dex

OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors

APACHE-2.0 License


dex - v2.29.0

Published by sagikazarmark over 3 years ago

The official container image for this release can be pulled from

ghcr.io/dexidp/dex:v2.29.0

Features:

  • Add sprig v3 functions to web templates (#2152, @nabokihms)
  • Add ent-based sqlite3 storage (#1906, @nabokihms)
  • Support setting the prompt type for the Microsoft connector (#1912, @ricky26)
  • Embed web assets (#2054, @sagikazarmark)

Bugfixes:

  • Defer creation of auth request (#1865, @al45tair)
  • Use /token endpoint to get tokens with device flow (#2010, @nabokihms)
  • Fix MySQL connection to use the provided port (#2100, @sagikazarmark)

Security:

  • Use constant time comparison for client secret verification (#1861, @xtremerui)

Minor changes:

  • Dependency upgrades
  • Tons of small fixes and changes

Find more details in the v2.29.0 milestone.

Many thanks to everyone who contributed to this release!

dex - v2.28.1

Published by sagikazarmark over 3 years ago

The official docker release for this release can be pulled from

ghcr.io/dexidp/dex:v2.28.1

Bugfixes:

  • Fix gomplate on ARM (#2053, @sagikazarmark)

dex - v2.28.0

Published by sagikazarmark over 3 years ago

The official docker release for this release can be pulled from

ghcr.io/dexidp/dex:v2.28.0

Features:

  • Add c_hash to id_token, issued on /auth endpoint, when in hybrid flow (#1773, @HEllRZA)
  • Allow configuration of returned auth proxy header (#1839, @seuf)
  • Allow disabling os.ExpandEnv for storage and connector configs with the environment variable DEX_EXPAND_ENV=false (#1902, @heidemn-faro)
  • Added the possibility to activate lowercase for UPN-Strings (#1888, @VF-mbrauer)
  • Add "Cache-control: no-store" and "Pragma: no-cache" headers to token responses (#1948, @nabokihms)
  • Add gomplate to the docker image (#1893, @nabokihms)
  • Graceful shutdown (#1963, @nabokihms)
  • Allow public clients created with API to have no client_secret (#1871, @spohner)

Bugfixes:

  • Fix the etcd PKCE AuthCode deserialization (#1908, @bnu0)
  • Fix garbage collection logging of device codes and device request (#1918, @nabokihms)
  • Discovery endpoint contains updated claims and auth methods (#1951, @nabokihms)
  • Return invalid_grant error if auth code is invalid or expired (#1952, @nabokihms)
  • Return an error to auth requests with the "request" parameter (#1956, @nabokihms)

Minor changes:

  • Change default themes to light/dark (#1858, @nabokihms)
  • Various developer experience improvements
  • Dependency upgrades
  • Tons of small fixes and changes

dex - v2.27.0

Published by justaugustus almost 4 years ago

Action Required

This security release addresses the following advisory: https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5

Dex users should immediately update to v2.27.0.

Assets

The official container images for this release can be pulled from:

  • dexidp/dex:v2.27.0
  • ghcr.io/dexidp/dex:v2.27.0

Make sure to always use an image with a version tag.

Changelog since v2.26.0

  • connector/saml: Validate XML roundtrip data before processing request

  • Build the sqlite storage backend via build tag so Dex can compile when cgo is disabled

  • Update image versions

    • golang:1.15.6-alpine3.12
    • postgres:10.15
    • gcr.io/etcd-development/etcd:v3.4.9
  • Copy module dependencies to Docker image for CVE scanning / dependency analysis

Maintenance

  • MAINTAINERS: @srenatus is now Emeritus

  • README.md: Use maintainers list for reporting security issues

  • .github: Add release notes block to pull request template

  • Fully automate dev setup with Gitpod

    Implements a fully-automated development setup using Gitpod.io, an
    online IDE for GitHub and GitLab that enables Dev-Environments-As-Code.
    This makes it easy for anyone to get a ready-to-code workspace for any branch,
    issue or pull request almost instantly with a single click.

  • Enable CodeQL for the Dex repository

  • docs: Fixup broken links

Dependencies

Added

  • github.com/mattermost/xml-roundtrip-validator: 1a8688a
  • gopkg.in/yaml.v3: 9f266ea

Changed

Removed

Nothing has changed.

dex - v2.26.0

Published by sagikazarmark almost 4 years ago

The official docker release for this release can be pulled from

dexidp/dex:v2.26.0
ghcr.io/dexidp/dex:v2.26.0

⚠️ As of this release the latest Docker image tag will always point to master. ⚠️
Make sure to always use an image with a version tag.

Features:

  • Add constructor for static key strategy (#1802, @xtremerui)
  • Add team groups support to bitbucket connector (#1688, @nabokihms)
  • Allow Authorization header when doing CORS (#1819, @al45tair)
  • Retry Kubernetes update requests (#1847, @nabokihms)
  • PKCE support (#1784, @HEllRZA)
  • Allow public clients (e.g. SPAs using implicit flow or PKCE) to have redirect URLs other than localhost (#1822, @heidemn-faro)
  • Architecture support for arm/arm64/amd64 docker images (#1781, @xUnholy)

Bugfixes:

  • Abort connector login if connector was already set (#1708, @tkleczek)
  • Fix templates whose asset path points to an external URL (#1690, @nabokihms)
  • Replace deprecated teams endpoint in bitbucket connector (#1812, @nabokihms)
  • Log errors from login during password grant (#1830, @al45tair)
  • Handle Kubernetes API conflicts properly for signing keys (#1835, @nabokihms)

Minor changes:

  • Drop unnecessary else statement (#1769, @batara666)
  • Update Go to 1.15 (#1806, @sagikazarmark)
  • Minor CI fixes (#1815, #1856, @sagikazarmark)
  • Minor linter changes (#1837, #1845, @nabokihms)
  • Reduce image size without apk cache (#1836, @lcostea)
  • Minor linter changes (#1853, @sagikazarmark)
  • Add issue and PR templates (#1852, @nabokihms)

dex - v2.25.0

Published by sagikazarmark about 4 years ago

The official docker release for this release can be pulled from

dexidp/dex:v2.25.0

Features:

  • Move the API package to a separate module (#1741, @sagikazarmark)
  • OAuth2 Device Authorization Grant (#1706, @justin-slowik)
  • Support username, email and groups claim in OIDC connector (#1634, @xtremerui)

Bugfixes:

  • Add offline_access scope in microsoft connector, if required (#1441, @jimmythedog)
  • Allow the google connector to work without a service account (#1720, @candlerb)

Minor changes:

  • Remove vendor (finally) (#1745, @sagikazarmark)
  • Fix the LDAP example (#1762, @heidemn-faro)
  • Relocate the example app (#1764, @sagikazarmark)

dex - V2 API release

Published by sagikazarmark about 4 years ago

This release publishes the existing V2 API under a separate module.

The existing API package will remain available for backward compatibility reasons,
but new features will only be added to the new module.

Usage

Although Dex remains backward compatible and continues to provide the API under the original location,
we highly recommend replacing it with the new location in your project (if you use the official API package):

go get github.com/dexidp/dex/api/v2@v2.0.0

Then replace every occurrence of github.com/dexidp/dex/api with github.com/dexidp/dex/api/v2 in your code.

Finally, make sure to get rid of the main Dex module dependency:

go mod tidy

We also recommend using the new API module instead of manually downloading the proto and generating client stubs using protoc.
Read more about the reasons below. (tl;dr: certain future changes might break backward compatibility for these consumers)

History

Dex V2 came with a major rewrite of its API using gRPC and Protobuf.
Consumers of this new API generally followed one of two paths in their applications:

Many users imported the github.com/dexidp/dex/api package directly.
While this worked quite well most of the time,
it introduced a dependency between consuming projects and the main Dex module itself (with all of its own dependencies).
Sometimes this caused conflicts with other dependencies of the project (a.k.a. dependency hell).
Using Dex this way also forced us to remain backward compatible in a bunch of other areas.

To solve the dependency problem, many consumers decided to download the single proto file from the repository
and generate client stubs themselves. This turned out to be a great alternative to importing the whole Dex project
(just to use its generated API package).

Changes in Protocol Buffers

For quite some time, we wanted to break this status quo.
We tried to steer users away from importing Dex and recommended generating stubs instead.

Ultimately, the recent changes introduced in the Protobuf V2 API for Go led us to our current solution.
Namely, the new requirement of having a go_package directive in every proto file basically forces us to provide a package with generated code and
makes code generation on the consumer side nearly impossible. (Obviously, someone can hack around this limitation, but it can't be solved nicely)

Although this requirement does not affect us at the moment, since we still use the V1 API for Protobuf,
in the future we might want to upgrade to the new API. So we decided to find a better, official place for the Dex API that consumers can use
without depending on the Dex project itself.

Dedicated API package

We spent some time experimenting, trying to find the best possible option.
We wanted to find a solution that's backward compatible, but also fits into our future plans with Dex.

After a few iterations, we ended up creating a new package under the original API package, called /v2 and we made it a separate Go module.
This allows us to keep the API close to the main project and lets consumers import the API without the rest of Dex's dependencies.

The first tag of this package is v2.0.0 and we intend to keep versioning this package, separately from the main Dex project.
When adding new features to the API, we will tag new minor versions. Breaking changes will result in a new major version of the API,
which may also result in a major Dex version, but that's still in the future.

Thanks to protobuf's backward compatibility (and our BC promise for the API),
you should be able to talk to Dex with older API versions (compared to the one compiled into Dex itself),
but we recommend using the same version. Although the proto itself should be backward compatible,
the API package depends on gRPC, which is (unfortunately) known to break things between different versions
(thanks to the relatively large shared library).

Future of Dex's API

We have plans to extend the API with new features. Most of them should be backward compatible changes,
so they will likely be added to the v2 API.

That being said, there are a bunch of changes that will break backward compatibility and as such, will require a v3 release.
Although we know it will happen, we don't have it on our near term roadmap. Whether the v2 and v3 will coexist or not is still undecided,
but there is a chance they can.


If you have any questions related to this release, feel free to open an issue or reach out on the #dexidp
channel in the Kubernetes Slack workspace.

dex - v2.24.0

Published by srenatus over 4 years ago

The official docker release for this release can be pulled from

quay.io/dexidp/dex:v2.24.0

Features:

  • Keystone connector: Added Email to Identity (#1681, @kenperkins, @chrigl)
  • Atlassian Crowd connector: allow preferred_username claim to be set (#1684, @mvdkleijn)
  • Github connector: pass redirect_uri (#1700, @sockmister)
  • server: allow having no secret for static public clients (#1701, @tkleczek)
  • SAML connector: add flag for filtering groups (#1704, @srenatus)

Bug fixes, misc changes:

  • CI: add mysql service (#1674, @bonifaido)
  • CI: increase go lint timeout (#1676, @bonifaido)
  • storage/kubernetes: wrap Kubernetes host address in square brackets for IPv6 (#1645, @JerrySunWRS)
  • storage/kubernetes: remove shadowed ResourceVersion from connector (#1673, @ktravis)
  • server/handlers: do not fail login if refresh token gone (#1670, @klarose)
  • server/handlers: automatic consistency fixing in case of missing refresh token in db (#1678, @Teeed)
  • Adding slack channel to README (#1686, @kenperkins)
  • OIDC connector: add Icon (#1692, @nabokihms)
  • OpenShift connector: rootCA option (#1694, @nabokihms)

dex - v2.23.0

Published by bonifaido over 4 years ago

The official docker release for this release can be pulled from

quay.io/dexidp/dex:v2.23.0

Features:

  • connector: Atlassian Crowd connector (#1515, @diafour, @nabokihms)
  • connector/ldap: add multiple user to group mapping (#1612, @vi7)
  • Add support for password grant (#926, @xtremerui, Zach Brown)
  • Add ability to set ID and Secret from environment variables for static clients (#1664, @yann-soubeyrand, @lhotrifork)

Bugfixes:

  • Provider icons use the connector name, not the ID (#1576, @nabokihms)
  • storage/mysql: increase auth_request.state length to 4096 (#1659, @bonifaido)

Minor changes:

  • dependency upgrades (#1640, #1641, @sagikazarmark)
  • storage/sql: allow specifying sql flavor specific migrations (#1659)
  • Make prompt configurable for OIDC offline_access (#1656, @commixon)
  • Setting email for OpenShift connector (#1661, @sabre1041)
  • Various documentation fixes (#1644, @cmurphy; #1648, @int128)

dex - v2.22.0

Published by sagikazarmark over 4 years ago

The official docker release for this release can be pulled from

quay.io/dexidp/dex:v2.22.0

Features:

  • google: Implement group whitelisting (#1591, @bonifaido)
  • Read static password hash from environment variable (#1601, @krishnadurai)
  • OpenShift connector (#1599, @sabre1041)

Bugfixes:

  • Provider icons use the connector name, not the ID (#1576, @nabokihms)
  • MySQL idle connection limit (#1609, @PeopleRange)
  • OIDC Email scope check (#1610, @nabokihms)
  • google: Fix group retrieval (#1627, @jfrabaute)
  • Prometheus is optional for the server (#1625, @xtremerui)

Minor changes:

  • Moved to GitHub actions from TravisCI (#1596, #1605, @sagikazarmark)
  • Improved conformance tests (#1556, @tkleczek)
  • Upgraded Go to 1.13 and Alpine to 3.10 (#1592, @bonifaido)
  • Improved code quality by introducing better linter settings (#1603, #1604, @sagikazarmark)
  • microsoft: Improved connector tests (#1622, @chlunde)

dex - v2.21.0

Published by bonifaido almost 5 years ago

The official docker release for this release can be pulled from

quay.io/dexidp/dex:v2.21.0

Notes:

The "only" main feature of this release is around OIDC and Google groups which were pretty long-awaited. 🎉

Features:

  • Implement refreshing with Google (#1180, @JoelSpeed)
  • Fetch groups in a Google Connector (#1185, @JoelSpeed)
  • Add option to enable groups for oidc connectors (#1434, @jacksontj)

Bugfixes:

  • Fix spelling errors in docs (#1569, @bhageena)
  • preferred_username claim added on refresh token (#1586, @serhiimakogon)

dex - v2.20.0

Published by bonifaido almost 5 years ago

The official docker release for this release can be pulled from

quay.io/dexidp/dex:v2.20.0

Notes:

The preferred_username OIDC claim was added to the ID Token in case of GitLab, GitHub, LDAP. This claim could be extended to other providers as well later on.

Features:

  • connector/saml: Adding group filtering (#1544, @kenperkins)
  • Run getUserInfo prior to claim enforcement (#1545, @jacksontj)
  • server: templates: use relative URLs to refer to assets (#1554, @yanniszark)
  • add preferred_username to idToken (#1566, @bonifaido)

Bug fixes, misc changes:

  • gitlab: add groups scope by default when filtering is requested (#1520, @bonifaido)
  • Fix typo (#1543, @wassan128)
  • Fix typo (#1551, @gosharplite)
  • storage/mysql: support pre-5.7.20 instances with tx_isolation only (#1550, @bonifaido)
  • Fix URLs in curl cmd as stated in the overview doc (#1558, @aijingyc)
  • Add note for redirect uri (#1568, @life1347)

dex - v2.19.0

Published by srenatus about 5 years ago

The official docker release for this release can be pulled from

quay.io/dexidp/dex:v2.19.0

Notes:

  • Following Mozilla's recommendations for secure TLS settings in the
    "Intermediate" compatibility mode, some insecure cipher suites have been
    removed, overriding Golang's standard set of ciphers. In the unlikely event
    that this makes one of your clients NOT work with Dex anymore (and there's
    a decent reason for not being able to update that client), please file an
    issue. See #1540 for details.
  • As mentioned in documentation, Kubernetes TPR support is removed in this
    release.
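
An added example, not code from the Dex repository: a Go server TLS configuration with an explicit cipher suite list, plus an audit helper that flags configurations which would still negotiate weak parameters. The suite list is an assumption modelled on Mozilla's "Intermediate" profile (see #1540 for the list Dex actually ships), and the names HardenedConfig and AuditTLSConfig are hypothetical.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// HardenedConfig returns a server-side TLS config with a TLS 1.2 floor and an
// explicit list of forward-secret AEAD suites. The list is an assumption based
// on Mozilla's "Intermediate" profile, not copied from Dex's source.
// CipherSuites only governs TLS 1.0-1.2; Go does not let callers choose
// TLS 1.3 suites.
func HardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// AuditTLSConfig returns one finding per setting that leaves the protocol
// floor or the cipher suite choice to defaults, or that enables a suite the
// Go standard library itself classifies as insecure.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings,
			fmt.Sprintf("MinVersion %#04x is unset or below TLS 1.2", cfg.MinVersion))
	}
	if len(cfg.CipherSuites) == 0 {
		return append(findings, "CipherSuites unset: the Go default list applies")
	}
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	for _, id := range cfg.CipherSuites {
		if insecure[id] {
			findings = append(findings,
				"insecure suite enabled: "+tls.CipherSuiteName(id))
		}
	}
	return findings
}

func main() {
	// Constructed legacy configuration, used only to show the audit output.
	legacy := &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
	for _, f := range AuditTLSConfig(legacy) {
		fmt.Println("legacy:", f)
	}
	fmt.Println("hardened findings:", len(AuditTLSConfig(HardenedConfig())))
}
```
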

Features:

  • connector/LDAP: display login error (#1530, @bonifaido)
  • HTTPS/gRPC: Use a more conservative set of CipherSuites (#1540, @stevendanna)

Bug fixes, misc changes:

  • Update ADOPTERS.md (#1534, @jthabet)
  • storage/kubernetes: Removing Kubernetes TPR support (#1517, @venezia)
  • Dockerfile: build with Golang 1.12.9 (#1529, @dkuerner)
  • Kubernetes docs: Clarify the origin of openid-ca (#1521, @erwinvaneyk)
  • Code update: Replace x/net/context with stdlib context (#, @erwinvaneyk)

dex - v2.18.0

Published by srenatus about 5 years ago

The official docker release for this release can be pulled from

quay.io/dexidp/dex:v2.18.0

Features:

  • Storage: New MySQL storage backend (#1485, @bonifaido)
  • gRPC: Add reflection to gRPC API (#1512, @venezia)
  • Add option to always display connector selection even if there's only one (#1505, @MarcDufresne)
  • Added "connector_id" to skip straight to a connector (#1481, @LanceH)
  • Allow arbitrary data to be passed to templates (#1504, @MarcDufresne)
  • Gitlab: implement useLoginAsID as in GitHub connector (#1497, @bonifaido)
  • Microsoft: option for group UUIDs instead of name and group whitelist (#1446, @maksd)
  • gRPC: Add VerifyPassword to API (#1486, @AlbanSeurat)

Bug fixes, misc changes:

  • MAINTAINERS: add @bonifaido (#1492, @srenatus)
  • Update ADOPTERS.md (#1495, @pbochynski; #1494, @tanmaykm; #1493, @srenatus)
  • example-app: add connector_id (#1496, @srenatus)
  • Docs: fix MySQL sample query (#1498, @mkontani)
  • Code quality: fix some lint issues (#1500, @srenatus)
  • gRPC: fix logging in VerifyPassword (#1502, @srenatus)
  • Return config validation errors in one go (#1439, @sks)
  • Update all deps (#1501, @srenatus)
  • Return HTTP 400 for invalid state parameter (#1490, @momokatte)
  • Adjusting Makefile so that golint will compile (#1509, @venezia)
  • Add tests for some callback handler error conditions (#1510, @momokatte)
  • Add examples for recent additions to oauth2 configuration options (#1516, @tpdownes)
  • Bump deps for http2 issues (#1519, @srenatus)
  • Connectors: refactor filter code into a helper package (#1480, @srenatus)

dex - v2.17.0

Published by srenatus over 5 years ago

The official docker release for this release can be pulled from

quay.io/dexidp/dex:v2.17.0

Notes:

  • Dex finally offers a user info endpoint. While this doesn't expose any
    more information than is included in the ID tokens, it allows for using
    Dex in integrations that demand such an endpoint.
  • With this release, the Linkedin connector is usable again!

Features:

  • Add UserInfo endpoint (#1473, @alindeman, @jackielii, and @fjbsantiago)
  • Linkedin: Update to use v2 APIs (#1460, @tanmaykm)
  • server: add metrics for CORS handlers (#1429, @tsuna)
  • OIDC: Add option to hit the optional userinfo endpoint (#1433, @jacksontj)
  • OIDC: Make userID configurable (#1448, @cappyzawa)
  • OIDC: Make userName configurable (#1459, @flarno11)
  • GitLab: support for group whitelist (#1436, @bonifaido)

Bug fixes, misc changes:

  • Print appropriate error when listing connectors fails (#1443, @deric)
  • Bitbucket docs: update permission requirements (#1435, @bonifaido)
  • Round out logging interface with functions for all levels (#1432, @alindeman)
  • Fix typo in SAMLConnector interface (#1430, @mkontani)
  • travis: replace golang 1.10 and 1.11 with 1.12 (#1457, @srenatus)
  • OIDC: truly ignore "email_verified" claim if configured that way (#1456, @srenatus)
  • MAINTAINERS: remove ericchiang@ (#1478, @ericchiang)

dex - v2.16.0

Published by ericchiang over 5 years ago

The official docker release for this release can be pulled from

quay.io/dexidp/dex:v2.16.0

Features:

  • Add an option to the OpenID Connect connector to always set email_verified to true (#1417, @gezb)
  • Docker image no longer runs dex as root (#1426, @justaugustus)

Bug fixes, misc changes:

  • Dex now logs client name instead of client_id (#1427, @yann-soubeyrand)
  • Fixes for Go 1.11.4 modules (#1402, @lstoll)
  • Refactor logging to use an interface instead of logrus directly (#1408, @sagikazarmark)

dex - v2.15.0

Published by JoelSpeed over 5 years ago

The official docker release for this release can be pulled from

quay.io/dexidp/dex:v2.15.0

Notes:

  • Minimum TLS version bumped to v1.2: if you are using Dex to serve on TLS directly, please make sure clients support TLS v1.2 before upgrading.

Features:

  • Added Active Directory and Kubelogin integration sample (#1390, @okamototk)
  • Added option to use GitHub login as id (#1396, @jtnord)

Bug fixes, misc changes:

  • Dockerfile Go version bumped to v1.11.5 (#1389, @ericchiang)
  • Minimum TLS version bumped to TLSv1.2 (#1392, @stevendanna)
  • Added @JoelSpeed as maintainer (#1394, @srenatus)
  • Added tests for LDAP filtering (#1249, @srenatus)
  • Print Access token in example app (#1395, @hainesc)
  • Add periodic storage health checking (#1397, @ericchiang)

dex - v2.14.0

Published by srenatus almost 6 years ago

The official docker release for this release can be pulled from

quay.io/dexidp/dex:v2.14.0

Notes:

  • Users of the Gitlab connector need to pay attention: The connector now uses a less powerful
    scope. This is a good enhancement in terms of securing your bases, but it may need special care
    when upgrading!

Features:

  • There's a brand new Keystone connector! (#1374, @knangia, @joannanosek, and @kbalka)
  • Github connector now returns a full group list when no org is specified, and you have
    opted-in to that behaviour (#1340, #1349, @alexmt)
  • Github connector allows for a 'both' option to use team name AND slug in TeamNameField (#1345, @vito)
  • Gitlab connector no longer requires the API scope (#1351, @gypsydiver)
  • Postgres storage backend now works with UNIX sockets (#1346, #1352, @vito)
  • Postgres storage backend now exposes some tunables (#1357, @sr)
  • gRPC API: Add UpdateClient (#1275, @ccojocar)
  • Make expiry of auth requests configurable (#1372, @mxey)
  • LDAP connector - add emailSuffix config option (#1380, @dkess)

Bug fixes, misc changes:

  • Render error message provided by connector if user authentication failed (#1339, @alexmt)
  • Fix bogus conformance failure due to time zones (#1344, @vito)
  • Improved LDAP errors from upgrading go-ldap (#1338, @sr)
  • Removed incomplete, unmaintained storage adapters for CockroachDB and MySQL (#1343, @vito)
  • Removed unused startup scripts, adapted docs (#1350, @sr)
  • LDAP connector: Document that 'DN' must be in capitals (#1359, @OwenTuz)
  • Kubernetes docs: clarify steps around use/creation of TLS assets (#1358, @OwenTuz)
  • Bumped github.com/lib/pq (#1367, @vito)
  • Migrate to go modules (#1365, #1369, @josdotso)
  • Makefile: cleanups for newer versions of Go (#1368, @ericchiang)
  • Dockerfile: update to Go 1.11.3 (#1373, @ericchiang)
  • Replace "GET", "POST" to http.MethodGet and http.MethodPost (#1377, @hainesc)

dex - v2.13.0

Published by ericchiang almost 6 years ago

The official docker release for this release can be pulled from

quay.io/dexidp/dex:v2.13.0

Features:

  • Update to Go 1.11 (#1325, @ericchiang)
  • Mock connector support refresh tokens (#1245, scotthew1)
  • Dex no longer attempts to create CRDs if they're already created (#1333, @songgithub)
  • Updates to Kubernetes storage and RBAC docs (#1334, @tmatias)

Bug fixes:

  • Fix golint build issues (#1317, #1329, @ericchiang)
  • Fix Bitbucket documentation (#1316, @edtan)

dex - v2.12.0

Published by srenatus about 6 years ago

The official docker release for this release is at

quay.io/dexidp/dex:v2.12.0

Features:

  • New connector: Bitbucket Cloud (#1307, @edtan)
  • Allow using the GitHub team slug instead of name (#1297, @tburko)
  • Allow using a client TLS cert in the LDAP connector (#1278, @veily)

Bug fixes:

  • Any non-cert (or accidentally invalid) data following a valid cert
    in the SAML connector configuration will now error out (#1305, @srenatus)

...and fixes to docs, as well as an upgrade of a dependency library
(go-jose v2.1.8, @fajran).

🎉 Thank you very much, all old and new contributors! 😉