v0.8.0-alpha.1

版本发布时间: 2021-10-28 16:23:21

ory/kratos最新发布版本:v1.1.0(2024-02-20 20:26:07)

We are extremely excited to share this next generation of Ory Kratos! The project is truly maturing and the community is getting larger by the hour.

On this special occasion, we would like to bring to your attention that the Ory Summit is happening tomorrow and on Friday! You will hear gripping talks from the Ory Community and Ory maintainers! And the best part, tickets are free and we are covering multiple time zones!

This release is truly the best version of Ory Kratos to date and we want to give you a tl;dr of the 345 commits and 1152 files changed, and what you can expect from this release:

Full multi-factor authentication with different enforcement policies (soft/hard MFA).
Support for WebAuthn (FIDO2 / U2F) two-factor authentication - from fingerprints to hardware tokens every FIDO2 device is supported!
Ability to fetch the initial OAuth2 Access and Refresh and OpenID Connect ID Tokens an identity receives when performing social sign up. Optionally, these tokens are stored encrypted in the database (XChaCha20Poly1305 or AES-GCM)!
Support for TOTP (Google Authenticator) two-factor verification/authentication.
Advanced two-factor recovery with lookup secrets.
A complete reference implementation of the Ory Kratos end-user (self-service) facing UI in ReactJS & VercelJS.
"Native" support for Single-Page App Single Sign-On.
Much improved single-page app and native app APIs for all self-service flows.
Support for PKBDF2 password hashing, which will help import user passwords from other systems in the future.
Bugfixes and improvements to the OpenAPI spec and auto-generated SDKs.
ARM Docker Images.
Greatly improved internal e2e test pipeline using Cypress 8.x.
Improved functional tests with cupaloy snapshot testing.
Documentation on different error codes and message identifiers to easier translate messages in your own UI.
Better form decoding and ability to mark required JSON Schema fields as required in the UI.
Bug fixes that could result in users ending up in irrecoverable UI states.
Better support for return_to across flows (e.g. OIDC) and in custom UIs.
SBOM Software Supply Chain scanning & reporting.
Docker Image vulnerability checking as part of the release pipeline.
Support sending emails via AWS SES SMTP.
A REST endpoint to invalidate all an identity's sessions.

As you can see, much has happened and we are grateful for all the great interactions we have with you, every day!

Let's take a look at some of the breaking changes. Even though much was added, little has changed in breaking ways! This is a testament that Ory Kratos' internals and APIs are becoming more stable!

This release requires you to run SQL migrations. Please, as always, create a backup of your database first!

The SDKs are now generated with tag v0alpha2 to reflect that some signatures have changed in a breaking fashion. Please update your imports from v0alpha1 to v0alpha2.

The SMTPS scheme used in courier config URL with cleartext/StartTLS/TLS SMTP connection types is now only supporting implicit TLS. For StartTLS and cleartext SMTP, please use the SMTP scheme instead.

Example:

SMTP Cleartext: smtp://foo:bar@my-mailserver:1234/?disable_starttls=true
SMTP with StartTLS: smtps://foo:bar@my-mailserver:1234/ -> smtp://foo:bar@my-mailserver:1234/
SMTP with implicit TLS: smtps://foo:bar@my-mailserver:1234/?legacy_ssl=true -> `smtps://foo:bar@my-mailserver:1234/We are extremely excited to share this next generation of Ory Kratos! The project is truly maturing and the community is getting larger by the hour.

This release is truly the best version of Ory Kratos to date and we want to give you a tl;dr of the 345 commits and 1152 files changed, and what you can expect from this release:

Full multi-factor authentication with different enforcement policies (soft/hard MFA).
Support for WebAuthn (FIDO2 / U2F) two-factor authentication - from fingerprints to hardware tokens every FIDO2 device is supported!
Ability to fetch the initial OAuth2 Access and Refresh and OpenID Connect ID Tokens an identity receives when performing social sign up. Optionally, these tokens are stored encrypted in the database (XChaCha20Poly1305 or AES-GCM)!
Support for TOTP (Google Authenticator) two-factor verification/authentication.
Advanced two-factor recovery with lookup secrets.
A complete reference implementation of the Ory Kratos end-user (self-service) facing UI in ReactJS & VercelJS.
"Native" support for Single-Page App Single Sign-On.
Much improved single-page app and native app APIs for all self-service flows.
Support for PKBDF2 password hashing, which will help import user passwords from other systems in the future.
Bugfixes and improvements to the OpenAPI spec and auto-generated SDKs.
ARM Docker Images.
Greatly improved internal e2e test pipeline using Cypress 8.x.
Improved functional tests with cupaloy snapshot testing.
Documentation on different error codes and message identifiers to easier translate messages in your own UI.
Better form decoding and ability to mark required JSON Schema fields as required in the UI.
Bug fixes that could result in users ending up in irrecoverable UI states.
Better support for return_to across flows (e.g. OIDC) and in custom UIs.
SBOM Software Supply Chain scanning & reporting.
Docker Image vulnerability checking as part of the release pipeline.
Support sending emails via AWS SES SMTP.
A REST endpoint to invalidate all an identity's sessions.

As you can see, much has happened and we are grateful for all the great interactions we have with you, every day!

Let's take a look at some of the breaking changes. Even though much was added, little has changed in breaking ways! This is a testament that Ory Kratos' internals and APIs are becoming more stable!

This release requires you to run SQL migrations. Please, as always, create a backup of your database first!

The SDKs are now generated with tag v0alpha2 to reflect that some signatures have changed in a breaking fashion. Please update your imports from v0alpha1 to v0alpha2.

The SMTPS scheme used in courier config URL with cleartext/StartTLS/TLS SMTP connection types is now only supporting implicit TLS. For StartTLS and cleartext SMTP, please use the SMTP scheme instead.

Example:

SMTP Cleartext: smtp://foo:bar@my-mailserver:1234/?disable_starttls=true
SMTP with StartTLS: smtps://foo:bar@my-mailserver:1234/ -> smtp://foo:bar@my-mailserver:1234/
SMTP with implicit TLS: smtps://foo:bar@my-mailserver:1234/?legacy_ssl=true -> `smtps://foo:bar@my-mailserver:1234/We are extremely excited to share this next generation of Ory Kratos! The project is truly maturing and the community is getting larger by the hour.

This release is truly the best version of Ory Kratos to date and we want to give you a tl;dr of the 345 commits and 1152 files changed, and what you can expect from this release:

Full multi-factor authentication with different enforcement policies (soft/hard MFA).
Support for WebAuthn (FIDO2 / U2F) two-factor authentication - from fingerprints to hardware tokens every FIDO2 device is supported!
Ability to fetch the initial OAuth2 Access and Refresh and OpenID Connect ID Tokens an identity receives when performing social sign up. Optionally, these tokens are stored encrypted in the database (XChaCha20Poly1305 or AES-GCM)!
Support for TOTP (Google Authenticator) two-factor verification/authentication.
Advanced two-factor recovery with lookup secrets.
A complete reference implementation of the Ory Kratos end-user (self-service) facing UI in ReactJS & VercelJS.
"Native" support for Single-Page App Single Sign-On.
Much improved single-page app and native app APIs for all self-service flows.
Support for PKBDF2 password hashing, which will help import user passwords from other systems in the future.
Bugfixes and improvements to the OpenAPI spec and auto-generated SDKs.
ARM Docker Images.
Greatly improved internal e2e test pipeline using Cypress 8.x.
Improved functional tests with cupaloy snapshot testing.
Documentation on different error codes and message identifiers to easier translate messages in your own UI.
Better form decoding and ability to mark required JSON Schema fields as required in the UI.
Bug fixes that could result in users ending up in irrecoverable UI states.
Better support for return_to across flows (e.g. OIDC) and in custom UIs.
SBOM Software Supply Chain scanning & reporting.
Docker Image vulnerability checking as part of the release pipeline.
Support sending emails via AWS SES SMTP.
A REST endpoint to invalidate all an identity's sessions.

As you can see, much has happened and we are grateful for all the great interactions we have with you, every day!

Let's take a look at some of the breaking changes. Even though much was added, little has changed in breaking ways! This is a testament that Ory Kratos' internals and APIs are becoming more stable!

This release requires you to run SQL migrations. Please, as always, create a backup of your database first!

The SDKs are now generated with tag v0alpha2 to reflect that some signatures have changed in a breaking fashion. Please update your imports from v0alpha1 to v0alpha2.

The SMTPS scheme used in courier config URL with cleartext/StartTLS/TLS SMTP connection types is now only supporting implicit TLS. For StartTLS and cleartext SMTP, please use the SMTP scheme instead.

Example:

SMTP Cleartext: smtp://foo:bar@my-mailserver:1234/?disable_starttls=true
SMTP with StartTLS: smtps://foo:bar@my-mailserver:1234/ -> smtp://foo:bar@my-mailserver:1234/
SMTP with implicit TLS: smtps://foo:bar@my-mailserver:1234/?legacy_ssl=true -> smtps://foo:bar@my-mailserver:1234/

Breaking Changes

The location of the homebrew tap has changed from ory/ory/kratos to ory/tap/kratos.

To stay consistent with other query parameter's, the self-service login flow's forced key has been renamed to refresh.

The SDKs are now generated with tag v0alpha2 to reflect that some signatures have changed in a breaking fashion. Please update your imports from v0alpha1 to v0alpha2.

To support 2FA on non-browser (e.g. native mobile) apps we have added the Ory Session Token as a possible parameter to both initializeSelfServiceLoginFlowWithoutBrowser and submitSelfServiceLoginFlow. Depending on the SDK generator, the order of the arguments may have changed. In JavaScript:

- .submitSelfServiceLoginFlow(flow.id, payload)
+ .submitSelfServiceLoginFlow(flow.id, sessionToken, payload)
+ // or if the user has no session yet:
+ .submitSelfServiceLoginFlow(flow.id, undefined, payload)

To improve the overall API design we have changed the result of POST /self-service/settings. Instead of having flow be a key, the flow is now the response. The updated identity payload stays the same!

 {
-  "flow": {
-    "id": "flow-id-..."
-    ...
-  },
+  "id": "flow-id-..."
+  ...
   "identity": {
     "id": "identity-id-..."
   }
 }

The SMTPS scheme used in courier config url with cleartext/StartTLS/TLS SMTP connection types is now only supporting implicit TLS. For StartTLS and cleartext SMTP, please use the smtp scheme instead.

Example:

SMTP Cleartext: smtp://foo:bar@my-mailserver:1234/?disable_starttls=true
SMTP with StartTLS: smtps://foo:bar@my-mailserver:1234/ -> smtp://foo:bar@my-mailserver:1234/
SMTP with implicit TLS: smtps://foo:bar@my-mailserver:1234/?legacy_ssl=true -> smtps://foo:bar@my-mailserver:1234/

This patch changes the naming and number of prometheus metrics (see: https://github.com/ory/x/pull/379). In short: all metrics will have now http_ prefix to conform to Prometheus best practices.

Bug Fixes

Add error id (1442784)
Add mfa e2e test scenarios and resolve found issues (436992d)
Add middleware earlier #1775 (#1776) (b9d253e)
Allow refresh and aal upgrade at the same time (2ec801f)
API client leaks stack trace with an error (#1772) (d3aff6d), closes #1771
Better const handling for internal context (1e457e3)
Correct swagger path for /identities/:id/session endpoint (#1756) (d614f2a)
Decoder regression in registration (febf75a)
Deterministic clidoc dates (e48d90a)
Disable totp per default (7278589)
Docs autogen should not use time.Now (a830f5b)
Ensure correct error propagation (77ce709)
Ensure refresh issues a new session when the identity changes (a10b385)
Ensure return_to works for OIDC flows (d615734), closes #1773
Explicit validation for return to in new flows (284cf29)
Follow chrome webauthn best practice recommendation (0a7c812)
Githup-app name in config (#1822) (1b50963)
Handle return errors on the frontend and break early (0e8d481):

Closes https://github.com/ory-corp/cloud/issues/1426
Identity credential identifiers are now unique per method (57fd99a)
Improve schema validation error tracing (f793fe5)
Incorrect JSON response for browser flows (1501f56)
Kill modd as well (e5a98e5)
link: Resolve incorrect response types when opening API recovery link in browser (35ea8db)
login: Properly handle refresh (8dc7059)
lookup: Ensure correct fields are set (5ed4c55)
lookup: Resolve reuse scenarios (dbfe475)
lookup: Set up codes correctly (2f373f3)
OIDC provider field in spec (#1809) (11b25de)
oidc: Ensure nested keys work on login (71583c5)
Omitempty for VerifiedAt and StateChangedAt (#1736) (bf2ec6e):

Closes https://github.com/ory/sdk/issues/95
Only respect required modules for SDK (4c5677f)
Panic when recovering deactivated user (0a49f27), closes #1794 #1826
Potentially resolve hanging postgres connection closing (693a928)
Properly encode aal error (49b6288)
Properly open recovery endpoints in browser if flow was initiated via API (23c12e5)
Remove duplicate schema error (4e69123)
Remove initial_value again as it was not useful outside of booleans (0cc984b)
Remove obsolete openapi patch (11618ec)
Remove unnecessary cmd reference (351760e)
Replace 302 with 303 (2e2b0f8)
Resolve clidoc generation issue (1aaaa03)
Resolve merge issues (1dc7497)
Resolve openapi issues and regenerate clients (f7d60c0)
Resolve swagger regression (02b9d47)
Run format on ts files (f55f6f6)
Slow CLI start-up time (ae20c17):

Found a deeply nested dependency which was importing https://github.com/markbates/pkger, causing unreasonable CPU consumption and significant delay at start up time. With this patch, start up time was reduced from almost 3s to ~0.01s.
```
$ time kratos
kratos  2.55s user 2.46s system 508% cpu 0.986 total

$ time ./kratos-patch
./kratos-patch  0.00s user 0.00s system 64% cpu 0.001 total
```
test: OIDC storategy test (#1836) (b877dbe)
totp: Reorder QR (d096df7)
Try and reduce cookie flakyness (e7ae8d6)
Typo (8c4d8a2)
ui: Use correct type for anchor (a6595e4)
Update schema config location (539ae73)
Use parallelism of 1 in go test (8736334)
webauthn: Support react-based webauth (b6123b4)
X-session-token must not be mandatory (05d73be)

Code Generation

Pin v0.8.0-alpha.1 release commit (c2c902c)

Code Refactoring

courier: Support SMTP schemes for implicit TLS, explicit StartTLS, and cleartext SMTP (#1831) (4cb082c), closes #1770 #1769
Homogenize error messages (421a319)
Improved prometheus metrics (#1830) (0be993b), closes #1735:

This will add new prometheus metrics for Kratos that are more useful for alerting and increase overall observability.
Login flow forced renamed to refresh (92087e5)
login: Rename forced -> refresh (8d1e54b)
login: Support 2FA for non-browser SDKs (df4846d)
Move expired error into top-level flow module (01a2602)
Move homebrew tap to ory/tap (0ee67c3)
Move node identifiers to node package (b0a86dc)
Revert decision to return 422 errors and streamline 401/403 (8aa5318)
Sdk API is no v0alpha2 (3f06738)
session: CreateAndIssueCookie is now UpsertAndIssueCookie (a6d134d)
session: CreateSession is now UpsertSession (3ec81a2)
settings: Change settings success response (12f98f2)

Documentation

Add 2fa credentials (f7899a7)
Add 2fa guide (b4eed76)
Add a commandline example for the logout (#1753) (81ba264)
Add admin ui guide (ac88060)
Add advanced custom UI documentation (5e3a2cd)
Add image assets (6bc93ca)
Add missing angle bracket (#1799) (4270140)
Add ory sessions as a concept (626c0c9)
Add powershell to deps (#1853) (e945336), closes #1848
credentials: Add AAL explanation (c1f501e)
Enhance error return values (3799c24)
Fix invalid syntax (#1819) (8cd6428)
Fix the flow links used for rendering (#1752) (131d2c2)
Fix the invalid links (#1868) (6d621ec)
Remove obsolete file (b7f9052)
Update generated docs (72afb81)
Update quickstart curl examples (#1778) (6c677c4)
Use correct link (f007919), closes #1793

Features

Add intended_for_someone_else error code (572a131)
Add aal fallback for existing sessions (a5c7b11)
Add authenticators after set up (035c276)
Add DeleteCredentialsType to identity struct including tests (b12bf52)
Add e2e tests for react native 2fa (a3ac253)
Add error ids for csrf-related errors (dc2adbf)
Add error ids for redirect-related errors (246a045)
Add error ids for session-related errors (087d907)
Add explicit return_to to flow objects and API parameters (50d04ea), closes #1605 #1121:

This patch adds a return_to field to the flow objects which contains the original ?return_to=... value. It uses the Flow's request_url for that purpose.
Add ids for user-facing errors for login, registration, settings (787558b):

This patch adds a new field id to JSON error payloads. This helps tremendously in implementing better client-side (native / SPA) apps as the API now returns error IDs like no_active_session, orbidden_return_to, no_verified_address and more. UIs can use these IDs to decide what to do next in the application - for example redirecting to a particular endpoint or showing an error message.
Add initial value to bool checkboxes (63dba73)
Add internal context to login and registration (723e6ee)
Add internal context to settings flow (afb6895)
Add lookup node to disable lookup (d0836be):

See https://github.com/ory/cloud/issues/12
Add lookup to config (14119b6)
Add lookup to identity (ead3833)
Add lookup to migrations (dac4f75)
Add MFA enforcment option to whoami and settings (554d725)
Add mfa for non-browser (4096fd3)
Add missing migrations (ccc64d8)
Add option to disable recovery codes (9d3daa6):

Closes https://github.com/ory/cloud/issues/12
Add ory cli config (5b959be)
Add schema patch for new initial_value field (131e380):

The field sets a node input's initial value. This is primarily used for fields which are e.g. checkboxes or buttons (active/inactive). If this field is set on a button, it implies that clicking the button should trigger the "value" to be set.
Add script type and discriminator for attributes (de0af95):

See https://github.com/ory/sdk/issues/72
Add smtp headers config option (#1747) (7ffe0e9), closes #1725
Add support for onclick javascript in ui nodes (7cc7efa)
Add totp strategy for settings flow (d1d6617):

This patch allows adding a TOTP device in the settings, and also removing it when no longer needed.
Add webauthn identity credential (f8b9582)
Adding Dockle Container Linter (#1852) (3c0d519)
Adjust to new aal error handling (b8956bc)
API to return access, refresh, id tokens from social sign in (#1818) (198991a), closes #1518 #397:

This patch introduces the new include_credential query parameter to the GET /identities endpoint which allows administrators to receive the initial access, refresh, and ID tokens from Social Sign In (OpenID Connect / OAuth 2.0) flows.

These tokens can be stored in an encrypted format (XChaCha20Poly1305 or AES-GCM) in the database if an appropriate encryption secret is set. To get started easily these values are not encrypted per default.

For more information head over to the docs.
Auto-generate list of messages (cf46339), closes #1784
Endpoint to list all identity schemas (#1703) (aa23d5d), closes #1699
Generate sdks and update versions (c9d22d9)
hash: PBKDF2 password hash verification (#1774) (33cc7e0), closes #1659
Identity schema validation on startup (#1779) (99db3f0), closes #701
identity: Add AAL constants (882573d)
Implement AAL for login and sessions (45467e0)
Implement endpoint for invalidating all sessions for a given identity (#1740) (dbd1689), closes #655:

This PR introduces endpoint to destroy all sessions for a given identity which effectively logouts user from all devices/sessions. This is useful when for some security concern we want to make sure there are no "old" sessions active or other "staff" related actions (such as force logout after password change etc.).
Implement lookup code settings and login (8f3ce7b)
Improve detection of AAL errors and return 422 instead of 403 (e2bfbea)
Improve labels for totp and lookup (b92e00e)
Improve session device annotations (87907b8)
In docker debug support with delve (#1789) (37325a1)
Introduce cve scanning (#1798) (ade13ea)
logout: Add logout token to browser response (#1758) (d3f1177)
Mark recovery email address verified (#1665) (e3efc5d), closes #1662
Mark required fiels as required (34cd5e8):

Closes https://github.com/ory-corp/cloud/issues/1328 Closes https://github.com/ory/kratos/issues/400 Closes https://github.com/ory/kratos/issues/1058 See https://ory-community.slack.com/archives/C012RJ2MQ1H/p1631825476159000
Natively support social sign in for single-page apps (1a1a350)
persistence: Add new columns for mfa (6184fe3)
Potentially add arm64 docker support (68112de)
Proper enum and type assertions for openapi (c4d8516)
Publish webauthn as loadable script instead of eval (2717c59)
Redirect on login if session aal is not matched (8feff8d)
Respect webauthn in session aal (869b4a5)
session: Respect 2fa enforcement in whoami (3a82c88)
Sign in with apple (#1833) (16ed123), closes #1782:

Adds an adapter and configuration options for enabling Social Sign In with Apple.
Sort totp nodes (5c9a494)
Stubable time in text package (22e4ed1)
Support apple m1 (54b4fb6)
Support setting the identity state via the admin API (#1805) (29c060b), closes #1767
Support strategy return to ui for settings (74670bb)
Support webauthn for mfa (e8f4d3c)
totp: Add width and height to QR code (a648ba3)
totp: Support account name setting from schema (19a6bcc)
Treat lookup as aal2 in session (3269028)
Use discriminators for ui node types in spec (59e808e)
Use initial_value in lookup strategy (efe272f)

Reverts

3745014 (d493d10)

Tests

Aal in login.NewFlow (5986e38)
AcceptToRedirectOrJSON (2ca153f)
Add credentials test (58b388c)
Add expired test to login handler (3bdb8ab)
Add identity change test to settings submit (5eb090b)
Add initial spa e2e test (20617f6)
Add initial totp integration tests (c9d456b)
Add login tests (a71cadd)
Add migrations tests for new tables (3c96ab0)
Add react app to e2e tests (1214eee)
Add schema test for totp config (c4f05ba)
Add session amr test (eedb60b)
Add settings tests (6959565)
Add test for TOTPIssuer (14731c4)
Add test for ui error page (3977a9c)
Add TestEnsureInternalContext (152bfc7)
Add totp registry tests (817e3ec)
Add totp settings tests (c5a0d0f)
Add TOTP to profile (7431e9f)
Add update session test (47bd057)
Additional checks for flow hydration (a40d7fe)
Amr persistence (b0b2d81)
Check if internal context is validated in store (a23d851)
CheckAAL (03b37e7)
Complete TOTP login integration tests (6e503cf)
e2e: Add baseurl (159b25f)
e2e: Add checkboxes to schemas (0c91f0c)
e2e: Add config for proxy to simplify cy.visit logic (7d87985)
e2e: Add mfa profile (a60d157)
e2e: Add modd to build (48cd8ae)
e2e: Add more helpers and ts defs (21b35b0)
e2e: Add more helpers for various flows and proxy settings (755ac60)
e2e: Add more routes to registry (30423c9)
e2e: Add more typings for cypress helpers (60bd63f)
e2e: Add plugin for using got (8fafc40)
e2e: Add proxy capabilities for react native app (b5668df)
e2e: Add recovery tests for SPA (b6014ee)
e2e: Add spa as allowed redirect url (2625d16)
e2e: Add SPA tests for login and refactor tests to typescript (d9a25df)
e2e: Add SPA tests for logout and refactor tests to typescript (b0c6776)
e2e: Add SPA tests for registration and refactor tests to typescript (a61ed1e)
e2e: Add support functions and type definitions (c82d68d)
e2e: Clean up helper (4806add)
e2e: Complete SPA tests for all mfa flows (2196129)
e2e: Default and empty values and required fields (72f2c5f)
e2e: Ensure advanced types work in forms also (287269c)
e2e: Ensure correct app (a9ff545)
e2e: Finalize mobile tests (acf5c3d)
e2e: Force port (a49eda8)
e2e: Homogenize profiles (7798e19)
e2e: Hot reload ory kratos on changes (841da09)
e2e: Implement recovery tests for SPA (3dea57f)
e2e: Implement required verification tests for SPA (fb55f34)
e2e: Improve stability for login tests (43df22b)
e2e: Improve stability for registration tests (a1c59a3)
e2e: Improve test reliability (061a7e3)
e2e: Migrate email tests to new proxy set up (54d8cd6)
e2e: Migrate settings tests to typescript and add SPA tests (566336d)
e2e: Move config to lower level and publish as package (c21fa26)
e2e: Move registration tests to new proxy set up (eddeb85)
e2e: Port mobile test to typescript (db42346)
e2e: Port remaining e2e tests to typescript (5853d1a)
e2e: Potentially resolve flaky login test (e237d66)
e2e: Potentially resolve webauthn startup issues (eae6f5d)
e2e: Prototype typescript implementation (2e869cf)
e2e: Recreate identities per flow (1a560a3)
e2e: Reduce flaky tests (cae86e7)
e2e: Reduce test flakes in lookup codes (bfea354)
e2e: Refactor and add support for SPA app (7609219)
e2e: Remove wait condition (af10b03)
e2e: Resolve broken test (c7cf134)
e2e: Resolve flaky test (de7cc59)
e2e: Resolve flaky test issues (1627745)
e2e: Resolve next not starting (2a2a3cb)
e2e: Resolve regression (d62f0c0)
e2e: Resolve regressions (aaff34e)
e2e: Resolve regressions (af9aedc)
e2e: Revert proxy changes (293d920)
e2e: Stabilize e2e tests (a5dca28)
e2e: Temporarily add totp to default profile (8ffac9d)
e2e: Update e2e profiles to new proxy set up (a3204cf)
e2e: Use 127.0.0.1 to prevent ipv6 issues (6f4b534)
e2e: Wait for oidc to trigger (9c67c49)
Enable cookie debug (81c3064)
Ensure aal and amr is set on recovery (5cbab54), closes #1322
Ensure aal2 can not be used for oidc (cbbcdd2)
Ensure aal2 can not be used for password (d9d39f0)
Ensure authenticated_at after all upgrade (80408b4)
Ensure redirect_url in password strategy (9eafc10)
ErrStrategyAsksToReturnToUI behavior (f739018)
Finalize webauthn tests (97e59e6)
Fix regressions in the tests (246c580)
Fix tests in cmd/serve (#1755) (b704d08)
ID methods of node attributes (ff9ff04)
Login form submission with AAL (4d54fbb)
lookup: Add secret_disable to snapshots (68d6a87)
lookup: Ensure context is cleaned up after use (8a210c4)
lookup: Refresh and reuse scenarios (89736ed)
migration: Resolve mysql migration issue with empty array (71a5649)
Move to cupaloy for snapshots (0cce70f)
Properly refresh mobile session (c31915d)
Registry regression (25c88b5)
Remove todo items (f60050e)
Resolve flaky config test (147c670)
Resolve flaky config test (#1832) (db98d01)
Resolve flaky example tests (#1817) (0e700d8)
Resolve flaky tests (2bd9100)
Resolve migratest regressions (e9a1ed1)
Resolve regressions (1502ca1)
Resolve regressions (1a93b2f)
Resolve regressions (64850ed)
Resolve remaining regressions (f02804c)
Resolve remaining regressions (0224c22)
Resolve remaining regressions (1fa2aa5)
Resolve time locality issues (53b8b2a)
Restructure session struct tests (50d3f66)
Session AAL handling (6fea3e5)
Session activate (c86fa03)
sql: Fix incorrect UUID (ea2894e)
Temporarily enable lookup globally (458f559)
totp: Ensure context is cleaned up after use (1905883)
Upgrade cypress to 8.x (c8a1dfc)
Use different return handler (e489a43)
Various aal combinations for newflow (b095b99)
Webauth settings flow (4c82772)
Webauthn aal2 login (60ace8b)
Webauthn credentials (c3e1184)
Webauthn credentials counter (f7701f6)
webauthn: Ensure context is cleaned up after use (7a8055b)

Unclassified

test(e2e) improve reliability (763dd00)
Correct session godoc (7108e65)

Changelog

8988fb8d autogen(docs): generate and format documentation bd579513 autogen(docs): generate and format documentation a179af5b autogen(docs): generate and format documentation 02c9e264 autogen(docs): generate and format documentation 36bb336a autogen(docs): generate and format documentation b4346ca7 autogen(docs): generate and format documentation e44a9b1a autogen(docs): generate and format documentation 70439b6d autogen(docs): generate and format documentation 25dc73c9 autogen(docs): generate and format documentation 8f493078 autogen(docs): generate and format documentation 67947239 autogen(docs): generate cli docs 76b402e9 autogen(docs): generate cli docs 0a8b40b9 autogen(docs): generate cli docs 77677f6b autogen(docs): generate cli docs 80372841 autogen(docs): generate cli docs dc36fdab autogen(docs): generate cli docs 4450846d autogen(docs): generate cli docs fc211279 autogen(docs): generate cli docs 63c0e86a autogen(docs): generate cli docs 9e07f6b6 autogen(docs): generate cli docs 8da43001 autogen(docs): generate cli docs 33395edb autogen(docs): generate cli docs 390ca715 autogen(docs): generate cli docs 3409eda6 autogen(docs): generate cli docs 693e0e59 autogen(docs): generate cli docs 4c46676c autogen(docs): generate cli docs 0755d416 autogen(docs): generate cli docs 884e031e autogen(docs): generate cli docs c0ca141b autogen(docs): generate cli docs 1dc96243 autogen(docs): generate cli docs d4359ffe autogen(docs): generate cli docs 21270a85 autogen(docs): generate cli docs 3093b803 autogen(docs): generate cli docs cfbcb22b autogen(docs): generate cli docs 90c67f2a autogen(docs): generate cli docs 2555feb3 autogen(docs): generate cli docs 9dfde7d4 autogen(docs): generate cli docs 6ab68f50 autogen(docs): regenerate and update changelog 42e7b0d8 autogen(docs): regenerate and update changelog 5b456b3c autogen(docs): regenerate and update changelog c5385388 autogen(docs): regenerate and update changelog 71442e9d autogen(docs): regenerate and update changelog 43c31502 autogen(docs): regenerate and update changelog cf8c7b39 autogen(docs): regenerate and update changelog 729a28c6 autogen(docs): regenerate and update changelog fc6a9764 autogen(docs): regenerate and update changelog 0b6da5ee autogen(docs): regenerate and update changelog 62f925f9 autogen(docs): regenerate and update changelog 28ad689b autogen(docs): regenerate and update changelog 5f6d3698 autogen(docs): update milestone document 31162d24 autogen(docs): update milestone document 7f41777e autogen(docs): update milestone document a720bbf5 autogen(docs): update milestone document 0c934d62 autogen(docs): update milestone document aac05d14 autogen(docs): update milestone document 4f78407a autogen(docs): update milestone document 131e62ea autogen(docs): update milestone document 9f903f68 autogen(docs): update milestone document b4972b1b autogen(docs): update milestone document 7a1be570 autogen(docs): update milestone document dd6a06f0 autogen(docs): update milestone document db1ec368 autogen(docs): update milestone document 1cb20df1 autogen(docs): update milestone document c6aa6b57 autogen(docs): update milestone document 9c365eac autogen(docs): update milestone document d200c089 autogen(docs): update milestone document 6b1ee990 autogen(docs): update milestone document d2ae1be7 autogen(openapi): Regenerate openapi spec and internal client 521b246f autogen(openapi): Regenerate openapi spec and internal client ae868609 autogen: add v0.7.6-alpha.1 to version.schema.json c2c902c1 autogen: pin v0.8.0-alpha.1 release commit e50a698b autogen: pin v0.8.0-alpha.1.pre.0 release commit c9b95e0e autogen: pin v0.8.0-alpha.1.pre.1 release commit dbe8fe3b autogen: pin v0.8.0-alpha.1.pre.3 release commit e1845420 chore: add got a69dfd7c chore: bump cypress fba1a123 chore: bump ory/cli in makefile da9bbdd8 chore: bump packages 89e5a9d8 chore: clean up strategy test 480fb367 chore: cleanup b1a0713d chore: cleanup a6dfc41e chore: format 78802949 chore: format 7cfde27e chore: format afabb860 chore: format 81da04d4 chore: format and regenerate sdk 02d894d8 chore: regen docs 70a792a7 chore: regenerate SDK 98339623 chore: regenerate SDK 3c502f82 chore: regenerate SDK e5d0eebf chore: regenerate docs f4d89ea2 chore: regenerate internal sdk 5a672806 chore: regenerate sdk 3666421a chore: regenerate sdks 89e59210 chore: remove local replaces 0ef3d578 chore: remove obsolete comment f6479fbe chore: rename file to fix docs build in other repos 164a90d8 chore: replace deprecated go-jwt dependency (#1808) 7a8466c3 chore: replaced function call with helper function (#1875) 990a39b0 chore: typos and format 3ad2d04d chore: update OpenAPI spec and SDK (#1821) be99f8ec chore: update cypress 2875b0f2 chore: update docusaurus template 21f3535b chore: update docusaurus template (#1797) 40ba1476 chore: update docusaurus template (#1814) 6adea4fc chore: update go dependencies b53ffe4b chore: update go.mod 830ae305 chore: update modules 034806f1 chore: update repository templates 56eb5c68 chore: update repository templates 31cbcd38 chore: update repository templates (#1762) c2d876d3 chore: update repository templates (#1763) 387e1c24 chore: update repository templates (#1764) 2290a020 chore: update repository templates (#1768) 2c7467df chore: update repository templates (#1840) fc4b2a5b chore: update repository templates (#1884) b8edef36 chore: update repository templates to 8191b78131173cce8788143f6ad95119d9b813c5 761d6b69 chore: upgrade crdb 69df0cca chore: upgrade cypress 67ae276b ci: add browser-tools orb e57f3037 ci: bump browser tools 285cb0a7 ci: bump orbs 76159a2a ci: ignore test directories in codeql ec04a85c ci: install browser tools 5a18229f ci: resolve cypress issue with display being set 8e2cc4b9 ci: use correct crdb start cmd 7108e654 doc: correct session godoc c1f501e9 docs(credentials): add AAL explanation f7899a76 docs: add 2fa credentials b4eed763 docs: add 2fa guide 81ba2647 docs: add a commandline example for the logout (#1753) ac88060e docs: add admin ui guide 5e3a2cdb docs: add advanced custom UI documentation 6bc93ca7 docs: add image assets 42701405 docs: add missing angle bracket (#1799) 626c0c90 docs: add ory sessions as a concept e9453369 docs: add powershell to deps (#1853) 3799c24f docs: enhance error return values 8cd6428e docs: fix invalid syntax (#1819) 131d2c28 docs: fix the flow links used for rendering (#1752) 6d621ec8 docs: fix the invalid links (#1868) b7f90527 docs: remove obsolete file 72afb81b docs: update generated docs 6c677c49 docs: update quickstart curl examples (#1778) f007919b docs: use correct link 33cc7e02 feat(hash): PBKDF2 password hash verification (#1774) 882573df feat(identity): add AAL constants d3f1177a feat(logout): add logout token to browser response (#1758) 6184fe38 feat(persistence): add new columns for mfa 3a82c880 feat(session): respect 2fa enforcement in whoami a648ba3d feat(totp): add width and height to QR code 19a6bcc9 feat(totp): support account name setting from schema 198991a9 feat: API to return access, refresh, id tokens from social sign in (#1818) b12bf523 feat: add DeleteCredentialsType to identity struct including tests 554d7255 feat: add MFA enforcment option to whoami and settings 572a1315 feat: add intended_for_someone_else error code a5c7b114 feat: add aal fallback for existing sessions 035c2761 feat: add authenticators after set up a3ac253b feat: add e2e tests for react native 2fa dc2adbf5 feat: add error ids for csrf-related errors 246a0453 feat: add error ids for redirect-related errors 087d9073 feat: add error ids for session-related errors 50d04eaa feat: add explicit return_to to flow objects and API parameters 787558b4 feat: add ids for user-facing errors for login, registration, settings 63dba737 feat: add initial value to bool checkboxes 723e6eee feat: add internal context to login and registration afb6895d feat: add internal context to settings flow d0836beb feat: add lookup node to disable lookup 14119b62 feat: add lookup to config ead3833e feat: add lookup to identity dac4f759 feat: add lookup to migrations 4096fd3f feat: add mfa for non-browser ccc64d87 feat: add missing migrations 9d3daa65 feat: add option to disable recovery codes 5b959bea feat: add ory cli config 131e3803 feat: add schema patch for new initial_value field de0af955 feat: add script type and discriminator for attributes 7ffe0e97 feat: add smtp headers config option (#1747) 7cc7efa0 feat: add support for onclick javascript in ui nodes d1d66170 feat: add totp strategy for settings flow f8b95828 feat: add webauthn identity credential 3c0d519d feat: adding Dockle Container Linter (#1852) b8956bc0 feat: adjust to new aal error handling cf46339b feat: auto-generate list of messages aa23d5d5 feat: endpoint to list all identity schemas (#1703) c9d22d91 feat: generate sdks and update versions 99db3f03 feat: identity schema validation on startup (#1779) 45467e0c feat: implement AAL for login and sessions dbd1689c feat: implement endpoint for invalidating all sessions for a given identity (#1740) 8f3ce7b3 feat: implement lookup code settings and login e2bfbea1 feat: improve detection of AAL errors and return 422 instead of 403 b92e00e3 feat: improve labels for totp and lookup 87907b8d feat: improve session device annotations 37325a18 feat: in docker debug support with delve (#1789) ade13ea0 feat: introduce cve scanning (#1798) e3efc5d0 feat: mark recovery email address verified (#1665) 34cd5e8e feat: mark required fiels as required 1a1a350a feat: natively support social sign in for single-page apps 68112def feat: potentially add arm64 docker support c4d8516f feat: proper enum and type assertions for openapi 2717c595 feat: publish webauthn as loadable script instead of eval 8feff8da feat: redirect on login if session aal is not matched 869b4a5a feat: respect webauthn in session aal 16ed123a feat: sign in with apple (#1833) 5c9a4948 feat: sort totp nodes 22e4ed15 feat: stubable time in text package 54b4fb69 feat: support apple m1 29c060bd feat: support setting the identity state via the admin API (#1805) 74670bb4 feat: support strategy return to ui for settings e8f4d3cb feat: support webauthn for mfa 3269028d feat: treat lookup as aal2 in session 59e808e8 feat: use discriminators for ui node types in spec efe272f0 feat: use initial_value in lookup strategy 35ea8db3 fix(link): resolve incorrect response types when opening API recovery link in browser 8dc70592 fix(login): properly handle refresh 5ed4c557 fix(lookup): ensure correct fields are set dbfe475b fix(lookup): resolve reuse scenarios 2f373f34 fix(lookup): set up codes correctly 71583c57 fix(oidc): ensure nested keys work on login b877dbec fix(test): OIDC storategy test (#1836) d096df73 fix(totp): reorder QR a6595e49 fix(ui): use correct type for anchor b6123b48 fix(webauthn): support react-based webauth d3aff6d3 fix: API client leaks stack trace with an error (#1772) b9d253ef fix: Add middleware earlier #1775 (#1776) 11b25deb fix: OIDC provider field in spec (#1809) 14427842 fix: add error id 436992dd fix: add mfa e2e test scenarios and resolve found issues 2ec801f2 fix: allow refresh and aal upgrade at the same time 1e457e3b fix: better const handling for internal context d614f2a7 fix: correct swagger path for /identities/:id/session endpoint (#1756) febf75ae fix: decoder regression in registration e48d90ad fix: deterministic clidoc dates 7278589f fix: disable totp per default a830f5b3 fix: docs autogen should not use time.Now 77ce709d fix: ensure correct error propagation a10b3855 fix: ensure refresh issues a new session when the identity changes d615734c fix: ensure return_to works for OIDC flows 284cf29a fix: explicit validation for return to in new flows 0a7c8128 fix: follow chrome webauthn best practice recommendation 1b509635 fix: githup-app name in config (#1822) 0e8d481c fix: handle return errors on the frontend and break early 57fd99ac fix: identity credential identifiers are now unique per method f793fe56 fix: improve schema validation error tracing 1501f562 fix: incorrect JSON response for browser flows e5a98e54 fix: kill modd as well bf2ec6e6 fix: omitempty for VerifiedAt and StateChangedAt (#1736) 4c5677f3 fix: only respect required modules for SDK 0a49f271 fix: panic when recovering deactivated user 693a9286 fix: potentially resolve hanging postgres connection closing 49b6288c fix: properly encode aal error 23c12e55 fix: properly open recovery endpoints in browser if flow was initiated via API 4e691238 fix: remove duplicate schema error 0cc984b8 fix: remove initial_value again as it was not useful outside of booleans 11618ecc fix: remove obsolete openapi patch 351760ec fix: remove unnecessary cmd reference 2e2b0f84 fix: replace 302 with 303 1aaaa035 fix: resolve clidoc generation issue 1dc74976 fix: resolve merge issues f7d60c02 fix: resolve openapi issues and regenerate clients 02b9d470 fix: resolve swagger regression f55f6f69 fix: run format on ts files ae20c177 fix: slow CLI start-up time e7ae8d63 fix: try and reduce cookie flakyness 8c4d8a22 fix: typo 539ae730 fix: update schema config location 8736334b fix: use parallelism of 1 in go test 05d73bee fix: x-session-token must not be mandatory 4cb082ce refactor(courier): support SMTP schemes for implicit TLS, explicit StartTLS, and cleartext SMTP (#1831) 8d1e54bd refactor(login): rename forced -> refresh df4846d3 refactor(login): support 2FA for non-browser SDKs a6d134de refactor(session): CreateAndIssueCookie is now UpsertAndIssueCookie 3ec81a2c refactor(session): CreateSession is now UpsertSession 12f98f28 refactor(settings): change settings success response 421a3190 refactor: homogenize error messages 0be993be refactor: improved prometheus metrics (#1830) 92087e5f refactor: login flow forced renamed to refresh 01a26025 refactor: move expired error into top-level flow module 0ee67c38 refactor: move homebrew tap to ory/tap b0a86dc6 refactor: move node identifiers to node package 8aa53187 refactor: revert decision to return 422 errors and streamline 401/403 3f067386 refactor: sdk API is no v0alpha2 d493d104 revert: 3745014 1af3530c style: format 03e76ea0 style: format b8dec6f1 style: format 3252c10a style: format fe1d7dd8 style: format 3f222abf style: format 763dd006 test(e2e) improve reliability d9a25df1 test(e2e): add SPA tests for login and refactor tests to typescript b0c67769 test(e2e): add SPA tests for logout and refactor tests to typescript a61ed1ed test(e2e): add SPA tests for registration and refactor tests to typescript 159b25f7 test(e2e): add baseurl 0c91f0c8 test(e2e): add checkboxes to schemas 7d879856 test(e2e): add config for proxy to simplify cy.visit logic a60d157b test(e2e): add mfa profile 48cd8aeb test(e2e): add modd to build 21b35b02 test(e2e): add more helpers and ts defs 755ac60c test(e2e): add more helpers for various flows and proxy settings 30423c92 test(e2e): add more routes to registry 60bd63f3 test(e2e): add more typings for cypress helpers 8fafc40d test(e2e): add plugin for using got b5668df7 test(e2e): add proxy capabilities for react native app b6014eee test(e2e): add recovery tests for SPA 2625d168 test(e2e): add spa as allowed redirect url c82d68db test(e2e): add support functions and type definitions 4806add1 test(e2e): clean up helper 21961290 test(e2e): complete SPA tests for all mfa flows 72f2c5fb test(e2e): default and empty values and required fields 287269c9 test(e2e): ensure advanced types work in forms also a9ff5457 test(e2e): ensure correct app acf5c3d6 test(e2e): finalize mobile tests a49eda8e test(e2e): force port 7798e193 test(e2e): homogenize profiles 841da091 test(e2e): hot reload ory kratos on changes 3dea57ff test(e2e): implement recovery tests for SPA fb55f347 test(e2e): implement required verification tests for SPA 43df22bd test(e2e): improve stability for login tests a1c59a34 test(e2e): improve stability for registration tests 061a7e34 test(e2e): improve test reliability 54d8cd65 test(e2e): migrate email tests to new proxy set up 566336d9 test(e2e): migrate settings tests to typescript and add SPA tests c21fa268 test(e2e): move config to lower level and publish as package eddeb851 test(e2e): move registration tests to new proxy set up db423469 test(e2e): port mobile test to typescript 5853d1a6 test(e2e): port remaining e2e tests to typescript e237d66a test(e2e): potentially resolve flaky login test eae6f5d1 test(e2e): potentially resolve webauthn startup issues 2e869cff test(e2e): prototype typescript implementation 1a560a37 test(e2e): recreate identities per flow cae86e7f test(e2e): reduce flaky tests bfea354f test(e2e): reduce test flakes in lookup codes 76092194 test(e2e): refactor and add support for SPA app af10b03e test(e2e): remove wait condition c7cf134f test(e2e): resolve broken test de7cc59f test(e2e): resolve flaky test 16277456 test(e2e): resolve flaky test issues 2a2a3cb0 test(e2e): resolve next not starting d62f0c02 test(e2e): resolve regression aaff34ed test(e2e): resolve regressions af9aedc8 test(e2e): resolve regressions 293d9208 test(e2e): revert proxy changes a5dca283 test(e2e): stabilize e2e tests 8ffac9d1 test(e2e): temporarily add totp to default profile a3204cf9 test(e2e): update e2e profiles to new proxy set up 6f4b5340 test(e2e): use 127.0.0.1 to prevent ipv6 issues 9c67c492 test(e2e): wait for oidc to trigger 68d6a876 test(lookup): add secret_disable to snapshots 8a210c41 test(lookup): ensure context is cleaned up after use 89736ed9 test(lookup): refresh and reuse scenarios 71a5649a test(migration): resolve mysql migration issue with empty array ea2894ed test(sql): fix incorrect UUID 19058830 test(totp): ensure context is cleaned up after use 7a8055be test(webauthn): ensure context is cleaned up after use 2ca153f0 test: AcceptToRedirectOrJSON f7390184 test: ErrStrategyAsksToReturnToUI behavior ff9ff048 test: ID methods of node attributes 5986e38e test: aal in login.NewFlow 7431e9fc test: add TOTP to profile 152bfc72 test: add TestEnsureInternalContext 58b388c7 test: add credentials test 3bdb8abb test: add expired test to login handler 5eb090b2 test: add identity change test to settings submit 20617f62 test: add initial spa e2e test c9d456bf test: add initial totp integration tests a71cadde test: add login tests 3c96ab05 test: add migrations tests for new tables 1214eeee test: add react app to e2e tests c4f05ba6 test: add schema test for totp config eedb60be test: add session amr test 69595652 test: add settings tests 14731c4e test: add test for TOTPIssuer 3977a9c4 test: add test for ui error page 817e3ecb test: add totp registry tests c5a0d0f8 test: add totp settings tests 47bd057d test: add update session test a40d7fe4 test: additional checks for flow hydration b0b2d817 test: amr persistence a23d8518 test: check if internal context is validated in store 03b37e76 test: checkAAL 6e503cff test: complete TOTP login integration tests 81c3064d test: enable cookie debug 5cbab54f test: ensure aal and amr is set on recovery cbbcdd2e test: ensure aal2 can not be used for oidc d9d39f0b test: ensure aal2 can not be used for password 80408b4c test: ensure authenticated_at after all upgrade 9eafc101 test: ensure redirect_url in password strategy 97e59e61 test: finalize webauthn tests 246c5802 test: fix regressions in the tests b704d083 test: fix tests in cmd/serve (#1755) 4d54fbb3 test: login form submission with AAL 0cce70f4 test: move to cupaloy for snapshots c31915de test: properly refresh mobile session 25c88b55 test: registry regression f60050e0 test: remove todo items 147c6704 test: resolve flaky config test db98d010 test: resolve flaky config test (#1832) 0e700d89 test: resolve flaky example tests (#1817) 2bd91003 test: resolve flaky tests e9a1ed18 test: resolve migratest regressions 1a93b2fb test: resolve regressions 64850ed3 test: resolve regressions 1502ca1e test: resolve regressions 0224c22e test: resolve remaining regressions 1fa2aa5b test: resolve remaining regressions f02804c5 test: resolve remaining regressions 53b8b2a2 test: resolve time locality issues 50d3f66f test: restructure session struct tests 6fea3e5a test: session AAL handling c86fa03d test: session activate 458f559e test: temporarily enable lookup globally c8a1dfca test: upgrade cypress to 8.x e489a439 test: use different return handler b095b990 test: various aal combinations for newflow 4c82772a test: webauth settings flow 60ace8b3 test: webauthn aal2 login c3e1184e test: webauthn credentials f7701f62 test: webauthn credentials counter