Unreleased (2021-06-18)

Bug Fixes

Features

  • Ability to Configure Remote Authorizers to set Headers in AuthenticationSession (#717) (b3d117b): The remote authorizers may have useful context from the user's permissions. So with this change, custom authorizers using remote and remote_json can return some useful headers to be forwarded into the AuthenticationSession, meaning that these headers will be passed to upstream services. For example, a user containing scopes/branches inside an organization profile has some level of data addressed to him. In this case, the upstream service needs to know that, and "filter" the data according to his "branch_id". The permission that is given to the user (and that the remote authorizer manages) has a record of the "branch_id", so the following responses will be returned with status code 200 (if granted) and contain a header like X-Branch-Id. The upstream service receives the X-Branch-Id and does its thing. The configuration requires a list of "allowed headers" returned from the remote authorizer that will be accepted in the pipeline.
  • Add request header in match context (#719) (22b0dbe), closes #512
  • Improved JWT Authorizer JWKs fetching (#726) (5613f65), closes #203

0.38.11-beta.1 (2021-05-13)

This release primarily addresses issues in the SDK build pipeline.

Bug Fixes

Code Generation

  • Pin v0.38.11-beta.1 release commit (413393f)

Reverts

  • Init introspect http client once (#714) (#722) (c58cbd9): This reverts commit e203ad14ac0e78909e7d42aa214c47a708a7c136.

0.38.10-beta.2 (2021-05-05)

This release improves the health status manager, cache management, improves JSON Web Token debuggability, and resolves other issues.

Bug Fixes

  • Register makefile tasks (2832a77)
  • Resolve makefile issues (9df3b2a)
  • Set cost 1 when caching tokens with configurable max cost (#680) (8db0e9d)
  • Update shebangs to use bash from /usr/bin/env instead of /bin/ for better portability (#694) (e522062)

Code Generation

  • Pin v0.38.10-beta.2 release commit (4b3403b)

Code Refactoring

Documentation

  • Add dotnet sdk (#683) (05ae925):

    • docs: add dotnet sdk

    • docs: add dotnet sdk versioned

  • Change forum to discussions readme (#690) (d942c04)

  • Consistent authz headers (#699) (19948e1): Removes the "Authorizer" prefix from a few of the authorizers to make them all consistent.

  • Fix typo (#696) (eda83f1)

  • Point to deny authz (#701) (4f01963), closes #700

Features

  • Add health event manager and rules readiness probe (#674) (01d8588)
  • Add http method into session.MatchContext (#676) (e15a7a5), closes #625
  • Add support for requesting an audience to the OAuth2 Introspection pr… (#678) (2405810), closes #677
  • Additional JWT auth debug information (#681) (d08ab50), closes #668: JWT Claims added to error details field.
  • Adds audience into Extra at oAuth2 introspection (#480) (c9faecc)
  • Global docs sidebar and added cloud pages (#705) (f67241f)

0.38.9-beta.1 (2021-03-17)

This release adds support for X-Forwarded-Proto, passes tracing contexts to downstream requests, bumps Go to 1.16, and resolves issues preventing the log level from being set to trace level. Additionally included are improvements to the overall tracing set up, a cookie authenticator bugfix, and a bugfix for glob pattern matching.

Code Generation

  • Pin v0.38.9-beta.1 release commit (9ad41f0)

0.38.9-beta.1.pre.3 (2021-03-16)

autogen: pin v0.38.9-beta.1.pre.3 release commit

Bug Fixes

  • Make glob patterns match only one path segment. (#664) (c711aac), closes #630: This makes / also a separator as well as the presumably default value of .. This allows using <*> for matching only one path segment.

Code Generation

  • Pin v0.38.9-beta.1.pre.3 release commit (7725554)

0.38.9-beta.1.pre.2 (2021-03-15)

autogen: pin v0.38.9-beta.1.pre.2 release commit

Code Generation

  • Pin v0.38.9-beta.1.pre.2 release commit (9695b77)

0.38.9-beta.1.pre.1 (2021-03-15)

autogen: pin v0.38.9-beta.1.pre.1 release commit

Bug Fixes

  • Resolve goreleaser issues and bump golang (7291df9)

Code Generation

  • Pin v0.38.9-beta.1.pre.1 release commit (7afdc40)

Unclassified

  • Add missing documentation for oauth2_introspection (#648) (34cf38c), closes #549

0.38.8-beta.1 (2021-02-25)

Improves tracing set up and addresses a bug in the cookie authenticator.

Bug Fixes

  • Ignore cookie auth when no cookies set (c84d880)

Code Generation

  • Pin v0.38.8-beta.1 release commit (2943e9a)

Unclassified

  • Formatting (546691b)
  • Add tracing to outbound oauth introspection requests (daf44cb)

0.38.7-beta.1 (2021-02-22)

This release adds support for X-Forwarded-Proto, passes context for tracing to downstream requests, bumps Go to 1.16 and resolves issues preventing the log level from being set to trace level.

Bug Fixes

  • Accept lower and uppercase in bearer token handler (6e46d4a)
  • Add support for X-Forwarded-Proto header (#638) (6eb83fd), closes #153
  • Pass context through to external requests (#627) (ee25197): Enables proper tracing through Jaeger etc
  • Update goreleaser config (9689f45)
  • Update log schema (78e654d)

Code Generation

  • Pin v0.38.7-beta.1 release commit (3b37928)

Features

0.38.6-beta.1 (2021-01-27)

We are happy to announce Dart and Rust SDKs for Ory Oathkeeper! Additionally, a new bearer_token authenticator has been added.

Code Generation

  • Pin v0.38.6-beta.1 release commit (a0c4d7f)

Documentation

  • Add Rust and Dart SDKs (1524fed): We now support Rust and Dart SDKs!
  • Fix js npm links (#634) (c339fee)
  • Rename index documents (7de0ac3)

Features

  • Add bearer_token authenticator (#613) (b623ae7): Adds a new authenticator to work with Kratos' new API token. Works the same as the cookie_session authenticator but checks for a bearer token in the Authorization header (unless overwritten by token_from)

0.38.5-beta.1 (2020-12-10)

The ORY Community is proud to present you the next iteration of ORY Oathkeeper. In this release, we focused on improving production stability and resolved several pesky bugs!

Bug Fixes

  • Check content-length header in lowercase (#530) (a68fc8a): Issue #422 didn't fix the problem with the requests' Content-Length being copied in the responses because the check was case-sensitive and unit tests didn't cover it.
  • Never construct id token claim templates in parallel (#552) (4f504d9), closes #551
  • Remove token_type validation from introspection handler (#556) (b18d90a), closes #553
  • Support windows file paths (#557) (6a05682), closes #514 #332
  • Update dd-trace to fix build (2e571fa)

Code Generation

  • Pin v0.38.5-beta.1 release commit (f4a04da)

Documentation

Features

  • Forward original authorization header when using remote (json) authorizer (#554) (f4f781e), closes #528
  • Use google/go-cloud to fetch rules and credentials from object storage (#562) (666b951), closes #518 #518

Unclassified

0.38.4-beta.1 (2020-09-28)

This release stabilizes several features and resolves a couple of bugs.

Bug Fixes

  • Add tests in error_redirect_test.go (#522) (24bdd9b): Increased test coverage to cover all three valid scenarios - http absolute, https absolute, relative. Explicitly checked Location path to ensure that the correct uri scheme was returned.
  • Deprecated key in goreleaser config (2a4f901)
  • Ignore x/net false positives (bc8a32c)
  • Misleading HTTP status code for oauth2_client_credentials authenticator (#504) (0f65631), closes #496

Code Generation

  • Pin v0.38.4-beta.1 release commit (1c997b2)

Documentation

  • Fix broken links (dd3bfbe)
  • Fix OAuth2 Introspect Authn Config Documentation (#498) (7612e20): Switch the definitions for the pre-authorisation fields 'scope' and 'token endpoint' in the documentation.
  • Fix sidebar (28247fc)
  • Guide for integrating with ORY Hydra (#497) (e1b1751)
  • Move development section (582a4d0)
  • Move to json sidebar (b67230d)
  • Remove duplicate template (01550b4)
  • Update repository templates (2aaf766)
  • Update repository templates (#506) (cb53d79)

Features

  • Add and automate version schema (7ab4012)
  • Add url_param config option to redirect error handler. (#520) (b5bb3bc), closes #511: This change introduces a url_param config option for the redirect error handler. If it contains a url parameter name, the redirect url will have this parameter set, containing the current url (from which Oathkeeper has redirected the user). This can be useful in passing the return_to url to Kratos, so the user can be redirected to the page they initially wanted to access after a successful sign in.
  • Log invalid credentials on info level instead of error/warning (#517) (a372b5f), closes #505
  • Use uri-reference for errors redirect to allow relative urls (#516) (0d39674)

Unclassified

0.38.3-beta.1 (2020-07-29)

This release addresses several configuration bugs and resolves a potential panic.

Bug Fixes

Code Generation

  • Pin v0.38.3-beta.1 release commit (1f754a9)

Documentation

  • Delete old redirect homepage (a1a4610)
  • Fix access rule example (739f179)
  • Fix api access rule example (#460) (c75cd97)
  • Update repository templates (edffc2e)
  • Update repository templates (7af8749)
  • Use central banner repo for README (04fe00c)
  • Use mdx for api reference (368f073)

Features

  • Improve configurability of prometheus metrics (#450) (ddcb226), closes #446
  • Pass query parameters to the hydrators (#479) (48603a1)

0.38.2-beta.1 (2020-05-25)

This patch makes timeouts configurable for oauth2_client_credentials and the reverse proxy and additionally allows prometheus to be configured.

Bug Fixes

  • Move prometheus validation stanza to local schema (#437) (dcf3e14), closes #438

Chores

  • Pin v0.38.2-beta.1 release commit (0de2682)

Documentation

Features

  • Add configurable timeouts to API server (#440) (0dc6292)
  • Timeout config for oauth2_client_credentials (#443) (2462fa3), closes #442

0.38.1-beta.1 (2020-05-08)

Caching in the hydrator mutator has been improved. Please use cache.enable=true if you intend using the hydrator.

Bug Fixes

  • Improve caching strategy and config for hydrator (#433) (0047054): To enable the hydrator cache you must now use the cache.enabled property. Also, the cache key strategy has been improved.

Chores

  • Pin v0.38.1-beta.1 release commit (20f439d)

0.38.0-beta.2 (2020-05-07)

This release introduces Prometheus support, a new remote authorizer, caching, and several bugfixes!

No backwards incompatible changes have been introduced.

Bug Fixes

  • Add old schemas to resolve issues with old versions (b94c391), closes #400
  • Don't copy the decision endpoint request's Content-Length (#422) (0e99045): We currently copy all original request headers sent to the decision endpoint back. This can include the Content-Length header which describes the request body or response. Including the original request Content-Length causes issues for the decision endpoint client if the response body doesn't match the exact size. This change makes sure the Content-Length doesn't get included in the response body and adds a test to prevent future regressions.
  • Respect retry in token introspection (#410) (88f7b69)
  • Update install.sh script (#429) (2d2eded)
  • Use pipe to pass body remote authorizer (#426) (1a44087): Resolves flaky tests.
  • Use semver-regex replacer func (a13cdf5)

Chores

  • Pin v0.38.0-beta.2 release commit (73d36cd)

Code Refactoring

Documentation

Features

  • Add cache to hydrator (#418) (1ae6e7a), closes #417: This patch introduces new configuration parameters that allow the hydrator mutator to cache requests.
  • Add new remote authorizer that uses request body and headers (#416) (3a20637): This pull request implements a new authorizer that sends the original request body as body to the remote endpoint. This allows the remote endpoint to take the body into account in its decision. The current remote_json authorizer does not have the ability to send the request body of the request to authorize. This means this cannot be taken into account while checking permissions. Providing the request body as part of the JSON payload won't always work as JSON cannot handle binary data.
  • Add prometheus docs (#427) (117ee6a)
  • Add prometheus endpoint providing basic request metrics (#404) (fdaed46): This patch adds basic prometheus metrics. The prometheus metrics are exposed at the default prometheus exporter port 9000 and are configurable with:
     serve:
       prometheus:
         port: 9000
         host: localhost
         metrics_path: /metrics
  • Oauth2_introspect cache introspection results (#424) (d4557ae), closes #293

0.37.1-beta.1 (2020-04-03)

chore: replace segment with ory fork (#391)

Chores

Documentation

  • Regenerate and update changelog (4e251e9)

0.37.0-beta.1 (2020-04-02)

docs: document v0.36 and v0.37

Breaking Changes

This feature allows the regex capture groups from the URL matcher to be used in several places, including the ID Token generator and elsewhere. To get this working, existing keto_engine_acp_ory authorizers are no longer able to use regex substitution in the form of my:action:$1 but instead must use the new format which is {{ printIndex .MatchContext.RegexpCaptureGroups 0}} (notice that the index changed by -1). A rule migrator exists which makes old rules compatible with the new format, if a version string is given. More details on the rule migration can be found here: https://github.com/ory/oathkeeper/pull/358/commits/fd16ceb230a1b14ebb01a147d2d70acce77f9fbd#diff-6177fb19f1b7d7bc392f5062b838df15

Bug Fixes

  • Add rule id to malformed configuration log error (#386) (7688a8d)
  • Disable test that fails with low cache hit rate (#372) (5414dda), closes #371
  • Improve id_token performance with caching (#367) (47e9fee), closes #364
  • Load config file only in serve command (#365) (68c8546)
  • Replace segment with our own sqa endpoint (#385) (8f63eda)
  • Send OAuth2 introspection scope only when strategy is none (#379) (5e0c8dc), closes #377: This patch removes the scope key from the OAuth2 Introspection request body when a scope strategy other than none is set for the OAuth2 Introspection handler. If the scope strategy is none, the scope key is included in the body.
  • Token expiration error in tests (#390) (9c07a73)
  • docker: Improve docker-compose example (#325) (1247381), closes #324: Add a new file 'Dockerfile-dc' which will primarily be used by Docker Compose to build docker images. Unlike the existing Dockerfile which depends on the Makefile to build the binary, this Dockerfile copies the source code and builds the binary. Oathkeeper has gone through a couple of changes since the initial draft of the docker compose file, considering these changes and the newly introduced Dockerfile in the previous commit, make these changes to the docker-compose.yml:
    1. Bump the version of the compose file to 3.
    2. Remove the need for the postgres database app, since Oathkeeper no longer needs a database.
    3. Remove the need for the migration app, since we no longer need to migrate since there is no database and the option is deprecated.
    4. Use the newly defined Dockerfile 'Dockerfile-dc'.
    5. We now serve both API and PROXY from the same app, so we don't need two instances of the app.
    6. Add sample config, rules and JWK files to .docker_compose, mount this via a volume mount.

Documentation

  • Change link to Developer Install Guide (#369) (f7fe46f): Changing the link to the Developer Documentation - it was pointing to Keto and not to Oathkeeper.
  • Document v0.36 and v0.37 (a176c73)
  • Fix examples for some JSON Schema config keys (#363) (aeeb353)
  • Regenerate and update changelog (9417e2c)
  • Regenerate and update changelog (b817037)
  • Regenerate and update changelog (33a5524)
  • Regenerate and update changelog (888b7a6)
  • Regenerate and update changelog (36faa3b)
  • Regenerate and update changelog (32b6059)
  • Regenerate and update changelog (ba4de09)
  • Regenerate and update changelog (a76f749)
  • Regenerate and update changelog (1789d00)
  • Regenerate and update changelog (0dfc608)
  • Regenerate and update changelog (b23c79a)
  • Regenerate and update changelog (2117171)
  • Regenerate and update changelog (38c9e19)
  • Regenerate and update changelog (e3eda75)
  • Regenerate and update changelog (e7d70f7)
  • Regenerate and update changelog (874b7a9)
  • Regenerate and update changelog (6b1d94b)
  • Regenerate and update changelog (cb38415)
  • Regenerate and update changelog (bec6af0)
  • Update forum and chat links (d9eed10)
  • Update README.md (#375) (313d2fe), closes #374: Fixed link to Envoy configuration page and added link to AWS API Gateway.
  • Updates issue and pull request templates (#382) (484c406)

Features

0.36.0-beta.4 (2020-02-14)

docs: Regenerate and update changelog

Bug Fixes

  • goreleaser: Update brew section (46fb3da)

Documentation

  • Regenerate and update changelog (95a7c09)

0.36.0-beta.1 (2020-02-05)

docs: Regenerate and update changelog

Documentation

  • Prepare ecosystem automation (81ea56b)
  • Regenerate and update changelog (b71e48c)
  • Regenerate and update changelog (4f22e42)
  • Regenerate and update changelog (23e053f)
  • Updates issue and pull request templates (#355) (f9251ed)

Features

  • ci: Add nancy vuln scanner (#354) (de36e40)
  • rule: Add glob matching strategy (#334) (5f983ab), closes #321: This patch adds the ability to choose a matching strategy and adds a glob-based matching strategy to the available options (regex is still the default).

Unclassified

  • Update CHANGELOG [ci skip] (8278b9d)
  • Update CHANGELOG [ci skip] (17f78b7)
  • Update CHANGELOG [ci skip] (d6f6925)
  • Update CHANGELOG [ci skip] (0e109ce)

0.35.5-beta.2 (2020-01-31)

Update README.md

Unclassified

0.35.5-beta.1 (2020-01-27)

Hash enabled check to further improve performance (#353)

Unclassified

  • Hash enabled check to further improve performance (#353) (19099cb), closes #353
  • Update CHANGELOG [ci skip] (6afdeae)
  • Update CHANGELOG [ci skip] (3226ae6)

0.35.4-beta.1 (2020-01-26)

Update release pipeline and tests (#351)

Unclassified

  • Update release pipeline and tests (#351) (c7d81a9), closes #351

0.35.3-beta.1 (2020-01-26)

Update CHANGELOG [ci skip]

Documentation

  • Updates issue and pull request templates (#341) (eca2652)

Unclassified

  • Update CHANGELOG [ci skip] (518b765)
  • Update SDK (5e619a0)
  • Cache pipeline config and improve request latency (#348) (95673ed), closes #346
  • Update CHANGELOG [ci skip] (495adcf)
  • Use integer instead of number in config JSON schema (280b42f)
  • Update CHANGELOG [ci skip] (b72965f)
  • Update SDK (aedabd9)
  • Set min/max for port range in config JSON Schema (#345) (d7d696f), closes #345
  • Update CHANGELOG [ci skip] (8e4d58c)
  • Fix profiling env variable not being picked up (#343) (29b0cf1), closes #343
  • Update CHANGELOG [ci skip] (e7a5d89)
  • Update CHANGELOG [ci skip] (abc00d4)
  • Update SDK (a237c29)
  • Update broken links in README (78e498c)

0.35.1-beta.1 (2020-01-14)

Update CHANGELOG [ci skip]

Unclassified

  • Update CHANGELOG [ci skip] (63b0076)

0.35.0-beta.1 (2020-01-13)

Update CHANGELOG [ci skip]

Documentation

  • Incorporates changes from version v0.34.0-beta.1 [ci skip] (a8a62b4)
  • Incorporates changes from version v0.34.0-beta.1-2-g7516eed [ci skip] (eb82132)
  • Incorporates changes from version v0.34.0-beta.1-4-gee2b9e7 [ci skip] (d084c39)
  • Incorporates changes from version v0.34.0-beta.1-6-g6723fb8 [ci skip] (ebe89ab)

Unclassified

  • Update CHANGELOG [ci skip] (f0e8ecf)
  • Update SDK (6a0a0f8)
  • Update upgrade guide (#337) (99e9877), closes #337
  • Update CHANGELOG [ci skip] (2e13a05)
  • Remove superfluous version from workflows (55037fa)
  • Update CHANGELOG [ci skip] (dfbc231)
  • Update SDK (65222d5)
  • Move to new SDK pipeline (#333) (6940dc8), closes #333
  • authn/cookie_session: Add subject_from modifier (#336) (6723fb8), closes #336: The subject_from modifier is a GJSON path that points to the subject field. Useful if the upstream API does not return a {"subject": "..."} format.
  • authn/cookie_session: Add extra_from modifier (#335) (ee2b9e7), closes #335: The extra_from modifier is a GJSON path that points to the extra field. Useful if the upstream API does not return a {"subject": "...", "extra": "..."} format.
  • pipeline/authn: Add tests for cookie sources in jwt and oauth2_intro (#330) (#331) (7516eed), closes #330 #331 #330: Also updates the schemas to add missing cookie config element.

0.34.0-beta.1 (2019-12-26)

Prepare v0.34.0-beta.1+oryOS.14 release

Documentation

  • Incorporates changes from version v0.33.1-beta.1 [ci skip] (6681754)
  • Incorporates changes from version v0.33.1-beta.1-2-g4033321 [ci skip] (2764758)
  • Incorporates changes from version v0.33.1-beta.1-4-g7e6f636 [ci skip] (66ae8c8)

Unclassified

  • Prepare v0.34.0-beta.1+oryOS.14 release (96f77b2)
  • pipe/err: Improve IP and MIME matching (#323) (7e6f636), closes #323: Previously, MIME matching respected the request's wildcards which led to multiple handlers feeling responsible for a particular request. Now, wildcards coming from the HTTP Request itself are interpreted literally. Additionally, ORY Oathkeeper respected the X-Forwarded-For HTTP Header for matching remote IP addresses. This behavior is now turned off by default because clients were able to fake this header otherwise. It can explicitly be turned on by setting config.when.#.request.remote_ip.RespectForwardedForHeader: true.
  • Add customizable error handlers (#322) (4033321), closes #322 #204 #252 #119: This patch adds a new feature called error handlers. It allows defining the error handling logic globally and per rule. It is now possible, for example, to return a JSON response for Accept: application/json requests and an HTTP Redirect response for requests that are coming from a user. This also resolves several issues, as noted below:

0.33.1-beta.1 (2019-12-18)

docs: Incorporates changes from version v0.33.0-beta.1-12-g0dd3fe3 [ci skip]

Documentation

  • Incorporates changes from version v0.33.0-beta.1 [ci skip] (a178031)
  • Incorporates changes from version v0.33.0-beta.1-10-g3e7936a [ci skip] (083b7eb)
  • Incorporates changes from version v0.33.0-beta.1-12-g0dd3fe3 [ci skip] (82c5253)
  • Incorporates changes from version v0.33.0-beta.1-6-gf60f525 [ci skip] (9870722)
  • Incorporates changes from version v0.33.0-beta.1-8-g815951b [ci skip] (d77b225)

Unclassified

  • Add health check commands (#319) (0dd3fe3)
  • Properly merge env vars into pipeline configs (#320) (3e7936a), closes #320 #305 #317: Previously, some keys did not respect the values set in the environment variables.
  • Add alpine-based Docker image (#318) (815951b), closes #318 #312
  • Add more details to decision logging (#316) (f60f525), closes #316 #244 #242: Adds details such as the HTTP Method, User Agent, Subject, and other information to the logging output of both the reverse proxy and the decision API.
  • Health endpoints now emit TRACE logs (#314) (9036f8e), closes #283: Remove health endpoints from the logs to make monitoring easier. Setting log_level to trace will show these calls.
  • Improve session endpoint debugability (#315) (2718639), closes #300
  • Resolve matcher cache (#313) (1519632), closes #291: A bug caused the rule matcher to not cache the regular expression result.
  • Use bearer splitting when header is set to Authorization (#311) (464fa31), closes #308

0.33.0-beta.1 (2019-12-16)

pipeline/mutator: Refactor hydrator retry config (#287)

Documentation

  • Incorporates changes from version v0.32.1-beta.1 [ci skip] (98c9bf8)
  • Incorporates changes from version v0.32.1-beta.1-5-gf028719 [ci skip] (9f9c00c)

Unclassified

  • pipeline/mutator: Refactor hydrator retry config (#287) (2a97e05), closes #287
  • Update README banner (#307) (f028719), closes #307
  • Add cookie as an option for oauth2_introspection authenticator (#301) (e3fa55a), closes #301
  • Add preserve_path option for cookie session to not override the path in the request (#297) (7e86b78), closes #297
  • Allow specifying additional headers for the oauth introspection request (#302) (b1e5cea), closes #302

0.32.1-beta.1 (2019-10-30)

docs: Incorporates changes from version v0.32.0-beta.1-13-g1910bbe [ci skip]

Documentation

  • Add notes for 0.32.0 (40e3b89)
  • Incorporates changes from version v0.32.0-beta.1 [ci skip] (f3a0e53)
  • Incorporates changes from version v0.32.0-beta.1-11-g7892d2f [ci skip] (c41ecd4)
  • Incorporates changes from version v0.32.0-beta.1-13-g1910bbe [ci skip] (d45e1a0)
  • Incorporates changes from version v0.32.0-beta.1-3-g8cf6868 [ci skip] (2c8fbf7)
  • Incorporates changes from version v0.32.0-beta.1-9-g08d42da [ci skip] (6ce3344)

Unclassified

  • pipeline/authz: Add Content-Type header in the call to Keto (#290) (1910bbe), closes #290
  • Revert incorrect license changes (7892d2f)
  • Revert readme changes to last working version (08d42da)
  • Remove obsolete section from README (aa8deef)
  • Fix broken readme headlines (2e8109a)
  • Auto-kill test runner after 10 retries (#286) (eaad598), closes #286
  • Update ory/x/viperx dependency (#285) (0ef3bce), closes #276 #270 #279 #280: This patch automatically binds environment variables to configuration keys. This patch resolves several issues:
  • Dereference config schema and resolve issues (#282) (8cf6868), closes #282 ory/docs#217 #234 #281

0.32.0-beta.1 (2019-10-20)

docs: Incorporates changes from version v0.31.0-beta.1 [ci skip]

Documentation

  • Incorporates changes from version v0.31.0-beta.1 [ci skip] (dafc870)

0.31.0-beta.1 (2019-10-20)

docs: Incorporates changes from version v0.30.0-beta.1 [ci skip]

Documentation

  • Incorporates changes from version v0.19.1-beta.1-2-g41869a9 [ci skip] (a44846b)
  • Incorporates changes from version v0.20.0-beta.1 [ci skip] (aaf801b)
  • Incorporates changes from version v0.30.0-beta.1 [ci skip] (ebd198a)

Unclassified

  • pipeline/authn: Add token_from config to introspection and jwt (#271) (fc85ac8), closes #271 #257: Add additional optional configuration to jwt and oauth2_introspection authenticators allowing to set from where (which header or query parameter) the token should be received. The configuration is a token_from field in per-rule-configuration, as described in a linked issue.
  • Add migration capabilities (#268) (bc74e72), closes #266: Adds the ability to modify rules with backwards compatibility.
  • Force auth style in oauth2 client credentials authn (#267) (97d7890), closes #260
  • Update UPGRADE.md (4e4bd93)
  • Update upgrade instructions (7483d1c)
  • Change error code from 403 to 401 (#259) (c17e564), closes #256

0.19.0-beta.1 (2019-09-23)

Fix id_token schema reference URL

Unclassified

  • Fix id_token schema reference URL (72a2333)
  • Resolve broken tests (#262) (bc67cc1), closes #262
  • Homogenize configuration management (#258) (89709aa), closes #258
  • Fix #250: Ignore query parameters to build payload for Keto engine (#251) (d0fc7f4), closes #250 #251

0.18.0-beta.1 (2019-08-22)

mutator/id_token: Add claim templating (#246)

Documentation

  • Incorporates changes from version v0.17.4-beta.1 (370eb37)
  • Incorporates changes from version v0.17.5-beta.1 (f7beddc)
  • Updates issue and pull request templates (#237) (6181ee5)
  • Updates issue and pull request templates (#238) (6f83cda)
  • Updates issue and pull request templates (#239) (2e0b3ef)
  • Updates issue and pull request templates (#245) (f140837)

Unclassified

  • mutator/id_token: Add claim templating (#246) (591f524), closes #246
  • Add mutator for modifying authenticationSession with external API (#240) (b38b0f4), closes #240
  • Support multiple mutators per access rule (#233) (d21179d), closes #233 #233
  • Add adopters placeholder (#236) (302c7b8)

0.17.4-beta.1 (2019-08-09)

Add sprig template library (#235)

Documentation

  • Incorporates changes from version v0.17.3-beta.1 (b271ff2)
  • Updates issue and pull request templates (#232) (00c08ba)

Unclassified

  • Add sprig template library (#235) (c85c540), closes #235

0.17.3-beta.1 (2019-08-03)

rule: Resolve k8s configmap reload issue (#231)

Documentation

  • Incorporates changes from version v0.17.2-beta.1 (e652c3f)

Unclassified

  • Resolve k8s configmap reload issue (#231) (c04547e)
  • Move back to scratch Docker image (3fa8a50)

0.17.2-beta.1 (2019-08-02)

rules: Support kubernetes configmap reloading (#230)

Documentation

  • Incorporates changes from version v0.17.1-beta.1 (64d180f)
  • Updates issue and pull request templates (#226) (007d491)

Unclassified

  • Support kubernetes configmap reloading (#230) (92b769b)

0.17.1-beta.1 (2019-07-23)

rule: Fix panic on send on closed channel (#225)

Closes #224

Documentation

  • Incorporates changes from version v0.17.0-beta.1 (8f4a518)

Unclassified

0.17.0-beta.1 (2019-07-18)

ci: Automate schema configuration sync

Continuous Integration

  • Automate schema configuration sync (94bcc4f)

Documentation

  • Incorporates changes from version v0.16.0-beta.5 (a8afc3b)
  • Update upgrade guide (a8ccb05)
  • Update upgrade guide (f727efe)

Unclassified

  • Fix broken reload tests (d6059b7)
  • Remove useless function (3521a3d)
  • Validate configuration with JSON Schema (997427d)
  • Do not fatal when immutable value is changed (717d7f7)
  • Watch configuration and access rule changes (#217) (a078e89), closes #217: This patch allows oathkeeper to re-load any changes made to the configuration file and/or the access rules without a restart. Some configuration keys like serve., log., profiling however require a restart.
  • Create FUNDING.yml (d7da8e2)
  • Add support for rules in YAML format (#213) (67face6), closes #213: This commit adds support for defining access rules in YAML format, in addition to existing JSON format.

0.16.0-beta.5 (2019-06-28)

authenticator: Add cookie session authenticator (#211)

Documentation

  • Incorporates changes from version v0.16.0-beta.4 (1e03ee2)

Unclassified

  • Add cookie session authenticator (#211) (f8a66b7)
  • Add description into the name of subtest (#212) (230c332), closes #212
  • Use non-root user in image (#209) (2215126)
  • Remove binary license (#208) (3460d65), closes #208
  • Update config.yaml (#204) (effe9c0), closes #204: There's no DSN in oathkeeper

0.16.0-beta.4 (2019-05-28)

server: Properly declare negroni middleware (#200)

Previously, negroni.With was mistakenly used to add middleware onto the stack. The proper method however is negroni.Use.

This patch fixes the use of negroni.With and resolves issues around logging and the decisions endpoint.

Closes #199

Documentation

  • Incorporates changes from version v0.16.0-beta.3 (d777ecf)
  • Updates issue and pull request templates (#196) (74fa27b)
  • Updates issue and pull request templates (#197) (31d057c)
  • Updates issue and pull request templates (#198) (244810a)

Unclassified

  • Properly declare negroni middleware (#200) (9d3dc54), closes #199: Previously, negroni.With was mistakenly used to add middleware onto the stack. The proper method however is negroni.Use. This patch fixes the use of negroni.With and resolves issues around logging and the decisions endpoint.

0.16.0-beta.3 (2019-05-19)

ci: Use golang for docs task

Continuous Integration

Documentation

  • Incorporates changes from version v0.15.2 (7ceabe9)
  • Rename config.yml -> config.yaml (4faecbe)
  • Updates issue and pull request templates (#189) (367a48d)

Unclassified

0.15.2 (2019-05-04)

cmd/client: Use json rawmessage for arbitrary payloads (#184)

Closes #182

Signed-off-by: Stanislav Zapolsky stszap@gmail.com

Documentation

  • Incorporates changes from version v0.15.1 (5c34958)

Unclassified#

  • cmd/client: Use json rawmessage for arbitrary payloads (#184) (a55e4d1), closes #184 #182

0.15.1 (2019-04-29)

vendor: Add go.sum (#180)

Signed-off-by: aeneasr aeneas@ory.sh

Unclassified#

0.15.0 (2019-04-29)

docker: Remove full tag from build pipeline (#179)

Signed-off-by: aeneasr aeneas@ory.sh

Documentation#

  • Incorporates changes from version v0.0.0-testrelease.3 (44649b6)
  • Incorporates changes from version v0.14.2+oryOS.10 (2d9899a)
  • Update patrons (f423666)
  • Update README building-from-source part with the gomodule way (#152) (9d653f5), closes #149

Unclassified#

  • Remove full tag from build pipeline (#179) (e2edbf8)
  • Remove sdk dependencies to keto/hydra (#173) (b538e3c): This patch replaces code-generated SDKs with raw http.Client calls which reduces dependencies and makes future changes to the keto/hydra SDK easier to adapt to.
  • Update CHANGELOG.md (cbccbe2)
  • Ensure rule matcher is locked before updating (#159) (6fb7151): Lock CachedMatcher before rules are updated when HTTPMatcher refreshes to avoid concurrent map iteration and map write errors.
  • Improve debuggability of JWT authenticator (#156) (8441bd5)
  • Move to go-swagger SDK code generation (#170) (38c52a3), closes #165
  • Remove vendored dependencies after sdk generation (7c33ca8)
  • Set request headers for credential issuers (#169) (4fc579c), closes #120 #133
  • Update Dockerfile build instructions (ec40cc4)
  • Upgrade dependencies (#163) (f9fdefb)
  • Use scp,scope,scopes in jwt authenticator (#162) (eebc2f4), closes #138: Previously, the JWT authenticator only used the "scope" claim to retrieve scope values from a JWT. Now, "scp", "scope", "scopes" are supported as string arrays and strings separated by spaces.
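The scope-claim handling described in the last entry above, sketched as an added Go example; it is not Oathkeeper's own code. The function names, the lookup order scp, scope, scopes, the exact-match comparison and the sample payloads are assumptions, and the payload is assumed to come from a token whose signature has already been verified.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// scopeClaimNames are the claim names the changelog entry lists.
// The lookup order is an assumption of this example.
var scopeClaimNames = []string{"scp", "scope", "scopes"}

// ScopesFromClaims (hypothetical helper) returns the scopes carried by the
// first scope claim present. The claim may be a space-separated string or an
// array of strings; any other shape is an error so callers can fail closed.
func ScopesFromClaims(claims map[string]interface{}) ([]string, error) {
	for _, name := range scopeClaimNames {
		raw, present := claims[name]
		if !present {
			continue
		}
		switch v := raw.(type) {
		case string:
			// strings.Fields tolerates repeated or leading/trailing spaces.
			return strings.Fields(v), nil
		case []interface{}:
			scopes := make([]string, 0, len(v))
			for _, item := range v {
				s, ok := item.(string)
				if !ok || strings.TrimSpace(s) == "" {
					return nil, fmt.Errorf("claim %q has a non-string or empty element", name)
				}
				scopes = append(scopes, s)
			}
			return scopes, nil
		default:
			return nil, fmt.Errorf("claim %q has unsupported type %T", name, raw)
		}
	}
	// No scope claim at all: the token grants no scopes.
	return nil, nil
}

// ScopesFromPayload decodes an already-verified JWT payload (JSON) and
// extracts its scopes.
func ScopesFromPayload(payload []byte) ([]string, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("decode claims: %w", err)
	}
	return ScopesFromClaims(claims)
}

// Authorize reports whether every required scope is granted. A malformed
// scope claim denies the request instead of being treated as "no scopes".
func Authorize(payload []byte, required ...string) bool {
	granted, err := ScopesFromPayload(payload)
	if err != nil {
		return false
	}
	have := make(map[string]struct{}, len(granted))
	for _, s := range granted {
		have[s] = struct{}{}
	}
	for _, r := range required {
		if _, ok := have[r]; !ok {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample payloads, one per claim shape.
	samples := []string{
		`{"sub":"alice","scope":"read  write"}`,
		`{"sub":"alice","scp":["read","write"]}`,
		`{"sub":"alice","scopes":"read"}`,
		`{"sub":"alice","scopes":["read",7]}`,
		`{"sub":"alice"}`,
	}
	for _, p := range samples {
		scopes, err := ScopesFromPayload([]byte(p))
		fmt.Printf("%-42s scopes=%q err=%v write=%v\n",
			p, scopes, err, Authorize([]byte(p), "write"))
	}
}
```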

0.14.2+oryOS.10 (2018-12-13)

ci: Fix docker push arguments in publish task

Signed-off-by: aeneasr aeneas@ory.sh

Continuous Integration#

  • Fix docker push arguments in publish task (62415a1)

0.14.1+oryOS.10 (2018-12-13)

ci: Fix docker release task

Signed-off-by: aeneasr aeneas@ory.sh

Continuous Integration#

0.14.0+oryOS.10 (2018-12-13)

ci: Fix circle misconfiguration

Signed-off-by: aeneasr aeneas@ory.sh

Continuous Integration#

  • Fix circle misconfiguration (a00ce64)

Documentation#

  • Adds gh templates & code of conduct (#78) (02361aa)
  • Adds link to examples repository (#79) (bfe96e9)
  • Align changelog, upgrade with new versions (#143) (751dfa3)
  • Clarify beyondcorp (3647958)
  • Clarify breaking change policy (6e6bb7e)
  • Fix broken link (#87) (828b33e)
  • Fix proxy help command description (#142) (c836cb0)
  • Fix typo in README. (#118) (3d33fcc)
  • Grammatical fix in stability sentence (#86) (ff0604d)
  • Improve some docs and update SDK (#135) (9a6901d)
  • Incorporates changes from version v0.11.12-1-gace7f34 (3a6450c)
  • Incorporates changes from version v0.11.12-10-g57ac174 (c594b7e)
  • Incorporates changes from version v0.11.12-13-gd00dfed (7c221fa)
  • Incorporates changes from version v0.11.12-15-g6604045 (2a594f4)
  • Incorporates changes from version v0.11.12-3-g7acfbca (ac34a58)
  • Incorporates changes from version v0.11.12-6-g181e9ac (01dda53)
  • Incorporates changes from version v1.0.0-beta.1 (788e96b)
  • Incorporates changes from version v1.0.0-beta.2-1-gd6eb440 (579f7a7)
  • Incorporates changes from version v1.0.0-beta.2-10-gef6e889 (38cfb31)
  • Incorporates changes from version v1.0.0-beta.2-12-g9b6c0df (82ac9b2)
  • Incorporates changes from version v1.0.0-beta.2-6-ged2f983 (d9737c8)
  • Incorporates changes from version v1.0.0-beta.2-8-g5495d4a (546828d)
  • Incorporates changes from version v1.0.0-beta.3-3-g3c0c862 (e1127a8)
  • Incorporates changes from version v1.0.0-beta.4-1-g643dbea (5c40f97)
  • Incorporates changes from version v1.0.0-beta.4-12-gbfe96e9 (756178a)
  • Incorporates changes from version v1.0.0-beta.4-17-gfa5388c (3d5df8b)
  • Incorporates changes from version v1.0.0-beta.4-19-g6d647d7 (b5539f4)
  • Incorporates changes from version v1.0.0-beta.4-3-g951da25 (8931b39)
  • Incorporates changes from version v1.0.0-beta.4-5-g83b591d (4f2c64b)
  • Incorporates changes from version v1.0.0-beta.4-7-gf450697 (8f904d2)
  • Incorporates changes from version v1.0.0-beta.4-9-g02361aa (5b34e91)
  • Incorporates changes from version v1.0.0-beta.5-1-g3647958 (2bcfb39)
  • Incorporates changes from version v1.0.0-beta.6-1-gff0604d (0c69154)
  • Incorporates changes from version v1.0.0-beta.6-3-g828b33e (c53f5b2)
  • Incorporates changes from version v1.0.0-beta.8 (92c09fb)
  • Incorporates changes from version v1.0.0-beta.9 (b9127f6)
  • Update documentation links (#144) (84131d2)
  • Update link to security console (26fdda1)
  • Update migration guide (b2e6d67)
  • Updates copyright notice (e58535d)
  • Updates issue and pull request templates (#126) (5991a92)
  • Updates issue and pull request templates (#127) (e4d0e26)
  • Updates link to open collective (25e0dee)
  • Updates links to docs (9dca7c0)
  • Updates links to docs (57ac174)
  • Updates newsletter link in README (97f1dea)
  • Updates readme TOC (3c0c862)
  • Updates README.md (1387f9f)
  • Updates TOC (9b6c0df)
  • Updates upgrade.me (0118f9f)

Unclassified#

  • Add ability to configure scope strategy (519a536)
  • Add cookies ci to handler factory (#103) (59aabfa)
  • Add cookies credentials issuer (032d88e)
  • Add endpoint for answering access requests directly (d211641), closes #42: This patch adds endpoint /judge to oathkeeper serve api. The /judge endpoint mimics the behavior of oathkeeper serve proxy but instead of forwarding the request to the upstream server, the endpoint answers directly with a HTTP response. The HTTP response returns status code 200 if the request should be allowed and any other status code (e.g. 401, 403) if not. Assuming you are making the following request:

        PUT /judge/my-service/whatever HTTP/1.1
        Host: oathkeeper-api:4456
        User-Agent: curl/7.54.0
        Authorization: bearer some-token
        Accept: */*
        Content-Type: application/json
        Content-Length: 0

    And you have a rule which allows token some-bearer to access PUT /my-service/whatever and you have a credentials issuer which does not modify the Authorization header, the response will be:

        HTTP/1.1 200 OK
        Authorization: bearer-sometoken
        Content-Length: 0
        Connection: Closed

    If the rule denies the request, the response will be, for example:

        HTTP/1.1 401 OK
        Content-Length: 0
        Connection: Closed

  • Add headers credentials issuer (b084c32)
  • Add http proxy timeout config (#132) (b3718ce): Add environment parameters (and description) to configure timeout settings of a server handling proxy requests. It will help prevent unexpected closing of a client connection if an upstream request takes longer than the default timeout.
  • Add JWT authenticator (61625bc)
  • Add NodeJS SDK (#94) (7505b71)
  • Adds ability to specify db url via env var in migrate (b2cc5d2)
  • Adds and improves metrics middleware (b0dfd97)
  • Adds log message when telemetry is active (ed2f983)
  • Adds validator for rules (#77) (f450697): This patch adds an input validator for rules which should prevent accidental typos or similar issues when creating a rule. Additionally, no invalid/unconfigured handlers (authorizers, credential issuers, authenticators) can be used.
  • Align TLS options with hydra (#114) (c763152)
  • Allow empty upstream in rules (e46065a)
  • Allow regex in match scheme (c6d17c5), closes #92
  • Allows connectivity to MySQL (fa5388c), closes #82
  • Authenticator noop should not bypass (6f8ab4f), closes #97
  • Convert AuthenticationSession to local struct type for better handling (b00b2a2)
  • Disable cors per default (#107) (c5ab0c3): This patch introduces CORS_ENABLED which defaults to "false".
  • Doesn't fatal if no ORY Hydra is unresponsive. (#66) (181e9ac), closes #65
  • Enables TLS option on serve api (#116) (83f1f84)
  • Expose all ORY Hydra ports in tests (691a72d)
  • Expose all ORY Hydra ports in tests (add70c6)
  • Fix checkResponse message typo (#106) (0d0e653)
  • Ignore query parameters when matching url in rules. (#139) (07eb99b)
  • Improve compatibility with ORY Hydra 1.0.0-beta.8 (#108) (296e012), closes #101: This patch improves compatibility with ORY Hydra 1.0.0-beta.8 and updates vendored dependencies.
  • Improve hydra integration tests (e8b7a58)
  • Improve refresh subroutines (cc33538)
  • Improves cors parsing (d00dfed)
  • Improves test set up (6b6bb88)
  • Include headers credential issuer in handler factory (0e1ef1b)
  • Introduce health and version endpoint (029c7ff)
  • Make subject configurable using go template (#129) (ee9dcdd)
  • More CredentialsIssuerHeaders tests (079171f)
  • Move headers into new config field (51eb9fb)
  • Properly document JWT refresh (#117) (2e024f9)
  • Properly handle conflicts on PUT and POST (83b591d), closes #38: Previously, PUT and POST did not result in errors (409) when non-existing resources were modified, or existing resources were created. This patch resolves that.
  • Refactors Oathkeeper into new ecosystem (#60) (7acfbca)
  • Refresh rules in api mode (08204e8)
  • Remove config flag (#111) (8385cbc), closes #110
  • Remove config flag (#111) (7de77b8), closes #110
  • Remove package.json from swagger dir (837d18c)
  • Resolve broken introspection scope setting (18837a9)
  • Resolve HS256 kid mismatch (6d647d7), closes #83
  • Resolves panic when network fails in "rules import" (078542a)
  • Streamlines https configuration variables (#124) (9f6f815), closes #121
  • Test for errors (585672e)
  • Test missing Extra field (a4d3d2d)
  • Test template caching/lookup (ab8a402)
  • Update keto to latest (3e2a8de)
  • Upgrade keto authorizer to 0.2.0 (#145) (bcd4836)
  • Support "scope" claim as a string in jwt authenticator (#137) (ab5240e), closes #137
  • Test nesting of various types (188748d)
  • Update rules stub (475f39a)
  • Upgrade superagent version (44ed240)
  • Use print funcmap function to override text/template print (76b2d9d)
  • Validate handler configurations (a558103)
  • Adds docker-compose example with postgres (84f1313)
  • Removes obsolete benchmark (3f259da)
  • Resolves an issue with cached matchers (951da25), closes #73: This patch resolves an issue where updates would not properly propagate. This caused deleted rules to still be available in the proxy.
  • Resolves issues with broken tests (6604045)
  • Resolves naming issues and updates readme (5495d4a)
  • Resolves potential panic in request handler (ef6e889)
  • Resolves recursive stack overflow (#81) (0594cda), closes #80
  • Reduces setup complexity by making strategies configurable (6626f8f), closes #71: This patch adds another ID Token signing algorithm (HS256) which is easier to set up as it does not rely on ORY Hydra but instead on a shared secret. Additionally the ability to specify which ID Token signing algorithm to use has been added. Environmental variables to configure the behaviour have been added as well. Further, the ORY Keto Warden Authorizer strategy is now optional and disabled when the environment variable AUTHORIZER_KETO_WARDEN_KETO_URL is empty.
  • Updates to ORY Hydra v1.0.0-beta.2 (e4c9f2e)
  • Tells linguist to ignore SDK files (ace7f34)

0.11.12 (2018-05-07)

Introduces new versioning number to match ORY Hydra

Documentation#

  • Adds automatic summary generation (#49) (20fefbc)
  • Adds edit on github links (95af1bb)
  • Adds license note to all source files (#51) (2c8ff2f)
  • Fixes redirect path (9bca2f3)
  • Moves documentation to new repository (#57) (a9f21f3)
  • Redirect to ory domain (0599e63)
  • Removes newline from swagger doc (5e297b3)
  • Removes stray line in api docs (bed1a04)
  • Removes summary plugin (ce06f4e)
  • Resolves broken policy and client definitions (#55) (4676f40), closes #53
  • Updates chat badge to discord (1bbac52)
  • Updates execution instructions (#56) (3bcfd8b): Adjusting run script to respect env variables
  • Updates README.md (#58) (bdb542f)
  • Updates swagger docs (5ea68c2)

Unclassified#

  • Introduces new versioning number to match ORY Hydra (75b5121)
  • Adds mock generation script (00b51b7)
  • Corrects logging typo (#52) (d415291): This corrects logging from 'oahtkeeper-proxy' to 'oathkeeper-proxy' in, e.g., the proxy latency logline.
  • Updates hydra sdk mock (2ff8032)
  • Updates hydra to 0.11.6 (ee969f6)
  • Updates license header (94a2ed2)
  • Use source file from vendor for mock generation (42517c6)
  • Uses Hydra v0.11.6 in tests (9c2cc89)
  • Adds license (cc13ae8)
  • Updates README.md (c9340dc)

0.0.29 (2017-12-19)

Adds use field to well known (#48)

Unclassified#

  • Adds use field to well known (#48) (f7353ea), closes #48

0.0.28 (2017-12-19)

Replaces key discovery with well-known feature (#46)

Closes #43

Unclassified#

  • Replaces key discovery with well-known feature (#46) (e343a61), closes #46 #43

0.0.27 (2017-12-12)

Adds cors capabilities to management server

Unclassified#

  • Adds cors capabilities to management server (6519846)

0.0.26 (2017-12-11)

Adds hydra.introspect to required tokens

Unclassified#

  • Adds hydra.introspect to required tokens (b66462a)
  • Fixes broken image link in docs (1aa2404)

0.0.25 (2017-11-28)

Add extra data from token introspection to session

Unclassified#

  • Add extra data from token introspection to session (ce8f9f2)

0.0.24 (2017-11-26)

Replaces LogError with direct error logging

Unclassified#

  • Replaces LogError with direct error logging (73994b8)
  • Upgrades vendor dependencies (4207aef)
  • Introduces telemetry module and adds documentation (c5a7f7a), closes #27 #34
  • Use oathkeeper public url as issuer (1e5ae00)

0.0.23 (2017-11-24)

Print formatted output string in rule management CLI (#35)

Documentation#

Unclassified#

  • Print formatted output string in rule management CLI (#35) (b14c74e), closes #35
  • Update docs and add tests (#32) (c6bf7d1), closes #32

0.0.22 (2017-11-20)

Renames bypass values for better clarity

Closes #13 Closes #29

Unclassified#

  • Renames bypass values for better clarity (46a717e), closes #13 #29

0.0.21 (2017-11-19)

Request hydra.keys scope and fix panic

Unclassified#

  • Request hydra.keys scope and fix panic (546b2cf)

0.0.20 (2017-11-18)

docs: Improve swagger documentation

Documentation#

  • Add developer guide link to readme (68be400)
  • Add install and run section (87f0700)
  • Fix table of contents in summary (fdb752b)
  • Improve swagger documentation (8f16a9b)
  • Wrote basic developer guide (952d27c)

Unclassified#

  • Replace shared secret with RSA key from Hydra for ID token signing (e7ed8ca)
  • Add rules management capabilities to the cli (289c38a)
  • Format cmd/serve (bc2e7c1)
  • Ignore gitbook output directory (580b94f)

0.0.19 (2017-11-13)

evaluator: Use full request URL

Unclassified#

0.0.18 (2017-11-13)

evaluator: Improve audit capabilities

Unclassified#

  • Improve audit capabilities (c952d21)
  • Resolve potential panic in token id generation (8fe9e9a), closes #22

0.0.17 (2017-11-12)

Introduces surrogate_id to SQLManager (#21)

Unclassified#

  • Introduces surrogate_id to SQLManager (#21) (fbe272f), closes #21

0.0.16 (2017-11-12)

Replace MatchesPath with MatchesURL (#20)

Unclassified#

  • Replace MatchesPath with MatchesURL (#20) (4ee776c), closes #20

0.0.15 (2017-11-09)

Add HTTPS capabilities and document proxy/management commands (#19)

Unclassified#

  • Add HTTPS capabilities and document proxy/management commands (#19) (98ef623), closes #19

0.0.14 (2017-11-07)

Make refresh_delay configurable and skip it on boot (#18)

Unclassified#

  • Make refresh_delay configurable and skip it on boot (#18) (4863a82), closes #18

0.0.13 (2017-11-07)

Store rules path match in plaintext (#17)

Unclassified#

  • Store rules path match in plaintext (#17) (6570b5d), closes #17

0.0.12 (2017-11-07)

Use ladon regex compiler for matches (#16)

Unclassified#

  • Use ladon regex compiler for matches (#16) (972a328), closes #16
  • Fix typo in circle-ci test-docker job (5618c30)
  • Run docker image in test (12b5f13)

0.0.11 (2017-11-06)

Move gatekeeper to $PATH in docker image

Unclassified#

  • Move gatekeeper to $PATH in docker image (81e5562)
  • Force docker version 17.10 in circle (3927a78)

0.0.10 (2017-11-06)

Add ssl certificates to scratch image

Unclassified#

  • Add ssl certificates to scratch image (56a3243)
  • Build static binary within docker (4d6d8bf)

0.0.9 (2017-11-06)

Build binary statically with CGO disabled

Unclassified#

  • Build binary statically with CGO disabled (6dd3761)

0.0.8 (2017-11-06)

Make oathkeeper binary executable#

Unclassified#

  • Make oathkeeper binary executable# (9e24888)

0.0.7 (2017-11-06)

Build oathkeeper docker image statically (#14)

  • Build oathkeeper docker image statically

Unclassified#

  • Build oathkeeper docker image statically (#14) (dbd2037), closes #14:

    • Build oathkeeper docker image statically

0.0.6 (2017-11-03)

Added serve all command

Unclassified#

0.0.5 (2017-11-01)

Remove goveralls from circle build

Unclassified#

  • Remove goveralls from circle build (8362e1c)
  • Add cors handling to proxy (84cec15)
  • Use circle ci build status badge (b776e05)
  • Use circle ci build status badge (65c4100)
  • Switch from glide to golang/dep for vendoring (ec63fa4)
  • Resolve tests by replacing nil slice (#7) (971d020), closes #7

0.0.4 (2017-10-21)

Return arrays instead of null on rule creation (#6)

Unclassified#

  • Return arrays instead of null on rule creation (#6) (02e88be), closes #6
  • Add circleci configuration file (#5) (76e58f2), closes #5

0.0.3 (2017-10-18)

Force linefeed for shell scripts

Unclassified#

  • Force linefeed for shell scripts (1e4fc77)
  • When introspection fails return unauthorized (f5295b4)

0.0.2 (2017-10-12)

cmd: remove unnecessary scope hydra.warden.*

Unclassified#

  • Add ability to skip acp checks (18facbb)
  • Remove unnecessary scope hydra.warden.* (2214498)

0.0.1 (2017-10-10)

travis: add goveralls report submission (#2)

Documentation#

Unclassified#




Unreleased (2021-06-22)

Bug Fixes#

Features#

  • Ability to Configure Remote Authorizers to set Headers in AuthenticationSession (#717) (b3d117b):

    The remote authorizers may have useful context from the user's permissions. So with this change, custom authorizers using remote and remote_json can return some useful headers to be forwarded into the AuthenticationSession, meaning that these headers will be passed to upstream services.

    For example, a user containing scopes/branches inside an organization profile has some level of data addressed to him. In this case, the upstream service needs to know that, and "filter" the data according to his "branch_id". The permission that is given to the user (and that the remote authorizer manages) has a record of the "branch_id", so the responses will be returned with status code 200 (if granted) and contain a header like X-Branch-Id.

    The upstream service receives the X-Branch-Id and does its thing.

    The configuration requires a list of "allowed headers" returned from the remote authorizer, which will be accepted in the pipeline.

  • Add request header in match context (#719) (22b0dbe), closes #512

  • Improved JWT Authorizer JWKs fetching (#726) (5613f65), closes #203

0.38.11-beta.1 (2021-05-13)

This release primarily addresses issues in the SDK build pipeline.

Bug Fixes#

Code Generation#

  • Pin v0.38.11-beta.1 release commit (413393f)

Reverts#

  • Init introspect http client once (#714) (#722) (c58cbd9):

    This reverts commit e203ad14ac0e78909e7d42aa214c47a708a7c136.

0.38.10-beta.2 (2021-05-05)

This release improves the health status manager, cache management, improves JSON Web Token debuggability, and resolves other issues.

Bug Fixes#

  • Register makefile tasks (2832a77)
  • Resolve makefile issues (9df3b2a)
  • Set cost 1 when caching tokens with configurable max cost (#680) (8db0e9d)
  • Update shebangs to use bash from /usr/bin/env instead of /bin/ for better portability (#694) (e522062)

Code Generation#

  • Pin v0.38.10-beta.2 release commit (4b3403b)

Code Refactoring#

Documentation#

  • Add dotnet sdk (#683) (05ae925):

    • docs: add dotnet sdk

    • docs: add dotnet sdk versioned

  • Change forum to discussions readme (#690) (d942c04)

  • Consistent authz headers (#699) (19948e1):

    Removes the "Authorizer" prefix from a few of the authorizers to make them all consistent.

  • Fix typo (#696) (eda83f1)

  • Point to deny authz (#701) (4f01963), closes #700

Features#

  • Add health event manager and rules readiness probe (#674) (01d8588)

  • Add http method into session.MatchContext (#676) (e15a7a5), closes #625

  • Add support for requesting an audience to the OAuth2 Introspection pr… (#678) (2405810), closes #677

  • Additional JWT auth debug information (#681) (d08ab50), closes #668:

    JWT Claims added to error details field.

  • Adds audience into Extra at oAuth2 introspection (#480) (c9faecc)

  • Global docs sidebar and added cloud pages (#705) (f67241f)

0.38.9-beta.1 (2021-03-17)

This release adds support for X-Forwarded-Proto, passes tracing contexts to downstream requests, bumps Go to 1.16, and resolves issues preventing the log level from being set to trace level. Additionally included are improvements to the overall tracing set up, a cookie authenticator bugfix, and a bugfix for glob pattern matching.

Code Generation#

  • Pin v0.38.9-beta.1 release commit (9ad41f0)

0.38.9-beta.1.pre.3 (2021-03-16)

autogen: pin v0.38.9-beta.1.pre.3 release commit

Bug Fixes#

  • Make glob patterns match only one path segment. (#664) (c711aac), closes #630:

    This makes / also a separator as well as the presumably default value of '.'. This allows using <*> for matching only one path segment.

Code Generation#

  • Pin v0.38.9-beta.1.pre.3 release commit (7725554)

0.38.9-beta.1.pre.2 (2021-03-15)

autogen: pin v0.38.9-beta.1.pre.2 release commit

Code Generation#

  • Pin v0.38.9-beta.1.pre.2 release commit (9695b77)

0.38.9-beta.1.pre.1 (2021-03-15)

autogen: pin v0.38.9-beta.1.pre.1 release commit

Bug Fixes#

  • Resolve goreleaser issues and bump golang (7291df9)

Code Generation#

  • Pin v0.38.9-beta.1.pre.1 release commit (7afdc40)

Unclassified#

  • Add missing documentation for oauth2_introspection (#648) (34cf38c), closes #549

0.38.8-beta.1 (2021-02-25)

Improves tracing set up and addresses a bug in the cookie authenticator.

Bug Fixes#

  • Ignore cookie auth when no cookies set (c84d880)

Code Generation#

  • Pin v0.38.8-beta.1 release commit (2943e9a)

Unclassified#

  • Formatting (546691b)
  • Add tracing to outbound oauth introspection requests (daf44cb)

0.38.7-beta.1 (2021-02-22)

This release adds support for X-Forwarded-Proto, passes context for tracing to downstream requests, bumps Go to 1.16 and resolves issues preventing the log level from being set to trace level.

Bug Fixes#

  • Accept lower and uppercase in bearer token handler (6e46d4a)

  • Add support for X-Forwarded-Proto header (#638) (6eb83fd), closes #153

  • Pass context through to external requests (#627) (ee25197):

    Enables proper tracing through Jaeger etc

  • Update goreleaser config (9689f45)

  • Update log schema (78e654d)

Code Generation#

  • Pin v0.38.7-beta.1 release commit (3b37928)

Features#

0.38.6-beta.1 (2021-01-27)

We are happy to announce Dart and Rust SDKs for Ory Oathkeeper! Additionally, a new bearer_token authenticator has been added.

Code Generation#

  • Pin v0.38.6-beta.1 release commit (a0c4d7f)

Documentation#

  • Add Rust and Dart SDKs (1524fed):

    We now support Rust and Dart SDKs!

  • Fix js npm links (#634) (c339fee)

  • Rename index documents (7de0ac3)

Features#

  • Add bearer_token authenticator (#613) (b623ae7):

    Adds a new authenticator to work with Kratos' new API token. Works the same as the cookie_session authenticator but checks for a bearer token in the Authorization header (unless overwritten by token_from)

0.38.5-beta.1 (2020-12-10)

The ORY Community is proud to present you the next iteration of ORY Oathkeeper. In this release, we focused on improving production stability and resolved several pesky bugs!

Bug Fixes#

  • Check content-length header in lowercase (#530) (a68fc8a):

    Issue #422 didn't fix the problem with the requests' Content-Length being copied in the responses because the check was case-sensitive and unit tests didn't cover it.

  • Never construct id token claim templates in parallel (#552) (4f504d9), closes #551

  • Remove token_type validation from introspection handler (#556) (b18d90a), closes #553

  • Support windows file paths (#557) (6a05682), closes #514 #332

  • Update dd-trace to fix build (2e571fa)

Code Generation#

  • Pin v0.38.5-beta.1 release commit (f4a04da)

Documentation#

Features#

  • Forward original authorization header when using remote (json) authorizer (#554) (f4f781e), closes #528
  • Use google/go-cloud to fetch rules and credentials from object storage (#562) (666b951), closes #518

Unclassified#

0.38.4-beta.1 (2020-09-28)

This release stabilizes several features and resolves a couple of bugs.

Bug Fixes#

  • Add tests in error_redirect_test.go (#522) (24bdd9b):

    Increased test coverage to cover all three valid scenarios: http absolute, https absolute, relative. Explicitly checked the Location path to ensure that the correct URI scheme was returned.

  • Deprecated key in goreleaser config (2a4f901)

  • Ignore x/net false positives (bc8a32c)

  • Misleading HTTP status code for oauth2_client_credentials authenticator (#504) (0f65631), closes #496

Code Generation#

  • Pin v0.38.4-beta.1 release commit (1c997b2)

Documentation#

  • Fix broken links (dd3bfbe)

  • Fix OAuth2 Introspect Authn Config Documentation (#498) (7612e20):

    Switch the definitions for the pre-authorisation fields 'scope' and 'token endpoint' in the documentation.

  • Fix sidebar (28247fc)

  • Guide for integrating with ORY Hydra (#497) (e1b1751)

  • Move development section (582a4d0)

  • Move to json sidebar (b67230d)

  • Remove duplicate template (01550b4)

  • Update repository templates (2aaf766)

  • Update repository templates (#506) (cb53d79)

Features#

  • Add and automate version schema (7ab4012)

  • Add url_param config option to redirect error handler. (#520) (b5bb3bc), closes #511:

    This change introduces a url_param config option for the redirect error handler. If it contains a URL parameter name, the redirect URL will have this parameter set, containing the current URL (from which Oathkeeper has redirected the user).

    This can be useful in passing the return_to URL to Kratos, so the user can be redirected to the page they initially wanted to access after a successful sign in.

  • Log invalid credentials on info level instead of error/warning (#517) (a372b5f), closes #505

  • Use uri-reference for errors redirect to allow relative urls (#516) (0d39674)

Unclassified#

0.38.3-beta.1 (2020-07-29)

This release addresses several configuration bugs and resolves a potential panic.

Bug Fixes#

Code Generation#

  • Pin v0.38.3-beta.1 release commit (1f754a9)

Documentation#

  • Delete old redirect homepage (a1a4610)
  • Fix access rule example (739f179)
  • Fix api access rule example (#460) (c75cd97)
  • Update repository templates (edffc2e)
  • Update repository templates (7af8749)
  • Use central banner repo for README (04fe00c)
  • Use mdx for api reference (368f073)

Features#

  • Improve configurability of prometheus metrics (#450) (ddcb226), closes #446
  • Pass query parameters to the hydrators (#479) (48603a1)

0.38.2-beta.1 (2020-05-25)

This patch makes timeouts configurable for oauth2_client_credentials and the reverse proxy and additionally allows prometheus to be configured.

Bug Fixes#

  • Move prometheus validation stanza to local schema (#437) (dcf3e14), closes #438

Chores#

  • Pin v0.38.2-beta.1 release commit (0de2682)

Documentation#

Features#

  • Add configurable timeouts to API server (#440) (0dc6292)
  • Timeout config for oauth2_client_credentials (#443) (2462fa3), closes #442

0.38.1-beta.1 (2020-05-08)

Caching in the hydrator mutator has been improved. Please use cache.enable=true if you intend using the hydrator.

Bug Fixes#

  • Improve caching strategy and config for hydrator (#433) (0047054):

    To enable the hydrator cache you must now use the cache.enabled property. Also, the cache key strategy has been improved.

Chores#

  • Pin v0.38.1-beta.1 release commit (20f439d)

0.38.0-beta.2 (2020-05-07)

This release introduces Prometheus support, a new remote authorizer, caching, and several bugfixes!

No backwards incompatible changes have been introduced.

Bug Fixes#

  • Add old schemas to resolve issues with old versions (b94c391), closes #400

  • Don't copy the decision endpoint request's Content-Length (#422) (0e99045):

    We currently copy all original request headers sent to the decision endpoint back. This can include the Content-Length header which describes the request body or response. Including the original request Content-Length causes issues for the decision endpoint client if the response body doesn't match the exact size.

    This change makes sure the Content-Length doesn't get included in the response body and adds a test to prevent future regressions.

  • Respect retry in token introspection (#410) (88f7b69)

  • Update install.sh script (#429) (2d2eded)

  • Use pipe to pass body remote authorizer (#426) (1a44087):

    Resolves flaky tests.

  • Use semver-regex replacer func (a13cdf5)

Chores#

  • Pin v0.38.0-beta.2 release commit (73d36cd)

Code Refactoring#

Documentation#

Features#

  • Add cache to hydrator (#418) (1ae6e7a), closes #417:

    This patch introduces new configuration parameters that allow the hydrator mutator to cache requests.

  • Add new remote authorizer that uses request body and headers (#416) (3a20637):

    This pull request implements a new authorizer that sends the original request body as body to the remote endpoint. This allows the remote endpoint to take the body into account in its decision.

    The current remote_json authorizer does not have the ability to send the request body of the request to authorize. This means this cannot be taken into account while checking permissions.

    Providing the request body as part of the JSON payload won't always work as JSON cannot handle binary data.

  • Add prometheus docs (#427) (117ee6a)

  • Add prometheus endpoint providing basic request metrics (#404) (fdaed46):

    This patch adds basic prometheus metrics. The prometheus metrics are exposed at the default prometheus exporter port 9000 and is configurable with:


        serve:
          prometheus:
            port: 9000
            host: localhost
            metrics_path: /metrics

  • Oauth2_introspect cache introspection results (#424) (d4557ae), closes #293

0.37.1-beta.1 (2020-04-03)

chore: replace segment with ory fork (#391)

Chores#

Documentation#

  • Regenerate and update changelog (4e251e9)

0.37.0-beta.1 (2020-04-02)

docs: document v0.36 and v0.37

Breaking Changes#

This feature allows the regex capture groups from the URL matcher to be used in several places, including the ID Token generator and elsewhere. To get this working, existing keto_engine_acp_ory authorizers are no longer able to use regex substitution in the form of my:action:$1 but instead must use the new format which is {{ printIndex .MatchContext.RegexpCaptureGroups 0}} (notice that the index changed by -1). A rule migrator exists which makes old rules compatible with the new format, if a version string is given. More details on the rule migration can be found here: https://github.com/ory/oathkeeper/pull/358/commits/fd16ceb230a1b14ebb01a147d2d70acce77f9fbd#diff-6177fb19f1b7d7bc392f5062b838df15

Bug Fixes#

  • Add rule id to malformed configuration log error (#386) (7688a8d)

  • Disable test that fails with low cache hit rate (#372) (5414dda), closes #371

  • Improve id_token performance with caching (#367) (47e9fee), closes #364

  • Load config file only in serve command (#365) (68c8546)

  • Replace segment with our own sqa endpoint (#385) (8f63eda)

  • Send OAuth2 introspection scope only when strategy is none (#379) (5e0c8dc), closes #377:

    This patch removes the scope key from the OAuth2 Introspection request body when a scope strategy other than none is set for the OAuth2 Introspection handler. If the scope strategy is none, the scope key is included in the body.

  • Token expiration error in tests (#390) (9c07a73)

  • docker: Improve docker-compose example (#325) (1247381), closes #324:

    Add a new file 'Dockerfile-dc' which will primarily be used by Docker Compose to build docker images. Unlike the existing Dockerfile which depends on the Makefile to build the binary, this Dockerfile copies the source code and builds the binary.

    Oathkeeper has gone through a couple of changes since the initial draft of the docker compose file, considering these changes and the newly introduced Dockerfile in the previous commit, make these changes to the docker-compose.yml:

    1. Bump the version of the compose file to 3.
    2. Remove the need for the postgres database app, since Oathkeeper no longer needs a database.
    3. Remove the need for the migration app, since we no longer need to migrate since there is no database and the option is deprecated.
    4. Use the newly defined Dockerfile 'Dockerfile-dc'.
    5. We now serve both API and PROXY from the same app, so we don't need two instances of the app.
    6. Add sample config, rules and JWK files to .docker_compose, mount this via a volume mount.

Documentation#

  • Change link to Developer Install Guide (#369) (f7fe46f):

    Changing the link to the Developer Documentation - it was pointing to Keto and not to Oathkeeper.

  • Document v0.36 and v0.37 (a176c73)

  • Fix examples for some JSON Schema config keys (#363) (aeeb353)

  • Regenerate and update changelog (9417e2c)

  • Regenerate and update changelog (b817037)

  • Regenerate and update changelog (33a5524)

  • Regenerate and update changelog (888b7a6)

  • Regenerate and update changelog (36faa3b)

  • Regenerate and update changelog (32b6059)

  • Regenerate and update changelog (ba4de09)

  • Regenerate and update changelog (a76f749)

  • Regenerate and update changelog (1789d00)

  • Regenerate and update changelog (0dfc608)

  • Regenerate and update changelog (b23c79a)

  • Regenerate and update changelog (2117171)

  • Regenerate and update changelog (38c9e19)

  • Regenerate and update changelog (e3eda75)

  • Regenerate and update changelog (e7d70f7)

  • Regenerate and update changelog (874b7a9)

  • Regenerate and update changelog (6b1d94b)

  • Regenerate and update changelog (cb38415)

  • Regenerate and update changelog (bec6af0)

  • Update forum and chat links (d9eed10)

  • Update README.md (#375) (313d2fe), closes #374:

    Fixed link to Envoy configuration page and added link to AWS API Gateway.

  • Updates issue and pull request templates (#382) (484c406)

Features#

0.36.0-beta.4 (2020-02-14)

docs: Regenerate and update changelog

Bug Fixes#

  • goreleaser: Update brew section (46fb3da)

Documentation#

  • Regenerate and update changelog (95a7c09)

0.36.0-beta.1 (2020-02-05)

docs: Regenerate and update changelog

Documentation#

  • Prepare ecosystem automation (81ea56b)
  • Regenerate and update changelog (b71e48c)
  • Regenerate and update changelog (4f22e42)
  • Regenerate and update changelog (23e053f)
  • Updates issue and pull request templates (#355) (f9251ed)

Features#

  • ci: Add nancy vuln scanner (#354) (de36e40)

  • rule: Add glob matching strategy (#334) (5f983ab), closes #321:

    This patch adds the ability to choose a matching strategy and adds a glob-based matching strategy to the available options (regex is still the default).

Unclassified#

  • Update CHANGELOG [ci skip] (8278b9d)
  • Update CHANGELOG [ci skip] (17f78b7)
  • Update CHANGELOG [ci skip] (d6f6925)
  • Update CHANGELOG [ci skip] (0e109ce)

0.35.5-beta.2 (2020-01-31)

Update README.md

Unclassified#

0.35.5-beta.1 (2020-01-27)

Hash enabled check to further improve performance (#353)

Unclassified#

  • Hash enabled check to further improve performance (#353) (19099cb), closes #353
  • Update CHANGELOG [ci skip] (6afdeae)
  • Update CHANGELOG [ci skip] (3226ae6)

0.35.4-beta.1 (2020-01-26)

Update release pipeline and tests (#351)

Unclassified#

  • Update release pipeline and tests (#351) (c7d81a9), closes #351

0.35.3-beta.1 (2020-01-26)

Update CHANGELOG [ci skip]

Documentation#

  • Updates issue and pull request templates (#341) (eca2652)

Unclassified#

  • Update CHANGELOG [ci skip] (518b765)
  • Update SDK (5e619a0)
  • Cache pipeline config and improve request latency (#348) (95673ed), closes #346
  • Update CHANGELOG [ci skip] (495adcf)
  • Use integer instead of number in config JSON schema (280b42f)
  • Update CHANGELOG [ci skip] (b72965f)
  • Update SDK (aedabd9)
  • Set min/max for port range in config JSON Schema (#345) (d7d696f), closes #345
  • Update CHANGELOG [ci skip] (8e4d58c)
  • Fix profiling env variable not being picked up (#343) (29b0cf1), closes #343
  • Update CHANGELOG [ci skip] (e7a5d89)
  • Update CHANGELOG [ci skip] (abc00d4)
  • Update SDK (a237c29)
  • Update broken links in README (78e498c)

0.35.1-beta.1 (2020-01-14)

Update CHANGELOG [ci skip]

Unclassified#

  • Update CHANGELOG [ci skip] (63b0076)

0.35.0-beta.1 (2020-01-13)

Update CHANGELOG [ci skip]

Documentation#

  • Incorporates changes from version v0.34.0-beta.1 [ci skip] (a8a62b4)
  • Incorporates changes from version v0.34.0-beta.1-2-g7516eed [ci skip] (eb82132)
  • Incorporates changes from version v0.34.0-beta.1-4-gee2b9e7 [ci skip] (d084c39)
  • Incorporates changes from version v0.34.0-beta.1-6-g6723fb8 [ci skip] (ebe89ab)

Unclassified#

  • Update CHANGELOG [ci skip] (f0e8ecf)

  • Update SDK (6a0a0f8)

  • Update upgrade guide (#337) (99e9877), closes #337

  • Update CHANGELOG [ci skip] (2e13a05)

  • Remove superfluous version from workflows (55037fa)

  • Update CHANGELOG [ci skip] (dfbc231)

  • Update SDK (65222d5)

  • Move to new SDK pipeline (#333) (6940dc8), closes #333

  • authn/cookie_session: Add subject_from modifier (#336) (6723fb8), closes #336:

    The subject_from modifier is a GJSON path that points to the subject field. Useful if the upstream API does not return a {"subject": "..."} format.

  • authn/cookie_session: Add extra_from modifier (#335) (ee2b9e7), closes #335:

    The extra_from modifier is a GJSON path that points to the extra field. Useful if the upstream API does not return a {"subject": "...", "extra": "..."} format.

  • pipeline/authn: Add tests for cookie sources in jwt and oauth2_intro (#330) (#331) (7516eed), closes #330 #331 #330:

    Also updates the schemas to add missing cookie config element.

0.34.0-beta.1 (2019-12-26)

Prepare v0.34.0-beta.1+oryOS.14 release

Documentation#

  • Incorporates changes from version v0.33.1-beta.1 [ci skip] (6681754)
  • Incorporates changes from version v0.33.1-beta.1-2-g4033321 [ci skip] (2764758)
  • Incorporates changes from version v0.33.1-beta.1-4-g7e6f636 [ci skip] (66ae8c8)

Unclassified#

  • Prepare v0.34.0-beta.1+oryOS.14 release (96f77b2)

  • pipe/err: Improve IP and MIME matching (#323) (7e6f636), closes #323:

    Previously, MIME matching respected the request's wildcards, which led to multiple handlers feeling responsible for a particular request. Now, wildcards coming from the HTTP Request itself are interpreted literally.

    Additionally, ORY Oathkeeper respected the X-Forwarded-For HTTP Header for matching remote IP addresses. This behavior is now turned off by default because clients were able to fake this header otherwise. It can explicitly be turned on by setting config.when.#.request.remote_ip.RespectForwardedForHeader: true.

  • Add customizable error handlers (#322) (4033321), closes #322 #204 #252 #119:

    This patch adds a new feature called error handlers. It allows defining the error handling logic globally and per rule. It is now possible, for example, to return a JSON response for Accept: application/json requests and an HTTP Redirect response for requests that are coming from a user.

    This also resolves several issues, as noted below:
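The X-Forwarded-For change in pipe/err (#323) above is illustrated by this added Go example, which is not Oathkeeper's code: the same remote_ip range check is evaluated with the header respected and with it ignored. The function names, the first-entry policy for the header, and the constructed request are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// remoteIP picks the address that remote_ip conditions are matched against.
// respectForwardedFor plays the role of RespectForwardedForHeader from the
// changelog; the function and its first-entry policy are assumptions.
func remoteIP(r *http.Request, respectForwardedFor bool) string {
	if respectForwardedFor {
		if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
			// A request header: its value is chosen by whoever sent the
			// request unless a trusted proxy in front overwrites it.
			return strings.TrimSpace(strings.Split(xff, ",")[0])
		}
	}
	// The TCP peer address is set by the server, not by the client.
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// inAnyCIDR reports whether ip parses and falls inside one of the ranges.
// Unparseable input never matches, so a garbage header value fails closed.
func inAnyCIDR(ip string, cidrs []string) bool {
	parsed := net.ParseIP(ip)
	if parsed == nil {
		return false
	}
	for _, c := range cidrs {
		_, network, err := net.ParseCIDR(c)
		if err != nil {
			continue
		}
		if network.Contains(parsed) {
			return true
		}
	}
	return false
}

// handlerApplies is the remote_ip condition of a hypothetical error handler.
func handlerApplies(r *http.Request, cidrs []string, respectForwardedFor bool) bool {
	return inAnyCIDR(remoteIP(r, respectForwardedFor), cidrs)
}

// constructedRequest builds sample input: a peer on a public documentation
// address that claims an internal address in X-Forwarded-For.
func constructedRequest() *http.Request {
	r := httptest.NewRequest(http.MethodGet, "http://gateway.example/admin", nil)
	r.RemoteAddr = "203.0.113.7:51234"
	r.Header.Set("X-Forwarded-For", "10.0.0.5")
	return r
}

func main() {
	internalOnly := []string{"10.0.0.0/8"}
	r := constructedRequest()
	fmt.Println("header respected:", handlerApplies(r, internalOnly, true))
	fmt.Println("header ignored:  ", handlerApplies(r, internalOnly, false))
}
```

If the option is turned on, the header is only meaningful when every request reaches the gateway through a proxy that overwrites it.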

0.33.1-beta.1 (2019-12-18)

docs: Incorporates changes from version v0.33.0-beta.1-12-g0dd3fe3 [ci skip]

Documentation#

  • Incorporates changes from version v0.33.0-beta.1 [ci skip] (a178031)
  • Incorporates changes from version v0.33.0-beta.1-10-g3e7936a [ci skip] (083b7eb)
  • Incorporates changes from version v0.33.0-beta.1-12-g0dd3fe3 [ci skip] (82c5253)
  • Incorporates changes from version v0.33.0-beta.1-6-gf60f525 [ci skip] (9870722)
  • Incorporates changes from version v0.33.0-beta.1-8-g815951b [ci skip] (d77b225)

Unclassified#

  • Add health check commands (#319) (0dd3fe3)

  • Properly merge env vars into pipeline configs (#320) (3e7936a), closes #320 #305 #317:

    Previously, some keys did not respect the values set in the environment variables.

  • Add alpine-based Docker image (#318) (815951b), closes #318 #312

  • Add more details to decision logging (#316) (f60f525), closes #316 #244 #242:

    Adds details such as the HTTP Method, User Agent, Subject, and other information to the logging output of both the reverse proxy and the decision API.

  • Health endpoints now emit TRACE logs (#314) (9036f8e), closes #283:

    Remove health endpoints from the logs to make monitoring easier. Setting log_level to trace will show these calls.

  • Improve session endpoint debuggability (#315) (2718639), closes #300

  • Resolve matcher cache (#313) (1519632), closes #291:

    A bug caused the rule matcher to not cache the regular expression result.

  • Use bearer splitting when header is set to Authorization (#311) (464fa31), closes #308

0.33.0-beta.1 (2019-12-16)

pipeline/mutator: Refactor hydrator retry config (#287)

Documentation#

  • Incorporates changes from version v0.32.1-beta.1 [ci skip] (98c9bf8)
  • Incorporates changes from version v0.32.1-beta.1-5-gf028719 [ci skip] (9f9c00c)

Unclassified#

  • pipeline/mutator: Refactor hydrator retry config (#287) (2a97e05), closes #287
  • Update README banner (#307) (f028719), closes #307
  • Add cookie as an option for oauth2_introspection authenticator (#301) (e3fa55a), closes #301
  • Add preserve_path option for cookie session to not override the path in the request (#297) (7e86b78), closes #297
  • Allow specifying additional headers for the oauth introspection request (#302) (b1e5cea), closes #302

0.32.1-beta.1 (2019-10-30)

docs: Incorporates changes from version v0.32.0-beta.1-13-g1910bbe [ci skip]

Documentation#

  • Add notes for 0.32.0 (40e3b89)
  • Incorporates changes from version v0.32.0-beta.1 [ci skip] (f3a0e53)
  • Incorporates changes from version v0.32.0-beta.1-11-g7892d2f [ci skip] (c41ecd4)
  • Incorporates changes from version v0.32.0-beta.1-13-g1910bbe [ci skip] (d45e1a0)
  • Incorporates changes from version v0.32.0-beta.1-3-g8cf6868 [ci skip] (2c8fbf7)
  • Incorporates changes from version v0.32.0-beta.1-9-g08d42da [ci skip] (6ce3344)

Unclassified#

  • pipeline/authz: Add Content-Type header in the call to Keto (#290) (1910bbe), closes #290

  • Revert incorrect license changes (7892d2f)

  • Revert readme changes to last working version (08d42da)

  • Remove obsolete section from README (aa8deef)

  • Fix broken readme headlines (2e8109a)

  • Auto-kill test runner after 10 retries (#286) (eaad598), closes #286

  • Update ory/x/viperx dependency (#285) (0ef3bce), closes #276 #270 #279 #280:

    This patch automatically binds environment variables to configuration keys. This patch resolves several issues:

  • Dereference config schema and resolve issues (#282) (8cf6868), closes #282 ory/docs#217 #234 #281

0.32.0-beta.1 (2019-10-20)

docs: Incorporates changes from version v0.31.0-beta.1 [ci skip]

Documentation#

  • Incorporates changes from version v0.31.0-beta.1 [ci skip] (dafc870)

0.31.0-beta.1 (2019-10-20)

docs: Incorporates changes from version v0.30.0-beta.1 [ci skip]

Documentation#

  • Incorporates changes from version v0.19.1-beta.1-2-g41869a9 [ci skip] (a44846b)
  • Incorporates changes from version v0.20.0-beta.1 [ci skip] (aaf801b)
  • Incorporates changes from version v0.30.0-beta.1 [ci skip] (ebd198a)

Unclassified#

  • pipeline/authn: Add token_from config to introspection and jwt (#271) (fc85ac8), closes #271 #257:

    Add additional optional configuration to jwt and oauth2_introspection authenticators that sets where (which header or query parameter) the token should be received from. The configuration is a token_from field in per-rule-configuration, as described in a linked issue.

  • Add migration capabilities (#268) (bc74e72), closes #266:

    Adds the ability to modify rules with backwards compatibility.

  • Force auth style in oauth2 client credentials authn (#267) (97d7890), closes #260

  • Update UPGRADE.md (4e4bd93)

  • Update upgrade instructions (7483d1c)

  • Change error code from 403 to 401 (#259) (c17e564), closes #256

0.19.0-beta.1 (2019-09-23)

Fix id_token schema reference URL

Unclassified#

  • Fix id_token schema reference URL (72a2333)
  • Resolve broken tests (#262) (bc67cc1), closes #262
  • Homogenize configuration management (#258) (89709aa), closes #258
  • Fix #250: Ignore query parameters to build payload for Keto engine (#251) (d0fc7f4), closes #250 #251

0.18.0-beta.1 (2019-08-22)

mutator/id_token: Add claim templating (#246)

Documentation#

  • Incorporates changes from version v0.17.4-beta.1 (370eb37)
  • Incorporates changes from version v0.17.5-beta.1 (f7beddc)
  • Updates issue and pull request templates (#237) (6181ee5)
  • Updates issue and pull request templates (#238) (6f83cda)
  • Updates issue and pull request templates (#239) (2e0b3ef)
  • Updates issue and pull request templates (#245) (f140837)

Unclassified#

  • mutator/id_token: Add claim templating (#246) (591f524), closes #246
  • Add mutator for modifying authenticationSession with external API (#240) (b38b0f4), closes #240
  • Support multiple mutators per access rule (#233) (d21179d), closes #233 #233
  • Add adopters placeholder (#236) (302c7b8)

0.17.4-beta.1 (2019-08-09)

Add sprig template library (#235)

Documentation#

  • Incorporates changes from version v0.17.3-beta.1 (b271ff2)
  • Updates issue and pull request templates (#232) (00c08ba)

Unclassified#

  • Add sprig template library (#235) (c85c540), closes #235

0.17.3-beta.1 (2019-08-03)

rule: Resolve k8s configmap reload issue (#231)

Documentation#

  • Incorporates changes from version v0.17.2-beta.1 (e652c3f)

Unclassified#

  • Resolve k8s configmap reload issue (#231) (c04547e)
  • Move back to scratch Docker image (3fa8a50)

0.17.2-beta.1 (2019-08-02)

rules: Support kubernetes configmap reloading (#230)

Documentation#

  • Incorporates changes from version v0.17.1-beta.1 (64d180f)
  • Updates issue and pull request templates (#226) (007d491)

Unclassified#

  • Support kubernetes configmap reloading (#230) (92b769b)

0.17.1-beta.1 (2019-07-23)

rule: Fix panic on send on closed channel (#225)

Closes #224

Documentation#

  • Incorporates changes from version v0.17.0-beta.1 (8f4a518)

Unclassified#

0.17.0-beta.1 (2019-07-18)

ci: Automate schema configuration sync

Continuous Integration#

  • Automate schema configuration sync (94bcc4f)

Documentation#

  • Incorporates changes from version v0.16.0-beta.5 (a8afc3b)
  • Update upgrade guide (a8ccb05)
  • Update upgrade guide (f727efe)

Unclassified#

  • Fix broken reload tests (d6059b7)

  • Remove useless function (3521a3d)

  • Validate configuration with JSON Schema (997427d)

  • Do not fatal when immutable value is changed (717d7f7)

  • Watch configuration and access rule changes (#217) (a078e89), closes #217:

    This patch allows oathkeeper to reload any changes made to the configuration file and/or the access rules without a restart.

    Some configuration keys like serve., log., profiling however require a restart.

  • Create FUNDING.yml (d7da8e2)

  • Add support for rules in YAML format (#213) (67face6), closes #213:

    This commit adds support for defining access rules in YAML format, in addition to existing JSON format.

0.16.0-beta.5 (2019-06-28)

authenticator: Add cookie session authenticator (#211)

Documentation#

  • Incorporates changes from version v0.16.0-beta.4 (1e03ee2)

Unclassified#

  • Add cookie session authenticator (#211) (f8a66b7)

  • Add description into the name of subtest (#212) (230c332), closes #212

  • Use non-root user in image (#209) (2215126)

  • Remove binary license (#208) (3460d65), closes #208

  • Update config.yaml (#204) (effe9c0), closes #204:

    There's no DSN in oathkeeper

0.16.0-beta.4 (2019-05-28)

server: Properly declare negroni middleware (#200)

Previously, negroni.With was mistakenly used to add middleware onto the stack. The proper method however is negroni.Use.

This patch fixes the use of negroni.With and resolves issues around logging and the decisions endpoint.

Closes #199

Documentation#

  • Incorporates changes from version v0.16.0-beta.3 (d777ecf)
  • Updates issue and pull request templates (#196) (74fa27b)
  • Updates issue and pull request templates (#197) (31d057c)
  • Updates issue and pull request templates (#198) (244810a)

Unclassified#

  • Properly declare negroni middleware (#200) (9d3dc54), closes #199:

    Previously, negroni.With was mistakenly used to add middleware onto the stack. The proper method however is negroni.Use.

    This patch fixes the use of negroni.With and resolves issues around logging and the decisions endpoint.

0.16.0-beta.3 (2019-05-19)

ci: Use golang for docs task

Continuous Integration#

Documentation#

  • Incorporates changes from version v0.15.2 (7ceabe9)
  • Rename config.yml -> config.yaml (4faecbe)
  • Updates issue and pull request templates (#189) (367a48d)

Unclassified#

0.15.2 (2019-05-04)

cmd/client: Use json rawmessage for arbitrary payloads (#184)

Closes #182

Signed-off-by: Stanislav Zapolsky stszap@gmail.com

Documentation#

  • Incorporates changes from version v0.15.1 (5c34958)

Unclassified#

  • cmd/client: Use json rawmessage for arbitrary payloads (#184) (a55e4d1), closes #184 #182

0.15.1 (2019-04-29)

vendor: Add go.sum (#180)

Signed-off-by: aeneasr aeneas@ory.sh

Unclassified#

0.15.0 (2019-04-29)

docker: Remove full tag from build pipeline (#179)

Signed-off-by: aeneasr aeneas@ory.sh

Documentation#

  • Incorporates changes from version v0.0.0-testrelease.3 (44649b6)
  • Incorporates changes from version v0.14.2+oryOS.10 (2d9899a)
  • Update patrons (f423666)
  • Update README building-from-source part with the gomodule way (#152) (9d653f5), closes #149

Unclassified#

  • Remove full tag from build pipeline (#179) (e2edbf8)

  • Remove sdk dependencies to keto/hydra (#173) (b538e3c):

    This patch replaces code-generated SDKs with raw http.Client calls, which reduces dependencies and makes future changes to the keto/hydra SDK easier to adapt to.

  • Update CHANGELOG.md (cbccbe2)

  • Ensure rule matcher is locked before updating (#159) (6fb7151):

    Lock CachedMatcher before rules are updated when HTTPMatcher refreshes to avoid concurrent map iteration and map write errors.

  • Improve debuggability of JWT authenticator (#156) (8441bd5)

  • Move to go-swagger SDK code generation (#170) (38c52a3), closes #165

  • Remove vendored dependencies after sdk generation (7c33ca8)

  • Set request headers for credential issuers (#169) (4fc579c), closes #120 #133

  • Update Dockerfile build instructions (ec40cc4)

  • Upgrade dependencies (#163) (f9fdefb)

  • Use scp,scope,scopes in jwt authenticator (#162) (eebc2f4), closes #138:

    Previously, the JWT authenticator only used the "scope" claim to retrieve scope values from a JWT. Now, "scp", "scope", "scopes" are supported as string arrays and strings separated by spaces.
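The claim shapes listed in the scp/scope/scopes entry (#162) above can be normalised as in this added Go example, which is not the project's implementation. The lookup order of the three claim names, exact-match scope comparison, and the constructed payloads are assumptions, and the payloads stand for claims of a token whose signature has already been verified.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// scopeClaimKeys lists the claim names from the changelog entry. Checking
// them in this order is an assumption of this example.
var scopeClaimKeys = []string{"scp", "scope", "scopes"}

// scopesFromClaims returns the scopes of the first scope claim present.
// A string is split on whitespace; a JSON array keeps its string items.
// Any other shape yields no scopes, so a malformed claim fails closed.
func scopesFromClaims(claims map[string]interface{}) []string {
	for _, key := range scopeClaimKeys {
		raw, ok := claims[key]
		if !ok {
			continue
		}
		switch v := raw.(type) {
		case string:
			return strings.Fields(v)
		case []interface{}:
			out := make([]string, 0, len(v))
			for _, item := range v {
				if s, ok := item.(string); ok && s != "" {
					out = append(out, s)
				}
			}
			return out
		default:
			return nil
		}
	}
	return nil
}

// grantsAll decodes a verified token payload and reports whether every
// required scope is present (exact string match).
func grantsAll(payload []byte, required ...string) (bool, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return false, err
	}
	granted := make(map[string]bool)
	for _, s := range scopesFromClaims(claims) {
		granted[s] = true
	}
	for _, r := range required {
		if !granted[r] {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	// Constructed payloads covering the shapes named in the changelog entry.
	payloads := []string{
		`{"sub":"alice","scope":"articles.read articles.write"}`,
		`{"sub":"alice","scp":["articles.read","articles.write"]}`,
		`{"sub":"alice","scopes":"articles.read"}`,
		`{"sub":"alice","scope":7}`,
	}
	for _, p := range payloads {
		ok, err := grantsAll([]byte(p), "articles.read", "articles.write")
		fmt.Printf("%-60s granted=%v err=%v\n", p, ok, err)
	}
}
```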

0.14.2+oryOS.10 (2018-12-13)

ci: Fix docker push arguments in publish task

Signed-off-by: aeneasr aeneas@ory.sh

Continuous Integration#

  • Fix docker push arguments in publish task (62415a1)

0.14.1+oryOS.10 (2018-12-13)

ci: Fix docker release task

Signed-off-by: aeneasr aeneas@ory.sh

Continuous Integration#

0.14.0+oryOS.10 (2018-12-13)

ci: Fix circle misconfiguration

Signed-off-by: aeneasr aeneas@ory.sh

Continuous Integration#

  • Fix circle misconfiguration (a00ce64)

Documentation#

  • Adds gh templates & code of conduct (#78) (02361aa)
  • Adds link to examples repository (#79) (bfe96e9)
  • Align changelog, upgrade with new versions (#143) (751dfa3)
  • Clarify beyondcorp (3647958)
  • Clarify breaking change policy (6e6bb7e)
  • Fix broken link (#87) (828b33e)
  • Fix proxy help command description (#142) (c836cb0)
  • Fix typo in README. (#118) (3d33fcc)
  • Grammatical fix in stability sentence (#86) (ff0604d)
  • Improve some docs and update SDK (#135) (9a6901d)
  • Incorporates changes from version v0.11.12-1-gace7f34 (3a6450c)
  • Incorporates changes from version v0.11.12-10-g57ac174 (c594b7e)
  • Incorporates changes from version v0.11.12-13-gd00dfed (7c221fa)
  • Incorporates changes from version v0.11.12-15-g6604045 (2a594f4)
  • Incorporates changes from version v0.11.12-3-g7acfbca (ac34a58)
  • Incorporates changes from version v0.11.12-6-g181e9ac (01dda53)
  • Incorporates changes from version v1.0.0-beta.1 (788e96b)
  • Incorporates changes from version v1.0.0-beta.2-1-gd6eb440 (579f7a7)
  • Incorporates changes from version v1.0.0-beta.2-10-gef6e889 (38cfb31)
  • Incorporates changes from version v1.0.0-beta.2-12-g9b6c0df (82ac9b2)
  • Incorporates changes from version v1.0.0-beta.2-6-ged2f983 (d9737c8)
  • Incorporates changes from version v1.0.0-beta.2-8-g5495d4a (546828d)
  • Incorporates changes from version v1.0.0-beta.3-3-g3c0c862 (e1127a8)
  • Incorporates changes from version v1.0.0-beta.4-1-g643dbea (5c40f97)
  • Incorporates changes from version v1.0.0-beta.4-12-gbfe96e9 (756178a)
  • Incorporates changes from version v1.0.0-beta.4-17-gfa5388c (3d5df8b)
  • Incorporates changes from version v1.0.0-beta.4-19-g6d647d7 (b5539f4)
  • Incorporates changes from version v1.0.0-beta.4-3-g951da25 (8931b39)
  • Incorporates changes from version v1.0.0-beta.4-5-g83b591d (4f2c64b)
  • Incorporates changes from version v1.0.0-beta.4-7-gf450697 (8f904d2)
  • Incorporates changes from version v1.0.0-beta.4-9-g02361aa (5b34e91)
  • Incorporates changes from version v1.0.0-beta.5-1-g3647958 (2bcfb39)
  • Incorporates changes from version v1.0.0-beta.6-1-gff0604d (0c69154)
  • Incorporates changes from version v1.0.0-beta.6-3-g828b33e (c53f5b2)
  • Incorporates changes from version v1.0.0-beta.8 (92c09fb)
  • Incorporates changes from version v1.0.0-beta.9 (b9127f6)
  • Update documentation links (#144) (84131d2)
  • Update link to security console (26fdda1)
  • Update migration guide (b2e6d67)
  • Updates copyright notice (e58535d)
  • Updates issue and pull request templates (#126) (5991a92)
  • Updates issue and pull request templates (#127) (e4d0e26)
  • Updates link to open collective (25e0dee)
  • Updates links to docs (9dca7c0)
  • Updates links to docs (57ac174)
  • Updates newsletter link in README (97f1dea)
  • Updates readme TOC (3c0c862)
  • Updates README.md (1387f9f)
  • Updates TOC (9b6c0df)
  • Updates upgrade.me (0118f9f)

Unclassified#

  • Add ability to configure scope strategy (519a536)

  • Add cookies ci to handler factory (#103) (59aabfa)

  • Add cookies credentials issuer (032d88e)

  • Add endpoint for answering access requests directly (d211641), closes #42:

    This patch adds endpoint /judge to oathkeeper serve api. The /judge endpoint mimics the behavior of oathkeeper serve proxy but instead of forwarding the request to the upstream server, the endpoint answers directly with an HTTP response.

    The HTTP response returns status code 200 if the request should be allowed and any other status code (e.g. 401, 403) if not.

    Assuming you are making the following request:

    PUT /judge/my-service/whatever HTTP/1.1
    Host: oathkeeper-api:4456
    User-Agent: curl/7.54.0
    Authorization: bearer some-token
    Accept: */*
    Content-Type: application/json
    Content-Length: 0

    And you have a rule which allows token some-bearer to access PUT /my-service/whatever and you have a credentials issuer which does not modify the Authorization header, the response will be:

    HTTP/1.1 200 OK
    Authorization: bearer-sometoken
    Content-Length: 0
    Connection: Closed

    If the rule denies the request, the response will be, for example:

    HTTP/1.1 401 OK
    Content-Length: 0
    Connection: Closed

  • Add headers credentials issuer (b084c32)

  • Add http proxy timeout config (#132) (b3718ce):

    Add environment parameters (and description) to configure timeout settings of the server that handles proxy requests.

    It will help prevent a client connection from being closed unexpectedly if an upstream request takes longer than the default timeout.

  • Add JWT authenticator (61625bc)

  • Add NodeJS SDK (#94) (7505b71)

  • Adds ability to specify db url via env var in migrate (b2cc5d2)

  • Adds and improves metrics middleware (b0dfd97)

  • Adds log message when telemetry is active (ed2f983)

  • Adds validator for rules (#77) (f450697):

    This patch adds an input validator for rules which should prevent accidental typos or similar issues when creating a rule. Additionally, no invalid/unconfigured handlers (authorizers, credential issuers, authenticators) can be used.

  • Align TLS options with hydra (#114) (c763152)

  • Allow empty upstream in rules (e46065a)

  • Allow regex in match scheme (c6d17c5), closes #92

  • Allows connectivity to MySQL (fa5388c), closes #82

  • Authenticator noop should not bypass (6f8ab4f), closes #97

  • Convert AuthenticationSession to local struct type for better handling (b00b2a2)

  • Disable cors per default (#107) (c5ab0c3):

    This patch introduces CORS_ENABLED which defaults to "false".

  • Doesn't fatal if no ORY Hydra is unresponsive. (#66) (181e9ac), closes #65

  • Enables TLS option on serve api (#116) (83f1f84)

  • Expose all ORY Hydra ports in tests (691a72d)

  • Expose all ORY Hydra ports in tests (add70c6)

  • Fix checkResponse message typo (#106) (0d0e653)

  • Ignore query parameters when matching url in rules. (#139) (07eb99b)

  • Improve compatibility with ORY Hydra 1.0.0-beta.8 (#108) (296e012), closes #101:

    This patch improves compatibility with ORY Hydra 1.0.0-beta.8 and updates vendored dependencies.

  • Improve hydra integration tests (e8b7a58)

  • Improve refresh subroutines (cc33538)

  • Improves cors parsing (d00dfed)

  • Improves test set up (6b6bb88)

  • Include headers credential issuer in handler factory (0e1ef1b)

  • Introduce health and version endpoint (029c7ff)

  • Make subject configurable using go template (#129) (ee9dcdd)

  • More CredentialsIssuerHeaders tests (079171f)

  • Move headers into new config field (51eb9fb)

  • Properly document JWT refresh (#117) (2e024f9)

  • Properly handle conflicts on PUT and POST (83b591d), closes #38:

    Previously, PUT and POST did not result in errors (409) when non-existing resources were modified, or existing resources were created. This patch resolves that.

  • Refactors Oathkeeper into new ecosystem (#60) (7acfbca)

  • Refresh rules in api mode (08204e8)

  • Remove config flag (#111) (8385cbc), closes #110

  • Remove config flag (#111) (7de77b8), closes #110

  • Remove package.json from swagger dir (837d18c)

  • Resolve broken introspection scope setting (18837a9)

  • Resolve HS256 kid mismatch (6d647d7), closes #83

  • Resolves panic when network fails in "rules import" (078542a)

  • Streamlines https configuration variables (#124) (9f6f815), closes #121

  • Test for errors (585672e)

  • Test missing Extra field (a4d3d2d)

  • Test template caching/lookup (ab8a402)

  • Update keto to latest (3e2a8de)

  • Upgrade keto authorizer to 0.2.0 (#145) (bcd4836)

  • Support "scope" claim as a string in jwt authenticator (#137) (ab5240e), closes #137

  • Test nesting of various types (188748d)

  • Update rules stub (475f39a)

  • Upgrade superagent version (44ed240)

  • Use print funcmap function to override text/template print (76b2d9d)

  • Validate handler configurations (a558103)

  • Adds docker-compose example with postgres (84f1313)

  • Removes obsolete benchmark (3f259da)

  • Resolves an issue with cached matchers (951da25), closes #73:

    This patch resolves an issue where updates would not properly propagate. This caused deleted rules to still be available in the proxy.

  • Resolves issues with broken tests (6604045)

  • Resolves naming issues and updates readme (5495d4a)

  • Resolves potential panic in request handler (ef6e889)

  • Resolves recursive stack overflow (#81) (0594cda), closes #80

  • Reduces setup complexity by making strategies configurable (6626f8f), closes #71:

    This patch adds another ID Token signing algorithm (HS256) which is easier to set up as it does not rely on ORY Hydra but instead on a shared secret.

    Additionally the ability to specify which ID Token signing algorithm to use has been added. Environmental variables to configure the behaviour have been added as well.

    Further, the ORY Keto Warden Authorizer strategy is now optional and disabled when the environment variable AUTHORIZER_KETO_WARDEN_KETO_URL is empty.

  • Updates to ORY Hydra v1.0.0-beta.2 (e4c9f2e)

  • Tells linguist to ignore SDK files (ace7f34)

0.11.12 (2018-05-07)

Introduces new versioning number to match ORY Hydra

Documentation#

  • Adds automatic summary generation (#49) (20fefbc)

  • Adds edit on github links (95af1bb)

  • Adds license note to all source files (#51) (2c8ff2f)

  • Fixes redirect path (9bca2f3)

  • Moves documentation to new repository (#57) (a9f21f3)

  • Redirect to ory domain (0599e63)

  • Removes newline from swagger doc (5e297b3)

  • Removes stray line in api docs (bed1a04)

  • Removes summary plugin (ce06f4e)

  • Resolves broken policy and client definitions (#55) (4676f40), closes #53

  • Updates chat badge to discord (1bbac52)

  • Updates execution instructions (#56) (3bcfd8b):

    Adjusting run script to respect env variables

  • Updates README.md (#58) (bdb542f)

  • Updates swagger docs (5ea68c2)

Unclassified#

  • Introduces new versioning number to match ORY Hydra (75b5121)

  • Adds mock generation script (00b51b7)

  • Corrects logging typo (#52) (d415291):

    This corrects logging from 'oahtkeeper-proxy' to 'oathkeeper-proxy' in, e.g., the proxy latency logline.

  • Updates hydra sdk mock (2ff8032)

  • Updates hydra to 0.11.6 (ee969f6)

  • Updates license header (94a2ed2)

  • Use source file from vendor for mock generation (42517c6)

  • Uses Hydra v0.11.6 in tests (9c2cc89)

  • Adds license (cc13ae8)

  • Updates README.md (c9340dc)

0.0.29 (2017-12-19)

Adds use field to well known (#48)

Unclassified#

  • Adds use field to well known (#48) (f7353ea), closes #48

0.0.28 (2017-12-19)

Replaces key discovery with well-known feature (#46)

Closes #43

Unclassified#

  • Replaces key discovery with well-known feature (#46) (e343a61), closes #46 #43

0.0.27 (2017-12-12)

Adds cors capabilities to management server

Unclassified#

  • Adds cors capabilities to management server (6519846)

0.0.26 (2017-12-11)

Adds hydra.introspect to required tokens

Unclassified#

  • Adds hydra.introspect to required tokens (b66462a)
  • Fixes broken image link in docs (1aa2404)

0.0.25 (2017-11-28)

Add extra data from token introspection to session

Unclassified#

  • Add extra data from token introspection to session (ce8f9f2)

0.0.24 (2017-11-26)

Replaces LogError with direct error logging

Unclassified#

  • Replaces LogError with direct error logging (73994b8)
  • Upgrades vendor dependencies (4207aef)
  • Introduces telemetry module and adds documentation (c5a7f7a), closes #27 #34
  • Use oathkeeper public url as issuer (1e5ae00)

0.0.23 (2017-11-24)

Print formatted output string in rule management CLI (#35)

Documentation#

Unclassified#

  • Print formatted output string in rule management CLI (#35) (b14c74e), closes #35
  • Update docs and add tests (#32) (c6bf7d1), closes #32

0.0.22 (2017-11-20)

Renames bypass values for better clarity

Closes #13 Closes #29

Unclassified#

  • Renames bypass values for better clarity (46a717e), closes #13 #29

0.0.21 (2017-11-19)

Request hydra.keys scope and fix panic

Unclassified#

  • Request hydra.keys scope and fix panic (546b2cf)

0.0.20 (2017-11-18)

docs: Improve swagger documentation

Documentation#

  • Add developer guide link to readme (68be400)
  • Add install and run section (87f0700)
  • Fix table of contents in summary (fdb752b)
  • Improve swagger documentation (8f16a9b)
  • Wrote basic developer guide (952d27c)

Unclassified#

  • Replace shared secret with RSA key from Hydra for ID token signing (e7ed8ca)
  • Add rules management capabilities to the cli (289c38a)
  • Format cmd/serve (bc2e7c1)
  • Ignore gitbook output directory (580b94f)

0.0.19 (2017-11-13)

evaluator: Use full request URL

Unclassified#

0.0.18 (2017-11-13)

evaluator: Improve audit capabilities

Unclassified#

  • Improve audit capabilities (c952d21)
  • Resolve potential panic in token id generation (8fe9e9a), closes #22

0.0.17 (2017-11-12)

Introduces surrogate_id to SQLManager (#21)

Unclassified#

  • Introduces surrogate_id to SQLManager (#21) (fbe272f), closes #21

0.0.16 (2017-11-12)

Replace MatchesPath with MatchesURL (#20)

Unclassified#

  • Replace MatchesPath with MatchesURL (#20) (4ee776c), closes #20

0.0.15 (2017-11-09)

Add HTTPS capabilities and document proxy/management commands (#19)

Unclassified#

  • Add HTTPS capabilities and document proxy/management commands (#19) (98ef623), closes #19

0.0.14 (2017-11-07)

Make refresh_delay configurable and skip it on boot (#18)

Unclassified#

  • Make refresh_delay configurable and skip it on boot (#18) (4863a82), closes #18

0.0.13 (2017-11-07)

Store rules path match in plaintext (#17)

Unclassified#

  • Store rules path match in plaintext (#17) (6570b5d), closes #17

0.0.12 (2017-11-07)

Use ladon regex compiler for matches (#16)

Unclassified#

  • Use ladon regex compiler for matches (#16) (972a328), closes #16
  • Fix typo in circle-ci test-docker job (5618c30)
  • Run docker image in test (12b5f13)

0.0.11 (2017-11-06)

Move gatekeeper to $PATH in docker image

Unclassified#

  • Move gatekeeper to $PATH in docker image (81e5562)
  • Force docker version 17.10 in circle (3927a78)

0.0.10 (2017-11-06)

Add ssl certificates to scratch image

Unclassified#

  • Add ssl certificates to scratch image (56a3243)
  • Build static binary within docker (4d6d8bf)

0.0.9 (2017-11-06)

Build binary statically with CGO disabled

Unclassified#

  • Build binary statically with CGO disabled (6dd3761)

0.0.8 (2017-11-06)

Make oathkeeper binary executable#

Unclassified#

  • Make oathkeeper binary executable# (9e24888)

0.0.7 (2017-11-06)

Build oathkeeper docker image statically (#14)

  • Build oathkeeper docker image statically

Unclassified#

  • Build oathkeeper docker image statically (#14) (dbd2037), closes #14:

    • Build oathkeeper docker image statically

0.0.6 (2017-11-03)

Added serve all command

Unclassified#

0.0.5 (2017-11-01)

Remove goveralls from circle build

Unclassified#

  • Remove goveralls from circle build (8362e1c)
  • Add cors handling to proxy (84cec15)
  • Use circle ci build status badge (b776e05)
  • Use circle ci build status badge (65c4100)
  • Switch from glide to golang/dep for vendoring (ec63fa4)
  • Resolve tests by replacing nil slice (#7) (971d020), closes #7

0.0.4 (2017-10-21)

Return arrays instead of null on rule creation (#6)

Unclassified#

  • Return arrays instead of null on rule creation (#6) (02e88be), closes #6
  • Add circleci configuration file (#5) (76e58f2), closes #5

0.0.3 (2017-10-18)

Force linefeed for shell scripts

Unclassified#

  • Force linefeed for shell scripts (1e4fc77)
  • When introspection fails return unauthorized (f5295b4)

0.0.2 (2017-10-12)

cmd: remove unnecessary scope hydra.warden.*

Unclassified#

  • Add ability to skip acp checks (18facbb)
  • Remove unnecessary scope hydra.warden.* (2214498)

0.0.1 (2017-10-10)

travis: add goveralls report submission (#2)

Documentation#

Unclassified#




Unreleased (2021-06-22)

Bug Fixes#

Features#

  • Ability to Configure Remote Authorizers to set Headers in AuthenticationSession (#717) (b3d117b):

    The remote authorizers may have useful context from the user's permissions. So with these changes, custom authorizers using remote and remote_json can return some useful headers to be forwarded into the AuthenticationSession, meaning that these headers will be passed to upstream services.

    For example, a user containing scopes/branches inside an organization profile has some level of data addressed to him. In this case, the upstream service needs to know that, and "filter" the data according to his "branch_id". The permission that is given to the user (and that the remote authorizer manages) has a record of the "branch_id", so the following responses will be returned with status code 200 (if granted) and contain a header like X-Branch-Id.

    The upstream service receives the X-Branch-Id and does its thing.

    The configuration requires a list of "allowed headers" returned from the remote authorizer, which will be accepted in the pipeline.

  • Add request header in match context (#719) (22b0dbe), closes #512

  • Improved JWT Authorizer JWKs fetching (#726) (5613f65), closes #203

Tests#

Unclassified#

0.38.11-beta.1 (2021-05-13)

This release primarily addresses issues in the SDK build pipeline.

Bug Fixes#

Code Generation#

  • Pin v0.38.11-beta.1 release commit (413393f)

Reverts#

  • Init introspect http client once (#714) (#722) (c58cbd9):

    This reverts commit e203ad14ac0e78909e7d42aa214c47a708a7c136.

0.38.10-beta.2 (2021-05-05)

This release improves the health status manager, cache management, improves JSON Web Token debuggability, and resolves other issues.

Bug Fixes#

  • Register makefile tasks (2832a77)
  • Resolve makefile issues (9df3b2a)
  • Set cost 1 when caching tokens with configurable max cost (#680) (8db0e9d)
  • Update shebangs to use bash from /usr/bin/env instead of /bin/ for better portability (#694) (e522062)

Code Generation#

  • Pin v0.38.10-beta.2 release commit (4b3403b)

Code Refactoring#

Documentation#

  • Add dotnet sdk (#683) (05ae925):

    • docs: add dotnet sdk

    • docs: add dotnet sdk versioned

  • Change forum to discussions readme (#690) (d942c04)

  • Consistent authz headers (#699) (19948e1):

    Removes the "Authorizer" prefix from a few of the authorizers to make them all consistent.

  • Fix typo (#696) (eda83f1)

  • Point to deny authz (#701) (4f01963), closes #700

Features#

  • Add health event manager and rules readiness probe (#674) (01d8588)

  • Add http method into session.MatchContext (#676) (e15a7a5), closes #625

  • Add support for requesting an audience to the OAuth2 Introspection pr… (#678) (2405810), closes #677

  • Additional JWT auth debug information (#681) (d08ab50), closes #668:

    JWT Claims added to error details field.

  • Adds audience into Extra at oAuth2 introspection (#480) (c9faecc)

  • Global docs sidebar and added cloud pages (#705) (f67241f)

0.38.9-beta.1 (2021-03-17)

This release adds support for X-Forwarded-Proto, passes tracing contexts to downstream requests, bumps Go to 1.16, and resolves issues preventing the log level from being set to trace level. Additionally included are improvements to the overall tracing set up, a cookie authenticator bugfix, and a bugfix for glob pattern matching.

Code Generation#

  • Pin v0.38.9-beta.1 release commit (9ad41f0)

0.38.9-beta.1.pre.3 (2021-03-16)

autogen: pin v0.38.9-beta.1.pre.3 release commit

Bug Fixes#

  • Make glob patterns match only one path segment. (#664) (c711aac), closes #630:

    This makes "/" also a separator as well as the presumably default value of ".". This allows using <*> for matching only one path segment.

Code Generation#

  • Pin v0.38.9-beta.1.pre.3 release commit (7725554)

0.38.9-beta.1.pre.2 (2021-03-15)

autogen: pin v0.38.9-beta.1.pre.2 release commit

Code Generation#

  • Pin v0.38.9-beta.1.pre.2 release commit (9695b77)

0.38.9-beta.1.pre.1 (2021-03-15)

autogen: pin v0.38.9-beta.1.pre.1 release commit

Bug Fixes#

  • Resolve goreleaser issues and bump golang (7291df9)

Code Generation#

  • Pin v0.38.9-beta.1.pre.1 release commit (7afdc40)

Unclassified#

  • Add missing documentation for oauth2_introspection (#648) (34cf38c), closes #549

0.38.8-beta.1 (2021-02-25)

Improves tracing set up and addresses a bug in the cookie authenticator.

Bug Fixes#

  • Ignore cookie auth when no cookies set (c84d880)

Code Generation#

  • Pin v0.38.8-beta.1 release commit (2943e9a)

Unclassified#

  • Formatting (546691b)
  • Add tracing to outbound oauth introspection requests (daf44cb)

0.38.7-beta.1 (2021-02-22)

This release adds support for X-Forwarded-Proto, passes context for tracing to downstream requests, bumps Go to 1.16 and resolves issues preventing the log level from being set to trace level.

Bug Fixes#

  • Accept lower and uppercase in bearer token handler (6e46d4a)

  • Add support for X-Forwarded-Proto header (#638) (6eb83fd), closes #153

  • Pass context through to external requests (#627) (ee25197):

    Enables proper tracing through Jaeger etc

  • Update goreleaser config (9689f45)

  • Update log schema (78e654d)

Code Generation#

  • Pin v0.38.7-beta.1 release commit (3b37928)

Features#

0.38.6-beta.1 (2021-01-27)

We are happy to announce Dart and Rust SDKs for Ory Oathkeeper! Additionally, a new bearer_token authenticator has been added.

Code Generation#

  • Pin v0.38.6-beta.1 release commit (a0c4d7f)

Documentation#

  • Add Rust and Dart SDKs (1524fed):

    We now support Rust and Dart SDKs!

  • Fix js npm links (#634) (c339fee)

  • Rename index documents (7de0ac3)

Features#

  • Add bearer_token authenticator (#613) (b623ae7):

    Adds a new authenticator to work with Kratos' new API token. Works the same as the cookie_session authenticator but checks for a bearer token in the Authorization header (unless overwritten by token_from)

0.38.5-beta.1 (2020-12-10)

The ORY Community is proud to present you the next iteration of ORY Oathkeeper. In this release, we focused on improving production stability and resolved several pesky bugs!

Bug Fixes#

  • Check content-length header in lowercase (#530) (a68fc8a):

    Issue #422 didn't fix the problem with the requests' Content-Length being copied in the responses because the check was case-sensitive and unit tests didn't cover it.

  • Never construct id token claim templates in parallel (#552) (4f504d9), closes #551

  • Remove token_type validation from introspection handler (#556) (b18d90a), closes #553

  • Support windows file paths (#557) (6a05682), closes #514 #332

  • Update dd-trace to fix build (2e571fa)

Code Generation#

  • Pin v0.38.5-beta.1 release commit (f4a04da)

Documentation#

Features#

  • Forward original authorization header when using remote (json) authorizer (#554) (f4f781e), closes #528
  • Use google/go-cloud to fetch rules and credentials from object storage (#562) (666b951), closes #518 #518

Unclassified#

0.38.4-beta.1 (2020-09-28)

This release stabilizes several features and resolves a couple of bugs.

Bug Fixes#

  • Add tests in error_redirect_test.go (#522) (24bdd9b):

    Increased tests coverage to cover for all the three valid scenarios - http absolute, https absolute, relative. Explicitly checked Location path to ensure that correct uri scheme was returned

  • Deprecated key in goreleaser config (2a4f901)

  • Ignore x/net false positives (bc8a32c)

  • Misleading HTTP status code for oauth2_client_credentials authenticator (#504) (0f65631), closes #496

Code Generation#

  • Pin v0.38.4-beta.1 release commit (1c997b2)

Documentation#

  • Fix broken links (dd3bfbe)

  • Fix OAuth2 Introspect Authn Config Documentation (#498) (7612e20):

    Switch the definitions for the pre-authorisation fields 'scope' and 'token endpoint' in the documentation.

  • Fix sidebar (28247fc)

  • Guide for integrating with ORY Hydra (#497) (e1b1751)

  • Move development section (582a4d0)

  • Move to json sidebar (b67230d)

  • Remove duplicate template (01550b4)

  • Update repository templates (2aaf766)

  • Update repository templates (#506) (cb53d79)

Features#

  • Add and automate version schema (7ab4012)

  • Add url_param config option to redirect error handler. (#520) (b5bb3bc), closes #511:

    This change introduces a url_param config option for the redirect error handler. If it contains a URL parameter name, the redirect URL will have this parameter set, containing the current URL (from which Oathkeeper has redirected the user).

    This can be useful in passing the return_to URL to Kratos, so the user can be redirected to the page they initially wanted to access after a successful sign in.

  • Log invalid credentials on info level instead of error/warning (#517) (a372b5f), closes #505

  • Use uri-reference for errors redirect to allow relative urls (#516) (0d39674)

Unclassified#

0.38.3-beta.1 (2020-07-29)

This release addresses several configuration bugs and resolves a potential panic.

Bug Fixes#

Code Generation#

  • Pin v0.38.3-beta.1 release commit (1f754a9)

Documentation#

  • Delete old redirect homepage (a1a4610)
  • Fix access rule example (739f179)
  • Fix api access rule example (#460) (c75cd97)
  • Update repository templates (edffc2e)
  • Update repository templates (7af8749)
  • Use central banner repo for README (04fe00c)
  • Use mdx for api reference (368f073)

Features#

  • Improve configurability of prometheus metrics (#450) (ddcb226), closes #446
  • Pass query parameters to the hydrators (#479) (48603a1)

0.38.2-beta.1 (2020-05-25)

This patch makes timeouts configurable for oauth2_client_credentials and the reverse proxy and additionally allows prometheus to be configured.

Bug Fixes#

  • Move prometheus validation stanza to local schema (#437) (dcf3e14), closes #438

Chores#

  • Pin v0.38.2-beta.1 release commit (0de2682)

Documentation#

Features#

  • Add configurable timeouts to API server (#440) (0dc6292)
  • Timeout config for oauth2_client_credentials (#443) (2462fa3), closes #442

0.38.1-beta.1 (2020-05-08)

Caching in the hydrator mutator has been improved. Please use cache.enable=true if you intend to use the hydrator.

Bug Fixes#

  • Improve caching strategy and config for hydrator (#433) (0047054):

    To enable the hydrator cache you must now use the cache.enabled property. Also, the cache key strategy has been improved.

Chores#

  • Pin v0.38.1-beta.1 release commit (20f439d)

0.38.0-beta.2 (2020-05-07)

This release introduces Prometheus support, a new remote authorizer, caching, and several bugfixes!

No backwards incompatible changes have been introduced.

Bug Fixes#

  • Add old schemas to resolve issues with old versions (b94c391), closes #400

  • Don't copy the decision endpoint request's Content-Length (#422) (0e99045):

    We currently copy all original request headers sent to the decision endpoint back. This can include the Content-Length header which describes the request body or response. Including the original request Content-Length causes issues for the decision endpoint client if the response body doesn't match the exact size.

    This change makes sure the Content-Length doesn't get included in the response body and adds a test to prevent future regressions.

  • Respect retry in token introspection (#410) (88f7b69)

  • Update install.sh script (#429) (2d2eded)

  • Use pipe to pass body remote authorizer (#426) (1a44087):

    Resolves flaky tests.

  • Use semver-regex replacer func (a13cdf5)

Chores#

  • Pin v0.38.0-beta.2 release commit (73d36cd)

Code Refactoring#

Documentation#

Features#

  • Add cache to hydrator (#418) (1ae6e7a), closes #417:

    This patch introduces new configuration parameters that allow the hydrator mutator to cache requests.

  • Add new remote authorizer that uses request body and headers (#416) (3a20637):

    This pull request implements a new authorizer that sends the original request body as body to the remote endpoint. This allows the remote endpoint to take the body into account in its decision.

    The current remote_json authorizer does not have the ability to send the request body of the request to authorize. This means this cannot be taken into account while checking permissions.

    Providing the request body as part of the JSON payload won't always work as JSON cannot handle binary data.

  • Add prometheus docs (#427) (117ee6a)

  • Add prometheus endpoint providing basic request metrics (#404) (fdaed46):

    This patch adds basic prometheus metrics. The prometheus metrics are exposed at the default prometheus exporter port 9000 and are configurable with:

        serve:
          prometheus:
            port: 9000
            host: localhost
            metrics_path: /metrics

  • Oauth2_introspect cache introspection results (#424) (d4557ae), closes #293

0.37.1-beta.1 (2020-04-03)

chore: replace segment with ory fork (#391)

Chores#

Documentation#

  • Regenerate and update changelog (4e251e9)

0.37.0-beta.1 (2020-04-02)

docs: document v0.36 and v0.37

Breaking Changes#

This feature allows the regex capture groups from the URL matcher to be used in several places, including the ID Token generator and elsewhere. To get this working, existing keto_engine_acp_ory authorizers are no longer able to use regex substitution in the form of my:action:$1 but instead must use the new format, which is {{ printIndex .MatchContext.RegexpCaptureGroups 0}} (notice that the index changed by -1). A rule migrator exists which makes old rules compatible with the new format, if a version string is given. More details on the rule migration can be found here: https://github.com/ory/oathkeeper/pull/358/commits/fd16ceb230a1b14ebb01a147d2d70acce77f9fbd#diff-6177fb19f1b7d7bc392f5062b838df15

Bug Fixes#

  • Add rule id to malformed configuration log error (#386) (7688a8d)

  • Disable test that fails with low cache hit rate (#372) (5414dda), closes #371

  • Improve id_token performance with caching (#367) (47e9fee), closes #364

  • Load config file only in serve command (#365) (68c8546)

  • Replace segment with our own sqa endpoint (#385) (8f63eda)

  • Send OAuth2 introspection scope only when strategy is none (#379) (5e0c8dc), closes #377:

    This patch removes the scope key from the OAuth2 Introspection request body when a scope strategy other than none is set for the OAuth2 Introspection handler. If the scope strategy is none, the scope key is included in the body.

  • Token expiration error in tests (#390) (9c07a73)

  • docker: Improve docker-compose example (#325) (1247381), closes #324:

    Add a new file 'Dockerfile-dc' which will primarily be used by Docker Compose to build docker images. Unlike the existing Dockerfile which depends on the Makefile to build the binary, this Dockerfile copies the source code and builds the binary.

    Oathkeeper has gone through a couple of changes since the initial draft of the docker compose file, considering these changes and the newly introduced Dockerfile in the previous commit, make these changes to the docker-compose.yml:

    1. Bump the version of the compose file to 3.
    2. Remove the need for the postgres database app, since Oathkeeper no longer needs a database.
    3. Remove the need for the migration app, since we no longer need to migrate since there is no database and the option is deprecated.
    4. Use the newly defined Dockerfile 'Dockerfile-dc'.
    5. We now serve both API and PROXY from the same app, so we don't need two instances of the app.
    6. Add sample config, rules and JWK files to .docker_compose, mount this via a volume mount.

Documentation#

  • Change link to Developer Install Guide (#369) (f7fe46f):

    Changing the link to the Developer Documentation - it was pointing to Keto and not to Oathkeeper.

  • Document v0.36 and v0.37 (a176c73)

  • Fix examples for some JSON Schema config keys (#363) (aeeb353)

  • Regenerate and update changelog (9417e2c)

  • Regenerate and update changelog (b817037)

  • Regenerate and update changelog (33a5524)

  • Regenerate and update changelog (888b7a6)

  • Regenerate and update changelog (36faa3b)

  • Regenerate and update changelog (32b6059)

  • Regenerate and update changelog (ba4de09)

  • Regenerate and update changelog (a76f749)

  • Regenerate and update changelog (1789d00)

  • Regenerate and update changelog (0dfc608)

  • Regenerate and update changelog (b23c79a)

  • Regenerate and update changelog (2117171)

  • Regenerate and update changelog (38c9e19)

  • Regenerate and update changelog (e3eda75)

  • Regenerate and update changelog (e7d70f7)

  • Regenerate and update changelog (874b7a9)

  • Regenerate and update changelog (6b1d94b)

  • Regenerate and update changelog (cb38415)

  • Regenerate and update changelog (bec6af0)

  • Update forum and chat links (d9eed10)

  • Update README.md (#375) (313d2fe), closes #374:

    Fixed link to Envoy configuration page and added link to AWS API Gateway.

  • Updates issue and pull request templates (#382) (484c406)

Features#

0.36.0-beta.4 (2020-02-14)

docs: Regenerate and update changelog

Bug Fixes#

  • goreleaser: Update brew section (46fb3da)

Documentation#

  • Regenerate and update changelog (95a7c09)

0.36.0-beta.1 (2020-02-05)

docs: Regenerate and update changelog

Documentation#

  • Prepare ecosystem automation (81ea56b)
  • Regenerate and update changelog (b71e48c)
  • Regenerate and update changelog (4f22e42)
  • Regenerate and update changelog (23e053f)
  • Updates issue and pull request templates (#355) (f9251ed)

Features#

  • ci: Add nancy vuln scanner (#354) (de36e40)

  • rule: Add glob matching strategy (#334) (5f983ab), closes #321:

    This patch adds the ability to choose a matching strategy and adds a glob-based matching strategy to the available options (regex is still the default).

Unclassified#

  • Update CHANGELOG [ci skip] (8278b9d)
  • Update CHANGELOG [ci skip] (17f78b7)
  • Update CHANGELOG [ci skip] (d6f6925)
  • Update CHANGELOG [ci skip] (0e109ce)

0.35.5-beta.2 (2020-01-31)

Update README.md

Unclassified#

0.35.5-beta.1 (2020-01-27)

Hash enabled check to further improve performance (#353)

Unclassified#

  • Hash enabled check to further improve performance (#353) (19099cb), closes #353
  • Update CHANGELOG [ci skip] (6afdeae)
  • Update CHANGELOG [ci skip] (3226ae6)

0.35.4-beta.1 (2020-01-26)

Update release pipeline and tests (#351)

Unclassified#

  • Update release pipeline and tests (#351) (c7d81a9), closes #351

0.35.3-beta.1 (2020-01-26)

Update CHANGELOG [ci skip]

Documentation#

  • Updates issue and pull request templates (#341) (eca2652)

Unclassified#

  • Update CHANGELOG [ci skip] (518b765)
  • Update SDK (5e619a0)
  • Cache pipeline config and improve request latency (#348) (95673ed), closes #346
  • Update CHANGELOG [ci skip] (495adcf)
  • Use integer instead of number in config JSON schema (280b42f)
  • Update CHANGELOG [ci skip] (b72965f)
  • Update SDK (aedabd9)
  • Set min/max for port range in config JSON Schema (#345) (d7d696f), closes #345
  • Update CHANGELOG [ci skip] (8e4d58c)
  • Fix profiling env variable not being picked up (#343) (29b0cf1), closes #343
  • Update CHANGELOG [ci skip] (e7a5d89)
  • Update CHANGELOG [ci skip] (abc00d4)
  • Update SDK (a237c29)
  • Update broken links in README (78e498c)

0.35.1-beta.1 (2020-01-14)

Update CHANGELOG [ci skip]

Unclassified#

  • Update CHANGELOG [ci skip] (63b0076)

0.35.0-beta.1 (2020-01-13)

Update CHANGELOG [ci skip]

Documentation#

  • Incorporates changes from version v0.34.0-beta.1 [ci skip] (a8a62b4)
  • Incorporates changes from version v0.34.0-beta.1-2-g7516eed [ci skip] (eb82132)
  • Incorporates changes from version v0.34.0-beta.1-4-gee2b9e7 [ci skip] (d084c39)
  • Incorporates changes from version v0.34.0-beta.1-6-g6723fb8 [ci skip] (ebe89ab)

Unclassified#

  • Update CHANGELOG [ci skip] (f0e8ecf)

  • Update SDK (6a0a0f8)

  • Update upgrade guide (#337) (99e9877), closes #337

  • Update CHANGELOG [ci skip] (2e13a05)

  • Remove superfluous version from workflows (55037fa)

  • Update CHANGELOG [ci skip] (dfbc231)

  • Update SDK (65222d5)

  • Move to new SDK pipeline (#333) (6940dc8), closes #333

  • authn/cookie_session: Add subject_from modifier (#336) (6723fb8), closes #336:

    The subject_from modifier is a GJSON path that points to the subject field. Useful if the upstream API does not return a {"subject": "..."} format.

  • authn/cookie_session: Add extra_from modifier (#335) (ee2b9e7), closes #335:

    The extra_from modifier is a GJSON path that points to the extra field. Useful if the upstream API does not return a {"subject": "...", "extra": "..."} format.

  • pipeline/authn: Add tests for cookie sources in jwt and oauth2_intro (#330) (#331) (7516eed), closes #330 #331 #330:

    Also updates the schemas to add missing cookie config element.

0.34.0-beta.1 (2019-12-26)

Prepare v0.34.0-beta.1+oryOS.14 release

Documentation#

  • Incorporates changes from version v0.33.1-beta.1 [ci skip] (6681754)
  • Incorporates changes from version v0.33.1-beta.1-2-g4033321 [ci skip] (2764758)
  • Incorporates changes from version v0.33.1-beta.1-4-g7e6f636 [ci skip] (66ae8c8)

Unclassified#

  • Prepare v0.34.0-beta.1+oryOS.14 release (96f77b2)

  • pipe/err: Improve IP and MIME matching (#323) (7e6f636), closes #323:

    Previously, MIME matching respected the request's wildcards, which led to multiple handlers feeling responsible for a particular request. Now, wildcards coming from the HTTP Request itself are interpreted literally.

    Additionally, ORY Oathkeeper respected the X-Forwarded-For HTTP Header for matching remote IP addresses. This behavior is now turned off by default because clients were able to fake this header otherwise. It can explicitly be turned on by setting config.when.#.request.remote_ip.RespectForwardedForHeader: true.

  • Add customizable error handlers (#322) (4033321), closes #322 #204 #252 #119:

    This patch adds a new feature called error handlers. It allows defining the error handling logic globally and per rule. It is now possible, for example, to return a JSON response for Accept: application/json requests and an HTTP Redirect response for requests that are coming from a user.

    This also resolves several issues, as noted below:

0.33.1-beta.1 (2019-12-18)

docs: Incorporates changes from version v0.33.0-beta.1-12-g0dd3fe3 [ci skip]

Documentation#

  • Incorporates changes from version v0.33.0-beta.1 [ci skip] (a178031)
  • Incorporates changes from version v0.33.0-beta.1-10-g3e7936a [ci skip] (083b7eb)
  • Incorporates changes from version v0.33.0-beta.1-12-g0dd3fe3 [ci skip] (82c5253)
  • Incorporates changes from version v0.33.0-beta.1-6-gf60f525 [ci skip] (9870722)
  • Incorporates changes from version v0.33.0-beta.1-8-g815951b [ci skip] (d77b225)

Unclassified#

  • Add health check commands (#319) (0dd3fe3)

  • Properly merge env vars into pipeline configs (#320) (3e7936a), closes #320 #305 #317:

    Previously, some keys did not respect the values set in the environment variables.

  • Add alpine-based Docker image (#318) (815951b), closes #318 #312

  • Add more details to decision logging (#316) (f60f525), closes #316 #244 #242:

    Adds details such as the HTTP Method, User Agent, Subject, and other information to the logging output of both the reverse proxy and the decision API.

  • Health endpoints now emit TRACE logs (#314) (9036f8e), closes #283:

    Remove health endpoints from the logs to make monitoring easier. Setting log_level to trace will show these calls.

  • Improve session endpoint debugability (#315) (2718639), closes #300

  • Resolve matcher cache (#313) (1519632), closes #291:

    A bug caused the rule matcher to not cache the regular expression result.

  • Use bearer splitting when header is set to Authorization (#311) (464fa31), closes #308

0.33.0-beta.1 (2019-12-16)

pipeline/mutator: Refactor hydrator retry config (#287)

Documentation#

  • Incorporates changes from version v0.32.1-beta.1 [ci skip] (98c9bf8)
  • Incorporates changes from version v0.32.1-beta.1-5-gf028719 [ci skip] (9f9c00c)

Unclassified#

  • pipeline/mutator: Refactor hydrator retry config (#287) (2a97e05), closes #287
  • Update README banner (#307) (f028719), closes #307
  • Add cookie as an option for oauth2_introspection authenticator (#301) (e3fa55a), closes #301
  • Add preserve_path option for cookie session to not override the path in the request (#297) (7e86b78), closes #297
  • Allow specifying additional headers for the oauth introspection request (#302) (b1e5cea), closes #302

0.32.1-beta.1 (2019-10-30)

docs: Incorporates changes from version v0.32.0-beta.1-13-g1910bbe [ci skip]

Documentation#

  • Add notes for 0.32.0 (40e3b89)
  • Incorporates changes from version v0.32.0-beta.1 [ci skip] (f3a0e53)
  • Incorporates changes from version v0.32.0-beta.1-11-g7892d2f [ci skip] (c41ecd4)
  • Incorporates changes from version v0.32.0-beta.1-13-g1910bbe [ci skip] (d45e1a0)
  • Incorporates changes from version v0.32.0-beta.1-3-g8cf6868 [ci skip] (2c8fbf7)
  • Incorporates changes from version v0.32.0-beta.1-9-g08d42da [ci skip] (6ce3344)

Unclassified#

  • pipeline/authz: Add Content-Type header in the call to Keto (#290) (1910bbe), closes #290

  • Revert incorrect license changes (7892d2f)

  • Revert readme changes to last working version (08d42da)

  • Remove obsolete section from README (aa8deef)

  • Fix broken readme headlines (2e8109a)

  • Auto-kill test runner after 10 retries (#286) (eaad598), closes #286

  • Update ory/x/viperx dependency (#285) (0ef3bce), closes #276 #270 #279 #280:

    This patch automatically binds environment variables to configuration keys. This patch resolves several issues:

  • Dereference config schema and resolve issues (#282) (8cf6868), closes #282 ory/docs#217 #234 #281

0.32.0-beta.1 (2019-10-20)

docs: Incorporates changes from version v0.31.0-beta.1 [ci skip]

Documentation#

  • Incorporates changes from version v0.31.0-beta.1 [ci skip] (dafc870)

0.31.0-beta.1 (2019-10-20)

docs: Incorporates changes from version v0.30.0-beta.1 [ci skip]

Documentation#

  • Incorporates changes from version v0.19.1-beta.1-2-g41869a9 [ci skip] (a44846b)
  • Incorporates changes from version v0.20.0-beta.1 [ci skip] (aaf801b)
  • Incorporates changes from version v0.30.0-beta.1 [ci skip] (ebd198a)

Unclassified#

  • pipeline/authn: Add token_from config to introspection and jwt (#271) (fc85ac8), closes #271 #257:

    Add additional optional configuration to jwt and oauth2_introspection authenticators allowing to set from where (which header or query parameter) the token should be received. The configuration is a token_from field in per-rule-configuration, as described in a linked issue.

  • Add migration capabilities (#268) (bc74e72), closes #266:

    Adds the ability to modify rules with backwards compatibility.

  • Force auth style in oauth2 client credentials authn (#267) (97d7890), closes #260

  • Update UPGRADE.md (4e4bd93)

  • Update upgrade instructions (7483d1c)

  • Change error code from 403 to 401 (#259) (c17e564), closes #256

0.19.0-beta.1 (2019-09-23)

Fix id_token schema reference URL

Unclassified#

  • Fix id_token schema reference URL (72a2333)
  • Resolve broken tests (#262) (bc67cc1), closes #262
  • Homogenize configuration management (#258) (89709aa), closes #258
  • Fix #250: Ignore query parameters to build payload for Keto engine (#251) (d0fc7f4), closes #250 #251

0.18.0-beta.1 (2019-08-22)

mutator/id_token: Add claim templating (#246)

Documentation#

  • Incorporates changes from version v0.17.4-beta.1 (370eb37)
  • Incorporates changes from version v0.17.5-beta.1 (f7beddc)
  • Updates issue and pull request templates (#237) (6181ee5)
  • Updates issue and pull request templates (#238) (6f83cda)
  • Updates issue and pull request templates (#239) (2e0b3ef)
  • Updates issue and pull request templates (#245) (f140837)

Unclassified#

  • mutator/id_token: Add claim templating (#246) (591f524), closes #246
  • Add mutator for modifying authenticationSession with external API (#240) (b38b0f4), closes #240
  • Support multiple mutators per access rule (#233) (d21179d), closes #233 #233
  • Add adopters placeholder (#236) (302c7b8)

0.17.4-beta.1 (2019-08-09)

Add sprig template library (#235)

Documentation#

  • Incorporates changes from version v0.17.3-beta.1 (b271ff2)
  • Updates issue and pull request templates (#232) (00c08ba)

Unclassified#

  • Add sprig template library (#235) (c85c540), closes #235

0.17.3-beta.1 (2019-08-03)

rule: Resolve k8s configmap reload issue (#231)

Documentation#

  • Incorporates changes from version v0.17.2-beta.1 (e652c3f)

Unclassified#

  • Resolve k8s configmap reload issue (#231) (c04547e)
  • Move back to scratch Docker image (3fa8a50)

0.17.2-beta.1 (2019-08-02)

rules: Support kubernetes configmap reloading (#230)

Documentation#

  • Incorporates changes from version v0.17.1-beta.1 (64d180f)
  • Updates issue and pull request templates (#226) (007d491)

Unclassified#

  • Support kubernetes configmap reloading (#230) (92b769b)

0.17.1-beta.1 (2019-07-23)

rule: Fix panic on send on closed channel (#225)

Closes #224

Documentation#

  • Incorporates changes from version v0.17.0-beta.1 (8f4a518)

Unclassified#

0.17.0-beta.1 (2019-07-18)

ci: Automate schema configuration sync

Continuous Integration#

  • Automate schema configuration sync (94bcc4f)

Documentation#

  • Incorporates changes from version v0.16.0-beta.5 (a8afc3b)
  • Update upgrade guide (a8ccb05)
  • Update upgrade guide (f727efe)

Unclassified#

  • Fix broken reload tests (d6059b7)

  • Remove useless function (3521a3d)

  • Validate configuration with JSON Schema (997427d)

  • Do not fatal when immutable value is changed (717d7f7)

  • Watch configuration and access rule changes (#217) (a078e89), closes #217:

    This patch allows oathkeeper to re-load any changes made to the configuration file and/or the access rules to be reloaded without a restart.

    Some configuration keys like serve., log., profiling however require a restart.

  • Create FUNDING.yml (d7da8e2)

  • Add support for rules in YAML format (#213) (67face6), closes #213:

    This commit adds support for defining access rules in YAML format, in addition to existing JSON format.

0.16.0-beta.5 (2019-06-28)

authenticator: Add cookie session authenticator (#211)

Documentation#

  • Incorporates changes from version v0.16.0-beta.4 (1e03ee2)

Unclassified#

  • Add cookie session authenticator (#211) (f8a66b7)

  • Add description into the name of subtest (#212) (230c332), closes #212

  • Use non-root user in image (#209) (2215126)

  • Remove binary license (#208) (3460d65), closes #208

  • Update config.yaml (#204) (effe9c0), closes #204:

    There's no DSN in oathkeeper

0.16.0-beta.4 (2019-05-28)

server: Properly declare negroni middleware (#200)

Previously, negroni.With was mistakenly used to add middleware onto the stack. The proper method however is negroni.Use.

This patch fixes the use of negroni.With and resolves issues around logging and the decisions endpoint.

Closes #199

Documentation#

  • Incorporates changes from version v0.16.0-beta.3 (d777ecf)
  • Updates issue and pull request templates (#196) (74fa27b)
  • Updates issue and pull request templates (#197) (31d057c)
  • Updates issue and pull request templates (#198) (244810a)

Unclassified#

  • Properly declare negroni middleware (#200) (9d3dc54), closes #199:

    Previously, negroni.With was mistakenly used to add middleware onto the stack. The proper method however is negroni.Use.

    This patch fixes the use of negroni.With and resolves issues around logging and the decisions endpoint.

0.16.0-beta.3 (2019-05-19)

ci: Use golang for docs task

Continuous Integration#

Documentation#

  • Incorporates changes from version v0.15.2 (7ceabe9)
  • Rename config.yml -> config.yaml (4faecbe)
  • Updates issue and pull request templates (#189) (367a48d)

Unclassified#

0.15.2 (2019-05-04)

cmd/client: Use json rawmessage for arbitrary payloads (#184)

Closes #182

Signed-off-by: Stanislav Zapolsky stszap@gmail.com

Documentation#

  • Incorporates changes from version v0.15.1 (5c34958)

Unclassified#

  • cmd/client: Use json rawmessage for arbitrary payloads (#184) (a55e4d1), closes #184 #182

0.15.1 (2019-04-29)

vendor: Add go.sum (#180)

Signed-off-by: aeneasr aeneas@ory.sh

Unclassified#

0.15.0 (2019-04-29)

docker: Remove full tag from build pipeline (#179)

Signed-off-by: aeneasr aeneas@ory.sh

Documentation#

  • Incorporates changes from version v0.0.0-testrelease.3 (44649b6)
  • Incorporates changes from version v0.14.2+oryOS.10 (2d9899a)
  • Update patrons (f423666)
  • Update README building-from-source part with the gomodule way (#152) (9d653f5), closes #149

Unclassified#

  • Remove full tag from build pipeline (#179) (e2edbf8)

  • Remove sdk dependencies to keto/hydra (#173) (b538e3c):

    This patch replaces code-generated SDKs with raw http.Client calls which reduces dependencies and makes future changes to the keto/hydra SDK easier to adopt to.

  • Update CHANGELOG.md (cbccbe2)

  • Ensure rule matcher is locked before updating (#159) (6fb7151):

    Lock CachedMatcher before rules are updated when HTTPMatcher refreshes to avoid concurrent map iteration and map write errors.

  • Improve debugability of JWT authenticator (#156) (8441bd5)

  • Move to go-swagger SDK code generation (#170) (38c52a3), closes #165

  • Remove vendored dependencies after sdk generation (7c33ca8)

  • Set request headers for credential issuers (#169) (4fc579c), closes #120 #133

  • Update Dockerfile build instructions (ec40cc4)

  • Upgrade dependencies (#163) (f9fdefb)

  • Use scp,scope,scopes in jwt authenticator (#162) (eebc2f4), closes #138:

    Previously, the JWT authenticator only used the "scope" claim to retrieve scope values from a JWT. Now, "scp", "scope", "scopes" are supported as string arrays and strings separated by spaces.

0.14.2+oryOS.10 (2018-12-13)

ci: Fix docker push arguments in publish task

Signed-off-by: aeneasr aeneas@ory.sh

Continuous Integration#

  • Fix docker push arguments in publish task (62415a1)

0.14.1+oryOS.10 (2018-12-13)

ci: Fix docker release task

Signed-off-by: aeneasr aeneas@ory.sh

Continuous Integration#

0.14.0+oryOS.10 (2018-12-13)

ci: Fix circle misconfiguration

Signed-off-by: aeneasr aeneas@ory.sh

Continuous Integration#

  • Fix circle misconfiguration (a00ce64)

Documentation#

  • Adds gh templates & code of conduct (#78) (02361aa)
  • Adds link to examples repository (#79) (bfe96e9)
  • Align changelog, upgrade with new versions (#143) (751dfa3)
  • Clarify beyondcorp (3647958)
  • Clarify breaking change policy (6e6bb7e)
  • Fix broken link (#87) (828b33e)
  • Fix proxy help command description (#142) (c836cb0)
  • Fix typo in README. (#118) (3d33fcc)
  • Grammatical fix in stability sentence (#86) (ff0604d)
  • Improve some docs and update SDK (#135) (9a6901d)
  • Incorporates changes from version v0.11.12-1-gace7f34 (3a6450c)
  • Incorporates changes from version v0.11.12-10-g57ac174 (c594b7e)
  • Incorporates changes from version v0.11.12-13-gd00dfed (7c221fa)
  • Incorporates changes from version v0.11.12-15-g6604045 (2a594f4)
  • Incorporates changes from version v0.11.12-3-g7acfbca (ac34a58)
  • Incorporates changes from version v0.11.12-6-g181e9ac (01dda53)
  • Incorporates changes from version v1.0.0-beta.1 (788e96b)
  • Incorporates changes from version v1.0.0-beta.2-1-gd6eb440 (579f7a7)
  • Incorporates changes from version v1.0.0-beta.2-10-gef6e889 (38cfb31)
  • Incorporates changes from version v1.0.0-beta.2-12-g9b6c0df (82ac9b2)
  • Incorporates changes from version v1.0.0-beta.2-6-ged2f983 (d9737c8)
  • Incorporates changes from version v1.0.0-beta.2-8-g5495d4a (546828d)
  • Incorporates changes from version v1.0.0-beta.3-3-g3c0c862 (e1127a8)
  • Incorporates changes from version v1.0.0-beta.4-1-g643dbea (5c40f97)
  • Incorporates changes from version v1.0.0-beta.4-12-gbfe96e9 (756178a)
  • Incorporates changes from version v1.0.0-beta.4-17-gfa5388c (3d5df8b)
  • Incorporates changes from version v1.0.0-beta.4-19-g6d647d7 (b5539f4)
  • Incorporates changes from version v1.0.0-beta.4-3-g951da25 (8931b39)
  • Incorporates changes from version v1.0.0-beta.4-5-g83b591d (4f2c64b)
  • Incorporates changes from version v1.0.0-beta.4-7-gf450697 (8f904d2)
  • Incorporates changes from version v1.0.0-beta.4-9-g02361aa (5b34e91)
  • Incorporates changes from version v1.0.0-beta.5-1-g3647958 (2bcfb39)
  • Incorporates changes from version v1.0.0-beta.6-1-gff0604d (0c69154)
  • Incorporates changes from version v1.0.0-beta.6-3-g828b33e (c53f5b2)
  • Incorporates changes from version v1.0.0-beta.8 (92c09fb)
  • Incorporates changes from version v1.0.0-beta.9 (b9127f6)
  • Update documentation links (#144) (84131d2)
  • Update link to security console (26fdda1)
  • Update migration guide (b2e6d67)
  • Updates copyright notice (e58535d)
  • Updates issue and pull request templates (#126) (5991a92)
  • Updates issue and pull request templates (#127) (e4d0e26)
  • Updates link to open collective (25e0dee)
  • Updates links to docs (9dca7c0)
  • Updates links to docs (57ac174)
  • Updates newsletter link in README (97f1dea)
  • Updates readme TOC (3c0c862)
  • Updates README.md (1387f9f)
  • Updates TOC (9b6c0df)
  • Updates upgrade.me (0118f9f)

Unclassified#

  • Add ability to configure scope strategy (519a536)

  • Add cookies ci to handler factory (#103) (59aabfa)

  • Add cookies credentials issuer (032d88e)

  • Add endpoint for answering access requests directly (d211641), closes #42:

    This patch adds endpoint /judge to oathkeeper serve api. The /judge endpoint mimics the behavior of oathkeeper serve proxy but instead of forwarding the request to the upstream server, the endpoint answers directly with a HTTP response.

    The HTTP response returns status code 200 if the request should be allowed and any other status code (e.g. 401, 403) if not.

    Assuming you are making the following request:

    PUT /judge/my-service/whatever HTTP/1.1
    Host: oathkeeper-api:4456
    User-Agent: curl/7.54.0
    Authorization: bearer some-token
    Accept: */*
    Content-Type: application/json
    Content-Length: 0

    And you have a rule which allows token some-bearer to access PUT /my-service/whatever and you have a credentials issuer which does not modify the Authorization header, the response will be:

    HTTP/1.1 200 OK
    Authorization: bearer-sometoken
    Content-Length: 0
    Connection: Closed

    If the rule denies the request, the response will be, for example:

    HTTP/1.1 401 OK
    Content-Length: 0
    Connection: Closed
  • Add headers credentials issuer (b084c32)

  • Add http proxy timeout config (#132) (b3718ce):

    Add environment parameters (and description) to configure timeout settings of a server handled proxy requests.

    It will help prevent unexpected closing of a client connection if an upstream request takes longer than the default timeout.

  • Add JWT authenticator (61625bc)

  • Add NodeJS SDK (#94) (7505b71)

  • Adds ability to specify db url via env var in migrate (b2cc5d2)

  • Adds and improves metrics middleware (b0dfd97)

  • Adds log message when telemetry is active (ed2f983)

  • Adds validator for rules (#77) (f450697):

    This patch adds an input validator for rules which should prevent accidental typos or similar issues when creating a rule. Additionally, no invalid/unconfigured handlers (authorizers, credential issuers, authenticators) can be used.

  • Align TLS options with hydra (#114) (c763152)

  • Allow empty upstream in rules (e46065a)

  • Allow regex in match scheme (c6d17c5), closes #92

  • Allows connectivity to MySQL (fa5388c), closes #82

  • Authenticator noop should not bypass (6f8ab4f), closes #97

  • Convert AuthenticationSession to local struct type for better handling (b00b2a2)

  • Disable cors per default (#107) (c5ab0c3):

    This patch introduces CORS_ENABLED which defaults to "false".

  • Doesn't fatal if no ORY Hydra is unresponsive. (#66) (181e9ac), closes #65

  • Enables TLS option on serve api (#116) (83f1f84)

  • Expose all ORY Hydra ports in tests (691a72d)

  • Expose all ORY Hydra ports in tests (add70c6)

  • Fix checkResponse message typo (#106) (0d0e653)

  • Ignore query parameters when matching url in rules. (#139) (07eb99b)

  • Improve compatibility with ORY Hydra 1.0.0-beta.8 (#108) (296e012), closes #101:

    This patch improves compatibility with ORY Hydra 1.0.0-beta.8 and updates vendored dependencies.

  • Improve hydra integration tests (e8b7a58)

  • Improve refresh subroutines (cc33538)

  • Improves cors parsing (d00dfed)

  • Improves test set up (6b6bb88)

  • Include headers credential issuer in handler factory (0e1ef1b)

  • Introduce health and version endpoint (029c7ff)

  • Make subject configurable using go template (#129) (ee9dcdd)

  • More CredentialsIssuerHeaders tests (079171f)

  • Move headers into new config field (51eb9fb)

  • Properly document JWT refresh (#117) (2e024f9)

  • Properly handle conflicts on PUT and POST (83b591d), closes #38:

    Previously, PUT and POST did not result in errors (409) when non-existing resources were modified, or existing resources were created. This patch resolves that.

  • Refactors Oathkeeper into new ecosystem (#60) (7acfbca)

  • Refresh rules in api mode (08204e8)

  • Remove config flag (#111) (8385cbc), closes #110

  • Remove config flag (#111) (7de77b8), closes #110

  • Remove package.json from swagger dir (837d18c)

  • Resolve broken introspection scope setting (18837a9)

  • Resolve HS256 kid mismatch (6d647d7), closes #83

  • Resolves panic when network fails in "rules import" (078542a)

  • Streamlines https configuration variables (#124) (9f6f815), closes #121

  • Test for errors (585672e)

  • Test missing Extra field (a4d3d2d)

  • Test template caching/lookup (ab8a402)

  • Update keto to latest (3e2a8de)

  • Upgrade keto authorizer to 0.2.0 (#145) (bcd4836)

  • Support "scope" claim as a string in jwt authenticator (#137) (ab5240e), closes #137

  • Test nesting of various types (188748d)

  • Update rules stub (475f39a)

  • Upgrade superagent version (44ed240)

  • Use print funcmap function to override text/template print (76b2d9d)

  • Validate handler configurations (a558103)

  • Adds docker-compose example with postgres (84f1313)

  • Removes obsolete benchmark (3f259da)

  • Resolves an issue with cached matchers (951da25), closes #73:

    This patch resolves an issue where updates would not properly propagate. This caused deleted rules to still be available in the proxy.

  • Resolves issues with broken tests (6604045)

  • Resolves naming issues and updates readme (5495d4a)

  • Resolves potential panic in request handler (ef6e889)

  • Resolves recursive stack overflow (#81) (0594cda), closes #80

  • Reduces setup complexity by making strategies configurable (6626f8f), closes #71:

    This patch adds another ID Token signing algorithm (HS256) which is easier to set up as it does not rely on ORY Hydra but instead on a shared secret.

    Additionally the ability to specify which ID Token signing algorithm to use has been added. Environmental variables to configure the behaviour have been added as well.

    Further, the ORY Keto Warden Authorizer strategy is now optional and disabled when the environment variable AUTHORIZER_KETO_WARDEN_KETO_URL is empty.

  • Updates to ORY Hydra v1.0.0-beta.2 (e4c9f2e)

  • Tells linguist to ignore SDK files (ace7f34)

0.11.12 (2018-05-07)

Introduces new versioning number to match ORY Hydra

Documentation#

  • Adds automatic summary generation (#49) (20fefbc)

  • Adds edit on github links (95af1bb)

  • Adds license note to all source files (#51) (2c8ff2f)

  • Fixes redirect path (9bca2f3)

  • Moves documentation to new repository (#57) (a9f21f3)

  • Redirect to ory domain (0599e63)

  • Removes newline from swagger doc (5e297b3)

  • Removes stray line in api docs (bed1a04)

  • Removes summary plugin (ce06f4e)

  • Resolves broken policy and client definitions (#55) (4676f40), closes #53

  • Updates chat badge to discord (1bbac52)

  • Updates execution instructions (#56) (3bcfd8b):

    Adjusting run script to respect env variables

  • Updates README.md (#58) (bdb542f)

  • Updates swagger docs (5ea68c2)

Unclassified#

  • Introduces new versioning number to match ORY Hydra (75b5121)

  • Adds mock generation script (00b51b7)

  • Corrects logging typo (#52) (d415291):

    This corrects logging from 'oahtkeeper-proxy' to 'oathkeeper-proxy' in, e.g., the proxy latency logline.

  • Updates hydra sdk mock (2ff8032)

  • Updates hydra to 0.11.6 (ee969f6)

  • Updates license header (94a2ed2)

  • Use source file from vendor for mock generation (42517c6)

  • Uses Hydra v0.11.6 in tests (9c2cc89)

  • Adds license (cc13ae8)

  • Updates README.md (c9340dc)

0.0.29 (2017-12-19)

Adds use field to well known (#48)

Unclassified#

  • Adds use field to well known (#48) (f7353ea), closes #48

0.0.28 (2017-12-19)

Replaces key discovery with well-known feature (#46)

Closes #43

Unclassified#

  • Replaces key discovery with well-known feature (#46) (e343a61), closes #46 #43

0.0.27 (2017-12-12)

Adds cors capabilities to management server

Unclassified#

  • Adds cors capabilities to management server (6519846)

0.0.26 (2017-12-11)

Adds hydra.introspect to required tokens

Unclassified#

  • Adds hydra.introspect to required tokens (b66462a)
  • Fixes broken image link in docs (1aa2404)

0.0.25 (2017-11-28)

Add extra data from token introspection to session

Unclassified#

  • Add extra data from token introspection to session (ce8f9f2)

0.0.24 (2017-11-26)

Replaces LogError with direct error logging

Unclassified#

  • Replaces LogError with direct error logging (73994b8)
  • Upgrades vendor dependencies (4207aef)
  • Introduces telemetry module and adds documentation (c5a7f7a), closes #27 #34
  • Use oathkeeper public url as issuer (1e5ae00)

0.0.23 (2017-11-24)

Print formatted output string in rule management CLI (#35)

Documentation#

Unclassified#

  • Print formatted output string in rule management CLI (#35) (b14c74e), closes #35
  • Update docs and add tests (#32) (c6bf7d1), closes #32

0.0.22 (2017-11-20)

Renames bypass values for better clarity

Closes #13 Closes #29

Unclassified#

  • Renames bypass values for better clarity (46a717e), closes #13 #29

0.0.21 (2017-11-19)

Request hydra.keys scope and fix panic

Unclassified#

  • Request hydra.keys scope and fix panic (546b2cf)

0.0.20 (2017-11-18)

docs: Improve swagger documentation

Documentation#

  • Add developer guide link to readme (68be400)
  • Add install and run section (87f0700)
  • Fix table of contents in summary (fdb752b)
  • Improve swagger documentation (8f16a9b)
  • Wrote basic developer guide (952d27c)

Unclassified#

  • Replace shared secret with RSA key from Hydra for ID token signing (e7ed8ca)
  • Add rules management capabilities to the cli (289c38a)
  • Format cmd/serve (bc2e7c1)
  • Ignore gitbook output directory (580b94f)

0.0.19 (2017-11-13)

evaluator: Use full request URL

Unclassified#

0.0.18 (2017-11-13)

evaluator: Improve audit capabilities

Unclassified#

  • Improve audit capabilities (c952d21)
  • Resolve potential panic in token id generation (8fe9e9a), closes #22

0.0.17 (2017-11-12)

Introduces surrogate_id to SQLManager (#21)

Unclassified#

  • Introduces surrogate_id to SQLManager (#21) (fbe272f), closes #21

0.0.16 (2017-11-12)

Replace MatchesPath with MatchesURL (#20)

Unclassified#

  • Replace MatchesPath with MatchesURL (#20) (4ee776c), closes #20

0.0.15 (2017-11-09)

Add HTTPS capabilities and document proxy/management commands (#19)

Unclassified#

  • Add HTTPS capabilities and document proxy/management commands (#19) (98ef623), closes #19

0.0.14 (2017-11-07)

Make refresh_delay configurable and skip it on boot (#18)

Unclassified#

  • Make refresh_delay configurable and skip it on boot (#18) (4863a82), closes #18

0.0.13 (2017-11-07)

Store rules path match in plaintext (#17)

Unclassified#

  • Store rules path match in plaintext (#17) (6570b5d), closes #17

0.0.12 (2017-11-07)

Use ladon regex compiler for matches (#16)

Unclassified#

  • Use ladon regex compiler for matches (#16) (972a328), closes #16
  • Fix typo in circle-ci test-docker job (5618c30)
  • Run docker image in test (12b5f13)

0.0.11 (2017-11-06)

Move gatekeeper to $PATH in docker image

Unclassified#

  • Move gatekeeper to $PATH in docker image (81e5562)
  • Force docker version 17.10 in circle (3927a78)

0.0.10 (2017-11-06)

Add ssl certificates to scratch image

Unclassified#

  • Add ssl certificates to scratch image (56a3243)
  • Build static binary within docker (4d6d8bf)

0.0.9 (2017-11-06)

Build binary statically with CGO disabled

Unclassified#

  • Build binary statically with CGO disabled (6dd3761)

0.0.8 (2017-11-06)

Make oathkeeper binary executable#

Unclassified#

  • Make oathkeeper binary executable# (9e24888)

0.0.7 (2017-11-06)

Build oathekeeper docker image statically (#14)

  • Build oathekeeper docker image statically

  • Build oathekeeper docker image statically

Unclassified#

  • Build oathekeeper docker image statically (#14) (dbd2037), closes #14:

    • Build oathekeeper docker image statically

    • Build oathekeeper docker image statically

0.0.6 (2017-11-03)

Added serve all command

Unclassified#

0.0.5 (2017-11-01)

Remove goveralls from circle build

Unclassified#

  • Remove goveralls from circle build (8362e1c)
  • Add cors handling to proxy (84cec15)
  • Use circle ci build status badge (b776e05)
  • Use circle ci build status badge (65c4100)
  • Switch from glide to golang/dep for vendoring (ec63fa4)
  • Resolve tests by replacing nil slice (#7) (971d020), closes #7

0.0.4 (2017-10-21)

Return arrays instead of null on rule creation (#6)

Unclassified#

  • Return arrays instead of null on rule creation (#6) (02e88be), closes #6
  • Add circleci configuration file (#5) (76e58f2), closes #5

0.0.3 (2017-10-18)

Force linefeed for shell scripts

Unclassified#

  • Force linefeed for shell scripts (1e4fc77)
  • When introspection fails return unauthorized (f5295b4)

0.0.2 (2017-10-12)

cmd: remove unnecessary scope hydra.warden.*

Unclassified#

  • Add ability to skip acp checks (18facbb)
  • Remove unnecessary scope hydra.warden.* (2214498)

0.0.1 (2017-10-10)

travis: add goveralls report submission (#2)

Documentation#

Unclassified#




Unreleased (2021-06-23)

0.38.12-beta.1 (2021-06-22)

This patch includes an important patch for a security vulnerability impacting the oauth2_introspection authenticator when caching is enabled. For more information please read the Security Advisory.

We strongly recommend upgrading to this version!

Apart from this fix some improvements have been added to reduce latencies when fetching JSON Web Keys and during oauth2_introspection pre-auth. Go templates can now access the incoming request headers.

Bug Fixes#

Code Generation#

  • Pin v0.38.12-beta.1 release commit (ae23224)

Features#

  • Ability to Configure Remote Authorizers to set Headers in AuthenticationSession (#717) (b3d117b):

    The remote authorizers may have useful context from the user's permissions. So with this change, custom authorizers using remote and remote_json can return some useful headers to be forwarded into the AuthenticationSession, meaning that these headers will be passed to upstream services.

    For example, an user containing scopes/branches inside an organization profile has some level of data addressed to him. In this case, the upstream service need to know that, and "filter" the data according to his "branch_id". The permission that is given to the user (and the remote authorizers manages) has a record of the "branch_id", for the following responses will be returned as status code 200 (if granted) and containing a header like X-Branch-Id.

    The upstream service receives the X-Branch-Id and does its thing.

    The configuration requires a list of "allowed headers" returned from the remote authorizer, which will be accepted in the pipeline.

  • Add request header in match context (#719) (22b0dbe), closes #512

  • Improved JWT Authorizer JWKs fetching (#726) (5613f65), closes #203

Tests#

Unclassified#

0.38.11-beta.1 (2021-05-13)

This release primarily addresses issues in the SDK build pipeline.

Bug Fixes#

Code Generation#

  • Pin v0.38.11-beta.1 release commit (413393f)

Reverts#

  • Init introspect http client once (#714) (#722) (c58cbd9):

    This reverts commit e203ad14ac0e78909e7d42aa214c47a708a7c136.

0.38.10-beta.2 (2021-05-05)

This release improves the health status manager, cache management, improves JSON Web Token debuggability, and resolves other issues.

Bug Fixes#

  • Register makefile tasks (2832a77)
  • Resolve makefile issues (9df3b2a)
  • Set cost 1 when caching tokens with configurable max cost (#680) (8db0e9d)
  • Update shebangs to use bash from /usr/bin/env instead of /bin/ for better portability (#694) (e522062)

Code Generation#

  • Pin v0.38.10-beta.2 release commit (4b3403b)

Code Refactoring#

Documentation#

  • Add dotnet sdk (#683) (05ae925):

    • docs: add dotnet sdk

    • docs: add dotnet sdk versioned

  • Change forum to discussions readme (#690) (d942c04)

  • Consistent authz headers (#699) (19948e1):

    Removes the "Authorizer" prefix from a few of the authorizers to make them all consistent.

  • Fix typo (#696) (eda83f1)

  • Point to deny authz (#701) (4f01963), closes #700

Features#

  • Add health event manager and rules readiness probe (#674) (01d8588)

  • Add http method into session.MatchContext (#676) (e15a7a5), closes #625

  • Add support for requesting an audience to the OAuth2 Introspection pr… (#678) (2405810), closes #677

  • Additional JWT auth debug information (#681) (d08ab50), closes #668:

    JWT Claims added to error details field.

  • Adds audience into Extra at oAuth2 introspection (#480) (c9faecc)

  • Global docs sidebar and added cloud pages (#705) (f67241f)

0.38.9-beta.1 (2021-03-17)

This release adds support for X-Forwarded-Proto, passes tracing contexts to downstream requests, bumps Go to 1.16, and resolves issues preventing the log level from being set to trace level. Additionally included are improvements to the overall tracing set up, a cookie authenticator bugfix, and a bugfix for glob pattern matching.

Code Generation#

  • Pin v0.38.9-beta.1 release commit (9ad41f0)

0.38.9-beta.1.pre.3 (2021-03-16)

autogen: pin v0.38.9-beta.1.pre.3 release commit

Bug Fixes#

  • Make glob patterns match only one path segment. (#664) (c711aac), closes #630:

    This makes / also a separator as well as the presumably default value of .. This allows using <*> for matching only one path segment.

Code Generation#

  • Pin v0.38.9-beta.1.pre.3 release commit (7725554)

0.38.9-beta.1.pre.2 (2021-03-15)

autogen: pin v0.38.9-beta.1.pre.2 release commit

Code Generation#

  • Pin v0.38.9-beta.1.pre.2 release commit (9695b77)

0.38.9-beta.1.pre.1 (2021-03-15)

autogen: pin v0.38.9-beta.1.pre.1 release commit

Bug Fixes#

  • Resolve goreleaser issues and bump golang (7291df9)

Code Generation#

  • Pin v0.38.9-beta.1.pre.1 release commit (7afdc40)

Unclassified#

  • Add missing documentation for oauth2_introspection (#648) (34cf38c), closes #549

0.38.8-beta.1 (2021-02-25)

Improves tracing set up and addresses a bug in the cookie authenticator.

Bug Fixes#

  • Ignore cookie auth when no cookies set (c84d880)

Code Generation#

  • Pin v0.38.8-beta.1 release commit (2943e9a)

Unclassified#

  • Formatting (546691b)
  • Add tracing to outbound oauth introspection requests (daf44cb)

0.38.7-beta.1 (2021-02-22)

This release adds support for X-Forwarded-Proto, passes context for tracing to downstream requests, bumps Go to 1.16 and resolves issues preventing the log level from being set to trace level.

Bug Fixes#

  • Accept lower and uppercase in bearer token handler (6e46d4a)

  • Add support for X-Forwarded-Proto header (#638) (6eb83fd), closes #153

  • Pass context through to external requests (#627) (ee25197):

    Enables proper tracing through Jaeger etc

  • Update goreleaser config (9689f45)

  • Update log schema (78e654d)

Code Generation#

  • Pin v0.38.7-beta.1 release commit (3b37928)

Features#

0.38.6-beta.1 (2021-01-27)

We are happy to announce Dart and Rust SDKs for Ory Oathkeeper! Additionally, a new bearer_token authenticator has been added.

Code Generation#

  • Pin v0.38.6-beta.1 release commit (a0c4d7f)

Documentation#

  • Add Rust and Dart SDKs (1524fed):

    We now support Rust and Dart SDKs!

  • Fix js npm links (#634) (c339fee)

  • Rename index documents (7de0ac3)

Features#

  • Add bearer_token authenticator (#613) (b623ae7):

    Adds a new authenticator to work with Kratos' new API token. Works the same as the cookie_session authenticator but checks for a bearer token in the Authorization header (unless overwritten by token_from)

0.38.5-beta.1 (2020-12-10)

The ORY Community is proud to present you the next iteration of ORY Oathkeeper. In this release, we focused on improving production stability and resolved several pesky bugs!

Bug Fixes#

  • Check content-length header in lowercase (#530) (a68fc8a):

    Issue #422 didn't fix the problem with the requests' Content-Length being copied in the responses because the check was case-sensitive and unit tests didn't cover it.

  • Never construct id token claim templates in parallel (#552) (4f504d9), closes #551

  • Remove token_type validation from introspection handler (#556) (b18d90a), closes #553

  • Support windows file paths (#557) (6a05682), closes #514 #332

  • Update dd-trace to fix build (2e571fa)

Code Generation#

  • Pin v0.38.5-beta.1 release commit (f4a04da)

Documentation#

Features#

  • Forward original authorization header when using remote (json) authorizer (#554) (f4f781e), closes #528
  • Use google/go-cloud to fetch rules and credentials from object storage (#562) (666b951), closes #518 #518

Unclassified#

0.38.4-beta.1 (2020-09-28)

This release stabilizes several features and resolves a couple of bugs.

Bug Fixes#

  • Add tests in error_redirect_test.go (#522) (24bdd9b):

    Increased tests coverage to cover for all the three valid scenarios - http absolute, https absolute, relative. Explicitly checked Location path to ensure that correct uri scheme was returned

  • Deprecated key in goreleaser config (2a4f901)

  • Ignore x/net false positives (bc8a32c)

  • Misleading HTTP status code for oauth2_client_credentials authenticator (#504) (0f65631), closes #496

Code Generation#

  • Pin v0.38.4-beta.1 release commit (1c997b2)

Documentation#

  • Fix broken links (dd3bfbe)

  • Fix OAuth2 Introspect Authn Config Documentation (#498) (7612e20):

    Switch the definitions for the pre-authorisation fields 'scope' and 'token endpoint' in the documentation.

  • Fix sidebar (28247fc)

  • Guide for integrating with ORY Hydra (#497) (e1b1751)

  • Move development section (582a4d0)

  • Move to json sidebar (b67230d)

  • Remove duplicate template (01550b4)

  • Update repository templates (2aaf766)

  • Update repository templates (#506) (cb53d79)

Features#

  • Add and automate version schema (7ab4012)

  • Add url_param config option to redirect error handler. (#520) (b5bb3bc), closes #511:

    This change introduces a url_param config option for the redirect error handler. If it contains a URL parameter name, the redirect URL will have this parameter set, containing the current URL (from which Oathkeeper has redirected the user).

    This can be useful for passing the return_to URL to Kratos, so the user can be redirected to the page they initially wanted to access after a successful sign in.

  • Log invalid credentials on info level instead of error/warning (#517) (a372b5f), closes #505

  • Use uri-reference for errors redirect to allow relative urls (#516) (0d39674)

Unclassified#

0.38.3-beta.1 (2020-07-29)

This release addresses several configuration bugs and resolves a potential panic.

Bug Fixes#

Code Generation#

  • Pin v0.38.3-beta.1 release commit (1f754a9)

Documentation#

  • Delete old redirect homepage (a1a4610)
  • Fix access rule example (739f179)
  • Fix api access rule example (#460) (c75cd97)
  • Update repository templates (edffc2e)
  • Update repository templates (7af8749)
  • Use central banner repo for README (04fe00c)
  • Use mdx for api reference (368f073)

Features#

  • Improve configurability of prometheus metrics (#450) (ddcb226), closes #446
  • Pass query parameters to the hydrators (#479) (48603a1)

0.38.2-beta.1 (2020-05-25)

This patch makes timeouts configurable for oauth2_client_credentials and the reverse proxy and additionally allows prometheus to be configured.

Bug Fixes#

  • Move prometheus validation stanza to local schema (#437) (dcf3e14), closes #438

Chores#

  • Pin v0.38.2-beta.1 release commit (0de2682)

Documentation#

Features#

  • Add configurable timeouts to API server (#440) (0dc6292)
  • Timeout config for oauth2_client_credentials (#443) (2462fa3), closes #442

0.38.1-beta.1 (2020-05-08)

Caching in the hydrator mutator has been improved. Please use cache.enable=true if you intend using the hydrator.

Bug Fixes#

  • Improve caching strategy and config for hydrator (#433) (0047054):

    To enable the hydrator cache you must now use the cache.enabled property. Also, the cache key strategy has been improved.

Chores#

  • Pin v0.38.1-beta.1 release commit (20f439d)

0.38.0-beta.2 (2020-05-07)

This release introduces Prometheus support, a new remote authorizer, caching, and several bugfixes!

No backwards incompatible changes have been introduced.

Bug Fixes#

  • Add old schemas to resolve issues with old versions (b94c391), closes #400

  • Don't copy the decision endpoint request's Content-Length (#422) (0e99045):

    We currently copy all original request headers sent to the decision endpoint back. This can include the Content-Length header, which describes the request body or response. Including the original request Content-Length causes issues for the decision endpoint client if the response body doesn't match the exact size.

    This change makes sure the Content-Length doesn't get included in the response body and adds a test to prevent future regressions.

  • Respect retry in token introspection (#410) (88f7b69)

  • Update install.sh script (#429) (2d2eded)

  • Use pipe to pass body remote authorizer (#426) (1a44087):

    Resolves flaky tests.

  • Use semver-regex replacer func (a13cdf5)

Chores#

  • Pin v0.38.0-beta.2 release commit (73d36cd)

Code Refactoring#

Documentation#

Features#

  • Add cache to hydrator (#418) (1ae6e7a), closes #417:

    This patch introduces new configuration parameters that allow the hydrator mutator to cache requests.

  • Add new remote authorizer that uses request body and headers (#416) (3a20637):

    This pull request implements a new authorizer that sends the original request body as body to the remote endpoint. This allows the remote endpoint to take the body into account in its decision.

    The current remote_json authorizer does not have the ability to send the request body of the request to authorize. This means this cannot be taken into account while checking permissions.

    Providing the request body as part of the JSON payload won't always work as JSON cannot handle binary data.

  • Add prometheus docs (#427) (117ee6a)

  • Add prometheus endpoint providing basic request metrics (#404) (fdaed46):

    This patch adds basic prometheus metrics. The prometheus metrics are exposed at the default prometheus exporter port 9000 and are configurable with:

    serve:
      prometheus:
        port: 9000
        host: localhost
        metrics_path: /metrics

  • Oauth2_introspect cache introspection results (#424) (d4557ae), closes #293

0.37.1-beta.1 (2020-04-03)

chore: replace segment with ory fork (#391)

Chores#

Documentation#

  • Regenerate and update changelog (4e251e9)

0.37.0-beta.1 (2020-04-02)

docs: document v0.36 and v0.37

Breaking Changes#

This feature allows the regex capture groups from the URL matcher to be used in several places, including the ID Token generator. To get this working, existing keto_engine_acp_ory authorizers can no longer use regex substitution in the form of my:action:$1 but must instead use the new format, which is {{ printIndex .MatchContext.RegexpCaptureGroups 0}} (notice that the index changed by -1). A rule migrator exists which makes old rules compatible with the new format, if a version string is given. More details on the rule migration can be found here: https://github.com/ory/oathkeeper/pull/358/commits/fd16ceb230a1b14ebb01a147d2d70acce77f9fbd#diff-6177fb19f1b7d7bc392f5062b838df15
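The index shift described above, as an added example (not Oathkeeper's rule migrator): it rewrites old-style $N references and renders the result against a constructed rule URL. The printIndex body, the struct types and the sample URL pattern are assumptions made for illustration; only the template expression itself comes from the changelog.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"text/template"
)

// Hypothetical stand-ins for the data a rule template sees; only the field
// path .MatchContext.RegexpCaptureGroups is taken from the changelog entry.
type matchContext struct{ RegexpCaptureGroups []string }
type session struct{ MatchContext matchContext }

// Constructed sample rule URL: group 1 is the resource, group 2 its id.
var exampleRuleURL = regexp.MustCompile(`^https://api\.example\.com/(users|orders)/(\d+)$`)

// dollarRef finds old-style references such as $1 or $12.
var dollarRef = regexp.MustCompile(`\$(\d+)`)

// migrateSubstitution rewrites $N to the template form. $1 becomes index 0
// because the slice holds only the capture groups, not the whole match.
func migrateSubstitution(old string) string {
	return dollarRef.ReplaceAllStringFunc(old, func(ref string) string {
		n, err := strconv.Atoi(ref[1:])
		if err != nil || n < 1 {
			return ref // not a capture-group reference; leave it untouched
		}
		return fmt.Sprintf("{{ printIndex .MatchContext.RegexpCaptureGroups %d }}", n-1)
	})
}

// printIndex is an assumed implementation: it returns the group at index i,
// or an empty string when the rule URL has fewer groups than the template expects.
func printIndex(groups []string, i int) string {
	if i < 0 || i >= len(groups) {
		return ""
	}
	return groups[i]
}

// render matches url against the sample rule and executes tmpl with the
// resulting capture groups.
func render(tmpl, url string) (string, error) {
	m := exampleRuleURL.FindStringSubmatch(url)
	if m == nil {
		return "", fmt.Errorf("%q does not match the rule", url)
	}
	t, err := template.New("action").
		Funcs(template.FuncMap{"printIndex": printIndex}).
		Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out strings.Builder
	s := session{MatchContext: matchContext{RegexpCaptureGroups: m[1:]}}
	if err := t.Execute(&out, s); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	migrated := migrateSubstitution("my:action:$1:$2")
	fmt.Println(migrated)
	got, err := render(migrated, "https://api.example.com/orders/42")
	fmt.Println(got, err)
}
```

A rule migrated by hand without the -1 shift would silently authorize against the wrong action string, so comparing rendered output before and after migration is a useful check.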

Bug Fixes#

  • Add rule id to malformed configuration log error (#386) (7688a8d)

  • Disable test that fails with low cache hit rate (#372) (5414dda), closes #371

  • Improve id_token performance with caching (#367) (47e9fee), closes #364

  • Load config file only in serve command (#365) (68c8546)

  • Replace segment with our own sqa endpoint (#385) (8f63eda)

  • Send OAuth2 introspection scope only when strategy is none (#379) (5e0c8dc), closes #377:

    This patch removes the scope key from the OAuth2 Introspection request body when a scope strategy other than none is set for the OAuth2 Introspection handler. If the scope strategy is none, the scope key is included in the body.

  • Token expiration error in tests (#390) (9c07a73)

  • docker: Improve docker-compose example (#325) (1247381), closes #324:

    Add a new file 'Dockerfile-dc' which will primarily be used by Docker Compose to build docker images. Unlike the existing Dockerfile which depends on the Makefile to build the binary, this Dockerfile copies the source code and builds the binary.

    Oathkeeper has gone through a couple of changes since the initial draft of the docker compose file, considering these changes and the newly introduced Dockerfile in the previous commit, make these changes to the docker-compose.yml:

    1. Bump the version of the compose file to 3.
    2. Remove the need for the postgres database app, since Oathkeeper no longer needs a database.
    3. Remove the need for the migration app, since we no longer need to migrate since there is no database and the option is deprecated.
    4. Use the newly defined Dockerfile 'Dockerfile-dc'.
    5. We now serve both API and PROXY from the same app, so we don't need two instances of the app.
    6. Add sample config, rules and JWK files to .docker_compose, mount this via a volume mount.

Documentation#

  • Change link to Developer Install Guide (#369) (f7fe46f):

    Changing the link to the Developer Documentation - it was pointing to Keto and not to Oathkeeper.

  • Document v0.36 and v0.37 (a176c73)

  • Fix examples for some JSON Schema config keys (#363) (aeeb353)

  • Regenerate and update changelog (9417e2c)

  • Regenerate and update changelog (b817037)

  • Regenerate and update changelog (33a5524)

  • Regenerate and update changelog (888b7a6)

  • Regenerate and update changelog (36faa3b)

  • Regenerate and update changelog (32b6059)

  • Regenerate and update changelog (ba4de09)

  • Regenerate and update changelog (a76f749)

  • Regenerate and update changelog (1789d00)

  • Regenerate and update changelog (0dfc608)

  • Regenerate and update changelog (b23c79a)

  • Regenerate and update changelog (2117171)

  • Regenerate and update changelog (38c9e19)

  • Regenerate and update changelog (e3eda75)

  • Regenerate and update changelog (e7d70f7)

  • Regenerate and update changelog (874b7a9)

  • Regenerate and update changelog (6b1d94b)

  • Regenerate and update changelog (cb38415)

  • Regenerate and update changelog (bec6af0)

  • Update forum and chat links (d9eed10)

  • Update README.md (#375) (313d2fe), closes #374:

    Fixed link to Envoy configuration page and added link to AWS API Gateway.

  • Updates issue and pull request templates (#382) (484c406)

Features#

0.36.0-beta.4 (2020-02-14)

docs: Regenerate and update changelog

Bug Fixes#

  • goreleaser: Update brew section (46fb3da)

Documentation#

  • Regenerate and update changelog (95a7c09)

0.36.0-beta.1 (2020-02-05)

docs: Regenerate and update changelog

Documentation#

  • Prepare ecosystem automation (81ea56b)
  • Regenerate and update changelog (b71e48c)
  • Regenerate and update changelog (4f22e42)
  • Regenerate and update changelog (23e053f)
  • Updates issue and pull request templates (#355) (f9251ed)

Features#

  • ci: Add nancy vuln scanner (#354) (de36e40)

  • rule: Add glob matching strategy (#334) (5f983ab), closes #321:

    This patch adds the ability to choose a matching strategy and adds a glob-based matching strategy to the available options (regex is still the default).

Unclassified#

  • Update CHANGELOG [ci skip] (8278b9d)
  • Update CHANGELOG [ci skip] (17f78b7)
  • Update CHANGELOG [ci skip] (d6f6925)
  • Update CHANGELOG [ci skip] (0e109ce)

0.35.5-beta.2 (2020-01-31)

Update README.md

Unclassified#

0.35.5-beta.1 (2020-01-27)

Hash enabled check to further improve performance (#353)

Unclassified#

  • Hash enabled check to further improve performance (#353) (19099cb), closes #353
  • Update CHANGELOG [ci skip] (6afdeae)
  • Update CHANGELOG [ci skip] (3226ae6)

0.35.4-beta.1 (2020-01-26)

Update release pipeline and tests (#351)

Unclassified#

  • Update release pipeline and tests (#351) (c7d81a9), closes #351

0.35.3-beta.1 (2020-01-26)

Update CHANGELOG [ci skip]

Documentation#

  • Updates issue and pull request templates (#341) (eca2652)

Unclassified#

  • Update CHANGELOG [ci skip] (518b765)
  • Update SDK (5e619a0)
  • Cache pipeline config and improve request latency (#348) (95673ed), closes #346
  • Update CHANGELOG [ci skip] (495adcf)
  • Use integer instead of number in config JSON schema (280b42f)
  • Update CHANGELOG [ci skip] (b72965f)
  • Update SDK (aedabd9)
  • Set min/max for port range in config JSON Schema (#345) (d7d696f), closes #345
  • Update CHANGELOG [ci skip] (8e4d58c)
  • Fix profiling env variable not being picked up (#343) (29b0cf1), closes #343
  • Update CHANGELOG [ci skip] (e7a5d89)
  • Update CHANGELOG [ci skip] (abc00d4)
  • Update SDK (a237c29)
  • Update broken links in README (78e498c)

0.35.1-beta.1 (2020-01-14)

Update CHANGELOG [ci skip]

Unclassified#

  • Update CHANGELOG [ci skip] (63b0076)

0.35.0-beta.1 (2020-01-13)

Update CHANGELOG [ci skip]

Documentation#

  • Incorporates changes from version v0.34.0-beta.1 [ci skip] (a8a62b4)
  • Incorporates changes from version v0.34.0-beta.1-2-g7516eed [ci skip] (eb82132)
  • Incorporates changes from version v0.34.0-beta.1-4-gee2b9e7 [ci skip] (d084c39)
  • Incorporates changes from version v0.34.0-beta.1-6-g6723fb8 [ci skip] (ebe89ab)

Unclassified#

  • Update CHANGELOG [ci skip] (f0e8ecf)

  • Update SDK (6a0a0f8)

  • Update upgrade guide (#337) (99e9877), closes #337

  • Update CHANGELOG [ci skip] (2e13a05)

  • Remove superfluous version from workflows (55037fa)

  • Update CHANGELOG [ci skip] (dfbc231)

  • Update SDK (65222d5)

  • Move to new SDK pipeline (#333) (6940dc8), closes #333

  • authn/cookie_session: Add subject_from modifier (#336) (6723fb8), closes #336:

    The subject_from modifier is a GJSON path that points to the subject field. Useful if the upstream API does not return a {"subject": "..."} format.

  • authn/cookie_session: Add extra_from modifier (#335) (ee2b9e7), closes #335:

    The extra_from modifier is a GJSON path that points to the extra field. Useful if the upstream API does not return a {"subject": "...", "extra": "..."} format.

  • pipeline/authn: Add tests for cookie sources in jwt and oauth2_intro (#330) (#331) (7516eed), closes #330 #331 #330:

    Also updates the schemas to add missing cookie config element.

0.34.0-beta.1 (2019-12-26)

Prepare v0.34.0-beta.1+oryOS.14 release

Documentation#

  • Incorporates changes from version v0.33.1-beta.1 [ci skip] (6681754)
  • Incorporates changes from version v0.33.1-beta.1-2-g4033321 [ci skip] (2764758)
  • Incorporates changes from version v0.33.1-beta.1-4-g7e6f636 [ci skip] (66ae8c8)

Unclassified#

  • Prepare v0.34.0-beta.1+oryOS.14 release (96f77b2)

  • pipe/err: Improve IP and MIME matching (#323) (7e6f636), closes #323:

    Previously, MIME matching respected the request's wildcards which led to multiple handlers feeling responsible for a particular request. Now, wildcards coming from the HTTP Request itself are interpreted literally.

    Additionally, ORY Oathkeeper respected the X-Forwarded-For HTTP Header for matching remote IP addresses. This behavior is now turned off by default because clients were able to fake this header otherwise. It can explicitly be turned on by setting config.when.#.request.remote_ip.RespectForwardedForHeader: true.

  • Add customizable error handlers (#322) (4033321), closes #322 #204 #252 #119:

    This patch adds a new feature called error handlers. It allows defining the error handling logic globally and per rule. It is now possible, for example, to return a JSON response for Accept: application/json requests and an HTTP Redirect response for requests that are coming from a user.

    This also resolves several issues, as noted below:
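Added example for the pipe/err entry (#323) above, not Oathkeeper's own code: a simplified remote-IP condition showing why trusting X-Forwarded-For is opt-in. The matcher type, its Match field and the sample addresses are assumptions; only the RespectForwardedForHeader name comes from the changelog.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// remoteIPMatcher is a hypothetical stand-in for an error handler's
// remote_ip condition.
type remoteIPMatcher struct {
	Match                     []string // CIDR ranges the handler applies to
	RespectForwardedForHeader bool     // off by default, as in the changelog
}

// candidateIPs returns the addresses the matcher is willing to consider.
// The TCP peer address is always used; header values only when opted in.
func (m remoteIPMatcher) candidateIPs(r *http.Request) []string {
	var ips []string
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		ips = append(ips, host)
	}
	if m.RespectForwardedForHeader {
		for _, v := range r.Header.Values("X-Forwarded-For") {
			for _, part := range strings.Split(v, ",") {
				if ip := strings.TrimSpace(part); ip != "" {
					ips = append(ips, ip)
				}
			}
		}
	}
	return ips
}

// Matches reports whether any considered address falls inside a configured range.
func (m remoteIPMatcher) Matches(r *http.Request) bool {
	candidates := m.candidateIPs(r)
	for _, cidr := range m.Match {
		_, network, err := net.ParseCIDR(cidr)
		if err != nil {
			continue // skip malformed ranges instead of matching everything
		}
		for _, c := range candidates {
			if ip := net.ParseIP(c); ip != nil && network.Contains(ip) {
				return true
			}
		}
	}
	return false
}

// spoofedRequest builds a constructed request: the TCP peer is an external
// documentation address, while the client-supplied header claims an internal one.
func spoofedRequest() *http.Request {
	r := &http.Request{RemoteAddr: "203.0.113.7:51234", Header: http.Header{}}
	r.Header.Set("X-Forwarded-For", "10.0.0.5")
	return r
}

func main() {
	internal := []string{"10.0.0.0/8"}
	r := spoofedRequest()
	fmt.Println("default:", remoteIPMatcher{Match: internal}.Matches(r))
	fmt.Println("header trusted:", remoteIPMatcher{Match: internal, RespectForwardedForHeader: true}.Matches(r))
}
```

Enabling the option is only sound when a proxy you control overwrites the header before the request reaches the matcher.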

0.33.1-beta.1 (2019-12-18)

docs: Incorporates changes from version v0.33.0-beta.1-12-g0dd3fe3 [ci skip]

Documentation#

  • Incorporates changes from version v0.33.0-beta.1 [ci skip] (a178031)
  • Incorporates changes from version v0.33.0-beta.1-10-g3e7936a [ci skip] (083b7eb)
  • Incorporates changes from version v0.33.0-beta.1-12-g0dd3fe3 [ci skip] (82c5253)
  • Incorporates changes from version v0.33.0-beta.1-6-gf60f525 [ci skip] (9870722)
  • Incorporates changes from version v0.33.0-beta.1-8-g815951b [ci skip] (d77b225)

Unclassified#

  • Add health check commands (#319) (0dd3fe3)

  • Properly merge env vars into pipeline configs (#320) (3e7936a), closes #320 #305 #317:

    Previously, some keys did not respect the values set in the environment variables.

  • Add alpine-based Docker image (#318) (815951b), closes #318 #312

  • Add more details to decision logging (#316) (f60f525), closes #316 #244 #242:

    Adds details such as the HTTP Method, User Agent, Subject, and other information to the logging output of both the reverse proxy and the decision API.

  • Health endpoints now emit TRACE logs (#314) (9036f8e), closes #283:

    Remove health endpoints from the logs to make monitoring easier. Setting log_level to trace will show these calls.

  • Improve session endpoint debuggability (#315) (2718639), closes #300

  • Resolve matcher cache (#313) (1519632), closes #291:

    A bug caused the rule matcher to not cache the regular expression result.

  • Use bearer splitting when header is set to Authorization (#311) (464fa31), closes #308

0.33.0-beta.1 (2019-12-16)

pipeline/mutator: Refactor hydrator retry config (#287)

Documentation#

  • Incorporates changes from version v0.32.1-beta.1 [ci skip] (98c9bf8)
  • Incorporates changes from version v0.32.1-beta.1-5-gf028719 [ci skip] (9f9c00c)

Unclassified#

  • pipeline/mutator: Refactor hydrator retry config (#287) (2a97e05), closes #287
  • Update README banner (#307) (f028719), closes #307
  • Add cookie as an option for oauth2_introspection authenticator (#301) (e3fa55a), closes #301
  • Add preserve_path option for cookie session to not override the path in the request (#297) (7e86b78), closes #297
  • Allow specifying additional headers for the oauth introspection request (#302) (b1e5cea), closes #302

0.32.1-beta.1 (2019-10-30)

docs: Incorporates changes from version v0.32.0-beta.1-13-g1910bbe [ci skip]

Documentation#

  • Add notes for 0.32.0 (40e3b89)
  • Incorporates changes from version v0.32.0-beta.1 [ci skip] (f3a0e53)
  • Incorporates changes from version v0.32.0-beta.1-11-g7892d2f [ci skip] (c41ecd4)
  • Incorporates changes from version v0.32.0-beta.1-13-g1910bbe [ci skip] (d45e1a0)
  • Incorporates changes from version v0.32.0-beta.1-3-g8cf6868 [ci skip] (2c8fbf7)
  • Incorporates changes from version v0.32.0-beta.1-9-g08d42da [ci skip] (6ce3344)

Unclassified#

  • pipeline/authz: Add Content-Type header in the call to Keto (#290) (1910bbe), closes #290

  • Revert incorrect license changes (7892d2f)

  • Revert readme changes to last working version (08d42da)

  • Remove obsolete section from README (aa8deef)

  • Fix broken readme headlines (2e8109a)

  • Auto-kill test runner after 10 retries (#286) (eaad598), closes #286

  • Update ory/x/viperx dependency (#285) (0ef3bce), closes #276 #270 #279 #280:

    This patch automatically binds environment variables to configuration keys. This patch resolves several issues:

  • Dereference config schema and resolve issues (#282) (8cf6868), closes #282 ory/docs#217 #234 #281

0.32.0-beta.1 (2019-10-20)

docs: Incorporates changes from version v0.31.0-beta.1 [ci skip]

Documentation#

  • Incorporates changes from version v0.31.0-beta.1 [ci skip] (dafc870)

0.31.0-beta.1 (2019-10-20)

docs: Incorporates changes from version v0.30.0-beta.1 [ci skip]

Documentation#

  • Incorporates changes from version v0.19.1-beta.1-2-g41869a9 [ci skip] (a44846b)
  • Incorporates changes from version v0.20.0-beta.1 [ci skip] (aaf801b)
  • Incorporates changes from version v0.30.0-beta.1 [ci skip] (ebd198a)

Unclassified#

  • pipeline/authn: Add token_from config to introspection and jwt (#271) (fc85ac8), closes #271 #257:

    Add additional optional configuration to the jwt and oauth2_introspection authenticators that allows setting where (which header or query parameter) the token should be received from. The configuration is a token_from field in the per-rule configuration, as described in a linked issue.

  • Add migration capabilities (#268) (bc74e72), closes #266:

    Adds the ability to modify rules with backwards compatibility.

  • Force auth style in oauth2 client credentials authn (#267) (97d7890), closes #260

  • Update UPGRADE.md (4e4bd93)

  • Update upgrade instructions (7483d1c)

  • Change error code from 403 to 401 (#259) (c17e564), closes #256

0.19.0-beta.1 (2019-09-23)

Fix id_token schema reference URL

Unclassified#

  • Fix id_token schema reference URL (72a2333)
  • Resolve broken tests (#262) (bc67cc1), closes #262
  • Homogenize configuration management (#258) (89709aa), closes #258
  • Fix #250: Ignore query parameters to build payload for Keto engine (#251) (d0fc7f4), closes #250 #251

0.18.0-beta.1 (2019-08-22)

mutator/id_token: Add claim templating (#246)

Documentation#

  • Incorporates changes from version v0.17.4-beta.1 (370eb37)
  • Incorporates changes from version v0.17.5-beta.1 (f7beddc)
  • Updates issue and pull request templates (#237) (6181ee5)
  • Updates issue and pull request templates (#238) (6f83cda)
  • Updates issue and pull request templates (#239) (2e0b3ef)
  • Updates issue and pull request templates (#245) (f140837)

Unclassified#

  • mutator/id_token: Add claim templating (#246) (591f524), closes #246
  • Add mutator for modifying authenticationSession with external API (#240) (b38b0f4), closes #240
  • Support multiple mutators per access rule (#233) (d21179d), closes #233
  • Add adopters placeholder (#236) (302c7b8)

0.17.4-beta.1 (2019-08-09)

Add sprig template library (#235)

Documentation#

  • Incorporates changes from version v0.17.3-beta.1 (b271ff2)
  • Updates issue and pull request templates (#232) (00c08ba)

Unclassified#

  • Add sprig template library (#235) (c85c540), closes #235

0.17.3-beta.1 (2019-08-03)

rule: Resolve k8s configmap reload issue (#231)

Documentation#

  • Incorporates changes from version v0.17.2-beta.1 (e652c3f)

Unclassified#

  • Resolve k8s configmap reload issue (#231) (c04547e)
  • Move back to scratch Docker image (3fa8a50)

0.17.2-beta.1 (2019-08-02)

rules: Support kubernetes configmap reloading (#230)

Documentation#

  • Incorporates changes from version v0.17.1-beta.1 (64d180f)
  • Updates issue and pull request templates (#226) (007d491)

Unclassified#

  • Support kubernetes configmap reloading (#230) (92b769b)

0.17.1-beta.1 (2019-07-23)

rule: Fix panic on send on closed channel (#225)

Closes #224

Documentation#

  • Incorporates changes from version v0.17.0-beta.1 (8f4a518)

Unclassified#

0.17.0-beta.1 (2019-07-18)

ci: Automate schema configuration sync

Continuous Integration#

  • Automate schema configuration sync (94bcc4f)

Documentation#

  • Incorporates changes from version v0.16.0-beta.5 (a8afc3b)
  • Update upgrade guide (a8ccb05)
  • Update upgrade guide (f727efe)

Unclassified#

  • Fix broken reload tests (d6059b7)

  • Remove useless function (3521a3d)

  • Validate configuration with JSON Schema (997427d)

  • Do not fatal when immutable value is changed (717d7f7)

  • Watch configuration and access rule changes (#217) (a078e89), closes #217:

    This patch allows Oathkeeper to reload any changes made to the configuration file and/or the access rules without a restart.

    Some configuration keys like serve., log., profiling however require a restart.

  • Create FUNDING.yml (d7da8e2)

  • Add support for rules in YAML format (#213) (67face6), closes #213:

    This commit adds support for defining access rules in YAML format, in addition to existing JSON format.

0.16.0-beta.5 (2019-06-28)

authenticator: Add cookie session authenticator (#211)

Documentation#

  • Incorporates changes from version v0.16.0-beta.4 (1e03ee2)

Unclassified#

  • Add cookie session authenticator (#211) (f8a66b7)

  • Add description into the name of subtest (#212) (230c332), closes #212

  • Use non-root user in image (#209) (2215126)

  • Remove binary license (#208) (3460d65), closes #208

  • Update config.yaml (#204) (effe9c0), closes #204:

    There's no DSN in oathkeeper

0.16.0-beta.4 (2019-05-28)

server: Properly declare negroni middleware (#200)

Previously, negroni.With was mistakenly used to add middleware onto the stack. The proper method however is negroni.Use.

This patch fixes the use of negroni.With and resolves issues around logging and the decisions endpoint.

Closes #199

Documentation#

  • Incorporates changes from version v0.16.0-beta.3 (d777ecf)
  • Updates issue and pull request templates (#196) (74fa27b)
  • Updates issue and pull request templates (#197) (31d057c)
  • Updates issue and pull request templates (#198) (244810a)

Unclassified#

  • Properly declare negroni middleware (#200) (9d3dc54), closes #199:

    Previously, negroni.With was mistakenly used to add middleware onto the stack. The proper method however is negroni.Use.

    This patch fixes the use of negroni.With and resolves issues around logging and the decisions endpoint.

0.16.0-beta.3 (2019-05-19)

ci: Use golang for docs task

Continuous Integration#

Documentation#

  • Incorporates changes from version v0.15.2 (7ceabe9)
  • Rename config.yml -> config.yaml (4faecbe)
  • Updates issue and pull request templates (#189) (367a48d)

Unclassified#

0.15.2 (2019-05-04)

cmd/client: Use json rawmessage for arbitrary payloads (#184)

Closes #182

Signed-off-by: Stanislav Zapolsky stszap@gmail.com

Documentation#

  • Incorporates changes from version v0.15.1 (5c34958)

Unclassified#

  • cmd/client: Use json rawmessage for arbitrary payloads (#184) (a55e4d1), closes #184 #182

0.15.1 (2019-04-29)

vendor: Add go.sum (#180)

Signed-off-by: aeneasr aeneas@ory.sh

Unclassified#

0.15.0 (2019-04-29)

docker: Remove full tag from build pipeline (#179)

Signed-off-by: aeneasr aeneas@ory.sh

Documentation#

  • Incorporates changes from version v0.0.0-testrelease.3 (44649b6)
  • Incorporates changes from version v0.14.2+oryOS.10 (2d9899a)
  • Update patrons (f423666)
  • Update README building-from-source part with the gomodule way (#152) (9d653f5), closes #149

Unclassified#

  • Remove full tag from build pipeline (#179) (e2edbf8)

  • Remove sdk dependencies to keto/hydra (#173) (b538e3c):

    This patch replaces code-generated SDKs with raw http.Client calls which reduces dependencies and makes future changes to the keto/hydra SDK easier to adapt to.

  • Update CHANGELOG.md (cbccbe2)

  • Ensure rule matcher is locked before updating (#159) (6fb7151):

    Lock CachedMatcher before rules are updated when HTTPMatcher refreshes to avoid concurrent map iteration and map write errors.

  • Improve debuggability of JWT authenticator (#156) (8441bd5)

  • Move to go-swagger SDK code generation (#170) (38c52a3), closes #165

  • Remove vendored dependencies after sdk generation (7c33ca8)

  • Set request headers for credential issuers (#169) (4fc579c), closes #120 #133

  • Update Dockerfile build instructions (ec40cc4)

  • Upgrade dependencies (#163) (f9fdefb)

  • Use scp,scope,scopes in jwt authenticator (#162) (eebc2f4), closes #138:

    Previously, the JWT authenticator only used the "scope" claim to retrieve scope values from a JWT. Now, "scp", "scope", "scopes" are supported as string arrays and strings separated by spaces.

0.14.2+oryOS.10 (2018-12-13)

ci: Fix docker push arguments in publish task

Signed-off-by: aeneasr aeneas@ory.sh

Continuous Integration#

  • Fix docker push arguments in publish task (62415a1)

0.14.1+oryOS.10 (2018-12-13)

ci: Fix docker release task

Signed-off-by: aeneasr aeneas@ory.sh

Continuous Integration#

0.14.0+oryOS.10 (2018-12-13)

ci: Fix circle misconfiguration

Signed-off-by: aeneasr aeneas@ory.sh

Continuous Integration#

  • Fix circle misconfiguration (a00ce64)

Documentation#

  • Adds gh templates & code of conduct (#78) (02361aa)
  • Adds link to examples repository (#79) (bfe96e9)
  • Align changelog, upgrade with new versions (#143) (751dfa3)
  • Clarify beyondcorp (3647958)
  • Clarify breaking change policy (6e6bb7e)
  • Fix broken link (#87) (828b33e)
  • Fix proxy help command description (#142) (c836cb0)
  • Fix typo in README. (#118) (3d33fcc)
  • Grammatical fix in stability sentence (#86) (ff0604d)
  • Improve some docs and update SDK (#135) (9a6901d)
  • Incorporates changes from version v0.11.12-1-gace7f34 (3a6450c)
  • Incorporates changes from version v0.11.12-10-g57ac174 (c594b7e)
  • Incorporates changes from version v0.11.12-13-gd00dfed (7c221fa)
  • Incorporates changes from version v0.11.12-15-g6604045 (2a594f4)
  • Incorporates changes from version v0.11.12-3-g7acfbca (ac34a58)
  • Incorporates changes from version v0.11.12-6-g181e9ac (01dda53)
  • Incorporates changes from version v1.0.0-beta.1 (788e96b)
  • Incorporates changes from version v1.0.0-beta.2-1-gd6eb440 (579f7a7)
  • Incorporates changes from version v1.0.0-beta.2-10-gef6e889 (38cfb31)
  • Incorporates changes from version v1.0.0-beta.2-12-g9b6c0df (82ac9b2)
  • Incorporates changes from version v1.0.0-beta.2-6-ged2f983 (d9737c8)
  • Incorporates changes from version v1.0.0-beta.2-8-g5495d4a (546828d)
  • Incorporates changes from version v1.0.0-beta.3-3-g3c0c862 (e1127a8)
  • Incorporates changes from version v1.0.0-beta.4-1-g643dbea (5c40f97)
  • Incorporates changes from version v1.0.0-beta.4-12-gbfe96e9 (756178a)
  • Incorporates changes from version v1.0.0-beta.4-17-gfa5388c (3d5df8b)
  • Incorporates changes from version v1.0.0-beta.4-19-g6d647d7 (b5539f4)
  • Incorporates changes from version v1.0.0-beta.4-3-g951da25 (8931b39)
  • Incorporates changes from version v1.0.0-beta.4-5-g83b591d (4f2c64b)
  • Incorporates changes from version v1.0.0-beta.4-7-gf450697 (8f904d2)
  • Incorporates changes from version v1.0.0-beta.4-9-g02361aa (5b34e91)
  • Incorporates changes from version v1.0.0-beta.5-1-g3647958 (2bcfb39)
  • Incorporates changes from version v1.0.0-beta.6-1-gff0604d (0c69154)
  • Incorporates changes from version v1.0.0-beta.6-3-g828b33e (c53f5b2)
  • Incorporates changes from version v1.0.0-beta.8 (92c09fb)
  • Incorporates changes from version v1.0.0-beta.9 (b9127f6)
  • Update documentation links (#144) (84131d2)
  • Update link to security console (26fdda1)
  • Update migration guide (b2e6d67)
  • Updates copyright notice (e58535d)
  • Updates issue and pull request templates (#126) (5991a92)
  • Updates issue and pull request templates (#127) (e4d0e26)
  • Updates link to open collective (25e0dee)
  • Updates links to docs (9dca7c0)
  • Updates links to docs (57ac174)
  • Updates newsletter link in README (97f1dea)
  • Updates readme TOC (3c0c862)
  • Updates README.md (1387f9f)
  • Updates TOC (9b6c0df)
  • Updates upgrade.me (0118f9f)

Unclassified#

  • Add ability to configure scope strategy (519a536)

  • Add cookies ci to handler factory (#103) (59aabfa)

  • Add cookies credentials issuer (032d88e)

  • Add endpoint for answering access requests directly (d211641), closes #42:

    This patch adds endpoint /judge to oathkeeper serve api. The /judge endpoint mimics the behavior of oathkeeper serve proxy but instead of forwarding the request to the upstream server, the endpoint answers directly with a HTTP response.

    The HTTP response returns status code 200 if the request should be allowed and any other status code (e.g. 401, 403) if not.

    Assuming you are making the following request:

    PUT /judge/my-service/whatever HTTP/1.1
    Host: oathkeeper-api:4456
    User-Agent: curl/7.54.0
    Authorization: bearer some-token
    Accept: */*
    Content-Type: application/json
    Content-Length: 0

    And you have a rule which allows token some-bearer to access PUT /my-service/whatever and you have a credentials issuer which does not modify the Authorization header, the response will be:

    HTTP/1.1 200 OK
    Authorization: bearer-sometoken
    Content-Length: 0
    Connection: Closed

    If the rule denies the request, the response will be, for example:

    HTTP/1.1 401 OK
    Content-Length: 0
    Connection: Closed

  • Add headers credentials issuer (b084c32)

  • Add http proxy timeout config (#132) (b3718ce):

    Add environment parameters (and description) to configure timeout settings of the server that handles proxy requests.

    It will help prevent a client connection from being closed unexpectedly if an upstream request takes longer than the default timeout.

  • Add JWT authenticator (61625bc)

  • Add NodeJS SDK (#94) (7505b71)

  • Adds ability to specify db url via env var in migrate (b2cc5d2)

  • Adds and improves metrics middleware (b0dfd97)

  • Adds log message when telemetry is active (ed2f983)

  • Adds validator for rules (#77) (f450697):

    This patch adds an input validator for rules which should prevent accidental typos or similar issues when creating a rule. Additionally, no invalid/unconfigured handlers (authorizers, credential issuers, authenticators) can be used.

  • Align TLS options with hydra (#114) (c763152)

  • Allow empty upstream in rules (e46065a)

  • Allow regex in match scheme (c6d17c5), closes #92

  • Allows connectivity to MySQL (fa5388c), closes #82

  • Authenticator noop should not bypass (6f8ab4f), closes #97

  • Convert AuthenticationSession to local struct type for better handling (b00b2a2)

  • Disable cors per default (#107) (c5ab0c3):

    This patch introduces CORS_ENABLED which defaults to "false".

  • Doesn't fatal if no ORY Hydra is unresponsive. (#66) (181e9ac), closes #65

  • Enables TLS option on serve api (#116) (83f1f84)

  • Expose all ORY Hydra ports in tests (691a72d)

  • Expose all ORY Hydra ports in tests (add70c6)

  • Fix checkResponse message typo (#106) (0d0e653)

  • Ignore query parameters when matching url in rules. (#139) (07eb99b)

  • Improve compatibility with ORY Hydra 1.0.0-beta.8 (#108) (296e012), closes #101:

    This patch improves compatibility with ORY Hydra 1.0.0-beta.8 and updates vendored dependencies.

  • Improve hydra integration tests (e8b7a58)

  • Improve refresh subroutines (cc33538)

  • Improves cors parsing (d00dfed)

  • Improves test set up (6b6bb88)

  • Include headers credential issuer in handler factory (0e1ef1b)

  • Introduce health and version endpoint (029c7ff)

  • Make subject configurable using go template (#129) (ee9dcdd)

  • More CredentialsIssuerHeaders tests (079171f)

  • Move headers into new config field (51eb9fb)

  • Properly document JWT refresh (#117) (2e024f9)

  • Properly handle conflicts on PUT and POST (83b591d), closes #38:

    Previously, PUT and POST did not result in errors (409) when non-existing resources were modified, or existing resources were created. This patch resolves that.

  • Refactors Oathkeeper into new ecosystem (#60) (7acfbca)

  • Refresh rules in api mode (08204e8)

  • Remove config flag (#111) (8385cbc), closes #110

  • Remove config flag (#111) (7de77b8), closes #110

  • Remove package.json from swagger dir (837d18c)

  • Resolve broken introspection scope setting (18837a9)

  • Resolve HS256 kid mismatch (6d647d7), closes #83

  • Resolves panic when network fails in "rules import" (078542a)

  • Streamlines https configuration variables (#124) (9f6f815), closes #121

  • Test for errors (585672e)

  • Test missing Extra field (a4d3d2d)

  • Test template caching/lookup (ab8a402)

  • Update keto to latest (3e2a8de)

  • Upgrade keto authorizer to 0.2.0 (#145) (bcd4836)

  • Support "scope" claim as a string in jwt authenticator (#137) (ab5240e), closes #137

  • Test nesting of various types (188748d)

  • Update rules stub (475f39a)

  • Upgrade superagent version (44ed240)

  • Use print funcmap function to override text/template print (76b2d9d)

  • Validate handler configurations (a558103)

  • Adds docker-compose example with postgres (84f1313)

  • Removes obsolete benchmark (3f259da)

  • Resolves an issue with cached matchers (951da25), closes #73:

    This patch resolves an issue where updates would not properly propagate. This caused deleted rules to still be available in the proxy.

  • Resolves issues with broken tests (6604045)

  • Resolves naming issues and updates readme (5495d4a)

  • Resolves potential panic in request handler (ef6e889)

  • Resolves recursive stack overflow (#81) (0594cda), closes #80

  • Reduces setup complexity by making strategies configurable (6626f8f), closes #71:

    This patch adds another ID Token signing algorithm (HS256) which is easier to set up as it does not rely on ORY Hydra but instead on a shared secret.

    Additionally, the ability to specify which ID Token signing algorithm to use has been added. Environment variables to configure the behaviour have been added as well.

    Further, the ORY Keto Warden Authorizer strategy is now optional and disabled when the environment variable AUTHORIZER_KETO_WARDEN_KETO_URL is empty.

  • Updates to ORY Hydra v1.0.0-beta.2 (e4c9f2e)

  • Tells linguist to ignore SDK files (ace7f34)

0.11.12 (2018-05-07)

Introduces new versioning number to match ORY Hydra

Documentation#

  • Adds automatic summary generation (#49) (20fefbc)

  • Adds edit on github links (95af1bb)

  • Adds license note to all source files (#51) (2c8ff2f)

  • Fixes redirect path (9bca2f3)

  • Moves documentation to new repository (#57) (a9f21f3)

  • Redirect to ory domain (0599e63)

  • Removes newline from swagger doc (5e297b3)

  • Removes stray line in api docs (bed1a04)

  • Removes summary plugin (ce06f4e)

  • Resolves broken policy and client definitions (#55) (4676f40), closes #53

  • Updates chat badge to discord (1bbac52)

  • Updates execution instructions (#56) (3bcfd8b):

    Adjusting run script to respect env variables

  • Updates README.md (#58) (bdb542f)

  • Updates swagger docs (5ea68c2)

Unclassified#

  • Introduces new versioning number to match ORY Hydra (75b5121)

  • Adds mock generation script (00b51b7)

  • Corrects logging typo (#52) (d415291):

    This corrects logging from 'oahtkeeper-proxy' to 'oathkeeper-proxy' in, e.g., the proxy latency logline.

  • Updates hydra sdk mock (2ff8032)

  • Updates hydra to 0.11.6 (ee969f6)

  • Updates license header (94a2ed2)

  • Use source file from vendor for mock generation (42517c6)

  • Uses Hydra v0.11.6 in tests (9c2cc89)

  • Adds license (cc13ae8)

  • Updates README.md (c9340dc)

0.0.29 (2017-12-19)

Adds use field to well known (#48)

Unclassified#

  • Adds use field to well known (#48) (f7353ea), closes #48

0.0.28 (2017-12-19)

Replaces key discovery with well-known feature (#46)

Closes #43

Unclassified#

  • Replaces key discovery with well-known feature (#46) (e343a61), closes #46 #43

0.0.27 (2017-12-12)

Adds cors capabilities to management server

Unclassified#

  • Adds cors capabilities to management server (6519846)

0.0.26 (2017-12-11)

Adds hydra.introspect to required tokens

Unclassified#

  • Adds hydra.introspect to required tokens (b66462a)
  • Fixes broken image link in docs (1aa2404)

0.0.25 (2017-11-28)

Add extra data from token introspection to session

Unclassified#

  • Add extra data from token introspection to session (ce8f9f2)

0.0.24 (2017-11-26)

Replaces LogError with direct error logging

Unclassified#

  • Replaces LogError with direct error logging (73994b8)
  • Upgrades vendor dependencies (4207aef)
  • Introduces telemetry module and adds documentation (c5a7f7a), closes #27 #34
  • Use oathkeeper public url as issuer (1e5ae00)

0.0.23 (2017-11-24)

Print formatted output string in rule management CLI (#35)

Documentation#

Unclassified#

  • Print formatted output string in rule management CLI (#35) (b14c74e), closes #35
  • Update docs and add tests (#32) (c6bf7d1), closes #32

0.0.22 (2017-11-20)

Renames bypass values for better clarity

Closes #13 Closes #29

Unclassified#

  • Renames bypass values for better clarity (46a717e), closes #13 #29

0.0.21 (2017-11-19)

Request hydra.keys scope and fix panic

Unclassified#

  • Request hydra.keys scope and fix panic (546b2cf)

0.0.20 (2017-11-18)

docs: Improve swagger documentation

Documentation#

  • Add developer guide link to readme (68be400)
  • Add install and run section (87f0700)
  • Fix table of contents in summary (fdb752b)
  • Improve swagger documentation (8f16a9b)
  • Wrote basic developer guide (952d27c)

Unclassified#

  • Replace shared secret with RSA key from Hydra for ID token signing (e7ed8ca)
  • Add rules management capabilities to the cli (289c38a)
  • Format cmd/serve (bc2e7c1)
  • Ignore gitbook output directory (580b94f)

0.0.19 (2017-11-13)

evaluator: Use full request URL

Unclassified#

0.0.18 (2017-11-13)

evaluator: Improve audit capabilities

Unclassified#

  • Improve audit capabilities (c952d21)
  • Resolve potential panic in token id generation (8fe9e9a), closes #22

0.0.17 (2017-11-12)

Introduces surrogate_id to SQLManager (#21)

Unclassified#

  • Introduces surrogate_id to SQLManager (#21) (fbe272f), closes #21

0.0.16 (2017-11-12)

Replace MatchesPath with MatchesURL (#20)

Unclassified#

  • Replace MatchesPath with MatchesURL (#20) (4ee776c), closes #20

0.0.15 (2017-11-09)

Add HTTPS capabilities and document proxy/management commands (#19)

Unclassified#

  • Add HTTPS capabilities and document proxy/management commands (#19) (98ef623), closes #19

0.0.14 (2017-11-07)

Make refresh_delay configurable and skip it on boot (#18)

Unclassified#

  • Make refresh_delay configurable and skip it on boot (#18) (4863a82), closes #18

0.0.13 (2017-11-07)

Store rules path match in plaintext (#17)

Unclassified#

  • Store rules path match in plaintext (#17) (6570b5d), closes #17

0.0.12 (2017-11-07)

Use ladon regex compiler for matches (#16)

Unclassified#

  • Use ladon regex compiler for matches (#16) (972a328), closes #16
  • Fix typo in circle-ci test-docker job (5618c30)
  • Run docker image in test (12b5f13)

0.0.11 (2017-11-06)

Move gatekeeper to $PATH in docker image

Unclassified#

  • Move gatekeeper to $PATH in docker image (81e5562)
  • Force docker version 17.10 in circle (3927a78)

0.0.10 (2017-11-06)

Add ssl certificates to scratch image

Unclassified#

  • Add ssl certificates to scratch image (56a3243)
  • Build static binary within docker (4d6d8bf)

0.0.9 (2017-11-06)

Build binary statically with CGO disabled

Unclassified#

  • Build binary statically with CGO disabled (6dd3761)

0.0.8 (2017-11-06)

Make oathkeeper binary executable#

Unclassified#

  • Make oathkeeper binary executable# (9e24888)

0.0.7 (2017-11-06)

Build oathekeeper docker image statically (#14)

  • Build oathekeeper docker image statically

  • Build oathekeeper docker image statically

Unclassified#

  • Build oathekeeper docker image statically (#14) (dbd2037), closes #14:

    • Build oathekeeper docker image statically

    • Build oathekeeper docker image statically

0.0.6 (2017-11-03)

Added serve all command

Unclassified#

0.0.5 (2017-11-01)

Remove goveralls from circle build

Unclassified#

  • Remove goveralls from circle build (8362e1c)
  • Add cors handling to proxy (84cec15)
  • Use circle ci build status badge (b776e05)
  • Use circle ci build status badge (65c4100)
  • Switch from glide to golang/dep for vendoring (ec63fa4)
  • Resolve tests by replacing nil slice (#7) (971d020), closes #7

0.0.4 (2017-10-21)

Return arrays instead of null on rule creation (#6)

Unclassified#

  • Return arrays instead of null on rule creation (#6) (02e88be), closes #6
  • Add circleci configuration file (#5) (76e58f2), closes #5

0.0.3 (2017-10-18)

Force linefeed for shell scripts

Unclassified#

  • Force linefeed for shell scripts (1e4fc77)
  • When introspection fails return unauthorized (f5295b4)

0.0.2 (2017-10-12)

cmd: remove unnecessary scope hydra.warden.*

Unclassified#

  • Add ability to skip acp checks (18facbb)
  • Remove unnecessary scope hydra.warden.* (2214498)

0.0.1 (2017-10-10)

travis: add goveralls report submission (#2)

Documentation#

Unclassified#




Unreleased (2021-06-24)

0.38.12-beta.1 (2021-06-22)

This release includes an important patch for a security vulnerability impacting the oauth2_introspection authenticator when caching is enabled. For more information please read the Security Advisory.

We strongly recommend upgrading to this version!

Apart from this fix some improvements have been added to reduce latencies when fetching JSON Web Keys and during oauth2_introspection pre-auth. Go templates can now access the incoming request headers.

Bug Fixes#

Code Generation#

  • Pin v0.38.12-beta.1 release commit (ae23224)

Features#

  • Ability to Configure Remote Authorizers to set Headers in AuthenticationSession (#717) (b3d117b):

    The remote authorizers may have useful context from the user's permissions. With this change, custom authorizers using remote and remote_json can return some useful headers to be forwarded into the AuthenticationSession, meaning that these headers will be passed to upstream services.

    For example, a user containing scopes/branches inside an organization profile has some level of data addressed to him. In this case, the upstream service needs to know that, and "filter" the data according to his "branch_id". The permission that is given to the user (and that the remote authorizer manages) has a record of the "branch_id", so the following responses will be returned with status code 200 (if granted) and will contain a header like X-Branch-Id.

    The upstream service receives the X-Branch-Id and does its thing.

    The configuration requires a list of "allowed headers" returned from the remote authorizer that will be accepted in the pipeline.

  • Add request header in match context (#719) (22b0dbe), closes #512

  • Improved JWT Authorizer JWKs fetching (#726) (5613f65), closes #203

Tests#

Unclassified#

0.38.11-beta.1 (2021-05-13)

This release primarily addresses issues in the SDK build pipeline.

Bug Fixes#

Code Generation#

  • Pin v0.38.11-beta.1 release commit (413393f)

Reverts#

  • Init introspect http client once (#714) (#722) (c58cbd9):

    This reverts commit e203ad14ac0e78909e7d42aa214c47a708a7c136.

0.38.10-beta.2 (2021-05-05)

This release improves the health status manager, cache management, improves JSON Web Token debuggability, and resolves other issues.

Bug Fixes#

  • Register makefile tasks (2832a77)
  • Resolve makefile issues (9df3b2a)
  • Set cost 1 when caching tokens with configurable max cost (#680) (8db0e9d)
  • Update shebangs to use bash from /usr/bin/env instead of /bin/ for better portability (#694) (e522062)

Code Generation#

  • Pin v0.38.10-beta.2 release commit (4b3403b)

Code Refactoring#

Documentation#

  • Add dotnet sdk (#683) (05ae925):

    • docs: add dotnet sdk

    • docs: add dotnet sdk versioned

  • Change forum to discussions readme (#690) (d942c04)

  • Consistent authz headers (#699) (19948e1):

    Removes the "Authorizer" prefix from a few of the authorizers to make them all consistent.

  • Fix typo (#696) (eda83f1)

  • Point to deny authz (#701) (4f01963), closes #700

Features#

  • Add health event manager and rules readiness probe (#674) (01d8588)

  • Add http method into session.MatchContext (#676) (e15a7a5), closes #625

  • Add support for requesting an audience to the OAuth2 Introspection pr… (#678) (2405810), closes #677

  • Additional JWT auth debug information (#681) (d08ab50), closes #668:

    JWT Claims added to error details field.

  • Adds audience into Extra at oAuth2 introspection (#480) (c9faecc)

  • Global docs sidebar and added cloud pages (#705) (f67241f)

0.38.9-beta.1 (2021-03-17)

This release adds support for X-Forwarded-Proto, passes tracing contexts to downstream requests, bumps Go to 1.16, and resolves issues preventing the log level from being set to trace level. Additionally included are improvements to the overall tracing set up, a cookie authenticator bugfix, and a bugfix for glob pattern matching.

Code Generation#

  • Pin v0.38.9-beta.1 release commit (9ad41f0)

0.38.9-beta.1.pre.3 (2021-03-16)

autogen: pin v0.38.9-beta.1.pre.3 release commit

Bug Fixes#

  • Make glob patterns match only one path segment. (#664) (c711aac), closes #630:

    This makes "/" also a separator as well as the presumably default value of ".". This allows using <*> for matching only one path segment.

Code Generation#

  • Pin v0.38.9-beta.1.pre.3 release commit (7725554)

0.38.9-beta.1.pre.2 (2021-03-15)

autogen: pin v0.38.9-beta.1.pre.2 release commit

Code Generation#

  • Pin v0.38.9-beta.1.pre.2 release commit (9695b77)

0.38.9-beta.1.pre.1 (2021-03-15)

autogen: pin v0.38.9-beta.1.pre.1 release commit

Bug Fixes#

  • Resolve goreleaser issues and bump golang (7291df9)

Code Generation#

  • Pin v0.38.9-beta.1.pre.1 release commit (7afdc40)

Unclassified#

  • Add missing documentation for oauth2_introspection (#648) (34cf38c), closes #549

0.38.8-beta.1 (2021-02-25)

Improves tracing set up and addresses a bug in the cookie authenticator.

Bug Fixes#

  • Ignore cookie auth when no cookies set (c84d880)

Code Generation#

  • Pin v0.38.8-beta.1 release commit (2943e9a)

Unclassified#

  • Formatting (546691b)
  • Add tracing to outbound oauth introspection requests (daf44cb)

0.38.7-beta.1 (2021-02-22)

This release adds support for X-Forwarded-Proto, passes context for tracing to downstream requests, bumps Go to 1.16 and resolves issues preventing the log level from being set to trace level.

Bug Fixes#

  • Accept lower and uppercase in bearer token handler (6e46d4a)

  • Add support for X-Forwarded-Proto header (#638) (6eb83fd), closes #153

  • Pass context through to external requests (#627) (ee25197):

    Enables proper tracing through Jaeger etc

  • Update goreleaser config (9689f45)

  • Update log schema (78e654d)

Code Generation#

  • Pin v0.38.7-beta.1 release commit (3b37928)

Features#

0.38.6-beta.1 (2021-01-27)

We are happy to announce Dart and Rust SDKs for Ory Oathkeeper! Additionally, a new bearer_token authenticator has been added.

Code Generation#

  • Pin v0.38.6-beta.1 release commit (a0c4d7f)

Documentation#

  • Add Rust and Dart SDKs (1524fed):

    We now support Rust and Dart SDKs!

  • Fix js npm links (#634) (c339fee)

  • Rename index documents (7de0ac3)

Features#

  • Add bearer_token authenticator (#613) (b623ae7):

    Adds a new authenticator to work with Kratos' new API token. Works the same as the cookie_session authenticator but checks for a bearer token in the Authorization header (unless overwritten by token_from)

0.38.5-beta.1 (2020-12-10)

The ORY Community is proud to present you the next iteration of ORY Oathkeeper. In this release, we focused on improving production stability and resolved several pesky bugs!

Bug Fixes#

  • Check content-length header in lowercase (#530) (a68fc8a):

    Issue #422 didn't fix the problem with the requests' Content-Length being copied in the responses because the check was case-sensitive and unit tests didn't cover it.

  • Never construct id token claim templates in parallel (#552) (4f504d9), closes #551

  • Remove token_type validation from introspection handler (#556) (b18d90a), closes #553

  • Support windows file paths (#557) (6a05682), closes #514 #332

  • Update dd-trace to fix build (2e571fa)

Code Generation#

  • Pin v0.38.5-beta.1 release commit (f4a04da)

Documentation#

Features#

  • Forward original authorization header when using remote (json) authorizer (#554) (f4f781e), closes #528
  • Use google/go-cloud to fetch rules and credentials from object storage (#562) (666b951), closes #518 #518

Unclassified#

0.38.4-beta.1 (2020-09-28)

This release stabilizes several features and resolves a couple of bugs.

Bug Fixes#

  • Add tests in error_redirect_test.go (#522) (24bdd9b):

    Increased test coverage to cover all three valid scenarios: http absolute, https absolute, relative. Explicitly checked the Location path to ensure that the correct URI scheme was returned.

  • Deprecated key in goreleaser config (2a4f901)

  • Ignore x/net false positives (bc8a32c)

  • Misleading HTTP status code for oauth2_client_credentials authenticator (#504) (0f65631), closes #496

Code Generation#

  • Pin v0.38.4-beta.1 release commit (1c997b2)

Documentation#

  • Fix broken links (dd3bfbe)

  • Fix OAuth2 Introspect Authn Config Documentation (#498) (7612e20):

    Switch the definitions for the pre-authorisation fields 'scope' and 'token endpoint' in the documentation.

  • Fix sidebar (28247fc)

  • Guide for integrating with ORY Hydra (#497) (e1b1751)

  • Move development section (582a4d0)

  • Move to json sidebar (b67230d)

  • Remove duplicate template (01550b4)

  • Update repository templates (2aaf766)

  • Update repository templates (#506) (cb53d79)

Features#

  • Add and automate version schema (7ab4012)

  • Add url_param config option to redirect error handler. (#520) (b5bb3bc), closes #511:

    This change introduces a url_param config option for the redirect error handler. If it contains a URL parameter name, the redirect URL will have this parameter set, containing the current URL (from which Oathkeeper has redirected the user).

    This can be useful in passing the return_to URL to Kratos, so the user can be redirected to the page they initially wanted to access after a successful sign in.

  • Log invalid credentials on info level instead of error/warning (#517) (a372b5f), closes #505

  • Use uri-reference for errors redirect to allow relative urls (#516) (0d39674)

Unclassified#

0.38.3-beta.1 (2020-07-29)

This release addresses several configuration bugs and resolves a potential panic.

Bug Fixes#

Code Generation#

  • Pin v0.38.3-beta.1 release commit (1f754a9)

Documentation#

  • Delete old redirect homepage (a1a4610)
  • Fix access rule example (739f179)
  • Fix api access rule example (#460) (c75cd97)
  • Update repository templates (edffc2e)
  • Update repository templates (7af8749)
  • Use central banner repo for README (04fe00c)
  • Use mdx for api reference (368f073)

Features#

  • Improve configurability of prometheus metrics (#450) (ddcb226), closes #446
  • Pass query parameters to the hydrators (#479) (48603a1)

0.38.2-beta.1 (2020-05-25)

This patch makes timeouts configurable for oauth2_client_credentials and the reverse proxy and additionally allows prometheus to be configured.

Bug Fixes#

  • Move prometheus validation stanza to local schema (#437) (dcf3e14), closes #438

Chores#

  • Pin v0.38.2-beta.1 release commit (0de2682)

Documentation#

Features#

  • Add configurable timeouts to API server (#440) (0dc6292)
  • Timeout config for oauth2_client_credentials (#443) (2462fa3), closes #442

0.38.1-beta.1 (2020-05-08)

Caching in the hydrator mutator has been improved. Please use cache.enable=true if you intend to use the hydrator.

Bug Fixes#

  • Improve caching strategy and config for hydrator (#433) (0047054):

    To enable the hydrator cache you must now use the cache.enabled property. Also, the cache key strategy has been improved.

Chores#

  • Pin v0.38.1-beta.1 release commit (20f439d)

0.38.0-beta.2 (2020-05-07)

This release introduces Prometheus support, a new remote authorizer, caching, and several bugfixes!

No backwards incompatible changes have been introduced.

Bug Fixes#

  • Add old schemas to resolve issues with old versions (b94c391), closes #400

  • Don't copy the decision endpoint request's Content-Length (#422) (0e99045):

    We currently copy all original request headers sent to the decision endpoint back. This can include the Content-Length header which describes the request body or response. Including the original request Content-Length causes issues for the decision endpoint client if the response body doesn't match the exact size.

    This change makes sure the Content-Length doesn't get included in the response body and adds a test to prevent future regressions.

  • Respect retry in token introspection (#410) (88f7b69)

  • Update install.sh script (#429) (2d2eded)

  • Use pipe to pass body remote authorizer (#426) (1a44087):

    Resolves flaky tests.

  • Use semver-regex replacer func (a13cdf5)

Chores#

  • Pin v0.38.0-beta.2 release commit (73d36cd)

Code Refactoring#

Documentation#

Features#

  • Add cache to hydrator (#418) (1ae6e7a), closes #417:

    This patch introduces new configuration parameters that allow the hydrator mutator to cache requests.

  • Add new remote authorizer that uses request body and headers (#416) (3a20637):

    This pull request implements a new authorizer that sends the original request body as body to the remote endpoint. This allows the remote endpoint to take the body into account in its decision.

    The current remote_json authorizer does not have the ability to send the request body of the request to authorize. This means this cannot be taken into account while checking permissions.

    Providing the request body as part of the JSON payload won't always work as JSON cannot handle binary data.

  • Add prometheus docs (#427) (117ee6a)

  • Add prometheus endpoint providing basic request metrics (#404) (fdaed46):

    This patch adds basic prometheus metrics. The prometheus metrics are exposed at the default prometheus exporter port 9000 and are configurable with:

        serve:
          prometheus:
            port: 9000
            host: localhost
            metrics_path: /metrics

  • Oauth2_introspect cache introspection results (#424) (d4557ae), closes #293

0.37.1-beta.1 (2020-04-03)

chore: replace segment with ory fork (#391)

Chores#

Documentation#

  • Regenerate and update changelog (4e251e9)

0.37.0-beta.1 (2020-04-02)

docs: document v0.36 and v0.37

Breaking Changes#

This feature allows the regex capture groups from the URL matcher to be used in several places, including the ID Token generator and elsewhere. To get this working, existing keto_engine_acp_ory authorizers are no longer able to use regex substitution in the form of my:action:$1 but instead must use the new format which is {{ printIndex .MatchContext.RegexpCaptureGroups 0}} (notice that the index changed by -1). A rule migrator exists which makes old rules compatible with the new format, if a version string is given. More details on the rule migration can be found here: https://github.com/ory/oathkeeper/pull/358/commits/fd16ceb230a1b14ebb01a147d2d70acce77f9fbd#diff-6177fb19f1b7d7bc392f5062b838df15
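
The index shift in this breaking change, as an added example (not Oathkeeper's own rule migrator): it rewrites old $N references into the new template form and renders the result against constructed capture groups, so an off-by-one in an authorization action string is visible. The function names, the local printIndex stand-in, the refusal of $0, and the sample URL and pattern are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"text/template"
)

// legacyRef matches old-style substitution tokens such as $1 or $2.
var legacyRef = regexp.MustCompile(`\$(\d+)`)

// MigrateLegacySubstitution rewrites "$N" into the template form quoted in
// the release note. N is 1-based in the old format and 0-based in the new
// one, so every index shifts by -1. Assumption of this example: "$0" has no
// 0-based equivalent and is rejected instead of being rewritten.
func MigrateLegacySubstitution(s string) (string, error) {
	var firstErr error
	out := legacyRef.ReplaceAllStringFunc(s, func(tok string) string {
		n, err := strconv.Atoi(tok[1:])
		if err != nil || n < 1 {
			if firstErr == nil {
				firstErr = fmt.Errorf("cannot migrate %q: no 0-based equivalent", tok)
			}
			return tok
		}
		return fmt.Sprintf("{{ printIndex .MatchContext.RegexpCaptureGroups %d}}", n-1)
	})
	if firstErr != nil {
		return "", firstErr
	}
	return out, nil
}

// Minimal stand-ins for the data the template is rendered against.
type matchContext struct{ RegexpCaptureGroups []string }
type session struct{ MatchContext matchContext }

// printIndex is a local stand-in for the template helper named in the
// release note. Returning "" when the index is out of range is an
// assumption of this example.
func printIndex(groups []string, i int) string {
	if i < 0 || i >= len(groups) {
		return ""
	}
	return groups[i]
}

// Render matches url against pattern, exposes the capture groups without
// the whole-match element (hence 0-based), and executes the template.
func Render(tmplText, pattern, url string) (string, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return "", err
	}
	m := re.FindStringSubmatch(url)
	if m == nil {
		return "", fmt.Errorf("url %q does not match rule pattern", url)
	}
	t, err := template.New("action").
		Funcs(template.FuncMap{"printIndex": printIndex}).
		Parse(tmplText)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	s := session{MatchContext: matchContext{RegexpCaptureGroups: m[1:]}}
	if err := t.Execute(&b, s); err != nil {
		return "", err
	}
	return b.String(), nil
}

func main() {
	// Constructed sample rule pattern and request URL.
	pattern := `^https://api\.example\.test/users/([0-9]+)/(read|write)$`
	url := "https://api.example.test/users/42/read"

	migrated, err := MigrateLegacySubstitution("my:action:$1")
	if err != nil {
		panic(err)
	}
	action, err := Render(migrated, pattern, url)
	if err != nil {
		panic(err)
	}
	fmt.Println(migrated)
	fmt.Println(action)

	// Keeping the old index (1) after the format change selects the second
	// group, so the authorizer would be asked about a different action.
	wrong, _ := Render("my:action:{{ printIndex .MatchContext.RegexpCaptureGroups 1}}", pattern, url)
	fmt.Println(wrong)
}
```
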

Bug Fixes#

  • Add rule id to malformed configuration log error (#386) (7688a8d)

  • Disable test that fails with low cache hit rate (#372) (5414dda), closes #371

  • Improve id_token performance with caching (#367) (47e9fee), closes #364

  • Load config file only in serve command (#365) (68c8546)

  • Replace segment with our own sqa endpoint (#385) (8f63eda)

  • SendOAuth2 introspection scope only when strategy is none (#379) (5e0c8dc), closes #377:

    This patch removes the scope key from the OAuth2 Introspection request body when a scope strategy other than none is set for the OAuth2 Introspection handler. If the scope strategy is none, the scope key is included in the body.

  • Token expiration error in tests (#390) (9c07a73)

  • docker: Improve docker-compose example (#325) (1247381), closes #324:

    Add a new file 'Dockerfile-dc' which will primarily be used by Docker Compose to build docker images. Unlike the existing Dockerfile which depends on the Makefile to build the binary, this Dockerfile copies the source code and builds the binary.

    Oathkeeper has gone through a couple of changes since the initial draft of the docker compose file, considering these changes and the newly introduced Dockerfile in the previous commit, make these changes to the docker-compose.yml:

    1. Bump the version of the compose file to 3.
    2. Remove the need for the postgres database app, since Oathkeeper no longer needs a database.
    3. Remove the need for the migration app, since we no longer need to migrate since there is no database and the option is deprecated.
    4. Use the newly defined Dockerfile 'Dockerfile-dc'.
    5. We now serve both API and PROXY from the same app, so we don't need two instances of the app.
    6. Add sample config, rules and JWK files to .docker_compose, mount this via a volume mount.

Documentation#

  • Change link to Developer Install Guide (#369) (f7fe46f):

    Changing the link to the Developer Documentation - it was pointing to Keto and not to Oathkeeper.

  • Document v0.36 and v0.37 (a176c73)

  • Fix examples for some JSON Schema config keys (#363) (aeeb353)

  • Regenerate and update changelog (9417e2c)

  • Regenerate and update changelog (b817037)

  • Regenerate and update changelog (33a5524)

  • Regenerate and update changelog (888b7a6)

  • Regenerate and update changelog (36faa3b)

  • Regenerate and update changelog (32b6059)

  • Regenerate and update changelog (ba4de09)

  • Regenerate and update changelog (a76f749)

  • Regenerate and update changelog (1789d00)

  • Regenerate and update changelog (0dfc608)

  • Regenerate and update changelog (b23c79a)

  • Regenerate and update changelog (2117171)

  • Regenerate and update changelog (38c9e19)

  • Regenerate and update changelog (e3eda75)

  • Regenerate and update changelog (e7d70f7)

  • Regenerate and update changelog (874b7a9)

  • Regenerate and update changelog (6b1d94b)

  • Regenerate and update changelog (cb38415)

  • Regenerate and update changelog (bec6af0)

  • Update forum and chat links (d9eed10)

  • Update README.md (#375) (313d2fe), closes #374:

    Fixed link to Envoy configuration page and added link to AWS API Gateway.

  • Updates issue and pull request templates (#382) (484c406)

Features#

0.36.0-beta.4 (2020-02-14)

docs: Regenerate and update changelog

Bug Fixes#

  • goreleaser: Update brew section (46fb3da)

Documentation#

  • Regenerate and update changelog (95a7c09)

0.36.0-beta.1 (2020-02-05)

docs: Regenerate and update changelog

Documentation#

  • Prepare ecosystem automation (81ea56b)
  • Regenerate and update changelog (b71e48c)
  • Regenerate and update changelog (4f22e42)
  • Regenerate and update changelog (23e053f)
  • Updates issue and pull request templates (#355) (f9251ed)

Features#

  • ci: Add nancy vuln scanner (#354) (de36e40)

  • rule: Add glob matching strategy (#334) (5f983ab), closes #321:

    This patch adds the ability to choose a matching strategy and adds a glob-based matching strategy to the available options (regex is still the default).

Unclassified#

  • Update CHANGELOG [ci skip] (8278b9d)
  • Update CHANGELOG [ci skip] (17f78b7)
  • Update CHANGELOG [ci skip] (d6f6925)
  • Update CHANGELOG [ci skip] (0e109ce)

0.35.5-beta.2 (2020-01-31)

Update README.md

Unclassified#

0.35.5-beta.1 (2020-01-27)

Hash enabled check to further improve performance (#353)

Unclassified#

  • Hash enabled check to further improve performance (#353) (19099cb), closes #353
  • Update CHANGELOG [ci skip] (6afdeae)
  • Update CHANGELOG [ci skip] (3226ae6)

0.35.4-beta.1 (2020-01-26)

Update release pipeline and tests (#351)

Unclassified#

  • Update release pipeline and tests (#351) (c7d81a9), closes #351

0.35.3-beta.1 (2020-01-26)

Update CHANGELOG [ci skip]

Documentation#

  • Updates issue and pull request templates (#341) (eca2652)

Unclassified#

  • Update CHANGELOG [ci skip] (518b765)
  • Update SDK (5e619a0)
  • Cache pipeline config and improve request latency (#348) (95673ed), closes #346
  • Update CHANGELOG [ci skip] (495adcf)
  • Use integer instead of number in config JSON schema (280b42f)
  • Update CHANGELOG [ci skip] (b72965f)
  • Update SDK (aedabd9)
  • Set min/max for port range in config JSON Schema (#345) (d7d696f), closes #345
  • Update CHANGELOG [ci skip] (8e4d58c)
  • Fix profiling env variable not being picked up (#343) (29b0cf1), closes #343
  • Update CHANGELOG [ci skip] (e7a5d89)
  • Update CHANGELOG [ci skip] (abc00d4)
  • Update SDK (a237c29)
  • Update broken links in README (78e498c)

0.35.1-beta.1 (2020-01-14)

Update CHANGELOG [ci skip]

Unclassified#

  • Update CHANGELOG [ci skip] (63b0076)

0.35.0-beta.1 (2020-01-13)

Update CHANGELOG [ci skip]

Documentation#

  • Incorporates changes from version v0.34.0-beta.1 [ci skip] (a8a62b4)
  • Incorporates changes from version v0.34.0-beta.1-2-g7516eed [ci skip] (eb82132)
  • Incorporates changes from version v0.34.0-beta.1-4-gee2b9e7 [ci skip] (d084c39)
  • Incorporates changes from version v0.34.0-beta.1-6-g6723fb8 [ci skip] (ebe89ab)

Unclassified#

  • Update CHANGELOG [ci skip] (f0e8ecf)

  • Update SDK (6a0a0f8)

  • Update upgrade guide (#337) (99e9877), closes #337

  • Update CHANGELOG [ci skip] (2e13a05)

  • Remove superfluous version from workflows (55037fa)

  • Update CHANGELOG [ci skip] (dfbc231)

  • Update SDK (65222d5)

  • Move to new SDK pipeline (#333) (6940dc8), closes #333

  • authn/cookie_session: Add subject_from modifier (#336) (6723fb8), closes #336:

    The subject_from modifier is a GJSON path that points to the subject field. Useful if the upstream API does not return a {"subject": "..."} format.

  • authn/cookie_session: Add extra_from modifier (#335) (ee2b9e7), closes #335:

    The extra_from modifier is a GJSON path that points to the extra field. Useful if the upstream API does not return a {"subject": "...", "extra": "..."} format.

  • pipeline/authn: Add tests for cookie sources in jwt and oauth2_intro (#330) (#331) (7516eed), closes #330 #331 #330:

    Also updates the schemas to add missing cookie config element.

0.34.0-beta.1 (2019-12-26)

Prepare v0.34.0-beta.1+oryOS.14 release

Documentation#

  • Incorporates changes from version v0.33.1-beta.1 [ci skip] (6681754)
  • Incorporates changes from version v0.33.1-beta.1-2-g4033321 [ci skip] (2764758)
  • Incorporates changes from version v0.33.1-beta.1-4-g7e6f636 [ci skip] (66ae8c8)

Unclassified#

  • Prepare v0.34.0-beta.1+oryOS.14 release (96f77b2)

  • pipe/err: Improve IP and MIME matching (#323) (7e6f636), closes #323:

    Previously, MIME matching respected the request's wildcards, which led to multiple handlers feeling responsible for a particular request. Now, wildcards coming from the HTTP Request itself are interpreted literally.

    Additionally, ORY Oathkeeper respected the X-Forwarded-For HTTP Header for matching remote IP addresses. This behavior is now turned off by default because clients were able to fake this header otherwise. It can explicitly be turned on by setting config.when.#.request.remote_ip.RespectForwardedForHeader: true.

  • Add customizable error handlers (#322) (4033321), closes #322 #204 #252 #119:

    This patch adds a new feature called error handlers. It allows defining the error handling logic globally and per rule. It is now possible, for example, to return a JSON response for Accept: application/json requests and an HTTP Redirect response for requests that are coming from a user.

    This also resolves several issues, as noted below:

0.33.1-beta.1 (2019-12-18)

docs: Incorporates changes from version v0.33.0-beta.1-12-g0dd3fe3 [ci skip]

Documentation#

  • Incorporates changes from version v0.33.0-beta.1 [ci skip] (a178031)
  • Incorporates changes from version v0.33.0-beta.1-10-g3e7936a [ci skip] (083b7eb)
  • Incorporates changes from version v0.33.0-beta.1-12-g0dd3fe3 [ci skip] (82c5253)
  • Incorporates changes from version v0.33.0-beta.1-6-gf60f525 [ci skip] (9870722)
  • Incorporates changes from version v0.33.0-beta.1-8-g815951b [ci skip] (d77b225)

Unclassified#

  • Add health check commands (#319) (0dd3fe3)

  • Properly merge env vars into pipeline configs (#320) (3e7936a), closes #320 #305 #317:

    Previously, some keys did not respect the values set in the environment variables.

  • Add alpine-based Docker image (#318) (815951b), closes #318 #312

  • Add more details to decision logging (#316) (f60f525), closes #316 #244 #242:

    Adds details such as the HTTP Method, User Agent, Subject, and other information to the logging output of both the reverse proxy and the decision API.

  • Health endpoints now emit TRACE logs (#314) (9036f8e), closes #283:

    Remove health endpoints from the logs to make monitoring easier. Setting log_level to trace will show these calls.

  • Improve session endpoint debuggability (#315) (2718639), closes #300

  • Resolve matcher cache (#313) (1519632), closes #291:

    A bug caused the rule matcher to not cache the regular expression result.

  • Use bearer splitting when header is set to Authorization (#311) (464fa31), closes #308

0.33.0-beta.1 (2019-12-16)

pipeline/mutator: Refactor hydrator retry config (#287)

Documentation#

  • Incorporates changes from version v0.32.1-beta.1 [ci skip] (98c9bf8)
  • Incorporates changes from version v0.32.1-beta.1-5-gf028719 [ci skip] (9f9c00c)

Unclassified#

  • pipeline/mutator: Refactor hydrator retry config (#287) (2a97e05), closes #287
  • Update README banner (#307) (f028719), closes #307
  • Add cookie as an option for oauth2_introspection authenticator (#301) (e3fa55a), closes #301
  • Add preserve_path option for cookie session to not override the path in the request (#297) (7e86b78), closes #297
  • Allow specifying additional headers for the oauth introspection request (#302) (b1e5cea), closes #302

0.32.1-beta.1 (2019-10-30)

docs: Incorporates changes from version v0.32.0-beta.1-13-g1910bbe [ci skip]

Documentation#

  • Add notes for 0.32.0 (40e3b89)
  • Incorporates changes from version v0.32.0-beta.1 [ci skip] (f3a0e53)
  • Incorporates changes from version v0.32.0-beta.1-11-g7892d2f [ci skip] (c41ecd4)
  • Incorporates changes from version v0.32.0-beta.1-13-g1910bbe [ci skip] (d45e1a0)
  • Incorporates changes from version v0.32.0-beta.1-3-g8cf6868 [ci skip] (2c8fbf7)
  • Incorporates changes from version v0.32.0-beta.1-9-g08d42da [ci skip] (6ce3344)

Unclassified#

  • pipeline/authz: Add Content-Type header in the call to Keto (#290) (1910bbe), closes #290

  • Revert incorrect license changes (7892d2f)

  • Revert readme changes to last working version (08d42da)

  • Remove obsolete section from README (aa8deef)

  • Fix broken readme headlines (2e8109a)

  • Auto-kill test runner after 10 retries (#286) (eaad598), closes #286

  • Update ory/x/viperx dependency (#285) (0ef3bce), closes #276 #270 #279 #280:

    This patch automatically binds environment variables to configuration keys. This patch resolves several issues:

  • Dereference config schema and resolve issues (#282) (8cf6868), closes #282 ory/docs#217 #234 #281

0.32.0-beta.1 (2019-10-20)

docs: Incorporates changes from version v0.31.0-beta.1 [ci skip]

Documentation#

  • Incorporates changes from version v0.31.0-beta.1 [ci skip] (dafc870)

0.31.0-beta.1 (2019-10-20)

docs: Incorporates changes from version v0.30.0-beta.1 [ci skip]

Documentation#

  • Incorporates changes from version v0.19.1-beta.1-2-g41869a9 [ci skip] (a44846b)
  • Incorporates changes from version v0.20.0-beta.1 [ci skip] (aaf801b)
  • Incorporates changes from version v0.30.0-beta.1 [ci skip] (ebd198a)

Unclassified#

  • pipeline/authn: Add token_from config to introspection and jwt (#271) (fc85ac8), closes #271 #257:

    Add additional optional configuration to the jwt and oauth2_introspection authenticators that allows setting where (which header or query parameter) the token should be received from. The configuration is a token_from field in the per-rule configuration, as described in a linked issue.

  • Add migration capabilities (#268) (bc74e72), closes #266:

    Adds the ability to modify rules with backwards compatibility.

  • Force auth style in oauth2 client credentials authn (#267) (97d7890), closes #260

  • Update UPGRADE.md (4e4bd93)

  • Update upgrade instructions (7483d1c)

  • Change error code from 403 to 401 (#259) (c17e564), closes #256

0.19.0-beta.1 (2019-09-23)

Fix id_token schema reference URL

Unclassified#

  • Fix id_token schema reference URL (72a2333)
  • Resolve broken tests (#262) (bc67cc1), closes #262
  • Homogenize configuration management (#258) (89709aa), closes #258
  • Fix #250: Ignore query parameters to build payload for Keto engine (#251) (d0fc7f4), closes #250 #251

0.18.0-beta.1 (2019-08-22)

mutator/id_token: Add claim templating (#246)

Documentation#

  • Incorporates changes from version v0.17.4-beta.1 (370eb37)
  • Incorporates changes from version v0.17.5-beta.1 (f7beddc)
  • Updates issue and pull request templates (#237) (6181ee5)
  • Updates issue and pull request templates (#238) (6f83cda)
  • Updates issue and pull request templates (#239) (2e0b3ef)
  • Updates issue and pull request templates (#245) (f140837)

Unclassified#

  • mutator/id_token: Add claim templating (#246) (591f524), closes #246
  • Add mutator for modifying authenticationSession with external API (#240) (b38b0f4), closes #240
  • Support multiple mutators per access rule (#233) (d21179d), closes #233 #233
  • Add adopters placeholder (#236) (302c7b8)

0.17.4-beta.1 (2019-08-09)

Add sprig template library (#235)

Documentation#

  • Incorporates changes from version v0.17.3-beta.1 (b271ff2)
  • Updates issue and pull request templates (#232) (00c08ba)

Unclassified#

  • Add sprig template library (#235) (c85c540), closes #235

0.17.3-beta.1 (2019-08-03)

rule: Resolve k8s configmap reload issue (#231)

Documentation#

  • Incorporates changes from version v0.17.2-beta.1 (e652c3f)

Unclassified#

  • Resolve k8s configmap reload issue (#231) (c04547e)
  • Move back to scratch Docker image (3fa8a50)

0.17.2-beta.1 (2019-08-02)

rules: Support kubernetes configmap reloading (#230)

Documentation#

  • Incorporates changes from version v0.17.1-beta.1 (64d180f)
  • Updates issue and pull request templates (#226) (007d491)

Unclassified#

  • Support kubernetes configmap reloading (#230) (92b769b)

0.17.1-beta.1 (2019-07-23)

rule: Fix panic on send on closed channel (#225)

Closes #224

Documentation#

  • Incorporates changes from version v0.17.0-beta.1 (8f4a518)

Unclassified#

0.17.0-beta.1 (2019-07-18)

ci: Automate schema configuration sync

Continuous Integration#

  • Automate schema configuration sync (94bcc4f)

Documentation#

  • Incorporates changes from version v0.16.0-beta.5 (a8afc3b)
  • Update upgrade guide (a8ccb05)
  • Update upgrade guide (f727efe)

Unclassified#

  • Fix broken reload tests (d6059b7)

  • Remove useless function (3521a3d)

  • Validate configuration with JSON Schema (997427d)

  • Do not fatal when immutable value is changed (717d7f7)

  • Watch configuration and access rule changes (#217) (a078e89), closes #217:

    This patch allows oathkeeper to reload any changes made to the configuration file and/or the access rules without a restart.

    Some configuration keys like serve., log., profiling however require a restart.

  • Create FUNDING.yml (d7da8e2)

  • Add support for rules in YAML format (#213) (67face6), closes #213:

    This commit adds support for defining access rules in YAML format, in addition to existing JSON format.

0.16.0-beta.5 (2019-06-28)

authenticator: Add cookie session authenticator (#211)

Documentation#

  • Incorporates changes from version v0.16.0-beta.4 (1e03ee2)

Unclassified#

  • Add cookie session authenticator (#211) (f8a66b7)

  • Add description into the name of subtest (#212) (230c332), closes #212

  • Use non-root user in image (#209) (2215126)

  • Remove binary license (#208) (3460d65), closes #208

  • Update config.yaml (#204) (effe9c0), closes #204:

    There's no DSN in oathkeeper

0.16.0-beta.4 (2019-05-28)

server: Properly declare negroni middleware (#200)

Previously, negroni.With was mistakenly used to add middleware onto the stack. The proper method however is negroni.Use.

This patch fixes the use of negroni.With and resolves issues around logging and the decisions endpoint.

Closes #199

Documentation#

  • Incorporates changes from version v0.16.0-beta.3 (d777ecf)
  • Updates issue and pull request templates (#196) (74fa27b)
  • Updates issue and pull request templates (#197) (31d057c)
  • Updates issue and pull request templates (#198) (244810a)

Unclassified#

  • Properly declare negroni middleware (#200) (9d3dc54), closes #199:

    Previously, negroni.With was mistakenly used to add middleware onto the stack. The proper method however is negroni.Use.

    This patch fixes the use of negroni.With and resolves issues around logging and the decisions endpoint.

0.16.0-beta.3 (2019-05-19)

ci: Use golang for docs task

Continuous Integration#

Documentation#

  • Incorporates changes from version v0.15.2 (7ceabe9)
  • Rename config.yml -> config.yaml (4faecbe)
  • Updates issue and pull request templates (#189) (367a48d)

Unclassified#

0.15.2 (2019-05-04)

cmd/client: Use json rawmessage for arbitrary payloads (#184)

Closes #182

Signed-off-by: Stanislav Zapolsky stszap@gmail.com

Documentation#

  • Incorporates changes from version v0.15.1 (5c34958)

Unclassified#

  • cmd/client: Use json rawmessage for arbitrary payloads (#184) (a55e4d1), closes #184 #182

0.15.1 (2019-04-29)

vendor: Add go.sum (#180)

Signed-off-by: aeneasr aeneas@ory.sh

Unclassified#

0.15.0 (2019-04-29)

docker: Remove full tag from build pipeline (#179)

Signed-off-by: aeneasr aeneas@ory.sh

Documentation#

  • Incorporates changes from version v0.0.0-testrelease.3 (44649b6)
  • Incorporates changes from version v0.14.2+oryOS.10 (2d9899a)
  • Update patrons (f423666)
  • Update README building-from-source part with the gomodule way (#152) (9d653f5), closes #149

Unclassified#

  • Remove full tag from build pipeline (#179) (e2edbf8)

  • Remove sdk dependencies to keto/hydra (#173) (b538e3c):

    This patch replaces code-generated SDKs with raw http.Client calls, which reduces dependencies and makes future changes to the keto/hydra SDK easier to adapt to.

  • Update CHANGELOG.md (cbccbe2)

  • Ensure rule matcher is locked before updating (#159) (6fb7151):

    Lock CachedMatcher before rules are updated when HTTPMatcher refreshes to avoid concurrent map iteration and map write errors.

  • Improve debuggability of JWT authenticator (#156) (8441bd5)

  • Move to go-swagger SDK code generation (#170) (38c52a3), closes #165

  • Remove vendored dependencies after sdk generation (7c33ca8)

  • Set request headers for credential issuers (#169) (4fc579c), closes #120 #133

  • Update Dockerfile build instructions (ec40cc4)

  • Upgrade dependencies (#163) (f9fdefb)

  • Use scp,scope,scopes in jwt authenticator (#162) (eebc2f4), closes #138:

    Previously, the JWT authenticator only used the "scope" claim to retrieve scope values from a JWT. Now, "scp", "scope", "scopes" are supported as string arrays and strings separated by spaces.

0.14.2+oryOS.10 (2018-12-13)

ci: Fix docker push arguments in publish task

Signed-off-by: aeneasr aeneas@ory.sh

Continuous Integration#

  • Fix docker push arguments in publish task (62415a1)

0.14.1+oryOS.10 (2018-12-13)

ci: Fix docker release task

Signed-off-by: aeneasr aeneas@ory.sh

Continuous Integration#

0.14.0+oryOS.10 (2018-12-13)

ci: Fix circle misconfiguration

Signed-off-by: aeneasr aeneas@ory.sh

Continuous Integration#

  • Fix circle misconfiguration (a00ce64)

Documentation#

  • Adds gh templates & code of conduct (#78) (02361aa)
  • Adds link to examples repository (#79) (bfe96e9)
  • Align changelog, upgrade with new versions (#143) (751dfa3)
  • Clarify beyondcorp (3647958)
  • Clarify breaking change policy (6e6bb7e)
  • Fix broken link (#87) (828b33e)
  • Fix proxy help command description (#142) (c836cb0)
  • Fix typo in README. (#118) (3d33fcc)
  • Grammatical fix in stability sentence (#86) (ff0604d)
  • Improve some docs and update SDK (#135) (9a6901d)
  • Incorporates changes from version v0.11.12-1-gace7f34 (3a6450c)
  • Incorporates changes from version v0.11.12-10-g57ac174 (c594b7e)
  • Incorporates changes from version v0.11.12-13-gd00dfed (7c221fa)
  • Incorporates changes from version v0.11.12-15-g6604045 (2a594f4)
  • Incorporates changes from version v0.11.12-3-g7acfbca (ac34a58)
  • Incorporates changes from version v0.11.12-6-g181e9ac (01dda53)
  • Incorporates changes from version v1.0.0-beta.1 (788e96b)
  • Incorporates changes from version v1.0.0-beta.2-1-gd6eb440 (579f7a7)
  • Incorporates changes from version v1.0.0-beta.2-10-gef6e889 (38cfb31)
  • Incorporates changes from version v1.0.0-beta.2-12-g9b6c0df (82ac9b2)
  • Incorporates changes from version v1.0.0-beta.2-6-ged2f983 (d9737c8)
  • Incorporates changes from version v1.0.0-beta.2-8-g5495d4a (546828d)
  • Incorporates changes from version v1.0.0-beta.3-3-g3c0c862 (e1127a8)
  • Incorporates changes from version v1.0.0-beta.4-1-g643dbea (5c40f97)
  • Incorporates changes from version v1.0.0-beta.4-12-gbfe96e9 (756178a)
  • Incorporates changes from version v1.0.0-beta.4-17-gfa5388c (3d5df8b)
  • Incorporates changes from version v1.0.0-beta.4-19-g6d647d7 (b5539f4)
  • Incorporates changes from version v1.0.0-beta.4-3-g951da25 (8931b39)
  • Incorporates changes from version v1.0.0-beta.4-5-g83b591d (4f2c64b)
  • Incorporates changes from version v1.0.0-beta.4-7-gf450697 (8f904d2)
  • Incorporates changes from version v1.0.0-beta.4-9-g02361aa (5b34e91)
  • Incorporates changes from version v1.0.0-beta.5-1-g3647958 (2bcfb39)
  • Incorporates changes from version v1.0.0-beta.6-1-gff0604d (0c69154)
  • Incorporates changes from version v1.0.0-beta.6-3-g828b33e (c53f5b2)
  • Incorporates changes from version v1.0.0-beta.8 (92c09fb)
  • Incorporates changes from version v1.0.0-beta.9 (b9127f6)
  • Update documentation links (#144) (84131d2)
  • Update link to security console (26fdda1)
  • Update migration guide (b2e6d67)
  • Updates copyright notice (e58535d)
  • Updates issue and pull request templates (#126) (5991a92)
  • Updates issue and pull request templates (#127) (e4d0e26)
  • Updates link to open collective (25e0dee)
  • Updates links to docs (9dca7c0)
  • Updates links to docs (57ac174)
  • Updates newsletter link in README (97f1dea)
  • Updates readme TOC (3c0c862)
  • Updates README.md (1387f9f)
  • Updates TOC (9b6c0df)
  • Updates upgrade.me (0118f9f)

Unclassified#

  • Add ability to configure scope strategy (519a536)

  • Add cookies ci to handler factory (#103) (59aabfa)

  • Add cookies credentials issuer (032d88e)

  • Add endpoint for answering access requests directly (d211641), closes #42:

    This patch adds the endpoint /judge to the oathkeeper serve api. The /judge endpoint mimics the behavior of oathkeeper serve proxy but instead of forwarding the request to the upstream server, the endpoint answers directly with an HTTP response.

    The HTTP response returns status code 200 if the request should be allowed and any other status code (e.g. 401, 403) if not.

    Assuming you are making the following request:

    PUT /judge/my-service/whatever HTTP/1.1
    Host: oathkeeper-api:4456
    User-Agent: curl/7.54.0
    Authorization: bearer some-token
    Accept: */*
    Content-Type: application/json
    Content-Length: 0

    And you have a rule which allows token some-bearer to access PUT /my-service/whatever and you have a credentials issuer which does not modify the Authorization header, the response will be:

    HTTP/1.1 200 OK
    Authorization: bearer-sometoken
    Content-Length: 0
    Connection: Closed

    If the rule denies the request, the response will be, for example:

    HTTP/1.1 401 OK
    Content-Length: 0
    Connection: Closed

  • Add headers credentials issuer (b084c32)

  • Add http proxy timeout config (#132) (b3718ce):

    Add environment parameters (and description) to configure the timeout settings of the server that handles proxy requests.

    This helps prevent a client connection from being closed unexpectedly when an upstream request runs longer than the default timeout.

  • Add JWT authenticator (61625bc)

  • Add NodeJS SDK (#94) (7505b71)

  • Adds ability to specify db url via env var in migrate (b2cc5d2)

  • Adds and improves metrics middleware (b0dfd97)

  • Adds log message when telemetry is active (ed2f983)

  • Adds validator for rules (#77) (f450697):

    This patch adds an input validator for rules which should prevent accidental typos or similar issues when creating a rule. Additionally, no invalid/unconfigured handlers (authorizers, credential issuers, authenticators) can be used.

  • Align TLS options with hydra (#114) (c763152)

  • Allow empty upstream in rules (e46065a)

  • Allow regex in match scheme (c6d17c5), closes #92

  • Allows connectivity to MySQL (fa5388c), closes #82

  • Authenticator noop should not bypass (6f8ab4f), closes #97

  • Convert AuthenticationSession to local struct type for better handling (b00b2a2)

  • Disable cors per default (#107) (c5ab0c3):

    This patch introduces CORS_ENABLED which defaults to "false".

  • Doesn't fatal if no ORY Hydra is unresponsive. (#66) (181e9ac), closes #65

  • Enables TLS option on serve api (#116) (83f1f84)

  • Expose all ORY Hydra ports in tests (691a72d)

  • Expose all ORY Hydra ports in tests (add70c6)

  • Fix checkResponse message typo (#106) (0d0e653)

  • Ignore query parameters when matching url in rules. (#139) (07eb99b)

  • Improve compatibility with ORY Hydra 1.0.0-beta.8 (#108) (296e012), closes #101:

    This patch improves compatibility with ORY Hydra 1.0.0-beta.8 and updates vendored dependencies.

  • Improve hydra integration tests (e8b7a58)

  • Improve refresh subroutines (cc33538)

  • Improves cors parsing (d00dfed)

  • Improves test set up (6b6bb88)

  • Include headers credential issuer in handler factory (0e1ef1b)

  • Introduce health and version endpoint (029c7ff)

  • Make subject configurable using go template (#129) (ee9dcdd)

  • More CredentialsIssuerHeaders tests (079171f)

  • Move headers into new config field (51eb9fb)

  • Properly document JWT refresh (#117) (2e024f9)

  • Properly handle conflicts on PUT and POST (83b591d), closes