Ory Kratos Versions

Next-gen identity server replacing your Auth0, Okta, Firebase with hardened security and PassKeys, SMS, OIDC, Social Sign In, MFA, FIDO, TOTP and OTP, WebAuthn, passwordless and much more. Golang, headless, API-first. Available as a worry-free SaaS with the fairest pricing on the market!

v1.1.0

2 months ago

v1.0.0

9 months ago

We are thrilled to announce Ory Kratos v1.0, the powerful Identity, User Management, and Authentication system! With this major update, Ory Kratos brings a host of enhancements and fixes that greatly improve the user experience and overall performance.

Ory Kratos 1.0 is stable and robust

Several compelling reasons led us to label Ory Kratos 1.0 a major release and a graduated project: Ory Identities on Ory Network, powered by Ory Kratos, has been serving production traffic flawlessly for well over a year. Ory Kratos is successfully processing over 100 million API requests daily and has about 100 million Docker Pulls. We have maintained stability within the Ory Kratos APIs for nearly two years, demonstrating their robustness and reliability. No breaking changes mean that developers can trust the stability of Ory Kratos in production.

Notable changes

Ory Kratos 1.0 introduces a variety of new features while focusing on stability, robustness, and improved performance. Major enhancements include support for social login and single sign-on via OpenID Connect in native apps, emails sent through HTTP rather than SMTP, and full compatibility with Ory Hydra v2.2.0. Users will also find multi-region support in the Ory Network for broader geographic reach, improved export functionality for all credential types, and enhanced session management with the introduction of the "provider ID" parameter. Other additions comprise distroless images for leaner resource utilization and faster deployment, and support for the Lark OIDC provider.

New features and full multi-region support in Ory Network

Significant improvements and fixes accompany these new features. Enhanced OIDC flows now include the ability to forward prompt upstream parameters, offering developers increased flexibility and customization options. The logout flow also supports the return_to parameter, facilitating more flexible redirection post-user logout. Performance has been a key focus, with Ory Kratos 1.0 now capable of handling hundreds of millions of active users monthly. Critical bug fixes have been applied to prevent users from being redirected to incorrect destinations, ensuring smoother authentication and authorization. Additionally, there's more support for legacy systems via implemented crypt(3) hashers and a fix for metadata patching has been deployed to ensure consistent user metadata management. For a detailed view of all changes, refer to the changelog on GitHub. Feedback and support are, as always, greatly appreciated.

Support options for Ory Kratos 1.0

Ory Kratos 1.0 is a major release that marks a significant milestone in our journey.

We sincerely hope that you find these new features and improvements in Ory Kratos 1.0 valuable for your projects. To experience the power of the latest release, we encourage you to get the latest version of Ory Kratos here or leverage Kratos in Ory Network — the easiest, simplest, and most cost-effective way to run Ory.

For organizations seeking to upgrade their self-hosted solution, Ory offers dedicated support services to ensure a smooth transition. Our team is ready to assist you throughout the migration process, ensuring uninterrupted access to the latest features and improvements. Additionally, we provide various support plans specifically tailored for self-hosting organizations. These plans offer comprehensive assistance and guidance to optimize your Ory deployments and meet your unique requirements.

A Shoutout to the Ory Community

We extend our heartfelt gratitude to the vibrant and supportive Ory Community. Without your constant support, feedback, and contributions, reaching this significant milestone would not have been possible. As we continue on this journey, your feedback and suggestions are invaluable to us. Together, we are shaping the future of identity management and authentication in the digital landscape.

Contributors to this release in alphabetical order: borisroman, ci42, CNLHC, David-Wobrock, giautm, IchordeDionysos, indietyp, jossbnd, kralicky, PhakornKiong, sunakan, steverusso

Are you passionate about security and want to make a meaningful impact in one of the biggest open-source communities? Join the Ory community and become a part of the new ID stack. Together, we are building the next generation of IAM solutions that empower organizations and individuals to secure their identities effectively.

Give it a go

Want to check out Ory Kratos yourself? Use these commands to get your Ory Kratos project running on the Ory Network:

brew install ory/tap/cli

scoop bucket add ory https://github.com/ory/scoop.git
scoop install ory

bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory
sudo mv ./ory /usr/local/bin/

ory auth

ory create project --name "My first Kratos project"

ory open account-experience registration

ory patch identity-config \
  --replace '/identity/default_schema_id="preset://username"' \
  --replace '/identity/schemas=[{"id":"preset://username","url":"preset://username"}]' \
  --format yaml

ory open account-experience registration

Bug Fixes

  • Ability to patch metadata even if it is null (#3304) (3c04d8f)

  • Accept OIDC login request in browser+JSON login flow (#3271) (ad54093):

    • fix: OIDC login in browser JSON flow

    • test: add test for OIDC+JSON continuity cookie

  • Add error checking when creating verification code (#3328) (7182eca)

  • Add missing SessionIssued event for api flows (#3348) (adf78e0):

    • fix: missing SessionIssued event for api flows
    • chore: add SessionIssued event to post registration hook
    • chore: format
    • chore: move sessionissued event to persister
  • Bump quickstart version (#3257) (6db70a8)

  • Cypress TOTP test (eac908c)

  • Do not require items to be unique (#3349) (17be30d)

  • Don't assume the login challenge to be a UUID (#3317) (3172862):

    For compatibility with https://github.com/ory/hydra/pull/3515, which now encodes the whole flow in the login challenge, we cannot further assume that the challenge is a UUID.

  • e2e: Install kratos-selfservice-ui-node peer deps (#3354) (ce20063)

  • Identity list pagination (#3325) (9d3ef0d):

    Resolves a pesky issue that would skip the last page.

  • IdentityCreated event (#3314) (78e31cb)

  • Incorrect override in identity hydrate (#3368) (eaa3f3c)

  • Increase size for request url (#3366) (10713cc)

  • Minor refactorings in package hash (#3186) (831fb19)

  • Missing id for login event (#3315) (b6b80a3)

  • Properly normalize uppercase mail addresses (4984e0f):

    Fixes https://github.com/ory/kratos/issues/3187 Fixes https://github.com/ory/kratos/issues/3289

  • Provide index hint in QueryForCredentials (#3329) (4ba530e):

    • fix: provide index hint in QueryForCredentials

    • feat: remove customizable join predicate in QueryForCredentials

    • chore: remove obsolete config tracer

  • Reduce lookups in whoami call (#3364) (5bb7b0c)

  • Reintroduce ExpandAll (#3369) (8f9bff5)

  • Remove codeball (aa29606)

  • Remove duplicate SessionIssued event (#3351) (b1e78ad)

  • Return HTTP 400 instead of 500 for bad query parameters (58258eb)

  • sdk: Add cookie for updateLogoutFlow (#3284) (95ed2b9):

    Closes https://github.com/ory/sdk/issues/255

  • sdk: Update the API spec to reflect the 204 NoContent in DeleteIdentityCredentials (#3347) (f3dee86)

  • Settings should persist return_to after required mfa login flow (#3263) (0ed1abd):

    • fix: get settings should persist return_to when redirecting to aal2

    • feat(e2e): verify return_to persists in recovery flows

    • test: recovery strategy with mfa account

    • test: code recovery return to persists to settings with aal2

    • u

    • fix: return to settings flow after mfa login

    • fix(test): login handler

    • fix: flow between settings and mfa

    • fix: get settings endpoint should redirect to settings ui instead of to itself

    • feat(test): preserve URL from various settings flows through login mfa flow

    • chore: cleanup

    • fix(e2e): recovery return to spa tests

    • fix: e2e proxy

    • fix: do not always redirect back to settings on mfa

    • fix: new settings flow with required mfa shouldn't be added to login flow return_to unless it contains a return_to parameter

    • fix(e2e): let test dynamically handle required_aal

    • chore: cleanup unused code

    • test: DoesSessionSatisfy with method options

    • test: recovery strategy with aal2

  • String to enum for updateVerificationFlowWithLinkMethod Method (#3279) (34ff1d2), closes #2943

  • Update correct typo (#3281) (0fea75c):

    The text for verification code input should be Verification code not Verify code.

  • Update README (#3363) (c426014)

  • Use RETURNING clause for batch create (#3293) (8ae8783)

  • Use the correct redirect_uri for linkedin social login (#3269) (27ccecc)

  • Webhook config parse for settings flow (#3305) (95ad94d)

Code Generation

  • Pin v1.0.0 release commit (41b7c51)

Documentation

Features

  • Add “provider id” parameter to kratos session (#3292) (387f5a2), closes #3283

  • Add distroless and static images (#3350) (1e65662)

  • Add return_to parameters to the createLogout handler (#3336) (08fed36):

    • feat: add return_to parameters to the createLogout handler

    • test: logout take over return_to from create to update

    • test(e2e): logout return to

    • test(e2e): logout return to

    • test: logout return_to isnt applicable to react

  • Allow customization of JOIN predicate in QueryForCredentials (#3253) (8785166)

  • Emit events for login/logout and registration (#3235) (c784b7e)

  • Forward prompt upstream parameter during OIDC flow (#3276) (d290cb0), closes #2709

  • Implement crypt(3) hashers (#3303) (afe06db), closes #3291:

    This PR implements md5crypt, sha256crypt, sha512crypt, which are considered legacy (like md5), but are used in legacy systems looking to convert to ory. They use the existing format of crypt(5) (which is compliant to PHC).

  • Improve event types and capture more events (#3297) (835fe13)

  • Lark OIDC provider (#2925) (f884dfb)

  • Return to oauth flow after switching from login to other flows (#3212) (a1fea6c):

    • feat: return to oauth flow after switching from login to other flows

    • feat(e2e): flows should have return_to set to hydra request_url

    • u

    • fix: override return_to URL on OAuth flows

    • style: format

    • fix: TestOAuth2Provider

    • feat: config to opt into using OAuth request url as return_to

    • chore: cleanup

    • fix(e2e): oauth2 login flow switching to recovery

    • feat(test): oauth2 login flow to recovery through oidc provider

    • fix(e2e): oidc-provider registration

    • chore: rename oauth2_provider.return_to_enabled to oauth2_provider.override_return_to

    • style: format

    • chore: nit config description

  • Sort sessions by authenticated_at (#3324) (46f92ff):

    Closes https://github.com/ory/network/issues/295

  • Sqa metrics v2 (#3300) (98fe73f)

  • Support exporting of all credential types (#3290) (de6c857):

    It's now possible to export all credential types (including passwords) when calling the getIdentity SDK method.

  • Support OIDC flows for native apps (#3216) (cb10609), closes #707:

    Implements Social Sign In and OpenID Connect for native apps.
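
Added example, not code from Ory Kratos: a structural check for the crypt(5) strings that the crypt(3) hashers entry above refers to (md5crypt, sha256crypt, sha512crypt), for triaging a legacy password export before import. The `minRounds` threshold and the priority labels are assumptions of this example, and the sample digests are constructed filler, not real hashes.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// CryptHash is one parsed crypt(5) string: $id$[rounds=N$]salt$digest.
type CryptHash struct {
	Scheme string // md5crypt, sha256crypt or sha512crypt
	Rounds int    // iteration count in effect
	Salt   string
	Digest string
}

// scheme holds the per-algorithm limits of the encoding.
type scheme struct {
	name          string
	maxSalt       int  // salt characters the algorithm uses
	digestLen     int  // length of the encoded digest
	tunableRounds bool // whether a rounds=N field may appear
	defaultRounds int
}

var schemes = map[string]scheme{
	"1": {"md5crypt", 8, 22, false, 1000},
	"5": {"sha256crypt", 16, 43, true, 5000},
	"6": {"sha512crypt", 16, 86, true, 5000},
}

const cryptAlphabet = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

// minRounds is a hypothetical policy threshold for this example only.
const minRounds = 100000

// ParseCrypt checks the structure of a crypt(5) string. It never sees or
// verifies a password. Out-of-range rounds and over-long salts are rejected
// here rather than truncated or clamped.
func ParseCrypt(s string) (CryptHash, error) {
	parts := strings.Split(s, "$") // "$6$salt$digest" -> ["", "6", "salt", "digest"]
	if len(parts) < 4 || parts[0] != "" {
		return CryptHash{}, fmt.Errorf("not a crypt(5) string")
	}
	sc, ok := schemes[parts[1]]
	if !ok {
		return CryptHash{}, fmt.Errorf("unsupported scheme id %q", parts[1])
	}
	h := CryptHash{Scheme: sc.name, Rounds: sc.defaultRounds}
	rest := parts[2:]
	if sc.tunableRounds && strings.HasPrefix(rest[0], "rounds=") {
		n, err := strconv.Atoi(strings.TrimPrefix(rest[0], "rounds="))
		if err != nil || n < 1000 || n > 999999999 {
			return CryptHash{}, fmt.Errorf("rounds outside 1000..999999999")
		}
		h.Rounds, rest = n, rest[1:]
	}
	if len(rest) != 2 {
		return CryptHash{}, fmt.Errorf("expected salt$digest, got %d fields", len(rest))
	}
	h.Salt, h.Digest = rest[0], rest[1]
	if len(h.Salt) > sc.maxSalt {
		return CryptHash{}, fmt.Errorf("salt longer than %d characters", sc.maxSalt)
	}
	if len(h.Digest) != sc.digestLen {
		return CryptHash{}, fmt.Errorf("digest must be %d characters", sc.digestLen)
	}
	for _, c := range h.Digest {
		if !strings.ContainsRune(cryptAlphabet, c) {
			return CryptHash{}, fmt.Errorf("digest character %q outside crypt alphabet", c)
		}
	}
	return h, nil
}

// Triage returns "reject", "migrate-first" or "migrate" plus a reason.
func Triage(s string) (string, string) {
	h, err := ParseCrypt(s)
	switch {
	case err != nil:
		return "reject", err.Error()
	case h.Scheme == "md5crypt":
		return "migrate-first", "MD5-based, fixed 1000 rounds"
	case h.Rounds < minRounds:
		return "migrate-first", fmt.Sprintf("%s with only %d rounds", h.Scheme, h.Rounds)
	}
	return "migrate", h.Scheme
}

func main() {
	// Constructed samples: digests are filler of the right length, not real hashes.
	samples := []string{
		"$1$abcdefgh$" + strings.Repeat("z", 22),
		"$5$shortsalt$" + strings.Repeat(".", 43),
		"$6$rounds=656000$constructedsalt1$" + strings.Repeat("A", 86),
		"$6$rounds=10$salt$" + strings.Repeat("A", 86),
	}
	for _, s := range samples {
		priority, why := Triage(s)
		fmt.Printf("%-13s %s\n", priority, why)
	}
}
```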

Tests

  • Run Playwright in CI (#3259) (342edec):

    • run Playwright in CI

    • add cleanup for session token exchangers

    • fixup: ci

    • fix: compatibility between OIDC+code and other flows

    This improves the compatibility between OIDC+code and other flows such as TOTP, settings, password auth.

    • Update persistence/sql/persister_cleanup_test.go

    • fix: error handling with OIDC+Code

    • fix: increase playwright timeout

Unclassified

  • @barnarddt @hperl feat: send emails via http api endpoint instead of smtp (#1030) (#3341) (28b7b04), closes #1030 #3341 #1030 #3008:

    This change adds a new delivery method to the courier called mailer. Similar to SMS functionality it posts a templated Data model to a API endpoint. This API can then send emails via a CRM or any other mechanism that it wants.

    Mailer still uses the existing email data models so any new email added will automatically be sent to the API/CRM as well.

    Resolves https://github.com/ory/kratos/issues/2825

Changelog

  • 28b7b04a @barnarddt @hperl feat: send emails via http api endpoint instead of smtp (#1030) (#3341)
  • 9fd60ee0 autogen(docs): generate and bump docs
  • 6de1cb3b autogen(openapi): regenerate swagger spec and internal client
  • 4b0deadc autogen(openapi): regenerate swagger spec and internal client
  • a439df76 autogen(openapi): regenerate swagger spec and internal client
  • 0a6235da autogen(openapi): regenerate swagger spec and internal client
  • 7291c89e autogen: add v0.13.0 to version.schema.json
  • b75313e1 autogen: pin v0.14.0-pre.0 release commit
  • 41b7c51c autogen: pin v1.0.0 release commit
  • ad271d24 autogen: pin v1.0.0-pre.0 release commit
  • a17bcb88 chore(deps): bump @nestjs/core and @openapitools/openapi-generator-cli (#3242)
  • 950b41a1 chore(deps): bump github.com/knadh/koanf to v2.0.1 (#3308)
  • a046778f chore: add launch config for VSCode (#3239)
  • 22e8dafe chore: bump ory/x (#3319)
  • b2ecb107 chore: bump ory/x (#3338)
  • 3469773b chore: fix typo (#3370)
  • 6fe4dac2 chore: minor improvements around secure redirect helpers (#3240)
  • bcdcf45c chore: support in README (#3373)
  • ac96a969 chore: update security scanners (#3295)
  • b40544e4 docs: fix typo in readme (#3299)
  • 1e65662c feat: add distroless and static images (#3350)
  • 08fed369 feat: add return_to parameters to the createLogout handler (#3336)
  • 387f5a27 feat: add “provider id” parameter to kratos session (#3292)
  • 87851668 feat: allow customization of JOIN predicate in QueryForCredentials (#3253)
  • c784b7e7 feat: emit events for login/logout and registration (#3235)
  • d290cb05 feat: forward prompt upstream parameter during OIDC flow (#3276)
  • afe06db9 feat: implement crypt(3) hashers (#3303)
  • 835fe13d feat: improve event types and capture more events (#3297)
  • f884dfba feat: lark OIDC provider (#2925)
  • a1fea6c3 feat: return to oauth flow after switching from login to other flows (#3212)
  • 46f92ffe feat: sort sessions by authenticated_at (#3324)
  • 98fe73fa feat: sqa metrics v2 (#3300)
  • cb106097 feat: support OIDC flows for native apps (#3216)
  • de6c8574 feat: support exporting of all credential types (#3290)
  • ce20063a fix(e2e): install kratos-selfservice-ui-node peer deps (#3354)
  • 95ed2b94 fix(sdk): add cookie for updateLogoutFlow (#3284)
  • f3dee869 fix(sdk): update the API spec to reflect the 204 NoContent in DeleteIdentityCredentials (#3347)
  • eac908c4 fix: Cypress TOTP test
  • 78e31cb8 fix: IdentityCreated event (#3314)
  • 3c04d8fb fix: ability to patch metadata even if it is null (#3304)
  • ad540930 fix: accept OIDC login request in browser+JSON login flow (#3271)
  • 7182eca0 fix: add error checking when creating verification code (#3328)
  • adf78e09 fix: add missing SessionIssued event for api flows (#3348)
  • 6db70a81 fix: bump quickstart version (#3257)
  • 17be30dd fix: do not require items to be unique (#3349)
  • 31728629 fix: don't assume the login challenge to be a UUID (#3317)
  • 9d3ef0df fix: identity list pagination (#3325)
  • eaa3f3c1 fix: incorrect override in identity hydrate (#3368)
  • 10713cc7 fix: increase size for request url (#3366)
  • 831fb19e fix: minor refactorings in package hash (#3186)
  • b6b80a3a fix: missing id for login event (#3315)
  • 4984e0fb fix: properly normalize uppercase mail addresses
  • 4ba530ef fix: provide index hint in QueryForCredentials (#3329)
  • 5bb7b0c8 fix: reduce lookups in whoami call (#3364)
  • 8f9bff52 fix: reintroduce ExpandAll (#3369)
  • aa296067 fix: remove codeball
  • b1e78ad3 fix: remove duplicate SessionIssued event (#3351)
  • 58258eba fix: return HTTP 400 instead of 500 for bad query parameters
  • 0ed1abd3 fix: settings should persist return_to after required mfa login flow (#3263)
  • 34ff1d29 fix: string to enum for updateVerificationFlowWithLinkMethod Method (#3279)
  • c4260140 fix: update README (#3363)
  • 0fea75c4 fix: update correct typo (#3281)
  • 8ae87839 fix: use RETURNING clause for batch create (#3293)
  • 27ccecc1 fix: use the correct redirect_uri for linkedin social login (#3269)
  • 95ad94d0 fix: webhook config parse for settings flow (#3305)
  • 342edece test: run Playwright in CI (#3259)

Artifacts can be verified with cosign using this public key.

v0.13.0

1 year ago

We’re excited to announce the release of Ory Kratos v0.13.0! This update brings many enhancements and fixes, improving the user experience and overall performance. In general, Ory Kratos is reaching complete API stability and we're adding some missing features next, paving the road to v1.0.

Ory Kratos serves over 500M users monthly in various companies, and is the backbone of the Ory Network (the best, cheapest, easiest way to run Ory).

Here are the highlights:

  • We’ve added new social sign-in options with Patreon OIDC and LinkedIn providers, making it even easier for your users to register and log in. Furthermore, we’ve introduced a new admin API that allows you to remove specific 2nd factor credentials, giving you more control over your user accounts.
  • Performance has been a key focus in this release. We’ve optimized the whoami calls, parallelized the getIdentity and getSession calls, and made asynchronous webhooks fully async. These improvements will result in faster response times and a smoother experience for your users. Additionally, we’ve implemented better tracing to help you diagnose and resolve issues more effectively.
  • We’ve also made several updates to the webhook system. A new response.parse configuration has been introduced, allowing you to update identity data during registration. This includes admin/public metadata, identity traits, enabling/disabling identity, and modifying verified/recovery addresses. Please note that can_interrupt is now deprecated in favor of response.parse.
  • Lastly, we’ve made several important fixes, such as resolving the wrong message ID on resend code buttons, implementing the offline scope as Google expects, and improving the OIDC flow on duplicate account registration. We’ve also added the ability to configure whether the system should notify unknown recipients when attempting to recover an account or verify an address, enhancing security with “anti-account-enumeration measures.”

We hope you enjoy these new features and improvements in Ory Kratos v0.13.0! All features are already live on the Ory Network - the simplest, fastest and most scalable way to run Ory.

Please note that the v0.12.0 release was skipped due to CI issues.

Head over to the changelog at https://github.com/ory/kratos/blob/master/CHANGELOG.md to read all the details. As always, we appreciate your feedback and support!

Breaking Changes

By default, Kratos no longer sends recovery or verification emails to unknown addresses. If you want to keep notifying unknown addresses (keep the current behavior), set selfservice.flows.recovery.notify_unknown_recipients to true for recovery, or selfservice.flows.verification.notify_unknown_recipients for verification flows.

Bug Fixes

  • Access rules example (#3178) (a206772)

  • Account experience redirects to verification page (#3195) (2e96d75)

  • Account settings broken on OIDC removal (#3185) (61ae531), closes ory-corp/cloud#3514

  • Add after_verification_return_to to sdk and api docs (#3097) (c70704c), closes #3096

  • Add HydraLoginRequest on flow creation (#3152) (09312dd), closes #3108:

    The oauth2_login_request field was missing when initially creating the login flow.

  • Add missing code discriminator in updateVerificationFlow (#3213) (21576be)

  • Add missing index (#3181) (756bed4)

  • Add mutex to test SMTP server setup/teardown (20c2359)

  • Avoid unchecked casts from IdentityPool to PrivilegedIdentityPool (71d35dd)

  • Correctly apply patches to identity metadata (#3103) (1193a56), closes #2950

  • Do not omit last page on identity list (#3169) (f95f48a)

  • Don't return 500 if active strategy is disabled (#3197) (3a734c2)

  • Don't reuse ports in courier/SMTP tests (#3156) (e260fcf)

  • Don't treat missing session as error in tracing (290d28a)

  • Error messages in OpenAPI/Swagger / improve error messages from failed webhooks and client timeouts (#3218) (b1bdcd3)

  • Handle upstream errors in patreon provider (#3032) (39fa31f)

  • Identity.CopyWithoutCredentials (989c99d)

  • Implement offline scope in the way google expects (#3088) (39043d4)

  • Improve webhook resilience (#3200) (0a05d99):

    • fix: improve webhook logging
    • chore: bump x
    • feat: decouple context in PostRegistrationPostPersist hook
  • Invalid SQL syntax in ListIdentities (#3202) (162ab9b):

    PostgreSQL does not support ... WHERE x IN ( ) with an empty argument list.

  • Issuer missing from netid claims (#3080) (dec7cbc):

    The NetID provider omits the issuer claim in the userinfo response. To resolve this issue, the ID token returned by NetID is now validated and its sub and iss values are used.

  • Lint errors and unused code (ae49ef0)

  • Make async webhooks fully async (#3111) (342bfb0)

  • Make session AAL satisfaction check resilient against a nil identity in the session (5ab1a56):

    Also fix tracing.

  • Missing issuer regression in OIDC (#3220) (52f0740):

    Closes https://github.com/ory/kratos/issues/3182 Closes https://github.com/ory/kratos/issues/3040

  • Nolint comment (93e6501)

  • Only return one result set for credentials_identifier (#3107) (59f35d1), closes #3105

  • Orphaned webhook spans (a7f9414)

  • Re-use existing CSRF token in verification flows (#3188) (08a3447):

    • fix: re-use existing CSRF token in verification flows

    • chore: fix if/else

  • Reduce SQL tracing noise (1650426)

  • Remove http.Redirect from show_verification_ui hook (#3238) (054705b)

  • Remove network omit flag (#3066) (c629b72)

  • Report correct errors for json schema validation (#3085) (9477ea4):

    • Implemented the translation of jsonschema.ValidationError to errors codes documented here
    • Added missing error codes for relevant schema errors
      Validation        Name                             ID
      maxLength         ErrorValidationMaxLength         4000017
      minimum           ErrorValidationMinimum           4000018
      exclusiveMinimum  ErrorValidationExclusiveMinimum  4000019
      maximum           ErrorValidationMaximum           4000020
      exclusiveMaximum  ErrorValidationExclusiveMaximum  4000021
      multipleOf        ErrorValidationMultipleOf        4000022
      maxItems          ErrorValidationMaxItems          4000023
      minItems          ErrorValidationMinItems          4000024
      uniqueItems       ErrorValidationUniqueItems       4000025
      type              ErrorValidationWrongType         4000026
    • Updated e2e tests to check these IDs explicitly
  • Respect the after recovery return to URL from config (#3141) (3467fd3):

    Fixes https://github.com/ory-corp/cloud/issues/1405

  • Set DB connection max idle time (8d4762c)

  • Set proper maxAge for session cookies (#3209) (1180c05), closes #3208

  • Sqa config values unified across projects (#3237) (523b93f)

  • Test contract names (e9ac00b)

  • Use correct names in WebAuthN dialogs (#3215) (3bc1ff0)

  • Use type alias instead of type definition (#3148) (dba3803)

  • Webhook tracing and missing defers (#3145) (46eb063)

  • Wrong context in logout trace span (#3168) (b9ccccf)

Code Generation

  • Pin v0.13.0 release commit (349d0ee)

Code Refactoring

Documentation

  • Fix broken docs links and code example to get verification flow (#3170) (bdbddcc)
  • Update security email (#3164) (9252f5a)

Features

  • Add a new admin API to remove a specific 2nd factor credential (#2962) (44556a4), closes #2505

  • Add API to batch insert identities (#3157) (829bda7), closes ory/network#266

  • Add Inspect option to driver (8aa75e9)

  • Add patreon oidc provider (#3021) (20ea29e)

  • Add test to verify GetIdentityConfidential expands everything (#3217) (f088ccd)

  • Add token prefixes to session and logout tokens (#3132) (8210cd0):

    This feature adds token prefixes to Ory session and logout tokens:

    • ory_st_: Ory session token prefix
    • ory_lt_: Logout token prefix
  • Add upstream parameters to oidc provider (#3138) (b6b1679), closes #3127 #2069:

    This PR introduces the upstream OIDC query parameters login_hint and hd.

    To send additional upstream parameters the form can post this on a login, registration or settings link submit. For example the form below does an OIDC flow to Google. We can now add additional parameters such as login_hint and hd to the upstream request to Google login with a pre-filled email [email protected]:

    <form action="https://kratos/self-service/login?flow=">
      <input type="submit" name="provider" value="google" />
      <input
        type="hidden"
        name="upstream_parameters.login_hint"
        value="[email protected]"
      />
      <input type="hidden" name="upstream_parameters.hd" value="example.com" />
    </form>
    
  • Allow importing (salted) SHA hashing algorithms (#2741) (132255e), closes #2422

  • Allow passing transient data from registration to webhook (#3104) (4a3a076)

  • Don't pre-generate UUIDs for transient objects (e17f307)

  • Drop unused index (#3165) (852dea9)

  • Even more tracing of hidden HTTP requests (9d8b1e2)

  • Identity by identifier (#3077) (c288d4d)

  • Improve tracing span naming in hooks (bf828d3)

  • Improve webhook diagnostics (d4eb2f6)

  • Improved oidc flow on duplicate account registration (#3151) (4d2fda4):

    This PR improves the OIDC registration flow when a duplicate account error happens.

    Currently the flow looks as follows:

    1. User registers with password (or other credentials)
    2. User forgot they registered with password and tries to login through an OIDC provider (e.g. Google)
    3. Kratos attempts a registration since the OIDC credentials do not exist
    4. (optional) User needs to add missing traits (e.g. full name) which could not be retrieved from the OIDC provider
    5. User gets a duplicate account error with a "Continue" button.
    6. After submitting the "Continue" button the flow continues again to the OIDC provider, back to Kratos and redirects to UI with duplicate error (Steps 3 to 5)

    Instead of causing a confusing redirect loop we should show the user the error with a fresh login flow (since the account exists). This also gives the user the option to do a recovery flow.

    1. User registers with password (or other credentials)
    2. User forgot they registered with password and tries to login through an OIDC provider (e.g. Google)
    3. Kratos attempts a registration since the OIDC credentials do not exist
    4. (optional) User needs to add missing traits
    5. User is returned to a Login flow with the duplication error
  • Let DB generate ID for session devices (62402c7)

  • Make notification to unknown recipients configurable (#3075) (1a5ead4), closes #2345 #2585:

    Added the ability to configure whether the system should notify unknown recipients, if someone tries to recover their account or verify their address ("anti-account-enumeration measures").

  • Make password validator (HIBP check) cancelable and add tracing (28f8914)

  • Parallelize get identity and session calls (#3023) (6393519)

  • Refactor credentials fetching (#3183) (590269f):

    This change revamps the way we fetch identity credentials. We no longer need most of the helper fields for gobuffalo/pop inside the Identity and Credentials structures, and we collect all the credentials in one joined query rather than using pop's EagerPreload functionality.

  • Return hydra error messages (b3d037b)

  • Return verification flow ID after registration flow (#3144) (eb854be), closes #2975

  • Show "continue" screen after successful verification (#3090) (fb6b160), closes /github.com/ory-corp/cloud#3925 /github.com/ory/network#228:

    The link strategy for verification now shows a confirmation screen with a "continue" link after successful verification, aligning its behavior to the code strategy.

    Also fixes a bug, where the default_browser_return_url of the verification flow was not respected when using the code strategy.

  • Social sign in via linkedin (#3079) (5de6bf4), closes #2856:

    Adds LinkedIn as a social sign in provider.

  • Webhooks that update identities (2cbee3e), closes #2161:

    Introduces a new configuration response.parse in webhooks. This enables updating of identity data during registration, including admin/public metadata, identity traits, enabling/disabling identity, and modifying verified/recovery addresses.

    Please note that can_interrupt is being deprecated in favor of response.parse.
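
Added example, not code from Ory Kratos: the `ory_st_` and `ory_lt_` prefixes introduced by the token prefixes entry above make leaked tokens easy to find, so this Go log filter redacts them and keeps a short fingerprint for correlating occurrences. The release notes give only the prefixes; the token body pattern (20 or more URL-safe characters) is an assumption, and the log lines are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// oryToken matches the two documented prefixes. The body pattern is an
// assumption of this example; adjust it to the tokens your deployment issues.
var oryToken = regexp.MustCompile(`\bory_(st|lt)_[A-Za-z0-9_-]{20,}`)

// Finding records one redacted token without retaining the secret itself.
type Finding struct {
	Kind        string // "session" for ory_st_, "logout" for ory_lt_
	Fingerprint string // first 4 bytes of SHA-256(token), hex encoded
}

// RedactLine replaces every prefixed token in a log line with a placeholder
// that keeps the prefix and a fingerprint, and reports what it found.
func RedactLine(line string) (string, []Finding) {
	var found []Finding
	out := oryToken.ReplaceAllStringFunc(line, func(tok string) string {
		sum := sha256.Sum256([]byte(tok))
		fp := hex.EncodeToString(sum[:4])
		kind := "session"
		if strings.HasPrefix(tok, "ory_lt_") {
			kind = "logout"
		}
		found = append(found, Finding{Kind: kind, Fingerprint: fp})
		return tok[:7] + "[redacted:" + fp + "]"
	})
	return out, found
}

func main() {
	// Constructed log lines; the token bodies are filler, not issued tokens.
	session := "ory_st_" + strings.Repeat("aB3", 10)
	logout := "ory_lt_" + strings.Repeat("Zz9", 10)
	lines := []string{
		"GET /sessions/whoami 200 x-session-token=" + session,
		"GET /self-service/logout?token=" + logout + " 204",
		"GET /history_st_" + strings.Repeat("a", 30) + " 404", // no prefix match
	}
	for _, l := range lines {
		clean, found := RedactLine(l)
		fmt.Printf("%d finding(s): %s\n", len(found), clean)
	}
}
```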

Tests

Unclassified

  • Revert "fix: do not omit last page on identity list (#3169)" (#3184) (73b5f13), closes #3169 #3184:

    This reverts commit f95f48a79395b7b99c7482c0974bc5188e007cc0.

Changelog

  • 73b5f139 Revert "fix: do not omit last page on identity list (#3169)" (#3184)
  • af3f9e55 autogen(docs): generate and bump docs
  • a5770367 autogen(docs): regenerate and update changelog
  • 851abc12 autogen(docs): regenerate and update changelog
  • 5535171e autogen(docs): regenerate and update changelog
  • f9054087 autogen(docs): regenerate and update changelog
  • 6d83dc98 autogen(docs): regenerate and update changelog
  • 9d59fd71 autogen(docs): regenerate and update changelog
  • ea6ad2a8 autogen(docs): regenerate and update changelog
  • 601b7fc6 autogen(docs): regenerate and update changelog
  • d2506508 autogen(docs): regenerate and update changelog
  • 8396a551 autogen(docs): regenerate and update changelog
  • ee1f02ec autogen(docs): regenerate and update changelog
  • 022f0537 autogen(openapi): regenerate swagger spec and internal client
  • 5e18b026 autogen(openapi): regenerate swagger spec and internal client
  • 122f2a26 autogen(openapi): regenerate swagger spec and internal client
  • f2960124 autogen: add v0.11.1 to version.schema.json
  • 349d0ee1 autogen: pin v0.13.0 release commit
  • 2e72c5b4 autogen: pin v0.13.0 release commit
  • 9b512003 chore(ci): don't run pm workflow on forks (#3229)
  • 0cc50c69 chore(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 (#3198)
  • 2d489e70 chore(deps): bump golang.org/x/net from 0.5.0 to 0.7.0 (#3120)
  • 3b8f4266 chore: bump hydra to v2 (#3083)
  • 03ef8bfe chore: bump ory/jsonschema/v3
  • c15de85a chore: clarift documentation on code strategy payloads (#3228)
  • e3eb39e1 chore: fix wrong message id on resend code button (#3067)
  • 3bf6ec3d chore: one uuid library ought to be enough for everybody
  • a4f8f3a4 chore: remove obsolete packages and dependencies
  • ba1aecf0 chore: unset email and name after release hook (#3026)
  • 8e87693f chore: update GHA versions (#3078)
  • 0ba0bd6d chore: update ory/x (#3221)
  • bdbddcce docs: fix broken docs links and code example to get verification flow (#3170)
  • 9252f5a3 docs: update security email (#3164)
  • 829bda70 feat: add API to batch insert identities (#3157)
  • 8aa75e97 feat: add Inspect option to driver
  • 44556a46 feat: add a new admin API to remove a specific 2nd factor credential (#2962)
  • 20ea29e0 feat: add patreon oidc provider (#3021)
  • f088ccdf feat: add test to verify GetIdentityConfidential expands everything (#3217)
  • 8210cd09 feat: add token prefixes to session and logout tokens (#3132)
  • b6b1679c feat: add upstream parameters to oidc provider (#3138)
  • 132255ef feat: allow importing (salted) SHA hashing algorithms (#2741)
  • 4a3a0765 feat: allow passing transient data from registration to webhook (#3104)
  • e17f3077 feat: don't pre-generate UUIDs for transient objects
  • 852dea90 feat: drop unused index (#3165)
  • 9d8b1e22 feat: even more tracing of hidden HTTP requests
  • c288d4d1 feat: identity by identifier (#3077)
  • bf828d3f feat: improve tracing span naming in hooks
  • d4eb2f6b feat: improve webhook diagnostics
  • 4d2fda45 feat: improved oidc flow on duplicate account registration (#3151)
  • 62402c7b feat: let DB generate ID for session devices
  • 1a5ead43 feat: make notification to unknown recipients configurable (#3075)
  • 28f8914b feat: make password validator (HIBP check) cancelable and add tracing
  • 63935199 feat: parallelize get identity and session calls (#3023)
  • 590269f9 feat: refactor credentials fetching (#3183)
  • b3d037b3 feat: return hydra error messages
  • eb854bec feat: return verification flow ID after registration flow (#3144)
  • fb6b1600 feat: show "continue" screen after successful verification (#3090)
  • 5de6bf46 feat: social sign in via linkedin (#3079)
  • 2cbee3e8 feat: webhooks that update identities
  • a206772d fix: access rules example (#3178)
  • 2e96d75c fix: account experience redirects to verification page (#3195)
  • 61ae531b fix: account settings broken on OIDC removal (#3185)
  • 09312dd2 fix: add HydraLoginRequest on flow creation (#3152)
  • c70704ce fix: add after_verification_return_to to sdk and api docs (#3097)
  • 21576beb fix: add missing code discriminator in updateVerificationFlow (#3213)
  • 756bed4d fix: add missing index (#3181)
  • 20c23594 fix: add mutex to test SMTP server setup/teardown
  • 71d35ddd fix: avoid unchecked casts from IdentityPool to PrivilegedIdentityPool
  • 1193a568 fix: correctly apply patches to identity metadata (#3103)
  • f95f48a7 fix: do not omit last page on identity list (#3169)
  • 3a734c2d fix: don't return 500 if active strategy is disabled (#3197)
  • e260fcf0 fix: don't reuse ports in courier/SMTP tests (#3156)
  • 290d28ad fix: don't treat missing session as error in tracing
  • b1bdcd32 fix: error messages in OpenAPI/Swagger / improve error messages from failed webhooks and client timeouts (#3218)
  • 39fa31f8 fix: handle upstream errors in patreon provider (#3032)
  • 989c99d6 fix: identity.CopyWithoutCredentials
  • 39043d45 fix: implement offline scope in the way google expects (#3088)
  • 0a05d994 fix: improve webhook resilience (#3200)
  • 162ab9b5 fix: invalid SQL syntax in ListIdentities (#3202)
  • dec7cbc4 fix: issuer missing from netid claims (#3080)
  • ae49ef04 fix: lint errors and unused code
  • 342bfb03 fix: make async webhooks fully async (#3111)
  • 5ab1a56c fix: make session AAL satisfaction check resilient against a nil identity in the session
  • 52f07402 fix: missing issuer regression in OIDC (#3220)
  • 93e6501c fix: nolint comment
  • 59f35d11 fix: only return one result set for credentials_identifier (#3107)
  • a7f94144 fix: orphaned webhook spans
  • 08a34476 fix: re-use existing CSRF token in verification flows (#3188)
  • 1650426a fix: reduce SQL tracing noise
  • 054705b8 fix: remove http.Redirect from show_verification_ui hook (#3238)
  • c629b72b fix: remove network omit flag (#3066)
  • 9477ea4a fix: report correct errors for json schema validation (#3085)
  • 3467fd3b fix: respect the after recovery return to URL from config (#3141)
  • 8d4762c1 fix: set DB connection max idle time
  • 1180c051 fix: set proper maxAge for session cookies (#3209)
  • 523b93fd fix: sqa config values unified across projects (#3237)
  • e9ac00b3 fix: test contract names
  • 3bc1ff0e fix: use correct names in WebAuthN dialogs (#3215)
  • dba38032 fix: use type alias instead of type definition (#3148)
  • 46eb063f fix: webhook tracing and missing defers (#3145)
  • b9ccccf0 fix: wrong context in logout trace span (#3168)
  • ceb5cc2b refactor: identity persistence (#3101)
  • 00026682 test(e2e): fix compile errors in commands (#3179)
  • 5403f863 test: parallelize several unit tests (#3081)

Artifacts can be verified with cosign using this public key.

v0.11.1

1 year ago

  • Fixed several bugs to improve overall stability.
  • Optimized performance for faster load times and smoother operation.
  • Improved tracing capabilities for better debugging and issue resolution.

We are constantly working to improve Ory Kratos and this release is no exception. Thank you for using Ory and please let us know if you have any feedback or encounter any issues.

Breaking Changes

The /admin/courier/messages endpoint now uses keysetpagination instead.

Bug Fixes

  • Add missing indexes (#2973) (bbb3995)

  • Add missing indexes for identity delete (#2952) (dc311f9):

    This significantly improves the performance of identity deletes.

  • Cors headers not added to the response #2922 (#2934) (1ed6839)

  • Dont reset to false (#2965) (ae8ad7b)

  • Flaky test now stable (4e5dcd0)

  • Listing sessions query (#2958) (3e06c99), closes #2930

  • Missing index on courier list count (#3002) (3b50711)

  • Pin geckodriver version to bypass GitHub API quota (#2972) (585cb9e)

  • Quickstart demos (#2940) (a7720b2)

  • Remove duplicate query in GetIdentity (#2987) (33b01bb)

  • Remove unused x-session-cookie parameter (#2983) (56b5c26):

    This patch removes the undocumented and experimental X-Session-Cookie header from the /sessions/whoami endpoint.

  • Resilient social sign in (#3011) (ca35b45)

  • Respect return_to URL parameter in registration flow when the user is already registered (#2957) (3462ce1)

  • Set accept header for GitLab (#2998) (e892113)

  • Set config at the start (e58bc6e)

  • Spurious cancelation of async webhooks, better tracing (#2969) (72de640):

    Previously, async webhooks (response.ignore=true) would be canceled early once the incoming Kratos request was served and its associated context released. We now dissociate the cancellation of async hooks from the normal request processing flow.

  • TOTP internal context after saving settings (#2960) (8b647b1), closes #2680

  • Update pquerna/otp to fix TOTP URL encoding (#2951) (7248636):

    v1.4.0 fixes generating TOTP URLs. Query params now use %20 instead of + to encode spaces. + was not correctly interpreted by some Android authenticator apps, and would show up in the issuer name, e.g. "My+Issuer" instead of "My Issuer".

  • Update year (d77e2cf)

  • Webhook tracing instrumentation+memory leak (f0044a3)
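The async webhook cancelation fix above (#2969) comes down to context lifetime. The following is an added example, not Kratos code: it shows a background hook failing with context.Canceled when it inherits the request context, and completing when it runs on a context that keeps the request's values but not its cancelation. The names detached, deliver, serve and traceKey are hypothetical, and the trace ID is a constructed value.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

type traceKey struct{}

// detached keeps the parent's values (trace IDs and the like) but reports no
// deadline and no cancelation, so work started from it outlives the request.
type detached struct{ context.Context }

func (detached) Deadline() (time.Time, bool) { return time.Time{}, false }
func (detached) Done() <-chan struct{}       { return nil }
func (detached) Err() error                  { return nil }

// deliver stands in for the outgoing webhook HTTP call: it needs 50ms and
// gives up as soon as its context is done.
func deliver(ctx context.Context) (string, error) {
	select {
	case <-time.After(50 * time.Millisecond):
		trace, _ := ctx.Value(traceKey{}).(string)
		return trace, nil
	case <-ctx.Done():
		return "", ctx.Err()
	}
}

// serve models one incoming request that fires an async hook and then
// finishes. It returns what the hook saw: the trace ID on success, or the
// error that stopped the delivery.
func serve(detach bool) (string, error) {
	base := context.WithValue(context.Background(), traceKey{}, "trace-constructed-1")
	reqCtx, finish := context.WithCancel(base)

	hookCtx := reqCtx
	var stop context.CancelFunc = func() {}
	if detach {
		// The hook gets its own upper bound instead of the request's lifetime.
		hookCtx, stop = context.WithTimeout(detached{reqCtx}, time.Second)
	}

	type result struct {
		trace string
		err   error
	}
	done := make(chan result, 1)
	go func() {
		defer stop()
		trace, err := deliver(hookCtx)
		done <- result{trace, err}
	}()

	finish() // response written: the server releases the request context
	r := <-done
	return r.trace, r.err
}

func main() {
	_, err := serve(false)
	fmt.Println("hook on request context:", err, errors.Is(err, context.Canceled))
	trace, err := serve(true)
	fmt.Println("hook on detached context:", trace, err)
}
```

Giving the detached hook its own timeout matters: without one, a hanging webhook endpoint would hold the goroutine indefinitely.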
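The TOTP URL encoding fix above (#2951) is easy to reproduce with Go's standard library. The following is an added example, not code from pquerna/otp or Kratos: it builds an otpauth URI with form encoding ("+" for a space) and with "%20", then reads the issuer back with a percent-only decoder (the behaviour the note attributes to some authenticator apps) and with a form decoder. The function names, the account and the secret are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// otpauthURI builds a TOTP enrollment URI. With plusForSpace set it keeps
// Go's default form encoding of the query, which writes a space as "+";
// otherwise spaces are written as "%20".
func otpauthURI(issuer, account, secret string, plusForSpace bool) string {
	q := url.Values{}
	q.Set("issuer", issuer)
	q.Set("secret", secret)
	raw := q.Encode() // url.QueryEscape: " " becomes "+", a literal "+" becomes "%2B"
	if !plusForSpace {
		// Safe: after QueryEscape every remaining "+" stands for a space.
		raw = strings.ReplaceAll(raw, "+", "%20")
	}
	u := url.URL{
		Scheme:   "otpauth",
		Host:     "totp",
		Path:     "/" + issuer + ":" + account,
		RawQuery: raw,
	}
	return u.String()
}

// issuerPercentOnly models a reader that percent-decodes the query but does
// not apply the form rule that "+" means space.
func issuerPercentOnly(uri string) (string, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return "", err
	}
	for _, pair := range strings.Split(u.RawQuery, "&") {
		k, v, _ := strings.Cut(pair, "=")
		if k == "issuer" {
			return url.PathUnescape(v) // decodes %XX, leaves "+" untouched
		}
	}
	return "", fmt.Errorf("no issuer parameter in %q", uri)
}

// issuerFormDecoded models a reader that applies form decoding, where both
// "+" and "%20" become a space.
func issuerFormDecoded(uri string) (string, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return "", err
	}
	return u.Query().Get("issuer"), nil
}

func main() {
	const account, secret = "alice@example.com", "JBSWY3DPEHPK3PXP" // constructed sample values
	for _, plus := range []bool{true, false} {
		uri := otpauthURI("My Issuer", account, secret, plus)
		strict, _ := issuerPercentOnly(uri)
		form, _ := issuerFormDecoded(uri)
		fmt.Printf("%s\n  percent-only reader: %q\n  form reader:         %q\n", uri, strict, form)
	}
}
```

Only the "%20" form reads back as "My Issuer" in both decoders, which is why it is the interoperable choice for enrollment QR codes.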

Code Generation

  • Pin v0.11.1 release commit (41595c5)

Documentation

Features

  • Add client IP to span events (7ce3a74)

  • Add NID to logs in courier (#2956) (b407aa9)

  • Improve error message when no session is found (#2988) (7ad2b97)

  • Improve tracing (#2992) (04d0280)

  • Remove duplicate queries from whoami calls (#2995) (b50a222), closes #2402:

    Introduces an expand API to the identity persister which greatly improves whoami performance.

  • Require verification on login (#2927) (efb8ae8)

  • Store errors of courier message (#2914) (fc7aa86)

Tests

Changelog

  • 727439c8 autogen(docs): generate and bump docs
  • b3b6f88d autogen(docs): regenerate and update changelog
  • d8d47c90 autogen(docs): regenerate and update changelog
  • ac052595 autogen(docs): regenerate and update changelog
  • d8a2cbd1 autogen(docs): regenerate and update changelog
  • a3096c7b autogen(docs): regenerate and update changelog
  • e11ba527 autogen(docs): regenerate and update changelog
  • 4e1d4704 autogen(docs): regenerate and update changelog
  • 0b109cd6 autogen(docs): regenerate and update changelog
  • 97e9356a autogen(docs): regenerate and update changelog
  • 59172586 autogen(docs): regenerate and update changelog
  • d895a268 autogen(docs): regenerate and update changelog
  • b6bd3f43 autogen(docs): regenerate and update changelog
  • 8fbb1bba autogen(docs): regenerate and update changelog
  • 8bb3f2a8 autogen(docs): regenerate and update changelog
  • 83131fc2 autogen(docs): regenerate and update changelog
  • 935d115c autogen(docs): regenerate and update changelog
  • 94e01a92 autogen(docs): regenerate and update changelog
  • c52425ed autogen(docs): regenerate and update changelog
  • 6fddfbff autogen(docs): regenerate and update changelog
  • 03b3c293 autogen(docs): regenerate and update changelog
  • 6134150c autogen(docs): regenerate and update changelog
  • ce725017 autogen(openapi): regenerate swagger spec and internal client
  • bef1a6c2 autogen: add v0.11.0 to version.schema.json
  • 41595c52 autogen: pin v0.11.1 release commit
  • 2f9b001c chore: add missing security annotations to admin handlers (#2937)
  • 561e5689 chore: cleanup test (#2964)
  • 20da533b chore: pin nancy (#2977)
  • 131b8c5f chore: update repository templates to https://github.com/ory/meta/commit/a1264fa887f73bb5ac92ceabe5b9b568d17d850d
  • ab1abee4 ci: fix dockle action
  • fc2787ba docs: improve api headline (#2989)
  • b407aa94 feat: add NID to logs in courier (#2956)
  • 7ce3a747 feat: add client IP to span events
  • 7ad2b970 feat: improve error message when no session is found (#2988)
  • 04d0280c feat: improve tracing (#2992)
  • b50a2229 feat: remove duplicate queries from whoami calls (#2995)
  • efb8ae89 feat: require verification on login (#2927)
  • fc7aa865 feat: store errors of courier message (#2914)
  • 8b647b1f fix: TOTP internal context after saving settings (#2960)
  • bbb39957 fix: add missing indexes (#2973)
  • dc311f9a fix: add missing indexes for identity delete (#2952)
  • 1ed68393 fix: cors headers not added to the response #2922 (#2934)
  • ae8ad7be fix: dont reset to false (#2965)
  • 4e5dcd0d fix: flaky test now stable
  • 3e06c991 fix: listing sessions query (#2958)
  • 3b507110 fix: missing index on courier list count (#3002)
  • 585cb9e7 fix: pin geckodriver version to bypass GitHub API quota (#2972)
  • a7720b2b fix: quickstart demos (#2940)
  • 33b01bbb fix: remove duplicate query in GetIdentity (#2987)
  • 56b5c26e fix: remove unused x-session-cookie parameter (#2983)
  • ca35b45a fix: resilient social sign in (#3011)
  • 3462ce15 fix: respect return_to URL parameter in registration flow when the user is already registered (#2957)
  • e892113c fix: set accept header for GitLab (#2998)
  • e58bc6e9 fix: set config at the start
  • 72de640b fix: spurious cancelation of async webhooks, better tracing (#2969)
  • 72486368 fix: update pquerna/otp to fix TOTP URL encoding (#2951)
  • d77e2cf5 fix: update year
  • f0044a36 fix: webhook tracing instrumentation+memory leak
  • e8e8ce5e test: improve parallelization
  • 7025081b test: regenerate csrf if verification flow expired (#2455)
  • 6d26e5c7 test: update integrity snapshots (#3000)

Artifacts can be verified with cosign using this public key.

v0.11.0

1 year ago

v0.10.1

1 year ago

Re-release the SDK.

Bug Fixes

Code Generation

  • Pin v0.10.1 release commit (ab16580)

Changelog

  • 290dbd7a autogen(docs): generate and bump docs
  • 0290986e autogen(docs): regenerate and update changelog
  • fb2ddf37 autogen(docs): regenerate and update changelog
  • 94c620d2 autogen: add v0.10.0 to version.schema.json
  • ab16580b autogen: pin v0.10.1 release commit
  • 12ceae00 fix: bump ory cli

Artifacts can be verified with cosign using this public key.

v0.10.0

1 year ago

We achieved a major milestone - Ory Kratos is out of alpha! Ory Kratos had no major changes in the APIs for the last months and we feel confident that no large breaking changes will need to be introduced in the near future.

This release focuses on quality-of-life improvements, resolves several bugs, irons out developer experience issues, and introduces session renew capabilities!

Breaking Changes

Please be aware that the SDK method signatures for submitSelfServiceRecoveryFlow, submitSelfServiceRegistrationFlow, submitSelfServiceLoginFlow, submitSelfServiceSettingsFlow, submitSelfServiceVerificationFlow might have changed in your SDK.

This patch moves several CLI commands to comply with the Ory CLI command structure:

- ory identities get ...
+ ory get identity ...

- ory identities delete ...
+ ory delete identity ...

- ory identities import ...
+ ory import identity ...

- ory identities list ...
+ ory list identities ...

- ory identities validate ...
+ ory validate identity ...

- ory jsonnet format ...
+ ory format jsonnet ...

- ory jsonnet lint ...
+ ory lint jsonnet ...

Bug Fixes

  • Add flow id when return_to is passed to the verification (#2482) (c2b1c23)

  • Add indices for slow queries (e0cdbc9)

  • Add legacy session value (ecfd052), closes #2398

  • auth0: Created_at workaround (#2492) (52a965d), closes #2485

  • Avoid excessive memory allocations in HIBP cache (#2389) (ee2d410), closes #2354

  • Change SQLite database mode to 0600 (#2344) (0e5d3b7):

    The default mode is 0644, which allows broader access than necessary.

  • Compile issues from merge conflict (#2419) (85a90c8)

  • Correct location (b249aaa)

  • courier: Add ability to specify backoff (#2349) (bf970f3)

  • Do not expose debug in a response when a schema is not found (#2348) (aee2b1e)

  • Do not fail release if no changes needed (114c93e)

  • Dockerfile: Use existing builder base image (#2390) (37de25a)

  • Embed schema (b797bba)

  • Get user first name and last name from Apple (#2331) (4779909)

  • Improve error reporting from OpenAPI (8a1009b)

  • Improve performance of identity schema call (af28de2)

  • Internal Server Error on Empty PUT /identities/id body (#2417) (5a50231)

  • Load return_to and append to errors (#2333) (5efe4a3), closes #2275 #2279 #2285

  • Make delete formattable (0005f35)

  • Mark body as required (#2479) (c9ae117)

  • New issue templates (b9ad684)

  • Openapi regression (#2465) (37a3369)

  • Quickstart docker-compose (#2490) (9717762), closes #2488

  • Refresh is always false when session exists (d3436d7), closes #2341

  • Remove required legacy field (#2410) (638d45c)

  • Remove wrong templates (4fe2d25)

  • Reorder transactions (78ca4c6)

  • Resolve index naming issues (d5550b5)

  • Resolve MySQL index issues (50bdba9)

  • Resolve otelx panics (6613a02)

  • sdk: Improved OpenAPI specifications for UI nodes (#2375) (a42a0f7), closes #2357

  • Serve.admin.request_log.disable_for_health behaviour (#2399) (0a381fa)

  • sql: Add additional join argument to resolve MySQL query issue (854e5cb), closes #2262

  • Unreliable HIBP caching strategy (#2468) (93bf1e2)

  • Use path instead of filepath to join http route paths (16b1244), closes #2292

  • Use JOIN instead of iterative queries (0998cfb), closes #2402

  • Use pointer of string for PasswordIdentifier in example code (#2421) (61f12e7)

  • Use predictable SQLite in memory DSNs (#2415) (51a13f7), closes #2059

Code Generation

  • Pin v0.10.0 release commit (87e0de7)

Code Refactoring

  • Deprecate fizz renderer (5277668)
  • Move CLI commands to match Ory CLI structure (d11a9a9)
  • Move CLI commands to match Ory CLI structure (73910a3)

Documentation

  • Add docs about change in default schema (#2447) (5093cd4)
  • Remove notice importing credentials not possible (#2418) (b80ed69)

Features

Tests

Unclassified

  • BREAKING CHANGES: This patch group updates the tracing provider from OpenTracing to OpenTelemetry. Due to these changes, tracing providers Zipkin, DataDog, Elastic APM have been deactivated temporarily. The best way to re-add support for them is to make a pull request at https://github.com/ory/x/tree/master/otelx and check the status of https://github.com/ory/x/issues/499 (7165fa0):

    The configuration has not changed, and thus no changes to your system are required if you use Jaeger.

Changelog

  • 7165fa04 BREAKING CHANGES: This patch group updates the tracing provider from OpenTracing to OpenTelemetry. Due to these changes, tracing providers Zipkin, DataDog, Elastic APM have been deactivated temporarily. The best way to re-add support for them is to make a pull request at https://github.com/ory/x/tree/master/otelx and check the status of https://github.com/ory/x/issues/499
  • 895aa89d autogen(docs): generate and bump docs
  • b682689d autogen(docs): regenerate and update changelog
  • d942c5d5 autogen(docs): regenerate and update changelog
  • 794c2fdc autogen(docs): regenerate and update changelog
  • d9503202 autogen(docs): regenerate and update changelog
  • b85c0e66 autogen(docs): regenerate and update changelog
  • d1375ea8 autogen(docs): regenerate and update changelog
  • e5055133 autogen(docs): regenerate and update changelog
  • 9097a60e autogen(docs): regenerate and update changelog
  • 1fbabc24 autogen(docs): regenerate and update changelog
  • 2db93776 autogen(docs): regenerate and update changelog
  • 744b84e0 autogen(docs): regenerate and update changelog
  • 2c07b171 autogen(docs): regenerate and update changelog
  • de776022 autogen(docs): regenerate and update changelog
  • 51cdc341 autogen(docs): regenerate and update changelog
  • 083e67f6 autogen(docs): regenerate and update changelog
  • 8f29d45a autogen(docs): regenerate and update changelog
  • d2b729a8 autogen(docs): regenerate and update changelog
  • 7f87bca4 autogen(docs): regenerate and update changelog
  • 5ed4ca47 autogen(docs): regenerate and update changelog
  • 72c17ac9 autogen(docs): regenerate and update changelog
  • ca1dab89 autogen(docs): regenerate and update changelog
  • 77f5bbd6 autogen(docs): regenerate and update changelog
  • 96bcba06 autogen(docs): regenerate and update changelog
  • d8727cb6 autogen(docs): regenerate and update changelog
  • d1f5748f autogen(docs): regenerate and update changelog
  • 75d0826d autogen(docs): regenerate and update changelog
  • e6b38c25 autogen(docs): regenerate and update changelog
  • 9adbcc43 autogen(docs): regenerate and update changelog
  • 2e26ddee autogen(openapi): regenerate swagger spec and internal client
  • d3df7196 autogen(openapi): regenerate swagger spec and internal client
  • a2009ff6 autogen(openapi): regenerate swagger spec and internal client
  • 6735be56 autogen(openapi): regenerate swagger spec and internal client
  • 7d66e5c1 autogen(openapi): regenerate swagger spec and internal client
  • e0fc0dfe autogen(openapi): regenerate swagger spec and internal client
  • db638cd3 autogen(openapi): regenerate swagger spec and internal client
  • 9c9477a2 autogen: add v0.9.0-alpha.3 to version.schema.json
  • 87e0de7a autogen: pin v0.10.0 release commit
  • 1fea8021 autogen: pin v0.10.0-pre.0 release commit
  • 1090a82b chore(deps): bump ory/x
  • fe69e291 chore(deps): bump ansi-regex from 4.1.0 to 4.1.1 in /test/e2e/proxy
  • 18282475 chore(deps): bump minimist from 1.2.5 to 1.2.6
  • f23ef2f6 chore(deps): bump minimist from 1.2.5 to 1.2.6 in /test/e2e
  • 92c1a2f1 chore(deps): bump minimist from 1.2.5 to 1.2.6 in /test/e2e/proxy
  • 16056034 chore: Fix typo in README (#2411)
  • 1ff1d79f chore: add missing down migrations (#2476)
  • e38ecbc8 chore: bump SQLite for better JSON support
  • b5b4ba7c chore: bump alpine image version
  • f04a58e0 chore: go mod tidy
  • 10badccf chore: resolve lint and formatting issues
  • 9519978c chore: update go mod
  • 617949cb chore: update repository templates
  • 37cb4ce1 ci: add codeball
  • 5093cd47 docs: add docs about change in default schema (#2447)
  • b80ed695 docs: remove notice importing credentials not possible (#2418)
  • 562e340f feat(identity): add admin and public metadata fields
  • 9a969fd9 feat(sdk): add cookie headers to all form submissions (#2467)
  • 2bffee81 feat(sdk): add csrf cookie for login flow submission (#2454)
  • b90a5582 feat(tracing): improved tracing for requests (#2475)
  • 29e4a51c feat: add ID to the recovery error when already logged in (#2483)
  • 72000375 feat: add certificate based authentication for smtp client (#2351)
  • 27336b63 feat: add localName to smtp config (#2445)
  • a0c006e4 feat: add render-schema script
  • 4348b864 feat: add session renew capabilities (#2146)
  • ee7fc79d feat: add support for netID provider (#2394)
  • 391c54eb feat: add tracing to persister
  • 852f24fb feat: read subject id from https://graph.microsoft.com/v1.0/me for microsoft (#2347)
  • 8fdadf9d feat: support argon2i password (#2395)
  • 121a4d3f feat: switch to opentelemetry tracing (#2318)
  • 725d202e feat: upgrade to Go 1.18
  • 37de25a5 fix(Dockerfile): use existing builder base image (#2390)
  • 52a965dc fix(auth0): created_at workaround (#2492)
  • bf970f32 fix(courier): add ability to specify backoff (#2349)
  • a42a0f77 fix(sdk): improved OpenAPI specifications for UI nodes (#2375)
  • 854e5cba fix(sql): add additional join argument to resolve MySQL query issue
  • 5a50231b fix: Internal Server Error on Empty PUT /identities/id body (#2417)
  • c2b1c230 fix: add flow id when return_to is passed to the verification (#2482)
  • e0cdbc9a fix: add indices for slow queries
  • ecfd0521 fix: add legacy session value
  • ee2d4105 fix: avoid excessive memory allocations in HIBP cache (#2389)
  • 0e5d3b77 fix: change SQLite database mode to 0600 (#2344)
  • 85a90c89 fix: compile issues from merge conflict (#2419)
  • b249aaad fix: correct location
  • aee2b1ed fix: do not expose debug in a response when a schema is not found (#2348)
  • 114c93eb fix: do not fail release if no changes needed
  • b797bba5 fix: embed schema
  • 47799098 fix: get user first name and last name from Apple (#2331)
  • 8a1009b1 fix: improve error reporting from OpenAPI
  • af28de26 fix: improve performance of identity schema call
  • 5efe4a33 fix: load return_to and append to errors (#2333)
  • 0005f357 fix: make delete formattable
  • c9ae1175 fix: mark body as required (#2479)
  • b9ad6843 fix: new issue templates
  • 37a3369c fix: openapi regression (#2465)
  • 97177629 fix: quickstart docker-compose (#2490)
  • d3436d7f fix: refresh is always false when session exists
  • 638d45ca fix: remove required legacy field (#2410)
  • 4fe2d25d fix: remove wrong templates
  • 78ca4c6c fix: reorder transactions
  • 50bdba9f fix: resolve MySQL index issues
  • d5550b5d fix: resolve index naming issues
  • 6613a02b fix: resolve otelx panics
  • 0a381fa3 fix: serve.admin.request_log.disable_for_health behaviour (#2399)
  • 93bf1e2c fix: unreliable HIBP caching strategy (#2468)
  • 0998cfb2 fix: use JOIN instead of iterative queries
  • 16b12449 fix: use path instead of filepath to join http route paths Windows users were broken since #2292, as routes were registered with backslashes.
  • 61f12e75 fix: use pointer of string for PasswordIdentifier in example code (#2421)
  • 51a13f71 fix: use predictable SQLite in memory DSNs (#2415)
  • 5277668b refactor: deprecate fizz renderer
  • d11a9a9d refactor: move CLI commands to match Ory CLI structure
  • 73910a32 refactor: move CLI commands to match Ory CLI structure
  • b5b1361d test: fix incorrect assertion
  • dd44593a test: resolve regressions

Artifacts can be verified with cosign using this public key.

v0.9.0-alpha.3

2 years ago

Resolves an issue in the quickstart.

Breaking Changes

Calling /self-service/recovery without flow ID or with an invalid flow ID while authenticated will now respond with an error instead of redirecting to the default page.

Closes https://github.com/ory-corp/cloud/issues/2173

Co-authored-by: aeneasr

Bug Fixes

  • Accept recovery link from authenticated users (#2195) (0fa64dd):

    When a recovery link is opened while the user already has a session cookie (possibly for another account), the endpoint will now correctly complete the recovery process and issue new cookies.

  • Quickstart (73b461c):

    Closes https://github.com/ory/kratos/issues/2339

  • Resolve issue where CF cookies would mingle with CSRF detection in API flows (011219a)

  • Typo in error message (#2332) (b075a5b)

  • Update v0.9.0-alpha.2 config schema path (#2328) (55705c7)

  • version schema: Require version or fall back to latest (52c9824)

Code Generation

  • Pin v0.9.0-alpha.3 release commit (32e36d4)

Documentation

  • Add missing error codes (b854bb8)
  • Clarify 410 error for api payloads (2c7ac3b)

Changelog

  • b9668032 autogen(docs): generate and bump docs
  • 4183a48c autogen(docs): regenerate and update changelog
  • 88ea06aa autogen(docs): regenerate and update changelog
  • 97bb638c autogen(docs): regenerate and update changelog
  • 8e2f3b2a autogen(docs): regenerate and update changelog
  • 61998f9a autogen(docs): regenerate and update changelog
  • 22cb0816 autogen(openapi): regenerate swagger spec and internal client
  • 994aef69 autogen: add v0.9.0-alpha.2 to version.schema.json
  • 32e36d4e autogen: pin v0.9.0-alpha.3 release commit
  • c53a9e28 chore: remove codedoc
  • b854bb8a docs: add missing error codes
  • 2c7ac3b1 docs: clarify 410 error for api payloads
  • 52c98247 fix(version schema): require version or fall back to latest
  • 0fa64dd7 fix: accept recovery link from authenticated users (#2195)
  • 73b461c6 fix: quickstart
  • 011219a4 fix: resolve issue where CF cookies would mingle with CSRF detection in API flows
  • b075a5b3 fix: typo in error message (#2332)
  • 55705c7c fix: update v0.9.0-alpha.2 config schema path (#2328)

Artifacts can be verified with cosign using this public key.

v0.9.0-alpha.2

2 years ago

Resolves an issue in the SDK release pipeline.

Bug Fixes

Code Generation

  • Pin v0.9.0-alpha.2 release commit (f5501cf)

Changelog

  • 21614d84 autogen(docs): regenerate and update changelog
  • f5501cf5 autogen: pin v0.9.0-alpha.2 release commit
  • 90b354ad chore: force run
  • 5b51bfbb fix: swag location

Artifacts can be verified with cosign using this public key.

v0.9.0-alpha.1

2 years ago