Skip to main content
Version: 1.12

2.1.x Release Notes

This page summarizes the major changes introduced after v2.0.17 and captured in the 2.1 line.

Nauthilus 2.1 focuses on protocol completeness, integration robustness, and operator ergonomics: notably SAML Single Logout support, stronger SAML request validation, improved OIDC behavior, URL-partial-decoded request headers, and more extensible Lua and configuration workflows.

2.1.0

Added

Identity Provider

  • SAML Single Logout request and response handling, including session fanout across participating services.
  • Optional signing support for SAML logout messages.
  • Validation support for signed SAML AuthnRequests.
  • Configurable legal notice and privacy policy links in the IdP footer and login pages.
  • Optional "Forgot password?" link on the login page.
  • Improved localized logout label handling and logout menu rendering.

OAuth/OIDC and Request Processing

  • Improved OIDC metadata discovery and token endpoint handling.
  • URL-partial decoding for incoming request-header values used by Nginx, header-auth, and basic-auth integrations.
  • HTTP request cancellation propagation across the core authentication pipeline and Lua-backed actions.

Lua, Testing, and Operations

  • Configuration validation mode via -config-check for validating configuration and exiting without starting the service.
  • Lua cache-flush hook support through lua.config.cache_flush_script_path and nauthilus_cache_flush(request).
  • Expanded ClickHouse integration with additional exported fields.
  • Reusable Lua builtin helper functions.
  • New Lua backend and action test frameworks with dbmock, plugin unit tests, miniredis, and order-sensitive mock expectations.

Changed

Security and Reliability

  • SAML signature validation is stricter and now includes additional signing configuration checks.
  • Header decoding is more robust through the new URL-partial-decoding path.
  • WebAuthn handling was refined with helper enhancements and an additional submission guard.
  • HTTP request cancellation handling in core and Lua actions was streamlined after the initial integration.

Cleanup and Tooling

  • Removed an unused LDAP WebAuthn credentials filter from configuration handling.
  • Docker workflow OCI annotations were updated for index,manifest.
  • CI guardrails and test coverage were expanded around Lua plugins, Redis-backed tests, and reproducible fixes.

Upgrade Notes

  1. If you use SAML Service Providers, review logout endpoints, bindings, and signing requirements before upgrading to 2.1.
  2. If you integrate Nauthilus via Nginx or header/basic auth, request-header values may now be URL-partially encoded and will be decoded before processing.
  3. If you use cache flush endpoints, you can now add a dedicated Lua cache-flush hook via lua.config.cache_flush_script_path.
  4. Consider adding -config-check to CI or deployment validation steps to fail fast on invalid configurations.