NEWS for Qvisqve
=============================================================================

This file has release notes for Qvisqve, an authorisation server and
identity provider.

Version 0.10+git, not yet released
---------------------------------

* Disable the gunicorn header size check.

* Clients, users and applications can now be managed via the API. There is
  a command line tool, `qvisqvetool`, for doing that from the command line.

* Bug fix: when Qvisqve redirects the browser to the facade after a
  successful user authentication, it now includes the `state` parameter
  from the original authorization request.

* Change: users now have allowed scopes, and Qvisqve uses those when
  setting the scopes in the access token created at the end of the
  authorization code flow.

* Change: the HTML code for the login form is now in a separate file, so
  it is easier to style.

* API clients may now have a `sub` field, and if they do, tokens created
  using the client credentials grant variant of OAuth2 get their `sub`
  claim set accordingly. This is a first step towards allowing users to
  authorize API clients to act on their behalf.

Version 0.9, released 2018-02-09
---------------------------------

* Rename from Salami to Qvisqve, which is Latin for "each and every
  subject".

Version 0.8, released 2018-02-03
---------------------------------

* Salami now expects client secrets to be stored hashed in the config
  file, instead of as cleartext, as previously. This is obviously better
  for security: previously, anyone who could read the config file would
  get the secret directly. Now they have to brute-force guess it by
  hashing all possibilities. The hashing method attempts to make such
  brute-forcing harder by using a carefully chosen hashing algorithm
  (scrypt), and by using salting to prevent rainbow tables. For each
  client, a random 16 byte string is generated (by reading /dev/urandom)
  as the salt.

* A new script `salami-hash` is included to generate the hashed client
  secrets for the Salami config file.

* This release is made only to facilitate internal testing.

Version 0.7, released 2018-02-01
---------------------------------

* Add support for the OAuth2 client credentials grant. Do NOT use this
  yet. The credential is stored in cleartext server-side.

* This release is made only to facilitate internal testing.

Version 0.6, released 2017-11-17
---------------------------------

* `start_salami` fixed to set the right environment variable to point at
  the configuration file when starting Salami.

Version 0.5, released 2017-11-16
---------------------------------

* The `start_salami` script can now start production or debugging
  variants.

* Yarn scenario tests have been added.

Version 0.4, released 2017-11-15
---------------------------------

* Fixed `start_salami` to use the right log file for gunicorn3.

Version 0.3, released 2017-11-15
---------------------------------

Version 0.2, released 2017-11-14
---------------------------------

Version 0.1, released 2017-11-14
---------------------------------

First release.
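The version 0.8 note above describes the scheme (scrypt, a random 16 byte
salt read from /dev/urandom, hashed secrets in the config file) without
showing it. The following is an added illustration, not code from Qvisqve
or its `salami-hash` script: the scrypt cost parameters, the `scrypt$N$r$p$salt$hash`
storage string and the function names are this example's own choices, and
the stored format it produces is not Qvisqve's. It shows the two halves a
practitioner cares about: generating a salted hash for the config file, and
verifying a presented secret against it in constant time.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Cost parameters are an assumption for this example; Qvisqve's own
# values are not stated in the release notes. n=2**14, r=8, p=1 needs
# about 16 MiB of memory per hash, which is what makes guessing slow.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32
SALT_LEN = 16  # matches the 16 byte salt described in the 0.8 notes


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string to store instead of the secret.

    A fresh salt is drawn from os.urandom (which reads /dev/urandom on
    POSIX) unless one is supplied, so two clients with the same secret
    still get different stored values and rainbow tables do not apply.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    derived = hashlib.scrypt(
        secret.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DKLEN,
    )
    # Storing the parameters alongside the hash lets the server raise
    # the cost later and re-hash on next successful login.
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P, _b64(salt), _b64(derived)
    )


def verify_secret(presented: str, stored: str) -> bool:
    """Check a presented client secret against a stored hash string.

    Malformed stored values are treated as a failed check rather than an
    exception, so a corrupt config entry cannot be used to log in.
    """
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt = base64.b64decode(parts[4])
        expected = base64.b64decode(parts[5])
    except (ValueError, TypeError):
        return False
    candidate = hashlib.scrypt(
        presented.encode("utf-8"),
        salt=salt, n=n, r=r, p=p, dklen=len(expected),
    )
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample secret; never commit a real one.
    stored = hash_secret("example-client-secret")
    print(stored)
    print("verify ok:", verify_secret("example-client-secret", stored))
    print("verify wrong:", verify_secret("not-the-secret", stored))
```

The salt and cost parameters travel with the hash in the stored string, so
a config file can hold entries hashed at different costs and the verifier
still checks each one correctly; only the derived key is secret-dependent.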