v1.2.0
Release date: 2024-06-05 19:02:56
ory/kratos latest release: v1.2.0 (2024-06-05 19:02:56)
Ory Kratos v1.2 is the most complete, scalable, and secure open-source identity server available. We are thrilled to announce its release!
This release introduces two major features: two-step registration and full PassKey with resident key support.
Passkeys provide a secure and convenient authentication method, eliminating the need for passwords while ensuring strong security. With this release, we have added support for resident keys, enabling offline authentication. Credential discovery allows users to link existing passkeys to their Ory account seamlessly.
Two-step registration improves the user experience by dividing the registration process into two steps. Users first enter their identity traits, and then choose a credential method for authentication, resulting in a streamlined process. This feature is especially useful when enabling multiple authentication strategies, as it eliminates the need to repeat identity traits for each strategy.
The 107 commits since v1.1 include several improvements:
- Webhooks now carry session information if available.
- Transient Payloads are now available across all self-service flows.
- Sign in with Twitter is now available.
- Sign in with LinkedIn now includes an additional v2 provider compatible with LinkedIn's new SSO API.
- Two-Step Registration: An improved registration experience that separates entering profile information from choosing authentication methods.
- User Credentials Meta-Information can now be included on the list endpoint.
- Social Sign-In is now resilient to double-submit issues common with Facebook and Apple mobile login.
- Two-Step Registration Enabled by Default: This is now the default setting. To disable, set `selfservice.flows.registration.enable_legacy_one_step` to `true`.
- Improved account linking and credential discovery during sign-up.
- The `return_to` parameter is now respected in OIDC API flows.
- Adjustments to database indices.
- Enhanced error messages for security violations.
- Improved SDK types.
- The `verification` and `verification_ui` hooks are now available in the login flow.
- Webhooks now contain the correct identity state in the after-verification hook chain.
We are doing this survey to find out how we can support self-hosted Ory users better. We strive to provide you with the best product and service possible and your feedback will help us understand what we're doing well and where we can improve to better meet your needs. We truly value your opinion and thank you in advance for taking the time to share your thoughts with us!
Fill out the survey now!
Breaking Changes
This release enables two-step registration by default. Two-step registration is a significantly improved sign-up flow and is recommended when more than one sign-up method is enabled. To disable two-step registration, set `selfservice.flows.registration.enable_legacy_one_step` to `true`. This value defaults to `false`.
Bug Fixes
- Add login succeeded event to post registration hook (#3739) (b685fa5)
- Add missing indexes and remove unused index (6d7372e)
- Add missing indexes and remove unused index (#3756) (c905f02)
- Allow updating just the verified_at timestamp of addresses (#3880) (696cc1b)
- Always issue session last (#3876) (e942507):
  In post persist hooks, the session issuance hook always needs to come last. This fixes the getHooks function to ensure this.
- Db index and duplicate credentials error (#3896) (9f34a21):
  - fix: don't return password cred type if empty
  - fix: better index for config.user_handle on identity_credentials
- Do not require method to be passkey in settings schema (#3862) (660f330)
- Execute verification & verification_ui properly in login flows (#3847) (5aad1c1)
- Ignore decrypt errors in WithDeclassifiedCredentials (#3731) (8f5192f)
- Include all creds in duplicate credential err (#3881) (e06c241)
- Make sure emails can still be sent with SMS enabled (#3795) (7c68c5a)
- oidc: Grace period for continuity container on oidc callbacks (#3915) (1a9a096)
- Respect return_to in OIDC API flow error case (#3893) (e8f1bcb):
  - fix: respect return_to in OIDC API flow error case
    This fix ensures that we redirect the user to the return_to URL when an error occurs during the OIDC login for native flows. Native flows are initialized through the API, and the browser URL is retrieved from a 422 response after a POST to submit the login flow. Successful OIDC flows already returned the `code` to the `return_to` URL. Now, unsuccessful flows return the `flow` with the current flow ID (which might have changed), so that the caller can retrieve the full flow and act accordingly.
  - fix: ignore trivy CVE report
    Bump in distroless is still open
- sdk: Expand identity in session extension (#3843) (04f0231), closes #3842
- sdk: Improve discriminators for node and Go (#3821) (9ddf7cc)
- Test assertions on declassifying OIDC tokens (#3773) (7f8a7f1)
- Tolerate more "truthy" values when creating new flows (#3841) (49d93c0), closes #3839:
  Use strconv.ParseBool to accept multiple "truthy" values for the `refresh` and `return_session_token_exchange_code` query parameters when creating a new login flow. For some SDKs (e.g. Python), the stringification of booleans is not user-controlled, and these endpoints could not be used fully because the backend ignored any value other than `true` (all lowercase).
- Use correct post-verification identity state in post-hooks (#3863) (6e63d06)
- Webhook transient payload in OIDC login flows (#3857) (2cdfc70):
  - fix: transient payload with OIDC login
Code Generation
- Pin v1.2.0 release commit (1a70648)
Documentation
Features
- Add `include_credential` query param to `/admin/identities` list call (#3343) (d94530a)
- Allow admin to create API code recovery flows (#3939) (25d1ecd)
- Linkedin v2 provider (#3804) (a6ad983):
  - feat: add linkedin-v2 provider
  - docs: document linkedin special-case
- PassKeys with Resident Keys and two-step registration (#3748) (3621411)
- Use authenticate endpoint for x (#3833) (3d9ba5d):
  Improves the "Log in with X" experience by not asking the user to re-authenticate every time.
Tests
- Resolve flaky e2e tests (#3935) (a14927d):
  - test: resolve flaky code registration tests
  - chore: don't fail logout if cookie is not found
  - chore: remove .only
  - chore: reduce wait
  - chore: u
  - chore: u
  - chore: u
Unclassified
Changelog
- 087748c06 Remove unnecessary COPY command from Dockerfile (#3771)
- d755fbb2d autogen(docs): generate and bump docs
- b96c6a512 autogen(docs): regenerate and update changelog
- f8fbb006c autogen(docs): regenerate and update changelog
- bdf992e5a autogen(docs): regenerate and update changelog
- b7fd23b21 autogen(docs): regenerate and update changelog
- 0f81b7684 autogen(docs): regenerate and update changelog
- f696fcfb5 autogen(docs): regenerate and update changelog
- 34399c2ef autogen(docs): regenerate and update changelog
- ecbd1e36e autogen(docs): regenerate and update changelog
- 41310b3df autogen(docs): regenerate and update changelog
- fa5a1129f autogen(docs): regenerate and update changelog
- 9fa25b57a autogen(docs): regenerate and update changelog
- dfc931f65 autogen(docs): regenerate and update changelog
- 31f77b853 autogen(docs): regenerate and update changelog
- ddbea202b autogen(docs): regenerate and update changelog
- 9c69ef23e autogen(docs): regenerate and update changelog
- 9710549ea autogen(docs): regenerate and update changelog
- 264395a54 autogen(docs): regenerate and update changelog
- cd92f2a8b autogen(docs): regenerate and update changelog
- a1bf427e7 autogen(docs): regenerate and update changelog
- 7f1fd8181 autogen(openapi): regenerate swagger spec and internal client
- 60537a92c autogen(openapi): regenerate swagger spec and internal client
- da6b38a3d autogen(openapi): regenerate swagger spec and internal client
- b7e514489 autogen(openapi): regenerate swagger spec and internal client
- ec90929e1 autogen(openapi): regenerate swagger spec and internal client
- ab8e1b5ba autogen(openapi): regenerate swagger spec and internal client
- 718cb7c3e autogen(openapi): regenerate swagger spec and internal client
- 0b6f91e67 autogen(openapi): regenerate swagger spec and internal client
- fa806aa31 autogen(openapi): regenerate swagger spec and internal client
- 3c0668989 autogen(openapi): regenerate swagger spec and internal client
- 473e17c69 autogen(openapi): regenerate swagger spec and internal client
- 8ebdfd2fb autogen(openapi): regenerate swagger spec and internal client
- 644e66911 autogen(openapi): regenerate swagger spec and internal client
- b132c94e5 autogen(openapi): regenerate swagger spec and internal client
- 14594039a autogen(openapi): regenerate swagger spec and internal client
- dee584498 autogen(openapi): regenerate swagger spec and internal client
- 037bdf82d autogen(openapi): regenerate swagger spec and internal client
- d9dbaadc3 autogen(openapi): regenerate swagger spec and internal client
- b47554b15 autogen(openapi): regenerate swagger spec and internal client
- eb67bed1f autogen(openapi): regenerate swagger spec and internal client
- 5dcbb77cc autogen(openapi): regenerate swagger spec and internal client
- ca7cd23dd autogen(openapi): regenerate swagger spec and internal client
- 6638c3e81 autogen: add v1.1.0 to version.schema.json
- 1a70648c4 autogen: pin v1.2.0 release commit
- 2baecaeee autogen: pin v1.2.0-pre.0 release commit
- 49e1a390d chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 (#3805)
- 0f3d082ad chore(deps): bump github.com/lestrrat-go/jwx from 1.2.28 to 1.2.29 (#3812)
- 83792ef81 chore: allow smtp jim config (#3932)
- 3ecdf2bfe chore: fix function name in comment (#3869)
- fbbac77e2 chore: improve courier logging (#3943)
- 5288bc701 chore: make identity schema provider a proper service (#3908)
- 63ce47071 chore: remove e2e playwright env (#3794)
- 17f9a4fe9 chore: render CLI doc messages into their own *.md file in docs (#3886)
- de8e59c30 chore: update repository templates to https://github.com/ory/meta/commit/e838bee8d0a29d022b61472be9efccf096099130
- 050a4dc37 chore: upgrade nyaruka/phonenumbers to v1.3.6 (#3940)
- 0713e2dcb chore: upgrade ory/x to v0.0.619 (#3845)
- cd01cb9fb docs: remove delete reference from batch patch identity (#3906)
- 3621411dc feat: PassKeys with Resident Keys and two-step registration (#3748)
- d94530a71 feat: add `include_credential` query param to `/admin/identities` list call (#3343)
- 4642de0cf feat: add headers to web hooks (#3849)
- 386078e0b feat: add session to post login webhook (#3877)
- b8b747b2a feat: add transient payloads to all flows (#3738)
- 930fb1984 feat: add twitter SSO (#3778)
- 43e4eadce feat: add verification hook to login flow (#3829)
- 25d1ecd90 feat: allow admin to create API code recovery flows (#3939)
- c9dcce5a4 feat: control edge cache ttl (#3808)
- a6ad983ac feat: linkedin v2 provider (#3804)
- 04390bee4 feat: send OIDC claim keys to tracing (#3798)
- 3d9ba5df8 feat: use authenticate endpoint for x (#3833)
- 1a9a096d6 fix(oidc): grace period for continuity container on oidc callbacks (#3915)
- 04f02318d fix(sdk): expand identity in session extension (#3843)
- 9ddf7cc7c fix(sdk): improve discriminators for node and Go (#3821)
- e5d3b0afd fix: CVEs in dependencies (#3902)
- b685fa547 fix: add login succeeded event to post registration hook (#3739)
- da90502dc fix: add missing env vars to set up guide (#3855)
- 6d7372ee3 fix: add missing indexes and remove unused index
- c905f0247 fix: add missing indexes and remove unused index (#3756)
- b291c959c fix: add sms mfa via parameter to spec (#3766)
- 696cc1b59 fix: allow updating just the verified_at timestamp of addresses (#3880)
- e94250705 fix: always issue session last (#3876)
- 7017490ca fix: audit issues (#3797)
- 9730e099a fix: change return urls in quickstarts (#3928)
- cc39f8df7 fix: close res body (#3870)
- 9f34a21ea fix: db index and duplicate credentials error (#3896)
- 660f330ab fix: do not require method to be passkey in settings schema (#3862)
- 800f8f103 fix: don't require connection_uri in SMTP (#3861)
- 8eee972d8 fix: don't treat passkeys as AAL2 (#3853)
- ad0619d80 fix: drop index if exists (#3846)
- 8f8fd9030 fix: drop trigram index on identifiers (#3827)
- 63d785e5e fix: enum type of session expandables (#3891)
- c435727c1 fix: enum type of session expandables (#3895)
- 5aad1c1e6 fix: execute verification & verification_ui properly in login flows (#3847)
- 8f5192fbb fix: ignore decrypt errors in WithDeclassifiedCredentials (#3731)
- c08b3ad76 fix: improve SDK discriminators (#3844)
- e06c241ff fix: include all creds in duplicate credential err (#3881)
- 11d221a4d fix: linkedin issuer override (#3875)
- 7c68c5aa6 fix: make sure emails can still be sent with SMS enabled (#3795)
- 0b32ce113 fix: missing indices and foreign keys (#3800)
- d01b6705b fix: passing transient payloads (#3838)
- c5f39f4bc fix: prevent SMTP URL leak on unparsable URL (#3770)
- e8f1bcb13 fix: respect return_to in OIDC API flow error case (#3893)
- e6db689e0 fix: show error page on identity mismatch (#3790)
- 7f8a7f142 fix: test assertions on declassifying OIDC tokens (#3773)
- 49d93c0e3 fix: tolerate more "truthy" values when creating new flows (#3841)
- da51dcdb8 fix: tweaks to UpsertSessions (#3878)
- 6e63d06db fix: use correct post-verification identity state in post-hooks (#3863)
- 2cdfc70c7 fix: webhook transient payload in OIDC login flows (#3857)
- 6b275f35a test: deflake session test (#3864)
- 7277368bc test: resolve failing test for empty tokens (#3775)
- a14927dfa test: resolve flaky e2e tests (#3935)
Artifacts can be verified with cosign using this public key.
1. checksums.txt 2.85KB
2. checksums.txt.sig 96B
3. kratos_1.2.0-linux_32bit.tar.gz 15.39MB
4. kratos_1.2.0-linux_64bit.tar.gz 16.32MB
5. kratos_1.2.0-linux_arm64.tar.gz 15.27MB
6. kratos_1.2.0-linux_armv6.tar.gz 15.46MB
7. kratos_1.2.0-linux_armv7.tar.gz 15.45MB
8. kratos_1.2.0-linux_sqlite_64bit.tar.gz 17MB
9. kratos_1.2.0-linux_sqlite_arm64.tar.gz 15.95MB
10. kratos_1.2.0-linux_sqlite_armv6.tar.gz 16.1MB
11. kratos_1.2.0-linux_sqlite_armv7.tar.gz 16.08MB
12. kratos_1.2.0-linux_sqlite_libmusl_64bit.tar.gz 16.99MB
13. kratos_1.2.0-linux_sqlite_libmusl_arm64.tar.gz 15.95MB
14. kratos_1.2.0-linux_sqlite_libmusl_armv6.tar.gz 16.1MB
15. kratos_1.2.0-linux_sqlite_libmusl_armv7.tar.gz 16.09MB
16. kratos_1.2.0-linux_static-nosqlite_64bit.tar.gz 16.32MB
17. kratos_1.2.0-linux_static-nosqlite_arm64.tar.gz 15.27MB
18. kratos_1.2.0-macOS_64bit.tar.gz 16.75MB
19. kratos_1.2.0-macOS_arm64.tar.gz 16.04MB
20. kratos_1.2.0-macOS_sqlite_64bit.tar.gz 17.2MB
21. kratos_1.2.0-macOS_sqlite_all.tar.gz 33.44MB
22. kratos_1.2.0-macOS_sqlite_arm64.tar.gz 16.42MB
23. kratos_1.2.0-macOS_static-nosqlite_64bit.tar.gz 16.75MB
24. kratos_1.2.0-macOS_static-nosqlite_arm64.tar.gz 16.05MB
25. kratos_1.2.0-windows_32bit.zip 15.98MB
26. kratos_1.2.0-windows_64bit.zip 16.7MB
27. kratos_1.2.0-windows_arm64.zip 15.42MB
28. kratos_1.2.0-windows_armv6.zip 15.74MB
29. kratos_1.2.0-windows_armv7.zip 15.72MB
30. kratos_1.2.0-windows_sqlite_64bit.zip 17.37MB
31. kratos_1.2.0_darwin_amd64_v1.bom.json 224.67KB
32. kratos_1.2.0_darwin_arm64.bom.json 224.67KB
33. kratos_1.2.0_linux_amd64_v1.bom.json 224.67KB
34. kratos_1.2.0_linux_arm64.bom.json 224.67KB
35. kratos_1.2.0_sqlite_darwin_amd64_v1.bom.json 224.67KB
36. kratos_1.2.0_sqlite_darwin_arm64.bom.json 224.67KB
37. kratos_1.2.0_sqlite_linux_386.bom.json 224.67KB
38. kratos_1.2.0_sqlite_linux_amd64_v1.bom.json 224.67KB
39. kratos_1.2.0_sqlite_linux_arm64.bom.json 224.67KB
40. kratos_1.2.0_sqlite_linux_arm_6.bom.json 224.67KB
41. kratos_1.2.0_sqlite_linux_arm_7.bom.json 224.67KB
42. kratos_1.2.0_sqlite_windows_386.bom.json 224.67KB
43. kratos_1.2.0_sqlite_windows_amd64_v1.bom.json 224.67KB
44. kratos_1.2.0_sqlite_windows_arm64.bom.json 224.67KB
45. kratos_1.2.0_sqlite_windows_arm_6.bom.json 224.67KB
46. kratos_1.2.0_sqlite_windows_arm_7.bom.json 224.67KB
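The release page only says the artifacts "can be verified with cosign". As an added example (not part of the Ory release notes or the Kratos project), the script below first checks the cosign signature on checksums.txt and only then compares a downloaded archive against the signed digest list. It assumes checksums.txt, checksums.txt.sig and the archive are in the current directory, that the Ory cosign public key has been saved as cosign.pub (the key itself is not reproduced here), and that checksums.txt uses the usual sha256sum "<hex>  <filename>" line format.

```shell
#!/bin/sh
# Added example: verify a Kratos release artifact against the cosign-signed
# checksums.txt. Assumes cosign.pub holds the Ory public key (assumption).
set -eu

# Print the expected SHA-256 digest for one artifact from a checksums.txt
# in "<hex>  <filename>" format; fail if the artifact is not listed.
expected_digest() {
  checksums="$1"; artifact="$2"
  digest=$(awk -v f="$artifact" '$2 == f { print $1 }' "$checksums")
  [ -n "$digest" ] || { echo "no entry for $artifact in $checksums" >&2; return 1; }
  printf '%s\n' "$digest"
}

# Compute the local SHA-256 digest (sha256sum on Linux, shasum on macOS).
local_digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{ print $1 }'
  else shasum -a 256 "$1" | awk '{ print $1 }'; fi
}

# Trust order matters: the signature proves checksums.txt is the list Ory
# published; only then is a digest match meaningful.
verify_artifact() {
  artifact="$1"; key="${2:-cosign.pub}"
  cosign verify-blob --key "$key" --signature checksums.txt.sig checksums.txt >/dev/null
  want=$(expected_digest checksums.txt "$artifact")
  have=$(local_digest "$artifact")
  [ "$want" = "$have" ] || { echo "digest mismatch for $artifact" >&2; return 1; }
  echo "OK: $artifact matches the signed checksums.txt"
}

# Usage (artifact name taken from the list above):
#   verify_artifact kratos_1.2.0-linux_64bit.tar.gz
```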