4.0.0

@rra rra released this 25 Mar 23:09
· 1642 commits to main since this release
37f1d8d

As of this release, the only supported mechanism for installing Gafaelfawr is as part of the Vera C. Rubin Science Platform, using Phalanx.

  • The Gafaelfawr token lifetime is now configured with config.tokenLifetimeMinutes instead of config.issuer.expMinutes.
  • The internal OpenID Connect server now puts the numeric UID in a uid_number claim rather than uidNumber for consistency with the naming scheme of other claims.
  • InfluxDB 1.x token generation is now configured with config.influxdb.enabled and config.influxdb.username without the issuer component.
  • Drop support for restricting the upstream OpenID Connect provider to specific key IDs. This prevents upstream key rotation for dubious security benefit given that Gafaelfawr still verifies the issuer URL and then reaches out to its .well-known endpoints to retrieve the public key and verify the key signature.
  • Log token scopes as proper lists instead of space- or comma-separated strings.
  • Return 404 with a proper error if the OpenID Connect server routes are accessed when Gafaelfawr is not configured to act as an OpenID Connect server.
  • Drop support for Python 3.9.
  • Update dependencies.