Changelog History

v0.7.0 Changes
April 05, 2020
New
- *: remove import path comments @desimone (#545)
- authenticate: make callback path configurable @desimone (#493)
- authenticate: return 401 for some specific error codes @cuonglm (#561)
- authorization: log audience claim failure @desimone (#553)
- authorize: use jwt instead of state struct @desimone (#514)
- authorize: use opa for policy engine @desimone (#474)
- cmd: add cli to generate service accounts @desimone (#552)
- config: Expose and set default GRPC Server Keepalive Parameters @travisgroth (#509)
- config: Make IDP_PROVIDER env var mandatory @mihaitodor (#536)
- config: Remove superfluous Options.Checksum type conversions @travisgroth (#522)
- gitlab/identity: change group unique identifier to ID @Lumexralph (#571)
- identity: support oidc UserInfo Response @desimone (#529)
- internal/cryptutil: standardize leeway to 5 mins @desimone (#476)
- metrics: Add storage metrics @travisgroth (#554)
Fixed
- cache: add option validations @desimone (#468)
- config: Add proper yaml tag to Options.Policies @travisgroth (#475)
- ensure correct service name on GRPC related metrics @travisgroth (#510)
- fix group impersonation @desimone (#569)
- fix sign-out bug, fixes #530 @desimone (#544)
- proxy: move set request headers before handle allow public access @ohdarling (#479)
- use service port for session audiences @travisgroth (#562)
Documentation
- fix the typo @ilgooz (#566)
- fix kubernetes dashboard recipe docs @desimone (#504)
- make from source quickstart @desimone (#519)
- update background @desimone (#505)
- update helm for v3 @desimone (#469)
- various fixes @desimone (#478)
- fix cookie_domain @nitper (#472)
Dependency
- chore(deps): update github.com/pomerium/autocache commit hash to 6c66ed5 @renovate (#480)
- chore(deps): update github.com/pomerium/autocache commit hash to 227c993 @renovate (#537)
- chore(deps): update golang.org/x/crypto commit hash to 0ec3e99 @renovate (#574)
- chore(deps): update golang.org/x/crypto commit hash to 1b76d66 @renovate (#538)
- chore(deps): update golang.org/x/crypto commit hash to 78000ba @renovate (#481)
- chore(deps): update golang.org/x/crypto commit hash to 891825f @renovate (#556)
- chore(deps): update module fatih/color to v1.9.0 @renovate (#575)
- chore(deps): update module fsnotify/fsnotify to v1.4.9 @renovate (#539)
- chore(deps): update module go.etcd.io/bbolt to v1.3.4 @renovate (#557)
- chore(deps): update module go.opencensus.io to v0.22.3 @renovate (#483)
- chore(deps): update module golang/mock to v1.4.0 @renovate (#470)
- chore(deps): update module golang/mock to v1.4.3 @renovate (#540)
- chore(deps): update module golang/protobuf to v1.3.4 @renovate (#485)
- chore(deps): update module golang/protobuf to v1.3.5 @renovate (#541)
- chore(deps): update module google.golang.org/api to v0.20.0 @renovate (#495)
- chore(deps): update module google.golang.org/grpc to v1.27.1 @renovate (#496)
- chore(deps): update module gorilla/mux to v1.7.4 @renovate (#506)
- chore(deps): update module open-policy-agent/opa to v0.17.1 @renovate (#497)
- chore(deps): update module open-policy-agent/opa to v0.17.3 @renovate (#513)
- chore(deps): update module open-policy-agent/opa to v0.18.0 @renovate (#558)
- chore(deps): update module prometheus/client_golang to v1.4.1 @renovate (#498)
- chore(deps): update module prometheus/client_golang to v1.5.0 @renovate (#531)
- chore(deps): update module prometheus/client_golang to v1.5.1 @renovate (#543)
- chore(deps): update module rakyll/statik to v0.1.7 @renovate (#517)
- chore(deps): update module rs/zerolog to v1.18.0 @renovate (#507)
- chore(deps): update module yaml to v2.2.8 @renovate (#471)
- ci: Consolidate matrix build parameters @travisgroth (#521)
- dependency: use go mod redis @desimone (#528)
- deployment: throw away golanglint-ci defaults @desimone (#439)
- deps: enable automerge and set labels on renovate PRs @travisgroth (#527)
- Roll back grpc to v1.25.1 @travisgroth (#484)

v0.6.4 Changes
April 08, 2020

v0.6.3 Changes
March 20, 2020

v0.6.2 Changes
February 03, 2020
This release was cut at nearly the same time as v0.6.1; please see that release for additional changes.
Changes
Fixed
- proxy: move set request headers before handle allow public access @ohdarling (#479)

v0.6.1 Changes
February 03, 2020
Fixed
- cache: add option validations @desimone (#468)
- grpc: roll back grpc to v1.25.1 @travisgroth (#484)

v0.6.0 Changes
January 25, 2020
New
- authenticate: support backend refresh @desimone [GH-438]
- cache: add cache service @desimone [GH-457]
Changed
- authorize: consolidate gRPC packages @desimone [GH-443]
- config: added yaml tags to all options struct fields @travisgroth [GH-394], [GH-397]
- config: improved config validation for shared_secret @travisgroth [GH-427]
- config: Remove CookieRefresh [GH-428] @u5surf [GH-436]
- config: validate that shared_key does not contain whitespace @travisgroth [GH-427]
- httputil: wrap handlers for additional context @desimone [GH-413]
Fixed
- proxy: fix unauthorized redirect loop for forward auth @desimone [GH-448]
- proxy: fixed regression preventing policy reload [GH-396]
Documentation
- add cookie settings @danderson [GH-429]
- fix typo in forward auth nginx example @travisgroth [GH-445]
- improved sentence flow and other stuff @Rio [GH-422]
- rename fwdauth to be forwardauth @desimone [GH-447]
Dependency
- chore(deps): update golang.org/x/crypto commit hash to 61a8779 @renovate [GH-452]
- chore(deps): update golang.org/x/crypto commit hash to 530e935 @renovate [GH-458]
- chore(deps): update golang.org/x/crypto commit hash to 53104e6 @renovate [GH-431]
- chore(deps): update golang.org/x/crypto commit hash to e9b2fee @renovate [GH-414]
- chore(deps): update golang.org/x/oauth2 commit hash to 858c2ad @renovate [GH-415]
- chore(deps): update golang.org/x/oauth2 commit hash to bf48bf1 @renovate [GH-453]
- chore(deps): update module google.golang.org/grpc to v1.26.0 @renovate [GH-433]
- chore(deps): update module google/go-cmp to v0.4.0 @renovate [GH-454]
- chore(deps): update module spf13/viper to v1.6.1 @renovate [GH-423]
- chore(deps): update module spf13/viper to v1.6.2 @renovate [GH-459]
- chore(deps): update module square/go-jose to v2.4.1 @renovate [GH-435]
Upgrade Guide
Since 0.5.0
Breaking
New cache service
A back-end cache service was added to support session refreshing from single-page apps.
- For all-in-one deployments, no changes are required. The cache is embedded in the binary. By default, autocache, an in-memory LRU cache, is used to temporarily store user session data. If you wish to persist session data, it is also possible to use bolt or redis.
- For split-service deployments, you will need to deploy an additional service called cache. By default, pomerium uses autocache as a distributed, automatically managed cache. It is also possible to use redis as the backend in this mode.
For a concrete example of the required changes, consider the following changes for those running in split-service mode:
... pomerium-authenticate: environment: - SERVICES=authenticate+ - CACHE\_SERVICE\_URL=http://pomerium-cache:443...+ pomerium-cache:+ image: pomerium/pomerium+ environment:+ - SERVICES=cache+ volumes:+ - ../config/config.example.yaml:/pomerium/config.yaml:ro+ expose:+ - 443
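Review bot: CACHE_SERVICE_URL is set to http://pomerium-cache:443 while the added pomerium-cache service only exposes port 443, so an http scheme on the TLS port reads as a mismatch; confirm the cache service is really meant to listen in plaintext on 443 in this example (or change the scheme to https), since authenticate cannot reach the cache otherwise. The new service is configured only by the mounted config.example.yaml, so a sentence stating that this file must carry the same shared secret as the other services would save readers a failed first deployment.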
Please see the updated examples and the [cache service docs] for reference and for the available cache stores. For more details on why this was necessary, please see PR438 and PR457.

v0.5.2 Changes
December 05, 2019

v0.5.1 Changes
November 26, 2019
Fixed
- Fixes forward-auth configurations for nginx and traefik.

v0.5.0 Changes
November 15, 2019
Lots of great stuff in this release, but be sure to follow the upgrade guide at the end of this document as there are several breaking changes!
New
- Session state is now route-scoped. Each managed route uses a transparent, signed JSON Web Token (JWT) to assert identity.
- Managed routes no longer need to be under the same subdomain! Access can be delegated to any route, on any domain.
- Programmatic access now also uses JWT tokens. Access tokens are now generated via a standard oauth2 token flow, and credentials can be refreshed for as long as is permitted by the underlying identity provider.
- User dashboard now pulls in additional user context fields (where supported) like the profile picture, first and last name, and so on.
Security
- Some identity providers (Okta, OneLogin, and Azure) previously used mutable identifiers to set and assert group membership. Group membership for all providers now uses globally unique and immutable identifiers where available.
Changed
- Azure AD identity provider now uses the globally unique and immutable ID for group membership.
- Okta no longer uses tokens to retrieve group membership. Group membership is now fetched using Okta's HTTP API and is determined by the globally unique and immutable ID field.
- Okta now requires an additional set of credentials, configured as a service account, to query group membership.
- URLs are no longer validated to be on the same domain-tree as the authenticate service. Managed routes can live on any domain.
- OneLogin no longer uses tokens to retrieve group membership. Group membership is now fetched using OneLogin's HTTP API and is determined by the globally unique and immutable ID field.
Removed
- Force refresh has been removed from the dashboard.
- The previous programmatic authentication endpoint (/api/v1/token) has been removed and is no longer supported.
Upgrade Guide
Breaking
Subdomain requirement dropped
- Pomerium services and managed routes are no longer required to be on the same domain-tree root. Access can be delegated to any route, on any domain (that you have access to, of course).
Azure AD
- Azure Active Directory now uses the globally unique and immutable ID instead of the group name to attest a user's group membership. Please update your policies to use the group ID instead of the group name.
Okta
- Okta no longer uses tokens to retrieve group membership. Group membership is now fetched using Okta's API.
- Okta's group membership is now determined by the globally unique and immutable ID field. Please update your policies to use the group ID instead of the group name.
- Okta now requires an additional set of credentials, configured as a service account, to query group membership.
OneLogin
- OneLogin group membership is now determined by the globally unique and immutable ID field. Please update your policies to use the group ID instead of the group name.
Force Refresh Removed
Force refresh has been removed from the dashboard. Logging out and back in again should have the equivalent desired effect.
Programmatic Access API changed
The previous programmatic authentication endpoint (/api/v1/token) has been removed and replaced by a per-route, oauth2-based auth flow. Please see the updated programmatic documentation for how to use the new programmatic access API.
Forward-auth route change
Previously, routes were verified by passing the downstream application's hostname as a path variable (e.g. ${fwdauth}/.pomerium/verify/httpbin.some.example). The new method for verifying a route using forward authentication is to pass the entire requested URL as a query string (e.g. ${fwdauth}/.pomerium/verify?url=https://httpbin.some.example), where the routed domain is the value of the uri key. Note that the verification URL is no longer nested under the .pomerium endpoint. For example, in nginx this would look like:
- nginx.ingress.kubernetes.io/auth-url: https://fwdauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com?no\_redirect=true- nginx.ingress.kubernetes.io/auth-signin: https://fwdauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com+ nginx.ingress.kubernetes.io/auth-url: https://fwdauth.corp.example.com/verify?uri=$scheme://$host$request\_uri+ nginx.ingress.kubernetes.io/auth-signin: https://fwdauth.corp.example.com?uri=$scheme://$host$request\_uri
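Review bot: the prose example above reads ${fwdauth}/.pomerium/verify?url=... while the hunk's auth-url is https://fwdauth.corp.example.com/verify?uri=$scheme://$host$request_uri; the hunk agrees with the "uri key" wording and with the note that verification is no longer under .pomerium, so the prose example should be aligned to /verify?uri=. The new auth-url also drops the old ?no_redirect=true parameter, so the guide should state explicitly that /verify answers unauthenticated requests with a 401 rather than a redirect, which is what nginx's auth_request needs before it falls back to the auth-signin annotation.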
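The query-string verification described above, as an added Go example that is not Pomerium's own code: RoutedHost validates the uri value as an absolute https URL naming a managed route, and VerifyHandler answers 400 for a bad uri, 401 (no redirect) without a session and 200 otherwise. managedRoutes, the example_session cookie and both function names are constructed for this example.

```go
package main

import (
	"errors"
	"log"
	"net/http"
	"net/url"
)

// Constructed stand-in for the managed routes defined in policy (not Pomerium's type).
var managedRoutes = map[string]bool{
	"httpbin.corp.example.com": true,
}

// ErrBadURI is returned when the uri value cannot select a managed route.
var ErrBadURI = errors.New("uri must be an absolute https URL naming a managed route")

// RoutedHost validates the raw "uri" query value from /verify?uri=<url> and returns the host
// it routes to; relative values, other schemes, userinfo and unknown hosts are rejected.
func RoutedHost(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || !u.IsAbs() || u.Scheme != "https" || u.User != nil || u.Hostname() == "" {
		return "", ErrBadURI
	}
	if !managedRoutes[u.Hostname()] {
		return "", ErrBadURI
	}
	return u.Hostname(), nil
}

// VerifyHandler has the shape of the verify endpoint that nginx's auth-url annotation calls:
// the proxy lets the original request through only on 200. Session validation is reduced
// to a constructed cookie check for this example.
func VerifyHandler(w http.ResponseWriter, r *http.Request) {
	if _, err := RoutedHost(r.URL.Query().Get("uri")); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	if c, err := r.Cookie("example_session"); err != nil || c.Value != "valid" {
		// Plain 401, no redirect: sign-in is handled by the separate auth-signin URL.
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	http.HandleFunc("/verify", VerifyHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```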

v0.4.2 Changes
October 18, 2019