Changes
Token Introspection
The introspection endpoint has been fixed regarding the request encoding mentioned in the bugfixes below.
Additionally, authorization has been added to this endpoint. It now requires the request to include an `AUTHORIZATION` header with either a valid `Bearer JwtToken` or `Basic ClientId:ClientSecret` to prevent token scanning.
The way of authorization on this endpoint is not really standardized, so you may run into issues with your client application. If so, you can disable the authentication on this endpoint with:

```
# Can be set to `true` to disable authorization on `/oidc/introspect`.
# This should usually never be done, but since the auth on that endpoint is not
# really standardized, you may run into issues with your client app. If so,
# please open an issue about it.
# default: false
DANGER_DISABLE_INTROSPECT_AUTH=true
```
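As an added example (not Rauthy's own code), a small Python sketch of both sides of this change: what a client now has to send to `/oidc/introspect` (a form-encoded body plus an `Authorization` header) and the shape of the header check that stops anonymous token scanning. The URL, client id and secret are placeholders; verifying a bearer JWT itself is left to the IdP's normal JWT validation and is not shown.

```python
# Constructed example, not Rauthy's code: client request to /oidc/introspect
# and the Authorization header check the endpoint performs before introspecting.
import base64
import hmac
from urllib.parse import urlencode
from urllib.request import Request

RAUTHY_URL = "https://rauthy.example.com"  # placeholder, constructed for this example


def basic_auth_header(client_id, client_secret):
    """Encode `Basic ClientId:ClientSecret` (base64 of "id:secret")."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def build_introspect_request(token, auth_header):
    """Prepare (without sending) the POST. The body is form data, not JSON."""
    return Request(
        f"{RAUTHY_URL}/oidc/introspect",
        data=urlencode({"token": token}).encode(),
        method="POST",
        headers={"Authorization": auth_header,
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_authorization(header):
    """Return ("bearer", jwt) or ("basic", client_id, secret). None means no usable
    credential, so the endpoint rejects the call instead of introspecting."""
    if not header or " " not in header:
        return None
    scheme, value = header.split(" ", 1)
    value = value.strip()
    if scheme == "Bearer" and value:
        return ("bearer", value)
    if scheme == "Basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode()
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            return None
        if ":" in decoded:
            return ("basic", *decoded.split(":", 1))
    return None


def basic_credentials_valid(header, known_clients):
    """Constant-time check of a Basic credential against known client secrets."""
    parsed = parse_authorization(header)
    if not parsed or parsed[0] != "basic":
        return False
    expected = known_clients.get(parsed[1])
    return expected is not None and hmac.compare_digest(expected, parsed[2])
```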
API Routes Normalization
In preparation for a clean v1.0.0, some older API routes have been fixed regarding their casing and naming.
The "current" or old routes and names will be available for exactly one release and will be phased out afterward
to have a smooth migration, just in case someone uses these renamed routes.
- `/oidc/tokenInfo` -> `/oidc/introspect`
- `/oidc/rotateJwk` -> `/oidc/rotate_jwk`
Since I don't like kebab-case, most API routes are written in snake_case, with 2 exceptions that follow RFC namings:

- `openid-configuration`
- `web-identity`

All the `*info` routes like `userinfo` or `sessioninfo` are deliberately not written in snake_case, just to match other IdPs and RFCs a bit more.

There is not a single camelCase route left in the API, to avoid confusion and issues in situations where you could, for instance, mistake an uppercase `I` for a lowercase `l`. The current camelCase endpoints only exist for a smoother migration and will be phased out with the next bigger release.
Config Read
The current behavior of reading in config variables was not working as intended. Rauthy reads the `rauthy.cfg` as a file first and the environment variables afterward. This makes it possible to configure it in any way you like and even mix and match.

However, the idea was that any existing variables in the environment should overwrite config variables and therefore have the higher priority. This was exactly the other way around up until v0.24.1 and has been fixed now.

How Rauthy now parses config variables correctly:

- read `rauthy.cfg`
- read env vars
- all existing env vars overwrite existing vars from `rauthy.cfg` and therefore have the higher priority
Bugfixes
- The token introspection endpoint was only accepting requests with JSON data, when it should have instead been accepting form data.
Images
- Postgres: `ghcr.io/sebadob/rauthy:0.25.0`
- SQLite: `ghcr.io/sebadob/rauthy:0.25.0-lite`