
Changelog History

  • v0.7.0 Changes

    April 05, 2020

    v0.7.0

    🆕 New

    🛠 Fixed

    📚 Documentation

    Dependency

    • โšก๏ธ chore(deps): update github.com/pomerium/autocache commit hash to 6c66ed5 @renovate (#480)
    • โšก๏ธ chore(deps): update github.com/pomerium/autocache commit hash to 227c993 @renovate (#537)
    • โšก๏ธ chore(deps): update golang.org/x/crypto commit hash to 0ec3e99 @renovate (#574)
    • โšก๏ธ chore(deps): update golang.org/x/crypto commit hash to 1b76d66 @renovate (#538)
    • โšก๏ธ chore(deps): update golang.org/x/crypto commit hash to 78000ba @renovate (#481)
    • โšก๏ธ chore(deps): update golang.org/x/crypto commit hash to 891825f @renovate (#556)
    • โšก๏ธ chore(deps): update module fatih/color to v1.9.0 @renovate (#575)
    • โšก๏ธ chore(deps): update module fsnotify/fsnotify to v1.4.9 @renovate (#539)
    • โšก๏ธ chore(deps): update module go.etcd.io/bbolt to v1.3.4 @renovate (#557)
    • โšก๏ธ chore(deps): update module go.opencensus.io to v0.22.3 @renovate (#483)
    • โšก๏ธ chore(deps): update module golang/mock to v1.4.0 @renovate (#470)
    • โšก๏ธ chore(deps): update module golang/mock to v1.4.3 @renovate (#540)
    • โšก๏ธ chore(deps): update module golang/protobuf to v1.3.4 @renovate (#485)
    • โšก๏ธ chore(deps): update module golang/protobuf to v1.3.5 @renovate (#541)
    • โšก๏ธ chore(deps): update module google.golang.org/api to v0.20.0 @renovate (#495)
    • โšก๏ธ chore(deps): update module google.golang.org/grpc to v1.27.1 @renovate (#496)
    • โšก๏ธ chore(deps): update module gorilla/mux to v1.7.4 @renovate (#506)
    • โšก๏ธ chore(deps): update module open-policy-agent/opa to v0.17.1 @renovate (#497)
    • โšก๏ธ chore(deps): update module open-policy-agent/opa to v0.17.3 @renovate (#513)
    • โšก๏ธ chore(deps): update module open-policy-agent/opa to v0.18.0 @renovate (#558)
    • โšก๏ธ chore(deps): update module prometheus/client_golang to v1.4.1 @renovate (#498)
    • โšก๏ธ chore(deps): update module prometheus/client_golang to v1.5.0 @renovate (#531)
    • โšก๏ธ chore(deps): update module prometheus/client_golang to v1.5.1 @renovate (#543)
    • โšก๏ธ chore(deps): update module rakyll/statik to v0.1.7 @renovate (#517)
    • โšก๏ธ chore(deps): update module rs/zerolog to v1.18.0 @renovate (#507)
    • โšก๏ธ chore(deps): update module yaml to v2.2.8 @renovate (#471)
    • ๐Ÿ— ci: Consolidate matrix build parameters @travisgroth (#521)
    • dependency: use go mod redis @desimone (#528)
    • ๐Ÿš€ deployment: throw away golanglint-ci defaults @desimone (#439)
    • deps: enable automerge and set labels on renovate PRs @travisgroth (#527)
    • Roll back grpc to v1.25.1 @travisgroth (#484)
  • v0.6.4

    April 08, 2020
  • v0.6.3 Changes

    March 20, 2020

    v0.6.3

    🛠 Fixed

  • v0.6.2 Changes

    February 03, 2020

    🚀 This release was cut at nearly the same time as v0.6.1; please see that release for additional changes.

    🔄 Changes

    • internal/cryptutil: standardize leeway to 5 mins @desimone (#476)

    🛠 Fixed

    • 🚚 proxy: move set request headers before handle allow public access @ohdarling (#479)
  • v0.6.1 Changes

    February 03, 2020

    v0.6.1

    🛠 Fixed

  • v0.6.0 Changes

    January 25, 2020

    v0.6.0

    🆕 New

    🔄 Changed

    🛠 Fixed

    • proxy: fix unauthorized redirect loop for forward auth @desimone [GH-448]
    • 🛠 proxy: fixed regression preventing policy reload GH-396

    📚 Documentation

    Dependency

    • โšก๏ธ chore(deps): update golang.org/x/crypto commit hash to 61a8779 @renovate [GH-452]
    • โšก๏ธ chore(deps): update golang.org/x/crypto commit hash to 530e935 @renovate [GH-458]
    • โšก๏ธ chore(deps): update golang.org/x/crypto commit hash to 53104e6 @renovate [GH-431]
    • โšก๏ธ chore(deps): update golang.org/x/crypto commit hash to e9b2fee @renovate [GH-414]
    • โšก๏ธ chore(deps): update golang.org/x/oauth2 commit hash to 858c2ad @renovate [GH-415]
    • โšก๏ธ chore(deps): update golang.org/x/oauth2 commit hash to bf48bf1 @renovate [GH-453]
    • โšก๏ธ chore(deps): update module google.golang.org/grpc to v1.26.0 @renovate [GH-433]
    • โšก๏ธ chore(deps): update module google/go-cmp to v0.4.0 @renovate [GH-454]
    • โšก๏ธ chore(deps): update module spf13/viper to v1.6.1 @renovate [GH-423]
    • โšก๏ธ chore(deps): update module spf13/viper to v1.6.2 @renovate [GH-459]
    • โšก๏ธ chore(deps): update module square/go-jose to v2.4.1 @renovate [GH-435]

    โฌ†๏ธ Upgrade Guide

    Since 0.5.0

    ๐Ÿ’ฅ Breaking

    ๐Ÿ†• New cache service

    ๐Ÿ‘ A back-end cache service was added to support session refreshing from single-page-apps.

    • For all-in-one deployments, no changes are required. The cache will be embedded in the binary. By default, autocache, an in-memory LRU cache, will be used to temporarily store user session data. If you wish to persist session data, it's also possible to use bolt or redis.
    • 🚀 For split-service deployments, you will need to deploy an additional service called cache. By default, pomerium will use autocache as a distributed, automatically managed cache. It is also possible to use redis as the backend in this mode.

    For a concrete example of the required changes, consider the following diff for those running split-service mode:

```diff
...
  pomerium-authenticate:
    environment:
      - SERVICES=authenticate
+     - CACHE_SERVICE_URL=http://pomerium-cache:443
...
+ pomerium-cache:
+   image: pomerium/pomerium
+   environment:
+     - SERVICES=cache
+   volumes:
+     - ../config/config.example.yaml:/pomerium/config.yaml:ro
+   expose:
+     - 443
```

    โšก๏ธ Please see the updated examples, and [cache service docs] as a reference and for the available cache stores. For more details as to why this was necessary, please see PR438 and PR457.

  • v0.5.2 Changes

    December 05, 2019

    🆕 New

    • authenticate: session expiry now matches identity provider's @desimone (#416)
  • v0.5.1 Changes

    November 26, 2019

    v0.5.1

    🛠 Fixed

    • 🛠 Fixes forward-auth configurations for nginx and traefik.
  • v0.5.0 Changes

    November 15, 2019

    v0.5.0

    🚀 Lots of great stuff in this release, but be sure to follow the upgrade guide at the end of this document as there are several breaking changes!

    🆕 New

    • 🌐 Session state is now route-scoped. Each managed route uses a transparent, signed JSON Web Token (JWT) to assert identity.
    • Managed routes no longer need to be under the same subdomain! Access can be delegated to any route, on any domain.
    • Programmatic access now also uses JWT tokens. Access tokens are now generated via a standard oauth2 token flow, and credentials can be refreshed for as long as is permitted by the underlying identity provider.
    • 👉 User dashboard now pulls in additional user context fields (where supported) like the profile picture, first and last name, and so on.

    🔒 Security

    • Some identity providers (Okta, OneLogin, and Azure) previously used mutable signifiers to set and assert group membership. Group membership for all providers now uses globally unique and immutable identifiers when available.

    🔄 Changed

    • 📄 Azure AD identity provider now uses globally unique and immutable ID for group membership.
    • 📄 Okta no longer uses tokens to retrieve group membership. Group membership is now fetched using Okta's HTTP API. Group membership is now determined by the globally unique and immutable ID field.
    • 📄 Okta now requires an additional set of credentials to be used to query for group membership set as a service account.
    • URLs are no longer validated to be on the same domain-tree as the authenticate service. Managed routes can live on any domain.
    • OneLogin no longer uses tokens to retrieve group membership. Group membership is now fetched using OneLogin's HTTP API. Group membership is now determined by the globally unique and immutable ID field.

    ✂ Removed

    • 🚚 Force refresh has been removed from the dashboard.
    • 🚚 The previous programmatic authentication endpoints (/api/v1/token) have been removed and are no longer supported.

    โฌ†๏ธ Upgrade Guide

    ๐Ÿ’ฅ Breaking

    Subdomain requirement dropped
    • Pomerium services and managed routes are no longer required to be on the same domain-tree root. Access can be delegated to any route, on any domain (that you have access to, of course).
    Azure AD
    • โšก๏ธ Azure Active Directory now uses the globally unique and immutableID instead of group name to attest a user's group membership. Please update your policies to use group ID instead of group name.
    Okta
    • ๐Ÿ“„ Okta no longer uses tokens to retrieve group membership. Group membership is now fetched using Okta's API.
    • โšก๏ธ Okta's group membership is now determined by the globally unique and immutable ID field. Please update your policies to use group ID instead of group name.
    • ๐Ÿ“„ Okta now requires an additional set of credentials to be used to query for group membership set as a service account.
    OneLogin
    • โšก๏ธ OneLogin group membership is now determined by the globally unique and immutable ID field. Please update your policies to use group ID instead of group name.
    ๐Ÿšš Force Refresh Removed

    ๐Ÿšš Force refresh has been removed from the dashboard. Logging out and back in again should have the equivalent desired effect.

    Programmatic Access API changed

    📚 The previous programmatic authentication endpoints (/api/v1/token) have been removed and replaced by a per-route, oauth2-based auth flow. Please see the updated programmatic documentation for how to use the new programmatic access API.

    Forward-auth route change

    Previously, routes were verified by passing the downstream application's hostname as a path variable (e.g. ${fwdauth}/.pomerium/verify/httpbin.some.example). The new method for verifying a route using forward authentication is to pass the entire requested URL as a query string (e.g. ${fwdauth}/.pomerium/verify?uri=https://httpbin.some.example), where the routed domain is the value of the uri key.

    Note that the verification URL is no longer nested under the .pomerium endpoint.

    For example, in nginx this would look like:

```diff
- nginx.ingress.kubernetes.io/auth-url: https://fwdauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com?no_redirect=true
- nginx.ingress.kubernetes.io/auth-signin: https://fwdauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com
+ nginx.ingress.kubernetes.io/auth-url: https://fwdauth.corp.example.com/verify?uri=$scheme://$host$request_uri
+ nginx.ingress.kubernetes.io/auth-signin: https://fwdauth.corp.example.com?uri=$scheme://$host$request_uri
```

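    The forward-auth change above moves the routed URL out of the path and into the uri query parameter, so the verifying side has to parse that parameter and confirm its host is one of the deployment's managed routes before answering. The following Python is an added example, not Pomerium's own code: it builds the new-style nginx annotations from a forward-auth base URL and performs that defender-side check on a verify query string. The managed-route set and the sample queries are constructed for the example, and the validation rules (absolute https URL, exactly one uri value, host in the managed set) are an assumption, not Pomerium's documented behaviour.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the managed routes this forward-auth deployment protects.
MANAGED_ROUTES = {"httpbin.corp.example.com", "grafana.corp.example.com"}

# Literal nginx variables from the annotation diff; nginx expands them per
# request, so this string must reach the annotation unexpanded.
NGINX_REQUEST_URL = "$scheme://$host$request_uri"


def build_forward_auth_annotations(fwdauth_base: str) -> dict:
    """Return the post-0.5.0 nginx ingress annotations for a forward-auth base URL.

    The requested URL travels in the ``uri`` query parameter and the verify
    path is no longer nested under ``/.pomerium``.
    """
    base = fwdauth_base.rstrip("/")
    return {
        "nginx.ingress.kubernetes.io/auth-url": f"{base}/verify?uri={NGINX_REQUEST_URL}",
        "nginx.ingress.kubernetes.io/auth-signin": f"{base}?uri={NGINX_REQUEST_URL}",
    }


def routed_host_from_verify_query(query_string: str, managed_routes=MANAGED_ROUTES):
    """Extract and validate the routed host from a ``/verify?uri=...`` query string.

    Assumed check (not Pomerium's documented logic): accept only when ``uri``
    is present exactly once, is an absolute https URL, and its host is a
    managed route. Anything else (missing, blank, relative, http, duplicated,
    or an unknown host) yields None so the caller can deny the request.
    """
    values = parse_qs(query_string, keep_blank_values=True).get("uri", [])
    if len(values) != 1:
        return None
    parts = urlsplit(values[0])
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if host not in managed_routes:
        return None
    return host
```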
  • v0.4.2 Changes

    October 18, 2019

    v0.4.2

    🔒 Security

    • 🛠 Fixes vulnerabilities fixed in 1.13.2 including CVE-2019-17596.