Releases: Kuadrant/authorino
v0.4.0
New features and Enhancements
- Auth Pipeline Phase 4: Dynamic responses (#141)
  - Adds `spec.response: [{ name: string, wrapper: httpHeader | envoyDynamicMetadata, wrapperKey: string, wristband: object | json: object }]` to the API, an array of dynamic response configs (custom JSON objects or wristband tokens), triggered by Authorino after a successful "Phase 3: Authorization"
  - Introduces the new type Dynamic JSON response, `spec.response[].json: { properties: [{ name: string, value: string | valueFrom: { authJSON: string } }] }`, to build custom JSON objects that will be returned to the client after a successful auth pipeline. This is an alternative to the Festival Wristband if all you want is to return data of the authorization process to the client instead of a signed JWT.
  - Festival Wristband configs are now defined as a type of dynamic response, in the `response` array
  - Multiple wristband tokens can now be issued per authorized request
  - Wristband issuer endpoints now include the name of the config in the path – the new format is `http(s)://<oidc-service>:8083/<namespace>/<resource-name>/<response-config-name>`
  - The name of the wristband-related HTTP response header `Ext-Auth-Wristband` is now configurable by the user, through the `response[].wrapperKey` option – defaults to the name of the config
  - Dynamic responses (wristband tokens or dynamic JSON objects) can be passed along wrapped as added HTTP headers (default) or as Envoy External Authorization Dynamic Metadata
  - The authorization JSON is now extended with the objects resolved in the authorization phase as well (for future use)
- Generic HTTP metadata without authentication (#146)
  - No need to associate a secret in the configuration for Authorino to authenticate before external sources of metadata (if this is the case)
- Extended (custom) properties for resolved identity objects (#145)
  - Adds a new config option `spec.identity[].extendedProperties: [{ name: string, value: string | valueFrom: { authJSON: string } }]` that modifies the resolved identity object, extending it with the defined JSON properties, whose values can be static or fetched from the authorization JSON – useful for token normalization
  - Makes the custom JSON properties respect the original type of the source value – works with `identity[].extendedProperties` and other structures based on custom JSON properties, such as wristband custom claims and dynamic JSON responses
- [Breaking change!] `Service` CRD renamed to `AuthConfig` (#147)
  - This is a big one! `services.configs.authorino.3scale.net/v1beta1` is now `authconfigs.authorino.3scale.net/v1beta1`
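To show how the v0.4.0 additions above fit together (the renamed `AuthConfig` CRD, `identity[].extendedProperties` and the Phase 4 `spec.response` array), here is an added example manifest that is not from the release notes or the Authorino repository. Everything not in the notes above is assumed from the v1beta1 API: `spec.hosts`, the `apiKey` identity type with its `labelSelectors` and `credentials` fields, the Secret annotation and the `authJSON` paths.

```yaml
# Added example, not from the Authorino release notes or repo: one AuthConfig
# (the renamed CRD) using identity[].extendedProperties and the Phase 4
# spec.response array. Assumed beyond the release notes: spec.hosts, the apiKey
# identity type (labelSelectors/credentials), the Secret annotation, authJSON paths.
apiVersion: authorino.3scale.net/v1beta1
kind: AuthConfig
metadata:
  name: talker-api-protection
spec:
  hosts:
    - talker-api.example.com
  identity:
    - name: friends
      apiKey:
        labelSelectors:
          group: friends
      credentials:
        in: authorization_header
        keySelector: APIKEY
      # Token normalization: extend the resolved identity (the API key Secret)
      # with a static property and one read from the authorization JSON.
      extendedProperties:
        - name: source
          value: apikey
        - name: username
          valueFrom:
            authJSON: auth.identity.metadata.annotations.username
  response:
    # Dynamic JSON object returned to the client in an HTTP header (wrapper
    # httpHeader is the default; wrapperKey defaults to the config name).
    - name: x-ext-auth-data
      wrapper: httpHeader
      wrapperKey: x-ext-auth-data
      json:
        properties:
          - name: username
            valueFrom:
              authJSON: auth.identity.username
    # Same data handed to Envoy as dynamic metadata for other filters to
    # consume, so it stays inside the proxy and never reaches the client.
    - name: auth-data
      wrapper: envoyDynamicMetadata
      json:
        properties:
          - name: username
            valueFrom:
              authJSON: auth.identity.username
```

A Festival Wristband would be one more entry of the same `response` array, with its issuer following the new `<namespace>/<resource-name>/<response-config-name>` path.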
Dependency upgrades
- Upgraded sigs.k8s.io/controller-runtime/tools/setup-envtest to latest (#140)
- Set to use latest version of Kind always (#142)
- Upgraded sigs.k8s.io/controller-tools/cmd/controller-gen to v0.6.1 (#143)
Bug fixes
- Exported a few types of service config (required by clients of the package) (#143)
Doc fixes/updates
- Removed `AUTHORINO_IMAGE` parameter from the OpenShift tutorial – now static in the version of the manifests pointed in the tutorial (#148)
v0.3.0
Enhancements
- Deployments now default to `quay.io/3scale/authorino:latest` instead of `authorino:local`, except for `make local-*` (#123, #131)
  - With the `make local-*` target, use `SKIP_LOCAL_BUILD=1` to avoid building the Authorino image locally and use the default one instead
  - `AUTHORINO_IMAGE` continues to work to set a custom image on deploy
- `Secret`-related events watched by the `SecretReconciler` are now filtered using Operator SDK predicates to avoid overwhelming the reconciler with irrelevant events (#124, #133)
- Upgrade controller-runtime version to latest (v0.9.2) (#130, #132)
- Server TLS opt-out on deploy – `AUTHORINO_DEPLOYMENT` now accepts a `-notls` suffix to disable server TLS (#135)
- `OIDC_CA_PATH` env var, which set the location in the file system of the TLS certificate and TLS private key used by the Wristband OIDC server, replaced with the more explicit `OIDC_TLS_CERT` and `OIDC_TLS_CERT_KEY` (#136)
- TLS for the external authorization service (gRPC) – file location in the file system set through the `TLS_CERT` and `TLS_CERT_KEY` env vars (#137)
Bug fixes
- Cert-manager admission webhook fails on local-setup (#126)
v0.2.1
v0.2.0
New features
Enhancements
- Remove the port part from the host header when looking for a cache service config (#95)
- Make Authorino default secret label configurable (#96)
- Better support for multiple Authorino instances (#101)
  - Cache consistency ensured across Authorino pods
  - Deployment modes: `cluster-wide` and `namespaced`
  - Host collision protection across different namespaces
  - Refactoring of the manifests in `/install` and `/deploy`
- Authorino `Service` CR status (number of identity sources, number of metadata sources, number of authorization policies, wristband ON/OFF)
- Add `use` claim to wristband signing keys (#119)
- Serve OIDC (Wristband) HTTP endpoints over TLS (#120)
Doc fixes/updates
CI/CD
- Latest container images automatically pushed to quay.io (#102)
v0.1.0
Authorino's history is just starting. In this release you will find the following features:
Identity verification
- API key
- Kubernetes tokens
- OIDC JWT verification/validation
- OAuth2 token introspection
Metadata
- OIDC User info
- UMA-protected resource data
Authorization
- JSON pattern matching
- OPA Rego policies