Releases · go-authgate/authgate · GitHub

23 Jun 02:59

v0.36.0 Latest

Latest

Changelog

Features

6f18b38: feat(templates): display RFC 8707 allowed resources in admin client views (@appleboy)
ae593b4: feat(audit): OAuth client update diff logging with expandable UI (#256) (@appleboy)
aa2da58: feat(templates): show allowed resources on user app detail page (@appleboy)
67aa63f: feat(middleware): add rate limiting to /.well-known/* endpoints (@appleboy)
c9d852a: feat(templates): show token lifetime on client detail pages (@appleboy)
5abedae: feat(admin): show authorized user count on clients list (#257) (@appleboy)
11137d5: feat(templates): move remember-me checkbox above OAuth buttons with default checked (#259) (@appleboy)
40b629b: feat(audit): add client_name to all audit log entries with client_id (#260) (@appleboy)
98226eb: feat(admin): allow admins to reassign OAuth client owner (#262) (@appleboy)

Bug fixes

13e50c8: fix(oauth): handle provider error param in callback (#250) (@appleboy)
e89238c: fix(store): use ILIKE on PostgreSQL for case-insensitive search (@appleboy)
e1f1023: fix(middleware): record client IP in rate limit audit log (@appleboy)

Refactor

dae4f42: refactor(templates): remove allowed resources column from client list (@appleboy)
e5d4861: refactor(middleware): let buildAuditLog fill ActorIP automatically (@appleboy)
8402eec: refactor(handlers): trim whitespace from all query parameters (#261) (@appleboy)

Others

96866f3: test(oauth): dedup callback test boilerplate into doOAuthCallback helper (#251) (@appleboy)
05fd13f: feat(config)!: reject default and weak secrets at startup (#252) (@appleboy)
797962f: style(store): satisfy golangci-lint gofmt and staticcheck (@appleboy)

Contributors

appleboy

Assets 21

authgate-0.36.0-darwin-amd64

sha256:f5a0aabbeb40f10005fcb13db76f00c1e01eb2ab9d1a9b560c4dd8f699b20d84

59 MB 2026-06-23T02:59:32Z
authgate-0.36.0-darwin-amd64.xz

sha256:058f7ba1838880150f2bf333aa1c2e9b3b4b9389c33ac32b9dc607398d6f22b9

11.6 MB 2026-06-23T02:59:41Z
authgate-0.36.0-darwin-arm64

sha256:7cb7c2774feab7a7598ded1ac242757b50df8dcfbaad28546e177591fa4afb46

56.4 MB 2026-06-23T02:59:32Z
authgate-0.36.0-darwin-arm64.xz

sha256:b687fad64dba1ea726810e5fd1155306136b78818d52eca9b4757fdd110e8557

10.4 MB 2026-06-23T02:59:41Z
authgate-0.36.0-freebsd-amd64

sha256:fb6f172845dfd429add3bce47a66a66717ae7be90aae3f74acdff17044cd4829

57.8 MB 2026-06-23T02:59:37Z
authgate-0.36.0-freebsd-amd64.xz

sha256:ceeb0a5f1ba893ce1b1cb1e0f7c2a560c3f1278c1b09ae9b677ec8d7deace2fe

11.4 MB 2026-06-23T02:59:43Z
authgate-0.36.0-linux-amd64

sha256:9711983960425e825017fb256be21368e250bc3933bf5d4c4e3c338269d9375a

57.9 MB 2026-06-23T02:59:37Z
authgate-0.36.0-linux-amd64.xz

sha256:3e2903f8d229280c4b1609279a8a40e50159b1a9f3cecf37e3dfbc07c2dc1e59

11.4 MB 2026-06-23T02:59:42Z
authgate-0.36.0-linux-arm-5

sha256:2118e5069ecaa8e7de43c23b02de64b2bb780e4a626e1f5be441026391362cb5

54.9 MB 2026-06-23T02:59:32Z
authgate-0.36.0-linux-arm-5.xz

sha256:4bbbd7028cac1b1e194564b2fe174fe09b3f909e72862ae0d8961c9ce482f045

9.86 MB 2026-06-23T02:59:44Z
Source code (zip)

2026-06-22T14:50:59Z
Source code (tar.gz)

2026-06-22T14:50:59Z

16 Jun 05:43

v0.35.0

Changelog

Features

449e2a9: feat(templates): add admin-access notice to login page (#244) (@appleboy)
7cf860b: feat(authorizations): add pagination and search to listing pages (#246) (@appleboy)
1913a6e: feat(oauth): surface resource indicator rejection reasons (#248) (@appleboy)
99a7247: feat(templates): display timestamps in browser local timezone (@appleboy)
5862836: feat(oauth): add origin-locked path-prefix redirect_uri matching (#249) (@appleboy)

Bug fixes

24ced49: fix(middleware): render error pages via templ to avoid 500 (#247) (@appleboy)

Enhancements

74585b8: chore(deps): bump module dependencies (@appleboy)
3d6f7dc: chore: add docker-compose for local single-node deployment (@appleboy)

Build process updates

149dc47: ci: bump codecov/codecov-action from 6 to 7 (@appleboy)

Documentation updates

d3963b0: docs(config): document session and remember me env vars (#243) (@appleboy)

Contributors

appleboy

Assets 21

08 Jun 03:53

v0.34.0

Changelog

Features

862e2d7: feat(templates): integrate brand logo and favicons (#237) (@appleboy)
1703254: feat(templates): refresh brand logos with new blue palette (@appleboy)
c74947e: feat(apps): add authorized users page for app owners (#238) (@appleboy)

Bug fixes

7db8599: fix(oidc): drop unimplemented read/write scopes from discovery (#240) (@appleboy)

Refactor

beed71f: refactor(token): collapse token provider to concrete type (#235) (@appleboy)

Documentation updates

bc6e74d: docs(readme): add slides deck link (#242) (@appleboy)

Others

cae6091: feat(session)!: add active sessions page with remote sign-out (#241) (@appleboy)

Contributors

appleboy

Assets 21

02 Jun 02:33

v0.33.0

Changelog

Features

d90e42a: feat(admin): show full name beside username in client authorizations (#197) (@appleboy)
37a410c: feat(templates): display username with full name across admin views (#232) (@appleboy)
6d772b7: feat(audit): record and display actor full name in audit logs (#233) (@appleboy)

Bug fixes

710499e: fix(swagger): let Swagger UI follow the request origin (#199) (@appleboy)
90ea97e: fix(oauth): make device code and refresh token single-use (#203) (@appleboy)
c9880ed: fix(oauth): re-check user identity on code redemption (#204) (@appleboy)

Refactor

c50c520: refactor: simplify code across packages for clarity (#196) (@appleboy)
aa5c455: refactor: simplify handlers and user service (#200) (@appleboy)

Documentation updates

2e9516b: docs(oauth): surface and document GitLab login support (#195) (@appleboy)

Others

1cda90f: style(admin): widen client authorizations content area (@appleboy)
ad2ae26: feat(oauth)!: default STRICT_REDIRECT_URIS to true (#198) (@appleboy)
5690f9d: fix(oauth)!: prevent device scope escalation and MS account takeover (#201) (@appleboy)
1fc6059: fix(oauth)!: authenticate and authorize clients on refresh grant (#202) (@appleboy)

Contributors

appleboy

Assets 21

21 May 06:41

v0.32.0

Changelog

Features

0c5b680: feat(oauth): enforce HTTPS-or-loopback redirect URIs via STRICT_REDIRECT_URIS (#192) (@appleboy)

Documentation updates

e3cc642: docs(readme): surface MCP-grade security highlights (#191) (@appleboy)

Others

3d79b22: feat(oauth)!: enforce per-client resource allowlist (RFC 8707) (#193) (@appleboy)

Contributors

appleboy

Assets 21

17 May 14:37

v0.31.0

Changelog

Features

c8a79aa: feat(swagger): gate Swagger UI on ENABLE_SWAGGER instead of ENVIRONMENT (#188) (@appleboy)
4ffb6cd: feat(swagger): hide Swagger UI links when ENABLE_SWAGGER=false (#189) (@appleboy)
d17bf60: feat(oauth): add MCP / RFC 8707 + RFC 8414 compatibility (#187) (@appleboy)

Refactor

6ebdf57: refactor(swagger): thread SwaggerEnabled through NavbarProps via middleware (@appleboy)

Documentation updates

46d7ca3: docs(integrator): document RFC 8707 / RFC 8414 / MCP audience binding (#190) (@appleboy)

Contributors

appleboy

Assets 21

12 May 08:57

v0.30.0

Changelog

Features

8bec493: feat(admin): support user UUID search on admin users list (#185) (@appleboy)
83265e0: feat(auth): derive Microsoft username from on-prem AD sAMAccountName (#186) (@appleboy)

Enhancements

53c59ed: chore(deps): bump jackc/pgx/v5 to v5.9.2 for security fix (@appleboy)
09e5478: chore(deps): bump go directive to 1.25.10 (@appleboy)
4e54086: chore(deps): bump module dependencies (@appleboy)

Build process updates

7c5874d: ci: enable check-latest for setup-go to pick up new patches (@appleboy)

Contributors

appleboy

Assets 21

05 May 06:49

v0.29.0

Changelog

Features

06d6ce1: feat(auth): apply remember-me to third-party OAuth logins (#176) (@appleboy)
db92cda: feat(token): inject audience, project, and service_account claims (#177) (@appleboy)
ffaa80b: feat(token): support caller-supplied extra JWT claims (#178) (@appleboy)
0f5ae17: feat(token): emit server-attested domain claim from JWT_DOMAIN (#181) (@appleboy)
d5d28de: feat(token): emit server-attested uid claim from User.Username (#184) (@appleboy)

Bug fixes

0c1c417: fix(oidc): advertise all emitted JWT claims in discovery metadata (#179) (@appleboy)
1e0e432: fix(oidc): drop non-OIDC claims from discovery metadata (#180) (@appleboy)

Build process updates

5d66e0b: ci: bump trivy-action from v0.35.0 to v0.36.0 (@appleboy)

Documentation updates

a911da2: docs(env): document JWT_AUDIENCE in env example (@appleboy)
78300a2: docs(readme): align jwks endpoint row in api table (@appleboy)

Others

b2dc884: feat(token)!: namespace server-attested private claims under JWT_PRIVATE_CLAIM_PREFIX (#182) (@appleboy)

Contributors

appleboy

Assets 21

24 Apr 07:30

v0.28.0

Changelog

Features

08ac32f: feat(token): add per-client token lifetime profiles (#168) (@appleboy)
f0edb27: feat(docs): add Traditional Chinese translations with path-based locale routing (#170) (@appleboy)
4dbe23d: feat(docs): drive navbar docs dropdown from DocsMeta (@appleboy)
5f22002: feat(token): support inline JWT private key via JWT_PRIVATE_KEY_PEM (#175) (@appleboy)

Bug fixes

6ca46d6: fix(docs): populate docs nav entries on login page (#171) (@appleboy)

Documentation updates

ecbdbb1: docs: refresh project structure and document recent features (@appleboy)
8dfd812: docs: rewrite developer docs for integrator audience (#169) (@appleboy)
cc799a1: docs(swagger): hide favicon endpoint from swagger UI (@appleboy)
62b1787: docs(readme): use make instead of make build in build steps (#174) (@appleboy)

Contributors

appleboy

Assets 21

19 Apr 13:30

v0.27.0

Changelog

Features

b27659e: feat(store): set full name for seed admin account (@appleboy)
a4e763c: feat(server): support optional HTTPS via TLS cert/key env vars (#165) (@appleboy)
054fcf9: feat(oidc): persist and expose email_verified from OAuth providers (#166) (@appleboy)
1e42045: feat(admin): support newline input for redirect URIs via tag picker (#167) (@appleboy)

Contributors

appleboy

Assets 21