diff --git a/vendor/git.autistici.org/id/auth/README.md b/vendor/git.autistici.org/id/auth/README.md
index b25a67f65b51c9a98ddac7122eef1ee81b4926aa..e50e3a0ea41d1509a637e538b9032561a01995ab 100644
--- a/vendor/git.autistici.org/id/auth/README.md
+++ b/vendor/git.autistici.org/id/auth/README.md
@@ -121,7 +121,29 @@ should specify the following attributes:
   only be applied to failed authentication requests
 * `keys` is a list of strings specifying the request identifiers that
   will make up the rate limiter key. The list can include one or both
-  of *ip* (referring to the remote client's IP) and *user* (username)
+  of *ip* (referring to the remote client's IP) and *user* (username).
+* `bypass` is a list of criteria that will cause the request to skip
+  the enforcement of this ratelimit/blacklist. Criteria are objects
+  with `key` (one of *ip* or *user*) and *value* attributes, which
+  specify an exact equality match.
+
+The following is an example of an IP-based ratelimit with blacklist
+period of 1 hour, that will allow an arbitrary amount of requests from
+localhost:
+
+```yaml
+rate_limits:
+  blacklist_10qps_1h:
+    limit: 100
+    period: 10
+    blacklist_for: 3600
+    keys: [ip]
+    bypass:
+      - key: ip
+        value: "127.0.0.1"
+      - key: ip
+        value: "::1"
+```
 
 ## Service definition
 
@@ -160,8 +182,10 @@ user, with the following attributes:
 
 * `name` is the username
 * `email` is the email associated with the user (optional)
-* `password` stores the encrypted password
+* `password` stores the encrypted password, see *Password Encoding*
+  below for details on the supported algorithms etc.
 * `totp_secret` stores the *unencrypted* TOTP secret seed
+  (base32-encoded)
 * `u2f_registrations` is a list of U2F registrations with `key_handle`
   and `public_key` attributes, in the format used by *pamu2fcfg* (for
   convenience)
@@ -209,8 +233,10 @@ LDAP attributes). The following attribute names are defined:
 
 * `password` contains the encrypted password. Since this attribute is
   often also used for authentication of the LDAP protocol itself, an
-  eventual `{crypt}` prefix is ignored. Passwords should be encrypted.
-* `otp_secret` should contain the hex-encoded TOTP secret
+  eventual `{crypt}` prefix is ignored. Passwords should be encrypted,
+  see *Password Encoding* below for details on the supported
+  algorithms etc.
+* `otp_secret` should contain the base32-encoded TOTP secret
 * `app_specific_password` (possibly repeated) contains an encrypted
   app-specific password
 
@@ -409,3 +435,28 @@ Responses will contain the following attributes:
   * `email`: email of this user
   * `groups`: groups the user is a member of.
 
+### Password encoding
+
+Multiple password hashing algorithms are supported. The format is the
+well-known dollar-separated field string, extended with optional
+algorithm-specific parameters:
+
+```
+$id[$params...]$salt$encrypted
+```
+
+where the optional *params* field is itself a dollar-separated list of
+integers.
+
+All *id* values understood by the libc *crypt(3)* function are
+supported, as well as a few more custom algorithms:
+
+* Scrypt (id `$s$`), in which case the parameters are *N*, *R* and
+  *P*.
+
+* Argon2 (id `$a2$`), with parameters *time*, *memory* and
+  *threads*.
+
+Check the documentation for these algorithms for an explanation of the
+meaning of the parameters. Each algorithm has different requirements
+for the salt.
diff --git a/vendor/git.autistici.org/id/auth/client/client.go b/vendor/git.autistici.org/id/auth/client/client.go
index 3aa4e5bbb5c1b4261209196a7ea94da6d8e2220a..6c68c4f947f3d008ae8ff22d9c6187b068220e9c 100644
--- a/vendor/git.autistici.org/id/auth/client/client.go
+++ b/vendor/git.autistici.org/id/auth/client/client.go
@@ -2,8 +2,11 @@ package client
 
 import (
 	"context"
+	"net"
 	"net/textproto"
 
+	"github.com/cenkalti/backoff"
+
 	"git.autistici.org/id/auth"
 )
 
@@ -26,6 +29,23 @@ func New(socketPath string) Client {
 }
 
 func (c *socketClient) Authenticate(ctx context.Context, req *auth.Request) (*auth.Response, error) {
+	// Retry the request, with backoff, if we get a temporary
+	// network error.
+	var resp *auth.Response
+	err := backoff.Retry(func() error {
+		var err error
+		resp, err = c.doAuthenticate(ctx, req)
+		if err == nil {
+			return nil
+		} else if netErr, ok := err.(net.Error); ok && netErr.Temporary() {
+			return netErr
+		}
+		return backoff.Permanent(err)
+	}, backoff.WithContext(backoff.NewExponentialBackOff(), ctx))
+	return resp, err
+}
+
+func (c *socketClient) doAuthenticate(ctx context.Context, req *auth.Request) (*auth.Response, error) {
 	// Create the connection outside of the timed goroutine, so
 	// that we can call Close() on exit regardless of the reason:
 	// this way, when a timeout occurs or the context is canceled,
diff --git a/vendor/git.autistici.org/id/auth/codec.go b/vendor/git.autistici.org/id/auth/codec.go
index 3bfe59ed76659d662998cb005834894b77b72355..30873f57cf24836051995e4e85762e2b2e3c1e88 100644
--- a/vendor/git.autistici.org/id/auth/codec.go
+++ b/vendor/git.autistici.org/id/auth/codec.go
@@ -148,7 +148,7 @@ func (i *inputScanner) parseQuotedString() (string, error) {
 }
 
 func (i *inputScanner) parseBase64String() (string, error) {
-	data := i.parseUntilOrEOF(' ')
+	data := bytes.TrimRight(i.parseUntilOrEOF(' '), "=")
 	out := make([]byte, base64.RawURLEncoding.DecodedLen(len(data)))
 	_, err := base64.RawURLEncoding.Decode(out, data)
 	if err != nil {
diff --git a/vendor/vendor.json b/vendor/vendor.json
index 5822d76e05e8866aa7260f4aee782551a32b8d4b..52c3fcf3c4622740a2c10a9021174911e548579b 100644
--- a/vendor/vendor.json
+++ b/vendor/vendor.json
@@ -27,16 +27,16 @@
 			"revisionTime": "2019-06-30T08:30:15Z"
 		},
 		{
-			"checksumSHA1": "T9WPwUls+LPk89st6TGCbQf5HNQ=",
+			"checksumSHA1": "5WLGZjUV9Ly/rMdQwo9j8FJSlQA=",
 			"path": "git.autistici.org/id/auth",
-			"revision": "5f6c4202ceac71349b414ab65b94f8e0f191c208",
-			"revisionTime": "2019-05-24T11:03:32Z"
+			"revision": "ffc5d8791fd81d28fb2b0bce4540a10426a25124",
+			"revisionTime": "2019-10-24T15:02:31Z"
 		},
 		{
-			"checksumSHA1": "Xd+uslNbKnbygNAhwAWQ2JVc6do=",
+			"checksumSHA1": "3xM1BQ7kVyqn74GQz07uCBSNh2E=",
 			"path": "git.autistici.org/id/auth/client",
-			"revision": "5f6c4202ceac71349b414ab65b94f8e0f191c208",
-			"revisionTime": "2019-05-24T11:03:32Z"
+			"revision": "ffc5d8791fd81d28fb2b0bce4540a10426a25124",
+			"revisionTime": "2019-10-24T15:02:31Z"
 		},
 		{
 			"checksumSHA1": "MlpsZgRytv/c9IX9YawRJDN/ibQ=",