v1.6.7

Breaking changes

• Scalable user searching: We’ve made some improvements to enhance the scalability of our system to better support increased usage. These changes allow us to handle increased demand more efficiently, ensuring a smoother experience for all our customers.
  As part of this update, there may be a delay (up to 100ms) in accessing newly written or updated user data from the search user endpoints. If you have any questions, feel free to reach out!

Enhancements

• User tenant API: We added an option to fetch a specific user's tenant(s) information from an active session. Using the new MyTenants function, you can query a current user's sessions' tenants details. See the example in the SDK's README.
• Tenant created time: We added the tenant's creation time when loading the tenant (both in Load and LoadAll functions).

Bug fixes

• Public key fetch mix: In some rare conditions, after performing a JWK rotation, there might be a race condition on getting the proper public key. We attended it quickly and fixed the gap. Thanks to a fellow Descoper for bringing this one to our attention!

v1.6.6

Enhancements

• Force refresh of OAuth/OIDC provider token: Current refresh of provider token is based on its expiration time. There are some cases in which the provider doesn't return the expiration, and for that we aded the forceRefresh parameter when using the GetProviderTokenWithOptions function - to force refreshing the provider token.
• Access key descriptions and permitted IPs list: Access key descriptions can now be set - both from the console as well as the SDK. This also applies for permitted IPs (the source IP that is used by the access key upon request) - which supports both single IP addresses as well as CIDRs.
• Application sign-out URL: We've added an option to configure a specific application sign-out URL using the logoutRedirectUrl param in SAML related functions. This is useful when Descope is your IdP, and you want to sign a user out of Descope when they sign out from their SP.
• User interaction override: With the forceAuthentication flag in applications, you can force end user to interact in a specific way with Descope (as IdP), regardless of the SP's settings.
• Project tags: Projects now have a Tags attribute - a list of strings that can be used to distinguish your projects. Those can be updated using the UpdateTags command.
• Generate SSO configuration link: We've recently added an option in the console to send a link that triggers the SSO configuration flow. We've completed this feature by supporting it also via SDK using the GenerateSSOConfigurationLink command. An example can be found in the SDK's README.

Bug fixes

• Access key expiration ignored at exchange: We had a problematic behavior where in some edge cases - the access key exchange would happen and exchange a key to a time that's past its expiration definition. This was fixed now, thank you to our customers for bringing this one to our attention!

v1.6.5

Breaking changes

• Option to automatically delete related users/access keys when deleting their associated tenant: We've added an option to handle auto-deletion of 'orphaned' users and access keys when their last tenant is deleted. When deleting a tenant, you can use the new cascade flag to indicate that if part of the tenant's users/access keys are left with no tenant association - they will also be deleted from the project.
  Please notice that this change breaks compilation, due to the new parameter added.

Enhancements

• nOTP authentication method: As published in our changelog - we've added a new authentication method named nOTP, which can now be used directly via the Go SDK! Read all about it in the SDK's README.
• TOTP seed migration: When batch importing users into Descope, you can specify collecting their TOTP seed as part of the migration. If provided in the data, that seed will now be associated with the user and the next authentication will be seamless.
• List projects: With the ListProjects function, you can get a list of all projects in a specified company.
• Patch user: The new Patch command allows you to update a user's properties - but only those that have been provided in the request (without running over other data that currently exists on the user).

v1.6.4

Breaking changes

• Total count of users search: We've enhanced the SearchAll Users function to also return the total number of records found. Example can be found in the SDK's README.
  Please notice that this change breaks compilation, since it now returns another parameter in the response.

Enhancements

• Custom audit events: We've added the function CreateEvent to our Audit object, that allows you to generate your own custom audit events. You can also create your custom audit event to provide different data than that provided by Descope.
• Enhanced audit record: Each audit log will now include the performer's User ID (Actor ID) as well as the the severity of the event (Type).
• Logout user via token: A new function named LogoutWithToken has been added, to allow logging a user out using a refresh token.
• PHPass hashes import support: We now support importing users with passwords that have been hashed using PHPass.
• Claim validation using current tenant: If the dct ('Descope Current Tenant') claim is configured, authorization related functions for fetching and validation such as GetMatchedTenantPermissions will take that tenant into consideration.

v1.6.3

Breaking changes

• Project management renames: We've renamed project data to 'snapshot' - and made the related functions clearer this way:
  • projectExport > projectExportSnapshot
  • projectImport > projectImportSnapshot
  • projectImportValidate > projectValidateSnapshot
• managementcli's new home: We opened a dedicated repo for management CLI - https://github.com/descope/descopecli - so we removed any leftovers from this SDK. Check it out, and don't forget to star it! ⭐

Enhancements

• Update User's OAuth login ID: With the OAuth.UpdateUser function, you can mimic the existing flow action step to update your user's login IDs with their authenticated OAuth account.
• Custom claims for access keys: You can define custom claims that will be added upon creation or exchange of access key tokens. See our example on how to use it in the exchange process in our README.
• Search over roles: We've added a new Search function roles, to allow easy searching over them. This function works both for project level roles as well as tenant level roles (depending on the used filter).
• Importing secrets as part of project import: Project import now allows providing missing secrets out of band to allow importing new entities such as connectors' or OAuth providers' credentials into a project.
• Project import validations: Using the ValidateSnapshot function, you can project data by performing an import dry run and reporting any validation failures or missing data. It's recommended to perform this check right before actually importing a project to minimize failures.
• Template options: In case you need to pass an external value from your systems to Descope, so that it appears in an email or SMS template - use the TemplateOptions object to specify those. Read more on this feature in our documentation.
• OTP via voice: In addition to sending OTP via SMS or email - we now support a third delivery method - voice call, with the MethodVoice const.
• ReBAC relationship checker: We added a new function WhatCanTargetAccessWithRelation to check what resources a user has access, per the application's ReBAC schema. Search is recursive.

Bug fixes

• Tenant param in passwords should be optional: We changed password management related functions to have the tenantID param optional and not required.

v1.6.1

Breaking changes

• Support multiple domains for tenant: There's an option to automatically associated a user to a tenant based on the user's email domain. Sometimes the same tenant can 'accept' multiple domains - so that's supported now!
  Please notice that this breaks compilation - considering this value is now an array and not a string.
• CloneProject response removed: We understood that the project information that currently returned in the CloneProject function is redundant, and that it should be removed (and if it's needed - the ExportProject function will do).
  This change breaks compilation - since there's no response from the function now.
• Support PBKDF2 encoding: Some systems encode passwords with the PBKDF2 hashing mechanism, so we added support for importing those hashes into Descope using the InviteBatch function. See the example in the SDK's README.
  Notice that this update does break compilation.
• Use external information in email/text message templates: Just like custom flow inputs, you can now provide custom template inputs that can be added to the email/text message template upon runtime. For example, you can choose to pass the user's IP into the template, to present upon verification.
  Considering the various functions involved (such as SignUp) include another parameter - compilation will break.

Enhancements

• 😮 Tenant SSO - supporting SAML and OIDC: We've recently expanded our tenant SSO support to both SAML and OIDC configurations, so we created a set of generic SSO commands that replace the existing SAML ones.
  Using the dedicated SSOSAMLSettings, SSOSAMLSettingsByMetadata and SSOOIDCSettings objects, along with their matching functions, you can define a tenant's SSO configuration settings.
  This also means that dedicated SAML authentication commands are now deprecated, and we encourage you to update your code to use the new commands:
  • SAML.ExchangeToken >> SSO.ExchangeToken
  • SAML.Start >> SSO.Start
  • GetSettings >> LoadSettings
  • ConfigureSettings >> ConfigureSAMLSettings
  • ConfigureMetadata >> ConfigureSAMLSettingsByMetadata
• Applications management: Applications, also known as SSO Applications, are used to integrate with an application using SAML or OIDC. Under the SSOApplication object, you can find an option to create, load, update and delete applications in a specific project. Find out more about applications in our documentation.
• Associate an application to a user: You can decide to associate one or more application to a user, thus controlling which of your users has access to those apps. If the user doesn't have access - no JWT will be generated and the authentication to that application will fail.
• Tenant level settings: We've exposed some session management configurations, as well as password policy configurations, to be set on the tenant's level. Just like the console support - we also configuration of those tenant level settings via the SDK.
• Delete a flow: Using the DeleteFlows function, you can delete one or more flows.
• Free search and sorting in users: Two new parameters were added to the SearchAll users function: text will allow searching any text value in all user attributes; sort will allow sorting the returned values alphabetically by attribute name.
• Get recent changes in Authz schema definition: We added the GetModified authz function, to be able to understand which new targets and resources were created or updated since a certain time.

Bug fixes

• Expose missing functionalities when testing users: The MethodEmbedded parameter and the loginOptions function were not exposed for usage when using test users, so we fixed it.
• README fixes: Some updates to the README were made to clarify some of the explanations there.

v1.6.0

Breaking changes

• Certificate verification configuration: We've externalized the certificate verification configuration, so that the Descoper can decide whether to verify the server certificate or not. The CertificateVerify parameter has 3 modes: CertificateVerifyAutomatic (default - skip only when base URL is overridden, like when setting to localhost or using a port), CertificateVerifyAlways and CertificateVerifyNever.
  Please notice that this will break your application in case it uses a non-valid TLS certificate, and so migration should be tested carefully.
• Support context: Added the ability to work with context, in all authentication methods and management functions.
  Please notice that this breaks compilation of all the related functions.
• Appending user login IDs: We've added the option to assign multiple login IDs to a user, using the AdditionalLoginIDs attribute, upon creation and/or invitation of the user.
  Please notice that this breaks compilation of the following user functions: Create, CreateTestUser, Invite.

Enhancements

• First, middle and last names of a user: We added system attributes for first (GivenName), middle (MiddleName) and last (FamilyName) of a user.
• Delete a project: Added the Delete function for projects.
• Check roles or permissions of a user: Check if the user has at least one of the roles in a provided list, using the GetMatchedRoles function. This also applies for checking permissions (GetMatchedPermissions), and also for checking the existence on a project level and a specific tenant level (GetMatchedTenantRoles , GetMatchedTenantPermissions).
• Set the user's roles: We now support the option to set an existing user's roles. Instead of fetching existing roles, removing all of them and adding new ones 'from scratch' - use the SetRoles user function.
• Delete a user by its userId: Support to delete a user by its userId property, using the new DeleteByUserID function.
• Remove a user's passkey login IDs: Using the userRemoveAllPasskeys management function, the Descoper can decide to remove all passkeys associated with a specific user.

v1.5.7

Enhancements

• ReBAC support: Descope now supports an advanced and more elaborate concept of authorization, known as ReBAC. ReBAC, Relation-Based Access Control, allows defining the user's permissions based on its relationship to various objects, using a directed graph of connections between them. Read more in our README.
• Search users by email or phone: We enabled the option to search over the user email and phone attributes - regardless if those are used as Login IDs or not.
• Know if the user can authenticate using WebAuthn or Password: In the userResponse object, you can now check whether the user can authenticate using Passkeys (WebAuthn) or Passwords.
• Search over tenants: Using the searchAll tenants command, you can now search for all tenants based on their attribute values, such as name, self-provisioning domains, custom attributes and more.
• Logout all user sessions: Descopers can now decide to terminate a specific user's sessions across existing devices, using the management SDK. You can do so by providing the user's Login ID (LogoutUserByUserID) or their User ID (LogoutUser).
• Batch invitations: Using the new InviteBatch command, you can sent invitations to multiple users at once.
• Cloning a project: Projects can be programmatically cloned using the new clone project command. Note that this action is supported for pro and enterprise licensed customers.
• Tenant selection: When a user has multiple associated tenants, it is important to know and control the context that they are currently in. For that, we've added the option to set the user's current tenant using the SelectTenantWithRequest command.
• README enhancements: Making our README more informative and full of examples for better explainability!

v1.5.6

Breaking changes

• Password Replace return value: We're now returning the JWT's response in the ReplaceUserPassword function, so that the session and refresh JWTs can be utilized (for example, in flows). This information will be returned as an AuthenticationInfo object.
  Please notice that this breaks compilation of the function.

Enhancements

• Setting email and phone verification status upon creation: When creating a new user, you can now control whether the email and/or phone of that user are verified or not.
• Setting the Invitation URL via SDK: Using the new InviteOptions object, you can define a specific invitation URL when inviting a new user, that will override the default invitation URL set in your project's settings.
• New error type: ErrTokenExpiredByLoggedOut: This error will return in case the token is expired because the user has already logged out previously.
• README enhancements: Making our README more informative and full of examples for better explainability!

v1.5.5

Enhancements

• Embedded links: We now support the option of generating an embedded link. Using the GenerateEmbeddedLink function, the Descoper can now generate a link that contains a user's token, thus requiring only verification to finalize the authentication.
  ⚠️ Please notice that this feature needs to be turned on in the console, as it's considered an advanced feature that requires extra planning and attention when used. Make sure only permitted personnel use it, and that it is audited appropriately in the relevant places.
• Search by user status: We've added the option to search over user statuses using the SearchAll function.