# Changelog

# v0.9.3

# Fixed

  • authorize/evaluator/opa: set client tls cert usage explicitly @travisgroth GH-1026

# v0.9.2

# Fixed

  • internal/envoy: fix handleLogs causes envoy hang forever @cuonglm GH-927

# v0.9.1

# Changes

  • Remove unnecessary viper.New() @yegle GH-849
  • authorize: reduce duplicate evaluations in opa policy @travisgroth GH-882
  • envoy: bump envoy to 1.14.2 @desimone GH-894
  • policy: Add consistent route identifier @travisgroth GH-905

# Fixed

  • xds: use ipv4 address when ipv6 is disabled @calebdoxsey GH-823
  • proxy: only set validation context if trusted_ca is used @calebdoxsey GH-863
  • config: ensure viper ignores certificates config field @travisgroth GH-876
  • controlplane: use previous preferred cipher suite @desimone GH-889
  • controlplane: fix missing full cert chain @desimone GH-888
  • internal/controlplane: make sure options.Headers are set for response @cuonglm GH-907

# Security

  • envoy: fixes CVE-2020-11080 by rejecting HTTP/2 SETTINGS frames with too many parameters

# v0.9.0

# New

  • proxy: envoy is now used to handle proxying
  • authenticate: add jwks and .well-known endpoint @desimone [GH-745]
  • authorize: add client mTLS support @calebdoxsey [GH-751]

# Fixed

  • cache: fix closing too early @calebdoxsey [GH-791]
  • authenticate: fix insecure gRPC connection string default port @calebdoxsey [GH-795]
  • authenticate: fix user-info call for AWS cognito @calebdoxsey [GH-792]
  • authenticate: clear session if ctx fails @desimone [GH-806]
  • telemetry: fix autocache labels @travisgroth [GH-805]
  • telemetry: fix missing/incorrect grpc labels @travisgroth [GH-804]
  • authorize: fix authorization panic caused by logging a nil reference @desimone [[GH-704]]

# Changes

  • authenticate: remove authorize url validate check @calebdoxsey [GH-790]
  • authorize: reduce log noise for empty jwt @calebdoxsey [GH-793]
  • authorize: refactor and add additional unit tests @calebdoxsey [GH-757]
  • envoy: add GRPC stats handler to control plane service @travisgroth [GH-744]
  • envoy: enable zipkin tracing @travisgroth [GH-737]
  • envoy: improvements to logging @calebdoxsey [GH-742]
  • envoy: remove 'accept-encoding' header from proxied metric requests @travisgroth [GH-750]
  • envoy: support ports in hosts for routing @calebdoxsey [GH-748]
  • forward-auth: support x-forwarded-uri @calebdoxsey [GH-780]
  • proxy/forward-auth: block expired request prior to 302 @desimone [GH-773]
  • sessions/state: add nickname claim @BenoitKnecht [GH-755]
  • state: infer user (user) from subject (sub) @desimone [GH-772]
  • telemetry: refactor GRPC Server Handler @travisgroth [GH-756]
  • telemetry: service label updates @travisgroth [GH-802]
  • xds: add catch-all for pomerium routes @calebdoxsey [GH-789]
  • xds: disable cluster validation to handle out-of-order updates @calebdoxsey [GH-783]

# Documentation

  • docs: add mTLS recipe @calebdoxsey [GH-807]
  • docs: add argo recipe @calebdoxsey [GH-803]
  • docs: update dockerfiles for v0.9.0 @calebdoxsey [GH-801]
  • docs: typo on configuration doc @kintoandar [GH-800]
  • docs: docs regarding claim headers @strideynet [GH-782]
  • docs: update traefik example and add note about forwarded headers @calebdoxsey [GH-784]
  • docs: add note about unsupported platforms @calebdoxsey [GH-799]
  • docs: expose config parameters in sidebar @travisgroth [GH-797]
  • docs: update examples @travisgroth [GH-796]

# v0.8.3

# Changes

  • state: infer user (user) from subject (sub) @desimone GH-772
  • proxy/forward-auth: block expired request prior to 302 @desimone GH-773

# v0.8.2

# Security

This release includes a fix for a bug that, under certain circumstances, could allow a user with a valid but expired session to resend a request to an upstream application. The repeated request would not return a response, but could reach the upstream application. Thank you to @selaux for reporting this issue! [GH-762]

# v0.8.1

# Fixed

  • authorize: fix authorization panic caused by logging a nil reference @desimone [GH-704]

# v0.8.0

To see a complete list of changes see the diff.

# New

  • cryptutil: add automatic certificate management @desimone GH-644
  • implement path-based route matching @calebdoxsey GH-615
  • internal/identity: implement github provider support @Lumexralph GH-582
  • proxy: add configurable JWT claim headers @travisgroth (#596)
  • proxy: remove extra session unmarshalling @desimone (#592)

# Changes

  • ci: Switch integration tests from minikube to kind @travisgroth GH-656
  • integration-tests: add CORS test @calebdoxsey GH-662
  • integration-tests: add websocket enabled/disabled test @calebdoxsey GH-661
  • integration-tests: set_request_headers and preserve_host_header options @calebdoxsey GH-668
  • pre-commit: add pre-commit configuration @calebdoxsey GH-666
  • proxy: improve JWT header behavior @travisgroth GH-642

# Fixed

  • authorize: fix authorization check for allowed_domains to only match current route @calebdoxsey GH-624
  • authorize: fix unexpected panic on reload @travisgroth GH-652
  • site: fix site on mobile @desimone GH-597

# Documentation

  • deploy: autocert documentation and defaults @travisgroth GH-658

# v0.7.5

# Fixed

  • authorize: fix authorization check for allowed_domains to only match current route @calebdoxsey GH-624

# v0.7.4

# Fixed

  • pomerium-cli: fix service account cli @desimone GH-613

# v0.7.3

# Fixed

  • Upgrade gRPC to 1.27.1 @travisgroth GH-609

# v0.7.2

# Changes

  • proxy: remove extra session unmarshalling @desimone GH-592
  • proxy: add configurable JWT claim headers @travisgroth GH-596
  • grpcutil: remove unused pkg @desimone GH-593

# Fixed

  • site: fix site on mobile @desimone GH-597

# Documentation

  • site: fix site on mobile @desimone GH-597

# Dependency

  • chore(deps): update vuepress monorepo to v1.4.0 @renovate GH-559

# v0.7.1

There were no changes in the v0.7.1 release, but we updated the build process slightly.

# v0.7.0

# New

  • *: remove import path comments @desimone GH-545
  • authenticate: make callback path configurable @desimone GH-493
  • authenticate: return 401 for some specific error codes @cuonglm GH-561
  • authorization: log audience claim failure @desimone GH-553
  • authorize: use jwt instead of state struct @desimone GH-514
  • authorize: use opa for policy engine @desimone GH-474
  • cmd: add cli to generate service accounts @desimone GH-552
  • config: Expose and set default GRPC Server Keepalive Parameters @travisgroth GH-509
  • config: Make IDP_PROVIDER env var mandatory @mihaitodor GH-536
  • config: Remove superfluous Options.Checksum type conversions @travisgroth GH-522
  • gitlab/identity: change group unique identifier to ID @Lumexralph GH-571
  • identity: support oidc UserInfo Response @desimone GH-529
  • internal/cryptutil: standardize leeway to 5 mins @desimone GH-476
  • metrics: Add storage metrics @travisgroth GH-554

# Fixed

  • cache: add option validations @desimone GH-468
  • config: Add proper yaml tag to Options.Policies @travisgroth GH-475
  • ensure correct service name on GRPC related metrics @travisgroth GH-510
  • fix group impersonation @desimone GH-569
  • fix sign-out bug , fixes #530 @desimone GH-544
  • proxy: move set request headers before handle allow public access @ohdarling GH-479
  • use service port for session audiences @travisgroth GH-562

# Documentation

  • fix the typo @ilgooz GH-566
  • fix kubernetes dashboard recipe docs @desimone GH-504
  • make from source quickstart @desimone GH-519
  • update background @desimone GH-505
  • update helm for v3 @desimone GH-469
  • various fixes @desimone GH-478
  • fix cookie_domain @nitper GH-472

# Dependency

  • chore(deps): update github.com/pomerium/autocache commit hash to 6c66ed5 @renovate GH-480
  • chore(deps): update github.com/pomerium/autocache commit hash to 227c993 @renovate GH-537
  • chore(deps): update golang.org/x/crypto commit hash to 0ec3e99 @renovate GH-574
  • chore(deps): update golang.org/x/crypto commit hash to 1b76d66 @renovate GH-538
  • chore(deps): update golang.org/x/crypto commit hash to 78000ba @renovate GH-481
  • chore(deps): update golang.org/x/crypto commit hash to 891825f @renovate GH-556
  • chore(deps): update module fatih/color to v1.9.0 @renovate GH-575
  • chore(deps): update module fsnotify/fsnotify to v1.4.9 @renovate GH-539
  • chore(deps): update module go.etcd.io/bbolt to v1.3.4 @renovate GH-557
  • chore(deps): update module go.opencensus.io to v0.22.3 @renovate GH-483
  • chore(deps): update module golang/mock to v1.4.0 @renovate GH-470
  • chore(deps): update module golang/mock to v1.4.3 @renovate GH-540
  • chore(deps): update module golang/protobuf to v1.3.4 @renovate GH-485
  • chore(deps): update module golang/protobuf to v1.3.5 @renovate GH-541
  • chore(deps): update module google.golang.org/api to v0.20.0 @renovate GH-495
  • chore(deps): update module google.golang.org/grpc to v1.27.1 @renovate GH-496
  • chore(deps): update module gorilla/mux to v1.7.4 @renovate GH-506
  • chore(deps): update module open-policy-agent/opa to v0.17.1 @renovate GH-497
  • chore(deps): update module open-policy-agent/opa to v0.17.3 @renovate GH-513
  • chore(deps): update module open-policy-agent/opa to v0.18.0 @renovate GH-558
  • chore(deps): update module prometheus/client_golang to v1.4.1 @renovate GH-498
  • chore(deps): update module prometheus/client_golang to v1.5.0 @renovate GH-531
  • chore(deps): update module prometheus/client_golang to v1.5.1 @renovate GH-543
  • chore(deps): update module rakyll/statik to v0.1.7 @renovate GH-517
  • chore(deps): update module rs/zerolog to v1.18.0 @renovate GH-507
  • chore(deps): update module yaml to v2.2.8 @renovate GH-471
  • ci: Consolidate matrix build parameters @travisgroth GH-521
  • dependency: use go mod redis @desimone GH-528
  • deployment: throw away golanglint-ci defaults @desimone GH-439
  • deployment: throw away golanglint-ci defaults @desimone GH-439
  • deps: enable automerge and set labels on renovate PRs @travisgroth GH-527
  • Roll back grpc to v1.25.1 @travisgroth GH-484

# v0.6.0

# New

  • authenticate: support backend refresh @desimone GH-438
  • cache: add cache service @desimone GH-457

# Changed

  • authorize: consolidate gRPC packages @desimone GH-443
  • config: added yaml tags to all options struct fields @travisgroth GH-394,gh-397
  • config: improved config validation for shared_secret @travisgroth GH-427
  • config: Remove CookieRefresh GH-428 @u5surf GH-436
  • config: validate that shared_key does not contain whitespace @travisgroth GH-427
  • httputil : wrap handlers for additional context @desimone GH-413
  • forward-auth: validate using forwarded uri header @branchmispredictor GH-600

# Fixed

  • proxy: fix unauthorized redirect loop for forward auth @desimone GH-448
  • proxy: fixed regression preventing policy reload GH-396

# Documentation

  • add cookie settings @danderson GH-429
  • fix typo in forward auth nginx example @travisgroth GH-445
  • improved sentence flow and other stuff @Rio GH-422
  • rename fwdauth to be forwardauth @desimone GH-447

# Dependency

  • chore(deps): update golang.org/x/crypto commit hash to 61a8779 @renovate GH-452
  • chore(deps): update golang.org/x/crypto commit hash to 530e935 @renovate GH-458
  • chore(deps): update golang.org/x/crypto commit hash to 53104e6 @renovate GH-431
  • chore(deps): update golang.org/x/crypto commit hash to e9b2fee @renovate GH-414
  • chore(deps): update golang.org/x/oauth2 commit hash to 858c2ad @renovate GH-415
  • chore(deps): update golang.org/x/oauth2 commit hash to bf48bf1 @renovate GH-453
  • chore(deps): update module google.golang.org/grpc to v1.26.0 @renovate GH-433
  • chore(deps): update module google/go-cmp to v0.4.0 @renovate GH-454
  • chore(deps): update module spf13/viper to v1.6.1 @renovate GH-423
  • chore(deps): update module spf13/viper to v1.6.2 @renovate GH-459
  • chore(deps): update module square/go-jose to v2.4.1 @renovate GH-435

# v0.5.0

# New

  • Session state is now route-scoped. Each managed route uses a transparent, signed JSON Web Token (JWT) to assert identity.
  • Managed routes no longer need to be under the same subdomain! Access can be delegated to any route, on any domain.
  • Programmatic access now also uses JWT tokens. Access tokens are now generated via a standard oauth2 token flow, and credentials can be refreshed for as long as is permitted by the underlying identity provider.
  • User dashboard now pulls in additional user context fields (where supported) like the profile picture, first and last name, and so on.

# Security

  • Some identity providers (Okta, Onelogin, and Azure) previously used mutable signifiers to set and assert group membership. Group membership for all providers now use globally unique and immutable identifiers when available.

# Changed

  • Azure AD identity provider now uses globally unique and immutable ID for group membership.
  • Okta no longer uses tokens to retrieve group membership. Group membership is now fetched using Okta's HTTP API. Group membership is now determined by the globally unique and immutable ID field.
  • Okta now requires an additional set of credentials to be used to query for group membership set as a service account.
  • URLs are no longer validated to be on the same domain-tree as the authenticate service. Managed routes can live on any domain.
  • OneLogin no longer uses tokens to retrieve group membership. Group membership is now fetched using OneLogin's HTTP API. Group membership is now determined by the globally unique and immutable ID field.

# Removed

  • Force refresh has been removed from the dashboard.
  • Previous programmatic authentication endpoints (/api/v1/token) has been removed and is no longer supported.

# Fixed

  • Fixed an issue where cookie sessions would not clear on error.GH-376

# v0.4.2

# Security

  • Fixes vulnerabilities fixed in 1.13.2 including CVE-2019-17596.

# v0.4.1

# Fixed

  • Fixed an issue where requests handled by forward-auth would not be redirected back to the underlying route after successful authentication and authorization. GH-363
  • Fixed an issue where requests handled by forward-auth would add an extraneous query-param following sign-in causing issues in some configurations. GH-366

# v0.4.0

# New

  • Allow setting request headers on a per route basis in policy. GH-308
  • Support "forward-auth" integration with third-party ingresses and proxies. nginx, nginx-ingress, and Traefik are currently supported. GH-324
  • Add insecure transport / TLS termination support. GH-328
  • Add setting to override a route's TLS Server Name. GH-297
  • Pomerium's session can now be passed as a bearer-auth header or query string in addition to as a session cookie.
  • Add host to the main request logger middleware. GH-308
  • Add AWS cognito identity provider settings. GH-314

# Security

  • The user's original intended location before completing the authentication process is now encrypted and kept confidential from the identity provider. GH-316
  • Under certain circumstances, where debug logging was enabled, pomerium's shared secret could be leaked to http access logs as a query param. GH-338

# Fixed

  • Fixed an issue where CSRF would fail if multiple tabs were open. GH-306
  • Fixed an issue where pomerium would clean double slashes from paths. GH-262
  • Fixed a bug where the impersonate form would persist an empty string for groups value if none set. GH-303
  • Fixed HTTP redirect server which was not redirecting the correct hostname.

# Changed

  • The healthcheck endpoints (/ping) now returns the http status 405 StatusMethodNotAllowed for non-GET requests.
  • Authenticate service no longer uses gRPC.
  • The global request logger now captures the full array of proxies from X-Forwarded-For, in addition to just the client IP.
  • Options code refactored to eliminate global Viper state. GH-332
  • Pomerium will no longer default to looking for certificates in the root directory. GH-328
  • Pomerium will validate that either insecure_server, or a valid certificate bundle is set. GH-328

# Removed

  • Removed AUTHENTICATE_INTERNAL_URL/authenticate_internal_url which is no longer used.

# v0.3.1

# Security

  • Fixes vulnerabilities fixed in Go 1.13.1 including CVE-2019-16276.

# v0.3.0

# New

  • GRPC Improvements. GH-261 / GH-69

    • Enable WaitForReady to allow background retries through transient failures
    • Expose a configurable timeout for backend requests to Authorize and Authenticate
    • Enable DNS round_robin load balancing to Authorize and Authenticate services by default
  • Add ability to set client certificates for downstream connections. GH-259

# Fixed

  • Fixed non-amd64 based docker images.GH-284
  • Fixed an issue where stripped cookie headers would result in a cookie full of semi-colons (Cookie: ;;;). GH-285
  • HTTP status codes now better adhere to RFC7235. In particular, authentication failures reply with 401 Unauthorized while authorization failures reply with 403 Forbidden. GH-272

# Changed

  • Pomerium will now strip _csrf cookies in addition to session cookies. GH-285

  • Disabled gRPC service config. GH-280

  • A policy's custom certificate authority can set as a file or a base64 encoded blob(tls_custom_ca/tls_custom_ca_file). GH-259

  • Remove references to service named ports and instead use their numeric equivalent. GH-266

# v0.2.1

# Security

  • Fixes vulnerabilities fixed in Go 1.12.8 including CVE-2019-9512, CVE-2019-9514 and CVE-2019-14809.

# v0.2.0

# New

# Telemetry GH-35

  • Tracing GH-230 aka distributed tracing, provides insight into the full lifecycles, aka traces, of requests to the system, allowing you to pinpoint failures and performance issues.

  • Metrics provide quantitative information about processes running inside the system, including counters, gauges, and histograms.

    • Add informational metrics. GH-227

    • GRPC Metrics Implementation. GH-218

      • Additional GRPC server metrics and request sizes
      • Improved GRPC metrics implementation internals
      • The GRPC method label is now 'grpc_method' and GRPC status is now grpc_client_status and grpc_server_status
    • HTTP Metrics Implementation. GH-220

      • Support HTTP request sizes on client and server side of proxy
      • Improved HTTP metrics implementation internals
      • The HTTP method label is now http_method, and HTTP status label is now http_status

# Changed

  • GRPC version upgraded to v1.22 GH-219
  • Add support for large cookie sessions by chunking. GH-211
  • Prefer curve X25519 to P256 for TLS connections. GH-233
  • Pomerium and its services will gracefully shutdown on interrupt signal. GH-230
  • Google now prompts the user to select a user account (by adding select_account to the sign in url). This allows a user who has multiple accounts at the authorization server to select amongst the multiple accounts that they may have current sessions for.

# FIXED

  • Fixed potential race condition when signing requests. GH-240
  • Fixed panic when reloading configuration in single service mode GH-247

# v0.1.0

# NEW

  • Add programmatic authentication support. GH-177
  • Add Prometheus format metrics endpoint. GH-35
  • Add policy setting to enable self-signed certificate support. GH-179
  • Add policy setting to skip tls certificate verification. GH-179

# CHANGED

  • Policy to and from settings must be set to valid HTTP URLs including schemes and hostnames (e.g. http.corp.domain.example should now be https://http.corp.domain.example).
  • Proxy's sign out handler {}/.pomerium/sign_out now accepts an optional redirect_uri parameter which can be used to specify a custom redirect page, so long as it is under the same top-level domain. GH-183
  • Policy configuration can now be empty at startup. GH-190
  • Websocket support is now set per-route instead of globally. GH-204
  • Golint removed from amd64 container. GH-215
  • Pomerium will error if a session cookie is over 4096 bytes, instead of failing silently. GH-212

# FIXED

  • Fixed HEADERS environment variable parsing. GH-188
  • Fixed Azure group lookups. GH-190
  • If a session is too large (over 4096 bytes) Pomerium will no longer fail silently. GH-211
  • Internal URLs like dashboard now start auth process to login a user if no session is found. GH-205.
  • When set,CookieDomain lets a user set the scope of the user session. CSRF cookies will still always be scoped at the individual route level. GH-181

# v0.0.5

# NEW

  • Add ability to detect changes and reload policy configuration files. GH-150
  • Add user dashboard containing information about the current user's session. GH-123
  • Add functionality allowing users to initiate manual refresh of their session. This is helpful when a user's access control details are updated but their session hasn't updated yet. To prevent abuse, manual refresh is gated by a cooldown (REFRESH_COOLDOWN) which defaults to five minutes. GH-73
  • Add Administrator (super user) account support (ADMINISTRATORS). GH-110
  • Add feature that allows Administrators to impersonate / sign-in as another user from the user dashboard. GH-110
  • Add docker images and builds for ARM. GH-95
  • Add support for public, unauthenticated routes. GH-129

# CHANGED

  • Add Request ID to error pages. GH-144
  • Refactor configuration handling to use spf13/viper bringing a variety of additional supported storage formats.GH-115
  • Changed config AUTHENTICATE_INTERNAL_URL to be a URL containing both a valid hostname and schema. GH-153
  • User state is now maintained and scoped at the domain level vs at the route level. GH-128
  • Error pages contain a link to sign out from the current user session. GH-100
  • Removed LifetimeDeadline from sessions.SessionState.
  • Removed favicon specific request handling. GH-131
  • Headers are now configurable via the HEADERS configuration variable. GH-108
  • Refactored proxy and authenticate services to share the same session state cookie. GH-131
  • Removed instances of extraneous session state saves. GH-131
  • Changed default behavior when no session is found. Users are now redirected to login instead of being shown an error page.GH-131
  • Updated routes such that all http handlers are now wrapped with a standard set of middleware. Headers, request id, loggers, and health checks middleware are now applied to all routes including 4xx and 5xx responses. GH-116
  • Changed docker images to be built from distroless. This fixed an issue with nsswitch GH-97, includes ca-certificates and limits the attack surface area of our images. GH-101
  • Changed HTTP to HTTPS redirect server to be user configurable via HTTP_REDIRECT_ADDR. GH-103
  • Content-Security-Policy hash updated to match new UI assets.

# FIXED

  • Fixed websocket support. GH-151
  • Fixed an issue where policy and routes were being pre-processed incorrectly. GH-132
  • Fixed an issue where golint was not being found in our docker image. GH-121

# v0.0.4

# CHANGED

  • HTTP Strict Transport Security is included by default and set to one year. GH-92
  • HTTP now redirects to HTTPS. GH-92
  • Removed extraneous AUTHORIZE_INTERNAL_URL config option since authorization has no public http handlers, only a gRPC service endpoint. GH-93
  • Removed PROXY_ROOT_DOMAIN config option which is now inferred from AUTHENTICATE_SERVICE_URL. Only callback requests originating from a URL on the same sub-domain are permitted. GH-83
  • Removed REDIRECT_URL config option which is now inferred from AUTHENTICATE_SERVICE_URL (e.g. https://$AUTHENTICATE_SERVICE_URL/oauth2/callback). GH-83

# FIXED

  • Fixed a bug in the Google provider implementation where the refresh_token. Updated the google implementation to use the new prompt=consent oauth2 parameters. Reported and fixed by @chemhack GH-81

# DOCUMENTATION

# v0.0.3

# FEATURES

  • Authorization : The authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: allowed_users, allowed_groups, and allowed_domains. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details.

  • Group Support : The authenticate service now retrieves a user's group membership information during authentication and refresh. This change may require additional identity provider configuration; all of which are described in the updated docs. A brief summary of the requirements for each IdP are as follows:

    • Google requires the Admin SDK to enabled, a service account with properly delegated access, and IDP_SERVICE_ACCOUNT to be set to the base64 encoded value of the service account's key file.
    • Okta requires a groups claim to be added to both the id_token and access_token. No additional API calls are made.
    • Microsoft Azure Active Directory requires the application be given an additional API permission, Directory.Read.All.
    • Onelogin requires the groups was supplied during authentication and that groups parameter has been mapped. Group membership is validated on refresh with the user-info api endpoint.
  • WebSocket Support : With Go 1.12 pomerium automatically proxies WebSocket requests.

# CHANGED

  • Added LOG_LEVEL config setting that allows for setting the desired minimum log level for an event to be logged. GH-74
  • Changed POMERIUM_DEBUG config setting to just do console-pretty printing. No longer sets log level. GH-74
  • Updated generate_wildcard_cert.sh to generate a elliptic curve 256 cert by default.
  • Updated env.example to include a POLICY setting example.
  • Added IDP_SERVICE_ACCOUNT to env.example .
  • Removed ALLOWED_DOMAINS settings which has been replaced by POLICY. Authorization is now handled by the authorization service and is defined in the policy configuration files.
  • Removed ROUTES settings which has been replaced by POLICY.
  • Add refresh endpoint ${url}/.pomerium/refresh which forces a token refresh and responds with the json result.
  • Group membership added to proxy headers (x-pomerium-authenticated-user-groups) and (x-pomerium-jwt-assertion).
  • Default Cookie lifetime (COOKIE_EXPIRE) changed from 7 days to 14 hours ~ roughly one business day.
  • Moved identity (authenticate/providers) into its own internal identity package as third party identity providers are going to authorization details (group membership, user role, etc) in addition to just authentication attributes.
  • Removed circuit breaker package. Calls that were previously wrapped with a circuit breaker fall under gRPC timeouts; which are gated by relatively short timeouts.
  • Session expiration times are truncated at the second.
  • Removed gitlab provider. We can't support groups until this gitlab bug is fixed.
  • Request context is now maintained throughout request-flow via the context package enabling timeouts, request tracing, and cancellation.

# FIXED

  • http.Server and httputil.NewSingleHostReverseProxy now uses pomerium's logging package instead of the standard library's built in one. GH-58