Skip to main content

Release 2022.6

New features

  • Added OIDC well-known and JWKS URL in OAuth Source

    These fields can be used to automatically configure OAuth Sources based on the OpenID Connect Discovery Spec. Additionally, you can manually define a JWKS URL or raw JWKS data, and this can be used for Machine-to-machine authentication for OAuth2 Providers.

  • Notifications are no longer created by default

    Instead of creating a Notification with each transport, there is now a new Transport mode called "Local", which locally creates the Notifications. This also adds the ability to customize the notification using a mapping.

  • MFA Validation threshold has been migrated to signed cookies

    Last MFA validation is now saved in a signed cookie, which changes the behavior so that only the current browser is affected by MFA validation, and an attacker cannot exploit the fact that a user has recently authenticated with MFA.

  • Verification-only SMS Devices

    SMS authenticator stages can now be configured to hash the phone number. This is useful if you want to require your users to configure and confirm their phone numbers, without saving them in a readable-format.

  • The LDAP outpost would incorrectly return groupOfUniqueNames as a group class when the members where returned in a manner like groupOfNames requires. groupOfNames has been added as an objectClass for LDAP Groups, and groupOfUniqueNames will be removed in the next version.

  • Preview support for forward auth when using Envoy

Minor changes/fixes

  • api: migrate to openapi generator v6 (#2968)
  • api: update API browser to match admin UI and auto-switch theme
  • core: improve loading speed of flow background
  • ensure all viewsets have filter and search and add tests (#2946)
  • flows: fix re-imports of entries with identical PK re-creating objects
  • lifecycle: cleanup prometheus metrics, remove PII (#2972)
  • policies: fix incorrect bound_to count
  • providers/oauth2: add configuration error event when wrong redirect uri is used in token request
  • providers/oauth2: handle attribute errors when validation JWK contains private key
  • providers/oauth2: only set expiry on user when it was freshly created
  • providers/oauth2: regex-escape URLs when set to blank
  • root: Add docker-compose postgresql and redis healthchecks (#2958)
  • root: disable session_save_every_request as it causes race conditions
  • web/elements: fix top-right dialog close button not resetting form
  • web/elements: fix used_by refreshing for all elements when using DeleteBulkForm
  • web/user: fix static prompt fields being rendered with label
  • web/user: improve ux for restarting user settings flow

Fixed in 2022.6.2

  • *: make user logging more consistent
  • core: add additional filters to source viewset
  • core: add setting to open application launch URL in a new browser tab (#3037)
  • core: add slug to built-in source
  • events: fix error when attempting to create event with GeoIP City in context
  • providers/ldap: fix existing binder not being carried forward correctly
  • providers/oauth2: add JWKS URL to OAuth2ProviderSetupURLs
  • providers/proxy: use same redirect-save code for all modes
  • sources/oauth: fix twitter client missing basic auth
  • stages/authenticator_validate: fix error in passwordless webauthn
  • web/elements: add error handler when table fails to fetch objects

Fixed in 2022.6.3

  • core: fix migrations when creating bootstrap token
  • internal: dont sample gunicorn proxied requests
  • internal: fix routing to embedded outpost
  • internal: skip tracing for go healthcheck and metrics endpoints
  • lifecycle: run bootstrap tasks inline when using automated install
  • policies: consolidate log user and application
  • providers/oauth2: add test to ensure capitalised redirect_uri isn't changed
  • providers/oauth2: dont lowercase URL for token requests (#3114)
  • providers/oauth2: if a redirect_uri cannot be parsed as regex, compare strict (#3070)
  • providers/proxy: only send misconfiguration event once
  • root: ignore healthcheck routes in sentry tracing
  • stages/authenticator_validate: add webauthn tests (#3069)
  • web/admin: lint bound group under policies
  • web/admin: remove invalid requirement for usernames
  • web/elements: add spinner when loading dynamic routes
  • web/flows: add divider to identification stage for security key
  • web/flows: fix error when webauthn operations failed and user retries
  • web/flows: remove autofocus from password field of identifications stage


This release does not introduce any new requirements.


Download the docker-compose file for 2022.6 from here. Afterwards, simply run docker-compose up -d.


Update your values to use the new images:

tag: 2022.6.1