db74661

Release Highlights

  • #1361 PKCE Code Challenge Support - RFC-7636 (@braunsonm)
    • At this time the --code-challenge-method flag can be used to enable it with the method of your choice.
  • Partial support for OAuth2 Authorization Server Metadata for detecting code challenge methods (@braunsonm)
    • A warning will be displayed when your provider advertises support for PKCE but you have not enabled it.
  • Support for the ARMv8 and ppc64le architectures
  • Configurable upstream request timeouts
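As an added illustration of what the --code-challenge-method choice means on the wire (this is not oauth2-proxy's own code), the following Go snippet derives the RFC 7636 code_challenge for both defined methods and shows the server-side check; the function names are assumptions:

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// NewCodeVerifier returns a random RFC 7636 code_verifier: 32 random bytes
// base64url-encoded without padding give 43 unreserved characters.
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallenge derives the code_challenge sent on the authorization request.
// "S256" sends BASE64URL(SHA256(verifier)); "plain" sends the verifier itself,
// so anyone who observes the authorization request also learns the verifier.
func CodeChallenge(verifier, method string) (string, error) {
	switch method {
	case "S256":
		sum := sha256.Sum256([]byte(verifier))
		return base64.RawURLEncoding.EncodeToString(sum[:]), nil
	case "plain":
		return verifier, nil
	default:
		return "", fmt.Errorf("unsupported code_challenge_method %q", method)
	}
}

// VerifyChallenge is the authorization server's side: recompute the challenge
// from the code_verifier presented at the token endpoint and compare it with
// the challenge stored alongside the authorization code.
func VerifyChallenge(verifier, challenge, method string) bool {
	got, err := CodeChallenge(verifier, method)
	return err == nil && got == challenge
}

func main() {
	v, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	c, _ := CodeChallenge(v, "S256")
	fmt.Println(v, c, VerifyChallenge(v, c, "S256"))
}
```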

Important Notes

  • Separate oauth2-proxy image tags for each architecture are deprecated. Instead, images are cross compiled and pushed under the same tag for every platform. If you are using an architecture specific tag (ex: v7.2.1-arm64) you should move to the generic tag instead (ex: v7.2.1).
  • #1478 Changes the UID and GID of the runtime user to 65532, which is also known as the nonroot user in distroless images.
  • This release includes fixes for a number of CVEs; we recommend upgrading as soon as possible.

Breaking Changes

N/A

Changes since v7.2.1

  • #1662 Discover signature algorithms from OIDC provider (@JoelSpeed)
  • #1651 Updated go-lang's text, crypto and prometheus dependencies to fix reported security vulnerabilities. (@rkkris75)
  • #1595 Add optional allowed_emails query parameter to the auth_request. (@zv0n)
  • #1478 Parameterise the runtime image (@omBratteng)
  • #1583 Add groups to session too when creating session from bearer token (@adriananeci)
  • #1418 Support for passing arbitrary query parameters through from /oauth2/start to the identity provider's login URL. Configuration settings control which parameters are passed by default and precisely which values can be overridden per-request (@ianroberts)
  • #1559 Introduce ProviderVerifier to clean up OIDC discovery code (@JoelSpeed)
  • #1561 Add ppc64le support (@mgiessing)
  • #1563 Ensure claim extractor does not attempt profile call when URL is empty (@JoelSpeed)
  • #1560 Fix provider data initialisation (@JoelSpeed)
  • #1555 Refactor provider configuration into providers package (@JoelSpeed)
  • #1394 Add generic claim extractor to get claims from ID Tokens (@JoelSpeed)
  • #1468 Implement session locking with session state lock (@JoelSpeed, @Bibob7)
  • #1489 Fix Docker Buildx push to include build version (@JoelSpeed)
  • #1477 Remove provider documentation for Microsoft Azure AD (@omBratteng)
  • #1204 Added configuration for the audience claim (--oidc-extra-audience) and the ability to specify extra audiences (--oidc-extra-audience) allowed to pass audience verification. This enables support for AWS Cognito and other issuers that have custom audience claims. Also, this adds the ability to allow multiple audiences. (@kschu91)
  • #1509 Update LoginGovProvider ValidateSession to pass access_token in Header (@pksheldon4)
  • #1474 Support configuration of minimal acceptable TLS version (@polarctos)
  • #1545 Fix issue with query string allowed group panic on skip methods (@andytson)
  • #1286 Add the allowed_email_domains and the allowed_groups on the auth_request + support standard wildcard char for validation with sub-domain and email-domain. (@w3st3ry @armandpicard)
  • #1361 PKCE Code Challenge Support - RFC-7636 (@braunsonm)
  • #1594 Release ARMv8 docker images (@braunsonm)
  • #1649 Return a 400 instead of a 500 when a request contains an invalid redirect target (@Niksko)
  • #1638 Implement configurable upstream timeout (@jacksgt)
  • #1650 Fixed 500 when checking if user has repo (@adamsong)
  • #1635 Added description and unit tests for ipv6 address (@t-katsumura)
  • #1502 Unbreak oauth2-proxy for keycloak provider after 2c668a (@ckwalsh)
5761849

Release Highlights

This release contains a number of bug and security fixes, but has no feature additions.

Important Notes

N/A

Breaking Changes

N/A

Changes since v7.2.0

6c379f7

Release Highlights

  • LinkedIn provider updated to support the new v2 API
  • Introduce --force-json-errors to allow OAuth2 Proxy to protect JSON APIs and disable authentication redirection
  • Add URL rewrite capabilities to the upstream proxy
  • New ADFS provider integration
  • New Keycloak OIDC provider integration
  • Introduced Multiarch Docker images on the standard image tags

Important Notes

  • #1086 The extra validation to protect against invalid session deserialization from v6.0.0 (only) has been removed to improve performance. If you are on v6.0.0, either upgrade to a version before this first and allow legacy sessions to expire gracefully, or change your cookie-secret value and force all sessions to reauthenticate.
  • #1210 A new keycloak-oidc provider has been added with support for role based authentication. The existing keycloak auth provider will eventually be deprecated and removed. Please switch to the new provider keycloak-oidc.

Breaking Changes

  • #1239 GitLab groups sent in the X-Forwarded-Groups header to the upstream server will no longer be prefixed with group:

Changes since v7.1.3

88122f6

Release Highlights

  • Fixed typos in the metrics server TLS config names

Important Notes

  • #967 --insecure-oidc-skip-nonce is currently true by default in case any existing OIDC Identity Providers don't support it. The default will switch to false in a future version.

Breaking Changes

Changes since v7.1.2

9d20b4e
4daa66e
d64d717

Release Highlights

  • New improved design for sign in and error pages based on the Bulma framework
  • Refactored template loading
    • robots.txt, sign_in.html and error.html can now be provided individually in --custom-templates-dir
    • If any of the above are not provided, defaults are used
    • Default templates can be found in pkg/app/pagewriter
  • Introduction of basic Prometheus metrics
  • Introduction of a Traefik based local testing/example environment
  • Support for request IDs to allow correlation of the log lines belonging to one request

Important Notes

  • GHSA-652x-m2gr-hppm GitLab group authorization stopped working in v7.0.0; the functionality has now been restored, please see the linked advisory for details
  • #1103 Upstream request signatures via --signature-key are deprecated. Support will be removed completely in v8.0.0.
  • #1087 The default logging templates have been updated to include {{.RequestID}}
  • #1117 The --gcp-healthchecks option is now deprecated. It will be removed in a future release.
    • To migrate, you can change your application health checks for OAuth2 Proxy to point to the --ping-path value.
    • You can also migrate the user agent based health check using the --ping-user-agent option. Set it to GoogleHC/1.0 to allow health checks on the path / from the Google health checker.

Breaking Changes

N/A

Changes since v7.0.1

4fa607f

Release Highlights

  • Fixed a bug that meant that flag ordering mattered
  • Fixed a bug where response headers for groups were not being flattened

Important Notes

N/A

Breaking Changes

N/A

Changes since v7.0.0

0698587

Release Highlights

  • Major internal improvements to provider interfaces
  • Added group authorization support
  • Improved support for external auth for Traefik
  • Introduced alpha configuration format to allow users to trial new configuration format and alpha features
  • GitLab provider now supports restricting to members of a project
  • Keycloak provider now supports restricting users to members of a set of groups
  • (Alpha) Flexible header configuration allowing user defined mapping of session claims to header values

Important Notes

  • GHSA-4mf2-f3wh-gvf2 The whitelist domain feature has been updated to fix a vulnerability that was identified; please see the linked advisory for details
  • #964 Redirect URL generation will attempt secondary strategies in the priority chain if any fail the IsValidRedirect security check. Previously any failure fell back to /.
  • #953 Keycloak will now use --profile-url, if set, for the userinfo endpoint instead of --validate-url. --validate-url will still work for backwards compatibility.
  • #957 To use X-Forwarded-{Proto,Host,Uri} in redirect detection, --reverse-proxy must be true.
  • #936 The --user-id-claim option is deprecated and replaced by --oidc-email-claim
  • #630 GitLab project restriction needs a GitLab application with the extra read_api scope enabled
  • #849 The /oauth2/auth allowed_groups querystring parameter can be paired with the allowed-groups configuration option.
    • The allowed_groups querystring parameter can specify multiple comma delimited groups.
    • In this scenario the user's groups must include at least one entry from each list; otherwise a 401 or 403 response code is returned.
    • Example:
      • OAuth2-Proxy globally sets allowed_groups to engineering.
      • An application using Kubernetes ingress uses the /oauth2/auth endpoint with the allowed_groups querystring set to backend.
      • A user must have a session with the groups ["engineering", "backend"] to pass authorization.
      • Another user with the groups ["engineering", "frontend"] would fail the querystring authorization portion.
  • #905 Existing sessions from v6.0.0 or earlier are no longer valid. They will trigger a reauthentication.
  • #826 skip-auth-strip-headers now applies to all requests, not just those where authentication would be skipped.
  • #797 The behavior of the Google provider groups restriction changes with this release
    • Either --google-group or the new --allowed-group will work for Google now (--google-group will be used if both are set)
    • Group membership lists will be passed to the backend with the X-Forwarded-Groups header
    • If you change the list of allowed groups, existing sessions that now don't have a valid group will be logged out immediately.
      • Previously, group membership was only checked on session creation and refresh.
  • #789 --skip-auth-route is (almost) backwards compatible with --skip-auth-regex
    • We are marking --skip-auth-regex as DEPRECATED and will remove it in the next major version.
    • If your regex contains an = and you want it for all methods, you will need to add a leading = (this is the area where --skip-auth-regex doesn't port perfectly)
  • #575 Sessions from v5.1.1 or earlier will no longer validate since they were not signed with SHA1.
    • Sessions from v6.0.0 or later had a graceful conversion to SHA256 that resulted in no reauthentication
    • Upgrading from v5.1.1 or earlier will result in a reauthentication
  • #616 Ensure you have configured oauth2-proxy to use the groups scope.
    • The user may be logged out initially as they may not currently have the groups claim; after going back through the login process they will be authenticated.
  • #839 Enables complex data structures for group claim entries, which are output as JSON by default.
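The two-list rule from the #849 note above, written out as an added Go illustration (not oauth2-proxy's own implementation; Authorized, parseAllowedGroups and hasAnyGroup are assumed names). The per-request list is the raw allowed_groups querystring value and the global list is the allowed-groups option; an empty list imposes no restriction:

```go
package main

import (
	"fmt"
	"strings"
)

// parseAllowedGroups splits a comma delimited allowed_groups querystring
// value into a list, trimming whitespace and dropping empty entries.
func parseAllowedGroups(raw string) []string {
	var out []string
	for _, g := range strings.Split(raw, ",") {
		if g = strings.TrimSpace(g); g != "" {
			out = append(out, g)
		}
	}
	return out
}

// hasAnyGroup reports whether at least one session group is in allowed.
func hasAnyGroup(sessionGroups, allowed []string) bool {
	set := make(map[string]struct{}, len(allowed))
	for _, g := range allowed {
		set[g] = struct{}{}
	}
	for _, g := range sessionGroups {
		if _, ok := set[g]; ok {
			return true
		}
	}
	return false
}

// Authorized applies both lists: the session must satisfy the global
// allowed-groups option and, when present, the allowed_groups querystring.
// The matching group need not be the same entry in both lists.
func Authorized(sessionGroups, globalAllowed []string, queryAllowed string) bool {
	if len(globalAllowed) > 0 && !hasAnyGroup(sessionGroups, globalAllowed) {
		return false
	}
	perRequest := parseAllowedGroups(queryAllowed)
	if len(perRequest) > 0 && !hasAnyGroup(sessionGroups, perRequest) {
		return false
	}
	return true
}

func main() {
	global := []string{"engineering"} // constructed sample, as in the note
	fmt.Println(Authorized([]string{"engineering", "backend"}, global, "backend"))
	fmt.Println(Authorized([]string{"engineering", "frontend"}, global, "backend"))
}
```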

Breaking Changes

  • #964 --reverse-proxy must be true to trust X-Forwarded-* headers as canonical. These are used throughout the application in redirect URLs, cookie domains and host logging logic. These are the headers:
    • X-Forwarded-Proto instead of req.URL.Scheme
    • X-Forwarded-Host instead of req.Host
    • X-Forwarded-Uri instead of req.URL.RequestURI()
  • #953 In config files & envvar configs, keycloak_group is now the plural keycloak_groups. Flag configs are still --keycloak-group but it can be passed multiple times.
  • #911 Specifying a non-existent provider will cause OAuth2-Proxy to fail on startup instead of defaulting to "google".
  • #797 Security changes to Google provider group authorization flow
    • If you change the list of allowed groups, existing sessions that now don't have a valid group will be logged out immediately.
      • Previously, group membership was only checked on session creation and refresh.
  • #722 When a Redis session store is configured, OAuth2-Proxy will fail to start up unless connection and health checks to Redis pass
  • #800 Fix import path for v7. The import path has changed to support the go get installation.
    • You can now go get github.com/oauth2-proxy/oauth2-proxy/v7 to get the latest v7 version of OAuth2 Proxy
    • Import paths for package are now under v7, eg github.com/oauth2-proxy/oauth2-proxy/v7/pkg/<module>
  • #753 A bug in the Azure provider prevented it from properly passing the configured protected --resource via the login url. If this option was used in the past, behavior will change with this release as it will affect the tokens returned by Azure. In the past, the tokens were always for https://graph.microsoft.com (the default) and will now be for the configured resource (if it exists, otherwise it will run into errors)
  • #754 The Azure provider now has token refresh functionality implemented. This means that there won't be any redirects in the browser anymore when tokens expire, but instead a token refresh is initiated in the background, which leads to new tokens being returned in the cookies.
    • Please note that --cookie-refresh must be 0 (the default) or equal to the token lifespan configured in Azure AD to make Azure token refresh reliable. Setting this value to 0 means that it relies on the provider implementation to decide if a refresh is required.

Changes since v6.1.1

e4e5580

Release Highlights

  • Fixed a bug which prevented static upstreams from being used
  • Fixed a bug which prevented file based upstreams from being used
  • Ensure that X-Forwarded-Host is respected consistently

Important Notes

N/A

Breaking Changes

N/A

Changes since v6.1.0