Tinyauth v5.1.0
Hey everyone, this is Tinyauth v5.1.0, and Tinyauth is now officially OpenID Connect™ Certified thanks to the amazing help of @Rycochet and @scottmckendry. Additionally, this release brings a lot of improvements in access controls (deny-by-default and Kubernetes yay!), LDAP and general UX improvements. It also addresses some important security vulnerabilities (1, 2, 3) that were responsibly disclosed by our amazing community. Have fun ;)
yep, we using that everywhere now
Note
Tinyauth has moved! All repositories now live under the new Tinyauth organization. Pull the new image from ghcr.io/tinyauthapp/tinyauth. The old image under my personal account will no longer be updated, so switch over when you can.
Note
The config file is now a stable feature. Please switch your configuration file flag to --configfile (or TINYAUTH_CONFIGFILE for environment variables).
Warning
This release contains security fixes. Please update as soon as possible.
Warning
Tinyauth v5.1.0 includes some hardening in the trusted proxies. In case you are using any of the IP ACLs, you may need to specify your proxy IP in TINYAUTH_AUTH_TRUSTEDPROXIES.
New Features
Authentication & Access Controls
- Support for authentication through Tailscale
- Deny-by-default access controls
- Annotation-based access controls in Kubernetes @contre95
- Global bypass by IP @scottmckendry
- Provider-specific OAuth whitelists @puneetdixit200
- OAuth whitelist file support @djedditt
- Allow for
NO_PROXY,HTTP_PROXYandHTTPS_PROXYfor OAuth requests @florianilch
OpenID Connect
- Expose all OpenID Connect claims through user attributes @scottmckendry
- Run Tinyauth on a top-level domain to use it as a standalone OIDC provider @jacekkow
POSTrequest support on the OIDC authorize endpoint- WebFinger support
- Support for
promptparameter in OIDC - Support for
max_agein OIDC
Database & Config
- PostgreSQL as a database backend @scottmckendry
- LDAP bind password file support @Rycochet
- Config file loading is now stable, you will need to rename your CLI flag from
--experimental.configfileto--configfile - Option to disable lockdown mode
- Attempt to reconnect to LDAP server on start-up
- Support for anonymous LDAP bind @nv6
Frontend
- Merge language and theme selector in new quick actions menu
Improvements
- Preserve login parameters throughout the frontend
- Graceful shutdown on
SIGTERM - Pass through the LDAP mail attribute instead of crafting one when it's available
- Rework CLI commands for simpler and more intuitive output
Fixes
- Fix open redirect vulnerability in the OpenID Connect server @Dredsen
- Use the loaded public key in the OpenID Connect server when available @Dredsen
- Fix lax trusted proxies configuration in IP ACLs
- Remove lockdown mode and rework rate-limiting
Technical
- Rework dependency injection with Dig
- Rework the user context middleware
- Rework frontend user/app context API paths (changes in
/api/context/appand/api/context/user) - Switch package manager from Bun to PNPM
- Update dependencies and translations
New Contributors
- @Rycochet made their first contribution in #793
- @contre95 made their first contribution in #627
- @djedditt made their first contribution in #826
- @itasli made their first contribution in #834
- @Dredsen made their first contribution in #854
- @puneetdixit200 made their first contribution in #882
- @nv6 made their first contribution in #979
- @florianilch made their first contribution in #999
Full Changelog: v5.0.7...v5.1.0