dex

This is a minor release of dex with the following Changes since v2.0.0:

Features:

• Support for leveled logging (#677).
• Add error HTML templates with error description (#742).
• Add 'make revendor' and tests to catch incorrect glide usage (#756).
• Update refresh tokens instead of deleting and creating another (#757).
• Updated go-oidc package (#765).

Bug Fixes:

• Fix postgres timezone handling. Prior to this release Postgres users did not save any timezone data. We have fixed this issue in this release but it is no longer backward compatible. More details at (#749).
• Enable groupSearch to be empty in connector/ldap (#759).
• Fixes for the implicit and hybrid flow (#766, #775).

This is a patch release of v2.0 to backport bug fixes onto v2.0.1.

Bug fixes:

• Fix refresh tokens with Kubernetes for LDAP and GitHub (https://github.com/coreos/dex/pull/767)

Changes since v2.0.0

Features:

• Updated go-oidc package (#765).
• Add 'make revendor' and tests to catch incorrect glide usage (#756).
• Add error HTML templates with error description (#742).

Bugs:

• Enable groupSearch to be empty in connector/ldap (#759).
• fix postgres timezone handling(#749).

This is a major release of dex and represents a complete rewrite of the project. The new version has significantly simplified dex's deployment and management story while rethinking and slimming down the implementation.

A full writeup of changes can be found here: https://github.com/coreos/dex/blob/master/Documentation/v2.md

Though v1.0.0 was never tagged, this branch is such a significant departure from previous development that it seems appropriate to call it a v2.

For an overview of v2 changes refer to the upstream docs: https://github.com/coreos/dex/blob/master/Documentation/v2.md

Changes since beta.2

Documentation:

• Updated Kubernetes deployment examples (#684)
• LDAP docs are now clearer about using port 636 for LDAP Secured (#708)
• Various minor, documentation fixes (#703, #704, #709)

Features:

• gRPC call for listing passwords (#695)
• LDAP connector can query full DN's even when they're not present as attributes (#698)
• LDAP now uses methods provided by gopkg.in/ldap for escaping usernames (#701)
• LDAP and GitHub connectors now re-query upstream identity provider when refreshing a token (#702)
• Experimental theme support added for internal CoreOS use while we explore general solutions (#711, #717)
• Example app uses a non-empty state to help validate that providers correctly respect state (#713)
• Switched OpenID Connect client to use new coreos/go-oidc changes (#696, #715)

Bugs:

• Return "groups" in "supported_scopes" (#697)
• Server test flakes fixed (#700)

For an overview of v2 changes refer to the upstream docs: https://github.com/coreos/dex/blob/master/Documentation/v2.md

Changes since beta.1

Documentation:

• Getting started guide added (#674)
• Logos added (#674)
• Various doc fixes (#688, #680, #676)

Bug fixes:

• LDAP Connector now always sets tls.Config.ServerName (#689)

Features:

• gRCP version call added (#683)
• Config validation now ensures connectors have an ID (#686)
• Docker container now ships with openssl for internal health checkers when dex is using HTTPS (#685)

Changes since alpha.5

For an overview of v2 changes refer to the upstream docs: https://github.com/coreos/dex/blob/master/Documentation/v2.md

Documentation:

• Add docs on gRPC API (#652)
• Add docs on changes from dex v1 to v2 (#664)

Bug fixes:

• Fixed Postgres transaction level (#654)
• Logging in with a bad username no longer returns a 500 (#658)
• Fixed another case of the server using nano seconds instead of seconds (#671)

Features:

• Conformance tests added for concurrent updates (#654)
• API endpoints for creating and updating "local" passwords (#649)
• API supports client auth (#661)
• Build with go 1.7.3 instead of 1.7.1 (#666)
• Switched yaml parser (#667)
• LDAP connector accepts base64 encoded CA literal in config (#668)
• Expose expiry settings in config (#665)
• Debug flag on example-app (#670)
• Accept raw bcrypt values for staticPasswords (#667, #669)

Updates since alpha.4

Features:

• Minor improvements to the kubernetes storage
  • Allow arbitrary client IDs (#642)
  • Don't use KUBECONFIG environment variable (#638)
  • Guess current context if there's only one context (#634)
  • Reduce noise for expected "bad" status codes (#629)
  • Guess namespace for in cluster clients using service account token (#626)
• Config can read values from environment (#627)
• Reworked and expanded LDAP connector (#624)
• All callback based connectors now share a callback endpoint (#638)

Bug fixes:

• Fix cache-control header using nano-seconds value instead of seconds (#637)

This is a minor patch release.

Changes since last release:

• revert #579 addressing button styling
• fix root cause of button UI problem with a CSS class

Changes since last release:

• Deprecate --email-from flag and clean up email config options (#487)
• Add "groups" scope to return list of groups in claims, LDAP only supported implementation (#510)
• Dex can no be used at a relative path (#520, #521, #522, #558)
• Fix API for bearer tokens with multiple audiences (#531)
• Set display name when registering a user (#537)
• Added UAA connector (#542)
• Added refresh token rotation, aka refresh tokens can only be used once (#540)
• Added option to use client credentials against worker API (#529)
• Token response now includes mandatory "expires_in" field (#575)

This is a minor point release

Features since v0.5.0

• Reduced ID Token size by using smaller JWK Key IDs (#490)
• Cleaned up LDAP connector (#483)
• Return 409 status code in API when resources already exist (#494, #496)

Features:

• Enable automatic registration for non-local login (#463)
• Cross-client refresh tokens through the "authorized party" claim (#465, #426)
• "public" clients which can use oob flows (#471)
• Clients ID and secrets may now be specified in the bootstrapping API (#479)

Bug fixes:

• Dex now works when backed by Azure AD (#466)

Deprecated:

• Removed APIs which only use client_id and client_secret. Use admin API for this functionality. (#468)

This release consists of a bunch of minor bug fixes, and example and doc tweaks.

Features

• None!

Bugs Fixed

• remove outdated godep hack, since we use glide now (#417)
• example app uses passed redirect instead of hard-coded one (#420)
• Fix examples/README.md doc (#421)
• Fix kubernetes example (#422)
• git-version creates valid docker tags if dirty (#425)
• Update to latest go-oidc to fix JWT parse issues (#430)

Misc

• Better testing for Token end point (#409)
• Update Kubernetes examples to use 1.2 features (#414, #424)
• Refactoring of client repo to allow for custom Client fields (#411)
• Split up build-docker-push into build, push (#434)
• Use go 1.6.2 for docker build. (#433)

Features

• LDAP connector added (#178)
• Dynamic client registration (#267)
• dexctl can read connectors from stdin (#277)
• Generated API docs added to repo (#285)
• dex now uses sqlite for --no-db mode and tests (does not add general sqlite support) (#304)
• New API endpoint for resending an invite email (#331)
• example app's default flags now work with --no-db mode (#333)

Bugs Fixed

• API status codes now differentiate between unauthenticated and unauthorized requests (#280)
• dex now uses 302 for redirects rather than 307 (#288)
• Emails now use case insensitive comparison (#339)
• When consuming OAuth2 credentials through basic auth, dex now correctly expects URL escaped values (#357)

Migration Note:

Duplicate Emails

The former use of case insensitive comparison for emails may have resulted in duplicate emails in the dex database for some instances.

For this release, dex will refuse to migrate the database if it detects duplicated emails in the authd_user table. In this case admins must resolve this by editing the table manually, dropping the rows they feel appropriate.

Admins who wish to delete duplicate emails in their database but don’t care which row is preserved can run the following SQL command:

DELETE FROM authd_user
WHERE id IN (SELECT id
    FROM (SELECT id,
        ROW_NUMBER() OVER (partition BY LOWER(email) ORDER BY id) AS rnum
        FROM authd_user) t
    WHERE t.rnum > 1);

This is a minor point release to update dex's automated build process from Go version 1.5.2 to 1.5.3 which fixes a bug that impacts RSA private keys. See the write up by the Go team here.

This release is primarily for users who pull dex from quay.io and updates that image to use dex binaries built with Go 1.5.3.

Features

• Better command line error message when secrets have bad length (#259)

Security fixes

• Update Go version in TravisCI from 1.5.2 to 1.5.3 for tests and Docker image builds (#269).

This is a minor point release to include a critical bug fix to 0.2.1

Features

• Better help messages for dexctl (#249)
• Better error messages when remote ID already exists (#246)

Bugs Fixed

• Add DB migration to allow storing 2048 bit RSA keys (CRITICAL FIX) (#250)
• Fix redirect when user logs in through a different connector (#242)