Release Highlights
- New Azure groups support for Azure OAuth2 v2.0
- Option to configure API routes - paths that will not redirect to login when unauthenticated
- CSRF and session cookies now have different timeouts
Important Notes
- #1708 Enable different CSRF cookies per request (@miguelborges99)
- Since the CSRF cookie name is now longer it could potentially break long cookie names (around 1000 characters).
- Having a unique CSRF cookie per request can lead to quite a number of cookies, in case an application performs a high number of parallel authentication requests. Each call will redirect to /oauth2/start, if the user is not authenticated, and a new cookie will be set. The successfully authenticated requests will have its CSRF cookies immediatly expired, however the failed ones will mantain its CSRF cookies until they expire (by default in 15 minutes).
- The user may redefine the CSRF cookie expiration time using flag "--cookie-csrf-expire" (e.g. --cookie-csrf-expire=5m). By default, it is 15 minutes, but you can fine tune to your environment.
- #1574 Add Azure groups support and Azure OAuth v2.0 (@adriananeci)
- group membership check is now validated while using the the azure provider.
- Azure OAuth v2.0 (https://login.microsoftonline.com/{tenant_id}/v2.0) is now available along with Azure OAuth v1.0. See https://github.com/oauth2-proxy/oauth2-proxy/blob/master/docs/docs/configuration/auth.md#azure-auth-provider for more details
- When using v2.0 Azure Auth endpoint (
https://login.microsoftonline.com/{tenant-id}/v2.0) as--oidc_issuer_url, in conjunction with--resourceflag, be sure to append/.defaultat the end of the resource name. See https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#the-default-scope for more details.
- This release includes fixes for a number of CVEs, we recomend to upgrade as soon as possible.
Breaking Changes
N/A
Changes since v7.3.0
- #1862 Update dependencies (@JoelSpeed)
- #1828 call providerData.setProviderDefaults for oidc provider to achieve consistent behaviour (@Centzilius)
- UserClaim will be set to sub instead of beeing empty from now on.
- #1691 Fix Redis IdleTimeout when Redis timeout option is set to non-zero (@Dimss)
- #1669 Fix method deprecated error in lint (@t-katsumura)
- #1701 Watch the htpasswd file for changes and update the htpasswdMap (@aiciobanu)
- #1709 Show an alert message when basic auth credentials are invalid (@aiciobanu)
- #1723 Added ability to specify allowed TLS cipher suites. (@crbednarz)
- #1720 Extract roles from authToken, to allow using allowed roles with Keycloak. (@MrDeerly )
- #1774 Fix vulnerabilities CVE-2022-27191, CVE-2021-44716 and CVE-2022-29526. (@felipeconti)
- #1667 Rename configuration file flag for PKCE (@ChrisEke)
to remain consistent with CLI flags. You should specifycode_challenge_methodin your configuration instead of
force_code_challenge_method. - #1708 Enable different CSRF cookies per request (@miguelborges99)
- Add flag "--cookie-csrf-per-request" which activates an algorithm to name CSRF cookies differently per request.
This feature allows parallel callbacks and by default it is disabled. - Add flag "--cookie-csrf-expire" to define a different expiration time for the CSRF cookie. By default, it is 15 minutes.
- Add flag "--cookie-csrf-per-request" which activates an algorithm to name CSRF cookies differently per request.
- #1762 Support negating for skip auth routes (@ianldge)
- #1788 Update base docker image to alpine 3.16 (@tooptoop4)
- #1760 Option to configure API routes (@segfault16)
- #1825 Fix vulnerabilities CVE-2022-32149 and CVE-2022-27664. (@crbednarz)
- #1750 Fix Nextcloud provider (@n1tehawk)
- #1574 Add Azure groups support and Azure OAuth v2.0 (@adriananeci)
- #1851 Bump golang to 1.19 and min allowed version to 1.18 (@adriananeci)
- #1815 Keycloak: save user and preferredUsername in session to populate headers for the backend (@babs)
- #1847 Update go-redis/redis to v9 (@arhamGH)