v2.30.3

The official docker release for this release can be pulled from

ghcr.io/dexidp/dex:v2.30.3

Bugfixes:

• Bitbucket Cloud connector: replace /teams API w/ /workspaces
  (#2390, @rahulchheda)

  Note: Deprecated /teams endpoints were deleted by Atlassian, which broke the Bitbucket Cloud connector. Thus anyone using authentication through Bitbucket Cloud should upgrade Dex to the >= v2.30.3 version.

v2.30.2

The official docker release for this release can be pulled from

ghcr.io/dexidp/dex:v2.30.2

This version is identical to v2.30.1.

We had some issues with CI when tagging v2.30.1 and tried tagging one more time. Ultimately, it turned out to be a permission issue. After fixing that both builds completed successfully.

v2.30.1

The official docker release for this release can be pulled from

ghcr.io/dexidp/dex:v2.30.1

Security:

• Upgrade alpine (#2327, @sagikazarmark)

v2.30.0

The official docker release for this release can be pulled from

ghcr.io/dexidp/dex:v2.30.0

Features:

• Improve auth flow error handling (#1862, @tkleczek)
• Create CRDs as apiextensions.k8s.io/v1 (#2025, @nabokihms)
• Read a namespace from the file for the Kubernetes storage client (#2092, @nabokihms)
• Update token periodically if Dex is running in a Kubernetes cluster (#2112, @nabokihms)

Bugfixes:

• Fix refreshing tokens that obtained with the password grant type (#2199, @hensur)
• Use only one sqlite3 connection to avoid the "database is locked" error (#2212, @salmanisd)

Minor changes:

• Add the ent-based postgres storage (#2121, @nabokihms)
• Demonstrate use of the htpasswd for the bCrypt hashing in static passwords (#2218, @jglick)

Dependencies:

• github.com/spf13/cobra 1.1.3 -> 1.2.1
• google.golang.org/grpc 1.38.0 -> 1.39.0
• google.golang.org/api 0.49.0 -> 0.52.0
• Build golang docker image 1.16.5-alpine3.13 -> 1.16.6-alpine3.13

v2.29.0

The official container image for this release can be pulled from

ghcr.io/dexidp/dex:v2.29.0

Features:

• Add sprig v3 functions to web templates (#2152, @nabokihms)
• Add ent-based sqlite3 storage (#1906, @nabokihms)
• Support setting the prompt type for the Microsoft connector (#1912, @ricky26)
• Embed web assets (#2054, @sagikazarmark)

Bugfixes:

• Defer creation of auth request (#1865, @al45tair)
• Use /token endpoint to get tokens with device flow (#2010, @nabokihms)
• Fix MySQL connection to use the provided port (#2100, @sagikazarmark)

Security:

• Use constant time comparison for client secret verification (#1861, @xtremerui)

Minor changes:

• Dependency upgrades
• Tons of small fixes and changes

Find more details in the v2.29.0 milestone.

Many thanks to everyone who contributed to this release!

v2.28.1

The official docker release for this release can be pulled from

ghcr.io/dexidp/dex:v2.28.1

Bugfixes:

• Fix gomplate on ARM (#2053, @sagikazarmark)

v2.28.0

The official docker release for this release can be pulled from

ghcr.io/dexidp/dex:v2.28.0

Features:

• Add c_hash to id_token, issued on /auth endpoint, when in hybrid flow (#1773, @HEllRZA)
• Allow configuration of returned auth proxy header (#1839, @seuf)
• Allow to disable os.ExpandEnv for storage + connector configs by env variable DEX_EXPAND_ENV = false (#1902, @heidemn-faro)
• Added the possibility to activate lowercase for UPN-Strings (#1888, @VF-mbrauer)
• Add "Cache-control: no-store" and "Pragma: no-cache" headers to token responses (#1948, @nabokihms)
• Add gomplate to the docker image (#1893, @nabokihms)
• Graceful shutdown (#1963, @nabokihms)
• Allow public clients created with API to have no client_secret (#1871, @spohner)

Bugfixes:

• Fix the etcd PKCE AuthCode deserialization (#1908, @bnu0)
• Fix garbage collection logging of device codes and device request (#1918, @nabokihms)
• Discovery endpoint contains updated claims and auth methods (#1951, @nabokihms)
• Return invalid_grant error if auth code is invalid or expired (#1952, @nabokihms)
• Return an error to auth requests with the "request" parameter (#1956, @nabokihms)

Minor changes:

• Change default themes to light/dark (#1858, @nabokihms)
• Various developer experience improvements
• Dependency upgrades
• Tons of small fixes and changes

v2.27.0

Action Required

This security release addresses the following advisory: GHSA-m9hp-7r99-94h5

Dex users should immediately update to v2.27.0.

Assets

The official container images for this release can be pulled from:

• dexidp/dex:v2.27.0
• ghcr.io/dexidp/dex:v2.27.0

Make sure to always use an image with a version tag.

Changelog since v2.26.0

• connector/saml: Validate XML roundtrip data before processing request

• Build the sqlite storage backend via build tag so Dex can compile when cgo is disabled

• Update image versions

  • golang:1.15.6-alpine3.12
  • postgres:10.15
  • gcr.io/etcd-development/etcd:v3.4.9

• Copy module dependencies to Docker image for CVE scanning / dependency analysis

Maintenance

• MAINTAINERS: @srenatus is now Emeritus

• README.md: Use maintainers list for reporting security issues

• .github: Add release notes block to pull request template

• Fully automate dev setup with Gitpod

  Implements a fully-automated development setup using Gitpod.io, an
  online IDE for GitHub and GitLab that enables Dev-Environments-As-Code.
  This makes it easy for anyone to get a ready-to-code workspace for any branch,
  issue or pull request almost instantly with a single click.

• Enable CodeQL for the Dex repository

• docs: Fixup broken links

Dependencies

Added

• github.com/mattermost/xml-roundtrip-validator: 1a8688a
• gopkg.in/yaml.v3: 9f266ea

Changed

• github.com/jonboulle/clockwork: v0.1.0 → v0.2.0
• github.com/pkg/errors: v0.8.1 → v0.9.1
• github.com/russellhaering/goxmldsig: 7acd5e4 → v1.1.0
• github.com/stretchr/testify: v1.4.0 → v1.6.1

Removed

Nothing has changed.

v2.26.0

The official docker release for this release can be pulled from

dexidp/dex:v2.26.0
ghcr.io/dexidp/dex:v2.26.0

⚠️ As of this release the latest Docker image tag will always point to master. ⚠️
Make sure to always use an image with a version tag.

Features:

• Add constructor for static key strategy (#1802, @xtremerui)
• Add team groups support to bitbucket connector (#1688, @nabokihms)
• Allow Authorization header when doing CORS (#1819, @al45tair)
• Retry Kubernetes update requests (#1847, @nabokihms)
• PKCE support (#1784, @HEllRZA)
• Allow public clients (e.g. SPAs using implicit flow or PKCE) to have redirect URLs other than localhost (#1822, @heidemn-faro)
• Architecture support for arm/arm64/amd64 docker images (#1781, @xunholy)

Bugfixes:

• Abort connector login if connector was already set (#1708, @tkleczek)
• Fix templates which asset path points to external URL (#1690, @nabokihms)
• Replace deprecated teams endpoint in bitbucket connector (#1812, @nabokihms)
• Log errors from login during password grant (#1830, @al45tair)
• Handle Kubernetes API conflicts properly for signing keys (#1835, @nabokihms)

Minor changes:

• Drop unnecessary else statement (#1769, @batara666)
• Update Go to 1.15 (#1806, @sagikazarmark)
• Minor CI fixes (#1815, #1856, @sagikazarmark)
• Minor linter changes (#1837, #1845, @nabokihms)
• Reduce image size without apk cache (#1836, @lcostea)
• Minor linter changes (#1853, @sagikazarmark)
• Add issue and PR templates (#1852, @nabokihms)

v2.25.0

The official docker release for this release can be pulled from

dexidp/dex:v2.25.0

Features:

• Move the API package to a separate module (#1741, @sagikazarmark)
• OAuth2 Device Authorization Grant (#1706, @justin-slowik)
• Support username, email and groups claim in OIDC connector (#1634, @xtremerui)

Bugfixes:

• Add offline_access scope in microsoft connector, if required (#1441, @jimmythedog)
• Allow the google connector to work without a service account (#1720, @candlerb)

Minor changes:

• Remove vendor (finally) (#1745, @sagikazarmark)
• Fix the LDAP example (#1762, @heidemn-faro)
• Relocate the example app (#1764, @sagikazarmark)