Headless cloud-native authentication and identity management written in Go. Scales to a billion+ users. Replace Homegrown, Auth0, Okta, Firebase with better UX and DX. Passkeys, Social Sign In, OIDC, Magic Link, Multi-Factor Auth, SMS, SAML, TOTP, and more. Runs everywhere, runs best on Ory Network.
Ory Kratos v1.1 is the most complete, most scalable, and most secure open-source identity server on the planet, and we are thrilled to announce its release! This release comes with over 270 commits and an incredible amount of new features and capabilities!
Phone Verification & 2FA with SMS: Enhance convenient security with phone verification and two-factor authentication (2FA) via SMS, integrating easily with SMS gateways like Twilio. This feature not only adds a convenient layer of security but also offers a straightforward method for user verification, increasing your trust in user accounts.
Translations & Internationalization: Ory Kratos now supports multiple languages, making it accessible to a global audience. This improvement enhances the user experience by providing a localized interface, ensuring users interact with the system in their preferred language.
Native Support for Sign in with Google and Apple on Android/iOS: Get more sign-ups with native support for "Sign in with Google" and "Sign in with Apple" on mobile platforms. Great user experience matters!
Account Linking: Simplify user management with new features that facilitate account linking. If a user registers with a password and later signs in with a social account sharing the same email, new screens make account linking straightforward, enhancing user convenience and reducing support inquiries.
Passwordless "Magic Code": Introduce a passwordless login method with "Magic Code," which sends a one-time code to the user's email for sign-up and login. This method can also serve as a fallback when users forget their password or their social login is unavailable, streamlining the login process and improving user accessibility.
Session to JWT Conversion: Convert an Ory Session Cookie or Ory Session Token into a JSON Web Token (JWT), providing more flexibility in handling sessions and integrating with other systems. This feature allows for seamless authentication and authorization processes across different platforms and services.
Note: To ensure a seamless upgrade experience with minimal impact, some of these features are gated behind the feature_flags config parameter, allowing controlled deployment and testing.
Better reliability when sending out emails across different providers.
Streamlining the HTTP API and improving related SDK methods.
Better performance when calling the whoami API endpoint, updating identities, and listing identities.
The performance of listing identities has significantly improved with the introduction of keyset pagination. Page pagination is still available but will be fully deprecated soon.
Ability to list multiple identities in a batch call.
Passkeys and WebAuthn now support multiple origins, useful when working with subdomains.
The logout flow now redirects the user back to the return_to parameter set in the API call.
When updating their settings, the user was sometimes incorrectly asked to confirm the changes by providing their password. This issue has now been fixed.
When signing up with an account that already exists, the user will be shown a hint helping them sign in to their existing account.
CORS configuration can now be hot-reloaded.
The integration with Ory OAuth2 / Ory Hydra has improved for logout, login session management, verification, and recovery flows.
A new passwordless method has been added: "Magic code". It sends a one-time code to the user's email during sign-up and log-in. This method can additionally be used as a fallback login method when the user forgets their password.
Integration with social sign-in has improved, and it is now possible to use the email verified status from the social sign-in provider.
Ory Elements and the default Ory Account Experience are now internationalized with translations.
It is now possible to convert an Ory Session Cookie or Ory Session Token into a JSON Web Token.
Recovery on native apps has improved significantly and no longer requires the user to switch to a browser for the recovery step.
Administrators can now find users by their identifiers with fuzzy search - this feature is still in preview.
Importing HMAC-hashed passwords is now possible.
Webhooks can now update identity admin metadata.
New screens have been added to make account linking possible when a user has registered with a password and later tries signing in with a social account sharing the same email.
Ability to revoke all sessions of a user when they change their password.
Webhooks are now available for all login, registration, and login methods, including Passkeys, TOTP, and others.
The login screen no longer shows “ID” for the primary identifier, but instead extracts the correct label - for example, “Email” or “Username” - from the Identity Schema.
Login hints help users with guidance when they are unable to sign in (wrong social sign-in provider) but have an active account.
The following features have been shipped exclusively to Ory Network for this version:
B2B SSO allows your customers to connect their LDAP / Okta / AD / … to your login. Ory selects the correct login provider based on the user’s email domain.
Finding users effortlessly with our new fuzzy search for credential identifiers available for the Identity List API.
Ory Kratos 1.1 is a major release that marks a significant milestone in our journey.
We sincerely hope that you find these new features and improvements in Ory Kratos 1.1 valuable for your projects. To experience the power of the latest release, we encourage you to get the latest version of Ory Kratos here or leverage Ory Kratos in Ory Network — the easiest, simplest, and most cost-effective way to run Ory.
For organizations seeking to upgrade their self-hosted solution, Ory offers enterprise support services to ensure a smooth transition. Our team is ready to assist you throughout the migration process, ensuring uninterrupted access to the latest features and improvements. Additionally, we provide various support plans specifically tailored for self-hosting organizations. These plans offer comprehensive assistance and guidance to optimize your Ory deployments and meet your unique requirements.
We extend our heartfelt gratitude to the vibrant and supportive Ory Community. Without your constant support, feedback, and contributions, reaching this significant milestone would not have been possible. As we continue on this journey, your feedback and suggestions are invaluable to us. Together, we are shaping the future of identity management and authentication in the digital landscape.
Are you passionate about security and want to make a meaningful impact in one of the biggest open-source communities? Join the Ory community and become a part of the new ID stack. Together, we are building the next generation of IAM solutions that empower organizations and individuals to secure their identities effectively.
Want to check out Ory Kratos yourself? Use these commands to get your Ory Kratos project running on the Ory Network:
See https://github.com/ory/kratos/discussions/3388
Update link to hashed password formats (#3484) (8ca3adc)
Features
Add ability to convert session to JWT when calling whoami (#3472) (57b7bb8), closes #2487:
This patch adds a query parameter tokenize_as to /session/whoami which encodes the session to a JWT. It is possible to customize the JWT claims by using a JsonNet template, and furthermore change the expiry of the token.
The tokenize feature supports multiple templates, which makes it easy to use the resulting JWT in a variety of use cases.
Check whoami aal before accepting hydra login request (#3669) (a2f79c3)
Code method on registration and 2fa (#3481) (7aa2e29)
Consider OIDC registration flows errored with duplicate credential to be completed by strategy (#3525) (3e3c789):
Returning anything else here may cause Kratos to respond with two concatenated JSON objects: new login flow with actual error message as the first one and a very confusing '500, aborted registration hook execution' as the second one.
Csrf token regenerate on browser flows (#3706) (e4908db), closes #3705
Whenever a user is asked to reauthenticate (e.g. because they wish to execute a settings flow touching their credentials and their session is no longer privileged) they are asked to provide their credentials again. The forced-refresh login flow generated for such cases already excludes some strategies that are enabled in Kratos but cannot be used to authenticate as the current identity, and for example the form presented to the user will not have a password field if the identity does not have a password credential.
This, however, does not currently apply to OIDC providers; the user will always see the full set even if some of them can't be used to sign in as the current identity. This change causes forced refresh login flows to also omit irrelevant OIDC providers in the generated form in order to avoid confusing the user about which strategies/providers are valid and can actually be used to reauthenticate.
On verification required after registration, preserve return_to (#3589) (6a0a914):
fix: on verification required after registration, preserve return_to
Reject obviously invalid email addresses from courier (8cb9e4c)
Remove earliest_possible_extend default in schema (#3464) (7e05b7d)
Remove duplicate message ID usage (#3468) (dfcbe22)
Remove requirement for smtp section (#3405) (59a3f14)
Remove slow queries from update identities (#3553) (d138abb)
Rename "phone" courier channel to "sms" (#3680) (eb8d1b9)
Respect gomail.SendError in mail queue (#3600) (9c608b9)
Respond with 422 when SPA identity requires AAL2 (#3572) (df18c09):
If you submit a browser login flow with an Accept header of application/json, but the login flow requires AAL2, then there is no way for the code to know it needs to redirect the user to the 2FA page. Instead of responding with the Session in this scenario, this PR changes the behaviour to respond with a browser_location_change_required error (status 422) to indicate that the browser needs to open a specific URL, /self-service/login/browser?aal=aal2.
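The following is an added example, not code from the Ory Kratos project, showing how a single-page app can interpret the three outcomes of a browser login flow submitted with `Accept: application/json` on Kratos 1.1. The response body shapes, the public base URL and the sample bodies are assumptions constructed for the example.

```javascript
// Added example (not from the Ory Kratos project). Assumed response shapes:
//   200 -> { session: {...} }
//   422 -> { error: { id: "browser_location_change_required" }, redirect_browser_to: url }
//   400 -> the login flow itself, re-rendered with ui.messages
const KRATOS_PUBLIC_URL = "https://kratos.example.test"; // constructed, assumption

// Decide what the SPA must do with a (status, body) pair from the login flow.
function classifyLoginResponse(status, body) {
  if (status === 200 && body && body.session) {
    return { action: "authenticated", aal: body.session.authenticator_assurance_level };
  }
  if (status === 422 && body && body.error &&
      body.error.id === "browser_location_change_required") {
    const target = new URL(body.redirect_browser_to, KRATOS_PUBLIC_URL);
    // Only follow redirects that stay on the Kratos public origin.
    if (target.origin !== new URL(KRATOS_PUBLIC_URL).origin) {
      return { action: "error", reason: "unexpected_redirect_origin" };
    }
    return {
      action: "redirect",
      to: target.href,
      // The AAL2 step-up page is /self-service/login/browser?aal=aal2.
      requiresAal2: target.searchParams.get("aal") === "aal2",
    };
  }
  if (status === 400 && body && body.ui) {
    // Validation failed; hand the message IDs to the UI for rendering/i18n.
    return { action: "show_flow", messageIds: (body.ui.messages || []).map((m) => m.id) };
  }
  return { action: "error", reason: `unhandled_status_${status}` };
}

// Constructed sample bodies for each case.
const SAMPLE_OK = { session: { id: "sess-1", authenticator_assurance_level: "aal1" } };
const SAMPLE_AAL2 = {
  error: { id: "browser_location_change_required", code: 422 },
  redirect_browser_to: KRATOS_PUBLIC_URL + "/self-service/login/browser?aal=aal2",
};
const SAMPLE_FLOW = { id: "flow-1", ui: { messages: [{ id: 4000001, type: "error" }] } };
const SAMPLE_FOREIGN_REDIRECT = {
  error: { id: "browser_location_change_required", code: 422 },
  redirect_browser_to: "https://other.example.test/",
};
```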
Return 400 bad request for invalid login challenge (#3404) (ca34e9b)
Return HTTP 400 if key unmarshal fails (#3594) (fdf4956):
fix: return HTTP 400 if key unmarshal fails
fix: apply reviewer's suggestion, prepare for bump
To improve i18n and message customization, we added a bunch of new messages. Integrations that do message customization should probably handle those new message codes:
1010014, 1010015, 1040005, 1040006, 1070012, 1070013, 4000028, 4000029, 4000030, 4000031, 4000032, 4000033, 4000034, 4000035, 4000036, 4010007, 4010008, 4040002, 4040003
Additionally, these messages got more context:
1050014, 1050018, 1070002, 4000001, 4000003, 4000004, 4000017, 4000018, 4000019, 4000020, 4000021, 4000022, 4000023, 4000024, 4000025, 4000026, 4010001, 4040001, 4050001, 4060005, 4070005, 5000001
Allow additional id token audiences (#3616) (0fa648d)
Allow fuzzy-search on credential identifiers (#3526) (2cb3ea2):
This PR adds the ability to search for sub-strings and similar strings in credential identifiers.
Note that the postgres and CRDB migrations create special indexes useful for this feature. To use online schema changes with cockroach, we recommend manually copying the index definition and running it before applying migrations. The migration will then be a no-op.
If you run on mysql (or sqlite), no special index is created. If desired, you can create such an index manually, and it would be highly appreciated if you could contribute its definition.
This feature is a preview and will change in behavior! Similarity search is not expected to return deterministic results but is useful for humans.
This change allows filtering GET /admin/identities by ID with the following syntax:
/admin/identities?ids=id1&ids=id2&ids=id3
changelog: Add support for native recovery (#3624) (492808c):
Adds the ability to complete the recovery flow properly on API flows. This PR also streamlines the behavior for SPA flows to not return 422 errors anymore. To enable this new behavior, set the features.use_continue_with_transitions flag in the config to true.
Emit error details when we find stray cookies in an API flow (#3496) (df74339)
Eventual consistency API controls (#3558) (00cf11c):
Adds a feature used in Ory Network which enables trading faster reads for slightly stale data.
This feature depends on Cockroach functionality and configuration, and is not possible for MySQL or PostgreSQL.
Extend Microsoft Graph API capabilities (#3609) (4a7bcc9):
This change queries for all user information available with the User.Read scope during OIDC, and populates the RawClaims field.
Extract identifier label for login from default identity schema (#3645) (180828e)
Fine-grained hooks for all available flow methods (#3519) (a37f6bd):
Adds fine-grained hook configurations to the post-settings flow for methods totp, webauthn, lookup_secret and the post-login flow for totp, lookup_secret, and code.
Hook to revoke sessions after password changed (#3514) (e6af6db), closes #3513:
Currently, the Kratos system does not automatically log out or invalidate other active sessions when a user changes their password. This poses a significant security risk as it allows potentially unauthorized individuals to maintain access to the account even after the password has been updated.
This PR provides the option to add the revoke_active_sessions hook to the actions sections of the selfservice settings.
When a user tries to log in with OIDC for the first time but has already registered before with email/password, a credentials identifier conflict may be detected by Kratos. In this case the user needs to log in with email/password first and then link OIDC credentials on a settings screen.
This PR simplifies the UX and allows the user to link OIDC credentials to the existing account right in the login flow, without switching to the settings flow.
Login with code on any credential type (#3549) (ceed7d5):
Users should be able to log in with the code credential even if they did not register with the code credential.
Only identifier matching is done and validation based on the identity schema.
This feature adds passwordless email code login. When a user signs up, or signs in, a code is sent to their email address which they can use to complete the authentication process.
This feature is currently only working for browser facing APIs.
The Facebook OIDC provider supports an auth_type parameter that, when set to "reauthenticate", will force the user to reauthenticate (similar to prompt=login for other providers).