We document all notable changes to this project in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

## 3.1.1 - 2023-02-02

- The `sts/:name` endpoint should have been seal-wrapped like the corresponding `creds/:name` endpoint.

## 3.1.0 - 2023-01-23

- Add support for configuring the maximum valid lifetime of a token with a new `maximum_expiry_seconds` parameter on the `creds/:name` and `self/:name` endpoints.
- The OAuth 2.0 token exchange flow (RFC 8693) for impersonation is now supported by reading from the `sts/:name` endpoint.

## 3.0.0 - 2021-09-20

- It is now possible to manage multiple authorization servers at the same time by writing separate provider configurations to the `servers/:name` endpoint. Listing servers is supported at the `servers` endpoint.
- Additionally, server configurations support a new `client_secrets` field that was not present in the plugin configuration in v2. When this field is set to a list, the plugin will attempt to use each secret in order until it receives a successful provider response.
- The plugin configuration supports selecting a default server to use by setting the `default_server` field. When upgrading from v2, this field will be automatically set to maintain backward compatibility.
- It is no longer necessary to explicitly specify a state when requesting an authorization code URL. The plugin will generate a random state and return it in the response.
- Add the new tuning option `tune_reap_server_deleted_seconds` to control how long the plugin should wait before automatically deleting credentials that refer to a nonexistent (deleted) server.
- [BREAKING] The plugin configuration no longer supports configuring a single provider for the entire engine. Instead, configure a provider using the new `servers/:name` endpoint and reference it in credentials.
- [BREAKING] The `config/auth_code_url` endpoint has been removed and replaced by the `auth-code-url` endpoint, which accepts a server name as a parameter.
- [BREAKING] The `config/self/:name` endpoint has been removed, and it is no longer possible to store an access token using the client credentials flow by reading from an unconfigured path at the `self/:name` endpoint. Instead, initialize such an access token by writing to the `self/:name` endpoint with any necessary configuration first.
- The device code flow support library now sends an `Accept: application/json` header to improve compatibility with legacy device code endpoints that support both JSON and form-encoded responses.
- The scheduled processes for refreshing credentials, reaping credentials, and managing the device code flow no longer start on a Vault server configured as a performance secondary, performance standby, or disaster recovery secondary.
- Remove darwin/386 from distribution as it is no longer supported by Go or Vault.

## 2.2.0 - 2021-07-13

- Add additional performance tuning options for provider timeouts and automatic credential reaping.

## 2.1.1 - 2021-06-25

- Fix a regression that caused the automatic credential refresher to be disabled on configurations written before v2.1.0.

## 2.1.0 - 2021-06-24

- Add support for multi-tenant Azure AD apps. This is done by allowing the `tenant` provider option to be set on a per-credential basis if it is not explicitly specified in the provider configuration. If no tenant is provided, the tenant now defaults to allowing any Azure AD account.
- The check interval for refreshing tokens is now configurable using the `tune_refresh_check_interval_seconds` option. It can also be explicitly disabled by setting the interval to 0.
- The Google provider now uses an OpenID implementation, which allows it to also retrieve data from the `id_token`. Write a new plugin configuration to take advantage of this feature.

## 2.0.0 - 2021-04-09

- [BREAKING] The path to configure a token for client credentials exchange has changed from `self/:name/config` to `config/self/:name`.
- [BREAKING] Deleting a client credentials exchange token no longer also deletes the configuration associated with it. To also delete the configuration, delete `config/self/:name` instead.
- The names of credentials are now unrestricted, except that they cannot end with a colon (`:`) character or have a colon immediately before a slash (`/`).

## 1.10.1 - 2021-04-07

- Fix a regression that caused the `minimum_seconds` field of a credential read request to be ignored.
- Correctly request updated user information when an OIDC token is refreshed.

## 1.10.0 - 2021-03-29

- The OAuth 2.0 device authorization flow (RFC 8628) is now supported by specifying `grant_type=urn:ietf:params:oauth:grant-type:device_code` when creating a credential.
- Specifying a client secret when configuring the engine is now optional.

## 1.9.0 - 2021-01-19

- The OAuth 2.0 client credentials flow is now supported using the new `self` endpoints.
- Errors caused by configuration problems in the OIDC provider are now correctly propagated to the HTTP response with a 400 status code.
- The `nonce` provider option for the OIDC authorization code exchange is now passed to the ID token verification routine.
- Nonce validation is only performed during OIDC authorization code exchange or refresh token flow if the plugin user specifies a nonce to validate against; otherwise, it is assumed that the nonce data is invalid or non-conforming to the OpenID Connect Core specification.
- Per the OpenID Connect Core specification, ID tokens will only be revalidated during refresh if the server sends a new ID token. Otherwise, they are passed through unmodified from the original exchange.
- The `testutil` package now uses a `*provider.Token` instead of a `*oauth2.Token` for mocks, allowing the `ExtraData` to be customized.
- It is now optional for providers to expose an authorization code URL.

## 1.8.3 - 2020-12-17

- Allow combined workflow to upload actual archives in addition to checksums.

## 1.8.2 - 2020-12-17

- Combine CI and release workflows so that release assets can be attached.

## 1.8.1 - 2020-12-17

- Fix workflow configuration to properly create GitHub releases.

## 1.8.0 - 2020-12-17

- Add support for OpenID Connect as a provider.
- Use a collection of locks (256, distributed uniformly among credential keys) instead of a global mutex to improve performance.
- Because we now have a more complete OpenID Connect provider, the option to provide a `discovery_url` to the custom provider has been removed. Existing configurations that make use of the `discovery_url` will continue to work as intended.
- Switch to GitHub Actions and remove dependency on semantic-release.
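
The lock-striping change in the 1.8.0 entry above, shown as an added Go example that is not the plugin's own code: a hypothetical `CredentialStore` hashes each credential name to one of 256 shards, each with its own mutex, so operations on different credentials only contend when they land in the same shard. The store, the `Refresh`/`Refreshes` functions and the per-credential counter are constructed for illustration.

```go
package main

import (
	"hash/fnv"
	"sync"
)

// shardCount matches the 256 locks mentioned in the changelog entry.
const shardCount = 256

// shard pairs one mutex with the state it guards.
type shard struct {
	mu        sync.Mutex
	refreshes map[string]int // constructed stand-in for per-credential state
}

// CredentialStore is a hypothetical store (not the plugin's code) that
// replaces a single global mutex with shardCount independent locks.
type CredentialStore struct {
	shards [shardCount]shard
}

// ShardIndex hashes a name with FNV-1a and reduces it modulo shardCount.
func ShardIndex(name string) int {
	h := fnv.New32a()
	h.Write([]byte(name))
	return int(h.Sum32() % shardCount)
}

// Refresh records one refresh for a credential while holding only that
// credential's shard lock; credentials in other shards are not blocked.
func (s *CredentialStore) Refresh(name string) int {
	sh := &s.shards[ShardIndex(name)]
	sh.mu.Lock()
	defer sh.mu.Unlock()
	if sh.refreshes == nil {
		sh.refreshes = map[string]int{}
	}
	sh.refreshes[name]++
	return sh.refreshes[name]
}

// Refreshes returns the recorded count for a credential (0 if unseen).
func (s *CredentialStore) Refreshes(name string) int {
	sh := &s.shards[ShardIndex(name)]
	sh.mu.Lock()
	defer sh.mu.Unlock()
	return sh.refreshes[name]
}
```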

## 1.7.0 - 2020-10-27

- Add `minimum_seconds` credential read option.

## 1.6.0 - 2020-09-28

- Allow additional characters in credential names.

## 1.5.0 - 2020-09-28

- Log error codes from exchanging or refreshing tokens for debugging.

## 1.4.0 - 2020-09-28

- Add `discovery_url` provider option to the custom provider to allow discovery of a corresponding OAuth 2 endpoint.

## 1.3.0 - 2020-07-13

- Add support for Google as a provider.

## 1.2.0 - 2020-04-06

- Add `refresh_token` field when writing a new credential to handle cases where the OAuth 2 exchange initially occurred out of band.

## 1.1.1 - 2019-10-07

- Do not propagate API errors from providers when token refresh fails.

## 1.1.0 - 2019-09-19

- The token type is now returned as part of the credential read operation.

## 1.0.0 - 2019-09-18

- Initial release of the plugin.