Releases: istio-ecosystem/authservice
v1.0.1
This is a bugfix release that includes fixes for several CVEs as well as fixes for small regressions introduced in v1.0.0.
In addition to the bug fixes, it also comes with the following added features:
- Reduces the number of requests to the OIDC well-known endpoint.
- Added support for retrieving the end-session endpoint from the OIDC Discovery endpoint.
- Enhanced identity Provider logging. Starting on
v1.0.1you can enable theidplogger atdebuglevel to show all the requests and responses exchanged with the identity Provider in the authservice logs. Use with caution and only for debugging purposes, as these logs may contain sensitive information. - Added examples to help getting started with authservice and Istio.
- Configured a nightly vulnerability scan job to report new vulnerabilities to the GitHub Code Scanning page.
Detailed changelog
- Allow customizing the Istio version to use in the e2e tests by @nacx in #243
- Upgrade Go to 1.22.2 to get rid of CVE-2023-45288 by @nacx in #244
- Configure nightly vulnerability scans and report upload by @nacx in #245
- Infer the JWS signing algorithm name by looking at the provided key by @erik-h in #247
- Use the OIDC Discovery end session endpoint if present by @nacx in #249
- Add a logger to log the calls to the Identity Provider by @nacx in #250
- Cache well-known responses to avoid making too much calls to the IdP by @nacx in #251
- Add minimal examples to make it easier to get started by @nacx in #252
- Bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #253
- Fix scan job configuration by @nacx in #254
- Update code owners by @nacx in #248
- Update protoc-gen-go comment to fix
make checkby @sergicastro in #257 - Validate token_type case-insensitively by @jojonium in #256
- Fix flaky file watcher test by @sergicastro in #258
New Contributors
We want to thank our new contributors for taking the time to report issues, implement, and contribute the fixes. Thank you! 🙇♂️
Full Changelog: v1.0.0...v1.0.1
Contributors
Assets 6
v1.0.0
authservice 1.0.0
This is the first release of the Go rewrite of the authservice! 🚀
This is a full rewrite of the project in pure Go, to improve code readability, testability, quality, and the overall maintainability of the project. It provides feature parity with the original project, and the Docker images that are published on the project's GitHub Docker registry can be used as a drop-in replacement for the old authservice ones.
This project adds extensive code coverage, several end-to-end test suites that verify the correct behavior of the supported OIDC flows, as well as a compatibility suite that runs with both images, the Go-based authservice and the old C++ authservice to make sure backward-compatibility is not broken.
In addition to the extensive tests and feature parity, this first release of the Go authservice fixes the following issues:
- Add integration tests that can run in CI
- Allow configuration of endpoints by configuring the OIDC Provider's well-known endpoint
- CI could automatically build container images on every commit to master which passes unit tests
- Update base image of Authservice container image
- Change the inline OIDC client configuration to reference of a k8s secret
- How to set the client secret from an existing kubernetes secret?
Check it out!
- Use the Docker image right away.
- Or read the Development Guide and start contributing!
Initial contributors
The first release of the Go rewrite of theauthservice has been crafted with a lot of dedication and work from @zhaohuabing, @sergicastro, and @nacx, and thoroughly tested by @sbko Thank you all for your contributions!
Full release changelog: https://github.com/istio-ecosystem/authservice/commits/v1.0.0
Contributors
Assets 6
0.5.3-rc1
What's Changed
- Move the VERSION env to GITHUB_ENV. by @incfly in #221
- Fix the unmatched request handling by set the grpc status in payload. by @incfly in #223
- clean the commented out code. by @incfly in #224
- Use @envoy//bazel:boringssl by @dio in #228
- http: Ignore X509_R_CERT_ALREADY_IN_HASH_TABLE by @dio in #230 #220
- Enable FIPS for Linux only by @dio in #231
Full Changelog: 0.5.1...0.5.3-rc1
Contributors
Assets 5
0.5.3
What's Changed
- Move the VERSION env to GITHUB_ENV. by @incfly in #221
- Fix the unmatched request handling by set the grpc status in payload. by @incfly in #223
- clean the commented out code. by @incfly in #224
- Use @envoy//bazel:boringssl by @dio in #228
- http: Ignore X509_R_CERT_ALREADY_IN_HASH_TABLE by @dio in #230 #220
- Enable FIPS for Linux only by @dio in #231
Full Changelog: 0.5.1...0.5.3
Contributors
Assets 5
0.5.2
Merge github.com:istio-ecosystem/authservice into release-0.5
0.5.2-rc1
Fix the unmatched request handling by set the grpc status in payload.… … (#223) * mst fix e2e with hardcode. Signed-off-by: Jianfei Hu <hujianfei258@gmail.com> * wip organize the convert code. Signed-off-by: Jianfei Hu <hujianfei258@gmail.com> * update example to use localhost Signed-off-by: Jianfei Hu <hujianfei258@gmail.com> * make format. Signed-off-by: Jianfei Hu <hujianfei258@gmail.com>
0.5.1
Compared with 0.5.0, this releases
- Fixed the timeout issue we see when integrating with ADFS, #211 by closing the connection explicitly.
- Ensure using
libc++for bazel build in the final release image,libc++,libgcc,libstdc++if are used, they are all static linked. #215 - Use Ubuntu 18.04 (previous 20.04) as build environment. #219
- Added standalone binary into the release artifcats.
v0.5.0
New Features
- JWKs fetcher for token validation.
- healthcheck endpoint for active JWKs existence.
- BoringSSL-FIPS build.
Bugs Fixed
- #167 Fix out of memory problem during service running.
- reject requests by default if they are not matched any filter chain.
- Remove the authentication based on "Authorization: ".
Docker containers
v0.4.1
Make header handling case-insensitive per HTTP RFC.
v0.4.0
https://github.com/istio-ecosystem/authservice/packages/42399\
New Features
- Add availability to use ext_authz V3 API.
- Introduced backward compatibility layer between v2 and v3 API
oidc_overridefilter that is merged withdefault_oidc_config