Core Changelog

Please refer to the upgrade guide before upgrading.

note

Versioning

Pomerium uses Semantic Versioning. In practice, this means for a given version number vMAJOR.MINOR.PATCH (for example, v0.1.0):

MAJOR indicates an incompatible API change
MINOR indicates a new, backwards-compatible functionality
PATCH indicates a backwards-compatible bug fix

As Pomerium is still pre-v1.0.0, you should expect breaking changes between releases.

v0.28.0 (2024-11-11)

Full Changelog

New

More flexible PPL string matchers.
Add new jwt issuer format route option.
Add an 'issuer' field to the /.well-known/pomerium endpoint.
Add new request header variable 'pomerium.jwt'.

Changed

Better error serialization for requests from kubectl.
Improved header evaluation performance in the authorize service.
Improved RouteID calculation performance (used for generating configuration with large numbers of routes).

Bug Fixes

Fix enterprise detection in the dashboard.
Fix response code redirect option.

v0.27.2 (2024-10-22)

Full Changelog

Pomerium Zero

Add a Pomerium Core to Pomerium Zero import tool, allowing you to bring your existing Pomerium configuration into Pomerium Zero.
Add active users reporting, for self-serve billing in Pomerium Zero. End user information is pseudonymized and reported to Pomerium Zero, in order to bill paid organizations according to the number of active users across the organization as a whole.

Fixed

Improve handling of transient errors from the databroker.
Fix a data race in the in-memory databroker storage backend.
Remove an incorrect “unknown config option” warning message when the set_response_headers config file key is present.

Changes

For any routes where the Kubernetes Service Account Token option is set, allow both websockets and SPDY connection upgrades. (One of these is necessary for commands like kubectl exec and kubectl port-forward to work correctly, depending on your version of Kubernetes.)
Previously, the Log Level option could affect the default value of the Authorize Log Fields option: setting the main log level to debug would change the default set of authorize log fields to include headers (logging all HTTP request headers). This undocumented behavior has been removed, and these two options are now entirely independent.
Remove some currently-unused configuration options:
- databroker_storage_cert_file
- databroker_storage_key_file
- databroker_storage_ca_file
- databroker_storage_tls_skip_verify
- grpc_client_dns_roundrobin
Various other minor code clean-up.

v0.27.1 (2024-09-26)

Full Changelog

Pomerium v0.27.1 includes a fix to the databroker service API authorization logic. Certain service account tokens from Pomerium Zero or Pomerium Enterprise could grant unintended authorization to the databroker service API. See the CVE-2024-47616 for more information.

Security

Additional validation checks for gRPC API authorization. This update resolves a security vulnerability that we believe affects only certain Pomerium Enterprise and Pomerium Zero deployments.

Fixed

The user info dashboard page (at URL path /.pomerium/) now provides user info also for the programmatic access flow (see issue #5246).
The user info dashboard page now correctly displays group membership info for Pomerium Enterprise deployments with directory sync configured.

v0.27.0 (2024-09-10)

Full Changelog

What's Changed

Breaking

proxy: deprecate the /.pomerium/jwt endpoint by @kenjenkins in https://github.com/pomerium/pomerium/pull/5254
zero/k8s: use Deployment instead of StatefulSet by @wasaga in https://github.com/pomerium/pomerium/pull/5248

New

authorize: use uuid for jti, current time for iat and exp by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5147
config: add databroker_storage_connection_string_file by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5242
config: add mTLS UserPrincipalName SAN match by @kenjenkins in https://github.com/pomerium/pomerium/pull/5177
config: add runtime flag to allow disabling config hot-reload (#5079) by @kralicky in https://github.com/pomerium/pomerium/pull/5112
envoy: allow TLS 1.3 for upstream connections by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5263
envoy: log TLS connection failures in the mTLS reject_connection mode by @kralicky in https://github.com/pomerium/pomerium/pull/5210
envoy: resource monitoring & overload manager configuration by @kralicky in https://github.com/pomerium/pomerium/pull/5106
envoy: support http2 prior knowledge for insecure upstream targets (h2c://) by @kralicky in https://github.com/pomerium/pomerium/pull/5205
ui: add "Policy ID" label to error details page by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5127
ui: add request id to upstream error page by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5166
ui: add user info link to error page by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5158
ui: user info dashboard improvements by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5128
zero/connect: add re-run health checks command by @wasaga in https://github.com/pomerium/pomerium/pull/5219
zero/k8s: write bootstrap configuration to a secret by @kralicky in https://github.com/pomerium/pomerium/pull/5114

Fixes

authorize: require new login when authenticate url changes by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5165
controlplane: avoid calling Close on nil listener by @kenjenkins in https://github.com/pomerium/pomerium/pull/5156
databroker/leaser: set timeout on ReleaseLease by @wasaga in https://github.com/pomerium/pomerium/pull/5208
logging: add support for using the standard grpc env vars to control log severity and verbosity by @kralicky in https://github.com/pomerium/pomerium/pull/5120
session: do not invalidate based on ID token by @kenjenkins in https://github.com/pomerium/pomerium/pull/5182
ui: fix cycle in profile data by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5168
ui: set Cache-Control: no-cache, tweak sign-out cancel button behavior by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5264
zero/connect: ignore unknown message types by @wasaga in https://github.com/pomerium/pomerium/pull/5223
zero/health-checks: fix early checks sometimes missing by @wasaga in https://github.com/pomerium/pomerium/pull/5229
zero/health-checks: zero route availability improvements by @wasaga in https://github.com/pomerium/pomerium/pull/5111

Changed

authenticate: rework session ID token handling by @kenjenkins in https://github.com/pomerium/pomerium/pull/5178
authorize: add request-id to error messages by @wasaga in https://github.com/pomerium/pomerium/pull/5267
ci: do not include timestamp into buildmeta by @wasaga in https://github.com/pomerium/pomerium/pull/5215
config: optimize policy iterators by @kralicky in https://github.com/pomerium/pomerium/pull/5184
config: sort runtime flags, name consistency by @kenjenkins in https://github.com/pomerium/pomerium/pull/5255
envoy: upgrade to v1.31.0 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5183
github: update README.md by @cmo-pomerium in https://github.com/pomerium/pomerium/pull/5163
github: update README.md by @nikhil-pomerium in https://github.com/pomerium/pomerium/pull/5253
go: update to Go 1.23 by @kralicky in https://github.com/pomerium/pomerium/pull/5216
logging: change log.Error function by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5251
logging: convert warnings to info or error by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5235
proto: update protoc dependencies by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5218
ui: update logo by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5249
zero: refactor controller by @wasaga in https://github.com/pomerium/pomerium/pull/5134
zero/api: generate error methods for response types by @kralicky in https://github.com/pomerium/pomerium/pull/5252
zero/api: reset token and url cache if 401 is received by @wasaga in https://github.com/pomerium/pomerium/pull/5256
zero/api: switch to github.com/oapi-codegen/oapi-codegen by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5226
zero/bundle-download: update metadata by @wasaga in https://github.com/pomerium/pomerium/pull/5212
zero/cmd: make it more evident what caused shutdown by @wasaga in https://github.com/pomerium/pomerium/pull/5209
zero/connect: add telemetry request command by @wasaga in https://github.com/pomerium/pomerium/pull/5131
zero/k8s: set externalTrafficPolicy: Local by @wasaga in https://github.com/pomerium/pomerium/pull/5266
zero/telemetry: add hostname and version by @wasaga in https://github.com/pomerium/pomerium/pull/5146
zero/telemetry: add prometheus streaming converter to OTLP by @wasaga in https://github.com/pomerium/pomerium/pull/5132
zero/telemetry: collect limited core metrics by @wasaga in https://github.com/pomerium/pomerium/pull/5142
zero/telemetry: internal envoy stats scraper and metrics producer by @wasaga in https://github.com/pomerium/pomerium/pull/5136
zero/telemetry: refactor telemetry and controller by @wasaga in https://github.com/pomerium/pomerium/pull/5135

Dependency Updates

bump busybox from 5eef5ed to 9ae97d3 in /.github in the docker group by @dependabot in https://github.com/pomerium/pomerium/pull/5161
bump busybox from 9ae97d3 to 8274294 in /.github in the docker group by @dependabot in https://github.com/pomerium/pomerium/pull/5260
bump braces from 3.0.2 to 3.0.3 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/5139
bump the docker group in /.github with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5124
bump the docker group in /.github with 2 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5202
bump the docker group with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5123
bump the docker group with 2 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5159
bump the docker group with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5201
bump the docker group with 2 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5258
bump the github-actions group with 9 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5121
bump the github-actions group with 4 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5160
bump the github-actions group with 9 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5200
bump the github-actions group with 6 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5259
bump the go group with 27 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5122
bump the go group with 21 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5162
bump the go group across 1 directory with 26 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5207
bump the go group across 1 directory with 28 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5262
bump github.com/docker/docker from 27.0.3+incompatible to 27.1.0+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/5193
bump github.com/opencontainers/runc from 1.1.12 to 1.1.14 by @dependabot in https://github.com/pomerium/pomerium/pull/5261
bump google.golang.org/grpc from 1.64.0 to 1.64.1 by @dependabot in https://github.com/pomerium/pomerium/pull/5169
bump micromatch from 4.0.5 to 4.0.8 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/5240
replace usages of x/exp/maps + bump golang.org/x/exp by @kralicky in https://github.com/pomerium/pomerium/pull/5221

v0.26.1 (2024-07-01)

Full Changelog

Pomerium v0.26.1 includes multiple security updates:

The Pomerium user info page (at /.pomerium) unintentionally included serialized OAuth 2.0 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users, and have now been removed. For more details, please see the official CVE statement.

Credit to Vadim Sheydaev, also known as Enr1g for reporting this issue.
This release includes an update from Envoy 1.30.1 to Envoy 1.30.3 to address the following security issues:
- CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream
- CVE-2024-34363: Crash due to uncaught nlohmann JSON exception
- CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components
- CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()
- CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()
- CVE-2024-32976: Endless loop while decompressing Brotli data with extra input
- CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode
- CVE-2024-38525: datadog tracer does not handle trace headers with unicode characters
The release also removes a transitive dependency on the gopkg.in/square/go-jose.v2 library which is vulnerable to https://github.com/advisories/GHSA-c5q2-7r4c-mv6g.

Security

envoy: upgrade to v1.30.3 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5155
userinfo: remove excess userinfo data by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5148
update the pomerium/webauthn dependency (#5125) by @kenjenkins in https://github.com/pomerium/pomerium/pull/5157

Fixed

autocert: fix filter chain, handshake by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5151

v0.26.0 (2024-05-17)

Full Changelog

Breaking

Changes that are expected to cause an incompatibility.

config: remove deprecated client_ca option by @kenjenkins in https://github.com/pomerium/pomerium/pull/4918
envoy: set explicit hostname on cluster endpoints by @kenjenkins in https://github.com/pomerium/pomerium/pull/5018

New

authenticate: apply branding to sign out pages by @kenjenkins in https://github.com/pomerium/pomerium/pull/5044
authorize: add support for rego print statements by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5049
authorize: log service account user ID by @kenjenkins in https://github.com/pomerium/pomerium/pull/4964
authorize: return non-html errors on denied by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4904
config: add runtime flags by @wasaga in https://github.com/pomerium/pomerium/pull/5050
config: add support for TCP proxy chaining by @kenjenkins in https://github.com/pomerium/pomerium/pull/5053
config: add support for stripping the port for matching routes by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5085
config: disable gRPC ingress when address is the empty string by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5058
config: implement direct response by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4960
databroker: disable identity manager user refresh when hosted authenticate is used by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4905
envoy: clean up temporary directory on start by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4914
envoy: format envoy local replies by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5067
envoy: only enable port reuse on linux by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5066
identity: add enabler by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5084
identity: dynamic authenticator registration by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5105
identity: refactor identity manager by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5091
logging: less verbose logs by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5040
ppl: add client cert SAN match criteria by @kenjenkins in https://github.com/pomerium/pomerium/pull/4913
ppl: add groups criterion by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4916
ui: fix page title by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4957
zero: add route reachability health check by @wasaga in https://github.com/pomerium/pomerium/pull/5093
zero: add service accounts support by @wasaga in https://github.com/pomerium/pomerium/pull/5031
zero: add storage health check by @wasaga in https://github.com/pomerium/pomerium/pull/5074
zero: health check building config from databroker source by @wasaga in https://github.com/pomerium/pomerium/pull/5104
zero: lower log level by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5065
zero: upgrade oapi-codegen by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4953

Fixed

authenticate: redirect to /.pomerium/signed_out when no signout redirect url is defined by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5060
envoy: exclude unauthorized access from local replies by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5108
kubernetes: fix impersonate group header by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5090
zero: add gRPC keep-alive by @wasaga in https://github.com/pomerium/pomerium/pull/4961
zero: fix bootstrap config path by @wasaga in https://github.com/pomerium/pomerium/pull/5035
zero: fix ticker usage by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4969

Changed

authenticate: rework CORS headers log entry by @kenjenkins in https://github.com/pomerium/pomerium/pull/4900
authorize: result denied improvements by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4952
config: remove cookie secure option by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4907
config: fix typo by @wasaga in https://github.com/pomerium/pomerium/pull/4963
core: move telemetry requestid to pkg directory by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4911
core: switch to uber mock by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5073
core: use context.WithoutCancel by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4959
envoy: address strconv.Atoi warnings by @kenjenkins in https://github.com/pomerium/pomerium/pull/5076
envoy: enable TCP keepalive for internal clusters by @kenjenkins in https://github.com/pomerium/pomerium/pull/4902
envoy: migrate deprecated overload setting by @kenjenkins in https://github.com/pomerium/pomerium/pull/5082
envoy: preserve Go's max file limit for Envoy by @kenjenkins in https://github.com/pomerium/pomerium/pull/5102
envoy: upgrade to v1.30.1 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5080
logging: use standard logger by @wasaga in https://github.com/pomerium/pomerium/pull/5096
opa: update for rego 1.0 by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4895
ui: adds upstream error page by @nhayfield in https://github.com/pomerium/pomerium/pull/5113
ui: improve frontend build size by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5109
zero: add user-agent to requests by @wasaga in https://github.com/pomerium/pomerium/pull/5078
zero: add checks for ability to save bootstrap parameter and bundle status reporting by @wasaga in https://github.com/pomerium/pomerium/pull/5064
zero: add connect health check by @wasaga in https://github.com/pomerium/pomerium/pull/5086
zero: add common healthcheck package, zero reporter and first xds check by @wasaga in https://github.com/pomerium/pomerium/pull/5059
zero: add shared secret to the cluster bootstrap params by @wasaga in https://github.com/pomerium/pomerium/pull/5030
zero: only report healthcheck transitions by @wasaga in https://github.com/pomerium/pomerium/pull/5068
zero: remove unused changeset code by @wasaga in https://github.com/pomerium/pomerium/pull/4915
zero: reset back to inmem databroker if connection string is empty by @wasaga in https://github.com/pomerium/pomerium/pull/4955
zero: simplify control loop lease retry code by @wasaga in https://github.com/pomerium/pomerium/pull/4979
zero: update oapi-codegen by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4898

Dependency Updates

chore(deps): bump actions/setup-node from 4.0.1 to 4.0.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4974
chore(deps): bump actions/upload-artifact from 4.0.0 to 4.3.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4922
chore(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4972
chore(deps): bump busybox from ba76950 to 6d9ac92 in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4950
chore(deps): bump cloud.google.com/go/storage from 1.36.0 to 1.37.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4926
chore(deps): bump cloud.google.com/go/storage from 1.37.0 to 1.39.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4989
chore(deps): bump distroless/base-debian12 from 0a93daa to 5eae9ef in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4970
chore(deps): bump distroless/base-debian12 from 996c583 to 1d91d5f by @dependabot in https://github.com/pomerium/pomerium/pull/4980
chore(deps): bump distroless/base from 6c1e34e to 9d4e568 in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4971
chore(deps): bump docker/metadata-action from 5.4.0 to 5.5.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4923
chore(deps): bump docker/setup-buildx-action from 3.0.0 to 3.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4978
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.26.2 to 1.26.6 by @dependabot in https://github.com/pomerium/pomerium/pull/4932
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.26.6 to 1.27.6 by @dependabot in https://github.com/pomerium/pomerium/pull/5015
chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.24.0 to 1.24.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4930
chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.24.1 to 1.25.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4992
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.1 to 1.51.3 by @dependabot in https://github.com/pomerium/pomerium/pull/5016
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.47.7 to 1.48.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4939
chore(deps): bump github.com/docker/docker from 24.0.7+incompatible to 25.0.2+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/4942
chore(deps): bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/5032
chore(deps): bump github.com/docker/docker from 26.0.0+incompatible to 26.0.2+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/5075
chore(deps): bump github.com/envoyproxy/go-control-plane from 0.11.1 to 0.12.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4935
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.2 to 1.0.4 by @dependabot in https://github.com/pomerium/pomerium/pull/4945
chore(deps): bump github.com/google/uuid from 1.5.0 to 1.6.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4933
chore(deps): bump github.com/go-chi/chi/v5 from 5.0.11 to 5.0.12 by @dependabot in https://github.com/pomerium/pomerium/pull/4986
chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4984
chore(deps): bump github.com/jackc/pgx/v5 from 5.5.1 to 5.5.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4944
chore(deps): bump github.com/jackc/pgx/v5 from 5.5.2 to 5.5.3 by @dependabot in https://github.com/pomerium/pomerium/pull/5000
chore(deps): bump github.com/klauspost/compress from 1.17.4 to 1.17.5 by @dependabot in https://github.com/pomerium/pomerium/pull/4940
chore(deps): bump github.com/klauspost/compress from 1.17.5 to 1.17.7 by @dependabot in https://github.com/pomerium/pomerium/pull/4995
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.66 to 7.0.67 by @dependabot in https://github.com/pomerium/pomerium/pull/4996
chore(deps): bump github.com/opencontainers/runc from 1.1.5 to 1.1.12 by @dependabot in https://github.com/pomerium/pomerium/pull/4919
chore(deps): bump github.com/open-policy-agent/opa from 0.60.0 to 0.61.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4937
chore(deps): bump github.com/open-policy-agent/opa from 0.61.0 to 0.62.1 by @dependabot in https://github.com/pomerium/pomerium/pull/5017
chore(deps): bump github.com/prometheus/common from 0.45.0 to 0.46.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4949
chore(deps): bump github.com/prometheus/common from 0.46.0 to 0.49.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4998
chore(deps): bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4999
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.12 to 3.24.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4928
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.24.1 to 3.24.2 by @dependabot in https://github.com/pomerium/pomerium/pull/5001
chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4990
chore(deps): bump github.com/rs/zerolog from 1.31.0 to 1.32.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5004
chore(deps): bump golang from 1.21.5-bookworm to 1.21.6-bookworm by @dependabot in https://github.com/pomerium/pomerium/pull/4920
chore(deps): bump golang.org/x/crypto from 0.18.0 to 0.21.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5013
chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5077
chore(deps): bump golang.org/x/oauth2 from 0.16.0 to 0.18.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5012
chore(deps): bump google-github-actions/setup-gcloud from 2.0.1 to 2.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4924
chore(deps): bump google-github-actions/auth from 2.0.0 to 2.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4925
chore(deps): bump google-github-actions/auth from 2.1.0 to 2.1.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4976
chore(deps): bump google.golang.org/api from 0.154.0 to 0.161.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4938
chore(deps): bump google.golang.org/api from 0.161.0 to 0.168.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5010
chore(deps): bump google.golang.org/grpc from 1.60.1 to 1.61.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4948
chore(deps): bump google.golang.org/grpc from 1.61.0 to 1.62.1 by @dependabot in https://github.com/pomerium/pomerium/pull/5011
chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5009
chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4975
chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc from 0.44.0 to 0.45.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4947
chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc from 0.45.0 to 1.24.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4983
chore(deps): bump go.opentelemetry.io/otel/sdk/metric from 1.21.0 to 1.22.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4946
chore(deps): bump go.opentelemetry.io/otel/sdk/metric from 1.22.0 to 1.24.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5003
chore(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4987
chore(deps): bump mikefarah/yq from 4.40.5 to 4.42.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4977
chore(deps): bump node from 8d0f16f to fd01154 by @dependabot in https://github.com/pomerium/pomerium/pull/4921
chore(deps): bump node from fd01154 to f3299f1 by @dependabot in https://github.com/pomerium/pomerium/pull/4981
chore(deps): bump pre-commit/action from 3.0.0 to 3.0.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4973
chore(deps): bump the docker group with 2 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5024
chore(deps): bump the docker group in /.github with 2 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5023
chore(deps): bump the docker group with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5045
chore(deps): bump the docker group in /.github with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5046
chore(deps): bump the docker group in /.github with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5095
chore(deps): bump the docker group with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5098
chore(deps): bump the github-actions group with 1 update by @dependabot in https://github.com/pomerium/pomerium/pull/5025
chore(deps): bump the github-actions group with 6 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5047
chore(deps): bump the github-actions group with 5 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5094
chore(deps): bump the go group with 10 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5026
chore(deps): bump the go group with 15 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5048
chore(deps): bump the go group with 29 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5097
chore(deps): update UI dependencies by @kenjenkins in https://github.com/pomerium/pomerium/pull/5088
chore(deps): bump @trivago/prettier-plugin-sort-imports from 2.0.4 to 4.3.0 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5054
chore(deps): bump @babel/traverse from 7.16.10 to 7.23.2 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/5055
ci: upgrade to Go 1.22 by @wasaga in https://github.com/pomerium/pomerium/pull/4967
core/lint: upgrade golangci-lint, replace interface with any by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5099
envoy: set to v1.29.2 by @wasaga in https://github.com/pomerium/pomerium/pull/5042
envoy: upgrade to v1.29.3 by @wasaga in https://github.com/pomerium/pomerium/pull/5056
update dev Dockerfiles to use Go 1.22.2 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5063

v0.25.2 (2024-04-05)

Full Changelog

Changed

envoy: upgrade to v1.28.2 by @wasaga in https://github.com/pomerium/pomerium/pull/5057

v0.25.1 (2024-03-13)

Full Changelog

Changed

ci: bump Go to 1.21.8 in docker by @wasaga in https://github.com/pomerium/pomerium/pull/5027
connect: add gRPC keep-alive by @wasaga in https://github.com/pomerium/pomerium/pull/4962
core/ci: check docker base images by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5028
core/zero: fix ticker usage by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5019

v0.25.0 (2024-01-10)

Full Changelog

Breaking

config: remove support for base64 encoded certificates in the certificates field. It may only contain file locations. See https://github.com/pomerium/pomerium/pull/4718 by @calebdoxsey for details.
config: remove debug option, always use json logs by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4857

New

authenticate: Refactoring identity authenticators to initiate redirect. For AWS Cognito, please allow the following sign out https://{AUTHENTICATE_DOMAIN}/.pomerium/signed_out URL. See more details in https://github.com/pomerium/pomerium/pull/4858 by @calebdoxsey.
Initial support for the Pomerium Zero closed beta is included in this release.

Fixed

config: add support for maps in environments, i.e. env IDP_REQUEST_PARAMS='{"x":"y"}' ... by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4717
core: fix graceful stop by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4865
databroker: fix nil data unmarshal by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4734
databroker: fix Patch() error handling for in-memory databroker backend by @kenjenkins in https://github.com/pomerium/pomerium/pull/4838
databroker: hijack connections for notification listeners by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4806
databroker: prevent nil data in the databroker deleted records by @wasaga in https://github.com/pomerium/pomerium/pull/4736
databroker: REDIS backend has been removed in the previous release, https://github.com/pomerium/pomerium/pull/4768 by @calebdoxsey cleans up some remaining references.
envoy: Rewrite the remove_pomerium_cookie lua function to handle = inside of cookie values. by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4641
metrics: enforce text/plain metric format by @kenjenkins in https://github.com/pomerium/pomerium/pull/4774
zero: group funcs that need run within a lease by @wasaga in https://github.com/pomerium/pomerium/pull/4862

Changed

authenticate: add stateful flow by @kenjenkins in https://github.com/pomerium/pomerium/pull/4822
authenticate: change how sessions are deleted by @kenjenkins in https://github.com/pomerium/pomerium/pull/4893
authenticate: getUserInfoData() cleanup by @kenjenkins in https://github.com/pomerium/pomerium/pull/4818
authenticate: move events.go out of internal/authenticateflow by @kenjenkins in https://github.com/pomerium/pomerium/pull/4852
authenticate: move stateless flow logic by @kenjenkins in https://github.com/pomerium/pomerium/pull/4820
authenticate: move logAuthenticateEvent by @kenjenkins in https://github.com/pomerium/pomerium/pull/4821
authenticate: remove extra UpdateUserInfo() call by @kenjenkins in https://github.com/pomerium/pomerium/pull/4813
authenticate: Update the initialization logic for the authenticate, authorize, and proxy services to automatically select between the stateful authentication flow and the stateless authentication flow, depending on whether Pomerium is configured to use the hosted authenticate service. This change ensures a single IdP session is maintained for all user visits, enabling a single sign out behaviour for installations with IdP configured. @kenjenkins in https://github.com/pomerium/pomerium/pull/4765
authenticate: verify redirect in Callback test by @kenjenkins in https://github.com/pomerium/pomerium/pull/4894
config: Add a global config option for pass_identity_headers, in addition to existing per-route option by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4720
config: disable strict-transport-security header with staging autocert by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4741
config: no longer stub out HPKE public key fetch by @kenjenkins in https://github.com/pomerium/pomerium/pull/4853
config: remove unnecessary authenticate route when using hosted authenticate (authenticate.pomerium.app) by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4719
runtime: automatically determine goroutine max cap by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4766
runtime: update to Go 1.21.4 by @kenjenkins in https://github.com/pomerium/pomerium/pull/4770
session: add unit tests for gRPC wrapper methods by @kenjenkins in https://github.com/pomerium/pomerium/pull/4713
tests: add tool for renewing test certs by @kenjenkins in https://github.com/pomerium/pomerium/pull/4742
tests: check for profile cookies by @kenjenkins in https://github.com/pomerium/pomerium/pull/4847
tests: renew test certs by @kenjenkins in https://github.com/pomerium/pomerium/pull/4738
tests: re-generate test configurations by @kenjenkins in https://github.com/pomerium/pomerium/pull/4816
zero: add linear probabilistic counter for MAU estimation by @wasaga in https://github.com/pomerium/pomerium/pull/4776
zero: add more verbose logging about background control loops by @wasaga in https://github.com/pomerium/pomerium/pull/4815
zero: add reporter by @wasaga in https://github.com/pomerium/pomerium/pull/4855
zero: add support for managed mode from config file by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4756
zero: better code reuse by @wasaga in https://github.com/pomerium/pomerium/pull/4758
zero: calculate DAU and MAU by @wasaga in https://github.com/pomerium/pomerium/pull/4810
zero: fix restart behavior by @kenjenkins in https://github.com/pomerium/pomerium/pull/4753
zero: rebase and merge feature/zero branch by @kenjenkins in https://github.com/pomerium/pomerium/pull/4745
zero: set drwx------ for cache dir by @wasaga in https://github.com/pomerium/pomerium/pull/4764
zero: support gzipped blobs by @wasaga in https://github.com/pomerium/pomerium/pull/4767
zero: use os.UserCacheDir for boostrap config path by @kenjenkins in https://github.com/pomerium/pomerium/pull/4744
zero: use production urls by default by @wasaga in https://github.com/pomerium/pomerium/pull/4814

Dependency

bump actions/checkout from 4.1.0 to 4.1.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4692
bump actions/setup-go from 4.1.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4830
bump actions/setup-node from 3.8.1 to 4.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4694
bump actions/setup-node from 4.0.0 to 4.0.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4888
bump actions/setup-python from 4.7.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4827
bump actions/stale from 8.0.0 to 9.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4825
bump actions/upload-artifact from 3.1.3 to 4.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4889
bump busybox from 3fbc632 to 1ceb872 in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4824
bump busybox from 1ceb872 to ba76950 in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4884
bump cloud.google.com/go/storage from 1.33.0 to 1.35.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4750
bump cloud.google.com/go/storage from 1.35.1 to 1.36.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4873
bump distroless/base from 46c5b9b to b31a6e0 in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4670
bump distroless/base from b31a6e0 to 6c1e34e in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4885
bump distroless/base-debian12 from 5e24c7a to 996c583 by @dependabot in https://github.com/pomerium/pomerium/pull/4882
bump distroless/base-debian12 from d2890b2 to 5e24c7a by @dependabot in https://github.com/pomerium/pomerium/pull/4658
bump distroless/base-debian12 from d64f548 to 1dfdb5e in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4671
bump distroless/base-debian12 from 1dfdb5e to 0a93daa in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4886
bump docker/build-push-action from 5.0.0 to 5.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4777
bump docker/metadata-action from 5.0.0 to 5.3.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4826
bump docker/metadata-action from 5.3.0 to 5.4.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4891
bump github.com/aws/aws-sdk-go-v2 from 1.22.2 to 1.24.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4840
bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.40.0 to 1.42.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4751
bump github.com/bits-and-blooms/bitset from 1.11.0 to 1.13.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4876
bump github.com/caddyserver/certmagic from 0.19.2 to 0.20.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4836
bump github.com/cloudflare/circl from 1.3.3 to 1.3.6 by @dependabot in https://github.com/pomerium/pomerium/pull/4674
bump github.com/coreos/go-oidc/v3 from 3.6.0 to 3.8.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4791
bump github.com/coreos/go-oidc/v3 from 3.8.0 to 3.9.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4880
bump github.com/fsnotify/fsnotify from 1.6.0 to 1.7.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4680
bump github.com/google/go-cmp from 0.5.9 to 0.6.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4685
bump github.com/google/uuid from 1.3.1 to 1.4.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4677
bump github.com/google/uuid from 1.4.0 to 1.5.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4878
bump github.com/gorilla/mux from 1.8.0 to 1.8.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4790
bump github.com/gorilla/websocket from 1.5.0 to 1.5.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4793
bump github.com/go-chi/chi/v5 from 5.0.10 to 5.0.11 by @dependabot in https://github.com/pomerium/pomerium/pull/4875
bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4760
bump github.com/jackc/pgx/v5 from 5.4.3 to 5.5.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4803
bump github.com/jackc/pgx/v5 from 5.5.0 to 5.5.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4871
bump github.com/klauspost/compress from 1.17.0 to 1.17.4 by @dependabot in https://github.com/pomerium/pomerium/pull/4798
bump github.com/mattn/go-isatty from 0.0.19 to 0.0.20 by @dependabot in https://github.com/pomerium/pomerium/pull/4801
bump github.com/minio/minio-go/v7 from 7.0.63 to 7.0.65 by @dependabot in https://github.com/pomerium/pomerium/pull/4812
bump github.com/minio/minio-go/v7 from 7.0.65 to 7.0.66 by @dependabot in https://github.com/pomerium/pomerium/pull/4868
bump github.com/oapi-codegen/runtime from 1.0.0 to 1.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4870
bump github.com/open-policy-agent/opa from 0.57.0 to 0.59.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4799
bump github.com/open-policy-agent/opa from 0.59.0 to 0.60.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4879
bump github.com/prometheus/client_golang from 1.17.0 to 1.18.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4872
bump github.com/prometheus/client_model from 0.4.1-0.20230718164431-9a2bf3000d16 to 0.5.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4672
bump github.com/prometheus/common from 0.44.0 to 0.45.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4686
bump github.com/shirou/gopsutil/v3 from 3.23.9 to 3.23.11 by @dependabot in https://github.com/pomerium/pomerium/pull/4794
bump github.com/shirou/gopsutil/v3 from 3.23.11 to 3.23.12 by @dependabot in https://github.com/pomerium/pomerium/pull/4874
bump github.com/spf13/viper from 1.16.0 to 1.18.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4861
bump github.com/VictoriaMetrics/fastcache from 1.12.1 to 1.12.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4802
bump github.com/yuin/gopher-lua from 1.1.0 to 1.1.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4832
bump golang from 1.21.4-bookworm to 1.21.5-bookworm by @dependabot in https://github.com/pomerium/pomerium/pull/4828
bump golang from a6b787c to 1415bb0 by @dependabot in https://github.com/pomerium/pomerium/pull/4883
bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4860. This includes a patch for GO-2023-2402 / CVE-2023-48795 (Terrapin). Note that Pomerium does not use the affected golang.org/x/crypto/ssh package from this module.
bump golang.org/x/net from 0.17.0 to 0.19.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4792
bump golang.org/x/oauth2 from 0.12.0 to 0.15.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4797
bump golang.org/x/sync from 0.3.0 to 0.5.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4748
bump golang.org/x/time from 0.3.0 to 0.5.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4796
bump google-github-actions/auth from 1.1.1 to 2.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4778
bump google-github-actions/setup-gcloud from 1.1.1 to 2.0.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4890
bump google.golang.org/api from 0.143.0 to 0.153.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4835
bump google.golang.org/api from 0.153.0 to 0.154.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4867
bump google.golang.org/protobuf from 1.31.1-0.20231027082548-f4a6c1f6e5c1 to 1.32.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4877
bump mikefarah/yq from 4.35.2 to 4.40.3 by @dependabot in https://github.com/pomerium/pomerium/pull/4780
bump mikefarah/yq from 4.40.3 to 4.40.4 by @dependabot in https://github.com/pomerium/pomerium/pull/4829
bump mikefarah/yq from 4.40.4 to 4.40.5 by @dependabot in https://github.com/pomerium/pomerium/pull/4887
bump node from 42a4d97 to 5f21943 by @dependabot in https://github.com/pomerium/pomerium/pull/4659
bump node from 445acd9 to 8d0f16f by @dependabot in https://github.com/pomerium/pomerium/pull/4881
bump sigs.k8s.io/yaml from 1.3.0 to 1.4.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4688
bump stefanzweifel/git-auto-commit-action from 4.16.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4693
zero/openapi: pin v1.0.0 of a runtime by @wasaga in https://github.com/pomerium/pomerium/pull/4851

v0.24.0 (2023-11-16)

Full Changelog

Breaking

config: remove set_authorization_header option by @kenjenkins in https://github.com/pomerium/pomerium/pull/4489
core/config: remove support for base64 encoded certificates by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4725
databroker: remove redis storage backend by @kenjenkins in https://github.com/pomerium/pomerium/pull/4699

New

databroker: build config concurrently, option to bypass validation by @wasaga in https://github.com/pomerium/pomerium/pull/4655

Fixed

core/authenticate: refactor idp sign out by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4582
core/authenticate: validate the identity profile by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4545
core/authorize: check for expired tokens by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4543
core/identity: fix slow restart by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4542
core/storage: fix nil data unmarshal by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4739

Changed

Add metric request error in log by @sylr in https://github.com/pomerium/pomerium/pull/4585
authorize: build evaluators cache in parallel by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4731
authorize: reuse policy evaluators where possible by @kenjenkins in https://github.com/pomerium/pomerium/pull/4710
config: do not add route headers to global map by @kenjenkins in https://github.com/pomerium/pomerium/pull/4629
core/config: add config version, additional telemetry by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4645
core/config: add support for maps in environments by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4728
core/config: refactor change dispatcher by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4657
core/config: refactor file watcher by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4702
core/config: remove version by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4653
core/controlplane: apply configuration changes in a background thread by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4649
core/envoy: fix remove cookie lua script by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4732
core/events: refactor the events.Target to use mutexes instead of a background goroutine by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4700
core/filemgr: use xxhash instead of sha512 for filenames by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4697
core/hpke: reduce memory usage from zstd by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4650
cryptutil: remove unused functions by @kenjenkins in https://github.com/pomerium/pomerium/pull/4541
databroker: add patch method by @kenjenkins in https://github.com/pomerium/pomerium/pull/4704
databroker: add reconciler by @wasaga in https://github.com/pomerium/pomerium/pull/4709
databroker: add utility recordset and changeset by @wasaga in https://github.com/pomerium/pomerium/pull/4701
databroker: changeset: prevent nil data in the deleted records by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4737
Docs: remove tcp example by @ZPain8464 in https://github.com/pomerium/pomerium/pull/4616
identity: override TokenSource expiry behavior by @kenjenkins in https://github.com/pomerium/pomerium/pull/4632
identity: preserve session refresh schedule by @kenjenkins in https://github.com/pomerium/pomerium/pull/4633
identity: rework session refresh error handling by @kenjenkins in https://github.com/pomerium/pomerium/pull/4638
integration: renew test certs by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4740
proto: add id to certificate by @wasaga in https://github.com/pomerium/pomerium/pull/4706
protoutil: add OverwriteMasked method by @kenjenkins in https://github.com/pomerium/pomerium/pull/4651
reconciler: allow custom comparison function by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4727
rework session updates to use new patch method by @kenjenkins in https://github.com/pomerium/pomerium/pull/4705
storage/inmemory: implement patch operation by @kenjenkins in https://github.com/pomerium/pomerium/pull/4654
storage/postgres: implement patch operation by @kenjenkins in https://github.com/pomerium/pomerium/pull/4656
upgrade envoy to v1.28.0 by @kenjenkins in https://github.com/pomerium/pomerium/pull/4635
xds: add type url to log by @wasaga in https://github.com/pomerium/pomerium/pull/4696

Dependency

chore(deps): bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4496
chore(deps): bump actions/checkout from 3.6.0 to 4.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4562
chore(deps): bump actions/checkout from 4.0.0 to 4.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4611
chore(deps): bump actions/setup-go from 4.0.1 to 4.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4497
chore(deps): bump actions/setup-node from 3.7.0 to 3.8.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4501
chore(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in https://github.com/pomerium/pomerium/pull/4557
chore(deps): bump busybox from caa382c to 3fbc632 in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4549
chore(deps): bump cloud.google.com/go/storage from 1.31.0 to 1.32.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4518
chore(deps): bump cloud.google.com/go/storage from 1.32.0 to 1.33.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4579
chore(deps): bump coverallsapp/github-action from 2.2.1 to 2.2.3 by @dependabot in https://github.com/pomerium/pomerium/pull/4560
chore(deps): bump distroless/base from b0216a3 to 46c5b9b in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4550
chore(deps): bump docker/build-push-action from 4.1.1 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4554
chore(deps): bump docker/login-action from 2.2.0 to 3.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4552
chore(deps): bump docker/metadata-action from 4.6.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4553
chore(deps): bump docker/setup-buildx-action from 2.9.1 to 2.10.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4498
chore(deps): bump docker/setup-buildx-action from 2.10.0 to 3.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4555
chore(deps): bump docker/setup-qemu-action from 2.2.0 to 3.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4559
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.32 to 1.18.38 by @dependabot in https://github.com/pomerium/pomerium/pull/4522
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.38 to 1.18.40 by @dependabot in https://github.com/pomerium/pomerium/pull/4581
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.40 to 1.18.42 by @dependabot in https://github.com/pomerium/pomerium/pull/4599
chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.20.0 to 1.21.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4524
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.38.1 to 1.38.5 by @dependabot in https://github.com/pomerium/pomerium/pull/4521
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.38.5 to 1.40.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4600
chore(deps): bump github.com/caddyserver/certmagic from 0.19.1 to 0.19.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4526
chore(deps): bump github.com/CAFxX/httpcompression from 0.0.8 to 0.0.9 by @dependabot in https://github.com/pomerium/pomerium/pull/4572
chore(deps): bump github.com/docker/docker from 24.0.2+incompatible to 24.0.6+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/4570
chore(deps): bump github.com/docker/docker from 24.0.6+incompatible to 24.0.7+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/4646
chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4517
chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.4 to 2.0.6 by @dependabot in https://github.com/pomerium/pomerium/pull/4528
chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.6 to 2.0.7 by @dependabot in https://github.com/pomerium/pomerium/pull/4607
chore(deps): bump github.com/jackc/pgx/v5 from 5.4.2 to 5.4.3 by @dependabot in https://github.com/pomerium/pomerium/pull/4531
chore(deps): bump github.com/klauspost/compress from 1.16.7 to 1.17.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4566
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.61 to 7.0.63 by @dependabot in https://github.com/pomerium/pomerium/pull/4527
chore(deps): bump github.com/open-policy-agent/opa from 0.55.0 to 0.56.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4530
chore(deps): bump github.com/open-policy-agent/opa from 0.56.0 to 0.57.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4606
chore(deps): bump github.com/openzipkin/zipkin-go from 0.4.1 to 0.4.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4523
chore(deps): bump github.com/prometheus/client_golang from 1.16.0 to 1.17.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4603
chore(deps): bump github.com/prometheus/procfs from 0.11.1 to 0.12.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4602
chore(deps): bump github.com/rs/cors from 1.9.0 to 1.10.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4574
chore(deps): bump github.com/rs/cors from 1.10.0 to 1.10.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4601
chore(deps): bump github.com/rs/zerolog from 1.30.0 to 1.31.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4598
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.7 to 3.23.8 by @dependabot in https://github.com/pomerium/pomerium/pull/4519
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.8 to 3.23.9 by @dependabot in https://github.com/pomerium/pomerium/pull/4605
chore(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4499
chore(deps): bump google.golang.org/api from 0.134.0 to 0.138.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4532
chore(deps): bump google.golang.org/api from 0.138.0 to 0.141.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4578
chore(deps): bump google.golang.org/api from 0.141.0 to 0.143.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4608
chore(deps): bump google.golang.org/grpc from 1.57.0 to 1.58.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4575
chore(deps): bump google.golang.org/grpc from 1.58.2 to 1.58.3 by @dependabot in https://github.com/pomerium/pomerium/pull/4640
chore(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4626
chore(deps): bump golang.org/x/oauth2 from 0.11.0 to 0.12.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4580
chore(deps): bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4502
chore(deps): bump goreleaser/goreleaser-action from 4.4.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4563
chore(deps): bump go.uber.org/zap from 1.24.0 to 1.25.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4516
chore(deps): bump go.uber.org/zap from 1.25.0 to 1.26.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4577
chore(deps): bump mikefarah/yq from 4.34.2 to 4.35.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4503
chore(deps): bump mikefarah/yq from 4.35.1 to 4.35.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4610
chore(deps): bump node from f41231b to 7923c64 by @dependabot in https://github.com/pomerium/pomerium/pull/4551
chore(deps): bump node from 7923c64 to 2daec43 by @dependabot in https://github.com/pomerium/pomerium/pull/4609
chore(deps): bump node from 850d8e1 to f41231b by @dependabot in https://github.com/pomerium/pomerium/pull/4533
chore(deps): bump tibdex/github-app-token from 1.8.0 to 1.8.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4505
chore(deps): bump tibdex/github-app-token from 1.8.2 to 2.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4556
chore(deps): bump tibdex/github-app-token from 2.0.0 to 2.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4612
chore(deps): bump @fontsource/dm-mono from 4.5.2 to 5.0.11 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4515
chore(deps): bump @fontsource/dm-mono from 5.0.11 to 5.0.12 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4573
chore(deps): bump @fontsource/dm-mono from 5.0.12 to 5.0.14 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4619
chore(deps): bump @fontsource/dm-sans from 5.0.3 to 5.0.11 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4508
chore(deps): bump @fontsource/dm-sans from 5.0.11 to 5.0.12 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4561
chore(deps): bump @fontsource/dm-sans from 5.0.12 to 5.0.13 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4593
chore(deps): bump @mui/icons-material from 5.3.1 to 5.14.9 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4567
chore(deps-dev): bump ts-node from 10.4.0 to 10.9.1 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4279
core/go: upgrade go.mod by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4711

v0.23.0 (2023-08-24)

Full Changelog

New

adds success colors for statuses in the 200 range #4314 (@nhayfield)
authenticate: add aws cognito #4137 (@wasaga)
authorize: log id token claims separately from id token #4394 (@calebdoxsey)
config: add cookie_same_site option #4148 (@calebdoxsey)
hpke: compress query string #4147 (@calebdoxsey)

Fixed

autocert: suppress OCSP stapling errors #4371 (@calebdoxsey)
config: update logic for checking overlapping certificates #4216 (@calebdoxsey)
config: validate log levels #4367 (@calebdoxsey)
databroker: fix fast forward #4192 (@calebdoxsey)
databroker: sort configs #4190 (@calebdoxsey)
envoy: set re2 limits very high #4187 (@calebdoxsey)
envoyconfig: disable validation context when no client certificates are required #4151 (@calebdoxsey)
fix WillHaveCertificateForServerName check to be strict match for derived cert name #4167 (@wasaga)

Dependency

chore(deps): bump actions/checkout from 3.5.0 to 3.5.2 #4153 (@dependabot[bot])
chore(deps): bump actions/checkout from 3.5.2 to 3.5.3 #4239 (@dependabot[bot])
chore(deps): bump actions/setup-go from 4.0.0 to 4.0.1 #4176 (@dependabot[bot])
chore(deps): bump actions/setup-node from 3.6.0 to 3.7.0 #4432 (@dependabot[bot])
chore(deps): bump actions/setup-python from 4.6.0 to 4.6.1 #4203 (@dependabot[bot])
chore(deps): bump actions/setup-python from 4.6.1 to 4.7.0 #4429 (@dependabot[bot])
chore(deps): bump cloud.google.com/go/storage from 1.29.0 to 1.30.1 #4221 (@dependabot[bot])
chore(deps): bump cloud.google.com/go/storage from 1.30.1 to 1.31.0 #4332 (@dependabot[bot])
chore(deps): bump coverallsapp/github-action from 2.1.2 to 2.2.0 #4241 (@dependabot[bot])
chore(deps): bump coverallsapp/github-action from 2.2.0 to 2.2.1 #4430 (@dependabot[bot])
chore(deps): bump debian from 1fbdbcf to 4291be2 #4160 (@dependabot[bot])
chore(deps): bump debian from 4291be2 to cd9b6e7 #4206 (@dependabot[bot])
chore(deps): bump docker/build-push-action from 4.0.0 to 4.1.1 #4264 (@dependabot[bot])
chore(deps): bump docker/login-action from 2.1.0 to 2.2.0 #4274 (@dependabot[bot])
chore(deps): bump docker/metadata-action from 4.4.0 to 4.5.0 #4242 (@dependabot[bot])
chore(deps): bump docker/metadata-action from 4.5.0 to 4.6.0 #4273 (@dependabot[bot])
chore(deps): bump docker/setup-buildx-action from 2.4.1 to 2.5.0 #4154 (@dependabot[bot])
chore(deps): bump docker/setup-buildx-action from 2.5.0 to 2.7.0 #4262 (@dependabot[bot])
chore(deps): bump docker/setup-buildx-action from 2.7.0 to 2.8.0 #4330 (@dependabot[bot])
chore(deps): bump docker/setup-buildx-action from 2.8.0 to 2.9.1 #4433 (@dependabot[bot])
chore(deps): bump docker/setup-qemu-action from 2.1.0 to 2.2.0 #4263 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.21 to 1.18.25 #4208 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.25 to 1.18.27 #4286 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.27 to 1.18.32 #4436 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.31.2 to 1.33.0 #4139 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.33.0 to 1.34.0 #4260 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.34.0 to 1.34.1 #4290 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.34.1 to 1.36.0 #4323 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.36.0 to 1.38.1 #4435 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.17.2 to 0.18.0 #4291 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.18.0 to 0.18.2 #4334 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.18.2 to 0.19.1 #4401 (@dependabot[bot])
chore(deps): bump github.com/cenkalti/backoff/v4 from 4.2.0 to 4.2.1 #4156 (@dependabot[bot])
chore(deps): bump github.com/cloudflare/circl from 1.3.2 to 1.3.3 #4158 (@dependabot[bot])
chore(deps): bump github.com/coreos/go-oidc/v3 from 3.5.0 to 3.6.0 #4226 (@dependabot[bot])
chore(deps): bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible #4170 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 23.0.3+incompatible to 23.0.5+incompatible #4141 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 23.0.5+incompatible to 23.0.6+incompatible #4164 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 23.0.6+incompatible to 24.0.1+incompatible #4183 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 24.0.1+incompatible to 24.0.2+incompatible #4205 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.0 to 1.0.1 #4185 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.1 to 1.0.2 #4329 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/go-control-plane from 0.11.0 to 0.11.1 #4247 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.10.1 to 1.0.0 #4155 (@dependabot[bot])
chore(deps): bump github.com/go-chi/chi/v5 from 5.0.8 to 5.0.10 #4407 (@dependabot[bot])
chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.2 to 2.0.3 #4267 (@dependabot[bot])
chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.3 to 2.0.4 #4327 (@dependabot[bot])
chore(deps): bump github.com/jackc/pgx/v5 from 5.3.1 to 5.4.0 #4293 (@dependabot[bot])
chore(deps): bump github.com/jackc/pgx/v5 from 5.4.0 to 5.4.1 #4324 (@dependabot[bot])
chore(deps): bump github.com/jackc/pgx/v5 from 5.4.1 to 5.4.2 #4409 (@dependabot[bot])
chore(deps): bump github.com/klauspost/compress from 1.16.0 to 1.16.5 #4177 (@dependabot[bot])
chore(deps): bump github.com/klauspost/compress from 1.16.5 to 1.16.6 #4281 (@dependabot[bot])
chore(deps): bump github.com/mholt/acmez from 1.1.0 to 1.1.1 #4184 (@dependabot[bot])
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.52 to 7.0.55 #4202 (@dependabot[bot])
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.55 to 7.0.56 #4243 (@dependabot[bot])
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.56 to 7.0.57 #4280 (@dependabot[bot])
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.57 to 7.0.59 #4333 (@dependabot[bot])
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.59 to 7.0.61 #4415 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.51.0 to 0.52.0 #4142 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.52.0 to 0.53.1 #4235 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.54.0 to 0.55.0 #4404 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.10.1 to 0.11.0 #4276 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.11.0 to 0.11.1 #4400 (@dependabot[bot])
chore(deps): bump github.com/prometheus/client_golang from 1.15.0 to 1.15.1 #4157 (@dependabot[bot])
chore(deps): bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 #4268 (@dependabot[bot])
chore(deps): bump github.com/prometheus/client_model from 0.3.0 to 0.4.0 #4162 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.42.0 to 0.43.0 #4172 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.43.0 to 0.44.0 #4244 (@dependabot[bot])
chore(deps): bump github.com/peterbourgon/ff/v3 from 3.3.0 to 3.3.1 #4204 (@dependabot[bot])
chore(deps): bump github.com/peterbourgon/ff/v3 from 3.3.1 to 3.3.2 #4248 (@dependabot[bot])
chore(deps): bump github.com/peterbourgon/ff/v3 from 3.3.2 to 3.4.0 #4399 (@dependabot[bot])
chore(deps): bump github.com/rs/cors from 1.8.3 to 1.9.0 #4179 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.29.1 to 1.30.0 #4406 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.3 to 3.23.4 #4165 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.4 to 3.23.5 #4225 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.5 to 3.23.6 #4328 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.6 to 3.23.7 #4402 (@dependabot[bot])
chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0 #4296 (@dependabot[bot])
chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 #4200 (@dependabot[bot])
chore(deps): bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 #4238 (@dependabot[bot])
chore(deps): bump golang from 1.20.3-buster to 1.20.4-buster #4161 (@dependabot[bot])
chore(deps): bump golang from 1.20.4-buster to 1.20.5-buster #4227 (@dependabot[bot])
chore(deps): bump golang from b0f97bf to eb3f9ac #4271 (@dependabot[bot])
chore(deps): bump golang from 4cf6dc4 to 6be6011 #4207 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.118.0 to 0.120.0 #4143 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.120.0 to 0.121.0 #4159 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.121.0 to 0.125.0 #4222 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.121.0 to 0.126.0 #4236 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.126.0 to 0.128.0 #4283 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.128.0 to 0.130.0 #4348 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.130.0 to 0.134.0 #4403 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.54.0 to 1.55.0 #4166 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.55.0 to 1.56.0 #4278 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.56.1 to 1.57.0 #4411 (@dependabot[bot])
chore(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0 #4325 (@dependabot[bot])
chore(deps): bump golang.org/x/crypto from 0.8.0 to 0.9.0 #4182 (@dependabot[bot])
chore(deps): bump golang.org/x/crypto from 0.9.0 to 0.10.0 #4266 (@dependabot[bot])
chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 #4174 (@dependabot[bot])
chore(deps): bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 #4178 (@dependabot[bot])
chore(deps): bump golang.org/x/oauth2 from 0.8.0 to 0.9.0 #4287 (@dependabot[bot])
chore(deps): bump golang.org/x/sync from 0.1.0 to 0.2.0 #4163 (@dependabot[bot])
chore(deps): bump golang.org/x/sync from 0.2.0 to 0.3.0 #4294 (@dependabot[bot])
chore(deps): bump google-github-actions/auth from 1.1.0 to 1.1.1 #4173 (@dependabot[bot])
chore(deps): bump google-github-actions/setup-gcloud from 1.1.0 to 1.1.1 #4175 (@dependabot[bot])
chore(deps): bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 #4240 (@dependabot[bot])
chore(deps): bump markdown-to-jsx from 7.1.7 to 7.2.1 in /ui #4297 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.33.3 to 4.34.1 #4201 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.34.1 to 4.34.2 #4431 (@dependabot[bot])
chore(deps): bump node from 3801c22 to 850d8e1 #4416 (@dependabot[bot])
chore(deps): bump node from 05824f7 to 3801c22 #4322 (@dependabot[bot])
chore(deps): bump node from f658ece to 05824f7 #4272 (@dependabot[bot])
chore(deps): bump node from df5a66e to f658ece #4252 (@dependabot[bot])
chore(deps): bump react-feather from 2.0.9 to 2.0.10 in /ui #4306 (@dependabot[bot])
chore(deps): bump semver from 6.3.0 to 6.3.1 in /ui #4350 (@dependabot[bot])
chore(deps): bump word-wrap from 1.2.3 to 1.2.4 in /ui #4369 (@dependabot[bot])
chore(deps): bump @emotion/styled from 11.6.0 to 11.11.0 in /ui #4277 (@dependabot[bot])
chore(deps): bump @fontsource/dm-sans from 4.5.1 to 5.0.3 in /ui #4307 (@dependabot[bot])
chore(deps-dev): bump typescript from 4.5.5 to 5.1.3 in /ui #4289 (@dependabot[bot])
chore(deps-dev): bump @typescript-eslint/parser from 5.10.2 to 5.59.11 in /ui #4282 (@dependabot[bot])
dependencies: pin node to lts #4218 (@wasaga)
dependencies: upgrade otel #4395 (@calebdoxsey)

Changed

add downstream mTLS integration test cases (main) #4234 (@kenjenkins)
add integration test for client_crl setting #4384 (@kenjenkins)
add integration test for https IP address route #4476 (@kenjenkins)
add integration test for Pomerium JWT #4472 (@kenjenkins)
add JWT timestamp formatting workaround #4270 (@kenjenkins)
authenticate: remove extraneous error log #4319 (@kenjenkins)
authorize: add support for logging id token #4392 (@calebdoxsey)
authorize: allow client certificate intermediates #4451 (@kenjenkins)
authorize: check CRLs only for leaf certificates #4480 (@kenjenkins)
authorize: do not redirect if invalid client cert #4344 (@kenjenkins)
authorize: do not rely on Envoy client cert validation #4438 (@kenjenkins)
authorize: fix policy numbers in evaluator test #4387 (@kenjenkins)
authorize: implement client certificate CRL check #4439 (@kenjenkins)
authorize: incorporate mTLS validation from Envoy #4374 (@kenjenkins)
authorize: remove a nolint directive #4375 (@kenjenkins)
authorize: remove incorrect "valid-client-certificate" reason #4470 (@kenjenkins)
authorize: remove JWT timestamp format workaround #4321 (@kenjenkins)
authorize: rework token substitution in headers #4456 (@kenjenkins)
autocert: use new OCSP error type #4437 (@kenjenkins)
chore: unnecessary use of fmt.Sprintf #4349 (@testwill)
ci: updates #4269 (@calebdoxsey)
config: add decode hook for the SANMatcher type #4464 (@kenjenkins)
config: deprecate tls_downstream_client_ca #4461 (@kenjenkins)
config: simplify default set response headers #4196 (@calebdoxsey)
config: support client certificate SAN match #4453 (@kenjenkins)
config: support arbitrary nested config structs #4440 (@kenjenkins)
config: validate cookie_secure option #4484 (@kenjenkins)
cryptutil: update CRL parsing #4454 (@kenjenkins)
dependabot: improvements #4261 (@calebdoxsey)
envoy: add a filter to store client cert info #4372 (@kenjenkins)
envoy: check for nil ssl() in client cert script #4466 (@kenjenkins)
envoy: configure upstream IP SAN match as needed #4380 (@kenjenkins)
envoy: separate gRPC listener configuration #4365 (@kenjenkins)
fix lint warning in pkg/envoy #4181 (@kenjenkins)
improve certificate matching performance #4186 (@calebdoxsey)
logs: add ip address to access logs #4391 (@calebdoxsey)
organize go.mod #4320 (@kenjenkins)
pin to a debian:latest image for casource base image #4250 (@kenjenkins)
replace docker publish action ::set-output usage #4359 (@kenjenkins)
storage: add indexes for postgres #4479 (@calebdoxsey)
stub out HPKE public key fetch for self-hosted authenticate #4360 (@kenjenkins)
upgrade main #4457 (@wasaga)
Update README.md #4146 (@desimone)
Update SECURITY.md #4144 (@desimone)

v0.22.3 (2023-08-21)

Full Changelog

Changed

add integration test for https IP address route #4477 (@kenjenkins)
add integration test for Pomerium JWT #4473 (@kenjenkins)
add JWT timestamp formatting workaround #4309 (@backport-actions-token[bot])
authorize: populate issuer even when policy is nil #4213 (@backport-actions-token[bot])
autocert: suppress OCSP stapling errors #4373 (@backport-actions-token[bot])
backport #4368 (@calebdoxsey)
ci: fix lint workflow (#4229) #4311 (@kenjenkins)
config: update logic for checking overlapping certificates (#4216) #4217 (@calebdoxsey)
config: simplify default set response headers #4212 (@backport-actions-token[bot])
envoy: configure upstream IP SAN match as needed #4382 (@backport-actions-token[bot])
github-actions: remove license check #4475 (@kenjenkins)
pin to a debian:latest image for casource base image (#4250) #4310 (@kenjenkins)

v0.22.2 (2023-05-26)

Full Changelog

Security

This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.

Changed

databroker: sort configs by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4191
databroker: fix fast forward by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4194
envoy: set re2 limits very high by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4189
fix WillHaveCertificateForServerName check to be strict match for derived cert name by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4169
improve certificate matching performance by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4188

v0.22.1 (2023-05-04)

Full Changelog

Changed

envoyconfig: disable validation context when no client certificates are required by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4152

v0.22.0 (2023-05-01)

Full Changelog

Security

Pomerium upgraded to Go v1.20.3 and Envoy v1.24.5 to address security issues exposed in these packages. See the release notes in the links for more information.

Changed

add google cloud creds to ignore #3906 (@wasaga)
apple: fix userinfo #3974 (@calebdoxsey)
Appleid #3959 (@mnestor)
authenticate: add events #4051 (@wasaga)
authenticate: don't require a session for sign_out #4009 (@backport-actions-token[bot])
authenticate: fix callback handler for split mode #4008 (@wasaga)
chore(deps): bump actions/checkout from 3.4.0 to 3.5.0 #4078 (@dependabot[bot])
chore(deps): bump docker/setup-buildx-action from 2.2.1 to 2.4.0 #3924 (@dependabot[bot])
config: remove source, remove deadcode, fix linting issues #4118 (@calebdoxsey)
databroker: add list types method #3937 (@calebdoxsey)
envoy: optimize listener #3952 (@wasaga)
maybe fix flaky test #3929 (@calebdoxsey)
move hpke public key handler out of internal #4065 (@wasaga)
remove log message when no provider defined #3936 (@calebdoxsey)
Update SECURITY.md #4145 (@backport-actions-token[bot])
webauthn: only return known device credentials that match the given type #3981 (@calebdoxsey)

New

authenticate: fix authenticate_internal_service_url for all in one #4003 (@wasaga)
authenticate: have an option to trim the contents of the callback #4090 (@wasaga)
authenticate: only use csrf none for apple #3979 (@calebdoxsey)
config: default to authenticate.pomerium.app when authenticate url is not specified #4132 (@calebdoxsey)
cryptutil: generate certificates from deriveca #3992 (@calebdoxsey)
envoyconfig: preserve case of HTTP headers when using HTTP/1 #3956 (@calebdoxsey)
support loading route configuration via rds #4098 (@calebdoxsey)
urlutil: add version to query string #4028 (@calebdoxsey)

Fixed

authenticate: always trust the passed in idp #3917 (@calebdoxsey)
authenticate: don't require a session for sign_out #4007 (@calebdoxsey)
authenticate: fix identity provider id in encrypted query string #4006 (@calebdoxsey)
authenticate: save the session cookie with a different name #3978 (@calebdoxsey)
authorize: allow access to /.pomerium/webauthn when policy denies access #4015 (@calebdoxsey)
authorize: move sign out and jwks urls to route, update issuer for JWT #4046 (@calebdoxsey)
autocert: fix certmagic cache logging #4134 (@calebdoxsey)
config: fix set_response_headers #4026 (@calebdoxsey)
derivecert: fix ecdsa code to be deterministic #3989 (@calebdoxsey)
fix webauthn url #3983 (@calebdoxsey)
hpke: move published public keys to a new endpoint #4044 (@calebdoxsey)
identity: fix nil reference error when there is no authenticator #3930 (@calebdoxsey)
lua: fix rewrite response headers to handle dashes in URLs #3980 (@calebdoxsey)
store authenticate state on creation #4064 (@wasaga)
tls: wildcard catch-all cert must be at the end of cert list #4119 (@wasaga)

Dependency

chore(deps): bump actions/cache from 3.2.3 to 3.2.4 #3923 (@dependabot[bot])
chore(deps): bump actions/cache from 3.2.4 to 3.2.5 #3962 (@dependabot[bot])
chore(deps): bump actions/cache from 3.2.5 to 3.2.6 #4019 (@dependabot[bot])
chore(deps): bump actions/cache from 3.2.6 to 3.3.1 #4054 (@dependabot[bot])
chore(deps): bump actions/checkout from 3.3.0 to 3.4.0 #4068 (@dependabot[bot])
chore(deps): bump actions/checkout from 3.5.0 to 3.5.2 #4108 (@dependabot[bot])
chore(deps): bump actions/setup-go from 3.5.0 to 4.0.0 #4067 (@dependabot[bot])
chore(deps): bump actions/setup-python from 4.5.0 to 4.6.0 #4123 (@dependabot[bot])
chore(deps): bump actions/stale from 7.0.0 to 8.0.0 #4077 (@dependabot[bot])
chore(deps): bump cloud.google.com/go/storage from 1.28.1 to 1.29.0 #3912 (@dependabot[bot])
chore(deps): bump coverallsapp/github-action from 1.1.3 to 1.2.2 #4017 (@dependabot[bot])
chore(deps): bump coverallsapp/github-action from 1.2.2 to 1.2.4 #4041 (@dependabot[bot])
chore(deps): bump coverallsapp/github-action from 1.2.4 to 2.0.0 #4069 (@dependabot[bot])
chore(deps): bump coverallsapp/github-action from 2.0.0 to 2.1.0 #4100 (@dependabot[bot])
chore(deps): bump coverallsapp/github-action from 2.1.0 to 2.1.2 #4124 (@dependabot[bot])
chore(deps): bump debian from 12931ad to 50cf570 #3950 (@dependabot[bot])
chore(deps): bump debian from 50cf570 to 7b16406 #3970 (@dependabot[bot])
chore(deps): bump debian from 7b16406 to c1c4bb9 #4042 (@dependabot[bot])
chore(deps): bump debian from c1c4bb9 to d4bbca2 #4085 (@dependabot[bot])
chore(deps): bump debian from d4bbca2 to 1fbdbcf #4115 (@dependabot[bot])
chore(deps): bump distroless/base from 4f9fe94 to 9687cd3 #3968 (@dependabot[bot])
chore(deps): bump distroless/base from 5812871 to 357bc96 #4102 (@dependabot[bot])
chore(deps): bump distroless/base from 76b0529 to 4f9fe94 #3948 (@dependabot[bot])
chore(deps): bump distroless/base from 8e770ae to 5812871 #4025 (@dependabot[bot])
chore(deps): bump distroless/base from 9687cd3 to 8e770ae #3995 (@dependabot[bot])
chore(deps): bump distroless/base from 9eeffdc to 76b0529 #3928 (@dependabot[bot])
chore(deps): bump docker/build-push-action from 3.3.0 to 4.0.0 #3942 (@dependabot[bot])
chore(deps): bump docker/metadata-action from 4.3.0 to 4.4.0 #4122 (@dependabot[bot])
chore(deps): bump docker/setup-buildx-action from 2.4.0 to 2.4.1 #3941 (@dependabot[bot])
chore(deps): bump docker/setup-buildx-action from 2.4.1 to 2.5.0 #4055 (@dependabot[bot])
chore(deps): bump fossa-contrib/fossa-action from 1.2.0 to 2.0.0 #3961 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.17.3 to 1.17.4 #3946 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.17.5 to 1.17.6 #4059 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.10 to 1.18.14 #4002 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.14 to 1.18.15 #4018 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.15 to 1.18.18 #4070 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.18 to 1.18.19 #4080 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.19 to 1.18.21 #4126 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.8 to 1.18.10 #3927 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.0 to 1.30.1 #3925 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.1 to 1.30.2 #3944 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.2 to 1.30.3 #3998 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.3 to 1.30.5 #4024 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.5 to 1.31.2 #4106 (@dependabot[bot])
chore(deps): bump github.com/cloudflare/circl from 1.3.1 to 1.3.2 #3947 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.22+incompatible to 20.10.23+incompatible #3911 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.23+incompatible to 23.0.1+incompatible #3967 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 23.0.1+incompatible to 23.0.3+incompatible #4101 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.10.0 to 0.10.1 #4083 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.9.1 to 0.10.0 #4074 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.50.1 to 1.51.2 #4020 (@dependabot[bot])
chore(deps): bump github.com/google/go-jsonnet from 0.19.1 to 0.20.0 #4140 (@dependabot[bot])
chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.1 to 2.0.2 #4073 (@dependabot[bot])
chore(deps): bump github.com/jackc/pgx/v5 from 5.2.0 to 5.3.0 #3964 (@dependabot[bot])
chore(deps): bump github.com/jackc/pgx/v5 from 5.3.0 to 5.3.1 #4039 (@dependabot[bot])
chore(deps): bump github.com/mholt/acmez from 1.0.4 to 1.1.0 #4000 (@dependabot[bot])
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.47 to 7.0.50 #4081 (@dependabot[bot])
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.50 to 7.0.52 #4128 (@dependabot[bot])
chore(deps): bump github.com/natefinch/atomic from 0.0.0-20200526193002-18c0533a5b09 to 1.0.1 #4021 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.48.0 to 0.49.2 #4023 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.49.2 to 0.50.0 #4056 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.49.2 to 0.51.0 #4130 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.50.0 to 0.50.1 #4072 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.50.1 to 0.51.0 #4093 (@dependabot[bot])
chore(deps): bump github.com/opencontainers/runc from 1.1.2 to 1.1.5 #4088 (@dependabot[bot])
chore(deps): bump github.com/ory/dockertest/v3 from 3.9.1 to 3.10.0 #4111 (@dependabot[bot])
chore(deps): bump github.com/prometheus/client_golang from 1.14.0 to 1.15.0 #4110 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.39.0 to 0.41.0 #4035 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.28.0 to 1.29.0 #3920 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.29.0 to 1.29.1 #4127 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.1 to 3.23.2 #4037 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.2 to 3.23.3 #4129 (@dependabot[bot])
chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 #3910 (@dependabot[bot])
chore(deps): bump github.com/VictoriaMetrics/fastcache from 1.12.0 to 1.12.1 #4057 (@dependabot[bot])
chore(deps): bump github.com/yuin/gopher-lua from 0.0.0-20200816102855-ee81675732da to 1.1.0 #4022 (@dependabot[bot])
chore(deps): bump golang from 413cd9e to 73c225b #4114 (@dependabot[bot])
chore(deps): bump golang from 4447a7f to f8fbd74 #3969 (@dependabot[bot])
chore(deps): bump golang from 57dbdd5 to 97c3e1d #4084 (@dependabot[bot])
chore(deps): bump golang from d99d361 to 9628a1a #4043 (@dependabot[bot])
chore(deps): bump golang from 1.19.5-buster to 1.20.0-buster #3949 (@dependabot[bot])
chore(deps): bump golang from 1.20.0-buster to 1.20.1-buster #3997 (@dependabot[bot])
chore(deps): bump golang from 1.20.1-buster to 1.20.2-buster #4060 (@dependabot[bot])
chore(deps): bump golang from 1.20.2-buster to 1.20.3-buster #4103 (@dependabot[bot])
chore(deps): bump golang.org/x/crypto from 0.6.0 to 0.7.0 #4038 (@dependabot[bot])
chore(deps): bump golang.org/x/crypto from 0.7.0 to 0.8.0 #4105 (@dependabot[bot])
chore(deps): bump golang.org/x/net from 0.6.0 to 0.7.0 #3993 (@dependabot[bot])
chore(deps): bump golang.org/x/oauth2 from 0.4.0 to 0.5.0 #3963 (@dependabot[bot])
chore(deps): bump golang.org/x/oauth2 from 0.5.0 to 0.6.0 #4036 (@dependabot[bot])
chore(deps): bump golang.org/x/oauth2 from 0.6.0 to 0.7.0 #4113 (@dependabot[bot])
chore(deps): bump google-github-actions/auth from 1.0.0 to 1.1.0 #4121 (@dependabot[bot])
chore(deps): bump google-github-actions/setup-gcloud from 1.0.1 to 1.1.0 #3943 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.107.0 to 0.108.0 #3913 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.108.0 to 0.109.0 #3940 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.109.0 to 0.110.0 #3999 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.112.0 to 0.114.0 #4096 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.114.0 to 0.116.0 #4104 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.116.0 to 0.118.0 #4112 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.52.0 to 1.52.3 #3926 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.52.3 to 1.53.0 #3965 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.53.0 to 1.54.0 #4082 (@dependabot[bot])
chore(deps): bump goreleaser/goreleaser-action from 4.1.1 to 4.2.0 #3921 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.30.8 to 4.31.1 #3994 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.31.1 to 4.31.2 #4040 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.31.2 to 4.32.2 #4066 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.32.2 to 4.33.1 #4079 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.33.1 to 4.33.3 #4109 (@dependabot[bot])
chore(deps): bump tibdex/github-app-token from 1.7.0 to 1.8.0 #3922 (@dependabot[bot])
dependencies: upgrade go and envoy #4116 (@calebdoxsey)

v0.21.4 (2023-05-26)

Security

Full Changelog

This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.

Changed

authorize: fix IsInternal check by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4199
autocert: fix certmagic cache logging by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4135

v0.21.3 (2023-03-23)

Full Changelog

Changed

authorize: move sign out and jwks urls to route, update issuer for JWT #4049 (@backport-actions-token[bot])
ci: build version branch images #4062 (@backport-actions-token[bot])
hpke: move published public keys to a new endpoint #4048 (@backport-actions-token[bot])

v0.21.2 (2023-02-23)

Full Changelog

Changed

authenticate: fix identity provider id in encrypted query string #4011 (@backport-actions-token[bot])
authenticate: fix callback handler for split mode #4010 (@backport-actions-token[bot])
authenticate: don't require a session for sign_out #4009 (@backport-actions-token[bot])
authenticate: fix authenticate_internal_service_url for all in one #4005 (@backport-actions-token[bot])
derivecert: fix ecdsa code to be deterministic #3991 (@backport-actions-token[bot])
fix webauthn url #3988 (@backport-actions-token[bot])
webauthn: only return known device credentials that match the given type #3987 (@backport-actions-token[bot])

v0.21.1 (2023-02-16)

Full Changelog

Changed

authenticate: save the session cookie with a different name by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3984
lua: fix rewrite response headers to handle dashes in URLs by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3986

v0.21.0 (2023-02-09)

Full Changelog

Changed

add google cloud creds to ignore #3907 (@backport-actions-token[bot])
authenticate: always trust the passed in idp #3931 (@backport-actions-token[bot])
controlplane: remove gorilla handlers dependency #3813 (@calebdoxsey)
docker: switch to debian #3939 (@backport-actions-token[bot])
envoyconfig: clean up filter chain construction #3844 (@calebdoxsey)
events: remove xds configuraton update #3792 (@wasaga)
identity: fix nil reference error when there is no authenticator #3933 (@backport-actions-token[bot])
tls_derive: rename for consistency #3905 (@wasaga)
use tlsClientConfig instead of custom dialer #3830 (@wasaga)

Breaking

proxy: add userinfo and webauthn endpoints #3755 (@calebdoxsey)
remove forward auth #3628 (@calebdoxsey)

New

authenticate: add additional error details for hmac errors #3878 (@calebdoxsey)
authenticate: implement hpke-based login flow #3779 (@calebdoxsey)
authorize: log check() error #3846 (@wasaga)
auto tls #3856 (@wasaga)
config: add option for tls renegotiation #3773 (@calebdoxsey)
config: add support for extended TCP route URLs #3845 (@calebdoxsey)
derive CA from pre-shared key #3815 (@wasaga)
explicitly list gRPC services accessible via the gRPC listener #3879 (@wasaga)
hpke: add HPKE key to JWKS endpoint #3762 (@calebdoxsey)
hpke: add hpke package #3761 (@calebdoxsey)
httputil: add cookie chunker #3775 (@calebdoxsey)
httputil: ignore errors < 400 #3781 (@calebdoxsey)
identity: add identity profile #3777 (@calebdoxsey)
mTLS: allow gRPC TLS for all in one #3854 (@wasaga)
scripts: update get-envoy script to download all binaries #3886 (@calebdoxsey)
urlutil: add time validation functions #3776 (@calebdoxsey)

Fixed

autocert: use atomic pointer to allow nil #3816 (@calebdoxsey)
config: add missing options #3882 (@calebdoxsey)
config: generate derived certificates instead of self-signed certificates #3860 (@calebdoxsey)
config: use insecure skip verify if derived certificates are not used #3861 (@calebdoxsey)
dashboard: fix missing avatar and logout menu #3819 (@calebdoxsey)
identity: fix expired session deletion #3855 (@calebdoxsey)
jwt: require logged in user to return .pomerium/jwt #3807 (@calebdoxsey)
oidc: fix token revocation #3810 (@calebdoxsey)
postgres: return unknown records instead of skipping them #3876 (@calebdoxsey)
proxy: fix sign out redirect #3827 (@calebdoxsey)
storage: ignore removed fields when deserializing the data #3768 (@wasaga)
webauthn: require session when accessing /.pomerium/webauthn #3814 (@calebdoxsey)

Dependency

bump goreleaser to v4.1.1 #3919 (@backport-actions-token[bot])
chore(deps): bump actions/cache from 3.0.11 to 3.2.2 #3851 (@dependabot[bot])
chore(deps): bump actions/cache from 3.2.2 to 3.2.3 #3870 (@dependabot[bot])
chore(deps): bump actions/checkout from 3.1.0 to 3.2.0 #3833 (@dependabot[bot])
chore(deps): bump actions/checkout from 3.2.0 to 3.3.0 #3867 (@dependabot[bot])
chore(deps): bump actions/download-artifact from 3.0.1 to 3.0.2 #3872 (@dependabot[bot])
chore(deps): bump actions/setup-go from 3.3.1 to 3.4.0 #3788 (@dependabot[bot])
chore(deps): bump actions/setup-go from 3.4.0 to 3.5.0 #3836 (@dependabot[bot])
chore(deps): bump actions/setup-node from 3.5.1 to 3.6.0 #3869 (@dependabot[bot])
chore(deps): bump actions/setup-python from 4.3.0 to 4.3.1 #3800 (@dependabot[bot])
chore(deps): bump actions/setup-python from 4.3.1 to 4.4.0 #3834 (@dependabot[bot])
chore(deps): bump actions/setup-python from 4.4.0 to 4.5.0 #3896 (@dependabot[bot])
chore(deps): bump actions/stale from 5.1.1 to 6.0.1 #3790 (@dependabot[bot])
chore(deps): bump actions/stale from 6.0.1 to 7.0.0 #3852 (@dependabot[bot])
chore(deps): bump actions/upload-artifact from 3.1.1 to 3.1.2 #3871 (@dependabot[bot])
chore(deps): bump alpine from 8914eb5 to f271e74 #3901 (@dependabot[bot])
chore(deps): bump alpine from b95359c to 8914eb5 #3802 (@dependabot[bot])
chore(deps): bump alpine from bc41182 to b95359c #3751 (@dependabot[bot])
chore(deps): bump azure/docker-login from 81744f9799e7eaa418697cb168452a2882ae844a to 1.0.1 #3770 (@dependabot[bot])
chore(deps): bump debian from 7ca0fec to 12931ad #3904 (@dependabot[bot])
chore(deps): bump debian from 880aa5f to 7ca0fec #3841 (@dependabot[bot])
chore(deps): bump debian from 9583740 to 880aa5f #3803 (@dependabot[bot])
chore(deps): bump distroless/base from 8848703 to 8ee3d86 #3874 (@dependabot[bot])
chore(deps): bump distroless/base from 8ee3d86 to 9eeffdc #3903 (@dependabot[bot])
chore(deps): bump distroless/base from 9283685 to 8848703 #3842 (@dependabot[bot])
chore(deps): bump distroless/base from cd1bf87 to 9283685 #3804 (@dependabot[bot])
chore(deps): bump docker/build-push-action from 3.2.0 to 3.3.0 #3894 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.4 to 1.18.5 #3825 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.5 to 1.18.7 #3838 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.7 to 1.18.8 #3900 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.29.5 to 1.29.6 #3847 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.29.6 to 1.30.0 #3866 (@dependabot[bot])
chore(deps): bump github.com/cenkalti/backoff/v4 from 4.1.3 to 4.2.0 #3756 (@dependabot[bot])
chore(deps): bump github.com/cespare/xxhash/v2 from 2.1.2 to 2.2.0 #3786 (@dependabot[bot])
chore(deps): bump github.com/cloudflare/circl from 1.3.0 to 1.3.1 #3831 (@dependabot[bot])
chore(deps): bump github.com/coreos/go-oidc/v3 from 3.4.0 to 3.5.0 #3868 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.21+incompatible to 20.10.22+incompatible #3839 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.8.0 to 0.9.0 #3744 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.9.0 to 0.9.1 #3798 (@dependabot[bot])
chore(deps): bump github.com/go-chi/chi/v5 from 5.0.7 to 5.0.8 #3795 (@dependabot[bot])
chore(deps): bump github.com/jackc/pgtype from 1.12.0 to 1.13.0 #3784 (@dependabot[bot])
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.39 to 7.0.45 #3796 (@dependabot[bot])
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.45 to 7.0.46 #3864 (@dependabot[bot])
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.46 to 7.0.47 #3899 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.46.1 to 0.47.0 #3782 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.47.0 to 0.47.3 #3824 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.47.3 to 0.47.4 #3832 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.47.4 to 0.48.0 #3898 (@dependabot[bot])
chore(deps): bump github.com/prometheus/client_golang from 1.13.1 to 1.14.0 #3745 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.37.0 to 0.39.0 #3823 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.8.0 to 0.9.0 #3850 (@dependabot[bot])
chore(deps): bump github.com/rs/cors from 1.8.2 to 1.8.3 #3848 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.10 to 3.22.11 #3783 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.11 to 3.22.12 #3849 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.9 to 3.22.10 #3747 (@dependabot[bot])
chore(deps): bump go.uber.org/zap from 1.23.0 to 1.24.0 #3785 (@dependabot[bot])
chore(deps): bump golang from e464bb0 to 7c97bae #3843 (@dependabot[bot])
chore(deps): bump golang from 1.19.3-buster to 1.19.4-buster #3801 (@dependabot[bot])
chore(deps): bump golang from 1.19.4-buster to 1.19.5-buster #3902 (@dependabot[bot])
chore(deps): bump golang.org/x/crypto from 0.1.0 to 0.2.0 #3746 (@dependabot[bot])
chore(deps): bump golang.org/x/crypto from 0.2.0 to 0.3.0 #3757 (@dependabot[bot])
chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.4.0 #3822 (@dependabot[bot])
chore(deps): bump golang.org/x/crypto from 0.4.0 to 0.5.0 #3873 (@dependabot[bot])
chore(deps): bump golang.org/x/net from 0.1.0 to 0.2.0 #3748 (@dependabot[bot])
chore(deps): bump golang.org/x/net from 0.2.0 to 0.4.0 #3799 (@dependabot[bot])
chore(deps): bump golang.org/x/net from 0.4.0 to 0.5.0 #3863 (@dependabot[bot])
chore(deps): bump golang.org/x/oauth2 from 0.3.0 to 0.4.0 #3865 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.102.0 to 0.103.0 #3758 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.103.0 to 0.104.0 #3797 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.104.0 to 0.105.0 #3840 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.105.0 to 0.107.0 #3897 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.50.1 to 1.51.0 #3759 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.51.0 to 1.52.0 #3893 (@dependabot[bot])
chore(deps): bump json5 from 2.2.0 to 2.2.3 in /ui #3853 (@dependabot[bot])
chore(deps): bump luxon from 2.3.0 to 2.5.2 in /ui #3862 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.29.2 to 4.30.2 #3749 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.30.2 to 4.30.5 #3787 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.30.5 to 4.30.6 #3837 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.30.6 to 4.30.8 #3895 (@dependabot[bot])
chore(deps): bump minimatch from 3.0.4 to 3.1.2 in /ui #3760 (@dependabot[bot])
chore(deps): bump stefanzweifel/git-auto-commit-action from 4.15.4 to 4.16.0 #3791 (@dependabot[bot])
chore(deps): bump tibdex/github-app-token from 1.6.0 to 1.7.0 #3789 (@dependabot[bot])
postgres: upgrade to pgx v5 #3826 (@calebdoxsey)
upgrade to golang-lru v2 #3771 (@calebdoxsey)

v0.20.1 (2023-05-26)

Full Changelog

Security

This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.

Changed

autocert: use atomic pointer to allow nil by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3817
identity: fix expired session deletion by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3857
identity: fix nil reference error when there is no authenticator by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3932
jwt: require logged in user to return .pomerium/jwt by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3809
oidc: fix token revocation by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3818
postgres: return unknown records instead of skipping them (#3876) by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3877
storage: ignore removed fields when deserializing the data by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3772

v0.20.0 (2022-11-14)

Full Changelog

Breaking

envoyconfig: add all routes to all filter chains #3596 (@calebdoxsey)
groups via directory sync are no longer supported #3633 (@calebdoxsey)

Security

httputil: remove error details #3703 (@calebdoxsey)

New

authorize: fix user caching #3734 (@calebdoxsey)
authorize: performance improvements #3723 (@calebdoxsey)
config: disable Strict-Transport-Security when using a self-signed certificate #3743 (@calebdoxsey)
config: generate cookie secret if not set in all-in-one mode #3742 (@calebdoxsey)
config: default to http2 #3660 (@calebdoxsey)
controlplane: move jwks.json endpoint to control plane #3691 (@calebdoxsey)
postgres: increase record batch size #3708 (@calebdoxsey)
sessions: check idp id to detect provider changes to force session invalidation #3707 (@calebdoxsey)

Fixed

authenticate: get/set identity provider id for all sessions #3597 (@calebdoxsey)
authorize: enforce service account expiration #3661 (@calebdoxsey)
config: allow blank identity providers when loading sessions for service account support #3709 (@calebdoxsey)
config: disable envoy admin by default, expose stats via envoy route #3677 (@calebdoxsey)
controlplane: fix /.well-known/pomerium missing CORS headers #3738 (@calebdoxsey)
fileutil: update watcher to use fsnotify and polling #3663 (@calebdoxsey)
postgres: return an empty list of addresses on dns errors #3637 (@calebdoxsey)
ppl: support special characters in claim keys #3639 (@calebdoxsey)

Changed

add config option check logging #3722 (@wasaga)
authenticate: remove ecjson #3688 (@calebdoxsey)
authenticate: update user info dashboard to show group info for enterprise #3736 (@calebdoxsey)
device: add generic methods for working with user+session devices #3710 (@calebdoxsey)
envoyconfig: fix databroker health checks #3706 (@calebdoxsey)
fix unused key warnings in routes #3711 (@wasaga)
keep trace span context #3724 (@wasaga)
postgres: handle unknown types #3632 (@calebdoxsey)
test: use T.TempDir to create temporary test directory #3725 (@Juneezee)
upgrade envoy to v1.23.1 #3599 (@calebdoxsey)

Dependency

bump Envoy to 1.23.2 #3739 (@wasaga)
bump protoc to 3.21.7 #3646 (@wasaga)
chore(deps): bump actions/cache from 3.0.10 to 3.0.11 #3671 (@dependabot[bot])
chore(deps): bump actions/cache from 3.0.8 to 3.0.10 #3642 (@dependabot[bot])
chore(deps): bump actions/checkout from 3.0.2 to 3.1.0 #3652 (@dependabot[bot])
chore(deps): bump actions/download-artifact from 3.0.0 to 3.0.1 #3700 (@dependabot[bot])
chore(deps): bump actions/setup-go from 3.3.0 to 3.3.1 #3681 (@dependabot[bot])
chore(deps): bump actions/setup-node from 3.4.1 to 3.5.0 #3641 (@dependabot[bot])
chore(deps): bump actions/setup-node from 3.5.0 to 3.5.1 #3672 (@dependabot[bot])
chore(deps): bump actions/setup-python from 4.2.0 to 4.3.0 #3651 (@dependabot[bot])
chore(deps): bump actions/upload-artifact from 3.1.0 to 3.1.1 #3698 (@dependabot[bot])
chore(deps): bump alpine from bc41182 to b95359c #3751 (@dependabot[bot])
chore(deps): bump debian from 1b1d158 to 9583740 #3719 (@dependabot[bot])
chore(deps): bump debian from 3d2aa50 to 6005bd9 #3625 (@dependabot[bot])
chore(deps): bump debian from 6005bd9 to 1b1d158 #3656 (@dependabot[bot])
chore(deps): bump distroless/base from 4689543 to 6ef742b #3654 (@dependabot[bot])
chore(deps): bump distroless/base from 59fe963 to 8a7afd5 #3627 (@dependabot[bot])
chore(deps): bump distroless/base from 65afaf8 to 59fe963 #3616 (@dependabot[bot])
chore(deps): bump distroless/base from 6ef742b to 9681f07 #3676 (@dependabot[bot])
chore(deps): bump distroless/base from 856944e to cd1bf87 #3732 (@dependabot[bot])
chore(deps): bump distroless/base from 8a7afd5 to 4689543 #3647 (@dependabot[bot])
chore(deps): bump distroless/base from 9681f07 to 856944e #3702 (@dependabot[bot])
chore(deps): bump docker/build-push-action from 3.1.1 to 3.2.0 #3673 (@dependabot[bot])
chore(deps): bump docker/login-action from 2.0.0 to 2.1.0 #3682 (@dependabot[bot])
chore(deps): bump docker/setup-buildx-action from 2.0.0 to 2.2.1 #3679 (@dependabot[bot])
chore(deps): bump docker/setup-qemu-action from 2.0.0 to 2.1.0 #3675 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.16.3 to 0.17.0 #3604 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.17.0 to 0.17.1 #3619 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.17.1 to 0.17.2 #3644 (@dependabot[bot])
chore(deps): bump github.com/coreos/go-oidc/v3 from 3.2.0 to 3.3.0 #3605 (@dependabot[bot])
chore(deps): bump github.com/coreos/go-oidc/v3 from 3.3.0 to 3.4.0 #3612 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.17+incompatible to 20.10.18+incompatible #3614 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.18+incompatible to 20.10.19+incompatible #3666 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.19+incompatible to 20.10.20+incompatible #3694 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.20+incompatible to 20.10.21+incompatible #3712 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.10 to 0.6.13 #3648 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.13 to 0.8.0 #3731 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.7 to 0.6.8 #3624 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.8 to 0.6.10 #3630 (@dependabot[bot])
chore(deps): bump github.com/fsnotify/fsnotify from 1.5.4 to 1.6.0 #3713 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.48.0 to 1.50.0 #3667 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.50.0 to 1.50.1 #3697 (@dependabot[bot])
chore(deps): bump github.com/google/go-cmp from 0.5.8 to 0.5.9 #3611 (@dependabot[bot])
chore(deps): bump github.com/google/go-jsonnet from 0.18.0 to 0.19.1 #3715 (@dependabot[bot])
chore(deps): bump github.com/jackc/pgx/v4 from 4.17.1 to 4.17.2 #3603 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.43.0 to 0.44.0 #3620 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.44.0 to 0.45.0 #3650 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.45.0 to 0.46.1 #3729 (@dependabot[bot])
chore(deps): bump github.com/openzipkin/zipkin-go from 0.4.0 to 0.4.1 #3668 (@dependabot[bot])
chore(deps): bump github.com/prometheus/client_model from 0.2.0 to 0.3.0 #3696 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.7 to 3.22.8 #3606 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.8 to 3.22.9 #3643 (@dependabot[bot])
chore(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 #3613 (@dependabot[bot])
chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 #3728 (@dependabot[bot])
chore(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 #3695 (@dependabot[bot])
chore(deps): bump github.com/VictoriaMetrics/fastcache from 1.10.0 to 1.12.0 #3623 (@dependabot[bot])
chore(deps): bump go.opencensus.io from 0.23.0 to 0.24.0 #3727 (@dependabot[bot])
chore(deps): bump golang from 403f389 to b448089 #3718 (@dependabot[bot])
chore(deps): bump golang from d71125b to 4b2498d #3626 (@dependabot[bot])
chore(deps): bump golang from 1.19.0-buster to 1.19.1-buster #3617 (@dependabot[bot])
chore(deps): bump golang from 1.19.1-buster to 1.19.2-buster #3655 (@dependabot[bot])
chore(deps): bump golang from 1.19.2-buster to 1.19.3-buster #3733 (@dependabot[bot])
chore(deps): bump golang.org/x/net from 0.1.0 to 0.2.0 #3748 (@dependabot[bot])
chore(deps): bump google-github-actions/setup-gcloud from 0.6.0 to 0.6.2 #3674 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.100.0 to 0.101.0 #3714 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.94.0 to 0.95.0 #3618 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.95.0 to 0.96.0 #3622 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.96.0 to 0.97.0 #3629 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.97.0 to 0.98.0 #3645 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.98.0 to 0.99.0 #3670 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.99.0 to 0.100.0 #3693 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.49.0 to 1.50.0 #3649 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.50.0 to 1.50.1 #3669 (@dependabot[bot])
chore(deps): bump goreleaser/goreleaser-action from 3.1.0 to 3.2.0 #3680 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.27.3 to 4.27.5 #3615 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.27.5 to 4.28.1 #3653 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.28.1 to 4.28.2 #3690 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.28.2 to 4.29.2 #3717 (@dependabot[bot])
chore(deps): bump stefanzweifel/git-auto-commit-action from 4.14.1 to 4.15.0 #3631 (@dependabot[bot])
chore(deps): bump stefanzweifel/git-auto-commit-action from 4.15.0 to 4.15.1 #3658 (@dependabot[bot])
chore(deps): bump stefanzweifel/git-auto-commit-action from 4.15.1 to 4.15.2 #3699 (@dependabot[bot])
chore(deps): bump stefanzweifel/git-auto-commit-action from 4.15.2 to 4.15.3 #3716 (@dependabot[bot])
chore(deps): bump stefanzweifel/git-auto-commit-action from 4.15.3 to 4.15.4 #3726 (@dependabot[bot])

v0.19.2 (2023-05-26)

Full Changelog

Security

This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.

Changed

authorize: enforce service account expiration by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3662
config: disable envoy admin by default, expose stats via envoy route by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3684
fileutil: update watcher to use fsnotify and polling (#3663) by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3685
httputil: remove error details by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3705
postgres: return an empty list of addresses on dns errors by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3638
ppl: support special characters in claim keys by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3640

v0.19.1 (2022-09-08)

Full Changelog

Changed

c0a88707 authenticate: get/set identity provider id for all sessions (#3608)
c3ef43cd upgrade envoy to v1.23.1 (#3600)

Docker images

docker pull pomerium/pomerium:v0.19.1
docker pull pomerium/pomerium:nonroot-v0.19.1
docker pull pomerium/pomerium:debug-v0.19.1
docker pull pomerium/pomerium:debug-nonroot-v0.19.1

v0.19.0 (2022-09-01)

Full Changelog

New

add the traces error details #3557 (@nhayfield)
authorize: add policy error details for custom error messages #3542 (@calebdoxsey)
autocert: add support for ACME TLS-ALPN #3590 (@calebdoxsey)
config: add branding settings #3558 (@calebdoxsey)
controlplane: add well-known endpoint to the controlplane http handler #3555 (@calebdoxsey)
Dynamic style changes #3544 (@nhayfield)
envoy: upgrade to 1.23.0 #3560 (@calebdoxsey)
envoyconfig: add virtual host domains for certificates in addition to routes #3593 (@calebdoxsey)

Fixed

add front end support for optional first paragraph of markdown on err... #3546 (@nhayfield)
atomicutil: use atomicutil.Value wherever possible #3517 (@calebdoxsey)
authenticate: add CORS headers to jwks endpoint #3574 (@calebdoxsey)
authenticate: fix branding for webauthn device registration page #3572 (@calebdoxsey)
authorize: handle user-unauthenticated response for deny blocks #3559 (@calebdoxsey)
envoyconfig: add authority header to outbound gRPC requests #3545 (@calebdoxsey)
Fix typos #3575 (@alexrudd2)
postgres: remove not null constraint on data column of record changes table #3594 (@calebdoxsey)
publish to any-distro #3570 (@calebdoxsey)
sets: convert set types to generics #3519 (@calebdoxsey)
Update README.md #3569 (@cmo-pomerium)

Dependency

chore(deps): bump actions/cache from 3.0.5 to 3.0.6 #3537 (@dependabot[bot])
chore(deps): bump actions/cache from 3.0.6 to 3.0.7 #3552 (@dependabot[bot])
chore(deps): bump actions/cache from 3.0.7 to 3.0.8 #3565 (@dependabot[bot])
chore(deps): bump actions/setup-go from 3.2.1 to 3.3.0 #3583 (@dependabot[bot])
chore(deps): bump actions/setup-python from 4.1.0 to 4.2.0 #3535 (@dependabot[bot])
chore(deps): bump actions/stale from 5.1.0 to 5.1.1 #3513 (@dependabot[bot])
chore(deps): bump alpine from 6af1b11 to 7580ece #3512 (@dependabot[bot])
chore(deps): bump alpine from 7580ece to bc41182 #3553 (@dependabot[bot])
chore(deps): bump contrib.go.opencensus.io/exporter/prometheus from 0.4.1 to 0.4.2 #3586 (@dependabot[bot])
chore(deps): bump debian from 1c34464 to 4567e1e #3508 (@dependabot[bot])
chore(deps): bump debian from 4567e1e to b9b1f4a #3538 (@dependabot[bot])
chore(deps): bump debian from b9b1f4a to 3d2aa50 #3588 (@dependabot[bot])
chore(deps): bump distroless/base from 3a62194 to ec73486 #3554 (@dependabot[bot])
chore(deps): bump distroless/base from d6db599 to 3a62194 #3511 (@dependabot[bot])
chore(deps): bump distroless/base from ec73486 to 65afaf8 #3568 (@dependabot[bot])
chore(deps): bump docker/build-push-action from 3.1.0 to 3.1.1 #3536 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.16.0 to 0.16.2 #3532 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.16.2 to 0.16.3 #3563 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.46.2 to 1.47.2 #3499 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.47.2 to 1.47.3 #3522 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.47.3 to 1.48.0 #3541 (@dependabot[bot])
chore(deps): bump github.com/jackc/pgx/v4 from 4.16.1 to 4.17.0 #3533 (@dependabot[bot])
chore(deps): bump github.com/jackc/pgx/v4 from 4.17.0 to 4.17.1 #3582 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.42.2 to 0.43.0 #3523 (@dependabot[bot])
chore(deps): bump github.com/peterbourgon/ff/v3 from 3.1.2 to 3.3.0 #3540 (@dependabot[bot])
chore(deps): bump github.com/prometheus/client_golang from 1.12.2 to 1.13.0 #3530 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.7.3 to 0.8.0 #3516 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.27.0 to 1.28.0 #3587 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.6 to 3.22.7 #3524 (@dependabot[bot])
chore(deps): bump go.uber.org/zap from 1.21.0 to 1.22.0 #3551 (@dependabot[bot])
chore(deps): bump go.uber.org/zap from 1.22.0 to 1.23.0 #3581 (@dependabot[bot])
chore(deps): bump golang from 6960d62 to 477b10a #3527 (@dependabot[bot])
chore(deps): bump golang from a7a23f1 to d84495e #3589 (@dependabot[bot])
chore(deps): bump golang from 1.18-buster to 1.18.4-buster #3509 (@dependabot[bot])
chore(deps): bump golang from 1.18.4-buster to 1.19.0-buster #3539 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.88.0 to 0.89.0 #3514 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.89.0 to 0.90.0 #3525 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.90.0 to 0.91.0 #3531 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.91.0 to 0.92.0 #3550 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.92.0 to 0.93.0 #3562 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.93.0 to 0.94.0 #3580 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.48.0 to 1.49.0 #3579 (@dependabot[bot])
chore(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1 #3515 (@dependabot[bot])
chore(deps): bump goreleaser/goreleaser-action from 3.0.0 to 3.1.0 #3585 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.26.1 to 4.27.2 #3526 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.27.2 to 4.27.3 #3584 (@dependabot[bot])
chore(deps): bump pomerium/backport from a2e620de9fc4166f774ee2a389e170046cfad426 to 1.1.1 #3564 (@dependabot[bot])
chore(deps): bump pre-commit/action from 876132a3c26aa072b09eab6c5395b4749eeb2435 to 3.0.0 #3567 (@dependabot[bot])
chore(deps): bump tibdex/github-app-token from 1.5.1 to 1.6 #3566 (@dependabot[bot])
deployment: update RELEASING.md #3503 (@desimone)

v0.18.1 (2023-05-26)

Full Changelog

Security

This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.

Changed

publish to any-distro (#3570) by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3571
postgres: remove not null constraint on data column of record changes table by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3595

v0.18.0 (2022-07-27)

Full Changelog

New

add databroker multi lease handlers #3255 (@wasaga)
add lease name to the log #3498 (@wasaga)
add metrics aggregation #3452 (@wasaga)
add x-request-id in responses #3366 (@wasaga)
allow pomerium to be embedded as a library #3415 (@wasaga)
authenticate: allow changing the authenticate service URL at runtime #3378 (@calebdoxsey)
authenticate: show the device enrolled page as the user info page #3151 (@calebdoxsey)
authorize: add name claim #3238 (@calebdoxsey)
authorize: track session and service account access date #3220 (@calebdoxsey)
authorize: use query instead of sync for databroker data #3377 (@calebdoxsey)
databroker: add support for field masks on Put #3210 (@calebdoxsey)
databroker: add support for putting multiple records #3291 (@calebdoxsey)
databroker: add support for query filtering #3369 (@calebdoxsey)
databroker: add support for syncing by type #3412 (@calebdoxsey)
directory: support non-base64 encoded service accounts #3150 (@calebdoxsey)
do not require idp set in the bootstrap config, as it may be later configured via the databroker #3386 (@wasaga)
eliminate global events manager #3422 (@wasaga)
envoy: upgrade to 1.21.1 #3186 (@calebdoxsey)
envoy: use typed extension protocol options for static bootstrap cluster #3268 (@calebdoxsey)
Expand PR template #3403 (@alexfornuto)
github: pin github actions #3183 (@calebdoxsey)
grpc: regenerate protobuf code #3208 (@calebdoxsey)
grpc: wait for connect to be ready before making calls #3253 (@calebdoxsey)
identity: batch directory updates #3411 (@calebdoxsey)
integration: add test for query string params #3302 (@calebdoxsey)
postgres: databroker storage backend #3370 (@calebdoxsey)
postgres: registry support #3454 (@calebdoxsey)
storage: add filter expressions, upgrade go to 1.18.1 #3365 (@calebdoxsey)
storage: add filtering to SyncLatest #3368 (@calebdoxsey)
try pinning docker dependency #3185 (@calebdoxsey)
ui: remove version #3184 (@calebdoxsey)

Fixed

authenticate: fix debug and metrics endpoints #3212 (@calebdoxsey)
authenticate: fix internal service URL CORS check #3279 (@calebdoxsey)
authenticate: fix internal service URL dashboard redirect #3305 (@calebdoxsey)
authenticate: fix internal url with webauthn #3194 (@calebdoxsey)
authenticate: save session for bare webauthn redirects, consider external service URL to be a pomerium url #3280 (@calebdoxsey)
authorize: add request id to context #3497 (@calebdoxsey)
authorize: allow missing user for authorization #3421 (@calebdoxsey)
authorize: fix device synchronization #3482 (@calebdoxsey)
authorize: fix not found check #3410 (@calebdoxsey)
authorize: fix x-forwarded-uri #3479 (@calebdoxsey)
authorize: pass idp id for webauthn url, allow unauthenticated access to static files #3282 (@calebdoxsey)
authorize: show plain text error page for traefik and nginx #3477 (@calebdoxsey)
autocert: continue on error #3476 (@calebdoxsey)
config: fix DefaultTransport so it is still a *http.Transport #3257 (@calebdoxsey)
databroker: fix in-memory backend deadlock #3300 (@calebdoxsey)
deployment: update syntax installing dlv in debug image #3179 (@travisgroth)
device enrollment: fix ip address #3430 (@calebdoxsey)
envoyconfig: prevent nil reproxy handler #3345 (@wasaga)
fix: close the ticker after opened #3318 (@clwluvw)
fix: The built binary file is missing "ui/dist/index.js" and "ui/dist... #3391 (@cfanbo)
github: fix missing groups #3171 (@calebdoxsey)
httputil/reproxy: fix policy transport #3322 (@calebdoxsey)
options: fix overlapping certificate test #3492 (@calebdoxsey)
postgres: fix CIDR query #3389 (@calebdoxsey)
postgres: fix record deletion #3446 (@calebdoxsey)
userinfo: embed assets as data URLs for forward auth #3460 (@calebdoxsey)
userinfo: fix missing profile picture #3154 (@calebdoxsey)

Dependency

bump envoy to 1.21.3 #3413 (@wasaga)
chore(deps): bump actions/cache from 2 to 3 #3167 (@dependabot[bot])
chore(deps): bump actions/cache from 3.0.0 to 3.0.1 #3235 (@dependabot[bot])
chore(deps): bump actions/cache from 3.0.1 to 3.0.2 #3265 (@dependabot[bot])
chore(deps): bump actions/cache from 3.0.2 to 3.0.3 #3399 (@dependabot[bot])
chore(deps): bump actions/cache from 3.0.3 to 3.0.4 #3440 (@dependabot[bot])
chore(deps): bump actions/cache from 3.0.4 to 3.0.5 #3489 (@dependabot[bot])
chore(deps): bump actions/checkout from 3.0.0 to 3.0.1 #3275 (@dependabot[bot])
chore(deps): bump actions/checkout from 3.0.1 to 3.0.2 #3297 (@dependabot[bot])
chore(deps): bump actions/download-artifact from 2.1.0 to 3 #3202 (@dependabot[bot])
chore(deps): bump actions/setup-go from 2.2.0 to 3 #3204 (@dependabot[bot])
chore(deps): bump actions/setup-go from 3.0.0 to 3.1.0 #3362 (@dependabot[bot])
chore(deps): bump actions/setup-go from 3.1.0 to 3.2.0 #3384 (@dependabot[bot])
chore(deps): bump actions/setup-go from 3.2.0 to 3.2.1 #3470 (@dependabot[bot])
chore(deps): bump actions/setup-node from 3.0.0 to 3.1.0 #3236 (@dependabot[bot])
chore(deps): bump actions/setup-node from 3.1.0 to 3.1.1 #3267 (@dependabot[bot])
chore(deps): bump actions/setup-node from 3.1.1 to 3.2.0 #3363 (@dependabot[bot])
chore(deps): bump actions/setup-node from 3.2.0 to 3.3.0 #3400 (@dependabot[bot])
chore(deps): bump actions/setup-node from 3.3.0 to 3.4.0 #3471 (@dependabot[bot])
chore(deps): bump actions/setup-node from 3.4.0 to 3.4.1 #3490 (@dependabot[bot])
chore(deps): bump actions/setup-python from 3.0.0 to 3.1.0 #3234 (@dependabot[bot])
chore(deps): bump actions/setup-python from 3.1.0 to 3.1.2 #3266 (@dependabot[bot])
chore(deps): bump actions/setup-python from 3.1.2 to 4 #3439 (@dependabot[bot])
chore(deps): bump actions/setup-python from 4.0.0 to 4.1.0 #3472 (@dependabot[bot])
chore(deps): bump actions/stale from 5.0.0 to 5.1.0 #3488 (@dependabot[bot])
chore(deps): bump actions/upload-artifact from 2.3.1 to 3 #3203 (@dependabot[bot])
chore(deps): bump actions/upload-artifact from 3.0.0 to 3.1.0 #3374 (@dependabot[bot])
chore(deps): bump async from 2.6.3 to 2.6.4 #3278 (@dependabot[bot])
chore(deps): bump contrib.go.opencensus.io/exporter/prometheus from 0.4.0 to 0.4.1 #3164 (@dependabot[bot])
chore(deps): bump docker/build-push-action from 2.10.0 to 3 #3336 (@dependabot[bot])
chore(deps): bump docker/build-push-action from 3.0.0 to 3.1.0 #3501 (@dependabot[bot])
chore(deps): bump docker/login-action from 1.14.1 to 2 #3338 (@dependabot[bot])
chore(deps): bump docker/setup-buildx-action from 1.6.0 to 1.7.0 #3317 (@dependabot[bot])
chore(deps): bump docker/setup-buildx-action from 1.7.0 to 2 #3337 (@dependabot[bot])
chore(deps): bump docker/setup-qemu-action from 1.2.0 to 2 #3339 (@dependabot[bot])
chore(deps): bump eventsource from 1.1.0 to 1.1.1 #3388 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.15.3 to 0.15.4 #3143 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.15.4 to 0.16.0 #3198 (@dependabot[bot])
chore(deps): bump github.com/cenkalti/backoff/v4 from 4.1.2 to 4.1.3 #3264 (@dependabot[bot])
chore(deps): bump github.com/coreos/go-oidc/v3 from 3.1.0 to 3.2.0 #3360 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.12+incompatible to 20.10.13+incompatible #3142 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.13+incompatible to 20.10.14+incompatible #3199 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.14+incompatible to 20.10.15+incompatible #3335 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.15+incompatible to 20.10.16+incompatible #3359 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.16+incompatible to 20.10.17+incompatible #3417 (@dependabot[bot])
chore(deps): bump github.com/fsnotify/fsnotify from 1.5.1 to 1.5.4 #3312 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.11.4 to 8.11.5 #3166 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.44.2 to 1.45.0 #3162 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.45.0 to 1.45.2 #3200 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.45.2 to 1.46.0 #3334 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.46.0 to 1.46.1 #3357 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.46.1 to 1.46.2 #3373 (@dependabot[bot])
chore(deps): bump github.com/google/btree from 1.0.1 to 1.1.1 #3402 (@dependabot[bot])
chore(deps): bump github.com/google/btree from 1.1.1 to 1.1.2 #3434 (@dependabot[bot])
chore(deps): bump github.com/google/go-cmp from 0.5.7 to 0.5.8 #3315 (@dependabot[bot])
chore(deps): bump github.com/martinlindhe/base36 from 1.1.0 to 1.1.1 #3437 (@dependabot[bot])
chore(deps): bump github.com/mholt/acmez from 1.0.2 to 1.0.3 #3469 (@dependabot[bot])
chore(deps): bump github.com/mitchellh/mapstructure from 1.4.3 to 1.5.0 #3292 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.38.0 to 0.38.1 #3144 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.38.1 to 0.39.0 #3232 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.39.0 to 0.40.0 #3311 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.40.0 to 0.41.0 #3395 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.41.0 to 0.42.1 #3468 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.42.1 to 0.42.2 #3483 (@dependabot[bot])
chore(deps): bump github.com/ory/dockertest/v3 from 3.8.1 to 3.9.1 #3381 (@dependabot[bot])
chore(deps): bump github.com/prometheus/client_golang from 1.12.1 to 1.12.2 #3358 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.32.1 to 0.33.0 #3230 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.33.0 to 0.34.0 #3298 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.34.0 to 0.35.0 #3438 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.35.0 to 0.37.0 #3486 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.26.1 to 1.27.0 #3418 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.2 to 3.22.3 #3231 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.3 to 3.22.4 #3313 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.4 to 3.22.5 #3396 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.5 to 3.22.6 #3464 (@dependabot[bot])
chore(deps): bump github.com/spf13/viper from 1.10.1 to 1.11.0 #3273 (@dependabot[bot])
chore(deps): bump github.com/spf13/viper from 1.11.0 to 1.12.0 #3380 (@dependabot[bot])
chore(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1 #3165 (@dependabot[bot])
chore(deps): bump github.com/stretchr/testify from 1.7.1 to 1.7.2 #3397 (@dependabot[bot])
chore(deps): bump github.com/stretchr/testify from 1.7.2 to 1.7.3 #3435 (@dependabot[bot])
chore(deps): bump github.com/stretchr/testify from 1.7.3 to 1.7.5 #3448 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.70.0 to 0.72.0 #3152 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.72.0 to 0.73.0 #3163 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.73.0 to 0.74.0 #3233 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.74.0 to 0.75.0 #3296 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.75.0 to 0.77.0 #3314 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.77.0 to 0.79.0 #3347 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.79.0 to 0.80.0 #3372 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.80.0 to 0.81.0 #3382 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.81.0 to 0.82.0 #3401 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.82.0 to 0.83.0 #3416 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.83.0 to 0.84.0 #3436 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.84.0 to 0.85.0 #3447 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.85.0 to 0.86.0 #3463 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.86.0 to 0.87.0 #3484 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.87.0 to 0.88.0 #3500 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.44.0 to 1.45.0 #3141 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.45.0 to 1.46.0 #3294 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.46.0 to 1.46.2 #3361 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.46.2 to 1.47.0 #3393 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.47.0 to 1.48.0 #3487 (@dependabot[bot])
chore(deps): bump google.golang.org/protobuf from 1.27.1 to 1.28.0 #3197 (@dependabot[bot])
chore(deps): bump gopkg.in/yaml.v3 from 3.0.0 to 3.0.1 #3394 (@dependabot[bot])
chore(deps): bump goreleaser/goreleaser-action from 2.9.1 to 3 #3375 (@dependabot[bot])
chore(deps): bump jandelgado/gcov2lcov-action from 1.0.8 to 1.0.9 #3376 (@dependabot[bot])
chore(deps): bump jandelgado/gcov2lcov-action from fc567b789b78d676959759edfb9b7a30e884fc1d to 1.0.9 #3385 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.21.1 to 4.22.1 #3145 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.22.1 to 4.23.1 #3168 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.23.1 to 4.24.2 #3201 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.24.2 to 4.24.5 #3276 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.24.5 to 4.25.1 #3316 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.25.1 to 4.25.2 #3383 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.25.2 to 4.25.3 #3449 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.25.3 to 4.26.1 #3491 (@dependabot[bot])
chore(deps): bump minimist from 1.2.5 to 1.2.6 #3189 (@dependabot[bot])
chore(deps): bump minimist from 1.2.5 to 1.2.6 in /ui #3188 (@dependabot[bot])
chore(deps): bump stefanzweifel/git-auto-commit-action from 4.14.0 to 4.14.1 #3274 (@dependabot[bot])
deps: bump backport action version #3224 (@travisgroth)
use generic version of btree #3404 (@wasaga)

Changes

Allow docs changes without review #3242 (@alexfornuto)
ci: use forked backport to copy original PR labels #3223 (@travisgroth)
databroker: support rotating shared secret #3502 (@calebdoxsey)
deployment: remove vals based entrypoint #3254 (@travisgroth)
deployment: remove vals based entrypoint #3254 (@travisgroth)
docs: fix a typo in auth0 config example #3332 (@imlonghao)
docs: update changelog and upgrade notes for enterprise v0.17 #3105 (@travisgroth)
github-actions: build docker platforms together #3426 (@calebdoxsey)
replace fmt.Sprintf with net.JoinHostPort #3407 (@cfanbo)
Revert "databroker: add support for field masks on Put" #3217 (@calebdoxsey)
Revert "userinfo: embed assets as data URLs for forward auth" #3474 (@calebdoxsey)

v0.17.4 (2023-05-26)

Full Changelog

Security

This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.

v0.17.3 (2023-05-05)

Full Changelog

Changes

authenticate: fix internal service URL CORS check by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3328
authenticate: fix internal service URL dashboard redirect by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3306
DOCS: Add device identity video https://github.com/pomerium/pomerium/pull/3307
DOCS: Update changelog https://github.com/pomerium/pomerium/pull/3308
DOCS: update helm values file https://github.com/pomerium/pomerium/pull/3287
fix: close the ticker after opened by @clwluvw https://github.com/pomerium/pomerium/pull/3323
httputil/reproxy: fix policy transport by @calebdoxsey https://github.com/pomerium/pomerium/pull/3324
Update docs for supported Ingress annotations https://github.com/pomerium/pomerium/pull/3325

Full Changelog: https://github.com/pomerium/pomerium/compare/v0.17.2...v0.17.3

v0.17.2 (2022-04-22)

Full Changelog

Fixed

Add UUID to docs yaml blocks (#3251) [#3259] (@alexfornuto)
authorize: pass idp id for webauthn url, allow unauthenticated access to static files [#3284] (@calebdoxsey)
config: fix DefaultTransport so it is still a *http.Transport [#3260] (@calebdoxsey)

Dependency

chore(deps): bump actions/setup-python from 3.1.0 to 3.1.2 [#3266]

v0.17.1 (2022-03-30)

Full Changelog

Security Notice

This release includes a fix to a medium severity security issue.

We recommend that all users upgrade.

Security

authenticate: fix debug and metrics endpoints #3215 (@backport-actions-token[bot])

Fixed

authenticate: fix internal url with webauthn #3195 (@backport-actions-token[bot])
github: fix missing groups #3176 (@backport-actions-token[bot])

v0.17.0 (2022-03-04)

Full Changelog

New

adds pomerium version to the user info endpoint #3093 (@nhayfield)
authenticate: add device-enrolled page #2892 (@calebdoxsey)
authenticate: fix expiring user info endpoint #2976 (@calebdoxsey)
controlplane: add compression middleware #3000 (@calebdoxsey)
directory: save IDP errors to databroker, put event handling in dedicated package #2957 (@calebdoxsey)
frontend: react+mui #3004 (@calebdoxsey)
google: support groups for users outside of the organization #2950 (@calebdoxsey)
grpc: remove ptypes references #3078 (@calebdoxsey)
last known metric error #2974 (@wasaga)
remove deprecated ioutil usages #2877 (@cfanbo)
return explicit error when directory sync is disabled #2949 (@wasaga)
session: remove unused session state properties #3022 (@calebdoxsey)
Style update for User Info Endpoint #3055 (@nhayfield)
userinfo: add webauthn buttons to user info page #3075 (@calebdoxsey)

Fixed

auth0: support explicit domains in the service account #2980 (@calebdoxsey)
auth0: support explicit domains in the service account #2996 (@backport-actions-token[bot])
authenticate: add callback endpoint #2931 (@calebdoxsey)
authenticate: support webauthn redirects to non-pomerium domains #2936 (@calebdoxsey)
config: fix httptest local certificate #3056 (@calebdoxsey)
config: fix policy matching for regular expressions #2966 (@calebdoxsey)
config: fix TLS config when address and grpc_address are the same #2975 (@calebdoxsey)
databroker: use contextual logging for errors, use original record type for encryption #3096 (@calebdoxsey)
deployment: enable goreleaser buildx #2968 (@travisgroth)
deployment: fix distroless base arch #2925 (@travisgroth)
deployment: only include pomerium binary #3007 (@travisgroth)
devices: shrink credentials by removing unnecessary data #2951 (@calebdoxsey)
devices: treat undefined device types as any #2927 (@calebdoxsey)
envoy: check certificates for must-staple flag and drop them if they are missing the response #2909 (@calebdoxsey)
fix link for picture in avatar #3066 (@nhayfield)
fix: frontend html tag mismatch #2954 (@cfanbo)
handle device states in deny block, fix default device type #2919 (@calebdoxsey)
integration: fix default port for verify service #2895 (@calebdoxsey)
proxy: fix error page #3020 (@calebdoxsey)
Remove spurious \ tags #2946 (@sylr)
userinfo: fix logout button, add sign out confirm page #3058 (@calebdoxsey)
webauthn: use absolute URL for delete redirect #2935 (@calebdoxsey)

Dependency

chore(deps): bump actions/setup-node from 2 to 3 #3089 (@dependabot[bot])
chore(deps): bump actions/setup-python from 2 to 3 #3088 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.20.2 to 4.21.1 #3087 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.69.0 to 0.70.0 #3086 (@dependabot[bot])
chore(deps): bump url-parse from 1.5.7 to 1.5.10 #3085 (@dependabot[bot])
chore(deps): bump prismjs from 1.26.0 to 1.27.0 #3084 (@dependabot[bot])
deps: bump envoy to v1.20.2 #3082 (@travisgroth)
chore(deps): bump mikefarah/yq from 4.20.1 to 4.20.2 #3072 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.68.0 to 0.69.0 #3071 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.44.0 to 1.44.2 #3070 (@dependabot[bot])
chore(deps): bump url-parse from 1.5.1 to 1.5.7 #3068 (@dependabot[bot])
chore(deps): bump github.com/gorilla/websocket from 1.4.2 to 1.5.0 #3052 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.18.1 to 4.20.1 #3051 (@dependabot[bot])
chore(deps): bump follow-redirects from 1.14.7 to 1.14.8 #3043 (@dependabot[bot])
chore(deps): bump go.uber.org/zap from 1.20.0 to 1.21.0 #3041 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.37.1 to 0.37.2 #3040 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.66.0 to 0.68.0 #3033 (@dependabot[bot])
deps: increase yarn network timeout #3018 (@travisgroth)
chore(deps): bump github.com/caddyserver/certmagic from 0.15.2 to 0.15.3 #3014 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.36.1 to 0.37.1 #3013 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.12 to 3.22.1 #3012 (@dependabot[bot])
chore(deps): bump github.com/mholt/acmez from 1.0.1 to 1.0.2 #3011 (@dependabot[bot])
chore(deps): bump mermaid from 8.12.1 to 8.13.10 #3010 (@dependabot[bot])
chore(deps): bump follow-redirects from 1.14.1 to 1.14.7 #3009 (@dependabot[bot])
chore(deps): bump prismjs from 1.24.1 to 1.26.0 #3008 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.17.2 to 4.18.1 #2989 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.43.0 to 1.44.0 #2988 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.43.0 to 1.44.0 #2987 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.65.0 to 0.66.0 #2986 (@dependabot[bot])
chore(deps): bump github.com/prometheus/client_golang from 1.12.0 to 1.12.1 #2985 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.16.2 to 4.17.2 #2963 (@dependabot[bot])
chore(deps): bump github.com/google/go-cmp from 0.5.6 to 0.5.7 #2962 (@dependabot[bot])
chore(deps): bump github.com/prometheus/client_golang from 1.11.0 to 1.12.0 #2961 (@dependabot[bot])
chore(deps): bump github.com/openzipkin/zipkin-go from 0.3.0 to 0.4.0 #2942 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.64.0 to 0.65.0 #2941 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.2 to 0.6.3 #2940 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.36.0 to 0.36.1 #2939 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.63.0 to 0.64.0 #2913 (@dependabot[bot])
chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0 #2912 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.35.0 to 0.36.0 #2911 (@dependabot[bot])
chore(deps): bump github.com/go-chi/chi from 1.5.4 to 4.1.2+incompatible #2910 (@dependabot[bot])
envoy: upgrade to 1.20.1 #2902 (@calebdoxsey)
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.11 to 3.21.12 #2886 (@dependabot[bot])
chore(deps): bump github.com/rs/cors from 1.8.0 to 1.8.2 #2855 (@dependabot[bot])
chore(deps): bump github.com/google/go-jsonnet from 0.17.0 to 0.18.0 #2854 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.16.1 to 4.16.2 #2853 (@dependabot[bot])

Deployment

deployment: remove DST cert workaround from debug image #2958 (@travisgroth)
deployment: multi-arch master images #2896 (@travisgroth)

Changed

config: add idp_client_id and idp_client_secret to protobuf #3060 (@calebdoxsey)
Extract email for active directory users that don't have access to exchange #3053 (@JBodkin-Amphora)
disable blank github issues #2898 (@travisgroth)

v0.16.4 (2022-02-25)

Full Changelog

Dependency

deps: update envoy to v1.19.3 #3083 (@travisgroth)

v0.16.3 (2022-02-11)

Full Changelog

Fixed

deployment: only include pomerium binary #3007 (@travisgroth)
auth0: support explicit domains in the service account #2996 (@backport-actions-token[bot])

v0.16.2 (2022-01-25)

Full Changelog

Fixed

config: fix policy matching for regular expressions #2969 (@backport-actions-token[bot])

v0.16.1 (2022-01-19)

Full Changelog

Fixed

webauthn: use absolute URL for delete redirect #2937 (@backport-actions-token[bot])
handle device states in deny block, fix default device type #2924 (@backport-actions-token[bot])
integration: fix default port for verify service #2908 (@backport-actions-token[bot])

v0.16.0 (2021-12-22)

Full Changelog

Breaking

identity: only assign access\_type uri params to google. #2782 (@desimone)
tls: fallback to self-signed certificate #2760 (@calebdoxsey)
github: use GraphQL API to reduce number of API calls for directory sync #2715 (@calebdoxsey)

New

more idp metrics #2842 (@wasaga)
devices: add experimental icon #2836 (@calebdoxsey)
devices: switch "default" device type to two built-in default device types #2835 (@calebdoxsey)
dashboard: improve display of device credentials, allow deletion #2829 (@calebdoxsey)
ppl: add support for http_path and http_method #2813 (@calebdoxsey)
config: add internal service URLs #2801 (@calebdoxsey)
envoy: add hash policy and routing key for hash-based load balancers #2791 (@calebdoxsey)
authorize: support X-Pomerium-Authorization in addition to Authorization #2780 (@calebdoxsey)
envoy: treat configuration errors as fatal #2777 (@calebdoxsey)
envoy: add support for bind_config bootstrap options #2772 (@calebdoxsey)
authenticate: redirect / to /.pomerium/ #2770 (@calebdoxsey)
device: add type id and credential id to enrollment for easier referencing #2749 (@calebdoxsey)
databroker: add additional log for config source #2718 (@calebdoxsey)
grpc: remove peer field from logs #2712 (@calebdoxsey)
desktop client api #2711 (@wasaga)
telemetry: improve zipkin error logs #2710 (@calebdoxsey)
authorize: add support for webauthn device policy enforcement #2700 (@calebdoxsey)
webauthn: update session to support device credentials per type #2699 (@calebdoxsey)
ppl: add support for additional data #2696 (@calebdoxsey)
Add additional ACME CA (autocert) options #2695 (@hslatman)
skip configuration updates to the most recent one #2690 (@wasaga)
authenticate: add support for webauthn #2688 (@calebdoxsey)
webauthnutil: add helpers for webauthn #2686 (@calebdoxsey)
devices: add device protobuf types #2682 (@calebdoxsey)
cryptutil: add SecureToken #2681 (@calebdoxsey)
config/envoyconfig: better duplicate message #2661 (@desimone)
pomerium-cli: add support for a custom browser command #2617 (@calebdoxsey)
ppl: pass contextual information through policy #2612 (@calebdoxsey)
add description to service accounts #2611 (@nhayfield)
DOCS: Add copy button to code snippets #2597 (@alexfornuto)
pomerium-cli: use cache dir instead of config dir #2588 (@calebdoxsey)
cli: update tcp log output format #2586 (@travisgroth)
directory: implement exponential backoff for refresh #2570 (@calebdoxsey)
google: support provider URL #2567 (@calebdoxsey)
config: remove signature_key_algorithm #2557 (@calebdoxsey)
allow pomerium to start without certs #2555 (@wasaga)
integration: kubernetes support #2536 (@calebdoxsey)
integration: nginx #2532 (@calebdoxsey)
integration: add traefik tests #2530 (@calebdoxsey)
envoy: remove deprecated access_log_path #2523 (@calebdoxsey)
config: remove headers #2522 (@calebdoxsey)
integration: add multi test #2519 (@calebdoxsey)
Remove api from GitLab defaultScope #2518 (@alexfornuto)
integration: add single-cluster integration tests #2516 (@calebdoxsey)
integration: remove tests #2514 (@calebdoxsey)
github: support provider URL #2490 (@calebdoxsey)
protoutil: add NewAny method for deterministic serialization #2462 (@calebdoxsey)
fix go get, improve redis test #2450 (@calebdoxsey)
all: remove unused handler code #2439 (@desimone)

Security

identity: fix user refresh #2724 (@calebdoxsey)
deps: update envoy to 1.19.1 #2526 (@travisgroth)

Fixed

add docs for ingress regex path #2822 (@wasaga)
Add docs team as a code owner of packages.json #2605 (@alexfornuto)
Add redirect for installation #2618 (@alexfornuto)
add service account redirects #2664 (@alexfornuto)
adjust comment blocking #2488 (@alexfornuto)
adjust sidebarDepths and document Desktop Client releases #2643 (@alexfornuto)
adjust sidebarDepths and document Desktop Client releases #2645 (@backport-actions-token[bot])
Auth0 Doc Refresh #2494 (@alexfornuto)
config: allow specifying auto codec type in all-in-one mode #2846 (@calebdoxsey)
config: detect changes to the kubernetes service account token file #2767 (@calebdoxsey)
Copy edit to changelog entry #2786 (@alexfornuto)
dashboard: add confirmation dialog, fix button in firefox #2841 (@calebdoxsey)
deps: update goreleaser #2757 (@travisgroth)
DOC: Copy edits to Okta IdP doc. #2623 (@alexfornuto)
Docs: Add Grafana Integration Guide #2742 (@alexfornuto)
DOCS: add Grafana to Guides index #2808 (@alexfornuto)
Docs: Add spdy annotation #2747 (@alexfornuto)
docs: add updated icon asset #2580 (@travisgroth)
Docs: Batch Updates #2628 (@alexfornuto)
docs: clarify custom request header limitations #2471 (@desimone)
DOCS: Collapse IDP Header #2641 (@alexfornuto)
Docs: Correct Claim Example #2689 (@alexfornuto)
DOCS: CORS preflight in console #2642 (@alexfornuto)
DOCS: Create Consolidated Troubleshooting Guide and Replace FAQ #2797 (@alexfornuto)
Docs: cross-reference links between concepts and reference #2648 (@alexfornuto)
docs: enterprise console v0.15.2 changelog #2564 (@travisgroth)
docs: enterprise v0.15.1 changelog #2542 (@travisgroth)
DOCS: Fix indentation in API doc #2798 (@alexfornuto)
Docs: Fix merged PR #2546 (@alexfornuto)
Docs: Reference gRPC API Docs #2717 (@alexfornuto)
docs: remove extra word / updated docs link #2638 (@cmo-pomerium)
docs: rename updated icon image #2582 (@travisgroth)
DOCS: Standardize Relative Links #2651 (@alexfornuto)
docs: update branding #2435 (@desimone)
docs: update branding, concepts #2445 (@desimone)
docs: update codeowners #2451 (@travisgroth)
Docs: Update Community Page #2713 (@cmo-pomerium)
docs: update default version to v0.15 #2437 (@travisgroth)
docs: update enterprise helm instructions to use main repo #2463 (@travisgroth)
DOCS: Update Enterprise Reference Docs #2599 (@alexfornuto)
Docs: Update JWT Verification Guide #2746 (@alexfornuto)
Docs: Update Kubernetes Dashboard Guide #2759 (@alexfornuto)
docs: update pomerium-cli location #2790 (@travisgroth)
Docs: Update Securing Kubernetes Guide #2758 (@alexfornuto)
Docs: Update Traefik Example Headers #2732 (@alexfornuto)
docs: use generic email #2484 (@alexfornuto)
Docs/batch link fixes #2621 (@alexfornuto)
document binding service to 443 #2487 (@alexfornuto)
Document Enterprise API #2595 (@alexfornuto)
Document moving routes #2460 (@alexfornuto)
Document Pomerium Policy Language #2784 (@alexfornuto)
Document Pomerium Policy Language #2789 (@backport-actions-token[bot])
Document recovery token generation #2579 (@alexfornuto)
Document tracing sample rate in console #2461 (@alexfornuto)
Enterprise Upgrade & Changelog Pages #2453 (@alexfornuto)
envoyconfig: fix tls_downstream_client_ca for non-standard ports #2802 (@calebdoxsey)
Fix IdP client metrics #2810 (@travisgroth)
Fix typo in docs #2683 (@nihaals)
fix typo in docs #2819 (@wasaga)
fix: Fixed return description error #2825 (@cfanbo)
Fixed 'kubtctl' typo on releases page #2673 (@ChaosInTheCRD)
internal/telemetry: fix grpc server metrics #2811 (@travisgroth)
Minor fix in routes documentation #2714 (@Kerwood)
New Topic Page: Original Request Context #2569 (@alexfornuto)
Refresh and Update TCP documentation #2627 (@alexfornuto)
Remove forward_auth_url from Enterprise #2779 (@alexfornuto)
specify expected audience in Console config #2442 (@alexfornuto)
TCP Client Doc #2561 (@alexfornuto)
typo #2644 (@alexfornuto)
Update AWS cognito IdP doc #2498 (@alexfornuto)
Update Azure IdP Doc #2497 (@alexfornuto)
Update binary install doc #2447 (@alexfornuto)
Update CODEOWNERS #2603 (@alexfornuto)
Update create TLS command to quote strings. #2694 (@FutureMatt)
Update Docker Quickstart #2482 (@alexfornuto)
update GitHub IdP doc #2503 (@alexfornuto)
Update GitLab IdP doc #2520 (@alexfornuto)
Update Helm Instructions #2467 (@alexfornuto)
Update IdP Overview Page #2493 (@alexfornuto)
Update Okta IdP doc #2491 (@alexfornuto)
update OneLogin IdP doc #2533 (@alexfornuto)
Update overview/architecture.md #2701 (@cmo-pomerium)
Update Ping Identity IdP #2537 (@alexfornuto)
Updates to Enterprise Quickstart instructions #2480 (@alexfornuto)
wrap header example values as inline code. #2474 (@alexfornuto)
Wrap mkcert command in quotes #2481 (@alexfornuto)

Dependency

chore(deps): bump google.golang.org/api from 0.62.0 to 0.63.0 #2834 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.26.0 to 1.26.1 #2833 (@dependabot[bot])
chore(deps): bump github.com/spf13/viper from 1.10.0 to 1.10.1 #2832 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.42.0 to 1.43.0 #2831 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.11+incompatible to 20.10.12+incompatible #2817 (@dependabot[bot])
chore(deps): bump github.com/spf13/viper from 1.9.0 to 1.10.0 #2816 (@dependabot[bot])
dev build support for darwin-arm64 from envoy tip #2815 (@wasaga)
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.10 to 3.21.11 #2807 (@dependabot[bot])
chore(deps): bump github.com/mitchellh/mapstructure from 1.4.2 to 1.4.3 #2806 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.60.0 to 0.61.0 #2805 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.34.2 to 0.35.0 #2804 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.15.1 to 4.16.1 #2803 (@dependabot[bot])
chore(deps): bump github.com/ory/dockertest/v3 from 3.8.0 to 3.8.1 #2785 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.14.2 to 4.15.1 #2783 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.10+incompatible to 20.10.11+incompatible #2776 (@dependabot[bot])
chore(deps): bump coverallsapp/github-action from 1.1.2 to 1.1.3 #2775 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.6.3 to 4.14.2 #2774 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.15.1 to 0.15.2 #2769 (@dependabot[bot])
chore(deps): bump github.com/cenkalti/backoff/v4 from 4.1.1 to 4.1.2 #2768 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.34.1 to 0.34.2 #2765 (@dependabot[bot])
chore(deps): bump github.com/mholt/acmez from 1.0.0 to 1.0.1 #2764 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.21.0 to 5.21.1 #2763 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.42.1 to 1.43.0 #2756 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.34.0 to 0.34.1 #2755 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.41.0 to 1.42.0 #2754 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.25.0 to 1.26.0 #2753 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.20.0 to 5.21.0 #2752 (@dependabot[bot])
dependencies: vendor base58, remove shortuuid #2739 (@calebdoxsey)
chore(deps): bump google.golang.org/api from 0.58.0 to 0.60.0 #2737 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.9 to 3.21.10 #2736 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.33.1 to 0.34.0 #2735 (@dependabot[bot])
chore(deps): bump github.com/openzipkin/zipkin-go from 0.2.5 to 0.3.0 #2734 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.31.1 to 0.32.1 #2706 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.9+incompatible to 20.10.10+incompatible #2705 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.19.2 to 5.20.0 #2704 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.1 to 0.6.2 #2703 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.14.5 to 0.15.1 #2685 (@dependabot[bot])
chore(deps): bump github.com/peterbourgon/ff/v3 from 3.1.0 to 3.1.2 #2672 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.8 to 3.21.9 #2671 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.8+incompatible to 20.10.9+incompatible #2670 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.57.0 to 0.58.0 #2660 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.11.3 to 8.11.4 #2659 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.32.1 to 0.33.1 #2658 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.31.0 to 0.31.1 #2656 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.32.0 to 0.32.1 #2633 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.40.0 to 1.41.0 #2632 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.30.0 to 0.31.0 #2631 (@dependabot[bot])
chore(deps): bump sigs.k8s.io/yaml from 1.2.0 to 1.3.0 #2630 (@dependabot[bot])
chore(deps): bump github.com/ory/dockertest/v3 from 3.7.0 to 3.8.0 #2629 (@dependabot[bot])
chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.9.0 #2616 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.56.0 to 0.57.0 #2615 (@dependabot[bot])
chore(deps): bump github.com/coreos/go-oidc/v3 from 3.0.0 to 3.1.0 #2614 (@dependabot[bot])
bump protoc-validate #2606 (@wasaga)
chore(deps): bump go.uber.org/zap from 1.19.0 to 1.19.1 #2592 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.24.0 to 1.25.0 #2591 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.7 to 3.21.8 #2577 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.42.0 to 1.42.1 #2576 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.14.4 to 0.14.5 #2575 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.54.0 to 0.56.0 #2574 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.31.0 to 0.32.0 #2573 (@dependabot[bot])
chore(deps): bump github.com/fsnotify/fsnotify from 1.5.0 to 1.5.1 #2554 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.14.3 to 0.14.4 #2553 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.23.0 to 1.24.0 #2552 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.7+incompatible to 20.10.8+incompatible #2551 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.14.1 to 0.14.3 #2550 (@dependabot[bot])
chore(deps): bump contrib.go.opencensus.io/exporter/prometheus from 0.3.0 to 0.4.0 #2549 (@dependabot[bot])
chore(deps): bump github.com/cespare/xxhash/v2 from 2.1.1 to 2.1.2 #2548 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.7.2 to 0.7.3 #2512 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.41.1 to 1.42.0 #2511 (@dependabot[bot])
chore(deps): bump github.com/fsnotify/fsnotify from 1.4.9 to 1.5.0 #2510 (@dependabot[bot])
ci: use go 1.17.x #2492 (@desimone)
chore(deps): bump google.golang.org/grpc from 1.39.1 to 1.40.0 #2478 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.11.2 to 8.11.3 #2477 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.52.0 to 0.54.0 #2476 (@dependabot[bot])
chore(deps): bump go.uber.org/zap from 1.18.1 to 1.19.0 #2475 (@dependabot[bot])
ci: support darwn/arm64 aka m1 for cli #2473 (@desimone)
chore(deps): bump google.golang.org/grpc from 1.39.0 to 1.39.1 #2457 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.7.1 to 0.7.2 #2456 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.11.1 to 8.11.2 #2455 (@dependabot[bot])
Hadolint #2363 (@stephengroat)

Deployment

deployment: migrate pomerium-cli automation to new repo #2771 (@travisgroth)
deployment: remove DST_Root_CA_X3 from docker images #2677 (@travisgroth)
deployment: update goreleaser syntax #2524 (@travisgroth)

Changed

move NewGRPCClientConn to public package #2826 (@wasaga)
rm cli code #2824 (@wasaga)
ci: remove hadolint #2726 (@travisgroth)
ci: ignore multiple run commands #2566 (@travisgroth)
redirect logo to the marketing site #2441 (@alexfornuto)
ci: use github app for backport credentials #2369 (@travisgroth)

v0.15.8 (2021-12-17)

Full Changelog

Fixed

authorize: fix nginx infinite redirect #2812 (@calebdoxsey)

Documentation

DOCS: add Grafana to Guides index #2809 (@backport-actions-token[bot])
DOCS: Fix indentation in API doc #2799 (@backport-actions-token[bot])
Docs: Update Kubernetes Dashboard Guide #2795 (@backport-actions-token[bot])
Docs: Update Securing Kubernetes Guide #2792 (@backport-actions-token[bot])
Docs: Update JWT Verification Guide #2787 (@backport-actions-token[bot])

Dependency

deps: pin release to latest go version #2827 (@travisgroth)

v0.15.7 (2021-11-15)

Full Changelog

Fixed

autocert: remove log #2750 (@backport-actions-token[bot])

Security

identity: fix user refresh #2725 (@backport-actions-token[bot])

Documentation

Docs: Add Grafana Integration Guide #2762 (@backport-actions-token[bot])
Docs: Add spdy annotation #2751 (@backport-actions-token[bot])
Docs: Ingress Controller #2745 (@backport-actions-token[bot])
Docs: Update Traefik Example Headers #2741 (@backport-actions-token[bot])
Docs: Update Community Page #2731 (@backport-actions-token[bot])
Minor fix in routes documentation #2721 (@backport-actions-token[bot])
Docs: Reference gRPC API Docs #2720 (@backport-actions-token[bot])
Update overview/architecture.md #2707 (@backport-actions-token[bot])

v0.15.6 (2021-11-04)

Full Changelog

Breaking

github: use GraphQL API to reduce number of API calls for directory sync #2715 (@calebdoxsey)

New

Add additional ACME CA (autocert) options #2695 (@hslatman)
add description to service accounts #2611 (@nhayfield)
all: remove unused handler code #2439 (@desimone)
allow pomerium to start without certs #2555 (@wasaga)
authenticate: add support for webauthn #2688 (@calebdoxsey)
authorize: add support for webauthn device policy enforcement #2700 (@calebdoxsey)
cli: update tcp log output format #2586 (@travisgroth)
config: remove headers #2522 (@calebdoxsey)
config/envoyconfig: better duplicate message #2661 (@desimone)
cryptutil: add SecureToken #2681 (@calebdoxsey)
databroker: add additional log for config source #2718 (@calebdoxsey)
desktop client api #2711 (@wasaga)
devices: add device protobuf types #2682 (@calebdoxsey)
directory: implement exponential backoff for refresh #2570 (@calebdoxsey)
DOCS: Add copy button to code snippets #2597 (@alexfornuto)
envoy: remove deprecated access_log_path #2523 (@calebdoxsey)
fix go get, improve redis test #2450 (@calebdoxsey)
github: support provider URL #2490 (@calebdoxsey)
google: support provider URL #2567 (@calebdoxsey)
grpc: remove peer field from logs #2712 (@calebdoxsey)
integration: add multi test #2519 (@calebdoxsey)
integration: add single-cluster integration tests #2516 (@calebdoxsey)
integration: add traefik tests #2530 (@calebdoxsey)
integration: kubernetes support #2536 (@calebdoxsey)
integration: nginx #2532 (@calebdoxsey)
integration: remove tests #2514 (@calebdoxsey)
pomerium-cli: add support for a custom browser command #2617 (@calebdoxsey)
pomerium-cli: use cache dir instead of config dir #2588 (@calebdoxsey)
ppl: add support for additional data #2696 (@calebdoxsey)
ppl: pass contextual information through policy #2612 (@calebdoxsey)
protoutil: add NewAny method for deterministic serialization #2462 (@calebdoxsey)
Remove api from GitLab defaultScope #2518 (@alexfornuto)
skip configuration updates to the most recent one #2690 (@wasaga)
telemetry: improve zipkin error logs #2710 (@calebdoxsey)
webauthn: update session to support device credentials per type #2699 (@calebdoxsey)
webauthnutil: add helpers for webauthn #2686 (@calebdoxsey)

Fixed

add host-rewrite options to config.proto #2668 (@wasaga)
authclient: clone TLS configuration to prevent overriding NextProtos #2594 (@calebdoxsey)
authenticate: add databroker versions to session cookie #2709 (@calebdoxsey)
authenticate: always update user record on login #2719 (@calebdoxsey)
authorize: fix google cloudrun header audience #2558 (@calebdoxsey)
authorize: fix X-Pomerium-Claim-Groups #2539 (@calebdoxsey)
authorize: use session.user_id in headers #2571 (@calebdoxsey)
autocert: remove log #2584 (@calebdoxsey)
deployment: relocate pomerium-cli to /usr/bin #2727 (@travisgroth)
fix forward-auth, logging #2509 (@calebdoxsey)
grpc: disable gRPC connection re-use across services #2515 (@calebdoxsey)
grpc: send client traffic through envoy #2469 (@calebdoxsey)
options: remove refresh_cooldown, add allow_spdy to proto #2446 (@calebdoxsey)
ppl: use session.user_id instead of user.id for user criterion #2562 (@calebdoxsey)
protoc: add xds repo #2687 (@calebdoxsey)
tcptunnel: force the use of HTTP/1.1 during ALPN #2593 (@calebdoxsey)
userinfo: format exp, iat and updated_at #2585 (@calebdoxsey)

Security

identity: fix user refresh #2724 (@calebdoxsey)
deps: update envoy to 1.19.1 #2526 (@travisgroth)

Documentation

Add docs team as a code owner of packages.json #2605 (@alexfornuto)
Add redirect for installation #2618 (@alexfornuto)
add service account redirects #2664 (@alexfornuto)
adjust comment blocking #2488 (@alexfornuto)
adjust sidebarDepths and document Desktop Client releases #2643 (@alexfornuto)
Auth0 Doc Refresh #2494 (@alexfornuto)
DOC: Copy edits to Okta IdP doc. #2623 (@alexfornuto)
docs: add updated icon asset #2580 (@travisgroth)
Docs: Batch Updates #2628 (@alexfornuto)
docs: clarify custom request header limitations #2471 (@desimone)
DOCS: Collapse IDP Header #2641 (@alexfornuto)
Docs: Correct Claim Example #2689 (@alexfornuto)
DOCS: CORS preflight in console #2642 (@alexfornuto)
Docs: cross-reference links between concepts and reference #2648 (@alexfornuto)
docs: enterprise console v0.15.2 changelog #2564 (@travisgroth)
docs: enterprise v0.15.1 changelog #2542 (@travisgroth)
Docs: Fix merged PR #2546 (@alexfornuto)
Docs: Ingress Controller #2667 (@alexfornuto)
Docs: Reference gRPC API Docs #2717 (@alexfornuto)
docs: remove extra word / updated docs link #2638 (@cmo-pomerium)
docs: rename updated icon image #2582 (@travisgroth)
DOCS: Standardize Relative Links #2651 (@alexfornuto)
docs: update branding #2435 (@desimone)
docs: update branding, concepts #2445 (@desimone)
docs: update codeowners #2451 (@travisgroth)
Docs: Update Community Page #2713 (@cmo-pomerium)
docs: update default version to v0.15 #2437 (@travisgroth)
docs: update enterprise helm instructions to use main repo #2463 (@travisgroth)
DOCS: Update Enterprise Reference Docs #2599 (@alexfornuto)
Docs: Update Traefik Example Headers #2732 (@alexfornuto)
docs: use generic email #2484 (@alexfornuto)
Docs/batch link fixes #2621 (@alexfornuto)
document binding service to 443 #2487 (@alexfornuto)
Document Enterprise API #2595 (@alexfornuto)
Document moving routes #2460 (@alexfornuto)
Document recovery token generation #2579 (@alexfornuto)
Document tracing sample rate in console #2461 (@alexfornuto)
Enterprise Upgrade & Changelog Pages #2453 (@alexfornuto)
Fix typo in docs #2683 (@nihaals)
Fixed 'kubtctl' typo on releases page #2673 (@ChaosInTheCRD)
Minor fix in routes documentation #2714 (@Kerwood)
New Topic Page: Original Request Context #2569 (@alexfornuto)
Refresh and Update TCP documentation #2627 (@alexfornuto)
specify expected audience in Console config #2442 (@alexfornuto)
TCP Client Doc #2561 (@alexfornuto)
typo #2644 (@alexfornuto)
Update AWS cognito IdP doc #2498 (@alexfornuto)
Update Azure IdP Doc #2497 (@alexfornuto)
Update binary install doc #2447 (@alexfornuto)
Update CODEOWNERS #2603 (@alexfornuto)
Update create TLS command to quote strings. #2694 (@FutureMatt)
Update Docker Quickstart #2482 (@alexfornuto)
update GitHub IdP doc #2503 (@alexfornuto)
Update GitLab IdP doc #2520 (@alexfornuto)
Update Helm Instructions #2467 (@alexfornuto)
Update IdP Overview Page #2493 (@alexfornuto)
Update Okta IdP doc #2491 (@alexfornuto)
update OneLogin IdP doc #2533 (@alexfornuto)
Update overview/architecture.md #2701 (@cmo-pomerium)
Update Ping Identity IdP #2537 (@alexfornuto)
Updates to Enterprise Quickstart instructions #2480 (@alexfornuto)
wrap header example values as inline code. #2474 (@alexfornuto)
Wrap mkcert command in quotes #2481 (@alexfornuto)

Dependency

dependencies: vendor base58, remove shortuuid #2739 (@calebdoxsey)
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.9 to 3.21.10 #2736 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.33.1 to 0.34.0 #2735 (@dependabot[bot])
chore(deps): bump github.com/openzipkin/zipkin-go from 0.2.5 to 0.3.0 #2734 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.31.1 to 0.32.1 #2706 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.9+incompatible to 20.10.10+incompatible #2705 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.19.2 to 5.20.0 #2704 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.1 to 0.6.2 #2703 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.14.5 to 0.15.1 #2685 (@dependabot[bot])
chore(deps): bump github.com/peterbourgon/ff/v3 from 3.1.0 to 3.1.2 #2672 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.8 to 3.21.9 #2671 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.8+incompatible to 20.10.9+incompatible #2670 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.57.0 to 0.58.0 #2660 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.11.3 to 8.11.4 #2659 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.32.1 to 0.33.1 #2658 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.31.0 to 0.31.1 #2656 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.32.0 to 0.32.1 #2633 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.40.0 to 1.41.0 #2632 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.30.0 to 0.31.0 #2631 (@dependabot[bot])
chore(deps): bump sigs.k8s.io/yaml from 1.2.0 to 1.3.0 #2630 (@dependabot[bot])
chore(deps): bump github.com/ory/dockertest/v3 from 3.7.0 to 3.8.0 #2629 (@dependabot[bot])
chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.9.0 #2616 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.56.0 to 0.57.0 #2615 (@dependabot[bot])
chore(deps): bump github.com/coreos/go-oidc/v3 from 3.0.0 to 3.1.0 #2614 (@dependabot[bot])
bump protoc-validate #2606 (@wasaga)
chore(deps): bump go.uber.org/zap from 1.19.0 to 1.19.1 #2592 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.24.0 to 1.25.0 #2591 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.7 to 3.21.8 #2577 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.42.0 to 1.42.1 #2576 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.14.4 to 0.14.5 #2575 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.54.0 to 0.56.0 #2574 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.31.0 to 0.32.0 #2573 (@dependabot[bot])
chore(deps): bump github.com/fsnotify/fsnotify from 1.5.0 to 1.5.1 #2554 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.14.3 to 0.14.4 #2553 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.23.0 to 1.24.0 #2552 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.7+incompatible to 20.10.8+incompatible #2551 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.14.1 to 0.14.3 #2550 (@dependabot[bot])
chore(deps): bump contrib.go.opencensus.io/exporter/prometheus from 0.3.0 to 0.4.0 #2549 (@dependabot[bot])
chore(deps): bump github.com/cespare/xxhash/v2 from 2.1.1 to 2.1.2 #2548 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.7.2 to 0.7.3 #2512 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.41.1 to 1.42.0 #2511 (@dependabot[bot])
chore(deps): bump github.com/fsnotify/fsnotify from 1.4.9 to 1.5.0 #2510 (@dependabot[bot])
ci: use go 1.17.x #2492 (@desimone)
chore(deps): bump google.golang.org/grpc from 1.39.1 to 1.40.0 #2478 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.11.2 to 8.11.3 #2477 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.52.0 to 0.54.0 #2476 (@dependabot[bot])
chore(deps): bump go.uber.org/zap from 1.18.1 to 1.19.0 #2475 (@dependabot[bot])
ci: support darwn/arm64 aka m1 for cli #2473 (@desimone)
chore(deps): bump github.com/go-redis/redis/v8 from 8.11.1 to 8.11.2 #2459 (@backport-actions-token[bot])
chore(deps): bump google.golang.org/grpc from 1.39.0 to 1.39.1 #2457 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.7.1 to 0.7.2 #2456 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.11.1 to 8.11.2 #2455 (@dependabot[bot])
Hadolint #2363 (@stephengroat)

Changed

ci: remove hadolint #2726 (@travisgroth)
ci: ignore multiple run commands #2566 (@travisgroth)
redirect logo to the marketing site #2441 (@alexfornuto)
deployment: remove DST_Root_CA_X3 from docker images #2677 (@travisgroth)
deployment: update goreleaser syntax #2524 (@travisgroth)

v0.15.5 (2021-10-22)

Full Changelog

New

skip configuration updates to the most recent one #2692 (@backport-actions-token[bot])

Changed

Update create TLS command to quote strings. #2697 (@backport-actions-token[bot])
DOCS: CORS preflight in console #2693 (@backport-actions-token[bot])
Docs: Correct Claim Example #2691 (@backport-actions-token[bot])
Fix typo in docs #2684 (@backport-actions-token[bot])
deployment: remove DST_Root_CA_X3 from docker images #2698 (@travisgroth)

v0.15.4 (2021-10-14)

Full Changelog

New

protoutil: add NewAny method for deterministic serialization #2662 (@backport-actions-token[bot])

Fixed

backport: host rewrite #2669 (@wasaga)

Documentation

Add redirect for installation #2620 (@backport-actions-token[bot])
add service account redirects #2665 (@backport-actions-token[bot])
DOC: Copy edits to Okta IdP doc. #2625 (@backport-actions-token[bot])
Docs: Batch Updates #2640 (@backport-actions-token[bot])
DOCS: Collapse IDP Header #2649 (@backport-actions-token[bot])
Docs: cross-reference links between concepts and reference #2650 (@backport-actions-token[bot])
Docs: Ingress Controller #2667 (@alexfornuto)
docs: remove extra word / updated docs link #2639 (@backport-actions-token[bot])
DOCS: Standardize Relative Links (#2651) #2654 (@alexfornuto)
DOCS: Update Enterprise Reference Docs #2624 (@backport-actions-token[bot])
Docs/batch link fixes #2622 (@backport-actions-token[bot])
Document Enterprise API #2619 (@backport-actions-token[bot])
Fixed 'kubtctl' typo on releases page #2680 (@backport-actions-token[bot])
Refresh and Update TCP documentation #2679 (@backport-actions-token[bot])
TCP Client Doc #2626 (@backport-actions-token[bot])
typo #2646 (@backport-actions-token[bot])

v0.15.3 (2021-09-17)

Full Changelog

New

cli: update tcp log output format #2587 (@travisgroth)

Fixed

backport 2593 and 2594 to 0.15 #2598 (@calebdoxsey)

Documentation

Add docs team as a code owner of packages.json #2607 (@backport-actions-token[bot])
DOCS: Add copy button to code snippets #2600 (@backport-actions-token[bot])
docs: add updated icon asset #2581 (@backport-actions-token[bot])
docs: rename updated icon image #2583 (@backport-actions-token[bot])
Document recovery token generation #2601 (@backport-actions-token[bot])
New Topic Page: Original Request Context #2602 (@backport-actions-token[bot])

Changed

Update CODEOWNERS #2604 (@backport-actions-token[bot])

v0.15.2 (2021-09-03)

Full Changelog

New

allow pomerium to start without certs #2556 (@backport-actions-token[bot])

Fixed

authorize: use session.user_id in headers #2572 (@backport-actions-token[bot])
ppl: use session.user_id instead of user.id for user criterion #2563 (@backport-actions-token[bot])
authorize: fix google cloudrun header audience #2560 (@backport-actions-token[bot])
authorize: fix X-Pomerium-Claim-Groups #2540 (@backport-actions-token[bot])

Documentation

docs: enterprise console v0.15.2 changelog #2565 (@backport-actions-token[bot])
Docs: Fix merged PR #2547 (@backport-actions-token[bot])
Update Ping Identity IdP #2545 (@backport-actions-token[bot])
update OneLogin IdP doc #2544 (@backport-actions-token[bot])
docs: enterprise v0.15.1 changelog #2543 (@backport-actions-token[bot])
Updates to Enterprise Quickstart instructions #2531 (@backport-actions-token[bot])

v0.15.0 (2021-08-05)

Full Changelog

Breaking

config: remove support for ed25519 signing keys #2430 (@calebdoxsey)

New

authorize: add additional tracing for rego evaluation #2381 (@calebdoxsey)
authorize: log additional session details #2419 (@calebdoxsey)
authorize: log service account and impersonation details #2354 (@calebdoxsey)
authorize: remove service account impersonate user id, email and groups #2365 (@calebdoxsey)
ci: use revive instead of golint #2370 (@calebdoxsey)
config: add support for embedded PPL policy #2401 (@calebdoxsey)
config: add warning about http URLs #2358 (@calebdoxsey)
directory: add logging http client to help with debugging outbound http requests #2385 (@calebdoxsey)
envoyconfig: add bootstrap layered runtime configuration #2343 (@calebdoxsey)
envoyconfig: default zipkin path to / when empty #2359 (@calebdoxsey)
envoyconfig: improvements #2402 (@calebdoxsey)
evaluator: use cryptutil.Hash for script spans #2384 (@desimone)
k8s: add flush-credentials command #2379 (@calebdoxsey)
ppl: remove support for aliases #2400 (@calebdoxsey)
registry/redis: call publish from within lua function #2337 (@calebdoxsey)
sessions: add impersonate_session_id, remove legacy impersonation #2407 (@calebdoxsey)
telemetry: add nonce and make explicit ack/nack #2434 (@wasaga)
telemetry: try guess hostname or external IP addr for metrics #2412 (@wasaga)
tools: add tools.go to pin go run apps #2344 (@calebdoxsey)
urlutil: improve error message for urls with port in path #2377 (@calebdoxsey)

Fixed

authorize: add sid to JWT claims #2420 (@calebdoxsey)
authorize: allow redirects on deny #2361 (@calebdoxsey)
authorize: decode CheckRequest path for redirect #2357 (@calebdoxsey)
authorize: support boolean deny results #2338 (@calebdoxsey)
ci: update gcloud action #2393 (@travisgroth)
config: remove grpc server max connection age options #2427 (@calebdoxsey)
disable http/2 for websockets #2399 (@calebdoxsey)
envoy: only check for pid with monitor #2355 (@calebdoxsey)
envoyconfig: only delete cached files, ignore noisy error #2356 (@calebdoxsey)
fix: timeout in protobuf #2341 (@wasaga)
google: remove WithHTTPClient #2391 (@calebdoxsey)
telemetry: support b3 headers on gRPC server calls #2376 (@calebdoxsey)

Security

envoy: only allow embedding #2368 (@calebdoxsey)

Documentation

doc updates #2433 (@calebdoxsey)
Docs bug fixes #2362 (@alexfornuto)
Docs sorting #2346 (@alexfornuto)
docs: clarify device identity, not state via client certs #2428 (@desimone)
docs: only secure schemes are supported #2408 (@desimone)
docs/reference: Clarify use of idp_service_account #2431 (@the-maldridge)
Enterprise Docs #2390 (@alexfornuto)
Installation Docs Restructuring #2406 (@alexfornuto)
symlink security policy to root of project #2396 (@desimone)
Update Console installs to match signing_key #2432 (@alexfornuto)
Update installation source for mkcert #2340 (@alexfornuto)
update v0.15 changelog #2436 (@travisgroth)
v0.15 release notes #2409 (@travisgroth)

Dependency

chore(deps): bump github.com/caddyserver/certmagic from 0.14.0 to 0.14.1 #2352 (@dependabot[bot])
chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.0-rc.1 to 3.0.0 #2421 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.10.0 to 8.11.0 #2329 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.11.0 to 8.11.1 #2413 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.40.1 to 1.41.1 #2353 (@dependabot[bot])
chore(deps): bump github.com/google/uuid from 1.2.0 to 1.3.0 #2374 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.29.4 to 0.30.1 #2323 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.30.1 to 0.30.2 #2373 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.30.2 to 0.31.0 #2416 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.29.0 to 0.30.0 #2417 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.6.0 to 0.7.0 #2328 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.7.0 to 0.7.1 #2395 (@dependabot[bot])
chore(deps): bump github.com/rs/cors from 1.7.0 to 1.8.0 #2334 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.5 to 3.21.6 #2326 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.6 to 3.21.7 #2414 (@dependabot[bot])
chore(deps): bump github.com/spf13/cobra from 1.1.3 to 1.2.1 #2330 (@dependabot[bot])
chore(deps): bump go.uber.org/zap from 1.17.0 to 1.18.1 #2325 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.49.0 to 0.50.0 #2333 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.50.0 to 0.51.0 #2394 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.51.0 to 0.52.0 #2415 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.38.0 to 1.39.0 #2324 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.19.1 to 5.19.2 #2422 (@dependabot[bot])
chore(deps): upgrade kind action to v1.2.0 #2331 (@travisgroth)
ci: convert to FOSSA scan #2371 (@travisgroth)

Changed

build: add envoy files to make clean #2411 (@travisgroth)
ci: use github app for backport credentials #2369 (@travisgroth)
databroker: tests #2367 (@calebdoxsey)
envoy: bump to 1.19 #2392 (@travisgroth)
redis: increase timeout on test #2425 (@calebdoxsey)
redis: refactor change signal test to be more deterministic #2335 (@calebdoxsey)
storage/inmemory: add tests for close behavior #2336 (@calebdoxsey)

v0.14.8 (2021-08-26)

Full Changelog

Security

deps: bump envoy to v0.17.4 #2535 (@travisgroth)

Documentation

Docs backporting #2351 (@alexfornuto)
Docs bug fixes #2364 (@github-actions[bot])
docs: google gcp / workspace instructions #2350 (@github-actions[bot])
docs: only secure schemes are supported #2410 (@backport-actions-token[bot])

Dependency

chore(deps): upgrade kind action to v1.2.0 (#2281) #2366 (@travisgroth)

Changed

ci: update gcloud action #2538 (@backport-actions-token[bot])

v0.15.1 (2021-08-25)

Full Changelog

Fixed

options: remove refresh_cooldown, add allow_spdy to proto #2448 (@backport-actions-token[bot])

Security

deps: update envoy to 1.19.1 #2527 (@backport-actions-token[bot])

Documentation

adjust comment blocking #2489 (@backport-actions-token[bot])
Auth0 Doc Refresh #2500 (@backport-actions-token[bot])
docs: clarify custom request header limitations #2472 (@backport-actions-token[bot])
docs: update branding #2440 (@backport-actions-token[bot])
docs: update branding, concepts #2449 (@backport-actions-token[bot])
docs: update codeowners #2506 (@backport-actions-token[bot])
docs: update default version to v0.15 #2438 (@backport-actions-token[bot])
docs: update enterprise helm instructions to use main repo #2464 (@backport-actions-token[bot])
docs: use generic email #2485 (@backport-actions-token[bot])
document binding service to 443 #2499 (@backport-actions-token[bot])
Document moving routes #2466 (@backport-actions-token[bot])
Document tracing sample rate in console #2465 (@backport-actions-token[bot])
Enterprise Upgrade & Changelog Pages #2458 (@backport-actions-token[bot])
redirect logo to the marketing site #2443 (@backport-actions-token[bot])
Remove api from GitLab defaultScope #2528 (@backport-actions-token[bot])
specify expected audience in Console config #2444 (@backport-actions-token[bot])
Update AWS cognito IdP doc #2501 (@backport-actions-token[bot])
Update Azure IdP Doc #2504 (@backport-actions-token[bot])
Update binary install doc #2452 (@backport-actions-token[bot])
Update Docker Quickstart (#2482) #2486 (@alexfornuto)
update GitHub IdP doc #2508 (@backport-actions-token[bot])
Update GitLab IdP doc #2529 (@backport-actions-token[bot])
Update Helm Instructions #2505 (@backport-actions-token[bot])
Update IdP Overview Page #2502 (@backport-actions-token[bot])
Update Okta IdP doc #2495 (@backport-actions-token[bot])
wrap header example values as inline code. #2479 (@backport-actions-token[bot])

Dependency

chore(deps): bump github.com/go-redis/redis/v8 from 8.11.1 to 8.11.2 #2459 (@backport-actions-token[bot])

Deployment

deployment: update goreleaser syntax #2525 (@backport-actions-token[bot])
ci: support darwn/arm64 aka m1 for cli #2521 (@travisgroth)

v0.15.0 (2021-08-05)

Full Changelog

Breaking

config: remove support for ed25519 signing keys #2430 (@calebdoxsey)

New

authorize: add additional tracing for rego evaluation #2381 (@calebdoxsey)
authorize: do not send redirects to gRPC #2314 (@wasaga)
authorize: handle grpc-web content types like json #2268 (@calebdoxsey)
authorize: log additional session details #2419 (@calebdoxsey)
authorize: log service account and impersonation details #2354 (@calebdoxsey)
authorize: preserve original context #2247 (@wasaga)
authorize: remove service account impersonate user id, email and groups #2365 (@calebdoxsey)
certs: reject certs from databroker if they conflict with local #2309 (@wasaga)
ci: use revive instead of golint #2370 (@calebdoxsey)
cli: use proxy from environment #2316 (@tskinn)
config: add enable_google_cloud_serverless_authentication to config protobuf #2306 (@calebdoxsey)
config: add support for embedded PPL policy #2401 (@calebdoxsey)
config: add warning about http URLs #2358 (@calebdoxsey)
databroker: implement leases #2172 (@calebdoxsey)
directory: add logging http client to help with debugging outbound http requests #2385 (@calebdoxsey)
envoy: add full version #2287 (@calebdoxsey)
envoy: disable timeouts for kubernetes #2189 (@calebdoxsey)
envoy: refactor envoy embedding #2296 (@calebdoxsey)
envoyconfig: add bootstrap layered runtime configuration #2343 (@calebdoxsey)
envoyconfig: default zipkin path to / when empty #2359 (@calebdoxsey)
envoyconfig: improvements #2402 (@calebdoxsey)
envoyconfig: use zipkin tracer #2265 (@calebdoxsey)
evaluator: use cryptutil.Hash for script spans #2384 (@desimone)
k8s: add flush-credentials command #2379 (@calebdoxsey)
Pomerium Policy Language #2202 (@calebdoxsey)
ppl: add data type, implement string and list matchers #2228 (@calebdoxsey)
ppl: convert config policy to ppl #2218 (@calebdoxsey)
ppl: refactor authorize to evaluate PPL #2224 (@calebdoxsey)
ppl: remove support for aliases #2400 (@calebdoxsey)
proxy: add idle timeout #2319 (@wasaga)
registry: implement redis backend #2179 (@calebdoxsey)
registry/redis: call publish from within lua function #2337 (@calebdoxsey)
report instance hostname in xds events #2175 (@wasaga)
sessions: add impersonate_session_id, remove legacy impersonation #2407 (@calebdoxsey)
telemetry: add hostname tag to metrics #2191 (@wasaga)
telemetry: add nonce and make explicit ack/nack #2434 (@wasaga)
telemetry: try guess hostname or external IP addr for metrics #2412 (@wasaga)
tools: add tools.go to pin go run apps #2344 (@calebdoxsey)
urlutil: improve error message for urls with port in path #2377 (@calebdoxsey)
xds: retry storing configuration events #2266 (@calebdoxsey)

Fixed

authorize: add sid to JWT claims #2420 (@calebdoxsey)
authorize: allow redirects on deny #2361 (@calebdoxsey)
authorize: decode CheckRequest path for redirect #2357 (@calebdoxsey)
authorize: grpc health check #2200 (@wasaga)
authorize: only redirect for HTML pages #2264 (@calebdoxsey)
authorize: round timestamp #2258 (@wasaga)
authorize: support boolean deny results #2338 (@calebdoxsey)
ci: update gcloud action #2393 (@travisgroth)
config: remove grpc server max connection age options #2427 (@calebdoxsey)
config: warn about unrecognized keys #2256 (@wasaga)
darwin: use gopsutil v3 to fix arm issue #2245 (@calebdoxsey)
databroker: only tag contexts used for UpdateRecords #2269 (@wasaga)
deployment: fix empty version on master builds #2193 (@travisgroth)
directory/azure: add paging support to user group members call #2311 (@calebdoxsey)
disable http/2 for websockets #2399 (@calebdoxsey)
envoy: add global response headers to local replies #2217 (@calebdoxsey)
envoy: always set jwt claim headers even if no value is available #2261 (@calebdoxsey)
envoy: disable hot-reload for macos #2259 (@calebdoxsey)
envoy: exit if envoy exits #2240 (@calebdoxsey)
envoy: fix usage of codec_type with alpn #2277 (@calebdoxsey)
envoy: only check for pid with monitor #2355 (@calebdoxsey)
envoyconfig: fallback to global custom ca when no policy ca is defined #2235 (@calebdoxsey)
envoyconfig: only delete cached files, ignore noisy error #2356 (@calebdoxsey)
fix: timeout in protobuf #2341 (@wasaga)
forward auth: don't strip query parameters #2216 (@wasaga)
google: remove WithHTTPClient #2391 (@calebdoxsey)
ocsp: reload on response changes #2286 (@wasaga)
options: s/shared-key/shared secret #2257 (@desimone)
policy: fix allowed idp claims PPL generation #2243 (@calebdoxsey)
PPL: bubble up values, bug fixes #2213 (@calebdoxsey)
ppl: fix not/nor rules #2313 (@calebdoxsey)
proxy / controplane: use old upstream cipher suite #2196 (@desimone)
redis: enforce capacity via ZREVRANGE to avoid race #2267 (@calebdoxsey)
Revert "authenticate,proxy: add same site lax to cookies" #2203 (@desimone)
telemetry: support b3 headers on gRPC server calls #2376 (@calebdoxsey)
tracing: support dynamic reloading, more aggressive envoy restart #2262 (@calebdoxsey)

Security

envoy: only allow embedding #2368 (@calebdoxsey)
deps: bump envoy to v1.17.3 #2198 (@travisgroth)

Documentation

add support for latest version of code-server #2229 (@bpmct)
doc updates #2433 (@calebdoxsey)
Docs bug fixes #2362 (@alexfornuto)
Docs sorting #2346 (@alexfornuto)
docs: add v0.14 feature highlights #2183 (@travisgroth)
docs: add v0.14 feature highlights #2184 (@github-actions[bot])
docs: clarify device identity, not state via client certs #2428 (@desimone)
docs: google gcp / workspace instructions #2272 (@desimone)
docs: Match Tenses #2214 (@alexfornuto)
docs: only secure schemes are supported #2408 (@desimone)
docs: rm broken link #2215 (@alexfornuto)
docs: update _redirects #2237 (@desimone)
docs: update helm values for chart v20.0.0 #2242 (@travisgroth)
docs: update slack link to vanity url #2177 (@travisgroth)
docs/reference: Clarify use of idp_service_account #2431 (@the-maldridge)
Enterprise Docs #2390 (@alexfornuto)
fix(docs): use correct name for code-server #2223 (@jsjoeio)
Helm Quickstart Update #2380 (@alexfornuto)
Installation Docs Restructuring #2406 (@alexfornuto)
symlink security policy to root of project #2396 (@desimone)
Transmission BitTorrent Client Guide #2281 (@alexfornuto)
Update Console installs to match signing_key #2432 (@alexfornuto)
Update installation source for mkcert #2340 (@alexfornuto)
Update kubernetes-dashboard.md #2285 (@WeeHong)
Update programmatic-access.md #2190 (@yyolk)
v0.15 release notes #2409 (@travisgroth)

Dependency

chore(deps): bump github.com/caddyserver/certmagic from 0.13.0 to 0.13.1 #2188 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.13.1 to 0.14.0 #2291 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.14.0 to 0.14.1 #2352 (@dependabot[bot])
chore(deps): bump github.com/cenkalti/backoff/v4 from 4.1.0 to 4.1.1 #2252 (@dependabot[bot])
chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.0-rc.1 to 3.0.0 #2421 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.10.0 to 8.11.0 #2329 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.11.0 to 8.11.1 #2413 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.8.2 to 8.8.3 #2232 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.8.3 to 8.9.0 #2249 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.9.0 to 8.10.0 #2276 (@dependabot[bot])
chore(deps): bump github.com/golang/mock from 1.5.0 to 1.6.0 #2290 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.40.1 to 1.41.1 #2353 (@dependabot[bot])
chore(deps): bump github.com/google/go-cmp from 0.5.5 to 0.5.6 #2253 (@dependabot[bot])
chore(deps): bump github.com/google/uuid from 1.2.0 to 1.3.0 #2374 (@dependabot[bot])
chore(deps): bump github.com/lithammer/shortuuid/v3 from 3.0.6 to 3.0.7 #2211 (@dependabot[bot])
chore(deps): bump github.com/mitchellh/hashstructure/v2 from 2.0.1 to 2.0.2 #2251 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.28.0 to 0.29.4 #2255 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.29.4 to 0.30.1 #2323 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.30.1 to 0.30.2 #2373 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.30.2 to 0.31.0 #2416 (@dependabot[bot])
chore(deps): bump github.com/ory/dockertest/v3 from 3.6.5 to 3.7.0 #2303 (@dependabot[bot])
chore(deps): bump github.com/prometheus/client_golang from 1.10.0 to 1.11.0 #2294 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.23.0 to 0.24.0 #2210 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.24.0 to 0.25.0 #2234 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.25.0 to 0.29.0 #2289 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.29.0 to 0.30.0 #2417 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.6.0 to 0.7.0 #2328 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.7.0 to 0.7.1 #2395 (@dependabot[bot])
chore(deps): bump github.com/rs/cors from 1.7.0 to 1.8.0 #2334 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.21.0 to 1.22.0 #2209 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.22.0 to 1.23.0 #2293 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.4 to 3.21.5 #2274 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.5 to 3.21.6 #2326 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.6 to 3.21.7 #2414 (@dependabot[bot])
chore(deps): bump github.com/spf13/cobra from 1.1.3 to 1.2.1 #2330 (@dependabot[bot])
chore(deps): bump github.com/spf13/viper from 1.7.1 to 1.8.0 #2305 (@dependabot[bot])
chore(deps): bump github.com/spf13/viper from 1.8.0 to 1.8.1 #2317 (@dependabot[bot])
chore(deps): bump go.uber.org/zap from 1.16.0 to 1.17.0 #2254 (@dependabot[bot])
chore(deps): bump go.uber.org/zap from 1.17.0 to 1.18.1 #2325 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.45.0 to 0.46.0 #2186 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.46.0 to 0.47.0 #2233 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.47.0 to 0.48.0 #2295 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.48.0 to 0.49.0 #2315 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.49.0 to 0.50.0 #2333 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.50.0 to 0.51.0 #2394 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.51.0 to 0.52.0 #2415 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.37.0 to 1.37.1 #2207 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.37.1 to 1.38.0 #2231 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.38.0 to 1.39.0 #2324 (@dependabot[bot])
chore(deps): bump google.golang.org/protobuf from 1.26.0 to 1.27.0 #2318 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.15.0 to 5.16.0 #2187 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.16.0 to 5.17.0 #2208 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.17.0 to 5.18.0 #2292 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.18.0 to 5.19.1 #2304 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.19.1 to 5.19.2 #2422 (@dependabot[bot])
chore(deps): bump gopkg.in/square/go-jose.v2 from 2.5.1 to 2.6.0 #2273 (@dependabot[bot])
chore(deps): upgrade kind action to v1.2.0 #2331 (@travisgroth)
ci: convert to FOSSA scan #2371 (@travisgroth)
darwin: use x86 envoy build for arm64 #2246 (@calebdoxsey)
dependency: update /x/net #2227 (@desimone)
deps: upgrade to go-jose v3 #2284 (@calebdoxsey)

Changed

build: add envoy files to make clean #2411 (@travisgroth)
ci: add coveralls #2279 (@travisgroth)
ci: use github app for backport credentials #2369 (@travisgroth)
databroker: tests #2367 (@calebdoxsey)
envoy: bump to 1.19 #2392 (@travisgroth)
internal/envoy: add debugging information if envoy is no longer running #2320 (@travisgroth)
redis: increase timeout on test #2425 (@calebdoxsey)
redis: refactor change signal test to be more deterministic #2335 (@calebdoxsey)
storage/inmemory: add tests for close behavior #2336 (@calebdoxsey)

v0.14.7 (2021-06-24)

Full Changelog

Fixed

directory/azure: add paging support to user group members call #2312 (@github-actions[bot])

v0.14.6 (2021-06-16)

Full Changelog

Fixed

authorize: only redirect for HTML pages (#2264) #2298 (@calebdoxsey)

v0.14.5 (2021-06-07)

Full Changelog

Fixed

envoy: fix usage of codec_type with alpn #2278 (@github-actions[bot])
authorize: round JWT claim timestamps #2260 (@wasaga)

Documentation

docs: update helm values for chart v20.0.0 #2244 (@github-actions[bot])
docs: update _redirects #2238 (@github-actions[bot])

v0.14.4 (2021-05-24)

Full Changelog

Fixed

authorize: add rego functions to custom evaluator #2236 (@calebdoxsey)

v0.14.3 (2021-05-21)

Full Changelog

Fixed

authorize: fix custom rego panic #2226 (@calebdoxsey)

Changed

envoy: add global response headers to local replies #2225 (@github-actions[bot])

v0.14.2 (2021-05-17)

Full Changelog

Fixed

Revert "authenticate,proxy: add same site lax to cookies" #2204 (@github-actions[bot])

Documentation

Update programmatic-access.md #2205 (@github-actions[bot])

v0.14.1 (2021-05-13)

Full Changelog

Fixed

proxy / controplane: use old upstream cipher suite #2197 (@github-actions[bot])

Security

deps: bump envoy to v1.17.3 #2199 (@github-actions[bot])

Documentation

docs: update slack link to vanity url #2178 (@github-actions[bot])

v0.14.0 (2021-05-04)

Full Changelog

New

assets: use embed instead of statik #1960 (@calebdoxsey)
authenticate,proxy: add same site lax to cookies #2159 (@calebdoxsey)
authenticate: fix default sign out url #2061 (@calebdoxsey)
authenticate: validate origin of signout #1876 (@desimone)
authorize: add databroker server and record version to result, force sync via polling #2024 (@calebdoxsey)
authorize: additional tracing, add benchmark for encryptor #2059 (@calebdoxsey)
authorize: audit log had duplicate "message" key #2141 (@desimone)
authorize: audit logging #2050 (@calebdoxsey)
authorize: bypass data in rego for databroker data #2041 (@calebdoxsey)
authorize: fix empty sub policy arrays #2119 (@calebdoxsey)
authorize: fix unsigned URL #2118 (@calebdoxsey)
authorize: move headers and jwt signing to rego #1856 (@calebdoxsey)
authorize: refactor store locking #2151 (@calebdoxsey)
authorize: set JWT to expire after 5 minutes #1980 (@calebdoxsey)
authorize: support arbitrary jwt claims #2102 (@calebdoxsey)
authorize: support arbitrary jwt claims #2106 (@github-actions[bot])
autocert: add metrics for renewal count, total and next expiration #2019 (@calebdoxsey)
autocert: remove non-determinism #1932 (@calebdoxsey)
change require_proxy_protocol to use_proxy_protocol #2043 (@contrun)
ci: pin goreleaser version #1900 (@travisgroth)
cmd/pomerium: exit 0 for normal shutdown #1958 (@travisgroth)
config: add CertificateFiles to FileWatcherSource list #1878 (@travisgroth)
config: add client_crl #2157 (@calebdoxsey)
config: add headers to config proto #1996 (@calebdoxsey)
config: add metrics_basic_auth option #1917 (@calebdoxsey)
config: add rewrite_response_headers option #1961 (@calebdoxsey)
config: add rewrite_response_headers to protobuf #1962 (@calebdoxsey)
config: add support for codec_type #2156 (@calebdoxsey)
config: add support for set_response_headers in a policy #2171 (@calebdoxsey)
config: allow customization of envoy boostrap admin options #1872 (@calebdoxsey)
config: don't change address value on databroker or authorize #2092 (@travisgroth)
config: fix redirect routes from protobuf #1930 (@travisgroth)
config: log config source changes #1959 (@calebdoxsey)
config: multiple endpoints for authorize and databroker #1957 (@calebdoxsey)
config: remove validate side effects #2109 (@calebdoxsey)
config: rename headers to set_response_headers #2081 (@calebdoxsey)
config: support map of jwt claim headers #1906 (@calebdoxsey)
config: use getters for authenticate, signout and forward auth urls #2000 (@calebdoxsey)
config: use getters for certificates #2001 (@calebdoxsey)
config: use tls_custom_ca from policy when available #2077 (@calebdoxsey)
control plane: add request id to all error pages #2149 (@desimone)
controlplane: add global headers to virtualhost #1861 (@desimone)
controlplane: save configuration events to databroker #2153 (@calebdoxsey)
crypto: use actual bytes of shared secret, not the base64 encoded representation #2075 (@calebdoxsey)
cryptutil: add envelope encryption w/key encryption key and data encryption key #2020 (@calebdoxsey)
cryptutil: always use kek public id, add x509 support #2066 (@calebdoxsey)
cryptutil: use bytes for hmac #2067 (@calebdoxsey)
databroker: add options for maximum capacity #2095 (@calebdoxsey)
databroker: refactor databroker to sync all changes #1879 (@calebdoxsey)
databroker: remove unused installation id, close streams when backend is closed #2062 (@calebdoxsey)
databroker: return server version in Get #2039 (@wasaga)
databroker: store issued at timestamp with session #2173 (@calebdoxsey)
databroker: store server version in backend #2142 (@calebdoxsey)
deployment: update alpine debug image dependencies #2154 (@travisgroth)
Drop tun.cfg.dstHost from jwtCacheKey #2115 (@bl0m1)
envoy: re-implement recommended defaults #2123 (@calebdoxsey)
envoy: refactor controlplane xds to new envoyconfig package #2086 (@calebdoxsey)
envoy: upgrade to v1.17.1 #1993 (@calebdoxsey)
envoy: validate binary checksum #1908 (@calebdoxsey)
envoyconfig: fix metrics ingress listener name #2124 (@calebdoxsey)
envoyconfig: move most bootstrap config to shared package #2088 (@calebdoxsey)
Fix process cpu usage metric #1979 (@wasaga)
fix registry test #1911 (@wasaga)
google: fix default provider URL #1928 (@calebdoxsey)
httputil: fix SPDY support with reverse proxy #2134 (@calebdoxsey)
identity: infer email from mail claim #1977 (@calebdoxsey)
identity: record metric for last refresh #1936 (@calebdoxsey)
let pass custom dial opts #2144 (@wasaga)
log context #2107 (@wasaga)
metrics_address should be optional parameter #2087 (@wasaga)
metrics: add TLS options #1939 (@calebdoxsey)
middleware: basic auth equalize lengths of input #1934 (@desimone)
onelogin: fix default scopes for v2 #1896 (@calebdoxsey)
options: header only applies to routes and authN #1862 (@desimone)
ping: identity and directory providers #1975 (@calebdoxsey)
propagate changes back from encrypted backend #2079 (@wasaga)
protoutil: add generic transformer #2023 (@calebdoxsey)
proxy: add nil check for fix-misdirected #2040 (@calebdoxsey)
proxy: implement pass-through for authenticate backend #1870 (@calebdoxsey)
proxy: redirect to dashboard for logout #1944 (@calebdoxsey)
redis: add redis cluster support #1992 (@calebdoxsey)
redis: add support for redis-sentinel #1991 (@calebdoxsey)
redis: fix deletion versioning #1871 (@calebdoxsey)
Remove internal/protoutil. #1893 (@yegle)
support host:port in metrics_address #2042 (@wasaga)
telemetry: add installation id #2017 (@calebdoxsey)
telemetry: add process collector for envoy #1948 (@calebdoxsey)
unique envoy cluster ids #1858 (@wasaga)
use build_info as liveness gauge metric #1940 (@wasaga)
xds extended event #2158 (@wasaga)
xds: fix misdirected script #1895 (@calebdoxsey)
xds: use ALPN Auto config for upstream protocol when possible #1995 (@calebdoxsey)
xdsmgr: update resource versions on NACK #2093 (@calebdoxsey)

Security

authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out #2048 (@travisgroth)
ci: remove codecov #2161 (@travisgroth)
deps: bump envoy to 1.17.2 #2113 (@travisgroth)
deps: bump envoy to 1.17.2 #2114 (@github-actions[bot])
internal/envoy: always extract envoy #2160 (@travisgroth)
proxy: restrict programmatic URLs to localhost #2049 (@travisgroth)

Documentation

docs: add breaking sa changes in v0.13 #1919 (@desimone)
docs: add info note to set_response_headers #2162 (@calebdoxsey)
docs: add inline instructions to generate signing-key #2164 (@desimone)
docs: add JWT Verification w/Envoy guide #1974 (@calebdoxsey)
docs: add load balancing weight documentation #1883 (@travisgroth)
docs: add threat model to security page #2097 (@desimone)
docs: add v0.13 to docs site menu #1913 (@travisgroth)
docs: additional load balancing documentation #1875 (@travisgroth)
docs: fix query param name #1920 (@calebdoxsey)
docs: mention alternative bearer token header format #2155 (@travisgroth)
docs: misc upgrade notes and changelog #1884 (@travisgroth)
docs: update changelog for v0.13.0 #1909 (@desimone)
docs: update community slack link #2063 (@travisgroth)
docs: update security policy #1897 (@desimone)
docs: upgrade notes on allowed\_users by ID #2133 (@travisgroth)
ping: add documentation #1976 (@calebdoxsey)
Update data-storage.md #1941 (@TanguyPatte)
Update local-oidc.md #1994 (@dharmendrakariya)

Dependency

chore(deps): bump github.com/caddyserver/certmagic from 0.12.0 to 0.13.0 #2074 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.5.1 to 0.6.0 #2129 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.0 to 0.6.1 #2166 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.8.0 to 8.8.2 #2099 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.27.1 to 0.28.0 #2165 (@dependabot[bot])
chore(deps): bump github.com/ory/dockertest/v3 from 3.6.3 to 3.6.5 #2168 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.20.0 to 0.21.0 #2130 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.21.0 to 0.23.0 #2167 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.43.0 to 0.44.0 #2073 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.44.0 to 0.45.0 #2128 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.36.1 to 1.37.0 #2072 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.13.0 to 5.14.1 #2071 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.14.1 to 5.15.0 #2098 (@dependabot[bot])
chore(deps): update codecov/codecov-action action to v1.3.1 #1985 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to 0101308 #1863 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to 6667018 #1886 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to bba0dbe #1864 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to e7f2df4 #1887 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.5.0 #1865 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.5.1 #1888 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.6.1 #1951 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.6.2 #2007 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.6.3 #2031 (@renovate[bot])
chore(deps): update module auth0 to v5 #1868 (@renovate[bot])
chore(deps): update module go-redis/redis/v8 to v8.5.0 #1866 (@renovate[bot])
chore(deps): update module google.golang.org/api to v0.39.0 #1867 (@renovate[bot])
chore(deps): update module google.golang.org/api to v0.40.0 #1889 (@renovate[bot])
chore(deps): update module spf13/cobra to v1.1.3 #1890 (@renovate[bot])
chore(deps): update vuepress monorepo to v1.8.1 #1891 (@renovate[bot])
chore(deps): update vuepress monorepo to v1.8.2 #1952 (@renovate[bot])
chore(deps): update yaml v2 to v3 #1927 (@desimone)
deps: bundle all patch upgrades in a single group #2016 (@travisgroth)
deps: switch from renovate to dependabot #2069 (@travisgroth)
do not require project be in GOPATH/src #2078 (@wasaga)
fix(deps): update github.com/nsf/jsondiff commit hash to 6ea3239 #1965 (@renovate[bot])
fix(deps): update golang.org/x/crypto commit hash to 0c34fe9 #2027 (@renovate[bot])
fix(deps): update golang.org/x/crypto commit hash to 513c2a4 #1982 (@renovate[bot])
fix(deps): update golang.org/x/net commit hash to 0fccb6f #2052 (@renovate[bot])
fix(deps): update golang.org/x/net commit hash to 61e0566 #2028 (@renovate[bot])
fix(deps): update golang.org/x/net commit hash to d523dce #2005 (@renovate[bot])
fix(deps): update golang.org/x/net commit hash to e18ecbb #1949 (@renovate[bot])
fix(deps): update golang.org/x/oauth2 commit hash to 22b0ada #2029 (@renovate[bot])
fix(deps): update golang.org/x/oauth2 commit hash to 2e8d934 #2053 (@renovate[bot])
fix(deps): update golang.org/x/oauth2 commit hash to cd4f82c #1983 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to 5f0e893 #2006 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to 679c6ae #2030 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to 6c239bb #2054 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to 8812039 #1984 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to 9728d6b #1966 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to ab064af #1950 (@renovate[bot])
fix(deps): update module contrib.go.opencensus.io/exporter/prometheus to v0.3.0 #1986 (@renovate[bot])
fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.0 #2008 (@renovate[bot])
fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.1 #2056 (@renovate[bot])
fix(deps): update module github.com/go-chi/chi to v5 #1956 (@renovate[bot])
fix(deps): update module github.com/go-redis/redis/v8 to v8.7.1 #1967 (@renovate[bot])
fix(deps): update module github.com/go-redis/redis/v8 to v8.8.0 #2032 (@renovate[bot])
fix(deps): update module github.com/golang/protobuf to v1.5.1 #2009 (@renovate[bot])
fix(deps): update module github.com/golang/protobuf to v1.5.2 #2057 (@renovate[bot])
fix(deps): update module github.com/google/btree to v1.0.1 #2010 (@renovate[bot])
fix(deps): update module github.com/google/go-cmp to v0.5.5 #1968 (@renovate[bot])
fix(deps): update module github.com/hashicorp/go-multierror to v1.1.1 #1987 (@renovate[bot])
fix(deps): update module github.com/lithammer/shortuuid/v3 to v3.0.6 #1953 (@renovate[bot])
fix(deps): update module github.com/open-policy-agent/opa to v0.27.1 #1988 (@renovate[bot])
fix(deps): update module github.com/prometheus/client_golang to v1.10.0 #2011 (@renovate[bot])
fix(deps): update module github.com/prometheus/common to v0.20.0 #2033 (@renovate[bot])
fix(deps): update module github.com/prometheus/procfs to v0.6.0 #1969 (@renovate[bot])
fix(deps): update module github.com/rs/zerolog to v1.21.0 #2034 (@renovate[bot])
fix(deps): update module go.opencensus.io to v0.23.0 #1954 (@renovate[bot])
fix(deps): update module google.golang.org/api to v0.42.0 #1989 (@renovate[bot])
fix(deps): update module google.golang.org/api to v0.43.0 #2035 (@renovate[bot])
fix(deps): update module google.golang.org/grpc to v1.36.0 #1955 (@renovate[bot])
fix(deps): update module google.golang.org/grpc to v1.36.1 #2036 (@renovate[bot])
fix(deps): update module google.golang.org/protobuf to v1.26.0 #2012 (@renovate[bot])
fix(deps): update module gopkg.in/auth0.v5 to v5.13.0 #2037 (@renovate[bot])
skip REDIS cluster test if GOOS != linux #2045 (@wasaga)
use cached envoy #2132 (@wasaga)

Deployment

ci: cache build and test binaries #1938 (@desimone)
ci: go 1.16.x, cached tests #1937 (@desimone)
deployment: Publish OS packages to cloudsmith #2105 (@travisgroth)
deployment: Publish OS packages to cloudsmith #2108 (@github-actions[bot])
deployment: update get-envoy script and release hooks #2111 (@travisgroth)
deployment: update get-envoy script and release hooks #2112 (@github-actions[bot])

Changed

Add xff\_num\_trusted\_hops config option #2003 (@ntoofu)
add default gitlab url #2044 (@contrun)
authorize: remove log #2122 (@calebdoxsey)
ci: deploy latest release to test environment #1916 (@travisgroth)
ci: deploy master to integration environments #1973 (@travisgroth)
config related metrics #2065 (@wasaga)
config: expose viper policy hooks #1947 (@calebdoxsey)
controlplane: maybe fix flaky test #1873 (@calebdoxsey)
envoy: restrict permissions on embedded envoy binary #1999 (@calebdoxsey)
in-memory service registry #1892 (@wasaga)
logs: strip query string #1894 (@calebdoxsey)
oidc: use groups claim from ID token if present #1970 (@bonifaido)
proxy: support re-proxying request through control plane for kubernetes #2051 (@calebdoxsey)
remove generated code from code coverage metrics #1857 (@travisgroth)
Updating Doc for Pomerium-Dex Exercise #2018 (@dharmendrakariya)

v0.14.0-rc2 (2021-04-29)

Full Changelog

New

config: remove validate side effects #2109 (@calebdoxsey)
control plane: add request id to all error pages #2149 (@desimone)
controlplane: save configuration events to databroker #2153 (@calebdoxsey)
databroker: add options for maximum capacity #2095 (@calebdoxsey)
Drop tun.cfg.dstHost from jwtCacheKey #2115 (@bl0m1)
envoy: re-implement recommended defaults #2123 (@calebdoxsey)
let pass custom dial opts #2144 (@wasaga)
log context #2107 (@wasaga)

Fixed

deployment: update alpine debug image dependencies #2154 (@travisgroth)
authorize: refactor store locking #2151 (@calebdoxsey)
databroker: store server version in backend #2142 (@calebdoxsey)
authorize: audit log had duplicate "message" key #2141 (@desimone)
httputil: fix SPDY support with reverse proxy #2134 (@calebdoxsey)
envoyconfig: fix metrics ingress listener name #2124 (@calebdoxsey)
authorize: fix empty sub policy arrays #2119 (@calebdoxsey)
authorize: fix unsigned URL #2118 (@calebdoxsey)
authorize: support arbitrary jwt claims #2102 (@calebdoxsey)

Security

deps: bump envoy to 1.17.2 #2113 (@travisgroth)

Documentation

docs: mention alternative bearer token header format #2155 (@travisgroth)
docs: upgrade notes on allowed\_users by ID #2133 (@travisgroth)

Dependency

use cached envoy #2132 (@wasaga)
chore(deps): bump github.com/prometheus/common from 0.20.0 to 0.21.0 #2130 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.5.1 to 0.6.0 #2129 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.44.0 to 0.45.0 #2128 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.12.0 to 0.13.0 #2074 (@dependabot[bot])

Deployment

deployment: update get-envoy script and release hooks #2111 (@travisgroth)
deployment: Publish OS packages to cloudsmith #2105 (@travisgroth)

Changed

authorize: remove log #2122 (@calebdoxsey)

v0.14.0-rc1 (2021-04-22)

Full Changelog

Breaking

directory: remove provider from user id #2068 (@calebdoxsey)

New

assets: use embed instead of statik #1960 (@calebdoxsey)
authorize: add databroker server and record version to result, force sync via polling #2024 (@calebdoxsey)
authorize: additional tracing, add benchmark for encryptor #2059 (@calebdoxsey)
authorize: audit logging #2050 (@calebdoxsey)
authorize: move headers and jwt signing to rego #1856 (@calebdoxsey)
authorize: set JWT to expire after 5 minutes #1980 (@calebdoxsey)
autocert: add metrics for renewal count, total and next expiration #2019 (@calebdoxsey)
autocert: remove non-determinism #1932 (@calebdoxsey)
config: add CertificateFiles to FileWatcherSource list #1878 (@travisgroth)
config: add metrics_basic_auth option #1917 (@calebdoxsey)
config: add rewrite_response_headers option #1961 (@calebdoxsey)
config: add rewrite_response_headers to protobuf #1962 (@calebdoxsey)
config: allow customization of envoy boostrap admin options #1872 (@calebdoxsey)
config: log config source changes #1959 (@calebdoxsey)
config: multiple endpoints for authorize and databroker #1957 (@calebdoxsey)
config: rename headers to set_response_headers #2081 (@calebdoxsey)
config: support map of jwt claim headers #1906 (@calebdoxsey)
config: use getters for authenticate, signout and forward auth urls #2000 (@calebdoxsey)
config: use getters for certificates #2001 (@calebdoxsey)
crypto: use actual bytes of shared secret, not the base64 encoded representation #2075 (@calebdoxsey)
cryptutil: add envelope encryption w/key encryption key and data encryption key #2020 (@calebdoxsey)
cryptutil: always use kek public id, add x509 support #2066 (@calebdoxsey)
cryptutil: use bytes for hmac #2067 (@calebdoxsey)
databroker: refactor databroker to sync all changes #1879 (@calebdoxsey)
databroker: return server version in Get #2039 (@wasaga)
envoy: refactor controlplane xds to new envoyconfig package #2086 (@calebdoxsey)
envoy: upgrade to v1.17.1 #1993 (@calebdoxsey)
envoy: validate binary checksum #1908 (@calebdoxsey)
envoyconfig: move most bootstrap config to shared package #2088 (@calebdoxsey)
identity: infer email from mail claim #1977 (@calebdoxsey)
identity: record metric for last refresh #1936 (@calebdoxsey)
metrics: add TLS options #1939 (@calebdoxsey)
middleware: basic auth equalize lengths of input #1934 (@desimone)
ping: identity and directory providers #1975 (@calebdoxsey)
protoutil: add generic transformer #2023 (@calebdoxsey)
proxy: implement pass-through for authenticate backend #1870 (@calebdoxsey)
redis: add redis cluster support #1992 (@calebdoxsey)
redis: add support for redis-sentinel #1991 (@calebdoxsey)
Remove internal/protoutil. #1893 (@yegle)
support host:port in metrics_address #2042 (@wasaga)
telemetry: add installation id #2017 (@calebdoxsey)
telemetry: add process collector for envoy #1948 (@calebdoxsey)
use build_info as liveness gauge metric #1940 (@wasaga)
xds: use ALPN Auto config for upstream protocol when possible #1995 (@calebdoxsey)

Fixed

authenticate: fix default sign out url #2061 (@calebdoxsey)
authenticate: validate origin of signout #1876 (@desimone)
authorize: bypass data in rego for databroker data #2041 (@calebdoxsey)
authorize: support arbitrary jwt claims #2106 (@github-actions[bot])
change require_proxy_protocol to use_proxy_protocol #2043 (@contrun)
ci: pin goreleaser version #1900 (@travisgroth)
cmd/pomerium: exit 0 for normal shutdown #1958 (@travisgroth)
config: add headers to config proto #1996 (@calebdoxsey)
config: don't change address value on databroker or authorize #2092 (@travisgroth)
config: fix redirect routes from protobuf #1930 (@travisgroth)
config: use tls_custom_ca from policy when available #2077 (@calebdoxsey)
controlplane: add global headers to virtualhost #1861 (@desimone)
databroker: remove unused installation id, close streams when backend is closed #2062 (@calebdoxsey)
Fix process cpu usage metric #1979 (@wasaga)
fix registry test #1911 (@wasaga)
google: fix default provider URL #1928 (@calebdoxsey)
metrics_address should be optional parameter #2087 (@wasaga)
onelogin: fix default scopes for v2 #1896 (@calebdoxsey)
options: header only applies to routes and authN #1862 (@desimone)
propagate changes back from encrypted backend #2079 (@wasaga)
proxy: add nil check for fix-misdirected #2040 (@calebdoxsey)
proxy: redirect to dashboard for logout #1944 (@calebdoxsey)
redis: fix deletion versioning #1871 (@calebdoxsey)
unique envoy cluster ids #1858 (@wasaga)
xds: fix misdirected script #1895 (@calebdoxsey)
xdsmgr: update resource versions on NACK #2093 (@calebdoxsey)

Security

authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out #2048 (@travisgroth)
deps: bump envoy to 1.17.2 #2114 (@github-actions[bot])
proxy: restrict programmatic URLs to localhost #2049 (@travisgroth)

Documentation

docs: add breaking sa changes in v0.13 #1919 (@desimone)
docs: add JWT Verification w/Envoy guide #1974 (@calebdoxsey)
docs: add load balancing weight documentation #1883 (@travisgroth)
docs: add threat model to security page #2097 (@desimone)
docs: add v0.13 to docs site menu #1913 (@travisgroth)
docs: additional load balancing documentation #1875 (@travisgroth)
docs: fix query param name #1920 (@calebdoxsey)
docs: misc upgrade notes and changelog #1884 (@travisgroth)
docs: update changelog for v0.13.0 #1909 (@desimone)
docs: update community slack link #2063 (@travisgroth)
docs: update security policy #1897 (@desimone)
ping: add documentation #1976 (@calebdoxsey)
Update data-storage.md #1941 (@TanguyPatte)
Update local-oidc.md #1994 (@dharmendrakariya)

Dependency

chore(deps): bump github.com/go-redis/redis/v8 from 8.8.0 to 8.8.2 #2099 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.43.0 to 0.44.0 #2073 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.36.1 to 1.37.0 #2072 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.13.0 to 5.14.1 #2071 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.14.1 to 5.15.0 #2098 (@dependabot[bot])
chore(deps): update codecov/codecov-action action to v1.3.1 #1985 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to 0101308 #1863 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to 6667018 #1886 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to bba0dbe #1864 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to e7f2df4 #1887 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.5.0 #1865 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.5.1 #1888 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.6.1 #1951 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.6.2 #2007 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.6.3 #2031 (@renovate[bot])
chore(deps): update module auth0 to v5 #1868 (@renovate[bot])
chore(deps): update module go-redis/redis/v8 to v8.5.0 #1866 (@renovate[bot])
chore(deps): update module google.golang.org/api to v0.39.0 #1867 (@renovate[bot])
chore(deps): update module google.golang.org/api to v0.40.0 #1889 (@renovate[bot])
chore(deps): update module spf13/cobra to v1.1.3 #1890 (@renovate[bot])
chore(deps): update vuepress monorepo to v1.8.1 #1891 (@renovate[bot])
chore(deps): update vuepress monorepo to v1.8.2 #1952 (@renovate[bot])
chore(deps): update yaml v2 to v3 #1927 (@desimone)
deps: bundle all patch upgrades in a single group #2016 (@travisgroth)
deps: switch from renovate to dependabot #2069 (@travisgroth)
do not require project be in GOPATH/src #2078 (@wasaga)
fix(deps): update github.com/nsf/jsondiff commit hash to 6ea3239 #1965 (@renovate[bot])
fix(deps): update golang.org/x/crypto commit hash to 0c34fe9 #2027 (@renovate[bot])
fix(deps): update golang.org/x/crypto commit hash to 513c2a4 #1982 (@renovate[bot])
fix(deps): update golang.org/x/net commit hash to 0fccb6f #2052 (@renovate[bot])
fix(deps): update golang.org/x/net commit hash to 61e0566 #2028 (@renovate[bot])
fix(deps): update golang.org/x/net commit hash to d523dce #2005 (@renovate[bot])
fix(deps): update golang.org/x/net commit hash to e18ecbb #1949 (@renovate[bot])
fix(deps): update golang.org/x/oauth2 commit hash to 22b0ada #2029 (@renovate[bot])
fix(deps): update golang.org/x/oauth2 commit hash to 2e8d934 #2053 (@renovate[bot])
fix(deps): update golang.org/x/oauth2 commit hash to cd4f82c #1983 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to 5f0e893 #2006 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to 679c6ae #2030 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to 6c239bb #2054 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to 8812039 #1984 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to 9728d6b #1966 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to ab064af #1950 (@renovate[bot])
fix(deps): update module contrib.go.opencensus.io/exporter/prometheus to v0.3.0 #1986 (@renovate[bot])
fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.0 #2008 (@renovate[bot])
fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.1 #2056 (@renovate[bot])
fix(deps): update module github.com/go-chi/chi to v5 #1956 (@renovate[bot])
fix(deps): update module github.com/go-redis/redis/v8 to v8.7.1 #1967 (@renovate[bot])
fix(deps): update module github.com/go-redis/redis/v8 to v8.8.0 #2032 (@renovate[bot])
fix(deps): update module github.com/golang/protobuf to v1.5.1 #2009 (@renovate[bot])
fix(deps): update module github.com/golang/protobuf to v1.5.2 #2057 (@renovate[bot])
fix(deps): update module github.com/google/btree to v1.0.1 #2010 (@renovate[bot])
fix(deps): update module github.com/google/go-cmp to v0.5.5 #1968 (@renovate[bot])
fix(deps): update module github.com/hashicorp/go-multierror to v1.1.1 #1987 (@renovate[bot])
fix(deps): update module github.com/lithammer/shortuuid/v3 to v3.0.6 #1953 (@renovate[bot])
fix(deps): update module github.com/open-policy-agent/opa to v0.27.1 #1988 (@renovate[bot])
fix(deps): update module github.com/prometheus/client_golang to v1.10.0 #2011 (@renovate[bot])
fix(deps): update module github.com/prometheus/common to v0.20.0 #2033 (@renovate[bot])
fix(deps): update module github.com/prometheus/procfs to v0.6.0 #1969 (@renovate[bot])
fix(deps): update module github.com/rs/zerolog to v1.21.0 #2034 (@renovate[bot])
fix(deps): update module go.opencensus.io to v0.23.0 #1954 (@renovate[bot])
fix(deps): update module google.golang.org/api to v0.42.0 #1989 (@renovate[bot])
fix(deps): update module google.golang.org/api to v0.43.0 #2035 (@renovate[bot])
fix(deps): update module google.golang.org/grpc to v1.36.0 #1955 (@renovate[bot])
fix(deps): update module google.golang.org/grpc to v1.36.1 #2036 (@renovate[bot])
fix(deps): update module google.golang.org/protobuf to v1.26.0 #2012 (@renovate[bot])
fix(deps): update module gopkg.in/auth0.v5 to v5.13.0 #2037 (@renovate[bot])
skip REDIS cluster test if GOOS != linux #2045 (@wasaga)

Deployment

ci: cache build and test binaries #1938 (@desimone)
ci: go 1.16.x, cached tests #1937 (@desimone)
deployment: Publish OS packages to cloudsmith #2108 (@github-actions[bot])
deployment: update get-envoy script and release hooks #2112 (@github-actions[bot])

Changed

Add xff\_num\_trusted\_hops config option #2003 (@ntoofu)
add default gitlab url #2044 (@contrun)
ci: deploy latest release to test environment #1916 (@travisgroth)
ci: deploy master to integration environments #1973 (@travisgroth)
config related metrics #2065 (@wasaga)
config: expose viper policy hooks #1947 (@calebdoxsey)
controlplane: maybe fix flaky test #1873 (@calebdoxsey)
envoy: restrict permissions on embedded envoy binary #1999 (@calebdoxsey)
in-memory service registry #1892 (@wasaga)
logs: strip query string #1894 (@calebdoxsey)
oidc: use groups claim from ID token if present #1970 (@bonifaido)
proxy: support re-proxying request through control plane for kubernetes #2051 (@calebdoxsey)
remove generated code from code coverage metrics #1857 (@travisgroth)
Updating Doc for Pomerium-Dex Exercise #2018 (@dharmendrakariya)

v0.13.6 (2021-04-17)

Full Changelog

Security

deps: upgrade envoy to 1.16.3 #2096 (@travisgroth)

Documentation

docs: update community slack link #2064 (@github-actions[bot])

v0.13.5 (2021-04-06)

Full Changelog

Fixed

change require_proxy_protocol to use_proxy_protocol #2058 (@github-actions[bot])

v0.13.4 (2021-03-31)

Full Changelog

Security

proxy: restrict programmatic URLs to localhost #2047 (@travisgroth)
authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out #2046 (@travisgroth)

v0.13.3 (2021-03-12)

Full Changelog

New

identity: infer email from mail claim #1978 (@github-actions[bot])

v0.13.2 (2021-02-25)

Full Changelog

Documentation

Update data-storage.md #1942 (@github-actions[bot])

Changed

proxy: redirect to dashboard for logout #1945 (@github-actions[bot])

v0.13.1 (2021-02-22)

Full Changelog

Fixed

config: fix redirect routes from protobuf #1931 (@github-actions[bot])
google: fix default provider URL #1929 (@github-actions[bot])

Documentation

docs: fix query param name #1923 (@github-actions[bot])
docs: add breaking sa changes in v0.13 #1921 (@github-actions[bot])
docs: add v0.13 to docs site menu #1914 (@github-actions[bot])

Changed

ci: deploy releases to test environment (#1916) #1918 (@travisgroth)

This Changelog was automatically generated by github_changelog_generator

v0.13.0 (2021-02-17)

Full Changelog

Breaking

authorize: remove admin #1833 (@calebdoxsey)
remove user impersonation and service account cli #1768 (@calebdoxsey)

New

authorize: allow access by user id #1850 (@calebdoxsey)
authorize: remove DataBrokerData input #1847 (@calebdoxsey)
opa: format rego files #1845 (@calebdoxsey)
policy: add new certificate-authority option for downstream mTLS client certificates #1835 (@calebdoxsey)
metrics: human readable cluster name #1834 (@wasaga)
upstream endpoints load balancer weights #1830 (@wasaga)
controlplane: only add listener virtual domains for addresses matching the current TLS domain #1823 (@calebdoxsey)
authenticate: delay evaluation of OIDC provider #1802 (@calebdoxsey)
config: require shared key if using redis backed databroker #1801 (@travisgroth)
upstream health check config #1796 (@wasaga)
new skip_xff_append option #1788 (@wasaga)
policy: add outlier_detection #1786 (@calebdoxsey)
reduce memory usage by handling http/2 coalescing via a lua script #1779 (@calebdoxsey)
add support for proxy protocol on HTTP listener #1777 (@calebdoxsey)
config: support redirect actions #1776 (@calebdoxsey)
config: detect underlying file changes #1775 (@calebdoxsey)
authenticate: update user info screens #1774 (@desimone)
jws: remove issuer #1754 (@calebdoxsey)

Fixed

redis: fix deletion versioning #1874 (@github-actions[bot])
rego: handle null #1853 (@calebdoxsey)
config: fix data race #1851 (@calebdoxsey)
deployment: set maintainer field in packages #1848 (@travisgroth)
xds: fix always requiring client certificates #1844 (@calebdoxsey)
fix go:generate for envoy config #1826 (@calebdoxsey)
controlplane: only enable STATIC dns when all adresses are IP addresses #1822 (@calebdoxsey)
config: fix databroker policies #1821 (@calebdoxsey)
config: fix hot-reloading #1820 (@calebdoxsey)
Revert "reduce memory usage by handling http/2 coalescing via a lua script" #1785 (@calebdoxsey)
google: fix nil name #1771 (@calebdoxsey)
autocert: improve logging #1767 (@travisgroth)

Documentation

github: add tag suggestion to checklist #1819 (@desimone)
docs: add reference to the go-sdk #1800 (@desimone)
updated host rewrite docs #1799 (@vihardesu)
docs: update menu for v0.12 #1755 (@travisgroth)
Update GitLab provider docs #1591 (@bradjones1)
Fix command in Kubernetes Quick start docs #1582 (@wesleyw72)

Dependency

chore(deps): update module go.opencensus.io to v0.22.6 #1842 (@renovate[bot])
chore(deps): update module go-redis/redis/v8 to v8.4.11 #1841 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 44e461b #1840 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to f9ce19e #1839 (@renovate[bot])
chore(deps): update module stretchr/testify to v1.7.0 #1816 (@renovate[bot])
chore(deps): update module open-policy-agent/opa to v0.26.0 #1815 (@renovate[bot])
chore(deps): update module mitchellh/mapstructure to v1.4.1 #1814 (@renovate[bot])
chore(deps): update module google/uuid to v1.2.0 #1813 (@renovate[bot])
chore(deps): update module google.golang.org/grpc to v1.35.0 #1812 (@renovate[bot])
chore(deps): update module go-redis/redis/v8 to v8.4.10 #1811 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.4.1 #1810 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 8081c04 #1809 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to d3ed898 #1808 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 5f4716e #1807 (@renovate[bot])
chore(deps): update oidc to v3 #1783 (@desimone)
chore(deps): update vuepress monorepo to v1.8.0 #1761 (@renovate[bot])
chore(deps): update module go-redis/redis/v8 to v8.4.8 #1760 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.3.1 #1759 (@renovate[bot])
chore(deps): update codecov/codecov-action action to v1.2.1 #1758 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to c7d5778 #1757 (@renovate[bot])
chore(deps): update module google.golang.org/api to v0.38.0 #1656 (@renovate[bot])

Deployment

ci: fix usage of env variable in latest tag #1791 (@travisgroth)
databroker: rename cache service #1790 (@calebdoxsey)
ci: fix deprecated command in latestTag step #1763 (@travisgroth)

Changed

docs: additional load balancing documentation #1882 (@github-actions[bot])
authenticate: validate origin of signout #1881 (@github-actions[bot])
config: add CertificateFiles to FileWatcherSource list #1880 (@github-actions[bot])
ci: enable backporting from forks #1854 (@travisgroth)
ci: fix version metadata in non-releases #1836 (@travisgroth)
protobuf: upgrade protoc to 3.14 #1832 (@calebdoxsey)
Update codeowners #1831 (@travisgroth)
config: return errors on invalid URLs, fix linting #1829 (@calebdoxsey)
grpc: use custom resolver #1828 (@calebdoxsey)
controlplane: return errors in xds build methods #1827 (@calebdoxsey)
include envoy's proto specs into config.proto #1817 (@wasaga)
expose all envoy cluster options in policy #1804 (@wasaga)
autocert: store certificates separately from config certificates #1794 (@calebdoxsey)
move file change detection before autocert #1793 (@calebdoxsey)
config: support multiple destination addresses #1789 (@calebdoxsey)
ci: license check action #1773 (@travisgroth)
authorize: move impersonation into session/service account #1765 (@calebdoxsey)

v0.12.2 (2021-02-02)

Full Changelog

Fixed

[Backport 0-12-0] deployment: set maintainer field in packages #1849 (@github-actions[bot])

Changed

[Backport 0-12-0] ci: fix usage of env variable in latest tag #1806 (@github-actions[bot])
[Backport 0-12-0] docs: add reference to the go-sdk #1803 (@github-actions[bot])

v0.12.1 (2021-01-13)

Full Changelog

Fixed

[Backport 0-12-0] google: fix nil name #1772 (@github-actions[bot])
[Backport 0-12-0] autocert: improve logging #1769 (@travisgroth)

Documentation

[Backport 0-12-0] docs: update menu for v0.12 #1762 (@github-actions[bot])

Deployment

[Backport 0-12-0] ci: fix deprecated command in latestTag step #1764 (@github-actions[bot])

v0.12.0 (2021-01-07)

Full Changelog

New

tcp: prevent idle stream timeouts for TCP and Websocket routes #1744 (@calebdoxsey)
telemetry: add support for datadog tracing #1743 (@calebdoxsey)
use incremental API for envoy xDS #1732 (@calebdoxsey)
cli: add version command #1726 (@desimone)
add TLS flags for TCP tunnel #1725 (@calebdoxsey)
k8s cmd: use authclient package #1722 (@calebdoxsey)
internal/controlplane: 0s default timeout for tcp routes #1716 (@travisgroth)
use impersonate groups if impersonate email is set #1701 (@calebdoxsey)
unimpersonate button #1700 (@calebdoxsey)
TCP client command #1696 (@calebdoxsey)
add support for TCP routes #1695 (@calebdoxsey)
internal/directory: use gitlab provider url option #1689 (@nghnam)
improve ca cert error message, use GetCertPool for databroker storage #1666 (@calebdoxsey)
implement new redis storage backend with go-redis package #1649 (@calebdoxsey)
authenticate: oidc frontchannel-logout endpoint #1586 (@pflipp)

Fixed

remove :443 or :80 from proxy URLs in authclient #1733 (@calebdoxsey)
tcptunnel: handle invalid http response codes #1727 (@calebdoxsey)
update azure docs #1723 (@calebdoxsey)
config: fix ignored yaml fields #1698 (@travisgroth)
fix concurrency race #1675 (@calebdoxsey)
don't create users when updating sessions #1671 (@calebdoxsey)

Documentation

update google docs #1738 (@calebdoxsey)
docs: add TCP guide #1714 (@travisgroth)
docs: tcp support #1712 (@travisgroth)
docs: replace httpbin with verify #1702 (@desimone)
docs: fix nginx config #1691 (@desimone)
remove "see policy" phrase in settings docs #1668 (@calebdoxsey)
docs: add allowed_idp_claims docs #1665 (@travisgroth)
docs: add v0.11 link to version menu #1663 (@travisgroth)

Dependency

chore(deps): update module google/uuid to v1.1.4 #1729 (@renovate[bot])
dev: update linter #1728 (@desimone)
chore(deps): update codecov/codecov-action action to v1.1.1 #1720 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 6772e93 #1719 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to eec23a3 #1718 (@renovate[bot])
chore(deps): update precommit hook pre-commit/pre-commit-hooks to v3.4.0 #1710 (@renovate[bot])
chore(deps): update module prometheus/client_golang to v1.9.0 #1709 (@renovate[bot])
chore(deps): update module ory/dockertest/v3 to v3.6.3 #1708 (@renovate[bot])
chore(deps): update module go-redis/redis/v8 to v8.4.4 #1707 (@renovate[bot])
chore(deps): update codecov/codecov-action action to v1.1.0 #1706 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 8c77b98 #1705 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 986b41b #1704 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to 9d13527 #1703 (@renovate[bot])
chore(deps): update module open-policy-agent/opa to v0.25.2 #1685 (@renovate[bot])
chore(deps): update module go-redis/redis/v8 to v8.4.2 #1684 (@renovate[bot])
chore(deps): update module envoyproxy/go-control-plane to v0.9.8 #1683 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 40ec1c2 #1682 (@renovate[bot])
chore(deps): update golang.org/x/sync commit hash to 09787c9 #1681 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to 08078c5 #1680 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to ac852fb #1679 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to 5f87f34 #1678 (@renovate[bot])

Deployment

ci: upgrade yq syntax for v4 #1745 (@travisgroth)
deployment: Fix docker and rpm workflows #1687 (@travisgroth)
ci: fix pomerium-cli rpm name #1661 (@travisgroth)

Changed

ci: fix typo in yq image #1746 (@travisgroth)
fix coverage #1741 (@calebdoxsey)
fix error wrapping #1737 (@calebdoxsey)
Revert "set recommended defaults" #1735 (@calebdoxsey)
set recommended defaults #1734 (@calebdoxsey)
internal/telemetry/metrics: update redis metrics for go-redis #1694 (@travisgroth)

v0.11.1 (2020-12-11)

Full Changelog

Fixed

[Backport 0-11-0] fix concurrency race #1676 (@github-actions[bot])
[Backport 0-11-0] don't create users when updating sessions #1672 (@github-actions[bot])

Documentation

[Backport 0-11-0] remove "see policy" phrase in settings docs #1669 (@github-actions[bot])
[Backport 0-11-0] docs: add allowed_idp_claims docs #1667 (@github-actions[bot])
[Backport 0-11-0] docs: add v0.11 link to version menu #1664 (@github-actions[bot])

Deployment

[Backport 0-11-0] ci: fix pomerium-cli rpm name #1662 (@travisgroth)

v0.11.0 (2020-12-04)

Full Changelog

Breaking

remove deprecated cache_service_url config option #1614 (@calebdoxsey)
add flag to enable user impersonation #1514 (@calebdoxsey)

New

microsoft: add support for common endpoint #1648 (@desimone)
use the directory email when provided for the jwt #1647 (@calebdoxsey)
fix profile image on dashboard #1637 (@calebdoxsey)
wait for initial sync to complete before starting control plane #1636 (@calebdoxsey)
authorize: add signature algo support (RSA / EdDSA) #1631 (@desimone)
replace GetAllPages with InitialSync, improve merge performance #1624 (@calebdoxsey)
cryptutil: more explicit decryption error #1607 (@desimone)
add paging support to GetAll #1601 (@calebdoxsey)
attach version to gRPC server metadata #1598 (@calebdoxsey)
use custom default http transport #1576 (@calebdoxsey)
update user info in addition to refreshing the token #1572 (@calebdoxsey)
databroker: add audience to session #1557 (@calebdoxsey)
authorize: implement allowed_idp_claims #1542 (@calebdoxsey)
autocert: support certificate renewal #1516 (@calebdoxsey)
add policy to allow any authenticated user #1515 (@pflipp)
debug: add pprof endpoints #1504 (@calebdoxsey)
databroker: require JWT for access #1503 (@calebdoxsey)
authenticate: remove unused paths, generate cipher at startup, remove qp store #1495 (@desimone)
forward-auth: use envoy's ext_authz check #1482 (@desimone)
auth0: implement directory provider #1479 (@grounded042)
azure: incremental sync #1471 (@calebdoxsey)
auth0: implement identity provider #1470 (@calebdoxsey)
dashboard: format timestamps #1468 (@calebdoxsey)
directory: additional user info #1467 (@calebdoxsey)
directory: add explicit RefreshUser endpoint for faster sync #1460 (@calebdoxsey)
config: add support for host header rewriting #1457 (@calebdoxsey)
proxy: preserve path and query string for http->https redirect #1456 (@calebdoxsey)
redis: use pubsub instead of keyspace events #1450 (@calebdoxsey)
proxy: add support for /.pomerium/jwt #1446 (@calebdoxsey)
databroker: add support for querying the databroker #1443 (@calebdoxsey)
config: add dns_lookup_family option to customize DNS IP resolution #1436 (@calebdoxsey)
okta: handle deleted groups #1418 (@calebdoxsey)
controlplane: support P-384 / P-512 EC curves #1409 (@desimone)
azure: add support for nested groups #1408 (@calebdoxsey)
authorize: add support for service accounts #1374 (@calebdoxsey)
Cuonglm/improve timeout error message #1373 (@cuonglm)
internal/directory/okta: remove rate limiter #1370 (@cuonglm)
proxy/controlplane: make health checks debug level #1368 (@desimone)
databroker: add tracing for rego evaluation and databroker sync, fix bug in databroker config source #1367 (@calebdoxsey)
authorize: use impersonate email/groups in JWT #1364 (@calebdoxsey)
config: support explicit prefix and regex path rewriting #1363 (@calebdoxsey)
proxy: support websocket timeouts #1362 (@calebdoxsey)
proxy: disable control-plane robots.txt for public unauthenticated routes #1361 (@calebdoxsey)
certmagic: improve logging #1358 (@calebdoxsey)
logs: add new log scrubber #1346 (@calebdoxsey)
Allow setting the shared secret via an environment variable. #1337 (@rspier)
authorize: add jti to JWT payload #1328 (@calebdoxsey)
all: add signout redirect url #1324 (@cuonglm)
proxy: remove unused handlers #1317 (@desimone)
azure: support deriving credentials from client id, client secret and provider url #1300 (@calebdoxsey)
cache: support databroker option changes #1294 (@calebdoxsey)
authenticate: move databroker connection to state #1292 (@calebdoxsey)
authorize: use atomic state for properties #1290 (@calebdoxsey)
proxy: move properties to atomically updated state #1280 (@calebdoxsey)
Improving okta API requests #1278 (@cuonglm)
authenticate: move properties to atomically updated state #1277 (@calebdoxsey)
authenticate: support reloading IDP settings #1273 (@calebdoxsey)
Rate limit for okta #1271 (@cuonglm)
config: allow dynamic configuration of cookie settings #1267 (@calebdoxsey)
internal/directory/okta: increase default batch size to 200 #1264 (@cuonglm)
envoy: add support for hot-reloading bootstrap configuration #1259 (@calebdoxsey)
config: allow reloading of telemetry settings #1255 (@calebdoxsey)
databroker: add support for config settings #1253 (@calebdoxsey)
config: warn if custom scopes set for builtin providers #1252 (@cuonglm)
authorize: add databroker url check #1228 (@desimone)
internal/databroker: make Sync send data in smaller batches #1226 (@cuonglm)

Fixed

fix config race #1660 (@calebdoxsey)
fix ordering of autocert config source #1640 (@calebdoxsey)
pkg/storage/redis: Prevent connection churn #1603 (@travisgroth)
forward-auth: fix special character support for nginx #1578 (@desimone)
proxy/forward_auth: copy response headers as request headers #1577 (@desimone)
fix querying claim data on the dashboard #1560 (@calebdoxsey)
github: fix retrieving team id with graphql API (#1554) #1555 (@toshipp)
store raw id token so it can be passed to the logout url #1543 (@calebdoxsey)
fix databroker requiring signed jwt #1538 (@calebdoxsey)
authorize: add redirect url to debug page #1533 (@desimone)
internal/frontend: resolve authN helper url #1521 (@desimone)
fwd-auth: match nginx-ingress config #1505 (@desimone)
authenticate: protect /.pomerium/admin endpoint #1500 (@calebdoxsey)
ci: ensure systemd unit file is in packages #1481 (@travisgroth)
identity manager: fix directory sync timing #1455 (@calebdoxsey)
proxy/forward_auth: don't reset forward auth path if X-Forwarded-Uri is not set #1447 (@whs)
httputil: remove retry button #1438 (@desimone)
proxy: always use https for application callback #1433 (@travisgroth)
controplane: remove p-521 EC #1420 (@desimone)
redirect-server: add config headers to responses #1416 (@calebdoxsey)
proxy: remove impersonate headers for kubernetes #1394 (@calebdoxsey)
Desimone/authenticate default logout #1390 (@desimone)
proxy: for filter matches only include bare domain name #1389 (@calebdoxsey)
internal/envoy: start epoch from 0 #1387 (@travisgroth)
internal/directory/okta: acceept non-json service account #1359 (@cuonglm)
internal/controlplane: add telemetry http handler #1353 (@travisgroth)
autocert: fix locking issue #1310 (@calebdoxsey)
authorize: log users and groups #1303 (@desimone)
proxy: fix wrong applied middleware #1298 (@cuonglm)
internal/directory/okta: fix wrong API query filter #1296 (@cuonglm)
autocert: fix bootstrapped cache store path #1283 (@desimone)
config: validate databroker settings #1260 (@calebdoxsey)
internal/autocert: re-use cert if renewing failed but cert not expired #1237 (@cuonglm)

Security

chore(deps): update envoy 1.16.1 #1613 (@desimone)

Documentation

move signing key algorithm documentation into yaml file #1646 (@calebdoxsey)
update docs #1645 (@desimone)
docs: update build badge #1635 (@travisgroth)
docs: add cache_service_url upgrade notice #1621 (@travisgroth)
docs: use standard language for lists #1590 (@desimone)
Fix command in Kubernetes Quick start docs #1582 (@wesleyw72)
move docs to settings.yaml #1579 (@calebdoxsey)
docs: add round logo #1574 (@desimone)
add settings.yaml file #1540 (@calebdoxsey)
update the documentation for auth0 to include group/role information #1502 (@grounded042)
examples: fix nginx example #1478 (@desimone)
docs: add architecture diagram for cloudrun #1444 (@travisgroth)
fix(examples): Use X-Pomerium-Claim headers #1422 (@tdorsey)
chore(docs): Fix typo in example policy #1419 (@tdorsey)
docs: fix grammar #1412 (@shinebayar-g)
docs: Add Traefik + Kubernetes example #1411 (@travisgroth)
Remove typo on remove_request_headers docs #1388 (@whs)
docs: update azure docs #1377 (@desimone)
docs: add nginx example #1329 (@travisgroth)
docs: use .com sitemap hostname #1274 (@desimone)
docs: fix in-action video #1268 (@travisgroth)
docs: image, sitemap and redirect fixes #1263 (@travisgroth)
Fix broken logo link in README.md #1261 (@cuonglm)
docs/docs: fix wrong okta service account field #1251 (@cuonglm)
[Backport latest] Docs/enterprise button #1247 (@github-actions[bot])
Docs/enterprise button #1245 (@desimone)
remove rootDomain from examples #1244 (@karelbilek)
docs: add / redirect #1241 (@desimone)
docs: prepare for enterprise / oss split #1238 (@desimone)

Dependency

chore(deps): update module open-policy-agent/opa to v0.25.1 #1659 (@renovate[bot])
chore(deps): update module lithammer/shortuuid/v3 to v3.0.5 #1658 (@renovate[bot])
chore(deps): update module google.golang.org/grpc to v1.34.0 #1657 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 9ee31aa #1655 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to 9317641 #1654 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to c7110b5 #1653 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to be400ae #1652 (@renovate[bot])
deps: update hashstructure v2 #1632 (@desimone)
chore(deps): update precommit hook pre-commit/pre-commit-hooks to v3 #1630 (@renovate[bot])
chore(deps): update module yaml to v2.4.0 #1629 (@renovate[bot])
chore(deps): update module google/go-cmp to v0.5.4 #1628 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to c8d3bf9 #1627 (@renovate[bot])
chore(deps): update module google/go-jsonnet to v0.17.0 #1611 (@renovate[bot])
chore(deps): update codecov/codecov-action action to v1.0.15 #1610 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 9b1e624 #1609 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to c1f2f97 #1608 (@renovate[bot])
chore(deps): update module google/go-cmp to v0.5.3 #1597 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to ce600e9 #1596 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to 9fd6049 #1595 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 69a7880 #1594 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to 0c6587e #1593 (@renovate[bot])
chore(deps): update module google.golang.org/grpc to v1.33.2 #1585 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to f9bfe23 #1583 (@renovate[bot])
chore(deps): update mikefarah/yq action to v3.4.1 #1567 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 24207fd #1566 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to ff519b6 #1565 (@renovate[bot])
chore(deps): update olegtarasov/get-tag action to v2 #1552 (@renovate[bot])
chore(deps): update goreleaser/goreleaser-action action to v2 #1551 (@renovate[bot])
chore(deps): update actions/setup-go action to v2 #1550 (@renovate[bot])
chore(deps): update toolmantim/release-drafter action to v5.12.1 #1549 (@renovate[bot])
chore(deps): update module google.golang.org/grpc to v1.33.1 #1548 (@renovate[bot])
chore(deps): update codecov/codecov-action action to v1.0.14 #1547 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 0ff5f38 #1546 (@renovate[bot])
chore(deps): update golang.org/x/sync commit hash to 67f06af #1545 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to be3efd7 #1544 (@renovate[bot])
chore(deps): update vuepress monorepo to v1.7.1 #1531 (@renovate[bot])
chore(deps): update module spf13/cobra to v1.1.1 #1530 (@renovate[bot])
chore(deps): update module prometheus/client_golang to v1.8.0 #1529 (@renovate[bot])
chore(deps): update module ory/dockertest/v3 to v3.6.2 #1528 (@renovate[bot])
chore(deps): update module open-policy-agent/opa to v0.24.0 #1527 (@renovate[bot])
chore(deps): update module golang/protobuf to v1.4.3 #1525 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 32ed001 #1524 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 7b1cca2 #1523 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to 9e8e0b3 #1522 (@renovate[bot])
chore(deps): upgrade envoy to v0.16.0 #1519 (@desimone)
deployment: run go mod tidy #1512 (@desimone)
chore(deps): update module ory/dockertest/v3 to v3.6.1 #1511 (@renovate[bot])
chore(deps): update module go.opencensus.io to v0.22.5 #1510 (@renovate[bot])
chore(deps): update module cenkalti/backoff/v4 to v4.1.0 #1509 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 4d944d3 #1508 (@renovate[bot])
chore(deps): update golang.org/x/sync commit hash to b3e1573 #1507 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 4f7140c #1506 (@renovate[bot])
deployment: pin /x/sys to fix dockertest #1491 (@desimone)
chore(deps): update module openzipkin/zipkin-go to v0.2.5 #1488 (@renovate[bot])
chore(deps): update module envoyproxy/go-control-plane to v0.9.7 #1487 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to bcad7cf #1486 (@renovate[bot])
chore(deps): update golang.org/x/sync commit hash to 3042136 #1485 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to 7f63de1 #1483 (@renovate[bot])
deps: update envoy arm64 to v1.15.1 #1475 (@travisgroth)
chore(deps): envoy 1.15.1 #1473 (@desimone)
chore(deps): update vuepress monorepo to v1.6.0 #1463 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to c2d885f #1462 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 5d4f700 #1461 (@renovate[bot])
deps: go mod tidy #1434 (@travisgroth)
chore(deps): update module rs/zerolog to v1.20.0 #1431 (@renovate[bot])
chore(deps): update module caddyserver/certmagic to v0.12.0 #1429 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to d0d6055 #1428 (@renovate[bot])
chore(deps): update module openzipkin/zipkin-go to v0.2.4 #1407 (@renovate[bot])
chore(deps): update module gorilla/handlers to v1.5.1 #1406 (@renovate[bot])
chore(deps): update module google.golang.org/grpc to v1.32.0 #1405 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 645f7a4 #1404 (@renovate[bot])
Run go mod tidy #1384 (@cuonglm)
chore(deps): update module go.uber.org/zap to v1.16.0 #1381 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 0bd0a95 #1380 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to 5d25da1 #1379 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 62affa3 #1378 (@renovate[bot])
deps: ensure renovate runs go mod tidy #1357 (@travisgroth)
deps: go mod tidy #1356 (@travisgroth)
Update module open-policy-agent/opa to v0.23.2 #1351 (@renovate[bot])
Update module google/uuid to v1.1.2 #1350 (@renovate[bot])
Update module google/go-cmp to v0.5.2 #1349 (@renovate[bot])
Update module google.golang.org/grpc to v1.31.1 #1348 (@renovate[bot])
Update google.golang.org/genproto commit hash to 2bf3329 #1347 (@renovate[bot])
chore(deps): update vuepress monorepo to v1.5.4 #1323 (@renovate[bot])
chore(deps): update module open-policy-agent/opa to v0.23.1 #1322 (@renovate[bot])
chore(deps): update module gorilla/mux to v1.8.0 #1321 (@renovate[bot])
chore(deps): update module gorilla/handlers to v1.5.0 #1320 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to c890458 #1319 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to 5c72a88 #1318 (@renovate[bot])
Upgrade zipkin-go to v0.2.3 #1288 (@cuonglm)
chore(deps): update google.golang.org/genproto commit hash to f69a880 #1286 (@renovate[bot])
chore(deps): update golang.org/x/time commit hash to 3af7569 #1285 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 3edf25e #1284 (@renovate[bot])
.github/workflows: upgrade to go1.15 #1258 (@cuonglm)
Fix tests failed with go115 #1257 (@cuonglm)
chore(deps): update dependency @vuepress/plugin-google-analytics to v1.5.3 #1236 (@renovate[bot])
Update module google.golang.org/api to v0.30.0 #1235 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to a062522 #1234 (@renovate[bot])

Deployment

deployment: enable multi-arch release images #1643 (@travisgroth)
ci: add bintray publishing #1618 (@travisgroth)
ci: remove bad quoting in publish steps #1617 (@travisgroth)
ci: update tag parsing step #1616 (@travisgroth)
remove memberlist #1615 (@calebdoxsey)
ci: automatically update test environment with master #1562 (@travisgroth)
deployment: add debug build / container / docs #1513 (@travisgroth)
deployment: Generate deb and rpm packages #1458 (@travisgroth)
deployment: bump release go to v1.15.x #1439 (@desimone)
ci: publish cloudrun latest tag #1398 (@travisgroth)
deployment: fully split release archives and brews #1365 (@travisgroth)
Include pomerium-cli in the docker image by default. Fixes #1343. #1345 (@rspier)
Use apt-get instead of apt to eliminate warning. #1344 (@rspier)
deployment: add goimports with path awareness #1316 (@desimone)

Changed

identity/oidc/azure: goimports #1651 (@travisgroth)
fix panic when deleting a record twice from the inmemory data store #1639 (@calebdoxsey)
ci: improve release snapshot name template #1602 (@travisgroth)
ci: fix release workflow syntax #1592 (@travisgroth)
ci: update changelog generation to script #1589 (@travisgroth)
[Backport 0-10-0] docs: add round logo #1575 (@github-actions[bot])
tidy #1494 (@desimone)
dev: add remote container debug configs #1459 (@desimone)
ci: add stale issue automation #1366 (@travisgroth)
internal/urlutil: remove un-used constants #1326 (@cuonglm)
integration: add forward auth test #1312 (@cuonglm)
pkg/storage/redis: update tests to use local certs + upstream image #1306 (@travisgroth)
config: omit empty subpolicies in yaml/json #1229 (@travisgroth)
Cuonglm/increase coverrage 1 #1227 (@cuonglm)

v0.11.0-rc2 (2020-11-19)

Full Changelog

New

add paging support to GetAll #1601 (@calebdoxsey)
attach version to gRPC server metadata #1598 (@calebdoxsey)

Fixed

pkg/storage/redis: Prevent connection churn #1603 (@travisgroth)

Dependency

chore(deps): update module google/go-cmp to v0.5.3 #1597 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to ce600e9 #1596 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to 9fd6049 #1595 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 69a7880 #1594 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to 0c6587e #1593 (@renovate[bot])

Changed

ci: improve release snapshot name template #1602 (@travisgroth)

v0.11.0-rc1 (2020-11-13)

Full Changelog

Breaking

add flag to enable user impersonation #1514 (@calebdoxsey)

New

use custom default http transport #1576 (@calebdoxsey)
update user info in addition to refreshing the token #1572 (@calebdoxsey)
databroker: add audience to session #1557 (@calebdoxsey)
authorize: implement allowed_idp_claims #1542 (@calebdoxsey)
autocert: support certificate renewal #1516 (@calebdoxsey)
add policy to allow any authenticated user #1515 (@pflipp)
debug: add pprof endpoints #1504 (@calebdoxsey)
databroker: require JWT for access #1503 (@calebdoxsey)
authenticate: remove unused paths, generate cipher at startup, remove qp store #1495 (@desimone)
forward-auth: use envoy's ext_authz check #1482 (@desimone)
auth0: implement directory provider #1479 (@grounded042)
azure: incremental sync #1471 (@calebdoxsey)
auth0: implement identity provider #1470 (@calebdoxsey)
dashboard: format timestamps #1468 (@calebdoxsey)
directory: additional user info #1467 (@calebdoxsey)
directory: add explicit RefreshUser endpoint for faster sync #1460 (@calebdoxsey)
config: add support for host header rewriting #1457 (@calebdoxsey)
proxy: preserve path and query string for http->https redirect #1456 (@calebdoxsey)
redis: use pubsub instead of keyspace events #1450 (@calebdoxsey)
proxy: add support for /.pomerium/jwt #1446 (@calebdoxsey)
databroker: add support for querying the databroker #1443 (@calebdoxsey)
config: add dns_lookup_family option to customize DNS IP resolution #1436 (@calebdoxsey)
okta: handle deleted groups #1418 (@calebdoxsey)
controlplane: support P-384 / P-512 EC curves #1409 (@desimone)
azure: add support for nested groups #1408 (@calebdoxsey)
authorize: add support for service accounts #1374 (@calebdoxsey)
Cuonglm/improve timeout error message #1373 (@cuonglm)
internal/directory/okta: remove rate limiter #1370 (@cuonglm)
proxy/controlplane: make health checks debug level #1368 (@desimone)
databroker: add tracing for rego evaluation and databroker sync, fix bug in databroker config source #1367 (@calebdoxsey)
authorize: use impersonate email/groups in JWT #1364 (@calebdoxsey)
config: support explicit prefix and regex path rewriting #1363 (@calebdoxsey)
proxy: support websocket timeouts #1362 (@calebdoxsey)
proxy: disable control-plane robots.txt for public unauthenticated routes #1361 (@calebdoxsey)
certmagic: improve logging #1358 (@calebdoxsey)
logs: add new log scrubber #1346 (@calebdoxsey)
Allow setting the shared secret via an environment variable. #1337 (@rspier)
authorize: add jti to JWT payload #1328 (@calebdoxsey)
all: add signout redirect url #1324 (@cuonglm)
proxy: remove unused handlers #1317 (@desimone)
azure: support deriving credentials from client id, client secret and provider url #1300 (@calebdoxsey)
cache: support databroker option changes #1294 (@calebdoxsey)
authenticate: move databroker connection to state #1292 (@calebdoxsey)
authorize: use atomic state for properties #1290 (@calebdoxsey)
proxy: move properties to atomically updated state #1280 (@calebdoxsey)
Improving okta API requests #1278 (@cuonglm)
authenticate: move properties to atomically updated state #1277 (@calebdoxsey)
authenticate: support reloading IDP settings #1273 (@calebdoxsey)
Rate limit for okta #1271 (@cuonglm)
config: allow dynamic configuration of cookie settings #1267 (@calebdoxsey)
internal/directory/okta: increase default batch size to 200 #1264 (@cuonglm)
envoy: add support for hot-reloading bootstrap configuration #1259 (@calebdoxsey)
config: allow reloading of telemetry settings #1255 (@calebdoxsey)
databroker: add support for config settings #1253 (@calebdoxsey)
config: warn if custom scopes set for builtin providers #1252 (@cuonglm)
authorize: add databroker url check #1228 (@desimone)
internal/databroker: make Sync send data in smaller batches #1226 (@cuonglm)

Fixed

forward-auth: fix special character support for nginx #1578 (@desimone)
proxy/forward_auth: copy response headers as request headers #1577 (@desimone)
fix querying claim data on the dashboard #1560 (@calebdoxsey)
github: fix retrieving team id with graphql API (#1554) #1555 (@toshipp)
store raw id token so it can be passed to the logout url #1543 (@calebdoxsey)
fix databroker requiring signed jwt #1538 (@calebdoxsey)
authorize: add redirect url to debug page #1533 (@desimone)
internal/frontend: resolve authN helper url #1521 (@desimone)
fwd-auth: match nginx-ingress config #1505 (@desimone)
authenticate: protect /.pomerium/admin endpoint #1500 (@calebdoxsey)
ci: ensure systemd unit file is in packages #1481 (@travisgroth)
identity manager: fix directory sync timing #1455 (@calebdoxsey)
proxy/forward_auth: don't reset forward auth path if X-Forwarded-Uri is not set #1447 (@whs)
httputil: remove retry button #1438 (@desimone)
proxy: always use https for application callback #1433 (@travisgroth)
controplane: remove p-521 EC #1420 (@desimone)
redirect-server: add config headers to responses #1416 (@calebdoxsey)
proxy: remove impersonate headers for kubernetes #1394 (@calebdoxsey)
Desimone/authenticate default logout #1390 (@desimone)
proxy: for filter matches only include bare domain name #1389 (@calebdoxsey)
internal/envoy: start epoch from 0 #1387 (@travisgroth)
internal/directory/okta: acceept non-json service account #1359 (@cuonglm)
internal/controlplane: add telemetry http handler #1353 (@travisgroth)
autocert: fix locking issue #1310 (@calebdoxsey)
authorize: log users and groups #1303 (@desimone)
proxy: fix wrong applied middleware #1298 (@cuonglm)
internal/directory/okta: fix wrong API query filter #1296 (@cuonglm)
autocert: fix bootstrapped cache store path #1283 (@desimone)
config: validate databroker settings #1260 (@calebdoxsey)
internal/autocert: re-use cert if renewing failed but cert not expired #1237 (@cuonglm)

Documentation

docs: use standard language for lists #1590 (@desimone)
Fix command in Kubernetes Quick start docs #1582 (@wesleyw72)
move docs to settings.yaml #1579 (@calebdoxsey)
docs: add round logo #1574 (@desimone)
add settings.yaml file #1540 (@calebdoxsey)
update the documentation for auth0 to include group/role information #1502 (@grounded042)
examples: fix nginx example #1478 (@desimone)
docs: add architecture diagram for cloudrun #1444 (@travisgroth)
fix(examples): Use X-Pomerium-Claim headers #1422 (@tdorsey)
chore(docs): Fix typo in example policy #1419 (@tdorsey)
docs: fix grammar #1412 (@shinebayar-g)
docs: Add Traefik + Kubernetes example #1411 (@travisgroth)
Remove typo on remove_request_headers docs #1388 (@whs)
docs: update azure docs #1377 (@desimone)
docs: add nginx example #1329 (@travisgroth)
docs: use .com sitemap hostname #1274 (@desimone)
docs: fix in-action video #1268 (@travisgroth)
docs: image, sitemap and redirect fixes #1263 (@travisgroth)
Fix broken logo link in README.md #1261 (@cuonglm)
docs/docs: fix wrong okta service account field #1251 (@cuonglm)
[Backport latest] Docs/enterprise button #1247 (@github-actions[bot])
Docs/enterprise button #1245 (@desimone)
remove rootDomain from examples #1244 (@karelbilek)
docs: add / redirect #1241 (@desimone)
docs: prepare for enterprise / oss split #1238 (@desimone)

Dependency

chore(deps): update module google.golang.org/grpc to v1.33.2 #1585 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to f9bfe23 #1583 (@renovate[bot])
chore(deps): update mikefarah/yq action to v3.4.1 #1567 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 24207fd #1566 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to ff519b6 #1565 (@renovate[bot])
chore(deps): update olegtarasov/get-tag action to v2 #1552 (@renovate[bot])
chore(deps): update goreleaser/goreleaser-action action to v2 #1551 (@renovate[bot])
chore(deps): update actions/setup-go action to v2 #1550 (@renovate[bot])
chore(deps): update toolmantim/release-drafter action to v5.12.1 #1549 (@renovate[bot])
chore(deps): update module google.golang.org/grpc to v1.33.1 #1548 (@renovate[bot])
chore(deps): update codecov/codecov-action action to v1.0.14 #1547 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 0ff5f38 #1546 (@renovate[bot])
chore(deps): update golang.org/x/sync commit hash to 67f06af #1545 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to be3efd7 #1544 (@renovate[bot])
chore(deps): update vuepress monorepo to v1.7.1 #1531 (@renovate[bot])
chore(deps): update module spf13/cobra to v1.1.1 #1530 (@renovate[bot])
chore(deps): update module prometheus/client_golang to v1.8.0 #1529 (@renovate[bot])
chore(deps): update module ory/dockertest/v3 to v3.6.2 #1528 (@renovate[bot])
chore(deps): update module open-policy-agent/opa to v0.24.0 #1527 (@renovate[bot])
chore(deps): update module golang/protobuf to v1.4.3 #1525 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 32ed001 #1524 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 7b1cca2 #1523 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to 9e8e0b3 #1522 (@renovate[bot])
chore(deps): upgrade envoy to v0.16.0 #1519 (@desimone)
deployment: run go mod tidy #1512 (@desimone)
chore(deps): update module ory/dockertest/v3 to v3.6.1 #1511 (@renovate[bot])
chore(deps): update module go.opencensus.io to v0.22.5 #1510 (@renovate[bot])
chore(deps): update module cenkalti/backoff/v4 to v4.1.0 #1509 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 4d944d3 #1508 (@renovate[bot])
chore(deps): update golang.org/x/sync commit hash to b3e1573 #1507 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 4f7140c #1506 (@renovate[bot])
deployment: pin /x/sys to fix dockertest #1491 (@desimone)
chore(deps): update module openzipkin/zipkin-go to v0.2.5 #1488 (@renovate[bot])
chore(deps): update module envoyproxy/go-control-plane to v0.9.7 #1487 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to bcad7cf #1486 (@renovate[bot])
chore(deps): update golang.org/x/sync commit hash to 3042136 #1485 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to 7f63de1 #1483 (@renovate[bot])
deps: update envoy arm64 to v1.15.1 #1475 (@travisgroth)
chore(deps): envoy 1.15.1 #1473 (@desimone)
chore(deps): update vuepress monorepo to v1.6.0 #1463 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to c2d885f #1462 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 5d4f700 #1461 (@renovate[bot])
deps: go mod tidy #1434 (@travisgroth)
chore(deps): update module rs/zerolog to v1.20.0 #1431 (@renovate[bot])
chore(deps): update module caddyserver/certmagic to v0.12.0 #1429 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to d0d6055 #1428 (@renovate[bot])
chore(deps): update module openzipkin/zipkin-go to v0.2.4 #1407 (@renovate[bot])
chore(deps): update module gorilla/handlers to v1.5.1 #1406 (@renovate[bot])
chore(deps): update module google.golang.org/grpc to v1.32.0 #1405 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 645f7a4 #1404 (@renovate[bot])
Run go mod tidy #1384 (@cuonglm)
chore(deps): update module go.uber.org/zap to v1.16.0 #1381 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 0bd0a95 #1380 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to 5d25da1 #1379 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 62affa3 #1378 (@renovate[bot])
deps: ensure renovate runs go mod tidy #1357 (@travisgroth)
deps: go mod tidy #1356 (@travisgroth)
Update module open-policy-agent/opa to v0.23.2 #1351 (@renovate[bot])
Update module google/uuid to v1.1.2 #1350 (@renovate[bot])
Update module google/go-cmp to v0.5.2 #1349 (@renovate[bot])
Update module google.golang.org/grpc to v1.31.1 #1348 (@renovate[bot])
Update google.golang.org/genproto commit hash to 2bf3329 #1347 (@renovate[bot])
chore(deps): update vuepress monorepo to v1.5.4 #1323 (@renovate[bot])
chore(deps): update module open-policy-agent/opa to v0.23.1 #1322 (@renovate[bot])
chore(deps): update module gorilla/mux to v1.8.0 #1321 (@renovate[bot])
chore(deps): update module gorilla/handlers to v1.5.0 #1320 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to c890458 #1319 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to 5c72a88 #1318 (@renovate[bot])
Upgrade zipkin-go to v0.2.3 #1288 (@cuonglm)
chore(deps): update google.golang.org/genproto commit hash to f69a880 #1286 (@renovate[bot])
chore(deps): update golang.org/x/time commit hash to 3af7569 #1285 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 3edf25e #1284 (@renovate[bot])
.github/workflows: upgrade to go1.15 #1258 (@cuonglm)
Fix tests failed with go115 #1257 (@cuonglm)
chore(deps): update dependency @vuepress/plugin-google-analytics to v1.5.3 #1236 (@renovate[bot])
Update module google.golang.org/api to v0.30.0 #1235 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to a062522 #1234 (@renovate[bot])

Deployment

ci: automatically update test environment with master #1562 (@travisgroth)
deployment: add debug build / container / docs #1513 (@travisgroth)
deployment: Generate deb and rpm packages #1458 (@travisgroth)
deployment: bump release go to v1.15.x #1439 (@desimone)
ci: publish cloudrun latest tag #1398 (@travisgroth)
deployment: fully split release archives and brews #1365 (@travisgroth)
Include pomerium-cli in the docker image by default. Fixes #1343. #1345 (@rspier)
Use apt-get instead of apt to eliminate warning. #1344 (@rspier)
deployment: add goimports with path awareness #1316 (@desimone)

Changed

ci: fix release workflow syntax #1592 (@travisgroth)
ci: update changelog generation to script #1589 (@travisgroth)
[Backport 0-10-0] docs: add round logo #1575 (@github-actions[bot])
tidy #1494 (@desimone)
dev: add remote container debug configs #1459 (@desimone)
ci: add stale issue automation #1366 (@travisgroth)
internal/urlutil: remove un-used constants #1326 (@cuonglm)
integration: add forward auth test #1312 (@cuonglm)
pkg/storage/redis: update tests to use local certs + upstream image #1306 (@travisgroth)
config: omit empty subpolicies in yaml/json #1229 (@travisgroth)
Cuonglm/increase coverrage 1 #1227 (@cuonglm)

v0.10.6 (2020-09-30)

Full Changelog

Changed

docs: Update changelog for v0.10.6 #1477 (@travisgroth)
[Backport 0-10-0] deps: update envoy arm64 to v1.15.1 #1476 (@github-actions[bot])
[Backport 0-10-0] chore(deps): envoy 1.15.1 #1474 (@github-actions[bot])

v0.10.5 (2020-09-28)

Full Changelog

Documentation

docs: Update changelog for v0.10.5 #1469 (@travisgroth)

Changed

redis: use pubsub instead of keyspace events #1451 (@calebdoxsey)

v0.10.4 (2020-09-22)

Full Changelog

Documentation

docs: update 0.10.4 changelog #1441 (@travisgroth)
Add v0.10.4 changelog entry #1437 (@travisgroth)

Changed

[Backport 0-10-0] httputil: remove retry button #1440 (@github-actions[bot])
[Backport 0-10-0] proxy: always use https for application callback #1435 (@github-actions[bot])
[Backport 0-10-0] redirect-server: add config headers to responses #1427 (@github-actions[bot])
[Backport 0-10-0] controplane: remove p-521 EC #1423 (@github-actions[bot])
[Backport 0-10-0] controlplane: support P-384 / P-512 EC curves #1410 (@github-actions[bot])

v0.10.3 (2020-09-11)

Full Changelog

Changed

Update changelog for v0.10.3 #1401 (@travisgroth)
[Backport 0-10-0] ci: publish cloudrun latest tag #1399 (@github-actions[bot])
[Backport 0-10-0] proxy: remove impersonate headers for kubernetes #1396 (@travisgroth)
[Backport 0-10-0] docs: update azure docs #1385 (@github-actions[bot])
internal/directory/okta: remove rate limiter (#1370) #1371 (@cuonglm)
[Backport 0-10-0] internal/directory/okta: acceept non-json service account #1360 (@github-actions[bot])
[Backport 0-10-0] internal/controlplane: add telemetry http handler #1355 (@github-actions[bot])
[Backport 0-10-0] docs: add nginx example #1339 (@github-actions[bot])

v0.10.2 (2020-08-26)

Full Changelog

Documentation

docs: update change log for 0.10.2 #1330 (@travisgroth)

Changed

Backport go 1.15 changes for 0-10-0 #1334 (@travisgroth)
[Backport 0-10-0] internal/directory/okta: improve API requests #1332 (@travisgroth)
autocert: fix locking issue (#1310) #1311 (@calebdoxsey)

v0.10.1 (2020-08-20)

Full Changelog

Documentation

[Backport 0-10-0] Docs/enterprise button #1246 (@github-actions[bot])
[Backport 0-10-0] docs: add / redirect #1242 (@github-actions[bot])

Changed

docs: v0.10.1 changelog #1308 (@travisgroth)
[Backport 0-10-0] pkg/storage/redis: update tests to use local certs + upstream image #1307 (@github-actions[bot])
azure: support deriving credentials from client id, client secret and... #1301 (@calebdoxsey)
[Backport 0-10-0] autocert: fix bootstrapped cache store path #1291 (@github-actions[bot])
[Backport 0-10-0] docs: use .com sitemap hostname #1275 (@github-actions[bot])
[Backport 0-10-0] docs: fix in-action video #1269 (@github-actions[bot])
[Backport 0-10-0] docs: image, sitemap and redirect fixes #1265 (@github-actions[bot])
[Backport 0-10-0] docs: prepare for enterprise / oss split #1239 (@github-actions[bot])
[Backport 0-10-0] authorize: add databroker url check #1231 (@github-actions[bot])
[Backport 0-10-0] config: omit empty subpolicies in yaml/json #1230 (@github-actions[bot])

v0.10.0

Changes

Add storage backend interface @cuonglm GH-1072
all: update outdated comments about OptionsUpdater interface @cuonglm GH-1207
Allow specify go executable in Makefile @cuonglm GH-1008
audit: add protobuf definitions @calebdoxsey GH-1047
authenticate: hide impersonation form from non-admin users @cuonglm GH-979
authenticate: move impersonate from proxy to authenticate @calebdoxsey GH-965
authenticate: remove useless/duplicated code block @cuonglm GH-962
authenticate: revoke current session oauth token before sign out @cuonglm GH-964
authorize,proxy: allow traefik forward auth without uri query @cuonglm GH-1103
authorize: add evaluator store @calebdoxsey GH-1105
authorize: add test for denied response @cuonglm GH-1197
authorize: avoid serializing databroker data map to improve performance @calebdoxsey GH-995
authorize: clear session state if session was deleted in databroker @cuonglm GH-1053
authorize: derive check response message from reply message @cuonglm GH-1193
authorize: include "kid" in JWT header @cuonglm GH-1049
authorize: store policy evaluator on success only @cuonglm GH-1206
authorize/evaluator: add more test cases @cuonglm GH-1198
authorize/evaluator: fix wrong custom policies decision @cuonglm GH-1199
authorize/evaluator/opa: use route policy object instead of array index @cuonglm GH-1001
cache: add client telemetry @travisgroth GH-975
cache: add test for runMemberList @cuonglm GH-1007
cache: attempt to join memberlist cluster for sanity check @travisgroth GH-1004
cache: fix missing parameter @travisgroth GH-1005
cache: only run memberlist for in-memory databroker @travisgroth GH-1224
ci: Add cloudrun build @travisgroth GH-1097
ci: support rc releases @travisgroth GH-1011
cmd/pomerium-cli: do not require terminal with cached creds @travisgroth GH-1196
config: add check to assert service account is required for policies with allowed_groups @desimone GH-997
config: add support for policies stored in the databroker @calebdoxsey GH-1099
config: additional kubernetes token source support @travisgroth GH-1200
config: allow setting directory sync interval and timeout @cuonglm GH-1098
config: default to google idp credentials for serverless @travisgroth GH-1170
config: fix loading storage client cert from wrong location @travisgroth GH-1212
config: Set loopback address by ipv4 IP @travisgroth GH-1116
cryptutil: move to pkg dir, add token generator @calebdoxsey GH-1029
deployment: fix brew creation for pomerium-cli @travisgroth GH-1192
directory.Group entry for groups @calebdoxsey GH-1118
docs/docs: update upgrading to mention redis storage backend @cuonglm GH-1172
envoy: disable idle timeouts to controlplane @travisgroth GH-1000
grpc: rename internal/grpc to pkg/grpc @calebdoxsey GH-1010
grpc: use relative paths in codegen @desimone GH-1106
grpcutil: add functions for JWTs in gRPC metadata @calebdoxsey GH-1165
Increasing authorize coverage @cuonglm GH-1221
integration: add dummy value for idp_service_account @cuonglm GH-1009
internal/controlplane: set envoy prefix rewrite if present @cuonglm GH-1034
internal/controlplane: using envoy strip host port matching @cuonglm GH-1126
internal/databroker: handle new db error @cuonglm GH-1129
internal/databroker: store server version @cuonglm GH-1121
internal/directory: improve google user groups list @cuonglm GH-1092
internal/directory: use both id and name for group @cuonglm GH-1086
internal/directory/google: return both group e-mail and id @travisgroth GH-1083
internal/frontend/assets/html: make timestamp human readable @cuonglm GH-1107
internal/sessions: handle claims "ver" field generally @cuonglm GH-990
internal/urlutil: add tests for GetDomainsForURL @cuonglm GH-1183
memberlist: use bufio reader instead of scanner @calebdoxsey GH-1002
config: options refactor @calebdoxsey GH-1088
pkg: add grpcutil package @calebdoxsey GH-1032
pkg/storage: add package docs @cuonglm GH-1078
pkg/storage: change backend interface to return error @cuonglm GH-1131
pkg/storage: introduce storage.Backend Watch method @cuonglm GH-1135
pkg/storage: make Watch returns receive only channel @cuonglm GH-1211
pkg/storage/redis: do not use timeout to signal redis conn to stop @cuonglm GH-1155
pkg/storage/redis: fix multiple data race @cuonglm GH-1210
pkg/storage/redis: metrics updates @travisgroth GH-1195
pkg/storage/redis: move last version to redis @cuonglm GH-1134
proxy: add support for spdy upgrades @travisgroth GH-1203
proxy: avoid second policy validation @travisgroth GH-1204
proxy: refactor handler setup code @travisgroth GH-1205
set session state expiry @calebdoxsey GH-1215
Sleep longer before running integration tests @cuonglm GH-968
telemetry: add tracing spans to cache and databroker @travisgroth GH-987

New

authenticate: allow hot reloaded admin users config @cuonglm [GH-984]
authenticate: support hot reloaded config @cuonglm GH-984
authorize: custom rego policies @calebdoxsey GH-1123
authorize: include "kid" in JWT headers @cuonglm [GH-1046]
azure: use OID for user id in session @calebdoxsey GH-985
config: add pass_identity_headers @cuonglm [GH-903]
config: add remove_request_headers @cuonglm [GH-822]
config: both base64 and file reference can be used for "certificates" @dmitrif [GH-1055]
config: change config key parsing to attempt Base64 decoding first. @dmitrif GH-1055
config: change default log level to INFO @cuonglm [GH-902]
custom rego in databroker @calebdoxsey GH-1124
databroker server backend config @cuonglm GH-1127
databroker: add encryption for records @calebdoxsey GH-1168
deploy: Add homebrew tap publishing @travisgroth GH-1179
deployment: cut separate archive for cli @desimone GH-1177
directory: add service account struct and parsing method @calebdoxsey GH-971
envoy: enable strip host port matching @cuonglm [GH-1126]
github: implement github directory provider @calebdoxsey GH-963
google: store directory information by user id @calebdoxsey GH-988
identity: support custom code flow request params @desimone GH-998
implement google cloud serverless authentication @calebdoxsey GH-1080
internal/directory/okta: store directory information by user id @cuonglm GH-991
internal/directory/onelogin: store directory information by user id @cuonglm GH-992
kubernetes apiserver integration @calebdoxsey GH-1063
pkg/storage/redis: add authentication support @cuonglm GH-1159
pkg/storage/redis: add redis TLS support @cuonglm GH-1163
pomerium-cli k8s exec-credential @calebdoxsey GH-1073
redis storage backend @cuonglm GH-1082
telmetry: add databroker storage metrics and tracing @travisgroth GH-1161
use custom binary for arm64 linux release @calebdoxsey GH-1065

Fixed

authenticate: fix wrong condition checking in VerifySession @cuonglm GH-1146
authenticate: fix wrong SignIn telemetry name @cuonglm GH-1038
authorize: Force redirect scheme to https @travisgroth GH-1075
authorize: strip port from host header if necessary @cuonglm GH-1175
authorize/evaluator/opa: set client tls cert usage explicitly @travisgroth GH-1026
authorize/evaluator/opa/policy: fix allow rules with impersonate @cuonglm GH-1094
cache: fix data race in NotifyJoin @cuonglm GH-1028
ci: fix arm docker image releases @travisgroth GH-1178
ci: Prevent dirty git state @travisgroth GH-1117
ci: release fixes @travisgroth GH-1181
config: fix deep copy of config @calebdoxsey GH-1089
controlplane: add robots route @desimone GH-966
deploy: ensure pomerium-cli is built correctly @travisgroth GH-1180
deployment: fix pomerium-cli release @desimone GH-1104
envoy: Set ExtAuthz Cluster name to URL Host @travisgroth GH-1132
fix databroker restart versioning, handle missing sessions @calebdoxsey GH-1145
fix lint errors @travisgroth GH-1171
fix redirect loop, remove user/session services, remove duplicate deleted_at fields @calebdoxsey GH-1162
handle example.com and example.com:443 @calebdoxsey GH-1153
internal/controlplane: enable envoy use remote address @cuonglm GH-1023
internal/databroker: fix wrong server version init @cuonglm GH-1125
pkg/grpc: fix wrong audit protoc gen file @cuonglm GH-1048
pkg/storage/redis: handling connection to redis backend failure @cuonglm GH-1174
pomerium-cli: fix kubernetes token caching @calebdoxsey GH-1169
pomerium-cli: kubernetes fixes @calebdoxsey GH-1176
proxy: do not set X-Pomerium-Jwt-Assertion/X-Pomerium-Claim-* headers by default @cuonglm [GH-903]
proxy: fix invalid session after logout in forward auth mode @cuonglm GH-1062
proxy: fix redirect url with traefik forward auth @cuonglm GH-1037
proxy: fix wrong forward auth request @cuonglm GH-1030

Documentation

docs: Update synology.md @roulesse GH-1219
docs: add installation section @travisgroth GH-1223
docs: add kubectl config commands @travisgroth GH-1152
docs: add kubernetes docs @calebdoxsey GH-1087
docs: add recipe for TiddlyWiki on Node.js @favadi GH-1143
docs: add required in cookie_secret @mig4ng GH-1142
docs: add warnings cones around requiring IdP Service Accounts @travisgroth GH-999
docs: cloud Run / GCP Serverless @travisgroth GH-1101
docs: document preserve_host_header with policy routes to static ip @cuonglm GH-1024
docs: fix incorrect example middleware @travisgroth GH-1128
docs: fix links, clarify upgrade guide for v0.10 @desimone GH-1220
docs: fix minor errors @travisgroth GH-1214
docs: Kubernetes topic @travisgroth GH-1222
docs: Move examples repo into main repo @travisgroth GH-1102
docs: Redis and stateful storage docs @travisgroth GH-1173
docs: refactor sections, consolidate examples @desimone GH-1164
docs: rename docs/reference to docs/conceptststststststststs @desimone GH-1182
docs: service account instructions for azure @calebdoxsey GH-969
docs: service account instructions for gitlab @calebdoxsey GH-970
docs: update architecture diagrams + descriptions @travisgroth GH-1218
docs: update GitHub documentation for service account @calebdoxsey GH-967
docs: Update Istio VirtualService example @jeffhubLR GH-1006
docs: update okta service account docs to match new format @calebdoxsey GH-972
Docs: Update README stating specific requirements for SIGNING_KEY @bradjones1 GH-1217
docs: update reference docs @desimone GH-1208
docs: update service account instructions for OneLogin @calebdoxsey GH-973
docs: update upgrading document for breaking changes @calebdoxsey GH-974
docs/.vuepress: fix missing local-oidc recipes section @cuonglm GH-1147
docs/configuration: add doc for trailing slash limitation in "To" field @cuonglm GH-1040
docs/docs: add changelog for #1055 @cuonglm GH-1084
docs/identity-providers: document gitlab default scopes changed @cuonglm GH-980
docs/recipes: add local oidc example @cuonglm GH-1045

Dependency

chore(deps): bump envoy to 1.15.0 @desimone GH-1119
chore(deps): google.golang.org/genproto commit hash to da3ae01 @renovate GH-1138
chore(deps): module google/go-cmp to v0.5.1 @renovate GH-1139
chore(deps): update envoy to 1.14.4 @desimone GH-1076
chore(deps): update github.com/skratchdot/open-golang commit hash to eef8423 @renovate GH-1108
chore(deps): update golang.org/x/crypto commit hash to 123391f @renovate GH-1184
chore(deps): update golang.org/x/crypto commit hash to 948cd5f @renovate GH-1056
chore(deps): update golang.org/x/net commit hash to 4c52546 @renovate GH-1017
chore(deps): update golang.org/x/net commit hash to ab34263 @renovate GH-1057
chore(deps): update golang.org/x/sync commit hash to 6e8e738 @renovate GH-1018
chore(deps): update google.golang.org/genproto commit hash to 11fb19a @renovate GH-1109
chore(deps): update google.golang.org/genproto commit hash to 8145dea @renovate GH-1185
chore(deps): update google.golang.org/genproto commit hash to 8698661 @renovate GH-1058
chore(deps): update google.golang.org/genproto commit hash to 8e8330b @renovate GH-1039
chore(deps): update google.golang.org/genproto commit hash to ee7919e @renovate GH-1019
chore(deps): update google.golang.org/genproto commit hash to fbb79ea @renovate GH-945
chore(deps): update module cenkalti/backoff/v4 to v4.0.2 @renovate GH-946
chore(deps): update module contrib.go.opencensus.io/exporter/jaeger to v0.2.1 @renovate GH-1186
chore(deps): update module contrib.go.opencensus.io/exporter/zipkin to v0.1.2 @renovate GH-1187
chore(deps): update module envoyproxy/go-control-plane to v0.9.6 @renovate GH-1059
chore(deps): update module go.opencensus.io to v0.22.4 @renovate GH-948
chore(deps): update module golang/mock to v1.4.4 @renovate GH-1188
chore(deps): update module google.golang.org/api to v0.28.0 @renovate GH-949
chore(deps): update module google.golang.org/api to v0.29.0 @renovate GH-1060
chore(deps): update module google.golang.org/grpc to v1.30.0 @renovate GH-1020
chore(deps): update module google.golang.org/grpc to v1.31.0 @renovate GH-1189
chore(deps): update module google.golang.org/protobuf to v1.25.0 @renovate GH-1021
chore(deps): update module google/go-cmp to v0.5.0 @renovate GH-950
chore(deps): update module hashicorp/memberlist to v0.2.2 @renovate GH-951
chore(deps): update module open-policy-agent/opa to v0.21.0 @renovate GH-952
chore(deps): update module open-policy-agent/opa to v0.21.1 @renovate GH-1061
chore(deps): update module open-policy-agent/opa to v0.22.0 @renovate GH-1110
chore(deps): update module prometheus/client_golang to v1.7.0 @renovate GH-953
chore(deps): update module prometheus/client_golang to v1.7.1 @renovate GH-1022
chore(deps): update module spf13/cobra to v1 @renovate GH-1111
chore(deps): update module spf13/viper to v1.7.1 @renovate GH-1190
chore(deps):s bump opa v0.21.0 @desimone GH-993

v0.9.1

Security

envoy: fixes CVE-2020-11080 by rejecting HTTP/2 SETTINGS frames with too many parameters

v0.9.0

New

proxy: envoy is now used to handle proxying
authenticate: add jwks and .well-known endpoint @desimone [GH-745]
authorize: add client mTLS support @calebdoxsey [GH-751]

Fixed

cache: fix closing too early @calebdoxsey [GH-791]
authenticate: fix insecure gRPC connection string default port @calebdoxsey [GH-795]
authenticate: fix user-info call for AWS cognito @calebdoxsey [GH-792]
authenticate: clear session if ctx fails @desimone [GH-806]
telemetry: fix autocache labels @travisgroth [GH-805]
telemetry: fix missing/incorrect grpc labels @travisgroth [GH-804]
authorize: fix authorization panic caused by logging a nil reference @desimone [GH-704]

Changes

authenticate: remove authorize url validate check @calebdoxsey [GH-790]
authorize: reduce log noise for empty jwt @calebdoxsey [GH-793]
authorize: refactor and add additional unit tests @calebdoxsey [GH-757]
envoy: add GRPC stats handler to control plane service @travisgroth [GH-744]
envoy: enable zipkin tracing @travisgroth [GH-737]
envoy: improvements to logging @calebdoxsey [GH-742]
envoy: remove 'accept-encoding' header from proxied metric requests @travisgroth [GH-750]
envoy: support ports in hosts for routing @calebdoxsey [GH-748]
forward-auth: support x-forwarded-uri @calebdoxsey [GH-780]
proxy/forward-auth: block expired request prior to 302 @desimone [GH-773]
sessions/state: add nickname claim @BenoitKnecht [GH-755]
state: infer user (user) from subject (sub) @desimone [GH-772]
telemetry: refactor GRPC Server Handler @travisgroth [GH-756]
telemetry: service label updates @travisgroth [GH-802]
xds: add catch-all for pomerium routes @calebdoxsey [GH-789]
xds: disable cluster validation to handle out-of-order updates @calebdoxsey [GH-783]

Documentation

docs: add mTLS recipe @calebdoxsey [GH-807]
docs: add argo recipe @calebdoxsey [GH-803]
docs: update dockerfiles for v0.9.0 @calebdoxsey [GH-801]
docs: typo on configuration doc @kintoandar [GH-800]
docs: docs regarding claim headers @strideynet [GH-782]
docs: update traefik example and add note about forwarded headers @calebdoxsey [GH-784]
docs: add note about unsupported platforms @calebdoxsey [GH-799]
docs: expose config parameters in sidebar @travisgroth [GH-797]
docs: update examples @travisgroth [GH-796]

v0.8.3

Changes

state: infer user (user) from subject (sub) @desimone GH-772
proxy/forward-auth: block expired request prior to 302 @desimone GH-773

v0.8.2

Security

This release includes a fix for a bug that, under certain circumstances, could allow a user with a valid but expired session to resend a request to an upstream application. The repeated request would not return a response, but could reach the upstream application. Thank you to @selaux for reporting this issue! [GH-762]

v0.8.1

Fixed

authorize: fix authorization panic caused by logging a nil reference @desimone [GH-704]

v0.8.0

To see a complete list of changes see the diff.

New

cryptutil: add automatic certificate management @desimone GH-644
implement path-based route matching @calebdoxsey GH-615
internal/identity: implement github provider support @Lumexralph GH-582
proxy: add configurable JWT claim headers @travisgroth (#596)
proxy: remove extra session unmarshalling @desimone (#592)

Changes

ci: Switch integration tests from minikube to kind @travisgroth GH-656
integration-tests: add CORS test @calebdoxsey GH-662
integration-tests: add websocket enabled/disabled test @calebdoxsey GH-661
integration-tests: set_request_headers and preserve_host_header options @calebdoxsey GH-668
pre-commit: add pre-commit configuration @calebdoxsey GH-666
proxy: improve JWT header behavior @travisgroth GH-642

Fixed

authorize: fix authorization check for allowed_domains to only match current route @calebdoxsey GH-624
authorize: fix unexpected panic on reload @travisgroth GH-652
site: fix site on mobile @desimone GH-597

Documentation

deploy: autocert documentation and defaults @travisgroth GH-658

v0.7.5

Fixed

authorize: fix authorization check for allowed_domains to only match current route @calebdoxsey GH-624

v0.7.4

Fixed

pomerium-cli: fix service account cli @desimone GH-613

v0.7.3

Fixed

Upgrade gRPC to 1.27.1 @travisgroth GH-609

v0.7.2

Changes

proxy: remove extra session unmarshalling @desimone GH-592
proxy: add configurable JWT claim headers @travisgroth GH-596
grpcutil: remove unused pkg @desimone GH-593

Fixed

site: fix site on mobile @desimone GH-597

Documentation

site: fix site on mobile @desimone GH-597

Dependency

chore(deps): update vuepress monorepo to v1.4.0 @renovate GH-559

v0.7.1

There were no changes in the v0.7.1 release, but we updated the build process slightly.

v0.7.0

New

*: remove import path comments @desimone GH-545
authenticate: make callback path configurable @desimone GH-493
authenticate: return 401 for some specific error codes @cuonglm GH-561
authorization: log audience claim failure @desimone GH-553
authorize: use jwt instead of state struct @desimone GH-514
authorize: use opa for policy engine @desimone GH-474
cmd: add cli to generate service accounts @desimone GH-552
config: Expose and set default GRPC Server Keepalive Parameters @travisgroth GH-509
config: Make IDP_PROVIDER env var mandatory @mihaitodor GH-536
config: Remove superfluous Options.Checksum type conversions @travisgroth GH-522
gitlab/identity: change group unique identifier to ID @Lumexralph GH-571
identity: support oidc UserInfo Response @desimone GH-529
internal/cryptutil: standardize leeway to 5 mins @desimone GH-476
metrics: Add storage metrics @travisgroth GH-554

Fixed

cache: add option validations @desimone GH-468
config: Add proper yaml tag to Options.Policies @travisgroth GH-475
ensure correct service name on GRPC related metrics @travisgroth GH-510
fix group impersonation @desimone GH-569
fix sign-out bug , fixes #530 @desimone GH-544
proxy: move set request headers before handle allow public access @ohdarling GH-479
use service port for session audiences @travisgroth GH-562

Documentation

fix the typo @ilgooz GH-566
fix kubernetes dashboard recipe docs @desimone GH-504
make from source quickstart @desimone GH-519
update background @desimone GH-505
update helm for v3 @desimone GH-469
various fixes @desimone GH-478
fix cookie_domain @nitper GH-472

Dependency

chore(deps): update github.com/pomerium/autocache commit hash to 6c66ed5 @renovate GH-480
chore(deps): update github.com/pomerium/autocache commit hash to 227c993 @renovate GH-537
chore(deps): update golang.org/x/crypto commit hash to 0ec3e99 @renovate GH-574
chore(deps): update golang.org/x/crypto commit hash to 1b76d66 @renovate GH-538
chore(deps): update golang.org/x/crypto commit hash to 78000ba @renovate GH-481
chore(deps): update golang.org/x/crypto commit hash to 891825f @renovate GH-556
chore(deps): update module fatih/color to v1.9.0 @renovate GH-575
chore(deps): update module fsnotify/fsnotify to v1.4.9 @renovate GH-539
chore(deps): update module go.etcd.io/bbolt to v1.3.4 @renovate GH-557
chore(deps): update module go.opencensus.io to v0.22.3 @renovate GH-483
chore(deps): update module golang/mock to v1.4.0 @renovate GH-470
chore(deps): update module golang/mock to v1.4.3 @renovate GH-540
chore(deps): update module golang/protobuf to v1.3.4 @renovate GH-485
chore(deps): update module golang/protobuf to v1.3.5 @renovate GH-541
chore(deps): update module google.golang.org/api to v0.20.0 @renovate GH-495
chore(deps): update module google.golang.org/grpc to v1.27.1 @renovate GH-496
chore(deps): update module gorilla/mux to v1.7.4 @renovate GH-506
chore(deps): update module open-policy-agent/opa to v0.17.1 @renovate GH-497
chore(deps): update module open-policy-agent/opa to v0.17.3 @renovate GH-513
chore(deps): update module open-policy-agent/opa to v0.18.0 @renovate GH-558
chore(deps): update module prometheus/client_golang to v1.4.1 @renovate GH-498
chore(deps): update module prometheus/client_golang to v1.5.0 @renovate GH-531
chore(deps): update module prometheus/client_golang to v1.5.1 @renovate GH-543
chore(deps): update module rakyll/statik to v0.1.7 @renovate GH-517
chore(deps): update module rs/zerolog to v1.18.0 @renovate GH-507
chore(deps): update module yaml to v2.2.8 @renovate GH-471
ci: Consolidate matrix build parameters @travisgroth GH-521
dependency: use go mod redis @desimone GH-528
deployment: throw away golanglint-ci defaults @desimone GH-439
deployment: throw away golanglint-ci defaults @desimone GH-439
deps: enable automerge and set labels on renovate PRs @travisgroth GH-527
Roll back grpc to v1.25.1 @travisgroth GH-484

v0.6.0

New

authenticate: support backend refresh @desimone GH-438
cache: add cache service @desimone GH-457

Changed

authorize: consolidate gRPC packages @desimone GH-443
config: added yaml tags to all options struct fields @travisgroth GH-394,gh-397
config: improved config validation for shared_secret @travisgroth GH-427
config: Remove CookieRefresh GH-428 @u5surf GH-436
config: validate that shared_key does not contain whitespace @travisgroth GH-427
httputil : wrap handlers for additional context @desimone GH-413
forward-auth: validate using forwarded uri header @branchmispredictor GH-600

Fixed

proxy: fix unauthorized redirect loop for forward auth @desimone GH-448
proxy: fixed regression preventing policy reload GH-396

Documentation

add cookie settings @danderson GH-429
fix typo in forward auth nginx example @travisgroth GH-445
improved sentence flow and other stuff @Rio GH-422
rename fwdauth to be forwardauth @desimone GH-447

Dependency

chore(deps): update golang.org/x/crypto commit hash to 61a8779 @renovate GH-452
chore(deps): update golang.org/x/crypto commit hash to 530e935 @renovate GH-458
chore(deps): update golang.org/x/crypto commit hash to 53104e6 @renovate GH-431
chore(deps): update golang.org/x/crypto commit hash to e9b2fee @renovate GH-414
chore(deps): update golang.org/x/oauth2 commit hash to 858c2ad @renovate GH-415
chore(deps): update golang.org/x/oauth2 commit hash to bf48bf1 @renovate GH-453
chore(deps): update module google.golang.org/grpc to v1.26.0 @renovate GH-433
chore(deps): update module google/go-cmp to v0.4.0 @renovate GH-454
chore(deps): update module spf13/viper to v1.6.1 @renovate GH-423
chore(deps): update module spf13/viper to v1.6.2 @renovate GH-459
chore(deps): update module square/go-jose to v2.4.1 @renovate GH-435

v0.5.0

New

Session state is now route-scoped. Each managed route uses a transparent, signed JSON Web Token (JWT) to assert identity.
Managed routes no longer need to be under the same subdomain! Access can be delegated to any route, on any domain.
Programmatic access now also uses JWT tokens. Access tokens are now generated via a standard oauth2 token flow, and credentials can be refreshed for as long as is permitted by the underlying identity provider.
User dashboard now pulls in additional user context fields (where supported) like the profile picture, first and last name, and so on.

Security

Some identity providers (Okta, Onelogin, and Azure) previously used mutable signifiers to set and assert group membership. Group membership for all providers now use globally unique and immutable identifiers when available.

Changed

Azure AD identity provider now uses globally unique and immutable ID for group membership.
Okta no longer uses tokens to retrieve group membership. Group membership is now fetched using Okta's HTTP API. Group membership is now determined by the globally unique and immutable ID field.
Okta now requires an additional set of credentials to be used to query for group membership set as a service account.
URLs are no longer validated to be on the same domain-tree as the authenticate service. Managed routes can live on any domain.
OneLogin no longer uses tokens to retrieve group membership. Group membership is now fetched using OneLogin's HTTP API. Group membership is now determined by the globally unique and immutable ID field.

Removed

Force refresh has been removed from the dashboard.
Previous programmatic authentication endpoints (/api/v1/token) has been removed and is no longer supported.

Fixed

Fixed an issue where cookie sessions would not clear on error.GH-376

v0.4.2

Security

Fixes vulnerabilities fixed in 1.13.2 including CVE-2019-17596.

v0.4.1

Fixed

Fixed an issue where requests handled by forward-auth would not be redirected back to the underlying route after successful authentication and authorization. GH-363
Fixed an issue where requests handled by forward-auth would add an extraneous query-param following sign-in causing issues in some configurations. GH-366

v0.4.0

New

Allow setting request headers on a per route basis in policy. GH-308
Support "forward-auth" integration with third-party ingresses and proxies. nginx, nginx-ingress, and Traefik are currently supported. GH-324
Add insecure transport / TLS termination support. GH-328
Add setting to override a route's TLS Server Name. GH-297
Pomerium's session can now be passed as a bearer-auth header or query string in addition to as a session cookie.
Add host to the main request logger middleware. GH-308
Add AWS cognito identity provider settings. GH-314

Security

The user's original intended location before completing the authentication process is now encrypted and kept confidential from the identity provider. GH-316
Under certain circumstances, where debug logging was enabled, pomerium's shared secret could be leaked to http access logs as a query param. GH-338

Fixed

Fixed an issue where CSRF would fail if multiple tabs were open. GH-306
Fixed an issue where pomerium would clean double slashes from paths. GH-262
Fixed a bug where the impersonate form would persist an empty string for groups value if none set. GH-303
Fixed HTTP redirect server which was not redirecting the correct hostname.

Changed

The healthcheck endpoints (/ping) now returns the http status 405 StatusMethodNotAllowed for non-GET requests.
Authenticate service no longer uses gRPC.
The global request logger now captures the full array of proxies from X-Forwarded-For, in addition to just the client IP.
Options code refactored to eliminate global Viper state. GH-332
Pomerium will no longer default to looking for certificates in the root directory. GH-328
Pomerium will validate that either insecure_server, or a valid certificate bundle is set. GH-328

Removed

Removed AUTHENTICATE_INTERNAL_URL/authenticate_internal_url which is no longer used.

v0.3.1

Security

Fixes vulnerabilities fixed in Go 1.13.1 including CVE-2019-16276.

v0.3.0

New

GRPC Improvements. GH-261 / GH-69
- Enable WaitForReady to allow background retries through transient failures
- Expose a configurable timeout for backend requests to Authorize and Authenticate
- Enable DNS round_robin load balancing to Authorize and Authenticate services by default
Add ability to set client certificates for downstream connections. GH-259

Fixed

Fixed non-amd64 based docker images.GH-284
Fixed an issue where stripped cookie headers would result in a cookie full of semi-colons (Cookie: ;;;). GH-285
HTTP status codes now better adhere to RFC7235. In particular, authentication failures reply with 401 Unauthorized while authorization failures reply with 403 Forbidden. GH-272

Changed

Pomerium will now strip _csrf cookies in addition to session cookies. GH-285
Disabled gRPC service config. GH-280
A policy's custom certificate authority can set as a file or a base64 encoded blob(tls_custom_ca/tls_custom_ca_file). GH-259
Remove references to service named ports and instead use their numeric equivalent. GH-266

v0.2.1

Security

Fixes vulnerabilities fixed in Go 1.12.8 including CVE-2019-9512, CVE-2019-9514 and CVE-2019-14809.

v0.2.0

New

Telemetry GH-35

Tracing GH-230 aka distributed tracing, provides insight into the full lifecycles, aka traces, of requests to the system, allowing you to pinpoint failures and performance issues.
- Add Jaeger support. GH-230
Metrics provide quantitative information about processes running inside the system, including counters, gauges, and histograms.
- Add informational metrics. GH-227
- GRPC Metrics Implementation. GH-218
  - Additional GRPC server metrics and request sizes
  - Improved GRPC metrics implementation internals
  - The GRPC method label is now 'grpc_method' and GRPC status is now grpc_client_status and grpc_server_status
- HTTP Metrics Implementation. GH-220
  - Support HTTP request sizes on client and server side of proxy
  - Improved HTTP metrics implementation internals
  - The HTTP method label is now http_method, and HTTP status label is now http_status

Changed

GRPC version upgraded to v1.22 GH-219
Add support for large cookie sessions by chunking. GH-211
Prefer curve X25519 to P256 for TLS connections. GH-233
Pomerium and its services will gracefully shutdown on interrupt signal. GH-230
Google now prompts the user to select a user account (by adding select_account to the sign in url). This allows a user who has multiple accounts at the authorization server to select amongst the multiple accounts that they may have current sessions for.

Fixed

Fixed potential race condition when signing requests. GH-240
Fixed panic when reloading configuration in single service mode GH-247

v0.1.0

New

Add programmatic authentication support. GH-177
Add Prometheus format metrics endpoint. GH-35
Add policy setting to enable self-signed certificate support. GH-179
Add policy setting to skip tls certificate verification. GH-179

CHANGED

Policy to and from settings must be set to valid HTTP URLs including schemes and hostnames (e.g. http.corp.domain.example should now be https://http.corp.domain.example).
Proxy's sign out handler {}/.pomerium/sign_out now accepts an optional redirect_uri parameter which can be used to specify a custom redirect page, so long as it is under the same top-level domain. GH-183
Policy configuration can now be empty at startup. GH-190
Websocket support is now set per-route instead of globally. GH-204
Golint removed from amd64 container. GH-215
Pomerium will error if a session cookie is over 4096 bytes, instead of failing silently. GH-212

Fixed

Fixed HEADERS environment variable parsing. GH-188
Fixed Azure group lookups. GH-190
If a session is too large (over 4096 bytes) Pomerium will no longer fail silently. GH-211
Internal URLs like dashboard now start auth process to login a user if no session is found. GH-205.
When set,CookieDomain lets a user set the scope of the user session. CSRF cookies will still always be scoped at the individual route level. GH-181

v0.0.5

New

Add ability to detect changes and reload policy configuration files. GH-150
Add user dashboard containing information about the current user's session. GH-123
Add functionality allowing users to initiate manual refresh of their session. This is helpful when a user's access control details are updated but their session hasn't updated yet. To prevent abuse, manual refresh is gated by a cooldown (REFRESH_COOLDOWN) which defaults to five minutes. GH-73
Add Administrator (super user) account support (ADMINISTRATORS). GH-110
Add feature that allows Administrators to impersonate / sign-in as another user from the user dashboard. GH-110
Add docker images and builds for ARM. GH-95
Add support for public, unauthenticated routes. GH-129

CHANGED

Add Request ID to error pages. GH-144
Refactor configuration handling to use spf13/viper bringing a variety of additional supported storage formats.GH-115
Changed config AUTHENTICATE_INTERNAL_URL to be a URL containing both a valid hostname and schema. GH-153
User state is now maintained and scoped at the domain level vs at the route level. GH-128
Error pages contain a link to sign out from the current user session. GH-100
Removed LifetimeDeadline from sessions.SessionState.
Removed favicon specific request handling. GH-131
Headers are now configurable via the HEADERS configuration variable. GH-108
Refactored proxy and authenticate services to share the same session state cookie. GH-131
Removed instances of extraneous session state saves. GH-131
Changed default behavior when no session is found. Users are now redirected to login instead of being shown an error page.GH-131
Updated routes such that all http handlers are now wrapped with a standard set of middleware. Headers, request id, loggers, and health checks middleware are now applied to all routes including 4xx and 5xx responses. GH-116
Changed docker images to be built from distroless. This fixed an issue with nsswitch GH-97, includes ca-certificates and limits the attack surface area of our images. GH-101
Changed HTTP to HTTPS redirect server to be user configurable via HTTP_REDIRECT_ADDR. GH-103
Content-Security-Policy hash updated to match new UI assets.

Fixed

Fixed websocket support. GH-151
Fixed an issue where policy and routes were being pre-processed incorrectly. GH-132
Fixed an issue where golint was not being found in our docker image. GH-121

v0.0.4

CHANGED

HTTP Strict Transport Security is included by default and set to one year. GH-92
HTTP now redirects to HTTPS. GH-92
Removed extraneous AUTHORIZE_INTERNAL_URL config option since authorization has no public http handlers, only a gRPC service endpoint. GH-93
Removed PROXY_ROOT_DOMAIN config option which is now inferred from AUTHENTICATE_SERVICE_URL. Only callback requests originating from a URL on the same sub-domain are permitted. GH-83
Removed REDIRECT_URL config option which is now inferred from AUTHENTICATE_SERVICE_URL (e.g. https://$AUTHENTICATE_SERVICE_URL/oauth2/callback). GH-83

Fixed

Fixed a bug in the Google provider implementation where the refresh_token. Updated the google implementation to use the new prompt=consent oauth2 parameters. Reported and fixed by @chemhack GH-81

DOCUMENTATION

Added synology tutorial. GH-96
Added certificates documentation. GH-79

v0.0.3

FEATURES

Authorization : The authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: allowed_users, allowed_groups, and allowed_domains. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details.
Group Support : The authenticate service now retrieves a user's group membership information during authentication and refresh. This change may require additional identity provider configuration; all of which are described in the updated docs. A brief summary of the requirements for each IdP are as follows:
- Google requires the Admin SDK to enabled, a service account with properly delegated access, and IDP_SERVICE_ACCOUNT to be set to the base64 encoded value of the service account's key file.
- Okta requires a groups claim to be added to both the id_token and access_token. No additional API calls are made.
- Microsoft Azure Active Directory requires the application be given an additional API permission, Directory.Read.All.
- Onelogin requires the groups was supplied during authentication and that groups parameter has been mapped. Group membership is validated on refresh with the user-info api endpoint.
WebSocket Support : With Go 1.12 pomerium automatically proxies WebSocket requests.

CHANGED

Added LOG_LEVEL config setting that allows for setting the desired minimum log level for an event to be logged. GH-74
Changed POMERIUM_DEBUG config setting to just do console-pretty printing. No longer sets log level. GH-74
Updated generate_wildcard_cert.sh to generate a elliptic curve 256 cert by default.
Updated env.example to include a POLICY setting example.
Added IDP_SERVICE_ACCOUNT to env.example .
Removed ALLOWED_DOMAINS settings which has been replaced by POLICY. Authorization is now handled by the authorization service and is defined in the policy configuration files.
Removed ROUTES settings which has been replaced by POLICY.
Add refresh endpoint ${url}/.pomerium/refresh which forces a token refresh and responds with the json result.
Group membership added to proxy headers (x-pomerium-authenticated-user-groups) and (x-pomerium-jwt-assertion).
Default Cookie lifetime (COOKIE_EXPIRE) changed from 7 days to 14 hours ~ roughly one business day.
Moved identity (authenticate/providers) into its own internal identity package as third party identity providers are going to authorization details (group membership, user role, etc) in addition to just authentication attributes.
Removed circuit breaker package. Calls that were previously wrapped with a circuit breaker fall under gRPC timeouts; which are gated by relatively short timeouts.
Session expiration times are truncated at the second.
Removed gitlab provider. We can't support groups until this gitlab bug is fixed.
Request context is now maintained throughout request-flow via the context package enabling timeouts, request tracing, and cancellation.

Fixed

http.Server and httputil.NewSingleHostReverseProxy now uses pomerium's logging package instead of the standard library's built in one. GH-58

Versioning​

v0.28.0 (2024-11-11)​

New​

Changed​

Bug Fixes​

v0.27.2 (2024-10-22)​

Pomerium Zero​

Fixed​

Changes​

v0.27.1 (2024-09-26)​

Security​

Fixed​

v0.27.0 (2024-09-10)​

What's Changed​

Breaking​

New​

Fixes​

Changed​

Dependency Updates​

v0.26.1 (2024-07-01)​

Security​

Fixed​

v0.26.0 (2024-05-17)​

Breaking​

New​

Fixed​

Changed​

Dependency Updates​

v0.25.2 (2024-04-05)​

Changed​

v0.25.1 (2024-03-13)​

Changed​

v0.25.0 (2024-01-10)​

Breaking​

New​

Fixed​

Changed​

Dependency​

v0.24.0 (2023-11-16)​

Breaking​

New​

Fixed​

Changed​

Dependency​

v0.23.0 (2023-08-24)​

New​

Fixed​

Dependency​

Changed​

v0.22.3 (2023-08-21)​

Changed​

v0.22.2 (2023-05-26)​

Security​

Changed​

v0.22.1 (2023-05-04)​

Changed​

v0.22.0 (2023-05-01)​

Security​

Changed​

New​

Fixed​

Dependency​

v0.21.4 (2023-05-26)​

Security​

Changed​

v0.21.3 (2023-03-23)​

Changed​

v0.21.2 (2023-02-23)​

Changed​

v0.21.1 (2023-02-16)​

Changed​

v0.21.0 (2023-02-09)​

Changed​

Breaking​

New​

Fixed​

Dependency​

v0.20.1 (2023-05-26)​

Security​

Changed​

Versioning

v0.28.0 (2024-11-11)

New

Changed

Bug Fixes

v0.27.2 (2024-10-22)

Pomerium Zero

Fixed

Changes

v0.27.1 (2024-09-26)

Security

Fixed

v0.27.0 (2024-09-10)

What's Changed

Breaking

New

Fixes

Changed

Dependency Updates

v0.26.1 (2024-07-01)

Security

Fixed

v0.26.0 (2024-05-17)

Breaking

New

Fixed

Changed

Dependency Updates

v0.25.2 (2024-04-05)

Changed

v0.25.1 (2024-03-13)

Changed

v0.25.0 (2024-01-10)

Breaking

New

Fixed

Changed

Dependency

v0.24.0 (2023-11-16)

Breaking

New

Fixed

Changed

Dependency

v0.23.0 (2023-08-24)

New

Fixed

Dependency

Changed

v0.22.3 (2023-08-21)

Changed

v0.22.2 (2023-05-26)

Security

Changed

v0.22.1 (2023-05-04)

Changed

v0.22.0 (2023-05-01)

Security

Changed

New

Fixed

Dependency

v0.21.4 (2023-05-26)

Security

Changed

v0.21.3 (2023-03-23)

Changed

v0.21.2 (2023-02-23)

Changed

v0.21.1 (2023-02-16)

Changed

v0.21.0 (2023-02-09)

Changed

Breaking

New

Fixed

Dependency

v0.20.1 (2023-05-26)

Security

Changed