10.0.0
Upgrading to this version requires a database schema migration.
Backwards-incompatible changes
- Clients of the Gafaelfawr OpenID Connect server now must have registered return URIs as well as client IDs and secrets. Each element of the `oidc-server-secrets` secret must, in addition to the previous `id` and `secret` keys, contain a `return_uri` key that matches the return URL of authentications from that client. Those return URLs are now allowed to be at any (matching) domain and are not constrained to the same domain as Gafaelfawr.
- When acting as an OpenID Connect server, Gafaelfawr no longer exposes all claims by default. Instead, it now honors the `scope` parameter in the request, which must include `openid` and may include `profile` and `email`.
- In the reply to a successful OpenID Connect authentication, return a Gafaelfawr token of a new `oidc` type as the access token instead of a copy of the ID token. This `oidc` token will be marked as a child token of the underlying Gafaelfawr token used to authenticate the OpenID Connect login, which means it will automatically be revoked if the user logs out.
- Only accept Gafaelfawr tokens of the `oidc` type for the OpenID Connect server userinfo endpoint.
- Return only userinfo claims from the OpenID Connect server userinfo endpoint instead of the full set of claims that would go into an ID token. Currently, the userinfo claims are not filtered based on the requested scopes; all available userinfo claims are returned.
- Set the `aud` claim in OpenID Connect ID tokens issued by Gafaelfawr to the client ID of the requesting client instead of a fixed audience used for all tokens.
- OpenID Connect ID tokens issued by Gafaelfawr now inherit their expiration time from the underlying Gafaelfawr token used as the authentication basis for the ID token. Previously, OpenID Connect ID tokens would receive the full default lifetime even when issued on the basis of Gafaelfawr tokens that were about to expire.
- Require the `oidcServer.issuer` configuration setting to use the `https` scheme, since this is required by the OpenID Connect 1.0 specification.
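A check of the new client-registration format and of the exact return-URI matching described above, added here as an example and not code from Gafaelfawr itself. It assumes the `oidc-server-secrets` value is a JSON-encoded list of objects (the sample entries are constructed), and the exact-string comparison and the dropping of unknown scopes are this example's policy rather than a statement of how Gafaelfawr implements them.

```python
import json
from urllib.parse import urlsplit

REQUIRED_KEYS = {"id", "secret", "return_uri"}
SUPPORTED_SCOPES = {"openid", "profile", "email"}

# Constructed sample of the secret's contents; the credentials are made up.
SAMPLE_SECRET = json.dumps([
    {"id": "portal", "secret": "example-secret-1",
     "return_uri": "https://portal.example.org/oauth2/callback"},
    {"id": "notebook", "secret": "example-secret-2",
     "return_uri": "https://nb.example.org/hub/oauth_callback"},
])

def check_secret(raw):
    """Return a list of problems with the client list (empty when it is valid)."""
    problems = []
    for entry in json.loads(raw):
        client_id = entry.get("id")
        missing = REQUIRED_KEYS - entry.keys()
        if missing:
            problems.append(f"client {client_id!r} is missing {sorted(missing)}")
            continue
        parts = urlsplit(entry["return_uri"])
        # Registered return URIs must be absolute https URLs, so the exact
        # comparison in return_uri_allowed cannot be met by a relative value.
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"client {client_id!r}: return_uri is not an absolute https URL")
    return problems

def load_clients(raw):
    """Parse the secret into a dict keyed by client id, refusing invalid input."""
    problems = check_secret(raw)
    if problems:
        raise ValueError("; ".join(problems))
    return {entry["id"]: entry for entry in json.loads(raw)}

def return_uri_allowed(clients, client_id, redirect_uri):
    """Exact string match against the registered return_uri: no prefix or wildcard matching."""
    client = clients.get(client_id)
    return client is not None and client["return_uri"] == redirect_uri

def granted_scopes(scope):
    """Parse the space-separated scope parameter; openid is mandatory, unknown scopes are dropped."""
    requested = set(scope.split())
    if "openid" not in requested:
        return None
    return requested & SUPPORTED_SCOPES
```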
New features
- Add a new `rubin` scope for the OpenID Connect server that, if requested, provides a `data_rights` claim listing the data releases to which the user has rights. Add a new `config.oidcServer.dataRightsMapping` configuration option that is used to determine that list of data releases from a user's group memberships.
- Add support for a client-supplied nonce in OpenID Connect authentication with Gafaelfawr as a server. The provided nonce is passed through to the ID token following the OpenID Connect specification.
- Check the database schema at startup to ensure that it is current, and refuse to start if the schema is out of date.
- Add new `gafaelfawr update-schema` command that creates the database if necessary and otherwise applies any needed Alembic migrations.
- Add new `gafaelfawr validate-schema` command that exits non-zero if the database has not been initialized or if the schema is not up-to-date.
Bug fixes
- Include the scope used to issue the ID token in the reply from the OpenID Connect server token endpoint.
- In the response from `/.well-known/openid-configuration`, declare that the only supported response mode of the OpenID Connect server is `query`.
Other changes
- Gafaelfawr now uses Alembic to perform database migrations as needed.
- Gafaelfawr now uses uv to maintain frozen dependencies and set up a development environment.
What's Changed
- [neophile] Update dependencies by @neophile-square in #916
- [neophile] Update dependencies by @neophile-square in #918
- Bump actions/setup-python from 4 to 5 by @dependabot in #917
- Update artifact actions by @rra in #930
- Bump eslint from 8.55.0 to 8.56.0 in /ui by @dependabot in #921
- Bump gatsby from 5.12.12 to 5.13.1 in /ui by @dependabot in #927
- Bump react-datepicker from 4.24.0 to 4.25.0 in /ui by @dependabot in #925
- Bump eslint-plugin-import from 2.29.0 to 2.29.1 in /ui by @dependabot in #923
- Bump date-fns from 2.30.0 to 3.0.6 in /ui by @dependabot in #928
- [neophile] Update dependencies by @neophile-square in #926
- Bump python from 3.11.5-slim-bullseye to 3.12.1-slim-bullseye by @dependabot in #915
- Switch to Python 3.12 by @rra in #931
- Remove empty setup.cfg by @rra in #932
- [neophile] Update dependencies by @neophile-square in #934
- DM-42384: Fix protocol issues in OpenID Connect server by @rra in #936
- DM-42384: Update Python dependencies by @rra in #937
- Bump date-fns from 3.0.6 to 3.2.0 in /ui by @dependabot in #938
- DM-42384: Add support for OpenID Connect nonces in server by @rra in #940
- [neophile] Update dependencies by @neophile-square in #943
- DM-42384: Add support for data rights information by @rra in #944
- Bump styled-components from 6.1.6 to 6.1.8 in /ui by @dependabot in #942
- Bump react-icons from 4.12.0 to 5.0.1 in /ui by @dependabot in #941
- [neophile] Update dependencies by @neophile-square in #946
- Bump date-fns from 3.2.0 to 3.3.1 in /ui by @dependabot in #947
- Bump actions/cache from 3 to 4 by @dependabot in #945
- DM-42384: Add OpenID Connect return URL registration by @rra in #948
- Update pre-commit with make update-deps by @rra in #949
- Bump @babel/eslint-parser from 7.23.3 to 7.23.9 in /ui by @dependabot in #952
- Bump gatsby from 5.13.2 to 5.13.3 in /ui by @dependabot in #951
- Bump react-datepicker from 4.25.0 to 5.0.0 in /ui by @dependabot in #950
- Update dependencies by @rra in #954
- Bump react-datepicker from 5.0.0 to 6.1.0 in /ui by @dependabot in #955
- Bump @babel/eslint-parser from 7.23.9 to 7.23.10 in /ui by @dependabot in #956
- Update Python and JavaScript dependencies by @rra in #958
- Bump eslint-plugin-html from 7.1.0 to 8.0.0 in /ui by @dependabot in #962
- Bump python from 3.12.1-slim-bullseye to 3.12.2-slim-bullseye by @dependabot in #961
- Bump pre-commit/action from 3.0.0 to 3.0.1 by @dependabot in #960
- DM-42384: Add support for database migrations with Alembic by @rra in #959
- DM-42384: Issue oidc tokens for OIDC access tokens by @rra in #963
- DM-42384: Verify the database schema on startup by @rra in #964
- DM-42384: Improve schema handling and testing by @rra in #965
- DM-42930: Switch to uv for dependency management by @rra in #966
- Bump medyagh/setup-minikube from 0.0.14 to 0.0.15 by @dependabot in #967
- DM-42627: Remove uses of sqlalchemy.future by @rra in #968
- DM-42384: Minor improvements to OpenID Connect documentation by @rra in #969
- DM-42384: Redeem OIDC codes inside a transaction by @rra in #970
- DM-42384: Add OpenID Connect tokens to the UI by @rra in #971
- DM-42384: Prepare 10.0.0 release by @rra in #972
Full Changelog: 9.6.1...10.0.0