V2.2

Improvements & Bug Fixes:

• #278 Cookie Name validation (thanks @tanuck)
• #292 Strip sensitive URL parameters from log output (thanks @nickmiller-wf)
• #299 Update vendor'd oauth2/google (thanks @tamsky)
• #205 #339 -pass-user-headers options (thanks @jsievers)
• #346 warn on oversized cookies (thanks @bdwyertech)
• #349 Add /oauth2/sign_out endpoint (thanks @braincube-io)
• #354 fix windows build (thanks @ploxiln)
• #355 Improvements to release build scripting (thanks @ploxiln)
• #359 Fix //... redirect checking (thanks @arnottcr)
• #360 CSRF protection for OAuth flow (thanks @arnottcr @TheRook)
• #362 -ssl-insecure-skip-verify option
• #319 nginx oauth_request fixes (thanks @ashkulz)
• #365 fix http-address parsing (thanks @travisofthenorth)
• #370 -skip-auth-preflight option to skip preflight OPTIONS requests (thanks @idntfy)

Provider Bug Fixes & Improvements

• #274 Azure provider (thanks @ElDiabloComputatore)
• #357 Skip 404 errors when looking up Google groups (thanks @mtak @wrapp)

Docs:

• #272, #273 nginx auth_request documentation updates (thanks @semenko)
• #290 - skip-provider-button (thanks @MarkHerhold)

V2.1 New Providers

Upgrading from 2.0 should be transparent for most users. The format for specifying cookie secret has changed so some users may have a cookie be base64 decoded now and will have to re-generate a new cookie secret that matches the requirements for -pass-access-token.

New Providers:

• Azure #170 thanks @eelcocramer
• Gitlab #211 thanks @pmosbach
• Github Enterprise #197 #269
• Facebook #270

New Features:

• Restrict google apps authentication to specific google groups on your domain #139 thanks @jburnham
• Serve up static files directly #142 thanks @Tenzer
• Request Signing (for securing a publicly accessible endpoint) #147 thanks @mbland
• Nginx auth_request support #153 thanks @mbland
• Set basic-auth password for upstream requests #129 thanks @jburnham
• Set google approval prompt #131 thanks @ebardsley

Bug Fixes:

• Support base64 cookie secrets to make it possible to use completely random seed values #227 thanks @ploxiln @ntrepid8
• dist.sh compatability with GNU #249 thanks @jhoblitt
• Check email validity on all requests #126 thanks @tomtaylor mattk42
• Fix running on alternate URL prefixes #148 thanks @johnboxall
• Ignore spaces in authorized email list #184 thanks @stanhu
• Validate state param while redirecting #194 thanks @r4um
• Doc updates thanks @sricola @gust1n @rhencke @philips @mbland @funkymrrogers

Version 2.0.1

This is a bug fix release fixing cookie refresh handling, and OAuth2 refresh token handling (#115, #116, #117). It is recommended for all users.

Version 2.0

There are several backwards incompatible changes relating to various configuration settings. Please see the details below if upgrading from a previous version.

Changes and New Features

#76 #77 #78 - provider refactoring (thanks @mbland)
#79 - MyUSA provider (thanks @mbland)
#80 #81 - pass provider access token upstream (thanks @mbland)
#82 - Bug Fix: redirect to / from Sign In url (thanks @mbland)
#83 - Case insensitive email comparisons (thanks @mbland)
#84 - LinkedIn provider (thanks @balshor)
#90 - pass /robots.txt upstream (thanks @mbland)
#88 #107 - -cookie-refresh (thanks @mbland)
#89 #93 #106 - auto-reload authenticated emails file
#98 #109 - GitHub provider
#85 #102 - project rename to OAuth2 Proxy (contributions from @pidah)
#91 - disable email validation --email-domain=*
#109 - better provider error logs
#99 - native TLS support
#104 - support multiple Oauth2 Proxies on same domain (thanks @tonymeng)

Upgrading from v1.x

• --google-apps-domain is now --email-domain
• Environment config variables are now OAUTH2_PROXY_....
• The cookie name is now _oauth2_proxy (and configurable with --cookie-name)
• --cookie-https-only option has been removed (use --cookie-secure)

Version 1.1.1

This is a bugfix release

• #74 fixes a regression introduced in #17 affecting validity of upstream requests

Version 1.1

Upgrading from 1.0

There are no incompatibility issues upgrading from 1.0, but users who disable secure cookies (enabled by default) should migrate to use --cookie-secure=false instead of --cookie-https-only=false.

New Features and Changes

• #40 fix loading environment variables
• #46 allow hiding custom login form when using htpasswd
• #54 documentation fixes (thanks @rhoml)
• #50 support white listing URLs from authentication via -skip-auth-regex (thanks @vishnuchilamakuru)
• #57 new -cookie-http-only setting (thanks @tomtaylor)
• #63 support listening on sockets (thanks @dhowden)
• #66 improve option parsing errors (thanks @mbland)
• #68 new -pass-host-header option (thanks @johnboxall)
• #70 ability to customize the sign-in template (contributions from @Tetsuharu and @hughes)
• #17 fix handling of encoded slashes in request path (contributions from @adrian-gomez)
• #69 make -redirect-uri optional (contributions from @mondotron)
• #71 rename -cookie-https-only to -cookie-secure to remove confusion
• #73 enhanced request access log configurable with -request-logging=false

1.0

Upgrading from 0.1

There have been significant updates to configuration options in this release including two backwards incompatible changes. Cookies are now set to httpsonly by default, and the naming of environment variables used for configuration has changed.

New Features / Changes since 0.1

• #25 - update for google OAuth migration
• #35 - Pass authenticated email as X-Forwarded-Email to enable SSO for tools like splunk that require the email address - thanks @rogerhu
• #30 - /ping endpoint - thanks @jswank
• #22 - fix timing attack on cookie validation - thanks @dbrgn
• #34 - set httponly cookie
• #36 - updated Sign In Templates (better mobile support)
• #20 - support configuration via config file
• #37 - update environment variable parsing
• #38 - switch to gpm for dependency management
• #38 - enable httpsonly cookies by default