Commit
Merge pull request #972 from lsst-sqre/tickets/DM-42384
DM-42384: Prepare 10.0.0 release
rra authored Feb 22, 2024
2 parents 597b803 + d0efa13 commit 9517692
Showing 17 changed files with 393 additions and 363 deletions.
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
Expand Up @@ -9,7 +9,7 @@ repos:
- id: trailing-whitespace

- repo: https://github.com/astral-sh/ruff-pre-commit
rev: v0.2.1
rev: v0.2.2
hooks:
- id: ruff
args: [--fix, --exit-non-zero-on-fix]
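Review bot: the ruff-pre-commit bump from `rev: v0.2.1` to `rev: v0.2.2` is a tooling change that neither the commit message nor any CHANGELOG.md entry in this PR mentions; call it out in the commit message or land it separately so a release-preparation diff contains only what it says it does. Since `rev` points at a tag rather than a commit SHA, the hook's contents can change if the tag is moved upstream; pinning `rev` to the commit the tag resolves to would make the lint step reproducible.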
32 changes: 32 additions & 0 deletions CHANGELOG.md
Expand Up @@ -6,6 +6,38 @@ Find changes for the upcoming release in the project's [changelog.d directory](h

<!-- scriv-insert-here -->

<a id='changelog-10.0.0'></a>
## 10.0.0 (2024-02-22)

### Backwards-incompatible changes

- Clients of the Gafaelfawr OpenID Connect server now must have registered return URIs as well as client IDs and secrets. Each element of the `oidc-server-secrets` secret must, in addition to the previous `id` and `secret` keys, contain a `return_uri` key that matches the return URL of authentications from that client. Those return URLs are now allowed to be at any (matching) domain and are not constrained to the same domain as Gafaelfawr.
- When acting as an OpenID Connect server, Gafaelfawr no longer exposes all claims by default. Instead, it now honors the `scope` parameter in the request, which must include `openid` and may include `profile` and `email`.
- In the reply to a successful OpenID Connect authentication, return a Gafaelfawr token of a new `oidc` type as the access token instead of a copy of the ID token. This `oidc` token will be marked as a child token of the underlying Gafaelfawr token used to authenticate the OpenID Connect login, which means it will automatically be revoked if the user logs out.
- Only accept Gafaelfawr tokens of the `oidc` type for the OpenID Connect server userinfo endpoint.
- Return only userinfo claims from the OpenID Connect server userinfo endpoint instead of the full set of claims that would go into an ID token. Currently, the userinfo claims are not filtered based on the requested scopes; all available userinfo claims are returned.
- Set the `aud` claim in OpenID Connect ID tokens issued by Gafaelfawr to the client ID of the requesting client instead of a fixed audience used for all tokens.
- OpenID Connect ID tokens issued by Gafaelfawr now inherit their expiration time from the underlying Gafaelfawr token used as the authentication basis for the ID token. Previously, OpenID Connect ID tokens would receive the full default lifetime even when issued on the basis of Gafaelfawr tokens that were about to expire.
- Require the `oidcServer.issuer` configuration setting use the `https` scheme, since this is required by the OpenID Connect 1.0 specification.

### New features

- Add a new `rubin` scope for the OpenID Connect server that, if requested, provides a `data_rights` claim listing the data releases to which the user has rights. Add a new `config.oidcServer.dataRightsMapping` configuration option that is used to determine that list of data releases from a user's group memberships.
- Add support for a client-supplied nonce in OpenID Connect authentication with Gafaelfawr as a server. The provided nonce is passed through to the ID token following the OpenID Connect specification.
- Check the database schema at startup to ensure that it is current, and refuse to start if the schema is out of date.
- Add new `gafaelfawr update-schema` command that creates the database if necessary and otherwise applies any needed Alembic migrations.
- Add new `gafaelfawr validate-schema` command that exits non-zero if the database has not been initialized or if the schema is not up-to-date.

### Bug fixes

- Include the scope used to issue the ID token in the reply from the OpenID Connect server token endpoint.
- In the response from `/.well-known/openid-configuration`, declare that the only supported response mode of the OpenID Connect server is `query`.

### Other changes

- Gafaelfawr now uses [Alembic](https://alembic.sqlalchemy.org/en/latest/index.html) to perform database migrations as needed.
- Gafaelfawr now uses [uv](https://github.com/astral-sh/uv) to maintain frozen dependencies and set up a development environment.

<a id='changelog-9.6.1'></a>
## 9.6.1 (2023-12-08)

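Review bot: the two OpenID Connect scope statements in this hunk pull in opposite directions: the backwards-incompatible entry says the server "now honors the `scope` parameter", while the userinfo entry admits that "the userinfo claims are not filtered based on the requested scopes; all available userinfo claims are returned". Rewrite the first entry so it is explicit that scope filtering applies only to the claims placed in the ID token, and move the unfiltered-userinfo behaviour into its own clearly labelled known-limitation entry, because a relying party that requested only `openid` would otherwise assume the userinfo endpoint respects that restriction. In the `return_uri` entry, state how the registered value is compared with the return URL of the authentication request (OpenID Connect Core requires an exact string match for `redirect_uri`), since "matches" alone leaves prefix or host-only matching open to interpretation. Minor: "Require the `oidcServer.issuer` configuration setting use the `https` scheme" is missing "to" before "use".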
11 changes: 0 additions & 11 deletions changelog.d/20240110_125829_rra_DM_42384.md

This file was deleted.

3 changes: 0 additions & 3 deletions changelog.d/20240111_164048_rra_DM_42384.md

This file was deleted.

3 changes: 0 additions & 3 deletions changelog.d/20240117_152943_rra_DM_42384.md

This file was deleted.

3 changes: 0 additions & 3 deletions changelog.d/20240123_163221_rra_DM_42384.md

This file was deleted.

3 changes: 0 additions & 3 deletions changelog.d/20240209_160742_rra_DM_42384.md

This file was deleted.

5 changes: 0 additions & 5 deletions changelog.d/20240213_170118_rra_DM_42384a.md

This file was deleted.

3 changes: 0 additions & 3 deletions changelog.d/20240214_133634_rra_DM_42384.md

This file was deleted.

4 changes: 0 additions & 4 deletions changelog.d/20240214_185441_rra_DM_42384.md

This file was deleted.

3 changes: 0 additions & 3 deletions changelog.d/20240216_083628_rra_DM_42930.md

This file was deleted.
