Simple and extensible identity management service

Last update: Jan 9, 2022

Overview

AuthGuard

An easy-to-use, and easy-to-customize, identity server. It supports multiple authentication and authorization options and can be extended to support other ones, or add new features. It's an API-only solution, there is currently no dedicated dashboard.

Documentation

You can see the full documentation on the website here. OpenAPI documentation is available under the api module, and can also be found here. Tutorials are also available on the same website.

For the documentation of a specific plugin please visit the extensions repository and check that plugin readme.

Why Use AuthGuard?

Identity management is almost never the core part of apps, websites, or services. AuthGuard is a simple service which can be used to provide that so that you can focus on the important parts of what you are building. With AuthGuard you:

Have a ready identity management solution.
Have full control over your data.
Can easily extend it to make it fit your own needs even beyond authentication and authorization (e.g. integrating it with monitoring tools, or a data processing pipeline).
Are not tied to a certain database, or a class of databases. You can make it work with any database even ones which are not officially supported.
Have more advanced features available out-of-the-box like requiring OTPs, or re-entring passwords to perform certain actions..etc.

AuthGuard Distributions

There's no "one size fits all". AuthGuard is, more or less, a "kernel". In order for you to run it and make it usable, you need to create a distribution. An AuthGuard distribution is essentially AuthGuard + plugins. It's required to at least have a plugin providing data access implementation in order for the server to run. We have three standard distributions pre-built for three databases: MongoDB, PostgreSQL, MySQL. Standard distributions come with the following plugins:

Standard data access (persistence + cache)
JWT
Sessions
Account lock
Verification
Email
JavaMail provider (for SMTP, IMAP, and POP3)

Running Standard Distributions

Standard distributions are available as executable jar files, in releases or as container images. The images are hosted on GitHub Packages which you can pull and run. The images are:

Mongo Stadndard: ghcr.io/authguard/authguard-mongo-standard:<version>
Postgres Standard: ghcr.io/authguard/authguard-postgres-standard:<version>
MySQL Standard: ghcr.io/authguard/authguard-mysql-standard:<version>

Creating a Distribution

There are two ways to create a distribution:

Using a build system (Maven, Gradle, SBT...etc) by adding them as dependencies
Running the rest jar and setting the classpath manually

All modules are published as Maven artifacts to GitHub Packages, make sure that you add the correct repositories to you build configuration to be able to pull them. For example, if you are using Maven you need to add the following two repositories

 <repositories>
     <repository>
         <id>authguard-github</id>
         <name>GitHub AuthGuard Maven Packages</name>
         <url>https://maven.pkg.github.com/AuthGuard/AuthGuard</url>
     </repository>

     <repository>
         <id>exntesions-github</id>
         <name>GitHub AuthGuard Extensions Maven Packages</name>
         <url>https://maven.pkg.github.com/AuthGuard/extensions</url>
     </repository>
 </repositories>

Plugins

There are some standard plugins created and support by the AuthGuard team. Some are considered core parts and exist as modules in the main project, while the others get their own repository. The other standard extensions can be found in the extension repository.

JWT

A plugin which provides JWT exchanges and other features around JWTs:

JWT auth exchanges
JWT API keys
OAuth and OpenID Connect support

Sessions

A plugin to add support for sessions. Requires a session store to be provided by a DAL implementation.

Verification

The verification plugin will send a verification email to an email which needs to be verified. Requires an email provider implementation.

Account Lock

Adds support for locking accounts after a number of failed logins within a period.

LDAP

Adds support for LDAP-based authentication by using an LDAP server as an identity provider.

Email

Adds subscribers for events which may require sending emails. This plugin does not come with an email provider, and one must be added. We have an implementation using JavaMail and another one (provided as an example to how to use external APIs) using SendGrid API.

SMS

Similar to the email plugin, this one only adds definitions and subscribers, and an SMS provider implementation must be provided.

JavaMail

The standard email provider, it uses JavaMail library and support SMTP, IMAP, and POP3 protocols.

License and Price

The project in its entirety is open-source and no features are hidden behind a professional plan. It is also free of charge for non-commercial use. If you want to use it for a commercial product or a business, please support the project by purchasing a license from our store. The store is temporary until we move to a better one, but all license will be transferred.

Open-Source Credits

This project is made possible by other open-source projects, and they deserve the recognition.

Javalin
Apache Commons
Bouncy Castle
Auth0 JWT
Guice
Reflections
RxJava
Vertx
OkHttp
Vavr
Unbounded LDAP
Logback
Jackson
Immutables
Mapstruct
JUnit
Mockito
WireMock
AssertJ
Rest Assured
JavaMail

Comments

Bump h2 from 1.4.200 to 2.1.210 in /dal
Bumps h2 from 1.4.200 to 2.1.210.

Release notes

Sourced from h2's releases.

Version 2.1.210

Two security vulnerabilities in H2 Console (CVE-2022-23221 and possible DNS rebinding attack) are fixed.

Persistent databases created by H2 2.0.x don't need to be upgraded. Persistent databases created by H2 1.4.200 and older versions require export into SQL script with that old version and creation of a new database with the new version and execution of this script in it.

... (truncated)

Commits

ca926f8 Merge remote-tracking branch 'h2database/master'

be306de Version advancement

030eb72 Improve migration documentation

86d58c4 Merge pull request #3381 from katzyn/legacy

b613598 Typo

d6e4eb8 Add IDENTITY() and SCOPE_IDENTITY() to LEGACY mode

36e790d make javadoc happier

1c0ca27 Add "of this server" to adminWebExternalNames text

0f83f48 Convert host names to lower case

c5f11a5 Merge pull request #3378 from katzyn/lob

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 3
Bump h2 from 1.4.200 to 2.0.202 in /dal
Bumps h2 from 1.4.200 to 2.0.202.

Release notes

Sourced from h2's releases.

Version 2.0.202

Besides many dozens of fixed bugs, performance improvements, more adherence to a standard SQL syntax and type system, there are

Some new features:

Complete re-work of INFORMATION_SCHEMA to be more in-line with the standard

Support for new types: ARRAY, ROW, JAVA_OBJECT

Numerous bit, string, array and system functions implemented

Standard-based access to generated keys

JDBC 4.2 compliance

Support for JDK 7 is dropped

PageStore is discontinued

MVStore changes:

Descending MVMap and TransactionMap cursor

Disk space reclamation algorithm improvements

Between version 1.4.200 and version 2.0.202 there have been considerable changes, such that a simple update is not possible. The official way to upgrade is to do a BACKUP of your existing database USING YOUR CURRENT VERSION OF H2. Then create a fresh database USING THE NEW VERSION OF H2, then perform a SCRIPT to load your data.

Commits

bb50243 Merge pull request #3210 from andreitokar/master

bab777a Merge remote-tracking branch 'h2database/master'

7381627 Merge pull request #3211 from grandinj/Large-JSON-and-GEOMETRY-objects-#3016

5199387 fix link to changelog

3ada1aa include trivial bits of #3090

4c56d7c Merge pull request #3189 from imerik1/master

401e84d fix test

0bed95c Large JSON and GEOMETRY objects #3016

9ccde29 change link to h2.pdf

7309020 change release date

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 3
Bump h2 from 1.4.200 to 2.0.206 in /dal
Bumps h2 from 1.4.200 to 2.0.206.

Release notes

Sourced from h2's releases.

Version 2.0.206

Critical security issue with H2 console is fixed.

Also important changes included:

Version 2.0.204

Multilple regression fixes discovered after 2.0.202 release,

There are no persistence changes between 2.0.202 and 2.0.204, so jar file swap is enough, if database had been upgraded to 2.0.202 already, otherwise please read the message below:

Between version 1.4.200 and version 2.0.202 there have been considerable changes, such that a simple update is not possible. The official way to upgrade is to do a BACKUP of your existing database USING YOUR CURRENT VERSION OF H2. Then create a fresh database USING THE NEW VERSION OF H2, then perform a SCRIPT to load your data.

Version 2.0.202

Besides many dozens of fixed bugs, performance improvements, more adherence to a standard SQL syntax and type system, there are

Some new features:

Complete re-work of INFORMATION_SCHEMA to be more in-line with the standard

Support for new types: ARRAY, ROW, JAVA_OBJECT

Numerous bit, string, array and system functions implemented

Standard-based access to generated keys

JDBC 4.2 compliance

Support for JDK 7 is dropped

PageStore is discontinued

MVStore changes:

Descending MVMap and TransactionMap cursor

Disk space reclamation algorithm improvements

Between version 1.4.200 and version 2.0.202 there have been considerable changes, such that a simple update is not possible. The official way to upgrade is to do a BACKUP of your existing database USING YOUR CURRENT VERSION OF H2. Then create a fresh database USING THE NEW VERSION OF H2, then perform a SCRIPT to load your data.

Commits

3d957a0 Release 2.0.206 preparation

2b6e303 Update changelog

b24aa46 Check URL scheme

4a2e677 Get data types directly from linked tables from H2

69aff24 Fix ValueVarcharIgnoreCase.equals()

0ebf142 Fix group-sorted optimization for data types with different equal values

8aca5f4 Correct Date and Time part in tutorial.html

4bfd6f0 Add support of H2 2.0+ to source.html and sourceError.html

927c830 Update copyright years

abac6c8 Next development version

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 2
MySQL extension transaction is not closed properly

When multiple updates are made to the same record, and the first one fails, the second one gets a lock timeout. This is due to the first transaction not being closed properly upon failure. Hibernate with PostgreSQL driver handles that just fine, but MySQL driver fails.
bug high priority

opened by kmehrunes 1
A generic error is returned when an email address or phone number is updated

Instead of proper descriptive errors like those returned with POST requests, PATCH requests return generic errors which don't indicate that an email is already registered for example.

Happens only with mongo-dal extension.
bug high priority

opened by kmehrunes 1
Bump jackson-databind from 2.13.1 to 2.13.2.1 in /bom
Bumps jackson-databind from 2.13.1 to 2.13.2.1.

Commits

See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 1
[Snyk] Upgrade org.apache.commons:commons-lang3 from 3.7 to 3.12.0
Snyk has created this PR to upgrade org.apache.commons:commons-lang3 from 3.7 to 3.12.0.

:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 6 versions ahead of your current version.

The recommended version was released 3 months ago, on 2021-02-26.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs
opened by snyk-bot 1
[Snyk] Upgrade io.reactivex.rxjava3:rxjava from 3.0.2 to 3.0.12
Snyk has created this PR to upgrade io.reactivex.rxjava3:rxjava from 3.0.2 to 3.0.12.

:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 14 versions ahead of your current version.

The recommended version was released 2 months ago, on 2021-04-08.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs
opened by snyk-bot 1
[Snyk] Upgrade com.google.inject:guice from 4.2.2 to 4.2.3
Snyk has created this PR to upgrade com.google.inject:guice from 4.2.2 to 4.2.3.

:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 1 version ahead of your current version.

The recommended version was released a year ago, on 2020-03-19.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs
opened by snyk-bot 1
[Snyk] Upgrade commons-validator:commons-validator from 1.4.0 to 1.7
Snyk has created this PR to upgrade commons-validator:commons-validator from 1.4.0 to 1.7.

:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 5 versions ahead of your current version.

The recommended version was released 9 months ago, on 2020-08-03.

The recommended version fixes:

Severity | Issue | PriorityScore (*) | Exploit Maturity | :-------------------------:|:-------------------------|-------------------------|:------------------------- | Arbitrary Code Execution
SNYK-JAVA-COMMONSBEANUTILS-30077 | 794/1000
Why? Mature exploit, Has a fix available, CVSS 7.3 | Mature

(*) Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs
opened by snyk-bot 1
Incorrectly mapped password conditions
When given passwords config with conditions for capital letters, small letters, special characters, or digits, the config is always mapped to false regardless of the provided value. Example:

passwords: algorithm: scrypt conditions: includeCaps: true minLength: 6

This won't lead to enforcing capital letters and only the length will be checked.
bug high priority
opened by kmehrunes 1
[Snyk] Security upgrade io.vertx:vertx-web-client from 3.9.12 to 4.3.7
Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

pom.xml

Vulnerabilities that will be fixed

With an upgrade:

Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------|:------------------------- | 611/1000
Why? Recently disclosed, Has a fix available, CVSS 6.5 | HTTP Response Splitting
SNYK-JAVA-IONETTY-3167773 | io.vertx:vertx-web-client:
3.9.12 -> 4.3.7
| Yes | No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
opened by snyk-bot 0
[Snyk] Fix for 2 vulnerabilities
This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

pom.xml

Vulnerabilities that will be fixed

With an upgrade:

Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------|:------------------------- | 616/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.9 | Denial of Service (DoS)
SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426 | com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:
2.13.3 -> 2.14.0
com.fasterxml.jackson.datatype:jackson-datatype-jsr310:
2.13.3 -> 2.14.0
| No | Proof of Concept | 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7 | Stack-based Buffer Overflow
SNYK-JAVA-ORGYAML-3016888 | com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:
2.13.3 -> 2.14.0
| No | Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)
opened by kmehrunes 0
[Snyk] Security upgrade com.fasterxml.jackson.dataformat:jackson-dataformat-properties from 2.13.3 to 2.14.0
This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

pom.xml

Vulnerabilities that will be fixed

With an upgrade:

Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------|:------------------------- | 616/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.9 | Denial of Service (DoS)
SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426 | com.fasterxml.jackson.dataformat:jackson-dataformat-properties:
2.13.3 -> 2.14.0
| No | Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)
opened by kmehrunes 0
Add custom constant parameters to emails and SMS providers

For example, if an email will show a link to the user, we can pass the base URL as a constant parameter in the configuration and then use it in a template. This will remove the need for maintaining two templates just because URLs will be different depending on the environment.
medium priority feature request

opened by kmehrunes 0
[Snyk] Security upgrade com.auth0:java-jwt from 3.18.3 to 3.19.3
This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

pom.xml

Vulnerabilities that will be fixed

With an upgrade:

Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------|:------------------------- | 616/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.9 | Denial of Service (DoS)
SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424 | com.auth0:java-jwt:
3.18.3 -> 3.19.3
| No | Proof of Concept | 616/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.9 | Denial of Service (DoS)
SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426 | com.auth0:java-jwt:
3.18.3 -> 3.19.3
| No | Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS) 🦉 Denial of Service (DoS)
opened by kmehrunes 0

Releases(v0.17.1)

v0.17.1(Oct 20, 2022)
Extensions updates

Fixes https://github.com/AuthGuard/AuthGuard/issues/257

Fixes https://github.com/AuthGuard/AuthGuard/issues/257

Source code(tar.gz)
Source code(zip)
mongo-standard-standalone.jar(39.56 MB)
postgres-standard-standalone.jar(51.03 MB)
v0.17.0(Aug 25, 2022)
What's Changed

Support adding access details to JWT API keys by in https://github.com/AuthGuard/AuthGuard/pull/241

Extra OTP/passwordless parameters by in https://github.com/AuthGuard/AuthGuard/pull/248

Remove deprecated code by in https://github.com/AuthGuard/AuthGuard/pull/249

Full Changelog: https://github.com/AuthGuard/AuthGuard/compare/v0.16.0...v0.17.0
Source code(tar.gz)
Source code(zip)
mongo-standard-standalone.jar(39.55 MB)
postgres-standard-standalone.jar(51.03 MB)
v0.16.0(Jun 27, 2022)
What's Changed

Option to disable bootstrap, JWT verification, entities bootstrap by @kmehrunes in https://github.com/AuthGuard/AuthGuard/pull/232

Dependency upgrades by @kmehrunes in https://github.com/AuthGuard/AuthGuard/pull/234

Fix build errors under Java 17 by @kmehrunes in https://github.com/AuthGuard/AuthGuard/pull/239

Full Changelog: https://github.com/AuthGuard/AuthGuard/compare/v0.15.0...v0.16.0
Source code(tar.gz)
Source code(zip)
mongo-standard-standalone.jar(39.54 MB)
postgres-standard-standalone.jar(51.01 MB)
v0.15.0(May 22, 2022)
What's Changed

Accounts and credentials are now a single entity

Auth clients can no longer create create more than a single username identifier

Email and phone number identifiers are now automatically linked to their account email and phone number, updating the field also updates the linked identifier

Full Changelog: https://github.com/AuthGuard/AuthGuard/compare/v0.14.0...v0.15.0
Source code(tar.gz)
Source code(zip)
mongo-standard-standalone.jar(39.58 MB)
mysql-standard-standalone.jar(53.95 MB)
postgres-standard-standalone.jar(51.05 MB)
v0.14.0(May 12, 2022)
What's Changed

Support for reading JWT keys from environment variable

Require API key requests to specify the key type

Use Snowflake IDs instead of UUIDs

Make OTP and passwordless messages readable when printed

Full Changelog: https://github.com/AuthGuard/AuthGuard/compare/v0.13.0...v0.14.0
Source code(tar.gz)
Source code(zip)
mongo-standard-standalone.jar(39.57 MB)
mysql-standard-standalone.jar(53.94 MB)
postgres-standard-standalone.jar(51.04 MB)
v0.13.0(Apr 20, 2022)
New /auth/refresh endpoint instead of having to refresh using /auth/exchange

Action tokens now depend on OTP being defined explicitly in the config

Source code(tar.gz)
Source code(zip)
mongo-standard-standalone.jar(34.75 MB)
mysql-standard-standalone.jar(49.12 MB)
postgres-standard-standalone.jar(46.22 MB)
v0.12.1(Feb 1, 2022)

Fixed an issue with a dependency fiasco when SMS providers are not enabled.
Source code(tar.gz)
Source code(zip)
mongo-standard-0.12.1-standalone.jar(34.30 MB)
mysql-standard-0.12.1-standalone.jar(48.67 MB)
postgres-standard-0.12.1-standalone.jar(45.77 MB)
v0.12.0(Jan 25, 2022)
Password versioning

Multi-tenancy (FINALLY)

Few dependency upgrades

Source code(tar.gz)
Source code(zip)
mongo-standard-0.12.0-standalone.jar(34.30 MB)
mysql-standard-0.12.0-standalone.jar(48.67 MB)
postgres-standard-0.12.0-standalone.jar(45.77 MB)
v0.11.0(Dec 23, 2021)
Few fixes for social login with OAuth and OpenID Connect

Support creating accounts upon successful OIDC login

Tidier structure of token senders; now they are split across email and SMS extensions

Support for single-step password reset without a reset token

Support for expiring credentials

Bug fix for RxJava subscribers

Bug fix for authentication of inactive accounts with active credentials

Source code(tar.gz)
Source code(zip)
mongo-standard-0.11.0-standalone.jar(34.09 MB)
mysql-standard-0.11.0-standalone.jar(48.47 MB)
postgres-standard-0.11.0-standalone.jar(45.57 MB)
v0.10.0(Nov 24, 2021)
LDAP integration bug fixes

Action tokens

BOM now includes Javalin version for routes

Source code(tar.gz)
Source code(zip)
mongo-standard-0.10.0-standalone.jar(34.00 MB)
mysql-standard-0.10.0-standalone.jar(48.37 MB)
postgres-standard-0.10.0-standalone.jar(45.47 MB)
v0.9.0(Oct 17, 2021)
Support reading config values from system properties or environment variables

New endpoint to verify an API key without having to call the exchange endpoint

Simpler password reset flow

Added the source (the step that was taken to generate a token) to access tokens and sessions

Added user agent information to the session

A new endpoint to replace an identifier instead of performing two updates

Updated auth client permissions

Added the option to have default roles which are granted automatically

New endpoints to check if credentials and account emails exist

Token TTL was added to the tokens to let the clients know for how long the tokens will be valid

Misc bug fixes

Security vulnerabilities fixes

Few package updates

Source code(tar.gz)
Source code(zip)
mongo-standard-0.9.0-standalone.jar(33.98 MB)
mysql-standard-0.9.0-standalone.jar(48.36 MB)
postgres-standard-0.9.0-standalone.jar(45.46 MB)
v0.8.0(Aug 7, 2021)

Source code(tar.gz)
Source code(zip)
mongo-standard-0.8.0-standalone.jar(32.87 MB)
mysql-standard-0.8.0-standalone.jar(47.24 MB)
postgres-standard-0.8.0-standalone.jar(44.35 MB)
v0.7.0(Jun 15, 2021)
Upgraded versions of few libraries

Added a standard plugin to send passwordless tokens

Added missing exchanges for OTP and passwordless

Binding of email and SMS providers is enabled explicitly instead of depending on the presence of other properties

Made configuration and initialization error reporting more readable

Source code(tar.gz)
Source code(zip)
v0.6.1(May 29, 2021)

Minor build fix for GitHub actins
Source code(tar.gz)
Source code(zip)
v0.6.0(May 16, 2021)
Generate both ID and access tokens in a single request (part of the greater full OpenID Connect support)

Add optional token encryption using AES (only CBC at the moment) or elliptic curve

Minor refactoring

Source code(tar.gz)
Source code(zip)
v0.5.0(Apr 16, 2021)
The second release of the AuthGuard Kernel.

Name and phone number are now added to the account information

Endpoints to update certain fields of accounts were replaced with a single PATCH endpoint

We added endpoints for managing API keys beyond just generating them

API keys are now hashed with blake2b

Exchanges are now bound (injected) only if they're allowed by the configuration

ZonedDateTime was a hassle, we now consistently use OffsetDateTime instead

A new default Logback configuration

Source code(tar.gz)
Source code(zip)
0.3.0(Mar 28, 2021)

The first official release
Source code(tar.gz)
Source code(zip)