Orchestrator build release notes

For older release notes, see the release notes archive.

v0.107.0

2025-03-26

  • Internal enhancements and improvements.

v0.106.1

2025-03-25

Resolved issues

  • go-redis has been updated to v9.7.3 to resolve CVE-2025-29923. Strata recommends all customers using the Redis cache upgrade to this latest version of orchestrator to resolve this issue.

  • Internal enhancements and improvements.

v0.106.0

2025-03-19

New features

  • Orchestrator logs can now be filtered to suppress or reduce specific log messages. For more information, see Filters.
⚠️
Use log filters with caution. Strata advises to only enable log filters if absolutely necessary. There is the possibility of inadvertently suppressing critical security logs. In addition, log filters can negatively impact orchestrator performance.
  • DPoP Nonces can be disabled optionally. By default, when DPoP is enabled, the DPoP Nonce is also enabled. However, if desired you can now disable the DPoP nonce. The Orchestrator will be able to issue and validate DPoP-bound tokens without requiring the nonce. For more info, see the docs.
⚠️
Strata advises against disabling the DPoP Nonce. Disabling the DPoP Nonce increases the risk of being subject to replay attacks. The DPoP nonce ensures the maximum age of the DPoP proof and prevents an attacker from minting DPoP proofs in the future.
  • As part of support for the OAuth Hybrid flow, support for the response_mode request parameter has been added. For more information, please see the spec.

  • The LDAP Connector now supports logout. Query parameters are preserved as part of the logout flow in order to ensure a seamless integration when single logout (SLO) is also used.
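To make the nonce's role concrete, here is an added example (not Maverics code) of the claim checks a server performs on a DPoP proof per RFC 9449, with the JWS signature and typ header assumed to be verified elsewhere; the policy names, URLs and sample proof are constructed. It shows a proof pre-minted with a future iat being accepted once that time arrives when the nonce is disabled, and rejected with use_dpop_nonce when a current server nonce is required.

```python
"""DPoP proof claim checks (RFC 9449 section 4.3). Added example, constructed data."""
import time
from dataclasses import dataclass, field


@dataclass
class DPoPPolicy:
    require_nonce: bool = True
    max_age: int = 300                 # seconds a proof's iat may lie in the past
    skew: int = 60                     # tolerated clock skew into the future
    valid_nonces: set = field(default_factory=set)  # nonces this server currently accepts
    seen_jtis: set = field(default_factory=set)     # replay cache (bound its size in production)


def check_dpop_claims(claims, method, url, policy, now=None):
    """Return (accepted, reason). Signature and typ=dpop+jwt are assumed already verified."""
    now = int(time.time()) if now is None else now
    for required in ("jti", "htm", "htu", "iat"):
        if required not in claims:
            return False, f"missing {required}"
    # Exact-match comparison here; production code normalises htu per section 4.3.
    if claims["htm"] != method or claims["htu"] != url:
        return False, "htm/htu mismatch"
    iat = claims["iat"]
    if iat > now + policy.skew or iat < now - policy.max_age:
        return False, "iat outside acceptance window"
    if claims["jti"] in policy.seen_jtis:
        return False, "replayed jti"
    if policy.require_nonce and claims.get("nonce") not in policy.valid_nonces:
        # Client must retry with the nonce from the server's DPoP-Nonce header.
        return False, "use_dpop_nonce"
    policy.seen_jtis.add(claims["jti"])
    return True, "ok"


def preminted_proof_demo():
    """Proof minted at t0 with iat = t0 + 3600 and presented an hour later (constructed)."""
    t0 = 1_742_000_000
    htu = "https://rp.example/userinfo"
    proof = {"jti": "c0ffee-1", "htm": "GET", "htu": htu, "iat": t0 + 3600}
    lax = DPoPPolicy(require_nonce=False)
    strict = DPoPPolicy(require_nonce=True, valid_nonces={"srv-nonce-now"})
    later = t0 + 3600
    # Without the nonce only the client-asserted iat bounds freshness, so the pre-minted
    # proof looks fresh; with the nonce it lacks the current server value and is refused.
    return (check_dpop_claims(proof, "GET", htu, lax, now=later),
            check_dpop_claims(proof, "GET", htu, strict, now=later))
```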

Resolved issues

  • Resolved an issue where the OIDC Provider did not return standard grants as part of the well-known response. After this fix, the grant_types_supported that are returned align with standard OAuth grants as per section 1.3 of the RFC.

v0.102.0

2025-03-04

Shipped support for the OAuth Hybrid Flow in orchestrator to grant OIDC applications access to an ID token while maintaining secure retrieval of access tokens and refresh tokens. As part of this implementation, orchestrator includes support for the Implicit Grant Type (deprecated), since it must be combined with the Authorization Code flow in order to facilitate the Hybrid Flow.

ℹ️
Strata does NOT recommend using the Implicit flow. For more information, see our OIDC Provider doc.
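As an added illustration of the relying-party side of the Hybrid Flow and the response_mode parameter introduced in v0.106.0 (example code, not Maverics code), the following reads the callback parameters from the location response_mode selects and checks that the returned code and access token are bound to the ID token through its c_hash and at_hash claims, as OpenID Connect Core requires; the URLs, code and claims are constructed, and the ID token's signature is assumed to be verified beforehand.

```python
"""Consuming an OIDC Hybrid Flow response. Added example with constructed sample data."""
import base64
import hashlib
from urllib.parse import parse_qsl, urlsplit


def parse_callback(url, response_mode="fragment", body=None):
    """Return response parameters from where response_mode places them.
    Hybrid flows default to 'fragment'; 'query' exposes tokens in logs and referrers,
    so it is only suitable for code-only responses; 'form_post' uses the POST body."""
    parts = urlsplit(url)
    if response_mode == "fragment":
        raw = parts.fragment
    elif response_mode == "query":
        raw = parts.query
    elif response_mode == "form_post":
        raw = body or ""
    else:
        raise ValueError(f"unsupported response_mode: {response_mode}")
    return dict(parse_qsl(raw, keep_blank_values=True))


def half_hash(value, alg="RS256"):
    """Left-most half of the hash implied by the ID token alg, base64url without padding
    (the c_hash / at_hash construction in OpenID Connect Core 1.0)."""
    digest_name = {"256": "sha256", "384": "sha384", "512": "sha512"}[alg[-3:]]
    digest = hashlib.new(digest_name, value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def verify_hybrid_binding(id_token_claims, params, alg="RS256"):
    """Reject a response whose code/access_token are not bound to the signature-checked ID token."""
    for param, claim in (("code", "c_hash"), ("access_token", "at_hash")):
        if param in params:
            expected = id_token_claims.get(claim)
            if expected is None:
                return False, f"{claim} missing from ID token"
            if expected != half_hash(params[param], alg):
                return False, f"{claim} does not match {param}"
    return True, "ok"


def hybrid_demo():
    """Constructed sample: code and id_token returned in the fragment (Hybrid Flow default)."""
    code = "SplxlOBeZQQYbYS6WxSbIA"  # constructed value
    url = f"https://rp.example/callback#code={code}&id_token=eyJ.constructed.token&state=af0ifjsldkj"
    params = parse_callback(url, "fragment")
    good = {"iss": "https://op.example", "aud": "client-123", "c_hash": half_hash(code)}
    swapped = dict(good, c_hash=half_hash("a-different-code"))  # code substituted in transit
    return verify_hybrid_binding(good, params), verify_hybrid_binding(swapped, params)
```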

v0.101.4, v0.101.5, v0.102.1

2025-03-03

The following libraries have been updated to resolve discovered vulnerabilities:

v0.101.2

2025-02-28

Resolved an issue to allow the introspection response to succeed for access tokens for nested claims.

v0.101.1

2025-02-28

The golang crypto library in the orchestrator has been updated to version 0.35.0 to resolve CVE-2025-22869.

v0.100.0, v0.101.0

2025-02-27

Shipped support for silent OIDC authentication in the Auth0 Connector, as well as support for a custom error page. This allows for a silent auth to Auth0 with the authentication request returning prompt=none. This can help facilitate bi-directional SSO use cases. Strata will bring this functionality to more IDPs in the near future.

v0.99.1

2025-02-24

Resolved an issue to allow reload to work successfully when an end session endpoint for an OIDC provider is defined.

v0.99.0

2025-02-24

The go-redis package in the orchestrator has been updated to version 9.7.1.

v0.97.0

2025-02-19

The build architecture of the macOS download artifact has been updated from AMD to ARM.

v0.96.0

2025-02-21

Added support for multiple secret paths in HashiCorp Vault secret provider

The orchestrator integration with HashiCorp Vault now supports multiple secret paths from the same secrets engine. If needed as part of your user flows, you can define secret paths for multiple secrets in the orchestrator configuration. For more details, see Secrets Management: HashiCorp Vault.

⚠️

As part of this update, secret names cannot contain any forward slashes (/).

If you are currently using HashiCorp Vault as a secrets provider and your secret names include slashes, Strata advises you to remove the slashes or change the secret name before upgrading your orchestrator to v0.96.0.

Failing to do so might result in a connection failure to your Vault instance. To remediate this, change your secret name to remove slashes then restart orchestrator.

v0.94.0

2025-02-13

Orchestrator has been upgraded to Go v1.23.

Noteworthy changes include:

  • 3DES cipher suites are removed from the default list of secure ciphers that the Orchestrator uses. If required, these ciphers can be re-enabled by using the enabledCiphers TLS config.
  • net/http Cookie implementation no longer strips double quotes from cookies when storing. This should not impact existing service extensions, but Strata is performing a further investigation to verify behaviours remain consistent.

For more information, see Go 1.23 Release Notes.

v0.93.0

2025-02-13

  • Browser based client apps now have access to DPoP-Nonce response headers.

v0.91.0

2025-02-10

  • The OIDC Provider now requires DPoP nonce validation.

v0.90.0

2025-01-31

  • When a previously issued access token is DPoP bound, the DPoP proof and its corresponding access token are now validated at the userinfo endpoint.

v0.89.0

2025-01-31

  • Internal enhancements and improvements.
  • Maverics now supports DPoP bound refresh tokens.

v0.88.2

2025-01-29

  • A bug causing attribute providers to break in proxy apps was fixed.

v0.88.1

2025-01-29

  • Internal Only release: enhancements and improvements.

v0.88.0

2025-01-28

  • Maverics now supports opaque access tokens when using DPoP.

v0.80.0

2025-01-22

  • We have updated the metadata endpoint to return DPoP signing algorithms for OIDC providers.

v0.79.0

2025-01-22

  • Maverics now supports DPoP sender-bound access tokens for OIDC providers.