December 19 2025
v2025.12.4
  • MCP Proxy: Harden implementation
December 16 2025
v2025.12.3
  • MCP Proxy: Proxy inbound client info when initializing session with upstream server
  • MCP Proxy: Add networking configurations with reasonable defaults
  • Security: Resolved CVE-2025-64702
  • MCP Provider: Add namespacing for tools
December 11 2025
v2025.12.2
  • MCP Proxy: Expose streamable MCP Proxy app config
  • MCP Provider: Remove default tools
  • OIDC Connector: Use contextual logger when handling callback errors
  • MCP Proxy: Add base proxy functionality
  • Service Extensions: Fix ROPC initiated from within LDAP Provider SEs bug
  • MCP Proxy: Add inbound and outbound authorization to tool calls
  • MCP Provider: Update streamable MCP server and client to use custom Orchestrator logger
  • MCP Provider: Make the MCP Provider server name configurable
  • MCP Proxy: Add support for custom client TLS configurations
December 3 2025
v2025.12.1
  • MCP Provider: Add support for delegated token exchange to bridge apps
  • OIDC Provider: Add support for X-Maverics-Oauth-Access-Token-Lifetime
  • MCP Provider: Add per-tool access token lifetime configuration
November 20 2025
v2025.11.7
  • Security: Resolved CVE-2025-47914 and CVE-2025-58181
  • OIDC Provider: Remove inherited audience in token exchange grant
  • OIDC Provider: Add support for delegated token exchange
November 19 2025
v2025.11.6
  • OIDC Provider: Clean up logs made by session-less access token generation
  • OIDC Provider: Add evaluation of access token minting policies to implicit/hybrid grants
  • OIDC Provider: Add access token minting policies to ROPC grant
  • Security: Resolved CVE-2025-47913
  • OIDC Provider: Populate access token minting policy fields
  • LDAP Provider: Add ability to determine the bound DN in Service Extensions
November 13 2025
v2025.11.5
  • OIDC Provider: Add access token minting policies to authorization code grant
  • Config Bundle: Handle filesystem error and prevent panic
  • OIDC Provider: Add access policy evaluation to refresh_token grant
November 11 2025
v2025.11.3
Internal improvements and maintenance updates.
November 10 2025
v2025.11.2
  • OIDC Provider: Handle authorization requests when made via POST
November 7 2025
v2025.11.1
  • MCP Provider: Add initial MCP proxy app config structure
  • OIDC Provider: Add support for custom access token minting policies
  • Cache: Add ability to disable key-prefixes on cache entries
October 29 2025
v2025.10.5
  • Config: Ensure that multiple env vars are read in separately via JSON
  • MCP Provider: Support inlined OpenAPI specs for MCP Bridge apps
  • OIDC Provider: Support custom scopes with ROPC grant
  • OIDC Provider: Preserve backwards-compatibility with unrecognized cu…
October 23 2025
v2025.10.4
  • OIDC Provider: Enable custom scopes for the authorization_code grant type
  • MCP Provider: Enable graceful shutdown of MCP clients via HTTP BaseContext
  • OIDC Provider: Add support for custom scopes with the client_credentials grant
  • OIDC Provider: Add support for custom scopes with the refresh_token grant
  • OIDC Provider: Add support for custom scopes with the implicit and hybrid grant types
  • OPA: Update input schema for Rego policies
  • MCP Provider: Add reload capability
October 14 2025
v2025.10.3
  • Security: Resolved CVE-2025-59530
  • OIDC Provider: Add access policies to token exchange grant
October 8 2025
v2025.10.2
  • FIPS: Build a FIPS compliant version of the Debian package
  • MCP Bridge: Add support for loading OPA policies from the filesystem
  • OIDC Provider: Add custom scopes to token exchange grant
  • MCP Provider: Add support for token exchange to bridge apps
October 3 2025
v2025.10.1
  • OPA: Set up OPA to be used across multiple Orchestrator components
  • MCP Provider: Add support for loading OpenAPI files using relative paths
  • FIPS: Build FIPS version of the RPM package
  • FIPS: Build FIPS compliant version of the maverics docker image
  • Config: Merge TLS settings from environment variables with Maverics config
  • MCP Provider: Separate inbound and outbound authorization in support of token exchange
  • Connectors: Add token exchange to OIDC connector
  • Config: Merge TLS settings with Windows environment variables
September 25 2025
v2025.09.5
  • MCP Provider: Enhance observability and context around policy decisions
  • MCP Provider: Add ability to make policy decisions based on the source IP address
September 18 2025
v2025.09.4
  • MCP Provider: Add base MCP docs for provider and bridge apps
  • MCP Broker: Improve documentation
  • MCP Provider: Use context bound logger in bearer token middleware
  • Security: Fix mTLS security issue by starting with an empty cert pool when constructing ‘ClientCAs’ used in TLS configs
September 11 2025
v2025.09.3
  • OIDC Provider: Add option to configure refresh token lifetime
  • MCP Bridge: Add basic Rego authorization policy
September 8 2025
v2025.09.2
Resolved Issues
  • Fixed an issue that prevented the Orchestrator from starting when loading configuration bundles larger than 1 MB from a GitHub repository.
September 3 2025
v2025.09.1
New Features
  • Service Extensions: Expose functions from the secp256k1 pkg to Service Extensions
Resolved Issues
  • OIDC Provider: Support token revocation from client_credentials grant
  • Config: Allow float when setting TLS Min Version
August 21 2025
v2025.08.4
Resolved Issues
OIDC Provider
This release resolves an issue with the end-session endpoint not supporting POST requests. As per the spec, both GET and POST requests are now supported.
This release also resolves an issue with how redirect URIs are matched. The matching logic has been updated to not consider query params when validating the requested redirect URI against the pre-defined set of allowed redirect URIs.
August 19 2025
v2025.08.3
New Features
OIDC applications
OIDC apps now support defining allowed origins and allowed credentials for CORS requests. For more information, please see the CORS documentation.
August 14 2025
v2025.08.2
New Features
Cloud Configuration Storage Providers
Blob Storage in Azure Gov Cloud can now be defined as a configuration storage provider. For more information, read the docs.
Secrets Providers
Key Vault in Azure Gov Cloud can now be defined as a secret provider. Set the entraIDHost query parameter as part of the MAVERICS_SECRET_PROVIDER environment variable connection string. For more information, please see the Azure Key Vault docs.
OIDC Provider
The OIDC provider can now optionally correlate back-channel requests with the resource owner's session. This can help you trace back-channel token requests to the resource owner. For more information, please see OIDC Provider Session Correlation.
OIDC applications
OIDC apps now support the insecureSkipPKCE option. This field can be used to bypass PKCE when using the Authorization Code grant type for public clients.
ATTENTION: Per OAuth 2.0 Security Best Current Practice, public clients MUST use PKCE when using the Authorization Code grant type. The insecureSkipPKCE option should only be used for legacy apps that are unable to use PKCE. Avoid using this configuration unless absolutely necessary.
August 8 2025
v2025.08.1
New Features
Connectors
The offline access feature found on OIDC connectors now ensures revoked ID token claims do not remain on the user's session. This change bolsters security by guaranteeing claims removed at the IDP do not remain on a user's session after a successful refresh request.
Resolved Issues
Connectors
SAML connectors now set the Maverics session cookie as part of SAML login flows. This fix ensures sticky session configurations that use application cookie persistence will continue to operate as expected.
OIDC Provider
The OIDC Provider now removes whitespace around redirect URLs.
July 28 2025
v2025.07.3
New Features
Connectors
The OIDC and Azure connectors now support silently refreshing a resource owner's ID token and access token without user interaction. For more information, please see the docs.
OIDC Apps
This release adds basic support for the token exchange grant (RFC 8693). Future releases will include additional functionality for the handling of custom scopes and for defining advanced access policies. For more information, please see the docs.
July 22 2025
v2025.07.2
New Features
Applications
All application types now support aggregating authorization policy rules with different logical operators. This feature enables the creation of advanced policies. For more information, please see the application docs.
Security enhancements
Patched security and performance related issues. Contact your account representative for a detailed overview.
July 17 2025
v2025.07.1
New features
Session Management
This release introduces revamped session management to improve security, enhance performance, and enable pluggable backing data stores. For more information, read the docs: https://developer.strata.io/orchestrator/configuration/globalsettings/sessions-user-state/
Resolved Issues
  • Resolved CVE-2025-49140 and CVE-2025-49140
June 24 2025
v2025.06.5
New Features
OIDC Applications
OIDC applications can now be configured to use a default redirect URL. This option can be used for applications that are unable to set the redirect_uri parameter on the authorization request. For more information, see the docs.
ATTENTION: Per the OIDC RFC, the redirect_uri is a required parameter. The allowDefaultRedirectURI option should only be used for apps that are unable to provide a redirect URI. Strata recommends avoiding this configuration unless absolutely necessary.
June 20 2025
v2025.06.4
New Features
SAML Provider
The SAML Provider now has the ability to load the signing certificate and key from the filesystem. For more details, please see the docs.
Service Extensions
Service extensions can now leverage the IsAvailable method on the idfabric.IdentityProvider interface. This feature enables service extensions to determine whether a given IDP is available. For more info, please see the docs.
Resolved Issues
OIDC Apps
This change adds the missing at_hash and c_hash claims to the ID token during hybrid and implicit flows. These claims were previously missing and are required by the RFC.
Service Extensions
When calling Login with a nil HTTP request or response writer, a runtime panic will no longer occur.
June 12 2025
v2025.06.3
New Features
Support for ROPC login option in Azure and Continuity identity services
The Azure and Continuity identity services have been updated to support authentication via the Resource Owner Password Credentials (ROPC) grant. Service extensions can leverage the WithGrantTypeROPC login option to specify an ROPC flow for authenticating a user. This flow is typically used for legacy applications that require a username and password to authenticate the user directly. For more information, please see the docs.
June 5 2025
v2025.06.2
New Features
Support for ROPC login option in OIDC identity service
Service extensions can now leverage a new login option that enables authentication via the Resource Owner Password Credentials (ROPC) grant. The WithGrantTypeROPC function specifies the ROPC flow for authenticating a user. This flow is typically used for legacy applications that require a username and password to authenticate the user directly. For more information, please see the docs.
NOTE: Strata does not recommend using the ROPC flow for public facing applications. The OAuth 2.1 spec suggests a more secure flow, such as Authorization Code (with PKCE). For more information, see https://pkg.go.dev/github.com/strata-io/[email protected]/idfabric#WithGrantTypeROPC
June 4 2025
v2025.06.1
New Features
Support for multiple SAML entity IDs
This release introduces support for defining multiple entity IDs on a SAML app. This functionality is compatible with both SP-initiated logins and IDP-initiated logins. For more information, please see the docs.
May 30 2025
v2025.05.3
New Features
HYPR
The HYPR connector now exposes a dynamic link and QR fallback code that can be used in custom login page templates. These fields serve as backup mechanisms for when scanning the QR code via the HYPR app fails. For more info, please see the docs.
May 28 2025
v2025.05.2
New Features
OIDC Apps
OIDC apps now support PKCE for public clients. This functionality enables applications that cannot securely store client credentials to interact with the Orchestrator as an OIDC Provider. For more information, please reference the documentation.
May 27 2025
v2025.05.1
New Features
Config Parsing
This release introduces strict configuration validation. Any unknown fields, misspellings, or unrecognized keys will cause an immediate validation failure. These changes are intended to ensure configuration correctness and eliminate silently ignored errors that may lead to unexpected behavior.
Breaking Changes
Orchestrator v2025.05.1 removes many long-deprecated features. All removed features have a migration path to a supported substitute feature set. For more information, please reference the deprecation advisory notice issued in November 2024.
May 14 2025
v0.113.0
New features
Use Authorization Service Extension and Conditional Policies for authorization
This release introduces the ability to use the IsAuthorized service extension and authorization rules together. This allows more granular control of user authorization to protected resources. This feature is supported on SAML, OIDC, and Proxy apps.
Note: Both the authorization service extension and the authorization rules must be validated as true to grant a user access. If either validates as false, the user is denied access. For more details see Authorization.
Custom Unauthorized Page for SAML Apps
SAML apps now support an error page for unauthorized users. Custom unauthorized pages for SAML apps will be configurable from the user interface in an upcoming release of the Maverics Console.
May 7 2025
v0.112.0
New features
Support for custom query parameter in Entra ID (OIDC) and generic OIDC identity services
Orchestrator now supports routing a custom query parameter to a declared Entra ID or OIDC IDP via service extension. Orchestrator passes the query parameter, which then gets captured by the browser. Service extensions should be updated per the Go documentation for idfabric: https://pkg.go.dev/github.com/strata-io/[email protected]/idfabric
Field ordering of orchestrator logs
Readability of orchestrator logs can be improved by enabling fieldOrdering (optional). fieldOrdering organizes the fields in the log output, setting values in the following order: ts, level, service, traceID, sessionID, and msg. Please note that enabling fieldOrdering will impact orchestrator performance. If performance must remain optimal, Strata recommends leaving this option disabled. For more information, see Logging.
May 1 2025
v0.111.0
New features
Orchestrator heartbeat
The Orchestrator now includes a heartbeat. This lightweight service logs runtime details at a configurable time interval. Enabled by default, the heartbeat service prints a log message containing the orchestrator ID, orchestrator version, orchestrator config version, as well as CPU count, usage, and total memory. By default, the heartbeat service logs at the info level.
The heartbeat service is part of the Health configuration block. It will be configurable via the user interface in an upcoming release of the Maverics Console. For more information, see Heartbeat.
Access logs enabled by default
HTTP access logs are now enabled by default. This change is meant to provide customers with greater insight into how requests flow through the system and can be used to confirm that all requests result in a corresponding response.
By default, access logs are logged at the debug level. If desired, access logs can be disabled via the orchestrator config. Access logs will be configurable via the user interface in an upcoming release of the Maverics Console. For more information, see Access Logs.
LDAP custom login page and localization
Orchestrator v0.111.0 introduces support for an optional custom login page when using LDAP as an IDP. By defining customLogin in the orchestrator configuration, the orchestrator delivers a custom HTML page stored in the filesystem.
In addition, the custom login page now supports standards-based language localization (BCP 47). By default, the localization selection is driven from the Accept-Language header, but it can be customized to meet deployment-specific needs.
LDAP custom login and localization will be configurable via the user interface in an upcoming release of the Maverics Console. For more information, see Custom Login.
April 22 2025
v0.110.0
New features
Logging enhancements
  • Logs in the CreateHeader service extension have been updated to include traceID, sessionID, and service attributes.
  • API service extensions can now leverage a newly exposed function that allows for retrieving a logger from the context of a request. The log.WithRequest function can be used to ensure logs include the traceID and sessionID attributes. For more information, refer to the API examples.
INFO: Customers running API service extensions must update their service extensions to use the new function ONLY if they want their logs to include traceID and sessionID. Strata advises customers to first test this new orchestrator release against their existing API service extensions in a lab or lower environment to ensure their service extensions continue to operate normally. For more information, refer to Serve Service Extension.
Resolved issues
This release resolves an issue in which orchestrator telemetry data was being sent to the Maverics Console even though telemetry was disabled. This issue was introduced in v0.107.0 and only impacts customers that are using Maverics Console.
April 16 2025
v0.109.0
New features
Logging enhancements
Logs in the following identity services have been updated to include traceID and service attributes:
  • 1Kosmos
  • HYPR
  • PingFederate
  • SAML
  • Windows Client Authenticator (WCA)
  • WSO2
API service extension logs have been updated to include traceID, service, seName, seFuncName, and seChecksum attributes.
Resolved issues
  • This release resolves an issue in which re-authentications triggered by session expiry would fail when using an OIDC identity provider with PKCE.
  • APIs: Enhance API SE logger with attributes (#2879)
  • Connectors: Use contextual logger in PingFederate connector (#2873)
  • Connectors: Use contextual logger in SAML connector (#2876)
  • Connectors: Use contextual logger in 1Kosmos connector (#2872)
  • Connectors: Use contextual logger in WSO2 connector (#2877)
  • Connectors: Use contextual logger in HYPR connector (#2869)
  • Connectors: Use contextual logger in WCA connector (#2875)
  • Session: Resolved issue causing newly Set attributes to have an expiry in the past (#2878)
April 14 2025
v0.108.0
New Features
Orchestrator v0.108.0 adds improvements to observability, including HTTP access logs, contextual logging, tracing, and standard telemetry. These changes provide more detailed logs for better insight into transactions from all areas of the orchestrator, including service extensions.
HTTP Access Logging
All HTTP requests and responses are now optionally logged. Access logs are logged at debug level by default. Currently, access logs can be enabled/disabled in the orchestrator config. Access logging can be enabled/disabled from the user interface in a forthcoming update to Maverics Console. For more info, please see the reference docs.
Logging
The logger now includes a traceID attribute in log messages that can be used to trace requests through the system. Additionally, logs now include the service key to help clearly identify the source of logs. For service extensions, the seName, seFuncName, and seChecksum keys are also now included.
Security enhancements
  • Security: Resolved CVE-2025-22872
March 27 2025
v0.107.0
Internal improvements and maintenance updates.
March 25 2025
v0.106.1
  • Security: Resolved CVE-2025-29923
  • Session v2: Fix Cache Store Configuration
March 19 2025
v0.106.0
  • Dependencies: Resolved CVE-2025-22870
March 14 2025
v0.105.3
Internal improvements and maintenance updates.
March 13 2025
v0.105.2
Internal improvements and maintenance updates.
March 13 2025
v0.105.1
Internal improvements and maintenance updates.
March 13 2025
v0.105.0
  • OIDC Provider: Expose config to disable the DPoP nonce
March 13 2025
v0.104.1
  • Connectors: Preserve query parameters during LDAP logout
March 12 2025
v0.104.0
  • OIDC Provider: Add customizable response_mode to implicit flow
March 12 2025
v0.103.1
Internal improvements and maintenance updates.
March 11 2025
v0.103.0
  • Connector: Implement LDAP connector Logout method
March 10 2025
v0.102.8
  • OIDC Provider: Correct ‘response_types_supported’ and ‘grant_types_supported’ attributes of well-known response
March 8 2025
v0.102.7
  • Disable JFrog and e2e for testing orchestrator release process change
March 7 2025
v0.102.6
Internal improvements and maintenance updates.
March 6 2025
v0.102.5
Internal improvements and maintenance updates.
March 6 2025
v0.102.4
Internal improvements and maintenance updates.
March 5 2025
v0.102.3
Internal improvements and maintenance updates.
March 5 2025
v0.102.2
Internal improvements and maintenance updates.
March 5 2025
v0.102.1
Internal improvements and maintenance updates.
March 4 2025
v0.102.0
  • OIDC Provider: Add implicit grant type
March 3 2025
v0.101.5
Internal improvements and maintenance updates.
March 3 2025
v0.101.4
  • Security: Resolved CVE-2025-27144
March 3 2025
v0.101.3
Internal improvements and maintenance updates.
February 28 2025
v0.101.2
  • OIDC Provider: Fix introspect endpoint not handling custom nested claims
February 28 2025
v0.101.1
  • Security: Resolved CVE-2025-22869
February 27 2025
v0.101.0
  • Connectors: Add support for error page to Auth0 connector
February 27 2025
v0.100.0
  • Connectors: Add support for silent authentication to Auth0 connector
February 26 2025
v0.99.8
Internal improvements and maintenance updates.
February 26 2025
v0.99.7
Internal improvements and maintenance updates.
February 26 2025
v0.99.6
Internal improvements and maintenance updates.
February 26 2025
v0.99.5
Internal improvements and maintenance updates.
February 26 2025
v0.99.4
Internal improvements and maintenance updates.
February 25 2025
v0.99.3
Internal improvements and maintenance updates.
February 25 2025
v0.99.2
Internal improvements and maintenance updates.
February 24 2025
v0.99.1
  • OIDC Provider: Ensure reload works successfully when the end session endpoint is defined
February 24 2025
v0.99.0
Internal improvements and maintenance updates.
February 21 2025
v0.98.0
Internal improvements and maintenance updates.
February 21 2025
v0.97.0
Internal improvements and maintenance updates.
February 20 2025
v0.96.0
  • Secret Provider: Add support for multiple secret paths in hashicorp vault secret provider
February 19 2025
v0.95.0
  • Secret Provider: Load Hashicorp Vault secrets lazily
February 18 2025
v0.94.0
Internal improvements and maintenance updates.
February 18 2025
v0.93.2
Internal improvements and maintenance updates.
February 14 2025
v0.93.1
Internal improvements and maintenance updates.
February 13 2025
v0.93.0
  • OIDC Provider: Expose DPoP-Nonce header to support CORS
February 13 2025
v0.92.0
  • OIDC Provider: Harden DPoP implementation
February 11 2025
v0.91.1
Internal improvements and maintenance updates.
February 10 2025
v0.91.0
  • OIDC Provider: Add support for dpop nonce validation
February 8 2025
v0.90.2
  • Observability: Add new telemetry config format for metrics
February 1 2025
v0.90.1
Internal improvements and maintenance updates.
January 31 2025
v0.90.0
  • OIDC Provider: Add support for dpop checking at userinfo endpoint
January 31 2025
v0.89.0
  • OIDC Provider: Add support for DPoP bound refresh tokens
January 29 2025
v0.88.2
  • Proxy Apps: Resolved attribute providers config not being respected
January 29 2025
v0.88.1
Internal improvements and maintenance updates.
January 28 2025
v0.88.0
  • OIDC Provider: Add support for opaque access tokens when using DPoP
January 28 2025
v0.87.1
  • Security: Resolved CVE-2024-45339
January 23 2025
v0.87.0
Internal improvements and maintenance updates.
January 23 2025
v0.86.0
Internal improvements and maintenance updates.
January 23 2025
v0.85.0
Internal improvements and maintenance updates.
January 23 2025
v0.84.0
Internal improvements and maintenance updates.
January 23 2025
v0.83.0
Internal improvements and maintenance updates.
January 23 2025
v0.82.0
Internal improvements and maintenance updates.
January 23 2025
v0.81.0
Internal improvements and maintenance updates.
January 22 2025
v0.80.0
  • OIDC Provider: Update metadata endpoint to return DPoP signing algorithms
January 22 2025
v0.79.0
  • OIDC Provider: Add support for DPoP bound access tokens
January 22 2025
v0.78.0
Internal improvements and maintenance updates.
January 22 2025
v0.77.0
Internal improvements and maintenance updates.
January 22 2025
v0.76.0
Internal improvements and maintenance updates.
January 22 2025
v0.75.0
Internal improvements and maintenance updates.
January 21 2025
v0.74.1
Internal improvements and maintenance updates.
January 21 2025
v0.74.0
Internal improvements and maintenance updates.
January 21 2025
v0.73.0
Internal improvements and maintenance updates.
January 21 2025
v0.72.0
Internal improvements and maintenance updates.
January 20 2025
v0.71.0
Internal improvements and maintenance updates.
January 20 2025
v0.70.3
Internal improvements and maintenance updates.
January 17 2025
v0.70.2
Internal improvements and maintenance updates.
January 7 2025
v0.70.1
Internal improvements and maintenance updates.
January 7 2025
v0.70.0
Internal improvements and maintenance updates.
January 7 2025
v0.69.2
Internal improvements and maintenance updates.