Know Before Upgrade
- The major version of `gomplate` has been bumped to v5.0.0, which includes breaking changes. Here is the full list.
- There are two known CVEs in the `gomplate` binary - `CVE-2025-68121` and `CVE-2026-25934`. `gomplate` is only used for preprocessing configuration files and is optional. Once the CVEs are fixed upstream, the version of gomplate in the dex image will be updated accordingly.
- The `ContinueOnConnectorFailure` feature flag is now enabled by default. To disable it, use the following environment variable: `DEX_CONTINUE_ON_CONNECTOR_FAILURE=false`.
- Pre-release versions of dex now use pseudo-versioning for identifying releases. Unreleased versions will follow the pattern `v2.minor+1.0-yyyymmdd-commithash`.
What's Changed
Exciting New Features 🎉
- Add support to PKCE in OIDC connector by @johnvan7 in #3777
- Add Vault signer for JWT by @nabokihms in #4512
- Support groups and preferred_username for static passwords by @Jabejixo in #4456
- Add name and email_verified fields for static passwords by @Jabejixo in #4526
Enhancements 🚀
- Example app pkce by @nabokihms in #4284
- Only wrap IPv6 addresses in brackets by @rene-dekker in #4388
- Update distroless base image to debian13 by @loosebazooka in #4453
- Hide internal server error details from users by @Jabejixo in #4457
- Gitlab support custom rootCAData by @Jabejixo in #4496
- Enable `ContinueOnConnectorFailure` feature flag by @manojVivek in #4495
- Extend example configs for idEnv and public by @cardoe in #4443
- Add unprivileged user setup in Dockerfile by @nabokihms in #4517
- Add conformance tests for Vault signer integration by @nabokihms in #4520
- Add CRD handling behavior and configuration options by @nabokihms in #4543
- Enhance git-version script to generate pseudo-versions by @nabokihms in #4553
- Validate redirect URIs and safely append parameters by @nabokihms in #4559
- Refactor example-app with a new config by @nabokihms in #4569
- Implement device code flow in example-app by @nabokihms in #4570
Bug Fixes 🐛
- Do not wrap Kubernetes Address in brackets by @nabokihms in #4363
- Device callback URL needs to handle a / by @cardoe in #4448
- Suppress deprecation warning for userAttr when not set by @nabokihms in #4539
- Use correct id value for label by @loganripplinger in #4541
- Respond with forbidden if failed to authenticate by @aljoshare in #4200
Dependency Updates ⬆️
- build(deps): bump github.com/dexidp/dex/api/v2 from 2.3.0 to 2.4.0 in /examples by @dependabot[bot] in #4299
- build(deps): bump actions/setup-go from 5.5.0 to 6.0.0 by @dependabot[bot] in #4304
- build(deps): bump aquasecurity/trivy-action from 0.33.0 to 0.33.1 by @dependabot[bot] in #4305
- build(deps): bump golang from 1.25.0-alpine3.22 to 1.25.1-alpine3.22 by @dependabot[bot] in #4307
- build(deps): bump distroless/static-debian12 from `a9f88e0` to `e8a4044` by @dependabot[bot] in #4313
- build(deps): bump oras-project/setup-oras from 1.2.3 to 1.2.4 by @dependabot[bot] in #4314
- build(deps): bump github/codeql-action from 3.29.11 to 3.30.3 by @dependabot[bot] in #4320
- build(deps): bump sigstore/cosign-installer from 3.9.2 to 3.10.0 by @dependabot[bot] in #4324
- build(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1 by @dependabot[bot] in #4302
- build(deps): bump github.com/prometheus/client_golang from 1.23.0 to 1.23.2 by @dependabot[bot] in #4309
- build(deps): bump tonistiigi/xx from 1.6.1 to 1.7.0 by @dependabot[bot] in #4317
- build(deps): bump golang.org/x/oauth2 from 0.30.0 to 0.31.0 by @dependabot[bot] in #4310
- build(deps): bump golang.org/x/oauth2 from 0.30.0 to 0.31.0 in /examples by @dependabot[bot] in #4311
- build(deps): bump github/codeql-action from 3.30.3 to 3.30.4 by @dependabot[bot] in #4339
- build(deps): bump google.golang.org/protobuf from 1.36.8 to 1.36.9 by @dependabot[bot] in #4335
- build(deps): bump golang.org/x/net from 0.43.0 to 0.44.0 by @dependabot[bot] in #4334
- build(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 by @dependabot[bot] in #4332
- build(deps): bump golang from 1.25.1-alpine3.22 to 1.25.3-alpine3.22 by @dependabot[bot] in #4368
- build(deps): bump actions/dependency-review-action from 4.7.3 to 4.8.1 by @dependabot[bot] in #4366
- build(deps): bump github/codeql-action from 3.30.4 to 4.30.8 by @dependabot[bot] in #4365
- build(deps): bump google.golang.org/api from 0.248.0 to 0.252.0 by @dependabot[bot] in #4360
- build(deps): bump google.golang.org/grpc from 1.75.0 to 1.76.0 in /examples by @dependabot[bot] in #4357
- build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in #4350
- build(deps): bump docker/login-action from 3.5.0 to 3.6.0 by @dependabot[bot] in #4348
- build(deps): bump actions/cache from 4.2.4 to 4.3.0 by @dependabot[bot] in #4338
- build(deps): bump the etcd group with 2 updates by @dependabot[bot] in #4333
- build(deps): bump alpine from 3.22.1 to 3.22.2 by @dependabot[bot] in #4361
- build(deps): bump github.com/coreos/go-oidc/v3 from 3.15.0 to 3.16.0 in /examples by @dependabot[bot] in #4354
- build(deps): bump google.golang.org/grpc from 1.75.0 to 1.76.0 by @dependabot[bot] in #4355
- build(deps): bump golang.org/x/oauth2 from 0.31.0 to 0.32.0 in /examples by @dependabot[bot] in #4362
- build(deps): bump github/codeql-action from 4.30.8 to 4.31.2 by @dependabot[bot] in #4398
- build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in #4395
- build(deps): bump anchore/sbom-action from 0.20.6 to 0.20.9 by @dependabot[bot] in #4393
- build(deps): bump tonistiigi/xx from 1.7.0 to 1.8.0 by @dependabot[bot] in #4386
- build(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0 by @dependabot[bot] in #4376
- build(deps): bump google.golang.org/grpc from 1.75.0 to 1.76.0 in /api/v2 by @dependabot[bot] in #4356
- build(deps): bump sigstore/cosign-installer from 3.10.0 to 4.0.0 by @dependabot[bot] in #4380
- build(deps): bump golang.org/x/net from 0.44.0 to 0.46.0 by @dependabot[bot] in #4374
- build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.2 to 4.1.3 by @dependabot[bot] in #4373
- build(deps): bump golang from `20ee0b6` to `aee43c3` by @dependabot[bot] in #4371
- build(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1 in /examples by @dependabot[bot] in #4300
- build(deps): bump golang.org/x/oauth2 from 0.31.0 to 0.32.0 by @dependabot[bot] in #4375
- build(deps): bump google.golang.org/protobuf from 1.36.8 to 1.36.10 in /api/v2 by @dependabot[bot] in #4352
- build(deps): bump tonistiigi/xx from 1.8.0 to 1.9.0 by @dependabot[bot] in #4430
- build(deps): bump distroless/static-debian12 from `e8a4044` to `2b7c93f` by @dependabot[bot] in #4427
- build(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 by @dependabot[bot] in #4419
- build(deps): bump github/codeql-action from 4.31.2 to 4.31.3 by @dependabot[bot] in #4414
- build(deps): bump actions/dependency-review-action from 4.8.1 to 4.8.2 by @dependabot[bot] in #4411
- build(deps): bump docker/setup-qemu-action from 3.6.0 to 3.7.0 by @dependabot[bot] in #4405
- build(deps): bump docker/metadata-action from 5.8.0 to 5.9.0 by @dependabot[bot] in #4402
- build(deps): bump helm/kind-action from 1.12.0 to 1.13.0 by @dependabot[bot] in #4399
- build(deps): bump alpine from 3.22.2 to 3.23.0 by @dependabot[bot] in #4425
- build(deps): bump golang from 1.25.3-alpine3.22 to 1.25.5-alpine3.22 by @dependabot[bot] in #4424
- build(deps): bump google.golang.org/api from 0.252.0 to 0.256.0 by @dependabot[bot] in #4413
- build(deps): bump golang.org/x/oauth2 from 0.32.0 to 0.33.0 by @dependabot[bot] in #4409
- build(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0 by @dependabot[bot] in #4412
- build(deps): bump github.com/go-ldap/ldap/v3 from 3.4.11 to 3.4.12 by @dependabot[bot] in #4401
- build(deps): bump golang.org/x/oauth2 from 0.32.0 to 0.34.0 in /examples by @dependabot[bot] in #4431
- build(deps): bump google.golang.org/grpc from 1.76.0 to 1.77.0 in /examples by @dependabot[bot] in #4417
- build(deps): bump google.golang.org/grpc from 1.76.0 to 1.77.0 in /api/v2 by @dependabot[bot] in #4416
- build(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2 in /examples by @dependabot[bot] in #4426
- build(deps): bump alpine from 3.23.0 to 3.23.2 by @dependabot[bot] in #4455
- build(deps): bump google.golang.org/grpc from 1.77.0 to 1.78.0 in /examples by @dependabot[bot] in #4460
- build(deps): bump google.golang.org/protobuf from 1.36.10 to 1.36.11 by @dependabot[bot] in #4449
- build(deps): bump github/codeql-action from 4.31.3 to 4.31.7 by @dependabot[bot] in #4440
- build(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2 by @dependabot[bot] in #4439
- build(deps): bump golang.org/x/net from 0.47.0 to 0.48.0 by @dependabot[bot] in #4438
- build(deps): bump actions/checkout from 5.0.0 to 6.0.1 by @dependabot[bot] in #4437
- build(deps): bump anchore/sbom-action from 0.20.9 to 0.20.11 by @dependabot[bot] in #4435
- build(deps): bump docker/metadata-action from 5.9.0 to 5.10.0 by @dependabot[bot] in #4434
- build(deps): bump actions/setup-go from 6.0.0 to 6.1.0 by @dependabot[bot] in #4433
- build(deps): bump github.com/coreos/go-oidc/v3 from 3.14.1 to 3.17.0 by @dependabot[bot] in #4441
- build(deps): bump google.golang.org/protobuf from 1.36.10 to 1.36.11 in /api/v2 by @dependabot[bot] in #4450
- build(deps): bump github.com/coreos/go-oidc/v3 from 3.16.0 to 3.17.0 in /examples by @dependabot[bot] in #4420
- build(deps): bump the etcd group with 2 updates by @dependabot[bot] in #4436
- build(deps): bump golang from 1.25.5-alpine3.22 to 1.25.6-alpine3.22 by @dependabot[bot] in #4481
- build(deps): bump distroless/static-debian13 from `b5b9fd0` to `f9f84bd` by @dependabot[bot] in #4468
- build(deps): bump actions/setup-go from 6.1.0 to 6.2.0 by @dependabot[bot] in #4476
- build(deps): bump golang.org/x/crypto from 0.46.0 to 0.47.0 by @dependabot[bot] in #4472
- build(deps): bump github.com/mattn/go-sqlite3 from 1.14.32 to 1.14.33 by @dependabot[bot] in #4474
- build(deps): bump golang.org/x/net from 0.48.0 to 0.49.0 by @dependabot[bot] in #4475
- build(deps): bump google.golang.org/grpc from 1.77.0 to 1.78.0 by @dependabot[bot] in #4469
- build(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in #4477
- build(deps): bump actions/cache from 4.3.0 to 5.0.1 by @dependabot[bot] in #4473
- build(deps): bump github/codeql-action from 4.31.7 to 4.31.10 by @dependabot[bot] in #4470
- build(deps): bump docker/setup-buildx-action from 3.11.1 to 3.12.0 by @dependabot[bot] in #4471
- build(deps): bump google.golang.org/api from 0.257.0 to 0.259.0 by @dependabot[bot] in #4478
- build(deps): bump google.golang.org/grpc from 1.77.0 to 1.78.0 in /api/v2 by @dependabot[bot] in #4459
- build(deps): bump actions/cache from 5.0.1 to 5.0.2 by @dependabot[bot] in #4484
- build(deps): bump golang from `d9c983d` to `ad295fc` by @dependabot[bot] in #4493
- build(deps): bump actions/attest-build-provenance from 3.0.0 to 3.1.0 by @dependabot[bot] in #4485
- build(deps): bump anchore/sbom-action from 0.20.11 to 0.22.0 by @dependabot[bot] in #4487
- build(deps): bump actions/checkout from 6.0.1 to 6.0.2 by @dependabot[bot] in #4489
- build(deps): bump github/codeql-action from 4.31.10 to 4.31.11 by @dependabot[bot] in #4492
- build(deps): bump google.golang.org/api from 0.260.0 to 0.263.0 by @dependabot[bot] in #4494
- build(deps): bump github.com/lib/pq from 1.10.9 to 1.11.1 by @dependabot[bot] in #4505
- build(deps): bump actions/cache from 5.0.2 to 5.0.3 by @dependabot[bot] in #4504
- build(deps): bump github/codeql-action from 4.31.11 to 4.32.0 by @dependabot[bot] in #4502
- build(deps): bump actions/attest-build-provenance from 3.1.0 to 3.2.0 by @dependabot[bot] in #4501
- build(deps): bump anchore/sbom-action from 0.22.0 to 0.22.1 by @dependabot[bot] in #4499
- build(deps): bump alpine from 3.23.2 to 3.23.3 by @dependabot[bot] in #4498
- build(deps): bump google.golang.org/api from 0.263.0 to 0.265.0 by @dependabot[bot] in #4508
- build(deps): bump docker/login-action from 3.6.0 to 3.7.0 by @dependabot[bot] in #4503
- build(deps): bump golang from 1.25.6-alpine3.22 to 1.25.7-alpine3.22 by @dependabot[bot] in #4514
- build(deps): bump golang.org/x/oauth2 from 0.34.0 to 0.35.0 by @dependabot[bot] in #4515
- build(deps): bump github/codeql-action from 4.32.0 to 4.32.2 by @dependabot[bot] in #4509
- build(deps): bump anchore/sbom-action from 0.22.1 to 0.22.2 by @dependabot[bot] in #4510
- build(deps): bump golang.org/x/oauth2 from 0.34.0 to 0.35.0 in /examples by @dependabot[bot] in #4516
- build(deps): bump golang.org/x/crypto from 0.47.0 to 0.48.0 by @dependabot[bot] in #4518
- build(deps): bump golang.org/x/net from 0.49.0 to 0.50.0 by @dependabot[bot] in #4519
- build(deps): bump google.golang.org/api from 0.265.0 to 0.266.0 by @dependabot[bot] in #4523
- build(deps): bump docker/build-push-action from 6.18.0 to 6.19.1 by @dependabot[bot] in #4530
- build(deps): bump golang from 1.25.7-alpine3.22 to 1.26.0-alpine3.22 by @dependabot[bot] in #4522
- build(deps): bump github.com/mattn/go-sqlite3 from 1.14.33 to 1.14.34 by @dependabot[bot] in #4524
- build(deps): bump github.com/lib/pq from 1.11.1 to 1.11.2 by @dependabot[bot] in #4525
- build(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.0 in /examples by @dependabot[bot] in #4537
- build(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.0 by @dependabot[bot] in #4534
- build(deps): bump docker/build-push-action from 6.19.1 to 6.19.2 by @dependabot[bot] in #4535
- build(deps): bump aquasecurity/trivy-action from 0.33.1 to 0.34.0 by @dependabot[bot] in #4533
- build(deps): bump distroless/static-debian13 from `f9f84bd` to `01e550f` by @dependabot[bot] in #4546
- build(deps): bump google.golang.org/grpc from 1.79.0 to 1.79.1 in /examples by @dependabot[bot] in #4551
- build(deps): bump google.golang.org/grpc from 1.79.0 to 1.79.1 by @dependabot[bot] in #4549
- build(deps): bump the etcd group with 2 updates by @dependabot[bot] in #4548
- build(deps): bump github/codeql-action from 4.32.2 to 4.32.3 by @dependabot[bot] in #4547
- build(deps): update gRPC to v1.79.1 and other dependencies by @nabokihms in #4554
- build(deps): bump helm/kind-action from 1.13.0 to 1.14.0 by @dependabot[bot] in #4557
- build(deps): bump google.golang.org/api from 0.266.0 to 0.267.0 by @dependabot[bot] in #4558
- build(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 by @dependabot[bot] in #4562
- build(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3 by @dependabot[bot] in #4563
- build(deps): bump aquasecurity/trivy-action from 0.34.0 to 0.34.1 by @dependabot[bot] in #4574
- build(deps): bump github/codeql-action from 4.32.3 to 4.32.4 by @dependabot[bot] in #4573
Other Changes
New Contributors
- @Zash made their first contribution in #4327
- @rene-dekker made their first contribution in #4388
- @loosebazooka made their first contribution in #4453
- @Jabejixo made their first contribution in #4456
- @loganripplinger made their first contribution in #4541
- @johnvan7 made their first contribution in #3777
- @aljoshare made their first contribution in #4200
Full Changelog: v2.44.0...v2.45.0