Release v7.5.1 (oauth2-proxy#2227)

* Update changelog for v7.5.1 release * Create versioned docs for release v7.5.x Created using: yarn run docusaurus docs:version 7.5.x --------- Co-authored-by: Joel Speed <[email protected]>
tuunit · Oct 26, 2023 · 70f35ae · 70f35ae
1 parent 76a6add
commit 70f35ae
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,11 +6,31 @@
 
 ## Breaking Changes
 
+## Changes since v7.5.1
+
+# V7.5.1
+
+## Release Highlights
+- 🐛 Several bugs have been squashed
+- 🕵️‍♀️ Vulnerabilities have been addressed
+- 📖Improved docs
+
+## Important Notes
+
+- This release includes fixes for a number of CVEs, we recommend to upgrade as soon as possible.
+- The environment variable OAUTH2_PROXY_GOOGLE_GROUP has been deprecated in favor of OAUTH2_PROXY_GOOGLE_GROUPS. Next major release
+will remove this option. This change makes sure that the configuration options follow the documentation.
+
+## Breaking Changes
+
+N/A
+
 ## Changes since v7.5.0
 - [#2220](https://github.com/oauth2-proxy/oauth2-proxy/pull/2220) Added binary and docker release platforms (@kvanzuijlen)
 - [#2221](https://github.com/oauth2-proxy/oauth2-proxy/pull/2221) Backwards compatible fix for wrong environment variable name (OAUTH2_PROXY_GOOGLE_GROUPS) (@kvanzuijlen)
 - [#1989](https://github.com/oauth2-proxy/oauth2-proxy/pull/1989) Fix default scope for keycloak-oidc provider (@tuunit)
 - [#2217](https://github.com/oauth2-proxy/oauth2-proxy/pull/2217) Upgrade alpine to version 3.18 (@polarctos)
+- [#2208](https://github.com/oauth2-proxy/oauth2-proxy/pull/2208) Improved session documentation (@lathspell)
 - [#2229](https://github.com/oauth2-proxy/oauth2-proxy/pull/2229) bugfix: default scopes for OIDCProvider based providers (@tuunit)
 - [#2194](https://github.com/oauth2-proxy/oauth2-proxy/pull/2194) Fix Gitea token validation (@tuunit)
 
@@ -26,6 +46,8 @@
 ## Important Notes
 
 - This release includes fixes for a number of CVEs, we recommend to upgrade as soon as possible.
+- This release was pushed with the wrong Docker platform type for arm64/armv8. Use v7.5.1 instead.
+- This release introduced a bug with the Keycloak OIDC provider causing no scopes to be send along with the request. Use v7.5.1 instead.
 
 ## Breaking Changes
 

diff --git a/docs/versioned_docs/version-7.5.x/configuration/sessions.md b/docs/versioned_docs/version-7.5.x/configuration/sessions.md
@@ -52,6 +52,33 @@ in redis via the `SETEX` command.
 Encrypting every session uniquely protects the refresh/access/id tokens stored in the session from
 disclosure.
 
+Additionally the browser only has to send a short Cookie with every request and not the whole JWT, which can get quite big.
+
+Two settings are used to configure the OAuth2 Proxy cookie lifetime:
+
+    --cookie-refresh duration   refresh the cookie after this duration; 0 to disable
+    --cookie-expire duration    expire timeframe for cookie     168h0m0s
+
+The "cookie-expire" value should be equal to the lifetime of the Refresh-Token that is issued by the OAuth2 authorization server.
+If it expires earlier and is deleted by the browser, OAuth2 Proxy cannot find the stored Refresh-Tokens in Redis and thus cannot start
+the refresh flow to get new Access-Tokens. If it is longer, it might be that the old Refresh-Token will be found in Redis but has already
+expired.
+
+The "cookie-refresh" value controls when OAuth2 Proxy tries to refresh an Access-Token. If it is set to "0", the
+Access-Token will never be refreshed, even it is already expired and there would be a valid Refresh-Token in the
+available. If set, OAuth2 Proxy will refresh the Access-Token after this many seconds even if it is still valid.
+Of course, it will also be refreshed after it has expired, as long as a Refresh Token is available.
+
+Caveat: It can happen that the Access-Token is valid for e.g. "1m" and a request happens after exactly "59s".
+It would pass OAuth2 Proxy and be forwarded to the backend but is just expired when the backend tries to validate
+it. This is especially relevant if the backend uses the JWT to make requests to other backends.
+For this reason, it's advised to set the cookie-refresh a couple of seconds less than the Access-Token lifespan.
+
+Recommended settings:
+
+* cookie\_refresh := Access-Token lifespan - 1m
+* cookie\_expire := Refresh-Token lifespan (i.e. Keycloak's client\_session\_idle)
+
 #### Usage
 
 When using the redis store, specify `--session-store-type=redis` as well as the Redis connection URL, via
@@ -68,4 +95,4 @@ Note that flags `--redis-use-sentinel=true` and `--redis-use-cluster=true` are m
 
 Note, if Redis timeout option is set to non-zero, the `--redis-connection-idle-timeout` 
 must be less than [Redis timeout option](https://redis.io/docs/reference/clients/#client-timeouts). For example: if either redis.conf includes 
-`timeout 15` or using `CONFIG SET timeout 15` the `--redis-connection-idle-timeout` must be at least `--redis-connection-idle-timeout=14`
+`timeout 15` or using `CONFIG SET timeout 15` the `--redis-connection-idle-timeout` must be at least `--redis-connection-idle-timeout=14`
diff --git a/docs/versioned_docs/version-7.5.x/installation.md b/docs/versioned_docs/version-7.5.x/installation.md
@@ -10,7 +10,7 @@ slug: /
 
     b. Build with `$ go install github.com/oauth2-proxy/oauth2-proxy/v7@latest` which will put the binary in `$GOPATH/bin`
 
-    c. Using the prebuilt docker image [quay.io/oauth2-proxy/oauth2-proxy](https://quay.io/oauth2-proxy/oauth2-proxy) (AMD64, ARMv6 and ARM64 tags available)
+    c. Using the prebuilt docker image [quay.io/oauth2-proxy/oauth2-proxy](https://quay.io/oauth2-proxy/oauth2-proxy) (AMD64, PPC64LE, ARMv6, ARMv7, and ARM64 tags available)
 
     d. Using a [Kubernetes manifest](https://github.com/oauth2-proxy/manifests) (Helm)