Releases: sevensolutions/traefik-oidc-auth
v0.18.0
What's Changed
- deps: bump react from 19.1.0 to 19.2.1 by @baarde in #238
- docs: remove obsolete info for keycloak about audience configuration by @sevensolutions in #242
- fix: fix a possible nil reference when refreshing the token #234 by @sevensolutions in #250
- feat: add support for RFC 8707 resource indicators by @sevensolutions in #251
- fix: also use jwks keys without "use" field by @bkw in #254
- feat: allow multiple header values in upstream headers configuration by @Prototik in #252
- chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.3.0 to 5.3.1 by @dependabot[bot] in #253
New Contributors
- @baarde made their first contribution in #238
- @bkw made their first contribution in #254
- @Prototik made their first contribution in #252
Full Changelog: v0.17.0...v0.18.0
v0.17.0
What's Changed
- feat: #196: early token renewal by @sevensolutions in #204
- feat: #193 keep old refresh token if IDP doesn't return a new one by @sevensolutions in #215
- fix(docs): use same middleware name for k8s by @fty4 in #217
- chore(docs): add secret to k8s example by @fty4 in #218
- chore(deps): bump the website group in /website with 28 updates by @dependabot[bot] in #223
- chore(deps): bump the website group in /website with 28 updates by @dependabot[bot] in #230
Full Changelog: v0.16.0...v0.17.0
v0.16.0
What's Changed
- deps: bump traefik to v3.5.0 by @sevensolutions in #198
- docs: add missing refreshToken attribute in header template context by @spietras in #200
- feat: add Auto option for UnauthorizedBehavior by @spietras in #201
- feat: Implement UserInfo Claims Integration by @aslafy-z in #206
- docs: drop kanidm note about TokenValidation by @adamcstephens in #199
- test: migrate e2e tests to keycloak by @sevensolutions in #209
- chore(deps): bump github.com/spyzhov/ajson from 0.9.4 to 0.9.6 by @dependabot[bot] in #212
- chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.3.0 by @dependabot[bot] in #213
Breaking Changes
This release changes the default value of the UnauthorizedBehavior option to the new Auto value.
This means that unauthorized requests will now get a response according to the sent Accept header.
New Contributors
- @spietras made their first contribution in #200
- @aslafy-z made their first contribution in #206
- @adamcstephens made their first contribution in #199
Full Changelog: v0.15.0...v0.16.0
v0.15.0
What's Changed
- feat: add Host / HostRegexp rule by @fabian0702 in #192
- feat: experimental JWT profile authentication for ZITADEL by @sevensolutions in #182
New Contributors
- @fabian0702 made their first contribution in #192
Full Changelog: v0.14.0...v0.15.0
v0.14.0
What's Changed
- feat: add missing Query and QueryRegexp rules to AuthenticationBypassRule by @sevensolutions in #178
- fix: proposal to fix #170 by @complynx in #183
- docs: #186 improve docs for EntraID. by @sevensolutions in #187
Full Changelog: v0.13.0...v0.14.0
v0.13.0
What's Changed
- feat: prevent open redirect attacks by @sevensolutions in #160
- chore: restructure repository by @sevensolutions in #162
- docs: #145 improve documentation for authorization by @sevensolutions in #163
- fix: Fix Keycloak URL in readme by @I-Al-Istannen in #166
- docs: fix authorization.md (docker label) by @Sorio6 in #167
- feat: add CheckOnEveryRequest authorization option by @Sorio6 in #169
- chore(deps): bump the dependencies group in /website with 28 updates by @dependabot in #175
- feat: #164 change default for TokenValidation to IdToken by @sevensolutions in #174
Breaking Changes
Starting with version 0.13.0 the plugin will use the IdToken by default for validation.
Make sure all your required claims are mapped into the IdToken.
If you still want to use the AccessToken, configure TokenValidation: "AccessToken" in the provider config.
When using the redirect_uri query parameter of the /login or /logout endpoints, you now need to allow the required URLs explicitly by specifying ValidPostLoginRedirectUris and/or ValidPostLogoutRedirectUris.
New Contributors
- @I-Al-Istannen made their first contribution in #166
- @Sorio6 made their first contribution in #167
Full Changelog: v0.12.0...v0.13.0
v0.12.0
What's Changed
- Fix typo in kanidm docs by @WhySoBad in #136
- docs: fix typos in getting-started by @LucasFA in #139
- fix: #148 fix logout when user is unauthorized by @sevensolutions in #149
- docs: #153: improve provider docs for Pocket ID and ZITADEL by @sevensolutions in #154
- chore(deps): bump the dependencies group in /website with 27 updates by @dependabot in #151
- fix: fix some missing null-checks when validating the session by @sevensolutions in #158
- feat: error pages by @sevensolutions in #150
Breaking Changes
There is a small breaking change.
When a user is authenticated but not authorized by your authorization config, the returned status code is now 403 (Forbidden) instead of 401 (Unauthorized).
According to the standard, a 403 is more appropriate for this case.
So this means:
| Action | Returned Status Code |
|---|---|
| User is not logged in | 401 Unauthorized |
| User is logged in but not authorized | 403 Forbidden |
| User is logged in and authorized | 200 or whatever the upstream service is returning |
Full Changelog: v0.11.0...v0.12.0
v0.11.0
What's Changed
- feat: add option to provide the secret via an environment variable by @sevensolutions in #127
- feat: simplify environment variable usage by @sevensolutions in #129
- feat: add support for default http proxy environmental variables by @mbegerau in #134
- feat: missing authorization for externally authenticated requests by @sevensolutions in #132
Attention: Breaking Changes
Versions up to and including 0.10.1 had separate configuration properties for reading parameters from environment variables. These were suffixed with Env, e.g. UrlEnv, ClientIdEnv, etc.
In version 0.11.0 these extra properties have been removed.
Instead, you now provide the environment variable name through the normal property, such as Url or ClientId, in the form ${VARIABLE_NAME}.
Please note that although this looks like templating, templating is not supported at the moment: the whole value must be a single variable name.
Migration path
Old:

```yaml
middlewares:
  oidc-auth:
    plugin:
      traefik-oidc-auth:
        Provider:
          UrlEnv: "PROVIDER_URL"
          ClientIdEnv: "CLIENT_ID"
          ClientSecretEnv: "CLIENT_SECRET"
```

New:

```yaml
middlewares:
  oidc-auth:
    plugin:
      traefik-oidc-auth:
        Provider:
          Url: "${PROVIDER_URL}"
          ClientId: "${CLIENT_ID}"
          ClientSecret: "${CLIENT_SECRET}"
```
Please see the docs for more details.
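As an added illustration of the ${VARIABLE_NAME} contract described above (example code written for this page, not the plugin's own implementation): a resolver that treats a value as an environment reference only when the whole string is a single ${NAME}, leaves any other string, including mixed text such as "https://${HOST}/realm", as a literal, and reports an unset variable as an error. The ProviderConfig struct and the unset-variable error are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
)

// envRef matches a value that is exactly one ${VARIABLE_NAME} reference.
// Mixed strings such as "https://${HOST}/realm" do not match on purpose:
// templating is not supported, only a single variable name is.
var envRef = regexp.MustCompile(`^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$`)

// ResolveValue returns value unchanged unless it is a bare ${NAME} reference,
// in which case the variable's contents are returned. Reporting an unset
// variable as an error is an assumption of this example.
func ResolveValue(value string) (string, error) {
	m := envRef.FindStringSubmatch(value)
	if m == nil {
		return value, nil // literal, including partial "${...}" text
	}
	v, ok := os.LookupEnv(m[1])
	if !ok {
		return "", fmt.Errorf("%q references unset environment variable %s", value, m[1])
	}
	return v, nil
}

// ProviderConfig carries the three Provider properties from the migration
// example above; the struct itself is constructed for this example.
type ProviderConfig struct {
	Url, ClientId, ClientSecret string
}

// Resolve returns a copy of the config with every bare ${NAME} reference
// replaced; c is a value receiver, so the caller's config is untouched.
func (c ProviderConfig) Resolve() (ProviderConfig, error) {
	for _, f := range []*string{&c.Url, &c.ClientId, &c.ClientSecret} {
		v, err := ResolveValue(*f)
		if err != nil {
			return ProviderConfig{}, err
		}
		*f = v
	}
	return c, nil
}

func main() {
	os.Setenv("PROVIDER_URL", "https://idp.example.test/realms/demo") // constructed sample
	cfg := ProviderConfig{Url: "${PROVIDER_URL}", ClientId: "my-client", ClientSecret: "${CLIENT_SECRET}"}
	fmt.Println(cfg.Resolve()) // CLIENT_SECRET is unset here, so this prints the error
}
```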
Full Changelog: v0.10.1...v0.11.0
v0.10.1
What's Changed
- fix: #124: IdToken wasn't stored after renewing the session. This was problematic when using Provider.TokenValidation = IdToken. by @sevensolutions in #125
Full Changelog: v0.10.0...v0.10.1
v0.10.0
What's Changed
- docs: Improve documentation for logout and authorization by @sevensolutions in #119
- feat: Make PostLoginRedirectUri to support absolute uri by @jvitor83 in #122
Full Changelog: v0.9.0...v0.10.0