Releases: ory/oathkeeper
v0.40.8
This release consists of dependency updates and also includes some bug fixes.
Bug Fixes
- Config schema $id (889c9ec)
- Improve caching configuration (2373057)
- metrics: Remove query string from collapsed path segment (#1159) (15ee438)
- Remote authorizers with request body (#1185) (62ca1e8)
- Set correct max cost for oauth2 introspection authn handler (#1176) (368c28a)
Code Generation
- Pin v0.40.8 release commit (f14d6da)
Changelog
- 5f778cb autogen(docs): generate and bump docs
- 374b146 autogen(docs): regenerate and update changelog
- 9c27046 autogen(docs): regenerate and update changelog
- 6b5672b autogen(docs): regenerate and update changelog
- f6adf0b autogen(docs): regenerate and update changelog
- 817943a autogen: add v0.40.7 to version.schema.json
- f14d6da autogen: pin v0.40.8 release commit
- c815b8b autogen: render config schema
- addd40d autogen: render config schema
- 6d628fb chore: add kubescape image scanner (#1168)
- f0c8650 chore: adjust project automation (#1192)
- 9ba2a4b chore: bump go-jose (#1180)
- f561c5a chore: bump libcrypto and alpine (#1207)
- ba39541 chore: bump to go 1.22 and fix automations (#1183)
- 1950529 chore: pin GHA PM action version (#1199)
- e0b22cb chore: remove git unset release hooks
- 92ae88c chore: update dependencies (#1206)
- 361177a chore: update golang-jwt to v5 (#1171)
- a360da5 chore: update goreleaser to v2
- ea93326 chore: update newsletter link (#1174)
- 8a3961a chore: update newsletter link (#1175)
- 4c9f0f7 chore: update repository templates to ory/meta@1af2225
- a28a6d3 chore: update repository templates to ory/meta@297c8a5
- f46220e chore: update repository templates to ory/meta@3cf0f00
- 7acc639 chore: update repository templates to ory/meta@4132def
- 42934ea chore: update repository templates to ory/meta@43af518
- b142379 chore: update repository templates to ory/meta@939b80f
- 9add863 chore: update repository templates to ory/meta@e838bee
- 6fd2968 chore: update repository templates to ory/meta@fe4ffe0
- b9b9f87 chore: update security policy
- 72dde73 chore: upgrade deps with high cves (#1198)
- 98f8a00 chore: upgrade ristretto to use generics (#1195)
- acb2584 ci: update Code QL action to v2 (#1173)
- 15ee438 fix(metrics): remove query string from collapsed path segment (#1159)
- 889c9ec fix: config schema $id
- 2373057 fix: improve caching configuration
- 62ca1e8 fix: remote authorizers with request body (#1185)
- 368c28a fix: set correct max cost for oauth2 introspection authn handler (#1176)
Artifacts can be verified with cosign using this public key.
v0.40.7
This release includes new features and many improvements to the tracing instrumentations.
Code Generation
- Pin v0.40.7 release commit (8fc9b7a):
  Bumps from v0.40.7-pre.0
Changelog
- 8fc9b7a autogen: pin v0.40.7 release commit
Artifacts can be verified with cosign using this public key.
v0.40.7-pre.0
autogen: pin v0.40.7-pre.0 release commit
Bug Fixes
Code Generation
- Pin v0.40.7-pre.0 release commit (82282ce)
Features
- Add headers option for remote_json authorizer (#1140) (1ee445d)
- Preserve_host feature for oauth2_introspect, better tracing, introspection prefixes (#1131) (b5d4d88):
  This patch additionally allows selecting between the two authenticators based on a prefix to the token.
Changelog
- 25959b1 autogen(docs): generate and bump docs
- 4d61221 autogen(docs): regenerate and update changelog
- cae2824 autogen(docs): regenerate and update changelog
- 0260960 autogen(docs): regenerate and update changelog
- c064f20 autogen(docs): regenerate and update changelog
- 1329413 autogen(docs): regenerate and update changelog
- d1e74fa autogen(docs): regenerate and update changelog
- db2da0a autogen: add v0.40.6 to version.schema.json
- 82282ce autogen: pin v0.40.7-pre.0 release commit
- 93939a0 chore: bump golangci-lint (#1150)
- 98e8e5c chore: bump ory/herodot
- 461f088 chore: update repository templates to ory/meta@ac80097
- 557f512 chore: update repository templates to ory/meta@af28aff
- 1ee445d feat: add headers option for remote_json authorizer (#1140)
- b5d4d88 feat: preserve_host feature for oauth2_introspect, better tracing, introspection prefixes (#1131)
- 58690ae fix: ignore version.schema.json (prettier)
- 5bf9b70 fix: update alpine version (#1128)
Artifacts can be verified with cosign using this public key.
v0.40.6
Resolves an issue in how X-Forwarded headers were set.
Bug Fixes
Code Generation
- Pin v0.40.6 release commit (75eb682)
Changelog
- ee605eb autogen(docs): generate and bump docs
- 8fc3473 autogen: add v0.40.5 to version.schema.json
- 75eb682 autogen: pin v0.40.6 release commit
- 7088682 fix: properly copy x-forwarded headers from upstream (#1121)
Artifacts can be verified with cosign using this public key.
v0.40.5
Ory Oathkeeper v0.44.4 uses the new Rewrite feature of Golang's reverse proxy. This will strip any X-Forwarded headers from upstream requests. This, however, is not always desirable, which is why a new config flag, serve.proxy.trust_forwarded_headers, was introduced to optionally enable the forwarding of X-Forwarded headers.
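The behaviour this note describes, as an added Go example that is not Oathkeeper's own code: with `Rewrite` set, the standard library's `httputil.ReverseProxy` removes client-supplied X-Forwarded headers from the outbound request, so a proxy has to copy them back deliberately. The `trustForwarded` parameter is a hypothetical stand-in for serve.proxy.trust_forwarded_headers, and the host names and IP address are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// capture records the headers the proxy would send upstream; no network is used.
type capture struct{ sent http.Header }

func (c *capture) RoundTrip(r *http.Request) (*http.Response, error) {
	c.sent = r.Header.Clone()
	return &http.Response{StatusCode: http.StatusOK, Header: http.Header{},
		Body: http.NoBody, Request: r}, nil
}

var forwarded = []string{"X-Forwarded-For", "X-Forwarded-Host", "X-Forwarded-Proto"}

// UpstreamForwardedFor proxies one constructed request that carries a
// client-supplied X-Forwarded-For and returns the value sent upstream.
// trustForwarded is a hypothetical stand-in for the config flag (assumption).
func UpstreamForwardedFor(trustForwarded bool) string {
	target, _ := url.Parse("http://upstream.internal") // constructed, never dialed
	rt := &capture{}
	proxy := &httputil.ReverseProxy{
		Transport: rt,
		Rewrite: func(pr *httputil.ProxyRequest) {
			pr.SetURL(target)
			if !trustForwarded {
				return // pr.Out already had the X-Forwarded-* headers removed
			}
			// Opt-in: copy the inbound values back onto the outbound request.
			for _, h := range forwarded {
				if v := pr.In.Header.Values(h); len(v) > 0 {
					pr.Out.Header[h] = append([]string(nil), v...)
				}
			}
		},
	}
	req := httptest.NewRequest(http.MethodGet, "http://proxy.example/api", nil)
	req.Header.Set("X-Forwarded-For", "203.0.113.7") // constructed client value
	proxy.ServeHTTP(httptest.NewRecorder(), req)
	return rt.sent.Get("X-Forwarded-For")
}

func main() {
	fmt.Printf("default: %q\n", UpstreamForwardedFor(false))
	fmt.Printf("trusted: %q\n", UpstreamForwardedFor(true))
}
```

Forwarding these headers is only safe when every client that can reach the proxy is itself a trusted proxy; otherwise the upstream sees whatever value the client chose to send.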
Code Generation
- Pin v0.40.5 release commit (ba1f90a)
Features
- Flag to disable hop-by-hop defenses (#1120) (fffe8ef):
  Ory Oathkeeper v0.44.4 uses the new Rewrite feature of Golang's reverse proxy. This will strip any X-Forwarded headers from upstream requests. This, however, is not always desirable, which is why a new config flag, serve.proxy.trust_forwarded_headers, was introduced to optionally enable the forwarding of X-Forwarded headers.
Changelog
- 7a94b54 autogen(docs): generate and bump docs
- 07c1e3c autogen: add v0.40.4 to version.schema.json
- ba1f90a autogen: pin v0.40.5 release commit
- fffe8ef feat: flag to disable hop-by-hop defenses (#1120)
Artifacts can be verified with cosign using this public key.
v0.40.4
Added distroless image, fixed some bugs, and added support for JWKs key rotation in the ID token mutator.
Bug Fixes
- Apk install issue (08b2bfb)
- Ensure logger uses config (#1104) (d9b0965)
- Noop mutator don't overwrite session headers (#1091) (3a716f2)
- Use Query.Get when fetching QueryParameter (#1106) (c520e50)
Code Generation
- Pin v0.40.4 release commit (70d63f3)
Features
- Support token rotation in ID token mutator (#1119) (5dd4571):
  Previously, only one JWK could be returned by the JWKS URL. This made token rotation impossible. This patch allows for multiple keys to be returned by the JWKS URL, and the first key found will be used for signing.
Tests
Changelog
- 48c90c1 autogen(docs): generate and bump docs
- 47e3d19 autogen(docs): regenerate and update changelog
- b7c57ca autogen(docs): regenerate and update changelog
- 6761be1 autogen(docs): regenerate and update changelog
- 64aed38 autogen(docs): regenerate and update changelog
- ccdf1e4 autogen(docs): regenerate and update changelog
- 9275dcd autogen(docs): regenerate and update changelog
- 1c333b9 autogen(docs): regenerate and update changelog
- 4f08af7 autogen(docs): regenerate and update changelog
- 3276408 autogen(openapi): regenerate swagger spec and internal client
- 97e9660 autogen(openapi): regenerate swagger spec and internal client
- 12d0aea autogen: add v0.40.3 to version.schema.json
- 70d63f3 autogen: pin v0.40.4 release commit
- c85d0a9 autogen: pin v0.40.4 release commit
- 596ad11 chore(deps): bump github.com/knadh/koanf to v2.0.1 (#1111)
- 0a767e7 chore(deps): update ory/x to v0.0.565 (#1113)
- 56779c4 chore: support in README (#1117)
- 91ae714 chore: update gRPC to v1.56.1 (#1118)
- 1857ba3 chore: update security scanners (#1107)
- 8ac1dac feat: add distroless images (#1114)
- baeecc6 feat: sqa metrics v2 (#1110)
- 5dd4571 feat: support token rotation in ID token mutator (#1119)
- 08b2bfb fix: apk install issue
- d9b0965 fix: ensure logger uses config (#1104)
- 3a716f2 fix: noop mutator don't overwrite session headers (#1091)
- c520e50 fix: use Query.Get when fetching QueryParameter (#1106)
- af5ce29 test: use reliable upstream server (#1099)
Artifacts can be verified with cosign using this public key.
v0.40.3
This release fixes a low-severity security vulnerability.
Bug Fixes
- Report 499, 502, or 504 (#1090) (360a03e)
- Sqa config values unified across projects (#1094) (9374d2f)
- Switch to httputil.ReverseProxy.Rewrite (#1098) (c5cc7f7)
Code Generation
- Pin v0.40.3 release commit (2ab7687)
Features
Changelog
- d15dfa2 autogen(docs): generate and bump docs
- 4768d05 autogen(docs): regenerate and update changelog
- 2fd6a84 autogen(docs): regenerate and update changelog
- 271a666 autogen(docs): regenerate and update changelog
- b8c6261 autogen(docs): regenerate and update changelog
- 629247b autogen(openapi): regenerate swagger spec and internal client
- f3ec24a autogen: add v0.40.2 to version.schema.json
- 2ab7687 autogen: pin v0.40.3 release commit
- 310aa5f chore(deps): bump @nestjs/core and @openapitools/openapi-generator-cli (#1097)
- a615f7b chore(deps): bump github.com/docker/docker
- 37e2df8 chore(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 (#1084)
- c60e4ac feat: tracing for gRPC middleware (#1086)
- 360a03e fix: report 499, 502, or 504 (#1090)
- 9374d2f fix: sqa config values unified across projects (#1094)
- c5cc7f7 fix: switch to httputil.ReverseProxy.Rewrite (#1098)
Artifacts can be verified with cosign using this public key.
v0.40.2
Resolves tracing and health monitoring issues.
Bug Fixes
- Add handlers in correct order to handle CORS requests properly (#1055) (0b5f6e6), closes ory/oathkeeper#1054
- Render complete config schema in CI and update tracing config (#1063) (e5e9d17)
- Rule readiness check should require at least one rule to be loaded (#1061) (daa2994):
  With this change, Oathkeeper now reports as "not ready" on the health check unless at least one valid rule is loaded.
Code Generation
- Pin v0.40.2 release commit (0f42d7c)
Documentation
Features
- Add cache to Koanf.validatePipelineConfig (#1042) (e7fb605)
- Expose health checks in middleware (#1058) (e1357f8)
- Forward config options in middleware (#1062) (f3c4386)
- Improved tracing for authorizers (#1079) (b3aa0c3)
- Tracing for authz remote (#1056) (7e7d45e)
Changelog
- 4e8f06e autogen(docs): generate and bump docs
- 9572b59 autogen(docs): regenerate and update changelog
- 46689fa autogen(docs): regenerate and update changelog
- f40b3f1 autogen(docs): regenerate and update changelog
- e29a26a autogen(docs): regenerate and update changelog
- 29c09de autogen(docs): regenerate and update changelog
- 12bdbe6 autogen(docs): regenerate and update changelog
- b342931 autogen(docs): regenerate and update changelog
- 34d1217 autogen(docs): regenerate and update changelog
- 5233025 autogen(docs): regenerate and update changelog
- 98da1a3 autogen(docs): regenerate and update changelog
- 3cd0550 autogen(docs): regenerate and update changelog
- 0f42d7c autogen: pin v0.40.2 release commit
- 2b13ac1 chore(deps): bump JWT deps (#1052)
- cd35bf8 chore(deps): bump golang.org/x/net from 0.5.0 to 0.7.0 (#1069)
- 0e3c249 chore: update alpine version (#1070)
- d305381 chore: use watcherx to watch access rule files (#1059)
- bba14ba docs: update security email (#1077)
- e7fb605 feat: add cache to Koanf.validatePipelineConfig (#1042)
- e1357f8 feat: expose health checks in middleware (#1058)
- f3c4386 feat: forward config options in middleware (#1062)
- b3aa0c3 feat: improved tracing for authorizers (#1079)
- 7e7d45e feat: tracing for authz remote (#1056)
- 0b5f6e6 fix: add handlers in correct order to handle CORS requests properly (#1055)
- 878089d fix: release pipeline (#1053)
- e5e9d17 fix: render complete config schema in CI and update tracing config (#1063)
- daa2994 fix: rule readiness check should require at least one rule to be loaded (#1061)
Artifacts can be verified with cosign using this public key.
v0.40.1
This release resolves tracing issues and fixes a bug.
Bug Fixes
- Align proxy mode log level with decision mode log level for access request granted log (#1029) (b9365a6)
- Allow otel tracing provider in config (#1039) (2661190)
- Decouple cloud storage tests (c1ed811)
- Do not leak sensitive data from gRPC middleware (32aa172)
- Ignore query string when using X-Forwarded-Uri (#1025) (6fa3978)
- Init registry in middleware (1daecb6)
Code Generation
- Pin v0.40.1 release commit (431f415)
Documentation
- Fix typo from /decision to /decisions (#1036) (5d23dcb)
- Standardize license headers (#1024) (851cd0f)
Features
Tests
Changelog
- 9665fff autogen(docs): generate and bump docs
- ae9a754 autogen(docs): regenerate and update changelog
- 0262948 autogen(docs): regenerate and update changelog
- 7150da0 autogen(docs): regenerate and update changelog
- 3df857a autogen(docs): regenerate and update changelog
- 37f576b autogen(docs): regenerate and update changelog
- 6f26b99 autogen(docs): regenerate and update changelog
- 6e54918 autogen(docs): regenerate and update changelog
- a3600af autogen(docs): regenerate and update changelog
- 7159176 autogen(docs): regenerate and update changelog
- 9b5c899 autogen(docs): regenerate and update changelog
- 4f27378 autogen(docs): regenerate and update changelog
- e2737ab autogen(docs): regenerate and update changelog
- 9c92010 autogen(openapi): regenerate swagger spec and internal client
- ae7b65b autogen(openapi): regenerate swagger spec and internal client
- 431f415 autogen: pin v0.40.1 release commit
- 2532da3 chore: fix formatting (#1022)
- 229f6e9 chore: format using Make (#1014)
- 88e7caf chore: license checker (#1027)
- f363b3a chore: list contributors in file (#1032)
- 910ba45 chore: remove double-tabs from Makefile (#1019)
- ab50e06 chore: remove listx dependency (#1021)
- f810a0b chore: remove obsolete header (#1028)
- 8e742cc chore: update Ory CLI with breaking changes to the format task (#1030)
- b8bda91 chore: update copyrights for 2023 (#1048)
- 19c0e52 chore: update repository templates
- 6e3844e chore: update repository templates to ory/meta@19eed81
- 1e047c2 chore: update repository templates to ory/meta@23d918a
- 864b5ba chore: update repository templates to ory/meta@4a68ca0
- f68646e chore: update repository templates to ory/meta@4ef1342
- 5b3836c chore: update repository templates to ory/meta@6ab5ce6
- 376a2dc chore: update repository templates to ory/meta@852a1ae
- 84f9405 chore: update repository templates to ory/meta@935cc04
- f1819fb chore: update repository templates to ory/meta@a1264fa
- 75746e7 chore: update repository templates to ory/meta@a2fba7e
- a6feb49 chore: update repository templates to ory/meta@b41b1ee
- dbfbddd chore: update repository templates to ory/meta@d3f8710
- 079bfd6 ci: bump dockle
- 5d23dcb docs: fix typo from /decision to /decisions (#1036)
- 851cd0f docs: standardize license headers (#1024)
- 8f42940 feat: move to open telemetry (#1047)
- f74e8e8 feat: mutator tracing (#1050)
- b9365a6 fix: align proxy mode log level with decision mode log level for access request granted log (#1029)
- 2661190 fix: allow otel tracing provider in config (#1039)
- c1ed811 fix: decouple cloud storage tests
- 32aa172 fix: do not leak sensitive data from gRPC middleware
- 6fa3978 fix: ignore query string when using X-Forwarded-Uri (#1025)
- 1daecb6 fix: init registry in middleware
- 099bcf0 test: fix flaky tests
- 7017fdf test: remove t.Parallel() from tests that use the same cache and key
Artifacts can be verified with cosign using this public key.
v0.40.0
This release introduces the new Koanf-based configuration system, resolves several issues, and introduces an experimental gRPC middleware.
Bug Fixes
- Adds tracing to cookie_session and bearer_token authenticators (#995) (6504c0a)
- Do not load from env in middleware (b42261e)
- Make metric name consistent with rest of ory ecosystem (#1010) (c3c5854)
- Move .schema to spec (8ab6f85)
- Remove packr (7f32bc2)
Code Generation
- Pin v0.40.0 release commit (f2cd421)
Code Refactoring
Features
- Add Oathkeeper gRPC middleware (210aa5e):
  This adds a gRPC middleware that encapsulates the Oathkeeper logic. Matching on gRPC traffic now happens in its own rule. To match against gRPC traffic, you can use Authority and FullMethod instead of URL and Methods.
Tests
- Add gRPC matcher tests (dc8c361)
Changelog
- 54c40f2 autogen(docs): generate and bump docs
- 7e52903 autogen(docs): regenerate and update changelog
- b045906 autogen(docs): regenerate and update changelog
- 708ad9d autogen(docs): regenerate and update changelog
- becfc76 autogen(openapi): regenerate swagger spec and internal client
- 0fafa73 autogen(openapi): regenerate swagger spec and internal client
- 6e4ce40 autogen(openapi): regenerate swagger spec and internal client
- 686efbe autogen(openapi): regenerate swagger spec and internal client
- f2cd421 autogen: pin v0.40.0 release commit
- 562cabe chore: format
- 20fbb8e chore: move to go 1.19
- 1738e61 chore: sort package.json (#1002)
- 210aa5e feat: add Oathkeeper gRPC middleware
- 6504c0a fix: adds tracing to cookie_session and bearer_token authenticators (#995)
- b42261e fix: do not load from env in middleware
- c3c5854 fix: make metric name consistent with rest of ory ecosystem (#1010)
- 8ab6f85 fix: move .schema to spec
- 7f32bc2 fix: remove packr
- 6bac536 refactor: use koanf configuration system (#999)
- dc8c361 test: add gRPC matcher tests
Artifacts can be verified with cosign using this public key.