Releases: istio-ecosystem/authservice
Releases · istio-ecosystem/authservice
v1.1.5
What's Changed
- Bump golang 1.25.5 to fix several CVEs by @llinder in #312
- Bump github.com/quic-go/quic-go from 0.56.0 to 0.57.0 in /tools by @dependabot[bot] in #313
- Upgrade scan action by @nacx in #314
Full Changelog: v1.1.4...v1.1.5
Contributors
llinder, nacx, and dependabot
Assets 6
v1.1.4
What's Changed
- Bump golang.org/x/crypto from 0.43.0 to 0.45.0 in /tools by @dependabot[bot] in #311
Full Changelog: v1.1.3...v1.1.4
Contributors
dependabot
Assets 6
v1.1.3
This is a patch release that contains additional CVE fixes. See details below!
What's Changed
- Bump github.com/quic-go/quic-go from 0.51.0 to 0.54.1 in /tools by @dependabot[bot] in #306
- Bump golang.org/x/crypto from 0.40.0 to 0.45.0 by @dependabot[bot] in #310
Full Changelog: v1.1.2...v1.1.3
Contributors
dependabot
Assets 6
v1.1.2
This is a patch release that fixes the following CVEs:
- CVE-2025-58183
- CVE-2025-58186
- CVE-2025-58187
- CVE-2025-58188
- CVE-2025-47912
- CVE-2025-58185
- CVE-2025-58189
- CVE-2025-61723
- CVE-2025-61724
- CVE-2025-61725
- CVE-2024-25621
- CVE-2025-64329
- CVE-2025-31133
- CVE-2025-52881
- CVE-2025-52565
What's Changed
- Bump github.com/containerd/containerd from 1.7.27 to 1.7.29 in /tools by @dependabot[bot] in #307
- Bump to Golang 1.25.4 with multiple CVE fixes by @llinder in #308
New Contributors
Full Changelog: v1.1.1...v1.1.2
Contributors
llinder and dependabot
Assets 6
v1.1.1
This is a patch release to fix several CVEs and a bug where the Redis credentials were ignored when configured in the Redis URL.
It also fixes a bug where the Redis credentials were leaked in the logs when configured in the Redis URL.
What's Changed
- Pin Helm version for e2e tests by @nacx in #299
- Bump github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0 by @dependabot[bot] in #298
- chore: separate the tool dependencies from the main go.mod by @nacx in #302
- Upgrade to Go 1.24.7 to fix CVE-2024-3566 by @nacx in #303
- fix: user/pass in redis URI support by @mjnagel in #305
New Contributors
Full Changelog: v1.1.0...v1.1.1
Contributors
nacx, mjnagel, and dependabot
Assets 6
v1.1.0
Authservice 1.1.0 fixes several CVEs and brings several new features:
- Added Token Exchange support: This release adds support for the OAuth2 Token Exchange flow. This can be used to exchange the token retrieved from the Identity provider for an internal token suitable for accessing internal services. This is a useful flow when the token obtained directly from the Identity Provider doesn't have access to all the services behind the Authservice.
- Redis connection parameters: In this release, the configuration has been enhanced to allow setting the Redis connection options when using Redis as a session store. This can be used to better configure Redis credentials or mTLS certificates.
- Better file watching: The watchers that watch for changes to files have been optimized. In previous releases, they were periodically loaded at a fixed interval. In this release, this has been refactored, and now the changes to watched files (client secret, redis credentials, OIDC CA files, etc) will be automatically reflected as they happen.
- CVE fixes:
Detailed Changelog
- Bump Go to fix CVE-2025-22866 by @nacx in #272
- Bump to Go 1.24 by @nacx in #273
- Bump golang.org/x/net from 0.35.0 to 0.36.0 by @dependabot[bot] in #274
- Bump github.com/redis/go-redis/v9 from 9.7.0 to 9.7.3 by @dependabot[bot] in #275
- fix logr configuration by @nacx in #276
- chore: auto-generate configuration docs by @nacx in #277
- Do not log secret value in secret reconcile by @nacx in #278
- Bump Go to 1.24.2 to fix CVE-2025-22871 by @nacx in #279
- Bump golang.org/x/net from 0.36.0 to 0.38.0 by @dependabot[bot] in #280
- chore: upgrade to buf v2 and use native go tools by @nacx in #281
- Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 by @dependabot[bot] in #285
- Add ability to set cookie properties per OIDCConfig by @basvanbeek in #286
- CVE: bump golang to 1.24.4 to fix several CVEs by @nacx in #287
- Bump github.com/go-chi/chi/v5 from 5.2.1 to 5.2.2 by @dependabot[bot] in #288
- Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 by @dependabot[bot] in #290
- Bump golang.org/x/oauth2 from 0.26.0 to 0.27.0 by @dependabot[bot] in #291
- Implement OAuth2 Token Exchange to fetch tokens from internal authorization servers by @nacx in #292
- Generalize secret controller by @nacx in #293
- Fix CVE-2025-47907 by @nacx in #295
- Add support for POST client authentication method by @ilgatnau and @nacx in #296
- Add options to configure TLS and mTLS connections to Redis by @nacx in #294
- Unify file watching strategy in TLS config pool by @nacx in #297
New Contributors 🎉
- @basvanbeek made their first contribution in #286
- @ilgatnau made the first contribution adding support for using POST as a client auth method.
Full Changelog: v1.0.4...v1.1.0
Contributors
nacx, basvanbeek, and 2 other contributors
Assets 6
v1.0.4
This is a patch release to fix CVE-2024-45337 and CVE-2024-45338.
What's Changed
- Bump golang.org/x/crypto from 0.21.0 to 0.31.0 by @dependabot in #269
- Fix CVE-2024-45338 by @nacx in #270
- Update copyright headers by @nacx in #271
Full Changelog: v1.0.3...v1.0.4
Contributors
nacx and dependabot
Assets 6
v1.0.3
Authservice 1.0.3 adds support for PKCE in the Authorization Code Grant Flow. Thanks @gdasson for your contribution! More details about PKCE can be found here:
https://oauth.net/2/pkce/
https://blog.postman.com/what-is-pkce/
It also comes with a change to not allow Client IDs to have the : character, as it breaks client authentication when calling the token endpoint. This is now properly validated and the configuration is rejected.
Detailed Changelog
- Validate that clientId does not contain ':' by @nacx in #266
- chore: use a better maintained and more flexible license checker tool by @nacx in #267
- Add support for PKCE by @gdasson in #265
New Contributors
Full Changelog: v1.0.2...v1.0.3
Contributors
nacx and gdasson
Assets 6
v1.0.2
This is a small bugfix release that includes fixes for several CVEs.
What's Changed
- Upgrade to Go 1.22.4 by @nacx in #260
- Upgrade to Go 1.22.5 to fix CVE-2024-24791 by @nacx in #261
- Upgrade to Go 1.23.1 by @nacx in #264
Full Changelog: v1.0.1...v1.0.2
Contributors
nacx
Assets 6
v1.0.1
This is a bugfix release that includes fixes for several CVEs as well as fixes for small regressions introduced in v1.0.0.
In addition to the bug fixes, it also comes with the following added features:
- Reduces the number of requests to the OIDC well-known endpoint.
- Added support for retrieving the end-session endpoint from the OIDC Discovery endpoint.
- Enhanced identity Provider logging. Starting on
v1.0.1you can enable theidplogger atdebuglevel to show all the requests and responses exchanged with the identity Provider in the authservice logs. Use with caution and only for debugging purposes, as these logs may contain sensitive information. - Added examples to help getting started with authservice and Istio.
- Configured a nightly vulnerability scan job to report new vulnerabilities to the GitHub Code Scanning page.
Detailed changelog
- Allow customizing the Istio version to use in the e2e tests by @nacx in #243
- Upgrade Go to 1.22.2 to get rid of CVE-2023-45288 by @nacx in #244
- Configure nightly vulnerability scans and report upload by @nacx in #245
- Infer the JWS signing algorithm name by looking at the provided key by @erik-h in #247
- Use the OIDC Discovery end session endpoint if present by @nacx in #249
- Add a logger to log the calls to the Identity Provider by @nacx in #250
- Cache well-known responses to avoid making too much calls to the IdP by @nacx in #251
- Add minimal examples to make it easier to get started by @nacx in #252
- Bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #253
- Fix scan job configuration by @nacx in #254
- Update code owners by @nacx in #248
- Update protoc-gen-go comment to fix
make checkby @sergicastro in #257 - Validate token_type case-insensitively by @jojonium in #256
- Fix flaky file watcher test by @sergicastro in #258
New Contributors
We want to thank our new contributors for taking the time to report issues, implement, and contribute the fixes. Thank you! 🙇♂️
Full Changelog: v1.0.0...v1.0.1
Contributors
nacx, sergicastro, and 3 other contributors