Orchestrator build release notes

Orchestrator build release notes

For older release notes, see the release notes archive.

v0.110.0

2025-04-22

New features

Logging enhancements

  • Logs in the CreateHeader service extension have been updated to include traceID, sessionID, and service attributes.

  • API service extensions can now leverage a newly exposed function that allows for retrieving a logger from the context of a request. The log.WithRequest function can be used to ensure logs include the traceID and sessionID attributes. For more information, refer to the API examples.

ℹ️
Customers running API service extensions must update their service extensions to use the new function ONLY if they want to their logs to include traceID and sessionID. Strata advises customers to first test this new orchestrator release against their existing API service extensions in a lab or lower environment to ensure their service extensions continue to operate normally. For more information, refer to Serve Service Extension.

Resolved issues

This release resolves an issue in which orchestrator telemetry data was being sent to the Maverics Console even though telemetry was disabled. This issue was introduced in v0.107.0 and only impacts customers that are using Maverics Console.

v0.109.0

2025-04-16

New features

Logging enhancements

Logs in the following identity services have been updated to include traceID and service attributes:

  • 1Kosmos
  • PingFederate
  • SAML
  • Windows Client Authenticator (WCA)
  • WSO2

API service extension logs have been updated to include traceID, service, seName, seFuncName, and seChecksum attributes.

Resolved issues

  • This release resolves an issue in which re-authentications triggered by session expiry would fail with an OIDC identity provider using PKCE.

v0.108.0

2025-04-14

New features

Orchestrator v0.108.0 adds improvements to observability, including HTTP access logs, contextual logging, tracing, and standard telemetry. These changes provide more detailed logs for better insight into transactions from all areas of the orchestrator including service extensions.

HTTP access logging

All HTTP requests and responses are now optionally logged. Access logs are logged at debug level by default. Currently, access logs can be enabled/disabled in the orchestrator config. Access logging can be enabled/disabled from the user interface in a forthcoming update to Maverics Console. For more info, please see the reference docs.

Logging

The logger now includes a traceID attribute in log messages that can be used to trace requests through the system. Additionally, logs now include the service key to help clearly identify the source of logs. For service extensions, the seName, seFuncName, and seChecksum keys are also now included.

Security enhancements

v0.107.0

2025-03-26

  • Internal enhancements and improvements.

v0.106.1

2025-03-25

Resolved issues

*go-redis has been updated to v9.7.3 to resolve CVE-2025-29923. Strata recommends all customers using the Redis cache upgrade to this latest version of orchestrator to resolve this issue.

  • Internal enhancements and improvements.

v0.106.0

2025-03-19

New features

  • Orchestrator logs can now be filtered to suppress or reduce specific log messages. For more information, see Filters.
⚠️
Use log filters with caution. Strata advises to only enable log filters if absolutely necessary. There is the possibility of inadvertently suppressing critical security logs. In addition, log filters can negatively impact orchestrator performance.
  • DPoP Nonces can be disabled optionally. By default, when DPoP is enabled, the DPoP Nonce is also enabled. However, if desired you can now disable the DPoP nonce. The Orchestrator will be able to issue and validate DPoP-bound tokens without requiring the nonce. For more info, see the docs.
⚠️
Strata advises against disabling the DPoP Nonce. Disabling the DPoP Nonce increases the risk of being subject to replay attacks. The DPoP nonce ensures the maximum age of the DPoP proof and prevents an attacker from minting DPoP proofs in the future.

  • As part support for the OAuth Hybrid flow, support for the response_mode request parameter has been added. For more information, please see the spec.

  • The LDAP Connector now supports logout. Query parameters are preserved as part of the logout flow in order to ensure a seamless integration when single logout (SLO) is also used.

Resolved issues

  • Resolved an issue where the OIDC Provider did not return standard grants as part of the well-known response. After this fix, the grant_types_supported that are returned align with standard OAuth grants as per section 1.3 of the RFC.

v0.102.0

2025-03-04

Shipped support for the OAuth Hybrid Flow in orchestrator to grant OIDC applications access to an ID token while maintaining secure retrieval of access tokens and refresh tokens. As part of this implementation, orchestrator includes supports for the Implicit Grant Type (deprecated) as it is required to be combined with the Authorization Code flow in order to facilitate the Hybrid Flow.

ℹ️
Strata does NOT recommend using the Implicit flow. For more information, see our OIDC Provider doc

v0.101.4, v0.101.5, v0.102.1

2025-03-03

The following libraries have been updated to resolve discovered vulnerabilities:

v0.101.2

2025-02-28

Resolved an issue to allow the introspection response to succeed for access tokens for nested claims.

v0.101.1

2025-02-28

The golang crypto library in the orchestrator has been updated to version 0.35.0 to resolve CVE-2025-22869.

v0.100.0, v0.101.0

2025-02-27

Shipped support for silent OIDC authentication in the Auth0 Connector, as well as support for a custom error page. This allows for a silent auth to Auth0 with the authentication request returning prompt=none. This can help facilitate bi-directional SSO use cases. Strata will bring this functionality to more IDPs in the near future.

v0.99.1

2025-02-24

Resolved an issue to allow reload to work successfully when an end session endpoint for an OIDC provider is defined.

v0.99.0

2025-02-24

The go-redis package in the orchestrator has been updated to version 9.7.1.

v0.97.0

2025-02-19

The build architecture of the macOS download artifact has been updated from AMD to ARM.

v0.96.0

2025-02-21

Added support for multiple secret paths in HashiCorp Vault secret provider

The orchestrator integration with HashiCorp Vault now supports multiple secret paths from the same secrets engine. If needed as part of your user flows, you can define secret paths for multiple secrets in the orchestrator configuration. For more details, see Secrets Management: HashiCorp Vault.

⚠️

As part of this update, secret names cannot contain any forward slashes (/).

If you are currently using HashiCorp Vault as a secrets provider and your secret names include slashes, Strata advises you to remove the slashes or change the secret name before upgrading your orchestrator to v0.96.0.

Failing to do so might result in a connection failure to your Vault instance. To remediate this, change your secret name to remove slashes then restart orchestrator.

v0.94.0

2025-02-13

Orchestrator has been upgraded to Go v1.23.

Noteworthy changes include:

  • 3DES cipher suites are removed from the default list of secure ciphers that the Orchestrator uses. If required, these ciphers can be reenabled by using the enabledCiphers TLS config.
  • net/http Cookie implementation no longer strips double quotes from cookies when storing. This should not impact existing service extensions, but Strata is performing a further investigation to verify behaviours remain consistent.

For more information, see Go 1.23 Release Notes.

v0.93.0

2025-02-13

  • Browser based client apps now have access to DPoP-Nonce response headers.

v0.91.0

2025-02-10

  • The OIDC Provider now requires DPoP nonce validation.

v0.90.0

2025-01-31

  • When a previously issued access token is DPoP bound, DPoP proof and its corresponding access token are now validated at the userinfo endpoint.

v0.89.0

2025-01-31

  • Internal enhancements and improvements.
  • Maverics now supports DPoP bound refresh tokens.

v0.88.2

2025-01-29

  • A bug causing attribute providers to break in proxy apps was fixed.

v0.88.1

2025-01-29

  • Internal Only release: enhancements and improvements.

v0.88.0

2025-01-28

  • Maverics now supports opaque access tokens when using DPoP.

v0.80.0

2025-01-22

  • We have updated the metadata endpoint to return DPoP signing algorithms for OIDC providers.

v0.79.0

2025-01-22

  • Maverics now supports DPoP sender-bound access tokens for OIDC providers.
Maverics console release notesRelease notes archive