v2.31.0

The official docker release for this release can be pulled from

ghcr.io/dexidp/dex:v2.31.0

What's Changed

• Bump Dex image to v2.30.0 for Kubernetes deployment example by @rdimitrov in #2232
• Update Go to 1.17 by @sagikazarmark in #2247
• refactor: move from io/ioutil to io and os package by @Juneezee in #2278
• feat: Add MySQL ent-based storage driver by @nabokihms in #2272
• chore: fix ioutil lint error after merging MySQL ent storage by @nabokihms in #2282
• Add parametrization of grant type supported in discovery endpoint by @ariary in #2265
• Resolves #2111 Option to fetch transitive group membership by @snuggie12 in #2268
• Return valid JWT access token from password grant by @enj in #2234
• fix: do not update offlinesession lastUsed field if refresh token was not updated by @nabokihms in #2300
• fix web static file path slash error for win platform by @copperyp in #2305
• Update grpc by @sagikazarmark in #2321
• ci: fix container image permissions by @sagikazarmark in #2329
• feat: print dex version in the logs by @iam-veeramalla in #2337
• OAuth connector by @xtremerui in #1630
• fix: return invalid_grant error on claiming token of another client by @nabokihms in #2344
• chore: warning about deprecated LDAP groupSearch fields by @nabokihms in #2026
• Add Nix environment by @sagikazarmark in #2324
• Update dependencies in the examples package by @sagikazarmark in #2372
• add sigstore to ADOPTERS.md by @bobcallaway in #2374
• Add claimMapping enforcement by @Happy2C0de in #2233
• ci: run trivy scan on container image by @sagikazarmark in #2387
• chore: update gomplate by @sagikazarmark in #2388
• chore: update golangci-lint download script by @nabokihms in #2394
• [fix] Replace /teams API w/ /workspaces endpoints by @rahulchheda in #2390
• ci: add Docker cache to speed builds up by @sagikazarmark in #2400
• distroless: Dockerfile works with distroless base image by @ankeesler in #2378
• Update dependencies by @sagikazarmark in #2404
• Update API package by @sagikazarmark in #2405

Dependency updates

• build(deps): bump entgo.io/ent from 0.8.0 to 0.9.0 by @dependabot in #2226
• build(deps): bump golang from 1.16.6-alpine3.13 to 1.16.7-alpine3.13 by @dependabot in #2225
• build(deps): bump google.golang.org/grpc from 1.39.0 to 1.39.1 by @dependabot in #2227
• build(deps): bump google.golang.org/api from 0.52.0 to 0.53.0 by @dependabot in #2235
• build(deps): bump google.golang.org/grpc from 1.39.1 to 1.40.0 by @dependabot in #2236
• build(deps): bump alpine from 3.14.0 to 3.14.1 by @dependabot in #2229
• build(deps): bump github.com/go-ldap/ldap/v3 from 3.3.0 to 3.4.0 by @dependabot in #2239
• build(deps): bump google.golang.org/api from 0.53.0 to 0.54.0 by @dependabot in #2241
• build(deps): bump github.com/AppsFlyer/go-sundheit from 0.4.0 to 0.5.0 by @dependabot in #2240
• build(deps): bump google.golang.org/protobuf from 1.26.0 to 1.27.1 in /api/v2 by @dependabot in #2243
• build(deps): bump google.golang.org/grpc from 1.36.1 to 1.40.0 in /api/v2 by @dependabot in #2242
• build(deps): bump github.com/go-ldap/ldap/v3 from 3.4.0 to 3.4.1 by @dependabot in #2246
• build(deps): bump entgo.io/ent from 0.9.0 to 0.9.1 by @dependabot in #2249
• build(deps): bump alpine from 3.14.1 to 3.14.2 by @dependabot in #2258
• build(deps): bump google.golang.org/api from 0.54.0 to 0.55.0 by @dependabot in #2259
• build(deps): bump google.golang.org/api from 0.55.0 to 0.56.0 by @dependabot in #2262
• build(deps): bump github.com/lib/pq from 1.10.2 to 1.10.3 by @dependabot in #2263
• build(deps): bump github.com/russellhaering/goxmldsig from 1.1.0 to 1.1.1 by @dependabot in #2270
• build(deps): bump golang from 1.17.0-alpine3.14 to 1.17.1-alpine3.14 by @dependabot in #2269
• build(deps): bump google.golang.org/api from 0.56.0 to 0.57.0 by @dependabot in #2277
• build(deps): bump github.com/coreos/go-oidc/v3 from 3.0.0 to 3.1.0 by @dependabot in #2279
• build(deps): bump golang from 1.17.1-alpine3.14 to 1.17.2-alpine3.14 by @dependabot in #2292
• build(deps): bump go.etcd.io/etcd/client/pkg/v3 from 3.5.0 to 3.5.1 by @dependabot in #2298
• build(deps): bump go.etcd.io/etcd/client/v3 from 3.5.0 to 3.5.1 by @dependabot in #2299
• build(deps): bump google.golang.org/grpc from 1.40.0 to 1.41.0 by @dependabot in #2285
• build(deps): bump github.com/mattn/go-sqlite3 from 1.14.8 to 1.14.9 by @dependabot in #2302
• build(deps): bump google.golang.org/grpc from 1.40.0 to 1.41.0 in /api/v2 by @dependabot in #2286
• build(deps): bump google.golang.org/api from 0.57.0 to 0.58.0 by @dependabot in #2287
• build(deps): bump google.golang.org/api from 0.58.0 to 0.59.0 by @dependabot in #2303
• build(deps): bump google.golang.org/api from 0.59.0 to 0.60.0 by @dependabot in #2308
• build(deps): bump golang from 1.17.2-alpine3.14 to 1.17.3-alpine3.14 by @dependabot in #2317
• build(deps): bump github.com/lib/pq from 1.10.3 to 1.10.4 by @dependabot in #2320
• build(deps): bump alpine from 3.14.2 to 3.14.3 by @dependabot in #2325
• build(deps): bump alpine from 3.14.3 to 3.15.0 by @dependabot in #2336
• build(deps): bump google.golang.org/api from 0.60.0 to 0.61.0 by @dependabot in #2341
• build(deps): bump golang from 1.17.3-alpine3.14 to 1.17.4-alpine3.14 by @dependabot in #2345
• build(deps): bump google.golang.org/api from 0.61.0 to 0.62.0 by @dependabot in #2348
• build(deps): bump golang from 1.17.4-alpine3.14 to 1.17.5-alpine3.14 by @dependabot in #2349
• build(deps): bump github.com/spf13/cobra from 1.2.1 to 1.3.0 by @dependabot in #2354
• build(deps): bump google.golang.org/api from 0.62.0 to 0.63.0 by @dependabot in #2353
• build(deps): bump google.golang.org/grpc from 1.42.0 to 1.43.0 by @dependabot in #2355
• build(deps): bump google.golang.org/grpc from 1.42.0 to 1.43.0 in /api/v2 by @dependabot in #2356
• build(deps): bump github.com/mattn/go-sqlite3 from 1.14.9 to 1.14.10 by @dependabot in #2362
• build(deps): bump golang from 1.17.5-alpine3.14 to 1.17.6-alpine3.14 by @dependabot in #2363
• build(deps): bump google.golang.org/api from 0.63.0 to 0.64.0 by @dependabot in #2364
• build(deps): bump google.golang.org/api from 0.64.0 to 0.65.0 by @dependabot in #2368
• build(deps): bump github.com/prometheus/client_golang from 1.11.0 to 1.12.0 by @dependabot in #2380
• build(deps): bump google.golang.org/grpc from 1.43.0 to 1.44.0 by @dependabot in #2384
• build(deps): bump google.golang.org/grpc from 1.43.0 to 1.44.0 in /api/v2 by @dependabot in #2385
• build(deps): bump go.etcd.io/etcd/client/v3 from 3.5.1 to 3.5.2 by @dependabot in #2395
• build(deps): bump aquasecurity/trivy-action from 0.2.1 to 0.2.2 by @dependabot in #2398
• build(deps): bump google.golang.org/api from 0.65.0 to 0.67.0 by @dependabot in #2399
• build(deps): bump github.com/prometheus/client_golang from 1.12.0 to 1.12.1 by @dependabot in #2393

New Contributors

• @rdimitrov made their first contribution in #2232
• @Juneezee made their first contribution in #2278
• @ariary made their first contribution in #2265
• @snuggie12 made their first contrib...

v2.30.3

The official docker release for this release can be pulled from

ghcr.io/dexidp/dex:v2.30.3

Bugfixes:

• Bitbucket Cloud connector: replace /teams API w/ /workspaces
  (#2390, @rahulchheda)

  Note: Deprecated /teams endpoints were deleted by Atlassian, which broke the Bitbucket Cloud connector. Thus anyone using authentication through Bitbucket Cloud should upgrade Dex to the >= v2.30.3 version.

v2.30.2

The official docker release for this release can be pulled from

ghcr.io/dexidp/dex:v2.30.2

This version is identical to v2.30.1.

We had some issues with CI when tagging v2.30.1 and tried tagging one more time. Ultimately, it turned out to be a permission issue. After fixing that both builds completed successfully.

v2.30.1

The official docker release for this release can be pulled from

ghcr.io/dexidp/dex:v2.30.1

Security:

• Upgrade alpine (#2327, @sagikazarmark)

v2.30.0

The official docker release for this release can be pulled from

ghcr.io/dexidp/dex:v2.30.0

Features:

• Improve auth flow error handling (#1862, @tkleczek)
• Create CRDs as apiextensions.k8s.io/v1 (#2025, @nabokihms)
• Read a namespace from the file for the Kubernetes storage client (#2092, @nabokihms)
• Update token periodically if Dex is running in a Kubernetes cluster (#2112, @nabokihms)

Bugfixes:

• Fix refreshing tokens that obtained with the password grant type (#2199, @hensur)
• Use only one sqlite3 connection to avoid the "database is locked" error (#2212, @salmanisd)

Minor changes:

• Add the ent-based postgres storage (#2121, @nabokihms)
• Demonstrate use of the htpasswd for the bCrypt hashing in static passwords (#2218, @jglick)

Dependencies:

• github.com/spf13/cobra 1.1.3 -> 1.2.1
• google.golang.org/grpc 1.38.0 -> 1.39.0
• google.golang.org/api 0.49.0 -> 0.52.0
• Build golang docker image 1.16.5-alpine3.13 -> 1.16.6-alpine3.13

v2.29.0

The official container image for this release can be pulled from

ghcr.io/dexidp/dex:v2.29.0

Features:

• Add sprig v3 functions to web templates (#2152, @nabokihms)
• Add ent-based sqlite3 storage (#1906, @nabokihms)
• Support setting the prompt type for the Microsoft connector (#1912, @ricky26)
• Embed web assets (#2054, @sagikazarmark)

Bugfixes:

• Defer creation of auth request (#1865, @al45tair)
• Use /token endpoint to get tokens with device flow (#2010, @nabokihms)
• Fix MySQL connection to use the provided port (#2100, @sagikazarmark)

Security:

• Use constant time comparison for client secret verification (#1861, @xtremerui)

Minor changes:

• Dependency upgrades
• Tons of small fixes and changes

Find more details in the v2.29.0 milestone.

Many thanks to everyone who contributed to this release!

v2.28.1

The official docker release for this release can be pulled from

ghcr.io/dexidp/dex:v2.28.1

Bugfixes:

• Fix gomplate on ARM (#2053, @sagikazarmark)

v2.28.0

The official docker release for this release can be pulled from

ghcr.io/dexidp/dex:v2.28.0

Features:

• Add c_hash to id_token, issued on /auth endpoint, when in hybrid flow (#1773, @HEllRZA)
• Allow configuration of returned auth proxy header (#1839, @seuf)
• Allow to disable os.ExpandEnv for storage + connector configs by env variable DEX_EXPAND_ENV = false (#1902, @heidemn-faro)
• Added the possibility to activate lowercase for UPN-Strings (#1888, @VF-mbrauer)
• Add "Cache-control: no-store" and "Pragma: no-cache" headers to token responses (#1948, @nabokihms)
• Add gomplate to the docker image (#1893, @nabokihms)
• Graceful shutdown (#1963, @nabokihms)
• Allow public clients created with API to have no client_secret (#1871, @spohner)

Bugfixes:

• Fix the etcd PKCE AuthCode deserialization (#1908, @bnu0)
• Fix garbage collection logging of device codes and device request (#1918, @nabokihms)
• Discovery endpoint contains updated claims and auth methods (#1951, @nabokihms)
• Return invalid_grant error if auth code is invalid or expired (#1952, @nabokihms)
• Return an error to auth requests with the "request" parameter (#1956, @nabokihms)

Minor changes:

• Change default themes to light/dark (#1858, @nabokihms)
• Various developer experience improvements
• Dependency upgrades
• Tons of small fixes and changes

v2.27.0

Action Required

This security release addresses the following advisory: GHSA-m9hp-7r99-94h5

Dex users should immediately update to v2.27.0.

Assets

The official container images for this release can be pulled from:

• dexidp/dex:v2.27.0
• ghcr.io/dexidp/dex:v2.27.0

Make sure to always use an image with a version tag.

Changelog since v2.26.0

• connector/saml: Validate XML roundtrip data before processing request

• Build the sqlite storage backend via build tag so Dex can compile when cgo is disabled

• Update image versions

  • golang:1.15.6-alpine3.12
  • postgres:10.15
  • gcr.io/etcd-development/etcd:v3.4.9

• Copy module dependencies to Docker image for CVE scanning / dependency analysis

Maintenance

• MAINTAINERS: @srenatus is now Emeritus

• README.md: Use maintainers list for reporting security issues

• .github: Add release notes block to pull request template

• Fully automate dev setup with Gitpod

  Implements a fully-automated development setup using Gitpod.io, an
  online IDE for GitHub and GitLab that enables Dev-Environments-As-Code.
  This makes it easy for anyone to get a ready-to-code workspace for any branch,
  issue or pull request almost instantly with a single click.

• Enable CodeQL for the Dex repository

• docs: Fixup broken links

Dependencies

Added

• github.com/mattermost/xml-roundtrip-validator: 1a8688a
• gopkg.in/yaml.v3: 9f266ea

Changed

• github.com/jonboulle/clockwork: v0.1.0 → v0.2.0
• github.com/pkg/errors: v0.8.1 → v0.9.1
• github.com/russellhaering/goxmldsig: 7acd5e4 → v1.1.0
• github.com/stretchr/testify: v1.4.0 → v1.6.1

Removed

Nothing has changed.

v2.26.0

The official docker release for this release can be pulled from

dexidp/dex:v2.26.0
ghcr.io/dexidp/dex:v2.26.0

⚠️ As of this release the latest Docker image tag will always point to master. ⚠️
Make sure to always use an image with a version tag.

Features:

• Add constructor for static key strategy (#1802, @xtremerui)
• Add team groups support to bitbucket connector (#1688, @nabokihms)
• Allow Authorization header when doing CORS (#1819, @al45tair)
• Retry Kubernetes update requests (#1847, @nabokihms)
• PKCE support (#1784, @HEllRZA)
• Allow public clients (e.g. SPAs using implicit flow or PKCE) to have redirect URLs other than localhost (#1822, @heidemn-faro)
• Architecture support for arm/arm64/amd64 docker images (#1781, @xunholy)

Bugfixes:

• Abort connector login if connector was already set (#1708, @tkleczek)
• Fix templates which asset path points to external URL (#1690, @nabokihms)
• Replace deprecated teams endpoint in bitbucket connector (#1812, @nabokihms)
• Log errors from login during password grant (#1830, @al45tair)
• Handle Kubernetes API conflicts properly for signing keys (#1835, @nabokihms)

Minor changes:

• Drop unnecessary else statement (#1769, @batara666)
• Update Go to 1.15 (#1806, @sagikazarmark)
• Minor CI fixes (#1815, #1856, @sagikazarmark)
• Minor linter changes (#1837, #1845, @nabokihms)
• Reduce image size without apk cache (#1836, @lcostea)
• Minor linter changes (#1853, @sagikazarmark)
• Add issue and PR templates (#1852, @nabokihms)