Releases: oauth2-proxy/oauth2-proxy
v7.14.2
Release Highlights
- Revert AuthOnly endpoint change from v7.14.1 that caused issues when skip-provider-button is enabled
Important Notes
- This release reverts the change made in v7.14.1 that caused issues when skip-provider-button is enabled. Now, when a session does not exist, the AuthOnly endpoint sends a 401 status code as expected instead of a 302 redirect. Instead, we extended the documentation to clarify the behavior when using nginx with auth_request and skip-provider-button, and how to properly configure redirects for browser and API routes.
Excerpt from v7.14.0 release letter:
This release introduces a breaking change for Alpha Config users and moves us significantly
closer to removing legacy configuration parameters, making the codebase of OAuth2 Proxy more
future proof and extensible.
From v7.14.0 onward, header injection sources must be explicitly nested. If you
previously relied on squashed fields, update to the new structure before upgrading:
# before v7.14.0
injectRequestHeaders:
  - name: X-Forwarded-User
    values:
      - claim: user
  - name: X-Custom-Secret-header
    values:
      - value: my-super-secret

# v7.14.0 and later
injectRequestHeaders:
  - name: X-Forwarded-User
    values:
      - claimSource:
          claim: user
  - name: X-Custom-Secret-header
    values:
      - secretSource:
          value: my-super-secret

Furthermore, Alpha Config now fully supports configuring the Server struct using YAML.
// Server represents the configuration for the Proxy HTTP(S) configuration.
type Server struct {
	// BindAddress is the address on which to serve traffic.
	BindAddress string `yaml:"bindAddress,omitempty"`
	// SecureBindAddress is the address on which to serve secure traffic.
	SecureBindAddress string `yaml:"secureBindAddress,omitempty"`
	// TLS contains the information for loading the certificate and key for the
	// secure traffic and further configuration for the TLS server.
	TLS *TLS `yaml:"tls,omitempty"`
}

// TLS contains the information for loading a TLS certificate and key
// as well as an optional minimal TLS version that is acceptable.
type TLS struct {
	// Key is the TLS key data to use.
	Key *SecretSource `yaml:"key,omitempty"`
	// Cert is the TLS certificate data to use.
	Cert *SecretSource `yaml:"cert,omitempty"`
	// MinVersion is the minimal TLS version that is acceptable.
	MinVersion string `yaml:"minVersion,omitempty"`
	// CipherSuites is a list of TLS cipher suites that are allowed.
	CipherSuites []string `yaml:"cipherSuites,omitempty"`
}

More about how to use Alpha Config can be found in the documentation.
Example Alpha configuration: https://github.com/oauth2-proxy/oauth2-proxy/blob/955ab6b/contrib/local-environment/oauth2-proxy-alpha-config.yaml
We are committed to Semantic Versioning and usually avoid breaking changes without a major version release.
Advancing Alpha Config toward its Beta stage required this exception, and even for the Alpha Config we try
to keep breaking changes in v7 to a minimum. Thank you for understanding the need for this step to prepare
the project for future maintainability and future improvements like structured logging.
Breaking Changes
- Check release notes for v7.14.0
Changes since v7.14.1
- #3314 revert: fix: skip provider button auth only redirect (#3309) (@StefanMarkmann / @tuunit)
- #3315 docs: clarify browser vs API routes for nginx auth_request redirects (@StefanMarkmann)
v7.14.1
Release Highlights
- 🔵 Go1.25.6 and upgrade of dependencies to latest versions
- 🐛 Bug fixes
- AuthOnly now starts the auth flow and sends status code 302 if no session exists and skip-provider-button is true
- Fixed static upstream validation issue due to incorrect defaults
Important Notes
Excerpt from v7.14.0 release letter; see the v7.14.0 notes below.
https://github.com/oauth2-proxy/oauth2-proxy/releases/v7.14.0
Breaking Changes
Changes since v7.14.0
- #3309 fix: Return 302 redirect from AuthOnly endpoint when skip-provider-button is true (@StefanMarkmann)
- #3302 fix: static upstreams failing validation due to passHostHeader and proxyWebSockets defaults being set incorrectly (@sourava01 / @tuunit)
- #3312 chore(deps): upgrade to go1.25.6 and latest dependencies (@tuunit)
v7.14.0
Release Highlights
- 🕵️♀️ Vulnerabilities have been addressed
- 🗂️ Major Alpha Config YAML parsing revamped for better extensibility and preparing v8
- 🐛 Squashed some bugs
Important Notes
This release introduces a breaking change for Alpha Config users and moves us significantly
closer to removing legacy configuration parameters, making the codebase of OAuth2 Proxy more
future proof and extensible.
From v7.14.0 onward, header injection sources must be explicitly nested. If you
previously relied on squashed fields, update to the new structure before upgrading:
# before v7.14.0
injectRequestHeaders:
  - name: X-Forwarded-User
    values:
      - claim: user
  - name: X-Custom-Secret-header
    values:
      - value: my-super-secret

# v7.14.0 and later
injectRequestHeaders:
  - name: X-Forwarded-User
    values:
      - claimSource:
          claim: user
  - name: X-Custom-Secret-header
    values:
      - secretSource:
          value: my-super-secret

Furthermore, Alpha Config now fully supports configuring the Server struct using YAML.
// Server represents the configuration for the Proxy HTTP(S) configuration.
type Server struct {
	// BindAddress is the address on which to serve traffic.
	BindAddress string `yaml:"bindAddress,omitempty"`
	// SecureBindAddress is the address on which to serve secure traffic.
	SecureBindAddress string `yaml:"secureBindAddress,omitempty"`
	// TLS contains the information for loading the certificate and key for the
	// secure traffic and further configuration for the TLS server.
	TLS *TLS `yaml:"tls,omitempty"`
}

// TLS contains the information for loading a TLS certificate and key
// as well as an optional minimal TLS version that is acceptable.
type TLS struct {
	// Key is the TLS key data to use.
	Key *SecretSource `yaml:"key,omitempty"`
	// Cert is the TLS certificate data to use.
	Cert *SecretSource `yaml:"cert,omitempty"`
	// MinVersion is the minimal TLS version that is acceptable.
	MinVersion string `yaml:"minVersion,omitempty"`
	// CipherSuites is a list of TLS cipher suites that are allowed.
	CipherSuites []string `yaml:"cipherSuites,omitempty"`
}

More about how to use Alpha Config can be found in the documentation.
Example Alpha configuration: https://github.com/oauth2-proxy/oauth2-proxy/blob/955ab6b/contrib/local-environment/oauth2-proxy-alpha-config.yaml
We are committed to Semantic Versioning and usually avoid breaking changes without a major version release.
Advancing Alpha Config toward its Beta stage required this exception, and even for the Alpha Config we try
to keep breaking changes in v7 to a minimum. Thank you for understanding the need for this step to prepare
the project for future maintainability and future improvements like structured logging.
Breaking Changes
- Alpha Config: header injection no longer supports squashed claim/secret sources; they must now be set explicitly (see example above).
Changes since v7.13.0
- #2628 feat(structured config): revamp of yaml parsing using mapstructure decoder and custom decoders (@tuunit)
- #3197 fix: NewRemoteKeySet is not using DefaultHTTPClient (@rsrdesarrollo / @tuunit)
- #3292 chore(deps): upgrade gomod and bump to golang v1.25.5 (@tuunit)
- #3304 fix: added conditional so default is not always set and env vars are honored fixes 3303 (@pixeldrew)
- #3264 fix: more aggressively truncate logged access_token (@MartinNowak / @tuunit)
- #3267 fix: Session refresh handling in OIDC provider (@gysel)
- #3290 fix: WebSocket proxy to respect PassHostHeader setting (@UnsignedLong)
v7.13.0
Release Highlights
- 🕵️♀️ Vulnerabilities have been addressed
- 🐛 Squashed some bugs
Important Notes
By default all specified headers will now be normalized, meaning that both capitalization and the use of underscores (_) versus dashes (-) will be ignored when matching headers to be stripped. For example, both X-Forwarded-For and X_Forwarded-for will now be treated as equivalent and stripped away.
Please read our security advisory for CVE-2025-64484: GHSA-vjrc-mh2v-45x6
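How the normalized matching described above can be implemented, as an added example that is not oauth2-proxy's own code: header names are folded to lower case with underscores mapped to dashes, and every spelling of a header on the strip list is removed before the request would be forwarded upstream. The function names and sample header values are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// normalizeHeaderName folds letter case and underscore-versus-dash, so that
// "X_Forwarded-for" and "X-Forwarded-For" both become "x-forwarded-for".
func normalizeHeaderName(name string) string {
	return strings.ToLower(strings.ReplaceAll(name, "_", "-"))
}

// StripHeaderVariants deletes every header whose normalized name is on the
// strip list and returns how many it removed. Go's http.Header canonicalizes
// case but keeps underscores, so h.Del("X-Forwarded-For") alone would leave
// "X_forwarded-For" in place; ranging over the map catches every spelling.
func StripHeaderVariants(h http.Header, toStrip []string) int {
	blocked := make(map[string]struct{}, len(toStrip))
	for _, n := range toStrip {
		blocked[normalizeHeaderName(n)] = struct{}{}
	}
	removed := 0
	for key := range h {
		if _, hit := blocked[normalizeHeaderName(key)]; hit {
			delete(h, key) // deleting during range is safe in Go
			removed++
		}
	}
	return removed
}

// Demo builds a constructed header set carrying three spellings of
// X-Forwarded-For plus one unrelated header, then strips the variants.
func Demo() (http.Header, int) {
	h := http.Header{}
	h.Add("X-Forwarded-For", "203.0.113.7") // constructed sample values
	h.Add("X_Forwarded-for", "203.0.113.7")
	h.Add("x_forwarded_for", "203.0.113.7")
	h.Add("X-Request-Id", "req-1") // unrelated header, must survive
	removed := StripHeaderVariants(h, []string{"X-Forwarded-For"})
	return h, removed
}

func main() {
	h, n := Demo()
	fmt.Printf("removed %d variant(s), remaining headers: %v\n", n, h)
}
```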
Furthermore, we now use the access_token for validating refreshed sessions in OIDC providers instead of the id_token. This is to align with the OIDC specification which states that id_tokens are not guaranteed to be issued when using refresh tokens. In future releases we might remove the id_token validation for sessions completely.
Breaking Changes
N/A
Changes since v7.12.0
- #3228 fix: use GetSecret() in ticket.go makeCookie to respect cookie-secret-file (@stagswtf)
- #3244 chore(deps): upgrade to latest go1.25.3 (@tuunit)
- #3238 chore: Replace pkg/clock with narrowly targeted stub clocks (@dsymonds)
- #3237 feat: add option to use organization id for preferred username in Google Provider (@pixeldrew)
- GHSA-vjrc-mh2v-45x6 fix: request header smuggling by stripping all normalized header variants (@tuunit)
- #1933 fix: validation of refreshed sessions using the access_token in the OIDC provider (@gysel / @tuunit)
- #2841 feat: add allowed_* constraint option to proxy endpoint query string (@jacobalberty)
v7.12.0
Release Highlights
- 🕵️♀️ Vulnerabilities have been addressed
- 🦸 Support for Cidaas IDP
- 🐛 Squashed some bugs
Important Notes
Breaking Changes
Changes since v7.11.0
v7.11.0
Release Highlights
- 🏢 Support for SourceHut (sr.ht) provider
- 🔍️ Support for more fine-grained control over the google admin-sdk scopes and optional google groups
- 🐛 Squashed some bugs
Important Notes
Firstly, we fixed a critical vulnerability where skip_auth_routes regex patterns were matched against the full request URI (path + query parameters) instead of just the path, allowing authentication bypass.
Secondly, we fixed double-escaping of $ in regexes for Alpha Config upstreams path and rewriteTarget:
# Before
upstreams:
  - id: web
    path: ^/(.*)$$
    rewriteTarget: /$$1

# After
upstreams:
  - id: web
    path: ^/(.*)$
    rewriteTarget: /$1

Breaking Changes
If your configuration relies on matching query parameters in skip_auth_routes patterns, you must update your regex patterns to match paths only. Review all skip_auth_routes entries for potential impact.
Example of affected configuration:
# This pattern previously matched both:
# - /api/foo/status (intended)
# - /api/private/sensitive?path=/status (bypass - now fixed)
skip_auth_routes: ["^/api/.*/status"]

For detailed information, migration guidance, and security implications, see the security advisory.
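The difference between matching the full request URI and matching the path only, shown with the pattern from the note above as an added example that is not oauth2-proxy's own code. `IsSkippedLegacy`, `IsSkippedFixed`, `Disagreements` and the sample URIs are constructed here so that existing skip_auth_routes entries can be reviewed against request shapes before upgrading.

```go
package main

import (
	"net/url"
	"regexp"
)

// skipAuthRoute is the affected pattern from the release note, compiled once.
var skipAuthRoute = regexp.MustCompile("^/api/.*/status")

// IsSkippedLegacy reproduces the pre-v7.11.0 behaviour: the pattern is run
// against the full request URI, so a query string can satisfy it even when
// the path alone would not.
func IsSkippedLegacy(requestURI string) bool {
	return skipAuthRoute.MatchString(requestURI)
}

// IsSkippedFixed runs the pattern against the path component only, as the
// v7.11.0 fix does, so the query string no longer influences the decision.
func IsSkippedFixed(requestURI string) (bool, error) {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil {
		return false, err
	}
	return skipAuthRoute.MatchString(u.Path), nil
}

// Disagreements returns the URIs on which the two matchers differ, i.e. the
// requests a review of existing skip_auth_routes entries must look at.
// Unparseable URIs are reported too: the fixed matcher never skips auth for them.
func Disagreements(uris []string) []string {
	var out []string
	for _, uri := range uris {
		fixed, err := IsSkippedFixed(uri)
		if err != nil || IsSkippedLegacy(uri) != fixed {
			out = append(out, uri)
		}
	}
	return out
}

// SampleURIs are constructed requests: the intended match, the bypass shape
// quoted in the release note, and an unrelated route.
var SampleURIs = []string{
	"/api/foo/status",
	"/api/private/sensitive?path=/status",
	"/healthz",
}
```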
Changes since v7.10.0
- #2615 feat(cookies): add option to set a limit on the number of per-request CSRF cookies oauth2-proxy sets (@bh-tt)
- #2605 fix: show login page on broken cookie (@Primexz)
- #2743 feat: allow use more possible google admin-sdk api scopes (@BobDu)
- #2359 feat: add SourceHut (sr.ht) provider (@bitfehler)
- #2524 fix: regex substitution for $ signs in upstream path handling before running envsubst (@dashkan / @tuunit)
- #3104 feat(cookie): add feature support for cookie-secret-file (@sandy2008)
- #3055 feat: support non-default authorization request response mode also for OIDC providers (@stieler-it)
- #3138 feat: make google_groups argument optional when using google provider (@sourava01)
- #3093 feat: differentiate between "no available key" and error for redis sessions (@nobletrout)
- GHSA-7rh7-c77v-6434 fix: skip_auth_routes bypass through query parameter inclusion
v7.10.0
Release Highlights
- 🏢 Support for multiple orgs using the GitHub / Gitea provider
- 🔵 Golang version upgrade to v1.24.5
- 🕵️♀️ Vulnerabilities have been addressed
- 🐛 Squashed some bugs
Important Notes
Breaking Changes
Changes since v7.9.0
- #3072 feat: support for multiple github orgs #3072 (@daniel-mersch)
- #3116 feat: bump to go1.24.5 and full dependency update (@wardviaene / @dolmen)
- #3097 chore(deps): update alpine base image to v3.22.0
- #3101 fix: return error for empty Redis URL list (@dgivens)
v7.9.0
Release Highlights
- 📨 OAuth 2.0 Multiple Response Type Encoding
- 📦️ Support for JWT encoded profile claims
- 🔵 Golang version upgrade to v1.23.8
- 🕵️♀️ Vulnerabilities have been addressed
- 🐛 Squashed some bugs
Important Notes
Breaking Changes
Changes since v7.8.2
- #3031 Fixes Refresh Token bug with Entra ID and Workload Identity #3027 by using client assertion when redeeming the token (@Richard87)
- #3001 Allow to set non-default authorization request response mode (@stieler-it)
- #3041 chore(deps): upgrade to latest golang v1.23.x release (@TheImplementer)
- #1916 fix: role extraction from access token in keycloak oidc (@Elektordi / @tuunit)
- #3014 feat: ability to parse JWT encoded profile claims (@ikarius)
v7.8.2
Release Highlights
- 🐛 Cookie Expiration bug has been squashed
- 🔵 Golang version upgrade to v1.23.7
- 🕵️♀️ Vulnerabilities have been addressed
Important Notes
Breaking Changes
Changes since v7.8.1
- #2927 chore(deps/build): bump golang to 1.23 and use go.mod as single point of truth for all build files (@tuunit)
- #2697 Use Max-Age instead of Expires for cookie expiration (@matpen-wi)
- #2969 Update golang.org/x/oauth2 to v0.27.0 to address CVE-2025-22868 (@dsymonds)
- #2977 Update golang.org/x/net to v0.36.0 to address CVE-2025-22870 (@dsymonds)
- #2982 chore(deps): remove go:generate tool from go.mod (@dolmen)
- #3011 chore(deps): update golang dependencies and pin to latest golang v1.23.x release (@tuunit)