Table of Contents
- 0.0.0 (2023-09-08)
- 0.40.6 (2023-07-18)
- 0.40.5 (2023-07-17)
- 0.40.4 (2023-07-13)
- 0.40.3 (2023-04-25)
- 0.40.2 (2023-03-15)
- 0.40.1 (2023-01-17)
- 0.40.0 (2022-09-14)
- 0.39.4 (2022-08-31)
- 0.39.3 (2022-08-18)
- 0.39.3-pre.0 (2022-08-18)
- 0.39.2 (2022-08-18)
- 0.39.0 (2022-06-27)
- 0.38.25-beta.1 (2022-04-13)
- 0.38.24-beta.1 (2022-04-06)
- 0.38.23-beta.1 (2022-02-24)
- 0.38.22-beta.1 (2022-02-23)
- 0.38.20-beta.1 (2022-02-14)
- 0.38.19-beta.1 (2022-02-04)
- 0.38.17-beta.1 (2022-02-03)
- 0.38.18-beta.1 (2022-02-03)
- 0.38.15-beta.1 (2021-08-28)
- 0.38.14-beta.1 (2021-07-14)
- 0.38.12-beta.1 (2021-06-22)
- 0.38.11-beta.1 (2021-05-13)
- 0.38.10-beta.2 (2021-05-05)
- 0.38.9-beta.1 (2021-03-17)
- 0.38.9-beta.1.pre.3 (2021-03-16)
- 0.38.9-beta.1.pre.2 (2021-03-15)
- 0.38.9-beta.1.pre.1 (2021-03-15)
- 0.38.8-beta.1 (2021-02-25)
- 0.38.7-beta.1 (2021-02-22)
- 0.38.6-beta.1 (2021-01-27)
- 0.38.5-beta.1 (2020-12-10)
- 0.38.4-beta.1 (2020-09-28)
- 0.38.3-beta.1 (2020-07-29)
- 0.38.2-beta.1 (2020-05-25)
- 0.38.1-beta.1 (2020-05-08)
- 0.38.0-beta.2 (2020-05-07)
- 0.37.1-beta.1 (2020-04-03)
- 0.37.0-beta.1 (2020-04-02)
- 0.36.0-beta.4 (2020-02-14)
- 0.36.0-beta.1 (2020-02-05)
- 0.35.5-beta.2 (2020-01-31)
- 0.35.5-beta.1 (2020-01-27)
- 0.35.4-beta.1 (2020-01-26)
- 0.35.3-beta.1 (2020-01-26)
- 0.35.1-beta.1 (2020-01-14)
- 0.35.0-beta.1 (2020-01-13)
- 0.34.0-beta.1 (2019-12-26)
- 0.33.1-beta.1 (2019-12-18)
- 0.33.0-beta.1 (2019-12-16)
- 0.32.1-beta.1 (2019-10-30)
- 0.32.0-beta.1 (2019-10-20)
- 0.31.0-beta.1 (2019-10-20)
- 0.19.0-beta.1 (2019-09-23)
- 0.18.0-beta.1 (2019-08-22)
- 0.17.4-beta.1 (2019-08-09)
- 0.17.3-beta.1 (2019-08-03)
- 0.17.2-beta.1 (2019-08-02)
- 0.17.1-beta.1 (2019-07-23)
- 0.17.0-beta.1 (2019-07-18)
- 0.16.0-beta.5 (2019-06-28)
- 0.16.0-beta.4 (2019-05-28)
- 0.16.0-beta.3 (2019-05-19)
- 0.15.2 (2019-05-04)
- 0.15.1 (2019-04-29)
- 0.15.0 (2019-04-29)
- 0.14.2+oryOS.10 (2018-12-13)
- 0.14.1+oryOS.10 (2018-12-13)
- 0.14.0+oryOS.10 (2018-12-13)
- 0.11.12 (2018-05-07)
- 0.0.29 (2017-12-19)
- 0.0.28 (2017-12-19)
- 0.0.27 (2017-12-12)
- 0.0.26 (2017-12-11)
- 0.0.25 (2017-11-28)
- 0.0.24 (2017-11-26)
- 0.0.23 (2017-11-24)
- 0.0.22 (2017-11-20)
- 0.0.21 (2017-11-19)
- 0.0.20 (2017-11-18)
- 0.0.19 (2017-11-13)
- 0.0.18 (2017-11-13)
- 0.0.17 (2017-11-12)
- 0.0.16 (2017-11-12)
- 0.0.15 (2017-11-09)
- 0.0.14 (2017-11-07)
- 0.0.13 (2017-11-07)
- 0.0.12 (2017-11-07)
- 0.0.11 (2017-11-06)
- 0.0.10 (2017-11-06)
- 0.0.9 (2017-11-06)
- 0.0.8 (2017-11-06)
- 0.0.7 (2017-11-06)
- 0.0.6 (2017-11-03)
- 0.0.5 (2017-11-01)
- 0.0.4 (2017-10-21)
- 0.0.3 (2017-10-18)
- 0.0.2 (2017-10-12)
- 0.0.1 (2017-10-10)
0.0.0 (2023-09-08)
-
Preserve_host feature for oauth2_introspect, better tracing, introspection prefixes (#1131) (b5d4d88):
This patch additionally allows selecting between the two authenticators based on a prefix to the token.
0.40.6 (2023-07-18)
Resolves an issue in how X-Forwarded headers were set.
- Pin v0.40.6 release commit (75eb682)
0.40.5 (2023-07-17)
Ory Oathkeeper v0.44.4 uses the new Rewrite feature of Golang's reverse proxy.
This will strip any X-Forwarded headers from upstream requests. This however is
not always desirable which is why a new config flag
serve.proxy.trust_forwarded_headers
was introduced to optionally enable the
forwarding of X-Forwarded headers.
- Pin v0.40.5 release commit (ba1f90a)
-
Flag to disable hop-by-hop defenses (#1120) (fffe8ef):
Ory Oathkeeper v0.44.4 uses the new Rewrite feature of Golang's reverse proxy. This will strip any X-Forwarded headers from upstream requests. This however is not always desirable which is why a new config flag
serve.proxy.trust_forwarded_headers
was introduced to optionally enable the forwarding of X-Forwarded headers.
0.40.4 (2023-07-13)
Added distroless image, fixed some bugs, and added support for JWKs key rotation in the ID token mutator.
- Apk install issue (08b2bfb)
- Ensure logger uses config (#1104) (d9b0965)
- Noop mutator don't overwrite session headers (#1091) (3a716f2)
- Use Query.Get when fetching QueryParameter (#1106) (c520e50)
- Pin v0.40.4 release commit (70d63f3)
-
Support token rotation in ID token mutator (#1119) (5dd4571):
Previously, only one JWK may be returned by the JWKS URL. This made token rotation impossible. This patch allows for multiple keys to be returned by the JWKS URL and the first key found will be used for signing.
0.40.3 (2023-04-25)
This release fixes a low-severity security vulnerability.
- Report 499, 502, or 504 (#1090) (360a03e)
- Sqa config values unified across projects (#1094) (9374d2f)
- Switch to
httputil.ReverseProxy.Rewrite
(#1098) (c5cc7f7)
- Pin v0.40.3 release commit (2ab7687)
0.40.2 (2023-03-15)
Resolves tracing and health monitoring issues.
-
Add handlers in correct order to handle CORS requests properly (#1055) (0b5f6e6), closes ory/oathkeeper#1054
-
Render complete config schema in CI and update tracing config (#1063) (e5e9d17)
-
Rule readiness check should require at least one rule to be loaded (#1061) (daa2994):
With this change, Oathkeeper now reports as "not ready" on the health check if not at least one valid rule is loaded.
- Pin v0.40.2 release commit (0f42d7c)
- Add cache to Koanf.validatePipelineConfig (#1042) (e7fb605)
- Expose health checks in middleware (#1058) (e1357f8)
- Forward config options in middleware (#1062) (f3c4386)
- Improved tracing for authorizers (#1079) (b3aa0c3)
- Tracing for authz remote (#1056) (7e7d45e)
0.40.1 (2023-01-17)
This release resolves tracing issues and fixes a bug.
- Align proxy mode log level with decision mode log level for access request granted log (#1029) (b9365a6)
- Allow otel tracing provider in config (#1039) (2661190)
- Decouple cloud storage tests (c1ed811)
- Do not leak sensitive data from gRPC middleware (32aa172)
- Ignore query string when using X-Forwarded-Uri (#1025) (6fa3978)
- Init registry in middleware (1daecb6)
- Pin v0.40.1 release commit (431f415)
- Fix typo from /decision to /decisions (#1036) (5d23dcb)
- Standardize license headers (#1024) (851cd0f)
0.40.0 (2022-09-14)
This release introduces the new Koanf-based configuration system, resolves several issues, and introduced an experimental gRPC middleware.
- Adds tracing to cookie_session and bearer_token authenticators (#995) (6504c0a)
- Do not load from env in middleware (b42261e)
- Make metric name consistent with rest of ory ecosystem (#1010) (c3c5854)
- Move .schema to spec (8ab6f85)
- Remove packr (7f32bc2)
- Pin v0.40.0 release commit (f2cd421)
-
Add Oathkeeper gRPC middleware (210aa5e):
This adds a gRPC middleware that encapuslates the Oathkeeper logic.
Matching on gRPC traffic now happens in its own rule. To match against gRPC traffic, you can use
Authority
andFullMethod
instead ofURL
andMethods
.
- Add gRPC matcher tests (dc8c361)
0.39.4 (2022-08-31)
Introduces a new config option to reducde cardinality in the metrics.
- Pin v0.39.4 release commit (699cf65)
0.39.3 (2022-08-18)
Improves prometheus metrics.
- Pin v0.39.3 release commit (251024c)
0.39.3-pre.0 (2022-08-18)
autogen: pin v0.39.3-pre.0 release commit
- Pin v0.39.3-pre.0 release commit (7569903)
0.39.2 (2022-08-18)
Introduces better prometheus metrics.
- Swagger generation issues (259b192)
- Pin v0.39.2 release commit (d6b3014)
0.39.0 (2022-06-27)
This release ships several improvements to cache logic and request detection.
Additionally, the bearer_token
and cookie_session
handlers pass only the
needed header (Authorization
, Cookie
) to the check URL. To pass additional
headers, use the forward_http_headers
configuration key.
From now on, the bearer_token
and cookie_session
handlers pass only the
needed header (Authorization
, Cookie
) to the check URL. To pass additional
headers, use the forward_http_headers
configuration key.
Closes ory#954 Closes ory/network#76
Co-authored-by: hackerman [email protected]
-
Cache behavior with TTL (#968) (c4836f5):
This test will fail since everytime Authenticate() succeeds the token is cached, even if it was already cached. This behavior makes it possible to keep a token in cache if it is authenticated in a period less than the TTL.
-
Less flaky rule tests (#973) (6ee6a73):
Instead of (flaky) fixed sleeps, we now use assert.Eventually to wait until the rule changes were propagated.
- Pin v0.39.0 release commit (f96f2be)
- JWT should only respect JWT-formats (#958) (6959524)
- Pass only essential and configured headers to authenticator (#952) (e5e4de4)
0.38.25-beta.1 (2022-04-13)
This release provides some minor fixes around headers, see the changelog for more info.
- Case insensitive headers (#951) (2d04cfc), closes #950
- Log proxy errors with logrus (#937) (46bfd70)
- Overzealous url validation (#953) (d0c8d64), closes #930
- Pin v0.38.25-beta.1 release commit (87df0d9)
- Fix version schema (c5497f3)
0.38.24-beta.1 (2022-04-06)
With this release we improve tracing capabilities for Ory Oathkeeper.
- Pin v0.38.24-beta.1 release commit (fb2c246)
0.38.23-beta.1 (2022-02-24)
Ory Oathkeeper has a new place for documentation at github.com/ory/docs and www.ory.sh/docs/oathkeeper! Additionally, the CI/CD infrastructure was moved to GitHub Actions.
- Pin v0.38.23-beta.1 release commit (69ad28f)
0.38.22-beta.1 (2022-02-23)
Ory Oathkeeper has a new place for documentation at github.com/ory/docs and www.ory.sh/docs/oathkeeper! Additionally, the CI/CD infrastructure was moved to GitHub Actions.
Please excuse the previous Ory Oathkeeper release notification. A faulty CI configuration.
- Pin v0.38.22-beta.1 release commit (0dcb7c1)
0.38.20-beta.1 (2022-02-14)
This release introduces caching capabilities for the OAuth2 Client Credentials authenticator as well as compatibility with Traefik!
- Add pre-steps with packr2 (#921) (d53ef01), closes #920
- Bump goreleaser orb (#919) (f8dcda2)
- Use all pre-hooks (09be55f)
- Pin v0.38.20-beta.1 release commit (410d69e)
- Move docs to ory/docs (a0c6927)
- Recover sidebar (165224f)
-
Add post-release step (e7fd550)
-
Introduce token caching for client credentials authentication (#922) (9a56154), closes #870:
Right now every request via Oathkeeper that uses client credentials authentication requests a new access token. This can introduce a lot of latency in the critical path of an application in case of a slow token endpoint.
This change introduces a cache similar to the one that is used in the introspection authentication.
-
Migrate to openapi 3.0 generation (190d1a7)
-
Traefik decision api support (#904) (bfde9df), closes #521 #441 #487 #263:
Closes ory#899
0.38.19-beta.1 (2022-02-04)
This release adds support for rewriting the HTTP method in certain authenticators.
- Pin v0.38.19-beta.1 release commit (dedb92c)
-
Allow overriding HTTP method for upstream calls (69c64e7):
This patch adds new configuration
force_method
to the bearer token and cookie session authenticators. It allows overriding the HTTP method for upstream calls.
0.38.17-beta.1 (2022-02-03)
ci: bump orbs
- Bump orbs (66673ef)
0.38.18-beta.1 (2022-02-03)
This release adds CVE scanners for Docker Images and updates several dependencies to resolve CVE issues.
Additionally, support for various tracers has been added, patches to caching and JWT audiences have been made, and more configuration options have been added for various rules.
-
Add ory cli (df8a19b)
-
Allow forwarding query parameters to the session store (#817) (9375f92), closes #786 #786
-
Remote_json default configuration (#880) (18788d1), closes #797
-
Use NYT capitalistaion for all Swagger headlines (#859) (8c2da46), closes #503:
Capitalised all the Swagger headlines for files found in /api.
- Pin v0.38.18-beta.1 release commit (0bf4a98)
-
Warn that gzip is unsupported (#835) (78e612e):
Note to users that gzip responses are as of now unsupported for Cookie and Bearer authenticators. The result is that the
subject
andextra
will not be filled in, and will fail silently.
-
Add retry and timeout support in authorizers (#883) (ec926b0):
Adds the ability to define HTTP timeouts for authorizers.
-
Add support for X-Forwarded-Proto header (#665) (a8c9354), closes #153
-
Allow both string and []string in aud field (#822) (1897f31), closes #491 #601 #792 #810
-
Store oauth2 introspection result as bytes in cache (#811) (5645605)
- Echo output in run.sh (871b3c6)
- Fix typo (1b21d81)
- Reintroduce -s -o (792477f)
- Verbose curl (5d86cd3)
- docs:� declare s3, gs, and azblob access rule repositories in config schema (#829) (e2433f6), closes #829
0.38.15-beta.1 (2021-08-28)
This release primarily resolves issues with the SDK publishing pipeline.
- Do not modify original headers (1f6c430)
- Pin v0.38.15-beta.1 release commit (95185bb)
- Naming (57a9aa4)
- Add preserve_host to session and bearer configs (e1cc575)
- Add support for additional headers in check_session and bearer token (390abe3)
0.38.14-beta.1 (2021-07-14)
Ory Oathkeeper v0.38.14-beta.1 addresses a vunlerability in jwt-go by bumping the dependency to v3.2.4.
- Update docs deps (3d50ab4)
- Pin v0.38.14-beta.1 release commit (4918be0)
- Fix erroneous sidebar commit (6e3e1a2)
-
Fix goreleaser/render-version-schema step (#789) (#790) (d33e3e1):
This reverts commit d306aa61401b047c232352da47f189a5cd0d4f23.
0.38.12-beta.1 (2021-06-22)
This patch includes an important patch for a security vulnerability
impacting the oauth2_introspection
authenticator when caching is enabled. For
more information please read the
Security Advisory.
We strongly recommend upgrading to this version!
Apart from this fix some improvements have been added to reduce latencies when
fetching JSON Web Keys and during oauth2_introspection
pre-auth. Go templates
can now access the incoming request headers.
- Add docs/node_modules target (52f1c7b)
- Cache introspection pre-auth (#723) (3a9ae1a), closes #712
- Ensure no vulnerable jwt-go deep dependency is being used (#745) (2ccbb2f), closes #740
- Makefile and sdk issues (598d48c)
- Pin v0.38.12-beta.1 release commit (ae23224)
-
Ability to Configure Remote Authorizers to set Headers in AuthenticationSession (#717) (b3d117b):
The remote authorizers may have useful context from user's permissions. So with this changes, custom authorizers using remote and remote_json can return some useful headers to be forward into the AuthenticationSession, meaning that these headers will be passed to upstream services.
For example, an user containing scopes/branches inside an organization profile has some level of data addressed to him. In this case, the upstream service need to know that, and "filter" the data according to his "branch_id". The permission that is given to the user (and the remote authorizers manages) has a record of the "branch_id", for the following responses will be returned as status code 200 (if granted) and containing a header like X-Branch-Id.
The upstream service receives the X-Branch-Id and does your thing.
The configuration requires to configure a list of "allowed headers" returning from remote authorizer, that will be accepted in the pipeline.
-
Add request header in match context (#719) (22b0dbe), closes #512
-
Improved JWT Authorizer JWKs fetching (#726) (5613f65), closes #203
- Add improved preauth tests (#758) (83c5349)
- Resolve waiting forever regression (#755) (c444d46)
- Resolve windows build failures (#754) (e4e2263)
-
Merge pull request from GHSA-qvp4-rpmr-xwrr (1f9f625):
This patch addresses a security vulnerability which would bypass token claim validation once a token is in the cache.
For more information please refer to https://github.com/ory/oathkeeper/security/advisories/GHSA-qvp4-rpmr-xwrr
0.38.11-beta.1 (2021-05-13)
This release primarily addresses issues in the SDK build pipeline.
- Init introspect http client once (#714) (e203ad1), closes #712
- Log credentials verifier error details (#713) (766b071), closes #467
- Pin v0.38.11-beta.1 release commit (413393f)
-
Init introspect http client once (#714) (#722) (c58cbd9):
This reverts commit e203ad14ac0e78909e7d42aa214c47a708a7c136.
0.38.10-beta.2 (2021-05-05)
This release improves the health status manager, cache management, improves JSON Web Token debuggability, and resolves other issues.
- Register makefile tasks (2832a77)
- Resolve makefile issues (9df3b2a)
- Set cost 1 when caching tokens with configurable max cost (#680) (8db0e9d)
- Update shebangs to use bash from /usr/bin/env instead of /bin/ for better portability (#694) (e522062)
- Pin v0.38.10-beta.2 release commit (4b3403b)
- Move api.json (7dc37fd)
-
Add dotnet sdk (#683) (05ae925):
-
docs: add dotnet sdk
-
docs: add dotnet sdk versioned
-
-
Consistent authz headers (#699) (19948e1):
Removes the "Authorizer" prefix from a few of the authorizers to make them all consistent.
-
Add health event manager and rules readiness probe (#674) (01d8588)
-
Add http method into session.MatchContext (#676) (e15a7a5), closes #625
-
Add support for requesting an audience to the OAuth2 Introspection pr… (#678) (2405810), closes #677
-
Additional JWT auth debug information (#681) (d08ab50), closes #668:
JWT Claims added to error details field.
-
Adds audience into Extra at oAuth2 introspection (#480) (c9faecc)
0.38.9-beta.1 (2021-03-17)
This release adds support for X-Forwarded-Proto, passes tracing contexts to downstream requests, bumps Go to 1.16, and resolves issues preventing the log level from being set to trace level. Additionally included are improvements to the overall tracing set up, a cookie authenticator bugfix, and a bugfix for glob pattern matching.
- Pin v0.38.9-beta.1 release commit (9ad41f0)
0.38.9-beta.1.pre.3 (2021-03-16)
autogen: pin v0.38.9-beta.1.pre.3 release commit
-
Make glob patterns match only one path segment. (#664) (c711aac), closes #630:
This makes
/
also a separator as well as the presumably default value of.
. This allows using <*> for matching only one path segment.
- Pin v0.38.9-beta.1.pre.3 release commit (7725554)
0.38.9-beta.1.pre.2 (2021-03-15)
autogen: pin v0.38.9-beta.1.pre.2 release commit
- Pin v0.38.9-beta.1.pre.2 release commit (9695b77)
0.38.9-beta.1.pre.1 (2021-03-15)
autogen: pin v0.38.9-beta.1.pre.1 release commit
- Resolve goreleaser issues and bump golang (7291df9)
- Pin v0.38.9-beta.1.pre.1 release commit (7afdc40)
0.38.8-beta.1 (2021-02-25)
Improves tracing set up and addresses a bug in the cookie authenticator.
- Ignore cookie auth when no cookies set (c84d880)
- Pin v0.38.8-beta.1 release commit (2943e9a)
0.38.7-beta.1 (2021-02-22)
This release adds support for X-Forwarded-Proto, passes context for tracing to downstream requests, bumps Go to 1.16 and resolves issues preventing the log level from being set to trace level.
-
Accept lower and uppercase in bearer token handler (6e46d4a)
-
Add support for X-Forwarded-Proto header (#638) (6eb83fd), closes #153
-
Pass context through to external requests (#627) (ee25197):
Enables proper tracing through Jaeger etc
-
Update goreleaser config (9689f45)
-
Update log schema (78e654d)
- Pin v0.38.7-beta.1 release commit (3b37928)
0.38.6-beta.1 (2021-01-27)
We are happy to announce Dart and Rust SDKs for Ory Oathkeeper! Additionally, a
new bearer_token
authenticator has been added.
- Pin v0.38.6-beta.1 release commit (a0c4d7f)
-
Add Rust and Dart SDKs (1524fed):
We now support for Rust and Dart SDKs!
-
Rename index documents (7de0ac3)
-
Add bearer_token authenticator (#613) (b623ae7):
Adds a new authenticator to work with Kratos' new API token. Works the same as the cookie_session authenticator but checks for a bearer token in the Authorization header (unless overwritten by token_from)
0.38.5-beta.1 (2020-12-10)
The ORY Community is proud to present you the next iteration of ORY Oathkeeper. In this release, we focused on improving production stability and resolved several pesky bugs!
-
Check content-length header in lowercase (#530) (a68fc8a):
Issue #422 didn't fix the problem with the requests' Content-Length being copied in the responses because the check was case-sensitive and unit tests didn't cover it.
-
Never construct id token claim templates in parallel (#552) (4f504d9), closes #551
-
Remove token_type validation from introspection handler (#556) (b18d90a), closes #553
-
Support windows file paths (#557) (6a05682), closes #514 #332
-
Update dd-trace to fix build (2e571fa)
- Pin v0.38.5-beta.1 release commit (f4a04da)
-
Add contributing to sidebar (#595) (a3c9584):
The same change as in ory/hydra#2209
-
Add newsletter to config (3c02e22)
-
Fix typo (393af92)
-
Fix typo in API access rules and improve layout (#599) (6a30ce2)
-
Resolve regression issues (82008b2)
- Forward original authorization header when using remote (json) authorizer (#554) (f4f781e), closes #528
- Use google/go-cloud to fetch rules and credentials from object storage (#562) (666b951), closes #518 #518
- docs. fix typo in list (335189f)
0.38.4-beta.1 (2020-09-28)
This release stabilizes several features and resolves a couple of bugs.
-
Add tests in error_redirect_test.go (#522) (24bdd9b):
Increased tests coverage to cover for all the three valid scenarios - http absolute, https absolute, relative. Explicitly checked Location path to ensure that correct uri scheme was returned
-
Deprecated key in goreleaser config (2a4f901)
-
Ignore x/net false positives (bc8a32c)
-
Misleading HTTP status code for oauth2_client_credentials authenticator (#504) (0f65631), closes #496
- Pin v0.38.4-beta.1 release commit (1c997b2)
-
Fix broken links (dd3bfbe)
-
Fix OAuth2 Introspect Authn Config Documentation (#498) (7612e20):
Switch the definitions for the pre-authorisation fields 'scope' and 'token endpoint' in the documentation.
-
Fix sidebar (28247fc)
-
Move development section (582a4d0)
-
Move to json sidebar (b67230d)
-
Remove duplicate template (01550b4)
-
Update repository templates (2aaf766)
-
Add and automate version schema (7ab4012)
-
Add url_param config option to redirect error handler. (#520) (b5bb3bc), closes #511:
This change introduces a url_param config option for redirect error handler. If it contains a url paramter name, the redirect url will have this parameter set, containing the current url (from which Oathkeeper has redirected the user).
This can be useful in passing the return_to url to Kratos, so user can be redirected to the page they initially wanted to access after a successfull sign in.
-
Log invalid credentials on info level instead of error/warning (#517) (a372b5f), closes #505
-
Use uri-reference for errors redirect to allow relative urls (#516) (0d39674)
- Run go format (2c25a2a)
0.38.3-beta.1 (2020-07-29)
This release addresses several configuration bugs and resolves a potential panic.
- Matcher.Match panic on nil *url.URL (#485) (ab27dda), closes #484
- Remove HTTP method restrictions (#472) (bf8a888)
- Resolve build issues and bump herodot (f15e38d)
- Use ory-dev instead of swagutil (#465) (3fce382)
- Pin v0.38.3-beta.1 release commit (1f754a9)
- Delete old redirect homepage (a1a4610)
- Fix access rule example (739f179)
- Fix api access rule example (#460) (c75cd97)
- Update repository templates (edffc2e)
- Update repository templates (7af8749)
- Use central banner repo for README (04fe00c)
- Use mdx for api reference (368f073)
- Improve configurability of prometheus metrics (#450) (ddcb226), closes #446
- Pass query parameters to the hydrators (#479) (48603a1)
0.38.2-beta.1 (2020-05-25)
This patch makes timeouts configurable for oauth2_client_credentials and the reverse proxy and additionally allows prometheus to be configured.
- Pin v0.38.2-beta.1 release commit (0de2682)
- Add configurable timeouts to API server (#440) (0dc6292)
- Timeout config for oauth2_client_credentials (#443) (2462fa3), closes #442
0.38.1-beta.1 (2020-05-08)
Caching in the hydrator mutator has been improved. Please use
cache.enable=true
if you intend using the hydrator.
-
Improve caching strategy and config for hydrator (#433) (0047054):
To enable the hydrator cache you must now use the
cache.enabled
property. Also, the cache key strategy has been improved.
- Pin v0.38.1-beta.1 release commit (20f439d)
0.38.0-beta.2 (2020-05-07)
This release introduces Prometheus support, a new remote
authorizer, caching,
and several bugfixes!
No backwards incompatible changes have been introduced.
-
Add old schemas to resolve issues with old versions (b94c391), closes #400
-
Don't copy the decision endpoint request's Content-Length (#422) (0e99045):
We currently copy all original request headers send to the decission endpoint back. This can include the Content-Length header which describes the request body or response. Including the original request Content-Length causes issues for the decission endpoint client if the response body doesn't match the exact size.
This change makes sure the Content-Length doesn't get included in the response body and adds a test to prevent future regressions.
-
Use pipe to pass body remote authorizer (#426) (1a44087):
Resolves flaky tests.
-
Use semver-regex replacer func (a13cdf5)
- Pin v0.38.0-beta.2 release commit (73d36cd)
- Add
authentication_handler_no_match
to error example (ad182f4) - Add missing import (b76ee9c)
- Regenerate and update changelog (7121f65)
- Regenerate and update changelog (6fd7d66)
- Regenerate and update changelog (531200c)
- Regenerate and update changelog (cf8ad0c)
- Update github templates (#407) (9979d77)
- Update github templates (#409) (f92a029)
- Update github templates (#412) (884c113)
- Update github templates (#413) (6d7cba7)
- Update github templates (#413) (d692fbf)
- Update linux install guide (#414) (a0e2cc0)
- Updates issue and pull request templates (#392) (3724ebc)
- Updates issue and pull request templates (#393) (a4ade5c)
- Updates issue and pull request templates (#394) (0ef037a)
- Updates issue and pull request templates (#395) (ecab261)
- Use correct headline for cc handler (#420) (1401610)
-
Add cache to hydrator (#418) (1ae6e7a), closes #417:
This patch introduces new configuration parameters that allow the hydrator mutator to cache requests.
-
Add new remote authorizer that uses request body and headers (#416) (3a20637):
This pull request implements a new authorizer that sends the original request body as body to the remote endpoint. This allows the remote endpoint to take the body into account in its decision.
The current remote_json authorizer does not have the ability to send the request body of the request to authorize. This means this cannot be taken into account while checking permissions.
Providing the request body as part of the JSON payload won't always work as JSON cannot handle binary data.
-
Add prometheus endpoint providing basic request metrics (#404) (fdaed46):
This patch adds basic prometheus metrics. The prometheus metrics are exposed at the default prometheus exporter port 9000 and is configurable with:
serve: prometheus: port: 9000 host: localhost metrics_path: /metrics
-
Oauth2_introspect cache introspection results (#424) (d4557ae), closes #293
0.37.1-beta.1 (2020-04-03)
chore: replace segment with ory fork (#391)
- Regenerate and update changelog (4e251e9)
0.37.0-beta.1 (2020-04-02)
docs: document v0.36 and v0.37
This feature allows to use the regex capture groups from the URL matcher to be
used in several places, including the ID Token generator and elsewhere. To get
this working, existing keto_engine_acp_ory
authorizers are no longer able to
use regex substition in the form of my:action:$1
but instead must use the new
format which is {{ printIndex .MatchContext.RegexpCaptureGroups 0}}
(notice
that the index changed by -1). A rule migrator exists which makes old rules
compatible with the new format, if a version string is given. More details on
the rule migration can be found here:
https://github.com/ory/oathkeeper/pull/358/commits/fd16ceb230a1b14ebb01a147d2d70acce77f9fbd#diff-6177fb19f1b7d7bc392f5062b838df15
-
Add rule id to malformed configuration log error (#386) (7688a8d)
-
Disable test that fails with low cache hit rate (#372) (5414dda), closes #371
-
docker: Improve docker-compose example (#325) (1247381), closes #324:
Add a new file 'Dockerfile-dc' which will primarily be used by Docker Compose to build docker images. Unlike the existing Dockerfile which depends on the Makefile to build the binary, this Dockerfile copies the source code and builds the binary.
Oathkeeper has gone through a couple of changes since the initial draft of the docker compose file, considering these changes and the newly introduced Dockerfile in the previous commit, make these changes to the docker-compose.yml:
- Bump the version of the compose file to 3.
- Remove the need for the postgres database app, since Oathkeeper no longer needs a database.
- Remove the need for the migration app, since we no longer need to migrate since there is no database and the option is deprecated.
- Use the newly defined Dockerfile 'Dockerfile-dc'.
- We now serve both API and PROXY from the same app, so we don't need two instances of the app.
- Add sample config, rules and JWK files to
.docker_compose
, mount this via a volume mount.
-
Improve id_token performance with caching (#367) (47e9fee), closes #364
-
SendOAuth2 introspection scope only when strategy is none (#379) (5e0c8dc), closes #377:
This patch removes the
scope
key from the OAuth2 Introspection request body when a scope strategy other thannone
is set for the OAuth2 Introspection handler. If the scope strategy isnone
, thescope
key is included in the body.
-
Change link to Developer Install Guide (#369) (f7fe46f):
Changing the link to the Developer Documentation - it was pointing to Keto and not to Oathkeeper.
-
Document v0.36 and v0.37 (a176c73)
-
Fix examples for some JSON Schema config keys (#363) (aeeb353)
-
Regenerate and update changelog (9417e2c)
-
Regenerate and update changelog (b817037)
-
Regenerate and update changelog (33a5524)
-
Regenerate and update changelog (888b7a6)
-
Regenerate and update changelog (36faa3b)
-
Regenerate and update changelog (32b6059)
-
Regenerate and update changelog (ba4de09)
-
Regenerate and update changelog (a76f749)
-
Regenerate and update changelog (1789d00)
-
Regenerate and update changelog (0dfc608)
-
Regenerate and update changelog (b23c79a)
-
Regenerate and update changelog (2117171)
-
Regenerate and update changelog (38c9e19)
-
Regenerate and update changelog (e3eda75)
-
Regenerate and update changelog (e7d70f7)
-
Regenerate and update changelog (874b7a9)
-
Regenerate and update changelog (6b1d94b)
-
Regenerate and update changelog (cb38415)
-
Regenerate and update changelog (bec6af0)
-
Update forum and chat links (d9eed10)
-
Update README.md (#375) (313d2fe), closes #374:
Fixed link to Envoy configuration page and added link to AWS API Gateway.
- Add MatchContext in the AuthenticationSession (#358) (a421293)
- authn: Make oauth2_intsropsection configurable timeout (#370) (0a39511)
- authz: Add remote_json authorizer (#389) (45b9f8b), closes /github.com/ory/docs/commit/07a229701835d75e9c2e4b939badb2d5b96ae6aa#diff-c400219db6c7e4b6abab71839d9d294eR272 #201
- Enable OpenTracing (#376) (cb0f3f2)
0.36.0-beta.4 (2020-02-14)
docs: Regenerate and update changelog
- goreleaser: Update brew section (46fb3da)
- Regenerate and update changelog (95a7c09)
0.36.0-beta.1 (2020-02-05)
docs: Regenerate and update changelog
- Prepare ecosystem automation (81ea56b)
- Regenerate and update changelog (b71e48c)
- Regenerate and update changelog (4f22e42)
- Regenerate and update changelog (23e053f)
- Updates issue and pull request templates (#355) (f9251ed)
-
rule: Add glob matching strategy (#334) (5f983ab), closes #321:
This patch adds the ability to choose a matching strategy and adds a glob-based matching strategy to the available options (regex is still the default).
- Update CHANGELOG [ci skip] (8278b9d)
- Update CHANGELOG [ci skip] (17f78b7)
- Update CHANGELOG [ci skip] (d6f6925)
- Update CHANGELOG [ci skip] (0e109ce)
0.35.5-beta.2 (2020-01-31)
Update README.md
0.35.5-beta.1 (2020-01-27)
Hash enabled check to further improve performance (#353)
- Hash enabled check to further improve performance (#353) (19099cb), closes #353
- Update CHANGELOG [ci skip] (6afdeae)
- Update CHANGELOG [ci skip] (3226ae6)
0.35.4-beta.1 (2020-01-26)
Update release pipeline and tests (#351)
0.35.3-beta.1 (2020-01-26)
Update CHANGELOG [ci skip]
- Update CHANGELOG [ci skip] (518b765)
- Update SDK (5e619a0)
- Update CHANGELOG [ci skip] (495adcf)
- Use integer instead of number in config JSON schema (280b42f)
- Update CHANGELOG [ci skip] (b72965f)
- Update SDK (aedabd9)
- Set min/max for port range in config JSON Schema (#345) (d7d696f), closes #345
- Update CHANGELOG [ci skip] (8e4d58c)
- Fix profiling env variable not being picked up (#343) (29b0cf1), closes #343
- Update CHANGELOG [ci skip] (e7a5d89)
- Update CHANGELOG [ci skip] (abc00d4)
- Update SDK (a237c29)
- Update broken links in README (78e498c)
- Cache pipeline config and improve request latency (#348) (95673ed), closes #346
0.35.1-beta.1 (2020-01-14)
Update CHANGELOG [ci skip]
- Update CHANGELOG [ci skip] (63b0076)
0.35.0-beta.1 (2020-01-13)
Update CHANGELOG [ci skip]
- Incorporates changes from version v0.34.0-beta.1 [ci skip] (a8a62b4)
- Incorporates changes from version v0.34.0-beta.1-2-g7516eed [ci skip] (eb82132)
- Incorporates changes from version v0.34.0-beta.1-4-gee2b9e7 [ci skip] (d084c39)
- Incorporates changes from version v0.34.0-beta.1-6-g6723fb8 [ci skip] (ebe89ab)
-
Update CHANGELOG [ci skip] (f0e8ecf)
-
Update SDK (6a0a0f8)
-
Update CHANGELOG [ci skip] (2e13a05)
-
Remove superfluous version from workflows (55037fa)
-
Update CHANGELOG [ci skip] (dfbc231)
-
Update SDK (65222d5)
-
authn/cookie_session: Add subject_from modifier (#336) (6723fb8), closes #336:
The subject_from modifier is a GJSON path that points to the
subject
field. Useful if the upstream API does not return a{"subject": "..."}
format. -
authn/cookie_session: Add extra_from modifier (#335) (ee2b9e7), closes #335:
The extra_from modifier is a GJSON path that points to the extra field. Useful if the upstream API does not return a
{"subject": "...", "extra": "..."}
format. -
pipeline/authn: Add tests for cookie sources in jwt and oauth2_intro (#330) (#331) (7516eed), closes #330 #331 #330:
Also updates the schemas to add missing cookie config element.
0.34.0-beta.1 (2019-12-26)
Prepare v0.34.0-beta.1+oryOS.14 release
- Incorporates changes from version v0.33.1-beta.1 [ci skip] (6681754)
- Incorporates changes from version v0.33.1-beta.1-2-g4033321 [ci skip] (2764758)
- Incorporates changes from version v0.33.1-beta.1-4-g7e6f636 [ci skip] (66ae8c8)
-
Prepare v0.34.0-beta.1+oryOS.14 release (96f77b2)
-
pipe/err: Improve IP and MIME matching (#323) (7e6f636), closes #323:
Previously, MIME matching respected the request's wildcards which lead to multiple handlers feeling responsible for a particular request. Now, wildcards coming from the HTTP Request itself are interpreted literally.
Additionally, ORY Oathkeeper respected the X-Forwarded-For HTTP Header for matching remote IP addresses. This behavior is now turned off by default because clients were able to fake this header otherwise. It can explicitly be turned on by setting
config.when.#.request.remote_ip.RespectForwardedForHeader: true
. -
Add customizable error handlers (#322) (4033321), closes #322 #204 #252 #119:
This patch adds a new feature called error handlers. It allows to define the error handling logic globally and per rule. It is now possible, for example, to return a JSON response for
Accept: application/json
requests and a HTTP Redirect response for requests that are coming from a user.This also resolves several issues, as noted below:
0.33.1-beta.1 (2019-12-18)
docs: Incorporates changes from version v0.33.0-beta.1-12-g0dd3fe3 [ci skip]
- Incorporates changes from version v0.33.0-beta.1 [ci skip] (a178031)
- Incorporates changes from version v0.33.0-beta.1-10-g3e7936a [ci skip] (083b7eb)
- Incorporates changes from version v0.33.0-beta.1-12-g0dd3fe3 [ci skip] (82c5253)
- Incorporates changes from version v0.33.0-beta.1-6-gf60f525 [ci skip] (9870722)
- Incorporates changes from version v0.33.0-beta.1-8-g815951b [ci skip] (d77b225)
-
Properly merge env vars into pipeline configs (#320) (3e7936a), closes #320 #305 #317:
Previously, some keys did not respect the values set in the environment variables.
-
Add alpine-based Docker image (#318) (815951b), closes #318 #312
-
Add more details to decision logging (#316) (f60f525), closes #316 #244 #242:
Adds details such as the HTTP Method, User Agent, Subject, and other information to the logging output of both the reverse proxy and the decision API.
-
Health endpoints now emit TRACE logs (#314) (9036f8e), closes #283:
Remove health endpoints from the logs to make monitoring easier. Setting
log_level
totrace
will show these calls. -
Improve session endpoint debugability (#315) (2718639), closes #300
-
Resolve matcher cache (#313) (1519632), closes #291:
A bug caused the rule matcher to not cache the regular expression result.
-
Use bearer splitting when header is set to Authorization (#311) (464fa31), closes #308
0.33.0-beta.1 (2019-12-16)
pipeline/mutator: Refactor hydrator retry config (#287)
- Incorporates changes from version v0.32.1-beta.1 [ci skip] (98c9bf8)
- Incorporates changes from version v0.32.1-beta.1-5-gf028719 [ci skip] (9f9c00c)
- pipeline/mutator: Refactor hydrator retry config (#287) (2a97e05), closes #287
- Update README banner (#307) (f028719), closes #307
- Add cookie as an option for oauth2_introspection authenticator (#301) (e3fa55a), closes #301
- Add preserve_path option for cookie session to not override the path in the request (#297) (7e86b78), closes #297
- Allow specifying additional headers for the oauth introspection request (#302) (b1e5cea), closes #302
0.32.1-beta.1 (2019-10-30)
docs: Incorporates changes from version v0.32.0-beta.1-13-g1910bbe [ci skip]
- Add notes for 0.32.0 (40e3b89)
- Incorporates changes from version v0.32.0-beta.1 [ci skip] (f3a0e53)
- Incorporates changes from version v0.32.0-beta.1-11-g7892d2f [ci skip] (c41ecd4)
- Incorporates changes from version v0.32.0-beta.1-13-g1910bbe [ci skip] (d45e1a0)
- Incorporates changes from version v0.32.0-beta.1-3-g8cf6868 [ci skip] (2c8fbf7)
- Incorporates changes from version v0.32.0-beta.1-9-g08d42da [ci skip] (6ce3344)
-
pipeline/authz: Add Content-Type header in the call to Keto (#290) (1910bbe), closes #290
-
Revert incorrect license changes (7892d2f)
-
Revert readme changes to last working version (08d42da)
-
Remove obsolete section from README (aa8deef)
-
Fix broken readme headlines (2e8109a)
-
Auto-kill test runner after 10 retries (#286) (eaad598), closes #286
-
Dereference config schema and resolve issues (#282) (8cf6868), closes #282 ory/docs#217 #234 #281
-
Update ory/x/viperx dependency (#285) (0ef3bce), closes #276 #270 #279 #280:
This patch automatically binds environment variables to configuration keys. This patch resolves several issues:
0.32.0-beta.1 (2019-10-20)
docs: Incorporates changes from version v0.31.0-beta.1 [ci skip]
- Incorporates changes from version v0.31.0-beta.1 [ci skip] (dafc870)
0.31.0-beta.1 (2019-10-20)
docs: Incorporates changes from version v0.30.0-beta.1 [ci skip]
- Incorporates changes from version v0.19.1-beta.1-2-g41869a9 [ci skip] (a44846b)
- Incorporates changes from version v0.20.0-beta.1 [ci skip] (aaf801b)
- Incorporates changes from version v0.30.0-beta.1 [ci skip] (ebd198a)
-
pipeline/authn: Add token_from config to introspection and jwt (#271) (fc85ac8), closes #271 #257:
Add additional optional configuration to jwt and oauth2_introspection authenticators allowing to set from where (which header or query parameter) the token should be received. The configuration is a token_from field in per-rule-configuration, as described in a linked issue.
-
Update UPGRADE.md (4e4bd93)
-
Update upgrade instructions (7483d1c)
-
Add migration capabilities (#268) (bc74e72), closes #266:
Adds the ability to modify rules with backwards compatibility.
-
Change error code from 403 to 401 (#259) (c17e564), closes #256
-
Force auth style in oauth2 client credentials authn (#267) (97d7890), closes #260
0.19.0-beta.1 (2019-09-23)
Fix id_token schema reference URL
- Fix id_token schema reference URL (72a2333)
- Resolve broken tests (#262) (bc67cc1), closes #262
- Homogenize configuration management (#258) (89709aa), closes #258
- Fix #250: Ignore query parameters to build payload for Keto engine (#251) (d0fc7f4), closes #250 #251
0.18.0-beta.1 (2019-08-22)
mutator/id_token: Add claim templating (#246)
- Incorporates changes from version v0.17.4-beta.1 (370eb37)
- Incorporates changes from version v0.17.5-beta.1 (f7beddc)
- Updates issue and pull request templates (#237) (6181ee5)
- Updates issue and pull request templates (#238) (6f83cda)
- Updates issue and pull request templates (#239) (2e0b3ef)
- Updates issue and pull request templates (#245) (f140837)
- mutator/id_token: Add claim templating (#246) (591f524), closes #246
- Add mutator for modifying authenticationSession with external API (#240) (b38b0f4), closes #240
- Support multiple mutators per access rule (#233) (d21179d), closes #233 #233
- Add adopters placeholder (#236) (302c7b8)
0.17.4-beta.1 (2019-08-09)
Add sprig template library (#235)
- Incorporates changes from version v0.17.3-beta.1 (b271ff2)
- Updates issue and pull request templates (#232) (00c08ba)
0.17.3-beta.1 (2019-08-03)
rule: Resolve k8s configmap reload issue (#231)
- Incorporates changes from version v0.17.2-beta.1 (e652c3f)
0.17.2-beta.1 (2019-08-02)
rules: Support kubernetes configmap reloading (#230)
- Incorporates changes from version v0.17.1-beta.1 (64d180f)
- Updates issue and pull request templates (#226) (007d491)
0.17.1-beta.1 (2019-07-23)
rule: Fix panic on send on closed channel (#225)
Closes #224
- Incorporates changes from version v0.17.0-beta.1 (8f4a518)
0.17.0-beta.1 (2019-07-18)
ci: Automate schema confiugration sync
- Automate schema confiugration sync (94bcc4f)
- Incorporates changes from version v0.16.0-beta.5 (a8afc3b)
- Update upgrade guide (a8ccb05)
- Update upgrade guide (f727efe)
-
Fix broken reload tests (d6059b7)
-
Validate configuration with JSON Schema (997427d)
-
Watch configuration and access rule changes (#217) (a078e89), closes #217:
This patch allows oathkeeper to re-load any changes made to the configuraiton file and/or the access rules to be reloaded without a restart.
Some configuration keys like serve., log., profiling however require a restart.
-
Create FUNDING.yml (d7da8e2)
-
Add support for rules in YAML format (#213) (67face6), closes #213:
This commit adds support for defining access rules in YAML format, in addition to existing JSON format.
-
Do not fatal when immutable value is changed (717d7f7)
-
Remove useless function (3521a3d)
0.16.0-beta.5 (2019-06-28)
authenticator: Add cookie session authenticator (#211)
- Incorporates changes from version v0.16.0-beta.4 (1e03ee2)
-
Add description into the name of subtest (#212) (230c332), closes #212
-
Update config.yaml (#204) (effe9c0), closes #204:
There's no DSN in oathkeeper
0.16.0-beta.4 (2019-05-28)
server: Properly declare negroni middleware (#200)
Previously, negroni.With was mistakenly used to add middleware onto the stack. The proper method however is negroni.Use.
This patch fixes the use of negroni.With and resolves issues around logging and the decisions endpoint.
Closes #199
- Incorporates changes from version v0.16.0-beta.3 (d777ecf)
- Updates issue and pull request templates (#196) (74fa27b)
- Updates issue and pull request templates (#197) (31d057c)
- Updates issue and pull request templates (#198) (244810a)
-
Properly declare negroni middleware (#200) (9d3dc54), closes #199:
Previously, negroni.With was mistakenly used to add middleware onto the stack. The proper method however is negroni.Use.
This patch fixes the use of negroni.With and resolves issues around logging and the decisions endpoint.
0.16.0-beta.3 (2019-05-19)
ci: Use golang for docs task
- Use golang for docs task (b120c72)
- Incorporates changes from version v0.15.2 (7ceabe9)
- Rename config.yml -> config.yaml (4faecbe)
- Updates issue and pull request templates (#189) (367a48d)
- Reduce deployment complexity and refactor internals (#185) (6b509ad), closes #185 #178 #177 #174 #168 #164 #141 #140 #136 #122
- Resolve issue with install.sh script (#187) (d31d5be), closes #187
0.15.2 (2019-05-04)
cmd/client: Use json rawmessage for arbtrary payloads (#184)
Closes #182
Signed-off-by: Stanislav Zapolsky [email protected]
- Incorporates changes from version v0.15.1 (5c34958)
0.15.1 (2019-04-29)
vendor: Add go.sum (#180)
Signed-off-by: aeneasr [email protected]
0.15.0 (2019-04-29)
docker: Remove full tag from build pipeline (#179)
Signed-off-by: aeneasr [email protected]
- Incorporates changes from version v0.0.0-testrelease.3 (44649b6)
- Incorporates changes from version v0.14.2+oryOS.10 (2d9899a)
- Update patrons (f423666)
- Update README building-from-source part with the gomodule way (#152) (9d653f5), closes #149
-
Update CHANGELOG.md (cbccbe2)
-
Ensure rule matcher is locked before updating (#159) (6fb7151):
Lock CachedMatcher before rules are updated when HTTPMatcher refreshes to avoid concurrent map iteration and map write errors.
-
Move to go-swagger SDK code generation (#170) (38c52a3), closes #165
-
Remove sdk dependencies to keto/hydra (#173) (b538e3c):
This patch replaces code-generated SDKs with raw http.Client calls which reduces dependencies and makes future changes to the keto/hydra SDK easier to adopt to.
-
Remove vendored dependencies after sdk generation (7c33ca8)
-
Set request headers for credential issuers (#169) (4fc579c), closes #120 #133
-
Update Dockerfile build instructions (ec40cc4)
-
Use scp,scope,scopes in jwt authenticator (#162) (eebc2f4), closes #138:
Previously, the JWT authenticator only used the "scope" claim to retrieve scope values from a JWT. Now, "scp", "scope", "scopes" are supported as string arrays and strings separated by spaces.
0.14.2+oryOS.10 (2018-12-13)
ci: Fix docker push arguments in publish task
Signed-off-by: aeneasr [email protected]
- Fix docker push arguments in publish task (62415a1)
0.14.1+oryOS.10 (2018-12-13)
ci: Fix docker release task
Signed-off-by: aeneasr [email protected]
- Fix docker release task (893385b)
0.14.0+oryOS.10 (2018-12-13)
ci: Fix circle misconfiguration
Signed-off-by: aeneasr [email protected]
- Fix circle misconfiguration (a00ce64)
- Adds gh templates & code of conduct (#78) (02361aa)
- Adds link to examples repository (#79) (bfe96e9)
- Align changelog, upgrade with new versions (#143) (751dfa3)
- Clarify beyondcorp (3647958)
- Clarify breaking change policy (6e6bb7e)
- Fix broken link (#87) (828b33e)
- Fix proxy help command description (#142) (c836cb0)
- Fix typo in README. (#118) (3d33fcc)
- Grammatical fix in stability sentence (#86) (ff0604d)
- Improve some docs and update SDK (#135) (9a6901d)
- Incorporates changes from version v0.11.12-1-gace7f34 (3a6450c)
- Incorporates changes from version v0.11.12-10-g57ac174 (c594b7e)
- Incorporates changes from version v0.11.12-13-gd00dfed (7c221fa)
- Incorporates changes from version v0.11.12-15-g6604045 (2a594f4)
- Incorporates changes from version v0.11.12-3-g7acfbca (ac34a58)
- Incorporates changes from version v0.11.12-6-g181e9ac (01dda53)
- Incorporates changes from version v1.0.0-beta.1 (788e96b)
- Incorporates changes from version v1.0.0-beta.2-1-gd6eb440 (579f7a7)
- Incorporates changes from version v1.0.0-beta.2-10-gef6e889 (38cfb31)
- Incorporates changes from version v1.0.0-beta.2-12-g9b6c0df (82ac9b2)
- Incorporates changes from version v1.0.0-beta.2-6-ged2f983 (d9737c8)
- Incorporates changes from version v1.0.0-beta.2-8-g5495d4a (546828d)
- Incorporates changes from version v1.0.0-beta.3-3-g3c0c862 (e1127a8)
- Incorporates changes from version v1.0.0-beta.4-1-g643dbea (5c40f97)
- Incorporates changes from version v1.0.0-beta.4-12-gbfe96e9 (756178a)
- Incorporates changes from version v1.0.0-beta.4-17-gfa5388c (3d5df8b)
- Incorporates changes from version v1.0.0-beta.4-19-g6d647d7 (b5539f4)
- Incorporates changes from version v1.0.0-beta.4-3-g951da25 (8931b39)
- Incorporates changes from version v1.0.0-beta.4-5-g83b591d (4f2c64b)
- Incorporates changes from version v1.0.0-beta.4-7-gf450697 (8f904d2)
- Incorporates changes from version v1.0.0-beta.4-9-g02361aa (5b34e91)
- Incorporates changes from version v1.0.0-beta.5-1-g3647958 (2bcfb39)
- Incorporates changes from version v1.0.0-beta.6-1-gff0604d (0c69154)
- Incorporates changes from version v1.0.0-beta.6-3-g828b33e (c53f5b2)
- Incorporates changes from version v1.0.0-beta.8 (92c09fb)
- Incorporates changes from version v1.0.0-beta.9 (b9127f6)
- Update documentation links (#144) (84131d2)
- Update link to security console (26fdda1)
- Update migration guide (b2e6d67)
- Updates copyright notice (e58535d)
- Updates issue and pull request templates (#126) (5991a92)
- Updates issue and pull request templates (#127) (e4d0e26)
- Updates link to open collective (25e0dee)
- Updates links to docs (9dca7c0)
- Updates links to docs (57ac174)
- Updates newsletter link in README (97f1dea)
- Updates readme TOC (3c0c862)
- Updates README.md (1387f9f)
- Updates TOC (9b6c0df)
- Updates upgrade.me (0118f9f)
-
Support "scope" claim as a string in jwt authenticator (#137) (ab5240e), closes #137
-
Adds docker-compose example with postgres (84f1313)
-
Reduces setup complexity by making strategies configurable (6626f8f), closes #71:
This patch adds another ID Token signing algorithm (HS256) which is easier to set up as it does not rely on ORY Hydra but instead on a shared secret.
Additionally the ability to specify which ID Token singing algorithm to use has been added. Environmental variables to configure the behvaiour have been added as well.
Further, the ORY Keto Warden Authorizer strategy is now optional and disabled when the environment variable
AUTHORIZER_KETO_WARDEN_KETO_URL
is empty. -
Tells linguist to ignore SDK files (ace7f34)
-
Add ability to configure scope strategy (519a536)
-
Add cookies credentials issuer (032d88e)
-
Add endpoint for answering access requests directly (d211641), closes #42:
This patch adds endpoint
/judge
tooathkeeper serve api
. The/judge
endpoint mimics the behavior ofoathkeeper serve proxy
but instead of forwarding the request to the upstream server, the endpoint answers directly with a HTTP response.The HTTP response returns status code 200 if the request should be allowed and any other status code (e.g. 401, 403) if not.
Assuming you are making the following request:
PUT /judge/my-service/whatever HTTP/1.1 Host: oathkeeper-api:4456 User-Agent: curl/7.54.0 Authorization: bearer some-token Accept: */* Content-Type: application/json Content-Length: 0
And you have a rule which allows token
some-bearer
to accessPUT /my-service/whatever
and you have a credentials issuer which does not modify the Authorization header, the response will be:HTTP/1.1 200 OK Authorization: bearer-sometoken Content-Length: 0 Connection: Closed
If the rule denies the request, the response will be, for example:
HTTP/1.1 401 OK Content-Length: 0 Connection: Closed
-
Add headers credentials issuer (b084c32)
-
Add http proxy timeout config (#132) (b3718ce):
Add environment parameters (and description) to configure timeout settings of a server handled proxy requests.
It will help prevent a case of unexpected closing a client connection if an upstream request is executing more than default timeout.
-
Add JWT authenticator (61625bc)
-
Adds ability to specify db url via env var in migrate (b2cc5d2)
-
Adds and improves metrics middleware (b0dfd97)
-
Adds log message when telemetry is active (ed2f983)
-
Adds validator for rules (#77) (f450697):
This patch adds an input validator for rules which should prevent accidental typos or similar issues when creating a rule. Additionally, no invalid/unconfigured handlers (authorizers, credential issuers, authenticators) can be used.
-
Allow empty upstream in rules (e46065a)
-
Convert AuthenticationSession to local struct type for better handling (b00b2a2)
-
Disable cors per default (#107) (c5ab0c3):
This patch introduces CORS_ENABLED which defaults to "false".
-
Doesn't fatal if no ORY Hydra is unresponsive. (#66) (181e9ac), closes #65
-
Expose all ORY Hydra ports in tests (691a72d)
-
Expose all ORY Hydra ports in tests (add70c6)
-
Ignore query parameters when matching url in rules. (#139) (07eb99b)
-
Improve compatibility with ORY Hydra 1.0.0-beta.8 (#108) (296e012), closes #101:
This patch improves compatibility with ORY Hydra 1.0.0-beta.8 and updates vendored dependencies.
-
Improve hydra integration tests (e8b7a58)
-
Improve refresh subroutines (cc33538)
-
Improves cors parsing (d00dfed)
-
Improves test set up (6b6bb88)
-
Include headers credential issuer in handler factory (0e1ef1b)
-
Introduce health and version endpoint (029c7ff)
-
Make subject configurable using go template (#129) (ee9dcdd)
-
More CredentialsIssuerHeaders tests (079171f)
-
Move headers into new config field (51eb9fb)
-
Properly handle conflicts on PUT and POST (83b591d), closes #38:
Previously, PUT and POST did not result in errors (409) when non-existing resources were modified, or existing resources were created. This patch resolves that.
-
Refresh rules in api mode (08204e8)
-
Remove package.json from swagger dir (837d18c)
-
Removes obsolete benchmark (3f259da)
-
Resolve broken introspection scope setting (18837a9)
-
Resolves an issue with cached matchers (951da25), closes #73:
This patch resolves an issue where updates would not properly propagate. This caused deleted rules to still be available in the proxy.
-
Resolves issues with broken tests (6604045)
-
Resolves naming issues and updates readme (5495d4a)
-
Resolves panic when network fails in "rules import" (078542a)
-
Resolves potential panic in request handler (ef6e889)
-
Resolves recursive stack overflow (#81) (0594cda), closes #80
-
Streamlines https configuration variables (#124) (9f6f815), closes #121
-
Test for errors (585672e)
-
Test missing Extra field (a4d3d2d)
-
Test nesting of various types (188748d)
-
Test template caching/lookup (ab8a402)
-
Update keto to latest (3e2a8de)
-
Update rules stub (475f39a)
-
Updates to ORY Hydra v1.0.0-beta.2 (e4c9f2e)
-
Upgrade superagent version (44ed240)
-
Use print funcmap function to override text/template print (76b2d9d)
-
Validate handler configurations (a558103)
0.11.12 (2018-05-07)
Introduces new versioning number to match ORY Hydra
-
Adds edit on github links (95af1bb)
-
Fixes redirect path (9bca2f3)
-
Redirect to ory domain (0599e63)
-
Removes newline from swagger doc (5e297b3)
-
Removes stray line in api docs (bed1a04)
-
Removes summary plugin (ce06f4e)
-
Resolves broken policy and client definitions (#55) (4676f40), closes #53
-
Updates chat badge to discord (1bbac52)
-
Updates execution instructions (#56) (3bcfd8b):
Adjusting run script to respect env variables
-
Updates swagger docs (5ea68c2)
-
Introduces new versioning number to match ORY Hydra (75b5121)
-
Adds license (cc13ae8)
-
Updates README.md (c9340dc)
-
Adds mock generation script (00b51b7)
-
Corrects logging typo (#52) (d415291):
This corrects logging from 'oahtkeeper-proxy' to 'oathkeeper-proxy' in, e.g., the proxy latency logline.
-
Updates hydra sdk mock (2ff8032)
-
Updates hydra to 0.11.6 (ee969f6)
-
Updates license header (94a2ed2)
-
Use source file from vendor for mock generation (42517c6)
-
Uses Hydra v0.11.6 in tests (9c2cc89)
0.0.29 (2017-12-19)
Adds use field to well known (#48)
0.0.28 (2017-12-19)
Replaces key discovery with well-known feature (#46)
Closes #43
0.0.27 (2017-12-12)
Adds cors capabilities to management server
- Adds cors capabilities to management server (6519846)
0.0.26 (2017-12-11)
Adds hydra.introspect to required tokens
0.0.25 (2017-11-28)
Add extra data from token introspection to session
- Add extra data from token introspection to session (ce8f9f2)
0.0.24 (2017-11-26)
Replaces LogError with direct error logging
- Replaces LogError with direct error logging (73994b8)
- Upgrades vendor dependencies (4207aef)
- Introduces telemetry module and adds documentation (c5a7f7a), closes #27 #34
- Use oathkeeper public url as issuer (1e5ae00)
0.0.23 (2017-11-24)
Print formatted output string in rule management CLI (#35)
- Print formatted output string in rule management CLI (#35) (b14c74e), closes #35
- Update docs and add tests (#32) (c6bf7d1), closes #32
0.0.22 (2017-11-20)
Renames bypass values for better clarity
Closes #13 Closes #29
0.0.21 (2017-11-19)
Request hydra.keys scope and fix panic
- Request hydra.keys scope and fix panic (546b2cf)
0.0.20 (2017-11-18)
docs: Improve swagger documentation
- Add developer guide link to readme (68be400)
- Add install and run section (87f0700)
- Fix table of contents in summary (fdb752b)
- Improve swagger documentation (8f16a9b)
- Wrote basic developer guide (952d27c)
- Replace shared secret with RSA key from Hydra for ID token signing (e7ed8ca)
- Ignore gitbook output directory (580b94f)
- Add rules management capabilities to the cli (289c38a)
- Format cmd/serve (bc2e7c1)
0.0.19 (2017-11-13)
evaluator: Use full request URL
- Use full request URL (2b4b149)
0.0.18 (2017-11-13)
evaluator: Improve audit capabilities
- Improve audit capabilities (c952d21)
- Resolve potential panic in token id generation (8fe9e9a), closes #22
0.0.17 (2017-11-12)
Introduces surrogate_id to SQLManager (#21)
0.0.16 (2017-11-12)
Replace MatchesPath with MatchesURL (#20)
0.0.15 (2017-11-09)
Add HTTPS capabilities and document proxy/management commands (#19)
0.0.14 (2017-11-07)
Make refresh_delay configurable and skip it on boot (#18)
0.0.13 (2017-11-07)
Store rules path match in plaintext (#17)
0.0.12 (2017-11-07)
Use ladon regex compiler for matches (#16)
- Use ladon regex compiler for matches (#16) (972a328), closes #16
- Fix typo in circle-ci test-docker job (5618c30)
- Run docker image in test (12b5f13)
0.0.11 (2017-11-06)
Move gatekeeper to $PATH in docker image
0.0.10 (2017-11-06)
Add ssl certificates to scratch image
0.0.9 (2017-11-06)
Build binary statically with CGO disabled
- Build binary statically with CGO disabled (6dd3761)
0.0.8 (2017-11-06)
Make oathkeeper binary executable#
- Make oathkeeper binary executable# (9e24888)
0.0.7 (2017-11-06)
Build oathekeeper docker image statically (#14)
-
Build oathekeeper docker image statically
-
Build oathekeeper docker image statically
-
Build oathekeeper docker image statically (#14) (dbd2037), closes #14:
-
Build oathekeeper docker image statically
-
Build oathekeeper docker image statically
-
0.0.6 (2017-11-03)
Added serve all command
- Added serve all command (dfc071c)
0.0.5 (2017-11-01)
Remove goveralls from circle build
- Remove goveralls from circle build (8362e1c)
- Add cors handling to proxy (84cec15)
- Use circle ci build status badge (b776e05)
- Use circle ci build status badge (65c4100)
- Switch from glide to golang/dep for vendoring (ec63fa4)
- Resolve tests by replacing nil slice (#7) (971d020), closes #7
0.0.4 (2017-10-21)
Return arrays instead of null on rule creation (#6)
- Return arrays instead of null on rule creation (#6) (02e88be), closes #6
- Add circleci configuration file (#5) (76e58f2), closes #5
0.0.3 (2017-10-18)
Force linefeed for shell scripts
0.0.2 (2017-10-12)
cmd: remove unnecessary scope hydra.warden.*
0.0.1 (2017-10-10)
travis: add goveralls report submission (#2)
- Update readme (c11056a)