MyGit

v0.7.0-alpha.1

ory/kratos

Release date: 2021-07-14 02:48:28

Latest ory/kratos release: v1.1.0 (2024-02-20 20:26:07)

About two months ago we released Ory Kratos v0.6. Today, we are excited to announce the next iteration, Ory Kratos v0.7! This release includes 215 commits from 24 contributors, with over 770 files and more than 100,000 lines of code changed!

Ory Kratos v0.7 brings massive developer experience improvements:

In the next iteration of Ory Kratos, we will focus on providing a NextJS example application for the SPA integration as well as the long-awaited MFA flows!

Please be aware that upgrading to Ory Kratos 0.7 requires you to apply SQL migrations. Make sure to back up your database before migration!

For more details on breaking changes and patch notes, see below.

Breaking Changes

Prior to this change it was not possible to specify the verification/recovery link lifetime. Instead, it was bound to the flow expiry. This patch changes that and adds the ability to configure the lifespan of the link individually:

 selfservice:
   methods:
     link:
       enabled: true
       config:
+        # Defines how long a recovery link is valid for (default 1h)
+        lifespan: 15m
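Review bot: the comment on the new `lifespan` key says it defines how long a recovery link is valid, but the paragraph introducing the setting describes it as the lifetime of both verification and recovery links; change the comment to `# Defines how long a recovery or verification link is valid for (default 1h)` so operators do not assume verification links still follow the flow expiry.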

This is a breaking change because the link strategy no longer respects the recovery / verification flow expiry time and, unless set, will default to one hour.

This change introduces a better SDK. As part of this change, several breaking changes with regards to the SDK have been introduced. We recommend reading this section carefully to understand the changes and how they might affect you.

Before, the SDK was structured into tags public and admin. This stems from the fact that we have two ports in Ory Kratos - one administrative and one public port.

While this serves as a good overview when working with Ory Kratos, it does not express:

This patch replaces the current admin and public tags with a versioned approach indicating the maturity of the API used. For example, initializeSelfServiceSettingsForBrowsers would no longer be under the public tag but instead under the v0alpha1 tag:

import {
  Configuration,
- PublicApi
+ V0Alpha1
} from '@ory/kratos-client';

- const kratos = new PublicApi(new Configuration({ basePath: config.kratos.public }));
+ const kratos = new V0Alpha1(new Configuration({ basePath: config.kratos.public }));

To avoid confusion when setting up the SDK, and potentially using the wrong endpoints in your codebase and ending up with strange 404 errors, Ory Kratos now redirects you to the correct port, given that serve.(public|admin).base_url are configured correctly. This is a significant improvement towards a more robust API experience!

Further, all administrative functions require, in the Ory SaaS, authorization using e.g. an Ory Personal Access Token. In the open source, we do not know what developers use to protect their APIs. As such, we believe that it is ok to have admin and public functions under one common API and differentiate with an admin prefix. Therefore, the following patches should be made in your codebase:

import {
- AdminApi,
+ V0Alpha1,
  Configuration
} from '@ory/kratos-client';

-const kratos = new AdminApi(new Configuration({ basePath: config.kratos.admin }));
+const kratos = new V0Alpha1(new Configuration({ basePath: config.kratos.admin }));

-kratos.createIdentity({
+kratos.adminCreateIdentity({
  schema_id: 'default',
  traits: { /* ... */ }
})
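Review bot: this hunk configures the admin client with `config.kratos.admin`, and the paragraph above states that in the open source build Kratos itself does not authorize calls such as `adminCreateIdentity`; the snippet should carry a comment that the admin base URL must only be reachable by the server-side code that needs it (network policy or an authenticating proxy), because with `AdminApi` and `PublicApi` collapsed into a single `V0Alpha1` class it is now easy to hand the admin-configured client to code that previously only held the public one.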

Further, we have introduced a style guide for writing SDK annotations, governing how names are chosen.

We also streamlined how credentials are used. We now differentiate between:

This patch introduces CSRF countermeasures for fetching all self-service flows. This ensures that users cannot accidentally leak sensitive information when copy/pasting e.g. login URLs (see #1282). If a self-service flow for browsers is requested, the CSRF cookie must be included in the call, regardless of whether a client-side browser app or a server-side browser app is calling. This does not apply to API-based flows.

As part of this change, the following endpoints have been removed:

Please ensure that your server-side applications use the public port (e.g. GET <ory-kratos-public>/self-service/login/flows) for fetching self-service flows going forward.

If you use the SDKs, upgrading is easy by adding the cookie header when fetching the flows. This is only required when using browser flows on the server side.

The following example illustrates an ExpressJS (NodeJS) server-side application fetching the self-service flows.

app.get('some-route', (req: Request, res: Response) => {
-   kratos.getSelfServiceLoginFlow(flow).then((flow) => /* ... */ )
+   kratos.getSelfServiceLoginFlow(flow, req.header('cookie')).then((flow) => /* ... */ )

-   kratos.getSelfServiceRecoveryFlow(flow).then((flow) => /* ... */ )
+   kratos.getSelfServiceRecoveryFlow(flow, req.header('cookie')).then((flow) => /* ... */ )

-   kratos.getSelfServiceRegistrationFlow(flow).then((flow) => /* ... */ )
+   kratos.getSelfServiceRegistrationFlow(flow, req.header('cookie')).then((flow) => /* ... */ )

-   kratos.getSelfServiceVerificationFlow(flow).then((flow) => /* ... */ )
+   kratos.getSelfServiceVerificationFlow(flow, req.header('cookie')).then((flow) => /* ... */ )

-   kratos.getSelfServiceSettingsFlow(flow).then((flow) => /* ... */ )
+   kratos.getSelfServiceSettingsFlow(flow, undefined, req.header('cookie')).then((flow) => /* ... */ )
})
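Review bot: `req.header('cookie')` forwards the browser's entire Cookie header to Kratos, not only the CSRF cookie the paragraph above says is required; that works when the app and Kratos share a cookie domain, but a comment should say so, since any cookie your own application sets on that domain travels along. Also, the `getSelfServiceSettingsFlow` line passes `undefined` as the second argument and the cookie as the third, while the other four calls take the cookie as the second argument; a comment naming the skipped parameter would stop readers from copying the wrong arity into the other calls.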

For concrete details, check out the changes in the NodeJS app.

This patch refactors the logout functionality for browsers and APIs. It hardens the logout flow and adds DoS defenses.

Previously, calling GET /self-service/browser/flows/logout would remove the session cookie and redirect the user to the logout endpoint. Now you have to make a call to GET /self-service/logout/browser which returns a JSON response including a logout_url URL to be used for logout. The call to /self-service/logout/browser must be made using AJAX with cookies enabled or by including the Ory Session Cookie in the X-Session-Cookie HTTP Header. You may also use the SDK method createSelfServiceLogoutUrlForBrowsers to do that.

Additionally, the endpoint DELETE /sessions has been moved to DELETE /self-service/logout/api. Payloads and responses are unchanged. The SDK method revokeSession has been renamed to submitSelfServiceLogoutFlowWithoutBrowser.
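As an added example (not code from the Ory release notes or the Kratos SDK), here is the two-step browser logout described above, written against the HTTP endpoint with plain fetch instead of createSelfServiceLogoutUrlForBrowsers. The Kratos public URL, the Express-style req/res shape, the session cookie name `ory_kratos_session` and the 401 answer for a missing session are assumptions, and the Kratos stand-in is constructed so the code runs offline.

```javascript
// Step 1 of the v0.7 logout flow: GET /self-service/logout/browser on the public port,
// forwarding the browser's cookies so Kratos can find the session. Never throws on HTTP errors.
async function fetchLogoutUrl(kratosPublicUrl, cookieHeader, fetchImpl = globalThis.fetch) {
  if (!cookieHeader) {
    // No Cookie header at all means no session to log out; skip the round trip.
    return { ok: false, reason: 'no-cookie' };
  }
  const res = await fetchImpl(`${kratosPublicUrl}/self-service/logout/browser`, {
    method: 'GET',
    headers: { Accept: 'application/json', Cookie: cookieHeader },
  });
  if (!res.ok) {
    return { ok: false, reason: `status-${res.status}` };
  }
  const body = await res.json();
  if (typeof body.logout_url !== 'string' || !body.logout_url.startsWith(kratosPublicUrl)) {
    // Only redirect to a logout_url that points back at Kratos; never act as an open redirector.
    return { ok: false, reason: 'bad-logout-url' };
  }
  return { ok: true, logoutUrl: body.logout_url };
}
// Step 2: an Express-style route. Nothing is logged out yet at this point; only the
// browser following the redirect to logoutUrl ends the session.
function logoutHandler(kratosPublicUrl, loginPath, fetchImpl = globalThis.fetch) {
  return async (req, res) => {
    const result = await fetchLogoutUrl(kratosPublicUrl, req.header('cookie'), fetchImpl);
    res.redirect(result.ok ? result.logoutUrl : loginPath);
    return result;
  };
}
// Constructed stand-in for the Kratos public port (assumed URL and cookie name) so the
// example runs offline; it answers 401 unless a session cookie is present.
const KRATOS = 'http://127.0.0.1:4433';
function fakeKratos(url, init) {
  const cookie = (init.headers && init.headers.Cookie) || '';
  const hasSession = /(^|;\s*)ory_kratos_session=[^;]+/.test(cookie);
  if (url !== `${KRATOS}/self-service/logout/browser` || !hasSession) {
    return Promise.resolve({ ok: false, status: 401, json: async () => ({ error: 'no session' }) });
  }
  return Promise.resolve({
    ok: true, status: 200,
    json: async () => ({ logout_url: `${KRATOS}/self-service/logout?token=constructed` }),
  });
}
// Drives the handler with minimal constructed req/res objects; returns the redirect target.
async function runLogout(cookieHeader) {
  const req = { header: (name) => (name.toLowerCase() === 'cookie' ? cookieHeader : undefined) };
  const res = { location: null, redirect(url) { this.location = url; } };
  await logoutHandler(KRATOS, '/login', fakeKratos)(req, res);
  return res.location;
}
```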

We listened to your feedback and have improved the naming of the SDK method initializeSelfServiceRecoveryForNativeApps to better match what it does: initializeSelfServiceRecoveryWithoutBrowser. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.

We listened to your feedback and have improved the naming of the SDK method initializeSelfServiceVerificationForNativeApps to better match what it does: initializeSelfServiceVerificationWithoutBrowser. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.

We listened to your feedback and have improved the naming of the SDK method initializeSelfServiceSettingsForNativeApps to better match what it does: initializeSelfServiceSettingsWithoutBrowser. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.

We listened to your feedback and have improved the naming of the SDK method initializeSelfServiceRegistrationForNativeApps to better match what it does: initializeSelfServiceRegistrationWithoutBrowser. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.

We listened to your feedback and have improved the naming of the SDK method initializeSelfServiceLoginForNativeApps to better match what it does: initializeSelfServiceLoginWithoutBrowser. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.

Bug Fixes

Code Generation

Code Refactoring

Documentation

Features

Tests

Unclassified

Docker images


1. kratos_0.7.0-alpha.1-sqlite-libmusl_linux_64bit.tar.gz (11.55MB)
2. kratos_0.7.0-alpha.1-sqlite_linux_64bit.tar.gz (11.56MB)
3. kratos_0.7.0-alpha.1-sqlite_macos_64bit.tar.gz (12.34MB)
4. kratos_0.7.0-alpha.1-sqlite_windows_64bit.zip (11.57MB)
5. kratos_0.7.0-alpha.1_checksums.txt (1.8KB)
6. kratos_0.7.0-alpha.1_linux_32bit.tar.gz (10.25MB)
7. kratos_0.7.0-alpha.1_linux_64bit.tar.gz (10.93MB)
8. kratos_0.7.0-alpha.1_linux_arm32v5.tar.gz (10.16MB)
9. kratos_0.7.0-alpha.1_linux_arm32v6.tar.gz (10.14MB)
10. kratos_0.7.0-alpha.1_linux_arm32v7.tar.gz (10.14MB)
11. kratos_0.7.0-alpha.1_linux_arm64.tar.gz (9.94MB)
12. kratos_0.7.0-alpha.1_macos_64bit.tar.gz (11.2MB)
13. kratos_0.7.0-alpha.1_macos_arm64.tar.gz (11.11MB)
14. kratos_0.7.0-alpha.1_windows_32bit.zip (10.61MB)
15. kratos_0.7.0-alpha.1_windows_64bit.zip (11.01MB)
16. kratos_0.7.0-alpha.1_windows_arm32v5.zip (10.37MB)
17. kratos_0.7.0-alpha.1_windows_arm32v6.zip (10.36MB)
18. kratos_0.7.0-alpha.1_windows_arm32v7.zip (10.34MB)
