github tinyauthapp/tinyauth v5.1.0

5 hours ago

Tinyauth v5.1.0

Hey everyone, this is Tinyauth v5.1.0, and Tinyauth is now officially OpenID Connect™ Certified thanks to the amazing help of @Rycochet and @scottmckendry. Additionally, this release brings a lot of improvements in access controls (deny-by-default and Kubernetes yay!), LDAP and general UX improvements. It also addresses some important security vulnerabilities (1, 2, 3) that were responsibly disclosed by our amazing community. Have fun ;)

OpenID Certified

yep, we using that everywhere now

Note

Tinyauth has moved! All repositories now live under the new Tinyauth organization. Pull the new image from ghcr.io/tinyauthapp/tinyauth. The old image under my personal account will no longer be updated, so switch over when you can.

Note

The config file is now a stable feature. Please switch your configuration file flag to --configfile (or TINYAUTH_CONFIGFILE for environment variables).

Warning

This release contains security fixes. Please update as soon as possible.

Warning

Tinyauth v5.1.0 includes some hardening in the trusted proxies. In case you are using any of the IP ACLs, you may need to specify your proxy IP in TINYAUTH_AUTH_TRUSTEDPROXIES.

New Features

Authentication & Access Controls

  • Support for authentication through Tailscale
  • Deny-by-default access controls
  • Annotation-based access controls in Kubernetes @contre95
  • Global bypass by IP @scottmckendry
  • Provider-specific OAuth whitelists @puneetdixit200
  • OAuth whitelist file support @djedditt
  • Allow for NO_PROXY, HTTP_PROXY and HTTPS_PROXY for OAuth requests @florianilch

OpenID Connect

  • Expose all OpenID Connect claims through user attributes @scottmckendry
  • Run Tinyauth on a top-level domain to use it as a standalone OIDC provider @jacekkow
  • POST request support on the OIDC authorize endpoint
  • WebFinger support
  • Support for prompt parameter in OIDC
  • Support for max_age in OIDC

Database & Config

  • PostgreSQL as a database backend @scottmckendry
  • LDAP bind password file support @Rycochet
  • Config file loading is now stable, you will need to rename your CLI flag from --experimental.configfile to --configfile
  • Option to disable lockdown mode
  • Attempt to reconnect to LDAP server on start-up
  • Support for anonymous LDAP bind @nv6

Frontend

  • Merge language and theme selector in new quick actions menu

Improvements

  • Preserve login parameters throughout the frontend
  • Graceful shutdown on SIGTERM
  • Pass through the LDAP mail attribute instead of crafting one when it's available
  • Rework CLI commands for simpler and more intuitive output

Fixes

  • Fix open redirect vulnerability in the OpenID Connect server @Dredsen
  • Use the loaded public key in the OpenID Connect server when available @Dredsen
  • Fix lax trusted proxies configuration in IP ACLs
  • Remove lockdown mode and rework rate-limiting

Technical

  • Rework dependency injection with Dig
  • Rework the user context middleware
  • Rework frontend user/app context API paths (changes in /api/context/app and /api/context/user)
  • Switch package manager from Bun to PNPM
  • Update dependencies and translations

New Contributors

Full Changelog: v5.0.7...v5.1.0

Don't miss a new tinyauth release

NewReleases is sending notifications on new releases.