Releases: istio-ecosystem/authservice
v1.1.0
Authservice 1.1.0 fixes several CVEs and brings several new features:
- Added Token Exchange support: This release adds support for the OAuth2 Token Exchange flow. This can be used to exchange the token retrieved from the Identity provider for an internal token suitable for accessing internal services. This is a useful flow when the token obtained directly from the Identity Provider doesn't have access to all the services behind the Authservice.
- Redis connection parameters: In this release, the configuration has been enhanced to allow setting the Redis connection options when using Redis as a session store. This can be used to better configure Redis credentials or mTLS certificates.
- Better file watching: The watchers that watch for changes to files have been optimized. In previous releases, they were periodically loaded at a fixed interval. In this release, this has been refactored, and now the changes to watched files (client secret, redis credentials, OIDC CA files, etc) will be automatically reflected as they happen.
- CVE fixes:
Detailed Changelog
- Bump Go to fix CVE-2025-22866 by @nacx in #272
- Bump to Go 1.24 by @nacx in #273
- Bump golang.org/x/net from 0.35.0 to 0.36.0 by @dependabot[bot] in #274
- Bump github.com/redis/go-redis/v9 from 9.7.0 to 9.7.3 by @dependabot[bot] in #275
- fix logr configuration by @nacx in #276
- chore: auto-generate configuration docs by @nacx in #277
- Do not log secret value in secret reconcile by @nacx in #278
- Bump Go to 1.24.2 to fix CVE-2025-22871 by @nacx in #279
- Bump golang.org/x/net from 0.36.0 to 0.38.0 by @dependabot[bot] in #280
- chore: upgrade to buf v2 and use native go tools by @nacx in #281
- Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 by @dependabot[bot] in #285
- Add ability to set cookie properties per OIDCConfig by @basvanbeek in #286
- CVE: bump golang to 1.24.4 to fix several CVEs by @nacx in #287
- Bump github.com/go-chi/chi/v5 from 5.2.1 to 5.2.2 by @dependabot[bot] in #288
- Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 by @dependabot[bot] in #290
- Bump golang.org/x/oauth2 from 0.26.0 to 0.27.0 by @dependabot[bot] in #291
- Implement OAuth2 Token Exchange to fetch tokens from internal authorization servers by @nacx in #292
- Generalize secret controller by @nacx in #293
- Fix CVE-2025-47907 by @nacx in #295
- Add support for POST client authentication method by @ilgatnau and @nacx in #296
- Add options to configure TLS and mTLS connections to Redis by @nacx in #294
- Unify file watching strategy in TLS config pool by @nacx in #297
New Contributors 🎉
- @basvanbeek made their first contribution in #286
- @ilgatnau made the first contribution adding support for using POST as a client auth method.
Full Changelog: v1.0.4...v1.1.0
v1.0.4
This is a patch release to fix CVE-2024-45337 and CVE-2024-45338.
What's Changed
- Bump golang.org/x/crypto from 0.21.0 to 0.31.0 by @dependabot in #269
- Fix CVE-2024-45338 by @nacx in #270
- Update copyright headers by @nacx in #271
Full Changelog: v1.0.3...v1.0.4
v1.0.3
Authservice 1.0.3 adds support for PKCE in the Authorization Code Grant Flow. Thanks @gdasson for your contribution! More details about PKCE can be found here:
https://oauth.net/2/pkce/
https://blog.postman.com/what-is-pkce/
It also comes with a change to not allow Client IDs to have the ':' character, as it breaks client authentication when calling the token endpoint. This is now properly validated, and a configuration with such a Client ID is rejected.
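Why a ':' in the Client ID breaks client authentication, as an added Go example (not authservice's own code) that assumes the client authenticates to the token endpoint with HTTP Basic: the header carries base64(id:secret) and the receiver splits on the first ':'. The names `validateClientID` and `basicAuthRoundTrip`, the URL and the credentials are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// validateClientID is a hypothetical config check: reject IDs containing ':'.
func validateClientID(id string) error {
	if strings.Contains(id, ":") {
		return fmt.Errorf("client ID %q must not contain ':'", id)
	}
	return nil
}

// basicAuthRoundTrip encodes the credentials the way an HTTP Basic client does
// and returns what the receiving side parses back out of the header.
func basicAuthRoundTrip(clientID, clientSecret string) (string, string, error) {
	// Constructed URL; the request is only built, never sent.
	req, err := http.NewRequest(http.MethodPost, "https://idp.example.test/token", nil)
	if err != nil {
		return "", "", err
	}
	req.SetBasicAuth(clientID, clientSecret) // base64(clientID + ":" + clientSecret)
	user, pass, ok := req.BasicAuth()        // splits on the first ':'
	if !ok {
		return "", "", errors.New("missing or malformed Authorization header")
	}
	return user, pass, nil
}

func main() {
	// Constructed sample credentials.
	for _, id := range []string{"orders-app", "tenant:orders-app"} {
		user, pass, _ := basicAuthRoundTrip(id, "s3cret")
		fmt.Printf("configured=%q parsed id=%q secret=%q valid=%v\n",
			id, user, pass, validateClientID(id) == nil)
	}
}
```

With the second ID the receiver sees client `tenant` with secret `orders-app:s3cret`, so authentication fails even though the configured secret is correct; rejecting the ID at configuration time surfaces the problem before any token request is made.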
Detailed Changelog
- Validate that clientId does not contain ':' by @nacx in #266
- chore: use a better maintained and more flexible license checker tool by @nacx in #267
- Add support for PKCE by @gdasson in #265
New Contributors
Full Changelog: v1.0.2...v1.0.3
v1.0.2
This is a small bugfix release that includes fixes for several CVEs.
What's Changed
- Upgrade to Go 1.22.4 by @nacx in #260
- Upgrade to Go 1.22.5 to fix CVE-2024-24791 by @nacx in #261
- Upgrade to Go 1.23.1 by @nacx in #264
Full Changelog: v1.0.1...v1.0.2
v1.0.1
This is a bugfix release that includes fixes for several CVEs as well as fixes for small regressions introduced in v1.0.0.
In addition to the bug fixes, it also comes with the following added features:
- Reduces the number of requests to the OIDC well-known endpoint.
- Added support for retrieving the end-session endpoint from the OIDC Discovery endpoint.
- Enhanced identity Provider logging. Starting on v1.0.1 you can enable the idp logger at debug level to show all the requests and responses exchanged with the identity Provider in the authservice logs. Use with caution and only for debugging purposes, as these logs may contain sensitive information.
- Added examples to help getting started with authservice and Istio.
- Configured a nightly vulnerability scan job to report new vulnerabilities to the GitHub Code Scanning page.
Detailed changelog
- Allow customizing the Istio version to use in the e2e tests by @nacx in #243
- Upgrade Go to 1.22.2 to get rid of CVE-2023-45288 by @nacx in #244
- Configure nightly vulnerability scans and report upload by @nacx in #245
- Infer the JWS signing algorithm name by looking at the provided key by @erik-h in #247
- Use the OIDC Discovery end session endpoint if present by @nacx in #249
- Add a logger to log the calls to the Identity Provider by @nacx in #250
- Cache well-known responses to avoid making too much calls to the IdP by @nacx in #251
- Add minimal examples to make it easier to get started by @nacx in #252
- Bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #253
- Fix scan job configuration by @nacx in #254
- Update code owners by @nacx in #248
- Update protoc-gen-go comment to fix make check by @sergicastro in #257
- Validate token_type case-insensitively by @jojonium in #256
- Fix flaky file watcher test by @sergicastro in #258
New Contributors
We want to thank our new contributors for taking the time to report issues, implement, and contribute the fixes. Thank you! 🙇‍♂️
Full Changelog: v1.0.0...v1.0.1
v1.0.0
authservice 1.0.0
This is the first release of the Go rewrite of the authservice! 🚀
This is a full rewrite of the project in pure Go, to improve code readability, testability, quality, and the overall maintainability of the project. It provides feature parity with the original project, and the Docker images that are published on the project's GitHub Docker registry can be used as a drop-in replacement for the old authservice ones.
This project adds extensive code coverage, several end-to-end test suites that verify the correct behavior of the supported OIDC flows, as well as a compatibility suite that runs with both images, the Go-based authservice and the old C++ authservice to make sure backward-compatibility is not broken.
In addition to the extensive tests and feature parity, this first release of the Go authservice fixes the following issues:
- Add integration tests that can run in CI
- Allow configuration of endpoints by configuring the OIDC Provider's well-known endpoint
- CI could automatically build container images on every commit to master which passes unit tests
- Update base image of Authservice container image
- Change the inline OIDC client configuration to reference of a k8s secret
- How to set the client secret from an existing kubernetes secret?
Check it out!
- Use the Docker image right away.
- Or read the Development Guide and start contributing!
Initial contributors
The first release of the Go rewrite of the authservice has been crafted with a lot of dedication and work from @zhaohuabing, @sergicastro, and @nacx, and thoroughly tested by @sbko. Thank you all for your contributions!
Full release changelog: https://github.com/istio-ecosystem/authservice/commits/v1.0.0
0.5.3-rc1
What's Changed
- Move the VERSION env to GITHUB_ENV. by @incfly in #221
- Fix the unmatched request handling by set the grpc status in payload. by @incfly in #223
- clean the commented out code. by @incfly in #224
- Use @envoy//bazel:boringssl by @dio in #228
- http: Ignore X509_R_CERT_ALREADY_IN_HASH_TABLE by @dio in #230 #220
- Enable FIPS for Linux only by @dio in #231
Full Changelog: 0.5.1...0.5.3-rc1
0.5.3
What's Changed
- Move the VERSION env to GITHUB_ENV. by @incfly in #221
- Fix the unmatched request handling by set the grpc status in payload. by @incfly in #223
- clean the commented out code. by @incfly in #224
- Use @envoy//bazel:boringssl by @dio in #228
- http: Ignore X509_R_CERT_ALREADY_IN_HASH_TABLE by @dio in #230 #220
- Enable FIPS for Linux only by @dio in #231
Full Changelog: 0.5.1...0.5.3
0.5.2
Merge github.com:istio-ecosystem/authservice into release-0.5
0.5.2-rc1
Fix the unmatched request handling by set the grpc status in payload.…