⚠️ Similar to the v2.0.0 release, this release includes large changes to the configuration variables used by `sso_proxy`, so care must be taken while upgrading to this version. ⚠️

To aid the introduction of these new variables, please refer to the description in https://github.com/buzzfeed/sso/pull/279, and in particular the table at the bottom of that pull request.
- Rename the `options` package to `validators`, better fitting its responsibility.
- Rename the `master` branch to `main`, and change relevant references throughout the repo.
- Add an `AuthorizedUpstream` value to the session, allowing us to prevent the same session from being used with a different upstream.
- Upgrade `sso_proxy` and `sso_auth` to Go 1.14.
- Allow `provider_*_okta_server` to be optional.
- Bring `sso_proxy` in line with `sso_auth` by using go-micro for configuration management. [⚠️ BREAKING CHANGE ⚠️]
- Build with `-mod=readonly`.
- Use a separate `hash.Hash` within each request signer to prevent a race condition.

Release Contributors: @Jusshersmith, @benjsto, @jphines, @itwasntandy, @mccutchen, @katzdm, and @kjetijor
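The race behind the last item is a general Go pitfall worth seeing once: a `hash.Hash` carries internal buffer state, so a signer that reuses one instance across concurrent requests interleaves `Write` calls and emits signatures that do not verify (or panics inside the digest). The following is an added example, not sso's own code, showing that shape beside the per-request construction that avoids it. The covered fields, the `X-Forwarded-User` header name and the key are assumptions made for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"hash"
	"io"
	"net/http"
	"sync"
)

// sharedHashSigner reuses a single hash.Hash for every request. hash.Hash is
// not safe for concurrent use: two goroutines calling Sign at once corrupt
// each other's state. Shown only as the "before"; it is never exercised
// concurrently here because doing so is a data race (go test -race flags it).
type sharedHashSigner struct {
	mac hash.Hash
}

func newSharedHashSigner(key []byte) *sharedHashSigner {
	return &sharedHashSigner{mac: hmac.New(sha256.New, key)}
}

func (s *sharedHashSigner) Sign(req *http.Request) string {
	s.mac.Reset()
	writeSignedFields(s.mac, req)
	return base64.RawURLEncoding.EncodeToString(s.mac.Sum(nil))
}

// perRequestSigner builds a fresh HMAC per call. The only shared state is the
// key, which is read-only, so Sign and Verify are safe from any goroutine.
type perRequestSigner struct {
	key []byte
}

func (s *perRequestSigner) Sign(req *http.Request) string {
	mac := hmac.New(sha256.New, s.key)
	writeSignedFields(mac, req)
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Verify recomputes the signature and compares it in constant time.
func (s *perRequestSigner) Verify(req *http.Request, sig string) bool {
	want, err := base64.RawURLEncoding.DecodeString(sig)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, s.key)
	writeSignedFields(mac, req)
	return hmac.Equal(mac.Sum(nil), want)
}

// writeSignedFields feeds the fields covered by the signature (an assumed
// set: method, host, path, query and the forwarded user). The newline
// separators keep "a"+"bc" and "ab"+"c" from producing the same input.
func writeSignedFields(w io.Writer, req *http.Request) {
	fmt.Fprintf(w, "%s\n%s\n%s\n%s\n%s\n",
		req.Method, req.Host, req.URL.Path, req.URL.RawQuery,
		req.Header.Get("X-Forwarded-User"))
}

// signConcurrently signs every request from its own goroutine, then verifies
// each result. With perRequestSigner this always returns true.
func signConcurrently(s *perRequestSigner, reqs []*http.Request) bool {
	sigs := make([]string, len(reqs))
	var wg sync.WaitGroup
	for i, r := range reqs {
		wg.Add(1)
		go func(i int, r *http.Request) {
			defer wg.Done()
			sigs[i] = s.Sign(r)
		}(i, r)
	}
	wg.Wait()
	for i, r := range reqs {
		if !s.Verify(r, sigs[i]) {
			return false
		}
	}
	return true
}

// sampleRequests builds constructed requests to a hypothetical upstream.
func sampleRequests(n int) []*http.Request {
	reqs := make([]*http.Request, 0, n)
	for i := 0; i < n; i++ {
		r, _ := http.NewRequest("GET", fmt.Sprintf("https://app.example.com/item/%d?q=%d", i, i), nil)
		r.Header.Set("X-Forwarded-User", fmt.Sprintf("user%d@example.com", i))
		reqs = append(reqs, r)
	}
	return reqs
}

func main() {
	s := &perRequestSigner{key: []byte("constructed-demo-key")}
	fmt.Println("all concurrent signatures verify:", signConcurrently(s, sampleRequests(200)))
}
```

Sequentially both signers agree, which is exactly why this class of bug escapes unit tests that never sign in parallel; running the suite with `go test -race` against the shared variant is the check that catches it.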
Published by Jusshersmith about 5 years ago
Note: This release includes changes to how users are validated using email domains, email addresses, and email groups. With each of these 'validator' mechanisms that is configured, the user will be allowed access as long as at least one passes, rather than requiring all to pass.

Please see https://github.com/buzzfeed/sso/pull/253 for more information.
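The operational consequence of the any-of rule deserves a concrete look before upgrading: an operator who relied on a domain validator AND a group validator to narrow access to one team will find that, after this change, every user in the domain is admitted. The following is an added example, not the project's code, that puts the new any-of rule beside the previous all-of rule. The validator types, the case-insensitive matching, the "member of at least one listed group" reading and the sample identities are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Identity is the part of an authenticated user the validators look at.
// Constructed for this example.
type Identity struct {
	Email  string
	Groups []string
}

// Validator mirrors the release note's "validator mechanisms": each one
// answers yes or no for a single identity.
type Validator interface {
	Validate(id Identity) bool
}

// EmailDomainValidator passes when the part after the last "@" matches one
// of the configured domains (case-insensitive; an assumption).
type EmailDomainValidator struct{ Domains []string }

// EmailAddressValidator passes on an exact, case-insensitive address match.
type EmailAddressValidator struct{ Addresses []string }

// EmailGroupValidator passes when the user is in at least one configured
// group (an assumption about how a group list is meant to be read).
type EmailGroupValidator struct{ Groups []string }

func (v EmailDomainValidator) Validate(id Identity) bool {
	at := strings.LastIndex(id.Email, "@")
	if at < 0 {
		return false
	}
	return containsFold(v.Domains, id.Email[at+1:])
}

func (v EmailAddressValidator) Validate(id Identity) bool {
	return containsFold(v.Addresses, id.Email)
}

func (v EmailGroupValidator) Validate(id Identity) bool {
	for _, g := range id.Groups {
		if containsFold(v.Groups, g) {
			return true
		}
	}
	return false
}

func containsFold(list []string, s string) bool {
	for _, item := range list {
		if strings.EqualFold(item, s) {
			return true
		}
	}
	return false
}

// AnyOf is the rule described in the release note: access is granted when at
// least one configured validator passes. With nothing configured nobody
// passes, so an empty configuration fails closed.
func AnyOf(vs []Validator, id Identity) bool {
	for _, v := range vs {
		if v.Validate(id) {
			return true
		}
	}
	return false
}

// AllOf is the previous behaviour, kept only to show what changes.
func AllOf(vs []Validator, id Identity) bool {
	if len(vs) == 0 {
		return false
	}
	for _, v := range vs {
		if !v.Validate(id) {
			return false
		}
	}
	return true
}

// Constructed configuration: a domain plus a group, which before this
// release narrowed access to the group and now admits the whole domain.
var configured = []Validator{
	EmailDomainValidator{Domains: []string{"example.com"}},
	EmailGroupValidator{Groups: []string{"sso-admins@example.com"}},
}

func main() {
	for _, id := range []Identity{
		{Email: "alice@example.com", Groups: []string{"sso-admins@example.com"}},
		{Email: "bob@example.com"},
		{Email: "carol@contractor.example", Groups: []string{"sso-admins@example.com"}},
		{Email: "mallory@evil.example"},
	} {
		fmt.Printf("%-28s any-of=%-5v all-of=%v\n", id.Email, AnyOf(configured, id), AllOf(configured, id))
	}
}
```

If the intent is "members of this group, and only them", configure only the group validator after upgrading; the domain validator no longer acts as a second gate.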
- `AUTH_CODE_SECRET`.
- Configuration variables for `sso_auth` and their types.

Published by Jusshersmith about 5 years ago
Note: this release contains multiple breaking or potentially breaking changes. Please read the release notes carefully if you are upgrading from a previous version.
- `/ping` as a host header.
- `/oauth2/sign_out` endpoint within the Okta provider.
- `X-Forwarded-User` to keep consistency. [POTENTIALLY BREAKING]

There have been a number of dependencies added and/or updated. Please take the time to look through the dependencies in use by scanning https://github.com/buzzfeed/sso/blob/master/go.mod.
To help with the introduction of the configuration variable changes in "sso: support multiple identity providers", below is a list of `old_var` -> `new_var` pairs for `sso_auth` only (these variable changes do not yet apply to `sso_proxy`).

The `*` in `PROVIDER_*_TYPE` and the other `PROVIDER_*` variables stands for a unique identifier that groups together one set of provider configs.
| Group | Old variable | New variable |
|---|---|---|
| Session | (new) | `SESSION_COOKIE_NAME` |
| Session | `COOKIE_SECRET` | `SESSION_COOKIE_SECRET` |
| Session | `COOKIE_EXPIRE` | `SESSION_COOKIE_EXPIRE` |
| Session | `COOKIE_DOMAIN` | `SESSION_COOKIE_DOMAIN` |
| Session | `COOKIE_REFRESH` | `SESSION_COOKIE_REFRESH` |
| Session | `COOKIE_SECURE` | `SESSION_COOKIE_SECURE` |
| Session | `COOKIE_HTTP_ONLY` | `SESSION_COOKIE_HTTPONLY` |
| Session | `SESSION_LIFETIME_TTL` | `SESSION_LIFETIME` |
| Session | `AUTH_CODE_SECRET` | `SESSION_KEY` |
| Client | `PROXY_CLIENT_ID` | `CLIENT_PROXY_ID` |
| Client | `PROXY_CLIENT_SECRET` | `CLIENT_PROXY_SECRET` |
| Provider config (Google) | (new) | `PROVIDER_*_TYPE` |
| Provider config (Google) | (new) | `PROVIDER_*_SLUG` |
| Provider config (Google) | `CLIENT_ID` | `PROVIDER_*_CLIENT_ID` |
| Provider config (Google) | `CLIENT_SECRET` | `PROVIDER_*_CLIENT_SECRET` |
| Provider config (Google) | `SCOPE` | `PROVIDER_*_SCOPE` |
| Google specific | `GOOGLE_SERVICE_ACCOUNT_JSON` | `PROVIDER_*_GOOGLE_CREDENTIALS` |
| Google specific | `GOOGLE_ADMIN_EMAIL` | `PROVIDER_*_GOOGLE_IMPERSONATE` |
| Okta specific | `OKTA_ORG_URL` | `PROVIDER_*_OKTA_URL` |
| Okta specific | `PROVIDER_SERVER_ID` | `PROVIDER_*_OKTA_SERVER` |
| Group refresh | `GROUPS_CACHE_REFRESH_TTL` | `PROVIDER_*_GROUPCACHE_INTERVAL_REFRESH` |
| Group refresh | `GROUPS_CACHE_PROVIDER_TTL` | `PROVIDER_*_GROUPCACHE_INTERVAL_PROVIDER` |
| Server | (new) | `SERVER_SCHEME` |
| Server | `HOST` | `SERVER_HOST` |
| Server | `PORT` | `SERVER_PORT` |
| Server | `REQUEST_TIMEOUT` | `SERVER_TIMEOUT_REQUEST` |
| Server | `TCP_WRITE_TIMEOUT` | `SERVER_TIMEOUT_WRITE` |
| Server | `TCP_READ_TIMEOUT` | `SERVER_TIMEOUT_READ` |
| Authorize | `PROXY_ROOT_DOMAIN` | `AUTHORIZE_PROXY_DOMAINS` |
| Authorize | `SSO_EMAIL_DOMAIN` | `AUTHORIZE_EMAIL_DOMAINS` |
| Authorize | `SSO_EMAIL_ADDRESSES` | `AUTHORIZE_EMAIL_ADDRESSES` |
| Metrics | `STATSD_PORT` | `METRICS_STATSD_PORT` |
| Metrics | `STATSD_HOST` | `METRICS_STATSD_HOST` |
| Logging | `REQUEST_LOGGING` | `LOGGING_ENABLE` |
| Logging | (new) | `LOGGING_LEVEL` |
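A rename table this long is easiest to apply mechanically, and doing so also surfaces the two things an operator can miss: variables the table does not know about (typos, stale settings, or ones that need a manual decision) and the newly introduced variables that have no old value to carry over. The following is an added example, not part of the release or the project: a small Go tool that applies the table above to `KEY=VALUE` lines from a pre-2.0 `sso_auth` environment, fills the `*` placeholder with an operator-chosen identifier, and reports both lists. The sample environment and its values are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// renames is the old -> new table from the release note. "*" stands for the
// provider identifier the operator picks; it is filled in by MigrateEnv.
// REQUEST_LOGGING is the old logging switch (the note misspells it).
var renames = map[string]string{
	"COOKIE_SECRET":               "SESSION_COOKIE_SECRET",
	"COOKIE_EXPIRE":               "SESSION_COOKIE_EXPIRE",
	"COOKIE_DOMAIN":               "SESSION_COOKIE_DOMAIN",
	"COOKIE_REFRESH":              "SESSION_COOKIE_REFRESH",
	"COOKIE_SECURE":               "SESSION_COOKIE_SECURE",
	"COOKIE_HTTP_ONLY":            "SESSION_COOKIE_HTTPONLY",
	"SESSION_LIFETIME_TTL":        "SESSION_LIFETIME",
	"AUTH_CODE_SECRET":            "SESSION_KEY",
	"PROXY_CLIENT_ID":             "CLIENT_PROXY_ID",
	"PROXY_CLIENT_SECRET":         "CLIENT_PROXY_SECRET",
	"CLIENT_ID":                   "PROVIDER_*_CLIENT_ID",
	"CLIENT_SECRET":               "PROVIDER_*_CLIENT_SECRET",
	"SCOPE":                       "PROVIDER_*_SCOPE",
	"GOOGLE_SERVICE_ACCOUNT_JSON": "PROVIDER_*_GOOGLE_CREDENTIALS",
	"GOOGLE_ADMIN_EMAIL":          "PROVIDER_*_GOOGLE_IMPERSONATE",
	"OKTA_ORG_URL":                "PROVIDER_*_OKTA_URL",
	"PROVIDER_SERVER_ID":          "PROVIDER_*_OKTA_SERVER",
	"GROUPS_CACHE_REFRESH_TTL":    "PROVIDER_*_GROUPCACHE_INTERVAL_REFRESH",
	"GROUPS_CACHE_PROVIDER_TTL":   "PROVIDER_*_GROUPCACHE_INTERVAL_PROVIDER",
	"HOST":                        "SERVER_HOST",
	"PORT":                        "SERVER_PORT",
	"REQUEST_TIMEOUT":             "SERVER_TIMEOUT_REQUEST",
	"TCP_WRITE_TIMEOUT":           "SERVER_TIMEOUT_WRITE",
	"TCP_READ_TIMEOUT":            "SERVER_TIMEOUT_READ",
	"PROXY_ROOT_DOMAIN":           "AUTHORIZE_PROXY_DOMAINS",
	"SSO_EMAIL_DOMAIN":            "AUTHORIZE_EMAIL_DOMAINS",
	"SSO_EMAIL_ADDRESSES":         "AUTHORIZE_EMAIL_ADDRESSES",
	"STATSD_PORT":                 "METRICS_STATSD_PORT",
	"STATSD_HOST":                 "METRICS_STATSD_HOST",
	"REQUEST_LOGGING":             "LOGGING_ENABLE",
}

// introduced lists the variables marked (NEW) in the table: they have no old
// counterpart, so the tool cannot derive their values and reports them.
var introduced = []string{
	"SESSION_COOKIE_NAME", "PROVIDER_*_TYPE", "PROVIDER_*_SLUG", "SERVER_SCHEME", "LOGGING_LEVEL",
}

// MigrateEnv rewrites KEY=VALUE lines into the new names. Blank lines,
// comments and lines without "=" pass through unchanged, as do unknown keys,
// which are also returned for review. todo is the filled-in list of new
// variables the operator still has to set by hand.
func MigrateEnv(lines []string, providerID string) (out, unknown, todo []string) {
	fill := func(name string) string { return strings.ReplaceAll(name, "*", providerID) }
	for _, line := range lines {
		trimmed := strings.TrimSpace(line)
		parts := strings.SplitN(trimmed, "=", 2)
		if trimmed == "" || strings.HasPrefix(trimmed, "#") || len(parts) != 2 {
			out = append(out, line)
			continue
		}
		key, value := strings.TrimSpace(parts[0]), parts[1]
		newKey, ok := renames[key]
		if !ok {
			unknown = append(unknown, key)
			out = append(out, line)
			continue
		}
		out = append(out, fill(newKey)+"="+value)
	}
	for _, name := range introduced {
		todo = append(todo, fill(name))
	}
	sort.Strings(unknown)
	return out, unknown, todo
}

// sampleOldEnv is a constructed pre-2.0 sso_auth environment; no value in it
// is a real credential.
var sampleOldEnv = []string{
	"# sso_auth, pre-2.0 layout",
	"HOST=sso-auth.example.com",
	"PORT=4180",
	"COOKIE_SECRET=constructed-cookie-secret==",
	"AUTH_CODE_SECRET=constructed-code-secret",
	"CLIENT_ID=google-client-id",
	"CLIENT_SECRET=google-client-secret",
	"GOOGLE_ADMIN_EMAIL=admin@example.com",
	"PROXY_ROOT_DOMAIN=example.com",
	"SSO_EMAIL_DOMAIN=example.com",
	"REQUEST_LOGGING=true",
	"SOME_CUSTOM_VAR=keep-me",
}

func main() {
	out, unknown, todo := MigrateEnv(sampleOldEnv, "GOOGLE")
	fmt.Println(strings.Join(out, "\n"))
	fmt.Println("# not in the rename table, review by hand:", unknown)
	fmt.Println("# new in this release, must be set by hand:", todo)
}
```

Run the rewritten environment against the new binary in a staging deployment before switching traffic; a renamed variable that still carries an old-format value (for example a domain list where a single domain used to go) is outside what a name-mapping tool can detect.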
Published by Jusshersmith over 5 years ago
- Use `CookieStore` instead. (https://github.com/buzzfeed/sso/pull/137)
- `SecretBytes` function (https://github.com/buzzfeed/sso/pull/145)
- Include `curl` in the base image, allowing SSO to work with Istio liveness commands (https://github.com/buzzfeed/sso/pull/147)
- Add `oauth2_proxy` to the readme (https://github.com/buzzfeed/sso/pull/156)
- Set the `WriteTimeout` of `http.Server` to prevent `200 OK` being incorrectly sent on long, timed-out requests (https://github.com/buzzfeed/sso/pull/163)

Published by katzdm almost 6 years ago
Please take the SSO Community Survey to let us know how we're doing, and to help us plan our roadmap!
- `sso_auth` responds to pings (#65)
- `PROXY_ROOT_DOMAIN` is now a required option for `sso_auth` (#92)
- Add `PROVIDER_URL_INTERNAL` for split DNS deployments (#88, #123)
- Add the `X-Forwarded-AccessToken` header, sent when the proxy option `PASS_ACCESS_TOKEN` is set (#109)
- Add the `Sso-Signature` header (#106)
- Add a `preserve_host` option to upstream configs (#55)

Published by shrayolacrayon about 6 years ago
Initial open source release