Boundary CHANGELOG
Canonical reference for changes, improvements, and bugfixes for Boundary.
0.21.3 (2026/04/28)
New and Improved
- Added support for IBM Passport Advantage Online licensing. You can now use PAO to enable Boundary Enterprise.
- Added support for new debug flag to expose pprof endpoints for debugging purposes. (PR)
- Updated internal dependencies.
Security
- Resolved a vulnerability (CVE-2026-7776) that could lead to a denial-of-service condition during TLS handshakes. For more information, refer to Boundary Workers Vulnerable to Denial of Service During TLS Handshake.
- Updated jackc/pgx/v5 dependency to v5.9.2 to address GHSA-j88v-2chj-qfwx, GO-2026-4771, GO-2026-4772, and GHSA-9jj7-4m8r-rfcm (PR, PR)
- Updated Azure/go-ntlmssp dependency to v0.1.1 to address GHSA-pjcq-xvwq-hhpj (PR)
0.21.2 (2026/04/06)
New and Improved
- cli: Added optional flags -sort-by and -sort-direction to boundary search. These flags can be used to control sorting when searching the client cache and the resource is sessions or targets. (PR)
- The client cache search API now supports the sort_by and sort_direction query parameters when searching sessions or targets. (PR)
0.21.1 (2026/02/10)
Security
- Go version bumped to 1.25.7 to address CVE-2025-61730 (PR)
- Go Cryptography dependency update to address CVE-2025-58181 and CVE-2025-47914 (PR)
0.21.0 (2025/12/11)
New and Improved
- Vault LDAP has been added as a credential provider (PR)
- Added support for host key verification when connecting to an SSH target by
providing a known_hosts file. (PR)
- Added new credential type for password. (PR)
- ui: Optimized loading of table filters and improved table search support (PR)
- cli: boundary connect will close unused sessions when there is no longer a
connection being actively proxied. This behavior can be modified via the
-inactive-timeout=<duration> command-line argument (PR)
- cli: boundary connect redis can now consume password credentials (PR)
- AWS KMS credential handling now allows the use of shared credential files.
Additionally, the default profile is now included in the credential chain
by default if it exists. (PR)
Bug fixes
- ui: Show username for OIDC auth method in user menu (PR)
- boundary connect rdp no longer opens a new window for each call on Mac. (PR)
- Removed the error log emitted during the RDP basic settings exchange when you
connect to an RDP target using the built-in Windows Remote Desktop Connection app. (PR)
0.20.3 (2026/04/30)
New and Improved
- Added support for new debug flag to expose pprof endpoints for debugging purposes. (PR)
Security
- Resolved a vulnerability (CVE-2026-7776) that could lead to a denial-of-service condition during TLS handshakes. For more information, refer to Boundary Workers Vulnerable to Denial of Service During TLS Handshake.
- Updated jackc/pgx/v5 dependency to v5.9.2 to address GHSA-j88v-2chj-qfwx, GO-2026-4771, GO-2026-4772, and GHSA-9jj7-4m8r-rfcm (PR, PR)
- Updated Azure/go-ntlmssp dependency to v0.1.1 to address GHSA-pjcq-xvwq-hhpj (PR)
0.20.2 (2026/02/10)
Security
- Go version bumped to 1.25.7 to address CVE-2025-61730 (PR)
- Go Cryptography dependency update to address CVE-2025-58181 and CVE-2025-47914 (PR)
0.20.1 (2025/11/03)
New and Improved
- Added a complete IBM Key Protect wrapper implementation with configuration options and KMS client integration (PR)
0.20.0 (2025/09/25)
New and Improved
- Update cap/ldap pkg to latest version to address possible concurrency issue (PR)
- Added support for RDP targets and RDP credential injection for connecting to
Windows machines. RDP credential injection supports both NTLM and Kerberos
authentication.
- Added new credential type for username, password, and domain credentials.
- cli: Added boundary connect mysql command for connecting to MySQL targets.
This new helper command allows users to authorize sessions against MySQL
targets and automatically invoke a MySQL client with the appropriate
connection parameters and credentials.
- cli: Added boundary connect mongo command for connecting to MongoDB targets.
This new helper command allows users to authorize sessions against MongoDB
targets and automatically invoke a MongoDB client with the appropriate
connection parameters and credentials.
- Adds support to parse User-Agent headers and emit them in telemetry events
(PR).
- cli: Added boundary connect cassandra command for connecting to Cassandra targets.
This new helper command allows users to authorize sessions against Cassandra
targets and automatically invoke a Cassandra client with the appropriate
connection parameters and credentials. Currently only username/password credentials are automatically attached.
- cli: Added boundary connect redis command for connecting to Redis targets.
This new helper command allows users to authorize sessions against Redis
targets and automatically invoke a Redis client with the appropriate
connection parameters and credentials. Currently only username/password credentials are automatically attached.
- ui: Improved load times for resource tables with search and filtering capabilities by replacing indexeddb for local data storage with sqlite (WASM) and OPFS (PR)
Bug fixes
- ui: Fixed rendering bug where header for the Host details page rendered multiple times (PR)
- ui: Fixed bug where worker tags could not be removed when creating a new worker (PR)
Deprecations/Changes
- Modified parsing logic for various IP/host/address fields across Boundary.
Notably, for some fields, Boundary previously required bracket-enclosed
IPv6 addresses (eg: [::1]). With this change, if the provided address is
just an IPv6 literal, enclosing the address in brackets is not valid.
Additionally, an input address containing an IPv6 literal may be modified by
Boundary to conform with RFC 5952.
(PR)
0.19.5 (2026/04/30)
New and Improved
- Added support for new debug flag to expose pprof endpoints for debugging purposes. (PR)
Security
- Resolved a vulnerability (CVE-2026-7776) that could lead to a denial-of-service condition during TLS handshakes. For more information, refer to Boundary Workers Vulnerable to Denial of Service During TLS Handshake.
- Updated jackc/pgx/v5 dependency to v5.9.2 to address GHSA-j88v-2chj-qfwx, GO-2026-4771, GO-2026-4772, and GHSA-9jj7-4m8r-rfcm (PR, PR)
- Updated Azure/go-ntlmssp dependency to v0.1.1 to address GHSA-pjcq-xvwq-hhpj (PR)
0.19.4 (2026/02/10)
Security
- Go version bumped to 1.25.7 to address CVE-2025-61730 (PR)
- Go Cryptography dependency update to address CVE-2025-58181 and CVE-2025-47914 (PR)
0.19.3 (2025/07/10)
New and Improved
- cli: Added boundary connect mysql command for connecting to MySQL targets.
This new helper command allows users to authorize sessions against MySQL
targets and automatically invoke a MySQL client with the appropriate
connection parameters and credentials.
- Adds support to parse User-Agent headers and emit them in telemetry events
(PR).
- Improved grants system performance by refactoring the IAM data model. In the previous version, Boundary always fetched all grants and grant scopes of a user to perform permissions checks. This refactor
allows Boundary to only fetch the grants and grant scopes that are relevant to the current request, significantly improving performance for users with large numbers of roles and grant scopes.
(PR)
- ui: Sorting functionality added to aliases, groups, roles, scopes, targets, session recordings, sessions, users, auth methods, credential stores, and host catalogs resource tables.
(PR)
Bug fixes
- Fixed the children grant scope not behaving properly with list-resolvable-aliases (PR) (PR)
- Fixed issue 5003 where resource ID grants were prioritized over ids=* grants, causing grants to be overly restrictive under some circumstances. (PR)
Deprecations/Changes
- Modified parsing logic for various IP/host/address fields across Boundary.
Notably, for some fields, Boundary previously required bracket-enclosed
IPv6 addresses (eg: [::1]). With this change, if the provided address is
just an IPv6 literal, enclosing the address in brackets is not valid.
Additionally, an input address containing an IPv6 literal may be modified by
Boundary to conform with RFC 5952.
(PR)
- Redundant grant scopes are no longer allowed. For example, if an org scope inherits a grant from the global scope, you cannot apply the same grant directly to the org scope. Passing the -repair flag to the boundary database migrate command will find and remove any redundant grant scopes in the database.
(PR)
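The address rule stated in the 0.20.0 and 0.19.3 Deprecations/Changes entries, as an added Go example that is not Boundary's own parser: a bare IPv6 literal in brackets is rejected, and IPv6 literals are rewritten to their RFC 5952 text form, which is useful for pre-validating configuration before an upgrade. NormalizeAddress, canonicalHost and ErrBracketedLiteral are hypothetical names, and the handling of host:port input is an assumption that goes beyond what the entries state.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// ErrBracketedLiteral reports a bare IPv6 literal wrapped in brackets,
// the form the changelog entry says is no longer valid.
var ErrBracketedLiteral = errors.New("bare IPv6 literal must not be enclosed in brackets")

// canonicalHost returns the RFC 5952 text form when host is an IPv6
// literal, and host unchanged otherwise (IPv4 address or DNS name).
// netip.Addr.String lowercases hex digits, drops leading zeros and
// compresses the longest run of two or more zero fields with "::".
func canonicalHost(host string) string {
	addr, err := netip.ParseAddr(host)
	if err != nil || !addr.Is6() {
		return host
	}
	return addr.String()
}

// NormalizeAddress is a hypothetical helper illustrating the rule; it is
// not Boundary's implementation.
func NormalizeAddress(input string) (string, error) {
	s := strings.TrimSpace(input)
	if s == "" {
		return "", errors.New("empty address")
	}
	// "[::1]": brackets around an address with no port following them.
	if strings.HasPrefix(s, "[") && strings.HasSuffix(s, "]") {
		if _, err := netip.ParseAddr(s[1 : len(s)-1]); err == nil {
			return "", ErrBracketedLiteral
		}
		return "", fmt.Errorf("malformed address %q", s)
	}
	// A bare IP literal: canonicalise IPv6, leave IPv4 as given.
	if _, err := netip.ParseAddr(s); err == nil {
		return canonicalHost(s), nil
	}
	// host:port (assumption): brackets are required here for IPv6, and
	// JoinHostPort adds them back around the canonical literal.
	if host, port, err := net.SplitHostPort(s); err == nil {
		return net.JoinHostPort(canonicalHost(host), port), nil
	}
	// Anything else is treated as a DNS name and passed through.
	return s, nil
}

func main() {
	// Constructed sample inputs.
	samples := []string{
		"[::1]",
		"2001:0DB8:0000:0000:0000:0000:0000:0001",
		"2001:db8:0:1:0:0:0:1",
		"[2001:DB8::1]:22",
		"10.0.0.1",
		"db.internal.example:5432",
	}
	for _, in := range samples {
		out, err := NormalizeAddress(in)
		if err != nil {
			fmt.Printf("%-42s -> rejected: %v\n", in, err)
			continue
		}
		fmt.Printf("%-42s -> %s\n", in, out)
	}
}
```

Values stored in the old bracketed form can be found by running existing addresses through a check like this and listing the rejected ones.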
0.19.2 (2025/05/08)
New and Improved
- ui: Populate subject for OIDC account name displays.
(PR).
- ui: Improved performance when initially fetching large sets of resources.
(PR).
- ui: Improved search & filtering behavior when using search field.
(PR).
Bug fixes
- Fixed an issue in the worker where closing an SSH channel failed to exit a
loop, which would cause a massive spike in CPU usage over time. This change
only affects Enterprise.
- ui: Fix an issue where the user could not change the key_type of a
Vault SSH Certificate credential library.
(PR).
0.19.1 (2025/03/04)
New and Improved
- Adds support for Azure Virtual Machine Scale Sets in the Azure plugin
(PR).
0.19.0 (2025/02/10)
New and Improved
- Introduces soft-delete for users within the client cache.
(PR).
- GCP dynamic host catalog: Add dynamic host catalog support for
discovering GCP Compute Engine VM Instances.
(PR).
- The worker domain has been refactored to create clear domain functions for worker operations, improve readability and
maintainability of worker queries, and improve DB performance. (PR).
- Adds support for dual-stack networking for AWS operations.
(PR)
  - Note: As a consequence of updating AWS SDK dependencies to enable
  dual-stack support, this Boundary release may consume more memory. From our
  testing, the increase seems to be around 1.6x, however this
  may vary depending on your deployment architecture.
- The worker <-> controller communications have been refactored to improve performance
and reliability at large scale. Workers older than v0.19.0 will remain supported
until the release of v0.20.0, in accordance with
our worker/controller compatibility policy.
- Add concurrency limit on the password hashing of all password auth methods.
(PR).
This avoids bursty memory and CPU use during concurrent password auth method
authentication attempts. The number of concurrent hashing operations
can be set with the new concurrent_password_hash_workers configuration
value in the controller stanza, or the new
BOUNDARY_CONTROLLER_CONCURRENT_PASSWORD_HASH_WORKERS environment variable.
The default limit is 1.
- ui: Improve worker filter workflow for targets, vault credential-stores, and storage-buckets. (PR).
Bug fixes
- Fix bug in applying BOUNDARY_MAX_RETRIES for boundary cli. Previously
setting this environment variable would result in a max retries of 2,
regardless of the value set.
(PR).
- Fix bug in parsing IPv6 addresses. Previously setting a target address or the
initial upstream address in the config file would result in a malformed value.
(PR).
- Fix an issue where, when starting a session, the connection limit always displays 0.
(PR).
- Fix bug which caused the children keyword not to apply the appropriate
permissions for a number of resources.
(PR).
- Fix bug where database transactions were not using the correct reader & writer functions
and context.
(PR).
- Remove unnecessary subquery from alias refresh
(PR).
Security
0.18.3 (2025/02/10) (Enterprise only)
Bug fixes
- Fix bug where database transactions were not using the correct reader & writer functions
and context.
(PR).
- Remove unnecessary subquery from alias refresh
(PR).
Security
0.17.4 (2025/02/10) (Enterprise only)
Bug fixes
- Fix bug where database transactions were not using the correct reader & writer functions
and context.
(PR).
- Remove unnecessary subquery from alias refresh
(PR).
Security
0.18.2 (2024/12/12)
Bug fixes
- Fixed an issue where session recordings would fail when large numbers of
sessions were created around the same time. (PR)
- Fixed an issue where the controller would incorrectly handle HTTP requests
and stop prematurely. (PR)
0.17.3 (2024/12/12)
Bug fixes
- Fixed an issue where session recordings would fail when large numbers of
sessions were created around the same time. (PR)
- Fixed an issue where the controller would incorrectly handle HTTP requests
and stop prematurely. (PR)
0.18.1 (2024/11/21)
New and Improved
- Delete terminated sessions in batches to avoid long running jobs.
(PR)
Bug fixes
- Fix an issue where users would lose access to managed groups if
there are more than 10,000 managed groups in the auth method used.
(PR)
- Fix an issue where only the first 10,000 members of a managed group
are returned when getting the managed group, and a similar issue where
only the first 10,000 managed groups an account is part of is included
when getting the account.
(PR)
0.18.0 (2024/10/01)
New and Improved
- Add support for dynamic host catalog plugins running in Boundary workers:
Boundary plugins that handle dynamic host catalog operations (such as the
AWS and Azure plugins) can now run on workers. (PR)
- Dynamic host catalogs worker filter support (Enterprise and HCP Boundary
only): Operators can now set a worker filter when creating a dynamic host
catalog. When set, all of the plugin requests will be sent to the matching
worker for processing. (PR)
- AWS dynamic host catalogs AssumeRole authentication support: Operators can
now set up AWS dynamic host catalogs using Amazon's AssumeRole
authentication paradigm by providing a valid Role ARN when creating the host
catalog. (PR and PR)
- Improved MinIO storage plugin compatibility with other services by dropping
the checksum headers in PutObject.
(PR)
- ui: Add UI support for searching and pagination of aliases.
(PR)
- ui: Add UI support for filtering and pagination of session recordings.
(PR)
- ui: Improve multi-scope grants select/deselect process.
(PR)
Bug Fixes
- Prevented a data-race in Boundary's event logging system.
(PR)
- Update Storage Bucket type icon in Target view.
(PR)
- Allow user to retry when authentication is pending with OIDC.
(PR)
Deprecations/Changes
- Remove deprecated controllers field from the worker config, which was deprecated in 0.9.0 for
initial_upstreams (PR)
0.17.2 (2024/09/25)
New and Improved
- Improve performance of grants query by reducing the number of rows that need
to be returned. (PR)
- Add several indexes to database tables to improve performance of cascading
deletes/updates to session tables.
(PR)
- Reorder indexes on several join tables to improve performance of grants query.
(PR)
- Make client cache sqlite database persistent between restarts of the client
cache daemon. (PR)
- Improve client cache performance by adding indexes, limiting results,
and ensuring only one refresh is running at a time for a given user and
resource. (PR)
- Add pagination support to client API and use pagination when caching
resources in client cache.
(PR and PR)
Bug Fixes
- The Go API properly uses the passed in value for WithRecursive and
WithSkipCurlOutput instead of always setting to true regardless of the
passed-in value. (PR)
0.17.1 (2024/08/21)
New and Improved
- Add GetDownstreamWorkersTimeout config option, which sets the timeout (as a
duration) for the GetDownstreamWorkers call in DownstreamWorkerTicker. This is
currently not documented and considered internal. (PR)
Bug Fixes
- Fixed issue where storage policies were not deleted when scopes are deleted
(PR)
- Contains Bug Fixes from 0.16.3
Security
- Contains Security Fixes from 0.16.3
0.16.3 (2024/08/21)
New and Improved
- Add GetDownstreamWorkersTimeout config option, which sets the timeout (as a
duration) for the GetDownstreamWorkers call in DownstreamWorkerTicker. This is
currently not documented and considered internal. (PR)
Bug Fixes
- Minio large file support: Disable multipart uploads via minio to fix an issue
where the file checksum is set incorrectly on each part of the upload, causing
it to fail. This change fixes file uploads larger than 16MB and limits upload
sizes to 5GB. (PR) and
(PR)
- Resolved an issue where session authorization was returning a 401 if the
alias is non-existent or the alias does not resolve to anything. A 404
status code is now returned.
(PR)
Security
- curl (enterprise): The curl binary is no longer included in the published
Docker container images for Boundary Enterprise to address the CVE-2024-7264
vulnerability.
0.17.0 (2024/07/17)
New and Improved
- SBC (Storage Bucket Credential): This release introduces SBC, a resource that
represents credentials for authentication and authorization with an external
object store. There are two SBC types, managed secret and environmental.
(PR),
(PR) and
(PR)
- SBC State: This release introduces SBC State, which represents the ability
for a worker to perform a specific action using the storage bucket. SBC
permission types (write, read, & delete) represent an action that is required
for the storage bucket to do as a routine task on an external object store.
Each permission type has a permission state (ok, error, unknown).
- SBC Worker Filtering: For protocol aware workers that require interaction
with an external storage service, the workers will be filtered by the SBC
state depending on the action and permission required.
- ui: Add multiple grant scope support for roles
(PR)
- ui: Add API tags support for workers and improve worker filtering for targets
(PR)
- Updated grpc to 1.61.1 (PR)
Bug Fixes
0.16.2 (2024/06/10)
New and Improved
- Updated Minio plugin to allow for potential use with other S3-compatible
storage providers.
(PR) and
(PR)
Bug Fixes
- Fixed a bug where a worker credential rotation request succeeded on the
controller but the response to the worker was lost. This resulted in the
controller using a separate set of credentials than the worker, causing the
worker to be unable to connect to the controller. The fix implements the new
nodeenrollment library NodeIdLoader interface, which ensures that on store, if
worker NodeInformation has a previous key set, the worker will check and correct
its stored credential set to match. LodeNodeInformation was also updated to fix
a bug where in this split credential scenario, the current credential key was
assumed to be the incoming worker key, which caused the wrong key information to
be populated for the key id.
(PR)
New and Improved
- Allow descriptions to contain newlines and other whitespace
(PR)
- Listed roles contain grant scope ID information
(PR)
Deprecations/Changes
- The grant_scope_id field on roles, which was deprecated in 0.15.0, has been removed.
(PR)
0.16.1 (2024/05/30)
New and Improved
- The observation tag was added to session recording and storage bucket proto messages for telemetry purposes. If you enable telemetry and observation events, Boundary will now collect data about session recording and storage buckets.
(PR) and (PR)
Deprecations/Changes
- The boundary daemon command has been deprecated in favor of the new
boundary cache command. The behavior remains the same. The boundary search
command is unchanged.
(PR)
- The include_terminated field in the list sessions request will be removed
in an upcoming release. After the deprecation process is complete and the
field is removed, terminated sessions will be returned
in all list session responses unless filtered out using the filter field.
(PR)
Bug Fixes
- Fix a deadlock issue where the controller could get stuck with all of its
available database connections being stuck in idle in transaction.
If a controller is configured to have a max_open_connections, and was under
sufficient load in the form of requests from workers interacting with
sessions, like in the form of authorizing new session connections, the
controller could get stuck after consuming all of the database connections,
leaving them in the idle in transaction state. This was due to a
combination of issues, including the lack of a request timeout for worker to
controller grpc requests, and the session repository attempting to use a
separate database connection to retrieve a kms.Wrapper after already starting
a database transaction. The fixes move these kms operations outside of the
transaction and set a max request duration for the grpc requests based on
the cluster's listener configuration.
(PR and
PR)
- LDAP account attribute maps. Account attribute maps have been supported since
the introduction of LDAP authentication, however a bug was present where we
wouldn't take those into account upon authenticating (when receiving the
information from the LDAP server). This is now resolved
(PR).
0.16.0 (2024/04/30)
New and Improved
- Target aliases have been added: You can now create an alias for a target. In
most situations where you would use a target id, you can now instead use the
alias value. Create an alias with boundary aliases create target -value example.boundary -destination-id ttcp_1234567890
and connect to a target using an alias using boundary connect example.boundary
- Worker local storage state: Self managed workers that are configured to be
used for session recordings will report the state of its disk space. To
learn more about this new feature, refer to the
documentation.
- MinIO storage plugin: You can now create a storage bucket that allows Boundary
to interoperate with a MinIO cluster for Session Recording storage. This
includes some added functionality such as credential rotation and credential
management. To learn more about the plugin, refer to the
readme.
Note: Due to a library incompatibility, this release is not yet compatible
with the netbsd operating system. Please refer to the following documentation
to learn how to create a storage bucket.
- ui: Add UI support for filtering and pagination
(PR)
- ui: Add UI support for MinIO (Enterprise and HCP Boundary only)
(PR)
Added dependency
- postgres citext dependency added to enable aliases to be globally unique in
a case insensitive way.
0.15.4 (2024/04/09)
Security
0.15.3 (2024/03/21)
Bug Fixes
- Fix a nil pointer error in the client cache daemon when a refresh was forced
performing a boundary search.
(PR)
- workers: Workers connecting over high latency connections, or to controllers
with high latency between the controller and the database, could time out and
throw errors that may not have been recoverable if it was during initial
registration (PR)
- Resolved an issue introduced in 0.14 where, after successfully deleting an AWS S3
Storage Bucket with credential rotation enabled, Boundary could not delete the
associated IAM Access Key resource
New and Improved
- templating: A new templating function coalesce can be used to match a
template against multiple possible values, returning the first non-empty
value. As an example, this can be used in a credential library to allow a
username value that might be comprised of a name or login name depending on
the auth method, e.g. {{ coalesce .Account.Name .Account.LoginName}}
(PR)
0.15.2 (2024/03/11)
Bug Fixes
- Go version bump to 1.21.8 to address CVE-2024-24783, CVE-2023-45290,
CVE-2023-45289, CVE-2024-24785, and CVE-2024-24784
- Protobuf Go update to address CVE-2024-24786
0.15.1 (2024/02/28)
Bug Fixes
- cli: Update proxy listener to not close when the number of connections left
for the session is zero. The listener will refuse new connections when the
number of connections left is zero but existing connections will be active.
This fixes a CLI client issue where sessions with max connection count
configured were closed when the number of connections left hit 0.
(Issue, PR)
- Fix issue where the websocket connection was throwing closing errors during
the session teardown.
(PR)
New and Improved
- feat: support added for tracking and reporting monthly active users for
the purpose of billing. It adds a new API endpoint,
/v1/billing:monthly-active-users and new cli command,
boundary billing monthly-active-users that can be used to view the monthly
active user counts.
0.15.0 (2024/01/30)
Deprecations/Changes
- Per the note in Boundary 0.13.0, the previous kms worker method has been
removed. Since 0.13.0, unless the use_deprecated_kms_auth_method value was
set on the worker config, the new kms mechanism was already being used; this
is simply no longer an available option.
- Per the notes in Boundary 0.12.0 and 0.14.0, it is now an error if an address
on a host or target contains a port. As of this release, this restriction also
affects existing addresses (not just creation/updating via the API) so any
existing addresses containing a port will not be able to be used as part of a
target's session authorization call.
- The grant_scope_id field on roles is now deprecated in favor of the multiple
grant scope support.
- Per the note in Boundary 0.13.1, the id field in grants has changed to ids
which allows multiple ids to be included; existing grants submitted to
Boundary will continue to work, but grants using "id" can no longer be added
to or set on a role.
- All list endpoints except workers now return the first 1000 items instead
of all items if no parameters are provided. The number of items returned can
be configured through the new controller configuration value max_page_size.
The Admin UI, CLI and api package automatically paginate results.
New and Improved
- Multiple grant scopes in roles: Roles now support multiple grant scopes, along
with the special values this, children (global/org only) to apply to all
direct children of a scope, and descendants (global only) to apply to all
descendants of a scope. These use the new actions add-grant-scopes,
set-grant-scopes, and remove-grant-scopes on roles. For now the
grant_scope_id field on roles will continue to be able to be set, which will
set a single grant scope, but this capability is now deprecated.
- Policies (Enterprise and HCP Boundary only): This release introduces Policies, a
Boundary resource that represents a Governance Policy to enforce. The first
implementation targets Storage Policies, which enables administrators to automate
the process of retention and deletion of Session Recordings, ensuring that they're only
retaining data that is explicitly required from a security/compliance perspective.
- ui: Add full UI support for Storage Policies managing the lifecycle of Session Recordings.
(PR)
- New generic commands read, update, and delete have been added. These
allow operating on resources by directly specifying the ID of the resource as
the next parameter (e.g. boundary update ttcp_1234567890). Subtypes do not
need to be specified (e.g. that command is equivalent to
boundary targets update tcp -id ttcp_1234567890), and any flags given after the
ID are passed through to the type-specific subcommand. Once the ID has been
entered, autocomplete is also supported.
(PR)
- The key_id parameter within SSH Certificate Credential Libraries now accepts
the use of templated parameters
(PR)
- List endpoint pagination: All list endpoints except workers now support pagination.
- api: All list endpoints except workers have added support for pagination.
The api package automatically paginates until the end of the results. The new
WithListToken option can be used to request a list of updated and deleted resources
relative to the last result received.
- config: add new controller field max_page_size for controlling the default and max size
of pages when paginating through results.
- New command search has been added allowing quick searching of targets or
sessions. It utilizes a client side cache also added in this release. The
client side cache starts itself automatically in the background when successfully
executing any command that communicates with a Boundary controller. To disable
the client cache from starting automatically set the
environment variable or pass the
flag when running a command that may start it.
Commands , , , and
were added to help manage the cache. The cache does not currently work with
Boundary instances that require the use of client side certs.
0.14.3 (2023/12/12)
New and Improved
- Added the ability to enforce rate limits on the Controller API. This version
enables rate limits by default. For details on the default rate limits,
how to configure rate limits, and how to disable rate limiting see the
noted PR. (PR)
- Add support for OIDC prompts. Using prompts, the Relying Party (RP) can
customize the authentication and authorization flow to suit their specific
needs and improve the user experience. For details, see OIDC Authentication
request (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
(PR)
Bug Fixes
- Update go-kms-wrapping/extras/kms dependency to allow external wrappers
without a key id to be used within a KMS config stanza. Note: this fix allows
GCP KMS keys to be used again with Boundary, which had stopped working in v0.13.0.
(PR)
- Two Vault client settings were not being properly used when constructing a
Vault client. (PR)
  - The TLS Skip Verify setting was only being set if a CA Cert was also
  configured. This fix sets the TLS Skip Verify when configured regardless of
  other settings.
  - The TLS Server Name setting was never being set. Bad programmers. This fix
  now sets it on the Vault client if the Vault Credential Store has been
  configured to use a value for this setting.
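The bug class in the Vault client entry above, as an added Go example that is not Boundary's code: one TLS option applied only inside the branch for another, and one never copied at all, next to a corrected builder and a check that reports which configured settings failed to reach the resulting tls.Config. The storeTLS type, its field names and every function name here are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// storeTLS is a hypothetical stand-in for the TLS settings of a Vault
// credential store; it does not mirror Boundary's types.
type storeTLS struct {
	CAPool     *x509.CertPool // nil when no CA Cert is configured
	SkipVerify bool           // "TLS Skip Verify"
	ServerName string         // "TLS Server Name"
}

// buggyTLSConfig reproduces the pattern the entry describes: Skip Verify is
// applied only when a CA is configured, and Server Name is never applied.
func buggyTLSConfig(s storeTLS) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if s.CAPool != nil {
		cfg.RootCAs = s.CAPool
		cfg.InsecureSkipVerify = s.SkipVerify // unreachable without a CA
	}
	return cfg
}

// fixedTLSConfig applies each setting independently of the others.
func fixedTLSConfig(s storeTLS) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if s.CAPool != nil {
		cfg.RootCAs = s.CAPool
	}
	cfg.InsecureSkipVerify = s.SkipVerify
	if s.ServerName != "" {
		// Name the server certificate is verified against (and sent as SNI).
		cfg.ServerName = s.ServerName
	}
	return cfg
}

// droppedSettings lists configured settings that did not make it into cfg.
// A regression test built on this catches both halves of the bug.
func droppedSettings(s storeTLS, cfg *tls.Config) []string {
	var dropped []string
	if (s.CAPool != nil) != (cfg.RootCAs != nil) {
		dropped = append(dropped, "CA Cert")
	}
	if s.SkipVerify != cfg.InsecureSkipVerify {
		dropped = append(dropped, "TLS Skip Verify")
	}
	if s.ServerName != cfg.ServerName {
		dropped = append(dropped, "TLS Server Name")
	}
	return dropped
}

// constructedSettings returns sample inputs built for this example.
func constructedSettings() []storeTLS {
	return []storeTLS{
		{SkipVerify: true, ServerName: "vault.internal.example"},
		{CAPool: x509.NewCertPool(), SkipVerify: true, ServerName: "vault.internal.example"},
	}
}

func main() {
	for i, s := range constructedSettings() {
		fmt.Printf("case %d buggy drops %v, fixed drops %v\n", i,
			droppedSettings(s, buggyTLSConfig(s)),
			droppedSettings(s, fixedTLSConfig(s)))
	}
}
```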