously, numbers that were too large caused requests to fail.#10068

Fixed a bug that refresh_token could be shared across instances.

The anonymous field can now be configured as the username of the consumer. This field allows you to configure a string to use as an “anonymous” consumer if authentication fails.

Updated the priority for some plugins.: oauth2 changed from 1004 to 1400

The plugin clears the X-Authenticated-UserId andX-Authenticated-Scope headers when it is configured in logical OR and is used in conjunction with another authentication plugin.#8422