github sebadob/rauthy v0.22.1

latest releases: v0.26.2, v0.26.1, v0.26.0...
7 months ago

Security

This version fixes a potential DoS in rustls which has been found yesterday.
f4d65a6

Features

Dedicated /forward_auth + Trusted Authn/Authz Headers

In addition to the /userinfo endpoint specified in the OIDC spec, Rauthy implements an additional endpoint
specifically for ForwardAuth situations. You can find it at /auth/v1/oidc/forward_auth and it can be configured
to append optional Trusted Header with User Information for downstream applications, that do not support OIDC
on their own.

The HeaderNames can be configured to match your environment.
Please keep in mind, that you should only use these, if you legacy application does not support OIDC natively,
because Auth Headers come with a lot of pitfalls, when your environment is not configured properly.

# You can enable authn/authz headers which would be added to the response
# of the `/auth/v1/forward_auth` endpoint. With  `AUTH_HEADERS_ENABLE=true`,
# the headers below will be added to authenticated requests. These could
# be used on legacy downstream applications, that don't support OIDC on
# their own.
# However, be careful when using this, since this kind of authn/authz has
# a lot of pitfalls out of the scope of Rauthy.
AUTH_HEADERS_ENABLE=true

# Configure the header names being used for the different values.
# You can change them to your needs, if you cannot easily change your
# downstream apps.
# default: x-forwarded-user
AUTH_HEADER_USER=x-forwarded-user
# default: x-forwarded-user-roles
AUTH_HEADER_ROLES=x-forwarded-user-roles
# default: x-forwarded-user-groups
AUTH_HEADER_GROUPS=x-forwarded-user-groups
# default: x-forwarded-user-email
AUTH_HEADER_EMAIL=x-forwarded-user-email
# default: x-forwarded-user-email-verified
AUTH_HEADER_EMAIL_VERIFIED=x-forwarded-user-email-verified
# default: x-forwarded-user-family-name
AUTH_HEADER_FAMILY_NAME=x-forwarded-user-family-name
# default: x-forwarded-user-given-name
AUTH_HEADER_GIVEN_NAME=x-forwarded-user-given-name
# default: x-forwarded-user-mfa
AUTH_HEADER_MFA=x-forwarded-user-mfa

7d5a44a

Bugfixes

  • allow CORS requests for the GET PoW and the user sign up endpoint's to make it possible to build a custom UI without
    having a server side. At the same time, the method for requesting a PoW has been changed from GET to POST.
    This change has been done because even though only in-memory, a request would create data in the backend, which should
    never be done by a GET.
    Technically, this is a breaking change, but since it has only been available from the Rauthy UI itself because of the
    CORS header setting, I decided to only bump the patch, not the minor version.
    e4d935f

Images

Postgres

ghcr.io/sebadob/rauthy:0.22.1

SQLite

ghcr.io/sebadob/rauthy:0.22.1-lite

Don't miss a new rauthy release

NewReleases is sending notifications on new releases.