- If kerberos initialization fails with the default KRB5_CONFIG="", try
    again without it.  Observed to be needed at CNAF, although not for
    FNAL, CERN, or LIGO.  Don't do second try if the first error was due
    to an expired ticket, because that sometimes erroneously succeeds on
    second try.

- Try a default cafile of '/etc/pki/tls/cert.pem' if system default is empty.
  This can happen when the SSL_CERT_FILE environment variable is empty.

- Add --kerbprincipal option
- Change the default kerbpath to include issuer and role
- Limit oidc polling to 2 minutes
- Disable oidc authenticatio when running in the background, that is, when
    none of stdin, stdout, or stderr are on a tty
- Document that audience can be a comma or space separated list
- Updated pip-installed dependent packages to latest versions

- Fix working with a kerberos domain that is missing from krb5.conf
- Extract more formatted information from http exceptions
- Improve format of printed kerberos exceptions

- Integrate with htcondor, including these changes:
 - Change --authpath option name to --oidcpath.
 - Add --noidc option.
 - Add --vaulttokenttl option.
 - Make --vaulttokenfile default to /dev/stdout if the ttl is more than
    a million seconds, and also require it to start with /dev/std or
    /dev/fd if the ttl is more than a million seconds.
 - Add --vaulttokeninfile option.
 - Add --nobearertoken option.
 - Add --showbearerurl option.
 - Send progress output to stderr if --vaulttokenfile is /dev/stdout or
     --showbearerurl option is enabled.
- Use a separate version number for the python library downloads tarball.

- Add --credkey option.
 - Add --vaultalias option.
 - Add --nokerberos and --kerbpath options.
 - Change the name of the --vaultrole option to --role; the short name -r
    remains unchanged.
 - Fill out the man page and add a html version of it to the source,
    generated by a Makefile.