Changelog

We’re bringing you a variety of updates today, with no particular theme, so let’s dive right in!

Enterprise SSO Role/Group Mappings

If your users are logging in with Enterprise SSO, they may want to specify a role (or roles) as part of the connection.

Your users (or their IT admin) can now easily manage roles for your product directly in their SAML provider (Okta, Azure/Entra, etc). Better yet, you don’t have to help them set it up - we’ve included instructions directly in all of the SAML set-up instructions.

Each IDP supports slightly different features, so these instructions are aware of the unique restrictions that each SAML provider has. It will sometimes suggest they use a role attribute and sometimes suggest they use a groups attribute instead.

User Management & Configuration Changes

We’ve made a few small changes to actions you can take in the dashboard:

• Accounts that have been locked for too many incorrect password attempts can now be unlocked via the Users section of the Dashboard
• You can now choose whether users should be able to update their own emails via the Signup / Login section of the Dashboard
• Public sign-ups can now be disabled on a per-environment basis via the Signup / Login section of the Dashboard

Everything else.

• We added support for 2 new SSO providers: Salesloft and Outreach
• We added a guide for migrating from Firebase
• We added a guide and reference documentation for our OAuth2 support
• Apple.com is no longer considered a personal domain
• [Node] We’ve deprecated our Cloudflare workers library in favor of our Node library. They were basically the same library, but the Node library now works in the CF worker environment.
• [Nextjs] Added getAuthInfoFromApiRouteRequest and getAuthInfoFromServerSideProps which return both the user and the accessToken
• [Nextjs] Added redirectToOrgSettingsPage and getOrgSettingsPageUrl
• [Nextjs] getCurrentUrl has been deprecated in favor of getCurrentPath

Two major updates today: the ability to add multiple roles per user, and Remix support!

Multiple Roles Per User

You can now configure your project to allow your users to have multiple roles. This can be very useful if your product has roles that don’t conform to the typical hierarchical role structure - for instance, a role that gives someone access to Billing, but nothing else.

You can learn more about multiple roles per user here.

Please note that if you enable this feature, you’ll need to update to the latest versions of our libraries.

Remix

We now officially integrate with Remix! One of things we love about Remix is it’s simplicity, and we’ve tried to emulate that in our integration as well.

For instance, here’s all you need to do to check a user’s role/permission within an organization:

export const loader = async ({ request, context }: LoaderFunctionArgs) => {
  const user = await auth.getUserOrRedirect(request, context);
  const org = user.getActiveOrg()
  
  // can also check org.isRole(...)
  if (org.hasPermission("analytics::view")) {
    return loadAnalytics(org.orgId)
  } else {
    return emptyAnalytics()
};

To get started with PropelAuth and Remix, check out the docs here.

Today's theme is making it easier to manage things: helping your users manage SAML connections, helping you manage the orgs your users are in, helping both you and your users manage which login methods are allowed for an organization.

New Features

SAML Generation Links

Oftentimes, the person responsible for setting up SAML at your customer's company doesn't actually need or want access to your product. Now you can create one-off links to send them so they can go through the SAML setup workflow without needing to create their own account.

Enterprise SSO-only support

If you already have auth in place with another provider you can now add SAML/Enterprise SSO support on top of it via PropelAuth. We have guides for Cognito, Firebase, and NextAuth. If you need assistance with any other system, reach out at support@propelauth.com.

Org Switching in SSR Frameworks

If you're currently using a server side rendering based framework, such as Next.js, it can be tricky to keep track of which organization your user is interacting with. We've added the concept of an active org, which allows you to keep track of an active org for a user on both the frontend and backend, and switch it as needed when they navigate through your product. Learn more here.

Login Method

You can now, optionally, get the user's login method via their access token. This can be used to do things like require that members of a certain organization can only log in via a particular method. This is available in all of the client libraries. Learn more here.

Library Updates

• [Next.js] RedirectToSignupOptions now includes signup query parameters
• [Next.js] Each redirect function now includes a returnToPath.
• [Next.js] getUserFromApiRouteRequest can optionally take in a forceRefresh
• [Go] Added additional filters to fetching users within an organization by role and orgName
• [Flask] Added helper functions like getOrgs() to the User object
• [FastAPI] [Flask] [DRF] Exposed validate_access_token_and_get_user from the underlying propelauth-py library

Welcome to our new changelog! If you're ever looking for more detail than we can pack into our announcement emails, this is the place to look.

New Features

SSO/SAML Login Flow

If the majority of your users are logging in via SAML instead of via password, you can now set up your login page to make that experience smoother. Users using SAML or password login methods will only need to enter their email address to get directed to the right login type.

Here’s what it looks like in the password case:

This can be configured via the Signup/Login page of the PropelAuth dashboard (note: we moved all SAML configuration there to make things a little easier to find).

Configurable API Key Expiration Times

You can now allow your users to set an expiration time when they generate personal or organization API keys through our hosted UIs. The times available to your users can be configured via the PropelAuth dashboard.

When your users create an API key, they'll be able to select one of these options.

Improvements

Revamped Create or Join Org Page

We heard you loud and clear: users were often creating organizations in cases where they should be joining them instead. To reduce this, we've updated the Create or Join Org page users see during their signup flow to highlight joining existing organizations:

Updated Look for Require 2FA

Honestly - no one complained about this one, but we weren't quite happy with the way the Require 2FA set up looked, so we gave it a bit of a makeover as well.

Roles & Permissions Usability Updates

We made a few changes to the Roles & Permissions pages to make it more obvious when you have unsaved changes. We also added some handy tags so it's easy to tell which roles are set as your Owner and Default.

Disconnect SAML Button

You can now disconnect SAML connections on behalf of your users via the PropelAuth dashboard.

Bug Fixes

• Fixed a bug where the Reset Password page had some incorrect styling
• Users that were manually added to an organization that requires SAML that have never logged in via SAML are now properly required to login via SAML
• When you delete the last user/organization on a page, it'll properly redirect you to the previous page. We're sorry about this one, it annoyed us too

• Feature We now support SSO via Xero, Quickbooks Online and Salesforce
• Feature There's now a UserClass in our JS/React libraries which provide useful helper functions like user.getOrg(orgId) or user.isRole(orgId, "Admin")
• Feature Added support for pkbdf2_sha512 hashes when migrating, for both the Django and passlib formats
• Improvement Single character usernames are now allowed
• Improvement Added Jakarta Sans font
• Bugfix Fixed a bug related to the ordering of User Properties in the dashboard

• Feature Added the option to switch domains for prod & staging environments
• Feature Added support for a generic SAML provider (as opposed to our existing SAML support which provides specific guides for Okta, Azure AD, etc)
• Improvement It's now easier to see whether your organizations have a SAML connection
• Bugfix Fixed some miscellaneous styling bugs on our hosted pages

• Feature All the redirect functions in JS/React libraries take in a URL to return the user to
• Feature You can now send emails from your own email provider instead of ours

• Feature We now support creating Internal Roles.
• Feature Session length can now be set per organization
• Feature Added the ability to allow your users to require 2FA for their organizations
• Feature propelauth-py updates include new helper functions for organizations and RBAC.
• Feature Made a variety of updates to our Rust crate, including adding the ability to invite users to organization and adding user properties to UserFromToken
• Improvement The Organization table on the PropelAuth dashboard can now be sorted by created at

• Release New hosted UIs! You can now create split screen UIs, gradient backgrounds, edit the fonts, and more!
• Feature Added links to popular email providers on screens where users have been sent a confirmation email. These links will make it easy to locate those emails in their inboxes.
• Feature If a user is redirected to the management pages, but they aren't logged in yet, they are properly redirected to the management pages after they login.
• Beta Added "Active Org" support to our Next.js library
• Beta Added Remix support

• Feature We now support adding users to a Waitlist, as well as onboarding them to your product when you're ready.
• Bugfix Fixed an issue where our password requirements on login were too strict, which didn't allow customers to migrate from less strict requirements.

• Release Released @propelauth/auth-proxy for use with Streamlit
• Feature fetch_users_in_org now has the ability to filter by role
• Feature Added the option to override the Back button on the hosted account pages
• Feature Added Posthog integration
• Improvement Increased the character limit on field names from 32 to 64

• Feature Added email confirmation flows for certain SAML providers
• Feature Organizations can now be queried by name via the API
• Feature Added the option to allow users to delete their own account

• Feature Our React library now supports User Signup Query Parameters.
• Feature Our Javascript library now supports User Signup Query Parameters
• Feature Added report for aggregate User Signup Query Parameters
• Feature Added report for Organization Growth

• Feature Charts are now available on the User Insights page - you can now see your signups, organizations created, active users and active organizations over time
• Feature User pages in the Dashboard now show a visualization of activity over time
• Feature Duo is now a supported SAML provider
• Feature You can now export your list of users to .csv via the Users page

• Feature The Users table can now be sorted by Last Active At
• Bugfix Fixed an issue where you could accidentally create two properties with the same name
• Bugfix You can no longer send an invalid role via the Invite Users API

• Feature Added User Insights, which includes churn and reengagement reports for users and organizations.
• Feature You can now set alerting when a user impersonation session is started.
• Improvement The metrics on the homepage now tell you how your numbers compare to the previous month.
• Improvement SAML permissions are now enabled for account owners by default.
• Improvement We now display expired invitations on the hosted pages, so users can easily see who they might need to reinvite.
• Bugfix Magic link icons on the login page now match the text color.

• Improvement Email invite expiration time has been increased to 5 days.
• Improvement Impersonating a user no longer updates their last active at time.
• Bugfix It is no longer possible to set a negative number in max users.
• Bugfix Fixed a bug where profile pictures were not always been set correctly during login with SSO.

• Feature We now send a webhook when a user logs out.
• Feature Post-login redirects have been added to all social login flows.

• Feature Emails can now be configured to send from a custom domain.
• Feature Metrics around sign up and activity numbers are now available on the PropelAuth dashboard.
• Improvement Our migration endpoint now supports PBKDF2 hashes (the default for Django).

• Feature Released a new version of our Next.js library that supports post-login redirects.

• Feature Our Node and Express libraries have been updated to include clearPassword and inviteUser.
• Improvement Additional arguments have been added to createOrg, updateOrgMetadata and updateUserMetadata in our Node and Express libraries.
• Feature Our Go library has been updated to include ClearPassword, Disable2FA, ChangeRole. and CreateOrgV2
• Improvement Additional arguments have been added to updateOrg in our Go library.
• Feature Our Rust library has been updated to include create_access_token, delete_org, and clear_password
• Improvement Additional arguments have been added to update_org and update_user_metadata in our Rust library.
• Improvement Added a force refresh option to getUserFromServerSideProps in our Next.js library
• Improvement Reduced the cases where Next.js middleware was necessary.
• Bugfix Fixed some issues in our Next.js library around logout

• Feature Settings pages have been added to both users and organizations in the dashboard. These pages include things like changing user emails and updating joining restrictions on organizations.
• Feature Our Python, Django, Flask and FastAPI libraries have been updated to include change_role, delete_org, invite_user.
• Feature We now support AWS AppSync. You can use your auth URL as an OIDC endpoint and then you can use your Access Tokens to make GraphQL requests.
• Improvement Additional arguments have been added to create_org, update_org, and update_user_metadata in the Python, Django, Flask and FastAPI libraries.
• Improvement The limit of permissions per role has increased from 50 to 100.
• Improvement The Hosted Pages sidebar has been updated to be more specific about which API key pages are being linked to.
• Improvement We updated our Magic Link/Passwordless functionality to handle cases where the links were being automatically clicked by both email providers and email protection services.
• Bugfix Fixed some issues where redirects weren't working when multiple tabs were open.

• Feature You can now add a user to an org during the user creation process in the dashboard.
• Improvement Org Search in the dashboard now supports org IDs in addition to names.
• Improvement We've increased limits around requests that can be made to us, so customers with large amounts of user properties or permissions will no longer see an error message when saving to the dashboard.

• Feature The Frontend Integration page on the PropelAuth dashboard can now take in any URL.
• Feature Added a copy button on the Users table in the PropelAuth dashboard.
• Feature Added mobile optimization to the recently refreshed hosted pages.
• Bugfix Fixed a bug that caused users to sometimes get redirected incorrectly after confirming their email.

• Feature Added webhooks for OrgSamlSetup and OrgSamlRemoved

• Feature Released improved versions of our Account & Org Management pages, as well as new customization options in the Dashboard.

• Feature We have released support for configurable User Properties. A set of properties is available out of the box, and users on paid plans can create custom properties. For more information, check out the docs.

• Feature Made a few changes to improve email deliverability, including updated email templates.
• Feature Added PCKE support for OAuth use cases.

• Release We have released official support for applications built with NextJS 13, including both the App Router and the Pages Router For more information, check out our guide
• Feature We've reorganized our documentation, and have added a new How To section, focused on specific needs and scenarios.
• Feature To the dashboard we've added new, more intuitive sections to your projects, and made various user experiences more streamlined and natural.

• Release We have released API Key Authentication! For more information, checkout our quickstart guide
• Feature Added new endpoints to enable and disable organization creation for specific users.
• Feature Added the ability to set maximum user limits in specific organizations.
• Bugfix No longer sending two "Org Created" webhooks in some cases when orgs were created.
• Bugfix Small fixes to the dashboard to improve the overall experience.

• Release We have released our Go Backend library! Find out more here
• Beta Currently we are running a beta program for customers interested in SSR support. For more information, please contact us at support@propelauth.com
• Feature Added more flexibility to our frontend integration location URLs.

• Feature We have released support for User Impersonation! Find out more here|

• Release New look to the dashboard with several user experience improvements.
• Feature We now provide another isolated development environment in the PropelAuth dashboard: Staging.
• Feature Added new front end configuration options to the dashboard.
• Feature We added the ability to name your API keys in the PropelAuth dashboard, as well as making them "ReadOnly"
• Feature You now have the ability to search for organizations by name in the dashboard.

• Feature New “metadata” fields have been added to the user and organization objects where you can assign JSON objects of customizable data.
• Feature We now provide access to email, name, and username on the JWT. Previously, to access this data you would need to make another external request to us.
• Beta Added user_id and org_id query options for API Authentication. Previously you would have to sort through all results at once.
• Release Recently underwent our annual penetration testing via 3rd party, and we passed. Find more here.
• Feature RedirectToSignup and RedirectToLogin now take in props for postSignupRedirectUrl and postLoginRedirectUrl

• Bugfix "Create Org" and "Join Org" now on the same page as separated functions. Previously, if you disabled the ability for users to create organizations, the “join org” functionality would be hidden as well. Users can now join organizations regardless of their ability to create one.
• Bugfix Changed the "disable public signups" option so that invited users can still create an account even if the feature is turned on. Previously this feature was blocking some users who were invited and choose to join through SSO, but this has been fixed.
• Bugfix Fixed Microsoft login issue. For users that didn’t have their first name or last name set in their Microsoft account, signing in with Microsoft was failing. This only affected users who enabled the “collect name on signup” feature. We’ve resolved this issue, and users can now sign in seamlessly with their Microsoft account, and if we cannot pull their first and last name from Microsoft, we prompt the user to provide it afterwards
• Bugfix Increased the acceptance time for confirmation emails to 5 days (previously it was only 2)
• Bugfix Made small styling fixes to our component library and hosted pages to improve the overall look and feel of the platform

• Feature Added an API to create access tokens for testing purposes. Previously, you would need to use our frontend libraries to get tokens, and the tokens were all short-lived. Now you can make an API call to get an access token for a specified user, with a custom expiration.
• Feature Added refreshAuthInfo to @propelauth/react so you can force refresh the auth information
• Feature Improved useAuthInfo so that you can now destructure without needing to check loading first
• Feature Added new redirect function redirectToSetupSAMLPage
• Feature For each redirect function (e.g. redirectToLoginPage), we now also provide a getter function to get the underlying URL (e.g. getLoginPageURL). This allows for more flexible usage.
• Bugfix Fixed issue with fetch_org in the Rust crate where it's return type was incorrect
• Bugfix Updating your email no longer sends a confirmation if you had "email confirmation not required" in that environment

• Release Released support for Chrome Extensions alongside Plasmo
• Beta Beta support for API authentication. You can generate API keys for your customers tied to either your users, your organizations, or both.
• Bugfix Fixed issue with propelauth-py which made it fail to build on some OS's
• Bugfix Fixed issue with Google login where it wasn't always updating the user object with their name

• Beta Beta release for our Component Library!
• Release Updated our example apps section with new examples and forkable git repos
• Feature Updated our libraries with a new optional boolean field askUserToUpdatePasswordOnLogin in all three of: createUser, migrateUser, and updatePassword. This forces the user to set/update their password.
• Feature You can now disable password authentication in the dashboard.
• Feature Added options for you to specify how long your users remain logged in and whether it's based on inactivity or just a fixed amount of time
• Feature Added deeper organization configuration options, like requiring all users to be in at least one org.

• Release Added backend support for Cloudflare Workers
• Feature Added support for Ngrok as a replacement for localhost in the test environment
• Feature Added organization settings in the hosted pages, enabling your users to toggle domain allow/denylists
• Bugfix Fixed a few styling issues in the hosted pages

• Release Added backend support for Rust with support for Axum and Actix.
• Feature Added APIs to make it easier to programmatically manage your users (managing/deleting orgs, updating user metadata, etc.)
• Feature Added a new webhook on user login.
• Bugfix Cleaned up the workflow around verifying a domain. You can now verify ownership via a TXT record on a special subdomain, instead of using the root domain.
• Beta User login duration can be configured now. You can either specify an absolute amount of time the user is logged in, or a period of inactivity, after which they will be logged out.

• Feature Usernames now support unicode characters.
• Feature Added AuthProviderForTest to our React library that's useful for testing (thanks to mykeels for the suggestion).
• Feature Added an option for copying user IDs out of the dashboard.
• Bugfix Updated copy on the default create org page

• Release Custom Roles & Permissions (RBAC) is live! This feature enables you to create custom roles and permissions. We also updated all our libraries to add advanced authorization with these roles and permissions.
• Feature Added the concept of an active organization (see getActiveOrgFn). For users in multiple organizations, this allows you to set the organization they are operating within and works with the roles and permissions update.
• Beta Added option to disable signups from personal email domains (e.g. gmail.com, yahoo.com, etc).

• Feature Added the ability to disable 2FA/MFA for your users either programmatically or through our dashboard
• Feature Added the ability to customize what you call "Organizations". This will automatically update all the hosted UIs and user facing error messages.
• Feature When logging a user in, you can specify where to redirect the user outside of the default redirect URL.
• Bugfix You can now create organizations even if the feature is disabled. This allows for a smoother process of migrating to organizations if you are already live.
• Beta Added more options to the concept of organizations. You can require that your users are in at least one organization, require that users must log in directly to their organization, and more. Reach out if you'd like to try this out.
• Beta Added more granular controls over which domains/subdomains can access authentication information. This includes creating staging environments that can be reached by localhost, having a small set of subdomains that are NOT allowed to check if a user is logged in (for vendors you might not trust), and more.

• Release Self-service SAML is live! This feature allows your customers to log in to your product using their existing identity provider, like Okta, Google, OneLogin, and more.
• Feature Added support for Azure AD to our list of SAML IDPs, including documentation for your customers
• Feature Added additional APIs for our backend libraries for enabling/disabling/deleting users. Also handles logging users out remotely.

• Feature Added new APIs for disabling, enabling, and deleting users. Disabling/Deleting a user will both log them out and prevent them from logging back in.
• Feature Added option for your users to test their SAML connections before enabling them.
• Feature Added new APIs for explicitly picking which organizations can login via SAML. This can also be done via the dashboard, or you can enable it globally for all organizations.
• Bugfix @propelauth/react library was re-rendering more than it needed to.
• Release Created demo site where you can experiment with different themes without needing to sign up.

• Release Release of our new hosted authentication pages. Includes more customizations, more themes, and more self-service options for your users.
• Feature Added new APIs for migrating users from an external system.
• Feature Added new APIs for manually managing organizations and RBAC.
• Feature Released v1.2.4 of @propelauth/javascript which prevents fetching auth information if we've fetched recently.
• Beta Added Okta and JumpCloud support within our SAML beta.

• Feature Our hosted authentication pages can now be embedded in your application via an iframe.
• Feature Added more options for you to manage your users directly in your dashboard, like resending confirmation emails or manually confirming the email.
• Feature Allow your users to revoke organization invitations and see invitations that expired.
• Feature You can now search directly for a user by ID (in the dashboard).
• Beta Added self-service wizards for existing IDPs within our SAML beta. This walks your users through the steps of setting up a SAML connection.

• Feature Allow subdomains of your application to also fetch authentication information. In other words, if you set https://example.com as your application URL, you can now set up additional authenticated applications at any subdomain like https://app.example.com.
• Feature Added option to disallow users from creating their own organizations. They can still manage the organization and invite new users, but it allows you to create and setup organizations on their behalf.
• Bugfix Added event_type to webhooks to make it easier to distinguish
• Bugfix Added additional options to verify your domain name
• Beta Added non-hierarchical roles (RBAC) support to our custom roles beta

• Release Added @propelauth/node library to support serverless use cases or frameworks that don't accept Express middleware.
• Feature Our backend libraries can now check org membership by name instead of just id, allowing for better subdomain-per-customer support.
• Feature You can now manage your user's organizations through our dashboard, instead of just programmatically.
• Bugfix Allow you to submit logos as SVGs.

If you have any questions about features or changes before July 15, 2022 please reach out at support@propelauth.com.