Releases · buzzfeed/sso
v3.0.0
Changelog
⚠️ Similar to the v2.0.0 release, this release includes large changes to the configuration variables used by sso_proxy, so care must be taken while upgrading to this version. ⚠️
To aid the introduction of these new variables, please reference the description in #279, and particularly, the table included at the bottom of the referenced pull request.
Features & Enhancements 🚀
- sso_*: rename 'options' package to 'validators' - rename the `options` package to `validators`, better fitting its responsibility.
- sso_*: use ProxyFromEnvironment in http Transport - allow traffic to be passed through a proxy by setting the relevant environment variables.
- sso_*: change 'master' references to 'main' - after renaming the `master` branch to `main`, change relevant references throughout the repo.
- sso-proxy: command line tool to generate request signatures - command line tool to aid with testing request signature validation logic.
- sso_*: prevent copying of session between upstreams - add a new `AuthorizedUpstream` value to the session, allowing us to prevent using the same session with a different upstream.
- sso_*: update to Go 1.14 - update `sso_proxy` and `sso_auth` to Go 1.14.
- sso_auth: make provider_*_okta_server optional - as is stated in the quickstart, allow `provider_*_okta_server` to be optional.
- codecov: update project threshold to explicit % - update codecov configuration as a result of
- sso_proxy: update to use go-micro for configuration management - bring `sso_proxy` in line with `sso_auth` by using go-micro for configuration management. [⚠️ BREAKING CHANGE ⚠️]
- sso_*: remove vendored dependencies - to improve clarity, remove vendored dependencies and rely entirely on go modules.
- sso: update go modules - update dependencies, and make use of `-mod=readonly`.
- release_drafter: add basic config and template for releases - use release-drafter to automate the updating of draft releases.
- auth: amazon cognito provider - adds Amazon Cognito as an additional identity provider.
Bug Fixes 🐛
- sso_proxy: add missing return - add a missing return; resolve a simple bug.
- sso_proxy: allow empty slice of groups - when validating groups, allow an empty slice of groups to be passed in.
- sso_*: proxy path-components with %-escaped characters intact - fix proxying to paths that contain %-encoded characters.
- fillcache: remove group from cache if it can't be found by the identity provider - proactively delete groups from the cache if they can no longer be found.
- fillcache pkg: trigger cache update immediately - fill group cache immediately, instead of waiting until first TTL to pass.
- sso_proxy: fix request signer hash panic - create a new `hash.Hash` within each request signer to prevent a race condition.
- sso_proxy: reduce amount of group validations - we started to run group validations too often, so reduce the frequency.
- cmd: ensure http servers shut down gracefully - don't forcefully abort requests on shutdown, handle gracefully instead.
- sso_*: allow group validator to be used standalone - similar to emails and domains, allow groups to be used for validations on their own.
Documentation 📖
- sso_proxy: document provider slug configs - add missing documentation around provider slugs
- docs: update quickstart guide - add some missing points, and improve the clarity of the quickstart documentation.
- sso_proxy: Add comment marking private key as test data - make it extra clear that the test private key is in fact only for testing purposes.
Release Contributors: @Jusshersmith, @benjsto, @jphines, @itwasntandy, @mccutchen, @katzdm, and @kjetijor
v2.1.0
v2.0.0
Changelog
Note: this release contains multiple breaking or potentially breaking changes. Please read the release notes carefully if you are upgrading from a previous version.
Providers
- sso: send access token on group information query - Pass the access token to all identity providers by default. (in preparation for the implementation of Okta and other providers)
- sso: okta provider MVP - Adds initial support for an Okta identity provider.
- providers: group caching mechanism for okta provider - Introduces a mechanism to cache the group memberships within the Okta identity provider.
- sso: support multiple identity providers - Adds support for configuration of multiple unique identity providers using go-config. We previously started to add support for this using viper within "sso: introduce Viper for sso config management", however decided to roll back in favour of go-config. [BREAKING - see last section of release notes for further information]
CI
- sso: makefile releasepush - Adds a task to the makefile for pushing a release to Docker Hub
- ci: integrate with Codecov for test coverage - Integrate repo with Codecov to help track and monitor test coverage
- ci: remove minimum coverage setting - Fine tune Codecov integration settings for PRs
- ci: introduce circleci workflows - Introduces use of CircleCI Workflows, and improves workflow around image tagging
Auth
- sso_auth: add identity provider slug to url path and mux - Allow use of multiple provider slugs, while keeping backwards compatibility
- sso_auth: use hostmux and ping - Using hostmux, allow for use of `/ping` as a host header.
- authenticator: remove misc/cruft configuration - Clean up redundant code and configuration
- sso_auth: add default provider slug - Add default identity provider to make migrations easier and more streamlined.
- auth: allow proxying root domains - Allow serving of content on root domains, in addition to subdomains.
- auth: update google version endpoints - Some general cleanup of the google provider, and updates version of the provider endpoints.
Proxy
- sso-proxy: refactor routing into hostmux, refactor oauthproxy startup - Refactor and uncouple routing, upstream configuration, and provider information from the OAuth layer.
- Configure Proxy CookieName via Env Var - Enable setting of the proxy CookieName configuration variable via environment variables.
- sso-proxy: refactor reverse proxy into separate file w/ tests - Refactors reverse proxy and upstream logic into separate files, helping to test changes and isolate portions of code.
- sso-proxy: avoid oversized cookies - gzip the marshalled json containing cookies before encryption to reduce size
- proxy: transition idps ux flow - Improve UX flow during the transition of identity providers, specifically where the existing cookie is for the previous provider.
Bugs and Fixes
- proxy/request signers: request signers should also sign access token - Ensure access tokens are signed in request signatures
- sso-proxy: clear csrf token further down the request flow - Fix bug causing the ‘Group membership required’ to cause a ‘http: named cookie not present’ error upon refresh.
- docker: don't run as root - Run SSO docker containers as a dedicated user, rather than root.
- pkg/logging: resolve timestamp bug - Fix timestamp formatting in logging package.
- sso_proxy: don't set timeout when flush interval is set - Fix issue causing request flushing to be ignored if a request timeout is also set.
- sso_auth: fix client authentication for revoke endpoint - Fixes bug preventing successful use of the `/oauth2/sign_out` endpoint within the Okta provider
- sso_proxy: user to lowercase - Normalise the casing of the `X-Forwarded-User` header to keep consistency. [POTENTIALLY BREAKING]
- ci: persist workspace further down the flow - Fix bug preventing test coverage reports being found by Codecov.
- docker: build from go 1.12 - Build binaries using go 1.12.
- sso_auth: fix action tag parsing - Fix parsing of the URL to form ‘action’ tags.
Documentation
- docs: update note on nested groups - Corrects documentation surrounding nested Google groups
- sso: okta provider setup documentation - Documentation on creation and configuration required for the Okta identity provider.
- sso quickstart/docs: update configuration variables - Updates to the Quickstart and provider set-up documentation. (particularly around new configuration variables)
Added Dependencies
There have been a number of dependencies added and/or updated. Please take the time to look through the dependencies in use by scanning through https://github.com/buzzfeed/sso/blob/master/go.mod.
Further details
To help with the configuration variable changes introduced in "sso: support multiple identity providers", below is a list of `old_var -> new_var` pairs for sso_auth only. (These variable changes do not yet apply to sso_proxy.)
The `*` in `PROVIDER_*_TYPE` and the other `PROVIDER_*` names represents a unique identifier grouping together a set of provider configs.
### SESSION
(NEW) -> SESSION_COOKIE_NAME
COOKIE_SECRET -> SESSION_COOKIE_SECRET
COOKIE_EXPIRE -> SESSION_COOKIE_EXPIRE
COOKIE_DOMAIN -> SESSION_COOKIE_DOMAIN
COOKIE_REFRESH -> SESSION_COOKIE_REFRESH
COOKIE_SECURE -> SESSION_COOKIE_SECURE
COOKIE_HTTP_ONLY -> SESSION_COOKIE_HTTPONLY
SESSION_LIFETIME_TTL -> SESSION_LIFETIME
AUTH_CODE_SECRET -> SESSION_KEY
### CLIENT
PROXY_CLIENT_ID -> CLIENT_PROXY_ID
PROXY_CLIENT_SECRET -> CLIENT_PROXY_SECRET
### PROVIDER CONFIG FOR GOOGLE
(NEW) -> PROVIDER_*_TYPE
(NEW) -> PROVIDER_*_SLUG
CLIENT_ID -> PROVIDER_*_CLIENT_ID
CLIENT_SECRET -> PROVIDER_*_CLIENT_SECRET
SCOPE -> PROVIDER_*_SCOPE
### GOOGLE SPECIFIC
GOOGLE_SERVICE_ACCOUNT_JSON -> PROVIDER_*_GOOGLE_CREDENTIALS
GOOGLE_ADMIN_EMAIL -> PROVIDER_*_GOOGLE_IMPERSONATE
### OKTA SPECIFIC
OKTA_ORG_URL -> PROVIDER_*_OKTA_URL
PROVIDER_SERVER_ID -> PROVIDER_*_OKTA_SERVER
### GROUP REFRESH
GROUPS_CACHE_REFRESH_TTL -> PROVIDER_*_GROUPCACHE_INTERVAL_REFRESH
GROUPS_CACHE_PROVIDER_TTL -> PROVIDER_*_GROUPCACHE_INTERVAL_PROVIDER
### SERVER CONFIG
(NEW) -> SERVER_SCHEME
HOST -> SERVER_HOST
PORT -> SERVER_PORT
REQUEST_TIMEOUT -> SERVER_TIMEOUT_REQUEST
TCP_WRITE_TIMEOUT -> SERVER_TIMEOUT_WRITE
TCP_READ_TIMEOUT -> SERVER_TIMEOUT_READ
### AUTHORIZE CONFIG
PROXY_ROOT_DOMAIN -> AUTHORIZE_PROXY_DOMAINS
SSO_EMAIL_DOMAIN -> AUTHORIZE_EMAIL_DOMAINS
SSO_EMAIL_ADDRESSES -> AUTHORIZE_EMAIL_ADDRESSES
### METRICS CONFIG
STATSD_PORT -> METRICS_STATSD_PORT
STATSD_HOST -> METRICS_STATSD_HOST
### LOGGING CONFIG
REQUEST_LOGGING -> LOGGING_ENABLE
(NEW) -> LOGGING_LEVEL
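The rename table above is easy to get wrong by hand, and a mistyped secret-bearing variable fails open in the sense that the old value is simply ignored. The script below is an added example, not part of the buzzfeed/sso project: it rewrites a legacy sso_auth `KEY=VALUE` env file into the v2.0.0 names from the table, reports any key it cannot map on stderr instead of dropping it, and lists the `(NEW)` variables that still have to be set. It assumes one `KEY=VALUE` per line (blank lines and `#` comments allowed) and that the caller supplies the identifier that replaces `*` in `PROVIDER_*_...`; the function names `new_name`, `migrate_env` and `missing_new_vars` and the sample values are constructed for this example.

```shell
#!/bin/sh
# Added example (not the buzzfeed/sso project's own tooling): rewrite a legacy
# sso_auth env file into the v2.0.0 variable names listed in the release notes.
# Assumptions: one KEY=VALUE per line, '#' comments and blank lines allowed,
# and the caller supplies the identifier that replaces "*" in PROVIDER_*_....

# new_name OLD IDENT: print the v2.0.0 name for OLD, or nothing if OLD is not
# one of the renamed sso_auth variables.
new_name() {
    p="PROVIDER_${2}"
    case "$1" in
        COOKIE_SECRET)               echo SESSION_COOKIE_SECRET ;;
        COOKIE_EXPIRE)               echo SESSION_COOKIE_EXPIRE ;;
        COOKIE_DOMAIN)               echo SESSION_COOKIE_DOMAIN ;;
        COOKIE_REFRESH)              echo SESSION_COOKIE_REFRESH ;;
        COOKIE_SECURE)               echo SESSION_COOKIE_SECURE ;;
        COOKIE_HTTP_ONLY)            echo SESSION_COOKIE_HTTPONLY ;;
        SESSION_LIFETIME_TTL)        echo SESSION_LIFETIME ;;
        AUTH_CODE_SECRET)            echo SESSION_KEY ;;
        PROXY_CLIENT_ID)             echo CLIENT_PROXY_ID ;;
        PROXY_CLIENT_SECRET)         echo CLIENT_PROXY_SECRET ;;
        CLIENT_ID)                   echo "${p}_CLIENT_ID" ;;
        CLIENT_SECRET)               echo "${p}_CLIENT_SECRET" ;;
        SCOPE)                       echo "${p}_SCOPE" ;;
        GOOGLE_SERVICE_ACCOUNT_JSON) echo "${p}_GOOGLE_CREDENTIALS" ;;
        GOOGLE_ADMIN_EMAIL)          echo "${p}_GOOGLE_IMPERSONATE" ;;
        OKTA_ORG_URL)                echo "${p}_OKTA_URL" ;;
        PROVIDER_SERVER_ID)          echo "${p}_OKTA_SERVER" ;;
        GROUPS_CACHE_REFRESH_TTL)    echo "${p}_GROUPCACHE_INTERVAL_REFRESH" ;;
        GROUPS_CACHE_PROVIDER_TTL)   echo "${p}_GROUPCACHE_INTERVAL_PROVIDER" ;;
        HOST)                        echo SERVER_HOST ;;
        PORT)                        echo SERVER_PORT ;;
        REQUEST_TIMEOUT)             echo SERVER_TIMEOUT_REQUEST ;;
        TCP_WRITE_TIMEOUT)           echo SERVER_TIMEOUT_WRITE ;;
        TCP_READ_TIMEOUT)            echo SERVER_TIMEOUT_READ ;;
        PROXY_ROOT_DOMAIN)           echo AUTHORIZE_PROXY_DOMAINS ;;
        SSO_EMAIL_DOMAIN)            echo AUTHORIZE_EMAIL_DOMAINS ;;
        SSO_EMAIL_ADDRESSES)         echo AUTHORIZE_EMAIL_ADDRESSES ;;
        STATSD_PORT)                 echo METRICS_STATSD_PORT ;;
        STATSD_HOST)                 echo METRICS_STATSD_HOST ;;
        REQUEST_LOGGING)             echo LOGGING_ENABLE ;;
        *)                           echo "" ;;
    esac
}

# migrate_env IDENT: read legacy KEY=VALUE lines on stdin, write renamed lines
# on stdout. Unknown keys are passed through unchanged and reported on stderr,
# so a typo in a secret-bearing variable is noticed rather than silently lost.
migrate_env() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) printf '%s\n' "$line"; continue ;;   # keep comments/blank lines
            *=*)     ;;                                    # a KEY=VALUE line
            *)       printf '%s\n' "$line"; continue ;;   # not KEY=VALUE, pass through
        esac
        key=${line%%=*}
        value=${line#*=}
        new=$(new_name "$key" "$1")
        if [ -n "$new" ]; then
            printf '%s=%s\n' "$new" "$value"
        else
            printf 'warning: no v2.0.0 mapping for %s; kept unchanged\n' "$key" >&2
            printf '%s\n' "$line"
        fi
    done
}

# missing_new_vars IDENT: read a migrated file on stdin and print the v2.0.0
# variables marked (NEW) in the table that are not set in it.
missing_new_vars() {
    content=$(cat)
    for v in SESSION_COOKIE_NAME "PROVIDER_${1}_TYPE" "PROVIDER_${1}_SLUG" \
             SERVER_SCHEME LOGGING_LEVEL; do
        printf '%s\n' "$content" | grep -q "^${v}=" || echo "$v"
    done
}

# Constructed sample input (fake values, not a real deployment) showing the rewrite.
printf 'COOKIE_SECRET=not-a-real-secret\nCLIENT_ID=example-client-id\nPORT=4180\nUNKNOWN_VAR=1\n' \
    | migrate_env GOOGLE
```

Run it against a real file with `migrate_env GOOGLE < old.env > new.env` and then `missing_new_vars GOOGLE < new.env` to see which of the `(NEW)` variables still need values before starting the upgraded sso_auth.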
v1.2.0
Changelog
- Add provider for individual e-mail address authentication (#113)
- Update to documentation to reflect unsupported nested groups (#135)
- Change all session or csrf store logic to use internal `CookieStore` instead. (#137)
- Prevent empty cookie header being added to request (#143)
- Remove unused `SecretBytes` function (#145)
- Install `curl` in the base image, allowing SSO to work with Istio liveness commands (#147)
- Allow specification of default allowed groups via environment config for upstreams (#148)
- Fix bug preventing effective use of nested Google groups (#149)
- Move to Go 1.11 and utilise Go Mod with vendored dependencies, instead of GPM (#154)
- Add attribution of `oauth2_proxy` to readme (#156)
- Add implementation of reset deadline for http transports to aid with dynamic routing environments (#159)
- Set limit for the `WriteTimeout` of `http.Server` to prevent `200 OK` being incorrectly sent on long, timed out requests (#163)
- Remove requirement to pull in dependency source code changes with each build (#168)
v1.1.0
Please take the SSO Community Survey to let us know how we're doing, and to help us plan our roadmap!
- Remove support for legacy alternative cookie cipher (#54)
- Ensure that `sso_auth` responds to pings (#65)
- Static files are embedded directly into binaries (#63)
- Allow per-upstream configuration of TLS verification (#49)
- Fixed data race for encryption cipher (#77)
- Refactoring of some provider logic, to facilitate additional providers (#76)
- `PROXY_ROOT_DOMAIN` is now a required option for `sso_auth` (#92)
- Added optional `PROVIDER_URL_INTERNAL` for split DNS deployments (#88, #123)
- Removed default provider and associated unused functions (#87)
- Access token is now forwarded to upstreams via the `X-Forwarded-AccessToken` header, when the proxy option `PASS_ACCESS_TOKEN` is set (#109)
- Added support for digital signing of upstream requests, via the `Sso-Signature` header (#106)
- Added `preserve_host` option to upstream configs (#55)
- Various other minor fixes, cleanups, etc.
v1.0.0
v1.0.0 Release Notes
Initial open source release