• GRPC Improvements. #261 and #69

    • Enable WaitForReady to allow background retries through transient failures
    • Expose a configurable timeout for backend requests to Authorize and Authenticate
    • Enable DNS round_robin load balancing to Authorize and Authenticate services by default
  • Add ability to set client certificates for downstream connections. GH-259



  • A policy's custom certificate authority can set as a file or a base64 encoded blob(tls_custom_ca/tls_custom_ca_file). GH-259

  • Remove references to service named ports and instead use their numeric equivalent. GH-266



Telemetry [GH-35]

  • Tracing [GH-230] aka distributed tracing, provides insight into the full lifecycles, aka traces, of requests to the system, allowing you to pinpoint failures and performance issues.

  • Metrics provide quantitative information about processes running inside the system, including counters, gauges, and histograms.

    • Add informational metrics. [GH-227]

    • GRPC Metrics Implementation. [GH-218]

      • Additional GRPC server metrics and request sizes
      • Improved GRPC metrics implementation internals
      • The GRPC method label is now 'grpc_method' and GRPC status is now grpc_client_status and grpc_server_status
    • HTTP Metrics Implementation. [GH-220]

      • Support HTTP request sizes on client and server side of proxy
      • Improved HTTP metrics implementation internals
      • The HTTP method label is now http_method, and HTTP status label is now http_status


  • GRPC version upgraded to v1.22 [GH-219]
  • Add support for large cookie sessions by chunking. [GH-211]
  • Prefer curve X25519 to P256 for TLS connections. [GH-233]
  • Pomerium and its services will gracefully shutdown on interrupt signal. [GH-230]
  • Google now prompts the user to select a user account (by adding select_account to the sign in url). This allows a user who has multiple accounts at the authorization server to select amongst the multiple accounts that they may have current sessions for.


  • Fixed potential race condition when signing requests. [GH-240]
  • Fixed panic when reloading configuration in single service mode [GH-247]



  • Add programmatic authentication support. [GH-177]
  • Add Prometheus format metrics endpoint. [GH-35]
  • Add policy setting to enable self-signed certificate support. [GH-179]
  • Add policy setting to skip tls certificate verification. [GH-179]


  • Policy to and from settings must be set to valid HTTP URLs including schemes and hostnames (e.g. http.corp.domain.example should now be https://http.corp.domain.example).
  • Proxy's sign out handler {}/.pomerium/sign_out now accepts an optional redirect_uri parameter which can be used to specify a custom redirect page, so long as it is under the same top-level domain. [GH-183]
  • Policy configuration can now be empty at startup. [GH-190]
  • Websocket support is now set per-route instead of globally. [GH-204]
  • Golint removed from amd64 container. [GH-215]
  • Pomerium will error if a session cookie is over 4096 bytes, instead of failing silently. [GH-212]


  • Fixed HEADERS environment variable parsing. [GH-188]
  • Fixed Azure group lookups. [GH-190]
  • If a session is too large (over 4096 bytes) Pomerium will no longer fail silently. [GH-211]
  • Internal URLs like dashboard now start auth process to login a user if no session is found. [GH-205].
  • When set,CookieDomain lets a user set the scope of the user session. CSRF cookies will still always be scoped at the individual route level. [GH-181]



  • Add ability to detect changes and reload policy configuration files. [GH-150]
  • Add user dashboard containing information about the current user's session. [GH-123]
  • Add functionality allowing users to initiate manual refresh of their session. This is helpful when a user's access control details are updated but their session hasn't updated yet. To prevent abuse, manual refresh is gated by a cooldown (REFRESH_COOLDOWN) which defaults to five minutes. [GH-73]
  • Add Administrator (super user) account support (ADMINISTRATORS). [GH-110]
  • Add feature that allows Administrators to impersonate / sign-in as another user from the user dashboard. [GH-110]
  • Add docker images and builds for ARM. [GH-95]
  • Add support for public, unauthenticated routes. [GH-129]


  • Add Request ID to error pages. [GH-144]
  • Refactor configuration handling to use spf13/viper bringing a variety of additional supported storage formats.[GH-115]
  • Changed config AUTHENTICATE_INTERNAL_URL to be a URL containing both a valid hostname and schema. [GH-153]
  • User state is now maintained and scoped at the domain level vs at the route level. [GH-128]
  • Error pages contain a link to sign out from the current user session. [GH-100]
  • Removed LifetimeDeadline from sessions.SessionState.
  • Removed favicon specific request handling. [GH-131]
  • Headers are now configurable via the HEADERS configuration variable. [GH-108]
  • Refactored proxy and authenticate services to share the same session state cookie. [GH-131]
  • Removed instances of extraneous session state saves. [GH-131]
  • Changed default behavior when no session is found. Users are now redirected to login instead of being shown an error page.[GH-131]
  • Updated routes such that all http handlers are now wrapped with a standard set of middleware. Headers, request id, loggers, and health checks middleware are now applied to all routes including 4xx and 5xx responses. [GH-116]
  • Changed docker images to be built from distroless. This fixed an issue with nsswitch [GH-97], includes ca-certificates and limits the attack surface area of our images. [GH-101]
  • Changed HTTP to HTTPS redirect server to be user configurable via HTTP_REDIRECT_ADDR. [GH-103]
  • Content-Security-Policy hash updated to match new UI assets.


  • Fixed websocket support. [GH-151]
  • Fixed an issue where policy and routes were being pre-processed incorrectly. [GH-132]
  • Fixed an issue where golint was not being found in our docker image. [GH-121]



  • HTTP Strict Transport Security is included by default and set to one year. [GH-92]
  • HTTP now redirects to HTTPS. [GH-92]
  • Removed extraneous AUTHORIZE_INTERNAL_URL config option since authorization has no public http handlers, only a gRPC service endpoint. [GH-93]
  • Removed PROXY_ROOT_DOMAIN config option which is now inferred from AUTHENTICATE_SERVICE_URL. Only callback requests originating from a URL on the same sub-domain are permitted. [GH-83]
  • Removed REDIRECT_URL config option which is now inferred from AUTHENTICATE_SERVICE_URL (e.g. https://$AUTHENTICATE_SERVICE_URL/oauth2/callback). [GH-83]


  • Fixed a bug in the Google provider implementation where the refresh_token. Updated the google implementation to use the new prompt=consent oauth2 parameters. Reported and fixed by @chemhack [GH-81]




  • Authorization : The authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: allowed_users, allowed_groups, and allowed_domains. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details.

  • Group Support : The authenticate service now retrieves a user's group membership information during authentication and refresh. This change may require additional identity provider configuration; all of which are described in the updated docs. A brief summary of the requirements for each IdP are as follows:

    • Google requires the Admin SDK to enabled, a service account with properly delegated access, and IDP_SERVICE_ACCOUNT to be set to the base64 encoded value of the service account's key file.
    • Okta requires a groups claim to be added to both the id_token and access_token. No additional API calls are made.
    • Microsoft Azure Active Directory requires the application be given an additional API permission, Directory.Read.All.
    • Onelogin requires the groups was supplied during authentication and that groups parameter has been mapped. Group membership is validated on refresh with the user-info api endpoint.
  • WebSocket Support : With Go 1.12 pomerium automatically proxies WebSocket requests.


  • Added LOG_LEVEL config setting that allows for setting the desired minimum log level for an event to be logged. [GH-74]
  • Changed POMERIUM_DEBUG config setting to just do console-pretty printing. No longer sets log level. [GH-74]
  • Updated to generate a elliptic curve 256 cert by default.
  • Updated env.example to include a POLICY setting example.
  • Added IDP_SERVICE_ACCOUNT to env.example .
  • Removed ALLOWED_DOMAINS settings which has been replaced by POLICY. Authorization is now handled by the authorization service and is defined in the policy configuration files.
  • Removed ROUTES settings which has been replaced by POLICY.
  • Add refresh endpoint ${url}/.pomerium/refresh which forces a token refresh and responds with the json result.
  • Group membership added to proxy headers (x-pomerium-authenticated-user-groups) and (x-pomerium-jwt-assertion).
  • Default Cookie lifetime (COOKIE_EXPIRE) changed from 7 days to 14 hours ~ roughly one business day.
  • Moved identity (authenticate/providers) into its own internal identity package as third party identity providers are going to authorization details (group membership, user role, etc) in addition to just authentication attributes.
  • Removed circuit breaker package. Calls that were previously wrapped with a circuit breaker fall under gRPC timeouts; which are gated by relatively short timeouts.
  • Session expiration times are truncated at the second.
  • Removed gitlab provider. We can't support groups until this gitlab bug is fixed.
  • Request context is now maintained throughout request-flow via the context package enabling timeouts, request tracing, and cancellation.


  • http.Server and httputil.NewSingleHostReverseProxy now uses pomerium's logging package instead of the standard library's built in one. [GH-58]