A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. Inspired by the BeyondCorp / Zero Trust white paper. Written in Go.
This release includes new features and many improvements to the tracing instrumentation.
Pin v0.40.7 release commit (8fc9b7a):
Bumps from v0.40.7-pre.0
Artifacts can be verified with cosign using this public key.
autogen: pin v0.40.7-pre.0 release commit
Add headers option for remote_json authorizer (#1140) (1ee445d)
Preserve_host feature for oauth2_introspect, better tracing, introspection prefixes (#1131) (b5d4d88):
This patch additionally allows selecting between the two authenticators based on a prefix to the token.
Resolves an issue in how X-Forwarded headers were set.
Ory Oathkeeper v0.44.4 uses the new Rewrite feature of Golang's reverse proxy. This strips any X-Forwarded headers from upstream requests. That is not always desirable, which is why a new config flag, serve.proxy.trust_forwarded_headers, was introduced to optionally enable the forwarding of X-Forwarded headers.
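The stripping behaviour described above, shown with Go's httputil.ReverseProxy.Rewrite as an added example (not Oathkeeper's own code). The trustForwarded parameter is a hypothetical stand-in for serve.proxy.trust_forwarded_headers, and the request, hostnames and addresses are constructed.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// captureTransport stands in for the upstream and records the headers it would receive.
type captureTransport struct{ seen http.Header }

func (c *captureTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	c.seen = r.Header.Clone()
	return &http.Response{StatusCode: 200, Header: http.Header{}, Body: io.NopCloser(strings.NewReader("ok")), Request: r}, nil
}

// newProxy builds a Rewrite-based proxy. trustForwarded is a hypothetical parameter
// modelling serve.proxy.trust_forwarded_headers; it is not Oathkeeper's implementation.
func newProxy(upstream *url.URL, trustForwarded bool, rt http.RoundTripper) *httputil.ReverseProxy {
	rewrite := func(pr *httputil.ProxyRequest) {
		pr.SetURL(upstream)
		if !trustForwarded {
			return // ReverseProxy already removed client-supplied X-Forwarded-* from pr.Out
		}
		for _, h := range []string{"X-Forwarded-For", "X-Forwarded-Host", "X-Forwarded-Proto"} {
			if v, ok := pr.In.Header[h]; ok {
				pr.Out.Header[h] = v // pass the inbound value through unchanged
			}
		}
	}
	return &httputil.ReverseProxy{Transport: rt, Rewrite: rewrite}
}

// upstreamHeaders sends one constructed request through the proxy and returns what upstream saw.
func upstreamHeaders(trustForwarded bool) http.Header {
	up, _ := url.Parse("http://upstream.internal")
	ct := &captureTransport{}
	req := httptest.NewRequest("GET", "http://proxy.example/api", nil)
	req.Header.Set("X-Forwarded-For", "203.0.113.7") // constructed client-supplied value
	newProxy(up, trustForwarded, ct).ServeHTTP(httptest.NewRecorder(), req)
	return ct.seen
}

func main() {
	fmt.Println("default:", upstreamHeaders(false), "trusted:", upstreamHeaders(true))
}
```

With forwarding enabled, the upstream sees whatever the client sent, so the setting only makes sense behind a hop that sets these headers itself.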
Flag to disable hop-by-hop defenses (#1120) (fffe8ef)
Added distroless image, fixed some bugs, and added support for JWKs key rotation in the ID token mutator.
Support token rotation in ID token mutator (#1119) (5dd4571):
Previously, only one JWK could be returned by the JWKS URL. This made token rotation impossible. This patch allows for multiple keys to be returned by the JWKS URL and the first key found will be used for signing.
This release fixes a low-severity security vulnerability.
httputil.ReverseProxy.Rewrite (#1098) (c5cc7f7)
Resolves tracing and health monitoring issues.
Add handlers in correct order to handle CORS requests properly (#1055) (0b5f6e6), closes ory/oathkeeper#1054
Render complete config schema in CI and update tracing config (#1063) (e5e9d17)
Rule readiness check should require at least one rule to be loaded (#1061) (daa2994):
With this change, Oathkeeper now reports as "not ready" on the health check if not at least one valid rule is loaded.
This release resolves tracing issues and fixes a bug.
t.Parallel() from tests that use the same cache and key
This release introduces the new Koanf-based configuration system, resolves several issues, and introduces an experimental gRPC middleware.
Add Oathkeeper gRPC middleware (210aa5e):
This adds a gRPC middleware that encapsulates the Oathkeeper logic.
Matching on gRPC traffic now happens in its own rule.
To match against gRPC traffic, you can use Authority and FullMethod instead of URL and Methods.
Introduces a new config option to reduce cardinality in the metrics.