
6.0.0

@rra rra released this 27 Sep 16:49 (commit e57c70b)

Backwards-incompatible changes

  • Remove support for all X-Auth-Request-* headers that were not being used. The only available headers are now X-Auth-Request-Email, X-Auth-Request-Token, and X-Auth-Request-User. The other information is already available to the application in other ways (client IP), should not be used by the application due to separation of concerns (scopes), or can be retrieved from the /auth/api/v1/user-info or /auth/api/v1/token-info routes if required.
  • Scopes requested via delegate_scope are now optional. If the authenticating token has a scope requested via that parameter, the delegated token will have it; if it does not, authentication still succeeds and the delegated token is created without that scope. To restore the previous behavior of also requiring that scope for authentication, add it to scope as well and either omit satisfy or use satisfy=all.
  • Remove support for a user editing their own tokens, and remove the corresponding UI. This is not a commonly supported operation on tokens in other implementations, such as GitHub. Token administrators with the admin:token scope can still edit tokens.
  • Drop support for creating InfluxDB tokens, including the configuration options and the /auth/tokens/influxdb/new route. This support only worked with InfluxDB 1.x and was not used; InfluxDB 2.x uses an entirely different authentication mechanism.
  • The supported URL for getting token information after an OpenID Connect authentication to Gafaelfawr is /auth/openid/userinfo. Fix the mistaken creation of /auth/oidc/userinfo and drop support for /auth/userinfo. The latter incorrectly implies this is a general API, as opposed to specific to the OpenID Connect support.
  • Drop support for /oauth2/callback as an alias for /login and the config.cilogon.redirectUrl setting. This was required for some older CILogon integrations at NCSA, but those deployments have been retired.

New features

  • Add a new minimum_lifetime parameter to the /auth route, which can be used to specify the minimum required lifetime of a delegated token (internal or notebook). If the user's authenticating token doesn't have sufficient remaining lifetime to satisfy this request, /auth will return a 401 error to force a reauthentication.
  • Add a new gafaelfawr generate-session-secret command to generate the session secret so that users do not have to write a small script to call the Fernet function.
  • Log more details during token creation or modification, including any user identity information stored with the token. Log expiration times in ISO date format instead of seconds since epoch. The names of the attributes logged have changed from previous versions in some cases.
  • Log changes to the list of administrators.
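The delegate_scope change in the backwards-incompatible section and the new minimum_lifetime parameter above, as an added model of the described /auth decision (this is not Gafaelfawr's own code; the function and class names, the 403 used for a scope failure, and the sample scope names other than admin:token are assumptions):

```python
from dataclasses import dataclass, field

# Added illustration of the /auth semantics described in this release, not
# Gafaelfawr's own code; evaluate_auth and AuthDecision are invented names.


@dataclass
class AuthDecision:
    status: int                       # 200 allow, 401 reauthenticate, 403 forbidden
    delegated_scopes: list = field(default_factory=list)


def evaluate_auth(token_scopes, token_remaining, *, scope=(), satisfy="all",
                  delegate_scope=(), minimum_lifetime=None):
    """Model one /auth request.

    token_scopes      scopes carried by the authenticating token
    token_remaining   seconds until that token expires (None = never)
    scope             scopes required for authentication, combined per satisfy
    delegate_scope    scopes the delegated token should carry if the user has them
    minimum_lifetime  minimum seconds the authenticating token must have left
    """
    have = set(token_scopes)
    required = set(scope)
    if satisfy == "all":
        authorized = required <= have
    elif satisfy == "any":
        authorized = not required or bool(required & have)
    else:
        raise ValueError(f"unknown satisfy value: {satisfy!r}")
    if not authorized:
        # 403 is assumed here for an authorization failure; the release notes
        # only specify the 401 returned for insufficient lifetime.
        return AuthDecision(status=403)
    if (minimum_lifetime is not None and token_remaining is not None
            and token_remaining < minimum_lifetime):
        # Not enough lifetime left to mint the delegated token: force reauth.
        return AuthDecision(status=401)
    # As of 6.0.0 delegate_scope is optional: the delegated token carries only
    # the requested scopes the authenticating token actually has, and a missing
    # one no longer makes authentication fail.
    return AuthDecision(status=200,
                        delegated_scopes=sorted(have & set(delegate_scope)))
```

Listing the same scope in both scope and delegate_scope (with satisfy omitted or set to all) reproduces the pre-6.0.0 behavior of rejecting tokens that lack it.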

Bug fixes

  • Correctly cache empty LDAP group membership results.

Other changes

  • Uvicorn logs are now sent through structlog for consistent JSON formatting. Context expected by Google's Cloud Logging is added to each log message.
  • Send Accept: application/vnd.github+json instead of Accept: application/json when making GitHub API calls.