
Releases: lsst-sqre/gafaelfawr

4.1.0

29 Apr 22:05
@rra rra
4.1.0
5396531
  • Support assigning UIDs and GIDs using Google Firestore. When this is enabled, UID and GID information from the upstream OpenID Connect provider or from LDAP is ignored, and instead Gafaelfawr assigns UIDs and GIDs to usernames and group names on first use. UIDs and GIDs for usernames and group names will be retrieved from Firestore on initial authentication if already assigned. Currently, OpenID Connect (via CILogon or a generic server) must be used as the authentication provider to use Google Firestore UID and GID assignment.
  • Add an optional enrollment URL configuration when CILogon or generic OpenID Connect is used with LDAP lookups of the username. If this is set and the sub claim in the ID token does not resolve to a user entry in LDAP, the user will be redirected to this URL instead of an error page.
  • Group information from LDAP is now retrieved dynamically when needed instead of stored with an authentication token, so it will change dynamically if the user's groups change in LDAP. This does not affect the token's scopes, only the group information retrieved by a user-info API request.
  • Support authenticated simple binds to an LDAP server. This requires setting the Helm config.ldap.userDn parameter and adding a new ldap-password secret.
  • Support retrieving the username from LDAP when using an upstream OpenID Connect provider. This is configured with the new config.ldap.usernameBaseDn and config.ldap.usernameSearchAttr Helm parameters.
  • Use the image from the GitHub Container Registry instead of Docker Hub.
  • Update dependencies.

4.0.0

25 Mar 23:09
@rra rra
4.0.0
37f1d8d

As of this release, the only supported mechanism for installing Gafaelfawr is as part of the Vera C. Rubin Science Platform, using Phalanx.

  • The Gafaelfawr token lifetime is now configured with config.tokenLifetimeMinutes instead of config.issuer.expMinutes.
  • The internal OpenID Connect server now puts the numeric UID in a uid_number claim rather than uidNumber for consistency with the naming scheme of other claims.
  • InfluxDB 1.x token generation is now configured with config.influxdb.enabled and config.influxdb.username without the issuer component.
  • Drop support for restricting the upstream OpenID Connect provider to specific key IDs. This prevents upstream key rotation for dubious security benefit given that Gafaelfawr still verifies the issuer URL and then reaches out to its .well-known endpoints to retrieve the public key and verify the key signature.
  • Log token scopes as proper lists instead of space- or comma-separated strings.
  • Return 404 with a proper error if the OpenID Connect server routes are accessed when Gafaelfawr is not configured to act as an OpenID Connect server.
  • Drop support for Python 3.9.
  • Update dependencies.

3.6.0

24 Feb 21:54
@rra rra
3.6.0
ec3b9e6
  • Add support for retrieving the user's numeric UID from LDAP when authenticating with an OpenID Connect provider.
  • Add required dependency for LDAP support to the Docker image.
  • Speed up tests somewhat.
  • Improve the development documentation.
  • Update dependencies.

3.5.0

14 Jan 00:16
@rra rra
3.5.0
792f563
  • Add support for obtaining group membership information from LDAP. Currently, this can only be used in conjunction with the OpenID Connect authentication provider.
  • Add Helm chart support for using a generic OpenID Connect provider for authentication.
  • Update dependencies.

3.4.1

10 Dec 01:10
@rra rra
3.4.1
01fd4d6
  • Fix database initialization with gafaelfawr init, which is also run on pod startup.
  • Update dependencies.

3.4.0

02 Dec 22:08
@rra rra
3.4.0
75521a9
  • Gafaelfawr now uses async SQLAlchemy for all database calls, which avoids latency affecting the whole process when a request requires database queries or writes.
  • Internal and notebook tokens are now acquired, when needed, while holding a per-user cache lock. This means that when a flood of requests that all require a delegated token come in at the same time, a given Gafaelfawr process allows only the first request to proceed and blocks the rest until it completes. All the other requests are then served from the cache. This fixes a deadlock observed in previous versions of Gafaelfawr under heavy load from a single user who does not have a cached delegated token.
  • Update dependencies.
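The per-user cache lock described above is a single-flight pattern: when many concurrent requests for the same user arrive without a cached delegated token, only one request mints the token and the rest wait for the lock and then read the cache. The following is an added illustration of that pattern, not Gafaelfawr's own code; the class and function names (DelegatedTokenCache, CountingMinter, run_flood) and the in-memory stand-in for the token store are assumptions made for the example.

```python
"""Per-user single-flight cache for delegated tokens (added example, not Gafaelfawr code)."""
import asyncio
from collections import defaultdict
from typing import Awaitable, Callable, Dict


class DelegatedTokenCache:
    """Cache delegated tokens per user, minting at most one per user at a time.

    Hypothetical stand-in for the behaviour described in the release notes.
    """

    def __init__(self, create: Callable[[str], Awaitable[str]]) -> None:
        self._create = create  # coroutine that mints a token for a username
        self._tokens: Dict[str, str] = {}
        # One lock per user, created lazily inside the running event loop.
        self._locks: Dict[str, asyncio.Lock] = defaultdict(asyncio.Lock)

    async def get(self, username: str) -> str:
        # Fast path: a cached token is returned without touching the lock.
        token = self._tokens.get(username)
        if token is not None:
            return token
        # Slow path: only the first request for this user mints; others block here.
        async with self._locks[username]:
            # Re-check after acquiring the lock: the request that held it before
            # us has usually filled the cache, so we must not mint again.
            token = self._tokens.get(username)
            if token is None:
                token = await self._create(username)
                self._tokens[username] = token
            return token


class CountingMinter:
    """Slow token minter that records how many times it was called per user."""

    def __init__(self) -> None:
        self.calls: Dict[str, int] = defaultdict(int)

    async def __call__(self, username: str) -> str:
        self.calls[username] += 1
        await asyncio.sleep(0.01)  # simulate the database round trip
        return f"gt-{username}-{self.calls[username]}"


async def _flood(cache: DelegatedTokenCache, username: str, n: int):
    # Issue n requests concurrently, the "flood" scenario from the notes.
    return await asyncio.gather(*(cache.get(username) for _ in range(n)))


def run_flood(n: int = 50) -> tuple:
    """Return (number of distinct tokens handed out, number of mint calls)."""
    minter = CountingMinter()
    cache = DelegatedTokenCache(minter)
    tokens = asyncio.run(_flood(cache, "alice", n))
    return len(set(tokens)), minter.calls["alice"]


if __name__ == "__main__":
    print(run_flood())  # (1, 1): every request got the same token, minted once
```

The second cache lookup inside the lock is the essential part: without it, each waiter would mint its own token after the lock was released, which is exactly the duplicated work the lock is meant to prevent.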

3.3.0

12 Nov 00:38
@rra rra
3.3.0
5cb66e3
  • The Docker image now starts a single async Python process rather than running multiple processes using Gunicorn. This follows the FastAPI upstream recommendations for applications running under Kubernetes. Scaling in Kubernetes is better handled by spawning multiple pods rather than running multiple frontend processes in each pod.
  • Update the base Docker image to Debian bullseye and Python 3.9.
  • Require Python 3.9 or later.
  • Update dependencies.

3.2.1

04 Sep 00:04
@rra rra
3.2.1
a420df2
  • Catch exceptions in the custom resource background thread. Retry up to ten times for Kubernetes exceptions, and crash the entire process on unknown exceptions or more than ten consecutive Kubernetes failures. This prevents a problem where the token update pod continues running and appears to be healthy, but the watcher thread has crashed so it's doing nothing.
  • Switch to aioredis 2.0. Unfortunately, this breaks mockaioredis, so only the Docker tests (which use a real Redis server) can be run for the time being.
  • Update dependencies.
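The retry policy for the custom resource watcher above (retry Kubernetes errors up to ten times, crash the process on anything unknown or on more than ten consecutive failures) is a supervision loop that deliberately prefers a visible crash over a silently dead thread. The example below is added here to show that policy in isolation; it is not Gafaelfawr's code. KubernetesApiError stands in for the real client's exception class, WatcherCrashed, supervise, scripted_watcher and run_scenario are names chosen for the example, and the "scripts" of outcomes are constructed inputs.

```python
"""Supervised background watcher with bounded retries (added example, not Gafaelfawr code)."""
from typing import Callable, List

MAX_CONSECUTIVE_FAILURES = 10


class KubernetesApiError(Exception):
    """Hypothetical stand-in for the exception raised by a Kubernetes client."""


class WatcherCrashed(RuntimeError):
    """Raised when the watcher gives up; the caller should exit so the pod restarts."""


def supervise(watch_once: Callable[[], bool],
              max_failures: int = MAX_CONSECUTIVE_FAILURES) -> int:
    """Drive watch_once until it returns True; return how many retries were needed.

    A KubernetesApiError is retried, but only max_failures times in a row: a
    successful iteration resets the counter. Any other exception, or exceeding
    the limit, raises WatcherCrashed immediately so the whole process dies and
    the liveness of the pod reflects the real state of the watcher.
    """
    consecutive = 0
    retries = 0
    while True:
        try:
            if watch_once():
                return retries
            consecutive = 0  # a completed iteration clears the failure streak
        except KubernetesApiError as exc:
            consecutive += 1
            retries += 1
            if consecutive > max_failures:
                raise WatcherCrashed(
                    f"{consecutive} consecutive Kubernetes failures") from exc
        except Exception as exc:  # unknown bug: do not keep a zombie running
            raise WatcherCrashed(f"unexpected error in watcher: {exc!r}") from exc


def scripted_watcher(script: List[str]) -> Callable[[], bool]:
    """Build a watch_once that replays constructed outcomes: ok, k8s, boom, done."""
    outcomes = iter(script)

    def watch_once() -> bool:
        outcome = next(outcomes)
        if outcome == "k8s":
            raise KubernetesApiError("connection reset by API server")
        if outcome == "boom":
            raise ValueError("bug in event handler")
        return outcome == "done"

    return watch_once


def run_scenario(script: List[str]) -> str:
    """Run one constructed script and describe how the supervisor ended."""
    try:
        retries = supervise(scripted_watcher(script))
        return f"finished after {retries} retries"
    except WatcherCrashed as exc:
        return f"crashed: {exc}"


if __name__ == "__main__":
    print(run_scenario(["k8s"] * 3 + ["ok"] + ["k8s"] * 3 + ["done"]))
    print(run_scenario(["k8s"] * 11))
    print(run_scenario(["ok", "boom"]))
```

The counter is per streak, not per lifetime: a watcher that hits transient API errors every few hours will run indefinitely, while one whose API connection is genuinely broken is killed after eleven failures in a row instead of lingering as a healthy-looking pod.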

3.2.0

14 Jul 22:46
@rra rra
3.2.0
2e37142
  • Return HTML errors from login failures instead of JSON. The HTML is currently entirely unstyled. Add a new Helm configuration option, config.errorFooter, that is included in the HTML of any error message that is shown.
  • Fail authentication and show an error if the user is not a member of any of the groups configured in config.groupMapping.
  • Revoke the GitHub OAuth authorization if the login fails due to no known groups or an invalid username, since in both cases we want to force GitHub to redo the attribute release.
  • HTTP headers are not guaranteed to support character sets other than ASCII, and Starlette forces them to ISO 8859-1. This interferes with correctly passing the user's full name to protected services via HTTP headers. Therefore, drop support for sending the user's full name via X-Auth-Request-Name. The name can still be retrieved from the /auth/api/v1/user-info API endpoint.

3.1.0

06 Jul 19:46
@rra rra
3.1.0
cf07313
  • Correctly handle paginated replies from GitHub for the team membership of a user.
  • On explicit logout (via /logout), revoke the OAuth authorization for the user if they authenticated with GitHub. This forces a re-release of attributes on subsequent authentication, which will make it easier for users to resolve problems with incorrect attribute releases (if, for instance, they attempted to log in before their team membership was complete).
  • Depend on Safir 2.x and drop remaining aiohttp dependency paths. Remove code that is now supplied by Safir. Share one httpx.AsyncClient across all requests and close it when the application is shut down.
  • Fix sorting of tokens retrieved from the admin API to sort by created date before token string.
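GitHub's REST API paginates list responses and advertises the following page in a Link header (rel="next"); a client that reads only the first page silently drops the teams a user belongs to beyond that page. This added example, which is not Gafaelfawr's code, shows a small Link header parser and a loop that follows rel="next" until it is absent. The names parse_link_header, fetch_all_teams and fake_get are chosen for the example, and the three responses in _PAGES are constructed offline stand-ins for the real API (the real client would be an httpx call).

```python
"""Following GitHub Link-header pagination (added example, not Gafaelfawr code)."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Matches one `<url>; rel="name"` entry of an RFC 8288 Link header.
_LINK_RE = re.compile(r'<([^>]+)>\s*;\s*rel="([^"]+)"')


def parse_link_header(value: Optional[str]) -> Dict[str, str]:
    """Map rel names (next, prev, first, last) to their URLs."""
    if not value:
        return {}
    return {rel: url for url, rel in _LINK_RE.findall(value)}


# (JSON body, response headers) as returned by a page fetch.
Page = Tuple[List[dict], Dict[str, str]]


def fetch_all_teams(first_url: str, get: Callable[[str], Page],
                    max_pages: int = 100) -> List[str]:
    """Collect team slugs from every page, following rel="next" until it is absent."""
    teams: List[str] = []
    url = first_url
    for _ in range(max_pages):  # guard against a server that loops forever
        body, headers = get(url)
        teams.extend(team["slug"] for team in body)
        url = parse_link_header(headers.get("Link")).get("next")
        if url is None:
            return teams
    raise RuntimeError(f"pagination did not terminate within {max_pages} pages")


# Constructed responses standing in for api.github.com; per_page=2 keeps them short.
BASE = "https://api.github.com/user/teams"
_PAGES: Dict[str, Page] = {
    f"{BASE}?per_page=2": (
        [{"slug": "admins"}, {"slug": "devs"}],
        {"Link": f'<{BASE}?per_page=2&page=2>; rel="next", '
                 f'<{BASE}?per_page=2&page=3>; rel="last"'},
    ),
    f"{BASE}?per_page=2&page=2": (
        [{"slug": "ops"}, {"slug": "science"}],
        {"Link": f'<{BASE}?per_page=2&page=3>; rel="next", '
                 f'<{BASE}?per_page=2&page=1>; rel="first"'},
    ),
    f"{BASE}?per_page=2&page=3": (
        [{"slug": "qa"}],
        {"Link": f'<{BASE}?per_page=2&page=1>; rel="first", '
                 f'<{BASE}?per_page=2&page=2>; rel="prev"'},  # no next: last page
    ),
}


def fake_get(url: str) -> Page:
    """Offline stand-in for an HTTP GET against the constructed pages above."""
    return _PAGES[url]


def example() -> List[str]:
    return fetch_all_teams(f"{BASE}?per_page=2", fake_get)


if __name__ == "__main__":
    print(example())  # ['admins', 'devs', 'ops', 'science', 'qa']
```

Only rel="next" drives the loop; rel="last" is informational and is not needed for correctness, which matters because some endpoints omit it.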