
Releases: istio-ecosystem/authservice

v1.0.3

10 Oct 15:17
adea4ec

Authservice 1.0.3 adds support for PKCE in the Authorization Code Grant Flow. Thanks @gdasson for your contribution! More details about PKCE can be found here:

https://oauth.net/2/pkce/
https://blog.postman.com/what-is-pkce/

It also comes with a change to not allow Client IDs to have the : character, as it breaks client authentication when calling the token endpoint. This is now properly validated and the configuration is rejected.
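Why a `:` in the Client ID breaks token-endpoint authentication, as an added example (not authservice's own code): it assumes the client authenticates with HTTP Basic (`client_secret_basic`), where the credentials travel as `id:secret` and the receiver splits at the first colon. The helper names, the constructed credentials and the `idp.example.test` URL are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// validateClientID is a hypothetical config-time check matching the rule in
// the release note: a client ID containing ':' is rejected.
func validateClientID(id string) error {
	if strings.Contains(id, ":") {
		return errors.New("client ID must not contain ':'")
	}
	return nil
}

// roundTripBasic builds the Authorization header a client would send to the
// token endpoint, then parses it back the way the receiving server does.
func roundTripBasic(clientID, secret string) (gotID, gotSecret string) {
	// Placeholder URL; the request is never sent.
	req, _ := http.NewRequest(http.MethodPost, "https://idp.example.test/token", nil)
	req.SetBasicAuth(clientID, secret) // base64("clientID:secret")
	gotID, gotSecret, _ = req.BasicAuth() // splits at the FIRST ':'
	return gotID, gotSecret
}

func main() {
	// Constructed sample credentials.
	for _, id := range []string{"my-app", "tenant:my-app"} {
		gotID, gotSecret := roundTripBasic(id, "s3cret")
		fmt.Printf("sent id=%q -> server sees id=%q secret=%q; config check: %v\n",
			id, gotID, gotSecret, validateClientID(id))
	}
}
```

With `tenant:my-app` the server sees a different client ID and a different secret than the ones configured, so authentication fails even though both values are correct; rejecting the configuration up front surfaces the problem before any login attempt.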

Detailed Changelog

  • Validate that clientId does not contain ':' by @nacx in #266
  • chore: use a better maintained and more flexible license checker tool by @nacx in #267
  • Add support for PKCE by @gdasson in #265

New Contributors

Full Changelog: v1.0.2...v1.0.3

v1.0.2

09 Sep 23:24
e99c3eb

This is a small bugfix release that includes fixes for several CVEs.

What's Changed

Full Changelog: v1.0.1...v1.0.2

v1.0.1

14 May 15:55
fd52e3c

This is a bugfix release that includes fixes for several CVEs as well as fixes for small regressions introduced in v1.0.0.

In addition to the bug fixes, it also comes with the following added features:

  • Reduces the number of requests to the OIDC well-known endpoint.
  • Added support for retrieving the end-session endpoint from the OIDC Discovery endpoint.
  • Enhanced Identity Provider logging. Starting with v1.0.1 you can enable the idp logger at debug level to show all the requests and responses exchanged with the Identity Provider in the authservice logs. Use with caution and only for debugging purposes, as these logs may contain sensitive information.
  • Added examples to help you get started with authservice and Istio.
  • Configured a nightly vulnerability scan job to report new vulnerabilities to the GitHub Code Scanning page.

Detailed changelog

  • Allow customizing the Istio version to use in the e2e tests by @nacx in #243
  • Upgrade Go to 1.22.2 to get rid of CVE-2023-45288 by @nacx in #244
  • Configure nightly vulnerability scans and report upload by @nacx in #245
  • Infer the JWS signing algorithm name by looking at the provided key by @erik-h in #247
  • Use the OIDC Discovery end session endpoint if present by @nacx in #249
  • Add a logger to log the calls to the Identity Provider by @nacx in #250
  • Cache well-known responses to avoid making too much calls to the IdP by @nacx in #251
  • Add minimal examples to make it easier to get started by @nacx in #252
  • Bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #253
  • Fix scan job configuration by @nacx in #254
  • Update code owners by @nacx in #248
  • Update protoc-gen-go comment to fix make check by @sergicastro in #257
  • Validate token_type case-insensitively by @jojonium in #256
  • Fix flaky file watcher test by @sergicastro in #258

New Contributors

We want to thank our new contributors for taking the time to report issues, implement, and contribute the fixes. Thank you! 🙇‍♂️

Full Changelog: v1.0.0...v1.0.1

v1.0.0

26 Mar 22:45
c1c9567

authservice 1.0.0

This is the first release of the Go rewrite of the authservice! 🚀

This is a full rewrite of the project in pure Go, to improve code readability, testability, quality, and the overall maintainability of the project. It provides feature parity with the original project, and the Docker images that are published on the project's GitHub Docker registry can be used as a drop-in replacement for the old authservice ones.

This project adds extensive code coverage, several end-to-end test suites that verify the correct behavior of the supported OIDC flows, as well as a compatibility suite that runs with both images, the Go-based authservice and the old C++ authservice to make sure backward-compatibility is not broken.

In addition to the extensive tests and feature parity, this first release of the Go authservice fixes the following issues:

Check it out!

Initial contributors

The first release of the Go rewrite of the authservice has been crafted with a lot of dedication and work from @zhaohuabing, @sergicastro, and @nacx, and thoroughly tested by @sbko. Thank you all for your contributions!

Full release changelog: https://github.com/istio-ecosystem/authservice/commits/v1.0.0

0.5.3-rc1

14 Nov 13:38
@dio
e36b900

What's Changed

  • Move the VERSION env to GITHUB_ENV. by @incfly in #221
  • Fix the unmatched request handling by set the grpc status in payload. by @incfly in #223
  • clean the commented out code. by @incfly in #224
  • Use @envoy//bazel:boringssl by @dio in #228
  • http: Ignore X509_R_CERT_ALREADY_IN_HASH_TABLE by @dio in #230 #220
  • Enable FIPS for Linux only by @dio in #231

Full Changelog: 0.5.1...0.5.3-rc1

0.5.3

16 Nov 15:14
@dio
e36b900

What's Changed

  • Move the VERSION env to GITHUB_ENV. by @incfly in #221
  • Fix the unmatched request handling by set the grpc status in payload. by @incfly in #223
  • clean the commented out code. by @incfly in #224
  • Use @envoy//bazel:boringssl by @dio in #228
  • http: Ignore X509_R_CERT_ALREADY_IN_HASH_TABLE by @dio in #230 #220
  • Enable FIPS for Linux only by @dio in #231

Full Changelog: 0.5.1...0.5.3

0.5.2

04 Aug 21:38
Merge github.com:istio-ecosystem/authservice into release-0.5

0.5.2-rc1

28 Jul 22:34
Fix the unmatched request handling by set the grpc status in payload.…

0.5.1

08 Apr 17:53

Compared with 0.5.0, this release:

  • Fixes the timeout issue seen when integrating with ADFS (#211) by closing the connection explicitly.
  • Ensures libc++ is used for the Bazel build in the final release image; libc++, libgcc and libstdc++, if used, are all statically linked. #215
  • Uses Ubuntu 18.04 (previously 20.04) as the build environment. #219
  • Adds a standalone binary to the release artifacts.

v0.5.0

02 Dec 06:51
60dadd6

New Features

  • JWKs fetcher for token validation.
  • healthcheck endpoint for active JWKs existence.
  • BoringSSL-FIPS build.

Bugs Fixed

  • #167 Fix out of memory problem during service running.
  • Reject requests by default if they do not match any filter chain.
  • Remove the authentication based on "Authorization: ".

Docker containers