v2.0.0
Changelog
Note: this release contains multiple breaking or potentially breaking changes. Please read the release notes carefully if you are upgrading from a previous version.
Providers
- sso: send access token on group information query - Pass the access token to all identity providers by default. (in preparation for the implementation of Okta and other providers)
- sso: okta provider MVP - Adds initial support for an Okta identity provider.
- providers: group caching mechanism for okta provider - Introduces a mechanism to cache the group memberships within the Okta identity provider.
- sso: support multiple identity providers - Adds support for configuration of multiple unique identity providers using go-config. We previously started to add support for this using viper within sso: introduce Viper for sso config management, however decided to roll back in favour of go-config. [BREAKING - see last section of release notes for further information]
CI
- sso: makefile releasepush - Adds a task to the makefile for pushing a release to Docker Hub
- ci: integrate with Codecov for test coverage - Integrate repo with Codecov to help track and monitor test coverage
- ci: remove minimum coverage setting - Fine tune Codecov integration settings for PR’s
- ci: introduce circleci workflows - Introduces use of CircleCI Workflows, and improves workflow around image tagging
Auth
- sso_auth: add identity provider slug to url path and mux - Allow use of multiple provider slugs, while keeping backwards compatibility
- sso_auth: use hostmux and ping - Using hostmux, allow for use of
/ping
as a host header. - authenticator: remove misc/cruft configuration - Clean up redundant code and configuration
- sso_auth: add default provider slug - Add default identity provider to make migrations easier and more streamlined.
- auth: allow proxying root domains - Allow serving of content on root domains, in addition to subdomains.
- auth: update google version endpoints - Some general cleanup of the google provider, and updates version of the provider endpoints.
Proxy
- sso-proxy: refactor routing into hostmux, refactor oauthproxy startup - Refactor and uncouple routing, upstream configuration, and provider information from the OAuth layer.
- Configure Proxy CookieName via Env Var - Enable setting of the proxy CookieName configuration variable via environment variables.
- sso-proxy: refactor reverse proxy into separate file w/ tests - Refactors reverse proxy and upstream logic into separate files, helping to test changes and isolate portions of code.
- sso-proxy: avoid oversized cookies - gzip the marshalled json containing cookies before encryption to reduce size
- proxy: transition idps ux flow - Improve UX flow during the transition of identity providers, specifically where the existing cookie is for the previous provider.
Bugs and Fixes
- proxy/request signers: request signers should also sign access token - Ensure access tokens are signed in request signatures
- sso-proxy: clear csrf token further down the request flow - Fix bug causing the ‘Group membership required’ to cause a ‘http: named cookie not present’ error upon refresh.
- docker: don't run as root - Run SSO docker containers as a dedicated user, rather than root.
- pkg/logging: resolve timestamp bug - Fix timestamp formatting in logging package.
- sso_proxy: don't set timeout when flush interval is set - Fix issue causing request flushing to be ignored if a request timeout is also set.
- sso_auth: fix client authentication for revoke endpoint - Fixes bug preventing successful use of
/oauth2/sign_out
endpoint within the Okta provider - sso_proxy: user to lowercase - Normalise the casing of the
X-Forwarded-User
to keep consistency. [POTENTIALLY BREAKING] - ci: persist workspace further down the flow - Fix bug preventing test coverage reports being found by Codecov.
- docker: build from go 1.12 - Build binaries using go 1.12.
- sso_auth: fix action tag parsing - Fix parsing of the URL to form ‘action’ tags.
Documentation
- docs: update note on nested groups - Corrects documentation surrounding nested Google groups
- sso: okta provider setup documentation - Documentation on creation and configuration required for the Okta identity provider.
- sso quickstart/docs: update configuration variables - Updates to the Quickstart and provider set-up documentation. (particularly around new configuration variables)
Added Dependencies
There have been a number of dependencies added and/or updated. Please take the time to look through the dependencies in use by scanning through https://github.com/buzzfeed/sso/blob/master/go.mod.
Further details
To help with the introduction of configuration variable changes in sso: support multiple identity providers, below is a list of old_var
-> new_var
pairs for sso_auth only. (these variables changes do not yet apply to sso_proxy)
*
in PROVIDER_*_TYPE
and others represents a unique identifier grouping together a set of provider configs.
### SESSION
(NEW) -> SESSION_COOKIE_NAME
COOKIE_SECRET -> SESSION_COOKIE_SECRET
COOKIE_EXPIRE -> SESSION_COOKIE_EXPIRE
COOKIE_DOMAIN -> SESSION_COOKIE_DOMAIN
COOKIE_REFRESH -> SESSION_COOKIE_REFRESH
COOKIE_SECURE -> SESSION_COOKIE_SECURE
COOKIE_HTTP_ONLY -> SESSION_COOKIE_HTTPONLY
SESSION_LIFETIME_TTL -> SESSION_LIFETIME
AUTH_CODE_SECRET -> SESSION_KEY
### CLIENT
PROXY_CLIENT_ID -> CLIENT_PROXY_ID
PROXY_CLIENT_SECRET -> CLIENT_PROXY_SECRET
### PROVIDER CONFIG FOR GOOGLE
(NEW) -> PROVIDER_*_TYPE
(NEW) -> PROVIDER_*_SLUG
CLIENT_ID -> PROVIDER_*_CLIENT_ID
CLIENT_SECRET -> PROVIDER_*_CLIENT_SECRET
SCOPE -> PROVIDER_*_SCOPE
### GOOGLE SPECIFIC
GOOGLE_SERVICE_ACCOUNT_JSON -> PROVIDER_*_GOOGLE_CREDENTIALS
GOOGLE_ADMIN_EMAIL -> PROVIDER_*_GOOGLE_IMPERSONATE
### OKTA SPECIFIC
OKTA_ORG_URL -> PROVIDER_*_OKTA_URL
PROVIDER_SERVER_ID -> PROVIDER_*_OKTA_SERVER
### GROUP REFRESH
GROUPS_CACHE_REFRESH_TTL -> PROVIDER_*_GROUPCACHE_INTERVAL_REFRESH
GROUPS_CACHE_PROVIDER_TTL -> PROVIDER_*_GROUPCACHE_INTERVAL_PROVIDER
# SERVER CONFIG
(NEW) -> SERVER_SCHEME
HOST -> SERVER_HOST
PORT -> SERVER_PORT
REQUEST_TIMEOUT -> SERVER_TIMEOUT_REQUEST
TCP_WRITE_TIMEOUT -> SERVER_TIMEOUT_WRITE
TCP_READ_TIMEOUT -> SERVER_TIMEOUT_READ
# AUTHORIZE CONFIG
PROXY_ROOT_DOMAIN -> AUTHORIZE_PROXY_DOMAINS
SSO_EMAIL_DOMAIN -> AUTHORIZE_EMAIL_DOMAINS
SSO_EMAIL_ADDRESSES -> AUTHORIZE_EMAIL_ADDRESSES
# METRICS CONFIG
STATSD_PORT -> METRICS_STATSD_PORT
STATSD_HOST -> METRICS_STATSD_HOST
# LOGGING CONFIG
REQUSEST_LOGGING -> LOGGING_ENABLE
(NEW) -> LOGGING_LEVEL