Releases: tumbl3w33d/nexus-oauth2-proxy-plugin

3.0.0

22 Aug 14:42
0c05d20

This release adds support for H2 (instead of OrientDB), which is required for running with Nexus OSS starting from version 3.71.0. See the Nexus release notes and the related DB migration guide.

Note: the DB migration will not migrate the databases of this plugin, and there is no migration logic available. That means you will lose your persisted API tokens, and you need to inform your users that they must fetch new ones from the UI.

2.1.0

11 Jul 14:37
bac9f59

Added an icon for the admin's manage users dropdown.

2.0.2

11 Jun 12:26
e2d8680

Yet another log noise reduction.

2.0.1

11 Jun 10:44
60e88ba

Just reduced some log noise for the common case of local DB users logging in programmatically.

2.0.0

04 Jun 10:20
2c60208

This release changes how the data of users who signed in via OAuth2 Proxy is stored in Nexus.

Before, the plugin tried to be smart by recycling the Nexus local DB. That worked to some extent but had two major drawbacks:

  • you were not able to distinguish between "real" local users and those who came via proxy (source attribute was default for both)
  • you needed to prefix your role names with idp- (again in order to distinguish because the source could not be properly persisted)

It was simply not possible to make use of the source attribute of users and roles because it gets overwritten in several places in internal Nexus code.

Now there is a dedicated OrientDB database for all purposes of this plugin. It also allows for a separate API token store for the user, which means the original password field does not need to be abused anymore. The hashing is done the same way as it is done for the original password file, though, so no clear text tokens are stored.

Programmatic access is now handled by the plugin itself. Before, the original mechanism of Nexus was used by simply not touching those requests. The behavior remains the same, but internally the matching is done against the new API token column.

Role mapping now works with the original "external role mapping" feature, as it does for sources like LDAP. The dropdown that offers role names is populated with group names picked up from people signing in, so if one you expect is missing, have someone sign in who has that group. In the future it could make sense to provide an endpoint for extending that list without a user login.

1.0.0

08 May 10:45
097200d

0.1.0

07 May 14:56
e02e9b6