Improvements:

• added <memcachedSessionManager cookiePrefix="..."/> to support multiple Membrane instances using MemcacheD as session storage
• added <flowInitiator logoutBeforeFlow="true" /> attribute
• added <openapi> response header validation

Fixes:

• upgraded several dependencies
• fixed some examples using external services
• fixed <openapi><rewrite> logic
• fixed <openapi> response validation with status code 204

Fixes:

• fixed automatic release to Docker Hub: docker run predic8/membrane

Changelog

• Added useXForwardedForAsClientAddr Flag to <accessControl>
  • Allows the last entry in X-Forwarded-For header

Improvements:

• added option <openapi validateSecurity="yes"> to be able to selectively disable OpenAPI security validation (not advised ;-)
• added support for OpenID Connect RP-Initiated Logout 1.0, which will log the user out at the Authorization Server, if the server supports it

Fixes:

• upgraded dependencies

Unfortunately, the Docker Image build process is currently broken: predic8/membrane:5.4.1 is therefore not working at the moment. Please build your own Docker image in the mean time.

Changes since 5.3.5:

• fixed combination of B2C and refreshing access tokens
• upgraded dependencies

Features:

• added <apiDocs/> aggregating API documentation from OpenAPI definitions across service proxies
• <openapi/> now validates scopes from various sources (e.g. API keys, JWT tokens, OAuth2 (also using JWT tokens))

Fixes:

• OpenAPI Validation: use most specific body schema for validation
• fixed <requireAuth errorStatus="..."/> by adding Content-Length: 0 to the response
• OAuth2: avoid session creation where none is needed
• minor access log fixes
• upgraded dependencies
• test fixes

Unfortunately, the Docker Image build process is currently broken: predic8/membrane:5.4.0 is therefore not working at the moment. Please build your own Docker image in the mean time.

Fixes since 5.3.4:

• fixed combination of B2C and refreshing access tokens
• upgraded dependencies

Changes since 5.3.3:

• improved OpenTelemetry reporting (changes in <openTelemetry> configuration)
• improved several problem URIs

Fixes:

• upgraded dependencies
• OpenAPI: support nested types
• added prometheus example
• support <requireAuth required="false" .../> to skip authentication, if no token is present
• support <requireAuth errorStatus="401" .../> to return specific error code on authentication failure
• support <oAuth2Resource2 afterErrorUrl="/foo" .../> to send user to error page after error during login
• support <oAuth2Resource2 onlyRefreshToken="true" .../> to allow Authorization Server to return no access token (only a refresh token)
• support <requireAuth scope="foo" oauth2="oauth2"/> and <requireAuth scope="bar" oauth2="oauth2"/> to request multiple access tokens from Authorization Server

Changes:

• <oauth2Resource2/> and <jwtAuth/> now fully support using a HTTP proxy to access the OAuth2 authorization server
• <oauth2Resource2/> now prefers the form code POST, is offered by the OAuth2 authorization server
• <loginParameter/>s can be specified per-<requireAuth/>
• added workaround for Microsoft B2C not adhering to OIDC standard

Improvements:

• several test fixes
• upgraded several dependencies and Docker base image

Improvements:

• APIKey example tests

Bug fixes:

• Fixed #852

Changes:

• Memcached as Session and OriginalRequest Storage
• OAuth2Resource2Interceptor
  • Changes in Attribute/Child Element Configuration
  • Support additional Parameters
  • Support B2C UserFlows
  • Support Logout Endpoint

Fixes:

• SessionManagers handles multiple Cookies