2.0.x Release Notes

This page summarizes the major changes in the 2.0 line relative to the release/1.11 branch baseline.

Nauthilus 2.0 is a major platform release that introduces a native IdP stack (OIDC + SAML), new MFA/WebAuthn capabilities, expanded OAuth/OIDC standards coverage, and additional security/runtime safeguards.

2.0.1

Fixed

  • Released v2.0.1 because the stable Dockerfile was missing a required symlink.

2.0.0

Breaking Changes

Removed

  • SASLAuthd support was removed.
  • Hydra-specific code and static assets were removed.
  • Brute-force cold-start grace logic was removed (cold_start_grace_enabled, cold_start_grace_ttl, bf:cold:*, bf:seed:*).

Changed

  • Lua hook payload semantics changed from roles to scopes.
  • Endpoint and flow naming changed from 2FA to MFA.
  • Toolchain baseline changed to Go 1.26.
  • Brute-force persistence changed from hash-based blocking to dedicated ban keys with TTL (ban_time).
  • Redis key naming was normalized to lowercase in multiple areas.
  • In the native IdP Authorization Code flow introduced with 2.0, PKCE requires S256 (no plain method).
  • In the native IdP scope model introduced with 2.0, legacy user_info scope semantics are not used.
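As an added illustration of the S256 requirement (this is not code from the Nauthilus project), the POSIX shell functions below generate a code_verifier, derive the S256 code_challenge exactly as RFC 7636 specifies, and assemble the authorization request with code_challenge_method=S256. The authorization endpoint URL, client_id and redirect_uri are placeholders passed on the command line; the script assumes openssl, base64 and tr are installed.

```shell
#!/bin/sh
# Added example, not part of the Nauthilus code base. Shows what a client of the
# 2.0 native IdP must send: a PKCE S256 challenge (RFC 7636). Requires openssl,
# base64 and tr. Authorization endpoint, client_id and redirect_uri are
# placeholders supplied as arguments.

# base64url without padding, the encoding RFC 7636 uses for verifier and challenge.
b64url() {
  base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='
}

# code_verifier: 32 random bytes -> 43-character base64url string (the RFC minimum length).
pkce_verifier() {
  openssl rand 32 | b64url
}

# code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
pkce_challenge() {
  printf '%s' "$1" | openssl dgst -sha256 -binary | b64url
}

# Percent-encode a query parameter value; unreserved characters are left as-is.
urlencode() {
  s="$1"; out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Build the authorization request. code_challenge_method is hard-wired to S256
# because the 2.0 IdP rejects the "plain" method; there is deliberately no switch for it.
authorize_url() {
  endpoint="$1"; client_id="$2"; redirect_uri="$3"; verifier="$4"; state="$5"
  printf '%s?response_type=code&client_id=%s&redirect_uri=%s&scope=openid&state=%s&code_challenge=%s&code_challenge_method=S256\n' \
    "$endpoint" "$(urlencode "$client_id")" "$(urlencode "$redirect_uri")" \
    "$(urlencode "$state")" "$(pkce_challenge "$verifier")"
}

# Stand-alone usage: sh pkce.sh <authorize-endpoint-url> <client_id> <redirect_uri>
if [ "$#" -eq 3 ]; then
  verifier=$(pkce_verifier)
  state=$(openssl rand 16 | b64url)
  printf 'code_verifier (keep it client-side; send it with the token request): %s\n' "$verifier"
  authorize_url "$1" "$2" "$3" "$verifier" "$state"
fi
```

The verifier is printed only so that the same process can later present it at the token endpoint; the IdP sees the challenge alone until that exchange. pkce_challenge can be checked against the RFC 7636 Appendix B test vector (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk yields challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM).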

Brute-Force Redis Keyspace Changes

  • Legacy block hash key "<prefix>BRUTEFORCE" was removed and replaced by per-network ban keys "<prefix>bf:ban:<network>" plus sharded index keys "<prefix>bf:bans:<0..F>".
  • RWP allowance storage changed: same prefix family (bf:rwp:allow:), but algorithm changed from set-based RWPAllowSet to sliding-window (RWPSlidingWindowCheck/RWPSlidingWindowCommit).
  • Toleration key prefix changed: "<prefix>bf:TR:{...}" -> "<prefix>bf:tr:{...}".
  • Base Redis key constants changed casing: USER -> user, PW_HIST -> pw_hist, PW_HIST_IPS -> pw_hist_ips, AFFECTED_ACCOUNTS -> affected_accounts.

Migration

  1. For new native IdP integrations in 2.0, configure OIDC Authorization Code clients to send code_challenge_method=S256.
  2. Remove SASLAuthd/Hydra-specific deployment dependencies.
  3. If you used SASLAuthd for Postfix: migrate to pfxhttp, which provides native Dovecot-SASL support for Postfix and can be integrated with Nauthilus via /api/v1/auth/json.
  4. Update Lua scripts from roles to scopes.
  5. Update routes, bookmarks, reverse-proxy rules, and monitoring checks from 2FA paths to MFA paths.
  6. Upgrade CI/local build environments to Go 1.26.
  7. If migrating from 1.11 Hydra-based OIDC setups, revalidate scope/claim mapping, UserInfo behavior, consent, logout, and token lifecycle semantics against the native 2.0 IdP.
  8. Clean up legacy brute-force and history keys in Redis before go-live of 2.0 (at least the old BF/USER/TR/PW_HIST keyspace).
  9. Recheck brute-force rules for explicit ban_time values to match your security policy.

Redis Migration Commands (Example)

Run these commands against the configured Redis logical DB before enabling production traffic on 2.0.

# OPTIONAL (if acceptable in your environment): full cleanup
# redis-cli -n <db> FLUSHDB

# Targeted cleanup of legacy brute-force and history keys:
redis-cli -n <db> --scan --pattern '<prefix>BRUTEFORCE*' | xargs -r -L 500 redis-cli -n <db> UNLINK
redis-cli -n <db> --scan --pattern '<prefix>USER*' | xargs -r -L 500 redis-cli -n <db> UNLINK
redis-cli -n <db> --scan --pattern '<prefix>PW_HIST*' | xargs -r -L 500 redis-cli -n <db> UNLINK
redis-cli -n <db> --scan --pattern '<prefix>AFFECTED_ACCOUNTS*' | xargs -r -L 500 redis-cli -n <db> UNLINK
redis-cli -n <db> --scan --pattern '<prefix>bf:TR:*' | xargs -r -L 500 redis-cli -n <db> UNLINK
redis-cli -n <db> --scan --pattern '<prefix>bf:cold:*' | xargs -r -L 500 redis-cli -n <db> UNLINK
redis-cli -n <db> --scan --pattern '<prefix>bf:seed:*' | xargs -r -L 500 redis-cli -n <db> UNLINK

Notes:

  • Replace <db> with your Redis DB index and <prefix> with the value of server.redis.prefix.
  • UNLINK is preferred over DEL for large keyspaces because it reclaims memory asynchronously and does not block the server.
  • In Redis Cluster, run this against each primary shard, since SCAN only iterates the node it is connected to.
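The commands above are the page's own. The script below is an added example (not Nauthilus project code) that wraps the same cleanup with an audit step first and a classifier that re-checks every key before it reaches UNLINK, so that the case-sensitive legacy patterns from the keyspace table cannot accidentally remove the lowercase 2.0 keys. It assumes redis-cli is on PATH and takes the DB index and prefix as arguments; the prefix nt_ used in the usage note is a constructed sample value.

```shell
#!/bin/sh
# Added example, not part of the Nauthilus project. Dry-run-first cleanup of the
# 1.11 brute-force/history keyspace listed in the 2.0 release notes. Assumes
# redis-cli on PATH. Arguments: audit|cleanup <db> <prefix>.

# Legacy 1.11 patterns that 2.0 no longer uses (taken from the release notes).
legacy_patterns() {
  prefix="$1"
  printf '%s\n' \
    "${prefix}BRUTEFORCE*" "${prefix}USER*" "${prefix}PW_HIST*" \
    "${prefix}AFFECTED_ACCOUNTS*" "${prefix}bf:TR:*" "${prefix}bf:cold:*" "${prefix}bf:seed:*"
}

# Returns 0 if KEY is a legacy 1.11 key that should be removed, 1 otherwise.
# The match is case-sensitive on purpose: 2.0 renamed these keys to lowercase.
is_legacy_key() {
  prefix="$1"; key="$2"
  case "$key" in
    "${prefix}BRUTEFORCE"*|"${prefix}USER"*|"${prefix}PW_HIST"*|"${prefix}AFFECTED_ACCOUNTS"*) return 0 ;;
    "${prefix}bf:TR:"*|"${prefix}bf:cold:"*|"${prefix}bf:seed:"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 if KEY uses a 2.0 name and must survive the migration, 1 otherwise.
is_current_key() {
  prefix="$1"; key="$2"
  case "$key" in
    "${prefix}bf:ban:"*|"${prefix}bf:bans:"*|"${prefix}bf:tr:"*|"${prefix}bf:rwp:allow:"*) return 0 ;;
    "${prefix}user"*|"${prefix}pw_hist"*|"${prefix}affected_accounts"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Count keys per legacy pattern without deleting anything.
audit() {
  db="$1"; prefix="$2"
  legacy_patterns "$prefix" | while IFS= read -r pat; do
    n=$(redis-cli -n "$db" --scan --pattern "$pat" | wc -l | tr -d ' ')
    printf '%8s  %s\n' "$n" "$pat"
  done
}

# Delete legacy keys. Every scanned key is re-checked against both classifiers,
# so a prefix typo or an over-broad pattern cannot unlink 2.0 keys.
cleanup() {
  db="$1"; prefix="$2"
  legacy_patterns "$prefix" | while IFS= read -r pat; do
    redis-cli -n "$db" --scan --pattern "$pat"
  done | while IFS= read -r key; do
    if is_legacy_key "$prefix" "$key" && ! is_current_key "$prefix" "$key"; then
      printf '%s\n' "$key"
    fi
  done | xargs -r -L 500 redis-cli -n "$db" UNLINK
}

case "${1:-}" in
  audit)   audit "$2" "$3" ;;
  cleanup) cleanup "$2" "$3" ;;
esac
```

Run `sh bf-cleanup.sh audit 0 nt_` first and compare the counts with what you expect from 1.11; only then run `sh bf-cleanup.sh cleanup 0 nt_`. In Redis Cluster, run both steps once per primary shard.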

Added

Identity Provider

  • Native OIDC and SAML2 IdP flows as core platform capabilities.
  • SAML SSO/SLO support.
  • OIDC front-channel and back-channel logout support.
  • OIDC key rotation and token introspection endpoint support.

OAuth/OIDC

  • Device Authorization Grant (RFC 8628).
  • OIDC client authentication framework.
  • Token issuance semantics: id_token is issued only when openid is requested.
  • Access-token rotation and invalidation behavior aligned with RFC 6749 intent.
  • Granular localized consent with per-client consent TTL and scope-aware caching.

MFA and WebAuthn

  • Per-client MFA restrictions and require_mfa enforcement.
  • MFA self-service management scope and extended MFA APIs.
  • Recovery codes and recovery-code login paths.
  • WebAuthn capabilities: advanced selection logic, device naming, last-used tracking, and LDAP/WebAuthn workflows.
  • First-factor outcome persistence with HMAC-backed integrity checks.

Security and Operations

  • Privilege drop and chroot support.
  • Stricter session/cookie state handling and cleanup across IdP/MFA flows.
  • Single-use enforcement for device-code verification.
  • Open-redirect protections in logout/verification templates.
  • /healthz endpoint.
  • Optional GET handling for /oidc/token.
  • Additional access-log detail, including explicit OIDC client authentication method.
  • Brute-force bans now expire via ban_time instead of effectively persisting indefinitely in the old BRUTEFORCE hash model.

Tooling and Extensibility

  • OIDC test client support for authorization code, device code, and client credentials flows.
  • SAML/OIDC test clients and PAM module integrations.
  • Extensible config loader support for patching/include resolution.

Changed

Internal Architecture

  • Authentication and authorization flow handling was refactored toward explicit FSM-style transitions.
  • Flow-state and cleanup behavior across IdP/MFA paths was consolidated.
  • Sensitive-data handling was migrated to secret.Value and broader byte-slice usage.
  • Redis/brute-force internals were refactored for sharded key/index behavior and enforcement caching refinements.
  • IdP frontend, Lua integration, and backend service wiring were reorganized for clearer module boundaries.

Upgrade Checklist

  1. Upgrade build/runtime toolchains to Go 1.26.
  2. Configure PKCE S256 for all Authorization Code clients integrated with the native IdP.
  3. Remove SASLAuthd and Hydra operational dependencies.
  4. Update integrations from 2FA naming/paths to MFA naming/paths.
  5. Update Lua hooks (roles -> scopes).
  6. If migrating from Hydra-based OIDC (1.11), re-run integration tests for scope/claim mapping, UserInfo, device flow, introspection, consent, logout, and token lifecycle behavior on the native 2.0 IdP.
  7. Revalidate SAML SP metadata/certificate/attribute mappings.
  8. Run a Redis keyspace migration cleanup (or full Redis flush if acceptable) before switching production traffic to 2.0.