Skip to content

v1.1.0

Compare
Choose a tag to compare
@ory-bot ory-bot released this 20 Feb 12:26
· 320 commits to master since this release
f47675b

Ory Kratos v1.1.0

Ory Kratos v1.1 is the most complete, most scalable, and most secure open-source identity server on the planet, and we are thrilled to announce its release! This release comes with over 270 commits and an incredible amount of new features and capabilities!

Don't forget to leave a GitHub star and check out our other open source projects while you're here :)

  • Phone Verification & 2FA with SMS: Enhance convenient security with phone verification and two-factor authentication (2FA) via SMS, integrating easily with SMS gateways like Twilio. This feature not only adds a convenient layer of security but also offers a straightforward method for user verification, increasing your trust in user accounts.
  • Translations & Internationalization: Ory Kratos now supports multiple languages, making it accessible to a global audience. This improvement enhances the user experience by providing a localized interface, ensuring users interact with the system in their preferred language.
  • Native Support for Sign in with Google and Apple on Android/iOS: Get more sign-ups with native support for "Sign in with Google" and "Sign in with Apple" on mobile platforms. Great user experience matters!
  • Account Linking: Simplify user management with new features that facilitate account linking. If a user registers with a password and later signs in with a social account sharing the same email, new screens make account linking straightforward, enhancing user convenience and reducing support inquiries.
  • Passwordless "Magic Code": Introduce a passwordless login method with "Magic Code," which sends a one-time code to the user's email for sign-up and login. This method can also serve as a fallback when users forget their password or their social login is unavailable, streamlining the login process and improving user accessibility.
  • Session to JWT Conversion: Convert an Ory Session Cookie or Ory Session Token into a JSON Web Token (JWT), providing more flexibility in handling sessions and integrating with other systems. This feature allows for seamless authentication and authorization processes across different platforms and services.

Note: To ensure a seamless upgrade experience with minimal impact, some of these features are gated behind the feature_flags config parameter, allowing controlled deployment and testing.

  • Better reliability when sending out emails across different providers.
  • Streamlining the HTTP API and improving related SDK methods.
  • Better performance when calling the whoami API endpoint, updating identities, and listing identities.
  • The performance of listing identities has significantly improved with the introduction of keyset pagination. Page pagination is still available but will be fully deprecated soon.
  • Ability to list multiple identities in a batch call.
  • Passkeys and WebAuthn now support multiple origins, useful when working with subdomains.
  • The logout flow now redirects the user back to the return_to parameter set in the API call.
  • When updating their settings, the user was sometimes incorrectly asked to confirm the changes by providing their password. This issue has now been fixed.
  • When signing up with an account that already exists, the user will be shown a hint helping them sign in to their existing account.
  • CORS configuration can now be hot-reloaded.
  • The integration with Ory OAuth2 / Ory Hydra has improved for logout, login session management, verification, and recovery flows.
  • A new passwordless method has been added: "Magic code". It sends a one-time code to the user's email during sign-up and log-in. This method can additionally be used as a fallback login method when the user forgets their password.
  • Integration with social sign-in has improved, and it is now possible to use the email verified status from the social sign-in provider.
  • Ory Elements and the default Ory Account Experience are now internationalized with translations.
  • It is now possible to convert an Ory Session Cookie or Ory Session Token into a JSON Web Token.
  • Recovery on native apps has improved significantly and no longer requires the user to switch to a browser for the recovery step.
  • Administrators can now find users by their identifiers with fuzzy search - this feature is still in preview.
  • Importing HMAC-hashed passwords is now possible.
  • Webhooks can now update identity admin metadata.
  • New screens have been added to make account linking possible when a user has registered with a password and later tries signing in with a social account sharing the same email.
  • Ability to revoke all sessions of a user when they change their password.
  • Webhooks are now available for all login, registration, and login methods, including Passkeys, TOTP, and others.
  • The login screen now longer shows “ID” for the primary identifier, but instead extracts the correct label - for example, “Email” or “Username” from the Identity Schema.
  • Login hints help users with guidance when they are unable to sign in (wrong social sign-in provider) but have an active account.
  • Phone numbers can now be verified via an SMS gateway like Twilio.
  • SMS OTP is now a two-factor option.

The following features have been shipped exclusively to Ory Network for this version:

  • B2B SSO allows your customers to connect their LDAP / Okta / AD / … to your login. Ory selects the correct login provider based on the user’s email domain.
  • Significantly better API performance for expensive API operations by specifying the desired consistency (strongeventual).
  • Finding users effortlessly with our new fuzzy search for credential identifiers available for the Identity List API.

Ory Kratos 1.1 is a major release that marks a significant milestone in our journey.

We sincerely hope that you find these new features and improvements in Ory Kratos 1.1 valuable for your projects. To experience the power of the latest release, we encourage you to get the latest version of Ory Kratos here or leverage Ory Kratos in Ory Network — the easiest, simplest, and most cost-effective way to run Ory.

For organizations seeking to upgrade their self-hosted solution, Ory offers enterprise support services to ensure a smooth transition. Our team is ready to assist you throughout the migration process, ensuring uninterrupted access to the latest features and improvements. Additionally, we provide various support plans specifically tailored for self-hosting organizations. These plans offer comprehensive assistance and guidance to optimize your Ory deployments and meet your unique requirements.
We extend our heartfelt gratitude to the vibrant and supportive Ory Community. Without your constant support, feedback, and contributions, reaching this significant milestone would not have been possible. As we continue on this journey, your feedback and suggestions are invaluable to us. Together, we are shaping the future of identity management and authentication in the digital landscape.

Contributors to this release in no particular order: moose115K3dassidarthaefeslerBrandonNoad ,Saancreedjpogorzelskidreksxmartinloesethjensencpoyatos1misamutristankenneynxy7anhnmt

Are you passionate about security and want to make a meaningful impact in one of the biggest open-source communities? Join the Ory community and become a part of the new ID stack. Together, we are building the next generation of IAM solutions that empower organizations and individuals to secure their identities effectively.
Want to check out Ory Kratos yourself? Use these commands to get your Ory Kratos project running on the Ory Network:

brew install ory/tap/cli

scoop bucket add ory <https://github.com/ory/scoop.git>
scoop install ory

bash <(curl <https://raw.githubusercontent.com/ory/meta/master/install.sh>) -b . ory
sudo mv ./ory /usr/local/bin/

ory auth login

ory create project --name "My first Kratos project"

ory open account-experience registration

ory patch identity-config \
  --replace '/identity/default_schema_id="preset://username"' \
  --replace '/identity/schemas=[{"id":"preset://username","url":"preset://username"}]' \
  --format yaml

ory open account-experience registration

Breaking Changes

Pagination parameters for the list identities CLI command have changed from arguments to flags --page-token and page-size:

- kratos list identities 1 100
+ kratos list identities --page-size 100 --page-token ...

Furthermore, the JSON / JSON pretty output of list identities has changed:

-[
-  { "id": "..." },
-  { /* ... */ },
-  // ...
-]
+{
+  "identities": [
+    {"id": "..."},
+    { /* ... */ },
+    // ...
+  ],
+  "next_page_token": "..."
+}

Closes ory/sdk#284
Closes #3480

Bug Fixes

  • oidc does not require a method in the payload (#3564) (b299abc):

    • fix: oidc does not require a method in the payload

    • refactor: only update strategies order in test

    • chore: update audit messages and comments

  • Accept all 200 responses as OK in courier (#3401) (88237e2), closes #3399:

    • fix: accept all 200 responses as OK in courier
  • Accept login_challenge after verification (#3427) (6b02350):

    Part of ory/network#320

  • Add caching to Jsonnet snippet during session JWT tokenization (#3699) (1da8180)

  • Add consistency flag (#3733) (fd79950)

  • Add max-age to default cors headers (#3584) (c5b4aaa)

  • Add missing tracing & attributes in oidc strategy (#3429) (09bcb71)

  • Add return_to parameter to API spec of createRecoveryLinkForIdentity (#3711) (757a5e4)

  • Add value code to authentication method enum (#3546) (95dc7a2):

    • fix: add value code to authentication method enum

    • chore: generate sdk

  • Additional_id_token_audiences key in config schema (#3622) (9396bb0)

  • Adjust tracing verbosity (976cd0d)

  • Allow post recovery hooks to interrupt the flow (#3393) (6c1d2f1)

  • Allow updating admin metadata from webhook responses (#3569) (22f61f0)

  • Always return relative URLs in the Link header for pagination (fb229c9)

  • Auto migrate old accounts to use code credential (#3581) (569b14a)

  • Carry oauth2_login_challenge over to registration flow (#3419) (76241be):

    Fixes #3321

  • Change ListIdentities to keyset pagination (e16fed1)

  • Change shebangs and makefile from /bin/bash to /usr/bin/env bash (#3597) (1343bbb):

    • makefile fix

    • shebangs changed to /usr/bin/env bash

    Signed-off-by: nxy7 [email protected]

  • Check whoami aal before accepting hydra login request (#3669) (a2f79c3)

  • Code method on registration and 2fa (#3481) (7aa2e29)

  • Consider OIDC registration flows errored with duplicate credential to be completed by strategy (#3525) (3e3c789):

    Returning anything else here may cause Kratos to respond with two concatenated JSON objects: new login flow with actual error message as the first one and a very confusing '500, aborted registration hook execution' as the second one.

  • Csrf token regenerate on browser flows (#3706) (e4908db), closes #3705

  • Data race in test (ab6dc31)

  • Do not encode full config in multiple places (#3500) (57a3273)

  • Do not generate CSRF token for api flows (#3704) (d93570d)

  • Do not initialize parts of the registry in parallel (#3534) (ff177db)

  • Don't list org SSOs in settings (#3637) (6c7068c)

  • Don't require code credential for MFA flows (#3753) (40ed809)

  • Don't require session for OIDC verification (#3443) (e08f831)

  • Don't return 500 on conflict for POST /admin/identities (#3437) (1429949)

  • Don't return nil if code is invalid (#3662) (df8ec2b):

    • fix: don't return nil if code is invalid

    • chore: add test

  • Error handling on identity import (#3520) (83bfb2d):

    When importing identities without any traits, or with malformed traits, 500s are returned. This improves the error handling and messaging.

  • False-positives for requiring re-authentication on update (#3421) (ce8139f)

  • Http courier using should use lower case json (#3740) (84149c4)

  • Identity list pagination in CLI command and SDK (#3482) (1e8b1ae):

    Adds correct pagination parameters to the SDK methods for listing identities and sessions.

  • Ignore CSRF middleware on Apple OIDC callback (309c506)

  • Ignore more cloudflare cookies (#3499) (f124ab5)

  • Improved SSRF protection (#3629) (6d08576):

    This also improves tracing in the OIDC strategy.

  • Incorrect login accept challenge (#3658) (b5dede3)

  • Incorrect sdk generator path (#3488) (ed996c0)

  • Incorrect SMTP error handling (#3636) (ee138ec)

  • Incorrect swagger spec for filter parameter (#3684) (2c1470a), closes #3676 #3675

  • Increase connection-level timeouts and shutdown timeouts (#3570) (200b413):

    The admin API is generally expected to require longer timeouts, for example during bulk identity import.

  • Issue session after verification after registration with OIDC SSO (#3467) (a28b523)

  • Lint (e8740c3)

  • Lower-case recovery & verification emails on import (#3571) (e2ac9ff):

    Emails that contained upper-case characters would be overwritten by the identity schema extension runner, because there all emails are lower-cased.

  • Mark identity as optional in session struct (#3463) (7ae02ba), closes #3461:

    The identity is not always available in the session struct, for example when AAL2 is required.

  • Omit irrelevant OIDC providers in forced refresh login flows (#3608) (912dccd):

    Whenever an user is asked to reauthenticate (e.g. because they wish to execute settings flow touching their credentials and their session is no longer privileged) they are asked to provide their credentials again. The forced-refresh login flow generated for such cases already excludes some strategies that are enabled in Kratos but cannot be used to authenticate as current identity, and for example the form presented to the user will not have a password field if the identity does not have a password credential.

    This, however, does not currently apply to OIDC providers; the user will always see the full set even if some of them can't be used to sign in as current identity. This change causes forced refresh login flows to also omit irrelevant OIDC providers in generated form in order to avoid confunding the user about which strategies/providers are valid and can actually be used to reauthenticate.

  • On verification required after registration, preserve return_to (#3589) (6a0a914):

    • fix: on verification required after registration, preserve return_to

    • test: return_to on verification flow

    • chore: refactor

  • Panic in recovery (#3639) (c25ddff)

  • Pass context (#3452) (c492bdc)

  • Properly normalize OIDC verified emails (#3450) (703b910)

  • Redirect to verification URL even if login_challenge is set (#3412) (cd9e6a0):

    Fixes ory/network#320

  • Reduce db lookups in whoami for aal check (#3372) (d814a48):

    Significantly improves performance by reducing the amount of queries we need to do when checking for the different AAL levels.

  • Registration code ui nodes group (#3505) (6220184):

    • fix: registration code ui nodes group

    • style: format

  • Registration should accept hydra login (#3592) (7a47827):

    • fix: registration should accept hydra login

    • fix: oauth2 registration flow with session

    • wip: registration oauth flow tests

    • wip: refactor oauth flows test

    • wip: refactor op_registration_test

    • wip: oauth provider registration test

    • wip: refactor oauth flows test

    • fix(test): oauth provider login

    • style: format

  • Registration with verification (#3451) (77c3196)

  • Reject obviously invalid email addresses from courier (8cb9e4c)

  • Remove earliest_possible_extend default in schema (#3464) (7e05b7d)

  • Remove duplicate message ID usage (#3468) (dfcbe22)

  • Remove requirement for smtp section (#3405) (59a3f14)

  • Remove slow queries from update identities (#3553) (d138abb)

  • Rename "phone" courier channel to "sms" (#3680) (eb8d1b9)

  • Respect gomail.SendError in mail queue (#3600) (9c608b9)

  • Respond with 422 when SPA identity requires AAL2 (#3572) (df18c09):

    If you submit a browser login flow with an Accept header of application/json, but the login flow requires AAL2, then there is no way for the code to know it needs to redirect the user to the 2FA page. Instead of responding with the Session in this scenario, this PR changes the behaviour to respond with a browser_location_change_required error (status 422) to indicate that the browser needs to open a specific URL, /self-service/login/browser?aal=aal2.

  • Return 400 bad request for invalid login challenge (#3404) (ca34e9b)

  • Return HTTP 400 if key unmarshal fails (#3594) (fdf4956):

    • fix: return HTTP 400 if key unmarshal fails

    • fix: apply reviewer's suggestion, prepare for bump

    • fix: follow up reviewer suggestion from ory/x

    • chore: bump ory/x

  • Schema test errors (#3528) (bee0341)

  • Set iss from userinfo claims if missing (#3744) (241a911)

  • Specify correct minimum versions in migratest (18b89ea)

  • Tracing context passing in /sessions/whoami (1254bf5)

  • Tracing improvements (c804cb2)

  • Type-assert all interfaces that WebHook implements (ffda1a0)

  • Ui node input attributes key added (#3561) (9eff0f3):

    • fix: ui node InputAttributes.Key added

    • fix: selfservice recovery flow add React unique key and numeric pattern

    • fix: remove React related key addition

    • test: update snapshot

  • Use ID label on login with multiple identifiers (#3657) (be907db)

  • Use org ID from session if available in login flow (#3545) (1b3647c)

  • Use provider label in link message (#3661) (fa5ec93)

  • Use registry client for schema loading (#3471) (3a57726)

  • Using first name as last name (#3556) (df80377)

  • Wrong continue_with enum declaration (#3522) (4c34c24)

Code Generation

  • Pin v1.1.0 release commit (f47675b)

Documentation

Features

  • Add ability to convert session to JWT when calling whoami (#3472) (57b7bb8), closes #2487:

    This patch adds a query parameter tokenize_as to /session/whoami which encodes the session to a JWT. It is possible to customize the JWT claims by using a JsonNet template, and furthermore change the expiry of the token.

    The tokenize feature supports multiple templates, which makes it easy to use the resulting JWT in a variety of use cases.

  • Add event (#3524) (75031e6)

  • Add GetID member functions to RecoveryAddress and Credentials (#3474) (085d500)

  • Add ID Token sign in with Google Android/iOS SDK (#3515) (055ed92)

  • Add OpenTelemetry span for password hash comparison (#3383) (e3fcf0c)

  • Add request URL to email and SMS templates (bf5f8c3)

  • Add sms verification for phone numbers (#3649) (e3a3c4f)

  • Add support for recovery on native flows (#3273) (e363889)

  • Add WebhookSucceeded event (aa8c936)

  • Added various new text messages (ea91483):

    To improve i18n and message customization, we added a bunch of new messages. Integrations that do message customization should probably handle those new message codes:

    • 1010014
    • 1010015
    • 1040005
    • 1040006
    • 1070012
    • 1070013
    • 4000028
    • 4000029
    • 4000030
    • 4000031
    • 4000032
    • 4000033
    • 4000034
    • 4000035
    • 4000036
    • 4010007
    • 4010008
    • 4040002
    • 4040003

    Additionally, these messages got more context:

    • 1050014
    • 1050018
    • 1070002
    • 4000001
    • 4000003
    • 4000004
    • 4000017
    • 4000018
    • 4000019
    • 4000020
    • 4000021
    • 4000022
    • 4000023
    • 4000024
    • 4000025
    • 4000026
    • 4010001
    • 4040001
    • 4050001
    • 4060005
    • 4070005
    • 5000001
  • Allow additional id token audiences (#3616) (0fa648d)

  • Allow extra migrations in NewPersister (96c1ff7)

  • Allow fuzzy-search on credential identifiers (#3526) (2cb3ea2):

    This PR adds the ability to search for sub-strings and similar strings in credential identifiers.

    Note that the postgres and CRDB migrations create special indexes useful for this feature. To use online schema changes with cockroach, we recommend to manually copy the index definition and run it before applying migrations. The migration will then be a no-op.

    If you run on mysql (or sqlite), no special index is created. If desired, you can create such an index manually, and it would be highly appreciated if you could contribute its definition.

    This feature is a preview and will change in behavior! Similarity search is not expected to return deterministic results but are useful for humans.

  • Allow importing hmac hashed passwords (#3544) (0a0e1f7), closes #2422:

    The basic format is $hmac-<hashfunction>$<base64 encoded hash>$<base64 encoded key>:

    # password = test; key=key; hash function=sha
    $hmac-sha1$NjcxZjU0Y2UwYzU0MGY3OGZmZTFlMjZkY2Y5YzJhMDQ3YWVhNGZkYQ==$a2V5
    
  • Allow marking OIDC provider-verified addresses as verified during registration (#3448) (e7b33a1), closes #3445 #3424 #1057:

    This feature allows marking emails provided by social sign in providers as verified.

  • Batch list identities (#3598) (8ad54f1), closes #2448:

    This change allows to filter GET /admin/identities by ID with the following syntax:

    /admin/identities?ids=id1&ids=id2&ids=id3
    
  • changelog: Add support for native recovery (#3624) (492808c):

    Adds the ability to complete the recovery flow properly on API flows. This PR also streamlines the behavior for SPA flows to not return 422 errors anymore. To enable this new behavior, set the features.use_continue_with_transitions flag in the config to true.

    See also #3273

  • Claims from userinfo endpoint (#3718) (90bdc61):

    • feat: claims from userinfo endpoint

    • chore: update libraries

    • test: improve coverage

  • Emit error details when we find stray cookies in an API flow (#3496) (df74339)

  • Eventually consistency API controls (#3558) (00cf11c):

    Adds a feature used in Ory Network which enables trading faster reads for slightly stale data.

    This feature depends on Cockroach functionality and configuration, and is not possible for MySQL or PostgreSQL.

  • Extend Microsoft Graph API capabilities (#3609) (4a7bcc9):

    This change queries for all user information available with the User.Read scope
    during OIDC, and populates the RawClaims field.

  • Extract identifier label for login from default identity schema (#3645) (180828e)

  • Fine-grained hooks for all available flow methods (#3519) (a37f6bd):

    Adds fine-grained hook configurations to the post-settings flow for methods totp, webauthn, lookup_secret and the post-login flow for totp, lookup_secret, and code.

  • Hook to revoke sessions after password changed (#3514) (e6af6db), closes #3513:

    Currently, the Kratos system does not automatically log out or invalidate other active sessions when a user changes their password. This poses a significant security risk as it allows potentially unauthorized individuals to maintain access to the account even after the password has been updated.

    This PR provides the option to add the revoke_active_sessions hook to the actions sections of the selfservice settings.

  • Hot-reload CORS origins (#3423) (157d934)

  • Improve messages for easier i18n (#3457) (37f1657)

  • Improve performance by computing password hashes while validating (#3508) (a9786c5)

  • Improved webhook tracing (#3746) (9d7021d)

  • Jsonnet caching for OIDC claims mapper, webhooks, JWT session tokenizer (#3701) (1d26e09)

  • Link oidc credentials when login (#3563) (b784949), closes #2727 #3222:

    When user tries to login with OIDC for the first time but has already registered before with email/password a credentials identifier conflict may be detected by Kratos. In this case user needs to login with email/password first and then link OIDC credentials on a settings screen.
    This PR simplifies UX and allows user to link OIDC credentials to existing account right in the login flow, without
    switching to settings flow.

  • List by OIDC cred (#3721) (bff9c61)

  • Login with code on any credential type (#3549) (ceed7d5):

    Should be able to login with the code credential even if the user did not register on the code credential.
    Only identifier matching is done and validation based on the identity schema.

  • One-time code native flows (#3516) (9b0fee3)

  • Order sessions by created_at (#3696) (688111c)

  • Parametrize courier worker (#3601) (0e4be57):

    Allows one to parametrize how many messages the courier will fetch and how often it will fetch messages.

  • Passwordless browser login and registration via code to email (#3378) (eaaf375), closes #2029 ory-corp/cloud#3573:

    This feature adds passwordless email code login. When a user signs up, or signs in, a code is sent to their email address which they can use to complete the authentication process.

    This feature is currently only working for browser facing APIs.

  • Pooled process-isolated Jsonnet VM (9a52ddf)

  • Provide login hints when registration fails due to duplicate credentials/addresses (#3430) (8b28469):

    • feat: provide login hints when registration fails due to duplicate credentials or identifiers

    • feat: identify edge cases and write tests

    • chore: synchronize workspaces

    • feat: make login hints configurable

    • chore: synchronize workspaces

    • chore: synchronize workspaces

    • chore: synchronize workspaces

    • chore: synchronize workspaces

  • Support auth_type parameter (#3487) (fc30304):

    The Facebook OIDC provider supports an auth_type parameter that
    when set to "reauthenticate" will force the user to
    reauthenticate (similar to prompt=login for other Providers).

  • Support for B2B SSO (#3489) (0ec037a)

  • Support MFA via SMS (#3682) (1516cf6)

  • Support multiple origins for WebAuthN (#3380) (013f335):

    Users can now supply a list of origins for webauthn in the configuration.

  • Support native social sign using apple sdk (#3476) (f561013)

  • Transmit current session ID to Hydra when accepting the login (#3426) (610c76d):

    • chore: change react-native port to 19006

    • feat: transmit current session ID when accepting login

    • fix: upgrade hydra in tests

  • Webhook analytic events (9c8a25e)

Reverts

Tests

Unclassified

Changelog

  • 7c54c9f Revert "chore: simplify courier code (#3603)"
  • 549308d Revert "feat: extend Microsoft Graph API capabilities (#3609)" (#3717)
  • 8cc83bc Revert "fix: re-add exported symbols (#3611)"
  • e0327b0 autogen(docs): generate and bump docs
  • 7c0e02e autogen(docs): regenerate and update changelog
  • 32299d5 autogen(docs): regenerate and update changelog
  • 046aa9b autogen(docs): regenerate and update changelog
  • 8a0e496 autogen(docs): regenerate and update changelog
  • dbb3a7e autogen(docs): regenerate and update changelog
  • 043114b autogen(docs): regenerate and update changelog
  • 0d37eb3 autogen(docs): regenerate and update changelog
  • af55834 autogen(docs): regenerate and update changelog
  • e9ed14f autogen(docs): regenerate and update changelog
  • 34751a1 autogen(docs): regenerate and update changelog
  • 3d6927c autogen(docs): regenerate and update changelog
  • 6b91dc1 autogen(docs): regenerate and update changelog
  • 5fc88ba autogen(docs): regenerate and update changelog
  • 35a820b autogen(docs): regenerate and update changelog
  • 461ad52 autogen(docs): regenerate and update changelog
  • 4be5205 autogen(docs): regenerate and update changelog
  • 32d8306 autogen(docs): regenerate and update changelog
  • fc057a8 autogen(docs): regenerate and update changelog
  • 04bca63 autogen(docs): regenerate and update changelog
  • 13de64d autogen(docs): regenerate and update changelog
  • 8384f10 autogen(docs): regenerate and update changelog
  • 566d1ca autogen(docs): regenerate and update changelog
  • 988be61 autogen(docs): regenerate and update changelog
  • 048af1d autogen(docs): regenerate and update changelog
  • 53080b0 autogen(docs): regenerate and update changelog
  • 89928c8 autogen(docs): regenerate and update changelog
  • 4f8ea02 autogen(docs): regenerate and update changelog
  • 0e45e87 autogen(docs): regenerate and update changelog
  • 4b7fd0d autogen(docs): regenerate and update changelog
  • f1493c8 autogen(docs): regenerate and update changelog
  • dd5a9f3 autogen(docs): regenerate and update changelog
  • ce6b11a autogen(docs): regenerate and update changelog
  • 4eaf6c8 autogen(docs): regenerate and update changelog
  • 60e9a36 autogen(docs): regenerate and update changelog
  • 7b63379 autogen(docs): regenerate and update changelog
  • 96dba50 autogen(docs): regenerate and update changelog
  • afed81d autogen(docs): regenerate and update changelog
  • 1792dc6 autogen(docs): regenerate and update changelog
  • 7939bd3 autogen(docs): regenerate and update changelog
  • aa123f7 autogen(docs): regenerate and update changelog
  • f633959 autogen(docs): regenerate and update changelog
  • a0f2420 autogen(docs): regenerate and update changelog
  • 03d3f47 autogen(docs): regenerate and update changelog
  • 159c131 autogen(docs): regenerate and update changelog
  • 3735f1c autogen(docs): regenerate and update changelog
  • 57e2195 autogen(docs): regenerate and update changelog
  • 55560a1 autogen(docs): regenerate and update changelog
  • 6fe8657 autogen(docs): regenerate and update changelog
  • f303c1d autogen(docs): regenerate and update changelog
  • 4ce179a autogen(docs): regenerate and update changelog
  • aa0c36c autogen(docs): regenerate and update changelog
  • 985474c autogen(docs): regenerate and update changelog
  • c251cb2 autogen(docs): regenerate and update changelog
  • 9f5982b autogen(docs): regenerate and update changelog
  • bafc47d autogen(docs): regenerate and update changelog
  • 699e5d5 autogen(docs): regenerate and update changelog
  • 69b43b7 autogen(docs): regenerate and update changelog
  • dffcdef autogen(docs): regenerate and update changelog
  • d21e167 autogen(docs): regenerate and update changelog
  • 3b75f37 autogen(docs): regenerate and update changelog
  • 0c5ea9b autogen(docs): regenerate and update changelog
  • ec85751 autogen(docs): regenerate and update changelog
  • 06c27f4 autogen(docs): regenerate and update changelog
  • 44f1e70 autogen(docs): regenerate and update changelog
  • 3860705 autogen(docs): regenerate and update changelog
  • ed08606 autogen(docs): regenerate and update changelog
  • 3df0d77 autogen(docs): regenerate and update changelog
  • 58bd38f autogen(docs): regenerate and update changelog
  • af7d1af autogen(docs): regenerate and update changelog
  • 8150bdb autogen(docs): regenerate and update changelog
  • 8a26136 autogen(docs): regenerate and update changelog
  • 0827ae5 autogen(docs): regenerate and update changelog
  • 52c7d3b autogen(docs): regenerate and update changelog
  • 72bdeda autogen(docs): regenerate and update changelog
  • bbf874f autogen(docs): regenerate and update changelog
  • 2f5ba1f autogen(docs): regenerate and update changelog
  • 33fc930 autogen(docs): regenerate and update changelog
  • ecd557f autogen(docs): regenerate and update changelog
  • cfa3074 autogen(docs): regenerate and update changelog
  • 5a192f2 autogen(docs): regenerate and update changelog
  • 139a11c autogen(docs): regenerate and update changelog
  • 1a098b7 autogen(docs): regenerate and update changelog
  • 2474864 autogen(docs): regenerate and update changelog
  • 4364ba0 autogen(docs): regenerate and update changelog
  • f6fde34 autogen(docs): regenerate and update changelog
  • 318ea2c autogen(docs): regenerate and update changelog
  • 5c17c38 autogen(docs): regenerate and update changelog
  • e81e892 autogen(docs): regenerate and update changelog
  • 80402be autogen(docs): regenerate and update changelog
  • 6e565d1 autogen(openapi): regenerate swagger spec and internal client
  • c09e30c autogen(openapi): regenerate swagger spec and internal client
  • 5682127 autogen(openapi): regenerate swagger spec and internal client
  • 31f1a09 autogen(openapi): regenerate swagger spec and internal client
  • 0ac7578 autogen(openapi): regenerate swagger spec and internal client
  • c85d95f autogen(openapi): regenerate swagger spec and internal client
  • ee0af6c autogen(openapi): regenerate swagger spec and internal client
  • 9f80425 autogen(openapi): regenerate swagger spec and internal client
  • b1dc895 autogen(openapi): regenerate swagger spec and internal client
  • ade1a5a autogen(openapi): regenerate swagger spec and internal client
  • deeb165 autogen(openapi): regenerate swagger spec and internal client
  • efea4a4 autogen(openapi): regenerate swagger spec and internal client
  • 0b8ae74 autogen(openapi): regenerate swagger spec and internal client
  • 793a368 autogen(openapi): regenerate swagger spec and internal client
  • f12f622 autogen(openapi): regenerate swagger spec and internal client
  • 28826f5 autogen(openapi): regenerate swagger spec and internal client
  • 86ad5e1 autogen: add v1.0.0 to version.schema.json
  • f47675b autogen: pin v1.1.0 release commit
  • 1c3eeb7 autogen: pin v1.1.0-pre.0 release commit
  • 6cf7fc5 chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 (#3634)
  • f082f16 chore(deps): bump github.com/lestrrat-go/jwx from 1.2.26 to 1.2.28 (#3710)
  • ec42f2f chore(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0 (#3666)
  • 525554d chore(deps): bump golang.org/x/net from 0.14.0 to 0.17.0 (#3573)
  • ea1f721 chore(deps): bump semver from 5.7.1 to 5.7.2 in /test/e2e/proxy (#3377)
  • f323b3d chore: add hperl as codeowner (#3433)
  • f7c6767 chore: add missing tracing in manager_cookie.go (#3615)
  • 8bb0d1d chore: add more tracing around webhooks (#3441)
  • e8b92c1 chore: add more tracing to post-flow hooks (#3566)
  • 47d5eb1 chore: allow node 18 (#3492)
  • 21ab031 chore: bump openapi-generator (#3686)
  • 31faa2b chore: bump to Go 1.21
  • a639e56 chore: fix email address in courier log line (#3585)
  • 843a215 chore: fix github.com/bxcodec/faker/v3 is deprecated (#3607)
  • 7ae1271 chore: ignore CVE-2023-4806 (#3532)
  • b2b231e chore: improve tracing on recovery and verification (#3586)
  • e1fb8bf chore: move test helpers from package x to package testhelpers
  • fe4ac43 chore: pretty print allowed redirect URLs in error (#3660)
  • bb25276 chore: remove comment (#3442)
  • 316cd4a chore: simplify courier code (#3603)
  • 0ec3a9a chore: synchronize workspaces
  • 0941bdb chore: unify and improve message context (#3462)
  • dda19e8 chore: update Dockerfile-alpine (#3453)
  • e3bfa10 chore: update Ory Hydra SDK (#3729)
  • 30ba71e chore: update docker base images (#3521)
  • ae8cbdc chore: update opentelemetry (#3672)
  • c749052 chore: update repository templates to ory/meta@ac80097
  • 3a07af4 chore: update repository templates to ory/meta@af28aff
  • 1d43d22 chore: upgrade github.com/opencontainers/runc to v1.1.12 (#3732)
  • 44aa74f chore: upgrade ory/x to v0.0.589 (#3509)
  • 3ddff78 chore: use hosted httpbin in e2e tests (#3422)
  • 39b0c3c docs: add example for allowed_return_urls to include wildcard url (#3533)
  • 4b881ca docs: improve enum handling and completeness (#3714)
  • d4d26e6 docs: remove experimental warnings (#3406)
  • 8ca3adc docs: update link to hashed password formats (#3484)
  • 492808c feat(changelog): add support for native recovery (#3624)
  • 085d500 feat: add GetID member functions to RecoveryAddress and Credentials (#3474)
  • 055ed92 feat: add ID Token sign in with Google Android/iOS SDK (#3515)
  • e3fcf0c feat: add OpenTelemetry span for password hash comparison (#3383)
  • aa8c936 feat: add WebhookSucceeded event
  • 57b7bb8 feat: add ability to convert session to JWT when calling whoami (#3472)
  • 75031e6 feat: add event (#3524)
  • bf5f8c3 feat: add request URL to email and SMS templates
  • e3a3c4f feat: add sms verification for phone numbers (#3649)
  • e363889 feat: add support for recovery on native flows (#3273)
  • ea91483 feat: added various new text messages
  • 0fa648d feat: allow additional id token audiences (#3616)
  • 96c1ff7 feat: allow extra migrations in NewPersister
  • 2cb3ea2 feat: allow fuzzy-search on credential identifiers (#3526)
  • 0a0e1f7 feat: allow importing hmac hashed passwords (#3544)
  • e7b33a1 feat: allow marking OIDC provider-verified addresses as verified during registration (#3448)
  • 8ad54f1 feat: batch list identities (#3598)
  • 90bdc61 feat: claims from userinfo endpoint (#3718)
  • df74339 feat: emit error details when we find stray cookies in an API flow (#3496)
  • 00cf11c feat: eventually consistency API controls (#3558)
  • 4a7bcc9 feat: extend Microsoft Graph API capabilities (#3609)
  • 180828e feat: extract identifier label for login from default identity schema (#3645)
  • a37f6bd feat: fine-grained hooks for all available flow methods (#3519)
  • e6af6db feat: hook to revoke sessions after password changed (#3514)
  • 157d934 feat: hot-reload CORS origins (#3423)
  • 37f1657 feat: improve messages for easier i18n (#3457)
  • a9786c5 feat: improve performance by computing password hashes while validating (#3508)
  • 9d7021d feat: improved webhook tracing (#3746)
  • 1d26e09 feat: jsonnet caching for OIDC claims mapper, webhooks, JWT session tokenizer (#3701)
  • b784949 feat: link oidc credentials when login (#3563)
  • bff9c61 feat: list by OIDC cred (#3721)
  • ceed7d5 feat: login with code on any credential type (#3549)
  • 9b0fee3 feat: one-time code native flows (#3516)
  • 688111c feat: order sessions by created_at (#3696)
  • 0e4be57 feat: parametrize courier worker (#3601)
  • eaaf375 feat: passwordless browser login and registration via code to email (#3378)
  • 9a52ddf feat: pooled process-isolated Jsonnet VM
  • 8b28469 feat: provide login hints when registration fails due to duplicate credentials/addresses (#3430)
  • 1516cf6 feat: support MFA via SMS (#3682)
  • fc30304 feat: support auth_type parameter (#3487)
  • 0ec037a feat: support for B2B SSO (#3489)
  • 013f335 feat: support multiple origins for WebAuthN (#3380)
  • f561013 feat: support native social sign using apple sdk (#3476)
  • 610c76d feat: transmit current session ID to Hydra when accepting the login (#3426)
  • 9c8a25e feat: webhook analytic events
  • b299abc fix: oidc does not require a method in the payload (#3564)
  • 88237e2 fix: accept all 200 responses as OK in courier (#3401)
  • 6b02350 fix: accept login_challenge after verification (#3427)
  • 1da8180 fix: add caching to Jsonnet snippet during session JWT tokenization (#3699)
  • fd79950 fix: add consistency flag (#3733)
  • c5b4aaa fix: add max-age to default cors headers (#3584)
  • 09bcb71 fix: add missing tracing & attributes in oidc strategy (#3429)
  • 757a5e4 fix: add return_to parameter to API spec of createRecoveryLinkForIdentity (#3711)
  • 95dc7a2 fix: add value code to authentication method enum (#3546)
  • 9396bb0 fix: additional_id_token_audiences key in config schema (#3622)
  • 976cd0d fix: adjust tracing verbosity
  • 6c1d2f1 fix: allow post recovery hooks to interrupt the flow (#3393)
  • 22f61f0 fix: allow updating admin metadata from webhook responses (#3569)
  • fb229c9 fix: always return relative URLs in the Link header for pagination
  • 569b14a fix: auto migrate old accounts to use code credential (#3581)
  • 76241be fix: carry oauth2_login_challenge over to registration flow (#3419)
  • e16fed1 fix: change ListIdentities to keyset pagination
  • 1343bbb fix: change shebangs and makefile from /bin/bash to /usr/bin/env bash (#3597)
  • a2f79c3 fix: check whoami aal before accepting hydra login request (#3669)
  • 7aa2e29 fix: code method on registration and 2fa (#3481)
  • 3e3c789 fix: consider OIDC registration flows errored with duplicate credential to be completed by strategy (#3525)
  • e4908db fix: csrf token regenerate on browser flows (#3706)
  • ab6dc31 fix: data race in test
  • 57a3273 fix: do not encode full config in multiple places (#3500)
  • d93570d fix: do not generate CSRF token for api flows (#3704)
  • ff177db fix: do not initialize parts of the registry in parallel (#3534)
  • 6c7068c fix: don't list org SSOs in settings (#3637)
  • 40ed809 fix: don't require code credential for MFA flows (#3753)
  • e08f831 fix: don't require session for OIDC verification (#3443)
  • 1429949 fix: don't return 500 on conflict for POST /admin/identities (#3437)
  • df8ec2b fix: don't return nil if code is invalid (#3662)
  • 83bfb2d fix: error handling on identity import (#3520)
  • ce8139f fix: false-positives for requiring re-authentication on update (#3421)
  • 84149c4 fix: http courier using should use lower case json (#3740)
  • 1e8b1ae fix: identity list pagination in CLI command and SDK (#3482)
  • 309c506 fix: ignore CSRF middleware on Apple OIDC callback
  • f124ab5 fix: ignore more cloudflare cookies (#3499)
  • 6d08576 fix: improved SSRF protection (#3629)
  • ee138ec fix: incorrect SMTP error handling (#3636)
  • b5dede3 fix: incorrect login accept challenge (#3658)
  • ed996c0 fix: incorrect sdk generator path (#3488)
  • 2c1470a fix: incorrect swagger spec for filter parameter (#3684)
  • 200b413 fix: increase connection-level timeouts and shutdown timeouts (#3570)
  • a28b523 fix: issue session after verification after registration with OIDC SSO (#3467)
  • e8740c3 fix: lint
  • e2ac9ff fix: lower-case recovery & verification emails on import (#3571)
  • 7ae02ba fix: mark identity as optional in session struct (#3463)
  • 912dccd fix: omit irrelevant OIDC providers in forced refresh login flows (#3608)
  • 6a0a914 fix: on verification required after registration, preserve return_to (#3589)
  • c25ddff fix: panic in recovery (#3639)
  • c492bdc fix: pass context (#3452)
  • 703b910 fix: properly normalize OIDC verified emails (#3450)
  • 52639e6 fix: re-add exported symbols (#3611)
  • cd9e6a0 fix: redirect to verification URL even if login_challenge is set (#3412)
  • d814a48 fix: reduce db lookups in whoami for aal check (#3372)
  • 6220184 fix: registration code ui nodes group (#3505)
  • 7a47827 fix: registration should accept hydra login (#3592)
  • 77c3196 fix: registration with verification (#3451)
  • 8cb9e4c fix: reject obviously invalid email addresses from courier
  • 7e05b7d fix: remove earliest_possible_extend default in schema (#3464)
  • dfcbe22 fix: remove duplicate message ID usage (#3468)
  • 59a3f14 fix: remove requirement for smtp section (#3405)
  • d138abb fix: remove slow queries from update identities (#3553)
  • eb8d1b9 fix: rename "phone" courier channel to "sms" (#3680)
  • 9c608b9 fix: respect gomail.SendError in mail queue (#3600)
  • df18c09 fix: respond with 422 when SPA identity requires AAL2 (#3572)
  • ca34e9b fix: return 400 bad request for invalid login challenge (#3404)
  • fdf4956 fix: return HTTP 400 if key unmarshal fails (#3594)
  • bee0341 fix: schema test errors (#3528)
  • 241a911 fix: set iss from userinfo claims if missing (#3744)
  • 18b89ea fix: specify correct minimum versions in migratest
  • 1254bf5 fix: tracing context passing in /sessions/whoami
  • c804cb2 fix: tracing improvements
  • ffda1a0 fix: type-assert all interfaces that WebHook implements
  • 9eff0f3 fix: ui node input attributes key added (#3561)
  • be907db fix: use ID label on login with multiple identifiers (#3657)
  • 1b3647c fix: use org ID from session if available in login flow (#3545)
  • fa5ec93 fix: use provider label in link message (#3661)
  • 3a57726 fix: use registry client for schema loading (#3471)
  • df80377 fix: using first name as last name (#3556)
  • 4c34c24 fix: wrong continue_with enum declaration (#3522)
  • c348c12 test(e2e): logout return_to (#3418)
  • 67360cf test: add test for link + oidc challenge (#3720)
  • 70c8ddd test: fix cypress setup (#3527)
  • 70a6171 test: fix e2e failures and speed up e2e tests (#3483)
  • 12166b4 test: fix hydra tests on master (#3737)
  • 05de3a2 test: reduce logging in go tests (#3562)
  • 4206d26 test: resolve cypress issues (#3531)

Artifacts can be verified with cosign using this public key.