A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. Inspired by the BeyondCorp / Zero Trust white paper. Written in Go.
autogen: pin v0.39.3-pre.0 release commit
Artifacts can be verified with cosign using this public key.
Introduces better prometheus metrics.
This release ships several improvements to cache logic and request detection. Additionally, the bearer_token and cookie_session handlers pass only the needed header (Authorization, Cookie) to the check URL. To pass additional headers, use the forward_http_headers configuration key.
From now on, the bearer_token and cookie_session handlers pass only the needed header (Authorization, Cookie) to the check URL. To pass additional headers, use the forward_http_headers configuration key.
Closes https://github.com/ory/oathkeeper/pull/954 Closes https://github.com/ory/cloud/issues/76
Co-authored-by: hackerman [email protected]
Cache behavior with TTL (#968) (c4836f5):
This test will fail since every time Authenticate() succeeds the token is cached, even if it was already cached. This behavior makes it possible to keep a token in cache if it is authenticated in a period less than the TTL.
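The cache behavior described in the commit message above, as an added example that is not Oathkeeper's code: a minimal TTL cache with an injected clock, comparing re-caching on every successful Authenticate with an expiry fixed at first caching. The names tokenCache, refresh and AcceptedAfterRevocation are hypothetical, and the upstream revocation is an assumption used to make the effect visible.

```go
package main

import (
	"fmt"
	"time"
)

// tokenCache is a constructed, minimal TTL cache (not Oathkeeper's implementation).
type tokenCache struct {
	ttl     time.Duration
	now     func() time.Time     // injectable clock so the example runs instantly
	expiry  map[string]time.Time // token -> time the cached decision stops being valid
	refresh bool                 // true: every successful Authenticate re-caches the token
}

// Authenticate serves live cache entries, else asks upstream (stand-in for the remote check).
func (c *tokenCache) Authenticate(token string, upstream func(string) bool) bool {
	if exp, hit := c.expiry[token]; hit && c.now().Before(exp) {
		if c.refresh {
			c.expiry[token] = c.now().Add(c.ttl) // sliding expiry: never ages out under steady traffic
		}
		return true
	}
	delete(c.expiry, token)
	if !upstream(token) {
		return false
	}
	c.expiry[token] = c.now().Add(c.ttl)
	return true
}

// AcceptedAfterRevocation caches a token, revokes it upstream, then counts later acceptances.
func AcceptedAfterRevocation(refresh bool, ttl, interval time.Duration, steps int) int {
	clock, revoked, accepted := time.Unix(0, 0), false, 0
	upstream := func(string) bool { return !revoked }
	c := &tokenCache{ttl: ttl, now: func() time.Time { return clock }, expiry: map[string]time.Time{}, refresh: refresh}
	c.Authenticate("tok", upstream) // cached at t=0 while still valid
	revoked = true
	for i := 0; i < steps; i++ {
		clock = clock.Add(interval) // one request every interval, shorter than the TTL
		if c.Authenticate("tok", upstream) {
			accepted++
		}
	}
	return accepted
}

func main() {
	ttl, gap := 10*time.Second, 6*time.Second
	fmt.Println(AcceptedAfterRevocation(true, ttl, gap, 10), AcceptedAfterRevocation(false, ttl, gap, 10))
}
```

With a fixed expiry, the number of stale acceptances is bounded by the TTL; with re-caching on every hit it is bounded only by how long the client keeps sending requests.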
Less flaky rule tests (#973) (6ee6a73):
Instead of (flaky) fixed sleeps, we now use assert.Eventually to wait until the rule changes were propagated.
This release provides some minor fixes around headers, see the changelog for more info.
With this release we improve tracing capabilities for Ory Oathkeeper.
Ory Oathkeeper has a new place for documentation at github.com/ory/docs and www.ory.sh/docs/oathkeeper! Additionally, the CI/CD infrastructure was moved to GitHub Actions.
This release introduces caching capabilities for the OAuth2 Client Credentials authenticator as well as compatibility with Traefik!
Add post-release step (e7fd550)
Introduce token caching for client credentials authentication (#922) (9a56154), closes #870:
Right now every request via Oathkeeper that uses client credentials authentication requests a new access token. This can introduce a lot of latency in the critical path of an application in case of a slow token endpoint.
This change introduces a cache similar to the one that is used in the introspection authentication.
Migrate to openapi 3.0 generation (190d1a7)
Traefik decision api support (#904) (bfde9df), closes #521 #441 #487 #263:
This release adds support for rewriting the HTTP method in certain authenticators.
Allow overriding HTTP method for upstream calls (69c64e7):
This patch adds new configuration force_method to the bearer token and cookie session authenticators. It allows overriding the HTTP method for upstream calls.
This release adds CVE scanners for Docker Images and updates several dependencies to resolve CVE issues.
Additionally, support for various tracers has been added, patches to caching and JWT audiences have been made, and more configuration options have been added for various rules.
Add ory cli (df8a19b)
Allow forwarding query parameters to the session store (#817) (9375f92), closes #786 #786
Remote_json default configuration (#880) (18788d1), closes #797
Use NYT capitalisation for all Swagger headlines (#859) (8c2da46), closes #503:
Capitalised all the Swagger headlines for files found in /api.
Warn that gzip is unsupported (#835) (78e612e):
Note to users that gzip responses are as of now unsupported for Cookie and Bearer authenticators.
The result is that the subject and extra will not be filled in, and will fail silently.
Add retry and timeout support in authorizers (#883) (ec926b0):
Adds the ability to define HTTP timeouts for authorizers.
Add support for X-Forwarded-Proto header (#665) (a8c9354), closes #153
Allow both string and []string in aud field (#822) (1897f31), closes #491 #601 #792 #810
Store oauth2 introspection result as bytes in cache (#811) (5645605)