
Releases: Kuadrant/authorino

v0.4.0 (Pre-release)

31 Aug 11:55
ab99d75

New features and Enhancements

  • Auth Pipeline Phase 4: Dynamic responses (#141)

    • Adds spec.response: [{ name: string, wrapper: httpHeader | envoyDynamicMetadata, wrapperKey: string, wristband: object | json: object }] to the API, an array of dynamic response configs (custom JSON objects or wristband tokens), triggered by Authorino after a successful "Phase 3: Authorization"
    • Introduces the new type Dynamic JSON response: spec.response[].json: { properties: [{ name: string, value: string | valueFrom: { authJSON: string } }] }, to build custom JSON objects that will be returned to the client after a successful auth pipeline. This is an alternative to the Festival Wristband if all you want is to return data of the authorization process to the client instead of a signed JWT.
    • Festival Wristband configs are now defined as a type of dynamic response, in the response array
    • Multiple wristband tokens can now be issued per authorized request
    • Wristband issuer endpoints now include the name of the config in the path – the new format is http(s)://<oidc-service>:8083/<namespace>/<resource-name>/<response-config-name>
    • The name of the wristband-related HTTP response header Ext-Auth-Wristband is now configurable by the user, through the response[].wrapperKey option – defaults to the name of the config
    • Dynamic responses (wristband tokens or dynamic JSON objects) can be passed along wrapped as added HTTP headers (default) or as Envoy External Authorization Dynamic Metadata
    • The authorization JSON is now extended with the objects resolved in the authorization phase as well (for future use)
  • Generic HTTP metadata without authentication (#146)

    • A secret no longer has to be associated in the configuration for Authorino to authenticate to an external source of metadata, when that source does not require authentication
  • Extended (custom) properties for resolved identity objects (#145)

    • Adds a new config option spec.identity[].extendedProperties: [{ name: string, value: string | valueFrom: { authJSON: string } }] that extends the resolved identity object with the defined JSON properties, whose values can be static or fetched from the authorization JSON – useful for token normalization
    • Custom JSON properties now respect the original type of the source value – works with identity[].extendedProperties and other structures based on custom JSON properties, such as wristband custom claims and dynamic JSON responses
  • [Breaking change!] Service CRD renamed to AuthConfig (#147)

    • This is a big one! services.configs.authorino.3scale.net/v1beta1 is now authconfigs.authorino.3scale.net/v1beta1
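Added example (not from the Authorino project or these release notes) of the v0.4.0 AuthConfig shape described above, combining identity[].extendedProperties for token normalization with dynamic JSON responses returned as an HTTP header and as Envoy Dynamic Metadata. The hosts field, the apiKey identity block with its labelSelectors, and the auth.identity.* authJSON paths are assumptions; only the response and extendedProperties schemas are taken from the notes.

```yaml
apiVersion: authorino.3scale.net/v1beta1
kind: AuthConfig          # renamed from Service in v0.4.0 (#147)
metadata:
  name: talker-api-protection
spec:
  hosts:                  # assumption: host-matching field of the CRD
  - talker-api.example.com
  identity:
  - name: friends
    apiKey:               # assumption: API key identity selected by Secret labels
      labelSelectors:
        authorino.3scale.net/managed-by: authorino
    # Token normalization (#145): every identity resolved by this source gains
    # a fixed "tier" property and a "username" copied from the authorization JSON.
    extendedProperties:
    - name: tier
      value: free
    - name: username
      valueFrom:
        authJSON: auth.identity.metadata.name   # assumption: path into the resolved identity
  response:
  # Dynamic JSON response (#141): built after a successful Phase 3: Authorization and
  # injected as an HTTP header named by wrapperKey; no signed JWT involved.
  - name: auth-data
    wrapper: httpHeader
    wrapperKey: x-ext-auth-data
    json:
      properties:
      - name: username
        valueFrom:
          authJSON: auth.identity.username   # assumption: extended property merged into the identity
      - name: tier
        valueFrom:
          authJSON: auth.identity.tier
  # A second dynamic response, passed to Envoy as Dynamic Metadata instead of a header.
  # wrapperKey is omitted, so it defaults to the config name "rate-limit-tier".
  - name: rate-limit-tier
    wrapper: envoyDynamicMetadata
    json:
      properties:
      - name: tier
        valueFrom:
          authJSON: auth.identity.tier
```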

Dependency upgrades

  • Upgraded sigs.k8s.io/controller-runtime/tools/setup-envtest to latest (#140)
  • Set to use latest version of Kind always (#142)
  • Upgraded sigs.k8s.io/controller-tools/cmd/controller-gen to v0.6.1 (#143)

Bug fixes

  • Exported a few types of service config (required by clients of the package) (#143)

Doc fixes/updates

  • Removed the AUTHORINO_IMAGE parameter from the OpenShift tutorial – the image is now static in the version of the manifests pointed to in the tutorial (#148)

v0.3.0 (Pre-release)

29 Jul 08:32
7612c49

Enhancements

  • Deployments now default to quay.io/3scale/authorino:latest instead of authorino:local, except for make local-* (#123, #131)
    • With the make local-* targets, use SKIP_LOCAL_BUILD=1 to avoid building the Authorino image locally and use the default one instead
    • AUTHORINO_IMAGE continues to work to set a custom image on deploy
  • Secret-related events watched by the SecretReconciler are now filtered using Operator SDK predicates, to avoid overwhelming the reconciler with irrelevant events (#124, #133)
  • Upgrade controller-runtime version to latest (v0.9.2) (#130, #132)
  • Server TLS opt-out on deploy – AUTHORINO_DEPLOYMENT now accepts a -notls suffix to disable server TLS (#135)
  • The OIDC_CA_PATH env var, which set the file system location of the TLS certificate and TLS private key used by the Wristband OIDC server, has been replaced with the more explicit OIDC_TLS_CERT and OIDC_TLS_CERT_KEY (#136)
  • TLS for the external authorization service (gRPC) – the file system locations of the certificate and private key are set through the TLS_CERT and TLS_CERT_KEY env vars (#137)

Bug fixes

  • Fixed the cert-manager admission webhook failing on local-setup (#126)

v0.2.1 (Pre-release)

09 Jul 18:38
b40141a

Bug fixes

  • Adjust memory resource request and limit to prevent OOMKilled pod failure in environments with OOM killer enabled (#122)

v0.2.0 (Pre-release)

08 Jul 15:06
97f14e0

New features

  • Authorino Festival Wristbands (#94)
  • HTTP GET and GET-by-POST metadata (#100)

Enhancements

  • Remove the port part from the host header when looking for a cache service config (#95)
  • Make Authorino default secret label configurable (#96)
  • Better support for multiple Authorino instances (#101)
    • Cache consistency ensured across Authorino pods
    • Deployment modes: cluster-wide and namespaced
    • Host collision protection across different namespaces
    • Refactoring of the manifests in /install and /deploy
    • Authorino Service CR status (number of identity sources, number of metadata sources, number of authorization policies, wristband ON/OFF)
  • Add the use claim to wristband signing keys (#119)
  • Serve OIDC (Wristband) HTTP endpoints over TLS (#120)

Doc fixes/updates

#98, #104, #103, #117

CI/CD

  • Latest container images automatically pushed to quay.io (#102)

v0.1.0 (Pre-release)

13 May 15:39
a53c0df

Authorino's history is just starting. In this release you will find the following features:

Identity verification

  • API key
  • Kubernetes tokens
  • OIDC JWT verification/validation
  • OAuth2 token introspection

Metadata

  • OIDC User info
  • UMA-protected resource data

Authorization

  • JSON pattern matching
  • OPA Rego policies