Auth0 Appliance Release Notes

2018-11-13: Auth0 1811.0 (17493.168)

Breaking

  • Disabled the Legacy Account Linking functionality by default.

Bug Fix

  • Fixed an uncaught exception during a SAML logout with a missing client.

  • Fixed the MFA API deleting the friendly_name, picture, picture_url, and guardian_mfa_page properties when they were not explicitly set in a call to the PATCH /tenant/settings endpoint.

  • Handled an uncaught exception when performing a google-oauth2 flow when the Google certificate endpoint fails.

  • Fixed a slow memory leak when calling the /well-known/jwks.json endpoint and when auth0-server issues RS256 tokens.

  • Fixed the MFA and Guardian rule templates; some of the rule templates were listed under the wrong category.

  • Fixed an issue causing an auth0-server worker to exit unexpectedly.

  • Handled an uncaught exception that could cause emails to be lost silently.

  • Fixed an uncaught exception when a malformed template had the @@ @@ blocks improperly wrapped.

  • Fixed an issue with linked accounts that prevented changing the email address on a secondary identity.

  • Fixed an incorrect URL for API calls in the Management API docs when the user was not logged in.

Enhanced

  • Improved passwordless connection forms when not using a custom email provider.

  • Added login-test-tenant to the tenant blacklist to prevent new tenants from using this name.

  • Performance improvements to the /api/v2/users/{id} endpoint.

  • Changed the SMTP Password input type from text to password in email providers.

  • Added a note to the Management API docs that the toggle must be enabled for the verification email template.

  • Improved Nginx logs and added log rotation.

  • Removed refresh_token from client credentials requests.

  • Confirmed the MFA API authenticator when verifying a Google Authenticator OTP.

  • Added improved deprecation logs for API1.

  • Added an alert (similar to the weak-password alert shown during user creation) that displays errors returned by the API, such as those for weak passwords.

  • Updated the MFA widget so that it can auto-advance to the Recovery Code step if the first SMS enrollment code is invalid.

  • Allowed verification using Guardian enrollments on /oauth/token with google-authenticator.

  • Added pagination to the tenants list on the configuration page to allow viewing more than 100 tenants.

  • Included client information in Management API requests performed by Auth0 services.

  • Added the same-user login limit to the Resource Owner Password Credentials endpoint.

  • Improved the application suggestion links in the top bar search box.

  • Added the ability to trace which code calls process.exit.

  • Updated the Nodes view in the configuration dashboard so that it does not truncate long IP addresses.

  • Updated the Auth0 Appliance CLI's export user functionality to optionally include the tenant name of each user.

  • Updated Elasticsearch tooling to avoid using persistent SSH credentials.

  • Updated Webtask images to latest as of October 16, 2018.

  • Updated the GeoIP database to current as of November 6th.

  • Adjusted client/auth0_users timeouts to work with custom db connections.

  • Supported setting provider to any for MFA rules.

  • Used a refill rate of 1/min as the default for change_password.

Feature

  • New Feature: Users can now include client_metadata in the allowed values for GET /clients.

  • New Feature: Length-based password policy.

Security

  • Prevented malicious requests from crashing auth0-server.

  • Fixed a server-side request forgery (SSRF) vulnerability in the Dashboard.


2018-11-13: Auth0 1810.3 (17230.171)

Security

  • Fixed a server-side request forgery (SSRF) vulnerability in the Dashboard.


2018-10-25: Auth0 1810.2 (17230.160)

Enhanced

  • Updated Webtask images to latest as of October 16, 2018 so that they contain the scrypt module.


2018-10-11: Auth0 1810.1 (17230.158)

Enhanced

  • Added robots.txt to the appliance-hosted documentation site to prevent external indexing.

  • For tenants with more than 100 applications, the dashboard (manage) can now optionally be allowed to search all of them.


2018-10-09: Auth0 1810.0 (17230.157)

Breaking

  • Removed the publish_actions permission from the Facebook social connection and added a note that some permissions require Facebook app review.

  • Removed the Locations tab in the user profile on the dashboard.

  • Webtask CLI and Webtask Settings will be disabled for new tenants.

  • When calling the factors endpoint on the MFA API for a tenant that does not exist, the response is now a 200 with an empty array instead of a 404.

Bug Fix

  • Fixed an issue where the user's account was not properly loaded into quickstarts.

  • Updated the Evernote SDK to fix failures with the Evernote connection.

  • Fixed an issue where, when a user was created with a user_id containing a special character, the user's History view in the dashboard failed to load.

  • Fixed an issue where, when sending the verification code using passwordless email, the verification email contained "Your Application" instead of the application's name.

  • Fixed an issue where the sessions object was not always cleared in docs.

  • Updated the default password change template so that special characters in the local part of the email address no longer break page rendering.

  • When performing a force-update, the Configuration UI now blocks new updates and no longer falsely reports that the update completed.

  • Fixed an issue where PATCH /connections and POST /clients returned 500 errors with thousands of clients in the datastore.

  • Fixed the default placeholder text for hash bucket size, changing it from 64 to 128.

  • Fixed the tooltip info when setting up an AWS email provider (the Access Key and Region were inverted).

  • Fixed an issue where Webtask did not properly clean up after deleted containers, leading to a slow disk leak.

  • Fixed a memory leak when calling the `/api/users/{user_id}/publickey` endpoint in Management API v1.

Enhanced

  • Updated the GeoIP database to current as of September 25, 2018.

  • Created a dedicated worker process to handle calls to the /users endpoint to improve service reliability.

  • Emitted an internal event when the deprecated Management API v1 is used.

  • Included the DataDog tags (complete hostname reverse FQDN.name, company, and root auth domain) required to set up instrumentation in all Auth0 Hosted appliances.

  • New version number format YYMM.incrementor for the appliance.

  • The DataDog timeout setting for Telegraf can now be configured in the Configuration UI.

  • The Linux kernel was upgraded to 4.4 on all of our base images (for new installs and nodes).

  • Updated Webtask images to latest as of October 1, 2018.

  • New Session format (enabled by default).

  • In rules, the context object now contains connection details (connectionId, connectionOptions, connectionMetadata).

  • Performance enhancements when fetching tenant logs from Management API v2.

  • Expired the docs session when an expired token is used.

  • Updated the dashboard ui-framework version.

  • Changed the order of the tenant dropdown items so that those with similar meaning are grouped together.

  • Refactored the authentication flow code used for authenticating users in docs.

  • Skipped setting the error response payload from an identity provider in the tenant log when it is undefined.

  • Allowed rule_config key names to contain special characters (@, *, :, and +).

Feature

  • Seamless SSO (enabled by default for new tenants; users can enable it in existing tenants).

Security

  • Fixed an indirect object reference vulnerability in Management API v1.


2018-11-13: Auth0 16999.173

Security

  • Fixed a server-side request forgery (SSRF) vulnerability in the Dashboard.


2018-09-19: Auth0 16999.148

Fixed

  • Appliance

    Fixed a UI bug that prevented certain users from setting password policies.


2018-09-19: Auth0 16999.147

Fixed

  • Appliance

    Fixed a bug in the configuration page that prevented users from setting ES Zones.


2018-09-12: Auth0 16999.145

Fixed

  • Appliance

    Feature flags are now propagated to the Auth0 Dashboard.

  • Appliance

    Fixed a bug on anomaly detection.


2018-09-11: Auth0 16999.137

Fixed

  • Appliance

    Fixed an error handling bug in the SMS Passwordless connection.

  • Appliance

    Fixed possible HTML injection with email providers in the dashboard.

  • Appliance

    Fixed auth0-start failures due to a missing trustproxy package.

  • Appliance

    Fixed a warning in auth0-configuration due to a Puppet syntax issue.

  • Appliance

    Fixed the auth0-start feature flags in API2, including the API2 FF.

  • Appliance

    Fixed an issue with use of the vulnerable 'Buffer' constructor that allowed an attacker to leak auth0-server memory.

  • Appliance

    Updated auth0-docs to use its own client for authentication instead of the dashboard's cookie and session.

  • Appliance

    Updated public services to use Node 8.11.3 or 6.14.3 to patch the Node June 12th vulnerability.

  • Appliance

    Removed the in-place default limits for the import user worker to support partial configuration and use its own defaults.

  • Appliance

    Updated the Nginx configuration to set the domain name hash bucket size to 128 by default.

  • Appliance

    Forced the Webtask runtime to use Node 8 and removed the ability to use Node 4.

  • Appliance

    Set the fix_states feature flag to true by default.

  • Appliance

    Set the default value of current_user_user_id_link_allowed flag to false.

  • Appliance

    Updated the GeoIP database to the latest (2018-08-28).

  • Appliance

    Allowed the feature flags UI to set flags for API2.

  • Appliance

    Set the password_length_option default to false.

  • Appliance

    Enabled the Unified MFA API by default.

  • Appliance

    Updated Webtask runtime to only use Node 8 for Rules, Extensions, Database Scripts, and Hooks. Effective this release, Node 4 will not be an option.

  • Appliance

    Fixed failures when configuring nodes caused by missing trustproxy package.

  • Appliance

    Fixed a warning that occurred when configuring nodes due to usage of a deprecated feature.

  • Appliance

    Changed authentication mechanism used to access documentation site. This required adding an application to the Root Tenant Authority, which should not be removed.

  • Appliance

    Updated the public services to use the latest Node LTS versions used by the services (8.11.3 and 6.14.3).

  • Appliance

    Improved support for partial configuration of the import users worker limits.

  • Appliance

    Implemented a fix for state validation issues that caused failures when using multiple tabs. This was fixed in a previous version, but the fix required opting in.

  • Appliance

    Disabled the ability to perform account linking with id_token.

  • Appliance

    Updated the GeoIP database to the 2018-08-28 dataset.

  • Appliance

    Updated the feature flag configuration screen to allow modification of Management API v2 feature flags.

  • Appliance

    Enabled the Multi-Factor Authentication API by default. This feature was available in the previous version but required opting in.

  • Appliance

    Updated to the latest version of Webtask as of 2018-08-30.

  • Appliance

    Added a description to the SAMLP configuration option signingCert to align with description found on the documentation website.

  • Appliance

    Fixed typos in Allowed Logout URLs and Allowed Origins (CORS) help block.

  • Appliance

    Allowed refresh tokens to be issued to third-party clients.

  • Appliance

    Removed the database volume from the base AMI and allowed configuration management automation to configure it.

  • Appliance

    Updated the Multi-Factor Authentication templates to use the latest version of the Multi-Factor Authentication widget.

  • Appliance

    Updated the 10K most commonly used passwords link in the dashboard.

  • Appliance

    Fixed an unhandled exception when finding the necessary MFA authenticator.

  • Appliance

    Added additional debugging information when an SMS fails to send.

  • Appliance

    Prevented potentially sensitive information from being logged: cookie header, location header, referer header, and redirect_uri.

  • Appliance

    Added validation during the dev code exchange to ensure the client was the same client that initiated the transaction.

  • Appliance

    Allowed idle_session_timeout and session_timeout to be managed by the tenant as a configuration.

  • Appliance

    Added GDPR consent to the documentation website layout.

  • Appliance

    Added 2FA email tenant log types.

  • Appliance

    Prevented the complete invitation URL for invitation emails from being logged.

  • Appliance

    Added additional protections against NoSQL injection attempts.

  • Appliance

    Updated the consent dialog to use scope descriptions.

  • Appliance

    Allowed PATCHing credential attributes for email providers.

  • Appliance

    Added a new property to the reset email template to optionally include or exclude email from the redirect URL.

  • Appliance

    Improved error messaging and logs for GET /users Management API v2 endpoint.

  • Appliance

    Fixed a duplicate reserved name causing some schema validation failures on various Management API v2 endpoints.

  • Appliance

    Fixed the documentation page intermittently preventing an opt-in pane from disappearing after it had been dismissed.

  • Appliance

    Prevented opt-in pane from displaying on the documentation page when the screen size is less than 1200 pixels.

  • Appliance

    Fixed an error when decoding expiration of API tokens.

  • Appliance

    Fixed the validation so that the maximum token_lifetime is 2592000 instead of 99999999999, which is invalid.

  • Appliance

    Added the client.logo_uri in consent state introspection.

  • Appliance

    Fixed the Evernote social connection.

  • Appliance

    Fixed an issue where /userinfo endpoint would intermittently return a user’s app_metadata as the metadata property.

  • Appliance

    Removed a static file called server.html that contained an XSS vulnerability.

  • Appliance

    Reinstated SAML debug mode to show original_profile.

  • Appliance

    Created a tenant log event to track usage of GET /users search with v1 unless coming from the dashboard.

  • Appliance

    Fixed a display issue with client_id on framed quickstarts.

  • Appliance

    Allowed underscores for URLs in the Allowed Web Origins field.

  • Appliance

    Allowed session settings to be set in the dashboard.

  • Appliance

    Fixed the SSO Integrations screen so that it lists only the SSO Integration connections, resolving issues with pagination.

  • Appliance

    Adjusted default message for Try Blocked Account email template.

  • Appliance

    Updated password reset template with latest password reset widget.