Auth0 Appliance Release Notes

Get the latest updates in Auth0

2018-09-12: Auth0 16999.145

Fixed

  • Appliance

    Feature flags are now propagated to the Auth0 Dashboard.

  • Appliance

    Fixed a bug in anomaly detection.


2018-09-12: Auth0 16257.142

Fixed

  • Appliance

    Fixed a bug in anomaly detection.


2018-09-11: Auth0 16999.137

Fixed

  • Appliance

    Fixed an error handling bug in the SMS Passwordless connection.

  • Appliance

    Fixed possible HTML injection with email providers in the dashboard.

  • Appliance

    Fixed auth0-start failures due to missing trustproxy package.

  • Appliance

    Fixed warning in auth0-configuration due to puppet syntax issue.

  • Appliance

    Fix auth0-start feature flag in API2 including API2 FF.

  • Appliance

    Fixed an issue with the use of the vulnerable 'Buffer' constructor that allowed an attacker to leak auth0-server memory.

  • Appliance

    Update auth0-docs to use its own client for authentication instead of using the dashboard's cookie and session.

  • Appliance

    Update public services to use node 8.11.3 or 6.14.3 to patch the node June 12th vulnerability.

  • Appliance

    Removing the in-place default limits for import user worker to support partial configuration and to use its own defaults.

  • Appliance

    Update nginx configuration to assign domain name hashbucket size to 128 as default.

  • Appliance

    Force Webtask runtime to use node 8 and take away the ability to use node 4.

  • Appliance

    Set the fix_states feature flag to true by default.

  • Appliance

    Set the default value of current_user_user_id_link_allowed flag to false.

  • Appliance

    Update GeoIP database to latest (2018-08-28).

  • Appliance

    Allowing feature flags UI to set flags for API2.

  • Appliance

    Set the default value of password_length_option to false.

  • Appliance

    Enable the Unified MFA API by default.

  • Appliance

    Updated Webtask runtime to only use Node 8 for Rules, Extensions, Database Scripts, and Hooks. Effective this release, Node 4 will not be an option.

  • Appliance

    Fixed failures when configuring nodes caused by missing trustproxy package.

  • Appliance

    Fixed a warning that occurred when configuring nodes due to usage of a deprecated feature.

  • Appliance

    Changed authentication mechanism used to access documentation site. This required adding an application to the Root Tenant Authority, which should not be removed.

  • Appliance

    Updated the public services to use the latest Node LTS versions used by the services (8.11.3 and 6.14.3).

  • Appliance

    Improved support for partial configuration of the import users work limits.

  • Appliance

    Implemented a fix for state validation issues that caused failures when using multiple tabs. This was fixed in a previous version, but the fix required opting in.

  • Appliance

    Disabled the ability to perform account linking with id_token.

  • Appliance

    Updated the GeoIP database to the 2018-08-28 dataset.

  • Appliance

    Updated the feature flag configuration screen to allow modification of Management API v2 feature flags.

  • Appliance

    Enabled the Multi-Factor Authentication API by default. This feature was available in the previous version but required opting in.

  • Appliance

    Updated to the latest version of Webtask as of 2018-08-30.

  • Appliance

    Added a description to the SAMLP configuration option signingCert to align with description found on the documentation website.

  • Appliance

    Fixed typos in Allowed Logout URLs and Allowed Origins (CORS) help block.

  • Appliance

    Allowed refresh tokens to be issued to third-party clients.

  • Appliance

    Remove the database volume from the base AMI and allow configuration management automation to configure it.

  • Appliance

    Update the Multi-Factor Authentication templates to use the latest version of the Multi-Factor Authentication widget.

  • Appliance

    Updated the 10K most commonly used passwords link in the dashboard.

  • Appliance

    Fixed an unhandled exception when finding the necessary MFA authenticator.

  • Appliance

    Added additional debugging information when an SMS fails to send.

  • Appliance

    Prevented potentially sensitive information from being logged: cookie header, location header, referer header, and redirect_uri.

  • Appliance

    Added validation during the dev code exchange to ensure the client was the same client that initiated the transaction.

  • Appliance

    Allowed idle_session_timeout and session_timeout to be managed by the tenant as a configuration.

  • Appliance

    Added GDPR consent to the documentation website layout.

  • Appliance

    Added 2FA email tenant log types.

  • Appliance

    Prevented the complete invitation URL for invitation emails from being logged.

  • Appliance

    Added additional protections against NoSQL injection attempts.

  • Appliance

    Updated the consent dialog to use scope descriptions.

  • Appliance

    Allowed PATCHing credential attributes for email providers.

  • Appliance

    Added a new property to the reset email template to optionally include or exclude email from the redirect URL.

  • Appliance

    Improved error messaging and logs for GET /users Management API v2 endpoint.

  • Appliance

    Fixed a duplicate reserved name causing some schema validation failures on various Management API v2 endpoints.

  • Appliance

    Fixed an issue where the documentation page intermittently prevented an opt-in pane from disappearing after it had been dismissed.

  • Appliance

    Prevented opt-in pane from displaying on the documentation page when the screen size is less than 1200 pixels.

  • Appliance

    Fixed an error when decoding expiration of API tokens.

  • Appliance

    Fixed the validation so that the maximum token_lifetime cannot exceed 2592000, instead of 99999999999, which is invalid.

  • Appliance

    Added the client.logo_uri in consent state introspection.

  • Appliance

    Fixed the Evernote social connection.

  • Appliance

    Fixed an issue where /userinfo endpoint would intermittently return a user’s app_metadata as the metadata property.

  • Appliance

    Removed a static file called server.html that contained an XSS vulnerability.

  • Appliance

    Reinstated SAML debug mode to show original_profile.

  • Appliance

    Created a tenant log event to track usage of GET /users search with v1 unless coming from the dashboard.

  • Appliance

    Fixed a display issue with client_id on framed quickstarts.

  • Appliance

    Allowed underscores for URLs in the Allowed Web Origins field.

  • Appliance

    Allowed session settings to be set in the dashboard.

  • Appliance

    Fixed the SSO Integrations screen so that it lists out only the SSO Integration connections to resolve issues with pagination.

  • Appliance

    Adjusted default message for Try Blocked Account email template.

  • Appliance

    Updated password reset template with latest password reset widget.


2018-09-07: Auth0 16793.140

Fixed

  • Appliance

    Fixed an error handling bug in the SMS Passwordless connection.

  • Appliance

    Fixed a memory leak issue.


2018-09-07: Auth0 16257.138

Fixed

  • Appliance

    Fixed error handling bug in the SMS Passwordless connection.

  • Appliance

    Fixed a memory leak issue.


2018-08-17: Auth0 16793.128

Fixed

  • Appliance

    Removed the Update from Package feature from the configuration API and screens.

  • Appliance

    Reduced the amount of data that is fetched from the Configuration API.

  • Appliance

    Changed the way we calculate usage statistics to count by tenant.

  • Appliance

    Fixed an issue with the Windows Live connection that prevented users from selecting a different account.

  • Appliance

    Updated the puppet configuration process to pull packages over HTTPS instead of HTTP.


2018-08-17: Auth0 16257.132

Fixed

  • Appliance

    Removed the Update from Package feature from the configuration API and screens.

  • Appliance

    Reduced the amount of data that is fetched from the Configuration API.

  • Appliance

    Changed the way we calculate usage statistics to count by tenant.

  • Appliance

    Fixed an issue with the Windows Live connection that prevented users from selecting a different account.

  • Appliance

    Updated the puppet configuration process to pull packages over HTTPS instead of HTTP.

  • Appliance

    Updated the GeoIP database with the latest version.

  • Appliance

    Fixed the Grafana and Instrumentation UI preventing users from logging in.

  • Appliance

    Removed restriction of login-dev as a tenant name.

  • Appliance

    Fixed a bug in Elasticsearch that prevented nodes from being removed.

  • Appliance

    Fixed a bug preventing refresh tokens from being used with 3rd party clients.


2018-08-09: Auth0 16793.125

Fixed

  • Appliance

    Fixed a bug that caused the dashboard to lose the refresh token grant when using 3rd party clients.

  • Appliance

    GeoIP database updated.

  • Appliance

    Webtasks Modules updated to their latest version.

  • Appliance

    The import users worker now supports the ability to set a partial configuration and use its own defaults.


2018-07-19: Auth0 16257.104

Fixed

  • Appliance

    Modified the setup scripts for adding an application node to the cluster so that it does not depend solely on a0-1.

  • Appliance

    Prevents root access to the node through the TTY interface (VMWare only).

  • Appliance

    Updating Docker to include latest patches and fixes.

  • Appliance

    Remove client secret from URL to prevent information exposure through server log files.

  • Appliance

    Fixed a bug that made the session fail to keep the list of clients involved in a transaction.


2018-07-02: Auth0 16257.94

Fixed

  • Appliance

    Fixed a bug that caused some environments to fail when webtask domains are not defined.


2018-06-26: Auth0 16257.92

Feature

  • Appliance

    Adds the ability to enable/disable features through Feature Flags on the configuration page.

Fixed

  • Appliance

    Fixes a bug that prevented users from properly configuring user import limits.

  • Appliance

    Fixes a possible SSRF vulnerability when using federated clients.


2018-06-08: Auth0 16257.89

Fixed

  • Appliance

    Fixes an SSO issue with account linking where the session context may be set to the wrong user during the transaction and subsequent transactions will fail, typically with a login required error or ‘Unable to construct sso user’.


2018-05-31: Auth0 16257.88

New

  • Appliance

    Updates Auth0 public services to Node 6 and 8 following EOL of Node 4.

  • Appliance

    Auth0 extensibility points will now support Node 8. After updating, existing appliance Hooks, Rules, Webtasks, and Database Action Scripts must be reviewed to ensure they are compatible with Node 8.

  • Appliance

    The login page is shown when the user associated with a session is not found.