-
Add a policy callback to customize OIDC credential linking (#4302) (e2f878a)
-
Add a project revision field to set the maximum number of code submits (0e68c7e):
-
Add ability to send recovery code via sms (eb9d934):
-
Add allowed domains configuration for captcha (edb9e0c):
-
Add attributes to webhook events for better debugging (#4206) (00da05d)
-
Add captcha group to first-step registration (eca4ae9)
-
Add context param to policy (#4315) (261596b)
-
Add email domain matcher (#4373) (1c33c39)
-
Add explicit config flag for secure cookies (#4180) (2aabe12):
Adds a new config flag for session and all other cookies. Falls back to the previous behavior of using the dev mode to decide if the cookie should be secure or not.
-
Add external ID to identities (335a1e8):
-
Add failure reason to events (#4203) (afa7618)
-
Add HTML email support to HTTP channel (#4387) (fb8856e), closes #4350
-
Add Login with Amazon (6cb3e99):
-
Add LoginStarted and RegistrationStarted events (#4404) (7032fec), closes ory/docs#2144:
Changes:
- Add LoginStarted and RegistrationStarted events along with their required attributes
- Sort all event attributes alphabetically
- Emit these events when a new login/registration flow is created, after basic validation passed
- It is unclear yet how many of these events will be emitted, as such it is suggested that in a first phase, they remain internal and are not yet sent externally to avoid surprises (note: sometimes, these events can be emitted without user action such as simply visiting/being redirected to the sign-in page, etc)
Documentation PR:
-
Add migrate sql up|down|status (#4228) (e6fa520):
This patch adds the ability to execute down migrations using:
kratos migrate sql down -e --steps {num_of_steps}
Please read kratos migrate sql down --help carefully.
Going forward, please use the following commands
kratos migrate sql up ...
kratos migrate sql status ...
instead of the previous, now deprecated
kratos migrate sql ...
kratos migrate status ...
commands.
See https://github.com/ory-corp/cloud/issues/7350
-
Add new Division ui node attributes (235af52):
Division nodes may be used to hook dynamic scripts and are not actively used in the Ory Kratos open source.
-
Add new endpoint to tokenize JWT with a webhook (f7fa792):
-
Add oid as subject source for microsoft (#4171) (77beb4d), closes #4170:
In the case of Microsoft, using sub as an identifier can lead to problems. Because the use of OIDC at Microsoft is based on an app registration, the content of sub changes with every new app registration. Sub is therefore not uniquely related to the user. It is therefore not possible to transfer users from one app registration to another without further problems.
https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#payload-claims
With the use of oid it is possible to identify a user by a unique id.
-
Add session in settings after hook (1b57fdf):
-
Add support for Line v2.1 OIDC provider (#4240) (729effd):
For OIDC Line Login, you only need to add id_token_key_type=JWK in the exchange step to issue tokens in ES256 format.
https://github.com/ory/kratos/discussions/1116
-
Allow deleting password credentials (#4304) (f2212d4):
The admin API did not allow to delete passwords at all. The restriction is now lifted to only block deletion of the first-factor credential if it is the last one.
-
Allow extra go migrations in persister (#4183) (7bec935)
-
Allow listing identities by organization ID (#4115) (b4c453b)
-
Allow setting the org ID on creation (#4306) (bccd2fb)
-
Autoconfigure kratos-changefeed (b8bf4c7):
-
Bump CRDB, establish foreign key, (d76e70f):
-
Cache OIDC providers (#4222) (30485c4):
This change significantly reduces the number of requests to /.well-known/openid-configuration endpoints.
-
changelog-oel: Choose identity schema in self-service registration and login flows (53f4b9f):
-
changelog-oel: Improved tracing and metrics for the high-performance SQL connection pool (ce1bf9f):
-
changelog: Add a new feature flag for the Recovery V2 to ensure backwards-compatibility (d68736b):
-
changelog: Add CourierMessageAbandoned & CourierMessageDispatched events (dfed493):
-
changelog: Find-by and delete SAML credentials (0c80f61):
-
changelog: Migrate http router to stdlib router (48f5adb):
-
changelog: Reject new password same as old password when changing the password (a7f50ab):
-
Console UI for multiple identity schemas (1145cda):
-
Custom page token column extraction (c5cb85e):
-
Domain telemetry improvements (93345d7):
-
Drop unused indices post index migration (#4201) (1008639)
-
Emit admin recovery code event (#4230) (a7cdc3a)
-
Emit event on Jsonnet claims mapping error (#4394) (8caebdb):
We now emit an event containing the Jsonnet input and output in anonymized form when mapping the claims in the OIDC flow fails.
-
Emit events on jsonnet failure when templating a jwt (#4409) (959ded5):
- Fix typo: parital -> partial
- Document with comments why an event is not emitted or not documented
- Emit JsonnetMappingFailed events on jsonnet failure when templating a jwt (see https://www.ory.sh/docs/identities/session-to-jwt-cors). After review it seems we otherwise always emit events in all the right places, except in this very case. Tested end-to-end manually with the UI.
-
Emit oryWebAuthnInitialized event once webauthn is initialized (b4485f4):
-
Enable JSONNet templating for password migration hook (#4390) (b162897):
This enables JSONNet body templating for the password migration hook.
There is also a significant refactoring of some internals around webhook config handling.
-
Expose Ory-Error-Id HTTP header (f2b0cd5):
-
Fast add credential type lookups (#4177) (eeb1355)
-
Faster UpdateIdentity (4c2cfae):
-
Fewer DB loads when linking credentials, add tracing (2c5bb21)
-
Goreleaser (db10a68):
-
Gracefully handle failing password rehashing during login (#4235) (3905787):
This fixes an issue where we would successfully import long passwords (>72 chars), but fail when the user attempts to login with the correct password because we can't rehash it. In this case, we simply issue a warning to the logs, keep the old hash intact, and continue logging in the user.
-
hydra: Split up persister (910cf9c):
-
Improve domain telemetry for OSS (Hydra & Kratos) (86ab72a):
-
Improve identity import limits (#4378) (e38e812)
-
Improve kratos courier metrics and debug log message (c50ffcc):
-
Improve QueryForCredentials (#4181) (ca0d6a7)
-
Improve secondary indices for self service tables (#4179) (825aec2)
-
Improve verification required flows (#4407) (2014a40)
-
Improved events and identity recent activity (e47b858):
-
Improved tracing for courier (85a7071)
-
Index hint for CRDB when deleting identity credentials (#4276) (c703a33):
Ref https://support.cockroachlabs.com/hc/en-us/requests/25430
-
Jackson provider (#4242) (f18d1b2):
This adds a jackson provider to Kratos.
-
Load session only once when middleware is used (#4187) (234b6f2)
-
Monorepo (31f1894):
-
More extension points (#4272) (373a2e6):
This adds more extension points to the Kratos registry.
-
Move config testhelpers to ory/x (8d43aae):
-
Optimize identity-related secondary indices (#4182) (53874c1)
-
Passwordless SMS and expiry notice in code / link templates (#4104) (462cea9):
This feature allows Ory Kratos to use the SMS gateway for login and registration with code via SMS.
Additionally, the default email and sms templates have been updated. We now also expose ExpiresInMinutes / expires_in_minutes in the templates, making it easier to remind the user how long the code or link is valid for.
Closes https://github.com/ory/kratos/issues/1570
Closes https://github.com/ory/kratos/issues/3779
-
Recovery with any address including with a code via SMS (71844dd):
-
Refactor cmd/daemon (#4371) (7fe55d9)
-
Remove duplicate queries during settings flow and use better index hint for credentials lookup (#4193) (c33965e):
This patch reduces duplicate GetIdentity queries as part of submitting the settings flow, and improves an index to significantly reduce credential lookup.
For better debugging, more tracing has been added to the settings module.
-
Remove more unused indices (#4186) (b294804)
-
Return field name in generated node text label (8c7a3dc):
-
Rework the OTP code submit count mechanism (#4251) (4ca4d79):
- feat: rework the OTP code submit count mechanism
Unlike what the previous comment suggested, incrementing and checking the submit count inside the database transaction is not actually optimal performance- or security-wise.
We now atomically increment and check the submit count as the first part of the operation, and abort as early as possible if we detect brute-forcing. This prevents a situation where the check works only on certain transaction isolation levels.
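The increment-then-check ordering described above, as an added illustration that is not Kratos' own code: the submit counter is bumped and compared in one atomic step before the code is even looked at, so a guess is counted regardless of outcome and the limit holds under any isolation level. The in-memory store, the flow ids, the codes and the limit of 5 are all constructed for this example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"sync"
)

var (
	ErrUnknownFlow    = errors.New("unknown flow")
	ErrInvalidCode    = errors.New("invalid code")
	ErrTooManySubmits = errors.New("too many code submissions for this flow") // suspected brute force
)

const maxSubmits = 5 // constructed limit; Kratos takes its limit from configuration

// codeStore is a constructed in-memory stand-in for the flow table; its mutex plays the role
// of the database's single atomic "UPDATE ... SET submit_count = submit_count + 1".
type codeStore struct {
	mu      sync.Mutex
	codes   map[string]string // flow id -> one-time code sent to the user
	submits map[string]int    // flow id -> submissions seen so far, rejected ones included
}

// SubmitCode increments and checks the counter in one critical section before the code is
// compared, so the result depends neither on transaction isolation nor on racing requests.
func (s *codeStore) SubmitCode(id, attempt string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	code, ok := s.codes[id]
	if !ok {
		return ErrUnknownFlow
	}
	s.submits[id]++ // counted first, whether or not the guess turns out to be right
	if s.submits[id] > maxSubmits {
		return ErrTooManySubmits // abort as early as possible, before the code is even compared
	}
	if subtle.ConstantTimeCompare([]byte(code), []byte(attempt)) != 1 {
		return ErrInvalidCode
	}
	return nil
}

func main() {
	s := &codeStore{codes: map[string]string{"flow-1": "482913"}, submits: map[string]int{}}
	for i := 0; i <= maxSubmits; i++ { // maxSubmits wrong guesses, then one more
		fmt.Println(i+1, s.SubmitCode("flow-1", "000000"))
	}
	fmt.Println("correct code after lockout:", s.SubmitCode("flow-1", "482913"))
}
```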
-
Support android webauthn origins (#4155) (a82d288):
This patch adds the ability to verify Android APK origins used during WebAuthn/Passkey exchange.
Upgrades go-webauthn and includes fixes for Go 1.23 and workarounds for Swagger.
-
Support CRUD OIDC providers through the onboarding portal API (664fd1a):
-
Support importing more credentials (#4361) (9a6dadf):
Adds support to import SAML credentials. SAML connections are only available in Ory Enterprise License / Ory Network.
-
Trace identity id in errors (772572c):
-
Update only necessary database columns in UpdateVerifiableAddress (#4292) (168a3f6):
This is an optimization to reduce database load.
When we specify exactly which columns changed, we should be able to elide updates to the identity_verifiable_addresses_status_via_uq_idx (nid,via,value) index. Updating that index requires contacting remote regions.
Also fixed a bug where we did not set the verified_at timestamp correctly sometimes.
-
Use one transaction for /admin/recovery/code (#4225) (3e87e0c)
-
Use stdlib HTTP router in Kratos (acfa6ef):
-
Use vendored ory/x (a9ab800):
-
Webhook header allowlist configuration option (#4309) (871f5aa), closes #4290:
Adds a clients.web_hook.header_allowlist configuration option for configuring the webhook header allowlist.