diff --git a/CHANGELOG.md b/CHANGELOG.md index e6791979..7381590c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,11 +6,31 @@ ## Breaking Changes +## Changes since v7.5.1 + +# V7.5.1 + +## Release Highlights +- 🐛 Several bugs have been squashed +- 🕵️‍♀️ Vulnerabilities have been addressed +- 📖Improved docs + +## Important Notes + +- This release includes fixes for a number of CVEs, we recommend to upgrade as soon as possible. +- The environment variable OAUTH2_PROXY_GOOGLE_GROUP has been deprecated in favor of OAUTH2_PROXY_GOOGLE_GROUPS. Next major release +will remove this option. This change makes sure that the configuration options follow the documentation. + +## Breaking Changes + +N/A + ## Changes since v7.5.0 - [#2220](https://github.com/oauth2-proxy/oauth2-proxy/pull/2220) Added binary and docker release platforms (@kvanzuijlen) - [#2221](https://github.com/oauth2-proxy/oauth2-proxy/pull/2221) Backwards compatible fix for wrong environment variable name (OAUTH2_PROXY_GOOGLE_GROUPS) (@kvanzuijlen) - [#1989](https://github.com/oauth2-proxy/oauth2-proxy/pull/1989) Fix default scope for keycloak-oidc provider (@tuunit) - [#2217](https://github.com/oauth2-proxy/oauth2-proxy/pull/2217) Upgrade alpine to version 3.18 (@polarctos) +- [#2208](https://github.com/oauth2-proxy/oauth2-proxy/pull/2208) Improved session documentation (@lathspell) - [#2229](https://github.com/oauth2-proxy/oauth2-proxy/pull/2229) bugfix: default scopes for OIDCProvider based providers (@tuunit) - [#2194](https://github.com/oauth2-proxy/oauth2-proxy/pull/2194) Fix Gitea token validation (@tuunit) @@ -26,6 +46,8 @@ ## Important Notes - This release includes fixes for a number of CVEs, we recommend to upgrade as soon as possible. +- This release was pushed with the wrong Docker platform type for arm64/armv8. Use v7.5.1 instead. +- This release introduced a bug with the Keycloak OIDC provider causing no scopes to be send along with the request. Use v7.5.1 instead. ## Breaking Changes 
diff --git a/docs/versioned_docs/version-7.5.x/configuration/sessions.md b/docs/versioned_docs/version-7.5.x/configuration/sessions.md index 8a4b640c..3a0706e7 100644 --- a/docs/versioned_docs/version-7.5.x/configuration/sessions.md +++ b/docs/versioned_docs/version-7.5.x/configuration/sessions.md 
@@ -52,6 +52,33 @@ in redis via the `SETEX` command. Encrypting every session uniquely protects the refresh/access/id tokens stored in the session from disclosure. +Additionally the browser only has to send a short Cookie with every request and not the whole JWT, which can get quite big. + +Two settings are used to configure the OAuth2 Proxy cookie lifetime: + + --cookie-refresh duration refresh the cookie after this duration; 0 to disable + --cookie-expire duration expire timeframe for cookie 168h0m0s + +The "cookie-expire" value should be equal to the lifetime of the Refresh-Token that is issued by the OAuth2 authorization server. +If it expires earlier and is deleted by the browser, OAuth2 Proxy cannot find the stored Refresh-Tokens in Redis and thus cannot start +the refresh flow to get new Access-Tokens. If it is longer, it might be that the old Refresh-Token will be found in Redis but has already +expired. + +The "cookie-refresh" value controls when OAuth2 Proxy tries to refresh an Access-Token. If it is set to "0", the +Access-Token will never be refreshed, even it is already expired and there would be a valid Refresh-Token in the +available. If set, OAuth2 Proxy will refresh the Access-Token after this many seconds even if it is still valid. +Of course, it will also be refreshed after it has expired, as long as a Refresh Token is available. + +Caveat: It can happen that the Access-Token is valid for e.g. "1m" and a request happens after exactly "59s". +It would pass OAuth2 Proxy and be forwarded to the backend but is just expired when the backend tries to validate +it. This is especially relevant if the backend uses the JWT to make requests to other backends. +For this reason, it's advised to set the cookie-refresh a couple of seconds less than the Access-Token lifespan. + +Recommended settings: + +* cookie\_refresh := Access-Token lifespan - 1m +* cookie\_expire := Refresh-Token lifespan (i.e. 
Keycloak's client\_session\_idle) + #### Usage When using the redis store, specify `--session-store-type=redis` as well as the Redis connection URL, via @@ -68,4 +95,4 @@ Note that flags `--redis-use-sentinel=true` and `--redis-use-cluster=true` are m Note, if Redis timeout option is set to non-zero, the `--redis-connection-idle-timeout` must be less than [Redis timeout option](https://redis.io/docs/reference/clients/#client-timeouts). For example: if either redis.conf includes -`timeout 15` or using `CONFIG SET timeout 15` the `--redis-connection-idle-timeout` must be at least `--redis-connection-idle-timeout=14` \ No newline at end of file +`timeout 15` or using `CONFIG SET timeout 15` the `--redis-connection-idle-timeout` must be at least `--redis-connection-idle-timeout=14` diff --git a/docs/versioned_docs/version-7.5.x/installation.md b/docs/versioned_docs/version-7.5.x/installation.md index 3c8c2224..2be4c6a0 100644 --- a/docs/versioned_docs/version-7.5.x/installation.md +++ b/docs/versioned_docs/version-7.5.x/installation.md @@ -10,7 +10,7 @@ slug: / b. Build with `$ go install github.com/oauth2-proxy/oauth2-proxy/v7@latest` which will put the binary in `$GOPATH/bin` - c. Using the prebuilt docker image [quay.io/oauth2-proxy/oauth2-proxy](https://quay.io/oauth2-proxy/oauth2-proxy) (AMD64, ARMv6 and ARM64 tags available) + c. Using the prebuilt docker image [quay.io/oauth2-proxy/oauth2-proxy](https://quay.io/oauth2-proxy/oauth2-proxy) (AMD64, PPC64LE, ARMv6, ARMv7, and ARM64 tags available) d. Using a [Kubernetes manifest](https://github.com/oauth2-proxy/manifests) (Helm)
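Review bot: in the CHANGELOG hunk `@@ -6,11 +6,31 @@`, the Important Note "This release includes fixes for a number of CVEs" gives operators nothing to triage against: none of the listed entries carries a CVE identifier, and the only dependency bump in the list is "#2217 Upgrade alpine to version 3.18". Either name the CVEs the release closes or point the note at the entries that address them, so readers can tell whether they are exposed. Smaller wording fixes in the same hunk: "we recommend to upgrade" should be "we recommend upgrading", "📖Improved docs" is missing a space after the emoji, and "Next major release will remove this option" reads better as "The next major release will remove this option."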
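Review bot: in the CHANGELOG hunk `@@ -26,6 +46,8 @@`, "causing no scopes to be send along with the request" should read "causing no scopes to be sent along with the request". Since both new notes tell users to move to v7.5.1, it would help to cross-reference the entries that fix them in the v7.5.1 list above: "#2220 Added binary and docker release platforms" for the arm64/armv8 platform problem, and "#1989 Fix default scope for keycloak-oidc provider" together with "#2229 bugfix: default scopes for OIDCProvider based providers" for the missing scopes.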
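Review bot: in the sessions.md hunk `@@ -52,6 +52,33 @@`, the sentence "even it is already expired and there would be a valid Refresh-Token in the available." is broken and drops the key fact: suggest "even if it has already expired and a valid Refresh-Token is available in the session store." This is the security-relevant case of the whole section (an expired Access-Token keeps being forwarded to the backend for the rest of the cookie lifetime), so it should read cleanly. Two related inconsistencies in the same hunk: "refresh the Access-Token after this many seconds" does not match the flag, which takes a duration such as "1m" (say "after this duration"), and the caveat advises "a couple of seconds less than the Access-Token lifespan" while the recommended settings say "Access-Token lifespan - 1m"; pick one value and use it in both places. In the flag listing, the default "168h0m0s" runs straight into the description of `--cookie-expire`; format it as "(default 168h0m0s)" as the help output does. Finally, the recommended settings use "cookie\_refresh :=" and "cookie\_expire :=" with escaped underscores; use the real flag names `--cookie-refresh` and `--cookie-expire` so they match the rest of the page.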
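Review bot: in the installation.md hunk `@@ -10,7 +10,7 @@`, the platform list now matches the CHANGELOG entry "#2220 Added binary and docker release platforms", but both this change and the sessions.md change touch only the `docs/versioned_docs/version-7.5.x/` copy. If the project also keeps an unversioned docs tree for the next release, mirror both edits there so the two copies do not drift.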