Releases: sevensolutions/traefik-oidc-auth
v0.15.0
What's Changed
- feat: add Host / HostRegexp rule by @fabian0702 in #192
- feat: experimental JWT profile authentication for ZITADEL by @sevensolutions in #182
New Contributors
- @fabian0702 made their first contribution in #192
Full Changelog: v0.14.0...v0.15.0
v0.14.0
What's Changed
- feat: add missing Query and QueryRegexp rules to AuthenticationBypassRule by @sevensolutions in #178
- fix: proposal to fix #170 by @complynx in #183
- docs: #186 improve docs for EntraID. by @sevensolutions in #187
New Contributors
Full Changelog: v0.13.0...v0.14.0
v0.13.0
What's Changed
- feat: prevent open redirect attacks by @sevensolutions in #160
- chore: restructure repository by @sevensolutions in #162
- docs: #145 improve documentation for authorization by @sevensolutions in #163
- fix: Fix Keycloak URL in readme by @I-Al-Istannen in #166
- docs: fix authorization.md (docker label) by @Sorio6 in #167
- feat: add CheckOnEveryRequest authorization option by @Sorio6 in #169
- chore(deps): bump the dependencies group in /website with 28 updates by @dependabot in #175
- feat: #164 change default for TokenValidation to IdToken by @sevensolutions in #174
Breaking Changes
Starting with version 0.13.0 the plugin will use the IdToken by default for validation.
Make sure all your required claims are mapped into the IdToken.
If you still want to use the AccessToken, configure TokenValidation: "AccessToken" in the provider config.
When using the redirect_uri query parameter of the /login or /logout endpoints you now need to allow the needed URLs explicitly by specifying ValidPostLoginRedirectUris and/or ValidPostLogoutRedirectUris.
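The allow-list check behind this kind of open-redirect protection, as an added example that is not the plugin's own code: the function name, the sample allow-list and the exact-match rule are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isAllowedRedirect reports whether a redirect_uri value may be used as a
// post-login or post-logout target. Exact matching against the allow-list
// (query and fragment ignored) is an assumption of this example.
func isAllowedRedirect(raw string, allowed []string) bool {
	// Browsers and net/url treat backslashes and control characters
	// differently, so refuse them instead of guessing.
	if strings.ContainsAny(raw, "\\\r\n\t") {
		return false
	}
	u, err := url.Parse(raw)
	if err != nil || u.User != nil {
		return false
	}
	var candidate string
	switch {
	case u.Scheme == "" && u.Host == "" && strings.HasPrefix(u.Path, "/"):
		candidate = u.Path // same-site path such as /dashboard
	case (u.Scheme == "https" || u.Scheme == "http") && u.Host != "":
		candidate = u.Scheme + "://" + strings.ToLower(u.Host) + u.Path
	default:
		return false // scheme-relative (//host), javascript:, data:, ...
	}
	for _, a := range allowed {
		if candidate == a {
			return true
		}
	}
	return false
}

func main() {
	// Constructed allow-list and inputs for illustration.
	allowed := []string{"https://app.example.com/home", "/dashboard"}
	for _, in := range []string{
		"https://app.example.com/home", "/dashboard",
		"//other.example/home", "https://app.example.com.other.example/home",
	} {
		fmt.Printf("%-45s %v\n", in, isAllowedRedirect(in, allowed))
	}
}
```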
New Contributors
- @I-Al-Istannen made their first contribution in #166
- @Sorio6 made their first contribution in #167
Full Changelog: v0.12.0...v0.13.0
v0.12.0
What's Changed
- Fix typo in kanidm docs by @WhySoBad in #136
- docs: fix typos in getting-started by @LucasFA in #139
- fix: #148 fix logout when user is unauthorized by @sevensolutions in #149
- docs: #153: improve provider docs for Pocket ID and ZITADEL by @sevensolutions in #154
- chore(deps): bump the dependencies group in /website with 27 updates by @dependabot in #151
- fix: fix some missing null-checks when validating the session by @sevensolutions in #158
- feat: error pages by @sevensolutions in #150
Breaking Changes
There is a small breaking change.
When users are authenticated but unauthorized, because of your authorization config, the returned status code will now be a 403 (Forbidden) instead of a 401 (Unauthorized).
According to the standard a 403 is more appropriate for this case.
So this means:
| Action | Returned Status Code |
|---|---|
| User is not logged in | 401 Unauthorized |
| User is logged in but not authorized | 403 Forbidden |
| User is logged in and authorized | 200 or whatever the upstream service is returning |
New Contributors
Full Changelog: v0.11.0...v0.12.0
v0.11.0
What's Changed
- feat: add option to provide the secret via an environment variable by @sevensolutions in #127
- feat: simplify environment variable usage by @sevensolutions in #129
- feat: add support for default http proxy environmental variables by @mbegerau in #134
- feat: missing authorization for externally authenticated requests by @sevensolutions in #132
Attention: Breaking Changes
Versions up to and including 0.10.1 had separate configuration variables to specify parameters by using environment variables. These were suffixed with Env, e.g. UrlEnv, ClientIdEnv, etc.
In version 0.11.0 these extra variables have been removed.
Instead, you can now provide the environment variable name by using the normal property, like Url or ClientId, etc., in the form ${VARIABLE_NAME}.
Please note that this looks like it would support templating, but it does not at the moment. So only a single variable name can be used.
Migration path
Old:
```yaml
middlewares:
  oidc-auth:
    plugin:
      traefik-oidc-auth:
        Provider:
          UrlEnv: "PROVIDER_URL"
          ClientIdEnv: "CLIENT_ID"
          ClientSecretEnv: "CLIENT_SECRET"
```
New:
```yaml
middlewares:
  oidc-auth:
    plugin:
      traefik-oidc-auth:
        Provider:
          Url: "${PROVIDER_URL}"
          ClientId: "${CLIENT_ID}"
          ClientSecret: "${CLIENT_SECRET}"
```
Please see the docs for more details.
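A migration helper for the change above, as an added example that is not part of the plugin: it rewrites the old Env-suffixed keys and flags values that mix ${...} with other text, which the note above says is not supported. The function name, the flat key/value map and the variable-name pattern are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// singleRef matches a value that is exactly one ${VARIABLE_NAME} reference.
// The allowed name characters are an assumption of this example.
var singleRef = regexp.MustCompile(`^\$\{[A-Za-z_][A-Za-z0-9_]*\}$`)

// migrateProvider rewrites pre-0.11.0 "<Key>Env" settings to the 0.11.0 form
// and returns the sorted keys whose values contain ${...} without being a
// single variable reference.
func migrateProvider(old map[string]string) (map[string]string, []string) {
	migrated := make(map[string]string, len(old))
	var unsupported []string
	for key, value := range old {
		if strings.HasSuffix(key, "Env") && len(key) > len("Env") {
			key = strings.TrimSuffix(key, "Env")
			value = "${" + value + "}"
		}
		migrated[key] = value
		if strings.Contains(value, "${") && !singleRef.MatchString(value) {
			unsupported = append(unsupported, key)
		}
	}
	sort.Strings(unsupported)
	return migrated, unsupported
}

func main() {
	// Constructed sample settings, mirroring the "Old" snippet above.
	old := map[string]string{
		"UrlEnv":          "PROVIDER_URL",
		"ClientIdEnv":     "CLIENT_ID",
		"ClientSecretEnv": "CLIENT_SECRET",
	}
	migrated, _ := migrateProvider(old)
	fmt.Println(migrated["Url"], migrated["ClientId"], migrated["ClientSecret"])

	// A value that embeds a variable in a longer string is reported.
	_, bad := migrateProvider(map[string]string{"Url": "https://${IDP_HOST}/realms/main"})
	fmt.Println("not a single variable reference:", bad)
}
```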
New Contributors
Full Changelog: v0.10.1...v0.11.0
v0.10.1
What's Changed
- fix: #124: IdToken wasn't stored after renewing the session. This was problematic when using Provider.TokenValidation = IdToken. by @sevensolutions in #125
Full Changelog: v0.10.0...v0.10.1
v0.10.0
What's Changed
- docs: Improve documentation for logout and authorization by @sevensolutions in #119
- feat: Make PostLoginRedirectUri to support absolute uri by @jvitor83 in #122
New Contributors
Full Changelog: v0.9.0...v0.10.0
v0.9.0
What's Changed
- docs: #103: add github discussions link to website by @sevensolutions in #105
- chore: Code refactoring by @sevensolutions in #111
- feat: Bypass Authentication Rule by @sevensolutions in #112
Full Changelog: v0.8.0...v0.9.0
v0.8.0
What's Changed
- docs: add section with advanced config samples by @sevensolutions in #85
- docs: #88: add hint about sharing session cookie by @sevensolutions in #89
- feat: #98: include id_token_hint on RP-initiated logout by @sevensolutions in #99
- docs: #94: Add example for securing the traefik dashboard by @sevensolutions in #95
- fix: decrease some log levels and improve error handling a bit. by @sevensolutions in #102
Full Changelog: v0.7.0...v0.8.0
v0.7.0
What's Changed
- chore: Update traefik to 3.3.2 by @sevensolutions in #78
- feat: Add FAQ by @sevensolutions in #79
- fix: #43: Fix Login URL handling by @sevensolutions in #81
- feat: #61: Change cookie naming to use a prefix. by @sevensolutions in #80
- test: e2e: print container logs on test failure by @cdanis in #83
- test: e2e: assert seamless multi-middleware by @cdanis in #82
Breaking Changes
This release removes the option to change the session cookie name by using the SessionCookie.Name option.
Instead, the new option CookieNamePrefix can be used to specify a global prefix for all internal cookie names.
By default, the session cookie is now named TraefikOidcAuth.Session instead of Authorization, which was confusing.
Full Changelog: v0.6.1...v0.7.0