|
1 | 1 | Release Notes
|
2 | 2 | =============
|
3 | 3 |
|
| 4 | +0.15.0 |
| 5 | +------ |
| 6 | + |
| 7 | +### Added OAuth Client Assertion support |
| 8 | + |
| 9 | +Allows clients to authenticate to authorization server by using client assertion as specified by https://www.rfc-editor.org/rfc/rfc7523 and https://www.rfc-editor.org/rfc/rfc7521. |
| 10 | +The assertion can be provided by an external mechanism and available as a file on the file system or it can be explicitly set through OAuth configuration before running the Kafka client. |
| 11 | + |
| 12 | +Introduced the following new configuration options: |
| 13 | +- `oauth.client.assertion` |
| 14 | +- `oauth.client.assertion.location` |
| 15 | +- `oauth.client.assertion.type` |
| 16 | + |
| 17 | +See [PR 211](https://github.com/strimzi/strimzi-kafka-oauth/pull/211) |
| 18 | + |
| 19 | +### Added support for clients to read access token and refresh token from a file when authenticating |
| 20 | + |
| 21 | +Introduced the following new configuration options: |
| 22 | +- `oauth.refresh.token.location` |
| 23 | +- `oauth.access.token.location` |
| 24 | + |
| 25 | +See [PR 211](https://github.com/strimzi/strimzi-kafka-oauth/pull/211) |
| 26 | + |
| 27 | +### Added support for bearer token authentication when connecting to protected authorization server endpoints |
| 28 | + |
| 29 | +This is used by broker when connecting to JWKS and Introspection endpoints. Added to support talking to the Kubernetes API server's JWKS endpoint. |
| 30 | + |
| 31 | +Introduced the following new configuration options: |
| 32 | +- `oauth.server.bearer.token` |
| 33 | +- `oauth.server.bearer.token.location` |
| 34 | + |
| 35 | +The authentication configuration rules for configuring the introspection endpoint have been relaxed. |
| 36 | +Introspection endpoint can now be unprotected (no authentication configured on the listener) or it can be protected with |
| 37 | +`oauth.client.id` and `oauth.client.secret` to send `Basic` `Authorization` header or with the `oauth.server.bearer.token` or |
| 38 | +`oauth.server.bearer.token.location` when sending `Bearer` `Authorization` header. |
| 39 | + |
| 40 | +JWKS endpoint can now also be protected in the same way. |
| 41 | + |
| 42 | +See [PR 217](https://github.com/strimzi/strimzi-kafka-oauth/pull/217) |
| 43 | + |
| 44 | +### Fixed NullPointerException that occurred when OAuthKafkaPrincipalBuilder was used with Kerberos authentication |
| 45 | + |
| 46 | +See [PR 207](https://github.com/strimzi/strimzi-kafka-oauth/pull/207) |
| 47 | + |
| 48 | +### Fixed a user id extraction bug where `oauth.fallback.username.prefix` was ignored, and added `oauth.username.prefix` |
| 49 | + |
| 50 | +A bug was introduced in 0.13.0 that resulted in `oauth.fallback.username.prefix` being ignored. This PR fixes that. |
| 51 | + |
| 52 | +A new configuration option is introduced: `oauth.username.prefix`. |
| 53 | + |
| 54 | +This allows for the consistent mapping of user ids into the same name space and may be needed to prevent name collisions. |
| 55 | + |
| 56 | +See [PR 230](https://github.com/strimzi/strimzi-kafka-oauth/pull/230) |
| 57 | + |
| 58 | +### Added support for SASL extension parameters |
| 59 | + |
| 60 | +Adds support for passing SASL extensions via OAuth configuration options, by using a prefix: `oauth.sasl.extension.` |
| 61 | + |
| 62 | +If Kafka Broker uses some other custom `OAUTHBEARER` implementation, it may require SASL extensions options to be sent by the Kafka client. |
| 63 | + |
| 64 | +See [PR 231](https://github.com/strimzi/strimzi-kafka-oauth/pull/231) |
| 65 | + |
4 | 66 | 0.14.0
|
5 | 67 | ------
|
6 | 68 |
|
|
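Review bot: The `oauth.username.prefix` entry (new lines 48-56) does not say which user ids receive the prefix or how it interacts with `oauth.fallback.username.prefix`, so "consistent mapping of user ids into the same name space" leaves a reader unable to tell whether enabling it changes the principal names their existing authorization rules refer to. Please add a sentence stating which ids are prefixed, and note whether upgrading from 0.13.0/0.14.0 changes the resulting user ids now that `oauth.fallback.username.prefix` is honoured again. "This PR fixes that." on new line 50 reads as commit text rather than release notes; "Fixed in this release." would fit better. The new file-based options (`oauth.client.assertion.location`, `oauth.access.token.location`, `oauth.refresh.token.location`, `oauth.server.bearer.token.location`) also do not say whether the file is re-read on each authentication or only once at startup, which matters when an external mechanism rotates the token or assertion; one sentence on that in each entry would help.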