v1.1.0
Release time: 2024-02-20 20:26:07
Latest ory/kratos release: v1.2.0 (2024-06-05 19:02:56)
Ory Kratos v1.1 is the most complete, most scalable, and most secure open-source identity server on the planet, and we are thrilled to announce its release! This release comes with over 270 commits and an incredible amount of new features and capabilities!
Don't forget to leave a GitHub star and check out our other open source projects while you're here :)
- Phone Verification & 2FA with SMS: Enhance convenient security with phone verification and two-factor authentication (2FA) via SMS, integrating easily with SMS gateways like Twilio. This feature not only adds a convenient layer of security but also offers a straightforward method for user verification, increasing your trust in user accounts.
- Translations & Internationalization: Ory Kratos now supports multiple languages, making it accessible to a global audience. This improvement enhances the user experience by providing a localized interface, ensuring users interact with the system in their preferred language.
- Native Support for Sign in with Google and Apple on Android/iOS: Get more sign-ups with native support for "Sign in with Google" and "Sign in with Apple" on mobile platforms. Great user experience matters!
- Account Linking: Simplify user management with new features that facilitate account linking. If a user registers with a password and later signs in with a social account sharing the same email, new screens make account linking straightforward, enhancing user convenience and reducing support inquiries.
- Passwordless "Magic Code": Introduce a passwordless login method with "Magic Code," which sends a one-time code to the user's email for sign-up and login. This method can also serve as a fallback when users forget their password or their social login is unavailable, streamlining the login process and improving user accessibility.
- Session to JWT Conversion: Convert an Ory Session Cookie or Ory Session Token into a JSON Web Token (JWT), providing more flexibility in handling sessions and integrating with other systems. This feature allows for seamless authentication and authorization processes across different platforms and services.
Note: To ensure a seamless upgrade experience with minimal impact, some of these features are gated behind the `feature_flags` config parameter, allowing controlled deployment and testing.
- Better reliability when sending out emails across different providers.
- Streamlining the HTTP API and improving related SDK methods.
- Better performance when calling the whoami API endpoint, updating identities, and listing identities.
- The performance of listing identities has significantly improved with the introduction of keyset pagination. Page pagination is still available but will be fully deprecated soon.
- Ability to list multiple identities in a batch call.
- Passkeys and WebAuthn now support multiple origins, useful when working with subdomains.
- The logout flow now redirects the user back to the `return_to` parameter set in the API call.
- When updating their settings, the user was sometimes incorrectly asked to confirm the changes by providing their password. This issue has now been fixed.
- When signing up with an account that already exists, the user will be shown a hint helping them sign in to their existing account.
- CORS configuration can now be hot-reloaded.
- The integration with Ory OAuth2 / Ory Hydra has improved for logout, login session management, verification, and recovery flows.
- A new passwordless method has been added: "Magic code". It sends a one-time code to the user's email during sign-up and log-in. This method can additionally be used as a fallback login method when the user forgets their password.
- Integration with social sign-in has improved, and it is now possible to use the email verified status from the social sign-in provider.
- Ory Elements and the default Ory Account Experience are now internationalized with translations.
- It is now possible to convert an Ory Session Cookie or Ory Session Token into a JSON Web Token.
- Recovery on native apps has improved significantly and no longer requires the user to switch to a browser for the recovery step.
- Administrators can now find users by their identifiers with fuzzy search - this feature is still in preview.
- Importing HMAC-hashed passwords is now possible.
- Webhooks can now update identity admin metadata.
- New screens have been added to make account linking possible when a user has registered with a password and later tries signing in with a social account sharing the same email.
- Ability to revoke all sessions of a user when they change their password.
- Webhooks are now available for all login and registration methods, including Passkeys, TOTP, and others.
- The login screen no longer shows "ID" for the primary identifier, but instead extracts the correct label, for example "Email" or "Username", from the Identity Schema.
- Login hints help users with guidance when they are unable to sign in (wrong social sign-in provider) but have an active account.
- Phone numbers can now be verified via an SMS gateway like Twilio.
- SMS OTP is now a two-factor option.
The following features have been shipped exclusively to Ory Network for this version:
- B2B SSO allows your customers to connect their LDAP / Okta / AD / … to your login. Ory selects the correct login provider based on the user’s email domain.
- Significantly better API performance for expensive API operations by specifying the desired consistency (`strong`, `eventual`).
- Finding users effortlessly with our new fuzzy search for credential identifiers, available for the Identity List API.
Ory Kratos 1.1 is a major release that marks a significant milestone in our journey.
We sincerely hope that you find these new features and improvements in Ory Kratos 1.1 valuable for your projects. To experience the power of the latest release, we encourage you to get the latest version of Ory Kratos here or leverage Ory Kratos in Ory Network — the easiest, simplest, and most cost-effective way to run Ory.
For organizations seeking to upgrade their self-hosted solution, Ory offers enterprise support services to ensure a smooth transition. Our team is ready to assist you throughout the migration process, ensuring uninterrupted access to the latest features and improvements. Additionally, we provide various support plans specifically tailored for self-hosting organizations. These plans offer comprehensive assistance and guidance to optimize your Ory deployments and meet your unique requirements. We extend our heartfelt gratitude to the vibrant and supportive Ory Community. Without your constant support, feedback, and contributions, reaching this significant milestone would not have been possible. As we continue on this journey, your feedback and suggestions are invaluable to us. Together, we are shaping the future of identity management and authentication in the digital landscape.
Contributors to this release in no particular order: moose115, K3das, sidartha, efesler, BrandonNoad, Saancreed, jpogorzelski, dreksx, martinloesethjensen, cpoyatos1, misamu, tristankenney, nxy7, anhnmt
Are you passionate about security and want to make a meaningful impact in one of the biggest open-source communities? Join the Ory community and become a part of the new ID stack. Together, we are building the next generation of IAM solutions that empower organizations and individuals to secure their identities effectively. Want to check out Ory Kratos yourself? Use these commands to get your Ory Kratos project running on the Ory Network:
```shell
# macOS / Linux (Homebrew)
brew install ory/tap/cli

# Windows (Scoop)
scoop bucket add ory https://github.com/ory/scoop.git
scoop install ory

# Linux (install script)
bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory
sudo mv ./ory /usr/local/bin/

# Sign in, create a project, and open the registration page of the Account Experience
ory auth login
ory create project --name "My first Kratos project"
ory open account-experience registration

# Switch the default identity schema to the username preset and open the registration page again
ory patch identity-config \
  --replace '/identity/default_schema_id="preset://username"' \
  --replace '/identity/schemas=[{"id":"preset://username","url":"preset://username"}]' \
  --format yaml
ory open account-experience registration
```
Breaking Changes
Pagination parameters for the `list identities` CLI command have changed from arguments to flags `--page-token` and `--page-size`:

```diff
- kratos list identities 1 100
+ kratos list identities --page-size 100 --page-token ...
```

Furthermore, the JSON / JSON pretty output of `list identities` has changed:

```diff
-[
-  { "id": "..." },
-  { /* ... */ },
-  // ...
-]
+{
+  "identities": [
+    {"id": "..."},
+    { /* ... */ },
+    // ...
+  ],
+  "next_page_token": "..."
+}
```
Closes https://github.com/ory/sdk/issues/284 Closes https://github.com/ory/kratos/pull/3480
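The keyset-paginated shape above is easiest to get right with a client that passes `next_page_token` back verbatim until the server returns an empty one. The following Go program is an added example written for these notes, not code from Ory Kratos or its SDKs: an in-process handler stands in for the admin API and serves constructed identity IDs, and a client walks every page. The query parameter names `page_size` and `page_token`, the base URL `http://kratos-admin.example`, and the fake server's offset-as-token scheme are assumptions made for the example; a real page token is opaque to the client.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
)

// listPage mirrors the v1.1 list-identities response: "identities" plus a "next_page_token" that is empty on the last page.
type listPage struct {
	Identities []struct {
		ID string `json:"id"`
	} `json:"identities"`
	NextPageToken string `json:"next_page_token"`
}

// inProcess gives a handler the same shape as http.DefaultClient.Do, so the client runs without opening a socket.
func inProcess(h http.Handler) func(*http.Request) (*http.Response, error) {
	return func(req *http.Request) (*http.Response, error) {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		return rec.Result(), nil
	}
}

// fakeAdminAPI serves ids in keyset pages. The parameter names page_size and page_token are
// assumed from the CLI flags; the fake token is just the next offset (a real token is opaque).
func fakeAdminAPI(ids []string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		size, err := strconv.Atoi(q.Get("page_size"))
		if err != nil || size <= 0 {
			http.Error(w, "invalid page_size", http.StatusBadRequest)
			return
		}
		start, _ := strconv.Atoi(q.Get("page_token")) // empty token parses as 0; the fake ignores parse errors on purpose
		if start < 0 || start > len(ids) {
			http.Error(w, "invalid page_token", http.StatusBadRequest)
			return
		}
		end := start + size
		if end > len(ids) {
			end = len(ids)
		}
		items := []map[string]string{}
		for _, id := range ids[start:end] {
			items = append(items, map[string]string{"id": id})
		}
		next := ""
		if end < len(ids) {
			next = strconv.Itoa(end)
		}
		json.NewEncoder(w).Encode(map[string]any{"identities": items, "next_page_token": next})
	})
}

// listAllIdentities follows next_page_token until it is empty; maxPages bounds the loop so a misbehaving server cannot keep the caller spinning.
func listAllIdentities(do func(*http.Request) (*http.Response, error), base string, pageSize, maxPages int) ([]string, error) {
	var all []string
	token := ""
	for page := 0; page < maxPages; page++ {
		q := url.Values{"page_size": {strconv.Itoa(pageSize)}}
		if token != "" {
			q.Set("page_token", token)
		}
		req, err := http.NewRequest(http.MethodGet, base+"/admin/identities?"+q.Encode(), nil)
		if err != nil {
			return nil, err
		}
		resp, err := do(req)
		if err != nil {
			return nil, err
		}
		if resp.StatusCode != http.StatusOK {
			resp.Body.Close()
			return nil, fmt.Errorf("list identities: unexpected status %d", resp.StatusCode)
		}
		var body listPage
		err = json.NewDecoder(resp.Body).Decode(&body)
		resp.Body.Close()
		if err != nil {
			return nil, err
		}
		for _, id := range body.Identities {
			all = append(all, id.ID)
		}
		if body.NextPageToken == "" {
			return all, nil
		}
		token = body.NextPageToken
	}
	return nil, fmt.Errorf("list identities: no final page after %d requests", maxPages)
}

func main() {
	do := inProcess(fakeAdminAPI([]string{"id-1", "id-2", "id-3", "id-4", "id-5"})) // constructed sample IDs
	fmt.Println(listAllIdentities(do, "http://kratos-admin.example", 2, 10))
}
```

Against a real deployment the only change is passing `http.DefaultClient.Do` (with the admin API's authentication attached) instead of `inProcess(...)`; the `maxPages` bound is what keeps a bad or looping token from turning a bulk export into an unbounded loop.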
Bug Fixes
- `oidc` does not require a method in the payload (#3564) (b299abc):
  - fix: `oidc` does not require a method in the payload
  - refactor: only update strategies order in test
  - chore: update audit messages and comments
- Accept all 200 responses as OK in courier (#3401) (88237e2), closes #3399:
  - fix: accept all 200 responses as OK in courier
- Accept login_challenge after verification (#3427) (6b02350)
- Add caching to Jsonnet snippet during session JWT tokenization (#3699) (1da8180)
- Add missing tracing & attributes in oidc strategy (#3429) (09bcb71)
- Add return_to parameter to API spec of createRecoveryLinkForIdentity (#3711) (757a5e4)
- Add value code to authentication method enum (#3546) (95dc7a2):
  - fix: add value code to authentication method enum
  - chore: generate sdk
- Additional_id_token_audiences key in config schema (#3622) (9396bb0)
- Adjust tracing verbosity (976cd0d)
- Allow post recovery hooks to interrupt the flow (#3393) (6c1d2f1)
- Allow updating admin metadata from webhook responses (#3569) (22f61f0)
- Always return relative URLs in the Link header for pagination (fb229c9)
- Auto migrate old accounts to use code credential (#3581) (569b14a)
- Carry `oauth2_login_challenge` over to registration flow (#3419) (76241be)
- Change ListIdentities to keyset pagination (e16fed1)
- Change shebangs and makefile from /bin/bash to /usr/bin/env bash (#3597) (1343bbb):
  - makefile fix
  - shebangs changed to /usr/bin/env bash
  Signed-off-by: nxy7 lolnoxy@gmail.com
- Check whoami aal before accepting hydra login request (#3669) (a2f79c3)
- Consider OIDC registration flows errored with duplicate credential to be completed by strategy (#3525) (3e3c789):
  Returning anything else here may cause Kratos to respond with two concatenated JSON objects: a new login flow with the actual error message as the first one, and a very confusing "500, aborted registration hook execution" as the second one.
- Csrf token regenerate on browser flows (#3706) (e4908db), closes #3705
- Data race in test (ab6dc31)
- Do not encode full config in multiple places (#3500) (57a3273)
- Do not initialize parts of the registry in parallel (#3534) (ff177db)
- Don't require code credential for MFA flows (#3753) (40ed809)
- Don't require session for OIDC verification (#3443) (e08f831)
- Don't return 500 on conflict for POST /admin/identities (#3437) (1429949)
- Don't return nil if code is invalid (#3662) (df8ec2b):
  - fix: don't return nil if code is invalid
  - chore: add test
- Error handling on identity import (#3520) (83bfb2d):
  When importing identities without any traits, or with malformed traits, 500s are returned. This improves the error handling and messaging.
- False-positives for requiring re-authentication on update (#3421) (ce8139f)
- Http courier using should use lower case json (#3740) (84149c4)
- Identity list pagination in CLI command and SDK (#3482) (1e8b1ae):
  Adds correct pagination parameters to the SDK methods for listing identities and sessions.
- Ignore CSRF middleware on Apple OIDC callback (309c506)
- Improved SSRF protection (#3629) (6d08576):
  This also improves tracing in the OIDC strategy.
- Incorrect swagger spec for filter parameter (#3684) (2c1470a), closes #3676 #3675
- Increase connection-level timeouts and shutdown timeouts (#3570) (200b413):
  The admin API is generally expected to require longer timeouts, for example during bulk identity import.
- Issue session after verification after registration with OIDC SSO (#3467) (a28b523)
- Lint (e8740c3)
- Lower-case recovery & verification emails on import (#3571) (e2ac9ff):
  Emails that contained upper-case characters would be overwritten by the identity schema extension runner, because all emails are lower-cased there.
- Mark identity as optional in session struct (#3463) (7ae02ba), closes #3461:
  The identity is not always available in the session struct, for example when AAL2 is required.
- Omit irrelevant OIDC providers in forced refresh login flows (#3608) (912dccd):
  Whenever a user is asked to reauthenticate (e.g. because they wish to execute a settings flow touching their credentials and their session is no longer privileged), they are asked to provide their credentials again. The forced-refresh login flow generated for such cases already excludes some strategies that are enabled in Kratos but cannot be used to authenticate as the current identity; for example, the form presented to the user will not have a password field if the identity does not have a password credential.
  This, however, does not currently apply to OIDC providers: the user will always see the full set even if some of them can't be used to sign in as the current identity. This change causes forced-refresh login flows to also omit irrelevant OIDC providers from the generated form, in order to avoid confounding the user about which strategies/providers are valid and can actually be used to reauthenticate.
- On verification required after registration, preserve return_to (#3589) (6a0a914):
  - fix: on verification required after registration, preserve return_to
  - test: return_to on verification flow
  - chore: refactor
- Redirect to verification URL even if login_challenge is set (#3412) (cd9e6a0)
- Reduce db lookups in whoami for aal check (#3372) (d814a48):
  Significantly improves performance by reducing the number of queries we need to do when checking for the different AAL levels.
- Registration code ui nodes group (#3505) (6220184):
  - fix: registration code ui nodes group
  - style: format
- Registration should accept hydra login (#3592) (7a47827):
  - fix: registration should accept hydra login
  - fix: oauth2 registration flow with session
  - wip: registration oauth flow tests
  - wip: refactor oauth flows test
  - wip: refactor op_registration_test
  - wip: oauth provider registration test
  - wip: refactor oauth flows test
  - fix(test): oauth provider login
  - style: format
- Reject obviously invalid email addresses from courier (8cb9e4c)
- Remove `earliest_possible_extend` default in schema (#3464) (7e05b7d)
- Remove slow queries from update identities (#3553) (d138abb)
- Respond with 422 when SPA identity requires AAL2 (#3572) (df18c09):
  If you submit a browser login flow with an `Accept` header of `application/json`, but the login flow requires AAL2, then there is no way for the code to know it needs to redirect the user to the 2FA page. Instead of responding with the `Session` in this scenario, this PR changes the behaviour to respond with a `browser_location_change_required` error (status `422`) to indicate that the browser needs to open a specific URL, `/self-service/login/browser?aal=aal2`.
- Return 400 bad request for invalid login challenge (#3404) (ca34e9b)
- Return HTTP 400 if key unmarshal fails (#3594) (fdf4956):
  - fix: return HTTP 400 if key unmarshal fails
  - fix: apply reviewer's suggestion, prepare for bump
  - fix: follow up reviewer suggestion from ory/x
  - chore: bump ory/x
- Specify correct minimum versions in migratest (18b89ea)
- Tracing context passing in /sessions/whoami (1254bf5)
- Tracing improvements (c804cb2)
- Type-assert all interfaces that WebHook implements (ffda1a0)
- Ui node input attributes key added (#3561) (9eff0f3):
  - fix: ui node InputAttributes.Key added
  - fix: selfservice recovery flow add React unique key and numeric pattern
  - fix: remove React related key addition
  - test: update snapshot
- Use ID label on login with multiple identifiers (#3657) (be907db)
- Use org ID from session if available in login flow (#3545) (1b3647c)
Code Generation
- Pin v1.1.0 release commit (f47675b)
Documentation
- Add example for `allowed_return_urls` to include wildcard url (#3533) (39b0c3c), closes #1528
Features
- Add ability to convert session to JWT when calling whoami (#3472) (57b7bb8), closes #2487:
  This patch adds a query parameter `tokenize_as` to `/sessions/whoami` which encodes the session to a JWT. It is possible to customize the JWT claims by using a Jsonnet template, and furthermore to change the expiry of the token. The tokenize feature supports multiple templates, which makes it easy to use the resulting JWT in a variety of use cases.
- Add GetID member functions to RecoveryAddress and Credentials (#3474) (085d500)
- Add ID Token sign in with Google Android/iOS SDK (#3515) (055ed92)
- Add OpenTelemetry span for password hash comparison (#3383) (e3fcf0c)
- Add request URL to email and SMS templates (bf5f8c3)
- Add WebhookSucceeded event (aa8c936)
- Added various new text messages (ea91483):
  To improve i18n and message customization, we added a bunch of new messages. Integrations that do message customization should probably handle these new message codes:
  - 1010014
  - 1010015
  - 1040005
  - 1040006
  - 1070012
  - 1070013
  - 4000028
  - 4000029
  - 4000030
  - 4000031
  - 4000032
  - 4000033
  - 4000034
  - 4000035
  - 4000036
  - 4010007
  - 4010008
  - 4040002
  - 4040003
  Additionally, these messages got more context:
  - 1050014
  - 1050018
  - 1070002
  - 4000001
  - 4000003
  - 4000004
  - 4000017
  - 4000018
  - 4000019
  - 4000020
  - 4000021
  - 4000022
  - 4000023
  - 4000024
  - 4000025
  - 4000026
  - 4010001
  - 4040001
  - 4050001
  - 4060005
  - 4070005
  - 5000001
- Allow extra migrations in NewPersister (96c1ff7)
- Allow fuzzy-search on credential identifiers (#3526) (2cb3ea2):
  This PR adds the ability to search for sub-strings and similar strings in credential identifiers.
  Note that the postgres and CRDB migrations create special indexes useful for this feature. To use online schema changes with cockroach, we recommend manually copying the index definition and running it before applying migrations. The migration will then be a no-op.
  If you run on mysql (or sqlite), no special index is created. If desired, you can create such an index manually, and it would be highly appreciated if you could contribute its definition.
  This feature is a preview and will change in behavior! Similarity search is not expected to return deterministic results, but it is useful for humans.
- Allow importing hmac hashed passwords (#3544) (0a0e1f7), closes #2422:
  The basic format is `$hmac-<hashfunction>$<base64 encoded hash>$<base64 encoded key>`. For example, with password = test, key = key and hash function = sha1: `$hmac-sha1$NjcxZjU0Y2UwYzU0MGY3OGZmZTFlMjZkY2Y5YzJhMDQ3YWVhNGZkYQ==$a2V5`
- Allow marking OIDC provider-verified addresses as verified during registration (#3448) (e7b33a1), closes #3445 #3424 #1057:
  This feature allows marking emails provided by social sign-in providers as verified.
- Batch list identities (#3598) (8ad54f1), closes #2448:
  This change allows filtering `GET /admin/identities` by ID with the following syntax: `/admin/identities?ids=id1&ids=id2&ids=id3`
- changelog: Add support for native recovery (#3624) (492808c):
  Adds the ability to complete the recovery flow properly on API flows. This PR also streamlines the behavior for SPA flows to not return 422 errors anymore. To enable this new behavior, set the `features.use_continue_with_transitions` flag in the config to `true`.
- Claims from userinfo endpoint (#3718) (90bdc61):
  - feat: claims from userinfo endpoint
  - chore: update libraries
  - test: improve coverage
- Emit error details when we find stray cookies in an API flow (#3496) (df74339)
- Eventually consistency API controls (#3558) (00cf11c):
  Adds a feature used in Ory Network which enables trading faster reads for slightly stale data.
  This feature depends on Cockroach functionality and configuration, and is not possible for MySQL or PostgreSQL.
- Extend Microsoft Graph API capabilities (#3609) (4a7bcc9):
  This change queries for all user information available with the `User.Read` scope during OIDC, and populates the `RawClaims` field.
- Extract identifier label for login from default identity schema (#3645) (180828e)
- Fine-grained hooks for all available flow methods (#3519) (a37f6bd):
  Adds fine-grained hook configurations to the post-settings flow for the methods totp, webauthn and lookup_secret, and to the post-login flow for totp, lookup_secret and code.
- Hook to revoke sessions after password changed (#3514) (e6af6db), closes #3513:
  Currently, the Kratos system does not automatically log out or invalidate other active sessions when a user changes their password. This poses a significant security risk as it allows potentially unauthorized individuals to maintain access to the account even after the password has been updated.
  This PR provides the option to add the `revoke_active_sessions` hook to the actions section of the selfservice settings.
- Improve performance by computing password hashes while validating (#3508) (a9786c5)
- Jsonnet caching for OIDC claims mapper, webhooks, JWT session tokenizer (#3701) (1d26e09)
- Link oidc credentials when login (#3563) (b784949), closes #2727 #3222:
  When a user tries to log in with OIDC for the first time but has already registered before with email/password, a credentials identifier conflict may be detected by Kratos. In this case the user needs to log in with email/password first and then link OIDC credentials on a settings screen. This PR simplifies the UX and allows the user to link OIDC credentials to the existing account right in the login flow, without switching to the settings flow.
- Login with code on any credential type (#3549) (ceed7d5):
  Users should be able to log in with the `code` credential even if they did not register with the `code` credential. Only `identifier` matching is done, together with validation based on the identity schema.
- Parametrize courier worker (#3601) (0e4be57):
  Allows one to parametrize how many messages the courier will fetch and how often it will fetch messages.
- Passwordless browser login and registration via code to email (#3378) (eaaf375), closes #2029 ory-corp/cloud#3573:
  This feature adds passwordless email code login. When a user signs up or signs in, a code is sent to their email address which they can use to complete the authentication process.
  This feature is currently only working for browser-facing APIs.
- Pooled process-isolated Jsonnet VM (9a52ddf)
- Provide login hints when registration fails due to duplicate credentials/addresses (#3430) (8b28469):
  - feat: provide login hints when registration fails due to duplicate credentials or identifiers
  - feat: identify edge cases and write tests
  - chore: synchronize workspaces
  - feat: make login hints configurable
  - chore: synchronize workspaces
  - chore: synchronize workspaces
  - chore: synchronize workspaces
  - chore: synchronize workspaces
- Support auth_type parameter (#3487) (fc30304):
  The Facebook OIDC provider supports an `auth_type` parameter that, when set to "reauthenticate", will force the user to reauthenticate (similar to `prompt=login` for other providers).
- Support multiple origins for WebAuthN (#3380) (013f335):
  Users can now supply a list of origins for webauthn in the configuration.
- Support native social sign using apple sdk (#3476) (f561013)
- Transmit current session ID to Hydra when accepting the login (#3426) (610c76d):
  - chore: change react-native port to 19006
  - feat: transmit current session ID when accepting login
  - fix: upgrade hydra in tests
- Webhook analytic events (9c8a25e)
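The session-to-JWT feature listed above (#3472, `tokenize_as` on `/sessions/whoami`) hands a bearer token to other services, so the part worth getting right on the receiving side is verification. The following Go program is an added example written for these notes, not Kratos's own code: `signES256` exists only to produce a sample token offline and stands in for what the whoami call would return, and `verifyES256` is the resource-server check that pins the algorithm, verifies the signature against the issuer's public key, and only then checks `iss` and `exp`. The issuer URL, the choice of ES256, and the claim names are assumptions made for the example; in a deployment the public key is the one belonging to the signing key configured for the tokenize template, and the claims are whatever the operator's Jsonnet template emits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// sessionClaims is the claim set this example relies on (assumed); the real
// claims are whatever the operator's Jsonnet template for tokenize_as emits.
type sessionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signES256 only exists to build a sample token offline; it stands in for the
// token GET /sessions/whoami?tokenize_as=<template> would return.
func signES256(priv *ecdsa.PrivateKey, c sessionClaims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64url([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is R||S, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}

// verifyES256 is the receiving service's check: pin the algorithm, verify the
// signature with the issuer's public key, then check issuer and expiry.
func verifyES256(token string, pub *ecdsa.PublicKey, wantIss string, now time.Time) (*sessionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(rawHeader, &header); err != nil {
		return nil, err
	}
	if header.Alg != "ES256" { // the token never gets to choose the algorithm
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed ES256 signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature does not verify")
	}
	rawPayload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims sessionClaims
	if err := json.Unmarshal(rawPayload, &claims); err != nil {
		return nil, err
	}
	if claims.Iss != wantIss {
		return nil, fmt.Errorf("unexpected issuer %q", claims.Iss)
	}
	if claims.Exp == 0 || !now.Before(time.Unix(claims.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &claims, nil
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for the server's signing key
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := signES256(key, sessionClaims{Iss: "https://kratos.example", Sub: "identity-id", Iat: now.Unix(), Exp: now.Add(time.Minute).Unix()})
	fmt.Println(verifyES256(tok, &key.PublicKey, "https://kratos.example", now))
}
```

The order inside `verifyES256` is deliberate: the signature is checked before the payload is even decoded, so nothing in an unverified token influences the decision, and a token with a missing `exp` is rejected rather than treated as non-expiring.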
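For the `$hmac-<hashfunction>$<base64 encoded hash>$<base64 encoded key>` import format listed above (#3544), here is an added Go example written for these notes, not code from Kratos: it parses an entry, builds one from a legacy HMAC-protected password, and verifies a candidate password against it in constant time. Decoding the sample from the notes shows that its hash field is the hex-encoded MAC wrapped in base64, and the example assumes that convention for every entry; the key and password it constructs are made up. The parser also makes visible why such entries deserve a short life: whoever holds the import file holds the HMAC key, which argues for moving imported accounts onto the configured password hasher rather than keeping these entries around.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"hash"
	"strings"
)

// hmacHash is a parsed $hmac-<hashfunction>$<base64 hash>$<base64 key> entry.
type hmacHash struct {
	Function string // e.g. "sha1" or "sha256"
	Hash     []byte // decoded hash field; per the sample on the page this is the hex-encoded MAC (assumed for all entries)
	Key      []byte // decoded HMAC key
}

// hashFuncs lists the dig ests this example accepts. sha1 is here only because
// legacy systems produced it; it is not a choice for anything new.
var hashFuncs = map[string]func() hash.Hash{
	"sha1":   sha1.New,
	"sha256": sha256.New,
	"sha512": sha512.New,
}

// parseHMACHash splits and decodes an entry in the import format.
func parseHMACHash(s string) (*hmacHash, error) {
	parts := strings.Split(s, "$") // the leading "$" yields ["", "hmac-<fn>", hash, key]
	if len(parts) != 4 || parts[0] != "" || !strings.HasPrefix(parts[1], "hmac-") {
		return nil, errors.New("not a $hmac-<hashfunction>$<hash>$<key> entry")
	}
	fn := strings.TrimPrefix(parts[1], "hmac-")
	if _, ok := hashFuncs[fn]; !ok {
		return nil, fmt.Errorf("unsupported hash function %q", fn)
	}
	h, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("hash field: %w", err)
	}
	k, err := base64.StdEncoding.DecodeString(parts[3])
	if err != nil {
		return nil, fmt.Errorf("key field: %w", err)
	}
	if len(k) == 0 {
		return nil, errors.New("empty HMAC key")
	}
	return &hmacHash{Function: fn, Hash: h, Key: k}, nil
}

// macHex computes the MAC and hex-encodes it, the representation the hash field carries.
func macHex(function string, key, password []byte) []byte {
	mac := hmac.New(hashFuncs[function], key)
	mac.Write(password)
	return []byte(hex.EncodeToString(mac.Sum(nil)))
}

// encodeHMACHash builds an import entry for a password whose legacy MAC was
// computed with the given function and key.
func encodeHMACHash(function string, key, password []byte) (string, error) {
	if _, ok := hashFuncs[function]; !ok {
		return "", fmt.Errorf("unsupported hash function %q", function)
	}
	return "$hmac-" + function + "$" + base64.StdEncoding.EncodeToString(macHex(function, key, password)) +
		"$" + base64.StdEncoding.EncodeToString(key), nil
}

// verifyHMACPassword recomputes the MAC for a candidate password and compares
// it in constant time against the stored one.
func verifyHMACPassword(entry string, password []byte) (bool, error) {
	p, err := parseHMACHash(entry)
	if err != nil {
		return false, err
	}
	return hmac.Equal(macHex(p.Function, p.Key, password), p.Hash), nil
}

func main() {
	// Constructed legacy credential: key and password are made up for this example.
	entry, _ := encodeHMACHash("sha256", []byte("legacy-hmac-key"), []byte("correct horse"))
	fmt.Println(entry)
	fmt.Println(verifyHMACPassword(entry, []byte("correct horse")))
	// The sample from the release notes (password "test", key "key") parses the same way.
	if p, err := parseHMACHash("$hmac-sha1$NjcxZjU0Y2UwYzU0MGY3OGZmZTFlMjZkY2Y5YzJhMDQ3YWVhNGZkYQ==$a2V5"); err == nil {
		fmt.Println(p.Function, string(p.Key), string(p.Hash))
	}
}
```

`hmac.Equal` rather than `bytes.Equal` is the one line that matters for the comparison: a length- or prefix-dependent compare would leak how much of the MAC a guess got right.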
Reverts
- Revert "chore: simplify courier code (#3603)" (7c54c9f), closes #3603:
  This reverts commit 316cd4aacfe31efafa7d737a7c476e2c794e9c9b.
Tests
- Add test for link + oidc challenge (#3720) (67360cf)
- e2e: Logout return_to (#3418) (c348c12)
- Fix cypress setup (#3527) (70c8ddd)
- Fix e2e failures and speed up e2e tests (#3483) (70a6171)
- Fix hydra tests on master (#3737) (12166b4)
- Reduce logging in go tests (#3562) (05de3a2)
- Resolve cypress issues (#3531) (4206d26)
Unclassified
- Revert "feat: extend Microsoft Graph API capabilities (#3609)" (#3717) (549308d), closes #3609 #3717:
  This reverts commit 4a7bcc9322be37e6fd141e411bd65e3977eeb692.
Changelog
- 7c54c9f36 Revert "chore: simplify courier code (#3603)"
- 549308db1 Revert "feat: extend Microsoft Graph API capabilities (#3609)" (#3717)
- 8cc83bc75 Revert "fix: re-add exported symbols (#3611)"
- e0327b00a autogen(docs): generate and bump docs
- 7c0e02efd autogen(docs): regenerate and update changelog
- 32299d5eb autogen(docs): regenerate and update changelog
- 046aa9bd2 autogen(docs): regenerate and update changelog
- 8a0e4969a autogen(docs): regenerate and update changelog
- dbb3a7ed3 autogen(docs): regenerate and update changelog
- 043114bb7 autogen(docs): regenerate and update changelog
- 0d37eb356 autogen(docs): regenerate and update changelog
- af5583456 autogen(docs): regenerate and update changelog
- e9ed14fdb autogen(docs): regenerate and update changelog
- 34751a1a3 autogen(docs): regenerate and update changelog
- 3d6927ced autogen(docs): regenerate and update changelog
- 6b91dc14c autogen(docs): regenerate and update changelog
- 5fc88baef autogen(docs): regenerate and update changelog
- 35a820bdf autogen(docs): regenerate and update changelog
- 461ad5297 autogen(docs): regenerate and update changelog
- 4be520532 autogen(docs): regenerate and update changelog
- 32d8306e8 autogen(docs): regenerate and update changelog
- fc057a8be autogen(docs): regenerate and update changelog
- 04bca63dc autogen(docs): regenerate and update changelog
- 13de64daf autogen(docs): regenerate and update changelog
- 8384f1033 autogen(docs): regenerate and update changelog
- 566d1ca0e autogen(docs): regenerate and update changelog
- 988be61f8 autogen(docs): regenerate and update changelog
- 048af1d0e autogen(docs): regenerate and update changelog
- 53080b0bd autogen(docs): regenerate and update changelog
- 89928c810 autogen(docs): regenerate and update changelog
- 4f8ea02ce autogen(docs): regenerate and update changelog
- 0e45e8763 autogen(docs): regenerate and update changelog
- 4b7fd0d68 autogen(docs): regenerate and update changelog
- f1493c8c0 autogen(docs): regenerate and update changelog
- dd5a9f38c autogen(docs): regenerate and update changelog
- ce6b11abe autogen(docs): regenerate and update changelog
- 4eaf6c8d7 autogen(docs): regenerate and update changelog
- 60e9a363c autogen(docs): regenerate and update changelog
- 7b633794a autogen(docs): regenerate and update changelog
- 96dba50d0 autogen(docs): regenerate and update changelog
- afed81d6e autogen(docs): regenerate and update changelog
- 1792dc6ab autogen(docs): regenerate and update changelog
- 7939bd34b autogen(docs): regenerate and update changelog
- aa123f7fb autogen(docs): regenerate and update changelog
- f633959db autogen(docs): regenerate and update changelog
- a0f2420ae autogen(docs): regenerate and update changelog
- 03d3f478c autogen(docs): regenerate and update changelog
- 159c13142 autogen(docs): regenerate and update changelog
- 3735f1cd7 autogen(docs): regenerate and update changelog
- 57e219583 autogen(docs): regenerate and update changelog
- 55560a1ee autogen(docs): regenerate and update changelog
- 6fe86577a autogen(docs): regenerate and update changelog
- f303c1db9 autogen(docs): regenerate and update changelog
- 4ce179a8c autogen(docs): regenerate and update changelog
- aa0c36c97 autogen(docs): regenerate and update changelog
- 985474c60 autogen(docs): regenerate and update changelog
- c251cb257 autogen(docs): regenerate and update changelog
- 9f5982bf5 autogen(docs): regenerate and update changelog
- bafc47d09 autogen(docs): regenerate and update changelog
- 699e5d59a autogen(docs): regenerate and update changelog
- 69b43b79f autogen(docs): regenerate and update changelog
- dffcdef69 autogen(docs): regenerate and update changelog
- d21e16799 autogen(docs): regenerate and update changelog
- 3b75f3700 autogen(docs): regenerate and update changelog
- 0c5ea9bf7 autogen(docs): regenerate and update changelog
- ec85751bb autogen(docs): regenerate and update changelog
- 06c27f461 autogen(docs): regenerate and update changelog
- 44f1e70cb autogen(docs): regenerate and update changelog
- 386070561 autogen(docs): regenerate and update changelog
- ed0860680 autogen(docs): regenerate and update changelog
- 3df0d7788 autogen(docs): regenerate and update changelog
- 58bd38fc4 autogen(docs): regenerate and update changelog
- af7d1afc9 autogen(docs): regenerate and update changelog
- 8150bdb04 autogen(docs): regenerate and update changelog
- 8a261367d autogen(docs): regenerate and update changelog
- 0827ae5b9 autogen(docs): regenerate and update changelog
- 52c7d3b5d autogen(docs): regenerate and update changelog
- 72bdedacc autogen(docs): regenerate and update changelog
- bbf874fd7 autogen(docs): regenerate and update changelog
- 2f5ba1f3f autogen(docs): regenerate and update changelog
- 33fc9306a autogen(docs): regenerate and update changelog
- ecd557f93 autogen(docs): regenerate and update changelog
- cfa30744c autogen(docs): regenerate and update changelog
- 5a192f263 autogen(docs): regenerate and update changelog
- 139a11c99 autogen(docs): regenerate and update changelog
- 1a098b728 autogen(docs): regenerate and update changelog
- 2474864f4 autogen(docs): regenerate and update changelog
- 4364ba0d3 autogen(docs): regenerate and update changelog
- f6fde34c1 autogen(docs): regenerate and update changelog
- 318ea2ca1 autogen(docs): regenerate and update changelog
- 5c17c38ea autogen(docs): regenerate and update changelog
- e81e892b0 autogen(docs): regenerate and update changelog
- 80402beb1 autogen(docs): regenerate and update changelog
- 6e565d1c0 autogen(openapi): regenerate swagger spec and internal client
- c09e30c64 autogen(openapi): regenerate swagger spec and internal client
- 56821272a autogen(openapi): regenerate swagger spec and internal client
- 31f1a096c autogen(openapi): regenerate swagger spec and internal client
- 0ac757867 autogen(openapi): regenerate swagger spec and internal client
- c85d95f53 autogen(openapi): regenerate swagger spec and internal client
- ee0af6c16 autogen(openapi): regenerate swagger spec and internal client
- 9f80425a8 autogen(openapi): regenerate swagger spec and internal client
- b1dc89570 autogen(openapi): regenerate swagger spec and internal client
- ade1a5a54 autogen(openapi): regenerate swagger spec and internal client
- deeb165d8 autogen(openapi): regenerate swagger spec and internal client
- efea4a4a1 autogen(openapi): regenerate swagger spec and internal client
- 0b8ae74ee autogen(openapi): regenerate swagger spec and internal client
- 793a368cd autogen(openapi): regenerate swagger spec and internal client
- f12f622a3 autogen(openapi): regenerate swagger spec and internal client
- 28826f5df autogen(openapi): regenerate swagger spec and internal client
- 86ad5e1c3 autogen: add v1.0.0 to version.schema.json
- f47675b82 autogen: pin v1.1.0 release commit
- 1c3eeb71d autogen: pin v1.1.0-pre.0 release commit
- 6cf7fc5ec chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 (#3634)
- f082f16e5 chore(deps): bump github.com/lestrrat-go/jwx from 1.2.26 to 1.2.28 (#3710)
- ec42f2f60 chore(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0 (#3666)
- 525554d30 chore(deps): bump golang.org/x/net from 0.14.0 to 0.17.0 (#3573)
- ea1f72195 chore(deps): bump semver from 5.7.1 to 5.7.2 in /test/e2e/proxy (#3377)
- f323b3d77 chore: add hperl as codeowner (#3433)
- f7c6767de chore: add missing tracing in manager_cookie.go (#3615)
- 8bb0d1d24 chore: add more tracing around webhooks (#3441)
- e8b92c18b chore: add more tracing to post-flow hooks (#3566)
- 47d5eb146 chore: allow node 18 (#3492)
- 21ab03149 chore: bump openapi-generator (#3686)
- 31faa2b6c chore: bump to Go 1.21
- a639e562f chore: fix email address in courier log line (#3585)
- 843a2150c chore: fix github.com/bxcodec/faker/v3 is deprecated (#3607)
- 7ae1271a1 chore: ignore CVE-2023-4806 (#3532)
- b2b231ee5 chore: improve tracing on recovery and verification (#3586)
- e1fb8bfe0 chore: move test helpers from package x to package testhelpers
- fe4ac43cd chore: pretty print allowed redirect URLs in error (#3660)
- bb2527668 chore: remove comment (#3442)
- 316cd4aac chore: simplify courier code (#3603)
- 0ec3a9afd chore: synchronize workspaces
- 0941bdb7e chore: unify and improve message context (#3462)
- dda19e83e chore: update Dockerfile-alpine (#3453)
- e3bfa1099 chore: update Ory Hydra SDK (#3729)
- 30ba71e9a chore: update docker base images (#3521)
- ae8cbdc27 chore: update opentelemetry (#3672)
- c74905291 chore: update repository templates to https://github.com/ory/meta/commit/ac80097fa427e7ae39820c59cac62dc6e11b9aff
- 3a07af4d4 chore: update repository templates to https://github.com/ory/meta/commit/af28aff50b62a9eeb69de4842e0e164f82c9e066
- 1d43d2227 chore: upgrade github.com/opencontainers/runc to v1.1.12 (#3732)
- 44aa74fe3 chore: upgrade ory/x to v0.0.589 (#3509)
- 3ddff7895 chore: use hosted httpbin in e2e tests (#3422)
- 39b0c3c03 docs: add example for `allowed_return_urls` to include wildcard url (#3533)
- 4b881cae4 docs: improve enum handling and completeness (#3714)
- d4d26e6e1 docs: remove experimental warnings (#3406)
- 8ca3adcb8 docs: update link to hashed password formats (#3484)
- 492808cae feat(changelog): add support for native recovery (#3624)
- 085d5002d feat: add GetID member functions to RecoveryAddress and Credentials (#3474)
- 055ed9226 feat: add ID Token sign in with Google Android/iOS SDK (#3515)
- e3fcf0c31 feat: add OpenTelemetry span for password hash comparison (#3383)
- aa8c93677 feat: add WebhookSucceeded event
- 57b7bb846 feat: add ability to convert session to JWT when calling whoami (#3472)
- 75031e67b feat: add event (#3524)
- bf5f8c3cf feat: add request URL to email and SMS templates
- e3a3c4fe0 feat: add sms verification for phone numbers (#3649)
- e36388973 feat: add support for recovery on native flows (#3273)
- ea914834e feat: added various new text messages
- 0fa648d9f feat: allow additional id token audiences (#3616)
- 96c1ff774 feat: allow extra migrations in NewPersister
- 2cb3ea2ea feat: allow fuzzy-search on credential identifiers (#3526)
- 0a0e1f720 feat: allow importing hmac hashed passwords (#3544)
- e7b33a168 feat: allow marking OIDC provider-verified addresses as verified during registration (#3448)
- 8ad54f1be feat: batch list identities (#3598)
- 90bdc61d2 feat: claims from userinfo endpoint (#3718)
- df7433980 feat: emit error details when we find stray cookies in an API flow (#3496)
- 00cf11c07 feat: eventually consistency API controls (#3558)
- 4a7bcc932 feat: extend Microsoft Graph API capabilities (#3609)
- 180828eb5 feat: extract identifier label for login from default identity schema (#3645)
- a37f6bddc feat: fine-grained hooks for all available flow methods (#3519)
- e6af6db37 feat: hook to revoke sessions after password changed (#3514)
- 157d9345a feat: hot-reload CORS origins (#3423)
- 37f16577d feat: improve messages for easier i18n (#3457)
- a9786c599 feat: improve performance by computing password hashes while validating (#3508)
- 9d7021d87 feat: improved webhook tracing (#3746)
- 1d26e097b feat: jsonnet caching for OIDC claims mapper, webhooks, JWT session tokenizer (#3701)
- b784949d0 feat: link oidc credentials when login (#3563)
- bff9c61b1 feat: list by OIDC cred (#3721)
- ceed7d547 feat: login with code on any credential type (#3549)
- 9b0fee30f feat: one-time code native flows (#3516)
- 688111c9a feat: order sessions by created_at (#3696)
- 0e4be57e4 feat: parametrize courier worker (#3601)
- eaaf37519 feat: passwordless browser login and registration via code to email (#3378)
- 9a52ddfbe feat: pooled process-isolated Jsonnet VM
- 8b284697e feat: provide login hints when registration fails due to duplicate credentials/addresses (#3430)
- 1516cf64e feat: support MFA via SMS (#3682)
- fc303040b feat: support auth_type parameter (#3487)
- 0ec037ab2 feat: support for B2B SSO (#3489)
- 013f33588 feat: support multiple origins for WebAuthN (#3380)
- f561013dd feat: support native social sign using apple sdk (#3476)
- 610c76d91 feat: transmit current session ID to Hydra when accepting the login (#3426)
- 9c8a25eb0 feat: webhook analytic events
- b299abcfa fix: `oidc` does not require a method in the payload (#3564)
- 88237e25b fix: accept all 200 responses as OK in courier (#3401)
- 6b02350c2 fix: accept login_challenge after verification (#3427)
- 1da818072 fix: add caching to Jsonnet snippet during session JWT tokenization (#3699)
- fd7995077 fix: add consistency flag (#3733)
- c5b4aaa2d fix: add max-age to default cors headers (#3584)
- 09bcb71f1 fix: add missing tracing & attributes in oidc strategy (#3429)
- 757a5e432 fix: add return_to parameter to API spec of createRecoveryLinkForIdentity (#3711)
- 95dc7a20f fix: add value code to authentication method enum (#3546)
- 9396bb0b5 fix: additional_id_token_audiences key in config schema (#3622)
- 976cd0dc3 fix: adjust tracing verbosity
- 6c1d2f1e4 fix: allow post recovery hooks to interrupt the flow (#3393)
- 22f61f015 fix: allow updating admin metadata from webhook responses (#3569)
- fb229c982 fix: always return relative URLs in the Link header for pagination
- 569b14aba fix: auto migrate old accounts to use code credential (#3581)
- 76241bee3 fix: carry `oauth2_login_challenge` over to registration flow (#3419)
- e16fed1f8 fix: change ListIdentities to keyset pagination
- 1343bbbfa fix: change shebangs and makefile from /bin/bash to /usr/bin/env bash (#3597)
- a2f79c31f fix: check whoami aal before accepting hydra login request (#3669)
- 7aa2e2931 fix: code method on registration and 2fa (#3481)
- 3e3c78967 fix: consider OIDC registration flows errored with duplicate credential to be completed by strategy (#3525)
- e4908dbe4 fix: csrf token regenerate on browser flows (#3706)
- ab6dc3121 fix: data race in test
- 57a327305 fix: do not encode full config in multiple places (#3500)
- d93570d33 fix: do not generate CSRF token for api flows (#3704)
- ff177db8a fix: do not initialize parts of the registry in parallel (#3534)
- 6c7068cf4 fix: don't list org SSOs in settings (#3637)
- 40ed809db fix: don't require code credential for MFA flows (#3753)
- e08f831c2 fix: don't require session for OIDC verification (#3443)
- 142994932 fix: don't return 500 on conflict for POST /admin/identities (#3437)
- df8ec2b9b fix: don't return nil if code is invalid (#3662)
- 83bfb2d2a fix: error handling on identity import (#3520)
- ce8139f23 fix: false-positives for requiring re-authentication on update (#3421)
- 84149c4b4 fix: http courier using should use lower case json (#3740)
- 1e8b1aeb4 fix: identity list pagination in CLI command and SDK (#3482)
- 309c50694 fix: ignore CSRF middleware on Apple OIDC callback
- f124ab558 fix: ignore more cloudflare cookies (#3499)
- 6d08576bb fix: improved SSRF protection (#3629)
- ee138ec4e fix: incorrect SMTP error handling (#3636)
- b5dede329 fix: incorrect login accept challenge (#3658)
- ed996c0d2 fix: incorrect sdk generator path (#3488)
- 2c1470ab3 fix: incorrect swagger spec for filter parameter (#3684)
- 200b4138a fix: increase connection-level timeouts and shutdown timeouts (#3570)
- a28b52323 fix: issue session after verification after registration with OIDC SSO (#3467)
- e8740c349 fix: lint
- e2ac9ff4e fix: lower-case recovery & verification emails on import (#3571)
- 7ae02ba69 fix: mark identity as optional in session struct (#3463)
- 912dccdf0 fix: omit irrelevant OIDC providers in forced refresh login flows (#3608)
- 6a0a9149b fix: on verification required after registration, preserve return_to (#3589)
- c25ddffd2 fix: panic in recovery (#3639)
- c492bdcd0 fix: pass context (#3452)
- 703b91092 fix: properly normalize OIDC verified emails (#3450)
- 52639e695 fix: re-add exported symbols (#3611)
- cd9e6a0e1 fix: redirect to verification URL even if login_challenge is set (#3412)
- d814a4864 fix: reduce db lookups in whoami for aal check (#3372)
- 622018459 fix: registration code ui nodes group (#3505)
- 7a47827cf fix: registration should accept hydra login (#3592)
- 77c3196fd fix: registration with verification (#3451)
- 8cb9e4cae fix: reject obviously invalid email addresses from courier
- 7e05b7db3 fix: remove `earliest_possible_extend` default in schema (#3464)
- dfcbe226b fix: remove duplicate message ID usage (#3468)
- 59a3f1469 fix: remove requirement for smtp section (#3405)
- d138abb62 fix: remove slow queries from update identities (#3553)
- eb8d1b9ab fix: rename "phone" courier channel to "sms" (#3680)
- 9c608b991 fix: respect gomail.SendError in mail queue (#3600)
- df18c09e0 fix: respond with 422 when SPA identity requires AAL2 (#3572)
- ca34e9b74 fix: return 400 bad request for invalid login challenge (#3404)
- fdf4956d9 fix: return HTTP 400 if key unmarshal fails (#3594)
- bee0341c5 fix: schema test errors (#3528)
- 241a911af fix: set iss from userinfo claims if missing (#3744)
- 18b89ea58 fix: specify correct minimum versions in migratest
- 1254bf5a3 fix: tracing context passing in /sessions/whoami
- c804cb2be fix: tracing improvements
- ffda1a0da fix: type-assert all interfaces that WebHook implements
- 9eff0f3a6 fix: ui node input attributes key added (#3561)
- be907dbbd fix: use ID label on login with multiple identifiers (#3657)
- 1b3647c2a fix: use org ID from session if available in login flow (#3545)
- fa5ec93e8 fix: use provider label in link message (#3661)
- 3a5772699 fix: use registry client for schema loading (#3471)
- df80377f5 fix: using first name as last name (#3556)
- 4c34c2417 fix: wrong continue_with enum declaration (#3522)
- c348c12ab test(e2e): logout return_to (#3418)
- 67360cf39 test: add test for link + oidc challenge (#3720)
- 70c8ddd49 test: fix cypress setup (#3527)
- 70a617194 test: fix e2e failures and speed up e2e tests (#3483)
- 12166b437 test: fix hydra tests on master (#3737)
- 05de3a29f test: reduce logging in go tests (#3562)
- 4206d2605 test: resolve cypress issues (#3531)
Artifacts can be verified with cosign using the Ory Kratos release signing public key: the signature in checksums.txt.sig covers checksums.txt, and the SHA-256 entries in checksums.txt cover each archive below.
1. checksums.txt (2.85KB)
2. checksums.txt.sig (96B)
3. kratos_1.1.0-linux_32bit.tar.gz (13.51MB)
4. kratos_1.1.0-linux_64bit.tar.gz (14.32MB)
5. kratos_1.1.0-linux_arm64.tar.gz (13.28MB)
6. kratos_1.1.0-linux_armv6.tar.gz (13.58MB)
7. kratos_1.1.0-linux_armv7.tar.gz (13.56MB)
8. kratos_1.1.0-linux_sqlite_64bit.tar.gz (15MB)
9. kratos_1.1.0-linux_sqlite_arm64.tar.gz (13.95MB)
10. kratos_1.1.0-linux_sqlite_armv6.tar.gz (14.21MB)
11. kratos_1.1.0-linux_sqlite_armv7.tar.gz (14.2MB)
12. kratos_1.1.0-linux_sqlite_libmusl_64bit.tar.gz (14.99MB)
13. kratos_1.1.0-linux_sqlite_libmusl_arm64.tar.gz (13.95MB)
14. kratos_1.1.0-linux_sqlite_libmusl_armv6.tar.gz (14.22MB)
15. kratos_1.1.0-linux_sqlite_libmusl_armv7.tar.gz (14.2MB)
16. kratos_1.1.0-linux_static-nosqlite_64bit.tar.gz (14.32MB)
17. kratos_1.1.0-linux_static-nosqlite_arm64.tar.gz (13.28MB)
18. kratos_1.1.0-macOS_64bit.tar.gz (14.91MB)
19. kratos_1.1.0-macOS_arm64.tar.gz (14.6MB)
20. kratos_1.1.0-macOS_sqlite_64bit.tar.gz (15.96MB)
21. kratos_1.1.0-macOS_sqlite_all.tar.gz (31.02MB)
22. kratos_1.1.0-macOS_sqlite_arm64.tar.gz (15.23MB)
23. kratos_1.1.0-macOS_static-nosqlite_64bit.tar.gz (14.91MB)
24. kratos_1.1.0-macOS_static-nosqlite_arm64.tar.gz (14.6MB)
25. kratos_1.1.0-windows_32bit.zip (14.08MB)
26. kratos_1.1.0-windows_64bit.zip (14.68MB)
27. kratos_1.1.0-windows_arm64.zip (13.41MB)
28. kratos_1.1.0-windows_armv6.zip (13.85MB)
29. kratos_1.1.0-windows_armv7.zip (13.83MB)
30. kratos_1.1.0-windows_sqlite_64bit.zip (15.35MB)
31. kratos_1.1.0_darwin_amd64_v1.bom.json (222.7KB)
32. kratos_1.1.0_darwin_arm64.bom.json (222.7KB)
33. kratos_1.1.0_linux_amd64_v1.bom.json (222.7KB)
34. kratos_1.1.0_linux_arm64.bom.json (222.7KB)
35. kratos_1.1.0_sqlite_darwin_amd64_v1.bom.json (222.7KB)
36. kratos_1.1.0_sqlite_darwin_arm64.bom.json (222.7KB)
37. kratos_1.1.0_sqlite_linux_386.bom.json (222.7KB)
38. kratos_1.1.0_sqlite_linux_amd64_v1.bom.json (222.7KB)
39. kratos_1.1.0_sqlite_linux_arm64.bom.json (222.7KB)
40. kratos_1.1.0_sqlite_linux_arm_6.bom.json (222.7KB)
41. kratos_1.1.0_sqlite_linux_arm_7.bom.json (222.7KB)
42. kratos_1.1.0_sqlite_windows_386.bom.json (222.7KB)
43. kratos_1.1.0_sqlite_windows_amd64_v1.bom.json (222.7KB)
44. kratos_1.1.0_sqlite_windows_arm64.bom.json (222.7KB)
45. kratos_1.1.0_sqlite_windows_arm_6.bom.json (222.7KB)
46. kratos_1.1.0_sqlite_windows_arm_7.bom.json (222.7KB)
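The cosign note above describes a two-step chain: the signature authenticates checksums.txt, and checksums.txt authenticates each archive. The script below is an added example of carrying that chain out end to end; it is not part of the Ory Kratos release tooling. It assumes cosign is installed, that the release signing public key has been fetched out of band into a local file (the name cosign.pub is an assumption), and that checksums.txt, checksums.txt.sig and the archive sit in the same directory. The file contents used to exercise the checksum step are constructed for the example.

```shell
#!/usr/bin/env sh
# Added example (not Ory's own tooling): verify a downloaded Kratos release archive.
#   1. cosign verify-blob: the release signing key and checksums.txt.sig prove that
#      checksums.txt is the list the release pipeline signed.
#   2. SHA-256: the signed list proves the archive on disk is the one it lists.
# Trusting checksums.txt without step 1 gives no protection: whoever can swap the
# archive can swap an unsigned checksum file just as easily.

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Step 1. cosign.pub is an assumed local copy of the Ory release signing key.
# Pin it and fetch it separately from the artifacts, never from the same download.
verify_checksums_signature() {
  local pubkey="$1" checksums="$2" sig="$3"
  cosign verify-blob --key "$pubkey" --signature "$sig" "$checksums"
}

# Step 2. Look the archive up by basename in the (already verified) checksum list
# and compare hashes. Exit status: 0 match, 1 mismatch, 2 no entry for the file.
verify_artifact_checksum() {
  local checksums="$1" artifact="$2" name expected actual
  name=$(basename "$artifact")
  # checksums.txt lines have the form "<sha256>  <filename>"
  expected=$(awk -v f="$name" '$2 == f { print $1 }' "$checksums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $checksums" >&2
    return 2
  fi
  actual=$(sha256_of "$artifact")
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
  echo "ok: $name"
}

# Full procedure for one archive. The hash list is not consulted until the
# signature over it has verified, so a failed step 1 stops everything.
verify_release_artifact() {
  local pubkey="$1" artifact="$2" dir
  dir=$(dirname "$artifact")
  verify_checksums_signature "$pubkey" "$dir/checksums.txt" "$dir/checksums.txt.sig" || return 1
  verify_artifact_checksum "$dir/checksums.txt" "$artifact"
}

# Usage, after downloading checksums.txt, checksums.txt.sig and the archive:
#   verify_release_artifact ./cosign.pub ./kratos_1.1.0-linux_64bit.tar.gz
```

An unsigned .bom.json next to the archive is a dependency inventory, not a verification input; verify the archive first, then use the SBOM for the platform you deployed to review the bumped dependencies listed in the changelog (go-jose, golang.org/x/crypto, golang.org/x/net, runc) against your own vulnerability feeds.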