# v2.0.0 Changelog
Note: this release contains multiple breaking or potentially breaking changes. Please read the release notes carefully if you are upgrading from a previous version.
## Providers
- sso: send access token on group information query - Pass the access token to all identity providers by default. (in preparation for the implementation of Okta and other providers)
- sso: okta provider MVP - Adds initial support for an Okta identity provider.
- providers: group caching mechanism for okta provider - Introduces a mechanism to cache the group memberships within the Okta identity provider.
- sso: support multiple identity providers - Adds support for configuring multiple unique identity providers using go-config. We had previously started adding this support using Viper (in "sso: introduce Viper for sso config management"), but decided to roll that back in favour of go-config. [BREAKING - see the last section of these release notes for further information]
## CI
- sso: makefile releasepush - Adds a task to the makefile for pushing a release to Docker Hub
- ci: integrate with Codecov for test coverage - Integrate repo with Codecov to help track and monitor test coverage
- ci: remove minimum coverage setting - Fine-tune Codecov integration settings for PRs
- ci: introduce circleci workflows - Introduces use of CircleCI Workflows, and improves workflow around image tagging
## Auth
- sso_auth: add identity provider slug to url path and mux - Allow use of multiple provider slugs, while keeping backwards compatibility
- sso_auth: use hostmux and ping - Using hostmux, allow use of `/ping` as a host header.
- authenticator: remove misc/cruft configuration - Clean up redundant code and configuration
- sso_auth: add default provider slug - Add default identity provider to make migrations easier and more streamlined.
- auth: allow proxying root domains - Allow serving of content on root domains, in addition to subdomains.
- auth: update google version endpoints - Some general cleanup of the google provider, and updates version of the provider endpoints.
## Proxy
- sso-proxy: refactor routing into hostmux, refactor oauthproxy startup - Refactor and uncouple routing, upstream configuration, and provider information from the OAuth layer.
- Configure Proxy CookieName via Env Var - Enable setting of the proxy CookieName configuration variable via environment variables.
- sso-proxy: refactor reverse proxy into separate file w/ tests - Refactors reverse proxy and upstream logic into separate files, helping to test changes and isolate portions of code.
- sso-proxy: avoid oversized cookies - Gzip the marshalled JSON that forms the cookie payload before encrypting it, to reduce cookie size
- proxy: transition idps ux flow - Improve UX flow during the transition of identity providers, specifically where the existing cookie is for the previous provider.
## Bugs and Fixes
- proxy/request signers: request signers should also sign access token - Ensure access tokens are signed in request signatures
- sso-proxy: clear csrf token further down the request flow - Fix bug where the ‘Group membership required’ page caused a ‘http: named cookie not present’ error upon refresh.
- docker: don't run as root - Run SSO docker containers as a dedicated user, rather than root.
- pkg/logging: resolve timestamp bug - Fix timestamp formatting in logging package.
- sso_proxy: don't set timeout when flush interval is set - Fix issue causing request flushing to be ignored if a request timeout is also set.
- sso_auth: fix client authentication for revoke endpoint - Fixes bug preventing successful use of the `/oauth2/sign_out` endpoint with the Okta provider
- sso_proxy: user to lowercase - Normalise the casing of the `X-Forwarded-User` header to keep consistency. [POTENTIALLY BREAKING]
- ci: persist workspace further down the flow - Fix bug preventing test coverage reports from being found by Codecov.
- docker: build from go 1.12 - Build binaries using go 1.12.
- sso_auth: fix action tag parsing - Fix parsing of the URL to form ‘action’ tags.
## Documentation
- docs: update note on nested groups - Corrects documentation surrounding nested Google groups
- sso: okta provider setup documentation - Documentation on creation and configuration required for the Okta identity provider.
- sso quickstart/docs: update configuration variables - Updates to the Quickstart and provider set-up documentation. (particularly around new configuration variables)
## Added Dependencies
There have been a number of dependencies added and/or updated. Please take the time to look through the dependencies in use by scanning through https://github.com/buzzfeed/sso/blob/master/go.mod.
## Further details
To help with the configuration variable changes introduced in "sso: support multiple identity providers", below is a list of `old_var -> new_var` pairs for sso_auth only (these variable changes do not yet apply to sso_proxy). The `*` in `PROVIDER_*_TYPE` and the other provider variables represents a unique identifier grouping together a set of provider configs.
### SESSION

| Old variable | New variable |
| --- | --- |
| (NEW) | SESSION_COOKIE_NAME |
| COOKIE_SECRET | SESSION_COOKIE_SECRET |
| COOKIE_EXPIRE | SESSION_COOKIE_EXPIRE |
| COOKIE_DOMAIN | SESSION_COOKIE_DOMAIN |
| COOKIE_REFRESH | SESSION_COOKIE_REFRESH |
| COOKIE_SECURE | SESSION_COOKIE_SECURE |
| COOKIE_HTTP_ONLY | SESSION_COOKIE_HTTPONLY |
| SESSION_LIFETIME_TTL | SESSION_LIFETIME |
| AUTH_CODE_SECRET | SESSION_KEY |

### CLIENT

| Old variable | New variable |
| --- | --- |
| PROXY_CLIENT_ID | CLIENT_PROXY_ID |
| PROXY_CLIENT_SECRET | CLIENT_PROXY_SECRET |

### PROVIDER CONFIG FOR GOOGLE

| Old variable | New variable |
| --- | --- |
| (NEW) | PROVIDER_*_TYPE |
| (NEW) | PROVIDER_*_SLUG |
| CLIENT_ID | PROVIDER_*_CLIENT_ID |
| CLIENT_SECRET | PROVIDER_*_CLIENT_SECRET |
| SCOPE | PROVIDER_*_SCOPE |

### GOOGLE SPECIFIC

| Old variable | New variable |
| --- | --- |
| GOOGLE_SERVICE_ACCOUNT_JSON | PROVIDER_*_GOOGLE_CREDENTIALS |
| GOOGLE_ADMIN_EMAIL | PROVIDER_*_GOOGLE_IMPERSONATE |

### OKTA SPECIFIC

| Old variable | New variable |
| --- | --- |
| OKTA_ORG_URL | PROVIDER_*_OKTA_URL |
| PROVIDER_SERVER_ID | PROVIDER_*_OKTA_SERVER |

### GROUP REFRESH

| Old variable | New variable |
| --- | --- |
| GROUPS_CACHE_REFRESH_TTL | PROVIDER_*_GROUPCACHE_INTERVAL_REFRESH |
| GROUPS_CACHE_PROVIDER_TTL | PROVIDER_*_GROUPCACHE_INTERVAL_PROVIDER |

### SERVER CONFIG

| Old variable | New variable |
| --- | --- |
| (NEW) | SERVER_SCHEME |
| HOST | SERVER_HOST |
| PORT | SERVER_PORT |
| REQUEST_TIMEOUT | SERVER_TIMEOUT_REQUEST |
| TCP_WRITE_TIMEOUT | SERVER_TIMEOUT_WRITE |
| TCP_READ_TIMEOUT | SERVER_TIMEOUT_READ |

### AUTHORIZE CONFIG

| Old variable | New variable |
| --- | --- |
| PROXY_ROOT_DOMAIN | AUTHORIZE_PROXY_DOMAINS |
| SSO_EMAIL_DOMAIN | AUTHORIZE_EMAIL_DOMAINS |
| SSO_EMAIL_ADDRESSES | AUTHORIZE_EMAIL_ADDRESSES |

### METRICS CONFIG

| Old variable | New variable |
| --- | --- |
| STATSD_PORT | METRICS_STATSD_PORT |
| STATSD_HOST | METRICS_STATSD_HOST |

### LOGGING CONFIG

| Old variable | New variable |
| --- | --- |
| REQUEST_LOGGING | LOGGING_ENABLE |
| (NEW) | LOGGING_LEVEL |
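As an added migration helper (not part of buzzfeed/sso), the following rewrites the lines of a v1 sso_auth environment file to the v2.0.0 names listed above; it assumes a single provider whose identifier (the `*` placeholder) is supplied by the caller, keeps and flags any variable it does not recognise, and warns about variables that are new in v2 instead of guessing values for them. The sample environment at the bottom is constructed with placeholder values.

```python
"""Rewrite sso_auth v1 environment variable names to their v2.0.0 names.
Added helper, not part of buzzfeed/sso; '*' stands for the provider identifier."""
import re

# Old name -> new name, as listed in the v2.0.0 release notes.
RENAMES = {
    "COOKIE_SECRET": "SESSION_COOKIE_SECRET", "COOKIE_EXPIRE": "SESSION_COOKIE_EXPIRE",
    "COOKIE_DOMAIN": "SESSION_COOKIE_DOMAIN", "COOKIE_REFRESH": "SESSION_COOKIE_REFRESH",
    "COOKIE_SECURE": "SESSION_COOKIE_SECURE", "COOKIE_HTTP_ONLY": "SESSION_COOKIE_HTTPONLY",
    "SESSION_LIFETIME_TTL": "SESSION_LIFETIME", "AUTH_CODE_SECRET": "SESSION_KEY",
    "PROXY_CLIENT_ID": "CLIENT_PROXY_ID", "PROXY_CLIENT_SECRET": "CLIENT_PROXY_SECRET",
    "CLIENT_ID": "PROVIDER_*_CLIENT_ID", "CLIENT_SECRET": "PROVIDER_*_CLIENT_SECRET",
    "SCOPE": "PROVIDER_*_SCOPE", "GOOGLE_SERVICE_ACCOUNT_JSON": "PROVIDER_*_GOOGLE_CREDENTIALS",
    "GOOGLE_ADMIN_EMAIL": "PROVIDER_*_GOOGLE_IMPERSONATE", "OKTA_ORG_URL": "PROVIDER_*_OKTA_URL",
    "PROVIDER_SERVER_ID": "PROVIDER_*_OKTA_SERVER",
    "GROUPS_CACHE_REFRESH_TTL": "PROVIDER_*_GROUPCACHE_INTERVAL_REFRESH",
    "GROUPS_CACHE_PROVIDER_TTL": "PROVIDER_*_GROUPCACHE_INTERVAL_PROVIDER",
    "HOST": "SERVER_HOST", "PORT": "SERVER_PORT", "REQUEST_TIMEOUT": "SERVER_TIMEOUT_REQUEST",
    "TCP_WRITE_TIMEOUT": "SERVER_TIMEOUT_WRITE", "TCP_READ_TIMEOUT": "SERVER_TIMEOUT_READ",
    "PROXY_ROOT_DOMAIN": "AUTHORIZE_PROXY_DOMAINS", "SSO_EMAIL_DOMAIN": "AUTHORIZE_EMAIL_DOMAINS",
    "SSO_EMAIL_ADDRESSES": "AUTHORIZE_EMAIL_ADDRESSES", "STATSD_PORT": "METRICS_STATSD_PORT",
    "STATSD_HOST": "METRICS_STATSD_HOST", "REQUEST_LOGGING": "LOGGING_ENABLE",
}
# New in v2 with no v1 equivalent: the operator must set these explicitly.
NEW_VARS = ["SESSION_COOKIE_NAME", "PROVIDER_*_TYPE", "PROVIDER_*_SLUG",
            "SERVER_SCHEME", "LOGGING_LEVEL"]
ENV_LINE = re.compile(r"^([A-Z0-9_]+)=(.*)$")


def migrate(lines, provider_id):
    """Return (rewritten lines, warnings); provider_id replaces the '*' placeholder."""
    out, warnings = [], []
    for line in lines:
        match = ENV_LINE.match(line.strip())
        if not match:  # comments and blank lines pass through unchanged
            out.append(line)
            continue
        old, value = match.groups()
        new = RENAMES.get(old)
        if new is None:  # not in the table: keep it, but flag it for review
            warnings.append(f"unrecognised variable kept as-is: {old}")
            out.append(line)
            continue
        out.append(f"{new.replace('*', provider_id)}={value}")  # value carried over untouched
    for name in NEW_VARS:
        warnings.append(f"new in v2, set explicitly: {name.replace('*', provider_id)}")
    return out, warnings


# Constructed sample v1 environment (placeholder values, not real secrets).
SAMPLE_V1_ENV = ["# sso_auth v1", "COOKIE_SECRET=<placeholder>", "CLIENT_ID=example-id",
                 "SSO_EMAIL_DOMAIN=example.com", "MY_CUSTOM_VAR=1"]
```

Review the warnings before deploying: a variable the helper kept as-is is silently ignored by v2, which for an authorization setting means the restriction it used to express is no longer applied.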