- Drop support for Rails 6
- Drop support for Ruby 3.0
- Add a config option that lets apps change the default behaviour of intercepting 401 responses, by including an initialiser: `GDS::SSO.config { |config| config.intercept_401_responses = false }`.
- Add an `AuthorisedUserConstraint` class so that consumer apps can easily add permission-based route constraints.
- Add a deprecation warning for `GDS::SSO::ControllerMethods::PermissionDeniedException`. If your app uses this, replace it with `GDS::SSO::PermissionDeniedError`.
- We no longer set `ActiveSupport::Cache::NullStore.new` as the default cache. This avoids a deprecation warning when the gem is used in Rails apps.
  - If you're using `gds-sso` in a Rails app and relying on the Railtie to set the cache, you don't need to do anything.
  - If you're using `gds-sso` and manually setting the cache, you don't need to do anything.
  - If you're using `gds-sso` outside of a Rails app and you're not explicitly setting the cache, you'll need to configure it before you can use `GDS::SSO::BearerToken.locate`.
- Enable OAuth2 PKCE extension in the GDS OAuth2 OmniAuth Strategy. The PKCE extension was enabled in Signon in PR 2312.
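What the PKCE extension (RFC 7636) actually adds to the authorisation-code exchange, as an added example that is not code from gds-sso, Signon or OmniAuth: the client generates a random `code_verifier`, sends only its SHA-256 `code_challenge` on the authorize redirect, and presents the verifier when redeeming the code, so a stolen authorisation code cannot be exchanged without the verifier. The `Pkce` module below is a hypothetical stand-alone implementation of both sides of that check (omniauth-oauth2 generates these values itself once its `pkce` strategy option is on); the test vector is the one from RFC 7636 Appendix B.

```ruby
require "digest"
require "securerandom"

# Added example (not gds-sso/OmniAuth code): the PKCE values a client sends
# and the server-side check Signon-style authorisation servers perform.
module Pkce
  VERIFIER_RE = /\A[A-Za-z0-9\-._~]{43,128}\z/.freeze

  # RFC 7636 s4.1: 43..128 chars from the unreserved set. 32 random bytes,
  # base64url-encoded without padding, is exactly 43 characters.
  def self.code_verifier(bytes = 32)
    base64url(SecureRandom.random_bytes(bytes))
  end

  # S256 method: BASE64URL(SHA256(ASCII(code_verifier))), no padding.
  def self.code_challenge(verifier)
    base64url(Digest::SHA256.digest(verifier))
  end

  # Client leg 1: extra query params on the authorize redirect.
  def self.authorize_params(verifier)
    { "code_challenge" => code_challenge(verifier), "code_challenge_method" => "S256" }
  end

  # Client leg 2: extra form param on the token request.
  def self.token_params(verifier)
    { "code_verifier" => verifier }
  end

  # Server side: recompute the challenge from the presented verifier and
  # compare in constant time. Fails closed on malformed input and on the
  # "plain" method, which gives no protection against a leaked challenge.
  def self.verify(verifier, stored_challenge, method = "S256")
    return false unless verifier.is_a?(String) && stored_challenge.is_a?(String)
    return false unless method == "S256"
    return false unless verifier.match?(VERIFIER_RE)

    secure_compare(code_challenge(verifier), stored_challenge)
  end

  def self.base64url(bin)
    [bin].pack("m0").tr("+/", "-_").delete("=")
  end

  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  v = Pkce.code_verifier
  p Pkce.authorize_params(v)          # sent on the authorize redirect
  p Pkce.token_params(v)              # sent when redeeming the code
  p Pkce.verify(v, Pkce.code_challenge(v))  # server check
end
```

The point for a consumer app is that the verifier never leaves the client until the token request, so intercepting the authorize redirect (or the callback carrying the code) is not enough to complete the exchange.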
- Drop support for Ruby 2.7. (#277)
- Relax rubocop-govuk dependency constraint to ~> 4. (#280)
- Update Plek support to allow version 5
- Merge omniauth-gds gem into this codebase, ahead of that gem's retirement.
- Drop support for Ruby 2.6 and Rails 5.
- Permit 2.x versions of oauth2 gem.
- Add `allow_other_host: true` to redirects, for improved Rails 7 support.
- Upgrade OmniAuth to 2.0, and explicitly allow GET requests (#243). OmniAuth 2.0 restricts the request phase to POST by default as a CSRF mitigation; allowing GET opts out of that default.
- Fix linting issues
- BREAKING: OAUTH_ID environment variable is replaced by GDS_SSO_OAUTH_ID and OAUTH_SECRET is replaced by GDS_SSO_OAUTH_SECRET
- Simplify logic to detect and configure API-only apps
- Automatically configure Rails cache for API apps
- Add config defaults that are common across our initializers
- Fix linting issues
- BREAKING: Drop support for Rails 4 and Ruby versions < 2.6
- Change `update_attributes` calls to `update!` to resolve deprecation warnings
- Change the link on the 'unauthorised' page to point to modern GOV.UK.
- Set a user agent for the Omniauth OAuth2 client.
- Allow further customising the OAuth2 Faraday connection_opts.
- Reduce the default open_timeout to 5 seconds.
- Add missing require 'gds-sso/version'.
- Set a user agent for the OAuth client.
- Remove the deprecated `require_signin_permission!` method.
- Provide option to allow applications to specify extra permissions that the mock api user needs. The functionality updates the dummy api user to include the permissions if they do not currently have those permissions.
- Update README to include instructions on how to set up the extra permissions for the mock api user.
- Update the deprecation warning for `require_signin_permission!`.
- Provide option to run in an api_only mode, which happens implicitly if you are using Rails 5 in api_only mode. This disables the routes and parts of this gem used in the oauth redirect dance.
- Use the name of signon instead of signonotron2 since it was renamed.
- Allow running a mock sso session in a Rails production environment via ENV var - to make it easier to test apps in Rails production environment.
- Deprecate `require_signin_permission!`. The signin permission is no longer optional, and signon itself manages this during the oauth handshake (see: RFC 78)
- README fix
- Remove Rails 3 specific cruft #114
- Permit one or more permissions #112
- Breaking: Drop support for Ruby 2.1, Rails 4.1 #104
- Breaking: Identify API calls via the presence of a bearer token #107
- Support Rails 5 #105
- Add support for caching the bearer token request to Signon
Breaking changes introduced in #95:
- Drop support for Ruby 1.9.3
- Drop support for Rails 4.0
- Add support for Ruby 2.3.0
- Use `test` for maximum compatibility of the test-unit/minitest `User` linter
- Add a test-unit/minitest compatible linter for validating that the `User` model is compatible with GDS SSO
- Add `disabled` attribute expectation to the existing RSpec shared example
- Pin dependencies to prevent updating to non-compatible versions
- Rerelease of 10.1.0
- Breaking change: Add support for organisation_content_id on the user model
- Fix the user model linter to work with a uid column defined as `NOT NULL`
- Strengthen lint specs around the user `update_attributes` method
- Add a `disabled` field to `GDS::SSO::User` to reflect Signon user state. Breaking change: requires consuming apps to add a `disabled` field to their user model
- Add an RSpec shared example for validating that the User model in the app does enough to work with GDS SSO. To use it:

  ```ruby
  require 'gds-sso/lint/user_spec'

  describe User do
    it_behaves_like "a gds-sso user class"
  end
  ```
- Include oauth client_id when requesting user details from signon. This allows signon to verify that the token used belongs to the app making the request. Sending this id will become mandatory in future.
- update/reauth requests get a content-type of 'text/plain' in responses
- Adds support for string timestamps in serialized sessions (Rails 4.1).
- New sessions are created using ISO 8601 string timestamps.
- Change `find_for_gds_oauth` to find by UID, then fall back to email. This fixes an issue where users logging into preview were duplicated because UIDs are not synced.
- Fix bug in creation of dummy API user in test mode
- Minor bugfix to allow building of gems such as govuk_content_models which do not load rails.
- Includes fix to get the mock_gds_sso_api_access strategy working in development for apps that don't have a role attribute on User.
- Using User#where instead of User#find_by_email in mock gds api user warden strategy, to make it compatible with apps using mongoid.
- UX fix: check whether a remotely signed-out user has signed in again and, if so, let them continue; otherwise, ask them to log in again.
- The controllers provided by gds-sso no longer inherit from an application's ApplicationController, and instead inherit directly from ActionController::Base.
- Changed "organisation" to "organisation_slug"
- Changed "organisations" (array) to "organisation" (string)
- Apps using gds-sso must now include a field in their User model for "organisations", which is an array of organisation slugs sourced from https://whitehall-admin.production.alphagov.co.uk/api/organisations
- Removed support for basic authentication. Please use Bearer token authentication instead. This means creating API users and granting them appropriate permissions. See the Signonotron README for more information: https://github.com/alphagov/signonotron2#usage