oauth2_proxy/CHANGELOG.md

# Vx.x.x (Pre-release)

## Changes since v3.2.0

# v3.2.0

## Release highlights
- Internal restructure of session state storage to use JSON rather than proprietary scheme
- Added health check options for running on GCP behind a load balancer
- Improved support for protecting websockets
- Added provider for login.gov
- Allow manual configuration of OIDC providers

## Important notes
- Dockerfile user is now non-root, this may break your existing deployment
- In the OIDC provider, when no email is returned, the ID Token subject will be used
instead of returning an error
- GitHub user emails must now be primary and verified before authenticating

## Changes since v3.1.0

- [#96](https://github.com/bitly/oauth2_proxy/pull/96) Check if email is verified on GitHub (@caarlos0)
- [#110](https://github.com/pusher/oauth2_proxy/pull/110) Added GCP healthcheck option (@timothy-spencer)
- [#112](https://github.com/pusher/oauth2_proxy/pull/112) Improve websocket support (@gyson)
- [#63](https://github.com/pusher/oauth2_proxy/pull/63) Use encoding/json for SessionState serialization (@yaegashi)
  - Use JSON to encode session state to be stored in browser cookies
  - Implement legacy decode function to support existing cookies generated by older versions
  - Add detailed table driven tests in session_state_test.go
- [#120](https://github.com/pusher/oauth2_proxy/pull/120) Encrypting user/email from cookie (@costelmoraru)
- [#55](https://github.com/pusher/oauth2_proxy/pull/55) Added login.gov provider (@timothy-spencer)
- [#55](https://github.com/pusher/oauth2_proxy/pull/55) Added environment variables for all config options (@timothy-spencer)
- [#70](https://github.com/pusher/oauth2_proxy/pull/70) Fix handling of splitted cookies (@einfachchr)
- [#92](https://github.com/pusher/oauth2_proxy/pull/92) Merge websocket proxy feature from openshift/oauth-proxy (@butzist)
- [#57](https://github.com/pusher/oauth2_proxy/pull/57) Fall back to using OIDC Subject instead of Email (@aigarius)
- [#85](https://github.com/pusher/oauth2_proxy/pull/85) Use non-root user in docker images (@kskewes)
- [#68](https://github.com/pusher/oauth2_proxy/pull/68) forward X-Auth-Access-Token header (@davidholsgrove)
- [#41](https://github.com/pusher/oauth2_proxy/pull/41) Added option to manually specify OIDC endpoints instead of relying on discovery
- [#83](https://github.com/pusher/oauth2_proxy/pull/83) Add `id_token` refresh to Google provider (@leki75)
- [#10](https://github.com/pusher/oauth2_proxy/pull/10) fix redirect url param handling (@dt-rush)
- [#122](https://github.com/pusher/oauth2_proxy/pull/122) Expose -cookie-path as configuration parameter (@costelmoraru)
- [#124](https://github.com/pusher/oauth2_proxy/pull/124) Use Go 1.12 for testing and build environments (@syscll)

# v3.1.0

## Release highlights

- Introduction of ARM releases and and general improvements to Docker builds
- Improvements to OIDC provider allowing pass-through of ID Tokens
- Multiple redirect domains can now be whitelisted
- Streamed responses are now flushed periodically

## Important notes

- If you have been using [#bitly/621](https://github.com/bitly/oauth2_proxy/pull/621)
  and have cookies larger than the 4kb limit,
  the cookie splitting pattern has changed and now uses `_` in place of `-` when
  indexing cookies.
  This will force users to reauthenticate the first time they use `v3.1.0`.
- Streamed responses will now be flushed every 1 second by default.
  Previously streamed responses were flushed only when the buffer was full.
  To retain the old behaviour set `--flush-interval=0`.
  See [#23](https://github.com/pusher/oauth2_proxy/pull/23) for further details.

## Changes since v3.0.0

- [#14](https://github.com/pusher/oauth2_proxy/pull/14) OIDC ID Token, Authorization Headers, Refreshing and Verification (@joelspeed)
  - Implement `pass-authorization-header` and `set-authorization-header` flags
  - Implement token refreshing in OIDC provider
  - Split cookies larger than 4k limit into multiple cookies
  - Implement token validation in OIDC provider
- [#15](https://github.com/pusher/oauth2_proxy/pull/15) WhitelistDomains (@joelspeed)
  - Add `--whitelist-domain` flag to allow redirection to approved domains after OAuth flow
- [#21](https://github.com/pusher/oauth2_proxy/pull/21) Docker Improvement (@yaegashi)
  - Move Docker base image from debian to alpine
  - Install ca-certificates in docker image
- [#23](https://github.com/pusher/oauth2_proxy/pull/23) Flushed streaming responses
  - Long-running upstream responses will get flushed every <timeperiod> (1 second by default)
- [#24](https://github.com/pusher/oauth2_proxy/pull/24) Redirect fix (@agentgonzo)
  - After a successful login, you will be redirected to your original URL rather than /
- [#35](https://github.com/pusher/oauth2_proxy/pull/35) arm and arm64 binary releases (@kskewes)
  - Add armv6 and arm64 to Makefile `release` target
- [#37](https://github.com/pusher/oauth2_proxy/pull/37) cross build arm and arm64 docker images (@kskewes)

# v3.0.0

Adoption of OAuth2_Proxy by Pusher.
Project was hard forked and tidied however no logical changes have occurred since
v2.2 as released by Bitly.

## Changes since v2.2:

- [#7](https://github.com/pusher/oauth2_proxy/pull/7) Migration to Pusher (@joelspeed)
  - Move automated build to debian base image
  - Add Makefile
    - Update CI to run `make test`
    - Update Dockerfile to use `make clean oauth2_proxy`
    - Update `VERSION` parameter to be set by `ldflags` from Git Status
    - Remove lint and test scripts
  - Remove Go v1.8.x from Travis CI testing
  - Add CODEOWNERS file
  - Add CONTRIBUTING guide
  - Add Issue and Pull Request templates
  - Add Dockerfile
  - Fix fsnotify import
  - Update README to reflect new repository ownership
  - Update CI scripts to separate linting and testing
    - Now using `gometalinter` for linting
  - Move Go import path from `github.com/bitly/oauth2_proxy` to `github.com/pusher/oauth2_proxy`
  - Repository forked on 27/11/18
    - README updated to include note that this repository is forked
    - CHANGLOG created to track changes to repository from original fork
Add Fork notice 2018-11-27 11:23:37 +00:00			`# Vx.x.x (Pre-release)`

Update changelog for release v3.2.0 2019-04-12 09:27:42 +00:00			`## Changes since v3.2.0`

			`# v3.2.0`

			`## Release highlights`
			`- Internal restructure of session state storage to use JSON rather than proprietary scheme`
			`- Added health check options for running on GCP behind a load balancer`
			`- Improved support for protecting websockets`
			`- Added provider for login.gov`
			`- Allow manual configuration of OIDC providers`

			`## Important notes`
			`- Dockerfile user is now non-root, this may break your existing deployment`
			`- In the OIDC provider, when no email is returned, the ID Token subject will be used`
			`instead of returning an error`
			`- GitHub user emails must now be primary and verified before authenticating`

Update release notes for v3.1.0 2019-02-08 11:57:17 +00:00			`## Changes since v3.1.0`

fix: changelog 2019-03-11 17:55:02 +00:00			`- [#96](https://github.com/bitly/oauth2_proxy/pull/96) Check if email is verified on GitHub (@caarlos0)`
added the PR to the changelog 2019-03-20 21:44:01 +00:00			`- [#110](https://github.com/pusher/oauth2_proxy/pull/110) Added GCP healthcheck option (@timothy-spencer)`
Update CHANGELOG.md 2019-03-22 21:41:55 +00:00			`- [#112](https://github.com/pusher/oauth2_proxy/pull/112) Improve websocket support (@gyson)`
Use encoding/json for SessionState serialization (#63) * Use encoding/json for SessionState serialization In order to make it easier to extend in future. * Store only email and user in cookie when cipher is unavailable This improves safety and robustness, and also preserves the existing behaviour. * Add TestEncodeSessionState/TestDecodeSessionState Use the test vectors with JSON encoding just introduced. * Support session state encoding in older versions * Add test cases for legacy session state strings * Add check for wrong expiration time in session state strings * Avoid exposing time.Time zero value when encoding session state string * Update CHANGELOG.md 2019-03-20 13:59:24 +00:00			`- [#63](https://github.com/pusher/oauth2_proxy/pull/63) Use encoding/json for SessionState serialization (@yaegashi)`
			`- Use JSON to encode session state to be stored in browser cookies`
			`- Implement legacy decode function to support existing cookies generated by older versions`
			`- Add detailed table driven tests in session_state_test.go`
Encrypting user/email from cookie, add changelog 2019-04-09 12:00:17 +00:00			`- [#120](https://github.com/pusher/oauth2_proxy/pull/120) Encrypting user/email from cookie (@costelmoraru)`
add login.gov provider (#55) * first stab at login.gov provider * fixing bugs now that I think I understand things better * fixing up dependencies * remove some debug stuff * Fixing all dependencies to point at my fork * forgot to hit save on the github rehome here * adding options for setting keys and so on, use JWT workflow instead of PKCE * forgot comma * was too aggressive with search/replace * need JWTKey to be byte array * removed custom refresh stuff * do our own custom jwt claim and store it in the normal session store * golang json types are strange * I have much to learn about golang * fix time and signing key * add http lib * fixed claims up since we don't need custom claims * add libs * forgot ioutil * forgot ioutil * moved back to pusher location * changed proxy github location back so that it builds externally, fixed up []byte stuff, removed client_secret if we are using login.gov * update dependencies * do JWTs properly * finished oidc flow, fixed up tests to work better * updated comments, added test that we set expiresOn properly * got confused with header and post vs get * clean up debug and test dir * add login.gov to README, remove references to my repo * forgot to remove un-needed code * can use sample_key* instead of generating your own * updated changelog * apparently golint wants comments like this * linter wants non-standard libs in a separate grouping * Update options.go Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov> * Update options.go Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov> * remove sample_key, improve comments related to client-secret, fix changelog related to PR feedback * github doesn't seem to do gofmt when merging. :-) * update CODEOWNERS * check the nonce * validate the JWT fully * forgot to add pubjwk-url to README * unexport the struct * fix up the err masking that travis found * update nonce comment by request of @JoelSpeed * argh. Thought I'd formatted the merge properly, but apparently not. * fixed test to not fail if the query time was greater than zero 2019-03-20 13:44:51 +00:00			`- [#55](https://github.com/pusher/oauth2_proxy/pull/55) Added login.gov provider (@timothy-spencer)`
			`- [#55](https://github.com/pusher/oauth2_proxy/pull/55) Added environment variables for all config options (@timothy-spencer)`
Fixes deletion of splitted cookies - Issue #69 (#70) * fixes deletion of splitted cookies * three minor adjustments to improve the tests * changed cookie name matching to regex * Update oauthproxy.go Co-Authored-By: einfachchr <einfachchr@gmail.com> * removed unused variable * Changelog 2019-03-15 07:18:37 +00:00			`- [#70](https://github.com/pusher/oauth2_proxy/pull/70) Fix handling of splitted cookies (@einfachchr)`
Merge websocket proxy feature from openshift/oauth-proxy. Original author: Hiram Chirino <hiram@hiramchirino.com> 2019-03-08 08:15:21 +00:00			`- [#92](https://github.com/pusher/oauth2_proxy/pull/92) Merge websocket proxy feature from openshift/oauth-proxy (@butzist)`
Update changelog for pull request #57 2019-03-08 12:41:15 +00:00			`- [#57](https://github.com/pusher/oauth2_proxy/pull/57) Fall back to using OIDC Subject instead of Email (@aigarius)`
Update CHANGELOG.md Co-Authored-By: kskewes <karl.skewes@gmail.com> 2019-03-05 19:42:11 +00:00			`- [#85](https://github.com/pusher/oauth2_proxy/pull/85) Use non-root user in docker images (@kskewes)`
Access token forwarding through nginx auth request (#68) * Access token forwarding through nginx auth request Related to #420. (cherry picked from commit b138872beaaa7f47d43a1c0fef11a67f57e61eff) Signed-off-by: David Holsgrove <david.holsgrove@biarri.com> * Improved documentation for auth request token (cherry picked from commit 6fab314f7203f4d652bb34247abb4e7cb497c41d) Signed-off-by: David Holsgrove <david.holsgrove@biarri.com> * Update README.md Example should set header as `X-Access-Token` Co-Authored-By: davidholsgrove <davidholsgrove@users.noreply.github.com> * Update Changelog to reference https://github.com/pusher/oauth2_proxy/pull/68 * Fix Changelog message location 2019-02-22 07:49:57 +00:00			`- [#68](https://github.com/pusher/oauth2_proxy/pull/68) forward X-Auth-Access-Token header (@davidholsgrove)`
Add -skip-oidc-discovery option (#41) * added karrieretutor go-oidc fork for using an AAD B2C Policy * added karrieretutor go-oidc fork for using an AAD B2C Policy * added --skip-oidc-discovery option * added --skip-oidc-discovery option * add simple test for skip-oidc-discovery option * revert Dockerfile to pusher upstream * revert Dockerfile to pusher upstream * remove karrieretutor b2c option leftover * remove karrieretutor b2c option leftover * Fix typo (missing letters) Co-Authored-By: marratj <marrat@marrat.de> * Fix typo (missing letters) Co-Authored-By: marratj <marrat@marrat.de> * replace fake http client with NewProvider() from go-oidc * remove OIDC UserInfo URL option (not required) * add info about -skip-oidc-discovery to README * add note to changelog * Update outdated comment 2019-03-04 13:54:22 +00:00			`- [#41](https://github.com/pusher/oauth2_proxy/pull/41) Added option to manually specify OIDC endpoints instead of relying on discovery`
Add id_token refresh to Google provider (#83) 2019-03-05 14:07:10 +00:00			- [#83](https://github.com/pusher/oauth2_proxy/pull/83) Add `id_token` refresh to Google provider (@leki75)
fix redirect url param handling (#10) * Added conditional to prevent user-supplied redirect URL getting clobbered Change-type: patch * use redirectURL as OAuthCallbackURL (as it should be!) Change-type: patch 2019-03-05 14:58:26 +00:00			`- [#10](https://github.com/pusher/oauth2_proxy/pull/10) fix redirect url param handling (@dt-rush)`
Update the changelog 2019-04-09 21:42:17 +00:00			`- [#122](https://github.com/pusher/oauth2_proxy/pull/122) Expose -cookie-path as configuration parameter (@costelmoraru)`
build: use go 1.12 (#124) * build: use go 1.12 * Update CHANGELOG.md 2019-04-12 10:15:29 +00:00			`- [#124](https://github.com/pusher/oauth2_proxy/pull/124) Use Go 1.12 for testing and build environments (@syscll)`
Access token forwarding through nginx auth request (#68) * Access token forwarding through nginx auth request Related to #420. (cherry picked from commit b138872beaaa7f47d43a1c0fef11a67f57e61eff) Signed-off-by: David Holsgrove <david.holsgrove@biarri.com> * Improved documentation for auth request token (cherry picked from commit 6fab314f7203f4d652bb34247abb4e7cb497c41d) Signed-off-by: David Holsgrove <david.holsgrove@biarri.com> * Update README.md Example should set header as `X-Access-Token` Co-Authored-By: davidholsgrove <davidholsgrove@users.noreply.github.com> * Update Changelog to reference https://github.com/pusher/oauth2_proxy/pull/68 * Fix Changelog message location 2019-02-22 07:49:57 +00:00
Update release notes for v3.1.0 2019-02-08 11:57:17 +00:00			`# v3.1.0`

			`## Release highlights`

			`- Introduction of ARM releases and and general improvements to Docker builds`
			`- Improvements to OIDC provider allowing pass-through of ID Tokens`
			`- Multiple redirect domains can now be whitelisted`
			`- Streamed responses are now flushed periodically`

			`## Important notes`

Add note on changed flush-interval behaviour 2019-02-08 14:16:41 +00:00			`- If you have been using [#bitly/621](https://github.com/bitly/oauth2_proxy/pull/621)`
			`and have cookies larger than the 4kb limit,`
			the cookie splitting pattern has changed and now uses `_` in place of `-` when
			`indexing cookies.`
			This will force users to reauthenticate the first time they use `v3.1.0`.
			`- Streamed responses will now be flushed every 1 second by default.`
			`Previously streamed responses were flushed only when the buffer was full.`
			To retain the old behaviour set `--flush-interval=0`.
			`See [#23](https://github.com/pusher/oauth2_proxy/pull/23) for further details.`
Update release notes for v3.1.0 2019-02-08 11:57:17 +00:00
Release v3.0.0 2019-01-14 10:07:22 +00:00			`## Changes since v3.0.0`

Update documentation and changelog 2019-01-22 11:36:52 +00:00			`- [#14](https://github.com/pusher/oauth2_proxy/pull/14) OIDC ID Token, Authorization Headers, Refreshing and Verification (@joelspeed)`
			- Implement `pass-authorization-header` and `set-authorization-header` flags
			`- Implement token refreshing in OIDC provider`
			`- Split cookies larger than 4k limit into multiple cookies`
			`- Implement token validation in OIDC provider`
Add note on changed flush-interval behaviour 2019-02-08 14:16:41 +00:00			`- [#15](https://github.com/pusher/oauth2_proxy/pull/15) WhitelistDomains (@joelspeed)`
Add whitelist domain to changelog 2019-01-22 12:01:37 +00:00			- Add `--whitelist-domain` flag to allow redirection to approved domains after OAuth flow
Update changelog for Docker Improvements 2019-01-22 10:11:40 +00:00			`- [#21](https://github.com/pusher/oauth2_proxy/pull/21) Docker Improvement (@yaegashi)`
			`- Move Docker base image from debian to alpine`
			`- Install ca-certificates in docker image`
Add note on changed flush-interval behaviour 2019-02-08 14:16:41 +00:00			`- [#23](https://github.com/pusher/oauth2_proxy/pull/23) Flushed streaming responses`
Implemented flushing interval (#23) * Implemented flushing interval When proxying streaming responses, it would not flush the response writer buffer until some seemingly random point (maybe the number of bytes?). This makes it flush every 1 second by default, but with a configurable interval. * flushing CHANGELOG * gofmt and goimports 2019-01-31 14:02:15 +00:00			`- Long-running upstream responses will get flushed every <timeperiod> (1 second by default)`
redirect to original path after login (#24) * redirect to original path after login * tests for new redirect behaviour * fixed comment * added redirect fix to changelog 2019-01-29 12:13:02 +00:00			`- [#24](https://github.com/pusher/oauth2_proxy/pull/24) Redirect fix (@agentgonzo)`
			`- After a successful login, you will be redirected to your original URL rather than /`
feat(arm): Makefile add armv6 and arm64 to releases 2019-01-31 18:52:08 +00:00			`- [#35](https://github.com/pusher/oauth2_proxy/pull/35) arm and arm64 binary releases (@kskewes)`
			- Add armv6 and arm64 to Makefile `release` target
feat(arm): Cross build arm and arm64 docker images - Requires `qemu-user-static`, added to travis - maybe incorrect? - Add build guide - `.gitignore` `release/` directory 2019-02-01 23:08:19 +00:00			`- [#37](https://github.com/pusher/oauth2_proxy/pull/37) cross build arm and arm64 docker images (@kskewes)`
Update changelog for Docker Improvements 2019-01-22 10:11:40 +00:00
Release v3.0.0 2019-01-14 10:07:22 +00:00			`# v3.0.0`

			`Adoption of OAuth2_Proxy by Pusher.`
			`Project was hard forked and tidied however no logical changes have occurred since`
			`v2.2 as released by Bitly.`

Add Fork notice 2018-11-27 11:23:37 +00:00			`## Changes since v2.2:`

Fix changelog PR link 2019-01-14 10:47:01 +00:00			`- [#7](https://github.com/pusher/oauth2_proxy/pull/7) Migration to Pusher (@joelspeed)`
Release v3.0.0 2019-01-14 10:07:22 +00:00			`- Move automated build to debian base image`
			`- Add Makefile`
			- Update CI to run `make test`
			- Update Dockerfile to use `make clean oauth2_proxy`
			- Update `VERSION` parameter to be set by `ldflags` from Git Status
			`- Remove lint and test scripts`
			`- Remove Go v1.8.x from Travis CI testing`
			`- Add CODEOWNERS file`
			`- Add CONTRIBUTING guide`
			`- Add Issue and Pull Request templates`
			`- Add Dockerfile`
			`- Fix fsnotify import`
			`- Update README to reflect new repository ownership`
			`- Update CI scripts to separate linting and testing`
			- Now using `gometalinter` for linting
			- Move Go import path from `github.com/bitly/oauth2_proxy` to `github.com/pusher/oauth2_proxy`
			`- Repository forked on 27/11/18`
			`- README updated to include note that this repository is forked`
			`- CHANGLOG created to track changes to repository from original fork`