Authservice 1.1.0 fixes several CVEs and brings several new features:
- Added Token Exchange support: This release adds support for the OAuth2 Token Exchange flow. It can be used to exchange the token retrieved from the Identity Provider for an internal token suitable for accessing internal services. This is useful when the token obtained directly from the Identity Provider does not grant access to all the services behind Authservice.
- Redis connection parameters: In this release, the configuration has been enhanced to allow setting the Redis connection options when using Redis as a session store. This can be used to better configure Redis credentials or mTLS certificates.
- Better file watching: The watchers that track changes to files have been optimized. In previous releases, watched files were reloaded at a fixed polling interval. In this release this has been refactored, and changes to watched files (client secret, Redis credentials, OIDC CA files, etc.) are now reflected as they happen.
- CVE fixes: Go and dependency bumps addressing CVE-2025-22866, CVE-2025-22871 and CVE-2025-47907, among others (see the detailed changelog below).
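As an added illustration of the Token Exchange flow described above (this is example code, not Authservice's own implementation), the following Go program performs an RFC 8693 token exchange against an in-process stand-in for the internal authorization server. The endpoint URL, client id and secret, subject token and audience are all constructed values; the parameter names and the grant type URI are those defined by RFC 8693. The stand-in server rejects wrong client credentials, unknown grant types and subject tokens it does not recognize, which is the behaviour a defender should expect from a real exchange endpoint.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Identifiers defined by RFC 8693 (OAuth 2.0 Token Exchange).
const (
	grantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"
	tokenTypeAccessToken   = "urn:ietf:params:oauth:token-type:access_token"
)

// ExchangeResponse is the JSON body a token endpoint returns on a successful exchange.
type ExchangeResponse struct {
	AccessToken     string `json:"access_token"`
	IssuedTokenType string `json:"issued_token_type"`
	TokenType       string `json:"token_type"`
	ExpiresIn       int    `json:"expires_in"`
}

// ExchangeToken sends the IdP-issued subject token to the internal authorization
// server (tokenURL, a constructed/assumed endpoint) and returns the token issued in exchange.
func ExchangeToken(client *http.Client, tokenURL, clientID, clientSecret, subjectToken, audience string) (*ExchangeResponse, error) {
	form := url.Values{}
	form.Set("grant_type", grantTypeTokenExchange)
	form.Set("subject_token", subjectToken)
	form.Set("subject_token_type", tokenTypeAccessToken)
	form.Set("audience", audience)

	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret) // client_secret_basic client authentication

	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token exchange failed: status %d", resp.StatusCode)
	}
	var out ExchangeResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, err
	}
	if out.AccessToken == "" {
		return nil, fmt.Errorf("token exchange response carries no access_token")
	}
	return &out, nil
}

// NewFakeAuthServer is a constructed stand-in for the internal authorization server.
// It accepts only the expected client credentials, grant type and subject token type,
// only a subject token it knows, and issues an audience-scoped internal token.
func NewFakeAuthServer(clientID, clientSecret, knownSubjectToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if !ok || id != clientID || secret != clientSecret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		if err := r.ParseForm(); err != nil ||
			r.PostForm.Get("grant_type") != grantTypeTokenExchange ||
			r.PostForm.Get("subject_token_type") != tokenTypeAccessToken {
			http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
			return
		}
		if r.PostForm.Get("subject_token") != knownSubjectToken {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(ExchangeResponse{
			AccessToken:     "internal-token-for-" + r.PostForm.Get("audience"),
			IssuedTokenType: tokenTypeAccessToken,
			TokenType:       "Bearer",
			ExpiresIn:       300,
		})
	}))
}

func main() {
	srv := NewFakeAuthServer("authservice", "s3cret", "idp-access-token")
	defer srv.Close()
	tok, err := ExchangeToken(srv.Client(), srv.URL, "authservice", "s3cret", "idp-access-token", "internal-api")
	if err != nil {
		panic(err)
	}
	fmt.Println(tok.AccessToken, tok.TokenType, tok.ExpiresIn)
}
```

The exchanged token is scoped to the requested audience, so a token obtained for one internal service cannot simply be replayed against another; the authorization server, not the client, decides which subject tokens and client credentials are acceptable.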
Detailed Changelog
- Bump Go to fix CVE-2025-22866 by @nacx in #272
- Bump to Go 1.24 by @nacx in #273
- Bump golang.org/x/net from 0.35.0 to 0.36.0 by @dependabot[bot] in #274
- Bump github.com/redis/go-redis/v9 from 9.7.0 to 9.7.3 by @dependabot[bot] in #275
- fix logr configuration by @nacx in #276
- chore: auto-generate configuration docs by @nacx in #277
- Do not log secret value in secret reconcile by @nacx in #278
- Bump Go to 1.24.2 to fix CVE-2025-22871 by @nacx in #279
- Bump golang.org/x/net from 0.36.0 to 0.38.0 by @dependabot[bot] in #280
- chore: upgrade to buf v2 and use native go tools by @nacx in #281
- Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 by @dependabot[bot] in #285
- Add ability to set cookie properties per OIDCConfig by @basvanbeek in #286
- CVE: bump golang to 1.24.4 to fix several CVEs by @nacx in #287
- Bump github.com/go-chi/chi/v5 from 5.2.1 to 5.2.2 by @dependabot[bot] in #288
- Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 by @dependabot[bot] in #290
- Bump golang.org/x/oauth2 from 0.26.0 to 0.27.0 by @dependabot[bot] in #291
- Implement OAuth2 Token Exchange to fetch tokens from internal authorization servers by @nacx in #292
- Generalize secret controller by @nacx in #293
- Fix CVE-2025-47907 by @nacx in #295
- Add support for POST client authentication method by @ilgatnau and @nacx in #296
- Add options to configure TLS and mTLS connections to Redis by @nacx in #294
- Unify file watching strategy in TLS config pool by @nacx in #297
New Contributors 🎉
- @basvanbeek made their first contribution in #286
- @ilgatnau made their first contribution in #296, adding support for using POST as a client auth method.
Full Changelog: v1.0.4...v1.1.0