v0.13.0

New features and Enhancements

• Activated server reflection in the gRPC authorization interface (#388)
  • Makes it easy to send authorization requests to Authorino via gRPC without having to supply the proto files - e.g.

    grpcurl -plaintext -d @ authorino:50051 envoy.service.auth.v3.Authorization.Check {...}
    

• Tracing enhancements
  • Replaces Jaeger Thrift integration with OpenTelemetry OTLP (#390)
    • [Breaking change!] Server command-line --tracing-service-endpoint now requires 'rpc' or 'http'
    • New server command-line option: --tracing-service-insecure=bool - disable TLS for the tracing service connection (default: false)
  • Propagate W3C Trace Context in the requests to external services such as when fetching metadata, verifying OAuth2 opaque tokens, and pulling OPA policies from registry (#386 by @Rohith-Raju)
  • Ensure the request ID is always present in the traces and logs by retrieving from context or generating random one when not available (#389)

Full Changelog: v0.12.0...v0.13.0

v0.12.0

New features and Enhancements

• New Auth Pipeline phase: callbacks (#368, #371)
  • Allows to send configurable HTTP requests to external services at the end of Auth Pipeline
  • Same API as the HTTP GET/GET-by-POST metadata method
  • when conditions and access to the Authorization JSON just like any other evaluator
• Built-in integration with Authzed SpiceDB (#375)
  • Configurable check permission requests sent by Authorino to an external SpiceDB instance via GRPC (authorization phase)
  • Demo available in this YouTube video: https://youtu.be/lL9YsdDaRXk
• New JSON path @strip string modifier for easy removing of non printable characters (#374 by @OperationalDev, #377)
• Support for multi-element JSON responses from external sources of metadata (#376)
• Support for OAuth2 client credentials for fetching metadata and callbacks (#379, #381)
• Tracing (#380 by @Rohith-Raju, #384)
  • Authorino now emits traces to an external OpenTelemetry tracing service
  • Support for W3C Trace Context format and user-defined baggage traces

Dependencies and Tooling

• golang.org/x/net bumped from 0.6.0 to 0.7.0 (#382)

Documentation

• Fixed typo in TokenRequest API link (#383 by @bartoszmajsak)
• Fix broken link and examples in the Edge Authentication guide (#387 by @averevki)

Minor fixes and enhancements

• [ci] Fixed unit benchmarks (#370)
• Fixed spacing in comments (#378)

Special thanks to our new contributors 🎉

• @OperationalDev made their first contribution in #374
• @bartoszmajsak made their first contribution in #383
• @Rohith-Raju made their first contribution in #380
• @averevki made their first contribution in #387

Full Changelog: v0.11.0...v0.12.0

v0.11.0

New features and Enhancements

• Health check/readiness probe endpoints (#365)
  • Allows to check for the aggregated status of handled AuthConfigs at /readyz/authconfigs
• Command-line interface (CLI) (#366)
  • Configuration options, including for the authorization server, now passed as command-line arguments
  • [Deprecation warning] Deprecation of the old environment variables to configure Authorino
  • Version of the Authorino binary can now be verified with the authorino version command

Bug fixes

• Safe concurrent access to the Auth Pipeline maps (#358)

Documentation

• Observability (health/readiness probe endpoints) and new CLI (#367)
  • Observability section refactored to include in one user guide: metrics, readiness, logging and tracing
  • Fixed all references to deprecated environment variables, to favor their corresponding command-line flag substitutes

Dependencies and Tooling

• OPA module upgraded to v0.43.1 (#352)
  • General improvements in OPA
  • Security patches: CVE-2022-36085, CVE-2022-27664 and CVE-2022-32190
• Golang upgraded to v1.18 (#354, #362)

v0.10.0

New features and Enhancements

• All valid hosts added to cache (#324)
  • Instead of aborting at the first host in the list of hosts in an AuthConfig (spec.hosts) that cannot be added to the index of AuthConfigs due to being already taken, Authorino now ensures all valid hosts in the list are added, despite presence of invalid (taken) ones among them. Only the invalid ones will be rejected.
• Improved AuthConfig status – This is a big one!
  • Now the AuthConfig Status sub-resource is divided in summary and conditions (#318). The former summarizes info about the status of the resource, including readiness state, hosts accepted, evaluator counters, etc. The latter provides fine-grained info in the form of "conditions", to infer availability and full-readiness of the resource, described in the table below:

    Type	Status	Reason	Message	Meaning
    Available	True	HostsLinked	N/A	At least one host from spec.hosts was linked to the AuthConfig in the index. Requests sent to the linked host can be expected to be protected by this AuthConfig. User can check status.summary.hostsReady for the list of host names that did succeed being linked to the AuthConfig in the index.
    Available	False	HostsNotLinked	No hosts linked to the resource.	No host from spec.hosts was linked to the AuthConfig in the index. No request will cause this AuthConfig to be evaluated by Authorino. Only possible status for Ready is False in this case.
    Ready	True	Reconciled	N/A	The AuthConfig is indexed for all host names listed in spec.hosts.
    Ready	False	HostsNotLinked	One or more hosts not linked to the resource	Failed to index the AuthConfig for one or more host names in spec.hosts. User should check status.summary.hostsReady for the list of host names that did succeed being linked to the AuthConfig in the index; occasionally none.

  • Reconciliation errors and proper reason to failing reconciling an AuthConfig reflected in the status. The table below summarizes all the reasons for an AuthConfig to be cnsidered "ready" or "not ready".

    Reason	Description	Ready?
    Reconciling	Transient state between reconciliation started and finished (due to success or terminal failure)	N
    Invalid	Invalid resource. AuthConfig cannot be added to cache for any of the hosts listed. Message will reflect the exact error (e.g. broken ref).	N
    HostsNotLinked	One or more hosts not linked to the resource	N
    CachingError	Failed to add the AuthConfig to the index	N
    Reconciled	Resource reconciled	Y
    Unknown	Should never happen 🙂	N

• Support for host names with wildcards (#312) - Another big one!
  • Now you can use wildcards in the host names you add to spec.hosts. E.g. *.pets.com, which matches authorization requests for dogs.pets.com, cats.pets.com and even snakes.pets.com (if you are that kind of person).
  • More specific host names take precedence. E.g. when evaluating for a request that is sent for dogs.pets.com, an AuthConfig A that links dogs.pets.com will be favored before an AuthConfig B that links the more generic host with wildcard *.pets.com; in case of an authorization request sent for cats.pets.com, Authorino would fall back to AuthConfig B (wildcard).
  • You can have as many levels as you want between more specific to more generic host names with wildcards. E.g. api.pets.com → *.pets.com → *.com → *.
  • Important! Keep in mind that due to the mechanism that prevents inattentive/malicious users from fully (or now also partially) taking control over someone else's auth scheme, by applying another AuthConfig that links identical (or now also more specific) host names previously accepted for another resource, and where both AuthConfigs are in the scope of the same Authorino instance, the support for host names with wildcards redefines the concept of host collision, from a relation of equality (host1 == host2) to a relation of sets and subsets (host1 ⊆ host2). This imposes a constraint regarding the order that legit AuthConfigs have to be applied to the cluster – always starting with the ones for more specific host names first, to the more generic ones (with wildcards) second.
• Prevention of host name collisions in all cases (#343)
  • Authorino now rejects linking AuthConfigs to hosts already taken regardless of namespace. This is a policy we used to enforce in the past only across different namespaces (with Authorino deployed in cluster-wide reconciliation mode only). It is now enforced in all cases, including with Authorino in namespaced mode, for AuthConfigs in the same Kubernetes namespace. This implies that users who get hosts in their AuthConfigs rejected to be linked will have to coordinate who actually owns the auth scheme for that host and, if necessary, remove it from an AuthConfig where the host was previously taken and/or reapplying the sequence of AuthConfigs in an acceptable order.
• [Breaking change] Kube notation for API key and MTLS Secret label selectors (#341, #344)
  • Authorino now complies with the new Kubernetes syntax to express the label selectors used for API key and MTLS Kubernetes secrets scoped with an AuthConfig. The API changed as follows:
    
    Before:

    spec:
      identity:
      - name: friends
        apiKey:
          labelSelectors:
            group: friends

    Now:

    spec:
      identity:
      - name: friends
        apiKey:
          selector:
            matchLabels:
              group: friends

  • Apart from making the AuthConfig more seamless to use by users familiar with this API of Kubernetes, we all also get as bonus support for label expressions. E.g.:

    spec:
      identity:
      - name: friends
        apiKey:
          selector:
            matchExpressions:
              key: group
              operator: NotIn
              values:
              - enemies

• Improvements to the raw HTTP external authorization interface
  • Protection against large body content (#313)
    • Set to a maximum of 8192 (8KB) by default
    • Returns an HTTP status 413 Request Entity Too Large when exceeded
    • Can be configured by setting the MAX_REQUEST_BYTES environment variable in the Authorino pod - support by the Operator via spec.maxHttpRequestBodySize field of the Authorino CR
  • Improvements in the log messages (debug level) (#325)
• Authorino version info embedded into the binary (#345)
  • You no longer need to trust only on the tag of the container image to check the exact version of the Authorino binary you are running. You can now find it right in the very second message in the logs:

    {"level":"info","ts":1634674939.7563884,"logger":"authorino","msg":"setting instance base logger","min level":"debug","mode":"production"}
    {"level":"info","ts":1634674939.7567484,"logger":"authorino","msg":"booting up authorino","version":"v0.10.0"}
    

• Red Hat Universal Base Image (UBI) 8 (#332)
  • Container images are now based on Red Hat Universal Base Image (UBI) 8 instead of Google's distroless images. This enables better security scans and support on community images released in the upstream.

Bug fixes

• No more phantom host associations (#327)
  • Oops. This is awkward. We discovered that host names removed from an AuthConfig were refusing to leave the index. It looks like they loved Authorino so much that they wanted to continue to be linked to the AuthConfig that once brought them to the party. But not anymore! Now we ensure deleted hosts vanish from the index for good.
  • This didn't affect the deletion of AuthConfigs as a whole, but only when editing existing ones. Either way, it's now fixed.
• Respect the creation order of the resources when bootstrapping the index of AuthConfigs (#330, #338, #349)
  • When a new Authorino pod started, it bootstraped the index of AuthConfigs by reconciling again all pre-existing resources marked as available in whatever order the reconciliation events were picked by the runtime controller. Since the ordering of the events cannot be guaranteed, this behavior led to a probabilistic situation of error where multiple pods (multiple generations of a pod) could exist with different states between them regarding which AuthConfigs and corresponding hosts were accepted in the index. This is now fixed and Authorino will always respect the order of the resources based on creationTimestamp whenever bootstrapping the index for the first time. This should be enough to prevent inconsistent states, ensuring the same sequence of decisions of the past.
  • While bootstrapping the index for the first time, AuthConfigs in the process of being reconciled might momentarily return a 503 Busy status code when requested, until they are fully operable. We put our best efforts to make this step as efficient and quick as possible, so it's almost never perceived by the user.
• Avoid panicking when external OPA response misses the Content-Type header (#347)
• Use RWMutex for all the cases where multiple concurrent reads and writes are expected (status updater, API key and MTLS loading and access) (#348)

Dependencies and Tooling

• A couple of improvements to the Developer's Makefile
  • Check if GNU sed is insta...

v0.9.1

Security

• Security patch for CVE-2022-28946 - Denial of Service (DoS) vulnerability found in OPA v0.37.2 (#311)
  • Bumps github.com/open-policy-agent/opa to v0.41.0 (latest)
  • Bumps github.com/go-redis/redis/v8 to v8.11.5 (latest)
  • Bumps sigs.k8s.io/controller-tools/cmd/controller-gen to v0.9.0 (latest)

v0.9.0

New features and Enhancements

• New Raw HTTP external authorization interface (#273, #286, #309)
  • Additional interface for raw HTTP authorization requests, suitable use cases such as:
    • using Authorino as Kubernetes ValidatingWebhook service (example)
    • integration with other HTTP proxies and API gateways
    • integration with old versions of Envoy incompatible with the latest version of gRPC external authorization protocol (Authorino is based on v3.19.1 of Envoy external authorization API)
  • Added option to disable any of the listeners (gRPC auth server, raw HTTP auth server, and OIDC Festival Wristband HTTP server), by setting the corresponding port number to "0" or any value that fails to cast to an integer number
  • New TIMEOUT env var to allow controlling the maximum duration of external authorization requests (both gRPC and raw HTTP interfaces) before context is cancelled by the service. Integrations via proxy which prefer to control the timeout at client-side (i.e. by the proxy) can disable the internal service timeout by leaving TIMEOUT=0 (default).
• Mutual Transport Layer Security (mTLS) authentication method (#305, #307)
  • Adds support for client TLS certificate validation at application layer in Authorino
  • Works for peer certificated supplied by Envoy in the payload and with the new raw HTTP authorization interface
• Plain identity method (#276)
• Adds a new identity mode called 'plain' that allows identity objects to be injected in the payload to Authorino and then fetched from the Authorization JSON without implicit verification.
  • Make the user experience more seamless when combining ext-authz with identity verification done beforehand by other means (e.g. using Envoy built-in authentication filters)
• Default to Anonymous access when no identity configs are stated in an AuthConfig (#275)
• New field 'body' to HTTP GET/GET-by-POST metadata (#293)
  • Adds a new field spec.metadata.body as an alternative to spec.metadata.bodyParameters
  • Allows to generate raw HTTP bodies with proper content encoding of dynamic JSON objects containing multiple levels
• Reconciliation of individual API key secrets within an AuthConfig (#297)
  • Avoids reconciling the entire AuthConfig when a new API Key secret is reconciled
  • Improves performance
• Make TLSv1.2 minimum version required to all interfaces (#267)
• Replace any usage of MD5 algorithm for SHA-256 instead → helps make Authorino FIPS compliant (#270)
• Cleanup unnecessary RBAC definitions (#272)

Dependencies and Tooling

• Made possible to deploy (dev tools) to a namespace that already exists in the cluster (#287)
• New make help target added, together with other enhancements for devs (#289, #294, #295)
  • New make targets ‘uninstall-operator', ‘mockgen’, 'keycloak' and 'dex'
  • Old make target renamed: 'manager' -> 'build' and 'example-apps' -> 'user-apps'
  • Added go-get-tool function to install controller-gen, kustomize, kind and setup-envtest under in $PROJECT_DIR/bin
  • kustomize bumped to v4.5.5
  • Reference to setup-envtest binary fixed
• Multi-Platform auto builds → amd64 and arm64 built and pushed automatically to quay.io/kuadrant/authorino, which now supersedes the old image repo quay.io/3scale/authorino (#277, #278, #279, #280, #281, #283)
• Enhancements regarding image tagging for builds triggered manually (#282)

Documentation

• Several enhancements and minor fixes to the docs (#262, #263, #308)
• User guide: Using Authorino as ValidatingWebhook service (#288)
• Developer’s guide updated (#296)
• Now using Kubernetes namespace default for the main workload in most examples and tutorials (#292)
• More information about runtime evaluator caching added to the Feature description page (#300)

Testing

• Avoids using static IP addresses in the tests → prevents false-positives on static code analysis pointing to vulnerabilities such as CVE-2006-5901 and CVE-2005-3725 (#261)
• Removed a few unfinished broken API tests (#274)
• Lots of improvements to end-to-end tests (#284, #299, #302, #303, #304)
  • Fail fast when missing required commands
  • Verbose option
  • Create the TokenRequest with kubectl create --raw
  • Test OIDC Festival Wristband well-known endpoints
  • Test case: revoke API key
  • Remove no longer needed kubectl proxy command
  • New timeout added to avoid getting stuck indefinitely when condition do not match (default: 10 minutes, can be changed by supplying TIMEOUT=x)
• New automated smoke tests → e2e tests run on public community images published to quay.io/kuadrant/authorino (#238, #285)

v0.8.0

New features and Enhancements

• Anonymous access (#218, #219)
  • Identity verification phase can now be skipped by enabling anonymous access to services and APIs protected with Authorino
• Fuzzy OPA (#216)
  • It is now possible to read values from any Rego rule in the evaluated Rego document of an OPA policy and reuse those values in other evaluators and phases of the Auth Pipeline
  • Enable the additional rules by setting spec.authorization.opa.allValues: true in the AuthConfig
  • [Breaking change] The resolved object returned by the OPA authorization evaluators is no longer a simple boolean value, but now an actual object { "allow": boolean, ...other rules }
• Auto-refresh of Rego policies pulled from external registry (#231)
  • Set authconfigs.spec.authorization.opa.externalRegistry.ttl (in seconds) to enable auto-refresh of authorization policies pulled from external registries
• In-memory caching of objects returned by any evaluator of an AuthConfig (#239, #247)
  • Available for any evaluator really, but especially useful for:
    • Caching of metadata fetched from external sources
    • Caching of previously introspected OAuth2 opaque tokens
    • Caching of complex Rego policies (e.g. involving sending requests to external services)
  • The cache key can be defined as dynamic values resolved from the Authorization JSON (e.g. using the request path, user ID, etc)
  • The TTL of each evaluator cache can be set individually for each configuration (default to 60 seconds)
  • The size of each cache table can be limited by configuration at the level of the Authorino instance (FIFO eviction policy will apply)
• Support for 'host' lookup key passed as context extension (#229)
  • So you can leverage more of Envoy external authorization protocol to enable use cases such as
    • Path-based AuthConfig lookup: multiple APIs behind the same base domain and routed by the path prefix, for different AuthConfigs
    • Wildcard subdomain AuthConfig lookup: single API serving for wildcard subdomains and enforcing always a same AuthConfig
• Possibility to set dynamic response messages on denied requests (#241, #246) and new option to customize the body of the HTTP response as well (#248, #251, #255)
• AuthConfig status update after caching (#235)
  • The status of the AuthConfig CRs now waits until the config is fully updated in the cache to be marked as 'Ready'
  • This prevents AuthConfigs that are not ready to receive traffic (e.g. due to still fetching JWKs and Rego policies from external sources) to misleadingly be marked as 'Ready' before time
• [Breaking change] Filter API keys by namespace (#214)
  • Now by default Authorino will only watch for API key Kubernete Secrets in the same namespace of the AuthConfig
  • Scope can be changed back to cluster-wide by setting spec.identity.apiKey.allNamespaces: true
• Observability metrics for the gRPC (ext-authz) and HTTP (wristband) servers (#225)
  • You can read about Authorino's new Prometheus exported metrics at https://github.com/Kuadrant/authorino/blob/main/docs/user-guides/metrics.md
• Some lomg needed code reorganization and enhancements
  • /pkg reorganization - Bye, bye github.com/kuadrant/authorino/pkg/common! Welcome new better defined packages! (#226)
  • New API type StaticOrDynamicValue defined for improved reusability (#240)
  • go.mod bumped to v1.17 (#258)

Dependencies and Tooling

• Upgrade built-in OPA module to v0.37.2 (#215, #223)
• [GHA] End-to-end tests (#236, #252, #237, #253, #254, #256)
  • Workflow can be triggered manually for any branch
  • Testing virtually every feature in an AuthConfig
• Bump tidwall/gjson to v1.14.0 (#259)
  • Fix a few vulnerabilities – security report available here
  • Faster – benchmarks available here
  • New built-in modifiers (@keys, @values, @tostr, @fromstr, @group)
• Replace dgrijalva/jwt-go (no longer maintained) with golang-jwt/jwt (#260)

Bug fixes

• Envoy Dynamic Metadata generation no longer breaks when using static values for the injected properties (#233)
• Escaping characters used in string templates will now be skipped instead of added to the output resolved string (#250)

Documentation

• Enhancements to the project summary (#224)
• Small fixes in the user guides and examples (#228, #234, #244)
• New User guide: Authorization with Keycloak Authorization Services (#230)

v0.7.0

New features and Enhancements

• Conditions (#206)
  • Introduces when conditions field to the AuthConfig API, allowing to skip any evaluator of the config based on context (patterns fetched from the Authorization JSON)
  • Introduces patterns field to the AuthConfig API, to store reusable JSON patterns composed of selector, operator and value – names patterns can be referred in when conditions and rules of the JSON pattern-matching authorization feature
  • Removed JSON pattern-matching and Kubernetes SubjectAccessReview exclusive conditions option - now superseded by the new when conditions field

Dependencies and Tooling

• Fixed bug in the make target option to deploy IdP Keycloak and/or Dex (#207)

Bug fixes

• K8s authn does in namespaced deployment mode (#127)

Documentation

• New User guide: OpenID Connect (OIDC) and Role-Based Access Control (RBAC) with Authorino and Keycloak (#209)
• Fixes a few typos and better (animated) diagram of the Auth Pipeline (#210)
• Improved user guide for Kubernetes Authentication (TokenReview) and Kubernetes Authorization (SubjectAccessReview) - simpler to understand and more straightforward into the features that the focus of this user guide (#213)

v0.6.0

New features and Enhancements

• Label selectors for the AuthConfig (#179)
  • It is now possible to configure an instance of Authorino to watch only a subset of the AuthConfigs in the watching space (Kubernetes namespace or Kubernetes cluster)
  • The new selector is configurable for an instance of Authorino via AUTH_CONFIG_LABEL_SELECTOR environment variable (spec.authConfigLabelSelectors field of the Authorino CR)
  • For consistency, the environment variable to configure label selector for API key secrets to be watched by the Auhtorino instance was also renamed to SECRET_LABEL_SELECTOR (spec.secretLabelSelectors field of the Authorino CR)
  • Label selectors for both AuthConfigs and API key Secrets are now fully compatible with Kubernetes label selector syntax, accepting values such as:

    authorino.kuadrant.io/managed-by=authorino
    authorino.kuadrant.io/managed-by=authorino,other-label=other-value
    authorino.kuadrant.io/managed-by in (authorino,kuadrant)
    authorino.kuadrant.io/managed-by!=authorino-v0.4
    !disabled
    

  • [Breaking change] The semantics of label selectors for API key secrets also changed together with the new syntax, now working as one would expect from any Kubernetes label selector, effectively causing:
    i. AuthConfigs no longer required to declare all labels of the API key secrets it accepts to authenticate for the protected hosts;
    ii. API key secrets can be labeled in sets and subsets in the AuthConfigs
• Custom headers option for HTTP external metadata requests (#186)
  • The AuthConfig API was extended with an option spec.metadata.http.headers to customize the headers of the HTTP request to external sources of metadata (Generic HTTP external metadata feature). Values can be static values or dynamically fetched from the Authorization JSON.
• Priorities for the evaluator configs (#188)
  • The AuthConfig API was extended with an option priority that can be defined in any evaluator of all phases.
  • Evaluators of same priority execute concurrently to each other "in a block”; after syncing that block (i.e. after all evaluators of the block have returned), the next block of evaluator configs of consecutive priority (immediately higher numbered) is triggered.
  • The default priority of an evaluator, when omitted is 0, meaning the highest priority block, i.e. the one the evaluates first.
  • Typical use cases for for priorities are:
    i. Saving expensive tasks to be triggered when there's a high chance of returning immediately after finishing executing a less expensive one – e.g.
    - an identity config that calls an external IdP to verify a token that is rarely used, compared to verifying JWTs preferred by most users of the service;
    - an authorization policy that performs some quick checks first, such as verifying allowed paths, and only if it passes, moves to the evaluation of a more expensive policy.
    ii. Establishing dependencies between evaluators - e.g.
    - an external metadata request that needs to wait until a previous metadata responds first (in order to use data from the response)
• [Breaking change] OAuth2 token introspection authentication method now rejects access tokens that are inactive right in the identity verification phase (#194)
  • Before, inactive tokens had to be rejected via authorization policy added to the AuthConfig.
  • With the change, OAuth2 token introspection in Authorino is now fully compliant with RFC 7662.
• OpenID Connect discovery auto-refresh (#197)
  • The AuthConfig API was extended with a new option spec.identity.oidc.ttl: <time to refresh in seconds> the sets the frequency for OpenID Connect configurations to be auto-refreshed from the OIDC provider.
  • Default value of the property is 0, meaning the auto refreshed of the OIDC config is disable
• [Breaking change] The API group of the AuthConfigs is now authorino.kuadrant.io (replacing the old authorino.3scale.net) (#203)
  • This can cause existing AuthConfigs to stop being reconciled by Authorino instances until the apiVersion field of the resource is updated to authorino.kuadrant.io
  • All RBAC roles associated with the Authorino service will also be redefined in the cluster, possibly causing previous bindings to have to be recreated

Dependencies and Tooling

• Local setup now relies on the Authorino Operator to deploy (#180)
  • With the release of the Authorino Operator, this is now the default way to install and deploy Authorino, including for the devs workflow when trying a local branch of Authorino
• Manifest bundles
  • Authorino can now be installed from one single manifest file (#191, #193) – used by the Authorino Operator
  • Install Authorino Operator and cert-manager from manifests (#201) – devs workflow

Bug fixes

• Removed required labels from existing API key secrets now properly trigger the reconciliation of the resource and related AuthConfig (#179)
• Fix Kubernetes auth permissions for the manager-role (#187)
• Rename authorino-(editor|viewer)-role => authorino-authconfig-(editor|viewer)-role, so they won't collide with operator's homonimous roles associated to the Authorino crd (#192)
• Fix DNS names of the cert-manager certificates (#198)
• Auth credentials passed in cookies can now contain the equal sign ('=') in the value (#196)
• Avoid OIDC verify token to crash when missing the provider config (#199)

Documentation

Authorino documentation was completely restructured (#180, #200, #202), with

• Better and more straightforward README file, including all you expect to know about Authorino in one short page (first steps, how it works, FAQs, list of features, etc).
• A new Getting started page, with requirements, installation instructions and first steps.
• 21 new User guides, from a Hello World to implementing Edge Authentication Architecture (EAA) using Authorino.
• The Architecture page now includes better diagrams and descriptions that will help you understand how Authorino works under the hood and to better leverage it for your specific needs, including details about possible topologies, deployment modes, RBAC, caching options for sharding and gains of performance, etc.
• A new Features page completely extracted from the description of the architecture and now including more details and links to corresponding API types.

v0.5.0

New features and Enhancements

• External URL for the OPA authorization policy (#144)
  • Extends the AuthConfig API with spec.authorization.opa.externalRegistry to fetch an OPA Rego policy from an external source (reconciliation-time), alternatively to using inlineRego
  • Apart from the endpoint of the external policy, it allows to set a sharedSecretRef and credentials (where in the request) for authentication between Authorino and the policy registry
• Kubernetes authorization based on SubjectAccessReview (#154, #160)
  • Support for SubjectAccessReview queries for resource and non-resource attributes
  • Allows to set spec.authorization.kubernetes.conditions to enforce or skip the policy (similarly to how those work for the JSON pattern-matching authorization policies)
• Custom parameters in the body of HTTP external metadata POST requests (#156)
  • Extends the AuthConfig API with spec.metadata.http.bodyParameters, an array of properties to be added as parameters of the HTTP POST request to the external service
  • Extends the AuthConfig API with spec.metadata.http.contentType, the content-type of the HTTP POST request – application/x-www-form-urlencoded and application/json supported
• Support for string interpolation in the values of valueFrom.authJSON fields (#165, #168 )
  • Possibility to set template-like values with variable placeholders that resolve to gjson patterns (e.g. "Hello, {auth.identity.name}!")
  • Simple JSON patterns such as context.request.http.host continue to be supported as before
• Introduction of new string modifiers to gjson patterns on values fetched from the Authorization JSON (#154, #167)
  • @extract:{sep:string, pos:int} → splits a string value at occurrences of a separator (default: " ") and selects the substring at the pos-th position (default: 0)
  • @replace:{old:string, new:string} → replaces a substring within a string value
  • @case:upper|lower → changes the case of a string value
  • @base64:encode|decode → base64-encodes or decodes a string value; in combination with @extract allows to extract the username of an HTTP Basic Authentication request
• Support for custom denial status code/messages (#159)
  • AuthConfig API extended with options spec.denyWith.unauthenticated and spec.denyWith.unauthorized that allow to set custom code, message and headers to replace the default response attributes returned when 401 Unauthorized and 403 Forbidden
  • Allows to set a redirect 302 status code and Location response header, e.g.
  • Custom response headers defined as JSON properties with static (value) or dynamically fetched (valueFrom.authJSON) values
• Enhanced JSON structured logging (#172)
  • Support for log levels (debug → info → error), set via LOG_LEVEL env var (default: info)
  • Configurable log output modes: production (fully JSON structured) and development (human-readable outputs, extra stack traces and logging info, plus extra values output as JSON), set via LOG_MODE env var (default: production)
  • No sensitive data output to info log messages (closes #161)
  • Log tracing ID: request id propagated across all log entries associated with an external authorization request

Bug fixes

• Fix serialization of JSON strings returned in dynamic response HTTP headers (#157)

Dependencies and Tooling

• Better logging for the Talker API example app (#158)
  • Includes support for LOG_LEVEL=debug environment variable
  • Response message with HTTP header names echoed back in their original form (e.g. X-Ext-Auth-Wristband instead of HTTP_X_EXT_AUTH_WRISTBAND)
• Versions of controller-gen and kustomize pinned to the project path (#150)

Documentation

• Descriptions of log messages, log metadata ("extra values") and log samples added to the docs (#172 )