Release v7.5.1 (#2227)
* Update changelog for v7.5.1 release

* Create versioned docs for release v7.5.x
Created using: yarn run docusaurus docs:version 7.5.x

---------

Co-authored-by: Joel Speed <[email protected]>
kvanzuijlen and JoelSpeed authored Sep 22, 2023
1 parent 13af1b4 commit ef95957
Showing 3 changed files with 51 additions and 2 deletions.
22 changes: 22 additions & 0 deletions CHANGELOG.md
@@ -6,11 +6,31 @@

## Breaking Changes

## Changes since v7.5.1

# V7.5.1

## Release Highlights
- 🐛 Several bugs have been squashed
- 🕵️‍♀️ Vulnerabilities have been addressed
- 📖Improved docs

## Important Notes

- This release includes fixes for a number of CVEs, we recommend to upgrade as soon as possible.
- The environment variable OAUTH2_PROXY_GOOGLE_GROUP has been deprecated in favor of OAUTH2_PROXY_GOOGLE_GROUPS. Next major release
will remove this option. This change makes sure that the configuration options follow the documentation.

## Breaking Changes

N/A

## Changes since v7.5.0
- [#2220](https://github.com/oauth2-proxy/oauth2-proxy/pull/2220) Added binary and docker release platforms (@kvanzuijlen)
- [#2221](https://github.com/oauth2-proxy/oauth2-proxy/pull/2221) Backwards compatible fix for wrong environment variable name (OAUTH2_PROXY_GOOGLE_GROUPS) (@kvanzuijlen)
- [#1989](https://github.com/oauth2-proxy/oauth2-proxy/pull/1989) Fix default scope for keycloak-oidc provider (@tuunit)
- [#2217](https://github.com/oauth2-proxy/oauth2-proxy/pull/2217) Upgrade alpine to version 3.18 (@polarctos)
- [#2208](https://github.com/oauth2-proxy/oauth2-proxy/pull/2208) Improved session documentation (@lathspell)
- [#2229](https://github.com/oauth2-proxy/oauth2-proxy/pull/2229) bugfix: default scopes for OIDCProvider based providers (@tuunit)
- [#2194](https://github.com/oauth2-proxy/oauth2-proxy/pull/2194) Fix Gitea token validation (@tuunit)

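Review bot: the "Important Notes" entry says the release "includes fixes for a number of CVEs" but names none, and the highlight "🕵️‍♀️ Vulnerabilities have been addressed" is equally unspecific; operators who have to justify an upgrade under change control need the CVE identifiers or a link to the corresponding advisories, so add them to the note (the Alpine 3.18 bump in #2217 is the only entry that hints at what was patched). Two wording fixes in the same hunk: "we recommend to upgrade as soon as possible" reads better as "we recommend upgrading as soon as possible", and "📖Improved docs" is missing the space after the emoji.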
@@ -26,6 +46,8 @@
## Important Notes

- This release includes fixes for a number of CVEs, we recommend to upgrade as soon as possible.
- This release was pushed with the wrong Docker platform type for arm64/armv8. Use v7.5.1 instead.
- This release introduced a bug with the Keycloak OIDC provider causing no scopes to be send along with the request. Use v7.5.1 instead.

## Breaking Changes

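Review bot: "causing no scopes to be send along with the request" should read "sent". Both new bullets tell readers to move to v7.5.1; since the v7.5.1 section above already lists #2229 "bugfix: default scopes for OIDCProvider based providers", which looks like the fix for the Keycloak scope bug, linking the fixing PRs from these two bullets would let someone reading the v7.5.0 notes see what actually changed rather than only that they should upgrade.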
29 changes: 28 additions & 1 deletion docs/versioned_docs/version-7.5.x/configuration/sessions.md
@@ -52,6 +52,33 @@ in redis via the `SETEX` command.
Encrypting every session uniquely protects the refresh/access/id tokens stored in the session from
disclosure.

Additionally the browser only has to send a short Cookie with every request and not the whole JWT, which can get quite big.

Two settings are used to configure the OAuth2 Proxy cookie lifetime:

--cookie-refresh duration refresh the cookie after this duration; 0 to disable
--cookie-expire duration expire timeframe for cookie 168h0m0s

The "cookie-expire" value should be equal to the lifetime of the Refresh-Token that is issued by the OAuth2 authorization server.
If it expires earlier and is deleted by the browser, OAuth2 Proxy cannot find the stored Refresh-Tokens in Redis and thus cannot start
the refresh flow to get new Access-Tokens. If it is longer, it might be that the old Refresh-Token will be found in Redis but has already
expired.

The "cookie-refresh" value controls when OAuth2 Proxy tries to refresh an Access-Token. If it is set to "0", the
Access-Token will never be refreshed, even it is already expired and there would be a valid Refresh-Token in the
available. If set, OAuth2 Proxy will refresh the Access-Token after this many seconds even if it is still valid.
Of course, it will also be refreshed after it has expired, as long as a Refresh Token is available.

Caveat: It can happen that the Access-Token is valid for e.g. "1m" and a request happens after exactly "59s".
It would pass OAuth2 Proxy and be forwarded to the backend but is just expired when the backend tries to validate
it. This is especially relevant if the backend uses the JWT to make requests to other backends.
For this reason, it's advised to set the cookie-refresh a couple of seconds less than the Access-Token lifespan.

Recommended settings:

* cookie\_refresh := Access-Token lifespan - 1m
* cookie\_expire := Refresh-Token lifespan (i.e. Keycloak's client\_session\_idle)

#### Usage

When using the redis store, specify `--session-store-type=redis` as well as the Redis connection URL, via
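Review bot: the sentence "the Access-Token will never be refreshed, even it is already expired and there would be a valid Refresh-Token in the available." is missing words and does not parse; something like "even if it has already expired and a valid Refresh-Token is available in the session store" is presumably what was meant. In the same paragraph, "after this many seconds" is wrong for a flag documented as `--cookie-refresh duration` (the examples use "1m" and "59s"); say "after this duration". The two recommendations also disagree: the caveat paragraph advises setting cookie-refresh "a couple of seconds less than the Access-Token lifespan", while "Recommended settings" says "Access-Token lifespan - 1m"; pick one value and state it in both places, since this margin is what prevents the in-flight-expiry case the caveat describes. Finally, the recommended-settings bullets use `cookie\_refresh` and `cookie\_expire` with escaped underscores, which are neither the flag names nor valid option spellings; use `--cookie-refresh` and `--cookie-expire` as in the flag listing above.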
@@ -68,4 +95,4 @@ Note that flags `--redis-use-sentinel=true` and `--redis-use-cluster=true` are m

Note, if Redis timeout option is set to non-zero, the `--redis-connection-idle-timeout`
must be less than [Redis timeout option](https://redis.io/docs/reference/clients/#client-timeouts). For example: if either redis.conf includes
`timeout 15` or using `CONFIG SET timeout 15` the `--redis-connection-idle-timeout` must be at least `--redis-connection-idle-timeout=14`
`timeout 15` or using `CONFIG SET timeout 15` the `--redis-connection-idle-timeout` must be at least `--redis-connection-idle-timeout=14`
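Review bot: the removed and added lines are identical as rendered, so this is presumably a trailing-whitespace or end-of-file newline change, which is fine; but while this line is being touched, the sentence contradicts itself. It first states that `--redis-connection-idle-timeout` "must be less than" the Redis timeout, then that with `timeout 15` it "must be at least `--redis-connection-idle-timeout=14`". Under the "less than" constraint 14 is the maximum, not the minimum, so it should read "must be at most `--redis-connection-idle-timeout=14`" (or "set to 14 or lower"); as written, a reader could set it to 20 and have Redis drop idle connections before the proxy does.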
2 changes: 1 addition & 1 deletion docs/versioned_docs/version-7.5.x/installation.md
@@ -10,7 +10,7 @@ slug: /

b. Build with `$ go install github.com/oauth2-proxy/oauth2-proxy/v7@latest` which will put the binary in `$GOPATH/bin`

c. Using the prebuilt docker image [quay.io/oauth2-proxy/oauth2-proxy](https://quay.io/oauth2-proxy/oauth2-proxy) (AMD64, ARMv6 and ARM64 tags available)
c. Using the prebuilt docker image [quay.io/oauth2-proxy/oauth2-proxy](https://quay.io/oauth2-proxy/oauth2-proxy) (AMD64, PPC64LE, ARMv6, ARMv7, and ARM64 tags available)

d. Using a [Kubernetes manifest](https://github.com/oauth2-proxy/manifests) (Helm)

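Review bot: the expanded platform list (AMD64, PPC64LE, ARMv6, ARMv7, ARM64) needs to match the tags actually published to quay.io for the version this page documents, and this is the 7.5.x versioned copy; since the CHANGELOG in this same commit records that the v7.5.0 arm64/armv8 image was pushed with the wrong platform type, a short note here that the ARM64 tag is only reliable from v7.5.1 onward (and a reference to #2220, which added the release platforms) would stop users of the 7.5.x docs from pulling the broken image.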