All notable changes to this project will be documented in this file.
- None
- None
- Fix issue impacting the implicit grant type from working in cases where the tenants has configured an LDAP authentication due to response_type being dropped from the login UI. See issue #66 for more details.
- None
- Added a new /v3/oauth2/webapp/logout endpoint for testing with the Token Webapp; it removes only the token from the session, while keeping the authorization server's session in tact. This allows for using the Token Webapp to test repeated logins within the same authorization server session.
- Fix bug where, for tenants configured with custom OA2 IdPs, a second attempt to authenticate a user via an OAuth2 flow after a user had already authenticated with a previous client (and had established a session) would fail. The issue is that, in 1.5.0, we remove the orig_client_* attributes from the session on successful login; however, for custom OA2 IdPs, we expect to get the client_id out of the session. This will fail on the first call to /authorize in such cases.
- None
- Tenants are now able to determine how long the MFA authentication should last before the user has to re-enter their MFA
- Updated HTML - all of the different pages of the authentication workflow now have updated design layouts
- The device code flow, starting with GET /v3/device?client_id=<client_id>, is now working for all login methods
- The language for the user code form of the device flow is now more clear
There were no major updates in this release.
- None
- None
- None
- The DELETE /v3/oauth2/clients endpoint now returns the standard 5-stanza Tapis response. Previously, it returned an empty HTTP response. Applications that use this endpoint should be updated to handle a non-empty response.
- The POST /v3/oauth2/tokens endpoint has been changed in the case of the device_code grant to require only the client_id as a POST parameter. Previously, the client_id and client_key were erroneously both required to be passed using an HTTP Basic Auth header. Client applications that utilized the device code grant type and passed the client credentials as part of the HTTP Basic Auth header must be updated to pass only the client id as part of the POST payload. The OA3 spec has been updated to reflect this new requirement. See issue #32.
- By default, an account with username "admin" is now created in the dev tenant (see issue #33).
- Upgrade to tapipy 1.4.0 and associated library upgrades (e.g., openapi-core 0.16 from 0.12). This upgrade improves spec loading times and reduces the overall time for the authenticator service to start up. See issue #31.
- The POST /v3/oauth2/tokens endpoint has been changed in the case of the device_code grant to require only the client_id as a POST parameter. Previously, the client_id and client_key were erroneously both required to be passed using an HTTP Basic Auth header. Client applications that utilized the device code grant type and passed the client credentials as part of the HTTP Basic Auth header must be updated to pass only the client id as part of the POST payload. The OA3 spec has been updated to reflect this new requirement. See issue #32.
- The OA3 spec has been updated to correct the DELETE /v3/oauth2/clients endpoint (it was mislabeled "Delete a tenant") and to specify the TapisJWT authentication on endpoints that require it (see issue #34)
- None
- None
- This release fixes some issues with the device code flow, including when generating a device code and when using device codes with non-ldap identity providers.
- This release also fixes a bug in the OAuth2ProviderExtCallback controller where the append_idp_to_username was not defined if the ext type was not "multi_idps". This bug impacted tenants such as CII with a different custom IdP type.
- None
- Update the oa3 spec with a comment to indicate that Profile fields are optional; add check for custom idp types and still try to get the profile fields in those cases.
- None
- None
- None
- Fix an issue where the tenant_config_cache was leaving an access share relation (table) lock on the table indefinitely, preventing alter table commands from completing.
- None
- Add support for "multi_keycloak" OAuth extension type, allowing tenants to configure arbitrary KeyCloak instances.
- Add support for "globus" OAuth extension type, enabling use of Globus Auth/CILogon without KeyCloak.
- Add support for "multi_idps" extension type, enabling tenants to configure multiple identity provider backends including: GitHub, KeyCloak, Globus, LDAP, etc.
- Updates to the HTML in the example token web app.
- None
This production point release adds support for TACC MFA, token revocation, token tracking for usage analytics and a number of bug fixes. NOTE: This version of Authenticator depends on the Site Router API for Token revocation, not previously released.
- None; Site Router is now required for revocation endpoints to function.
- Suport for TACC MFA
- Support for Token revocation.
- Support for usage analytics via token tracking.
- Add support for configuring Tokens to serve all tenants at a site via the
tenants: ["*"]configuration.
- Fix a bug in the way authenticator called
jwt.decodewhen decoding a CII token. Due to a recent upgrade to the Python JWT library in flaskbase, we must specify the algorithm used to decode -- in this case,HS256. (originally released in 1.2.1)
This preview release adds support for tracking tokens generated in SQL, including access and refresh token. This feature allows users to compute usage data such as how many distinct users generated access tokens in each tenant.
- None.
- Adds new SQL tables for tracking access tokens and refresh tokens generated by authenticator (#22).
- Add additional indexes to the Clients and TenantConfigs table; (this update provided as a separate migration).
- None.
This preview release adds support for token revocation. See issue #7 for more details.
- None.
- Adds a new endpoint for revoking a Tapis user JWT.
- None.
This is a bug fix release that corrects a small issue with the MFA feature.
- None.
- None.
- Fixes an issue with the MFA feature where tenants could be prompted for MFA even if they were not configured for it.
This preview release adds support for the TACC MFA solution, which can be configured for tenants using the TACC identity provider (TACC LDAP) on a tenant by tenant basis. It also adds a new endpoint for exchanging a v3 access token for a Tapis v2 token. This feature is also only available for certain tenants.
- None.
- Support for TACC MFA via PrivacyIdea API (requires configuration for each tenant)
- Support for exchanging Tapis v3 tokens for Tapis v2 tokens (requires configuration for each tenant).
- None.
This patch release fixes an issue with the CII authenticator plugin that was introduced by an upgrade to the Python JWT library.
- None.
- None.
- Fix a bug in the way authenticator called
jwt.decodewhen decoding a CII token. Due to a recent upgrade to the Python JWT lobrary in flaskbase, we must specify the algorithm used to decode -- in this case,HS256.
This release adds support for the device code grant type and OAuth2 authentication via TACC's Keycloak instance to support third-party identity providers, including Globus Auth.
- None.
- Add support for the device code grant type (https://datatracker.ietf.org/doc/html/rfc8628) and with it, the ability to generate long-lived tokens. See issue #6 for more details.
- Adds support for authenticating via TACC's Keycloak instance. This authentication
mechanism is used when a tenant configures a custom idp configuration of type
tacc_keycloak. See issue #18 for more details. - Adds health check and ready endpoints.
- Fix a bug in the way authenticator computed the
default_user_filter_prefixthat was causing two equals signs (=) to get inserted into the filter.
This release converts the Authenticator to using the new tapipy-tapisservice plugin-based
Tapis Python SDK and makes updates necessary for supporting deployment automation provided
by the Tapis Deployer project.
- None.
- Convert Authenticator to using the new
tapis/flaskbase-pluginsimage. - Support the initial version of the Tapis Deployer deployment automation.
- Add support for utilizing the
devldap (with test accounts) on an arbitrary tenant, not just thedevtenant, so that it can be utilized by different sites.
- None.
- None.
- Added support for the implict grant type (#5). This feature is in "preview".
- Added support for sending www-form encoded requests to the tokens endpoint (#10).
- Added support for OAuth metadata discovery endpoint. (#11)
- None.
- None.
- None.
- Fix bug where API request would result in an uncaught sqlalchemy detached instance error (see #4)
Initial production release of Tapis Authenticator with support for OAuth2 password and authorization code grant types and authentication with LDAP servers.
For more details, please see the documentations: https://tapis.readthedocs.io/en/latest/technical/authentication.html
Live-docs: https://tapis-project.github.io/live-docs/
- Initial release.
- Initial release.
- None.
- Initial alpha release.
- No change.
- No change.