CHANGELOG.md

2.3.0

FEATURES:

• Added the ability to use a "any" operation on the roles rather then just "and" with the inclusion of a require-any-role #PR389
• Added a --enable-request-id option to inject a request id into the upstream request #PR392
• Added the ability for the proxy to generate self-signed certificates for use via the --enable-self-signed-tls #PR394
• Added support for token with multiple audiences in the claims #PR401
• Added --max-idle-connections and --max-idle-connections-per-host settings to support tuning the http connection pool size for performance needs #PR405

BREAK CHANGES

• Added the http-cookie-only option as default true #PR397

2.2.2

FEATURES:

• Added the ability to the add response headers via --response-headers #PR386

2.2.1

FIX

• a minor fix to the logout handler, when logout redirection is enable if no redirect param is given we default to the hostname #PR375

2.2.0

FEATURES:

• Added a --enable-default-deny option to make denial by default #PR320
• Added a enable-logout-redirect which redirects the /oauth/logout to the provider #PR327
• Added environment variables alternatives for the forwarding username and password #PR329
• Added metrics latency metrics for the forwarding proxy and the certificate rotation #PR325
• Added spelling check to the tests #PR322
• Added the X-Auth-Audience to the upstream headers #PR319
• Added the ability to control the timeout on the initial openid configuration from .well-known/openid-configuration #PR315
• Added a --preserve-host option to preserve the host header of the proxied request in the upstream request #PR328
• Added the feature to customize the oauth prefix (defaults to /oauth) #PR326
• Adding additional metrics covering provider request latency, token breakdown #PR324
• Changed the upstream-keepalive to default to true #PR321
• Force configuration to use the wildcard #PR338
• Updated the docker base image alpine 3.7 #PR313
• Updated to Golang version 1.10 #PR316
• Adding the --enable-session-cookies to enable session only cookies #PR357
• Adding a ability to match string arrays claims #PR364
• Imported the fix to the cache headers from upstream go-oidc #PR341
• Switched from glide to dep lib tool #PR373
• Switched to using SHA256 from MD5 for the token hash #PR350
• Switched to using golang v1.10.2 #PR374
• Added a warning messaage to indicate disabling the write-timeout when using pprof #PR370

FIXES:

• Fixed up the redirect_uri to the logout #PR365
• Fixed a redirection bug #PR337
• Updated the go-oidc to fix the cache header issues#PR339
• Fixed up the readme indicating we can run without client secret #PR342
• Fixed up the redirect url in the logout handler #PR345
• Switched to using the upstream stream goproxy #PR349
• Removing the unused code #PR352
• Reducing the aggressive timeouts on the upstream #PR354
• Fixed the issue with a zero exp claim #PR355
• Added a method check for the hijacker #PR302

BREAKING CHANGES:

• Making the cookies session only by default and turning the default denial on #PR368

2.1.1

FEATURES:

• Added the groups parameter to the resource, permitting users to use the groups claim in the token #PR301
• Removed the authors file #PR299

FIXES:

• Fixed the custom headers when upgrading to websockets #PR311
• Fixed exception when upgrading to websockets #PR303

2.1.0

FIXES:

• fixed the parsing of slices for command line arguments (i.e. --cors-origins etc)
• fixed any accidental proxying on the /oauth or /debug URI
• removed all references to the underlining web framework in tests
• adding unit tests for proxy protocol and using the run() method #PR214
• removed unnecessary commands in the Dockerfile #PR213
• removed the unrequired testing tools #PR210
• fixed a number of linting errors highlighted by gometalinter #PR209
• added docker image instructions to the readme #PR204
• added unit tests for the debug handlers #PR223
• fixing the logout handler panic when revocation url is not set #PR254
• fixing the Host header on the forwarding proxy #PR290

FEATURES

• changed the routing engine from gin to echo
• we now normalize all inbound URI before applying the protection middleware
• the order of the resources are no longer important, the framework will handle the routing #PR199
• improved the overall spec of the proxy by removing URL inspection and prefix checking #PR199
• removed the CORS implementation and using the default echo middles, which is more compliant #PR199
• added a warning for suspect resource urls not using wildcards #PR206
• added a build time to the version tag #PR212
• added coveralls coverage submission to the ci build #PR215
• added spelling code coverage to the ci build #PR208
• update the encryption to use aes gcm #PR220
• added the --enable-encrypted-token option to enable encrypting the access token:wq
• added the --skip-client-id option to permit skipping the verification of the auduence against client in token #PR236
• updated the base image to apline 3.6 in commit 0fdebaf821
• moved to use zap for the logging #PR237
• making the X-Auth-Token optional in the upstream headers via the --enable-token-header #PR247
• adding the ability to load a CA authority to provide trust on upstream endpoint #PR248
• adding the ability to set various http server and upstream timeout #PR268
• adding the --enable-authorization-cookies command line option to control upstream cookies $PR287

BREAKING CHANGES:

• the proxy no longer uses prefixes for resources, if you wish to use wildcard urls you need to specify it, i.e. --resource=/ becomes --resource=/* or =admin/ becomes =admin/* or /admin*; a full set of routing details can bt found at https://echo.labstack.com/guide/routing #PR199
• removed the --enable-cors-global option, CORS is now handled the default echo middleware
• changed option from log-requests -> enable-logging #PR199
• changed option from json-format -> enable-json-logging #PR199

MISC:

• Switch to using a go-oidc fork for now, until i get the various bit merged upstream

2.0.7

FIXES:

• Backported Fix to the proxy proxy call 767967c3

2.0.6

FIXES:

• Ensuring we abort all requests to /oauth/ #PR205

2.0.5

FIXES:

• We normalize all urls before the protection middleware is applied #PR202

2.0.4

FIXES:

• Fixes a bug in authentication, which permitted double slashed url entry #PR200

FEATURES:

• Grabbing the revocation-url from the idp config if user override is not specified #PR193

2.0.3

FEATURES:

• Adding the PROXY_ENCRYPTION_KEY environment varable #PR191

2.0.2

FEATURES:

• Adding the --enable-cors-global to switch on CORs header injects into every response #PR174
• Adding the ability to reload the certificates when the change #PR178
• Removing the requirement of a redirection-url, if none is specified it will use Host header or the X-Forwarded-Host if present #PR183

CHANGES:

• Updated the gin dependency to latest version and removed dependency in tests for gin #PR181
• Updated to go-proxy to the latest version #PR180
• Fixed up some spelling mistakes #PR177
• Changed the CLI to use reflection of the config struct #PR176
• Updated the docker base image to alpine:3.5 #PR184
• Added a new options to control the access token duration #PR188

BUGS:

• Fixed the time.Duration flags in the reflection code #PR173
• Fixed the environment variable type #PR176
• Fixed the refresh tokens, the access token cookie was timing out too quickly (#PR188

2.0.1

BUGS:

• fixing the cli option for --resources. Need to start writing tests for the cli options

2.0.0

FEATURES:

• Adding the --skip-openid-provider-tls-verify option to bypass the TLS verification for Idp #PR147
• Added a http service to permit http -> https redirects --enable-https-redirect #PR126
• Added a pprof debug handler to support profiling the proxy, via --enable-profiling #PR156

FIXES:

• Fixed the --headers and --tags command line options, had a typo on the mergeMaps method #PR142
• Cleaned up how the cli command line options are processed #PR164
• Cleaned up the option checking for forwarding proxy tls setting #PR163
• Using timeout rather than multiple attempts for discovery url #PR153
• Updated the go-oidc library with various fixes #PR159

BREAKING CHANGES:

• The login handler by default has been switched off, you must enable for --enable-login-handler #PR
• Changed the CORS format in the configuration file
• Changed the command line options scope -> scopes
• Changed the command line options log-json-format -> json-format
• Changed the command line options resource -> resources
• Changed the command line options tags -> tags

1.2.8

FIXES:

• Fixed a bug in the --cookie-domain options
• Added unit test for the cookie-domain options
• Switched to using set rather than add to the headers

1.2.7

FIXES:

• Added unit tests for the logout handlers
• Added unit tests for the authorization header handling

FEATURES:

• Allow the user to enable or disable adding the Authorization header

1.2.6

FIXES:

• Fixes the revocation url bug

FEATURES:

• Adds the ability to control the http-only cookie option, default to false

1.2.5

FIXES:

• Fixes the /oauth/login handler to return 401 on failed logins

1.2.4

FEATURES

• Added the ability to set the forwarding proxy certificates
• Added logging for outbound forward signing requests

FIXES:

• Fixes the expiration of the access token, if no idle-duration is
• Fixed the forwarding proxy for SSL
• Fixed the bug in the containedSubString method

BREAKING CHANGES:

• Fixed up the config resource definition to use 'uri' not 'url'
• Removed the --idle-duration option, was never really implemented well

1.2.3

FEATURES:

• Added a prometheus metrics endpoint, at present a break down by status_code is provided
• Added the ability to override the cookie domain from the default host header
• Added the ability to load a client certificate used by the reverse and forwarding upstream proxies.

TODO:

• Need a means to updating the client certificate once expired.

CHANGES:

• Updated the godeps for codegangsta cli to it's renamed version

FIXES:

• Fixed the environment variable command line options, the IsSet in cli does not check environment variable setters

1.2.2

CHANGES:

• General Code fix uo
• removing from dockerfile user and group

1.2.1

CHANGES:

• Updated the dockerfile to create a user and group and not run at root

1.2.0

BREAKING CHANGES:

• Changed the /oauth/login handler to use post form values rather than query parameter to ensure (to a degree) they are not logged

1.1.1

FIXES:

• Fixed the configuration bug which required a redirection-url even when redirection was shifted off

1.1.0

FIXES:

• Added a auto build to quay.io on the travis build for master and tags
• Fixed the host header to proxy to upstreams outside of the proxy domain (golang/go#7618)
• Adding a git+sha to the usage
• Defaulting to gin mode release unless verbose is true
• Removed the gin debug logging for tests and builds
• Removed the default upstream, as it caught people by surprise and some accidentally forwarded to themselves
• Changed the state parameter (which is used as a redirect) to base64 the value allowing you to use complex urls

FEATURES:

• Adding environment variables to some of the command line options
• Adding the option of a forwarding agent, i.e. you can seat the proxy front of your application, login to keycloak and use the proxy as forwarding agent to sign outbound requests.
• Adding the version information into a header on /oauth/health endpoint
• Removed the need to specify a client-secret, which means to cope with authz only or public endpoints
• Added role url tokenizer, /auth/%role%/ will extract the role element and check the token as it
• Added proxy protocol support for the listening socket (--enable-proxy-protocol=true)
• Added the ability to listen on a unix socket

BREAKING CHANGES:

• Changed the X-Auth-Subject, it not is the actual subject from the token (makes more sense). X-Auth-UserID will either be the subject id or the preferred username

1.0.6 (May 6th, 2016)

FIXES:

• Fixed the logout endpoint, ensuring users sessions are revoked. Note: i've not really tested this against Keycloak and Google. Revocation or logouts seems to have somewhat scattered implementation across providers.

1.0.5 (May 3th, 2016)

FEATURES:

• You can choose the cookie name of the access and refresh token via --cookie-{access,refresh}-name
• An additional option --add-claims to inject custom claims from the token into the authentication headers i.e. --add-claims=given_name would add X-Auth-Given-Name (assumed the claims exists)
• Added the --secure-cookie option to control the 'secure' flag on the cookie

BREAKING CHANGES:

• Changed the claims option from 'claims' to 'match-claims' (command line and config)
• Changed keepalive config option to the same as the command line 'keepalive' -> 'upstream-keepalives'
• Changed the config option from 'upstream' to 'upstream-url', same as command line

1.0.4 (April 30th, 2016)

FIXES:

• Fixes the cookie sessions expiration

FEATURES:

• Adding a idle duration configuration option which controls the expiration of access token cookie and thus session. If the session is not used within that period, the session is removed.
• The upstream endpoint has also be a unix socket

BREAKING CHANGES:

• Change the client id in json/yaml config file from clientid -> client-id

1.0.2 (April 22th, 2016)

FIXES:

• Cleaned up a lot of code base to make this simpler
• Fixed elements in the refresh tokens and simplified the controller
• Removed of the code out from methods into functions to reduce the dependencies (unit testing is easier as well)
• Fixed how the refresh tokens are implemented, i was somewhat confused between refresh token and offline token
• Fixed the encryption key length, must be either 16 or 32 for aes-128/256 selection

FEATURES:

• Added the ability to store the refresh token in either local boltdb file or a redis service rather than an encrypted cookie (note, the token regardless is encrypted)
• Added a /oauth/logout endpoint to logout the user
• Added a /oauth/login (niche requirement) to provide grant_type=password requests

TODO:

• Really need to mock a oauth server to simplify the unit tests

BREAKING CHANGES:

• Changed the following configuration options to conform to their command line equivalents
  • refresh_sessions -> refresh-sessions
  • discovery_url -> discovery-url
  • redirection_url -> redirection-url
  • tls_ca_certificate -> tls-ca-certificate
  • tls_private_key -> tls-private-key
  • tls_cert -> tls-cert
  • log_json_format -> log-json-format
  • log_requests -> log-requests
  • forbidden_page -> forbidden-page
  • sign_in_page -> sign-in-page
  • secret -> client-secret

1.0.1 (April 8th, 2016)

FIXES:

• Fixed the refresh tokens for those provides whom do not use JWT tokens, Google Connect for example

1.0.0 (April 8th, 2016)

FEATURES

• Added the /oauth/expiration controller to test for access token expiration
• Added the /oauth/token as a helper method to display the access token

FIXES:

• Fixed and cleaned up a few niggling issues

1.0.0-rc6 (March 31th, 2016)

FIXES:

• Added a option to control the upstream TLS verification
• Added in the x-forwarded-for headers rather than overwriting
• Moved back to using the official coreos go-oidc rather than the hacked version

1.0.0-rc5 (March 15th, 2016)

FEATURES:

• Added the realm access roles for keycloak, beforehand the user contect was only parses roles which were from client applications

BUGS:

• Fixed the gitlab-ci build scripts
• Fixed the custom forbidden page bug