
Releases: dexidp/dex

v2.7.0

18 Sep 22:13

Due to a bug in this release, we've removed the docker image from quay.io and recommend users upgrade directly to v2.7.1.

v2.6.1

21 Aug 23:32

This is a security release of dex that addresses flaws in API query parameters and groups scope handling logic in the GitHub connector.

Issue 1: Dex's GitHub API calls used a user's display name, instead of login name, and would fail.
Issue 2: Dex would not check whether a user was a member of groups in orgs/org if a client was not configured to communicate the groups scope to dex, regardless of whether orgs/org were populated in the clients' configuration file.

Users of the GitHub connector should update to this release immediately.

v2.6.0

12 Aug 00:21

This is a minor release of dex with the following changes since v2.5.0:

Features:

  • Log high bcrypt costs and password hash timeouts (#1016)
  • Filter by multiple GitHub organizations and teams, document caveats (#1013, #1019)
  • Fetch GitHub private primary email addresses if no public email is available (#1018)
  • LDAP and SAML query and configuration logging (#1021)

Bug Fixes:

  • Fixed hosted domain support for Google OIDC (#1000)

v2.5.0

19 Jul 18:42

This is a minor release of dex with the following changes since v2.4.1:

Features:

Bug Fixes:

  • Fix key rotation with multiple dex instances (#998)
  • Avoid generating an invalid ID attribute in SAML's AuthnRequest element (#985)
  • Fix localhost redirect validation for public clients (#941)

v2.4.1

04 May 22:17

This is a security release of dex that addresses a vulnerability in the LDAP connector.

Issue: Dex does not protect against LDAP servers that allow unauthenticated binds (usually disabled by default), which means a user can log in to dex without a password via LDAP.

Users of the LDAP connector should update to this release immediately if their LDAP servers support unauthenticated bind.
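
The failure mode described in this release, shown as an added Go example that is not dex's own code or patch: a login routine that treats any successful bind as proof of identity, next to one that rejects empty passwords before binding. The `binder` interface, `fakeDirectory` server, and both login functions are hypothetical names, and the directory contents are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// binder is a hypothetical stand-in for an LDAP client connection.
type binder interface {
	Bind(dn, password string) error
}

// fakeDirectory is a constructed in-memory server. Like a real server with
// unauthenticated bind enabled (RFC 4513, section 5.1.2), it accepts a bind
// that carries a DN and an empty password without verifying anything.
type fakeDirectory struct {
	passwords       map[string]string
	allowUnauthBind bool
}

func (d fakeDirectory) Bind(dn, password string) error {
	if password == "" {
		if d.allowUnauthBind {
			return nil // anonymous session, but reported as success
		}
		return errors.New("ldap: unwilling to perform")
	}
	if want, ok := d.passwords[dn]; ok && want == password {
		return nil
	}
	return errors.New("ldap: invalid credentials")
}

// naiveLogin trusts the bind result alone, so an empty password passes.
func naiveLogin(b binder, dn, password string) bool {
	return b.Bind(dn, password) == nil
}

// checkedLogin refuses empty passwords before contacting the server.
func checkedLogin(b binder, dn, password string) bool {
	return password != "" && b.Bind(dn, password) == nil
}

func main() {
	dn := "uid=jane,dc=example,dc=org" // constructed sample entry
	dir := fakeDirectory{map[string]string{dn: "s3cret"}, true}
	fmt.Println("naive, empty password:  ", naiveLogin(dir, dn, ""))
	fmt.Println("checked, empty password:", checkedLogin(dir, dn, ""))
	fmt.Println("checked, real password: ", checkedLogin(dir, dn, "s3cret"))
}
```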

v2.4.0

11 Apr 22:03

This is a minor release of dex with the following changes since v2.3.1:

Features:

  • Promote the SAML connector from experimental to stable (#902, #898).
  • Add support for login through GitHub Enterprise (#904).
  • Add LDAP integration tests (#900).

Bug Fixes:

v2.3.1

04 Apr 18:46

This is a security release of dex that addresses a vulnerability in SAML response processing. (#895)

Users of the experimental SAML connectors should update to this release immediately.

v2.3.0

24 Mar 20:53

This is a minor release of dex with the following changes since v2.2.0:

Features:

  • Adding a gRPC client example (#812)
  • Improve conformance tests (#854)
  • Make static storages query real storages for some actions (#855)
  • Expose oauth2.RegisterBrokenAuthHeaderProvider (#860)
  • Update API version to 2 (#862)

Bug Fixes:

  • Storage/kubernetes: fix hash initialization bug (#817)
  • Fix conflict error detection in TRP creation (#823)
  • Fix expiry detection for verification keys (#829)
  • Add missing WHERE statement to refresh token update (#848)
  • Validate InResponseTo SAML response field and make issuer optional (#869)
  • Fix assertion fallback (#870)
  • Connectors without a RefreshConnector should not error out (#872)
  • Fix custom CA behavior in example-app (#875)

v2.2.5

14 Mar 00:02

This is a patch release of v2.2 to backport the following bug fix:

  • Fix where statement in SQL query #848

v2.2.4

01 Mar 21:27

This is a patch release of v2.2 to backport the following bug fix:

  • Fix incorrect expiry detection of validation keys #829