Skip to content

v0.14.0

Compare
Choose a tag to compare
@guicassolato guicassolato released this 11 Jul 10:12
· 218 commits to main since this release
a27b2a0

New features and Enhancements

  • New response method plain (#393)
    • Allows configuring for the injection of HTTP request headers whose value are simple text/plain values.
    • This is an alternative to having to stringify a JSON object using the json response method.
  • Control over overwriting values in the identity object added to the API (#399)
    • Adds new property overwrite: bool (default: false) to the extended properties that allows to force extend the identity object or only when the property is missing
  • New tighten-up Permissions over Authorino files within the container (#391)
    • Adds a new dedicated home path in the file system within the container for the Authorino binary and any other future Authorino files.
    • The directory is owned by a new authorino Linux user and root Linux group.
    • Allows running Authorino on OpenShift with the default unprivileged user on standard restricted security context strategy, without the files having to be owned by root.
    • In other environments, users can choose to run the container as root or as the less privileged authorino user.
  • [Breaking change] New escaping of base64-decoded strings (#401)
    • Authorino now automatically escapes double quotes within strings extracted from the Authorization JSON and decoded with the @base64 modifier.
    • The typical use case for this is to be able to parse base64-encoded strings that represent valid JSON types other than simple strings (e.g. objects and arrays) and navigate those structures with normal JSON paths. For example, for parsing a JWT straight from the Authorization header.
    • The new behavior comes with a minor breaking change though, which is the dropping of support for base64 URL-encoded values. As a consequence, base64-encoded strings, passed and extracted from the URL path to be decoded with the @base64 modifier, for example, must not include the URL-encoded right padding characters (i.e. =, encoded as %3D). Authorino will fail to decode such values. To work around this limitation, use the @replace modifier before decoding with @base64:decode.
  • [Breaking change] Simple Kubernetes TokenReview identity object (#403)
    • Makes the Kubernetes TokenReview-based identity method to always fill the identity object from the status field of the TokenReview response, as opposed to the current hybrid behaviour of trying to detect whether the verified access token is a JWT or an opaque token.
    • Users relying on JWT detection can still extract, decode and parse the JWT directly from the Authorization header. Here’s an example extending the identity object. E.g.
      spec:
        identity:
        - name: k8s-tokenreview
          kubernetes:
            extendedProperties:
            - name: jwt
              valueFrom:
                authJSON: context.request.http.headers.authorization|@extract:{"pos":1}|@extract:{"sep":".","pos":1}|@base64:decode|@fromstr

Dependencies and Tooling

  • Upgrade to Golang v1.19.x (#409)
  • Bump OPA to v0.52.0 (#398)

Testing

  • Update client certificates used in the automated tests (#405, #406)

Documentation

  • Fix instructions to extract Kubernetes TokenReview username from the identity object mentioned in the docs (#408)
  • Fix wrong metric type mentioned in the docs by @averevki (#410)

Other minor fixes

  • Fix several one-of constraints of the AuthConfig API (#396, #404)

Full Changelog: v0.13.0...v0.14.0