Auth0 Appliance - Old Releases


2018-09-19: Auth0 16793.146

Fixed

  • Appliance

    Fixed a bug on anomaly detection.


2018-09-07: Auth0 16793.140

Fixed

  • Appliance

    Fixed error handling bug in the SMS Passwordless connection

  • Appliance

    Fixed a memory leak issue.


2018-09-12: Auth0 16257.142

Fixed

  • Appliance

    Fixed a bug on anomaly detection.


2018-09-07: Auth0 16257.138

Fixed

  • Appliance

    Fixed error handling bug in the SMS Passwordless connection.

  • Appliance

    Fixed a memory leak issue.


2018-08-17: Auth0 16793.128

Fixed

  • Appliance

    Removed the Update from Package feature from the configuration API and screens.

  • Appliance

    Reduced the amount of data that is fetched from the Configuration API.

  • Appliance

    Changed the way we calculate usage statistics to count by tenant.

  • Appliance

    Fixed an issue in the Windows Live connection that prevented users from selecting a different account.

  • Appliance

    Updated the puppet configuration process to pull packages over HTTPS instead of HTTP.


2018-08-09: Auth0 16793.125

Fixed

  • Appliance

    Fixed a bug that caused the dashboard to lose the refresh token grant when using 3rd party clients.

  • Appliance

    GeoIP database updated.

  • Appliance

    Webtask modules updated to their latest version.

  • Appliance

    The import users worker now supports the ability to set a partial configuration and use its own defaults.


2018-08-17: Auth0 16257.132

Fixed

  • Appliance

    Removed the Update from Package feature from the configuration API and screens.

  • Appliance

    Reduced the amount of data that is fetched from the Configuration API.

  • Appliance

    Changed the way we calculate usage statistics to count by tenant.

  • Appliance

    Fixed an issue in the Windows Live connection that prevented users from selecting a different account.

  • Appliance

    Updated the puppet configuration process to pull packages over HTTPS instead of HTTP.

  • Appliance

    Updated the GeoIP database with the latest version.

  • Appliance

    Fixed the Grafana and Instrumentation UI preventing users from logging in.

  • Appliance

    Removed restriction of login-dev as a tenant name.

  • Appliance

    Fixed a bug in the Elasticsearch preventing nodes from being removed.

  • Appliance

    Fixed a bug preventing refresh tokens from being used with 3rd party clients.


2018-07-19: Auth0 16257.104

Fixed

  • Appliance

    Modified the setup scripts for adding an application node to the cluster so that it does not depend solely on a0-1.

  • Appliance

    Prevents root access to the node through the TTY interface (VMWare only).

  • Appliance

    Updated Docker to include the latest patches and fixes.

  • Appliance

    Remove client secret from URL to prevent information exposure through server log files.

  • Appliance

    Fixed a bug that caused the session to lose the list of clients involved in a transaction.


2018-07-02: Auth0 16257.94

Fixed

  • Appliance

    Fixed a bug that caused some environments to fail when webtask domains are not defined.


2018-06-26: Auth0 16257.92

Feature

  • Appliance

    Adds the ability to enable/disable features through Feature Flags on the configuration page.

Fixed

  • Appliance

    Fixes a bug that prevented users from properly configuring user import limits.

  • Appliance

    Fixes a possible SSRF vulnerability when using federated clients.


2018-06-08: Auth0 16257.89

Fixed

  • Appliance

    Fixes an SSO issue with account linking where the session context may be set to the wrong user during the transaction and subsequent transactions will fail, typically with a login required error or ‘Unable to construct sso user’.


2018-05-31: Auth0 16257.88

New

  • Appliance

    Updates Auth0 public services to Node 6 and 8 following EOL of Node 4.

  • Appliance

    Auth0 extensibility points will now support Node 8. After updating, existing appliance Hooks, Rules, Webtasks, and Database Action Scripts must be reviewed to ensure they are compatible with Node 8.

  • Appliance

    The login page is shown when the user associated with a session is not found.


2018-07-19: Auth0 15838.105

Fixed

  • Appliance

    Remove client secret from URL to prevent information exposure through server log files.

  • Appliance

    Updated Docker to include the latest patches and fixes.

  • Appliance

    Fix an issue that exposes an SSRF vulnerability from our metrics dashboard.

  • Appliance

    Prevents root access to the node through the TTY interface (VMWare only).

  • Appliance

    Modified the setup scripts for adding an application node to the cluster so that it does not depend solely on a0-1.


2018-07-02: Auth0 15838.97

Fixed

  • Appliance

    Fixes a possible SSRF vulnerability when using federated clients.


2018-05-24: Auth0 15838.85

Fixed

  • Appliance

    Fixes an SSRF issue with the instrumentation dashboard endpoints.

  • Appliance

    Fixes problem with usage collection job that fails to terminate properly.


2018-05-18: Auth0 15838.75

Fixed

  • Appliance

    Successful cross-origin authentication logins are now included in the log count.


2018-05-10: Auth0 15838.43

Fixed

  • Appliance

    Fixes an issue for connections with multiple realms where requests are not handled properly if they do not map directly to a connection name.

  • Appliance

    Fixes the following issues in the dashboard:

    • creation of impersonation audits
    • enrolling MFA devices for the dashboard administrators
    • removing a user from the dashboard admin list
    • cleaning up resources when a tenant is removed

  • Appliance

    Fixes an XSS vulnerability found in the oauth2orize-fprm package used during /authorize transaction.

  • Appliance

    Fixes an issue with the device enrollment API and custom domains. The alphabetically first configured domain is used for the public URL returned.


2018-04-30: Auth0 15838.36

Fixed

  • Appliance

    Removes a section from logs that, in some scenarios, would result in tenant keys appearing in logs.

  • Appliance

    Added missing default flag that prevents users from changing passwords in appliance. This flag was intended to prevent the use of a new change password flow that should not be enabled in appliance.

  • Appliance

    Removes a call used in the webtask node 8 migrations that would lead to one failure an hour per tenant. This call would attempt to contact a node 8 cluster and was unable to do so, possibly resulting in that request encountering an authentication failure.


2018-04-24: Auth0 15838.35

Fixed

  • Appliance

    Fixes login for non-db connection on federated clients. This allows extensions to work with SAML identities.


2018-04-13: Auth0 15838.31

Fixed

  • Appliance

    Changed webtask healthcheck endpoint to /health/local for faster healthcheck resolution after configuration or update.

  • Appliance

    Remove mouseflow javascript from loading in the manage UI.

  • Appliance

    The Docker network range can be configured at the db level to avoid conflicts with environmental network ranges. This does not currently have a UI and must be configured by Auth0 support staff.

  • Appliance

    Unblock user links no longer produces a 404 as it now includes appropriate data for the link.

  • Appliance

    Manage status page is now disabled in appliance. This page was unused.

  • Appliance

    Added issuer for auth0-server in mfa api.

  • Appliance

    SANDBOX_TIMEOUT_IN_SECONDS is properly configured from the UI to the sandbox.

  • Appliance

    As part of Legacy Deprecation many controls were put in place to limit access to some APIs from the Hosted Pages. This fix uses the appliance-specific custom domains list to better support the new endpoints and custom domains.

New

  • Appliance

    A cron job has been added to periodically clean up orphaned docker volumes to avoid running volumes out of disk space.

  • Appliance

    Patches are now surfaced as point releases in the UI as of this release. New patched releases (<build_number>.<patch_number>) are displayed on the /configuration/#update page. This allows a number of changes to be applied in a similar fashion to regular releases. There may still be some patches that require manual application.

  • Appliance

    Access to aws metadata from webtasks is disabled.

  • Appliance

    Active users calculation has been updated to match the approaches used in the cloud.

  • Appliance

    Added the ability to configure trusted proxies to support downstream trusted proxies in front of the appliance. This can be a set of IP addresses or ranges configured from the settings page.
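    The trusted-proxies setting above determines which X-Forwarded-For hops the appliance may believe when it records a client IP. The following Python is an added example, not Auth0's code, showing the resolution rule such a setting implies (walk the header from the right and skip hops inside the trusted ranges, so a client cannot spoof its own address by prepending entries); it assumes the setting is a list of IPs or CIDR ranges, which is an assumption about the format.

```python
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_trusted_proxies(entries: List[str]) -> List[Network]:
    """Parse the configured trusted proxy list (assumed: bare IPs or CIDR ranges)."""
    networks = []
    for entry in entries:
        entry = entry.strip()
        if entry:
            # strict=False lets "10.0.0.7/8" style entries through as 10.0.0.0/8
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_trusted(ip: str, trusted: List[Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def client_ip(remote_addr: str, xff_header: Optional[str], trusted: List[Network]) -> str:
    """Resolve the real client address behind trusted proxies.

    - If the direct TCP peer is not a trusted proxy, X-Forwarded-For is ignored
      entirely: an untrusted peer can write anything into that header.
    - Otherwise walk the header from right (closest hop) to left. Every hop that
      is a trusted proxy is skipped; the first untrusted hop is the client.
      Anything the client prepended to the left of that hop is never reached.
    - If every hop is trusted, the leftmost one is reported.
    - A malformed hop aborts the walk and falls back to the direct peer.
    """
    if not is_trusted(remote_addr, trusted):
        return remote_addr

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    if not hops:
        return remote_addr

    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: do not guess, attribute the request to the peer.
            return remote_addr
        if not is_trusted(hop, trusted):
            return hop
    # Every forwarded hop was a trusted proxy; the leftmost is the origin.
    return hops[0]


if __name__ == "__main__":
    # Constructed sample: a load balancer range and one explicit proxy host.
    trusted = parse_trusted_proxies(["10.0.0.0/8", "192.168.1.5"])
    # The client tried to spoof 1.2.3.4 by sending its own X-Forwarded-For.
    print(client_ip("10.0.0.7", "1.2.3.4, 203.0.113.9, 10.0.0.3", trusted))
```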


2018-07-19: Auth0 14591.107

Fixed

  • Appliance

    Remove client secret from URL to prevent information exposure through server log files.

  • Appliance

    Modified the setup scripts for adding an application node to the cluster so that it does not depend solely on a0-1.

  • Appliance

    Prevents root access to the node through the TTY interface (VMWare only).

  • Appliance

    Fix an issue that exposes an SSRF vulnerability from our metrics dashboard.


2018-07-02: Auth0 14591.98

Fixed

  • Appliance

    Fixes a possible SSRF vulnerability when using federated clients.


2018-05-24: Auth0 14591.84

Fixed

  • Appliance

    Fixes an SSRF issue with the instrumentation dashboard endpoints.

  • Appliance

    Fixes problem with usage collection job that fails to terminate properly.


2018-05-16: Auth0 14591.74

Fixed

  • Appliance

    Successful cross-origin authentication logins are now included in the log count.


2018-05-10: Auth0 14591.40

Fixed

  • Appliance

    Fixes an issue for connections with multiple realms where requests are not handled properly if they do not map directly to a connection name.

  • Appliance

    Fixes an XSS vulnerability found in the oauth2orize-fprm package used during /authorize transaction.

  • Appliance

    Allows the embedded LDAP connector to remove specific LDAP attributes before calling the mapper script. This helps in scenarios that have a large number of attributes with a large amount of data. This must be configured at the environment level by an MSE.

  • Appliance

    Fixes an issue with the device enrollment API and custom domains. The alphabetically first configured domain is used for the public URL returned.


2018-04-24: Auth0 14591.34

Fixed

  • Appliance

    Fix XSS vulnerability on OAuth2 - Web Message Response Mode.


2018-04-19: Auth0 14591.33

Fixed

  • Appliance

    As part of Legacy Deprecation many controls were put in place to limit access to some APIs from the Hosted Pages. This fix uses the appliance-specific custom domains list to better support the new endpoints and custom domains.

  • Appliance

    Whitelisted passwordless/start so the legacy Lock API won't affect it.


2018-04-13: Auth0 14591.30

Fixed

  • Appliance

    Fixed an issue where the adldap connector service would not be available due to a failure in log rotation.


2018-04-04: Auth0 14591.29

Fixed

  • Appliance

    Fixed an issue affecting users of legacy endpoints when certain request headers are missing.

  • Appliance

    Fixed an issue unblocking users from a link that resulted in a 404.


2018-03-28: Auth0 14591.28

Feature

  • Appliance

    Added the ability to configure trusted proxies to support downstream trusted proxies in front of the appliance. This can be a set of IP addresses or ranges.

  • Appliance

    Added the ability to prevent a number of cross-site scripting attacks based on provided browser information.


2018-03-19: Auth0 14591.22

Fixed

  • Appliance

    Fixes an issue where the sandbox timeout value was not properly set.

  • Appliance

    Restores the ability of the WS-Trust metadata exchange endpoint to return additional XSD files; their absence was breaking some customers.

  • Appliance

    Fixes an issue with constraining the length of rules-config values to 255 characters, by removing the constraint.

  • Appliance

    Restores CORS in the following endpoints when Legacy API is disabled:

    • oauth/token
    • oauth/ro
    • oauth/access_token
    • /delegation

  • Appliance

    This allows extensions to continue to work as expected when legacy Lock APIs are disabled. This is protected by the redirect_improved_pipeline feature flag that, when enabled, redirects any request made to /i/oauth/authorize to /authorize.

  • Appliance

    Periodically clean unused docker volumes to ensure they do not fill up drive space.

  • Appliance

    Fixes an issue that prevents custom SNS configurations with MFA.

  • Appliance

    Updated the HAPI dependency for core services due to security vulnerability.

  • Appliance

    Fixes an issue in the reverse proxy configuration to allow MFA and custom domains in appliance to work together properly.

  • Appliance

    Fixes a security issue with linking user accounts. This fix properly verifies permissions when linking user accounts. It can be disabled with the flags current_user_user_id_link_allowed and legacy_id_token_jwt_link_with_allowed if customers need time to fix any clients calling the current APIs without proper permissions.

  • Appliance

    Fixed a CORS issue on various endpoints and issues that caused WSFed and SAML add-ons to stop working when disabling the Legacy Lock API.

  • Appliance

    This patch fixes an error that causes an exception during login that can terminate authentication services. The users will only see the generic error page (Ooops!...). All transactions in process will be canceled.

  • Appliance

    This patch fixes an issue that forced the use of Elasticsearch v5 for all tenants.

  • Appliance

    The /tokeninfo is currently under the enable_legacy_lock_api flag and prevents this being called if the Legacy APIs are disabled when migrating off. This patch removes it from the Legacy Lock API and creates a new flag allow_legacy_tokeninfo_endpoint.

  • Appliance

    This patch disables the manage status page that displays internal setup information.

  • Appliance

    This patch fixes an issue that prevents the ability to save an email template for passwordless auth.

  • Appliance

    This patch fixes an issue where v14951 fails on some api2 endpoints with the error "Payload validation error: 'Additional properties not allowed: allow_legacy_delegation_grant_types'".

  • Appliance

    The logrotate rule for auth0-adldap had a typo that prevented logs from being rotated, potentially causing the log drive to be entirely consumed.


2017-12-20: Auth0 14591

Added

  • Appliance

    This release includes support for migrating to the new Lock 11. You can find more in the migration guide https://auth0.com/docs/libraries/lock/v11/migration-guide.

  • Appliance

    The appliance now supports the ability to apply configuration and future updates to nodes in sequential order. This will reduce downtime as only one node is reconfigured or updated while other nodes continue to serve requests.

Fixed

  • Appliance

    The webtask sandbox dedicated domain is now added to the list of resolvable domain names from within a webtask sandbox.

  • Appliance

    Fixed an issue where the images-extra package was not updated if the kernel was updated when security updates were applied.

  • Appliance

    Returned cache-control headers were updated to ensure sensitive data would not be cached on the local browser.

  • Appliance

    The switch-tenant UI choice is enabled even if the 'Add New Accounts' option is disabled, as long as there are multiple active tenants.

  • Appliance

    Fixed an issue in 6-node clusters where nodes not configured to run Elasticsearch were attempting to configure logs and log rotation for Elasticsearch and failing.

  • Appliance

    Fixed an issue in a GeoHA setup with Elasticsearch where nodes might not be configured to use the correct, local Elasticsearch cluster.

  • Appliance

    Fixed an issue in the NGINX configuration that allowed bypassing restricted access to the /login page in manage when using Basic Authentication with a port number in the Host Header.

  • Appliance

    Elasticsearch indexes are now recreated with the proper number of replicas during the initial setup or, in a GeoHA setup, when a re-index occurs in the non-primary region.


2017-10-20: Auth0 13896

Fixed

  • Appliance

    The instrumentation value auth0_http_requests_replied is now summarized properly in the 1week statistics for Instrumentation.

  • Appliance

    Instrumentation is now properly disabled when configured to do so.

  • Appliance

    Secrets used to communicate with MFA components are now properly rotated on initial appliance setup.

  • Appliance

    The component monitoring Elasticsearch zones in an appliance GeoHA setup no longer leaks connections and eventually restarts.

New

  • Appliance

    The Monthly-Active-User intermediate database storage is now retained and synchronized between nodes calculating MAU to avoid the need to recreate this database.

  • Appliance

    Configuration time should be faster for some configurations due to not restarting components of the webtask rule execution sandbox. This will also make restart times faster for any reboots.


2017-09-14: Auth0 13451

Added

  • Appliance

    Webtask components have been updated to 23.3.9.

  • Appliance

    Webtask may now be configured on a dedicated domain. This mirrors how the cloud handles webtask domains and enables safely using extensions in shared-tenant environments. This will require setting up new DNS entries for the new domain and valid, trusted certificates.

  • Appliance

    auth0-stats now reports total internal users in the stats it collects. Note: This will eventually be seen in Support Center.

  • Appliance

    auth0-stats is updated to consider internal users when calculating Monthly Active Users (MAU). Note: This requires a CSE to set the internal user domain properly.

Fixed

  • Appliance

    Updates initiated from the UI appear to be delayed by 1 minute. The attempt to upload stats was not shutting down cleanly and causing a delay in starting the update. Stats are now given 10 seconds to upload at the start of an update.

  • Appliance

    Collecting environment settings during update no longer causes auth0-start to abort update.

  • Appliance

    auth0-start no longer increases CPU usage over time during service checks when Elasticsearch is installed.

  • Appliance

    Sensitive data backups no longer include the auth db.


2017-08-16: Auth0 13130

Added

  • Appliance

    Tenant logs can now be offloaded to an external endpoint over TCP/HTTP. This can support many endpoints that support this, including logstash and Splunk. If using TLS/HTTPS it does require a valid certificate on the receiving service.

  • Appliance

    The local appliance domain is now reachable within auth0-sandbox containers. This eliminates the need to make the appliance domain endpoints resolvable and reachable by public DNS.

Fixed

  • Appliance

    Many Auth0 extensions were fixed to add a login flow for access to extension information. This means that extensions will not work without webtask being deployed in a full-trust model. This model is not recommended for multi-tenant applications of the appliance. The extensions affected are:

    • auth0-delegated-administration-extension
    • auth0-logs-to-logstash
    • auth0-logs-to-papertrail
    • auth0-logs-to-loggly
    • auth0-logs-to-sumologic
    • auth0-delegated-admin-extension-nlg
    • auth0-logs-to-azure-blob-storage
    • auth0-logs-to-splunk
    • auth0-gitlab-deploy
    • auth0-logs-to-application-insights
    • auth0-github-deploy
    • auth0-visualstudio-deploy
    • auth0-bitbucket-deploy
    • auth0-box-platform-extension

  • Appliance

    Database backups done through the CLI are now done in quiet mode to avoid over-filling the response buffer (and prematurely terminating the backup job).

  • Appliance

    Daily stats for the last 7 days now appear in the dashboard correctly.

  • Appliance

    Auth0-sandbox webtask containers no longer log within the container, which could potentially consume more disk space than necessary since logs are kept elsewhere.


2017-07-01: Auth0 12628

Added

  • Appliance

    Legacy grant types are deprecated. New tenants and clients do not support these grant types by default, but they can be enabled. See this https://auth0.com/docs/clients/client-grant-types for more details on grant types.

  • Appliance

    The appliance now supports Multi-Factor Authentication with SMS and Push Notifications. Mobile clients can be built with the Guardian SDK that will work with the appliance. The appliance does not support the Auth0-branded Guardian client. See https://auth0.com/docs/multifactor-authentication for using and configuring Multi-Factor Authentication.

  • Appliance

    The grafana dashboard can now be configured to use an alternate client for authentication besides the Auth0 client. This can help in scenarios where you want to expose instrumentation to other users in test environments.

  • Appliance

    Limitd buckets no longer require the entire configuration to be specified in the limitd configuration page. Only buckets that are different from the system default need to be specified.

  • Appliance

    Limitd buckets can be specifically removed (i.e. unlimited) via configuration.

Fixed

  • Appliance

    Instrumentation, if enabled, now includes jitter during its collection process to avoid spiking the CPU during collection periods.

  • Appliance

    telegraf and influxdb now do proper log rotation.

  • Appliance

    Certificate uploads now correctly trigger a change if either the key or the pem changes.

  • Appliance

    Dashboard admin invites will always go out with the configured default email as the send-from address. This could potentially break Dashboard Admin invite flows if there is no configured default send-from email address.


2017-05-01: Auth0 11638

Added

  • Appliance

    New event types are added to the statistics calculation in calculating active users.

  • Appliance

    Support for GeoHA with Elasticsearch. This allows user search via Elasticsearch to be used in GeoHA environments.

  • Appliance

    Old webtask images are now automatically removed after an appliance update. Webtask keeps the current images plus those for one release prior; all others are removed.

  • Appliance

    Webtask components have been updated to the latest as of release time. While largely internal, it will allow the appliance to keep pace with the latest extensions.

  • Appliance

    Sensitive data is now required to be exported separately and stored separately from standard backups. This keeps a better separation between keys and data. Both sets of backups are needed in order to successfully complete restoration. Sensitive data is backed up via the a0cli command line just like database backups.

  • Appliance

    Users can now be exported via the a0cli for a limited set of whitelisted fields.

Fixed

  • Appliance

    Log rotation added for Elasticsearch. This should make sure logs are kept to a reasonable size, if Elasticsearch is enabled. The last 4 log files are retained.

  • Appliance

    Nginx is now properly configured with the default server_names_hash_bucket_size on initial installs.

  • Appliance

    New version of limitd is available that addresses some memory leaks.

  • Appliance

    Minimum master databases are now set properly for Elasticsearch on initial setup. This affects how many failed nodes ES requires to be available to maintain a writeable cluster.

  • Appliance

    Log rotation added for influxdb and telegraf. This should make sure logs are kept to a reasonable size, if instrumentation is enabled. The last 5 log files are retained.

  • Appliance

    A sandbox error is no longer displayed in the manage UI if a sandbox other than auth0-sandbox is enabled.


2017-03-21: Auth0 11112

Added

  • Appliance

    Webtask Editor is now available in appliance. This allows you to edit webtasks right from a web page. See https://webtask.io/docs/editor for more details on the editor.

  • Appliance

    Hooks Feature is now available in appliance. This allows you to plug in code on specific events. See https://auth0.com/docs/hooks for more details.

  • Appliance

    Webtask components have been updated. While mostly internal, this will allow the appliance to keep pace with the latest extensions.

  • Appliance

    Longer server name lengths can be accommodated in nginx via configuration.

Fixed

  • Appliance

    The SSO timeout setting now applies to the users API endpoint.

  • Appliance

    Grafana no longer restricts users by domain name.

  • Appliance

    Mongo2es service properly stops and does not uninstall when transitioning to or from Elasticsearch.


2017-02-20: Auth0 10755

Added

  • Appliance

    Tenant verification prior to creation of tenant log collections can now be enabled from configuration.

  • Appliance

    Mongo client updated to 3.2 and added scripts to update the mongo database to 3.2.

  • Appliance

    Usage calculations have now been updated to include a breakdown per tenant per client per connection per strategy per month.

  • Appliance

    The new authentication pipeline is now included. Please verify major auth flows before moving it to production.

  • Appliance

    Webtask runtime components have been updated to 18.3.2.

Fixed

  • Appliance

    auth0-server no longer logs sensitive data on failed requests.

  • Appliance

    Sandbox parameters are now properly created if missing for a tenant.

  • Appliance

    Users modified/updated via the Users api are now properly forwarded to ElasticSearch, if enabled.


2017-01-16: Auth0 10258

Added

  • Appliance

    Elasticsearch Preview is now available to some customers as a limited release.

  • Appliance

    Webtask domain must now be setup as part of initial appliance node setup.

  • Appliance

    Webtask runtime components have been updated to 17.3.5.

  • Appliance

    Use of the user search hint and user search timeout can now be modified if needed.

  • Appliance

    API2 CPU and Memory limits can now be set, like for other services.

Fixed

  • Appliance

    The default smtp address is used for emails from 2nd level brute force notifications.

  • Appliance

    The default redirect URL can now be configured.

  • Appliance

    Auth0 Docs now use the correct client secret, so they will show up.

  • Appliance

    Logs should not be truncated during configuration updates.

  • Appliance

    Webtask configuration overrides are now properly merged with standard default values.

  • Appliance

    auth0-stats no longer hangs on single-replica instances.

  • Appliance

    apt-mirror.it.auth0.com is now accessed via https instead of http.


2016-11-23: Auth0 9632

Added

  • Appliance

    Webtask on the appliance is now upgraded to version 14.5.1.

  • Appliance

    Webtask endpoints added to healthchecks for Appliance.

  • Appliance

    Appliance will no longer forward arbitrary fwd. parameters for authentication requests.

  • Appliance

    Add-as-arbiter scripts have been extended to support two-arbiter configurations.

  • Appliance

    Fixed a mis-match in per_page limits on user searches.

  • Appliance

    api v1 has been split from auth0-server to run from a separate service, auth0-api1.

  • Appliance

    Encryption and hashing keys are rotated during initial appliance setup when set-as-first is run.

  • Appliance

    Instrumentation metrics can now be sent to a DataDog endpoint by providing a DataDog API Key in configuration.

  • Appliance

    Azure WAAD thumbprints are now automatically updated nightly from one of the appliance nodes.

Fixed

  • Appliance

    During re-configuration, webtask should be restarted only when necessary.

  • Appliance

    Internet connectivity healthcheck moved from ping to an HTTP HEAD request.

  • Appliance

    Ensure dhcpclient is stopped when switching networking from dynamic to static.

  • Appliance

    The multifactor auth link now links to #/multifactor instead of #/guardian.

  • Appliance

    The appliance can be set up to use proxies on initial install and during updates.


2016-10-13: Auth0 8986

Added

  • Appliance

    You can now add trusted certificates to the cert store on the appliance. This helps for certain situations, like the use of a transparent proxy.

  • Appliance

    Per node instrumentation is now available. Instrumentation provides historical data and a UX for the node that shows system metrics, database metrics, and transaction rates. Detailed instrumentation for 24 hours is retained, and down-sampled metrics are available for 7 days.

  • Appliance

    You can configure log retention in the dashboard. The log retention period applies to all tenants, and defaults to 30 days. Performance can be adversely affected by setting this beyond 30 days. Please consult your CSE.

  • Appliance

    You can disable http for authenticated health checks in the management dashboard. By default both http and https are allowed, with the http interface intended for use on isolated networks. If you aren't on an isolated network or only want to allow https, then you can disable http.

  • Appliance

    The docker repository can now use port 443 instead of port 5000 for getting updates. In some environments using a non-standard port was problematic.

  • Appliance

    Added a posture check to the configuration process. This ensures that the services came up correctly after configuration, and that all configuration has completed running.

  • Appliance

    Extensions are now supported. You must have configured webtasks (auth0-sandbox mode) for extensions to work, and a certificate issued by a public certificate authority. A few extensions from the public cloud do not work on the appliance, and you will not see those extensions in the extensions gallery.

Changed

  • Appliance

    Improved CLI scriptability by always returning 0 on success, and 1 on failure. Also standardized output for commands, and error handling. The CLI also now automatically updates to the metadata version for the cluster release.

Fixed

  • Appliance

    The client credentials authentication flow no longer depends upon webtasks.

  • Appliance

    Appliance tenants are now created as premium customers.

  • Appliance

    When using proxy protocol (typically AWS), tenant logs failed when auth0-sandbox (webtasks) was configured.

  • Appliance

    The consistency checks at startup for tty1 (auth0-start) forced an application update sometimes when first adding a node to an operating cluster. These checks now only warn.

  • Appliance

    The update process sometimes failed when both configuration and app updates are indicated. The app update is applied first, and it may in some circumstances apply invalid settings, causing a failure. Now configuration updates are always applied before application updates.


2016-09-01: Auth0 8293

Added

  • Appliance

    Customers can disable TLS for SMTP. Normally Auth0 servers negotiate TLS with SMTP servers using STARTTLS. In some cases customers want to actively disable the use of TLS. You can now force TLS off for SMTP.

Changed

  • Appliance

    Performance fixes and enhancements.

Fixed

  • Appliance

    Filtering of patch releases was done improperly, resulting in an update to the latest version rather than the selected version in some cases.


2016-08-08: Auth0 7941

Added

  • Appliance

    A connectivity command can now be run against an instance in the cluster using the CLI to verify connectivity to an IP address and port for each node.

  • Appliance

    An nslookup command can now be run against an instance in the cluster using the CLI to verify DNS setup for each node.

  • Appliance

    CSE can now adjust the maximum memory for several processes that can vary under load to match the profiles being used by the customer.

  • Appliance

    An additional fix was made to backup decompression logic.

Changed

  • Appliance

    Open logout redirects are now disabled by default on new appliances. Logout redirects must be white listed.

  • Appliance

    Webtasks are now enabled by default on new installations for rule execution.


2016-07-27: Auth0 7760

Added

  • Appliance

    Added a default "from" email address. If a template does not specify a from address, this address is used. Additionally, there is an option to send dashboard administrator invitations from the default email address rather than from the inviting administrator. This helps customers using transactional email services where they must whitelist "from" email addresses.

  • Appliance

    Added the ability to turn off MX record checking for email recipients. In some cases customers use domains that do not have MX records for emails.

  • Appliance

    Improved the diagnostics and troubleshooting view by adding RabbitMQ to the service checks and showing each cluster node's application version in the node view. RabbitMQ is responsible for queuing emails, and if it stops, email will not be sent. This check now shows the status in the dashboard and also at the healthcheck endpoint.

  • Appliance

    Bulk user import now works on the appliance. Customers that have to import a large number of users can use the apiv2 mechanism for bulk user import.

  • Appliance

    Information on response times for the different authentication stages is now written to the logs. This helps customers understand where bottlenecks occur if logins are slow.

Fixed

  • Appliance

    Increased keep-alive timeout to 100 seconds. Some technologies like .NET use a 100 second timeout limit, and the previous setting of 60 seconds could cause issues.

  • Appliance

    The CLI would fail if an invalid key was specified for a user in the management dashboard. This fix provides a clearer message and performs key checking.

  • Appliance

    Fixed an issue with invalid compression on large backups.


2016-06-17: Auth0 7247

Added

  • Appliance

    Support for SSL offloading is now available. You can now configure the appliance to accept HTTP. Your load balancer needs to provide an X-Forwarded-Proto header with this feature. The operational environment is responsible for ensuring that HTTP access is locked down to the load balancer.

  • Dashboard

    The management dashboard can now use a different SSL certificate than the tenant authentication domains. With this feature you could for example run your authentication endpoints on externally facing domains while using an internal domain for the dashboard.

  • Search

    Search queries for users and transaction logs can execute on a secondary database instance. This reduces the load on the primary database node, ensuring that authentication transactions are not affected by expensive search queries in high load environments.

  • Stats

    Auth0 now periodically collects aggregate statistics from appliance clusters. Customers can request a dump of the statistics collected.

Fixed

  • Appliance

    The apiv1 user search endpoint caches results of a count operation for 5 minutes. The number of users should be considered an approximate count when doing search operations using apiv1.

  • Management API

    For queries that return a large number of results, the apiv2 user search endpoint will not return a count if a time limit for counting matching users is exceeded. Overall count queries, or count queries for a single connection, are efficient and will return results even when there are millions of users.


2016-05-28: Auth0 6975

Changed

  • Appliance

    Performance of the management dashboard and user search improved. User search functionality is reduced as part of the performance improvement. You can now only sort users by email when doing a filtered search, and you can no longer sort by name or login count.


2016-05-20: Auth0 6868

Added

  • Appliance

    The CLI backup capability has been enhanced. You now will designate a specific instance for backup from the CLI. This ensures a backup does not degrade your normal cluster operations during the process. Additionally you must now have a dedicated backup volume on the designated backup instance. This ensures that a backup will not fill up volumes used for normal operations.

  • Appliance

    A CSE can now configure an appliance cluster to distribute load over more cores to support scale up as an alternative to scale out. Some types of authentications require expensive cryptographic operations where scale up may be a more desirable approach.

  • Appliance

    Services are now periodically checked and restarted by an independent process. Typically services do restart automatically, although in some unusual rapid failure modes a service may stop running. The monitoring service checks periodically for this condition and starts any services that have failed their normal automatic restart. This additional monitoring function is off by default.

Deprecated

  • Appliance

    In this release a JSONP endpoint used for SSO has been disabled. This endpoint supported browsers before IE9, and it exposes some potential vulnerabilities due to the weaknesses of JSONP. A setting was also added that allows a customer to override the JSONP disable on a per-tenant basis.


2016-05-02: Auth0 6576

Added

  • Appliance

    The VMware image (OVA) now supports compatibility level 10. If you have an older version of ESX, we can still provide an OVA with compatibility level 8.

  • Appliance

    Added the ability to re-assign IP addresses for other cluster nodes using the command line interface. When a cluster is moved to a new network, the nodes need to be provided with the IP addresses of the other nodes in order to re-establish the cluster. With the re-ip command, you can modify a node's configuration for the IP addresses of the other nodes in the cluster.

  • Appliance

    Rate limiting is now available on the appliance. It uses a token bucket approach to limit the rates of various services such as user logins and API invocations. The feature helps protect against brute force attacks.

  • Server

    Added logout returnTo URL validation. If the returnTo URL is not in the Allowed Logout URLs list, the request will be rejected. See the docs for more information.
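    The rejection rule above (and the logout redirect whitelisting in the 7941 release) amounts to matching the returnTo URL exactly against configured entries. Below is an added example of such a check, not Auth0's implementation; the allow list entries, the sample URLs and the function names are constructed for illustration.

```python
"""Validate a logout returnTo URL against an allow list of logout URLs.

Added example showing the kind of exact-match check the release describes;
not Auth0's implementation. The allow list and sample URLs are constructed.
"""
from urllib.parse import urlsplit

# Constructed sample "Allowed Logout URLs" list.
ALLOWED_LOGOUT_URLS = [
    "https://app.example.com/logged-out",
    "https://portal.example.com:8443/bye",
]


def canonical(url):
    """Return (scheme, host, port, path) for an absolute http(s) URL, else None.

    Userinfo is rejected outright and the default port is filled in, so that
    equivalent spellings compare equal while look-alike hosts do not.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric port
        return None
    port = port or (443 if parts.scheme == "https" else 80)
    # .hostname is already lower-cased; .scheme is lower-cased by urlsplit
    return parts.scheme, parts.hostname, port, parts.path or "/"


def is_allowed_return_to(return_to, allowed=ALLOWED_LOGOUT_URLS):
    """True only if scheme, host, port and path match an allow list entry exactly.

    Query string and fragment are ignored, so "?ref=nav" on an allowed URL
    passes; a different path, port or host does not.
    """
    target = canonical(return_to)
    if target is None:
        return False
    return any(target == canonical(entry) for entry in allowed)


if __name__ == "__main__":
    samples = [  # constructed inputs: the first three pass, the rest are rejected
        "https://app.example.com/logged-out",
        "HTTPS://APP.EXAMPLE.COM:443/logged-out?ref=nav",
        "https://portal.example.com:8443/bye",
        "https://app.example.com.evil.example/logged-out",  # look-alike host
        "https://app.example.com@evil.example/logged-out",  # userinfo in URL
        "//evil.example/logged-out",                         # scheme-relative
        "https://app.example.com/other",                     # path differs
        "https://portal.example.com/bye",                    # port differs
    ]
    for url in samples:
        print("allow " if is_allowed_return_to(url) else "reject", url)
```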


2016-03-23: Auth0 5970

Added

  • Appliance

    From the dashboard you can now test connectivity from an appliance instance to an IP address or DNS name and port. This lets you see whether low-level connectivity exists between the appliance and other services like SMTP or DNS.

  • Appliance

    You can now programmatically query healthcheck endpoints (/health/status/) for CPU, memory, disk, services, network, internet, email, database and replica status. The service returns a 204 status code if OK and a 520 status code if it is failing. If it is queried too frequently you may also get a 429 (Too Many Requests). You need to provide an API key (generated in the dashboard) in order to access these metrics.
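    As an added example (not Auth0's own tooling), the script below polls these endpoints and maps the documented 204/520/429 codes to verdicts, backing off once on a 429. The per-check sub-paths under /health/status/ and the X-Api-Key header name are assumptions, and a constructed fake appliance stands in for the network so the script runs offline.

```python
"""Poll the appliance healthcheck endpoints and act on their status codes.

Added example; not Auth0's own tooling. Assumptions (not from the release
notes): one sub-path per check under /health/status/, and the API key sent
in an X-Api-Key header. The base URL and key are placeholders.
"""
import time
import urllib.error
import urllib.request

# Status codes as documented for the healthcheck endpoint.
HEALTHY, FAILING, THROTTLED = 204, 520, 429


def classify(status):
    """Map an HTTP status code from the healthcheck endpoint to a verdict."""
    verdicts = {HEALTHY: "ok", FAILING: "failing", THROTTLED: "throttled"}
    return verdicts.get(status, "unexpected")


def check(base_url, name, api_key, opener=urllib.request.urlopen):
    """Query one check (e.g. "cpu"); return (verdict, status) without raising on HTTP errors."""
    url = f"{base_url.rstrip('/')}/health/status/{name}"  # sub-path is an assumption
    req = urllib.request.Request(url, headers={"X-Api-Key": api_key})  # header name assumed
    try:
        with opener(req, timeout=10) as resp:
            return classify(resp.status), resp.status
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx, including 520 and 429
        return classify(err.code), err.code


def run_checks(base_url, api_key, names, opener=urllib.request.urlopen,
               sleep=time.sleep, backoff=5.0):
    """Run every check once; on a 429 wait `backoff` seconds and retry that check once."""
    results = {}
    for name in names:
        verdict, _ = check(base_url, name, api_key, opener)
        if verdict == "throttled":
            sleep(backoff)
            verdict, _ = check(base_url, name, api_key, opener)
        results[name] = verdict
    return results


# --- constructed stand-in for an appliance, so the example runs offline ---
class _FakeResponse:
    def __init__(self, status):
        self.status = status

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(scripted):
    """Return an opener that replays a per-check list of status codes (constructed data)."""
    def opener(req, timeout=None):
        name = req.full_url.rsplit("/", 1)[-1]
        status = scripted[name].pop(0)
        if status >= 400:
            raise urllib.error.HTTPError(req.full_url, status, "simulated", {}, None)
        return _FakeResponse(status)
    return opener


if __name__ == "__main__":
    # Constructed scenario: cpu healthy, database failing, email throttled once then healthy.
    script = {"cpu": [204], "database": [520], "email": [429, 204]}
    verdicts = run_checks("https://appliance.example.invalid", "API_KEY_PLACEHOLDER",
                          ["cpu", "database", "email"],
                          opener=fake_opener(script), sleep=lambda s: None)
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
    raise SystemExit(0 if all(v == "ok" for v in verdicts.values()) else 1)
```

    To run it against a real appliance, drop the `opener` and `sleep` overrides so the default `urllib.request.urlopen` and `time.sleep` are used.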

  • Appliance

    Added a Profile Mapper for the integrated AD/LDAP appliance functionality so you can map attributes coming from your AD/LDAP source to the user's Auth0 profile.

  • Appliance

    New command line interface for interacting with nodes in the appliance.

    This is a beta release. The tool lets administrators automate tasks for the appliance and address specific nodes in the cluster. The beta release provides commands to:

    • ping - Test connectivity to a server. Responds with pong, which confirms that end-to-end network and security connectivity is in place.
    • create-key - The CLI performs privileged operations, so a public/private key pair is used. You register the public key on the cluster through the dashboard. You can have multiple clients.
    • backup-start - Starts a backup on a cluster instance. If a backup already exists, it will be overwritten.
    • backup-status - Polls the appliance for completion status.
    • backup-retrieve - Retrieves a backup from the appliance so that you can store it off the appliance.

    Right now, restores are performed manually, working with a CSE if required.

  • Dashboard / Management API

    Users can now specify a list of URLs that are valid to redirect to after logging out from Auth0. The update can be done either from the Dashboard or using the Management API.

  • Enterprise Connections

    Added a new ext_nested_groups option to the waad connection strategy. When both ext_groups and ext_nested_groups are enabled, we return all the groups the user is a member of, instead of only those of which the user is a direct member (for more information see this MSDN article).

  • Management API

    The device-credentials endpoint now supports basic authentication to perform GET, POST, and DELETE requests.

  • Management API

    Users can query logs using the Management API v2.

    You can use the new logs endpoints to query logs. This is the new recommended way to query logs. The API v1 logs endpoints will still be functional. See more info in the docs.

Changed

  • Appliance

    Application and setting updates now provide clearer log output.

    Application updates also apply system updates, and apply configuration after the update to ensure the appliance is in a consistent state. Application updates come from apt-mirror.it.auth0.com, which resolves to a small number of IP addresses to whitelist during update. System updates can be overridden to always come from the central mirror using a setting override in the dashboard (mirror url).

    In the future the use of the central mirror will be included automatically for a release into the application update pipeline.

  • Appliance

    The Management Dashboard can be configured to run on a port other than 443. This way the management dashboard is not exposed on the same port as other services and can be blocked from external access.

  • Auth0 Lock v9

    The flow to reset a password has been updated.

    In this new flow, users enter their username or email address and receive an email with instructions to choose a new password. The old flow which required users to enter their new password and then confirm the change via email is still available but has been deprecated: it is no longer available for new tenants and existing tenants are recommended to disable it.


2016-02-17: Auth0 5590

Added

  • Appliance

    Appliance Configuration has its own landing page. Unauthorized users are redirected to the Dashboard

  • Appliance

    The Management API supports the query ("q") parameter when searching for users

  • Appliance

    Enabled appliance update through a proxy

  • Appliance

    Replica set Health check status available in the Configuration section

  • Appliance

    Added the ability to configure a cluster from the tty1 interface

  • Logout

    Full support for SAMLP logout

  • Users

    Support to handle base64 encoded secret in the SMS provider

Changed

  • Appliance

    Settings page reorganized into logical sections. Federated Logout setting available; if it is enabled

  • Appliance

    Moved AD/LDAP connection under the configuration section.

  • Errors

    If a ticket throws an error use the tenant's custom error page (if available)

  • Login-page

    New look & feel for the Password change form and Email verification page

Fixed

  • Api

    In API (v1), profileData is returned for linked identities

  • Dashboard

    Modify User details to not disclose access tokens from IDPs

  • Social-connections

    /authorize endpoint now accepts auth_type parameter for use with Facebook


2016-01-26: Auth0 5394

Added

  • Api

    User status endpoint: GET /api/v2/user-blocks/{id}, DELETE /api/v2/user-blocks/{id}

  • Appliance

    Added support for custom domains https://github.com/auth0/auth0-users/pull/406

  • Appliance

    Possibility to remove an application node under Configuration section

  • Appliance

    Notifications to point to Activity section when it's required

  • Appliance

    Activity section for the appliance which will display the logs for any

  • Appliance

    Ability to reboot instance from dashboard

  • Dashboard

    Change your SAML configuration rule under SAML category

  • Dashboard

    Ability to provide password after mail is sent via a password change link in the body of the mail.

  • Dashboard

    Give the possibility to unblock a user that was automatically blocked by brute force

  • Oauth2

    Use the tenant logo in the authorize consent popup

Changed

  • Dashboard

    Account Settings: when changing from custom error page to generic error page a confirmation dialog is displayed

  • Oidc

    Adds additional claims to /userinfo in OIDC strict mode. If profile scope was granted: given_name, family_name, nickname, picture, gender and locale. If email scope was granted: email and email_verified.

  • Users

    Login screen to Lock 8.1

Fixed

  • Dashboard

    URL to documentation page on some enterprise connections


2015-12-15: Auth0 4975

Added

  • Appliance

    Appliance administrators are now able to select a specific version of Auth0 to update from the tty0

  • Appliance

    You can create custom login domains per tenant from Dashboard

  • Dashboard

    You can configure Mobile settings for iOS and Android from the Apps section

  • Dashboard

    From the General tab within Account Settings, you can configure the "Oops" page for unhandled errors

  • Dashboard

    Passwordless connections are shown in the Third Party Apps section

  • Dashboard

    New switch to enable/disable cache for AD/LDAP connections

  • Dashboard

    Users from a custom agreement with Auth0 are able to create accounts that depend on a parent account

Changed

  • Api

    For /i/authorize endpoint, skips user consent if the user has previously granted it

Fixed

  • Dashboard

    For database connections, when enabling "Use my own database" it automatically disables "Import Users to Auth0" option


2015-11-21: Auth0 4605

Added

  • Api

    /userinfo accepts JWT-encoded access tokens, in addition to existing opaque access tokens

  • Appliance

    Added ability to refresh Health Check records in the Configuration | Troubleshoot tab

  • Appliance

    Added reporting memory available in addition to memory free

  • Appliance

    Added a new console option to display if the instance meets the minimum requirements

  • Dashboard

    Easier access to the built-in webtask account through a new sidebar menu

  • Errors

    New "Oops" page (for unhandled errors) that can be customized for your account

  • Users

    Added the ability to turn off credentials (password hashes) caching for AD/LDAP connections

Changed

  • Appliance

    Improved configuration navigation menu and section

  • Billing

    Users can now checkout a free plan without billing or credit card information

  • Dashboard

    Revamped the UI of the Applications Quick Start section

  • Mfa

    Updated the look and feel for Google Authenticator

  • Oauth2

    Disabled query response mode for implicit authorization request. This only applies to the new pipeline for oauth2/i/authorize

  • Pricing

    New pricing model under the subscription section. Additionally, added the ability to create different account subscriptions on sign-up.

  • Sms

    Updated sms connection to support liquid syntax

  • Social-connections:google

    Return error if audience is not allowed with google access token (this only applies to native mobile use cases)

Fixed

  • Dashboard

    Dwolla and Shopify social connector toggles are now fixed

  • Dashboard

    Fixed dashboard admin applications list not showing for invited users

  • Mfa

    Fixed a bug when the client has RS256 as JWT alg

  • Users

    Fix to support changing email and email_verified for any user identity (not just the main one)

  • Users

    Fixed issue for database connections that caused import users script to not create users when signups were disabled


2015-10-23: Auth0 4341

Fixed

  • On-prem

    Fixes to the appliance update process


2015-10-22: Auth0 4323

Added

  • Saml

    Added SAML signout protocol support

  • Sms

    Added support for multi language SMS templates


2015-10-20: Auth0 4295

Added

  • Api2

    API now supports changing phone_number, phone_number_verified and verify_phone_number when using the PATCH Users endpoint

  • Dashboard

    Display app_metadata.name or user_metadata.name on user profile when available

  • General

    Allowed administrators to disable signup for passwordless

  • On-prem

    Added ability to create diagnostics package in the Configuration screen > Troubleshoot tab for appliance

  • On-prem

    Added version pick list for appliance update

  • Users-search

    Added ability to search users by phone_number

Changed

  • Ad-connector

    Improved error messages when the password expires or when the password change is required

  • Database-connections

    For passwordless emails, HTML+Liquid is the default selected syntax

Docs

Fixed

  • Certificates

    Updated x509 library to support Mac OS X El Capitan

  • On-prem

    Fixed issue when going from multitenant to single tenant

  • Users-search

    Improved the Users search by email

Security

  • General

    Enabled brute force protection by default for passwordless connections and prevent opt out


2015-09-29: Auth0 4013

Added

  • Dashboard

    Dashboard log entries will now include user's IP address

  • Dashboard

    Added ability to edit user's email address in Users screen actions

  • Docs

    Added and refactored documentation on User Profile and Tokens

  • Docs

    Added Nginx API Quickstart.

  • Docs

    Added documentation for android/iOS on how to add whitelist of mobile client IDs for Google authentication for native applications

  • Docs

    Added Falcor API documentation

  • Emails

    Liquid support for the "Redirect To" URL

  • Emails

    Added support for Liquid templates to Subject and From fields in email templates.

  • Emails

    Add support for liquid templates for "from" and "subject" fields in user emails

  • General

    WS-Fed protocol: add more error details in logs

  • Link-accounts

    Improve examples of how to obtain access_token for account linking

  • On-prem

    Improved health check implementation to show multiple appliance nodes

  • On-prem

    Added nodes tab to the appliance configuration page for better visibility.

  • On-prem

    Enable SSO and MFA session timeout configuration for appliance

  • On-prem

    Support multi tenancy enablement in the appliance dashboard

  • On-prem

    Improved display of healthcheck information for appliance

  • On-prem

    UI to manage SSO and MFA session

  • Passwordless

    Add support for passwordless authentication

  • Sso

    Expose clients for a session in the context object so you know which applications a user has logged into

Changed

  • Rules

    Allow a rule to be saved even if it contains an error

Fixed

  • Ad-connector

    Fixed issue with selection of signing key for LDAP connections

  • Api2

    Fix issues with create user when an ID had been used before

  • Apps

    Fix parameter names expected for Layer addon

  • Dashboard

    Fixed issues with enterprise forms not properly updating samlp and fed metadata certs

  • Dashboard

    Fix validation of client IDs for connections to be less restrictive

  • Database-connections

    Fixed an issue with the user_id when "import users" option used with custom database connection.

  • Saml

    Include error information in POST of SAMLResponse StatusCode and StatusMessage fields instead of redirect with error description in query string.

  • Social-connections

    Improve error handling on twitter connections

  • Users-search

    Fix case where empty search parameter passed to User Search

Security

  • General

    Added HSTS header to HTTP responses.

  • Login-page

    Fix XSS in login page with authParams argument.


2015-08-31: Auth0 3615

Added

  • General

    Added support for attribute blacklist (field conn.options.non_persistent_attrs). Attributes blacklisted won’t be persisted in our databases for that connection.

  • Social-connections:twitter

    Added support for Twitter's force_login.

  • Wsfed

    Support for the wauth parameter has been added.


2015-08-28: Auth0 3601

Added

  • Docs

    Added Azure AD native tutorial.

  • Rules

    Added context.sso.with_auth0 and context.sso.with_dbconn attributes (see protocols section).

  • Social-connections:google-oauth2

    Support jwt for google-oauth2 added to POST /oauth/access_token

  • Social-connections:google-oauth2

    Added Allowed Mobile Client IDs setting: Enable restricting connection token audience.

Changed

  • Database-connections

    "Use my own database" (custom database) cannot be enabled for connections containing at least one user.

  • Reset-password

    Change password confirmation links can now only be used once.

Fixed

  • Api2

    PATCH /connections/:id: prevent changing db customization if the connection has users.

  • Api2

    Multiple performance improvements.

  • Connections

    Fixed connection update: custom options from connections were incorrectly removed.

  • Emails

    Added Liquid templating support.

  • Enterprise-connections:ip

    Fixed unhandled error validating ip range.

  • Popup

    Improved error descriptions.


2015-08-14: Auth0 3454

Added

  • Api2

    Added enabled_clients field to PATCH connections responses

  • Api2

    Improved error messages when changing password and deleting users of custom connections.

  • Configuration

    Appliance: Added a session timeout setting for the Auth0 Dashboard browser session.

  • Configuration

    Appliance: Improved the Auth0 Update UI. Added release notes of the version being downloaded (Online Update only). Added update events to Logs.

  • Custom-oauth

    Added support for predefined authParams and authParamsMap parameters.

  • Database-connections

    Added debug button to custom database connections.

  • Docs

    Added Office 365 provisioning doc

  • Logs

    Added delete user log events

  • Social-connections

    Added support for Untappd as a social connection.

  • Social-connections:facebook

    Improved connection error handling

  • Sso

    Added lastUsedUserID to /user/ssodata response

Changed

  • Keys

    Reading/writing signing keys is no longer allowed.

Fixed

  • Ad-ldap-connector

    Fixed AD/LDAP Connector status not being displayed.

  • Api2

    When duplicate name or client_id occurs patching a connection status code 409 is now returned.

  • Rules

    Added logic to prevent syntax errors in rules and database connection scripts

  • Sso

    SSO between different database connections is now forbidden.


2015-07-24: Auth0 3258

Added

  • Api2

    Added support for encrypted configuration to connections.

  • Api2

    Added support for JWT access tokens issued from Auth0 OAuth 2.0 endpoints

  • Docs

    Documented new events of Auth0 Lock

  • Docs

    Added documentation of tabs in AD/LDAP Connector Admin Console

  • Rules

    Differentiate errors from sandbox from user's script errors.

Changed

  • Api2

    Removed given_name, family_name, name, nickname and picture properties from POST /users. Extra fields in the root user object are no longer allowed.

  • Reset-password

    Replaced reset password bewits with tickets.

Fixed

  • Api2

    Linked users are now taken into account when calculating stats.

  • Api2

    POST /api/connections now returns enabled_clients field in the response body.

  • General

    Performance improvements for database logins.

  • Unlink

    Fixed unlinking users with the following ID format: {provider}|{connection}|{id}.


2015-07-17: Auth0 3191

Added

Changed

  • Api2

    Using azp to retrieve client info for POST users request.

  • Api2

    Deleting a user now returns a 204 HTTP status code.

  • General

    Explicitly fail when using JWTs on Headers that are more than 512 bytes long (applies to every endpoint except /ro).

Fixed

  • Errors

    Improved error and log reporting.

  • General

    Multiple performance improvements

  • Impersonate

    Fixed impersonation flow to include all identity-specific fields

  • Login

    Rules: Improved error handling of rule errors during login.

  • Popup

    Fixed wildcards in subdomains on popup mode

Security

  • Reset-password

    Auth0 bewits are now encrypted

  • Security

    Patched against SSL Alternate Chains Certificate Forgery vulnerability.


2015-07-06: Auth0 3081

Added

Changed

  • Api2

    Removing personal info fields from user patch

  • Api2

    Don't allow changing password and email or email_verified in same request

  • Api2

    Setting a username for a connection without requires_username is now prevented

Fixed

  • Account-linking

    Fixed link account when "sso with auth0" is enabled

  • Api2

    Fixed sort by connection when searching users

  • Login-page

    Fixed utf8 encoding issues

Security

  • Api2

    Fixed out-of-bounds write in utf8 decoder (V8 vulnerability)

  • Security

    Fixed Logjam vulnerability


2015-06-18: Auth0 2921

Added

  • Api2

    Added updated_at property to users.

  • Api2

    Added schema info for add-ons: Layer, AD RMS, MS CRM, Slack.

  • Dashboard

    Updated rule templates.

  • Database-connections

    Added delete script to custom database connections.

  • Docs

    Updated Auth0 Android documentation.

  • Docs

    Added disable animations in Lock section.

  • Docs

    Added documentation for SalesForce as IDP.

Changed

  • Api2

    GET /users methods now use include_fields instead of exclude_fields.

  • Api2

    Jobs when completed successfully return 200 HTTP status code.

  • General

    Tenant names are now limited to 64 characters.

  • Mfa

    Multifactor Authentication now is featured in a separate section.

Fixed

  • Dashboard

    Performance: Improved UI performance by fetching resources from a CDN.

  • Database-connections

    Performance improvements for Auth0 connections.

  • General

    Fixed IE issues by adding P3P headers.

  • Rules

    Improved error messages when editing rules and deleting users.

  • Samlp

    Fixed multiple issues with samlp logout. (nameid has value only, no attribs)

  • Tenants

    Fixed tenant dropdown menu. (accounts with more than 10 tenants were not displayed correctly).

  • Users-search

    Improved user search indexing.


2015-05-29: Auth0 2783

Added

  • Api2

    Added error codes for every API v2 error.

  • Docs

    AD Connector: Added admin dashboard section.

  • Manage

    When creating a user, a custom-made avatar with the user's initials is used if there is no Gravatar picture associated with the email.

Changed

  • Api2

    Changed exclude_fields to include_fields for GET /client endpoints.

  • Api2

    Positive assertions to read/write clients jwtConfiguration.secretNotEncoded and custom_login_page_off.

  • Api2

    POST /identity takes connection_id not connection.

Fixed

  • Api2

    Fixed: failure to delete a user from an Auth0 Database Connection resulted in a 500 HTTP status code.

  • Api2

    If email is PATCHed to the same value, and email_verified is not set then email_verified is taken from previous value.


2015-05-22: Auth0 2666

Added

  • Addons

    Added Layer as an app addon

  • Api2

    Added error codes for endpoint logic.

  • Lock

    Updated the Auth0 Lock version appliance uses to 7.5

  • Samlp

    Improved SAMLP logout and added a samlp logout callback: use client.addons.samlp.logout.callback to set the HTTP POST url.

Changed

  • Api2

    Property options.scripts.fetchUserProfile is now mandatory for oauth1/2 connections

  • Api2

    Setting signing_keys client property can only be done on global clients.

  • Api2

    User POST or PATCH of email/password is no longer allowed for disabled connections.

  • Rules

    Now Auth0 API returns and accepts rules in the order they are applied.

Fixed

  • Docs

    Updated iOS, Swift and Objective C mobile documentation.

  • Login-page

    Updated login page template (solves CORS issues). Added polyfills for IE8/9.


2015-05-15: Auth0 2616

Added

Changed

  • Api2

    Response Status Codes: Changed 400: already exists to 409.

  • Api2

    Changed devices endpoints to device-credentials

Fixed

  • Billing

    Do not require state field when country does not have.

Security

  • Login-page

    Fixing XSS by introducing @@config@@ replacement. If you are using the default login page, you are not affected by this vulnerability and no action is required on your part. Note: The previous way of substituting variables in custom login pages will be deprecated by June 8th. For more information, open a support ticket.


2015-05-08: Auth0 2562

Added

  • Api2

    Added POST /api/v2/jobs/verification-email endpoint to send emails to users so they verify their email accounts by clicking a link

  • Custom-oauth

    Added logout for custom oauth1 and oauth2 strategies

  • Docs

    Added section about validating tokens to protocols

  • Logs

    Improved log details

  • Waad

    Add ability to override client id and client secret for Windows Azure AD connections.

  • Waad

    Added UI to select protocol (wsfed vs. oidc) for Azure AD connections

Changed

  • Api2

    Ask for connection id instead of name in users bulk import

  • Api2

    Added user_tickets scope

  • Api2

    Moved tickets endpoints to root from /users/{id}/tickets/{type} to /tickets/{type}

  • Api2

    v2 ids are now limited to 16 alphanumeric characters.

  • Waad

    Now OpenID Connect is used by default (before it was WsFed)

Fixed

  • Logs

    Fix log detail description which was shown as [object Object].


2015-05-01: Auth0 2516

Added

Changed

  • Logs

    Logs are no longer displayed exclusively to owners.

  • Rules

    Added warning when attempting to overwrite a secure key/value pair.

Fixed

  • Apps

    Fixed dashboard stuck when trying to access to a deleted app.

  • Db-connections

    Disabled toggle and show notice for importing users to Auth0 when custom database is not enabled.

  • Rules

    Fixed when creating a New Rule it can be saved without editing it.

  • Saml

    Added SAML metadata URL in advanced settings.

  • User-metadata

    Preventing saving metadata on invalid json.

  • Users

    Users without names or emails were not editable.

  • Users

    Fixed Users > New User dialog not showing on IE10.


2015-04-25: Auth0 2479

Added

Fixed

  • Manage

    Improved allowed callback URL validations.

  • Users

    Fixed pagination issues on the users section.


2015-04-18: Auth0 2425

Added


2015-04-10: Auth0 2359

Added

Changed

  • Api2

    Email for social users cannot be updated

Fixed

  • Dashboard

    Fixed: Invited users were not able to see custom database rules

  • Samlp

    Fixed certificate upload errors in SAMLP Connections

Security

  • Docs

    Fixed security issue with path browsing when downloading sample projects from docs.


2015-04-03: Auth0 2274

Added

  • Api2

    API Explorer for v2 redesigned

  • Certificates

    Added Certificate Rollover: Auth0 detects when certificates expire on IdPs. When that happens, we automatically update the certificates or, if that is not possible, we send an email to the tenant owners so they can make the change manually.

  • Database-connections

    Added a flag to block accounts after a large number of failed attempts. The "account blocked" email can be configured.

  • Docs

    Added docs on deployment models

  • Docs

    Added documentation on Email templates, Custom Email Flows and Using custom email providers

  • Email

    Added the ability to configure the link TTL from the email template

  • Logout

    Added APIv2 /logout endpoint

Fixed

  • Link-accounts

    Credentials are no longer removed when linking a profile


2015-03-27: Auth0 2223

Added

Fixed

  • Dashboard

    Fixed confirm leaving edit user when the details are saved.

  • Import

    Fixed an email validation issue for emails containing an underscore (_)


2015-03-20: Auth0 2190

Added

Changed

  • Email

    Images are no longer inlined when emails are sent

  • Metadata

    New forbidden metadata fields: user_metadata and app_metadata

Fixed

  • Api2

    Update S3 file when deleting or changing connections

  • Database-connection

    Fixed: an invalid custom database script broke the UI.

  • Database-connection

    Custom DB script timeout errors are now visible.

  • Email

    Invalid emails are now rejected in PUT /api/users/email

  • General

    Fixed issue with redirect when response_type is token

  • Salesforce

    Error handling improvements

  • Shopify

    Multiple Shopify fixes.

  • Sms

    Remove sms users when removing tenant

  • Sms

    Remove sms users for connection when connection is deleted

Security

  • Custom-login-page

    Fixed XSS in the internalOptions field.

  • General

    Updated components to use jsonwebtoken 4.2.0


2015-03-13: Auth0 2150

Added

Changed

  • Linkedin

    LinkedIn emails were always verified

Fixed

  • Adfs

    Fixed page breaking when submitting ADFS forms with an invalid file as the certificate

  • Api2

    Fixed issue that caused creation of users in connections that require username to fail (Added max length for connection name)

  • Dashboard

    Performance: reduced number of requests to load connections.

  • Pricing

    Fixed issue with Lock Auth0 badge footer not being hidden on paid accounts.


2015-03-06: Auth0 2086

Added

Changed

  • Dashboard

    Updated Lock versions in docs and dashboard

  • Waad

    Changed to use OpenID Connect instead of OAuth2

Fixed

  • Error-reporting

    Fixed html entities escaping on reset and verify email endpoints when tenant or clientID were not found.

  • Performance

    Fixed DELETE /users query performance

  • Social-connections

    Fix for Firefox switchboard checkboxes in Social Connections

  • Wsfed

    Fixed missing clientID on WS-Fed endpoint


2015-02-28: Auth0 2051

Added

Fixed

  • Api

    Fixed PUT /users when payload does not have any properties

  • Api

    Use only global client for find user queries

  • Api2

    When calling /api/v2/clients the callback field was not returned

  • Dashboard

    Fixed broken Twilio doc link

  • Dashboard

    Fixed impersonated users flag

  • Dashboard

    Fixed sap addon settings

  • Dashboard

    Fixed signedUp check

  • Pricing

    Fixed pricing v3 cases

Security

  • General

    Removed SSLv3 support


2015-02-20: Auth0 1999

Added

  • Logs

    Added logging for success signups for non-database connections

Changed

  • Api2

    API Call PATCH /api/v2/users now returns updated user.

  • Samlp

    Parameter samlpOptions is now required to be a valid JSON object.

  • Waad

    Allow whr (Windows Home Realm) in the authParams

  • Waad

    Added wreply to Azure Active Directory connection

Fixed

  • Api

    In some conditions, DELETE /api/users/{user_id} was not removing the user correctly.

  • Billing

    Small fixes

  • Database-connections

    Fixed: Navigating to different connections and then changing the switch for one of them changes it for all the ones visited.

  • Login-page

    Login page parameters were only replaced on their first occurrence. For instance, if the login page contained @@auth0Domain@@ @@auth0Domain@@, only the first placeholder was replaced, producing: auth0.com @@auth0Domain@@.

  • Rules

    Error messages are now displayed correctly on fail

  • Rules

    Added geoip property to the default context object (without a geoip property, some rules may break, for instance: https://github.com/auth0/rules/blob/master/rules/add-country.md)