Skip to content

Releases: tinyauthapp/tinyauth

v5.1.1-rc.1

v5.1.1-rc.1 Pre-release
Pre-release

Choose a tag to compare

@steveiliop56 steveiliop56 released this 16 Jul 14:21
04a06ec
chore: use blue color for totp generate

v5.1.1

v5.1.1 Pre-release
Pre-release

Choose a tag to compare

@steveiliop56 steveiliop56 released this 16 Jul 22:19
ac8703e

Tinyauth v5.1.1

Small patch fix release, contains fixes for #1011 and #1009.

Fixes

  • Abstain when OAuth whitelist is empty in ACLs @wwhsaber
  • Don't fail app on label provider initialization failure
  • Fix LDAP user lookup in basic-auth @tsushanth

New Contributors

Full Changelog: v5.1.0...v5.1.1

v5.1.0

Choose a tag to compare

@steveiliop56 steveiliop56 released this 15 Jul 13:51
9eabfe8

Tinyauth v5.1.0

Hey everyone, this is Tinyauth v5.1.0, and Tinyauth is now officially OpenID Connect™ Certified thanks to the amazing help of @Rycochet and @scottmckendry. Additionally, this release brings a lot of improvements in access controls (deny-by-default and Kubernetes yay!), LDAP and general UX improvements. It also addresses some important security vulnerabilities (1, 2, 3) that were responsibly disclosed by our amazing community. Have fun ;)

OpenID Certified

yep, we using that everywhere now

Note

Tinyauth has moved! All repositories now live under the new Tinyauth organization. Pull the new image from ghcr.io/tinyauthapp/tinyauth. The old image under my personal account will no longer be updated, so switch over when you can.

Note

The config file is now a stable feature. Please switch your configuration file flag to --configfile (or TINYAUTH_CONFIGFILE for environment variables).

Warning

This release contains security fixes. Please update as soon as possible.

Warning

Tinyauth v5.1.0 includes some hardening in the trusted proxies. In case you are using any of the IP ACLs, you may need to specify your proxy IP in TINYAUTH_AUTH_TRUSTEDPROXIES.

New Features

Authentication & Access Controls

  • Support for authentication through Tailscale
  • Deny-by-default access controls
  • Annotation-based access controls in Kubernetes @contre95
  • Global bypass by IP @scottmckendry
  • Provider-specific OAuth whitelists @puneetdixit200
  • OAuth whitelist file support @djedditt
  • Allow for NO_PROXY, HTTP_PROXY and HTTPS_PROXY for OAuth requests @florianilch

OpenID Connect

  • Expose all OpenID Connect claims through user attributes @scottmckendry
  • Run Tinyauth on a top-level domain to use it as a standalone OIDC provider @jacekkow
  • POST request support on the OIDC authorize endpoint
  • WebFinger support
  • Support for prompt parameter in OIDC
  • Support for max_age in OIDC

Database & Config

  • PostgreSQL as a database backend @scottmckendry
  • LDAP bind password file support @Rycochet
  • Config file loading is now stable, you will need to rename your CLI flag from --experimental.configfile to --configfile
  • Option to disable lockdown mode
  • Attempt to reconnect to LDAP server on start-up
  • Support for anonymous LDAP bind @nv6

Frontend

  • Merge language and theme selector in new quick actions menu

Improvements

  • Preserve login parameters throughout the frontend
  • Graceful shutdown on SIGTERM
  • Pass through the LDAP mail attribute instead of crafting one when it's available
  • Rework CLI commands for simpler and more intuitive output

Fixes

  • Fix open redirect vulnerability in the OpenID Connect server @Dredsen
  • Use the loaded public key in the OpenID Connect server when available @Dredsen
  • Fix lax trusted proxies configuration in IP ACLs
  • Remove lockdown mode and rework rate-limiting

Technical

  • Rework dependency injection with Dig
  • Rework the user context middleware
  • Rework frontend user/app context API paths (changes in /api/context/app and /api/context/user)
  • Switch package manager from Bun to PNPM
  • Update dependencies and translations

New Contributors

Full Changelog: v5.0.7...v5.1.0

v5.1.0-rc.3

v5.1.0-rc.3 Pre-release
Pre-release

Choose a tag to compare

@steveiliop56 steveiliop56 released this 15 Jul 12:32
dade1e2
refactor: rework rate limit logic (#1008)

nightly

nightly Pre-release
Pre-release

Choose a tag to compare

@github-actions github-actions released this 16 Jul 00:36
84117ce
chore: remove star history from readme

v5.1.0-rc.2

v5.1.0-rc.2 Pre-release
Pre-release

Choose a tag to compare

@steveiliop56 steveiliop56 released this 14 Jul 13:57
c22925c
fix: use constant time in user checks (#1004)

v5.1.0-rc.1

v5.1.0-rc.1 Pre-release
Pre-release

Choose a tag to compare

@steveiliop56 steveiliop56 released this 10 Jul 21:32
11b534a
chore: add 1 day cooldown for dependabot updates

v5.1.0-beta.5

v5.1.0-beta.5 Pre-release
Pre-release

Choose a tag to compare

@steveiliop56 steveiliop56 released this 08 Jul 23:01
464769c
chore(deps): bump docker/setup-buildx-action from 4.1.0 to 4.2.0 (#967)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

v5.1.0-beta.4

v5.1.0-beta.4 Pre-release
Pre-release

Choose a tag to compare

@steveiliop56 steveiliop56 released this 06 Jul 20:53
73cc480
feat: improve binary size with build tags (#976)

v5.1.0-beta.3

v5.1.0-beta.3 Pre-release
Pre-release

Choose a tag to compare

@steveiliop56 steveiliop56 released this 03 Jul 13:58
6ab9c0a
feat: log warning when experimental features are enabled