FEATURES:
- Added a --enable-default-deny option to make denial by default #PR320
- Added metrics latency metrics for the forwarding proxy and the certificate rotation #PR325
- Added spelling check to the tests #PR322
- Added the X-Auth-Audience to the upstream headers #PR319
- Added the ability to control the timeout on the initial openid configuration from .well-known/openid-configuration #PR315
- Added the feature to customize the oauth prefix (defaults to /oauth) #PR326
- Added a
enable-logout-redirect
which redirects the /oauth/logout to the provider #PR327 - Adding additional metrics covering provider request latency, token breakdown #PR324
- Added environment variables alternatives for the forwarding username and password [#PR329]louketo#329)
- Changed the upstream-keepalive to default to true #PR321
- Updated the docker base image alpine 3.7 #PR313
- Updated to Golang version 1.10 #PR316
FEATURES:
- Added the groups parameter to the resource, permitting users to use the
groups
claim in the token #PR301 - Removed the authors file #PR299
FIXES:
- Fixed the custom headers when upgrading to websockets #PR311
- Fixed exception when upgrading to websockets #PR303
FIXES:
- fixed the parsing of slices for command line arguments (i.e. --cors-origins etc)
- fixed any accidental proxying on the /oauth or /debug URI
- removed all references to the underlining web framework in tests
- adding unit tests for proxy protocol and using the run() method #PR214
- removed unnecessary commands in the Dockerfile #PR213
- removed the unrequired testing tools #PR210
- fixed a number of linting errors highlighted by gometalinter #PR209
- added docker image instructions to the readme #PR204
- added unit tests for the debug handlers #PR223
- fixing the logout handler panic when revocation url is not set #PR254
- fixing the Host header on the forwarding proxy #PR290
FEATURES
- changed the routing engine from gin to echo
- we now normalize all inbound URI before applying the protection middleware
- the order of the resources are no longer important, the framework will handle the routing #PR199
- improved the overall spec of the proxy by removing URL inspection and prefix checking #PR199
- removed the CORS implementation and using the default echo middles, which is more compliant #PR199
- added a warning for suspect resource urls not using wildcards #PR206
- added a build time to the version tag #PR212
- added coveralls coverage submission to the ci build #PR215
- added spelling code coverage to the ci build #PR208
- update the encryption to use aes gcm #PR220
- added the --enable-encrypted-token option to enable encrypting the access token:wq
- added the --skip-client-id option to permit skipping the verification of the auduence against client in token #PR236
- updated the base image to apline 3.6 in commit 0fdebaf821
- moved to use zap for the logging #PR237
- making the X-Auth-Token optional in the upstream headers via the --enable-token-header #PR247
- adding the ability to load a CA authority to provide trust on upstream endpoint #PR248
- adding the ability to set various http server and upstream timeout #PR268
- adding the
--enable-authorization-cookies
command line option to control upstream cookies $PR287
BREAKING CHANGES:
- the proxy no longer uses prefixes for resources, if you wish to use wildcard urls you need to specify it, i.e. --resource=/ becomes --resource=/* or =admin/ becomes =admin/* or /admin*; a full set of routing details can bt found at https://echo.labstack.com/guide/routing #PR199
- removed the --enable-cors-global option, CORS is now handled the default echo middleware
- changed option from log-requests -> enable-logging #PR199
- changed option from json-format -> enable-json-logging #PR199
MISC:
- Switch to using a go-oidc fork for now, until i get the various bit merged upstream
FIXES:
- Backported Fix to the proxy proxy call 767967c3
FIXES:
- Ensuring we abort all requests to /oauth/ #PR205
FIXES:
- We normalize all urls before the protection middleware is applied #PR202
FIXES:
- Fixes a bug in authentication, which permitted double slashed url entry #PR200
FEATURES:
- Grabbing the revocation-url from the idp config if user override is not specified #PR193
FEATURES:
- Adding the PROXY_ENCRYPTION_KEY environment varable #PR191
FEATURES:
- Adding the --enable-cors-global to switch on CORs header injects into every response #PR174
- Adding the ability to reload the certificates when the change #PR178
- Removing the requirement of a redirection-url, if none is specified it will use Host header or the X-Forwarded-Host if present #PR183
CHANGES:
- Updated the gin dependency to latest version and removed dependency in tests for gin #PR181
- Updated to go-proxy to the latest version #PR180
- Fixed up some spelling mistakes #PR177
- Changed the CLI to use reflection of the config struct #PR176
- Updated the docker base image to alpine:3.5 #PR184
- Added a new options to control the access token duration #PR188
BUGS:
- Fixed the time.Duration flags in the reflection code #PR173
- Fixed the environment variable type #PR176
- Fixed the refresh tokens, the access token cookie was timing out too quickly (#PR188
BUGS:
- fixing the cli option for --resources. Need to start writing tests for the cli options
FEATURES:
- Adding the --skip-openid-provider-tls-verify option to bypass the TLS verification for Idp #PR147
- Added a http service to permit http -> https redirects --enable-https-redirect #PR126
- Added a pprof debug handler to support profiling the proxy, via --enable-profiling #PR156
FIXES:
- Fixed the --headers and --tags command line options, had a typo on the mergeMaps method #PR142
- Cleaned up how the cli command line options are processed #PR164
- Cleaned up the option checking for forwarding proxy tls setting #PR163
- Using timeout rather than multiple attempts for discovery url #PR153
- Updated the go-oidc library with various fixes #PR159
BREAKING CHANGES:
- The login handler by default has been switched off, you must enable for --enable-login-handler #PR
- Changed the CORS format in the configuration file
- Changed the command line options scope -> scopes
- Changed the command line options log-json-format -> json-format
- Changed the command line options resource -> resources
- Changed the command line options tags -> tags
FIXES:
- Fixed a bug in the --cookie-domain options
- Added unit test for the cookie-domain options
- Switched to using set rather than add to the headers
FIXES:
- Added unit tests for the logout handlers
- Added unit tests for the authorization header handling
FEATURES:
- Allow the user to enable or disable adding the Authorization header
FIXES:
- Fixes the revocation url bug
FEATURES:
- Adds the ability to control the http-only cookie option, default to false
FIXES:
- Fixes the /oauth/login handler to return 401 on failed logins
FEATURES
- Added the ability to set the forwarding proxy certificates
- Added logging for outbound forward signing requests
FIXES:
- Fixes the expiration of the access token, if no idle-duration is
- Fixed the forwarding proxy for SSL
- Fixed the bug in the containedSubString method
BREAKING CHANGES:
- Fixed up the config resource definition to use 'uri' not 'url'
- Removed the --idle-duration option, was never really implemented well
FEATURES:
- Added a prometheus metrics endpoint, at present a break down by status_code is provided
- Added the ability to override the cookie domain from the default host header
- Added the ability to load a client certificate used by the reverse and forwarding upstream proxies.
TODO:
- Need a means to updating the client certificate once expired.
CHANGES:
- Updated the godeps for codegangsta cli to it's renamed version
FIXES:
- Fixed the environment variable command line options, the IsSet in cli does not check environment variable setters
CHANGES:
- General Code fix uo
- removing from dockerfile user and group
CHANGES:
- Updated the dockerfile to create a user and group and not run at root
BREAKING CHANGES:
- Changed the /oauth/login handler to use post form values rather than query parameter to ensure (to a degree) they are not logged
FIXES:
- Fixed the configuration bug which required a redirection-url even when redirection was shifted off
FIXES:
- Added a auto build to quay.io on the travis build for master and tags
- Fixed the host header to proxy to upstreams outside of the proxy domain (golang/go#7618)
- Adding a git+sha to the usage
- Defaulting to gin mode release unless verbose is true
- Removed the gin debug logging for tests and builds
- Removed the default upstream, as it caught people by surprise and some accidentally forwarded to themselves
- Changed the state parameter (which is used as a redirect) to base64 the value allowing you to use complex urls
FEATURES:
- Adding environment variables to some of the command line options
- Adding the option of a forwarding agent, i.e. you can seat the proxy front of your application, login to keycloak and use the proxy as forwarding agent to sign outbound requests.
- Adding the version information into a header on /oauth/health endpoint
- Removed the need to specify a client-secret, which means to cope with authz only or public endpoints
- Added role url tokenizer, /auth/%role%/ will extract the role element and check the token as it
- Added proxy protocol support for the listening socket (--enable-proxy-protocol=true)
- Added the ability to listen on a unix socket
BREAKING CHANGES:
- Changed the X-Auth-Subject, it not is the actual subject from the token (makes more sense). X-Auth-UserID will either be the subject id or the preferred username
FIXES:
- Fixed the logout endpoint, ensuring users sessions are revoked. Note: i've not really tested this against Keycloak and Google. Revocation or logouts seems to have somewhat scattered implementation across providers.
FEATURES:
- You can choose the cookie name of the access and refresh token via --cookie-{access,refresh}-name
- An additional option --add-claims to inject custom claims from the token into the authentication headers i.e. --add-claims=given_name would add X-Auth-Given-Name (assumed the claims exists)
- Added the --secure-cookie option to control the 'secure' flag on the cookie
BREAKING CHANGES:
- Changed the claims option from 'claims' to 'match-claims' (command line and config)
- Changed keepalive config option to the same as the command line 'keepalive' -> 'upstream-keepalives'
- Changed the config option from 'upstream' to 'upstream-url', same as command line
FIXES:
- Fixes the cookie sessions expiration
FEATURES:
- Adding a idle duration configuration option which controls the expiration of access token cookie and thus session. If the session is not used within that period, the session is removed.
- The upstream endpoint has also be a unix socket
BREAKING CHANGES:
- Change the client id in json/yaml config file from clientid -> client-id
FIXES:
- Cleaned up a lot of code base to make this simpler
- Fixed elements in the refresh tokens and simplified the controller
- Removed of the code out from methods into functions to reduce the dependencies (unit testing is easier as well)
- Fixed how the refresh tokens are implemented, i was somewhat confused between refresh token and offline token
- Fixed the encryption key length, must be either 16 or 32 for aes-128/256 selection
FEATURES:
- Added the ability to store the refresh token in either local boltdb file or a redis service rather than an encrypted cookie (note, the token regardless is encrypted)
- Added a /oauth/logout endpoint to logout the user
- Added a /oauth/login (niche requirement) to provide grant_type=password requests
TODO:
- Really need to mock a oauth server to simplify the unit tests
BREAKING CHANGES:
- Changed the following configuration options to conform to their command line equivalents
- refresh_sessions -> refresh-sessions
- discovery_url -> discovery-url
- redirection_url -> redirection-url
- tls_ca_certificate -> tls-ca-certificate
- tls_private_key -> tls-private-key
- tls_cert -> tls-cert
- log_json_format -> log-json-format
- log_requests -> log-requests
- forbidden_page -> forbidden-page
- sign_in_page -> sign-in-page
- secret -> client-secret
FIXES:
- Fixed the refresh tokens for those provides whom do not use JWT tokens, Google Connect for example
FEATURES
- Added the /oauth/expiration controller to test for access token expiration
- Added the /oauth/token as a helper method to display the access token
FIXES:
- Fixed and cleaned up a few niggling issues
FIXES:
- Added a option to control the upstream TLS verification
- Added in the x-forwarded-for headers rather than overwriting
- Moved back to using the official coreos go-oidc rather than the hacked version
FEATURES:
- Added the realm access roles for keycloak, beforehand the user contect was only parses roles which were from client applications
BUGS:
- Fixed the gitlab-ci build scripts
- Fixed the custom forbidden page bug