Releases: membrane/api-gateway

v5.5.1

21 May 10:19

Fixes:

  • fixed automatic release to Docker Hub: docker run predic8/membrane

v5.5.0

17 May 14:24

Changelog

  • Added useXForwardedForAsClientAddr Flag to <accessControl>
    • Allows the last entry in the X-Forwarded-For header to be used as the client address

v5.4.1

28 Mar 18:30

Improvements:

  • added option <openapi validateSecurity="yes"> to be able to selectively disable OpenAPI security validation (not advised ;-)
  • added support for OpenID Connect RP-Initiated Logout 1.0, which will log the user out at the Authorization Server, if the server supports it

Fixes:

  • upgraded dependencies

Unfortunately, the Docker image build process is currently broken: predic8/membrane:5.4.1 is therefore not working at the moment. Please build your own Docker image in the meantime.

v5.4.0

21 Mar 12:49

Changes since 5.3.5:

  • fixed combination of B2C and refreshing access tokens
  • upgraded dependencies

Features:

  • added <apiDocs/> aggregating API documentation from OpenAPI definitions across service proxies
  • <openapi/> now validates scopes from various sources (e.g. API keys, JWT tokens, OAuth2 (also using JWT tokens))

Fixes:

  • OpenAPI Validation: use most specific body schema for validation
  • fixed <requireAuth errorStatus="..."/> by adding Content-Length: 0 to the response
  • OAuth2: avoid session creation where none is needed
  • minor access log fixes
  • upgraded dependencies
  • test fixes

Unfortunately, the Docker image build process is currently broken: predic8/membrane:5.4.0 is therefore not working at the moment. Please build your own Docker image in the meantime.

v5.3.5

11 Mar 13:05

Fixes since 5.3.4:

  • fixed combination of B2C and refreshing access tokens
  • upgraded dependencies

v5.3.4

08 Mar 12:34

Changes since 5.3.3:

  • improved OpenTelemetry reporting (changes in <openTelemetry> configuration)
  • improved several problem URIs

Fixes:

  • upgraded dependencies
  • OpenAPI: support nested types
  • added prometheus example
  • support <requireAuth required="false" .../> to skip authentication, if no token is present
  • support <requireAuth errorStatus="401" .../> to return specific error code on authentication failure
  • support <oAuth2Resource2 afterErrorUrl="/foo" .../> to send user to error page after error during login
  • support <oAuth2Resource2 onlyRefreshToken="true" .../> to allow Authorization Server to return no access token (only a refresh token)
  • support <requireAuth scope="foo" oauth2="oauth2"/> and <requireAuth scope="bar" oauth2="oauth2"/> to request multiple access tokens from Authorization Server

v5.3.3

26 Feb 07:41

Changes:

  • <oauth2Resource2/> and <jwtAuth/> now fully support using an HTTP proxy to access the OAuth2 authorization server
  • <oauth2Resource2/> now prefers the form code POST, if it is offered by the OAuth2 authorization server
  • <loginParameter/>s can be specified per-<requireAuth/>
  • added workaround for Microsoft B2C not adhering to OIDC standard

Improvements:

  • several test fixes
  • upgraded several dependencies and Docker base image

v5.3.2

12 Feb 14:28

Improvements:

  • APIKey example tests

Bug fixes:

v5.3.1

06 Feb 09:48

Changes:

  • Memcached as Session and OriginalRequest Storage
  • OAuth2Resource2Interceptor
    • Changes in Attribute/Child Element Configuration
    • Support additional Parameters
    • Support B2C UserFlows
    • Support Logout Endpoint

Fixes:

  • SessionManagers handle multiple Cookies

v5.2.1

30 Jan 16:16

Changes:

  • OpenAPI: added parameter validation (query parameters, HTTP headers)
  • OpenAPI: added a JSON:API compatible endpoint returning the list of APIs
  • OpenAPI: allow trailing slashes
  • added OpenTelemetry support
  • <accessControl>: RegEx & CIDR support
  • <log>: also log ABORTed exchanges
  • default variables for scripting contexts (Groovy, Javascript) are now standardized and documented on http://membrane-api.io/plugins/scripting.html
  • migrated JKS keystores to PKCS12

Fixes:

  • <prometheus>: added code="200" label, making metrics unique
  • made rest2soap work with HTTPS
  • several fixes from automated code analysis
  • improved examples
  • smaller fixes
  • code cleanup
  • dependency upgrade: logback-classic to 1.3.12, Spring to 6.0.16