Skip to content

Latest commit

 

History

History
3709 lines (2878 loc) · 168 KB

CHANGELOG.md

File metadata and controls

3709 lines (2878 loc) · 168 KB
Raw

Changelog

Table of Contents

0.0.0 (2024-08-06)

Bug Fixes

  • Improve caching configuration (2373057)
  • metrics: Remove query string from collapsed path segment (#1159) (15ee438)

0.40.7 (2024-02-29)

This release includes new features and many improvements to the tracing instrumentations.

Code Generation

  • Pin v0.40.7 release commit (8fc9b7a):

    Bumps from v0.40.7-pre.0

0.40.7-pre.0 (2024-02-29)

autogen: pin v0.40.7-pre.0 release commit

Bug Fixes

Code Generation

  • Pin v0.40.7-pre.0 release commit (82282ce)

Features

  • Add headers option for remote_json authorizer (#1140) (1ee445d)

  • Preserve_host feature for oauth2_introspect, better tracing, introspection prefixes (#1131) (b5d4d88):

    This patch additionally allows selecting between the two authenticators based on a prefix to the token.

0.40.6 (2023-07-18)

Resolves an issue in how X-Forwarded headers were set.

Bug Fixes

  • Properly copy x-forwarded headers from upstream (#1121) (7088682)

Code Generation

  • Pin v0.40.6 release commit (75eb682)

0.40.5 (2023-07-17)

Ory Oathkeeper v0.44.4 uses the new Rewrite feature of Golang's reverse proxy. This will strip any X-Forwarded headers from upstream requests. This however is not always desirable which is why a new config flag serve.proxy.trust_forwarded_headers was introduced to optionally enable the forwarding of X-Forwarded headers.

Code Generation

  • Pin v0.40.5 release commit (ba1f90a)

Features

  • Flag to disable hop-by-hop defenses (#1120) (fffe8ef):

    Ory Oathkeeper v0.44.4 uses the new Rewrite feature of Golang's reverse proxy. This will strip any X-Forwarded headers from upstream requests. This however is not always desirable which is why a new config flag serve.proxy.trust_forwarded_headers was introduced to optionally enable the forwarding of X-Forwarded headers.

0.40.4 (2023-07-13)

Added distroless image, fixed some bugs, and added support for JWKs key rotation in the ID token mutator.

Bug Fixes

Code Generation

  • Pin v0.40.4 release commit (70d63f3)

Features

  • Add distroless images (#1114) (8ac1dac)

  • Sqa metrics v2 (#1110) (baeecc6)

  • Support token rotation in ID token mutator (#1119) (5dd4571):

    Previously, only one JWK may be returned by the JWKS URL. This made token rotation impossible. This patch allows for multiple keys to be returned by the JWKS URL and the first key found will be used for signing.

Tests

0.40.3 (2023-04-25)

This release fixes a low-severity security vulnerability.

Bug Fixes

Code Generation

  • Pin v0.40.3 release commit (2ab7687)

Features

0.40.2 (2023-03-15)

Resolves tracing and health monitoring issues.

Bug Fixes

  • Add handlers in correct order to handle CORS requests properly (#1055) (0b5f6e6), closes ory/oathkeeper#1054

  • Release pipeline (#1053) (878089d)

  • Render complete config schema in CI and update tracing config (#1063) (e5e9d17)

  • Rule readiness check should require at least one rule to be loaded (#1061) (daa2994):

    With this change, Oathkeeper now reports as "not ready" on the health check if not at least one valid rule is loaded.

Code Generation

  • Pin v0.40.2 release commit (0f42d7c)

Documentation

Features

0.40.1 (2023-01-17)

This release resolves tracing issues and fixes a bug.

Bug Fixes

  • Align proxy mode log level with decision mode log level for access request granted log (#1029) (b9365a6)
  • Allow otel tracing provider in config (#1039) (2661190)
  • Decouple cloud storage tests (c1ed811)
  • Do not leak sensitive data from gRPC middleware (32aa172)
  • Ignore query string when using X-Forwarded-Uri (#1025) (6fa3978)
  • Init registry in middleware (1daecb6)

Code Generation

  • Pin v0.40.1 release commit (431f415)

Documentation

Features

Tests

  • Fix flaky tests (099bcf0)
  • Remove t.Parallel() from tests that use the same cache and key (7017fdf)

0.40.0 (2022-09-14)

This release introduces the new Koanf-based configuration system, resolves several issues, and introduced an experimental gRPC middleware.

Bug Fixes

  • Adds tracing to cookie_session and bearer_token authenticators (#995) (6504c0a)
  • Do not load from env in middleware (b42261e)
  • Make metric name consistent with rest of ory ecosystem (#1010) (c3c5854)
  • Move .schema to spec (8ab6f85)
  • Remove packr (7f32bc2)

Code Generation

  • Pin v0.40.0 release commit (f2cd421)

Code Refactoring

Features

  • Add Oathkeeper gRPC middleware (210aa5e):

    This adds a gRPC middleware that encapuslates the Oathkeeper logic.

    Matching on gRPC traffic now happens in its own rule. To match against gRPC traffic, you can use Authority and FullMethod instead of URL and Methods.

Tests

0.39.4 (2022-08-31)

Introduces a new config option to reducde cardinality in the metrics.

Code Generation

  • Pin v0.39.4 release commit (699cf65)

Unclassified

0.39.3 (2022-08-18)

Improves prometheus metrics.

Code Generation

  • Pin v0.39.3 release commit (251024c)

0.39.3-pre.0 (2022-08-18)

autogen: pin v0.39.3-pre.0 release commit

Code Generation

  • Pin v0.39.3-pre.0 release commit (7569903)

0.39.2 (2022-08-18)

Introduces better prometheus metrics.

Bug Fixes

  • Swagger generation issues (259b192)

Code Generation

  • Pin v0.39.2 release commit (d6b3014)

Documentation

Features

  • Customizable Prometheus metric names (#989) (46e09d5)

0.39.0 (2022-06-27)

This release ships several improvements to cache logic and request detection. Additionally, the bearer_token and cookie_session handlers pass only the needed header (Authorization, Cookie) to the check URL. To pass additional headers, use the forward_http_headers configuration key.

Breaking Changes

From now on, the bearer_token and cookie_session handlers pass only the needed header (Authorization, Cookie) to the check URL. To pass additional headers, use the forward_http_headers configuration key.

Closes ory#954 Closes ory/network#76

Co-authored-by: hackerman 3372410+aeneasr@users.noreply.github.com

Bug Fixes

  • Cache behavior with TTL (#968) (c4836f5):

    This test will fail since everytime Authenticate() succeeds the token is cached, even if it was already cached. This behavior makes it possible to keep a token in cache if it is authenticated in a period less than the TTL.

  • Less flaky rule tests (#973) (6ee6a73):

    Instead of (flaky) fixed sleeps, we now use assert.Eventually to wait until the rule changes were propagated.

  • Update format (#970) (17c4214)

Code Generation

  • Pin v0.39.0 release commit (f96f2be)

Features

  • JWT should only respect JWT-formats (#958) (6959524)
  • Pass only essential and configured headers to authenticator (#952) (e5e4de4)

0.38.25-beta.1 (2022-04-13)

This release provides some minor fixes around headers, see the changelog for more info.

Bug Fixes

Code Generation

  • Pin v0.38.25-beta.1 release commit (87df0d9)

Documentation

0.38.24-beta.1 (2022-04-06)

With this release we improve tracing capabilities for Ory Oathkeeper.

Code Generation

  • Pin v0.38.24-beta.1 release commit (fb2c246)

Features

0.38.23-beta.1 (2022-02-24)

Ory Oathkeeper has a new place for documentation at github.com/ory/docs and www.ory.sh/docs/oathkeeper! Additionally, the CI/CD infrastructure was moved to GitHub Actions.

Code Generation

  • Pin v0.38.23-beta.1 release commit (69ad28f)

Features

  • Ddd datadog and elastic-apm tracing schema (#927) (e78855f)

0.38.22-beta.1 (2022-02-23)

Ory Oathkeeper has a new place for documentation at github.com/ory/docs and www.ory.sh/docs/oathkeeper! Additionally, the CI/CD infrastructure was moved to GitHub Actions.

Please excuse the previous Ory Oathkeeper release notification. A faulty CI configuration.

Bug Fixes

  • Pass token to render-version-schema (#929) (f763ced):

    Fixes branch protection error.

Code Generation

  • Pin v0.38.22-beta.1 release commit (0dcb7c1)

0.38.20-beta.1 (2022-02-14)

This release introduces caching capabilities for the OAuth2 Client Credentials authenticator as well as compatibility with Traefik!

Bug Fixes

Code Generation

  • Pin v0.38.20-beta.1 release commit (410d69e)

Code Refactoring

Documentation

Features

  • Add post-release step (e7fd550)

  • Introduce token caching for client credentials authentication (#922) (9a56154), closes #870:

    Right now every request via Oathkeeper that uses client credentials authentication requests a new access token. This can introduce a lot of latency in the critical path of an application in case of a slow token endpoint.

    This change introduces a cache similar to the one that is used in the introspection authentication.

  • Migrate to openapi 3.0 generation (190d1a7)

  • Traefik decision api support (#904) (bfde9df), closes #521 #441 #487 #263:

    Closes ory#899

0.38.19-beta.1 (2022-02-04)

This release adds support for rewriting the HTTP method in certain authenticators.

Bug Fixes

Code Generation

  • Pin v0.38.19-beta.1 release commit (dedb92c)

Documentation

  • Fix "decisions" typo in Introduction (#907) (db346d5)

Features

  • Allow overriding HTTP method for upstream calls (69c64e7):

    This patch adds new configuration force_method to the bearer token and cookie session authenticators. It allows overriding the HTTP method for upstream calls.

0.38.17-beta.1 (2022-02-03)

ci: bump orbs

Continuous Integration

0.38.18-beta.1 (2022-02-03)

This release adds CVE scanners for Docker Images and updates several dependencies to resolve CVE issues.

Additionally, support for various tracers has been added, patches to caching and JWT audiences have been made, and more configuration options have been added for various rules.

Bug Fixes

  • Add config schema for tracing for jaeger (#830) (59871fc)

  • Add hiring notice to README (#884) (9dea379)

  • Add ory cli (df8a19b)

  • Allow forwarding query parameters to the session store (#817) (9375f92), closes #786 #786

  • Building docker image for docker-compose (#889) (adf0d1b)

  • Remote_json default configuration (#880) (18788d1), closes #797

  • Use NYT capitalistaion for all Swagger headlines (#859) (8c2da46), closes #503:

    Capitalised all the Swagger headlines for files found in /api.

Code Generation

  • Pin v0.38.18-beta.1 release commit (0bf4a98)

Documentation

  • Update authz.md (#879) (b6b5824)

  • Use correct casing (58b1d43), closes #900

  • Warn that gzip is unsupported (#835) (78e612e):

    Note to users that gzip responses are as of now unsupported for Cookie and Bearer authenticators. The result is that the subject and extra will not be filled in, and will fail silently.

Features

Tests

Unclassified

  • docs:� declare s3, gs, and azblob access rule repositories in config schema (#829) (e2433f6), closes #829

0.38.15-beta.1 (2021-08-28)

This release primarily resolves issues with the SDK publishing pipeline.

Bug Fixes

  • Do not modify original headers (1f6c430)

Code Generation

  • Pin v0.38.15-beta.1 release commit (95185bb)

Documentation

Features

  • Add preserve_host to session and bearer configs (e1cc575)
  • Add support for additional headers in check_session and bearer token (390abe3)

0.38.14-beta.1 (2021-07-14)

Ory Oathkeeper v0.38.14-beta.1 addresses a vunlerability in jwt-go by bumping the dependency to v3.2.4.

Bug Fixes

Code Generation

  • Pin v0.38.14-beta.1 release commit (4918be0)

Documentation

  • Fix erroneous sidebar commit (6e3e1a2)

Features

Reverts

  • Fix goreleaser/render-version-schema step (#789) (#790) (d33e3e1):

    This reverts commit d306aa61401b047c232352da47f189a5cd0d4f23.

0.38.12-beta.1 (2021-06-22)

This patch includes an important patch for a security vulnerability impacting the oauth2_introspection authenticator when caching is enabled. For more information please read the Security Advisory.

We strongly recommend upgrading to this version!

Apart from this fix some improvements have been added to reduce latencies when fetching JSON Web Keys and during oauth2_introspection pre-auth. Go templates can now access the incoming request headers.

Bug Fixes

  • Add docs/node_modules target (52f1c7b)
  • Cache introspection pre-auth (#723) (3a9ae1a), closes #712
  • Ensure no vulnerable jwt-go deep dependency is being used (#745) (2ccbb2f), closes #740
  • Makefile and sdk issues (598d48c)

Code Generation

  • Pin v0.38.12-beta.1 release commit (ae23224)

Features

  • Ability to Configure Remote Authorizers to set Headers in AuthenticationSession (#717) (b3d117b):

    The remote authorizers may have useful context from user's permissions. So with this changes, custom authorizers using remote and remote_json can return some useful headers to be forward into the AuthenticationSession, meaning that these headers will be passed to upstream services.

    For example, an user containing scopes/branches inside an organization profile has some level of data addressed to him. In this case, the upstream service need to know that, and "filter" the data according to his "branch_id". The permission that is given to the user (and the remote authorizers manages) has a record of the "branch_id", for the following responses will be returned as status code 200 (if granted) and containing a header like X-Branch-Id.

    The upstream service receives the X-Branch-Id and does your thing.

    The configuration requires to configure a list of "allowed headers" returning from remote authorizer, that will be accepted in the pipeline.

  • Add request header in match context (#719) (22b0dbe), closes #512

  • Improved JWT Authorizer JWKs fetching (#726) (5613f65), closes #203

Tests

Unclassified

0.38.11-beta.1 (2021-05-13)

This release primarily addresses issues in the SDK build pipeline.

Bug Fixes

Code Generation

  • Pin v0.38.11-beta.1 release commit (413393f)

Reverts

  • Init introspect http client once (#714) (#722) (c58cbd9):

    This reverts commit e203ad14ac0e78909e7d42aa214c47a708a7c136.

0.38.10-beta.2 (2021-05-05)

This release improves the health status manager, cache management, improves JSON Web Token debuggability, and resolves other issues.

Bug Fixes

  • Register makefile tasks (2832a77)
  • Resolve makefile issues (9df3b2a)
  • Set cost 1 when caching tokens with configurable max cost (#680) (8db0e9d)
  • Update shebangs to use bash from /usr/bin/env instead of /bin/ for better portability (#694) (e522062)

Code Generation

  • Pin v0.38.10-beta.2 release commit (4b3403b)

Code Refactoring

Documentation

  • Add dotnet sdk (#683) (05ae925):

    • docs: add dotnet sdk

    • docs: add dotnet sdk versioned

  • Change forum to discussions readme (#690) (d942c04)

  • Consistent authz headers (#699) (19948e1):

    Removes the "Authorizer" prefix from a few of the authorizers to make them all consistent.

  • Fix typo (#696) (eda83f1)

  • Point to deny authz (#701) (4f01963), closes #700

Features

  • Add health event manager and rules readiness probe (#674) (01d8588)

  • Add http method into session.MatchContext (#676) (e15a7a5), closes #625

  • Add support for requesting an audience to the OAuth2 Introspection pr… (#678) (2405810), closes #677

  • Additional JWT auth debug information (#681) (d08ab50), closes #668:

    JWT Claims added to error details field.

  • Adds audience into Extra at oAuth2 introspection (#480) (c9faecc)

  • Global docs sidebar and added cloud pages (#705) (f67241f)

0.38.9-beta.1 (2021-03-17)

This release adds support for X-Forwarded-Proto, passes tracing contexts to downstream requests, bumps Go to 1.16, and resolves issues preventing the log level from being set to trace level. Additionally included are improvements to the overall tracing set up, a cookie authenticator bugfix, and a bugfix for glob pattern matching.

Code Generation

  • Pin v0.38.9-beta.1 release commit (9ad41f0)

0.38.9-beta.1.pre.3 (2021-03-16)

autogen: pin v0.38.9-beta.1.pre.3 release commit

Bug Fixes

  • Make glob patterns match only one path segment. (#664) (c711aac), closes #630:

    This makes / also a separator as well as the presumably default value of .. This allows using <*> for matching only one path segment.

Code Generation

  • Pin v0.38.9-beta.1.pre.3 release commit (7725554)

0.38.9-beta.1.pre.2 (2021-03-15)

autogen: pin v0.38.9-beta.1.pre.2 release commit

Code Generation

  • Pin v0.38.9-beta.1.pre.2 release commit (9695b77)

0.38.9-beta.1.pre.1 (2021-03-15)

autogen: pin v0.38.9-beta.1.pre.1 release commit

Bug Fixes

  • Resolve goreleaser issues and bump golang (7291df9)

Code Generation

  • Pin v0.38.9-beta.1.pre.1 release commit (7afdc40)

Unclassified

  • Add missing documentation for oauth2_introspection (#648) (34cf38c), closes #549

0.38.8-beta.1 (2021-02-25)

Improves tracing set up and addresses a bug in the cookie authenticator.

Bug Fixes

  • Ignore cookie auth when no cookies set (c84d880)

Code Generation

  • Pin v0.38.8-beta.1 release commit (2943e9a)

Unclassified

  • Formatting (546691b)
  • Add tracing to outbound oauth introspection requests (daf44cb)

0.38.7-beta.1 (2021-02-22)

This release adds support for X-Forwarded-Proto, passes context for tracing to downstream requests, bumps Go to 1.16 and resolves issues preventing the log level from being set to trace level.

Bug Fixes

  • Accept lower and uppercase in bearer token handler (6e46d4a)

  • Add support for X-Forwarded-Proto header (#638) (6eb83fd), closes #153

  • Pass context through to external requests (#627) (ee25197):

    Enables proper tracing through Jaeger etc

  • Update goreleaser config (9689f45)

  • Update log schema (78e654d)

Code Generation

  • Pin v0.38.7-beta.1 release commit (3b37928)

Features

0.38.6-beta.1 (2021-01-27)

We are happy to announce Dart and Rust SDKs for Ory Oathkeeper! Additionally, a new bearer_token authenticator has been added.

Code Generation

  • Pin v0.38.6-beta.1 release commit (a0c4d7f)

Documentation

  • Add Rust and Dart SDKs (1524fed):

    We now support for Rust and Dart SDKs!

  • Fix js npm links (#634) (c339fee)

  • Rename index documents (7de0ac3)

Features

  • Add bearer_token authenticator (#613) (b623ae7):

    Adds a new authenticator to work with Kratos' new API token. Works the same as the cookie_session authenticator but checks for a bearer token in the Authorization header (unless overwritten by token_from)

0.38.5-beta.1 (2020-12-10)

The ORY Community is proud to present you the next iteration of ORY Oathkeeper. In this release, we focused on improving production stability and resolved several pesky bugs!

Bug Fixes

  • Check content-length header in lowercase (#530) (a68fc8a):

    Issue #422 didn't fix the problem with the requests' Content-Length being copied in the responses because the check was case-sensitive and unit tests didn't cover it.

  • Never construct id token claim templates in parallel (#552) (4f504d9), closes #551

  • Remove token_type validation from introspection handler (#556) (b18d90a), closes #553

  • Support windows file paths (#557) (6a05682), closes #514 #332

  • Update dd-trace to fix build (2e571fa)

Code Generation

  • Pin v0.38.5-beta.1 release commit (f4a04da)

Documentation

Features

  • Forward original authorization header when using remote (json) authorizer (#554) (f4f781e), closes #528
  • Use google/go-cloud to fetch rules and credentials from object storage (#562) (666b951), closes #518 #518

Unclassified

0.38.4-beta.1 (2020-09-28)

This release stabilizes several features and resolves a couple of bugs.

Bug Fixes

  • Add tests in error_redirect_test.go (#522) (24bdd9b):

    Increased tests coverage to cover for all the three valid scenarios - http absolute, https absolute, relative. Explicitly checked Location path to ensure that correct uri scheme was returned

  • Deprecated key in goreleaser config (2a4f901)

  • Ignore x/net false positives (bc8a32c)

  • Misleading HTTP status code for oauth2_client_credentials authenticator (#504) (0f65631), closes #496

Code Generation

  • Pin v0.38.4-beta.1 release commit (1c997b2)

Documentation

  • Fix broken links (dd3bfbe)

  • Fix OAuth2 Introspect Authn Config Documentation (#498) (7612e20):

    Switch the definitions for the pre-authorisation fields 'scope' and 'token endpoint' in the documentation.

  • Fix sidebar (28247fc)

  • Guide for integrating with ORY Hydra (#497) (e1b1751)

  • Move development section (582a4d0)

  • Move to json sidebar (b67230d)

  • Remove duplicate template (01550b4)

  • Update repository templates (2aaf766)

  • Update repository templates (#506) (cb53d79)

Features

  • Add and automate version schema (7ab4012)

  • Add url_param config option to redirect error handler. (#520) (b5bb3bc), closes #511:

    This change introduces a url_param config option for redirect error handler. If it contains a url paramter name, the redirect url will have this parameter set, containing the current url (from which Oathkeeper has redirected the user).

    This can be useful in passing the return_to url to Kratos, so user can be redirected to the page they initially wanted to access after a successfull sign in.

  • Log invalid credentials on info level instead of error/warning (#517) (a372b5f), closes #505

  • Use uri-reference for errors redirect to allow relative urls (#516) (0d39674)

Unclassified

0.38.3-beta.1 (2020-07-29)

This release addresses several configuration bugs and resolves a potential panic.

Bug Fixes

Code Generation

  • Pin v0.38.3-beta.1 release commit (1f754a9)

Documentation

  • Delete old redirect homepage (a1a4610)
  • Fix access rule example (739f179)
  • Fix api access rule example (#460) (c75cd97)
  • Update repository templates (edffc2e)
  • Update repository templates (7af8749)
  • Use central banner repo for README (04fe00c)
  • Use mdx for api reference (368f073)

Features

  • Improve configurability of prometheus metrics (#450) (ddcb226), closes #446
  • Pass query parameters to the hydrators (#479) (48603a1)

0.38.2-beta.1 (2020-05-25)

This patch makes timeouts configurable for oauth2_client_credentials and the reverse proxy and additionally allows prometheus to be configured.

Bug Fixes

  • Move prometheus validation stanza to local schema (#437) (dcf3e14), closes #438

Chores

  • Pin v0.38.2-beta.1 release commit (0de2682)

Documentation

Features

  • Add configurable timeouts to API server (#440) (0dc6292)
  • Timeout config for oauth2_client_credentials (#443) (2462fa3), closes #442

0.38.1-beta.1 (2020-05-08)

Caching in the hydrator mutator has been improved. Please use cache.enable=true if you intend using the hydrator.

Bug Fixes

  • Improve caching strategy and config for hydrator (#433) (0047054):

    To enable the hydrator cache you must now use the cache.enabled property. Also, the cache key strategy has been improved.

Chores

  • Pin v0.38.1-beta.1 release commit (20f439d)

0.38.0-beta.2 (2020-05-07)

This release introduces Prometheus support, a new remote authorizer, caching, and several bugfixes!

No backwards incompatible changes have been introduced.

Bug Fixes

  • Add old schemas to resolve issues with old versions (b94c391), closes #400

  • Don't copy the decision endpoint request's Content-Length (#422) (0e99045):

    We currently copy all original request headers send to the decission endpoint back. This can include the Content-Length header which describes the request body or response. Including the original request Content-Length causes issues for the decission endpoint client if the response body doesn't match the exact size.

    This change makes sure the Content-Length doesn't get included in the response body and adds a test to prevent future regressions.

  • Respect retry in token introspection (#410) (88f7b69)

  • Update install.sh script (#429) (2d2eded)

  • Use pipe to pass body remote authorizer (#426) (1a44087):

    Resolves flaky tests.

  • Use semver-regex replacer func (a13cdf5)

Chores

  • Pin v0.38.0-beta.2 release commit (73d36cd)

Code Refactoring

Documentation

Features

  • Add cache to hydrator (#418) (1ae6e7a), closes #417:

    This patch introduces new configuration parameters that allow the hydrator mutator to cache requests.

  • Add new remote authorizer that uses request body and headers (#416) (3a20637):

    This pull request implements a new authorizer that sends the original request body as body to the remote endpoint. This allows the remote endpoint to take the body into account in its decision.

    The current remote_json authorizer does not have the ability to send the request body of the request to authorize. This means this cannot be taken into account while checking permissions.

    Providing the request body as part of the JSON payload won't always work as JSON cannot handle binary data.

  • Add prometheus docs (#427) (117ee6a)

  • Add prometheus endpoint providing basic request metrics (#404) (fdaed46):

    This patch adds basic prometheus metrics. The prometheus metrics are exposed at the default prometheus exporter port 9000 and is configurable with:

     serve:
   prometheus:
     port: 9000
     host: localhost
     metrics_path: /metrics

  • Oauth2_introspect cache introspection results (#424) (d4557ae), closes #293

0.37.1-beta.1 (2020-04-03)

chore: replace segment with ory fork (#391)

Chores

Documentation

  • Regenerate and update changelog (4e251e9)

0.37.0-beta.1 (2020-04-02)

docs: document v0.36 and v0.37

Breaking Changes

This feature allows to use the regex capture groups from the URL matcher to be used in several places, including the ID Token generator and elsewhere. To get this working, existing keto_engine_acp_ory authorizers are no longer able to use regex substition in the form of my:action:$1 but instead must use the new format which is {{ printIndex .MatchContext.RegexpCaptureGroups 0}} (notice that the index changed by -1). A rule migrator exists which makes old rules compatible with the new format, if a version string is given. More details on the rule migration can be found here: https://github.com/ory/oathkeeper/pull/358/commits/fd16ceb230a1b14ebb01a147d2d70acce77f9fbd#diff-6177fb19f1b7d7bc392f5062b838df15

Bug Fixes

  • Add rule id to malformed configuration log error (#386) (7688a8d)

  • Disable test that fails with low cache hit rate (#372) (5414dda), closes #371

  • docker: Improve docker-compose example (#325) (1247381), closes #324:

    Add a new file 'Dockerfile-dc' which will primarily be used by Docker Compose to build docker images. Unlike the existing Dockerfile which depends on the Makefile to build the binary, this Dockerfile copies the source code and builds the binary.

    Oathkeeper has gone through a couple of changes since the initial draft of the docker compose file, considering these changes and the newly introduced Dockerfile in the previous commit, make these changes to the docker-compose.yml:

    1. Bump the version of the compose file to 3.
    2. Remove the need for the postgres database app, since Oathkeeper no longer needs a database.
    3. Remove the need for the migration app, since we no longer need to migrate since there is no database and the option is deprecated.
    4. Use the newly defined Dockerfile 'Dockerfile-dc'.
    5. We now serve both API and PROXY from the same app, so we don't need two instances of the app.
    6. Add sample config, rules and JWK files to .docker_compose, mount this via a volume mount.

  • Improve id_token performance with caching (#367) (47e9fee), closes #364

  • Load config file only in serve command (#365) (68c8546)

  • Replace segment with our own sqa endpoint (#385) (8f63eda)

  • SendOAuth2 introspection scope only when strategy is none (#379) (5e0c8dc), closes #377:

    This patch removes the scope key from the OAuth2 Introspection request body when a scope strategy other than none is set for the OAuth2 Introspection handler. If the scope strategy is none, the scope key is included in the body.

  • Token expiration error in tests (#390) (9c07a73)

Documentation

  • Change link to Developer Install Guide (#369) (f7fe46f):

    Changing the link to the Developer Documentation - it was pointing to Keto and not to Oathkeeper.

  • Document v0.36 and v0.37 (a176c73)

  • Fix examples for some JSON Schema config keys (#363) (aeeb353)

  • Regenerate and update changelog (9417e2c)

  • Regenerate and update changelog (b817037)

  • Regenerate and update changelog (33a5524)

  • Regenerate and update changelog (888b7a6)

  • Regenerate and update changelog (36faa3b)

  • Regenerate and update changelog (32b6059)

  • Regenerate and update changelog (ba4de09)

  • Regenerate and update changelog (a76f749)

  • Regenerate and update changelog (1789d00)

  • Regenerate and update changelog (0dfc608)

  • Regenerate and update changelog (b23c79a)

  • Regenerate and update changelog (2117171)

  • Regenerate and update changelog (38c9e19)

  • Regenerate and update changelog (e3eda75)

  • Regenerate and update changelog (e7d70f7)

  • Regenerate and update changelog (874b7a9)

  • Regenerate and update changelog (6b1d94b)

  • Regenerate and update changelog (cb38415)

  • Regenerate and update changelog (bec6af0)

  • Update forum and chat links (d9eed10)

  • Update README.md (#375) (313d2fe), closes #374:

    Fixed link to Envoy configuration page and added link to AWS API Gateway.

  • Updates issue and pull request templates (#382) (484c406)

Features

0.36.0-beta.4 (2020-02-14)

docs: Regenerate and update changelog

Bug Fixes

  • goreleaser: Update brew section (46fb3da)

Documentation

  • Regenerate and update changelog (95a7c09)

0.36.0-beta.1 (2020-02-05)

docs: Regenerate and update changelog

Documentation

  • Prepare ecosystem automation (81ea56b)
  • Regenerate and update changelog (b71e48c)
  • Regenerate and update changelog (4f22e42)
  • Regenerate and update changelog (23e053f)
  • Updates issue and pull request templates (#355) (f9251ed)

Features

  • ci: Add nancy vuln scanner (#354) (de36e40)

  • rule: Add glob matching strategy (#334) (5f983ab), closes #321:

    This patch adds the ability to choose a matching strategy and adds a glob-based matching strategy to the available options (regex is still the default).

Unclassified

  • Update CHANGELOG [ci skip] (8278b9d)
  • Update CHANGELOG [ci skip] (17f78b7)
  • Update CHANGELOG [ci skip] (d6f6925)
  • Update CHANGELOG [ci skip] (0e109ce)

0.35.5-beta.2 (2020-01-31)

Update README.md

Unclassified

0.35.5-beta.1 (2020-01-27)

Hash enabled check to further improve performance (#353)

Unclassified

  • Hash enabled check to further improve performance (#353) (19099cb), closes #353
  • Update CHANGELOG [ci skip] (6afdeae)
  • Update CHANGELOG [ci skip] (3226ae6)

0.35.4-beta.1 (2020-01-26)

Update release pipeline and tests (#351)

Unclassified

  • Update release pipeline and tests (#351) (c7d81a9), closes #351

0.35.3-beta.1 (2020-01-26)

Update CHANGELOG [ci skip]

Documentation

  • Updates issue and pull request templates (#341) (eca2652)

Unclassified

  • Update CHANGELOG [ci skip] (518b765)
  • Update SDK (5e619a0)
  • Update CHANGELOG [ci skip] (495adcf)
  • Use integer instead of number in config JSON schema (280b42f)
  • Update CHANGELOG [ci skip] (b72965f)
  • Update SDK (aedabd9)
  • Set min/max for port range in config JSON Schema (#345) (d7d696f), closes #345
  • Update CHANGELOG [ci skip] (8e4d58c)
  • Fix profiling env variable not being picked up (#343) (29b0cf1), closes #343
  • Update CHANGELOG [ci skip] (e7a5d89)
  • Update CHANGELOG [ci skip] (abc00d4)
  • Update SDK (a237c29)
  • Update broken links in README (78e498c)
  • Cache pipeline config and improve request latency (#348) (95673ed), closes #346

0.35.1-beta.1 (2020-01-14)

Update CHANGELOG [ci skip]

Unclassified

  • Update CHANGELOG [ci skip] (63b0076)

0.35.0-beta.1 (2020-01-13)

Update CHANGELOG [ci skip]

Documentation

  • Incorporates changes from version v0.34.0-beta.1 [ci skip] (a8a62b4)
  • Incorporates changes from version v0.34.0-beta.1-2-g7516eed [ci skip] (eb82132)
  • Incorporates changes from version v0.34.0-beta.1-4-gee2b9e7 [ci skip] (d084c39)
  • Incorporates changes from version v0.34.0-beta.1-6-g6723fb8 [ci skip] (ebe89ab)

Unclassified

  • Update CHANGELOG [ci skip] (f0e8ecf)

  • Update SDK (6a0a0f8)

  • Update upgrade guide (#337) (99e9877), closes #337

  • Update CHANGELOG [ci skip] (2e13a05)

  • Remove superfluous version from workflows (55037fa)

  • Update CHANGELOG [ci skip] (dfbc231)

  • Update SDK (65222d5)

  • Move to new SDK pipeline (#333) (6940dc8), closes #333

  • authn/cookie_session: Add subject_from modifier (#336) (6723fb8), closes #336:

    The subject_from modifier is a GJSON path that points to the subject field. Useful if the upstream API does not return a {"subject": "..."} format.

  • authn/cookie_session: Add extra_from modifier (#335) (ee2b9e7), closes #335:

    The extra_from modifier is a GJSON path that points to the extra field. Useful if the upstream API does not return a {"subject": "...", "extra": "..."} format.

  • pipeline/authn: Add tests for cookie sources in jwt and oauth2_intro (#330) (#331) (7516eed), closes #330 #331 #330:

    Also updates the schemas to add missing cookie config element.

0.34.0-beta.1 (2019-12-26)

Prepare v0.34.0-beta.1+oryOS.14 release

Documentation

  • Incorporates changes from version v0.33.1-beta.1 [ci skip] (6681754)
  • Incorporates changes from version v0.33.1-beta.1-2-g4033321 [ci skip] (2764758)
  • Incorporates changes from version v0.33.1-beta.1-4-g7e6f636 [ci skip] (66ae8c8)

Unclassified

  • Prepare v0.34.0-beta.1+oryOS.14 release (96f77b2)

  • pipe/err: Improve IP and MIME matching (#323) (7e6f636), closes #323:

    Previously, MIME matching respected the request's wildcards which lead to multiple handlers feeling responsible for a particular request. Now, wildcards coming from the HTTP Request itself are interpreted literally.

    Additionally, ORY Oathkeeper respected the X-Forwarded-For HTTP Header for matching remote IP addresses. This behavior is now turned off by default because clients were able to fake this header otherwise. It can explicitly be turned on by setting config.when.#.request.remote_ip.RespectForwardedForHeader: true.

  • Add customizable error handlers (#322) (4033321), closes #322 #204 #252 #119:

    This patch adds a new feature called error handlers. It allows to define the error handling logic globally and per rule. It is now possible, for example, to return a JSON response for Accept: application/json requests and a HTTP Redirect response for requests that are coming from a user.

    This also resolves several issues, as noted below:

0.33.1-beta.1 (2019-12-18)

docs: Incorporates changes from version v0.33.0-beta.1-12-g0dd3fe3 [ci skip]

Documentation

  • Incorporates changes from version v0.33.0-beta.1 [ci skip] (a178031)
  • Incorporates changes from version v0.33.0-beta.1-10-g3e7936a [ci skip] (083b7eb)
  • Incorporates changes from version v0.33.0-beta.1-12-g0dd3fe3 [ci skip] (82c5253)
  • Incorporates changes from version v0.33.0-beta.1-6-gf60f525 [ci skip] (9870722)
  • Incorporates changes from version v0.33.0-beta.1-8-g815951b [ci skip] (d77b225)

Unclassified

  • Properly merge env vars into pipeline configs (#320) (3e7936a), closes #320 #305 #317:

    Previously, some keys did not respect the values set in the environment variables.

  • Add alpine-based Docker image (#318) (815951b), closes #318 #312

  • Add more details to decision logging (#316) (f60f525), closes #316 #244 #242:

    Adds details such as the HTTP Method, User Agent, Subject, and other information to the logging output of both the reverse proxy and the decision API.

  • Add health check commands (#319) (0dd3fe3)

  • Health endpoints now emit TRACE logs (#314) (9036f8e), closes #283:

    Remove health endpoints from the logs to make monitoring easier. Setting log_level to trace will show these calls.

  • Improve session endpoint debugability (#315) (2718639), closes #300

  • Resolve matcher cache (#313) (1519632), closes #291:

    A bug caused the rule matcher to not cache the regular expression result.

  • Use bearer splitting when header is set to Authorization (#311) (464fa31), closes #308

0.33.0-beta.1 (2019-12-16)

pipeline/mutator: Refactor hydrator retry config (#287)

Documentation

  • Incorporates changes from version v0.32.1-beta.1 [ci skip] (98c9bf8)
  • Incorporates changes from version v0.32.1-beta.1-5-gf028719 [ci skip] (9f9c00c)

Unclassified

  • pipeline/mutator: Refactor hydrator retry config (#287) (2a97e05), closes #287
  • Update README banner (#307) (f028719), closes #307
  • Add cookie as an option for oauth2_introspection authenticator (#301) (e3fa55a), closes #301
  • Add preserve_path option for cookie session to not override the path in the request (#297) (7e86b78), closes #297
  • Allow specifying additional headers for the oauth introspection request (#302) (b1e5cea), closes #302

0.32.1-beta.1 (2019-10-30)

docs: Incorporates changes from version v0.32.0-beta.1-13-g1910bbe [ci skip]

Documentation

  • Add notes for 0.32.0 (40e3b89)
  • Incorporates changes from version v0.32.0-beta.1 [ci skip] (f3a0e53)
  • Incorporates changes from version v0.32.0-beta.1-11-g7892d2f [ci skip] (c41ecd4)
  • Incorporates changes from version v0.32.0-beta.1-13-g1910bbe [ci skip] (d45e1a0)
  • Incorporates changes from version v0.32.0-beta.1-3-g8cf6868 [ci skip] (2c8fbf7)
  • Incorporates changes from version v0.32.0-beta.1-9-g08d42da [ci skip] (6ce3344)

Unclassified

  • pipeline/authz: Add Content-Type header in the call to Keto (#290) (1910bbe), closes #290

  • Revert incorrect license changes (7892d2f)

  • Revert readme changes to last working version (08d42da)

  • Remove obsolete section from README (aa8deef)

  • Fix broken readme headlines (2e8109a)

  • Auto-kill test runner after 10 retries (#286) (eaad598), closes #286

  • Dereference config schema and resolve issues (#282) (8cf6868), closes #282 ory/docs#217 #234 #281

  • Update ory/x/viperx dependency (#285) (0ef3bce), closes #276 #270 #279 #280:

    This patch automatically binds environment variables to configuration keys. This patch resolves several issues:

0.32.0-beta.1 (2019-10-20)

docs: Incorporates changes from version v0.31.0-beta.1 [ci skip]

Documentation

  • Incorporates changes from version v0.31.0-beta.1 [ci skip] (dafc870)

0.31.0-beta.1 (2019-10-20)

docs: Incorporates changes from version v0.30.0-beta.1 [ci skip]

Documentation

  • Incorporates changes from version v0.19.1-beta.1-2-g41869a9 [ci skip] (a44846b)
  • Incorporates changes from version v0.20.0-beta.1 [ci skip] (aaf801b)
  • Incorporates changes from version v0.30.0-beta.1 [ci skip] (ebd198a)

Unclassified

  • pipeline/authn: Add token_from config to introspection and jwt (#271) (fc85ac8), closes #271 #257:

    Add additional optional configuration to jwt and oauth2_introspection authenticators allowing to set from where (which header or query parameter) the token should be received. The configuration is a token_from field in per-rule-configuration, as described in a linked issue.

  • Update UPGRADE.md (4e4bd93)

  • Update upgrade instructions (7483d1c)

  • Add migration capabilities (#268) (bc74e72), closes #266:

    Adds the ability to modify rules with backwards compatibility.

  • Change error code from 403 to 401 (#259) (c17e564), closes #256

  • Force auth style in oauth2 client credentials authn (#267) (97d7890), closes #260

0.19.0-beta.1 (2019-09-23)

Fix id_token schema reference URL

Unclassified

  • Fix id_token schema reference URL (72a2333)
  • Resolve broken tests (#262) (bc67cc1), closes #262
  • Homogenize configuration management (#258) (89709aa), closes #258
  • Fix #250: Ignore query parameters to build payload for Keto engine (#251) (d0fc7f4), closes #250 #251

0.18.0-beta.1 (2019-08-22)

mutator/id_token: Add claim templating (#246)

Documentation

  • Incorporates changes from version v0.17.4-beta.1 (370eb37)
  • Incorporates changes from version v0.17.5-beta.1 (f7beddc)
  • Updates issue and pull request templates (#237) (6181ee5)
  • Updates issue and pull request templates (#238) (6f83cda)
  • Updates issue and pull request templates (#239) (2e0b3ef)
  • Updates issue and pull request templates (#245) (f140837)

Unclassified

  • mutator/id_token: Add claim templating (#246) (591f524), closes #246
  • Add mutator for modifying authenticationSession with external API (#240) (b38b0f4), closes #240
  • Support multiple mutators per access rule (#233) (d21179d), closes #233 #233
  • Add adopters placeholder (#236) (302c7b8)

0.17.4-beta.1 (2019-08-09)

Add sprig template library (#235)

Documentation

  • Incorporates changes from version v0.17.3-beta.1 (b271ff2)
  • Updates issue and pull request templates (#232) (00c08ba)

Unclassified

  • Add sprig template library (#235) (c85c540), closes #235

0.17.3-beta.1 (2019-08-03)

rule: Resolve k8s configmap reload issue (#231)

Documentation

  • Incorporates changes from version v0.17.2-beta.1 (e652c3f)

Unclassified

  • Move back to scratch Docker image (3fa8a50)
  • Resolve k8s configmap reload issue (#231) (c04547e)

0.17.2-beta.1 (2019-08-02)

rules: Support kubernetes configmap reloading (#230)

Documentation

  • Incorporates changes from version v0.17.1-beta.1 (64d180f)
  • Updates issue and pull request templates (#226) (007d491)

Unclassified

  • Support kubernetes configmap reloading (#230) (92b769b)

0.17.1-beta.1 (2019-07-23)

rule: Fix panic on send on closed channel (#225)

Closes #224

Documentation

  • Incorporates changes from version v0.17.0-beta.1 (8f4a518)

Unclassified

0.17.0-beta.1 (2019-07-18)

ci: Automate schema confiugration sync

Continuous Integration

  • Automate schema confiugration sync (94bcc4f)

Documentation

  • Incorporates changes from version v0.16.0-beta.5 (a8afc3b)
  • Update upgrade guide (a8ccb05)
  • Update upgrade guide (f727efe)

Unclassified

  • Fix broken reload tests (d6059b7)

  • Validate configuration with JSON Schema (997427d)

  • Watch configuration and access rule changes (#217) (a078e89), closes #217:

    This patch allows oathkeeper to re-load any changes made to the configuraiton file and/or the access rules to be reloaded without a restart.

    Some configuration keys like serve., log., profiling however require a restart.

  • Create FUNDING.yml (d7da8e2)

  • Add support for rules in YAML format (#213) (67face6), closes #213:

    This commit adds support for defining access rules in YAML format, in addition to existing JSON format.

  • Do not fatal when immutable value is changed (717d7f7)

  • Remove useless function (3521a3d)

0.16.0-beta.5 (2019-06-28)

authenticator: Add cookie session authenticator (#211)

Documentation

  • Incorporates changes from version v0.16.0-beta.4 (1e03ee2)

Unclassified

  • Add description into the name of subtest (#212) (230c332), closes #212

  • Remove binary license (#208) (3460d65), closes #208

  • Update config.yaml (#204) (effe9c0), closes #204:

    There's no DSN in oathkeeper

  • Add cookie session authenticator (#211) (f8a66b7)

  • Use non-root user in image (#209) (2215126)

0.16.0-beta.4 (2019-05-28)

server: Properly declare negroni middleware (#200)

Previously, negroni.With was mistakenly used to add middleware onto the stack. The proper method however is negroni.Use.

This patch fixes the use of negroni.With and resolves issues around logging and the decisions endpoint.

Closes #199

Documentation

  • Incorporates changes from version v0.16.0-beta.3 (d777ecf)
  • Updates issue and pull request templates (#196) (74fa27b)
  • Updates issue and pull request templates (#197) (31d057c)
  • Updates issue and pull request templates (#198) (244810a)

Unclassified

  • Properly declare negroni middleware (#200) (9d3dc54), closes #199:

    Previously, negroni.With was mistakenly used to add middleware onto the stack. The proper method however is negroni.Use.

    This patch fixes the use of negroni.With and resolves issues around logging and the decisions endpoint.

0.16.0-beta.3 (2019-05-19)

ci: Use golang for docs task

Continuous Integration

  • Use golang for docs task (b120c72)

Documentation

  • Incorporates changes from version v0.15.2 (7ceabe9)
  • Rename config.yml -> config.yaml (4faecbe)
  • Updates issue and pull request templates (#189) (367a48d)

Unclassified

0.15.2 (2019-05-04)

cmd/client: Use json rawmessage for arbtrary payloads (#184)

Closes #182

Signed-off-by: Stanislav Zapolsky stszap@gmail.com

Documentation

  • Incorporates changes from version v0.15.1 (5c34958)

Unclassified

  • cmd/client: Use json rawmessage for arbtrary payloads (#184) (a55e4d1), closes #184 #182

0.15.1 (2019-04-29)

vendor: Add go.sum (#180)

Signed-off-by: aeneasr aeneas@ory.sh

Unclassified

0.15.0 (2019-04-29)

docker: Remove full tag from build pipeline (#179)

Signed-off-by: aeneasr aeneas@ory.sh

Documentation

  • Incorporates changes from version v0.0.0-testrelease.3 (44649b6)
  • Incorporates changes from version v0.14.2+oryOS.10 (2d9899a)
  • Update patrons (f423666)
  • Update README building-from-source part with the gomodule way (#152) (9d653f5), closes #149

Unclassified

  • Update CHANGELOG.md (cbccbe2)

  • Ensure rule matcher is locked before updating (#159) (6fb7151):

    Lock CachedMatcher before rules are updated when HTTPMatcher refreshes to avoid concurrent map iteration and map write errors.

  • Improve debugability of JWT authenticator (#156) (8441bd5)

  • Move to go-swagger SDK code generation (#170) (38c52a3), closes #165

  • Remove full tag from build pipeline (#179) (e2edbf8)

  • Remove sdk dependencies to keto/hydra (#173) (b538e3c):

    This patch replaces code-generated SDKs with raw http.Client calls which reduces dependencies and makes future changes to the keto/hydra SDK easier to adopt to.

  • Remove vendored dependencies after sdk generation (7c33ca8)

  • Set request headers for credential issuers (#169) (4fc579c), closes #120 #133

  • Update Dockerfile build instructions (ec40cc4)

  • Upgrade dependencies (#163) (f9fdefb)

  • Use scp,scope,scopes in jwt authenticator (#162) (eebc2f4), closes #138:

    Previously, the JWT authenticator only used the "scope" claim to retrieve scope values from a JWT. Now, "scp", "scope", "scopes" are supported as string arrays and strings separated by spaces.

0.14.2+oryOS.10 (2018-12-13)

ci: Fix docker push arguments in publish task

Signed-off-by: aeneasr aeneas@ory.sh

Continuous Integration

  • Fix docker push arguments in publish task (62415a1)

0.14.1+oryOS.10 (2018-12-13)

ci: Fix docker release task

Signed-off-by: aeneasr aeneas@ory.sh

Continuous Integration

  • Fix docker release task (893385b)

0.14.0+oryOS.10 (2018-12-13)

ci: Fix circle misconfiguration

Signed-off-by: aeneasr aeneas@ory.sh

Continuous Integration

  • Fix circle misconfiguration (a00ce64)

Documentation

  • Adds gh templates & code of conduct (#78) (02361aa)
  • Adds link to examples repository (#79) (bfe96e9)
  • Align changelog, upgrade with new versions (#143) (751dfa3)
  • Clarify beyondcorp (3647958)
  • Clarify breaking change policy (6e6bb7e)
  • Fix broken link (#87) (828b33e)
  • Fix proxy help command description (#142) (c836cb0)
  • Fix typo in README. (#118) (3d33fcc)
  • Grammatical fix in stability sentence (#86) (ff0604d)
  • Improve some docs and update SDK (#135) (9a6901d)
  • Incorporates changes from version v0.11.12-1-gace7f34 (3a6450c)
  • Incorporates changes from version v0.11.12-10-g57ac174 (c594b7e)
  • Incorporates changes from version v0.11.12-13-gd00dfed (7c221fa)
  • Incorporates changes from version v0.11.12-15-g6604045 (2a594f4)
  • Incorporates changes from version v0.11.12-3-g7acfbca (ac34a58)
  • Incorporates changes from version v0.11.12-6-g181e9ac (01dda53)
  • Incorporates changes from version v1.0.0-beta.1 (788e96b)
  • Incorporates changes from version v1.0.0-beta.2-1-gd6eb440 (579f7a7)
  • Incorporates changes from version v1.0.0-beta.2-10-gef6e889 (38cfb31)
  • Incorporates changes from version v1.0.0-beta.2-12-g9b6c0df (82ac9b2)
  • Incorporates changes from version v1.0.0-beta.2-6-ged2f983 (d9737c8)
  • Incorporates changes from version v1.0.0-beta.2-8-g5495d4a (546828d)
  • Incorporates changes from version v1.0.0-beta.3-3-g3c0c862 (e1127a8)
  • Incorporates changes from version v1.0.0-beta.4-1-g643dbea (5c40f97)
  • Incorporates changes from version v1.0.0-beta.4-12-gbfe96e9 (756178a)
  • Incorporates changes from version v1.0.0-beta.4-17-gfa5388c (3d5df8b)
  • Incorporates changes from version v1.0.0-beta.4-19-g6d647d7 (b5539f4)
  • Incorporates changes from version v1.0.0-beta.4-3-g951da25 (8931b39)
  • Incorporates changes from version v1.0.0-beta.4-5-g83b591d (4f2c64b)
  • Incorporates changes from version v1.0.0-beta.4-7-gf450697 (8f904d2)
  • Incorporates changes from version v1.0.0-beta.4-9-g02361aa (5b34e91)
  • Incorporates changes from version v1.0.0-beta.5-1-g3647958 (2bcfb39)
  • Incorporates changes from version v1.0.0-beta.6-1-gff0604d (0c69154)
  • Incorporates changes from version v1.0.0-beta.6-3-g828b33e (c53f5b2)
  • Incorporates changes from version v1.0.0-beta.8 (92c09fb)
  • Incorporates changes from version v1.0.0-beta.9 (b9127f6)
  • Update documentation links (#144) (84131d2)
  • Update link to security console (26fdda1)
  • Update migration guide (b2e6d67)
  • Updates copyright notice (e58535d)
  • Updates issue and pull request templates (#126) (5991a92)
  • Updates issue and pull request templates (#127) (e4d0e26)
  • Updates link to open collective (25e0dee)
  • Updates links to docs (9dca7c0)
  • Updates links to docs (57ac174)
  • Updates newsletter link in README (97f1dea)
  • Updates readme TOC (3c0c862)
  • Updates README.md (1387f9f)
  • Updates TOC (9b6c0df)
  • Updates upgrade.me (0118f9f)

Unclassified

  • Support "scope" claim as a string in jwt authenticator (#137) (ab5240e), closes #137

  • Adds docker-compose example with postgres (84f1313)

  • Reduces setup complexity by making strategies configurable (6626f8f), closes #71:

    This patch adds another ID Token signing algorithm (HS256) which is easier to set up as it does not rely on ORY Hydra but instead on a shared secret.

    Additionally the ability to specify which ID Token singing algorithm to use has been added. Environmental variables to configure the behvaiour have been added as well.

    Further, the ORY Keto Warden Authorizer strategy is now optional and disabled when the environment variable AUTHORIZER_KETO_WARDEN_KETO_URL is empty.

  • Tells linguist to ignore SDK files (ace7f34)

  • Add ability to configure scope strategy (519a536)

  • Add cookies ci to handler factory (#103) (59aabfa)

  • Add cookies credentials issuer (032d88e)

  • Add endpoint for answering access requests directly (d211641), closes #42:

    This patch adds endpoint /judge to oathkeeper serve api. The /judge endpoint mimics the behavior of oathkeeper serve proxy but instead of forwarding the request to the upstream server, the endpoint answers directly with a HTTP response.

    The HTTP response returns status code 200 if the request should be allowed and any other status code (e.g. 401, 403) if not.

    Assuming you are making the following request:

    PUT /judge/my-service/whatever HTTP/1.1
Host: oathkeeper-api:4456
User-Agent: curl/7.54.0
Authorization: bearer some-token
Accept: */*
Content-Type: application/json
Content-Length: 0

    And you have a rule which allows token some-bearer to access PUT /my-service/whatever and you have a credentials issuer which does not modify the Authorization header, the response will be:

    HTTP/1.1 200 OK
Authorization: bearer-sometoken
Content-Length: 0
Connection: Closed

    If the rule denies the request, the response will be, for example:

    HTTP/1.1 401 OK
Content-Length: 0
Connection: Closed

  • Add headers credentials issuer (b084c32)

  • Add http proxy timeout config (#132) (b3718ce):

    Add environment parameters (and description) to configure timeout settings of a server handled proxy requests.

    It will help prevent a case of unexpected closing a client connection if an upstream request is executing more than default timeout.

  • Add JWT authenticator (61625bc)

  • Add NodeJS SDK (#94) (7505b71)

  • Adds ability to specify db url via env var in migrate (b2cc5d2)

  • Adds and improves metrics middleware (b0dfd97)

  • Adds log message when telemetry is active (ed2f983)

  • Adds validator for rules (#77) (f450697):

    This patch adds an input validator for rules which should prevent accidental typos or similar issues when creating a rule. Additionally, no invalid/unconfigured handlers (authorizers, credential issuers, authenticators) can be used.

  • Align TLS options with hydra (#114) (c763152)

  • Allow empty upstream in rules (e46065a)

  • Allow regex in match scheme (c6d17c5), closes #92

  • Allows connectivity to MySQL (fa5388c), closes #82

  • Authenticator noop should not bypass (6f8ab4f), closes #97

  • Convert AuthenticationSession to local struct type for better handling (b00b2a2)

  • Disable cors per default (#107) (c5ab0c3):

    This patch introduces CORS_ENABLED which defaults to "false".

  • Doesn't fatal if no ORY Hydra is unresponsive. (#66) (181e9ac), closes #65

  • Enables TLS option on serve api (#116) (83f1f84)

  • Expose all ORY Hydra ports in tests (691a72d)

  • Expose all ORY Hydra ports in tests (add70c6)

  • Fix checkResponse message typo (#106) (0d0e653)

  • Ignore query parameters when matching url in rules. (#139) (07eb99b)

  • Improve compatibility with ORY Hydra 1.0.0-beta.8 (#108) (296e012), closes #101:

    This patch improves compatibility with ORY Hydra 1.0.0-beta.8 and updates vendored dependencies.

  • Improve hydra integration tests (e8b7a58)

  • Improve refresh subroutines (cc33538)

  • Improves cors parsing (d00dfed)

  • Improves test set up (6b6bb88)

  • Include headers credential issuer in handler factory (0e1ef1b)

  • Introduce health and version endpoint (029c7ff)

  • Make subject configurable using go template (#129) (ee9dcdd)

  • More CredentialsIssuerHeaders tests (079171f)

  • Move headers into new config field (51eb9fb)

  • Properly document JWT refresh (#117) (2e024f9)

  • Properly handle conflicts on PUT and POST (83b591d), closes #38:

    Previously, PUT and POST did not result in errors (409) when non-existing resources were modified, or existing resources were created. This patch resolves that.

  • Refactors Oathkeeper into new ecosystem (#60) (7acfbca)

  • Refresh rules in api mode (08204e8)

  • Remove config flag (#111) (8385cbc), closes #110

  • Remove config flag (#111) (7de77b8), closes #110

  • Remove package.json from swagger dir (837d18c)

  • Removes obsolete benchmark (3f259da)

  • Resolve broken introspection scope setting (18837a9)

  • Resolve HS256 kid mismatch (6d647d7), closes #83

  • Resolves an issue with cached matchers (951da25), closes #73:

    This patch resolves an issue where updates would not properly propagate. This caused deleted rules to still be available in the proxy.

  • Resolves issues with broken tests (6604045)

  • Resolves naming issues and updates readme (5495d4a)

  • Resolves panic when network fails in "rules import" (078542a)

  • Resolves potential panic in request handler (ef6e889)

  • Resolves recursive stack overflow (#81) (0594cda), closes #80

  • Streamlines https configuration variables (#124) (9f6f815), closes #121

  • Test for errors (585672e)

  • Test missing Extra field (a4d3d2d)

  • Test nesting of various types (188748d)

  • Test template caching/lookup (ab8a402)

  • Update keto to latest (3e2a8de)

  • Update rules stub (475f39a)

  • Updates to ORY Hydra v1.0.0-beta.2 (e4c9f2e)

  • Upgrade keto authorizer to 0.2.0 (#145) (bcd4836)

  • Upgrade superagent version (44ed240)

  • Use print funcmap function to override text/template print (76b2d9d)

  • Validate handler configurations (a558103)

0.11.12 (2018-05-07)

Introduces new versioning number to match ORY Hydra

Documentation

  • Adds automatic summary generation (#49) (20fefbc)

  • Adds edit on github links (95af1bb)

  • Adds license note to all source files (#51) (2c8ff2f)

  • Fixes redirect path (9bca2f3)

  • Moves documentation to new repository (#57) (a9f21f3)

  • Redirect to ory domain (0599e63)

  • Removes newline from swagger doc (5e297b3)

  • Removes stray line in api docs (bed1a04)

  • Removes summary plugin (ce06f4e)

  • Resolves broken policy and client definitions (#55) (4676f40), closes #53

  • Updates chat badge to discord (1bbac52)

  • Updates execution instructions (#56) (3bcfd8b):

    Adjusting run script to respect env variables

  • Updates README.md (#58) (bdb542f)

  • Updates swagger docs (5ea68c2)

Unclassified

  • Introduces new versioning number to match ORY Hydra (75b5121)

  • Adds license (cc13ae8)

  • Updates README.md (c9340dc)

  • Adds mock generation script (00b51b7)

  • Corrects logging typo (#52) (d415291):

    This corrects logging from 'oahtkeeper-proxy' to 'oathkeeper-proxy' in, e.g., the proxy latency logline.

  • Updates hydra sdk mock (2ff8032)

  • Updates hydra to 0.11.6 (ee969f6)

  • Updates license header (94a2ed2)

  • Use source file from vendor for mock generation (42517c6)

  • Uses Hydra v0.11.6 in tests (9c2cc89)

0.0.29 (2017-12-19)

Adds use field to well known (#48)

Unclassified

  • Adds use field to well known (#48) (f7353ea), closes #48

0.0.28 (2017-12-19)

Replaces key discovery with well-known feature (#46)

Closes #43

Unclassified

  • Replaces key discovery with well-known feature (#46) (e343a61), closes #46 #43

0.0.27 (2017-12-12)

Adds cors capabilities to management server

Unclassified

  • Adds cors capabilities to management server (6519846)

0.0.26 (2017-12-11)

Adds hydra.introspect to required tokens

Unclassified

  • Adds hydra.introspect to required tokens (b66462a)
  • Fixes broken image link in docs (1aa2404)

0.0.25 (2017-11-28)

Add extra data from token introspection to session

Unclassified

  • Add extra data from token introspection to session (ce8f9f2)

0.0.24 (2017-11-26)

Replaces LogError with direct error logging

Unclassified

  • Replaces LogError with direct error logging (73994b8)
  • Upgrades vendor dependencies (4207aef)
  • Introduces telemetry module and adds documentation (c5a7f7a), closes #27 #34
  • Use oathkeeper public url as issuer (1e5ae00)

0.0.23 (2017-11-24)

Print formatted output string in rule management CLI (#35)

Documentation

Unclassified

  • Print formatted output string in rule management CLI (#35) (b14c74e), closes #35
  • Update docs and add tests (#32) (c6bf7d1), closes #32

0.0.22 (2017-11-20)

Renames bypass values for better clarity

Closes #13 Closes #29

Unclassified

  • Renames bypass values for better clarity (46a717e), closes #13 #29

0.0.21 (2017-11-19)

Request hydra.keys scope and fix panic

Unclassified

  • Request hydra.keys scope and fix panic (546b2cf)

0.0.20 (2017-11-18)

docs: Improve swagger documentation

Documentation

  • Add developer guide link to readme (68be400)
  • Add install and run section (87f0700)
  • Fix table of contents in summary (fdb752b)
  • Improve swagger documentation (8f16a9b)
  • Wrote basic developer guide (952d27c)

Unclassified

  • Replace shared secret with RSA key from Hydra for ID token signing (e7ed8ca)
  • Ignore gitbook output directory (580b94f)
  • Add rules management capabilities to the cli (289c38a)
  • Format cmd/serve (bc2e7c1)

0.0.19 (2017-11-13)

evaluator: Use full request URL

Unclassified

0.0.18 (2017-11-13)

evaluator: Improve audit capabilities

Unclassified

  • Improve audit capabilities (c952d21)
  • Resolve potential panic in token id generation (8fe9e9a), closes #22

0.0.17 (2017-11-12)

Introduces surrogate_id to SQLManager (#21)

Unclassified

  • Introduces surrogate_id to SQLManager (#21) (fbe272f), closes #21

0.0.16 (2017-11-12)

Replace MatchesPath with MatchesURL (#20)

Unclassified

  • Replace MatchesPath with MatchesURL (#20) (4ee776c), closes #20

0.0.15 (2017-11-09)

Add HTTPS capabilities and document proxy/management commands (#19)

Unclassified

  • Add HTTPS capabilities and document proxy/management commands (#19) (98ef623), closes #19

0.0.14 (2017-11-07)

Make refresh_delay configurable and skip it on boot (#18)

Unclassified

  • Make refresh_delay configurable and skip it on boot (#18) (4863a82), closes #18

0.0.13 (2017-11-07)

Store rules path match in plaintext (#17)

Unclassified

  • Store rules path match in plaintext (#17) (6570b5d), closes #17

0.0.12 (2017-11-07)

Use ladon regex compiler for matches (#16)

Unclassified

  • Use ladon regex compiler for matches (#16) (972a328), closes #16
  • Fix typo in circle-ci test-docker job (5618c30)
  • Run docker image in test (12b5f13)

0.0.11 (2017-11-06)

Move gatekeeper to $PATH in docker image

Unclassified

  • Move gatekeeper to $PATH in docker image (81e5562)
  • Force docker version 17.10 in circle (3927a78)

0.0.10 (2017-11-06)

Add ssl certificates to scratch image

Unclassified

  • Add ssl certificates to scratch image (56a3243)
  • Build static binary within docker (4d6d8bf)

0.0.9 (2017-11-06)

Build binary statically with CGO disabled

Unclassified

  • Build binary statically with CGO disabled (6dd3761)

0.0.8 (2017-11-06)

Make oathkeeper binary executable#

Unclassified

  • Make oathkeeper binary executable# (9e24888)

0.0.7 (2017-11-06)

Build oathekeeper docker image statically (#14)

  • Build oathekeeper docker image statically

  • Build oathekeeper docker image statically

Unclassified

  • Build oathekeeper docker image statically (#14) (dbd2037), closes #14:

    • Build oathekeeper docker image statically

    • Build oathekeeper docker image statically

0.0.6 (2017-11-03)

Added serve all command

Unclassified

  • Added serve all command (dfc071c)

0.0.5 (2017-11-01)

Remove goveralls from circle build

Unclassified

  • Remove goveralls from circle build (8362e1c)
  • Add cors handling to proxy (84cec15)
  • Use circle ci build status badge (b776e05)
  • Use circle ci build status badge (65c4100)
  • Switch from glide to golang/dep for vendoring (ec63fa4)
  • Resolve tests by replacing nil slice (#7) (971d020), closes #7

0.0.4 (2017-10-21)

Return arrays instead of null on rule creation (#6)

Unclassified

  • Return arrays instead of null on rule creation (#6) (02e88be), closes #6
  • Add circleci configuration file (#5) (76e58f2), closes #5

0.0.3 (2017-10-18)

Force linefeed for shell scripts

Unclassified

  • Force linefeed for shell scripts (1e4fc77)
  • When introspection fails return unauthorized (f5295b4)

0.0.2 (2017-10-12)

cmd: remove unnecessary scope hydra.warden.*

Unclassified

  • Add ability to skip acp checks (18facbb)
  • Remove unnecessary scope hydra.warden.* (2214498)

0.0.1 (2017-10-10)

travis: add goveralls report submission (#2)

Documentation

Unclassified