OpenID Connect変更履歴 - Plugin - v3.7.x

古いプラグインバージョンのドキュメントを閲覧しています。

Changelog

Added support for Redis caching introspection results with the new fields cluster_cache_strategy and cluster_cache_redis. When configured, the plugin will share the token introspection response cache across nodes configured to use the same Redis database.
Added the claims_forbidden property to restrict access.
Fixed an issue where anonymous consumers could be cached as nil under a certain condition.
Updated the rediscovery to use a short lifetime (5s) if the last discovery failed.
Fixed an issue where using_pseudo_issuer didn’t work when sending PATCH requests.

Added support for DPoP (Demonstrating Proof-of-Possession) token validation. You can enable it using the configuration parameter proof_of_possession_dpop.
Added support for JWT Secured Authorization Requests (JAR) on Authorization and Pushed Authorization (PAR) endpoints. See the configuration parameter require_signed_request_object.
Added support for JARM response modes: query.jwt, form_post.jwt, fragment.jwt, and jwt.

Features:

The configuration parameters scopes, login_redirect_uri, logout_redirect_uri, and introspection_headers_values can now be referenced as secrets in the Kong Vault.
Extended the token_post_args_client configuration parameter to support injection from headers.
Added support for explicit proof key for code exchange (PKCE).
Added support for pushed authorization requests (PAR).
Added support for the tls_client_auth and self_signed_tls_client_auth authentication methods, allowing mTLS client authentication with the IdP.

Fixes:

Fixed logout URI suffix detection by using the normalized version of kong.request.get_forwarded_path() instead of ngx.var.request_uri, especially when passing query strings to logout.
The introspection_headers_values configuration parameter can now be encrypted.
Removed the unwanted argument ignore_signature.userinfo from the userinfo_load function.
Added support for consumer group scoping by using the PDK kong.client.authenticate function.
Fixed the cache key collision when config issuer and extra_jwks_uris contain the same URI.
The plugin now correctly handled boundary conditions for token expiration time checking.
The plugin now updates the time when calculating token expiration.

Added the new field unauthorized_destroy_session. When set to true, it destroys the session when receiving an unauthorized request by deleting the user’s session cookie.
Added the new field using_pseudo_issuer. When set to true, the plugin instance will not discover configuration from the issuer.
Added support for public clients for token revocation and introspection.
Added support for designating parameter names introspection_token_param_name and revocation_token_param_name.
Added support for mTLS proof of possession. The feature is available by enabling proof_of_possession_mtls.

This plugin now supports the error reason header. This header can be turned off by setting expose_error_code to false.
OpenID Connect now supports adding scope to the token cache key by setting token_cache_key_include_scope to true.
Changed some log levels from notice to error for better visibility.
Correctly set the right table key on log and message.
If an invalid opaque token is provided but verification fails, the plugin now prints the correct error.

The plugin has been updated to use version 4.0.0 of the lua-resty-session library which introduced several new features such as the possibility to specify audiences. The following configuration parameters have been affected:

Added:

Renamed:

authorization_cookie_lifetime to authorization_rolling_timeout
authorization_cookie_samesite to authorization_cookie_same_site
authorization_cookie_httponly to authorization_cookie_http_only
session_cookie_lifetime to session_rolling_timeout
session_cookie_idletime to session_idling_timeout
session_cookie_samesite to session_cookie_same_site
session_cookie_httponly to session_cookie_http_only
session_memcache_prefix to session_memcached_prefix
session_memcache_socket to session_memcached_socket
session_memcache_host to session_memcached_host
session_memcache_port to session_memcached_port
session_redis_cluster_maxredirections to session_redis_cluster_max_redirections

Removed:

Added the session_redis_username and session_redis_password configuration parameters.

These parameters replace the session_redis_auth field, which is now deprecated and planned to be removed in 3.x.x.
Added the resolve_distributed_claims configuration parameter.
The client_id, client_secret, session_secret, session_redis_username, and session_redis_password configuration fields are now marked as referenceable, which means they can be securely stored as secrets in a vault. References must follow a specific format.

Starting with Kong Gateway 2.7.0.0, if keyring encryption is enabled, the config.client_id, config.client_secret, config.session_auth, and config.session_redis_auth parameter values will be encrypted.

Additionally, the d, p, q, dp, dq, qi, oth, r, t, and k fields inside openid_connect_jwks.previous[...]. and openid_connect_jwks.keys[...] will be marked as encrypted.

There’s a bug in Kong Gateway that prevents keyring encryption from working on deeply nested fields, so the encrypted=true setting does not currently have any effect on the nested fields in this plugin.
The plugin now allows Redis cluster nodes to be specified by hostname through the session_redis_cluster_nodes field, which is helpful if the cluster IPs are not static.

The OpenID Connect plugin can now handle JWT responses from a userinfo endpoint.
Added support for JWE introspection.
Added a new parameter, by_username_ignore_case, which allows consumer_by username values to be matched case-insensitive with identity provider (IdP) claims.

前へ OpenID Connect with Okta