Skip to content

Latest commit

 

History

History
1537 lines (977 loc) · 105 KB

CHANGELOG.md

File metadata and controls

1537 lines (977 loc) · 105 KB

Changelog

Table of Contents

Unreleased (2020-09-21)

Bug Fixes

  • Deprecated key in goreleaser config (2a4f901)
  • Misleading HTTP status code for oauth2_client_credentials authenticator (#504) (0f65631), closes #496

Documentation

  • Fix broken links (dd3bfbe)

  • Fix OAuth2 Introspect Authn Config Documentation (#498) (7612e20):

    Switch the definitions for the pre-authorisation fields 'scope' and 'token endpoint' in the documentation.

  • Fix sidebar (28247fc)

  • Guide for integrating with ORY Hydra (#497) (e1b1751)

  • Move development section (582a4d0)

  • Move to json sidebar (b67230d)

  • Remove duplicate template (01550b4)

  • Update repository templates (2aaf766)

  • Update repository templates (#506) (cb53d79)

Features

  • Add and automate version schema (7ab4012)

  • Add url_param config option to redirect error handler. (#520) (b5bb3bc), closes #511:

    This change introduces a url_param config option for redirect error handler. If it contains a url paramter name, the redirect url will have this parameter set, containing the current url (from which Oathkeeper has redirected the user).

    This can be useful in passing the return_to url to Kratos, so user can be redirected to the page they initially wanted to access after a successfull sign in.

  • Log invalid credentials on info level instead of error/warning (#517) (a372b5f), closes #505

  • Use uri-reference for errors redirect to allow relative urls (#516) (0d39674)

Unclassified

0.38.3-beta.1 (2020-07-29)

Bug Fixes

Documentation

  • Delete old redirect homepage (a1a4610)
  • Fix access rule example (739f179)
  • Fix api access rule example (#460) (c75cd97)
  • Update repository templates (edffc2e)
  • Update repository templates (7af8749)
  • Use central banner repo for README (04fe00c)
  • Use mdx for api reference (368f073)

Features

  • Improve configurability of prometheus metrics (#450) (ddcb226), closes #446
  • Pass query parameters to the hydrators (#479) (48603a1)

0.38.2-beta.1 (2020-05-25)

Bug Fixes

  • Move prometheus validation stanza to local schema (#437) (dcf3e14), closes #438

Documentation

Features

  • Add configurable timeouts to API server (#440) (0dc6292)
  • Timeout config for oauth2_client_credentials (#443) (2462fa3), closes #442

0.38.1-beta.1 (2020-05-08)

Bug Fixes

  • Improve caching strategy and config for hydrator (#433) (0047054):

    To enable the hydrator cache you must now use the cache.enabled property. Also, the cache key strategy has been improved.

0.38.0-beta.2 (2020-05-07)

Bug Fixes

  • Add old schemas to resolve issues with old versions (b94c391), closes #400

  • Don't copy the decision endpoint request's Content-Length (#422) (0e99045):

    We currently copy all original request headers send to the decission endpoint back. This can include the Content-Length header which describes the request body or response. Including the original request Content-Length causes issues for the decission endpoint client if the response body doesn't match the exact size.

    This change makes sure the Content-Length doesn't get included in the response body and adds a test to prevent future regressions.

  • Respect retry in token introspection (#410) (88f7b69)

  • Update install.sh script (#429) (2d2eded)

  • Use pipe to pass body remote authorizer (#426) (1a44087):

    Resolves flaky tests.

  • Use semver-regex replacer func (a13cdf5)

Code Refactoring

Documentation

Features

  • Add cache to hydrator (#418) (1ae6e7a), closes #417:

    This patch introduces new configuration parameters that allow the hydrator mutator to cache requests.

  • Add new remote authorizer that uses request body and headers (#416) (3a20637):

    This pull request implements a new authorizer that sends the original request body as body to the remote endpoint. This allows the remote endpoint to take the body into account in its decision.

    The current remote_json authorizer does not have the ability to send the request body of the request to authorize. This means this cannot be taken into account while checking permissions.

    Providing the request body as part of the JSON payload won't always work as JSON cannot handle binary data.

  • Add prometheus docs (#427) (117ee6a)

  • Add prometheus endpoint providing basic request metrics (#404) (fdaed46):

    This patch adds basic prometheus metrics. The prometheus metrics are exposed at the default prometheus exporter port 9000 and is configurable with:

     serve:
       prometheus:
         port: 9000
         host: localhost
         metrics_path: /metrics
    
  • Oauth2_introspect cache introspection results (#424) (d4557ae), closes #293

0.37.1-beta.1 (2020-04-03)

Documentation

  • Regenerate and update changelog (4e251e9)

0.37.0-beta.1 (2020-04-02)

Bug Fixes

  • Add rule id to malformed configuration log error (#386) (7688a8d)

  • Disable test that fails with low cache hit rate (#372) (5414dda), closes #371

  • Improve id_token performance with caching (#367) (47e9fee), closes #364

  • Load config file only in serve command (#365) (68c8546)

  • Replace segment with our own sqa endpoint (#385) (8f63eda)

  • SendOAuth2 introspection scope only when strategy is none (#379) (5e0c8dc), closes #377:

    This patch removes the scope key from the OAuth2 Introspection request body when a scope strategy other than none is set for the OAuth2 Introspection handler. If the scope strategy is none, the scope key is included in the body.

  • Token expiration error in tests (#390) (9c07a73)

  • docker: Improve docker-compose example (#325) (1247381), closes #324:

    Add a new file 'Dockerfile-dc' which will primarily be used by Docker Compose to build docker images. Unlike the existing Dockerfile which depends on the Makefile to build the binary, this Dockerfile copies the source code and builds the binary.

    Oathkeeper has gone through a couple of changes since the initial draft of the docker compose file, considering these changes and the newly introduced Dockerfile in the previous commit, make these changes to the docker-compose.yml:

    1. Bump the version of the compose file to 3.
    2. Remove the need for the postgres database app, since Oathkeeper no longer needs a database.
    3. Remove the need for the migration app, since we no longer need to migrate since there is no database and the option is deprecated.
    4. Use the newly defined Dockerfile 'Dockerfile-dc'.
    5. We now serve both API and PROXY from the same app, so we don't need two instances of the app.
    6. Add sample config, rules and JWK files to .docker_compose, mount this via a volume mount.

Documentation

  • Change link to Developer Install Guide (#369) (f7fe46f):

    Changing the link to the Developer Documentation - it was pointing to Keto and not to Oathkeeper.

  • Document v0.36 and v0.37 (a176c73)

  • Fix examples for some JSON Schema config keys (#363) (aeeb353)

  • Regenerate and update changelog (9417e2c)

  • Regenerate and update changelog (b817037)

  • Regenerate and update changelog (33a5524)

  • Regenerate and update changelog (888b7a6)

  • Regenerate and update changelog (36faa3b)

  • Regenerate and update changelog (32b6059)

  • Regenerate and update changelog (ba4de09)

  • Regenerate and update changelog (a76f749)

  • Regenerate and update changelog (1789d00)

  • Regenerate and update changelog (0dfc608)

  • Regenerate and update changelog (b23c79a)

  • Regenerate and update changelog (2117171)

  • Regenerate and update changelog (38c9e19)

  • Regenerate and update changelog (e3eda75)

  • Regenerate and update changelog (e7d70f7)

  • Regenerate and update changelog (874b7a9)

  • Regenerate and update changelog (6b1d94b)

  • Regenerate and update changelog (cb38415)

  • Regenerate and update changelog (bec6af0)

  • Update forum and chat links (d9eed10)

  • Update README.md (#375) (313d2fe), closes #374:

    Fixed link to Envoy configuration page and added link to AWS API Gateway.

  • Updates issue and pull request templates (#382) (484c406)

Features

BREAKING CHANGES

  • This feature allows to use the regex capture groups from the URL matcher to be used in several places, including the ID Token generator and elsewhere. To get this working, existing keto_engine_acp_ory authorizers are no longer able to use regex substition in the form of my:action:$1 but instead must use the new format which is {{ printIndex .MatchContext.RegexpCaptureGroups 0}} (notice that the index changed by -1). A rule migrator exists which makes old rules compatible with the new format, if a version string is given. More details on the rule migration can be found here: https://github.com/ory/oathkeeper/pull/358/commits/fd16ceb230a1b14ebb01a147d2d70acce77f9fbd#diff-6177fb19f1b7d7bc392f5062b838df15

0.36.0-beta.4 (2020-02-14)

Bug Fixes

  • goreleaser: Update brew section (46fb3da)

Documentation

  • Regenerate and update changelog (95a7c09)

0.36.0-beta.1 (2020-02-05)

Documentation

  • Prepare ecosystem automation (81ea56b)
  • Regenerate and update changelog (b71e48c)
  • Regenerate and update changelog (4f22e42)
  • Regenerate and update changelog (23e053f)
  • Updates issue and pull request templates (#355) (f9251ed)

Features

  • ci: Add nancy vuln scanner (#354) (de36e40)

  • rule: Add glob matching strategy (#334) (5f983ab), closes #321:

    This patch adds the ability to choose a matching strategy and adds a glob-based matching strategy to the available options (regex is still the default).

Unclassified

  • Update CHANGELOG [ci skip] (8278b9d)
  • Update CHANGELOG [ci skip] (17f78b7)
  • Update CHANGELOG [ci skip] (d6f6925)
  • Update CHANGELOG [ci skip] (0e109ce)

0.35.5-beta.2 (2020-01-31)

Unclassified

0.35.5-beta.1 (2020-01-27)

Unclassified

  • Hash enabled check to further improve performance (#353) (19099cb), closes #353
  • Update CHANGELOG [ci skip] (6afdeae)
  • Update CHANGELOG [ci skip] (3226ae6)

0.35.4-beta.1 (2020-01-26)

Unclassified

  • Update release pipeline and tests (#351) (c7d81a9), closes #351

0.35.3-beta.1 (2020-01-26)

Documentation

  • Updates issue and pull request templates (#341) (eca2652)

Unclassified

  • Update CHANGELOG [ci skip] (518b765)
  • Update SDK (5e619a0)
  • Cache pipeline config and improve request latency (#348) (95673ed), closes #346
  • Update CHANGELOG [ci skip] (495adcf)
  • Use integer instead of number in config JSON schema (280b42f)
  • Update CHANGELOG [ci skip] (b72965f)
  • Update SDK (aedabd9)
  • Set min/max for port range in config JSON Schema (#345) (d7d696f), closes #345
  • Update CHANGELOG [ci skip] (8e4d58c)
  • Fix profiling env variable not being picked up (#343) (29b0cf1), closes #343
  • Update CHANGELOG [ci skip] (e7a5d89)
  • Update CHANGELOG [ci skip] (abc00d4)
  • Update SDK (a237c29)
  • Update broken links in README (78e498c)

0.35.1-beta.1 (2020-01-14)

Unclassified

  • Update CHANGELOG [ci skip] (63b0076)

0.35.0-beta.1 (2020-01-13)

Documentation

  • Incorporates changes from version v0.34.0-beta.1 [ci skip] (a8a62b4)
  • Incorporates changes from version v0.34.0-beta.1-2-g7516eed [ci skip] (eb82132)
  • Incorporates changes from version v0.34.0-beta.1-4-gee2b9e7 [ci skip] (d084c39)
  • Incorporates changes from version v0.34.0-beta.1-6-g6723fb8 [ci skip] (ebe89ab)

Unclassified

  • Update CHANGELOG [ci skip] (f0e8ecf)

  • Update SDK (6a0a0f8)

  • Update upgrade guide (#337) (99e9877), closes #337

  • Update CHANGELOG [ci skip] (2e13a05)

  • Remove superfluous version from workflows (55037fa)

  • Update CHANGELOG [ci skip] (dfbc231)

  • Update SDK (65222d5)

  • Move to new SDK pipeline (#333) (6940dc8), closes #333

  • authn/cookie_session: Add subject_from modifier (#336) (6723fb8), closes #336:

    The subject_from modifier is a GJSON path that points to the subject field. Useful if the upstream API does not return a {"subject": "..."} format.

  • authn/cookie_session: Add extra_from modifier (#335) (ee2b9e7), closes #335:

    The extra_from modifier is a GJSON path that points to the extra field. Useful if the upstream API does not return a {"subject": "...", "extra": "..."} format.

  • pipeline/authn: Add tests for cookie sources in jwt and oauth2_intro (#330) (#331) (7516eed), closes #330 #331 #330:

    Also updates the schemas to add missing cookie config element.

0.34.0-beta.1 (2019-12-26)

Documentation

  • Incorporates changes from version v0.33.1-beta.1 [ci skip] (6681754)
  • Incorporates changes from version v0.33.1-beta.1-2-g4033321 [ci skip] (2764758)
  • Incorporates changes from version v0.33.1-beta.1-4-g7e6f636 [ci skip] (66ae8c8)

Unclassified

  • Prepare v0.34.0-beta.1+oryOS.14 release (96f77b2)

  • pipe/err: Improve IP and MIME matching (#323) (7e6f636), closes #323:

    Previously, MIME matching respected the request's wildcards which lead to multiple handlers feeling responsible for a particular request. Now, wildcards coming from the HTTP Request itself are interpreted literally.

    Additionally, ORY Oathkeeper respected the X-Forwarded-For HTTP Header for matching remote IP addresses. This behavior is now turned off by default because clients were able to fake this header otherwise. It can explicitly be turned on by setting config.when.#.request.remote_ip.RespectForwardedForHeader: true.

  • Add customizable error handlers (#322) (4033321), closes #322 #204 #252 #119:

    This patch adds a new feature called error handlers. It allows to define the error handling logic globally and per rule. It is now possible, for example, to return a JSON response for Accept: application/json requests and a HTTP Redirect response for requests that are coming from a user.

    This also resolves several issues, as noted below:

0.33.1-beta.1 (2019-12-18)

Documentation

  • Incorporates changes from version v0.33.0-beta.1 [ci skip] (a178031)
  • Incorporates changes from version v0.33.0-beta.1-10-g3e7936a [ci skip] (083b7eb)
  • Incorporates changes from version v0.33.0-beta.1-12-g0dd3fe3 [ci skip] (82c5253)
  • Incorporates changes from version v0.33.0-beta.1-6-gf60f525 [ci skip] (9870722)
  • Incorporates changes from version v0.33.0-beta.1-8-g815951b [ci skip] (d77b225)

Unclassified

  • Add health check commands (#319) (0dd3fe3)

  • Properly merge env vars into pipeline configs (#320) (3e7936a), closes #320 #305 #317:

    Previously, some keys did not respect the values set in the environment variables.

  • Add alpine-based Docker image (#318) (815951b), closes #318 #312

  • Add more details to decision logging (#316) (f60f525), closes #316 #244 #242:

    Adds details such as the HTTP Method, User Agent, Subject, and other information to the logging output of both the reverse proxy and the decision API.

  • Health endpoints now emit TRACE logs (#314) (9036f8e), closes #283:

    Remove health endpoints from the logs to make monitoring easier. Setting log_level to trace will show these calls.

  • Improve session endpoint debugability (#315) (2718639), closes #300

  • Resolve matcher cache (#313) (1519632), closes #291:

    A bug caused the rule matcher to not cache the regular expression result.

  • Use bearer splitting when header is set to Authorization (#311) (464fa31), closes #308

0.33.0-beta.1 (2019-12-16)

Documentation

  • Incorporates changes from version v0.32.1-beta.1 [ci skip] (98c9bf8)
  • Incorporates changes from version v0.32.1-beta.1-5-gf028719 [ci skip] (9f9c00c)

Unclassified

  • pipeline/mutator: Refactor hydrator retry config (#287) (2a97e05), closes #287
  • Update README banner (#307) (f028719), closes #307
  • Add cookie as an option for oauth2_introspection authenticator (#301) (e3fa55a), closes #301
  • Add preserve_path option for cookie session to not override the path in the request (#297) (7e86b78), closes #297
  • Allow specifying additional headers for the oauth introspection request (#302) (b1e5cea), closes #302

0.32.1-beta.1 (2019-10-30)

Documentation

  • Add notes for 0.32.0 (40e3b89)
  • Incorporates changes from version v0.32.0-beta.1 [ci skip] (f3a0e53)
  • Incorporates changes from version v0.32.0-beta.1-11-g7892d2f [ci skip] (c41ecd4)
  • Incorporates changes from version v0.32.0-beta.1-13-g1910bbe [ci skip] (d45e1a0)
  • Incorporates changes from version v0.32.0-beta.1-3-g8cf6868 [ci skip] (2c8fbf7)
  • Incorporates changes from version v0.32.0-beta.1-9-g08d42da [ci skip] (6ce3344)

Unclassified

  • pipeline/authz: Add Content-Type header in the call to Keto (#290) (1910bbe), closes #290

  • Revert incorrect license changes (7892d2f)

  • Revert readme changes to last working version (08d42da)

  • Remove obsolete section from README (aa8deef)

  • Fix broken readme headlines (2e8109a)

  • Auto-kill test runner after 10 retries (#286) (eaad598), closes #286

  • Update ory/x/viperx dependency (#285) (0ef3bce), closes #276 #270 #279 #280:

    This patch automatically binds environment variables to configuration keys. This patch resolves several issues:

  • Dereference config schema and resolve issues (#282) (8cf6868), closes #282 ory/docs#217 #234 #281

0.32.0-beta.1 (2019-10-20)

Documentation

  • Incorporates changes from version v0.31.0-beta.1 [ci skip] (dafc870)

0.31.0-beta.1 (2019-10-20)

Documentation

  • Incorporates changes from version v0.19.1-beta.1-2-g41869a9 [ci skip] (a44846b)
  • Incorporates changes from version v0.20.0-beta.1 [ci skip] (aaf801b)
  • Incorporates changes from version v0.30.0-beta.1 [ci skip] (ebd198a)

Unclassified

  • pipeline/authn: Add token_from config to introspection and jwt (#271) (fc85ac8), closes #271 #257:

    Add additional optional configuration to jwt and oauth2_introspection authenticators allowing to set from where (which header or query parameter) the token should be received. The configuration is a token_from field in per-rule-configuration, as described in a linked issue.

  • Add migration capabilities (#268) (bc74e72), closes #266:

    Adds the ability to modify rules with backwards compatibility.

  • Force auth style in oauth2 client credentials authn (#267) (97d7890), closes #260

  • Update UPGRADE.md (4e4bd93)

  • Update upgrade instructions (7483d1c)

  • Change error code from 403 to 401 (#259) (c17e564), closes #256

0.19.0-beta.1 (2019-09-23)

Unclassified

  • Fix id_token schema reference URL (72a2333)
  • Resolve broken tests (#262) (bc67cc1), closes #262
  • Homogenize configuration management (#258) (89709aa), closes #258
  • Fix #250: Ignore query parameters to build payload for Keto engine (#251) (d0fc7f4), closes #250 #251

0.18.0-beta.1 (2019-08-22)

Documentation

  • Incorporates changes from version v0.17.4-beta.1 (370eb37)
  • Incorporates changes from version v0.17.5-beta.1 (f7beddc)
  • Updates issue and pull request templates (#237) (6181ee5)
  • Updates issue and pull request templates (#238) (6f83cda)
  • Updates issue and pull request templates (#239) (2e0b3ef)
  • Updates issue and pull request templates (#245) (f140837)

Unclassified

  • mutator/id_token: Add claim templating (#246) (591f524), closes #246
  • Add mutator for modifying authenticationSession with external API (#240) (b38b0f4), closes #240
  • Support multiple mutators per access rule (#233) (d21179d), closes #233 #233
  • Add adopters placeholder (#236) (302c7b8)

0.17.4-beta.1 (2019-08-09)

Documentation

  • Incorporates changes from version v0.17.3-beta.1 (b271ff2)
  • Updates issue and pull request templates (#232) (00c08ba)

Unclassified

  • Add sprig template library (#235) (c85c540), closes #235

0.17.3-beta.1 (2019-08-03)

Documentation

  • Incorporates changes from version v0.17.2-beta.1 (e652c3f)

Unclassified

  • Resolve k8s configmap reload issue (#231) (c04547e)
  • Move back to scratch Docker image (3fa8a50)

0.17.2-beta.1 (2019-08-02)

Documentation

  • Incorporates changes from version v0.17.1-beta.1 (64d180f)
  • Updates issue and pull request templates (#226) (007d491)

Unclassified

  • Support kubernetes configmap reloading (#230) (92b769b)

0.17.1-beta.1 (2019-07-23)

Documentation

  • Incorporates changes from version v0.17.0-beta.1 (8f4a518)

Unclassified

0.17.0-beta.1 (2019-07-18)

Documentation

  • Incorporates changes from version v0.16.0-beta.5 (a8afc3b)
  • Update upgrade guide (a8ccb05)
  • Update upgrade guide (f727efe)

Unclassified

  • Fix broken reload tests (d6059b7)

  • Remove useless function (3521a3d)

  • Validate configuration with JSON Schema (997427d)

  • Do not fatal when immutable value is changed (717d7f7)

  • Watch configuration and access rule changes (#217) (a078e89), closes #217:

    This patch allows oathkeeper to re-load any changes made to the configuraiton file and/or the access rules to be reloaded without a restart.

    Some configuration keys like serve., log., profiling however require a restart.

  • Create FUNDING.yml (d7da8e2)

  • Add support for rules in YAML format (#213) (67face6), closes #213:

    This commit adds support for defining access rules in YAML format, in addition to existing JSON format.

0.16.0-beta.5 (2019-06-28)

Documentation

  • Incorporates changes from version v0.16.0-beta.4 (1e03ee2)

Unclassified

  • Add cookie session authenticator (#211) (f8a66b7)

  • Add description into the name of subtest (#212) (230c332), closes #212

  • Use non-root user in image (#209) (2215126)

  • Remove binary license (#208) (3460d65), closes #208

  • Update config.yaml (#204) (effe9c0), closes #204:

    There's no DSN in oathkeeper

0.16.0-beta.4 (2019-05-28)

Documentation

  • Incorporates changes from version v0.16.0-beta.3 (d777ecf)
  • Updates issue and pull request templates (#196) (74fa27b)
  • Updates issue and pull request templates (#197) (31d057c)
  • Updates issue and pull request templates (#198) (244810a)

Unclassified

  • Properly declare negroni middleware (#200) (9d3dc54), closes #199:

    Previously, negroni.With was mistakenly used to add middleware onto the stack. The proper method however is negroni.Use.

    This patch fixes the use of negroni.With and resolves issues around logging and the decisions endpoint.

0.16.0-beta.3 (2019-05-19)

Documentation

  • Incorporates changes from version v0.15.2 (7ceabe9)
  • Rename config.yml -> config.yaml (4faecbe)
  • Updates issue and pull request templates (#189) (367a48d)

Unclassified

0.15.2 (2019-05-04)

Documentation

  • Incorporates changes from version v0.15.1 (5c34958)

Unclassified

  • cmd/client: Use json rawmessage for arbtrary payloads (#184) (a55e4d1), closes #184 #182

0.15.1 (2019-04-29)

Unclassified

0.15.0 (2019-04-29)

Documentation

  • Incorporates changes from version v0.0.0-testrelease.3 (44649b6)
  • Incorporates changes from version v0.14.2+oryOS.10 (2d9899a)
  • Update patrons (f423666)
  • Update README building-from-source part with the gomodule way (#152) (9d653f5), closes #149

Unclassified

  • Remove full tag from build pipeline (#179) (e2edbf8)

  • Remove sdk dependencies to keto/hydra (#173) (b538e3c):

    This patch replaces code-generated SDKs with raw http.Client calls which reduces dependencies and makes future changes to the keto/hydra SDK easier to adopt to.

  • Update CHANGELOG.md (cbccbe2)

  • Ensure rule matcher is locked before updating (#159) (6fb7151):

    Lock CachedMatcher before rules are updated when HTTPMatcher refreshes to avoid concurrent map iteration and map write errors.

  • Improve debugability of JWT authenticator (#156) (8441bd5)

  • Move to go-swagger SDK code generation (#170) (38c52a3), closes #165

  • Remove vendored dependencies after sdk generation (7c33ca8)

  • Set request headers for credential issuers (#169) (4fc579c), closes #120 #133

  • Update Dockerfile build instructions (ec40cc4)

  • Upgrade dependencies (#163) (f9fdefb)

  • Use scp,scope,scopes in jwt authenticator (#162) (eebc2f4), closes #138:

    Previously, the JWT authenticator only used the "scope" claim to retrieve scope values from a JWT. Now, "scp", "scope", "scopes" are supported as string arrays and strings separated by spaces.

0.14.2+oryOS.10 (2018-12-13)

No significant changes have been made for this release.

0.14.1+oryOS.10 (2018-12-13)

No significant changes have been made for this release.

0.14.0+oryOS.10 (2018-12-13)

Documentation

  • Adds gh templates & code of conduct (#78) (02361aa)
  • Adds link to examples repository (#79) (bfe96e9)
  • Align changelog, upgrade with new versions (#143) (751dfa3)
  • Clarify beyondcorp (3647958)
  • Clarify breaking change policy (6e6bb7e)
  • Fix broken link (#87) (828b33e)
  • Fix proxy help command description (#142) (c836cb0)
  • Fix typo in README. (#118) (3d33fcc)
  • Grammatical fix in stability sentence (#86) (ff0604d)
  • Improve some docs and update SDK (#135) (9a6901d)
  • Incorporates changes from version v0.11.12-1-gace7f34 (3a6450c)
  • Incorporates changes from version v0.11.12-10-g57ac174 (c594b7e)
  • Incorporates changes from version v0.11.12-13-gd00dfed (7c221fa)
  • Incorporates changes from version v0.11.12-15-g6604045 (2a594f4)
  • Incorporates changes from version v0.11.12-3-g7acfbca (ac34a58)
  • Incorporates changes from version v0.11.12-6-g181e9ac (01dda53)
  • Incorporates changes from version v1.0.0-beta.1 (788e96b)
  • Incorporates changes from version v1.0.0-beta.2-1-gd6eb440 (579f7a7)
  • Incorporates changes from version v1.0.0-beta.2-10-gef6e889 (38cfb31)
  • Incorporates changes from version v1.0.0-beta.2-12-g9b6c0df (82ac9b2)
  • Incorporates changes from version v1.0.0-beta.2-6-ged2f983 (d9737c8)
  • Incorporates changes from version v1.0.0-beta.2-8-g5495d4a (546828d)
  • Incorporates changes from version v1.0.0-beta.3-3-g3c0c862 (e1127a8)
  • Incorporates changes from version v1.0.0-beta.4-1-g643dbea (5c40f97)
  • Incorporates changes from version v1.0.0-beta.4-12-gbfe96e9 (756178a)
  • Incorporates changes from version v1.0.0-beta.4-17-gfa5388c (3d5df8b)
  • Incorporates changes from version v1.0.0-beta.4-19-g6d647d7 (b5539f4)
  • Incorporates changes from version v1.0.0-beta.4-3-g951da25 (8931b39)
  • Incorporates changes from version v1.0.0-beta.4-5-g83b591d (4f2c64b)
  • Incorporates changes from version v1.0.0-beta.4-7-gf450697 (8f904d2)
  • Incorporates changes from version v1.0.0-beta.4-9-g02361aa (5b34e91)
  • Incorporates changes from version v1.0.0-beta.5-1-g3647958 (2bcfb39)
  • Incorporates changes from version v1.0.0-beta.6-1-gff0604d (0c69154)
  • Incorporates changes from version v1.0.0-beta.6-3-g828b33e (c53f5b2)
  • Incorporates changes from version v1.0.0-beta.8 (92c09fb)
  • Incorporates changes from version v1.0.0-beta.9 (b9127f6)
  • Update documentation links (#144) (84131d2)
  • Update link to security console (26fdda1)
  • Update migration guide (b2e6d67)
  • Updates copyright notice (e58535d)
  • Updates issue and pull request templates (#126) (5991a92)
  • Updates issue and pull request templates (#127) (e4d0e26)
  • Updates link to open collective (25e0dee)
  • Updates links to docs (9dca7c0)
  • Updates links to docs (57ac174)
  • Updates newsletter link in README (97f1dea)
  • Updates readme TOC (3c0c862)
  • Updates README.md (1387f9f)
  • Updates TOC (9b6c0df)
  • Updates upgrade.me (0118f9f)

Unclassified

  • Add ability to configure scope strategy (519a536)

  • Add cookies ci to handler factory (#103) (59aabfa)

  • Add cookies credentials issuer (032d88e)

  • Add endpoint for answering access requests directly (d211641), closes #42:

    This patch adds endpoint /judge to oathkeeper serve api. The /judge endpoint mimics the behavior of oathkeeper serve proxy but instead of forwarding the request to the upstream server, the endpoint answers directly with a HTTP response.

    The HTTP response returns status code 200 if the request should be allowed and any other status code (e.g. 401, 403) if not.

    Assuming you are making the following request:

    PUT /judge/my-service/whatever HTTP/1.1
    Host: oathkeeper-api:4456
    User-Agent: curl/7.54.0
    Authorization: bearer some-token
    Accept: */*
    Content-Type: application/json
    Content-Length: 0
    

    And you have a rule which allows token some-bearer to access PUT /my-service/whatever and you have a credentials issuer which does not modify the Authorization header, the response will be:

    HTTP/1.1 200 OK
    Authorization: bearer-sometoken
    Content-Length: 0
    Connection: Closed
    

    If the rule denies the request, the response will be, for example:

    HTTP/1.1 401 OK
    Content-Length: 0
    Connection: Closed
    
  • Add headers credentials issuer (b084c32)

  • Add http proxy timeout config (#132) (b3718ce):

    Add environment parameters (and description) to configure timeout settings of a server handled proxy requests.

    It will help prevent a case of unexpected closing a client connection if an upstream request is executing more than default timeout.

  • Add JWT authenticator (61625bc)

  • Add NodeJS SDK (#94) (7505b71)

  • Adds ability to specify db url via env var in migrate (b2cc5d2)

  • Adds and improves metrics middleware (b0dfd97)

  • Adds log message when telemetry is active (ed2f983)

  • Adds validator for rules (#77) (f450697):

    This patch adds an input validator for rules which should prevent accidental typos or similar issues when creating a rule. Additionally, no invalid/unconfigured handlers (authorizers, credential issuers, authenticators) can be used.

  • Align TLS options with hydra (#114) (c763152)

  • Allow empty upstream in rules (e46065a)

  • Allow regex in match scheme (c6d17c5), closes #92

  • Allows connectivity to MySQL (fa5388c), closes #82

  • Authenticator noop should not bypass (6f8ab4f), closes #97

  • Convert AuthenticationSession to local struct type for better handling (b00b2a2)

  • Disable cors per default (#107) (c5ab0c3):

    This patch introduces CORS_ENABLED which defaults to "false".

  • Doesn't fatal if no ORY Hydra is unresponsive. (#66) (181e9ac), closes #65

  • Enables TLS option on serve api (#116) (83f1f84)

  • Expose all ORY Hydra ports in tests (691a72d)

  • Expose all ORY Hydra ports in tests (add70c6)

  • Fix checkResponse message typo (#106) (0d0e653)

  • Ignore query parameters when matching url in rules. (#139) (07eb99b)

  • Improve compatibility with ORY Hydra 1.0.0-beta.8 (#108) (296e012), closes #101:

    This patch improves compatibility with ORY Hydra 1.0.0-beta.8 and updates vendored dependencies.

  • Improve hydra integration tests (e8b7a58)

  • Improve refresh subroutines (cc33538)

  • Improves cors parsing (d00dfed)

  • Improves test set up (6b6bb88)

  • Include headers credential issuer in handler factory (0e1ef1b)

  • Introduce health and version endpoint (029c7ff)

  • Make subject configurable using go template (#129) (ee9dcdd)

  • More CredentialsIssuerHeaders tests (079171f)

  • Move headers into new config field (51eb9fb)

  • Properly document JWT refresh (#117) (2e024f9)

  • Properly handle conflicts on PUT and POST (83b591d), closes #38:

    Previously, PUT and POST did not result in errors (409) when non-existing resources were modified, or existing resources were created. This patch resolves that.

  • Refactors Oathkeeper into new ecosystem (#60) (7acfbca)

  • Refresh rules in api mode (08204e8)

  • Remove config flag (#111) (8385cbc), closes #110

  • Remove config flag (#111) (7de77b8), closes #110

  • Remove package.json from swagger dir (837d18c)

  • Resolve broken introspection scope setting (18837a9)

  • Resolve HS256 kid mismatch (6d647d7), closes #83

  • Resolves panic when network fails in "rules import" (078542a)

  • Streamlines https configuration variables (#124) (9f6f815), closes #121

  • Test for errors (585672e)

  • Test missing Extra field (a4d3d2d)

  • Test template caching/lookup (ab8a402)

  • Update keto to latest (3e2a8de)

  • Upgrade keto authorizer to 0.2.0 (#145) (bcd4836)

  • Support "scope" claim as a string in jwt authenticator (#137) (ab5240e), closes #137

  • Test nesting of various types (188748d)

  • Update rules stub (475f39a)

  • Upgrade superagent version (44ed240)

  • Use print funcmap function to override text/template print (76b2d9d)

  • Validate handler configurations (a558103)

  • Adds docker-compose example with postgres (84f1313)

  • Removes obsolete benchmark (3f259da)

  • Resolves an issue with cached matchers (951da25), closes #73:

    This patch resolves an issue where updates would not properly propagate. This caused deleted rules to still be available in the proxy.

  • Resolves issues with broken tests (6604045)

  • Resolves naming issues and updates readme (5495d4a)

  • Resolves potential panic in request handler (ef6e889)

  • Resolves recursive stack overflow (#81) (0594cda), closes #80

  • Reduces setup complexity by making strategies configurable (6626f8f), closes #71:

    This patch adds another ID Token signing algorithm (HS256) which is easier to set up as it does not rely on ORY Hydra but instead on a shared secret.

    Additionally the ability to specify which ID Token singing algorithm to use has been added. Environmental variables to configure the behvaiour have been added as well.

    Further, the ORY Keto Warden Authorizer strategy is now optional and disabled when the environment variable AUTHORIZER_KETO_WARDEN_KETO_URL is empty.

  • Updates to ORY Hydra v1.0.0-beta.2 (e4c9f2e)

  • Tells linguist to ignore SDK files (ace7f34)

0.11.12 (2018-05-07)

Documentation

  • Adds automatic summary generation (#49) (20fefbc)

  • Adds edit on github links (95af1bb)

  • Adds license note to all source files (#51) (2c8ff2f)

  • Fixes redirect path (9bca2f3)

  • Moves documentation to new repository (#57) (a9f21f3)

  • Redirect to ory domain (0599e63)

  • Removes newline from swagger doc (5e297b3)

  • Removes stray line in api docs (bed1a04)

  • Removes summary plugin (ce06f4e)

  • Resolves broken policy and client definitions (#55) (4676f40), closes #53

  • Updates chat badge to discord (1bbac52)

  • Updates execution instructions (#56) (3bcfd8b):

    Adjusting run script to respect env variables

  • Updates README.md (#58) (bdb542f)

  • Updates swagger docs (5ea68c2)

Unclassified

  • Introduces new versioning number to match ORY Hydra (75b5121)

  • Adds mock generation script (00b51b7)

  • Corrects logging typo (#52) (d415291):

    This corrects logging from 'oahtkeeper-proxy' to 'oathkeeper-proxy' in, e.g., the proxy latency logline.

  • Updates hydra sdk mock (2ff8032)

  • Updates hydra to 0.11.6 (ee969f6)

  • Updates license header (94a2ed2)

  • Use source file from vendor for mock generation (42517c6)

  • Uses Hydra v0.11.6 in tests (9c2cc89)

  • Adds license (cc13ae8)

  • Updates README.md (c9340dc)

0.0.29 (2017-12-19)

Unclassified

  • Adds use field to well known (#48) (f7353ea), closes #48

0.0.28 (2017-12-19)

Unclassified

  • Replaces key discovery with well-known feature (#46) (e343a61), closes #46 #43

0.0.27 (2017-12-12)

Unclassified

  • Adds cors capabilities to management server (6519846)

0.0.26 (2017-12-11)

Unclassified

  • Adds hydra.introspect to required tokens (b66462a)
  • Fixes broken image link in docs (1aa2404)

0.0.25 (2017-11-28)

Unclassified

  • Add extra data from token introspection to session (ce8f9f2)

0.0.24 (2017-11-26)

Unclassified

  • Replaces LogError with direct error logging (73994b8)
  • Upgrades vendor dependencies (4207aef)
  • Introduces telemetry module and adds documentation (c5a7f7a), closes #27 #34
  • Use oathkeeper public url as issuer (1e5ae00)

0.0.23 (2017-11-24)

Documentation

Unclassified

  • Print formatted output string in rule management CLI (#35) (b14c74e), closes #35
  • Update docs and add tests (#32) (c6bf7d1), closes #32

0.0.22 (2017-11-20)

Unclassified

  • Renames bypass values for better clarity (46a717e), closes #13 #29

0.0.21 (2017-11-19)

Unclassified

  • Request hydra.keys scope and fix panic (546b2cf)

0.0.20 (2017-11-18)

Documentation

  • Add developer guide link to readme (68be400)
  • Add install and run section (87f0700)
  • Fix table of contents in summary (fdb752b)
  • Improve swagger documentation (8f16a9b)
  • Wrote basic developer guide (952d27c)

Unclassified

  • Replace shared secret with RSA key from Hydra for ID token signing (e7ed8ca)
  • Add rules management capabilities to the cli (289c38a)
  • Format cmd/serve (bc2e7c1)
  • Ignore gitbook output directory (580b94f)

0.0.19 (2017-11-13)

Unclassified

0.0.18 (2017-11-13)

Unclassified

  • Improve audit capabilities (c952d21)
  • Resolve potential panic in token id generation (8fe9e9a), closes #22

0.0.17 (2017-11-12)

Unclassified

  • Introduces surrogate_id to SQLManager (#21) (fbe272f), closes #21

0.0.16 (2017-11-12)

Unclassified

  • Replace MatchesPath with MatchesURL (#20) (4ee776c), closes #20

0.0.15 (2017-11-09)

Unclassified

  • Add HTTPS capabilities and document proxy/management commands (#19) (98ef623), closes #19

0.0.14 (2017-11-07)

Unclassified

  • Make refresh_delay configurable and skip it on boot (#18) (4863a82), closes #18

0.0.13 (2017-11-07)

Unclassified

  • Store rules path match in plaintext (#17) (6570b5d), closes #17

0.0.12 (2017-11-07)

Unclassified

  • Use ladon regex compiler for matches (#16) (972a328), closes #16
  • Fix typo in circle-ci test-docker job (5618c30)
  • Run docker image in test (12b5f13)

0.0.11 (2017-11-06)

Unclassified

  • Move gatekeeper to $PATH in docker image (81e5562)
  • Force docker version 17.10 in circle (3927a78)

0.0.10 (2017-11-06)

Unclassified

  • Add ssl certificates to scratch image (56a3243)
  • Build static binary within docker (4d6d8bf)

0.0.9 (2017-11-06)

Unclassified

  • Build binary statically with CGO disabled (6dd3761)

0.0.8 (2017-11-06)

Unclassified

  • Make oathkeeper binary executable# (9e24888)

0.0.7 (2017-11-06)

Unclassified

  • Build oathekeeper docker image statically (#14) (dbd2037), closes #14:

    • Build oathekeeper docker image statically

    • Build oathekeeper docker image statically

0.0.6 (2017-11-03)

Unclassified

  • Added serve all command (dfc071c)

0.0.5 (2017-11-01)

Unclassified

  • Remove goveralls from circle build (8362e1c)
  • Add cors handling to proxy (84cec15)
  • Use circle ci build status badge (b776e05)
  • Use circle ci build status badge (65c4100)
  • Switch from glide to golang/dep for vendoring (ec63fa4)
  • Resolve tests by replacing nil slice (#7) (971d020), closes #7

0.0.4 (2017-10-21)

Unclassified

  • Return arrays instead of null on rule creation (#6) (02e88be), closes #6
  • Add circleci configuration file (#5) (76e58f2), closes #5

0.0.3 (2017-10-18)

Unclassified

  • Force linefeed for shell scripts (1e4fc77)
  • When introspection fails return unauthorized (f5295b4)

0.0.2 (2017-10-12)

Unclassified

  • Add ability to skip acp checks (18facbb)
  • Remove unnecessary scope hydra.warden.* (2214498)

0.0.1 (2017-10-10)

Documentation

Unclassified