Releases: buzzfeed/sso
v3.0.0
Changelog
This release changes the configuration variables used by `sso_proxy`, so care must be taken while upgrading to this version.
To aid the introduction of these new variables, please reference the description in #279, and particularly, the table included at the bottom of the referenced pull request.
Features & Enhancements 🚀
- sso_*: rename 'options' package to 'validators' - rename the `options` package to `validators`, better fitting its responsibility.
- sso_*: use ProxyFromEnvironment in http Transport - allow traffic to be passed through a proxy by setting the relevant environment variables.
- sso_*: change 'master' references to 'main' - after renaming the `master` branch to `main`, change relevant references throughout the repo.
- sso-proxy: command line tool to generate request signatures - command line tool to aid with testing request signature validation logic.
- sso_*: prevent copying of session between upstreams - add a new `AuthorizedUpstream` value to the session, allowing us to prevent using the same session with a different upstream.
- sso_*: update to Go 1.14 - update `sso_proxy` and `sso_auth` to Go 1.14.
- sso_auth: make provider_*_okta_server optional - as stated in the quickstart, allow `provider_*_okta_server` to be optional.
- codecov: update to project threshold to explicit % - update codecov configuration as a result of
- sso_proxy: update to use go-micro for configuration management - bring `sso_proxy` in line with `sso_auth` by using go-micro for configuration management. [⚠️ BREAKING CHANGE ⚠️]
- sso_*: remove vendored dependencies - to improve clarity, remove vendored dependencies and rely entirely on go modules.
- sso: update go modules - update dependencies, and make use of `-mod=readonly`.
- release_drafter: add basic config and template for releases - use release-drafter to automate the updating of draft releases.
- auth: amazon cognito provider - adds Amazon Cognito as an additional identity provider.
Bug Fixes 🐛
- sso_proxy: add missing return - add a missing return; resolves a simple bug.
- sso_proxy: allow empty slice of groups - when validating groups, allow an empty slice of groups to be passed in.
- sso_*: proxy path-components with %-escaped characters intact - fix proxying to paths that include %-encoded characters.
- fillcache: remove group from cache if it can't be found by the identity provider - proactively delete groups from the cache if they can no longer be found.
- fillcache pkg: trigger cache update immediately - fill the group cache immediately, instead of waiting for the first TTL to pass.
- sso_proxy: fix request signer hash panic - create a new `hash.Hash` within each request signer to prevent a race condition.
- sso_proxy: reduce amount of group validations - we started to run group validations too often, so reduce the frequency.
- cmd: ensure http servers shut down gracefully - don't forcefully abort requests on shutdown; handle them gracefully instead.
- sso_*: allow group validator to be used standalone - similar to emails and domains, allow groups to be used for validation on their own.
Documentation 📖
- sso_proxy: document provider slug configs - add missing documentation around provider slugs
- docs: update quickstart guide - add some missing points, and improve the clarity of the quickstart documentation.
- sso_proxy: Add comment marking private key as test data - make it extra clear that the test private key is in fact only for testing purposes.
Release Contributors: @Jusshersmith, @benjsto, @jphines, @itwasntandy, @mccutchen, @katzdm, and @kjetijor
v2.1.0
Changelog
Note: This release includes changes to how users are validated using email domains, email addresses, and email groups. With each of these 'validator' mechanisms that is configured, the user will be allowed access as long as at least one passes, rather than requiring all to pass.
Please see #253 for more information.
Features
- proxy: Allow injection of request headers - ability to add headers to the request before sending to the proxied service.
- sso_proxy: ability to define allowed email address/domain in upstream config - adds ability to define allowed email addresses and allowed domains directly into upstream configs, rather than only globally.
- sso-proxy: add websocket support - adds support for upstreams using websockets.
- sso_proxy: add test for websockets and update docs - adds some tests for websocket functionality, and updates documentation accordingly.
- sso_*: allow simultaneous use of Validators - reworks the 'validator' mechanism and abstractions, and allows a request through provided at least one of the validators passes.
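Added example, not code from the sso repository: a Go sketch of the "at least one configured validator passes" rule described in the note above and in the "allow simultaneous use of Validators" item, with a domain validator and a group validator, and the earlier all-must-pass behaviour kept beside it for comparison. The `Identity` and `Validator` shapes, the validator names, and the fail-closed handling of an empty validator list are assumptions of this example; an email-address validator would follow the same pattern as the domain one.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Identity is the user information the validators inspect. The field names are
// an assumption of this example, not sso's own session type.
type Identity struct {
	Email  string
	Groups []string
}

// Validator decides whether an identity may pass. Assumed interface shape.
type Validator interface {
	Validate(id Identity) bool
}

// EmailDomainValidator passes any address whose domain is on the allow-list.
type EmailDomainValidator struct{ Domains []string }

func (v EmailDomainValidator) Validate(id Identity) bool {
	at := strings.LastIndex(id.Email, "@")
	if at < 0 || at == len(id.Email)-1 {
		return false // no domain part: never a match
	}
	domain := id.Email[at+1:]
	for _, d := range v.Domains {
		if strings.EqualFold(d, domain) {
			return true
		}
	}
	return false
}

// GroupValidator passes a user who belongs to at least one allowed group.
type GroupValidator struct{ Groups []string }

func (v GroupValidator) Validate(id Identity) bool {
	for _, want := range v.Groups {
		for _, have := range id.Groups {
			if want == have {
				return true
			}
		}
	}
	return false
}

// ErrNoValidators is returned when nothing is configured; this example fails
// closed in that case, which is a choice of the example rather than of sso.
var ErrNoValidators = errors.New("no validators configured")

// AuthorizeAny is the v2.1.0 semantics: the configured validators are ORed and
// the request passes as soon as one of them passes.
func AuthorizeAny(id Identity, validators []Validator) (bool, error) {
	if len(validators) == 0 {
		return false, ErrNoValidators
	}
	for _, v := range validators {
		if v.Validate(id) {
			return true, nil
		}
	}
	return false, nil
}

// AuthorizeAll is the earlier behaviour the release note contrasts with: every
// configured validator must pass. Shown only to make the change visible.
func AuthorizeAll(id Identity, validators []Validator) (bool, error) {
	if len(validators) == 0 {
		return false, ErrNoValidators
	}
	for _, v := range validators {
		if !v.Validate(id) {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	// Constructed configuration: an allowed domain plus an allowed group.
	validators := []Validator{
		EmailDomainValidator{Domains: []string{"example.com"}},
		GroupValidator{Groups: []string{"admins"}},
	}
	alice := Identity{Email: "alice@example.com", Groups: []string{"ops"}}
	anyOK, _ := AuthorizeAny(alice, validators)
	allOK, _ := AuthorizeAll(alice, validators)
	fmt.Printf("alice: any-of=%v all-of=%v\n", anyOK, allOK) // any-of=true all-of=false
}
```

The practical consequence for operators is in the contrast: under the new semantics a domain allow-list alone is sufficient for access, so a group restriction configured next to it no longer narrows the domain; it widens the set of people who get in.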
Bugs and Fixes
- bug: remove auth code secret - Clears up usage of `AUTH_CODE_SECRET`.
- sso_auth: add default for groupcache settings - fixes groupcache bug causing a panic if a particular config variable is unset.
- sso_*: fix 500 error caused by expired Okta refresh token - fixes handling of the error and UX caused by an expired Okta refresh token.
Documentation
- Update google_provider_setup.md - Updates Google provider config variable documentation
- docs: outline env vars and fix provider setup documentation - adds documentation around available configuration variables for `sso_auth` and their types.
v2.0.0
Changelog
Note: this release contains multiple breaking or potentially breaking changes. Please read the release notes carefully if you are upgrading from a previous version.
Providers
- sso: send access token on group information query - Pass the access token to all identity providers by default. (in preparation for the implementation of Okta and other providers)
- sso: okta provider MVP - Adds initial support for an Okta identity provider.
- providers: group caching mechanism for okta provider - Introduces a mechanism to cache the group memberships within the Okta identity provider.
- sso: support multiple identity providers - Adds support for configuration of multiple unique identity providers using go-config. We previously started to add support for this using viper within sso: introduce Viper for sso config management, however decided to roll back in favour of go-config. [BREAKING - see last section of release notes for further information]
CI
- sso: makefile releasepush - Adds a task to the makefile for pushing a release to Docker Hub
- ci: integrate with Codecov for test coverage - Integrate repo with Codecov to help track and monitor test coverage
- ci: remove minimum coverage setting - Fine tune Codecov integration settings for PRs
- ci: introduce circleci workflows - Introduces use of CircleCI Workflows, and improves workflow around image tagging
Auth
- sso_auth: add identity provider slug to url path and mux - Allow use of multiple provider slugs, while keeping backwards compatibility
- sso_auth: use hostmux and ping - Using hostmux, allow for use of `/ping` as a host header.
- authenticator: remove misc/cruft configuration - Clean up redundant code and configuration
- sso_auth: add default provider slug - Add default identity provider to make migrations easier and more streamlined.
- auth: allow proxying root domains - Allow serving of content on root domains, in addition to subdomains.
- auth: update google version endpoints - Some general cleanup of the google provider, and updates version of the provider endpoints.
Proxy
- sso-proxy: refactor routing into hostmux, refactor oauthproxy startup - Refactor and uncouple routing, upstream configuration, and provider information from the OAuth layer.
- Configure Proxy CookieName via Env Var - Enable setting of the proxy CookieName configuration variable via environment variables.
- sso-proxy: refactor reverse proxy into separate file w/ tests - Refactors reverse proxy and upstream logic into separate files, helping to test changes and isolate portions of code.
- sso-proxy: avoid oversized cookies - gzip the marshalled json containing cookies before encryption to reduce size
- proxy: transition idps ux flow - Improve UX flow during the transition of identity providers, specifically where the existing cookie is for the previous provider.
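Added example, not code from the sso repository: a Go sketch of how a proxy session cookie can be bound to a single upstream (the v3.0.0 "prevent copying of session between upstreams" change, which adds `AuthorizedUpstream` to the session), layered on the "avoid oversized cookies" step above, where the marshalled JSON is gzipped before it is encrypted. The `SessionState` field names, the AES-GCM sealing and the cookie layout are this example's assumptions, not sso's own format.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// SessionState is a simplified stand-in for the session sso_proxy keeps in its cookie;
// AuthorizedUpstream is the field v3.0.0 adds, the other names are this example's assumptions.
type SessionState struct {
	Email              string `json:"email"`
	AuthorizedUpstream string `json:"authorized_upstream"`
}

var ErrWrongUpstream = errors.New("session was authorized for a different upstream")

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal marshals the session to JSON, gzips it (the v2.0.0 "avoid oversized cookies"
// step) and encrypts it with AES-GCM; the nonce is prepended and the result base64-encoded.
func Seal(key []byte, s SessionState) (string, error) {
	raw, err := json.Marshal(s)
	if err != nil {
		return "", err
	}
	var zipped bytes.Buffer
	zw := gzip.NewWriter(&zipped)
	zw.Write(raw) // writes into a bytes.Buffer cannot fail
	if err := zw.Close(); err != nil {
		return "", err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, zipped.Bytes(), nil)
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Open reverses Seal; any modification fails GCM authentication before gzip or JSON run.
func Open(key []byte, cookie string) (SessionState, error) {
	var s SessionState
	sealed, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil {
		return s, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return s, err
	}
	if len(sealed) < gcm.NonceSize() {
		return s, errors.New("cookie too short")
	}
	plain, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	if err != nil {
		return s, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(plain))
	if err != nil {
		return s, err
	}
	defer zr.Close()
	err = json.NewDecoder(zr).Decode(&s)
	return s, err
}

// CheckUpstream is the v3.0.0 rule: a session is only valid for the upstream it was
// authorized for, so a cookie copied from one upstream cannot be replayed at another.
func CheckUpstream(s SessionState, upstream string) error {
	if s.AuthorizedUpstream == "" || s.AuthorizedUpstream != upstream {
		return ErrWrongUpstream
	}
	return nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, not a real secret
	cookie, _ := Seal(key, SessionState{Email: "alice@example.com", AuthorizedUpstream: "wiki"})
	got, _ := Open(key, cookie)
	fmt.Println("wiki :", CheckUpstream(got, "wiki"))  // <nil>
	fmt.Println("admin:", CheckUpstream(got, "admin")) // session was authorized for a different upstream
}
```

The point of the check is that encryption alone does not stop a cookie from being moved: every upstream behind the same proxy shares the cookie key, so a valid cookie for one upstream decrypts fine at another. Recording the upstream inside the sealed payload, and rejecting any mismatch (or an unbound session) at the proxy, is what closes that gap.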
Bugs and Fixes
- proxy/request signers: request signers should also sign access token - Ensure access tokens are signed in request signatures
- sso-proxy: clear csrf token further down the request flow - Fix bug causing the ‘Group membership required’ to cause a ‘http: named cookie not present’ error upon refresh.
- docker: don't run as root - Run SSO docker containers as a dedicated user, rather than root.
- pkg/logging: resolve timestamp bug - Fix timestamp formatting in logging package.
- sso_proxy: don't set timeout when flush interval is set - Fix issue causing request flushing to be ignored if a request timeout is also set.
- sso_auth: fix client authentication for revoke endpoint - Fixes bug preventing successful use of the `/oauth2/sign_out` endpoint within the Okta provider
- sso_proxy: user to lowercase - Normalise the casing of `X-Forwarded-User` to keep consistency. [POTENTIALLY BREAKING]
- ci: persist workspace further down the flow - Fix bug preventing test coverage reports being found by Codecov.
- docker: build from go 1.12 - Build binaries using go 1.12.
- sso_auth: fix action tag parsing - Fix parsing of the URL to form ‘action’ tags.
Documentation
- docs: update note on nested groups - Corrects documentation surrounding nested Google groups
- sso: okta provider setup documentation - Documentation on creation and configuration required for the Okta identity provider.
- sso quickstart/docs: update configuration variables - Updates to the Quickstart and provider set-up documentation. (particularly around new configuration variables)
Added Dependencies
There have been a number of dependencies added and/or updated. Please take the time to look through the dependencies in use by scanning through https://github.com/buzzfeed/sso/blob/master/go.mod.
Further details
To help with the introduction of the configuration variable changes in "sso: support multiple identity providers", below is a list of `old_var -> new_var` pairs for sso_auth only (these variable changes do not yet apply to sso_proxy).
`*` in `PROVIDER_*_TYPE` and others represents a unique identifier grouping together a set of provider configs.
### SESSION
(NEW) -> SESSION_COOKIE_NAME
COOKIE_SECRET -> SESSION_COOKIE_SECRET
COOKIE_EXPIRE -> SESSION_COOKIE_EXPIRE
COOKIE_DOMAIN -> SESSION_COOKIE_DOMAIN
COOKIE_REFRESH -> SESSION_COOKIE_REFRESH
COOKIE_SECURE -> SESSION_COOKIE_SECURE
COOKIE_HTTP_ONLY -> SESSION_COOKIE_HTTPONLY
SESSION_LIFETIME_TTL -> SESSION_LIFETIME
AUTH_CODE_SECRET -> SESSION_KEY
### CLIENT
PROXY_CLIENT_ID -> CLIENT_PROXY_ID
PROXY_CLIENT_SECRET -> CLIENT_PROXY_SECRET
### PROVIDER CONFIG FOR GOOGLE
(NEW) -> PROVIDER_*_TYPE
(NEW) -> PROVIDER_*_SLUG
CLIENT_ID -> PROVIDER_*_CLIENT_ID
CLIENT_SECRET -> PROVIDER_*_CLIENT_SECRET
SCOPE -> PROVIDER_*_SCOPE
### GOOGLE SPECIFIC
GOOGLE_SERVICE_ACCOUNT_JSON -> PROVIDER_*_GOOGLE_CREDENTIALS
GOOGLE_ADMIN_EMAIL -> PROVIDER_*_GOOGLE_IMPERSONATE
### OKTA SPECIFIC
OKTA_ORG_URL -> PROVIDER_*_OKTA_URL
PROVIDER_SERVER_ID -> PROVIDER_*_OKTA_SERVER
### GROUP REFRESH
GROUPS_CACHE_REFRESH_TTL -> PROVIDER_*_GROUPCACHE_INTERVAL_REFRESH
GROUPS_CACHE_PROVIDER_TTL -> PROVIDER_*_GROUPCACHE_INTERVAL_PROVIDER
### SERVER CONFIG
(NEW) -> SERVER_SCHEME
HOST -> SERVER_HOST
PORT -> SERVER_PORT
REQUEST_TIMEOUT -> SERVER_TIMEOUT_REQUEST
TCP_WRITE_TIMEOUT -> SERVER_TIMEOUT_WRITE
TCP_READ_TIMEOUT -> SERVER_TIMEOUT_READ
### AUTHORIZE CONFIG
PROXY_ROOT_DOMAIN -> AUTHORIZE_PROXY_DOMAINS
SSO_EMAIL_DOMAIN -> AUTHORIZE_EMAIL_DOMAINS
SSO_EMAIL_ADDRESSES -> AUTHORIZE_EMAIL_ADDRESSES
### METRICS CONFIG
STATSD_PORT -> METRICS_STATSD_PORT
STATSD_HOST -> METRICS_STATSD_HOST
### LOGGING CONFIG
REQUEST_LOGGING -> LOGGING_ENABLE
(NEW) -> LOGGING_LEVEL
v1.2.0
Changelog
- Add provider for individual e-mail address authentication (#113)
- Update documentation to reflect unsupported nested groups (#135)
- Change all session or csrf store logic to use internal `CookieStore` instead (#137)
- Prevent empty cookie header being added to request (#143)
- Remove unused `SecretBytes` function (#145)
- Install `curl` in the base image, allowing SSO to work with Istio liveness commands (#147)
- Allow specification of default allowed groups via environment config for upstreams (#148)
- Fix bug preventing effective use of nested Google groups (#149)
- Move to Go 1.11 and utilise Go Mod with vendored dependencies, instead of GPM (#154)
- Add attribution of `oauth2_proxy` to readme (#156)
- Add implementation of reset deadline for http transports to aid with dynamic routing environments (#159)
- Set limit for the `WriteTimeout` of `http.Server` to prevent `200 OK` being incorrectly sent on long, timed out requests (#163)
- Remove requirement to pull in dependency source code changes with each build (#168)
v1.1.0
Please take the SSO Community Survey to let us know how we're doing, and to help us plan our roadmap!
- Remove support for legacy alternative cookie cipher (#54)
- Ensure that `sso_auth` responds to pings (#65)
- Static files are embedded directly into binaries (#63)
- Allow per-upstream configuration of TLS verification (#49)
- Fixed data race for encryption cipher (#77)
- Refactoring of some provider logic, to facilitate additional providers (#76)
- `PROXY_ROOT_DOMAIN` is now a required option for `sso_auth` (#92)
- Added optional `PROVIDER_URL_INTERNAL` for split dns deployments (#88, #123)
- Removed default provider and associated unused functions (#87)
- Access token is now forwarded to upstreams via `X-Forwarded-AccessToken` header, when proxy option `PASS_ACCESS_TOKEN` is set (#109)
- Added support for digital signing of upstream requests, via `Sso-Signature` header (#106)
- Added `preserve_host` option to upstream configs (#55)
- Various other minor fixes, cleanups, etc.
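Added example, not sso_proxy's own signer: a Go request signer for the `Sso-Signature` header introduced in this release, covering the `X-Forwarded-AccessToken` header as the v2.0.0 "request signers should also sign access token" item requires, and built so that a new HMAC (a `hash.Hash`) is created per call, which is the shape of the v3.0.0 "request signer hash panic" fix. The canonical string, the set of covered headers and the base64 encoding are assumptions of this example, not sso's wire format.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// signedHeaders are the proxy-set headers the signature covers. The release notes do not
// list what sso_proxy covers; these two names appear on the page and are an assumption.
var signedHeaders = []string{"X-Forwarded-User", "X-Forwarded-AccessToken"}

// RequestSigner holds only the key. A fresh HMAC (a hash.Hash) is built inside every
// call: a hash.Hash carries buffer state and is not safe for concurrent use, which is
// the race behind the v3.0.0 "request signer hash panic" fix.
type RequestSigner struct{ key []byte }

func NewRequestSigner(key []byte) *RequestSigner { return &RequestSigner{key: key} }

// canonical is the byte string the signature covers: method, escaped path (so %-escapes
// are signed as sent), raw query, the signed headers in fixed order, then the body.
func canonical(r *http.Request, body []byte) []byte {
	var b bytes.Buffer
	fmt.Fprintf(&b, "%s\n%s\n%s\n", r.Method, r.URL.EscapedPath(), r.URL.RawQuery)
	for _, h := range signedHeaders {
		fmt.Fprintf(&b, "%s:%s\n", strings.ToLower(h), r.Header.Get(h))
	}
	b.Write(body)
	return b.Bytes()
}

// readBody drains the body and puts a replayable copy back so the upstream still gets it.
func readBody(r *http.Request) ([]byte, error) {
	if r.Body == nil {
		return nil, nil
	}
	body, err := io.ReadAll(r.Body)
	if err != nil {
		return nil, err
	}
	r.Body = io.NopCloser(bytes.NewReader(body))
	return body, nil
}

// mac computes HMAC-SHA256 over the canonical form with a hash created for this call only.
func (s *RequestSigner) mac(r *http.Request, body []byte) []byte {
	m := hmac.New(sha256.New, s.key) // never stored on the signer, never shared
	m.Write(canonical(r, body))
	return m.Sum(nil)
}

// Sign returns the base64 value to send in the Sso-Signature header.
func (s *RequestSigner) Sign(r *http.Request) (string, error) {
	body, err := readBody(r)
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(s.mac(r, body)), nil
}

// Verify is what an upstream runs on the received header; hmac.Equal is constant-time,
// so a forged or altered signature is rejected without a timing side channel.
func (s *RequestSigner) Verify(r *http.Request, sig string) (bool, error) {
	want, err := base64.RawURLEncoding.DecodeString(sig)
	if err != nil {
		return false, err
	}
	body, err := readBody(r)
	if err != nil {
		return false, err
	}
	return hmac.Equal(s.mac(r, body), want), nil
}

func main() {
	signer := NewRequestSigner([]byte("constructed-demo-key")) // demo key, not a real secret
	req, _ := http.NewRequest("POST", "https://app.example.test/api?x=1", strings.NewReader(`{"a":1}`))
	req.Header.Set("X-Forwarded-User", "alice")
	sig, _ := signer.Sign(req)
	req.Header.Set("Sso-Signature", sig)
	ok, _ := signer.Verify(req, req.Header.Get("Sso-Signature"))
	fmt.Println("signature verifies:", ok) // true
}
```

Because the access token is part of the signed string, an upstream that verifies the header can tell a token forwarded by the proxy from one injected by whoever reached the upstream directly; and because each call owns its hash, the signer can sit behind a shared `http.Transport` and be called from many request goroutines at once.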
v1.0.0
v1.0.0 Release Notes
Initial open source release