
v0.25.0

@sebadob sebadob released this 21 Aug 09:49

Changes

Token Introspection

The introspection endpoint has been fixed regarding its request encoding, as mentioned under Bugfixes.
Additionally, authorization has been added to this endpoint. It now requires that the request includes
an AUTHORIZATION header with either a valid Bearer JwtToken or Basic ClientId:ClientSecret, to prevent
token scanning.

The way authorization works on this endpoint is not really standardized, so you may run into issues with your client
application. If so, you can disable the authentication on this endpoint with

# Can be set to `true` to disable authorization on `/oidc/introspect`.
# This should usually never be done, but since the auth on that endpoint is not
# really standardized, you may run into issues with your client app. If so, 
# please open an issue about it.
# default: false
DANGER_DISABLE_INTROSPECT_AUTH=true

2e84ceb
7087a59

API Routes Normalization

In preparation for a clean v1.0.0, some older API routes have been fixed regarding their casing and naming.
The "current" (old) routes and names will remain available for exactly one release and will be phased out afterward,
to allow a smooth migration in case someone uses these renamed routes.

  • /oidc/tokenInfo -> /oidc/introspect
  • /oidc/rotateJwk -> /oidc/rotate_jwk

Since I don't like kebab-case, most API routes are written in snake_case, with 2 exceptions that follow RFC naming:

  • openid-configuration
  • web-identity

All the *info routes like userinfo or sessioninfo are deliberately written as a single word (neither snake_case nor
kebab-case), just to match other IdPs and RFCs a bit more closely.

There is not a single camelCase route left in the API, to avoid confusion and issues in situations where you could,
for instance, mistake an uppercase I for a lowercase l. The current camelCase endpoints only exist for a smoother
migration and will be phased out with the next bigger release.

107f148

Config Read

The previous behavior of reading in config variables was not working as intended.

Rauthy reads rauthy.cfg as a file first and the environment variables afterward. This makes it possible to
configure it in any way you like and even mix and match.
However, the idea was that any variables existing in the environment should overwrite config file variables and
therefore have the higher priority. It was exactly the other way around up until v0.24.1 and has been fixed now.

Rauthy now parses config variables in the correct order:

  1. read rauthy.cfg
  2. read env var
  3. all existing env vars overwrite the values from rauthy.cfg and therefore have the higher priority

28b2457

Bugfixes

  • The token introspection endpoint was only accepting requests with JSON data, when it should have accepted
    form data instead.
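The following is an added example, not Rauthy's own code, illustrating the two introspection changes above (Bearer-or-Basic authorization from the Token Introspection section, and form data instead of JSON from this bugfix). The client registry, client id and secret are constructed values, and JWT validation is left to a caller-supplied callback, since the point here is the authorization gate, not token verification.

```python
import base64
import hmac
from urllib.parse import parse_qs

# Constructed sample client registry (hypothetical client_id -> client_secret).
CLIENTS = {"my-app": "s3cr3t"}

def basic_header(client_id, secret):
    """Client side: the Authorization value a confidential client sends."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def parse_authorization(header):
    """Return ("bearer", token), ("basic", (client_id, secret)) or None."""
    if not header or " " not in header:
        return None
    scheme, _, value = header.partition(" ")
    scheme, value = scheme.lower(), value.strip()
    if scheme == "bearer" and value:
        return ("bearer", value)
    if scheme == "basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode()
        except ValueError:  # bad base64 or non-UTF-8 payload
            return None
        client_id, sep, secret = decoded.partition(":")
        return ("basic", (client_id, secret)) if sep else None
    return None

def introspect_authorized(headers, verify_bearer, clients=CLIENTS, danger_disable_auth=False):
    """Server side: require a valid Bearer JWT or Basic client credentials, unless
    DANGER_DISABLE_INTROSPECT_AUTH (here the danger_disable_auth flag) is set."""
    if danger_disable_auth:
        return True
    parsed = parse_authorization(headers.get("Authorization"))
    if parsed is None:
        return False
    kind, cred = parsed
    if kind == "bearer":
        return bool(verify_bearer(cred))  # verify_bearer is the caller's JWT validation
    client_id, secret = cred
    expected = clients.get(client_id)
    # Constant-time comparison so a wrong secret does not leak timing information.
    return expected is not None and hmac.compare_digest(expected.encode(), secret.encode())

def parse_introspect_body(content_type, body):
    """Introspection requests carry form-encoded data, not JSON; return the token or None."""
    if (content_type or "").split(";")[0].strip().lower() != "application/x-www-form-urlencoded":
        return None
    values = parse_qs(body).get("token", [])
    return values[0] if values else None
```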

Images

Postgres

ghcr.io/sebadob/rauthy:0.25.0

SQLite

ghcr.io/sebadob/rauthy:0.25.0-lite