Pomerium v0.5.0 Release Notes

Release Date: 2019-11-15
  • v0.5.0

    🚀 Lots of great stuff in this release, but be sure to follow the upgrade guide at the end of this document as there are several breaking changes!

    🆕 New

    • 🌐 Session state is now route-scoped. Each managed route uses a transparent, signed JSON Web Token (JWT) to assert identity.
    • Managed routes no longer need to be under the same subdomain! Access can be delegated to any route, on any domain.
    • Programmatic access now also uses JWT tokens. Access tokens are now generated via a standard oauth2 token flow, and credentials can be refreshed for as long as is permitted by the underlying identity provider.
    • 👉 User dashboard now pulls in additional user context fields (where supported) like the profile picture, first and last name, and so on.

    🔒 Security

    • Some identity providers (Okta, OneLogin, and Azure) previously used mutable signifiers to set and assert group membership. Group membership for all providers now uses globally unique and immutable identifiers when available.

    🔄 Changed

    • 📄 Azure AD identity provider now uses globally unique and immutable ID for group membership.
    • 📄 Okta no longer uses tokens to retrieve group membership. Group membership is now fetched using Okta's HTTP API. Group membership is now determined by the globally unique and immutable ID field.
    • 📄 Okta now requires an additional set of credentials, configured as a service account, which are used to query for group membership.
    • URLs are no longer validated to be on the same domain-tree as the authenticate service. Managed routes can live on any domain.
    • OneLogin no longer uses tokens to retrieve group membership. Group membership is now fetched using OneLogin's HTTP API. Group membership is now determined by the globally unique and immutable ID field.

    ✂ Removed

    • 🚚 Force refresh has been removed from the dashboard.
    • 🚚 The previous programmatic authentication endpoint (/api/v1/token) has been removed and is no longer supported.

    ⬆️ Upgrade Guide

    💥 Breaking

    Subdomain requirement dropped

    • Pomerium services and managed routes are no longer required to be on the same domain-tree root. Access can be delegated to any route, on any domain (that you have access to, of course).

    Azure AD

    • ⚡️ Azure Active Directory now uses the globally unique and immutable ID instead of the group name to attest a user's group membership. Please update your policies to use group ID instead of group name.

    Okta

    • 📄 Okta no longer uses tokens to retrieve group membership. Group membership is now fetched using Okta's API.
    • ⚡️ Okta's group membership is now determined by the globally unique and immutable ID field. Please update your policies to use group ID instead of group name.
    • 📄 Okta now requires an additional set of credentials, configured as a service account, which are used to query for group membership.

    OneLogin

    • ⚡️ OneLogin group membership is now determined by the globally unique and immutable ID field. Please update your policies to use group ID instead of group name.
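    Updating policies from group names to group IDs, as an added example that is not Pomerium's own tooling: a helper that maps each name to the IdP's immutable ID and refuses to guess when a display name is ambiguous or unknown, since names are exactly the mutable signifiers this release moves away from. The `allowed_groups` policy key and the shape of the group listing are assumptions.

```python
from collections import defaultdict

# Constructed stand-in for an IdP group listing: immutable id plus mutable display name.
IDP_GROUPS = [
    {"id": "00g1a2b3c4d5e6f7g8h9", "name": "engineering"},
    {"id": "00g9h8g7f6e5d4c3b2a1", "name": "ops"},
    {"id": "00gdup1111111111111", "name": "contractors"},
    {"id": "00gdup2222222222222", "name": "contractors"},  # two groups share a name
]

# Constructed policy as it would load from Pomerium's YAML; `allowed_groups`
# is assumed to be the key that carries the group references.
POLICY = [
    {"from": "https://httpbin.corp.example.com", "to": "http://httpbin",
     "allowed_groups": ["engineering", "ops"]},
    {"from": "https://wiki.corp.example.com", "to": "http://wiki",
     "allowed_groups": ["contractors"]},
]


def build_name_index(groups):
    """Map display name -> list of IDs; more than one ID means the name is ambiguous."""
    index = defaultdict(list)
    for g in groups:
        index[g["name"]].append(g["id"])
    return index


def migrate_policy(policy, groups):
    """Rewrite allowed_groups from names to immutable IDs.

    Returns (new_policy, problems); a route with any name that does not map
    to exactly one ID is left untouched and reported, never silently changed.
    """
    index = build_name_index(groups)
    known_ids = {g["id"] for g in groups}
    migrated, problems = [], []
    for route in policy:
        ids, bad = [], []
        for ref in route.get("allowed_groups", []):
            if ref in known_ids:                 # already an ID: keep it
                ids.append(ref)
            elif len(index.get(ref, [])) == 1:   # unique name: translate
                ids.append(index[ref][0])
            else:
                bad.append((route["from"], ref, "ambiguous" if ref in index else "unknown"))
        problems.extend(bad)
        migrated.append(route if bad else {**route, "allowed_groups": ids})
    return migrated, problems
```

Running it on the fixtures translates the httpbin route and reports the wiki route's "contractors" reference as ambiguous; the reported routes must be resolved by hand against the IdP before the upgraded policy is deployed.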

    🚚 Force Refresh Removed

    🚚 Force refresh has been removed from the dashboard. Logging out and back in again should have the equivalent desired effect.

    Programmatic Access API changed

    📚 The previous programmatic authentication endpoint (/api/v1/token) has been removed and replaced by a per-route, OAuth2-based auth flow. Please see the updated programmatic documentation on how to use the new programmatic access API.

    Forward-auth route change

    Previously, routes were verified by passing the downstream application's hostname as a path variable (e.g. ${fwdauth}/.pomerium/verify/httpbin.some.example). The new method for verifying a route using forward authentication is to pass the entire requested URL as a query string (e.g. ${fwdauth}/.pomerium/verify?uri=https://httpbin.some.example), where the routed domain is the value of the uri key.

    Note that the verification URL is no longer nested under the .pomerium endpoint.

    For example, in nginx this would look like:

    - nginx.ingress.kubernetes.io/auth-url: https://fwdauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com?no_redirect=true
    - nginx.ingress.kubernetes.io/auth-signin: https://fwdauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com
    + nginx.ingress.kubernetes.io/auth-url: https://fwdauth.corp.example.com/verify?uri=$scheme://$host$request_uri
    + nginx.ingress.kubernetes.io/auth-signin: https://fwdauth.corp.example.com?uri=$scheme://$host$request_uri