|
1 | 1 | # Changelog
|
2 | 2 |
|
| 3 | +## 8.0.0 (2021-08-08) |
| 4 | + |
| 5 | +This is a breaking release, if you were using the openid_connect frontend. To |
| 6 | +keep compatibility: |
| 7 | + |
| 8 | +1. Install the proxy with `pip install satosa[pyop_mongo]` in order to fetch |
| 9 | + the right dependencies. |
| 10 | +2. If you were not using the `client_db_path` option then set the new option |
| 11 | + `client_db_uri` to the value of `db_uri`. |
| 12 | + |
| 13 | +- The internal data now hold the authenticating authority as part of the |
| 14 | + AuthenticationInformation object |
| 15 | + (`satosa.internal::AuthenticationInformation::authority`). |
| 16 | +- The Context object now holds a dictionary of query string params |
| 17 | + (`context.qs_params`). |
| 18 | +- The Context object now holds a dictionary of http headers |
| 19 | + (`context.http_headers`). |
| 20 | +- The Context object now holds a dictionary of server headers |
| 21 | + (`context.server_headers`). |
| 22 | +- The Context object now holds the request method (`context.request_method`). |
| 23 | +- The Context object now holds the request uri (`context.request_uri`). |
| 24 | +- The Context object now holds a dictionary of http headers. |
| 25 | +- frontends: the openid_connect frontend has a new configuration option |
| 26 | + `signing_key_id` to set the `kid` field on the jwks endpoint. |
| 27 | +- frontends: the openid_connect frontend dependency `pyop` has been updated |
| 28 | + to work with both Redis and MongoDB. This changed how its dependencies are |
| 29 | + set. This is reflected in this package's new extras that can be set to |
| 30 | + `pyop_mongo` (to preserve the previous behaviour), or `pyop_redis`. |
| 31 | +- frontends: the openid_connect frontend filters out unset claims. |
| 32 | +- frontends: the openid_connect frontend has a new option |
| 33 | + `extra_id_token_claims` to define in the config per client which extra claims |
| 34 | + should be added to the ID Token to also work with those clients. |
| 35 | +- frontends: the openid_connect frontend has a new option `client_db_uri` to |
| 36 | + specify a database connection string for the client database. If unset, |
| 37 | + `client_db_path` will be used to load the clients from a file. |
| 38 | + Previously, the option `db_uri` was used to set the client database string. |
| 39 | + If you were relying on this behaviour, add the `client_db_uri` option with |
| 40 | + the same value as `db_uri`. |
| 41 | +- frontends: document the `client_db_path` option for openid_connect |
| 42 | +- frontends: the openid_connect frontend has a new configuration option |
| 43 | + `id_token_lifetime` to set the lifetime of the ID token in seconds. |
| 44 | +- frontends: the saml2 frontend has a new option `enable_metadata_reload` to |
| 45 | + expose an endpoint (`/<module_name>/reload-metadata`) that allows external |
| 46 | + triggers to reload the frontend's metadata. This setting is disabled by |
| 47 | + default. It is up to the user to protect the endpoint if enabled. This |
| 48 | + feature requires pysaml2 > 7.0.1 |
| 49 | +- backends: the saml2 backend derives the encryption keys based on the |
| 50 | + `encryption_keypairs` configuration option, otherwise falling back to |
| 51 | + the `key_file` and `cert_file` pair. This is now reflected in the internal |
| 52 | + pysaml2 configuration. |
| 53 | +- backends: the saml2 backend `sp` property is now of type |
| 54 | + `saml2.client::Saml2Client` instead of `saml2.client_base::Base`. This allows |
| 55 | + us to call the higer level method |
| 56 | + `saml2.client::Saml2Client::prepare_for_negotiated_authenticate` instead of |
| 57 | + `saml2.client_base::Base::create_authn_request` to properly behave when |
| 58 | + needing to sign the AuthnRequest using the Redirect binding. |
| 59 | +- backends: the saml2 backend has a new option `enable_metadata_reload` to |
| 60 | + expose an endpoint (`/<module_name>/reload-metadata`) that allows external |
| 61 | + triggers to reload the backend's metadata. This setting is disabled by |
| 62 | + default. It is up to the user to protect the endpoint if enabled. This |
| 63 | + feature requires pysaml2 > 7.0.1 |
| 64 | +- backends: new ReflectorBackend to help with frontend debugging easier and |
| 65 | + developing quicker. |
| 66 | +- backends: the saml2 backend has a new configuration option |
| 67 | + `send_requester_id` to specify whether Scoping/RequesterID element should be |
| 68 | + part of the AuthnRequest. |
| 69 | +- micro-services: new DecideBackendByTargetIssuer micro-service, to select |
| 70 | + a target backend based on the target issuer. |
| 71 | +- micro-services: new DiscoToTargetIssuer micro-service, to set the discovery |
| 72 | + protocol response to be the target issuer. |
| 73 | +- micro-services: new IdpHinting micro-service, to detect if an idp-hinting |
| 74 | + feature has been requested and set the target entityID. Enabling this |
| 75 | + micro-service will result in skipping the discovery service and using the |
| 76 | + specified entityID as the IdP to be used. The IdP entityID is expected to be |
| 77 | + specified as a query-param value on the authentication request. |
| 78 | +- micro-services: new AttributePolicy micro-service, which is able to force |
| 79 | + attribute policies for requester by limiting results to a predefined set of |
| 80 | + allowed attributes. |
| 81 | +- micro-services: the PrimaryIdentifier micro-service has a new option |
| 82 | + `replace_subject_id` to specify whether to replace the `subject_id` with the |
| 83 | + constructed primary identifier. |
| 84 | +- micro-services: PrimaryIdentifier is set only if there is a value. |
| 85 | +- micro-services: AddSyntheticAttributes has various small fixes. |
| 86 | +- micro-services: ScopeExtractorProcessor can handle string values. |
| 87 | +- dependencies: the `pystache` package has been replaced by `chevron`, as |
| 88 | + `pystache` seems to be abandoned and will not work with python v3.10 and |
| 89 | + `setuptools` v58 or newer. This package is a dependency of the |
| 90 | + `satosa.micro_services.attribute_generation.AddSyntheticAttributes` |
| 91 | + micro-service. |
| 92 | +- tests: MongoDB flags have been updated to cater for deprecated flags. |
| 93 | +- docs: updated with information about the newly added micro-services. |
| 94 | +- docs: various typo fixes. |
| 95 | +- docs: various example configuration fixes. |
| 96 | + |
| 97 | + |
3 | 98 | ## 7.0.3 (2021-01-21)
|
4 | 99 |
|
5 | 100 | - dependencies: Set minimum pysaml2 version to v6.5.1 to fix internal XML
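Review bot: the Context entry `+- The Context object now holds a dictionary of http headers.` (changelog line 24) duplicates the `context.http_headers` entry at lines 18-19 and should be dropped. In the same hunk, `higer` should read `higher` in the saml2 backend `sp` entry, the two `enable_metadata_reload` entries need a period after `pysaml2 > 7.0.1`, and `to help with frontend debugging easier and developing quicker` in the ReflectorBackend entry reads better as `to make frontend debugging and development easier`. Since both `enable_metadata_reload` entries say it is up to the user to protect the `/<module_name>/reload-metadata` endpoint, consider stating explicitly that it must not be reachable unauthenticated (for example, restrict it at the reverse proxy), because anyone who can reach it can trigger repeated metadata reloads.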