Releases: ory/kratos

v1.1.0

20 Feb 12:26
f47675b

Ory Kratos v1.1.0

Ory Kratos v1.1 is the most complete, most scalable, and most secure open-source identity server on the planet, and we are thrilled to announce its release! This release comes with over 270 commits and an incredible amount of new features and capabilities!

Don't forget to leave a GitHub star and check out our other open source projects while you're here :)

  • Phone Verification & 2FA with SMS: Enhance convenient security with phone verification and two-factor authentication (2FA) via SMS, integrating easily with SMS gateways like Twilio. This feature not only adds a convenient layer of security but also offers a straightforward method for user verification, increasing your trust in user accounts.
  • Translations & Internationalization: Ory Kratos now supports multiple languages, making it accessible to a global audience. This improvement enhances the user experience by providing a localized interface, ensuring users interact with the system in their preferred language.
  • Native Support for Sign in with Google and Apple on Android/iOS: Get more sign-ups with native support for "Sign in with Google" and "Sign in with Apple" on mobile platforms. Great user experience matters!
  • Account Linking: Simplify user management with new features that facilitate account linking. If a user registers with a password and later signs in with a social account sharing the same email, new screens make account linking straightforward, enhancing user convenience and reducing support inquiries.
  • Passwordless "Magic Code": Introduce a passwordless login method with "Magic Code," which sends a one-time code to the user's email for sign-up and login. This method can also serve as a fallback when users forget their password or their social login is unavailable, streamlining the login process and improving user accessibility.
  • Session to JWT Conversion: Convert an Ory Session Cookie or Ory Session Token into a JSON Web Token (JWT), providing more flexibility in handling sessions and integrating with other systems. This feature allows for seamless authentication and authorization processes across different platforms and services.

Note: To ensure a seamless upgrade experience with minimal impact, some of these features are gated behind the feature_flags config parameter, allowing controlled deployment and testing.

  • Better reliability when sending out emails across different providers.
  • Streamlining the HTTP API and improving related SDK methods.
  • Better performance when calling the whoami API endpoint, updating identities, and listing identities.
  • The performance of listing identities has significantly improved with the introduction of keyset pagination. Page pagination is still available but will be fully deprecated soon.
  • Ability to list multiple identities in a batch call.
  • Passkeys and WebAuthn now support multiple origins, useful when working with subdomains.
  • The logout flow now redirects the user back to the return_to parameter set in the API call.
  • When updating their settings, the user was sometimes incorrectly asked to confirm the changes by providing their password. This issue has now been fixed.
  • When signing up with an account that already exists, the user will be shown a hint helping them sign in to their existing account.
  • CORS configuration can now be hot-reloaded.
  • The integration with Ory OAuth2 / Ory Hydra has improved for logout, login session management, verification, and recovery flows.
  • A new passwordless method has been added: "Magic code". It sends a one-time code to the user's email during sign-up and log-in. This method can additionally be used as a fallback login method when the user forgets their password.
  • Integration with social sign-in has improved, and it is now possible to use the email verified status from the social sign-in provider.
  • Ory Elements and the default Ory Account Experience are now internationalized with translations.
  • It is now possible to convert an Ory Session Cookie or Ory Session Token into a JSON Web Token.
  • Recovery on native apps has improved significantly and no longer requires the user to switch to a browser for the recovery step.
  • Administrators can now find users by their identifiers with fuzzy search - this feature is still in preview.
  • Importing HMAC-hashed passwords is now possible.
  • Webhooks can now update identity admin metadata.
  • New screens have been added to make account linking possible when a user has registered with a password and later tries signing in with a social account sharing the same email.
  • Ability to revoke all sessions of a user when they change their password.
  • Webhooks are now available for all login and registration methods, including Passkeys, TOTP, and others.
  • The login screen no longer shows “ID” for the primary identifier, but instead extracts the correct label - for example, “Email” or “Username” - from the Identity Schema.
  • Login hints help users with guidance when they are unable to sign in (wrong social sign-in provider) but have an active account.
  • Phone numbers can now be verified via an SMS gateway like Twilio.
  • SMS OTP is now a two-factor option.

The following features have been shipped exclusively to Ory Network for this version:

  • B2B SSO allows your customers to connect their LDAP / Okta / AD / … to your login. Ory selects the correct login provider based on the user’s email domain.
  • Significantly better API performance for expensive API operations by specifying the desired consistency (strong or eventual).
  • Finding users effortlessly with our new fuzzy search for credential identifiers available for the Identity List API.

Ory Kratos 1.1 is a major release that marks a significant milestone in our journey.

We sincerely hope that you find these new features and improvements in Ory Kratos 1.1 valuable for your projects. To experience the power of the latest release, we encourage you to get the latest version of Ory Kratos here or leverage Ory Kratos in Ory Network — the easiest, simplest, and most cost-effective way to run Ory.

For organizations seeking to upgrade their self-hosted solution, Ory offers enterprise support services to ensure a smooth transition. Our team is ready to assist you throughout the migration process, ensuring uninterrupted access to the latest features and improvements. Additionally, we provide various support plans specifically tailored for self-hosting organizations. These plans offer comprehensive assistance and guidance to optimize your Ory deployments and meet your unique requirements.

We extend our heartfelt gratitude to the vibrant and supportive Ory Community. Without your constant support, feedback, and contributions, reaching this significant milestone would not have been possible. As we continue on this journey, your feedback and suggestions are invaluable to us. Together, we are shaping the future of identity management and authentication in the digital landscape.

Contributors to this release in no particular order: moose115K3dassidarthaefeslerBrandonNoad ,Saancreedjpogorzelskidreksxmartinloesethjensencpoyatos1misamutristankenneynxy7anhnmt

Are you passionate about security and want to make a meaningful impact in one of the biggest open-source communities? Join the Ory community and become a part of the new ID stack. Together, we are building the next generation of IAM solutions that empower organizations and individuals to secure their identities effectively.

Want to check out Ory Kratos yourself? Use these commands to get your Ory Kratos project running on the Ory Network:

brew install ory/tap/cli

scoop bucket add ory https://github.com/ory/scoop.git
scoop install ory

bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory
sudo mv ./ory /usr/local/bin/

ory auth login

ory create project --name "My first Kratos project"

ory open account-experience registration

ory patch identity-config \
  --replace '/identity/default_schema_id="preset://username"' \
  --replace '/identity/schemas=[{"id":"preset://username","url":"preset://username"}]' \
  --format yaml

ory open account-experience registration

Breaking Changes

Pagination parameters for the list identities CLI command have changed from positional arguments to the flags --page-token and --page-size:

- kratos list identities 1 100
+ kratos list identities --page-size 100 --page-token ...

Furthermore, the JSON / JSON pretty output of list identities has changed:

-[
-  { "id": "..." },
-  { /* ... */ },
-  // ...
-]
...

v1.0.0

12 Jul 20:24
41b7c51

We are thrilled to announce Ory Kratos v1.0, the powerful Identity, User Management, and Authentication system! With this major update, Ory Kratos brings a host of enhancements and fixes that greatly improve the user experience and overall performance.


Ory Kratos 1.0 is stable and robust

Several compelling reasons led us to label Ory Kratos as a major release and a graduated project: Ory Identities on Ory Network, powered by Ory Kratos, has been serving production traffic flawlessly for well over a year. Ory Kratos is successfully processing over 100 million API requests daily and has about 100 million Docker pulls. We have maintained stability within the Ory Kratos APIs for nearly two years, demonstrating their robustness and reliability. No breaking changes mean that developers can trust the stability of Ory Kratos in production.

Notable changes

Ory Kratos 1.0 introduces a variety of new features while focusing on stability, robustness, and improved performance. Major enhancements include support for social login and single sign-on via OpenID Connect in native apps, emails sent through HTTP rather than SMTP, and full compatibility with Ory Hydra v2.2.0. Users will also find multi-region support in the Ory Network for broader geographic reach, improved export functionality for all credential types, and enhanced session management with the introduction of the "provider ID" parameter. Other additions comprise distroless images for leaner resource utilization and faster deployment, and support for the Lark OIDC provider.

New features and full multi-region support in Ory Network

Significant improvements and fixes accompany these new features. Enhanced OIDC flows now include the ability to forward prompt upstream parameters, offering developers increased flexibility and customization options. The logout flow also supports the return_to parameter, facilitating more flexible redirection post-user logout. Performance has been a key focus, with Ory Kratos 1.0 now capable of handling hundreds of millions of active users monthly. Critical bug fixes have been applied to prevent users from being redirected to incorrect destinations, ensuring smoother authentication and authorization. Additionally, there's more support for legacy systems via implemented crypt(3) hashers and a fix for metadata patching has been deployed to ensure consistent user metadata management. For a detailed view of all changes, refer to the changelog on GitHub. Feedback and support are, as always, greatly appreciated.

Support options for Ory Kratos 1.0

Ory Kratos 1.0 is a major release that marks a significant milestone in our journey.

We sincerely hope that you find these new features and improvements in Ory Kratos 1.0 valuable for your projects. To experience the power of the latest release, we encourage you to get the latest version of Ory Kratos here or leverage Kratos in Ory Network — the easiest, simplest, and most cost-effective way to run Ory.

For organizations seeking to upgrade their self-hosted solution, Ory offers dedicated support services to ensure a smooth transition. Our team is ready to assist you throughout the migration process, ensuring uninterrupted access to the latest features and improvements. Additionally, we provide various support plans specifically tailored for self-hosting organizations. These plans offer comprehensive assistance and guidance to optimize your Ory deployments and meet your unique requirements.

A Shoutout to the Ory Community

We extend our heartfelt gratitude to the vibrant and supportive Ory Community. Without your constant support, feedback, and contributions, reaching this significant milestone would not have been possible. As we continue on this journey, your feedback and suggestions are invaluable to us. Together, we are shaping the future of identity management and authentication in the digital landscape.

Contributors to this release in alphabetical order: borisroman, ci42, CNLHC, David-Wobrock, giautm, IchordeDionysos, indietyp, jossbnd, kralicky, PhakornKiong, sunakan, steverusso

Are you passionate about security and want to make a meaningful impact in one of the biggest open-source communities? Join the Ory community and become a part of the new ID stack. Together, we are building the next generation of IAM solutions that empower organizations and individuals to secure their identities effectively.

Give it a go

Want to check out Ory Kratos yourself? Use these commands to get your Ory Kratos project running on the Ory Network:

brew install ory/tap/cli

scoop bucket add ory https://github.com/ory/scoop.git
scoop install ory

bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory
sudo mv ./ory /usr/local/bin/

ory auth

ory create project --name "My first Kratos project"

ory open account-experience registration

ory patch identity-config \
  --replace '/identity/default_schema_id="preset://username"' \
  --replace '/identity/schemas=[{"id":"preset://username","url":"preset://username"}]' \
  --format yaml

ory open account-experience registration

Bug Fixes

  • Ability to patch metadata even if it is null (#3304) (3c04d8f)

  • Accept OIDC login request in browser+JSON login flow (#3271) (ad54093):

    • fix: OIDC login in browser JSON flow

    • test: add test for OIDC+JSON continuity cookie

  • Add error checking when creating verification code (#3328) (7182eca)

  • Add missing SessionIssued event for api flows (#3348) (adf78e0):

    • fix: missing SessionIssued event for api flows
    • chore: add SessionIssued event to post registration hook
    • chore: format
    • chore: move sessionissued event to persister
  • Bump quickstart version (#3257) (6db70a8)

  • Cypress TOTP test (eac908c)

  • Do not require items to be unique (#3349) (17be30d)

  • Don't assume the login challenge to be a UUID (#3317) (3172862):

    For compatibility with ory/hydra#3515, which
    now encodes the whole flow in the login challenge, we cannot further
    assume that the challenge is a UUID.

  • e2e: Install kratos-selfservice-ui-node peer deps (#3354) (ce20063)

  • Identity list pagination (#3325) (9d3ef0d):

    Resolves a pesky issue that would skip the last page.

  • IdentityCreated event (#3314) (78e31cb)

  • Incorrect override in identity hydrate (#3368) (eaa3f3c)

  • Increase size for request url (#3366) (10713cc)

  • Minor refactorings in package hash (#3186) (831fb19)

  • Missing id for login event (#3315) (b6b80a3)

  • Properly normalize uppercase mail addresses (4984e0f):

    Fixes #3187
    Fixes #3289

  • Provide index hint in QueryForCredentials (#3329) (4ba530e):

    • fix: provide index hint in QueryForCredentials

    • feat: remove customizable join pr...


v0.13.0

18 Apr 17:07
349d0ee

We’re excited to announce the release of Ory Kratos v0.13.0! This update brings many enhancements and fixes, improving the user experience and overall performance. In general, Ory Kratos is reaching complete API stability and we're adding some missing features next, paving the road to v1.0.

Ory Kratos serves over 500M users monthly in various companies, and is the backbone of the Ory Network (the best, cheapest, easiest way to run Ory).

Here are the highlights:

  • We’ve added new social sign-in options with Patreon OIDC and LinkedIn providers, making it even easier for your users to register and log in. Furthermore, we’ve introduced a new admin API that allows you to remove specific 2nd factor credentials, giving you more control over your user accounts.
  • Performance has been a key focus in this release. We’ve optimized the whoami calls, parallelized the getIdentity and getSession calls, and made asynchronous webhooks fully async. These improvements will result in faster response times and a smoother experience for your users. Additionally, we’ve implemented better tracing to help you diagnose and resolve issues more effectively.
  • We’ve also made several updates to the webhook system. A new response.parse configuration has been introduced, allowing you to update identity data during registration. This includes admin/public metadata, identity traits, enabling/disabling identity, and modifying verified/recovery addresses. Please note that can_interrupt is now deprecated in favor of response.parse.
  • Lastly, we’ve made several important fixes, such as resolving the wrong message ID on resend code buttons, implementing the offline scope as Google expects, and improving the OIDC flow on duplicate account registration. We’ve also added the ability to configure whether the system should notify unknown recipients when attempting to recover an account or verify an address, enhancing security with “anti-account-enumeration measures.”

We hope you enjoy these new features and improvements in Ory Kratos v0.13.0! All features are already live on the Ory Network - the simplest, fastest and most scalable way to run Ory.

Please note that the v0.12.0 release was skipped due to CI issues.

Head over to the changelog at https://github.com/ory/kratos/blob/master/CHANGELOG.md to read all the details. As always, we appreciate your feedback and support!

Breaking Changes

By default, Kratos no longer sends out emails to unknown recipients, that is, to addresses that do not belong to any account, when a recovery or verification flow is submitted for them. If you want to keep notifying unknown addresses (keep the current behavior), set selfservice.flows.recovery.notify_unknown_recipients to true for recovery, or selfservice.flows.verification.notify_unknown_recipients for verification flows.
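
The reason the default flipped is account enumeration. The following Go model is an added illustration, not Kratos code: a recovery submission that answers identically for known and unknown addresses, where a flag mirroring notify_unknown_recipients decides only whether a courier message is queued. The Identities map, the Message type, the response text and the template names are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// RecoveryConfig mirrors the notify_unknown_recipients switch from the
// release notes. Hypothetical struct, not Kratos' own configuration type.
type RecoveryConfig struct {
	NotifyUnknownRecipients bool
}

// Message is a constructed stand-in for an e-mail queued for the courier.
// Template names are constructed labels, not Kratos template IDs.
type Message struct {
	To       string
	Template string // "recovery-valid" or "recovery-unknown"
}

// Response is what the client gets back. It is the same for known and
// unknown addresses, so the HTTP response cannot be used to enumerate accounts.
type Response struct {
	Status  int
	Message string
}

// Identities is the constructed "database": recovery addresses that belong
// to an account, stored lower-cased.
type Identities map[string]bool

// SubmitRecovery models the recovery-flow submission. The only difference
// between a known and an unknown address is the side effect: which message,
// if any, is queued. A nil message means "say nothing, send nothing".
func SubmitRecovery(cfg RecoveryConfig, ids Identities, address string) (Response, *Message) {
	// Constructed response text; it must not depend on whether the address exists.
	resp := Response{Status: 200, Message: "If that address belongs to an account, a recovery code is on its way."}
	addr := strings.ToLower(strings.TrimSpace(address))

	if ids[addr] {
		return resp, &Message{To: addr, Template: "recovery-valid"}
	}
	if cfg.NotifyUnknownRecipients {
		// Previous behaviour (kept when the flag is true): mail the unknown
		// address that no account exists. That turns the endpoint into a way to
		// send mail to arbitrary addresses and gives the inbox owner a different
		// observable than a real account gets.
		return resp, &Message{To: addr, Template: "recovery-unknown"}
	}
	// New default: identical response, no message.
	return resp, nil
}

func main() {
	ids := Identities{"alice@example.com": true}
	for _, a := range []string{"Alice@Example.com", "nobody@example.com"} {
		r, m := SubmitRecovery(RecoveryConfig{}, ids, a)
		fmt.Printf("%-20s -> %d %q queued=%v\n", a, r.Status, r.Message, m != nil)
	}
}
```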

Bug Fixes

  • Access rules example (#3178) (a206772)

  • Account experience redirects to verification page (#3195) (2e96d75)

  • Account settings broken on OIDC removal (#3185) (61ae531), closes ory-corp/cloud#3514

  • Add after_verification_return_to to sdk and api docs (#3097) (c70704c), closes #3096

  • Add HydraLoginRequest on flow creation (#3152) (09312dd), closes #3108:

    The oauth2_login_request field was missing when initially creating the login flow.

  • Add missing code discriminator in updateVerificationFlow (#3213) (21576be)

  • Add missing index (#3181) (756bed4)

  • Add mutex to test SMTP server setup/teardown (20c2359)

  • Avoid unchecked casts from IdentityPool to PrivilegedIdentityPool (71d35dd)

  • Correctly apply patches to identity metadata (#3103) (1193a56), closes #2950

  • Do not omit last page on identity list (#3169) (f95f48a)

  • Don't return 500 if active strategy is disabled (#3197) (3a734c2)

  • Don't reuse ports in courier/SMTP tests (#3156) (e260fcf)

  • Don't treat missing session as error in tracing (290d28a)

  • Error messages in OpenAPI/Swagger / improve error messages from failed webhooks and client timeouts (#3218) (b1bdcd3)

  • Handle upstream errors in patreon provider (#3032) (39fa31f)

  • Identity.CopyWithoutCredentials (989c99d)

  • Implement offline scope in the way google expects (#3088) (39043d4)

  • Improve webhook resilience (#3200) (0a05d99):

    • fix: improve webhook logging
    • chore: bump x
    • feat: decouple context in PostRegistrationPostPersist hook
  • Invalid SQL syntax in ListIdentities (#3202) (162ab9b):

    PostgreSQL does not support ... WHERE x IN ( ) with an empty argument list.

  • Issuer missing from netid claims (#3080) (dec7cbc):

    The NetID provider omits the issuer claim in the userinfo response. To resolve this issue, the ID token returned by NetID is now validated and its sub and iss values are used.

  • Lint errors and unused code (ae49ef0)

  • Make async webhooks fully async (#3111) (342bfb0)

  • Make session AAL satisfaction check resilient against a nil identity in the session (5ab1a56):

    Also fix tracing.

  • Missing issuer regression in OIDC (#3220) (52f0740):

    Closes #3182
    Closes #3040

  • Nolint comment (93e6501)

  • Only return one result set for credentials_identifier (#3107) (59f35d1), closes #3105

  • Orphaned webhook spans (a7f9414)

  • Re-use existing CSRF token in verification flows (#3188) (08a3447):

    • fix: re-use existing CSRF token in verification flows

    • chore: fix if/else

  • Reduce SQL tracing noise (1650426)

  • Remove http.Redirect from show_verification_ui hook (#3238) (054705b)

  • Remove network omit flag (#3066) (c629b72)

  • Report correct errors for json schema validation (#3085) (9477ea4):

    • Implemented the translation of jsonschema.ValidationError to errors codes documented here
    • Added missing error codes for relevant schema errors
      Validation Name ID
      maxLength Er...

v0.11.1

14 Jan 11:40
  • Fixed several bugs to improve overall stability.
  • Optimized performance for faster load times and smoother operation.
  • Improved tracing capabilities for better debugging and issue resolution.

We are constantly working to improve Ory Kratos and this release is no exception. Thank you for using Ory and please let us know if you have any feedback or encounter any issues.

Breaking Changes

The /admin/courier/messages endpoint now uses keyset pagination instead.

Bug Fixes

  • Add missing indexes (#2973) (bbb3995)

  • Add missing indexes for identity delete (#2952) (dc311f9):

    This significantly improves the performance of identity deletes.

  • Cors headers not added to the response #2922 (#2934) (1ed6839)

  • Dont reset to false (#2965) (ae8ad7b)

  • Flaky test now stable (4e5dcd0)

  • Listing sessions query (#2958) (3e06c99), closes #2930

  • Missing index on courier list count (#3002) (3b50711)

  • Pin geckodriver version to bypass GitHub API quota (#2972) (585cb9e)

  • Quickstart demos (#2940) (a7720b2)

  • Remove duplicate query in GetIdentity (#2987) (33b01bb)

  • Remove unused x-session-cookie parameter (#2983) (56b5c26):

    This patch removes the undocumented and experimental X-Session-Cookie header from the /sessions/whoami endpoint.

  • Resilient social sign in (#3011) (ca35b45)

  • Respect return_to URL parameter in registration flow when the user is already registered (#2957) (3462ce1)

  • Set accept header for GitLab (#2998) (e892113)

  • Set config at the start (e58bc6e)

  • Spurious cancelation of async webhooks, better tracing (#2969) (72de640):

    Previously, async webhooks (response.ignore=true) would be canceled
    early once the incoming Kratos request was served and its associated
    context released. We now dissociate the cancellation of async hooks
    from the normal request processing flow.

  • TOTP internal context after saving settings (#2960) (8b647b1), closes #2680

  • Update pquerna/otp to fix TOTP URL encoding (#2951) (7248636):

    v1.4.0 fixes generating TOTP URLs. Query params now use %20 instead of +
    to encode spaces. + was not correctly interpreted by some Android
    authenticator apps, and would show up in the issuer name, e.g. "My+Issuer"
    instead of "My Issuer".

  • Update year (d77e2cf)

  • Webhook tracing instrumentation+memory leak (f0044a3)
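
The cancellation described in the async-webhook fix above reproduces in a few lines of Go. This is an added example, not Kratos code: DispatchAsync runs a hook either on the request context (pre-fix) or on a detached context that keeps request-scoped values but drops the request's cancellation, bounded by its own timeout so a hung target cannot leak the goroutine. The ctxKey, slowHook and RunScenario helpers are constructed.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// ctxKey is a constructed key standing in for request-scoped values (a trace
// span, the network ID) that an async hook still wants to read.
type ctxKey string

// detachedCtx keeps the parent's values but has no cancellation and no
// deadline. Go 1.21's context.WithoutCancel does the same; it is spelled out
// here so the example also builds on older toolchains.
type detachedCtx struct{ parent context.Context }

func (detachedCtx) Deadline() (time.Time, bool)       { return time.Time{}, false }
func (detachedCtx) Done() <-chan struct{}             { return nil }
func (detachedCtx) Err() error                        { return nil }
func (d detachedCtx) Value(k interface{}) interface{} { return d.parent.Value(k) }

// Detach returns a context that survives the request's cancellation but is
// still bounded by hookTimeout.
func Detach(reqCtx context.Context, hookTimeout time.Duration) (context.Context, context.CancelFunc) {
	return context.WithTimeout(detachedCtx{parent: reqCtx}, hookTimeout)
}

// DispatchAsync runs hook in the background and reports its result on the
// returned channel. detach=false shares the request context (the bug);
// detach=true gives the hook a detached, timeout-bounded context (the fix).
func DispatchAsync(reqCtx context.Context, detach bool, hookTimeout time.Duration,
	hook func(ctx context.Context) error) <-chan error {
	out := make(chan error, 1)
	ctx, cancel := reqCtx, context.CancelFunc(func() {})
	if detach {
		ctx, cancel = Detach(reqCtx, hookTimeout)
	}
	go func() {
		defer cancel()
		out <- hook(ctx)
	}()
	return out
}

// slowHook stands in for an HTTP webhook call that needs `work` to complete
// and honours context cancellation like net/http does.
func slowHook(work time.Duration) func(ctx context.Context) error {
	return func(ctx context.Context) error {
		select {
		case <-ctx.Done():
			return ctx.Err()
		case <-time.After(work):
			return nil
		}
	}
}

// RunScenario serves a "request", fires the async hook, then finishes the
// request (releasing its context) before the hook is done. It returns the
// hook's error: context.Canceled reproduces the bug, nil is the fixed behaviour.
func RunScenario(detach bool) error {
	reqCtx, finishRequest := context.WithCancel(
		context.WithValue(context.Background(), ctxKey("nid"), "constructed-nid"))
	res := DispatchAsync(reqCtx, detach, 2*time.Second, slowHook(50*time.Millisecond))
	finishRequest() // response written, request context released
	return <-res
}

// DetachKeepsValues checks that detaching drops cancellation but not values.
func DetachKeepsValues() bool {
	reqCtx, finish := context.WithCancel(
		context.WithValue(context.Background(), ctxKey("nid"), "constructed-nid"))
	ctx, cancel := Detach(reqCtx, time.Second)
	defer cancel()
	finish()
	return ctx.Err() == nil && ctx.Value(ctxKey("nid")) == "constructed-nid"
}

func main() {
	fmt.Println("shared request context:", RunScenario(false))
	fmt.Println("detached context:      ", RunScenario(true))
	fmt.Println("values survive detach: ", DetachKeepsValues())
}
```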

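The TOTP URL encoding fix above is easy to see side by side. The following added example (not code from Kratos or pquerna/otp) builds the otpauth URL both ways, parses it back, and, going one step beyond the page, computes the RFC 6238 code for the enrolled secret so the whole enrolment can be checked offline. The TOTPParams type and the sample issuer, account and secret are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// TOTPParams describes one enrolled authenticator (constructed type).
type TOTPParams struct {
	Issuer  string
	Account string
	Secret  []byte
	Digits  int
	Period  int
}

// label is the path segment; PathEscape turns a space into %20 and leaves
// ':' and '@' alone.
func (p TOTPParams) label() string { return url.PathEscape(p.Issuer + ":" + p.Account) }

// secretB32 encodes the secret as unpadded base32, as otpauth URLs expect.
func (p TOTPParams) secretB32() string {
	return base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(p.Secret)
}

// NaiveURL is the pre-fix shape: url.Values.Encode escapes a space as "+",
// which is legal in a form-encoded query but was rendered literally
// ("My+Issuer") by some Android authenticators.
func NaiveURL(p TOTPParams) string {
	q := url.Values{}
	q.Set("secret", p.secretB32())
	q.Set("issuer", p.Issuer)
	q.Set("algorithm", "SHA1")
	q.Set("digits", fmt.Sprint(p.Digits))
	q.Set("period", fmt.Sprint(p.Period))
	return "otpauth://totp/" + p.label() + "?" + q.Encode()
}

// queryEscape20 escapes one query component with %20 for spaces. A literal
// '+' in the input is already %2B after QueryEscape, so replacing the
// remaining '+' characters only touches spaces.
func queryEscape20(s string) string {
	return strings.ReplaceAll(url.QueryEscape(s), "+", "%20")
}

// FixedURL is the post-fix shape with %20-encoded spaces.
func FixedURL(p TOTPParams) string {
	params := []string{
		"secret=" + p.secretB32(),
		"issuer=" + queryEscape20(p.Issuer),
		"algorithm=SHA1",
		"digits=" + fmt.Sprint(p.Digits),
		"period=" + fmt.Sprint(p.Period),
	}
	return "otpauth://totp/" + p.label() + "?" + strings.Join(params, "&")
}

// IssuerFromURL parses an otpauth URL the way a conforming client does;
// Go's parser decodes both "+" and "%20" in the query as a space.
func IssuerFromURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "otpauth" || u.Host != "totp" {
		return "", fmt.Errorf("not a TOTP otpauth URL: %q", raw)
	}
	return u.Query().Get("issuer"), nil
}

// TOTPCode computes the RFC 6238 TOTP (HMAC-SHA1) for the given time.
func TOTPCode(secret []byte, at time.Time, period, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(at.Unix())/uint64(period))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.4
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

func main() {
	p := TOTPParams{Issuer: "My Issuer", Account: "alice@example.com",
		Secret: []byte("12345678901234567890"), Digits: 6, Period: 30} // RFC 6238 test secret
	fmt.Println("before:", NaiveURL(p))
	fmt.Println("after: ", FixedURL(p))
	fmt.Println("code at t=59s:", TOTPCode(p.Secret, time.Unix(59, 0), p.Period, p.Digits))
}
```
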
Code Generation

  • Pin v0.11.1 release commit (41595c5)

Features

  • Add client IP to span events (7ce3a74)

  • Add NID to logs in courier (#2956) (b407aa9)

  • Improve error message when no session is found (#2988) (7ad2b97)

  • Improve tracing (#2992) (04d0280)

  • Remove duplicate queries from whoami calls (#2995) (b50a222), closes #2402:

    Introduces an expand API to the identity persister which greatly improves whoami performance.

  • Require verification on login (#2927) (efb8ae8)

  • Store errors of courier message (#2914) (fc7aa86)

Changelog

  • 727439c autogen(docs): generate and bump docs
  • b3b6f88 autogen(docs): regenerate and update changelog
  • d8d47c9 autogen(docs): regenerate and update changelog
  • ac05259 autogen(docs): regenerate and update changelog
  • d8a2cbd autogen(docs): regenerate and update changelog
  • a3096c7 autogen(docs): regenerate and update changelog
  • e11ba52 autogen(docs): regenerate and update changelog
  • 4e1d470 autogen(docs): regenerate and update changelog
  • 0b109cd autogen(docs): regenerate and update changelog
  • 97e9356 autogen(docs): regenerate and update changelog
  • 5917258 autogen(docs): regenerate and update changelog
  • d895a26 autogen(docs): regenerate and update changelog
  • b6bd3f4 autogen(docs): regenerate and update changelog
  • 8fbb1bb autogen(docs): regenerate and update changelog
  • 8bb3f2a autogen(docs): regenerate and update changelog
  • 83131fc autogen(docs): regenerate and update changelog
  • 935d115 autogen(docs): regenerate and update changelog
  • 94e01a9 autogen(docs): regenerate and update changelog
  • c52425e autogen(docs): regenerate and update changelog
  • 6fddfbf autogen(docs): regenerate and update changelog
  • 03b3c29 autogen(docs): regenerate and update changelog
  • 6134150 autogen(docs): regenerate and update changelog
  • ce72501 autogen(openapi): regenerate swagger spec and internal client
  • bef1a6c autogen: add v0.11.0 to version.schema.json
  • 41595c5 autogen: pin v0.11.1 release commit
  • 2f9b001 chore: add missing security annotations to admin handlers (#2937)
  • 561e568 chore: cleanup test (#2964)
  • 20da533 chore: pin nancy (#2977)
  • 131b8c5 chore: update repository templates to ory/meta@a1264fa
  • ab1abee ci: fix dockle action
  • fc2787b docs: improve api headline (#2989)
  • b407aa9 feat: add NID to logs in courier (#2956)
  • 7ce3a74 feat: add client IP to span events
  • 7ad2b97 feat: improve error message when no session is found (#2988)
  • 04d0280 feat: improve tracing (#2992)
  • b50a222 feat: remove duplicate queries from whoami calls (#2995)
  • efb8ae8 feat: require verification on login (#2927)
  • fc7aa86 feat: store errors of courier message (#2914)
  • 8b647b1 fix: TOTP internal context after saving settings (#2960)
  • bbb3995 fix: add missing indexes (#2973)
  • dc311f9 fix: add missing indexes for identity delete (#2952)
  • 1ed6839 fix: cors headers not added to the response #2922 (#2934)
  • ae8ad7b fix: dont reset to false (#2965)
  • 4e5dcd0 fix: flaky test now stable
  • 3e06c99 fix: listing sessions query (#2958)
  • 3b50711 fix: missing index on courier list count (#3002)
  • 585cb9e fix: pin geckodriver version to bypass GitHub API quota (#2972)
  • a7720b2 fix: quickstart demos (#2940)
  • 33b01bb fix: remove duplicate query in GetIdentity (#2987)
  • 56b5c26 fix: remove unused x-session-cookie parameter (#2983)
  • ca35b45 fix: resilient social sign in (#3011)
  • 3462ce1 fix: respect return_to URL parameter in registration flow when the user is already re...

v0.11.0

02 Dec 18:41

The 2022 winter release of Ory Kratos is here, and we are extremely excited to share with you some of the highlights included:

  • Ory Kratos now supports verification and recovery codes, which are now the default strategy and should be used instead of magic links.
  • Import of MD5-hashed passwords is now supported.
  • Ory Kratos can now act as the login app for the Ory Hydra Consent & Login Flow using the oauth2_provider.url configuration value.
  • Ory Kratos' SDK is now released as version 1. Learn more in the upgrade guide.
  • New APIs are available to manage Ory Sessions.
  • Ory Sessions now contain device information.
  • Added all claims to the Social Sign-In data mapper as well as the option to customize admin and public metadata.
  • Add webhooks that can block the request, useful to do some additional validation.
  • Add asynchronous webhooks which do not block the request.
  • A CLI helper to clean up stale data.

Please read the changelog carefully to identify changes which might affect you. Always test upgrading with a copy of your production system before applying the upgrade in production.

Breaking Changes

This patch changes the behavior of the recovery flow. It introduces a new strategy for account recovery that sends out short "one-time passwords" (code) that a user can use to prove ownership of their account and recover access to it. This PR also updates the default recovery strategy to code.

This patch invalidates recovery flows initiated using the Admin API. Please re-generate any admin-generated recovery flows and tokens.

This is a breaking change, as it removes the courier.message_ttl config key and replaces it with a counter courier.message_retries.

Closes #402
Closes #1598

SDK Method getJsonSchema was renamed to getIdentitySchema.

Bug Fixes

  • Active attribute based off IsActive checks (#2901) (bcbf68e)

  • Add issuerURL for apple id (#2565) (2aeb0a2):

    No issuer url was specified when using the Apple ID provider,
    this forced users to manually enter it in the provider config.

    This PR adds the Apple ID issuer url to the provider simplifying the setup.

  • Add missing go.mod to docker build (7c4964e)

  • Add support for verified Graph API calls for facebook oidc provider (#2547) (1ba7c66)

  • Admin recovery CSRF & duplicate form elements (#2846) (de80b7f)

  • Bump docker image (#2594) (071c885)

  • Bump graceful to deal with http header timeouts (9ce2d26)

  • Cache migration status (#2631) (9020738):

    See ory-corp/cloud#2691

  • Check return code of ms graphapi /me request. (#2647) (3f490a3)

  • cli: Dry up code (#2572) (d1b6b40)

  • Codecov (#2879) (e446c5a)

  • Correct name of span on recovery code deletion (#2823) (44f775f)

  • Correctly calculate expired_at timestamp for FlowExpired errors (#2836) (ddde43e)

  • Debugging Docker setup (#2616) (aaabe75)

  • Disappearing title label on verification and recovery flow (#2613) (29aa3b6), closes #2591

  • Distinguish credential types properly when collecting identifiers (#2873) (705f7b1)

  • Do not crash process on invalid smtp url (#2890) (c5d3ebc):

    Closes ory-corp/cloud#3321

  • Do not double-commit webhooks on registration (#2888) (88e75d9)

  • Do not invalidate recovery addr on update (#2699) (1689bb9)

  • docker: Add missing dependencies (#2643) (c589520)

  • docker: Update images (b5f80c1)

  • Duplicate messages in recovery flow (#2592) (43fcc51)

  • Express e2e tests for new account experience (#2708) (84ea0cf)

  • Format (0934def)

  • Format check stage in the CI (#2737) (bbe4463)

  • Gosec false positives (e3e7ed0)

  • Identity sessions list response includes pagination headers (#2763) (0c2efa2), closes #2762

  • identity: Migrate identity_addresses to lower case (#2517) (c058e23), closes #2426

  • Ignore commata in HIBP response (0856bd7)

  • Ignore CSRF for session extension on public route (866b472)

  • Ignore error explicitly (772d596)

  • Improve migration status speed (#2637) (a2e3c41)

  • Include flow id in use recovery token query (#2679) (d56586b):

    This PR adds the selfservice_recovery_flow_id to the query used when "using" a token in the recovery flow.

    This PR also adds a new enum field for identity_recovery_tokens to distinguish the two flows: admin versus self-service recovery.

  • Include metadata_admin in admin identity list response (#2791) (aa698e0), closes #2711

  • Incorrect swagger annotation for getSession (#2891) (797ea68)

  • lint: Fixed lint error causing ci failures (4aab5e0)

  • Make courier.TemplateType an enum (#2875) (65aeb0a)

  • Make hydra consistently localhost (70211a1)

  • Make ID field in VerifiableAddress struct optional (#2507) (0844b47), closes #2506

  • Make servicelocator explicit (4f841da)

  • Make swagger/openapi go 1.19 compatible (fec6772)

  • Mark gosec false positives (13eaddb)

  • Metadata should not be required ([05afd68](05afd68381abe58c5e7cdd51cb...

Read more

v0.10.1

01 Jun 11:15

Re-release the SDK.

Bug Fixes

Code Generation

  • Pin v0.10.1 release commit (ab16580)

Changelog

  • 290dbd7 autogen(docs): generate and bump docs
  • 0290986 autogen(docs): regenerate and update changelog
  • fb2ddf3 autogen(docs): regenerate and update changelog
  • 94c620d autogen: add v0.10.0 to version.schema.json
  • ab16580 autogen: pin v0.10.1 release commit
  • 12ceae0 fix: bump ory cli

Artifacts can be verified with cosign using this public key.

v0.10.0

30 May 13:09

We achieved a major milestone: Ory Kratos is out of alpha! Ory Kratos has had no major API changes for the last months, and we feel confident that no large breaking changes will need to be introduced in the near future.

This release focuses on quality-of-life improvements, resolves several bugs, irons out developer experience issues, and introduces session renewal capabilities!

Breaking Changes

Please be aware that the SDK method signatures for submitSelfServiceRecoveryFlow, submitSelfServiceRegistrationFlow, submitSelfServiceLoginFlow, submitSelfServiceSettingsFlow, submitSelfServiceVerificationFlow might have changed in your SDK.

This patch moves several CLI commands to comply with the Ory CLI command structure:

- ory identities get ...
+ ory get identity ...

- ory identities delete ...
+ ory delete identity ...

- ory identities import ...
+ ory import identity ...

- ory identities list ...
+ ory list identities ...

- ory identities validate ...
+ ory validate identity ...

- ory jsonnet format ...
+ ory format jsonnet ...

- ory jsonnet lint ...
+ ory lint jsonnet ...


Bug Fixes

  • Add flow id when return_to is passed to the verification (#2482) (c2b1c23)

  • Add indices for slow queries (e0cdbc9)

  • Add legacy session value (ecfd052), closes #2398

  • auth0: Created_at workaround (#2492) (52a965d), closes #2485

  • Avoid excessive memory allocations in HIBP cache (#2389) (ee2d410), closes #2354

  • Change SQLite database mode to 0600 (#2344) (0e5d3b7):

    The default mode is 0644, which allows broader access than necessary.

  • Compile issues from merge conflict (#2419) (85a90c8)

  • Correct location (b249aaa)

  • courier: Add ability to specify backoff (#2349) (bf970f3)

  • Do not expose debug in a response when a schema is not found (#2348) (aee2b1e)

  • Do not fail release if no changes needed (114c93e)

  • Dockerfile: Use existing builder base image (#2390) (37de25a)

  • Embed schema (b797bba)

  • Get user first name and last name from Apple (#2331) (4779909)

  • Improve error reporting from OpenAPI (8a1009b)

  • Improve performance of identity schema call (af28de2)

  • Internal Server Error on Empty PUT /identities/id body (#2417) (5a50231)

  • Load return_to and append to errors (#2333) (5efe4a3), closes #2275 #2279 #2285

  • Make delete formattable (0005f35)

  • Mark body as required (#2479) (c9ae117)

  • New issue templates (b9ad684)

  • Openapi regression (#2465) (37a3369)

  • Quickstart docker-compose (#2490) (9717762), closes #2488

  • Refresh is always false when session exists (d3436d7), closes #2341

  • Remove required legacy field (#2410) (638d45c)

  • Remove wrong templates (4fe2d25)

  • Reorder transactions (78ca4c6)

  • Resolve index naming issues (d5550b5)

  • Resolve MySQL index issues (50bdba9)

  • Resolve otelx panics (6613a02)

  • sdk: Improved OpenAPI specifications for UI nodes (#2375) (a42a0f7), closes #2357

  • Serve.admin.request_log.disable_for_health behaviour (#2399) (0a381fa)

  • sql: Add additional join argument to resolve MySQL query issue (854e5cb), closes #2262

  • Unreliable HIBP caching strategy (#2468) (93bf1e2)

  • Use path instead of filepath to join http route paths (16b1244), closes #2292

  • Use JOIN instead of iterative queries (0998cfb), closes #2402

  • Use pointer of string for PasswordIdentifier in example code (#2421) (61f12e7)

  • Use predictable SQLite in memory DSNs (#2415) (51a13f7), closes #2059

Code Generation

  • Pin v0.10.0 release commit (87e0de7)

Code Refactoring

  • Deprecate fizz renderer (5277668)
  • Move CLI commands to match Ory CLI structure (d11a9a9)
  • Move CLI commands to match Ory CLI structure (73910a3)

Documentation

  • Add docs about change in default schema (#2447) (5093cd4)
  • Remove notice importing credentials not possible (#2418) (b80ed69)

Features

  • Add certificate based authentication for smtp client (#2351) (7200037)
  • Add ID to the recovery error when already logged in (#2483) (29e4a51)
  • Add localName to smtp config (#2445) (27336b6), closes [#2425...
Read more

v0.9.0-alpha.3

25 Mar 10:02
32e36d4
v0.9.0-alpha.3 Pre-release

Resolves an issue in the quickstart.

Breaking Changes

Calling /self-service/recovery without flow ID or with an invalid flow ID while authenticated will now respond with an error instead of redirecting to the default page.

Closes ory-corp/cloud#2173

Co-authored-by: aeneasr 3372410+aeneasr@users.noreply.github.com

Bug Fixes

  • Accept recovery link from authenticated users (#2195) (0fa64dd):

    When a recovery link is opened while the user already has a session cookie (possibly for another account), the endpoint will now correctly complete the recovery process and issue new cookies.

  • Quickstart (73b461c):

    Closes #2339

  • Resolve issue where CF cookies would mingle with CSRF detection in API flows (011219a)

  • Typo in error message (#2332) (b075a5b)

  • Update v0.9.0-alpha.2 config schema path (#2328) (55705c7)

  • version schema: Require version or fall back to latest (52c9824)

Code Generation

  • Pin v0.9.0-alpha.3 release commit (32e36d4)

Documentation

  • Add missing error codes (b854bb8)
  • Clarify 410 error for api payloads (2c7ac3b)

Changelog

  • b966803 autogen(docs): generate and bump docs
  • 4183a48 autogen(docs): regenerate and update changelog
  • 88ea06a autogen(docs): regenerate and update changelog
  • 97bb638 autogen(docs): regenerate and update changelog
  • 8e2f3b2 autogen(docs): regenerate and update changelog
  • 61998f9 autogen(docs): regenerate and update changelog
  • 22cb081 autogen(openapi): regenerate swagger spec and internal client
  • 994aef6 autogen: add v0.9.0-alpha.2 to version.schema.json
  • 32e36d4 autogen: pin v0.9.0-alpha.3 release commit
  • c53a9e2 chore: remove codedoc
  • b854bb8 docs: add missing error codes
  • 2c7ac3b docs: clarify 410 error for api payloads
  • 52c9824 fix(version schema): require version or fall back to latest
  • 0fa64dd fix: accept recovery link from authenticated users (#2195)
  • 73b461c fix: quickstart
  • 011219a fix: resolve issue where CF cookies would mingle with CSRF detection in API flows
  • b075a5b fix: typo in error message (#2332)
  • 55705c7 fix: update v0.9.0-alpha.2 config schema path (#2328)

Artifacts can be verified with cosign using this public key.

v0.9.0-alpha.2

22 Mar 10:20
f5501cf
v0.9.0-alpha.2 Pre-release

Resolves an issue in the SDK release pipeline.

Bug Fixes

Code Generation

  • Pin v0.9.0-alpha.2 release commit (f5501cf)

Changelog

  • 21614d8 autogen(docs): regenerate and update changelog
  • f5501cf autogen: pin v0.9.0-alpha.2 release commit
  • 90b354a chore: force run
  • 5b51bfb fix: swag location

Artifacts can be verified with cosign using this public key.

v0.9.0-alpha.1

21 Mar 22:20
72bd2ed
v0.9.0-alpha.1 Pre-release

Ory Kratos v0.9 is here! We're extremely happy to announce that the new release is out and once again it's been made even better thanks to the incredible contributions from our awesome community. <3

Enjoy!

Here's an overview of things you can expect from the v0.9 release:

  1. We introduced 1:1 compatibility between self-hosting Ory Kratos and using Ory Cloud. The configuration works the same across all modes of operation and deployment!
  2. Passwordless login with WebAuthn is now available! Authentication with YubiKeys, TouchID, FaceID, Microsoft Hello, and other WebAuthn-supported methods is now available. The refactored infrastructure lays a foundation for more passwordless flows to come.
  3. All the docs are now available in a single repo. Go to the ory/docs repository to find docs for all Ory projects.
  4. You can now load custom email templates that'll make your essential messaging like project invitations or password recovery emails look slick.
  5. We've laid the foundation for adding SMS-dependent flows.
  6. Security is always a top priority. We've made changes and updates such as CSP nonces, SSRF defenses, session invalidation hooks, and more.
  7. Kratos now gracefully handles cookie errors.
  8. Password policies are now configurable.
  9. Added configuration to control the flow of webhooks. Now you can cancel flows & run them in the background.
  10. You can import identities along with their credentials (password, social sign-in connections, WebAuthn, ...).
  11. Infra: we migrated all of our CIs from CircleCI to GitHub Actions.
  12. We moved the admin API from / to /admin. This is a breaking change. Please read the explanation and proceed with caution!
  13. Bugfix: fixed a bug in the handling of secrets. This is a breaking change. Please read the explanation and proceed with caution!
  14. Bugfix: several bugs in different self-service flows are no more.

As you can see, this release introduces breaking changes. We tried to keep the HTTP API as backward-compatible as possible by introducing HTTP redirects and other measures, but this update requires you to take extra care. Make sure you've read the release notes and understand the risk before updating.

You must apply SQL migrations for this release. Make sure to create a backup before you start!

Breaking Changes

Configuration key selfservice.whitelisted_return_urls has been renamed to allowed_return_urls.

All endpoints at the Admin API are now exposed at /admin/. For example, endpoint https://kratos:4434/identities is now exposed at https://kratos:4434/admin/identities. This change makes it easier to configure reverse proxies and API Gateways. Additionally, it introduces 1:1 compatibility between Ory Cloud's APIs and self-hosted Ory Kratos. Please note that nothing has changed in terms of the port. To make the migration less painful, we have set up redirects from the old endpoints to the new /admin endpoints, so your APIs, SDKs, and clients should continue working as they were working before. This change is marked as a breaking change as it touches many endpoints and might be confusing when encountering the redirect for the first time.

If you are using two or more secrets for the secrets.session, this patch might break existing Ory Session Cookies. This has the effect that users will need to re-authenticate when visiting your app.

The password_identifier form field of the password login strategy has been renamed to identifier to make compatibility with passwordless flows possible. Field name password_identifier will still be accepted. Please note that the UI node for displaying the "username" / "email" field has this name="identifier" going forward. Additionally, the traits of the password strategy are no longer within group password but instead in group profile going forward!

The following OpenID Connect configuration keys have been renamed to better explain their purpose:

- private_key_id
+ apple_private_key_id

- private_key
+ apple_private_key

- team_id
+ apple_team_id

- tenant
+ microsoft_tenant

A major issue has been lingering in the configuration for a while. What happens to your identities when you update a schema? The answer was, it depends on the change. If the change is incompatible, some things might break!

To resolve this problem we changed the way you define schemas. Instead of having a global default_schema_url which developers used to update their schema, you now need to define the default_schema_id, which must reference a schema ID listed under identity.schemas in your config. To update your existing configuration, check out the patch example below:

identity:
-  default_schema_url: file://stub/identity.schema.json
+  default_schema_id: default
+  schemas:
+  - id: default
+    url: file://stub/identity.schema.json

Ideally, you would version your schema and update the default_schema_id with every change to the new version:

identity:
  default_schema_id: user_v1
  schemas:
    - id: user_v0
      url: file://path/to/user_v0.json
    - id: user_v1
      url: file://path/to/user_v1.json
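As an added example (not code from the Ory Kratos project), the following Python script checks an `identity` config block for the v0.9 schema change described above: it flags a leftover `default_schema_url`, verifies that `default_schema_id` references an entry in `identity.schemas`, and can rewrite a legacy block into the new layout. It assumes the YAML has already been parsed into a dict (for example with PyYAML); the sample blocks are constructed to mirror the release notes.

```python
"""Check and migrate the `identity` block of an Ory Kratos config for v0.9.

Added example, not code from the Ory Kratos project. It assumes the config
has already been parsed from YAML into a dict; the sample blocks below are
constructed to mirror the release notes.
"""
from typing import Dict, List


def check_identity_config(identity: Dict) -> List[str]:
    """Return a list of problems found in the `identity` block (empty means OK)."""
    problems: List[str] = []

    # v0.9 removed the global default_schema_url in favour of a schema list.
    if "default_schema_url" in identity:
        problems.append(
            "default_schema_url is no longer supported; move the URL into "
            "identity.schemas[] and reference it via default_schema_id"
        )

    schemas = identity.get("schemas") or []
    ids = []
    for entry in schemas:
        if not isinstance(entry, dict) or not entry.get("id") or not entry.get("url"):
            problems.append(f"schema entry {entry!r} must have both an id and a url")
            continue
        ids.append(entry["id"])

    duplicates = sorted({i for i in ids if ids.count(i) > 1})
    if duplicates:
        problems.append(f"duplicate schema ids: {duplicates}")

    default_id = identity.get("default_schema_id")
    if default_id is None:
        problems.append("default_schema_id is missing")
    elif default_id not in ids:
        problems.append(
            f"default_schema_id {default_id!r} does not match any entry in identity.schemas"
        )

    return problems


def migrate_legacy(identity: Dict, schema_id: str = "default") -> Dict:
    """Rewrite a pre-v0.9 block (default_schema_url) into the schemas/default_schema_id layout.

    The chosen id ("default" unless given) is an assumption of this example.
    """
    if "default_schema_url" not in identity:
        return dict(identity)
    migrated = {k: v for k, v in identity.items() if k != "default_schema_url"}
    schemas = list(migrated.get("schemas") or [])
    schemas.append({"id": schema_id, "url": identity["default_schema_url"]})
    migrated["schemas"] = schemas
    migrated.setdefault("default_schema_id", schema_id)
    return migrated


# Constructed sample blocks (the parsed form of the YAML in the release notes).
LEGACY = {"default_schema_url": "file://stub/identity.schema.json"}
VERSIONED = {
    "default_schema_id": "user_v1",
    "schemas": [
        {"id": "user_v0", "url": "file://path/to/user_v0.json"},
        {"id": "user_v1", "url": "file://path/to/user_v1.json"},
    ],
}
BROKEN = {"default_schema_id": "user_v2", "schemas": VERSIONED["schemas"]}

if __name__ == "__main__":
    for name, block in [("legacy", LEGACY), ("versioned", VERSIONED), ("broken", BROKEN)]:
        print(name, check_identity_config(block) or "OK")
    print("migrated legacy:", migrate_legacy(LEGACY))
```

Run the check against the `identity` block before starting the server; a dangling `default_schema_id` is the case the release notes warn about, since identities reference schemas by id from now on.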

This patch removes the ability to use domain aliases, an obscure feature rarely used that had several issues and inconsistencies.

Bug Fixes

  • Add identity_id index to identity_verifiable_addresses table (#2147) (86fd942):

    The verifiable addresses are loaded eagerly into the identity. When that happens, the identity_verifiable_addresses table is queried by nid and identity_id. This index should greatly improve performance, especially of the /sessions/whoami endpoint.

  • Add ability to resume continuity sessions from several cookies (#2131) (8b87bdb), closes #2016 #1786

  • Add CourierConfig to default registry (#2243) (2e1fba3)

  • Add DispatchMessage to interface (df2ca7a)

  • Add hiring notice to README (#2074) (0c1e816)

  • Add missing enum (#2223) (4b7d7d0):

    Closes ory/sdk#147

  • Add missing version tag in quickstart.yml (#2110) (1d281ea)

  • Add output-dir input to cli-next (#2230) (1eb3f18)

  • Added malformed config test (5a3c9c1)

  • Adjust scan configuration (#2140) (8506fcf), closes #2083

  • Admin endpoint /schemas not redirecting to public endpoint (#2133) (413833f), closes #2084

  • Appropriately pass context around (#2241) (668f6b2):

    Closes ory/network#56

  • Base redirect URL decoding (acdefa7)

  • Base64 encode identity schema URLs (ad44e4d):

    Previously, identity schema IDs with special characters could lead to broken URLs. This patch introduces a change where identity schema IDs are base64 encoded to address this issue. Schema IDs that are not base64 encoded will continue working.

  • Broken links API spec (e1e7516)

  • Choose correct CSRF cookie when multiple are set (633076b), closes ory/kratos#2121 ory-corp/cloud#1786:

    Resolves an issue where, when multiple CSRF cookies are set, a random one would be used to verify the CSRF token. Now, regardless of how many conflicting CSRF cookies exist, if one of them is valid, the request will pass and clean up the cookie store.

  • Cloud config issue (135b29c)

  • continuity: Properly reset cookies that became invalid (8e4b4fb), closes #2121 ory-corp/cloud#1786:

    Resolves several reports related to incorrect handling of invalid continuity issues.

  • continuity: Remove cookie on any error (428ac03)

  • Correct recovery hook ([c7682a8](c7682a8fd97fdac87d59d3e7fb...
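The "Choose correct CSRF cookie when multiple are set" fix above describes the failure mode of picking one cookie at random when a browser sends several cookies with the same name. The following Python model, added here as an example and not Ory Kratos's own CSRF code, shows the defensive handling the fix describes: every `csrf_token` cookie on the request is checked, the request passes if any of them verifies and matches the submitted token, and the remaining values are reported for cleanup. The HMAC cookie format, the cookie name and the secrets are assumptions of this example.

```python
"""Accept a CSRF request if any of several same-named cookies is valid.

Added example, not Ory Kratos's implementation. The cookie format
"<token>.<hmac-sha256 hex>", the cookie name and the secrets are assumptions.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

CSRF_COOKIE = "csrf_token"


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Return every name/value pair in order, keeping duplicate names.

    A dict-based parser (e.g. http.cookies.SimpleCookie) keeps only one value
    per name, which is exactly how a valid cookie gets silently dropped.
    """
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def mint_cookie_value(secret: bytes, token: str) -> str:
    """Bind a token to the server secret so a forged cookie cannot verify."""
    mac = hmac.new(secret, token.encode(), hashlib.sha256).hexdigest()
    return f"{token}.{mac}"


def cookie_is_valid(secret: bytes, value: str) -> Optional[str]:
    """Return the embedded token if the cookie's MAC verifies, else None."""
    token, sep, mac = value.rpartition(".")
    if not sep or not token:
        return None
    expected = hmac.new(secret, token.encode(), hashlib.sha256).hexdigest()
    return token if hmac.compare_digest(expected, mac) else None


def check_csrf(secret: bytes, cookie_header: str, submitted_token: str) -> Tuple[bool, List[str]]:
    """Check all csrf_token cookies instead of an arbitrary one.

    Returns (passed, stale_values): passed is True if some cookie verifies and
    carries the submitted token; stale_values are the other csrf cookies the
    server should expire so the conflict does not recur.
    """
    candidates = [v for name, v in parse_cookie_header(cookie_header) if name == CSRF_COOKIE]
    matched = None
    for value in candidates:
        token = cookie_is_valid(secret, value)
        if token is not None and hmac.compare_digest(token, submitted_token):
            matched = value
            break
    stale = [v for v in candidates if v != matched]
    return matched is not None, stale


# Constructed sample: a stale cookie signed under an old secret precedes the
# current one, as happens when a cookie store drifts across deployments.
SECRET = b"constructed-current-secret"
OLD_SECRET = b"constructed-old-secret"
GOOD = mint_cookie_value(SECRET, "tok-A")
STALE = mint_cookie_value(OLD_SECRET, "tok-B")
SAMPLE_HEADER = f"{CSRF_COOKIE}={STALE}; {CSRF_COOKIE}={GOOD}; session=abc123"

if __name__ == "__main__":
    print(check_csrf(SECRET, SAMPLE_HEADER, "tok-A"))
```

The stale list is what the "clean up the cookie store" part of the fix refers to: emit an expiring `Set-Cookie` for each stale value's path/domain so the next request carries a single cookie again.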

Read more