Pomerium changelog

Changelog History

Page 4

• v0.7.0 Changes

  April 05, 2020

  v0.7.0

  🆕 New

  • 🚚 *: remove import path comments @desimone (#545)
  • 🔧 authenticate: make callback path configurable @desimone (#493)
  • authenticate: return 401 for some specific error codes @cuonglm (#561)
  • 🌲 authorization: log audience claim failure @desimone (#553)
  • authorize: use jwt instead of state struct @desimone (#514)
  • authorize: use opa for policy engine @desimone (#474)
  • cmd: add cli to generate service accounts @desimone (#552)
  • 0️⃣ config: Expose and set default GRPC Server Keepalive Parameters @travisgroth (#509)
  • config: Make IDP_PROVIDER env var mandatory @mihaitodor (#536)
  • 🚚 config: Remove superfluous Options.Checksum type conversions @travisgroth (#522)
  • gitlab/identity: change group unique identifier to ID @Lumexralph (#571)
  • 👍 identity: support oidc UserInfo Response @desimone (#529)
  • internal/cryptutil: standardize leeway to 5 mins @desimone (#476)
  • metrics: Add storage metrics @travisgroth (#554)

  🛠 Fixed

  • cache: add option validations @desimone (#468)
  • config: Add proper yaml tag to Options.Policies @travisgroth (#475)
  • ensure correct service name on GRPC related metrics @travisgroth (#510)
  • 🛠 fix group impersonation @desimone (#569)
  • 🛠 fix sign-out bug , fixes #530 @desimone (#544)
  • 🚚 proxy: move set request headers before handle allow public access @ohdarling (#479)
  • 👉 use service port for session audiences @travisgroth (#562)

  📚 Documentation

  • 🛠 fix the typo @ilgooz (#566)
  • 🛠 fix kubernetes dashboard recipe docs @desimone (#504)
  • 👉 make from source quickstart @desimone (#519)
  • ⚡️ update background @desimone (#505)
  • ⚡️ update helm for v3 @desimone (#469)
  • 🛠 various fixes @desimone (#478)
  • 🛠 fix cookie_domain @nitper (#472)

  Dependency

  • ⚡️ chore(deps): update github.com/pomerium/autocache commit hash to 6c66ed5 @renovate (#480)
  • ⚡️ chore(deps): update github.com/pomerium/autocache commit hash to 227c993 @renovate (#537)
  • ⚡️ chore(deps): update golang.org/x/crypto commit hash to 0ec3e99 @renovate (#574)
  • ⚡️ chore(deps): update golang.org/x/crypto commit hash to 1b76d66 @renovate (#538)
  • ⚡️ chore(deps): update golang.org/x/crypto commit hash to 78000ba @renovate (#481)
  • ⚡️ chore(deps): update golang.org/x/crypto commit hash to 891825f @renovate (#556)
  • ⚡️ chore(deps): update module fatih/color to v1.9.0 @renovate (#575)
  • ⚡️ chore(deps): update module fsnotify/fsnotify to v1.4.9 @renovate (#539)
  • ⚡️ chore(deps): update module go.etcd.io/bbolt to v1.3.4 @renovate (#557)
  • ⚡️ chore(deps): update module go.opencensus.io to v0.22.3 @renovate (#483)
  • ⚡️ chore(deps): update module golang/mock to v1.4.0 @renovate (#470)
  • ⚡️ chore(deps): update module golang/mock to v1.4.3 @renovate (#540)
  • ⚡️ chore(deps): update module golang/protobuf to v1.3.4 @renovate (#485)
  • ⚡️ chore(deps): update module golang/protobuf to v1.3.5 @renovate (#541)
  • ⚡️ chore(deps): update module google.golang.org/api to v0.20.0 @renovate (#495)
  • ⚡️ chore(deps): update module google.golang.org/grpc to v1.27.1 @renovate (#496)
  • ⚡️ chore(deps): update module gorilla/mux to v1.7.4 @renovate (#506)
  • ⚡️ chore(deps): update module open-policy-agent/opa to v0.17.1 @renovate (#497)
  • ⚡️ chore(deps): update module open-policy-agent/opa to v0.17.3 @renovate (#513)
  • ⚡️ chore(deps): update module open-policy-agent/opa to v0.18.0 @renovate (#558)
  • ⚡️ chore(deps): update module prometheus/client_golang to v1.4.1 @renovate (#498)
  • ⚡️ chore(deps): update module prometheus/client_golang to v1.5.0 @renovate (#531)
  • ⚡️ chore(deps): update module prometheus/client_golang to v1.5.1 @renovate (#543)
  • ⚡️ chore(deps): update module rakyll/statik to v0.1.7 @renovate (#517)
  • ⚡️ chore(deps): update module rs/zerolog to v1.18.0 @renovate (#507)
  • ⚡️ chore(deps): update module yaml to v2.2.8 @renovate (#471)
  • 🏗 ci: Consolidate matrix build parameters @travisgroth (#521)
  • dependency: use go mod redis @desimone (#528)
  • 🚀 deployment: throw away golanglint-ci defaults @desimone (#439)
  • 🚀 deployment: throw away golanglint-ci defaults @desimone (#439)
  • deps: enable automerge and set labels on renovate PRs @travisgroth (#527)
  • Roll back grpc to v1.25.1 @travisgroth (#484)

• v0.6.4

  April 08, 2020

• v0.6.3 Changes

  March 20, 2020

  v0.6.3

  🛠 Fixed

  • 🛠 sessions: signout bug , fixes #530 @desimone (#544)

• v0.6.2 Changes

  February 03, 2020

  🚀 This release was cut at nearly the same time as v0.6.1 please see that release for additional changes.

  🔄 Changes

  • internal/cryptutil: standardize leeway to 5 mins @desimone (#476)

  🛠 Fixed

  • 🚚 proxy: move set request headers before handle allow public access @ohdarling (#479)

• v0.6.1 Changes

  February 03, 2020

  v0.6.1

  🛠 Fixed

  • cache: add option validations @desimone (#468)
  • grpc: roll back grpc to v1.25.1 @travisgroth (#484)

• v0.6.0 Changes

  January 25, 2020

  v0.6.0

  🆕 New

  • 👍 authenticate: support backend refresh @desimone [GH-438]
  • cache: add cache service @desimone [GH-457]

  🔄 Changed

  • 📦 authorize: consolidate gRPC packages @desimone [GH-443]
  • config: added yaml tags to all options struct fields @travisgroth [GH-394],[gh-397]
  • config: improved config validation for shared_secret @travisgroth [GH-427]
  • 🚚 config: Remove CookieRefresh [GH-428] @u5surf [GH-436]
  • config: validate that shared_key does not contain whitespace @travisgroth [GH-427]
  • httputil : wrap handlers for additional context @desimone [GH-413]

  🛠 Fixed

  • proxy: fix unauthorized redirect loop for forward auth @desimone [GH-448]
  • 🛠 proxy: fixed regression preventing policy reload GH-396

  📚 Documentation

  • ➕ add cookie settings @danderson [GH-429]
  • 🛠 fix typo in forward auth nginx example @travisgroth [GH-445]
  • 👌 improved sentence flow and other stuff @Rio [GH-422]
  • 📇 rename fwdauth to be forwardauth @desimone [GH-447]

  Dependency

  • ⚡️ chore(deps): update golang.org/x/crypto commit hash to 61a8779 @renovate [GH-452]
  • ⚡️ chore(deps): update golang.org/x/crypto commit hash to 530e935 @renovate [GH-458]
  • ⚡️ chore(deps): update golang.org/x/crypto commit hash to 53104e6 @renovate [GH-431]
  • ⚡️ chore(deps): update golang.org/x/crypto commit hash to e9b2fee @renovate [GH-414]
  • ⚡️ chore(deps): update golang.org/x/oauth2 commit hash to 858c2ad @renovate [GH-415]
  • ⚡️ chore(deps): update golang.org/x/oauth2 commit hash to bf48bf1 @renovate [GH-453]
  • ⚡️ chore(deps): update module google.golang.org/grpc to v1.26.0 @renovate [GH-433]
  • ⚡️ chore(deps): update module google/go-cmp to v0.4.0 @renovate [GH-454]
  • ⚡️ chore(deps): update module spf13/viper to v1.6.1 @renovate [GH-423]
  • ⚡️ chore(deps): update module spf13/viper to v1.6.2 @renovate [GH-459]
  • ⚡️ chore(deps): update module square/go-jose to v2.4.1 @renovate [GH-435]

  ⬆️ Upgrade Guide

  Since 0.5.0

  💥 Breaking

  🆕 New cache service

  👍 A back-end cache service was added to support session refreshing from single-page-apps.

  • For all-in-one deployments, no changes are required. The cache will be embedded in the binary. By default, autocache an in-memory LRU cache will be used to temporarily store user session data. If you wish to persist session data, it's also possible to use bolt or redis.
  • 🚀 For split-service deployments, you will need to deploy an additional service called cache. By default, pomerium will use autocache as a distributed, automatically managed cache. It is also possible to use redis as backend in this mode.

  For a concrete example of the required changes, consider the following changes for those running split service mode,:

  ... pomerium-authenticate: environment: - SERVICES=authenticate+ - CACHE\_SERVICE\_URL=http://pomerium-cache:443...+ pomerium-cache:+ image: pomerium/pomerium+ environment:+ - SERVICES=cache+ volumes:+ - ../config/config.example.yaml:/pomerium/config.yaml:ro+ expose:+ - 443
  

  ⚡️ Please see the updated examples, and [cache service docs] as a reference and for the available cache stores. For more details as to why this was necessary, please see PR438 and PR457.

• v0.5.2 Changes

  December 05, 2019

  🆕 New

  • authenticate: session expiry now matches identity provider's @desimone (#416)

• v0.5.1 Changes

  November 26, 2019

  v0.5.1

  🛠 Fixed

  • 🛠 Fixes forward-auth configurations for nginx and traefik.

• v0.5.0 Changes

  November 15, 2019

  v0.5.0

  🚀 Lots of great stuff in this release, but be sure to follow the upgrade guide at the end of this document as there are several breaking changes!

  🆕 New

  • 🌐 Session state is now route-scoped. Each managed route uses a transparent, signed JSON Web Token (JWT) to assert identity.
  • Managed routes no longer need to be under the same subdomain! Access can be delegated to any route, on any domain.
  • Programmatic access now also uses JWT tokens. Access tokens are now generated via a standard oauth2 token flow, and credentials can be refreshed for as long as is permitted by the underlying identity provider.
  • 👉 User dashboard now pulls in additional user context fields (where supported) like the profile picture, first and last name, and so on.

  🔒 Security

  • Some identity providers (Okta, Onelogin, and Azure) previously used mutable signifiers to set and assert group membership. Group membership for all providers now use globally unique and immutable identifiers when available.

  🔄 Changed

  • 📄 Azure AD identity provider now uses globally unique and immutable ID for group membership.
  • 📄 Okta no longer uses tokens to retrieve group membership. Group membership is now fetched using Okta's HTTP API. Group membership is now determined by the globally unique and immutable ID field.
  • 📄 Okta now requires an additional set of credentials to be used to query for group membership set as a service account.
  • URLs are no longer validated to be on the same domain-tree as the authenticate service. Managed routes can live on any domain.
  • OneLogin no longer uses tokens to retrieve group membership. Group membership is now fetched using OneLogin's HTTP API. Group membership is now determined by the globally unique and immutable ID field.

  ✂ Removed

  • 🚚 Force refresh has been removed from the dashboard.
  • 🚚 Previous programmatic authentication endpoints (/api/v1/token) has been removed and is no longer supported.

  ⬆️ Upgrade Guide

  💥 Breaking

  Subdomain requirement dropped

  • Pomerium services and managed routes are no longer required to be on the same domain-tree root. Access can be delegated to any route, on any domain (that you have access to, of course).

  Azure AD

  • ⚡️ Azure Active Directory now uses the globally unique and immutableID instead of group name to attest a user's group membership. Please update your policies to use group ID instead of group name.

  Okta

  • 📄 Okta no longer uses tokens to retrieve group membership. Group membership is now fetched using Okta's API.
  • ⚡️ Okta's group membership is now determined by the globally unique and immutable ID field. Please update your policies to use group ID instead of group name.
  • 📄 Okta now requires an additional set of credentials to be used to query for group membership set as a service account.

  OneLogin

  • ⚡️ OneLogin group membership is now determined by the globally unique and immutable ID field. Please update your policies to use group ID instead of group name.

  🚚 Force Refresh Removed

  🚚 Force refresh has been removed from the dashboard. Logging out and back in again should have the equivalent desired effect.

  Programmatic Access API changed

  📚 Previous programmatic authentication endpoints (/api/v1/token) has been removed and has been replaced by a per-route, oauth2 based auth flow. Please see updated programmatic documentation how to use the new programmatic access api.

  Forward-auth route change

  Previously, routes were verified by taking the downstream applications hostname in the form of a path (e.g. ${fwdauth}/.pomerium/verify/httpbin.some.example) variable. The new method for verifying a route using forward authentication is to pass the entire requested url in the form of a query string (e.g. ${fwdauth}/.pomerium/verify?url=https://httpbin.some.example) where the routed domain is the value of the uri key.

  Note that the verification URL is no longer nested under the .pomerium endpoint.

  For example, in nginx this would look like:

  - nginx.ingress.kubernetes.io/auth-url: https://fwdauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com?no\_redirect=true- nginx.ingress.kubernetes.io/auth-signin: https://fwdauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com+ nginx.ingress.kubernetes.io/auth-url: https://fwdauth.corp.example.com/verify?uri=$scheme://$host$request\_uri+ nginx.ingress.kubernetes.io/auth-signin: https://fwdauth.corp.example.com?uri=$scheme://$host$request\_uri
  

• v0.4.2 Changes

  October 18, 2019

  v0.4.2

  🔒 Security

  • 🛠 Fixes vulnerabilities fixed in 1.13.2 including CVE-2019-17596.

• « First
• ‹ Prev
• 1
• 2
• 3
• 4
• 5
• Next ›
• Last »