v0.9.0-alpha.3

Resolves an issue in the quickstart.

Breaking Changes

Calling /self-service/recovery without flow ID or with an invalid flow ID while authenticated will now respond with an error instead of redirecting to the default page.

Closes ory-corp/cloud#2173

Co-authored-by: aeneasr [email protected]

Bug Fixes

• Accept recovery link from authenticated users (#2195) (0fa64dd):

  When a recovery link is opened while the user already has a session cookie (possibly for another account), the endpoint will now correctly complete the recovery process and issue new cookies.

• Quickstart (73b461c):

  Closes #2339

• Resolve issue where CF cookies would mingle with CSRF detection in API flows (011219a)

• Typo in error message (#2332) (b075a5b)

• Update v0.9.0-alpha.2 config schema path (#2328) (55705c7)

• version schema: Require version or fall back to latest (52c9824)

Code Generation

• Pin v0.9.0-alpha.3 release commit (32e36d4)

Documentation

• Add missing error codes (b854bb8)
• Clarify 410 error for api payloads (2c7ac3b)

Changelog

• b966803 autogen(docs): generate and bump docs
• 4183a48 autogen(docs): regenerate and update changelog
• 88ea06a autogen(docs): regenerate and update changelog
• 97bb638 autogen(docs): regenerate and update changelog
• 8e2f3b2 autogen(docs): regenerate and update changelog
• 61998f9 autogen(docs): regenerate and update changelog
• 22cb081 autogen(openapi): regenerate swagger spec and internal client
• 994aef6 autogen: add v0.9.0-alpha.2 to version.schema.json
• 32e36d4 autogen: pin v0.9.0-alpha.3 release commit
• c53a9e2 chore: remove codedoc
• b854bb8 docs: add missing error codes
• 2c7ac3b docs: clarify 410 error for api payloads
• 52c9824 fix(version schema): require version or fall back to latest
• 0fa64dd fix: accept recovery link from authenticated users (#2195)
• 73b461c fix: quickstart
• 011219a fix: resolve issue where CF cookies would mingle with CSRF detection in API flows
• b075a5b fix: typo in error message (#2332)
• 55705c7 fix: update v0.9.0-alpha.2 config schema path (#2328)

Artifacts can be verified with cosign using this public key.

v0.9.0-alpha.2

Resolves an issue in the SDK release pipeline.

Bug Fixes

• Swag location (5b51bfb)

Code Generation

• Pin v0.9.0-alpha.2 release commit (f5501cf)

Changelog

• 21614d8 autogen(docs): regenerate and update changelog
• f5501cf autogen: pin v0.9.0-alpha.2 release commit
• 90b354a chore: force run
• 5b51bfb fix: swag location

Artifacts can be verified with cosign using this public key.

v0.9.0-alpha.1

Ory Kratos v0.9 is here! We're extremely happy to announce that the new release is out and once again it's been made even better thanks to the incredible contributions from our awesome community. <3

Enjoy!

Here's an overview of things you can expect from the v0.9 release:

1. We introduced 1:1 compatibility between self-hosting Ory Kratos and using Ory Cloud. The configuration works the same across all modes of operation and deployment!
2. Passwordless login with WebAuthn is now available! Authentication with YubiKeys, TouchID, FaceID, Microsoft Hello, and other WebAuthn-supported methods is now available. The refactored infrastructure lays a foundation for more passwordless flows to come.
3. All the docs are now available in a single repo. Go to the ory/docs repository to find docs for all Ory projects.
4. You can now load custom email templates that'll make your essential messaging like project invitations or password recovery emails look slick.
5. We've laid the foundation for adding SMS-dependant flows.
6. Security is always a top priority. We've made changes and updates such as CSP nonces, SSRF defenses, session invalidation hooks, and more.
7. Kratos now gracefully handles cookie errors.
8. Password policies are now configurable.
9. Added configuration to control the flow of webhooks. Now you can cancel flows & run them in the background.
10. You can import identities along with their credentials (password, social sign-in connections, WebAuthn, ...).
11. Infra: we migrated all of our CIs from CircleCI to GitHub Actions.
12. We moved the admin API from / to admin. This is a breaking change. Please read the explanation and proceed with caution!
13. Bugfix: fixed a bug in the handling of secrets. This is a breaking change. Please read the explanation and proceed with caution!
14. Bugfix: several bugs in different self-service flows are no more.

As you can see, this release introduces breaking changes. We tried to keep the HTTP API as backward-compatible as possible by introducing HTTP redirects and other measures, but this update requires you to take extra care. Make sure you've read the release notes and understand the risk before updating.

You must apply SQL migrations for this release. Make sure to create backup before you start!

Breaking Changes

Configuration key selfservice.whitelisted_return_urls has been renamed to allowed_return_urls.

All endpoints at the Admin API are now exposed at /admin/. For example, endpoint https://kratos:4434/identities is now exposed at https://kratos:4434/admin/identities. This change makes it easier to configure reverse proxies and API Gateways. Additionally, it introduces 1:1 compatibility between Ory Cloud's APIs and self-hosted Ory Kratos. Please note that nothing has changed in terms of the port. To make the migration less painful, we have set up redirects from the old endpoints to the new /admin endpoints, so your APIs, SDKs, and clients should continue working as they were working before. This change is marked as a breaking change as it touches many endpoints and might be confusing when encountering the redirect for the first time.

If you are using two or more secrets for the secrets.session, this patch might break existing Ory Session Cookies. This has the effect that users will need to re-authenticate when visiting your app.

The password_identifier form field of the password login strategy has been renamed to identifier to make compatibility with passwordless flows possible. Field name password_identifier will still be accepted. Please note that the UI node for displaying the "username" / "email" field has this name="identifier" going forward. Additionally, the traits of the password strategy are no longer within group password but instead in group profile going forward!

The following OpenID Connect configuration keys have been renamed to better explain their purpose:

- private_key_id
+ apple_private_key_id

- private_key
+ apple_private_key

- team_id
+ apple_team_id

- tenant
+ microsoft_tenant

A major issue has been lingering in the configuration for a while. What happens to your identities when you update a schema? The answer was, it depends on the change. If the change is incompatible, some things might break!

To resolve this problem we changed the way you define schemas. Instead of having a global default_schema_url which developers used to update their schema, you now need to define the default_schema_id which must reference schema ID in your config. To update your existing configuration, check out the patch example below:

identity:
-  default_schema_url: file://stub/identity.schema.json
+  default_schema_id: default
+  schemas:
+  - id: default
+    url: file://stub/identity.schema.json

Ideally, you would version your schema and update the default_schema_id with every change to the new version:

identity:
  default_schema_id: user_v1
  schemas:
    - id: user_v0
      url: file://path/to/user_v0.json
    - id: user_v1
      url: file://path/to/user_v1.json

This patch removes the ability to use domain aliases, an obscure feature rarely used that had several issues and inconsistencies.

Bug Fixes

• Add identity_id index to identity_verifiable_addresses table (#2147) (86fd942):

  The verifiable addresses are loaded eagerly into the identity. When that happens, the identity_verifiable_addresses table is queried by nid and identity_id. This index should greatly improve performance, especially of the /sessions/whoami endpoint.

• Add ability to resume continuity sessions from several cookies (#2131) (8b87bdb), closes #2016 #1786

• Add CourierConfig to default registry (#2243) (2e1fba3)

• Add DispatchMessage to interface (df2ca7a)

• Add hiring notice to README (#2074) (0c1e816)

• Add missing enum (#2223) (4b7d7d0):

  Closes ory/sdk#147

• Add missing version tag in quickstart.yml (#2110) (1d281ea)

• Add output-dir input to cli-next (#2230) (1eb3f18)

• Added malformed config test (5a3c9c1)

• Adjust scan configuration (#2140) (8506fcf), closes #2083

• Admin endpoint /schemas not redirecting to public endpoint (#2133) (413833f), closes #2084

• Appropriately pass context around (#2241) (668f6b2):

  Closes ory/network#56

• Base redirect URL decoding (acdefa7)

• Base64 encode identity schema URLs (ad44e4d):

  Previously, identity schema IDs with special characters could lead to broken URLs. This patch introduces a change where identity schema IDs are base64 encoded to address this issue. Schema IDs that are not base64 encoded will continue working.

• Broken links API spec (e1e7516)

• Choose correct CSRF cookie when multiple are set (633076b), closes ory/kratos#2121 ory-corp/cloud#1786:

  Resolves an issue where, when multiple CSRF cookies are set, a random one would be used to verify the CSRF token. Now, regardless of how many conflicting CSRF cookies exist, if one of them is valid, the request will pass and clean up the cookie store.

• Cloud config issue (135b29c)

• continuity: Properly reset cookies that became invalid (8e4b4fb), closes #2121 ory-corp/cloud#1786:

  Resolves several reports related to incorrect handling of invalid continuity issues.

• continuity: Remove cookie on any error (428ac03)

• Correct recovery hook ([c7682a8](c7682a8fd97fdac87d59d3e7fb...

v0.8.2-alpha.1

This release addresses further important security updates in the base Docker Images. We also resolved all issues related to ARM support on both Linux and macOS and fixed a bug that prevent the binary from compiling on FreeBSD.

This release also makes use of our new build architecture which means that the Docker Images names have changed. We removed the "scratch" images as we received frequent complaints about them. Additionally,
all Docker Images have now, per default, SQLite support built-in. If you are relying on the SQLite images, update your Docker Pull commands as follows:

- docker pull oryd/kratos:{version}-sqlite
+ docker pull oryd/kratos:{version}

Additionally, all passwords now have to be at least 8 characters long, following recommendations from Microsoft and others.

In v0.8.1-alpha.1 we failed to include all the exciting things that landed, so we'll cover them now!

1. Advanced E-Mail templating support with sprig - makes it possible to translate emails as well!
2. Support wildcards for allowing redirection targets.
3. Account Recovery initiated by the Admin API now works even if identities have no email address.

Enjoy this release!

Bug Fixes

• Add missing sample app paths to oathkeeper config (#2058) (a527db4):

  Add "welcome,registration,login,verification" and "**.png" to the paths oathkeeper forwards to self service ui.

• Add section on webauthn constraints (#2072) (23663b5)

• After release hooks (56c2e61)

• Dockerfile clean up (52420cc), closes #2070

• Goreleaser after hook (c763f2b)

• Goreleaser config (7099af2):

  See goreleaser/goreleaser#2762

• Release hook (90bd769)

Code Generation

• Pin v0.8.2-alpha.1 release commit (627f4a1)

Documentation

• Fix bodged release (032b23a)
• Quickstart update (#2060) (3387cf6), closes #2032 #1916

Changelog

• 718107b autogen(docs): generate and bump docs
• e961718 autogen(docs): generate and format documentation
• 32d4322 autogen(docs): generate and format documentation
• 4a0db11 autogen(docs): generate and format documentation
• 3cf12ae autogen(docs): generate and format documentation
• 5ad0565 autogen(docs): generate and format documentation
• 1cc0d4a autogen(docs): generate and format documentation
• 54c8c14 autogen(docs): generate and format documentation
• 8129425 autogen(docs): generate and format documentation
• b8ca5f6 autogen(docs): generate and format documentation
• 7507a58 autogen(docs): generate and format documentation
• 063e506 autogen(docs): generate and format documentation
• 4deae97 autogen(docs): generate and format documentation
• 457c996 autogen(docs): generate cli docs
• 3ae6677 autogen(docs): update milestone document
• 95477c2 autogen: pin v0.8.0-alpha.2.pre.1 release commit
• 942247c autogen: pin v0.8.0-alpha.2.pre.2 release commit
• 423f2f1 autogen: pin v0.8.0-alpha.2.pre.4 release commit
• 1f0519c autogen: pin v0.8.0-alpha.2.pre.5 release commit
• a53fe3b autogen: pin v0.8.0-alpha.2.pre.6 release commit
• 722fb73 autogen: pin v0.8.1-alpha.2.pre.0 release commit
• 7f160f6 autogen: pin v0.8.2-alpha.1 release commit
• 627f4a1 autogen: pin v0.8.2-alpha.1 release commit
• 02201c2 ci: fix docker ref
• 032b23a docs: fix bodged release
• 3387cf6 docs: quickstart update (#2060)
• a527db4 fix: add missing sample app paths to oathkeeper config (#2058)
• 23663b5 fix: add section on webauthn constraints (#2072)
• 56c2e61 fix: after release hooks
• 52420cc fix: dockerfile clean up
• c763f2b fix: goreleaser after hook
• 7099af2 fix: goreleaser config
• 90bd769 fix: release hook

Docker images

• docker pull oryd/kratos:v0.8.2-alpha.1
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.8
• docker pull oryd/kratos:v0.8.2

Artifacts can be verified with cosign using this public key.

v0.8.1-alpha.1

This maintenance release important security updates for the base Docker Images (e.g. Alpine). Additionally, several hiccups with the new ARM support have been resolved and the binaries are now downloadable for all major platforms. Please note that passwords now have to be at least 8 characters long, following recommendations from Microsoft and others.

Enjoy this release!

Breaking Changes

To celebrate this change, we cleaned up the ways you install Ory software, and will roll this out to all other projects soon:

There is now one central brew / bash curl repository:

-brew install ory/kratos/kratos
+brew install ory/tap/kratos

-bash <(curl https://raw.githubusercontent.com/ory/kratos/master/install.sh)
+bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) kratos

Bug Fixes

• Add base64 to ReadSchema (#1918) (8c8815b), closes #1529

• Add error.id to invalid cookie/token settings flow (#1919) (73610d4), closes #1888

• Adds missing webauthn authentication method (#1914) (44892f3)

• Allow use of relative URLs in config (#1754) (5f73bb0), closes #1446

• Bodget docs commit (f9d2f82)

• Build docs on release (2cf137a)

• De-duplicate message IDs (#1973) (9d8e197)

• Do not use csrf for meta endpoints (#1927) (fd14798)

• Docs links (#2008) (8515e17)

• E2e test regression (#1937) (c9be009)

• Include text label for link email field (07a1dbb), closes #1909

• Panic on webhook with nil body (#1890) (4bf1825), closes #1885

• Paths (8c852c7)

• Require minimum length of 8 characters password (#2009) (bb5846e):

  Kratos follows NIST Digital Identity Guidelines - 5.1.1.2 Memorized Secret Verifiers and password policy says

  Passwords must have a minimum length of 8 characters and all characters (unicode, ASCII) must be allowed.

• Resolve freebsd build issue (#2004) (9c75fe9), closes #1645

• Revert tag (f1d7b9e), closes #1945

• Set dockerfile (c860b99)

• Skip docs publishing for pre releases (eb6d8cd)

• Speed up git clone (d3e4bde)

• Support complex lifespans (#2050) (0edbebe)

• Update docs after release (850be90)

• Update sdk orb (94e12e6)

• Use bcrypt for password hashing in example (a9196f2)

• Use new ory installation method (09cfc7e)

• Verification error code (#1967) (44411ab), closes #1956

Code Generation

• Pin v0.8.1-alpha.1 release commit (8247416)

Documentation

• Add Content-Type to recommended CORS allowed headers (#2015) (dd890ab)

• Add subdomain configuration in csrf page (#1896) (681750f):

  Add some instructions as to how kratos can be configured to work across subdomains.

• debug: Fix typo (#1976) (0647554)

• Fix incorrect tag (bbd2355), closes #2032 #2028

• Fixed date format example (#2038) (fc4703a)

• Improve text around bcrypt (#2037) (ba6981e)

• Levenshtein-Distance has been released (#2040) (393b6b3)

• Minor fixes (#2010) (12918db)

• Password-strength meter has been dropped (#2041) (9848fb3)

• Remove unintended characters in subdomain section in csrf page (#1897) (dfb9007)

• This has been done (#2045) (7e8c91a)

• Totp unlink image in 2fa docs (#1957) (7afb731)

• Update email template docs (#1960) (#1968) (b0f25a9)

• Webhooks have landed (#2035) (80e53eb)

Features

• Add alpine dockerfile (587eaee)

• Add new goreleaser build chain (#1932) (cf1714d):

  This patch adds full compatibility with ARM architectures, including Apple Silicon (M1). We additionally added cryptographically signed signatures verifiable using cosign for both binaries as well as docker images.

• Add quickstart mimicking hosted ui (813fb4c)

• Add x-total-count to paginated pages (b633ec3)

• Advanced e-mail templating support (#1859) (54b97b4), closes #834 #925

• Allow wildcard domains for redirect_to checks (#1528) (349cdcf), closes #943:

  Support wildcard domains in redirect_to checks.

• Buildkit with multi stage build (#2025) (57ab7f7)

• cmd: Add OIDC credential include (#2017) (1482844):

  With this change, t...

v0.8.0-alpha.3

Resolves issues in the quickstart.

Bug Fixes

• Resolve quickstart issues (#1900) (d047009):

  Closes #1899

Code Generation

• Pin v0.8.0-alpha.3 release commit (a307deb)

Changelog

273785a autogen(docs): generate and format documentation
928f656 autogen(docs): generate cli docs
639e841 autogen: add v0.8.0-alpha.2 to version.schema.json
a307deb autogen: pin v0.8.0-alpha.3 release commit
7e09146 autogen: pin v0.8.0-alpha.3 release commit
d047009 fix: resolve quickstart issues (#1900)

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.8-sqlite
• docker pull oryd/kratos:v0.8.0-sqlite
• docker pull oryd/kratos:v0.8.0-alpha.3-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.8
• docker pull oryd/kratos:v0.8.0
• docker pull oryd/kratos:v0.8.0-alpha.3

v0.8.0-alpha.2

Resolves an issue in the SDK release pipeline.

Code Generation

• Pin v0.8.0-alpha.2 release commit (2178929)

Changelog

fb5a523 autogen(docs): generate and format documentation
833f14f autogen(docs): update milestone document
87923d0 autogen: add v0.8.0-alpha.1 to version.schema.json
2178929 autogen: pin v0.8.0-alpha.2 release commit
76403d8 ci: bump sdk orb

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.8-sqlite
• docker pull oryd/kratos:v0.8.0-sqlite
• docker pull oryd/kratos:v0.8.0-alpha.2-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.8
• docker pull oryd/kratos:v0.8.0
• docker pull oryd/kratos:v0.8.0-alpha.2

v0.8.0-alpha.1

We are extremely excited to share this next generation of Ory Kratos! The project is truly maturing and the community is getting larger by the hour.

On this special occasion, we would like to bring to your attention that the Ory Summit is happening tomorrow and on Friday! You will hear gripping talks from the Ory Community and Ory maintainers! And the best part, tickets are free and we are covering multiple time zones!

This release is truly the best version of Ory Kratos to date and we want to give you a tl;dr of the 345 commits and 1152 files changed, and what you can expect from this release:

• Full multi-factor authentication with different enforcement policies (soft/hard MFA).
• Support for WebAuthn (FIDO2 / U2F) two-factor authentication - from fingerprints to hardware tokens every FIDO2 device is supported!
• Ability to fetch the initial OAuth2 Access and Refresh and OpenID Connect ID Tokens an identity receives when performing social sign up. Optionally, these tokens are stored encrypted in the database (XChaCha20Poly1305 or AES-GCM)!
• Support for TOTP (Google Authenticator) two-factor verification/authentication.
• Advanced two-factor recovery with lookup secrets.
• A complete reference implementation of the Ory Kratos end-user (self-service) facing UI in ReactJS & VercelJS.
• "Native" support for Single-Page App Single Sign-On.
• Much improved single-page app and native app APIs for all self-service flows.
• Support for PKBDF2 password hashing, which will help import user passwords from other systems in the future.
• Bugfixes and improvements to the OpenAPI spec and auto-generated SDKs.
• ARM Docker Images.
• Greatly improved internal e2e test pipeline using Cypress 8.x.
• Improved functional tests with cupaloy snapshot testing.
• Documentation on different error codes and message identifiers to easier translate messages in your own UI.
• Better form decoding and ability to mark required JSON Schema fields as required in the UI.
• Bug fixes that could result in users ending up in irrecoverable UI states.
• Better support for return_to across flows (e.g. OIDC) and in custom UIs.
• SBOM Software Supply Chain scanning & reporting.
• Docker Image vulnerability checking as part of the release pipeline.
• Support sending emails via AWS SES SMTP.
• A REST endpoint to invalidate all an identity's sessions.

As you can see, much has happened and we are grateful for all the great interactions we have with you, every day!

Let's take a look at some of the breaking changes. Even though much was added, little has changed in breaking ways! This is a testament that Ory Kratos' internals and APIs are becoming more stable!

This release requires you to run SQL migrations. Please, as always, create a backup of your database first!

The SDKs are now generated with tag v0alpha2 to reflect that some signatures have changed in a breaking fashion. Please update your imports from v0alpha1 to v0alpha2.

The SMTPS scheme used in courier config URL with cleartext/StartTLS/TLS SMTP connection types is now only supporting implicit TLS. For StartTLS and cleartext SMTP, please use the SMTP scheme instead.

Example:

• SMTP Cleartext: smtp://foo:bar@my-mailserver:1234/?disable_starttls=true
• SMTP with StartTLS: smtps://foo:bar@my-mailserver:1234/ -> smtp://foo:bar@my-mailserver:1234/
• SMTP with implicit TLS: smtps://foo:bar@my-mailserver:1234/?legacy_ssl=true -> `smtps://foo:bar@my-mailserver:1234/We are extremely excited to share this next generation of Ory Kratos! The project is truly maturing and the community is getting larger by the hour.

On this special occasion, we would like to bring to your attention that the Ory Summit is happening tomorrow and on Friday! You will hear gripping talks from the Ory Community and Ory maintainers! And the best part, tickets are free and we are covering multiple time zones!

This release is truly the best version of Ory Kratos to date and we want to give you a tl;dr of the 345 commits and 1152 files changed, and what you can expect from this release:

• Full multi-factor authentication with different enforcement policies (soft/hard MFA).
• Support for WebAuthn (FIDO2 / U2F) two-factor authentication - from fingerprints to hardware tokens every FIDO2 device is supported!
• Ability to fetch the initial OAuth2 Access and Refresh and OpenID Connect ID Tokens an identity receives when performing social sign up. Optionally, these tokens are stored encrypted in the database (XChaCha20Poly1305 or AES-GCM)!
• Support for TOTP (Google Authenticator) two-factor verification/authentication.
• Advanced two-factor recovery with lookup secrets.
• A complete reference implementation of the Ory Kratos end-user (self-service) facing UI in ReactJS & VercelJS.
• "Native" support for Single-Page App Single Sign-On.
• Much improved single-page app and native app APIs for all self-service flows.
• Support for PKBDF2 password hashing, which will help import user passwords from other systems in the future.
• Bugfixes and improvements to the OpenAPI spec and auto-generated SDKs.
• ARM Docker Images.
• Greatly improved internal e2e test pipeline using Cypress 8.x.
• Improved functional tests with cupaloy snapshot testing.
• Documentation on different error codes and message identifiers to easier translate messages in your own UI.
• Better form decoding and ability to mark required JSON Schema fields as required in the UI.
• Bug fixes that could result in users ending up in irrecoverable UI states.
• Better support for return_to across flows (e.g. OIDC) and in custom UIs.
• SBOM Software Supply Chain scanning & reporting.
• Docker Image vulnerability checking as part of the release pipeline.
• Support sending emails via AWS SES SMTP.
• A REST endpoint to invalidate all an identity's sessions.

As you can see, much has happened and we are grateful for all the great interactions we have with you, every day!

Let's take a look at some of the breaking changes. Even though much was added, little has changed in breaking ways! This is a testament that Ory Kratos' internals and APIs are becoming more stable!

This release requires you to run SQL migrations. Please, as always, create a backup of your database first!

The SDKs are now generated with tag v0alpha2 to reflect that some signatures have changed in a breaking fashion. Please update your imports from v0alpha1 to v0alpha2.

The SMTPS scheme used in courier config URL with cleartext/StartTLS/TLS SMTP connection types is now only supporting implicit TLS. For StartTLS and cleartext SMTP, please use the SMTP scheme instead.

Example:

• SMTP Cleartext: smtp://foo:bar@my-mailserver:1234/?disable_starttls=true
• SMTP with StartTLS: smtps://foo:bar@my-mailserver:1234/ -> smtp://foo:bar@my-mailserver:1234/
• SMTP with implicit TLS: smtps://foo:bar@my-mailserver:1234/?legacy_ssl=true -> `smtps://foo:bar@my-mailserver:1234/We are extremely excited to share this next generation of Ory Kratos! The project is truly maturing and the community is getting larger by the hour.

On this special occasion, we would like to bring to your attention that the Ory Summit is happening tomorrow and on Friday! You will hear gripping talks from the Ory Community and Ory maintainers! And the best part, tickets are free and we are covering multiple time zones!

This release is truly the best version of Ory Kratos to date and we want to give you a tl;dr of the 345 commits and 1152 files changed, and what you can expect from this release:

• Full multi-factor authentication with different enforcement policies (soft/hard MFA).
• Support for WebAuthn (FIDO2 / U2F) two-factor authentication - from fingerprints to hardware tokens every FIDO2 device is supported!
• Ability to fetch the initial OAuth2 Access and Refresh and OpenID Connect ID Tokens an identity receives when performing social sign up. Optionally, these tokens are stored encrypted in the database (XChaCha20Poly1305 or AES-GCM)!
• Support for TOTP (Google Authenticator) two-factor verification/authentication.
• Advanced two-factor recovery with lookup secrets.
• A complete reference implementation of the Ory Kratos end-user (self-service) facing UI in ReactJS & VercelJS.
• "Native" support for Single-Page App Single Sign-On.
• Much improved single-page app and native app APIs for all self-service flows.
• Support for PKBDF2 password hashing, which will help import user passwords from other systems in the future.
• Bugfixes and improvements to the OpenAPI spec and auto-generated SDKs.
• ARM Docker Images.
• Greatly improved internal e2e test pipeline using Cypress 8.x.
• Improved functional tests with cupaloy snapshot testing.
• Documentation on different error codes and message identifiers to easier translate messages in your own UI.
• Better form decoding and ability to mark required JSON Schema fields as required in the UI.
• Bug fixes that could result in users ending up in irrecoverable UI states.
• Better support for return_to across flows (e.g. OIDC) and in custom UIs.
• SBOM Software Supply Chain scanning & reporting.
• Docker Image vulnerability checking as part of the release pipeline.
• Support sending emails via AWS SES SMTP.
• A REST endpoint to invalidate all an identity's sessions.

As you can see, much has happened and we are grateful for all the great interactions we have with you, every day!

Let's take a look at some of the breaking changes. Even though much was added, little has changed in breaking ways! This is a testament ...

v0.7.6-alpha.1

Resolves further issues in the SDK and release pipeline.

Code Generation

• Pin v0.7.6-alpha.1 release commit (8b0d1ee)

Changelog

9773455 autogen(docs): generate and format documentation
83062ec autogen: add v0.7.5-alpha.1 to version.schema.json
8b0d1ee autogen: pin v0.7.6-alpha.1 release commit

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.7-sqlite
• docker pull oryd/kratos:v0.7.6-sqlite
• docker pull oryd/kratos:v0.7.6-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.7
• docker pull oryd/kratos:v0.7.6
• docker pull oryd/kratos:v0.7.6-alpha.1
• docker pull oryd/kratos:latest

v0.7.5-alpha.1

Primarily resolves issues in the SDK pipeline.

Code Generation

• Pin v0.7.5-alpha.1 release commit (3a741a5)

Changelog

b0929b0 autogen(docs): generate and format documentation
5d61834 autogen(docs): generate and format documentation
71dcfca autogen(docs): update milestone document
20edaaa autogen: add v0.7.4-alpha.1 to version.schema.json
3a741a5 autogen: pin v0.7.5-alpha.1 release commit
e612c97 chore: update docusaurus template
7d47d05 ci: add test runner for SDKs (#1732)

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.7-sqlite
• docker pull oryd/kratos:v0.7.5-sqlite
• docker pull oryd/kratos:v0.7.5-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.7
• docker pull oryd/kratos:v0.7.5
• docker pull oryd/kratos:v0.7.5-alpha.1
• docker pull oryd/kratos:latest