DreamFactory announces the general availability of version 7.4.0, a significant release that positions the platform at the forefront of AI-ready enterprise API infrastructure. This release introduces native Model Context Protocol (MCP) server capabilities, enabling seamless integration between AI applications and enterprise data sources. Additionally, v7.4.0 delivers substantial improvements to Azure AD/Entra ID authentication, critical security patches, and enhanced database connector functionality.
DreamFactory 7.4.0 addresses three strategic priorities for enterprise API teams: AI readiness, identity management simplification, and security hardening. The new MCP Server package enables organizations to expose their existing DreamFactory APIs to AI agents and large language models without additional development. Enhanced Azure AD integration automates role assignment based on Entra ID group membership, reducing administrative overhead. Multiple security vulnerabilities have been patched, including SQL injection and XSS attack vectors, ensuring DreamFactory deployments meet stringent enterprise security requirements.
The most significant addition in DreamFactory 7.4.0 is the new df-mcp-server package (v1.0.0), which implements the Model Context Protocol specification. MCP has emerged as a standard interface for connecting AI applications—including large language models, AI agents, and copilot systems—to external data sources and tools.
Organizations running DreamFactory can now expose their existing REST APIs to AI applications without writing custom integration code. This capability enables several high-value use cases:
The MCP Server integration includes support for custom login pages, allowing organizations to maintain consistent authentication experiences across human and AI-driven access patterns.
DreamFactory 7.4.0 introduces automatic mapping between Microsoft Entra ID (formerly Azure Active Directory) groups and DreamFactory roles. This feature significantly reduces the administrative burden of managing API access permissions in Azure-centric environments.
Organizations using Microsoft Entra ID as their identity provider can now manage DreamFactory API permissions entirely through their existing Azure AD group structure. This eliminates the need for duplicate permission management across systems and ensures that employee role changes propagate automatically to API access controls.
DreamFactory 7.4.0 includes multiple security patches addressing vulnerabilities identified through internal security reviews and responsible disclosure processes.
| Vulnerability | Severity | Description |
|---|---|---|
| PTT-2025-032 | Critical | Security vulnerability patched across df-core and df-system packages |
| SQL Injection (RBAC) | High | Replaced string concatenation with parameterized queries in role-based service filtering; added input validation for service IDs |
| XSS Prevention | Medium | Server-side input validation for service labels (max 80 characters) and descriptions (max 255 characters); HTML tag stripping implemented |
| Private Key Validation | Medium | Added validation checks for private key files to prevent security misconfigurations |
Recommendation: All DreamFactory users should upgrade to version 7.4.0 to receive these security patches. Organizations running DreamFactory in production environments should prioritize this update.
Beyond Azure AD group mapping, DreamFactory 7.4.0 includes several authentication improvements that expand integration options for enterprise identity scenarios.
Full support for the OAuth 2.0 Client Credentials grant type with Microsoft Entra ID enables machine-to-machine authentication scenarios. This is essential for:
Client credentials authentication now supports session tokens, providing more flexible token management for service accounts and automated systems.
A new toggle in OAuth configuration allows administrators to control whether new user accounts are automatically created during SSO login. This provides finer control over user provisioning workflows and prevents unauthorized account creation in environments with strict user management policies.
Improved handling of NOT NULL constraints ensures reliable operation when using PostgreSQL as the DreamFactory system database, expanding deployment options for organizations standardized on PostgreSQL.
A new toggle in Oracle database service configuration allows full decimal type support for null or unassigned integer types. This aligns DreamFactory's behavior with Oracle's native defaults, improving compatibility for applications that depend on Oracle's specific numeric handling.
The AWS connector (covering DynamoDB and S3) now supports virtual relationships. This feature enables developers to define cross-table relationships without requiring foreign keys in the underlying data store—particularly valuable for NoSQL databases where traditional relational constraints don't exist.
Resolved an issue where the virtual foreign key slider in the schema tab was not functioning correctly when creating new virtual fields. This fix ensures consistent behavior in the database schema management interface.
The API documentation interface now filters visible services based on the authenticated user's roles and permissions. Users see only the APIs they have access to, reducing confusion and improving the developer experience in multi-tenant or role-restricted environments.
Fixed parameter handling in IIS deployments where the parameters key was incorrectly interpreted as an HTTP verb. This resolves issues for organizations running DreamFactory on Windows Server with Internet Information Services.
The HTTP and Remote Web Service connectors have been refactored with improved curl support, providing better error handling and connection management for external API integrations.
The GelfLogger class has been refactored to support PHP's Stringable interface, ensuring compatibility with modern PHP logging patterns and frameworks.
| Package | Previous Version | New Version |
|---|---|---|
| df-admin-interface | 1.5.x | 1.6.0 |
| df-apidoc | 0.8.0 | 0.8.3 |
| df-aws | 0.19.x | 0.20.0 |
| df-core | 1.0.9 | 1.0.12 |
| df-mcp-server | — | 1.0.0 (new) |
| df-oauth | 0.18.x | 0.19.0 |
| df-rws | 0.18.1 | 0.18.2 |
| df-system | 0.6.2 | 0.6.3 |
DreamFactory 7.4.0 is a non-breaking upgrade from previous 7.x versions. Standard upgrade procedures apply:
Organizations using Azure AD authentication should review the new group-to-role mapping feature to determine if it can simplify their current permission management workflows.
DreamFactory 7.4.0 reinforces the platform's position as an enterprise-grade API generation and management solution. Key differentiators include: