dexidp/dex v2.45.0

on GitHub

Know Before Upgrade

• The major version of gomplate has been bumped to v5.0.0, which includes breaking changes. Here is the full list.
• There are two known CVEs in the gomplate binary - CVE-2025-68121 and CVE-2026-25934. gomplate is only used for preprocessing configuration files and is optional. Once the CVEs are fixed upstream, the version of gomplate in the dex image will be updated accordingly.
• The ContinueOnConnectorFailure feature flag is now enabled by default. To disable it, use the following environment variable: DEX_CONTINUE_ON_CONNECTOR_FAILURE=false.
• Pre-release versions of dex now use pseudo-versioning for identifying releases. Unreleased versions will follow the pattern v2.minor+1.0-yyyymmdd-commithash.

What's Changed

Exciting New Features 🎉

• Add support to PKCE in OIDC connector by @johnvan7 in #3777
• Add Vault signer for JWT by @nabokihms in #4512
• Support groups and preferred_username for static passwords by @Jabejixo in #4456
• Add name and email_verified fields for static passwords by @Jabejixo in #4526

Enhancements 🚀

• Example app pkce by @nabokihms in #4284
• Only wrap IPv6 addresses in brackets by @rene-dekker in #4388
• Update distroless base image to debian13 by @loosebazooka in #4453
• Hide internal server error details from users by @Jabejixo in #4457
• Gitlab support custom rootCAData by @Jabejixo in #4496
• Enable ContinueOnConnectorFailure feature flag by @manojVivek in #4495
• Extend example configs for idEnv and public by @cardoe in #4443
• Add unprivileged user setup in Dockerfile by @nabokihms in #4517
• Add conformance tests for Vault signer integration by @nabokihms in #4520
• Add CRD handling behavior and configuration options by @nabokihms in #4543
• Enhance git-version script to generate pseudo-versions by @nabokihms in #4553
• Validate redirect URIs and safely append parameters by @nabokihms in #4559
• Refactor example-app with a new config by @nabokihms in #4569
• Implement device code flow in example-app by @nabokihms in #4570

Bug Fixes 🐛

• Do not wrap Kubernetes Address in brackets by @nabokihms in #4363
• Device callback URL needs to handle a / by @cardoe in #4448
• Suppress deprecation warning for userAttr when not set by @nabokihms in #4539
• Use correct id value for label by @loganripplinger in #4541
• Respond with forbidden if failed to authenticate by @aljoshare in #4200

Dependency Updates ⬆️

• build(deps): bump github.com/dexidp/dex/api/v2 from 2.3.0 to 2.4.0 in /examples by @dependabot[bot] in #4299
• build(deps): bump actions/setup-go from 5.5.0 to 6.0.0 by @dependabot[bot] in #4304
• build(deps): bump aquasecurity/trivy-action from 0.33.0 to 0.33.1 by @dependabot[bot] in #4305
• build(deps): bump golang from 1.25.0-alpine3.22 to 1.25.1-alpine3.22 by @dependabot[bot] in #4307
• build(deps): bump distroless/static-debian12 from a9f88e0 to e8a4044 by @dependabot[bot] in #4313
• build(deps): bump oras-project/setup-oras from 1.2.3 to 1.2.4 by @dependabot[bot] in #4314
• build(deps): bump github/codeql-action from 3.29.11 to 3.30.3 by @dependabot[bot] in #4320
• build(deps): bump sigstore/cosign-installer from 3.9.2 to 3.10.0 by @dependabot[bot] in #4324
• build(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1 by @dependabot[bot] in #4302
• build(deps): bump github.com/prometheus/client_golang from 1.23.0 to 1.23.2 by @dependabot[bot] in #4309
• build(deps): bump tonistiigi/xx from 1.6.1 to 1.7.0 by @dependabot[bot] in #4317
• build(deps): bump golang.org/x/oauth2 from 0.30.0 to 0.31.0 by @dependabot[bot] in #4310
• build(deps): bump golang.org/x/oauth2 from 0.30.0 to 0.31.0 in /examples by @dependabot[bot] in #4311
• build(deps): bump github/codeql-action from 3.30.3 to 3.30.4 by @dependabot[bot] in #4339
• build(deps): bump google.golang.org/protobuf from 1.36.8 to 1.36.9 by @dependabot[bot] in #4335
• build(deps): bump golang.org/x/net from 0.43.0 to 0.44.0 by @dependabot[bot] in #4334
• build(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 by @dependabot[bot] in #4332
• build(deps): bump golang from 1.25.1-alpine3.22 to 1.25.3-alpine3.22 by @dependabot[bot] in #4368
• build(deps): bump actions/dependency-review-action from 4.7.3 to 4.8.1 by @dependabot[bot] in #4366
• build(deps): bump github/codeql-action from 3.30.4 to 4.30.8 by @dependabot[bot] in #4365
• build(deps): bump google.golang.org/api from 0.248.0 to 0.252.0 by @dependabot[bot] in #4360
• build(deps): bump google.golang.org/grpc from 1.75.0 to 1.76.0 in /examples by @dependabot[bot] in #4357
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in #4350
• build(deps): bump docker/login-action from 3.5.0 to 3.6.0 by @dependabot[bot] in #4348
• build(deps): bump actions/cache from 4.2.4 to 4.3.0 by @dependabot[bot] in #4338
• build(deps): bump the etcd group with 2 updates by @dependabot[bot] in #4333
• build(deps): bump alpine from 3.22.1 to 3.22.2 by @dependabot[bot] in #4361
• build(deps): bump github.com/coreos/go-oidc/v3 from 3.15.0 to 3.16.0 in /examples by @dependabot[bot] in #4354
• build(deps): bump google.golang.org/grpc from 1.75.0 to 1.76.0 by @dependabot[bot] in #4355
• build(deps): bump golang.org/x/oauth2 from 0.31.0 to 0.32.0 in /examples by @dependabot[bot] in #4362
• build(deps): bump github/codeql-action from 4.30.8 to 4.31.2 by @dependabot[bot] in #4398
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in #4395
• build(deps): bump anchore/sbom-action from 0.20.6 to 0.20.9 by @dependabot[bot] in #4393
• build(deps): bump tonistiigi/xx from 1.7.0 to 1.8.0 by @dependabot[bot] in #4386
• build(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0 by @dependabot[bot] in #4376
• build(deps): bump google.golang.org/grpc from 1.75.0 to 1.76.0 in /api/v2 by @dependabot[bot] in #4356
• build(deps): bump sigstore/cosign-installer from 3.10.0 to 4.0.0 by @dependabot[bot] in #4380
• build(deps): bump golang.org/x/net from 0.44.0 to 0.46.0 by @dependabot[bot] in #4374
• build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.2 to 4.1.3 by @dependabot[bot] in #4373
• build(deps): bump golang from 20ee0b6 to aee43c3 by @dependabot[bot] in #4371
• build(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1 in /examples by @dependabot[bot] in #4300
• build(deps): bump golang.org/x/oauth2 from 0.31.0 to 0.32.0 by @dependabot[bot] in #4375
• build(deps): bump google.golang.org/protobuf from 1.36.8 to 1.36.10 in /api/v2 by @dependabot[bot] in #4352
• build(deps): bump tonistiigi/xx from 1.8.0 to 1.9.0 by @dependabot[bot] in #4430
• build(deps): bump distroless/static-debian12 from e8a4044 to 2b7c93f by @dependabot[bot] in #4427
• build(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 by @dependabot[bot] in #4419
• build(deps): bump github/codeql-action from 4.31.2 to 4.31.3 by @dependabot[bot] in #4414
• build(deps): bump actions/dependency-review-action from 4.8.1 to 4.8.2 by @dependabot[bot] in #4411
• build(deps): bump docker/setup-qemu-action from 3.6.0 to 3.7.0 by @dependabot[bot] in #4405
• build(deps): bump docker/metadata-action from 5.8.0 to 5.9.0 by @dependabot[bot] in #4402
• build(deps): bump helm/kind-action from 1.12.0 to 1.13.0 by @dependabot[bot] in #4399
• build(deps): bump alpine from 3.22.2 to 3.23.0 by @dependabot[bot] in #4425
• build(deps): bump golang from 1.25.3-alpine3.22 to 1.25.5-alpine3.22 by @dependabot[bot] in #4424
• build(deps): bump google.golang.org/api from 0.252.0 to 0.256.0 by @dependabot[bot] in #4413
• build(deps): bump golang.org/x/oauth2 from 0.32.0 to 0.33.0 by @dependabot[bot] in #4409
• build(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0 by @dependabot[bot] in #4412
• build(deps): bump github.com/go-ldap/ldap/v3 from 3.4.11 to 3.4.12 by @dependabot[bot] in #4401
• build(deps): bump golang.org/x/oauth2 from 0.32.0 to 0.34.0 in /examples by @dependabot[bot] in #4431
• build(deps): bump google.golang.org/grpc from 1.76.0 to 1.77.0 in /examples by @dependabot[bot] in #4417
• build(deps): bump google.golang.org/grpc from 1.76.0 to 1.77.0 in /api/v2 by @dependabot[bot] in #4416
• build(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2 in /examples by @dependabot[bot] in #4426
• build(deps): bump alpine from 3.23.0 to 3.23.2 by @dependabot[bot] in #4455
• build(deps): bump google.golang.org/grpc from 1.77.0 to 1.78.0 in /examples by @dependabot[bot] in #4460
• build(deps): bump google.golang.org/protobuf from 1.36.10 to 1.36.11 by @dependabot[bot] in #4449
• build(deps): bump github/codeql-action from 4.31.3 to 4.31.7 by @dependabot[bot] in #4440
• build(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2 by @dependabot[bot] in #4439
• build(deps): bump golang.org/x/net from 0.47.0 to 0.48.0 by @dependabot[bot] in #4438
• build(deps): bump actions/checkout from 5.0.0 to 6.0.1 by @dependabot[bot] in #4437
• build(deps): bump anchore/sbom-action from 0.20.9 to 0.20.11 by @dependabot[bot] in #4435
• build(deps): bump docker/metadata-action from 5.9.0 to 5.10.0 by @dependabot[bot] in #4434
• build(deps): bump actions/setup-go from 6.0.0 to 6.1.0 by @dependabot[bot] in #4433
• build(deps): bump github.com/coreos/go-oidc/v3 from 3.14.1 to 3.17.0 by @dependabot[bot] in #4441
• build(deps): bump google.golang.org/protobuf from 1.36.10 to 1.36.11 in /api/v2 by @dependabot[bot] in #4450
• build(deps): bump github.com/coreos/go-oidc/v3 from 3.16.0 to 3.17.0 in /examples by @dependabot[bot] in #4420
• build(deps): bump the etcd group with 2 updates by @dependabot[bot] in #4436
• build(deps): bump golang from 1.25.5-alpine3.22 to 1.25.6-alpine3.22 by @dependabot[bot] in #4481
• build(deps): bump distroless/static-debian13 from b5b9fd0 to f9f84bd by @dependabot[bot] in #4468
• build(deps): bump actions/setup-go from 6.1.0 to 6.2.0 by @dependabot[bot] in #4476
• build(deps): bump golang.org/x/crypto from 0.46.0 to 0.47.0 by @dependabot[bot] in #4472
• build(deps): bump github.com/mattn/go-sqlite3 from 1.14.32 to 1.14.33 by @dependabot[bot] in #4474
• build(deps): bump golang.org/x/net from 0.48.0 to 0.49.0 by @dependabot[bot] in #4475
• build(deps): bump google.golang.org/grpc from 1.77.0 to 1.78.0 by @dependabot[bot] in #4469
• build(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in #4477
• build(deps): bump actions/cache from 4.3.0 to 5.0.1 by @dependabot[bot] in #4473
• build(deps): bump github/codeql-action from 4.31.7 to 4.31.10 by @dependabot[bot] in #4470
• build(deps): bump docker/setup-buildx-action from 3.11.1 to 3.12.0 by @dependabot[bot] in #4471
• build(deps): bump google.golang.org/api from 0.257.0 to 0.259.0 by @dependabot[bot] in #4478
• build(deps): bump google.golang.org/grpc from 1.77.0 to 1.78.0 in /api/v2 by @dependabot[bot] in #4459
• build(deps): bump actions/cache from 5.0.1 to 5.0.2 by @dependabot[bot] in #4484
• build(deps): bump golang from d9c983d to ad295fc by @dependabot[bot] in #4493
• build(deps): bump actions/attest-build-provenance from 3.0.0 to 3.1.0 by @dependabot[bot] in #4485
• build(deps): bump anchore/sbom-action from 0.20.11 to 0.22.0 by @dependabot[bot] in #4487
• build(deps): bump actions/checkout from 6.0.1 to 6.0.2 by @dependabot[bot] in #4489
• build(deps): bump github/codeql-action from 4.31.10 to 4.31.11 by @dependabot[bot] in #4492
• build(deps): bump google.golang.org/api from 0.260.0 to 0.263.0 by @dependabot[bot] in #4494
• build(deps): bump github.com/lib/pq from 1.10.9 to 1.11.1 by @dependabot[bot] in #4505
• build(deps): bump actions/cache from 5.0.2 to 5.0.3 by @dependabot[bot] in #4504
• build(deps): bump github/codeql-action from 4.31.11 to 4.32.0 by @dependabot[bot] in #4502
• build(deps): bump actions/attest-build-provenance from 3.1.0 to 3.2.0 by @dependabot[bot] in #4501
• build(deps): bump anchore/sbom-action from 0.22.0 to 0.22.1 by @dependabot[bot] in #4499
• build(deps): bump alpine from 3.23.2 to 3.23.3 by @dependabot[bot] in #4498
• build(deps): bump google.golang.org/api from 0.263.0 to 0.265.0 by @dependabot[bot] in #4508
• build(deps): bump docker/login-action from 3.6.0 to 3.7.0 by @dependabot[bot] in #4503
• build(deps): bump golang from 1.25.6-alpine3.22 to 1.25.7-alpine3.22 by @dependabot[bot] in #4514
• build(deps): bump golang.org/x/oauth2 from 0.34.0 to 0.35.0 by @dependabot[bot] in #4515
• build(deps): bump github/codeql-action from 4.32.0 to 4.32.2 by @dependabot[bot] in #4509
• build(deps): bump anchore/sbom-action from 0.22.1 to 0.22.2 by @dependabot[bot] in #4510
• build(deps): bump golang.org/x/oauth2 from 0.34.0 to 0.35.0 in /examples by @dependabot[bot] in #4516
• build(deps): bump golang.org/x/crypto from 0.47.0 to 0.48.0 by @dependabot[bot] in #4518
• build(deps): bump golang.org/x/net from 0.49.0 to 0.50.0 by @dependabot[bot] in #4519
• build(deps): bump google.golang.org/api from 0.265.0 to 0.266.0 by @dependabot[bot] in #4523
• build(deps): bump docker/build-push-action from 6.18.0 to 6.19.1 by @dependabot[bot] in #4530
• build(deps): bump golang from 1.25.7-alpine3.22 to 1.26.0-alpine3.22 by @dependabot[bot] in #4522
• build(deps): bump github.com/mattn/go-sqlite3 from 1.14.33 to 1.14.34 by @dependabot[bot] in #4524
• build(deps): bump github.com/lib/pq from 1.11.1 to 1.11.2 by @dependabot[bot] in #4525
• build(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.0 in /examples by @dependabot[bot] in #4537
• build(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.0 by @dependabot[bot] in #4534
• build(deps): bump docker/build-push-action from 6.19.1 to 6.19.2 by @dependabot[bot] in #4535
• build(deps): bump aquasecurity/trivy-action from 0.33.1 to 0.34.0 by @dependabot[bot] in #4533
• build(deps): bump distroless/static-debian13 from f9f84bd to 01e550f by @dependabot[bot] in #4546
• build(deps): bump google.golang.org/grpc from 1.79.0 to 1.79.1 in /examples by @dependabot[bot] in #4551
• build(deps): bump google.golang.org/grpc from 1.79.0 to 1.79.1 by @dependabot[bot] in #4549
• build(deps): bump the etcd group with 2 updates by @dependabot[bot] in #4548
• build(deps): bump github/codeql-action from 4.32.2 to 4.32.3 by @dependabot[bot] in #4547
• build(deps): update gRPC to v1.79.1 and other dependencies by @nabokihms in #4554
• build(deps): bump helm/kind-action from 1.13.0 to 1.14.0 by @dependabot[bot] in #4557
• build(deps): bump google.golang.org/api from 0.266.0 to 0.267.0 by @dependabot[bot] in #4558
• build(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 by @dependabot[bot] in #4562
• build(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3 by @dependabot[bot] in #4563
• build(deps): bump aquasecurity/trivy-action from 0.34.0 to 0.34.1 by @dependabot[bot] in #4574
• build(deps): bump github/codeql-action from 4.32.3 to 4.32.4 by @dependabot[bot] in #4573

Other Changes

• Add Terrakube to Adopters by @shurup in #4316

New Contributors

• @Zash made their first contribution in #4327
• @rene-dekker made their first contribution in #4388
• @loosebazooka made their first contribution in #4453
• @Jabejixo made their first contribution in #4456
• @loganripplinger made their first contribution in #4541
• @johnvan7 made their first contribution in #3777
• @aljoshare made their first contribution in #4200

Full Changelog: v2.44.0...v2.45.0