path: root/NEWS
blob: cd65c84de91f4ec841fcde45afa844022defa9fb (plain)
NEWS for Qvisqve
=============================================================================

This file has release notes for Qvisqve, an authorisation server and
identity provider.

Version 0.10+git, not yet released
---------------------------------

* Disable gunicorn header size check.

* Qvisqve can now manage clients, users, and applications via the API.
  A command line tool, `qvisqvetool`, is provided for doing that.

* Bug fix: when Qvisqve redirects the browser to the facade after a
  successful user authentication, it now includes the `state`
  parameter from the original authorization request.

* Change: users now have allowed scopes, and Qvisqve will use those
  when setting scopes in the access token created at the end of the
  authorization code flow.

* Change: the HTML code for the login form is now in a separate file,
  so it is easier to style.

* API clients may now have a `sub` field, and if they do, tokens
  created using the client credentials grant variant of OAuth2 get
  their `sub` claim set accordingly. This is a first step towards
  allowing users to authorize API clients to act on their behalf.

Version 0.9, released 2018-02-09
---------------------------------

* Rename from Salami to Qvisqve, which is Latin for "each and every
  subject".

Version 0.8, released 2018-02-03
---------------------------------

* Salami now expects client secrets to be stored hashed in the config
  file, instead of in cleartext as previously. This is obviously
  better for security: previously, anyone who could read the config
  file would get the secret directly. Now they have to brute-force
  guess it by hashing all possibilities.

  The hashing method attempts to make such brute-forcing harder by
  using a carefully chosen hashing algorithm (scrypt) and by using
  salting to prevent rainbow tables. For each client, a random 16-byte
  string is generated (by reading /dev/urandom) as the salt.
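The following is an added illustration of the scheme described above (salted scrypt hashing of a client secret, with a per-client 16-byte random salt), not code from Salami/Qvisqve or its `salami-hash` script. The scrypt cost parameters, the record layout, and the function names are assumptions chosen for the example; the actual config file format is not shown here.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed scrypt cost parameters for this example (not Qvisqve's values).
# N=2**14, r=8 uses about 16 MiB of memory per hash computation.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16   # 16 random bytes per client, as the release note describes
KEY_LEN = 64    # length of the derived hash in bytes


def hash_client_secret(secret: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Return a record that can be stored instead of the cleartext secret.

    The salt comes from the OS CSPRNG (/dev/urandom on Linux) unless one is
    supplied explicitly, which is only useful for deterministic testing.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(
        secret.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=KEY_LEN,
    )
    # Store the parameters alongside the hash so they can be raised later
    # without breaking verification of existing records.
    return {
        "algorithm": "scrypt",
        "n": SCRYPT_N,
        "r": SCRYPT_R,
        "p": SCRYPT_P,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_client_secret(presented: str, record: Dict[str, object]) -> bool:
    """Recompute the hash with the stored salt and parameters and compare.

    hmac.compare_digest avoids leaking, via timing, how many leading bytes
    of the candidate hash matched the stored one.
    """
    if record.get("algorithm") != "scrypt":
        return False
    salt = bytes.fromhex(str(record["salt"]))
    expected = bytes.fromhex(str(record["hash"]))
    candidate = hashlib.scrypt(
        presented.encode("utf-8"),
        salt=salt,
        n=int(record["n"]),
        r=int(record["r"]),
        p=int(record["p"]),
        dklen=len(expected),
    )
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample secret; a real one would be generated randomly.
    record = hash_client_secret("example-client-secret")
    print(record)
    print("correct secret accepted:", verify_client_secret("example-client-secret", record))
    print("wrong secret rejected:  ", not verify_client_secret("guess", record))
```

Because each client gets its own salt, two clients with the same secret produce different records, so a precomputed table for one salt is useless for any other, and an attacker who obtains the config file still has to run scrypt once per guess per client.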

* A new script `salami-hash` is included to generate the hashed client
  secrets for the Salami config file.

* This release is made only to facilitate internal testing.

Version 0.7, released 2018-02-01
---------------------------------

* Add support for OAuth2 client credential grant. Do NOT use this yet.
  The credential is stored in cleartext server-side.

* This release is made only to facilitate internal testing.

Version 0.6, released 2017-11-17
---------------------------------

* `start_salami` fixed to set the right environment variable to point
  at the configuration file when starting Salami.

Version 0.5, released 2017-11-16
---------------------------------

* `start_salami` script can now start production or debugging
  variants.

* Yarn scenario tests have been added.

Version 0.4, released 2017-11-15
---------------------------------

* Fixed `start_salami` to use the right log file for gunicorn3.

Version 0.3, released 2017-11-15
---------------------------------


Version 0.2, released 2017-11-14
---------------------------------


Version 0.1, released 2017-11-14
---------------------------------

First release.