CHANGELOG.md

2.3.0

FEATURES:

  • Added the ability to use an "any" operation on the roles rather than just "and", with the inclusion of require-any-role #PR389
  • Added a --enable-request-id option to inject a request id into the upstream request #PR392
  • Added the ability for the proxy to generate self-signed certificates for use via --enable-self-signed-tls #PR394
  • Added support for tokens with multiple audiences in the claims #PR401
  • Added --max-idle-connections and --max-idle-connections-per-host settings to support tuning the http connection pool size for performance needs #PR405

BREAKING CHANGES:

  • Added the http-cookie-only option, defaulting to true #PR397

2.2.2

FEATURES:

  • Added the ability to add response headers via --response-headers #PR386

2.2.1

FIXES:

  • A minor fix to the logout handler: when logout redirection is enabled and no redirect param is given, we default to the hostname #PR375

2.2.0

FEATURES:

  • Added a --enable-default-deny option to deny by default #PR320
  • Added an enable-logout-redirect option which redirects /oauth/logout to the provider #PR327
  • Added environment variable alternatives for the forwarding username and password #PR329
  • Added latency metrics for the forwarding proxy and the certificate rotation #PR325
  • Added a spelling check to the tests #PR322
  • Added the X-Auth-Audience to the upstream headers #PR319
  • Added the ability to control the timeout on the initial openid configuration from .well-known/openid-configuration #PR315
  • Added a --preserve-host option to preserve the host header of the proxied request in the upstream request #PR328
  • Added the ability to customize the oauth prefix (defaults to /oauth) #PR326
  • Added additional metrics covering provider request latency and token breakdown #PR324
  • Changed the upstream-keepalive to default to true #PR321
  • Forced configuration to use the wildcard #PR338
  • Updated the docker base image to alpine 3.7 #PR313
  • Updated to Golang version 1.10 #PR316
  • Added the --enable-session-cookies option to enable session-only cookies #PR357
  • Added the ability to match string array claims #PR364
  • Imported the fix to the cache headers from upstream go-oidc #PR341
  • Switched from glide to the dep tool #PR373
  • Switched to using SHA256 from MD5 for the token hash #PR350
  • Switched to using golang v1.10.2 #PR374
  • Added a warning message to indicate disabling the write-timeout when using pprof #PR370

FIXES:

  • Fixed up the redirect_uri to the logout #PR365
  • Fixed a redirection bug #PR337
  • Updated the go-oidc to fix the cache header issues #PR339
  • Fixed up the readme indicating we can run without a client secret #PR342
  • Fixed up the redirect url in the logout handler #PR345
  • Switched to using the upstream goproxy #PR349
  • Removed unused code #PR352
  • Reduced the aggressive timeouts on the upstream #PR354
  • Fixed the issue with a zero exp claim #PR355
  • Added a method check for the hijacker #PR302

BREAKING CHANGES:

  • Making the cookies session only by default and turning the default denial on #PR368

2.1.1

FEATURES:

  • Added the groups parameter to the resource, permitting users to use the groups claim in the token #PR301
  • Removed the authors file #PR299

FIXES:

  • Fixed the custom headers when upgrading to websockets #PR311
  • Fixed exception when upgrading to websockets #PR303

2.1.0

FIXES:

  • fixed the parsing of slices for command line arguments (e.g. --cors-origins)
  • fixed any accidental proxying on the /oauth or /debug URI
  • removed all references to the underlying web framework in tests
  • added unit tests for proxy protocol and using the run() method #PR214
  • removed unnecessary commands in the Dockerfile #PR213
  • removed the unrequired testing tools #PR210
  • fixed a number of linting errors highlighted by gometalinter #PR209
  • added docker image instructions to the readme #PR204
  • added unit tests for the debug handlers #PR223
  • fixed the logout handler panic when the revocation url is not set #PR254
  • fixed the Host header on the forwarding proxy #PR290

FEATURES:

  • changed the routing engine from gin to echo
  • all inbound URIs are now normalized before the protection middleware is applied
  • the order of the resources is no longer important; the framework handles the routing #PR199
  • improved the overall spec of the proxy by removing URL inspection and prefix checking #PR199
  • removed the CORS implementation in favour of the default echo middleware, which is more compliant #PR199
  • added a warning for suspect resource urls not using wildcards #PR206
  • added a build time to the version tag #PR212
  • added coveralls coverage submission to the ci build #PR215
  • added spelling code coverage to the ci build #PR208
  • updated the encryption to use aes gcm #PR220
  • added the --enable-encrypted-token option to enable encrypting the access token
  • added the --skip-client-id option to permit skipping the verification of the audience against the client in the token #PR236
  • updated the base image to alpine 3.6 in commit 0fdebaf821
  • moved to zap for the logging #PR237
  • made the X-Auth-Token optional in the upstream headers via --enable-token-header #PR247
  • added the ability to load a CA authority to provide trust on the upstream endpoint #PR248
  • added the ability to set various http server and upstream timeouts #PR268
  • added the --enable-authorization-cookies command line option to control upstream cookies #PR287

BREAKING CHANGES:

  • the proxy no longer uses prefixes for resources; if you wish to use wildcard urls you need to specify it, i.e. --resource=/ becomes --resource=/* and =admin/ becomes =admin/* or /admin*; a full set of routing details can be found at https://echo.labstack.com/guide/routing #PR199
  • removed the --enable-cors-global option; CORS is now handled by the default echo middleware
  • changed option from log-requests -> enable-logging #PR199
  • changed option from json-format -> enable-json-logging #PR199

MISC:

  • Switch to using a go-oidc fork for now, until I get the various bits merged upstream

2.0.7

FIXES:

  • Backported Fix to the proxy proxy call 767967c3

2.0.6

FIXES:

  • Ensuring we abort all requests to /oauth/ #PR205

2.0.5

FIXES:

  • We normalize all urls before the protection middleware is applied #PR202

2.0.4

FIXES:

  • Fixes a bug in authentication which permitted double-slashed url entries #PR200
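The normalization fix in 2.0.4 and 2.0.5 (and the 2.1.0 note that inbound URIs are normalized before the protection middleware) is easiest to see in code. The following Go snippet is an added illustration, not the proxy's own code; the guarded prefixes, the Guarded helper and the NormalizeMiddleware name are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"strings"
)

// Constructed sample of guarded prefixes (not the proxy's own matcher).
var protectedPrefixes = []string{"/admin/", "/api/"}
func isProtected(p string) bool {
	for _, prefix := range protectedPrefixes {
		if strings.HasPrefix(p, prefix) {
			return true
		}
	}
	return false
}

// NormalizePath collapses repeated slashes and "." / ".." segments so the
// protection check sees the same path the upstream will resolve.
func NormalizePath(raw string) string {
	return path.Clean("/" + raw)
}

// Guarded reports whether the protection middleware would guard rawPath.
// normalize=false matches the raw path (the pre-fix behaviour, where a
// "//admin/..." request missed the "/admin/" prefix); normalize=true is the fix.
func Guarded(rawPath string, normalize bool) bool {
	if normalize {
		return isProtected(NormalizePath(rawPath))
	}
	return isProtected(rawPath)
}

// NormalizeMiddleware (hypothetical name) rewrites the path before any
// downstream protection handler runs.
func NormalizeMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.URL.Path = NormalizePath(r.URL.Path)
		next.ServeHTTP(w, r)
	})
}

func main() {
	for _, p := range []string{"//admin/users", "/public/../admin/users", "/public/index.html"} {
		fmt.Printf("%-24s raw=%-5v normalized=%v\n", p, Guarded(p, false), Guarded(p, true))
	}
}
```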

FEATURES:

  • Grab the revocation-url from the idp config if no user override is specified #PR193

2.0.3

FEATURES:

  • Adding the PROXY_ENCRYPTION_KEY environment variable #PR191

2.0.2

FEATURES:

  • Adding the --enable-cors-global option to switch on injecting CORS headers into every response #PR174
  • Adding the ability to reload the certificates when they change #PR178
  • Removing the requirement for a redirection-url; if none is specified it will use the Host header, or X-Forwarded-Host if present #PR183

CHANGES:

  • Updated the gin dependency to the latest version and removed the dependency on gin in tests #PR181
  • Updated go-proxy to the latest version #PR180
  • Fixed up some spelling mistakes #PR177
  • Changed the CLI to use reflection of the config struct #PR176
  • Updated the docker base image to alpine:3.5 #PR184
  • Added new options to control the access token duration #PR188

BUGS:

  • Fixed the time.Duration flags in the reflection code #PR173
  • Fixed the environment variable type #PR176
  • Fixed the refresh tokens; the access token cookie was timing out too quickly #PR188

2.0.1

BUGS:

  • Fixed the cli option for --resources. Need to start writing tests for the cli options

2.0.0

FEATURES:

  • Adding the --skip-openid-provider-tls-verify option to bypass the TLS verification for the IdP #PR147
  • Added an http service to permit http -> https redirects via --enable-https-redirect #PR126
  • Added a pprof debug handler to support profiling the proxy, via --enable-profiling #PR156

FIXES:

  • Fixed the --headers and --tags command line options; there was a typo in the mergeMaps method #PR142
  • Cleaned up how the cli command line options are processed #PR164
  • Cleaned up the option checking for the forwarding proxy tls setting #PR163
  • Using a timeout rather than multiple attempts for the discovery url #PR153
  • Updated the go-oidc library with various fixes #PR159

BREAKING CHANGES:

  • The login handler is switched off by default; you must enable it with --enable-login-handler #PR
  • Changed the CORS format in the configuration file
  • Changed the command line options scope -> scopes
  • Changed the command line options log-json-format -> json-format
  • Changed the command line options resource -> resources
  • Changed the command line options tags -> tags

1.2.8

FIXES:

  • Fixed a bug in the --cookie-domain options
  • Added unit test for the cookie-domain options
  • Switched to using set rather than add to the headers

1.2.7

FIXES:

  • Added unit tests for the logout handlers
  • Added unit tests for the authorization header handling

FEATURES:

  • Allow the user to enable or disable adding the Authorization header

1.2.6

FIXES:

  • Fixes the revocation url bug

FEATURES:

  • Adds the ability to control the http-only cookie option, defaulting to false

1.2.5

FIXES:

  • Fixes the /oauth/login handler to return 401 on failed logins

1.2.4

FEATURES:

  • Added the ability to set the forwarding proxy certificates
  • Added logging for outbound forward signing requests

FIXES:

  • Fixes the expiration of the access token, if no idle-duration is
  • Fixed the forwarding proxy for SSL
  • Fixed the bug in the containedSubString method

BREAKING CHANGES:

  • Fixed up the config resource definition to use 'uri' not 'url'
  • Removed the --idle-duration option, was never really implemented well

1.2.3

FEATURES:

  • Added a prometheus metrics endpoint; at present a breakdown by status_code is provided
  • Added the ability to override the cookie domain from the default host header
  • Added the ability to load a client certificate used by the reverse and forwarding upstream proxies.

TODO:

  • Need a means of updating the client certificate once expired.

CHANGES:

  • Updated the godeps for codegangsta cli to its renamed version

FIXES:

  • Fixed the environment variable command line options; the IsSet in cli does not check environment variable setters

1.2.2

CHANGES:

  • General code fix up
  • Removed the user and group from the dockerfile

1.2.1

CHANGES:

  • Updated the dockerfile to create a user and group and not run at root

1.2.0

BREAKING CHANGES:

  • Changed the /oauth/login handler to use post form values rather than query parameter to ensure (to a degree) they are not logged

1.1.1

FIXES:

  • Fixed the configuration bug which required a redirection-url even when redirection was switched off

1.1.0

FIXES:

  • Added an auto build to quay.io on the travis build for master and tags
  • Fixed the host header to proxy to upstreams outside of the proxy domain (golang/go#7618)
  • Added a git+sha to the usage
  • Default to gin release mode unless verbose is true
  • Removed the gin debug logging for tests and builds
  • Removed the default upstream, as it caught people by surprise and some accidentally forwarded to themselves
  • Changed the state parameter (which is used as a redirect) to base64 the value, allowing you to use complex urls

FEATURES:

  • Added environment variables to some of the command line options
  • Added the option of a forwarding agent, i.e. you can sit the proxy in front of your application, login to keycloak and use the proxy as a forwarding agent to sign outbound requests.
  • Added the version information into a header on the /oauth/health endpoint
  • Removed the need to specify a client-secret, in order to cope with authz-only or public endpoints
  • Added a role url tokenizer: /auth/%role%/ will extract the role element and check the token against it
  • Added proxy protocol support for the listening socket (--enable-proxy-protocol=true)
  • Added the ability to listen on a unix socket

BREAKING CHANGES:

  • Changed the X-Auth-Subject; it is now the actual subject from the token (makes more sense). X-Auth-UserID will either be the subject id or the preferred username

1.0.6 (May 6th, 2016)

FIXES:

  • Fixed the logout endpoint, ensuring users' sessions are revoked. Note: I've not really tested this against Keycloak and Google. Revocation or logout seems to have a somewhat scattered implementation across providers.

1.0.5 (May 3rd, 2016)

FEATURES:

  • You can choose the cookie name of the access and refresh token via --cookie-{access,refresh}-name
  • An additional option --add-claims to inject custom claims from the token into the authentication headers, i.e. --add-claims=given_name would add X-Auth-Given-Name (assuming the claim exists)
  • Added the --secure-cookie option to control the 'secure' flag on the cookie

BREAKING CHANGES:

  • Changed the claims option from 'claims' to 'match-claims' (command line and config)
  • Changed keepalive config option to the same as the command line 'keepalive' -> 'upstream-keepalives'
  • Changed the config option from 'upstream' to 'upstream-url', same as command line

1.0.4 (April 30th, 2016)

FIXES:

  • Fixes the cookie sessions expiration

FEATURES:

  • Added an idle-duration configuration option which controls the expiration of the access token cookie and thus the session. If the session is not used within that period, the session is removed.
  • The upstream endpoint can also be a unix socket

BREAKING CHANGES:

  • Change the client id in json/yaml config file from clientid -> client-id

1.0.2 (April 22nd, 2016)

FIXES:

  • Cleaned up a lot of the code base to make this simpler
  • Fixed elements in the refresh tokens and simplified the controller
  • Moved code out of methods into functions to reduce the dependencies (unit testing is easier as well)
  • Fixed how the refresh tokens are implemented, I was somewhat confused between refresh token and offline token
  • Fixed the encryption key length, which must be either 16 or 32 bytes for aes-128/256 selection
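The 16- or 32-byte key rule above, together with the 2.1.0 switch of the token encryption to aes gcm, as an added Go example (not the proxy's own code): the length check selects AES-128 or AES-256, a fresh random nonce is prepended to each sealed token, and a tampered cookie value fails the GCM tag check on decrypt. The function names and the sample key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)
// ErrKeyLength mirrors the 1.0.2 rule: 16 or 32 bytes selects AES-128/256.
var ErrKeyLength = errors.New("encryption key must be 16 or 32 bytes")

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 16 && len(key) != 32 { // AES-192 (24 bytes) rejected on purpose
		return nil, ErrKeyLength
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptToken prepends a fresh random nonce to the GCM ciphertext+tag.
func EncryptToken(key, token []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, token, nil), nil
}

// DecryptToken splits off the nonce; a tampered cookie fails the tag check.
func DecryptToken(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(sealed) < ns {
		return nil, errors.New("sealed token too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func main() {
	key := []byte("0123456789abcdef") // constructed sample key, not a real secret
	sealed, _ := EncryptToken(key, []byte("sample-refresh-token"))
	pt, err := DecryptToken(key, sealed)
	fmt.Printf("%s %v\n", pt, err)
}
```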

FEATURES:

  • Added the ability to store the refresh token in either a local boltdb file or a redis service rather than an encrypted cookie (note: the token is encrypted regardless)
  • Added a /oauth/logout endpoint to logout the user
  • Added a /oauth/login endpoint (niche requirement) to support grant_type=password requests

TODO:

  • Really need to mock an oauth server to simplify the unit tests

BREAKING CHANGES:

  • Changed the following configuration options to conform to their command line equivalents
    • refresh_sessions -> refresh-sessions
    • discovery_url -> discovery-url
    • redirection_url -> redirection-url
    • tls_ca_certificate -> tls-ca-certificate
    • tls_private_key -> tls-private-key
    • tls_cert -> tls-cert
    • log_json_format -> log-json-format
    • log_requests -> log-requests
    • forbidden_page -> forbidden-page
    • sign_in_page -> sign-in-page
    • secret -> client-secret

1.0.1 (April 8th, 2016)

FIXES:

  • Fixed the refresh tokens for those providers who do not use JWT tokens, Google Connect for example

1.0.0 (April 8th, 2016)

FEATURES:

  • Added the /oauth/expiration controller to test for access token expiration
  • Added the /oauth/token as a helper method to display the access token

FIXES:

  • Fixed and cleaned up a few niggling issues

1.0.0-rc6 (March 31st, 2016)

FIXES:

  • Added an option to control the upstream TLS verification
  • Append to the x-forwarded-for headers rather than overwriting them
  • Moved back to using the official coreos go-oidc rather than the hacked version

1.0.0-rc5 (March 15th, 2016)

FEATURES:

  • Added the realm access roles for keycloak; beforehand the user context only parsed roles which came from client applications

BUGS:

  • Fixed the gitlab-ci build scripts
  • Fixed the custom forbidden page bug