diff --git a/BREAKING.md b/BREAKING.md new file mode 100644 index 000000000..bfcb86bfa --- /dev/null +++ b/BREAKING.md 
@@ -0,0 +1,42 @@ +Breaking changes +================ + +Since Authelia is still under active development, it is subject to breaking changes. We then recommend you don't blindly use the latest +Docker image but pick a version instead and check this file before upgrading. This is where you will get information about breaking changes and about what you should do to overcome those changes. + +## Breaking in v3.14.0 + +### Headers in nginx configuration + +In order to support Traefik as a third party proxy interacting with Authelia some changes had to be made +to Authelia and the nginx proxy configuration. + +The `Host` header is not used anymore by Authelia in any way. It was previously used to compute the url of the link that is +sent by Authelia for confirming the identity of the user. In the new version X-Forwarded-Proto, X-Forwarded-Host +headers are used to build the URL. + +Authelia endpoint /api/verify does not produce the `Redirect` header containing the target URL the user is trying to visit. +This header was used in early versions to redirect the user to the login portal providing the target URL as a query parameter. +However this target URL can be computed automatically with the following statement: + + set $target_url $scheme://$http_host$request_uri; + + +## Breaking in v3.11.0 + +### ACL configuration + +ACL definition in the configuration file has been updated to allow more authorization use cases. +The change basically removed the three categories "any", "groups" and "users" to introduce an +iptables-like format where the authorization policy is just an ordered list of rules with a few +attributes among which the attribute called `subject` used to map old categories. + +So in order to upgrade from prior version, you simply need to flatten the rules you already have and +use the `subject` attribute to map your rules from the previous categories into the list. 
For `any` +rules, just don't specify the subject attribute, this rule will then apply to any user. For group-based +rules you can use `subject: 'group:mygroup'` where `mygroup` is the group you set authorizations for. +For user-based rules, use `subject: 'user:myuser'` where `myuser` is the user you set authorizations for. + +Please note that in the new system, the first matching rule applies and the next ones are not taken into +account. If no rule apply, the default policy still applies and if no default policy is provided, the `deny` +policy applies. \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index 4a45c32b9..7d91d5a44 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +Release Notes - Version 3.14.0 +------------------------------ +* [BREAKING] Add official support for Traefik with a dedicated suite. +* Add support for network-based ACL rules allowing to apply different authorization strategies on different networks. +* Several bug fixes (unusual error message when using U2F, X-Forwarded-User and X-Forwarded-Groups was not propagated on bypassed endpoints). + Release Notes - Version 3.13.0 ------------------------------ * Rewrite Authelia portal in Typescript.
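Review bot: in the "Headers in nginx configuration" section of BREAKING.md, the suggested statement `set $target_url $scheme://$http_host$request_uri;` builds the post-login redirect target from `$http_host`, which is the raw client-supplied `Host` header, two sentences after the text says `Host` is no longer used by Authelia in any way; suggest `$host` (which nginx normalizes and which falls back to `server_name`) or a hard-coded hostname, so a request carrying a forged `Host` cannot steer where the login portal sends the user afterwards. The same section states that the identity-confirmation link is now built from `X-Forwarded-Proto` and `X-Forwarded-Host`, but gives nginx users no instruction to set those headers; add the required `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-Host $host;` lines, with the caveat that the proxy must overwrite rather than pass through any client-supplied value, because whatever reaches Authelia in those headers ends up in a link mailed to the user. Minor wording: "does not produce the `Redirect` header" reads as a description of current behaviour rather than a change ("no longer produces" is clearer), and "If no rule apply" should be "If no rule applies".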
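Review bot: in the CHANGELOG.md hunk the `[BREAKING]` marker sits on "Add official support for Traefik with a dedicated suite", but what actually breaks existing deployments according to the BREAKING.md added in this same change is the nginx header contract (`Host` no longer used, `X-Forwarded-Proto`/`X-Forwarded-Host` required, `Redirect` header gone from `/api/verify`); suggest saying so in that bullet and pointing at BREAKING.md, otherwise nginx users upgrading will read the entry as Traefik-only and skip it. The network-based ACL bullet should name the rule attribute users set alongside `subject`, since BREAKING.md only documents `subject` and not the new network matching. Grammar: "X-Forwarded-User and X-Forwarded-Groups was not propagated" should be "were not propagated".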