@thegdsks thegdsks released this 23 Jun 00:01
4e760df

theauth-go v2.4.0

The enterprise security profile, supply chain hardening, and storage portability release.
v2.4 closes the FAPI 2.0 baseline by combining PAR (RFC 9126), JAR (RFC 9101), and
JWT-Bearer client authentication (RFC 7523). A new MySQL 8.x backend, public storagetest
contract suite, CIBA backchannel authentication (RFC 9509), and a Cognito/Auth0 CLI
migration tool round out the release. All additions are fully additive: downstream
code compiles unchanged.

Highlights

FAPI 2.0 baseline (PAR + JAR + JWT-Bearer)

PAR (#64) pushes the full authorization request to the AS over a back-channel before
the browser redirect, eliminating parameter exposure in browser history. JAR (#64) wraps
the parameters in a client-signed JWT, preventing tampering even over the back-channel.
JWT-Bearer client authentication (#65) replaces client_secret with a signed JWT assertion,
making client credentials tamper-evident and eliminating the need to distribute shared
secrets. Together these three features satisfy the FAPI 2.0 Security Profile baseline.

CIBA backchannel authentication (RFC 9509, #66)

Decouples the consumption device from the authentication device. IoT appliances, voice
assistants, call center terminals, and TV apps can now trigger authentication without a
browser redirect. The user approves on their phone. Supports Poll and Ping delivery modes.
Implement the AuthenticationDevice interface to connect any push notification system.

MySQL 8.x storage backend (#62)

Full parity with the postgres adapter. storage/mysql satisfies both theauth.Storage
and OAuthServerStorage. Enable contract testing with THEAUTH_MYSQL_CONTRACT=1. Use
on PlanetScale, AWS RDS MySQL, or any MySQL 8.x host.

Cognito + Auth0 migration CLI (#63)

cmd/theauth-migrate cognito and cmd/theauth-migrate auth0 export user data into an
auditable intermediate JSON bundle, validate it, and apply it to any theauth-go storage
backend. Auth0 users keep their bcrypt password hashes; theauth-go re-hashes with Argon2id
transparently on the next login (controlled by PasswordPolicy.AllowLegacyBcrypt).

Signed releases (goreleaser + cosign + SLSA, #57)

Every release artifact is now signed with Sigstore keyless signing via the GitHub Actions
OIDC identity and comes with a CycloneDX SBOM and SLSA level-3 provenance attestation.
Verify with:

cosign verify-blob \
  --certificate-identity "https://github.com/glincker/theauth-go/.github/workflows/release.yml@refs/tags/v2.4.0" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --signature theauth-go-v2.4.0.tar.gz.sig \
  --certificate theauth-go-v2.4.0.tar.gz.cert \
  theauth-go-v2.4.0.tar.gz

gh attestation verify theauth-go-v2.4.0.tar.gz --repo glincker/theauth-go

Public storagetest contract suite (#58)

storagetest.Run(t, func() theauth.Storage { return mystorage.New() })

Twelve functional areas. Both in-tree adapters run it in CI.

Upgrading from v2.3

All additions are opt-in via new nil-by-default config fields. Existing code compiles
and runs unchanged. See the v2.3 to v2.4 migration guide
for opt-in instructions.

go get github.com/glincker/theauth-go@v2.4.0
go mod tidy
go build ./...

Full changelog

See CHANGELOG.md for
the complete entry, including per-PR change details, RFC citations, and notes on the
storagetest contract coverage.

What is NOT changing

  • mcpresource module gains zero new transitive dependencies.
  • theauth.Storage and OAuthServerStorage interfaces are unchanged.
  • All existing config structs compile unchanged.
  • Public API is byte-stable.