v1.0.0
Release date: 2023-07-13 04:24:48
Latest ory/kratos release: v1.2.0 (2024-06-05 19:02:56)
We are thrilled to announce Ory Kratos v1.0, the powerful Identity, User Management, and Authentication system! With this major update, Ory Kratos brings a host of enhancements and fixes that greatly improve the user experience and overall performance.
Ory Kratos 1.0 is stable and robust
Several compelling reasons led us to label Ory Kratos 1.0 as a major release and graduated project: Ory Identities on Ory Network, powered by Ory Kratos, has been serving production traffic for well over a year, flawlessly. Ory Kratos is successfully processing over 100 million API requests daily and has about 100 million Docker Pulls. We have maintained stability within the Ory Kratos APIs for nearly two years, demonstrating their robustness and reliability. No breaking changes mean that developers can trust the stability of Ory Kratos in production.
Notable changes
Ory Kratos 1.0 introduces a variety of new features while focusing on stability, robustness, and improved performance. Major enhancements include support for social login and single sign-on via OpenID Connect in native apps, emails sent through HTTP rather than SMTP, and full compatibility with Ory Hydra v2.2.0. Users will also find multi-region support in the Ory Network for broader geographic reach, improved export functionality for all credential types, and enhanced session management with the introduction of the "provider ID" parameter. Other additions comprise distroless images for leaner resource utilization and faster deployment and support for the Lark OIDC provider.
New features and full multi-region support in Ory Network
Significant improvements and fixes accompany these new features. Enhanced OIDC flows now include the ability to forward prompt upstream parameters, offering developers increased flexibility and customization options. The logout flow also supports the return_to parameter, facilitating more flexible redirection post-user logout. Performance has been a key focus, with Ory Kratos 1.0 now capable of handling hundreds of millions of active users monthly. Critical bug fixes have been applied to prevent users from being redirected to incorrect destinations, ensuring smoother authentication and authorization. Additionally, there's more support for legacy systems via implemented crypt(3) hashers and a fix for metadata patching has been deployed to ensure consistent user metadata management. For a detailed view of all changes, refer to the changelog on GitHub. Feedback and support are, as always, greatly appreciated.
Support options for Ory Kratos 1.0
Ory Kratos 1.0 is a major release that marks a significant milestone in our journey.
We sincerely hope that you find these new features and improvements in Ory Kratos 1.0 valuable for your projects. To experience the power of the latest release, we encourage you to get the latest version of Ory Kratos here or leverage Kratos in Ory Network — the easiest, simplest, and most cost-effective way to run Ory.
For organizations seeking to upgrade their self-hosted solution, Ory offers dedicated support services to ensure a smooth transition. Our team is ready to assist you throughout the migration process, ensuring uninterrupted access to the latest features and improvements. Additionally, we provide various support plans specifically tailored for self-hosting organizations. These plans offer comprehensive assistance and guidance to optimize your Ory deployments and meet your unique requirements.
A Shoutout to the Ory Community
We extend our heartfelt gratitude to the vibrant and supportive Ory Community. Without your constant support, feedback, and contributions, reaching this significant milestone would not have been possible. As we continue on this journey, your feedback and suggestions are invaluable to us. Together, we are shaping the future of identity management and authentication in the digital landscape.
Contributors to this release in alphabetical order: borisroman, ci42, CNLHC, David-Wobrock, giautm, IchordeDionysos, indietyp, jossbnd, kralicky, PhakornKiong, sunakan, steverusso
Are you passionate about security and want to make a meaningful impact in one of the biggest open-source communities? Join the Ory community and become a part of the new ID stack. Together, we are building the next generation of IAM solutions that empower organizations and individuals to secure their identities effectively.
Give it a go
Want to check out Ory Kratos yourself? Use these commands to get your Ory Kratos project running on the Ory Network:
brew install ory/tap/cli
scoop bucket add ory https://github.com/ory/scoop.git
scoop install ory
bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory
sudo mv ./ory /usr/local/bin/
ory auth
ory create project --name "My first Kratos project"
ory open account-experience registration
ory patch identity-config \
--replace '/identity/default_schema_id="preset://username"' \
--replace '/identity/schemas=[{"id":"preset://username","url":"preset://username"}]' \
--format yaml
ory open account-experience registration
Bug Fixes
- Ability to patch metadata even if it is null (#3304) (3c04d8f)
- Accept OIDC login request in browser+JSON login flow (#3271) (ad54093):
  - fix: OIDC login in browser JSON flow
  - test: add test for OIDC+JSON continuity cookie
- Add error checking when creating verification code (#3328) (7182eca)
- Add missing SessionIssued event for api flows (#3348) (adf78e0):
  - fix: missing SessionIssued event for api flows
  - chore: add SessionIssued event to post registration hook
  - chore: format
  - chore: move sessionissued event to persister
- Cypress TOTP test (eac908c)
- Don't assume the login challenge to be a UUID (#3317) (3172862):
  For compatibility with https://github.com/ory/hydra/pull/3515, which now encodes the whole flow in the login challenge, we cannot further assume that the challenge is a UUID.
- e2e: Install kratos-selfservice-ui-node peer deps (#3354) (ce20063)
- Identity list pagination (#3325) (9d3ef0d):
  Resolves a pesky issue that would skip the last page.
- Properly normalize uppercase mail addresses (4984e0f):
  Fixes https://github.com/ory/kratos/issues/3187 Fixes https://github.com/ory/kratos/issues/3289
- Provide index hint in QueryForCredentials (#3329) (4ba530e):
  - fix: provide index hint in QueryForCredentials
  - feat: remove customizable join predicate in QueryForCredentials
  - chore: remove obsolete config tracer
- Remove codeball (aa29606)
- Return HTTP 400 instead of 500 for bad query parameters (58258eb)
- sdk: Update the API spec to reflect the 204 NoContent in DeleteIdentityCredentials (#3347) (f3dee86)
- Settings should persist return_to after required mfa login flow (#3263) (0ed1abd):
  - fix: get settings should persist return_to when redirecting to aal2
  - feat(e2e): verify return_to persists in recovery flows
  - test: recovery strategy with mfa account
  - test: code recovery return to persists to settings with aal2
  - u
  - fix: return to settings flow after mfa login
  - fix(test): login handler
  - fix: flow between settings and mfa
  - fix: get settings endpoint should redirect to settings ui instead of to itself
  - feat(test): preserve URL from various settings flows through login mfa flow
  - chore: cleanup
  - fix(e2e): recovery return to spa tests
  - fix: e2e proxy
  - fix: do not always redirect back to settings on mfa
  - fix: new settings flow with required mfa shouldn't be added to login flow return_to unless it contains a return_to parameter
  - fix(e2e): let test dynamically handle required_aal
  - chore: cleanup unused code
  - test: DoesSessionSatisfy with method options
  - test: recovery strategy with aal2
- String to enum for updateVerificationFlowWithLinkMethod Method (#3279) (34ff1d2), closes #2943
- Update correct typo (#3281) (0fea75c):
  The text for verification code input should be "Verification code" not "Verify code".
- Use the correct redirect_uri for linkedin social login (#3269) (27ccecc)
Code Generation
- Pin v1.0.0 release commit (41b7c51)
Documentation
Features
- Add “provider id” parameter to kratos session (#3292) (387f5a2), closes #3283
- Add return_to parameters to the createLogout handler (#3336) (08fed36):
  - feat: add return_to parameters to the createLogout handler
  - test: logout take over return_to from create to update
  - test(e2e): logout return to
  - test(e2e): logout return to
  - test: logout return_to isn't applicable to react
- Allow customization of JOIN predicate in QueryForCredentials (#3253) (8785166)
- Emit events for login/logout and registration (#3235) (c784b7e)
- Forward prompt upstream parameter during OIDC flow (#3276) (d290cb0), closes #2709
- Implement crypt(3) hashers (#3303) (afe06db), closes #3291:
  This PR implements md5crypt, sha256crypt, sha512crypt, which are considered legacy (like md5), but are used in legacy systems looking to convert to ory. They use the existing format of crypt(5) (which is compliant to PHC).
- Improve event types and capture more events (#3297) (835fe13)
- Return to oauth flow after switching from login to other flows (#3212) (a1fea6c):
  - feat: return to oauth flow after switching from login to other flows
  - feat(e2e): flows should have return_to set to hydra request_url
  - u
  - fix: override return_to URL on OAuth flows
  - style: format
  - fix: TestOAuth2Provider
  - feat: config to opt into using OAuth request url as return_to
  - chore: cleanup
  - fix(e2e): oauth2 login flow switching to recovery
  - feat(test): oauth2 login flow to recovery through oidc provider
  - fix(e2e): oidc-provider registration
  - chore: rename oauth2_provider.return_to_enabled to oauth2_provider.override_return_to
  - style: format
  - chore: nit config description
- Support exporting of all credential types (#3290) (de6c857):
  It's now possible to export all credential types (including passwords) when calling the getIdentity SDK method.
- Support OIDC flows for native apps (#3216) (cb10609), closes #707:
  Implements Social Sign In and OpenID Connect for native apps.
Tests
- Run Playwright in CI (#3259) (342edec):
  - run Playwright in CI
  - add cleanup for session token exchangers
  - fixup: ci
  - fix: compatibility between OIDC+code and other flows
    This improves the compatibility between OIDC+code and other flows such as TOTP, settings, password auth.
  - Update persistence/sql/persister_cleanup_test.go
  - fix: error handling with OIDC+Code
  - fix: increase playwright timeout
Unclassified
- @barnarddt @hperl feat: send emails via http api endpoint instead of smtp (#1030) (#3341) (28b7b04), closes #1030 #3341 #1030 #3008:
  This change adds a new delivery method to the courier called mailer. Similar to SMS functionality it posts a templated Data model to an API endpoint. This API can then send emails via a CRM or any other mechanism that it wants.
  Mailer still uses the existing email data models so any new email added will automatically be sent to the API/CRM as well.
  Related issue(s)
Changelog
- 28b7b04a @barnarddt @hperl feat: send emails via http api endpoint instead of smtp (#1030) (#3341)
- 9fd60ee0 autogen(docs): generate and bump docs
- b1f18d90 autogen(docs): regenerate and update changelog
- 7c14f29f autogen(docs): regenerate and update changelog
- 34852042 autogen(docs): regenerate and update changelog
- 697be03a autogen(docs): regenerate and update changelog
- daa0bef4 autogen(docs): regenerate and update changelog
- d3f3be33 autogen(docs): regenerate and update changelog
- 9750278b autogen(docs): regenerate and update changelog
- 7f232bf4 autogen(docs): regenerate and update changelog
- 9b956939 autogen(docs): regenerate and update changelog
- ba55f38f autogen(docs): regenerate and update changelog
- c48f20e3 autogen(docs): regenerate and update changelog
- 1064b329 autogen(docs): regenerate and update changelog
- 1def4102 autogen(docs): regenerate and update changelog
- 45485c3c autogen(docs): regenerate and update changelog
- b7192dc7 autogen(docs): regenerate and update changelog
- b43c50cb autogen(docs): regenerate and update changelog
- 2f844ecd autogen(docs): regenerate and update changelog
- 567e5a7f autogen(docs): regenerate and update changelog
- 5535fcb7 autogen(docs): regenerate and update changelog
- c842a69a autogen(docs): regenerate and update changelog
- a4f74bc4 autogen(docs): regenerate and update changelog
- 071db1d3 autogen(docs): regenerate and update changelog
- 8d406b1b autogen(docs): regenerate and update changelog
- f2bf296f autogen(docs): regenerate and update changelog
- 5f33b08b autogen(docs): regenerate and update changelog
- 61cb722a autogen(docs): regenerate and update changelog
- 0f3cf223 autogen(docs): regenerate and update changelog
- 8e760cab autogen(docs): regenerate and update changelog
- 868ea547 autogen(docs): regenerate and update changelog
- 9bb4d5c6 autogen(docs): regenerate and update changelog
- a6d3d5b0 autogen(docs): regenerate and update changelog
- 4083e444 autogen(docs): regenerate and update changelog
- ae22c7cd autogen(docs): regenerate and update changelog
- 6de1cb3b autogen(openapi): regenerate swagger spec and internal client
- 4b0deadc autogen(openapi): regenerate swagger spec and internal client
- a439df76 autogen(openapi): regenerate swagger spec and internal client
- 0a6235da autogen(openapi): regenerate swagger spec and internal client
- 7291c89e autogen: add v0.13.0 to version.schema.json
- b75313e1 autogen: pin v0.14.0-pre.0 release commit
- 41b7c51c autogen: pin v1.0.0 release commit
- ad271d24 autogen: pin v1.0.0-pre.0 release commit
- a17bcb88 chore(deps): bump @nestjs/core and @openapitools/openapi-generator-cli (#3242)
- 950b41a1 chore(deps): bump github.com/knadh/koanf to v2.0.1 (#3308)
- a046778f chore: add launch config for VSCode (#3239)
- 22e8dafe chore: bump ory/x (#3319)
- b2ecb107 chore: bump ory/x (#3338)
- 3469773b chore: fix typo (#3370)
- 6fe4dac2 chore: minor improvements around secure redirect helpers (#3240)
- bcdcf45c chore: support in README (#3373)
- ac96a969 chore: update security scanners (#3295)
- b40544e4 docs: fix typo in readme (#3299)
- 1e65662c feat: add distroless and static images (#3350)
- 08fed369 feat: add return_to parameters to the createLogout handler (#3336)
- 387f5a27 feat: add “provider id” parameter to kratos session (#3292)
- 87851668 feat: allow customization of JOIN predicate in QueryForCredentials (#3253)
- c784b7e7 feat: emit events for login/logout and registration (#3235)
- d290cb05 feat: forward prompt upstream parameter during OIDC flow (#3276)
- afe06db9 feat: implement crypt(3) hashers (#3303)
- 835fe13d feat: improve event types and capture more events (#3297)
- f884dfba feat: lark OIDC provider (#2925)
- a1fea6c3 feat: return to oauth flow after switching from login to other flows (#3212)
- 46f92ffe feat: sort sessions by authenticated_at (#3324)
- 98fe73fa feat: sqa metrics v2 (#3300)
- cb106097 feat: support OIDC flows for native apps (#3216)
- de6c8574 feat: support exporting of all credential types (#3290)
- ce20063a fix(e2e): install kratos-selfservice-ui-node peer deps (#3354)
- 95ed2b94 fix(sdk): add cookie for updateLogoutFlow (#3284)
- f3dee869 fix(sdk): update the API spec to reflect the 204 NoContent in DeleteIdentityCredentials (#3347)
- eac908c4 fix: Cypress TOTP test
- 78e31cb8 fix: IdentityCreated event (#3314)
- 3c04d8fb fix: ability to patch metadata even if it is null (#3304)
- ad540930 fix: accept OIDC login request in browser+JSON login flow (#3271)
- 7182eca0 fix: add error checking when creating verification code (#3328)
- adf78e09 fix: add missing SessionIssued event for api flows (#3348)
- 6db70a81 fix: bump quickstart version (#3257)
- 17be30dd fix: do not require items to be unique (#3349)
- 31728629 fix: don't assume the login challenge to be a UUID (#3317)
- 9d3ef0df fix: identity list pagination (#3325)
- eaa3f3c1 fix: incorrect override in identity hydrate (#3368)
- 10713cc7 fix: increase size for request url (#3366)
- 831fb19e fix: minor refactorings in package hash (#3186)
- b6b80a3a fix: missing id for login event (#3315)
- 4984e0fb fix: properly normalize uppercase mail addresses
- 4ba530ef fix: provide index hint in QueryForCredentials (#3329)
- 5bb7b0c8 fix: reduce lookups in whoami call (#3364)
- 8f9bff52 fix: reintroduce ExpandAll (#3369)
- aa296067 fix: remove codeball
- b1e78ad3 fix: remove duplicate SessionIssued event (#3351)
- 58258eba fix: return HTTP 400 instead of 500 for bad query parameters
- 0ed1abd3 fix: settings should persist return_to after required mfa login flow (#3263)
- 34ff1d29 fix: string to enum for updateVerificationFlowWithLinkMethod Method (#3279)
- c4260140 fix: update README (#3363)
- 0fea75c4 fix: update correct typo (#3281)
- 8ae87839 fix: use RETURNING clause for batch create (#3293)
- 27ccecc1 fix: use the correct redirect_uri for linkedin social login (#3269)
- 95ad94d0 fix: webhook config parse for settings flow (#3305)
- 342edece test: run Playwright in CI (#3259)
Artifacts can be verified with cosign using this public key.
1. checksums.txt 2.85KB
2. checksums.txt.sig 96B
3. kratos_1.0.0-linux_32bit.tar.gz 13.28MB
4. kratos_1.0.0-linux_64bit.tar.gz 13.94MB
5. kratos_1.0.0-linux_arm64.tar.gz 12.85MB
6. kratos_1.0.0-linux_armv6.tar.gz 13.3MB
7. kratos_1.0.0-linux_armv7.tar.gz 13.29MB
8. kratos_1.0.0-linux_sqlite_64bit.tar.gz 14.57MB
9. kratos_1.0.0-linux_sqlite_arm64.tar.gz 13.47MB
10. kratos_1.0.0-linux_sqlite_armv6.tar.gz 13.87MB
11. kratos_1.0.0-linux_sqlite_armv7.tar.gz 13.86MB
12. kratos_1.0.0-linux_sqlite_libmusl_64bit.tar.gz 14.56MB
13. kratos_1.0.0-linux_sqlite_libmusl_arm64.tar.gz 13.49MB
14. kratos_1.0.0-linux_sqlite_libmusl_armv6.tar.gz 13.9MB
15. kratos_1.0.0-linux_sqlite_libmusl_armv7.tar.gz 13.89MB
16. kratos_1.0.0-linux_static-nosqlite_64bit.tar.gz 13.94MB
17. kratos_1.0.0-linux_static-nosqlite_arm64.tar.gz 12.85MB
18. kratos_1.0.0-macOS_64bit.tar.gz 14.52MB
19. kratos_1.0.0-macOS_arm64.tar.gz 14.26MB
20. kratos_1.0.0-macOS_sqlite_64bit.tar.gz 15.54MB
21. kratos_1.0.0-macOS_sqlite_all.tar.gz 30.23MB
22. kratos_1.0.0-macOS_sqlite_arm64.tar.gz 14.85MB
23. kratos_1.0.0-macOS_static-nosqlite_64bit.tar.gz 14.52MB
24. kratos_1.0.0-macOS_static-nosqlite_arm64.tar.gz 14.26MB
25. kratos_1.0.0-windows_32bit.zip 13.81MB
26. kratos_1.0.0-windows_64bit.zip 14.12MB
27. kratos_1.0.0-windows_arm64.zip 13MB
28. kratos_1.0.0-windows_armv6.zip 13.59MB
29. kratos_1.0.0-windows_armv7.zip 13.57MB
30. kratos_1.0.0-windows_sqlite_64bit.zip 14.68MB
31. kratos_1.0.0_darwin_amd64_v1.bom.json 209KB
32. kratos_1.0.0_darwin_arm64.bom.json 209KB
33. kratos_1.0.0_linux_amd64_v1.bom.json 209KB
34. kratos_1.0.0_linux_arm64.bom.json 209KB
35. kratos_1.0.0_sqlite_darwin_amd64_v1.bom.json 209KB
36. kratos_1.0.0_sqlite_darwin_arm64.bom.json 209KB
37. kratos_1.0.0_sqlite_linux_386.bom.json 209KB
38. kratos_1.0.0_sqlite_linux_amd64_v1.bom.json 209KB
39. kratos_1.0.0_sqlite_linux_arm64.bom.json 209KB
40. kratos_1.0.0_sqlite_linux_arm_6.bom.json 209KB
41. kratos_1.0.0_sqlite_linux_arm_7.bom.json 209KB
42. kratos_1.0.0_sqlite_windows_386.bom.json 209KB
43. kratos_1.0.0_sqlite_windows_amd64_v1.bom.json 209KB
44. kratos_1.0.0_sqlite_windows_arm64.bom.json 209KB
45. kratos_1.0.0_sqlite_windows_arm_6.bom.json 209KB
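
One way to carry out the cosign verification mentioned above for a downloaded archive, as an added example that is not part of the Ory release notes. It assumes the linked public key has been saved locally as cosign.pub (a placeholder path) and that checksums.txt uses the "<sha256>  <filename>" layout; the function names are hypothetical.

```sh
# Added example. Assumptions: cosign is installed, cosign.pub holds the public key
# linked from the release page, and checksums.txt lists SHA-256 digests.

# sha256_of FILE: print the hex SHA-256 of FILE (GNU coreutils or BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# verify_signature KEY SIG FILE: check the detached cosign signature over FILE.
verify_signature() {
  cosign verify-blob --key "$1" --signature "$2" "$3"
}

# expected_digest CHECKSUMS NAME: print the digest recorded for exactly NAME.
# Exact matching stops "x.tar.gz" from being satisfied by an "x.tar.gz.bak" entry.
expected_digest() {
  awk -v n="$2" '
    $2 == n || $2 == ("*" n) { print $1; found = 1; exit }
    END { exit !found }
  ' "$1"
}

# check_archive CHECKSUMS ARCHIVE: 0 on match, 1 on mismatch, 2 if ARCHIVE is not listed.
check_archive() {
  local want got
  want=$(expected_digest "$1" "$(basename "$2")") || {
    echo "no checksum entry for $2" >&2
    return 2
  }
  got=$(sha256_of "$2")
  [ "$want" = "$got" ] || {
    echo "digest mismatch for $2" >&2
    return 1
  }
}

# verify_release KEY DIR ARCHIVE: signature first, digest second. The order matters:
# a checksums.txt whose signature was not checked proves nothing about the archive.
# Example: verify_release cosign.pub . kratos_1.0.0-linux_64bit.tar.gz
verify_release() {
  verify_signature "$1" "$2/checksums.txt.sig" "$2/checksums.txt" &&
    check_archive "$2/checksums.txt" "$2/$3"
}
```
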