mytoken-server 0.10.1

0.10.1 and 0.10.0 are equivalent

Features

• Add support for notifications:
  • Allows to create email notifications for various things
  • Allows to calendar invites for token expirations
  • Allows to create calendars and add token expirations to it; the ics feed can be subscribed to
  • Allows to manage notifications on the web-interface
• Add "Enforceable Restrictions"
  • Depending on a user attribute different restriction templates can be
    enforced
• Add possibility to have an healthcheck endpoint

Enhancements

• In the tokeninfo pane in the webinterface expired JWTs now get a more precise badge.
• Improved on returning json errors instead of html on api paths
• When not being logged in and no OP was selected now the 'Create new Mytoken' button in the webinterface is disabled.

Bugfixes

• Fixed an issue with parallel access to refresh tokens if token rotation is used; this problem could for example
  occur with EGI-checkin.
• Fixed unwanted behavior: If a profile was used and changes to the mytoken
  spec would be made in the consent screen that would narrow it down, the
  profile would still be applied.
• Fixed problems with the caching implementation.

Other

• Changed CORP settings for /api and /static as this lead to problems with oidc-agent.

Dependencies

• Bump go version from 1.19 to 1.22
• Bump github.com/coreos/go-oidc/v3 from 3.9.0 to 3.11.0
• Bump github.com/gliderlabs/ssh from 0.3.6 to 0.3.7
• Bump github.com/go-resty/resty/v2 from 2.11.0 to 2.16.2
• Bump github.com/go-sql-driver/mysql from 1.8.0 to 1.8.1
• Bump github.com/gofiber/fiber/v2 from 2.52.2 to 2.52.5
• Bump github.com/gofiber/template/mustache/v2 from 2.0.9 to 2.0.12
• Bump github.com/jmoiron/sqlx from 1.3.5 to 1.4.0
• Bump github.com/lestrrat-go/jwx from 1.2.29 to 1.2.30
• Bump github.com/pires/go-proxyproto from 0.7.0 to 0.8.0
• Bump github.com/redis/go-redis/v9 from 9.5.1 to 9.7.0
• Bump github.com/valyala/fasthttp from 1.52.0 to 1.57.0
• Bump golang.org/x/crypto from 0.21.0 to 0.30.0
• Bump golang.org/x/mod from 0.16.0 to 0.22.0
• Bump golang.org/x/oauth2 from 0.18.0 to 0.24.0
• Bump golang.org/x/term from 0.18.0 to 0.27.0

mytoken-server 0.9.2

Packaging

• Fixed mariadb-client dependecy for mytoken-server-migratedb on rpm based distros

Dependencies

• Bump github.com/go-sql-driver/mysql from 1.7.1 to 1.8.0
• Bump github.com/gofiber/fiber/v2 from to 2.52.0 2.52.2
• Bump github.com/gofiber/template/mustache/v2 from 2.0.8 to 2.0.9
• Bump github.com/lestrrat-go/jwx from 1.2.28 to 1.2.29
• Bump github.com/redis/go-redis/v9 from 9.4.0 to 9.5.1
• Bump golang.org/x/crypto from 0.19.0 to 0.21.0
• Bump golang.org/x/mod from 0.15.0 to 0.16.0
• Bump golang.org/x/oauth2 from 0.17.0 to 0.18.0
• Bump golang.org/x/term from 0.17.0 to 0.18.0

mytoken-server 0.9.1

Enhancements

• Improfile includes handling in the webitnerface restrictions editor.

Dependencies

• Bump golang.org/x/oauth2 from 0.15.0 to 0.17.0
• Bump golang.org/x/crypto from 0.17.0 to 0.19.0
• Bump golang.org/x/mod from 0.14.0 to 0.15.0
• Bump github.com/evanphx/json-patch/v5 from 5.7.0 to 5.9.0
• Bump github.com/gofiber/template/mustache/v2 from 2.0.7 to 2.0.8
• Bump github.com/lestrrat-go/jwx from 1.2.27 to 1.2.28
• Bump github.com/gofiber/fiber/v2 from 2.51.0 to 2.52.0
• Bump github.com/redis/go-redis/v9 from 9.3.1 to 9.4.0
• Bump github.com/valyala/fasthttp from 1.51.0 to 1.52.0
• Bump github.com/coreos/go-oidc/v3 from 3.8.0 to 3.9.0
• Bump github.com/gliderlabs/ssh from 0.3.5 to 0.3.6
• Bump github.com/go-resty/resty/v2 from 2.10.0 to 2.11.0
• Bump golang.org/x/term from 0.15.0 to 0.17.0

mytoken-server 0.9.0

Changes

• Changed the tokeninfo history api when used with a mom_id, now multiple mom_ids can be passed in a single
  request. Also, the response now contains the mom_id in the entry object.

Features

• Added experimental support for OpenID Connect federations
• Added "Guest mode" to try mytoken out without using a real OP

API

• Added mom_id parameter to tokeninfo introspection response
• Added mom_id parameter to mytoken responses

Enhancements

• Webinterface: Improved the title / placeholder for the hosts restrictions key in the GUI editor to make it more
  clear that also subnets can be used.
• Webinterface: Changed the login provider selector and added search functionality
• Webinterface: Improved (re-)discovery of mytoken configuration
• Webinterface: Fixed a problem with scope discovery if there was no OP selected.
• Profiles: Improved / Fixed includes in especially restrictions when includes involve arrays.

Bugfixes

• Finally fixed a problem with database times when the database was not set to UTC.
• Fixed a bug where sometimes a 'state mismatch' occured

Dependencies

• Bump golang.org/x/mod from 0.11.0 to 0.14.0
• Bump golang.org/x/oauth2 from 0.9.0 to 0.15.0
• Bump golang.org/x/term from 0.9.0 to 0.15.0
• Bump golang.org/x/crypto from 0.10.0 to 0.16.0
• Bump golang.org/x/net from 0.14.0 to 0.17.0
• Bump github.com/valyala/fasthttp from 1.47.0 to 1.51.0
• Bump github.com/gofiber/fiber/v2 from 2.49.1 to 2.51.0
• Bump github.com/gofiber/template/mustache/v2 from 2.0.4 to 2.0.7
• Bump github.com/lestrrat-go/jwx from 1.2.26 to 1.2.27
• Bump github.com/redis/go-redis/v9 from 9.1.0 to 9.3.0
• Bump github.com/evanphx/json-patch/v5 from 5.6.0 to 5.7.0
• Bump github.com/go-resty/resty/v2 from 2.7.0 to 2.10.0
• Bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1
• Bump github.com/coreos/go-oidc/v3 from 3.6.0 to 3.8.0

mytoken-server 0.8.1

mytoken 0.8.1

Enhancements

• Improved returned transfercodes (do not include l and I)

Bugfixes

• Fixed wrong (negative) expires_at time returned in tokeninfo for tokens without expiration
• Fixed response if token revocation call does not contain token

Dependencies

• Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3
• Bump golang.org/x/term from 0.8.0 to 0.9.0
• Bump github.com/lestrrat-go/jwx from 1.2.25 to 1.2.26
• Bump golang.org/x/crypto from 0.9.0 to 0.10.0
• Bump golang.org/x/mod from 0.10.0 to 0.11.0
• Bump github.com/gofiber/template from 1.8.1 to 1.8.2
• Bump golang.org/x/oauth2 from 0.8.0 to 0.9.0
• Bump github.com/gofiber/fiber/v2 from 2.46.0 to 2.47.0

mytoken-server 0.8.0

mytoken 0.8.0

Features

• Added support for RFC8707 for requesting audience restricted ATs

Changes

• Default behavior for requesting audience restricted ATs is now according to RFC8707; the previous behavor can be
  configured with these options:

  audience:
    use_rfc8707: false
    request_parameter: "audience"
    space_separate_auds: true

API

• When creating a mytoken from a mytoken and it is returned as a transfer code the response now contains the
  mom_id of the created mytoken.

Bugfixes

• Fixed a bug where wrong dates where returned if the database used a different timezone than UTC.
• Fixed a bug in mytoken-migratedb were empty databases could not be setup.

Security Fixes

• Replaced the uuid library; the old library had a security flaw CVE-2021-3538

Dependencies

• Bump golang.org/x/term from 0.5.0 to 0.8.0
• Bump github.com/valyala/fasthttp from 1.44.0 to 1.47.0
• Bump golang.org/x/net from 0.6.0 to 0.7.0
• Bump golang.org/x/crypto from 0.6.0 to 0.9.0
• Bump golang.org/x/oauth2 from 0.5.0 to 0.8.0
• Bump golang.org/x/mod from 0.8.0 to 0.9.0
• Bump github.com/gofiber/helmet/v2 from 2.2.24 to 2.2.25
• Bump github.com/gofiber/template from 1.7.5 to 1.8.0
• Bump github.com/gofiber/fiber/v2 from 2.42.0 to 2.46.0
• Bump github.com/pires/go-proxyproto from 0.6.2 to 0.7.0
• Bump github.com/go-sql-driver/mysql from 1.7.0 to 1.7.1
• Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.2
• Bump github.com/coreos/go-oidc/v3 from 3.5.0 to 3.6.0
• Replaced github.com/satori/go.uuid with github.com/gofrs/uuid

mytoken-server 0.7.2

mytoken 0.7.2

Bugfixes

• Fixed a bug in the webinterface where the metadata discovery was broken.

mytoken-server 0.7.1

mytoken 0.7.1

Bugfixes

• Fixed a bug with the local storage that caused problems with outdated discovery information

mytoken-server 0.7.0

mytoken 0.7.0

Features

• Webinterface has option to show event history for other mytokens in mytoken list.
• Webinterface has a new option in the tokeninfo pane to create a new mytoken with the same properties.
• Added server side profiles and templates
  • Can be used in the API, i.e. mytoken requests can include profiles, the capability, restrictions, and rotation
    claims can use templates
  • Can be used in the webinterface

Enhancements

• Improved responsiveness of webinterface
• Expired mytokens are now greyed-out in webinterface mytoken list
• The database auto-cleanup now only removes mytokens expired more than a month ago.
  • This allows expired tokens to be shown in a mytoken list for extended periods.
  • This also allows to obtain history for expired tokens (by using a mytoken with the manage_mytokens:list
    capability) for a longer time.
  • Mytokens are still directly deleted when revoked.
• Requests from private IPs (e.g. from within the same entwork where the server is located) are now geolocated to
  the country where the server stands.
• The 'Create Mytoken' tab in the webitnerface now supports an r query parameter that takes a base64 encoded
  request from which the form is prefilled.
  • This allows 'create-a-mytoken-with-these-properties' links.

API

• Added profile endpoint:
  • Any user can get list of groups
  • Any user can get profiles, and templates (capabilities, restrictions, rotation) for all the groups
  • Groups credentials are defined in the config file
    • With Basic authentication profiles and templates for the authenticated group can be created, updated, and deleted.
• Renamed revocation_id to mom_id
• Restructured capabilities related to other mytokens
• Added possibility to obtain history information for children and other tokens (capability)
• Added a name for OPs in the supported_providers of the mytoken configuration endpoint

Bugfixes

• Fixed a bug where transfer codes could be used just like a short token (but only while the transfer code did not
  expire)

mytoken-server 0.6.1

mytoken 0.6.1

API

• Changed the restriction ip key to hosts:
  • Backward compatibility is preserved. The legacy key ip is still accepted.
  • The hosts entry can contain:
    • Single ip address
    • Subnet address
    • Host name (with or without wildcard)
      • To compare against this, on request a reverse dns lookup is done for the request's ip address

Enhancements

• Location restriction can now be done with host names, not only plain ip addresses, see above for more details.
• Webinterface: Added message to tokeninfo after MT creation and TC exchange to indicate that users must copy the
  mytoken to persist it.
• Improved code quality

Bugfixes

• Fixed a bug in the web interface where the scope selection indicator for access tokens where not updated.

Dependencies

• Bump go version to 1.19
• Bump golang.org/x/mod from 0.5.1 to 0.7.0
• Bump golang.org/x/crypto to 0.2.0
• Bump golang.org/x/term to 0.2.0
• Bump github.com/gofiber/fiber/v2 from 2.37.1 to 2.39.0
• Bump github.com/gofiber/helmet/v2 from 2.2.16 to 2.2.18