Releases: bodaay/SimpleAuth

SimpleAuth v1.0.3

19 Apr 17:37

Two major additions: a shared SSO session cookie for multi-app deployments, and an authoritative samaccountname JWT claim with AD-identity self-healing. This release also documents the Docker Compose + Postgres healthcheck pattern.

Both features are non-breaking and do not require any DB migration.


✨ Shared SSO Session Cookie (optional, off by default)

A single SimpleAuth instance can now provide seamless SSO across multiple apps — even apps on different subdomains, even iframed — without multi-realm complexity.

How it works:

  • On login (any flow: password / Kerberos / OIDC), SimpleAuth sets a browser cookie (__sa_sso) scoped to its own host only.
  • On subsequent redirects from any app to SimpleAuth, the cookie is validated and fresh tokens are issued immediately — the login page is never shown.
  • Works across different subdomains because apps never see the cookie. Only SimpleAuth does.

Behavior:

  • Idle TTL (default 8h, configurable): bumped every time the user hits SimpleAuth. Active users stay signed in indefinitely (up to max).
  • Absolute max TTL (default 720h / 30 days, configurable): hard cap regardless of activity.
  • Single-logout: GET /sauth/logout destroys the cookie + session row. POST /sauth/realms/{realm}/protocol/openid-connect/logout with an id_token_hint kills every session for that user across every browser.
  • Admin revocation: DELETE /api/admin/users/{guid}/sessions now kills shared SSO sessions too.
  • Self-expiry: expired sessions cleaned hourly.

Security:

  • HttpOnly + Secure (when TLS) + SameSite=Strict (TLS) / Lax (HTTP). Strict means the browser attaches the cookie only to same-site requests, so the fast-path covers apps on subdomains of the same registrable domain as SimpleAuth; a redirect arriving from a different registrable domain carries no cookie and falls back to the normal login page.
  • 256-bit session IDs from crypto/rand
  • Every resolve re-checks: user exists, not disabled, not admin-revoked
  • Cookie is host-only (no Domain= attribute) — cannot leak to parent domain
  • Redirect URI allowlist still enforced on the fast-path

Enable:

AUTH_ENABLE_SESSION_SSO=true
AUTH_SESSION_SSO_IDLE_TTL=8h       # optional, default 8h
AUTH_SESSION_SSO_MAX_TTL=720h      # optional, default 30 days

Or toggle from the admin UI → Settings → Single Sign-On.

See docs/CONFIGURATION.md#shared-sso-session-cookie for the full security table and operational guidance.


🆔 Authoritative samaccountname JWT Claim

For apps that use SimpleAuth for authentication only and maintain their own role/permission tables, email and preferred_username are not reliable identity keys in AD-heavy environments:

  • AD admins reuse one email address across several role accounts
  • Kerberos principals can be UPN-shaped, making preferred_username a misleading user@domain string instead of the real jsmith
  • This broke authz lookups in many production integrations

New JWT claim: samaccountname

  • Populated from the LDAP sAMAccountName attribute on every successful LDAP or Kerberos auth
  • Stable across email/UPN/display-name changes in AD
  • Absent for local (non-AD) users — fall back to preferred_username or sub
  • Emitted by all token flows: access token, refresh, impersonate, OIDC authorize/token
  • Also present in /api/auth/userinfo and OIDC /userinfo responses

Kerberos JIT provisioning fixed:

  • JIT now uses the authoritative sAMAccountName from the LDAP search result as the primary identity mapping, with the Kerberos cname as a secondary key.
  • Duplicate-account bug fixed: when Kerberos cname ≠ sAMAccountName, we no longer silently create a new user on every login.

Self-healing (zero-op migration):

  • Existing users whose JWTs previously had wrong preferred_username values automatically get the correct samaccountname claim on their next login — no admin action, no DB migration, no downtime.
  • Old mappings are preserved; new mappings are added opportunistically.

App migration:
Apps that key their internal authz tables on user identity should switch their lookup key from email to samaccountname. Zero code changes required on SimpleAuth's side; apps update at their own pace.
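The lookup rule described above, as an added Go example (not SimpleAuth's code or one of its SDKs): it decodes the claims from a verified token payload or a /userinfo body, keys on samaccountname when present and on sub otherwise, and runs constructed payloads through a toy role table to show why an email key goes wrong. The Claims struct, the "ad:" / "local:" key prefixes, the role table and all sample values are assumptions made for the example; signature verification is assumed to have happened before ParseClaims is called.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of SimpleAuth token/userinfo fields this example uses.
// The JWT is assumed to have been signature-verified before its payload gets
// here; verification is out of scope for this example.
type Claims struct {
	Sub               string `json:"sub"`
	Email             string `json:"email"`
	PreferredUsername string `json:"preferred_username"`
	SAMAccountName    string `json:"samaccountname"`
}

// ErrNoIdentity is returned when a token carries neither samaccountname nor sub.
var ErrNoIdentity = errors.New("token carries neither samaccountname nor sub")

// ParseClaims decodes a verified JWT payload or a /userinfo response body.
func ParseClaims(payload []byte) (Claims, error) {
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, err
	}
	return c, nil
}

// IdentityKey returns the string an app should key its own authz tables on.
// AD users are keyed on samaccountname, case-folded because sAMAccountName is
// case-insensitive in AD; local users (no samaccountname) fall back to sub.
// The "ad:" / "local:" prefixes are this example's convention so a local user
// can never alias an AD account that happens to share the same identifier.
func IdentityKey(c Claims) (string, error) {
	if s := strings.TrimSpace(c.SAMAccountName); s != "" {
		return "ad:" + strings.ToLower(s), nil
	}
	if c.Sub != "" {
		return "local:" + c.Sub, nil
	}
	return "", ErrNoIdentity
}

// Roles is a toy authz table keyed by IdentityKey (constructed for the example).
var Roles = map[string][]string{
	"ad:jsmith":    {"editor"},
	"ad:svc-build": {"ci"},
	"local:9f3":    {"admin"},
}

// RolesFor resolves the roles for a token; an unknown key yields no roles.
func RolesFor(c Claims) ([]string, error) {
	key, err := IdentityKey(c)
	if err != nil {
		return nil, err
	}
	return Roles[key], nil
}

func main() {
	// Constructed payloads: the same AD user after a password login and after a
	// Kerberos login (UPN-shaped preferred_username), a role account that
	// shares jsmith's email address, and a local user with no samaccountname.
	// Keyed on email, svc-build would inherit jsmith's roles; keyed on
	// samaccountname it does not, and both of jsmith's tokens map to one key.
	payloads := []string{
		`{"sub":"1","email":"jsmith@corp.example","preferred_username":"jsmith","samaccountname":"jsmith"}`,
		`{"sub":"1","email":"jsmith@corp.example","preferred_username":"jsmith@CORP.EXAMPLE","samaccountname":"JSmith"}`,
		`{"sub":"2","email":"jsmith@corp.example","preferred_username":"svc-build","samaccountname":"svc-build"}`,
		`{"sub":"9f3","email":"ops@corp.example","preferred_username":"ops"}`,
	}
	for _, p := range payloads {
		c, err := ParseClaims([]byte(p))
		if err != nil {
			fmt.Println("bad payload:", err)
			continue
		}
		key, _ := IdentityKey(c)
		roles, _ := RolesFor(c)
		fmt.Printf("%-22s email=%-20s key=%-14s roles=%v\n", c.PreferredUsername, c.Email, key, roles)
	}
}
```

The case-folding matters because Kerberos and LDAP can return the same account with different casing; the sub fallback rather than preferred_username is a choice (the notes allow either), made because sub does not change when a UPN is reshaped.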

See docs/API.md — authn-only app pattern for the full guidance.


📖 Documentation

New: Docker Compose + Postgres healthcheck pattern

Previously undocumented: when Postgres is the backend, SimpleAuth must wait for Postgres to be healthy before starting. Without a proper healthcheck plus depends_on: condition: service_healthy, SimpleAuth retries 5× and then refuses to start (behaviour since v1.0.2). This release documents the correct pattern in full in docs/DEPLOYMENT-GUIDE.md, including a "why all three pieces matter" table.
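The pattern in a Compose file, as an added example that is not copied from docs/DEPLOYMENT-GUIDE.md: the postgres service carries a healthcheck, and SimpleAuth declares depends_on with condition: service_healthy so Compose holds it back until the check passes. The image tag and the AUTH_* variables are the ones shown on this page; SimpleAuth's Postgres connection variables are not named here, so they appear only as a placeholder comment, and the database credentials are dummy values.

```yaml
# docker-compose.yml (added example; not the project's own file)
services:
  postgres:
    image: postgres:16
    environment:
      POSTGRES_USER: simpleauth
      POSTGRES_PASSWORD: change-me        # dummy value for the example
      POSTGRES_DB: simpleauth
    volumes:
      - pgdata:/var/lib/postgresql/data
    healthcheck:
      # pg_isready ships with the postgres image; $$ keeps the $ for the
      # container shell so the variables expand inside the container.
      test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
      interval: 5s
      timeout: 3s
      retries: 10
      start_period: 10s

  simpleauth:
    image: bodaay/simpleauth:1.0.3
    ports:
      - "8080:8080"
    environment:
      AUTH_HOSTNAME: auth.example.com
      AUTH_REDIRECT_URIS: https://myapp.example.com/callback
      # Postgres backend connection settings go here; the exact variable
      # names are in docs/CONFIGURATION.md and are not reproduced on this page.
    depends_on:
      postgres:
        # The short form "depends_on: [postgres]" only orders container start
        # and does not wait for readiness; with it, SimpleAuth retries 5x
        # against a database that is still initialising and then exits.
        condition: service_healthy

volumes:
  pgdata:
```

Tune interval, retries and start_period to how long your Postgres takes to accept connections after a cold start; the condition only helps if the healthcheck itself can fail long enough to cover that window.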

Complete JWT Claims Reference

docs/API.md now has a full claim-by-claim table showing which fields come from LDAP (with attribute names), which are SimpleAuth-owned, and which are OIDC-only — including a minimal-claims example for the "LDAP returned nothing" case.

Config reference updated

New env vars (AUTH_ENABLE_SESSION_SSO, AUTH_SESSION_SSO_IDLE_TTL, AUTH_SESSION_SSO_MAX_TTL) documented in README, CONFIGURATION.md, and DEPLOYMENT-GUIDE.md.


⬆️ Upgrade

Drop-in replacement for v1.0.2. No action required.

  • Existing tokens remain valid.
  • Existing users remain logged in.
  • New claims (samaccountname) start appearing on the next login — apps can adopt them incrementally.
  • Session SSO is off by default — no behavior change unless you enable it.
  • No DB migration needed for either feature.

Docker:

docker pull bodaay/simpleauth:1.0.3

Binary:
Download the appropriate binary below and replace your existing simpleauth. Restart the service.


Full Changelog: v1.0.2...v1.0.3

SimpleAuth v1.0.2

08 Apr 16:56

Documentation overhaul — AI-agent-proof integration guide.

What's New

  • Integration Guide in README — explains JWT, redirect URIs, CORS, base path from scratch. Three complete login flows with full curl examples.
  • Deployment Guide (new doc) — reverse proxy setup, wildcard security risks, first-login user provisioning pattern, Kerberos SSO flow, token lifecycle, production checklist.
  • SDK Important boxes — every SDK README now starts with the 3 things you must know (15-min TTL, /sauth base path, AdminKey).
  • All examples use environment variable fallbacks for SimpleAuth URL.

Why

Multiple AI agents and developers failed to integrate because the docs assumed OAuth2 knowledge, had incomplete URLs, and omitted required parameters. This release fixes that: every URL is full, every parameter is explained, every response is shown.

Upgrade

Drop-in replacement for v1.0.1. No code changes.

Full Changelog: v1.0.1...v1.0.2

SimpleAuth v1.0.1

06 Apr 04:31

Patch release — fixes CSRF cookie not being set on TLS-disabled deployments (behind reverse proxy).

Fix

  • CSRF Secure flag now driven by TLSDisabled config instead of hardcoded true
  • SameSite relaxed to Lax when running plain HTTP behind a reverse proxy
  • Without this fix, browsers refused to store the Secure-flagged CSRF cookie delivered over plain HTTP, so it was never sent back on the login form POST and the login form broke
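The same attribute rule applies to this CSRF fix and to the __sa_sso cookie in v1.0.3 (Secure + Strict on TLS, not Secure + Lax on plain HTTP, host-only, HttpOnly, 256-bit IDs from crypto/rand). The Go program below is an added example, not SimpleAuth's own code: it builds such a cookie from a tlsDisabled flag, generates a 256-bit session ID, and uses the standard library's net/http/cookiejar, which like browsers returns Secure cookies only over https, to show why the hardcoded-Secure cookie never came back over plain HTTP. The function names, the __csrf cookie name, the /sauth cookie path and the hostnames are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// sessionCookie builds a host-only (no Domain attribute), HttpOnly cookie whose
// Secure and SameSite attributes follow the deployment's TLS setting, as the
// v1.0.1 CSRF fix and the v1.0.3 __sa_sso notes describe: Secure + Strict on
// TLS, not Secure + Lax on plain HTTP. Example code, not SimpleAuth's own.
func sessionCookie(name, value string, tlsDisabled bool) *http.Cookie {
	c := &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/sauth", // assumed: the v1.0.0 default base path
		HttpOnly: true,
		Secure:   !tlsDisabled,
		SameSite: http.SameSiteStrictMode,
	}
	if tlsDisabled {
		c.SameSite = http.SameSiteLaxMode
	}
	return c
}

// newSessionID returns a 256-bit identifier from crypto/rand as unpadded
// base64url (43 characters).
func newSessionID() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// cookieRoundTrips stores c as if a browser had received it from rawURL and
// reports whether that browser would send it on the next request to the same
// URL. Go's cookiejar applies the browser rule that matters here: a Secure
// cookie is returned only over https. (The jar does not model SameSite.)
func cookieRoundTrips(c *http.Cookie, rawURL string) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, err
	}
	jar, err := cookiejar.New(nil)
	if err != nil {
		return false, err
	}
	jar.SetCookies(u, []*http.Cookie{c})
	for _, got := range jar.Cookies(u) {
		if got.Name == c.Name {
			return true, nil
		}
	}
	return false, nil
}

func sameSiteName(s http.SameSite) string {
	if s == http.SameSiteStrictMode {
		return "Strict"
	}
	return "Lax"
}

func main() {
	// Plain HTTP behind a reverse proxy. Before v1.0.1 the CSRF cookie had
	// Secure hardcoded on, which is what the first case reproduces.
	loginURL := "http://auth.example.com/sauth/login"
	for _, tc := range []struct {
		label       string
		tlsDisabled bool
	}{{"Secure hardcoded (pre-1.0.1)", false}, {"Secure follows TLSDisabled", true}} {
		c := sessionCookie("__csrf", "tok", tc.tlsDisabled) // cookie name assumed
		ok, _ := cookieRoundTrips(c, loginURL)
		fmt.Printf("%-28s returned over HTTP=%-5v Secure=%-5v SameSite=%s\n",
			tc.label, ok, c.Secure, sameSiteName(c.SameSite))
	}
	// The shared SSO cookie on a TLS deployment: Secure, Strict, host-only.
	id, _ := newSessionID()
	sso := sessionCookie("__sa_sso", id, false)
	ok, _ := cookieRoundTrips(sso, "https://auth.example.com/sauth/")
	fmt.Printf("__sa_sso over HTTPS: returned=%v idLen=%d Domain=%q\n", ok, len(id), sso.Domain)
}
```

Running it shows the hardcoded-Secure cookie is never returned over http while the TLSDisabled-aware one is, and that the SSO cookie on https comes back with no Domain attribute, which is what keeps it from reaching a parent domain.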

Upgrade

Drop-in replacement for v1.0.0. No config changes needed.

SimpleAuth v1.0.0

03 Apr 08:12

Choose a tag to compare

SimpleAuth v1.0.0

The simplest way to add authentication to any app.

Single binary · 10MB · Zero dependencies · Full Kerberos SSO · Standard OIDC provider

What's New

  • OIDC is first-class — standard OpenID Connect provider with discovery, authorization code flow, token endpoint, userinfo
  • Auto-SSO — configurable countdown animation with cancel button
  • PostgreSQL support — migrate from BoltDB via Admin UI, switch backends with one click
  • Runtime settings — redirect URIs, CORS, password policy, rate limiting all manageable from Admin UI
  • Token revocation — access tokens can be revoked immediately (blacklist)
  • Linux SSO script — auto-configures krb5.conf + browser policies for all major browsers
  • Security hardened — timing-safe admin key, CSRF on login forms, rate limit bypass fix, open redirect fix
  • Branding guide aligned — consistent dark/light themes across all pages

Breaking Changes from v0.x

  • Default base path changed to /sauth (set AUTH_BASE_PATH="" for root)
  • Default access token TTL changed to 15 minutes (set AUTH_JWT_ACCESS_TTL=8h for old behavior)
  • Empty redirect URIs list now rejects all redirects (set AUTH_REDIRECT_URIS explicitly)
  • Trusted proxies default to trust none (set AUTH_TRUSTED_PROXIES if behind reverse proxy)
  • ClientID, ClientSecret, Realm removed from all SDKs

Docker

docker load -i simpleauth.tar
docker run -d -p 8080:8080 \
  -e AUTH_HOSTNAME=auth.example.com \
  -e AUTH_REDIRECT_URIS=https://myapp.example.com/callback \
  -v simpleauth-data:/data \
  simpleauth

Admin UI at https://<hostname>/sauth/admin

v0.8.1

03 Apr 07:20

Full Changelog: v0.8.0...v0.8.1

v0.8.0

03 Apr 07:04

Full Changelog: v0.7.6...v0.8.0

v0.7.6

02 Apr 21:52

Full Changelog: v0.7.5...v0.7.6

v0.7.5

02 Apr 20:43

Full Changelog: v0.7.4...v0.7.5

v0.7.4

02 Apr 20:34

Full Changelog: v0.7.3...v0.7.4

v0.7.3

02 Apr 20:29

Full Changelog: v0.7.2...v0.7.3