The 2022 winter release of Ory Kratos is here, and we are extremely excited to share with you some of the highlights included:

• Ory Kratos now supports verification and recovery codes, which replace are now the default strategy and should be used instead of magic links.
• Import of MD5-hashed passwords is now supported.
• Ory Kratos can now act as the login app for the Ory Hydra Consent & Login Flow using the oauth2_provider.url configuration value.
• Ory Kratos' SDK is now released as version 1. Learn more in the upgrade guide.
• New APIs are available to manage Ory Sessions.
• Ory Sessions now contain device information.
• Added all claims to the Social Sign-In data mapper as well as the option to customize admin and public metadata.
• Add webhooks that can block the request, useful to do some additional validation.
• Add asynchronous webhooks which do not block the request.
• A CLI helper to clean up stale data.

Please read the changelog carefully to identify changes which might affect you. Always test upgrading with a copy of your production system before applying the upgrade in production.

Breaking Changes

This patch changes the behavior of the recovery flow. It introduces a new strategy for account recovery that sends out short "one-time passwords" (code) that a user can use to prove ownership of their account and recovery access to it. This PR also updates the default recovery strategy to code.

This patch invalidates recovery flows initiated using the Admin API. Please re-generate any admin-generated recovery flows and tokens.

This is a breaking change, as it removes the courier.message_ttl config key and replaces it with a counter courier.message_retries.

Closes https://github.com/ory/kratos/issues/402 Closes https://github.com/ory/kratos/issues/1598

SDK Method getJsonSchema was renamed to getIdentitySchema.

Bug Fixes

• Active attribute based off IsActive checks (#2901) (bcbf68e)

• Add issuerURL for apple id (#2565) (2aeb0a2):

  No issuer url was specified when using the Apple ID provider, this forced usersers to manually enter it in the provider config.

  This PR adds the Apple ID issuer url to the provider simplifying the setup.

• Add missing go.mod to docker build (7c4964e)

• Add support for verified Graph API calls for facebook oidc provider (#2547) (1ba7c66)

• Admin recovery CSRF & duplicate form elements (#2846) (de80b7f)

• Bump docker image (#2594) (071c885)

• Bump graceful to deal with http header timeouts (9ce2d26)

• Cache migration status (#2631) (9020738):

  See https://github.com/ory-corp/cloud/issues/2691

• Check return code of ms graphapi /me request. (#2647) (3f490a3)

• cli: Dry up code (#2572) (d1b6b40)

• Codecov (#2879) (e446c5a)

• Correct name of span on recovery code deletion (#2823) (44f775f)

• Correctly calculate expired_at timestamp for FlowExpired errors (#2836) (ddde43e)

• Debugging Docker setup (#2616) (aaabe75)

• Disappearing title label on verification and recovery flow (#2613) (29aa3b6), closes #2591

• Distinguish credential types properly when collecting identifiers (#2873) (705f7b1)

• Do not crash process on invalid smtp url (#2890) (c5d3ebc):

  Closes https://github.com/ory-corp/cloud/issues/3321

• Do not double-commit webhooks on registration (#2888) (88e75d9)

• Do not invalidate recovery addr on update (#2699) (1689bb9)

• docker: Add missing dependencies (#2643) (c589520)

• docker: Update images (b5f80c1)

• Duplicate messages in recovery flow (#2592) (43fcc51)

• Express e2e tests for new account experience (#2708) (84ea0cf)

• Format (0934def)

• Format check stage in the CI (#2737) (bbe4463)

• Gosec false positives (e3e7ed0)

• Identity sessions list response includes pagination headers (#2763) (0c2efa2), closes #2762

• identity: Migrate identity_addresses to lower case (#2517) (c058e23), closes #2426

• Ignore commata in HIBP response (0856bd7)

• Ignore CSRF for session extension on public route (866b472)

• Ignore error explicitly (772d596)

• Improve migration status speed (#2637) (a2e3c41)

• Include flow id in use recovery token query (#2679) (d56586b):

  This PR adds the selfservice_recovery_flow_id to the query used when "using" a token in the recovery flow.

  This PR also adds a new enum field for identity_recovery_tokens to distinguish the two flows: admin versus self-service recovery.

• Include metadata_admin in admin identity list response (#2791) (aa698e0), closes #2711

• Incorrect swagger annotation for getSession (#2891) (797ea68)

• lint: Fixed lint error causing ci failures (4aab5e0)

• Make courier.TemplateType an enum (#2875) (65aeb0a)

• Make hydra consistently localhost (70211a1)

• Make ID field in VerifiableAddress struct optional (#2507) (0844b47), closes #2506

• Make servicelocator explicit (4f841da)

• Make swagger/openapi go 1.19 compatible (fec6772)

• Mark gosec false positives (13eaddb)

• Metadata should not be required (05afd68)

• Migration error detection (a115486)

• Missing usage to recovery_code_invalid template (#2798) (5ac7553)

• Not cleared field validation message (#2800) (cdaf68d)

• Panic (1182278)

• Patch invalidates credentials (#2721) (c4d95af), closes ory/cloud#148

• Potentially resolve tx issue in crdb (#2595) (9d22035)

• Preserve return_to param between flows (#2644) (f002649)

• Proper annotation for patch (#2784) (0cbfe41)

• Re-add service to quickstart (8c52c33)

• Re-issue outdated cookie in /whoami (#2598) (bf6f27e), closes #2562

• Remove jackc rewrites (#2634) (fe00c5b)

• Remove jsonnet import support (d708c81)

• Remove newline sign from email subject (#2576) (ca3d9c2)

• Remove rust workaround (355ec43)

• Replace io/util usage by io and os package (e2d805b)

• Resolve bug where 500s in web hooks are not properly retried (e572e81)

• Respect more http sources for computing request URL (66a9448)

• Return browser to 'return_to' when logging in without registered account using oidc. (#2496) (a4194f5), closes #2444

• Return empty array not null when there are no sessions (#2548) (fffba47)

• Revert Go 1.19 formatting changes (7fb085b)

• Revert removal of required field in uiNodeInputAttributes (#2623) (fee154b)

• sdk: Identity metadata is nullable (#2841) (4c70578):

  Closes https://github.com/ory/sdk/issues/218

• sdk: Make InputAttributes.Type an enum (ff6190f)

• sdk: Rust compile issue with required enum (#2619) (8800085)

• Send out correct verification invalid email in code strategy (#2908) (d2bb67a)

• Set cache default to false (#2906) (e407f92)

• Take over return_to param from unauthorized settings to login flow (#2787) (504fb36)

• Unable to find JSON Schema ID: default (#2393) (f43396b)

• Use correct download location for golangci-lint (c36ca53)

• Use errors instead of fatal for serve cmd (02f7e9c)

• Use full URL for webhook payload (72595ad)

• Use process-isolated Jsonnet VM (#2869) (9eeedc0)

• Verification redirect & continue label (#2905) (e1119e8):

  This PR resolves an issue with the redirect after a successful verification, if not specified.

• Wrap migration error in WithStack (#2636) (4ce9f1e)

• Wrong config key in admin recovery documentation (#2815) (154b61b)

• X-forwarded-for header parsing (#2807) (4682afa)

Code Generation

• Pin v0.11.0 release commit (59c30b6)

Code Refactoring

• Hot reloading (b0d8f38)

• Make embedding easier with internal sdk (e9aa21f)

• SDK v1 naming (11f9d30):

  Find the full upgrade guide in our documentation.

• sdk: Rename getJsonSchema to getIdentitySchema (#2606) (8dc2ecf)

• Use gotemplates for command usage (baa84c6)

• Use gotemplates for command usage (#2770) (1d22b23)

Documentation

• Cleanup v0alpha2 endpoint summaries (db9a95b)
• Cypress on arm based mac (#2795) (d8514b5)
• Enable 2FA methods in docker-compose quickstart setup (#2828) (8f52e8b)
• Fix badge (dbb7506)
• Importing credentials supported (4e8b5cf)
• sdk: Identifier is actually required (#2593) (f89d279)
• sdk: Incorrect URL (#2521) (ac6c4cc)
• Update README (5da4c6b)
• Update readme badges (7136e94)
• Write messages as single json document (#2519) (3d8cf38), closes #2498

Features

• Add "success" UITextType (#2900) (2ff34b6)

• Add admin get api for session (#2855) (1aa1321)

• Add api endpoint to fetch messages (#2651) (5fddcbf):

  Closes https://github.com/ory/kratos/issues/2639

• Add autocomplete attributes (#2523) (6284a9a), closes #2396

• Add cache headers (#2817) (71e2449)

• Add codecov yaml (90da0bb)

• Add DingTalk social login (#2494) (7b966bd)

• Add flow id check to use verification token (#2695) (54c64fc)

• Add handler with openapi def for admin revoke session (#2867) (2438ca0)

• Add identity id to "account disabled" error (#2557) (f09b1b3)

• Add missing config entry (8fe9de6)

• Add missing cookie headers to SDK methods (#2720) (32e32d1):

  See https://github.com/ory/kratos/discussions/2583

• Add OpenTelemetry span events (#2858) (37b1a3b)

• Add PATCH to adminUpdateIdentity (#2380) (#2471) (94a3741)

• Add pre-hooks to settings, verification, recovery (c0ceaf3)

• Add session cache header feature flag (#2899) (02a92b4), closes ory-corp/cloud#3283

• Add support for firebase scrypt hashes on identity import and login hash upgrade (#2734) (3852eb4), closes #2422

• Add verification via code (#2838) (a82ee92), closes #2824:

  The new code strategy is now supported as a verification strategy. If enabled, the strategy sends a code, instead of a magic link to the user's address, which they can use to verify their address.

• Adding admin session listing api (#2818) (59588d2)

• Adding device information to the session (#2715) (82bc9ce):

  Closes https://github.com/ory/kratos/issues/2091 See https://github.com/ory-corp/cloud/issues/3011

  Co-authored-by: Patrik zepatrik@users.noreply.github.com

• Allow importing scrypt hashing algorithm (#2689) (3e3b59e), closes #2422:

  It is now possible to import scrypt-hashed passwords.

• Allow setting public and admin metadata with the jsonnet data mapper (#2569) (aa6eb13), closes #2552

• Automatic TLS certificate reloading (#2744) (09751e6)

• Change code length to 6 numbers (#2894) (56feb07)

• cli: Helper for cleaning up stale records (#2406) (29d6376), closes #952

• Forward parsed request cookies to webhook Jsonnet snippet (#2917) (70ed068):

  Request cookies were already available in raw form in the ctx.request_headers top-level argument to the Jsonnet snippet. Parsing cookies in Jsonnet is tedious and error-prone, though, so we parse them internally for convenience.

• Handler for update API with credentials (#2423) (561187d), closes #2334

• Immutable cookie session values (#2761) (a6f2793), closes #2701

• Implement blocking webhooks (#1585) (e48e9fa), closes #1724 #1483

• Improve cache handling (6e8579b)

• Improve state generation logic (546ee3d)

• Ingest hydra bugfix (3c11216)

• OAuth2 integration (#2804) (7c6eb2a):

  This feature allows Ory Kratos to act as a login provider for Ory Hydra using the oauth2_provider.url configuration value.

  Closes https://github.com/ory/kratos/issues/273 Closes https://github.com/ory/kratos/discussions/2293 See https://github.com/ory/kratos-selfservice-ui-node/pull/50 See https://github.com/ory/kratos-selfservice-ui-node/pull/68 See https://github.com/ory/kratos-selfservice-ui-node/pull/108 See https://github.com/ory/kratos-selfservice-ui-node/pull/111 See https://github.com/ory/kratos-selfservice-ui-node/pull/149 See https://github.com/ory/kratos-selfservice-ui-node/pull/170 See https://github.com/ory/kratos-selfservice-ui-node/pull/198 See https://github.com/ory/kratos-selfservice-ui-node/pull/207

• Parse all id token claims into raw_claims (#2765) (1da0cf6), closes #2528:

  All ID Token claims resulting from the Social Sign In flow are now available in raw_claims and can be used in the Social Sign In JsonNet Mapper.

• Replace magic links with one time codes in recovery flow (#2645) (a1532ba), closes #1451:

  This feature introduces a new code strategy to recover an account.

  Currently, if a user needs to initiate a recovery flow to recover a lost password/MFA/etc., they’ll receive an email containing a “magic link”. This link contains a flow_id and a recovery_token. This is problematic because some antivirus software opens links in emails to check for malicious content, etc.

  Instead of the magic link, we send an 8-digit code that is clearly displayed in the email or SMS. A user can now copy/paste or type it manually into the text-field that is shown after the user clicks “submit” on the initiate flow page.

• Replace message_ttl with static max retry count (#2638) (b341756):

  This PR replaces the courier.message_ttl configuration option with a courier.message_retries option to limit how often the sending of a message is retried before it is marked as abandoned.

• Standardize license headers (#2790) (8406eaf)

• Support ip exceptions (de46c08)

• Support md5 hash import (#2725) (d1b4e17)

• Trace WebHooks (#2911) (665605b):

  Previously the context was not propagated to the http client. As a result the (instrumented) client did not find the existing span and the sapns for outgoing http request have been orphains.

  With this simple Fix they are now children of the corresponding webhook spans.

• Update for the Ory Network (#2814) (3e09e58)

• Upgrade hydra to v2 (fdb108f)

Reverts

• Revert "autogen(openapi): regenerate swagger spec and internal client" (24eddfb):

  This reverts commit 4159b93ae3f8175cf7ccf77d34e4a7a2d0181d4f.

Tests

• e2e: Add typescript (37018c0)
• e2e: Fix flaky assertions (21a8487)
• e2e: Fix issuer config (32454d2)
• e2e: Fix webauthn regression (26001e7)
• e2e: Improve webauthn test reliability (4d323d0)
• e2e: Migrate to cypress 10.x (317fab0)
• e2e: Resolve flaky hydra configuration (d8c82da)
• e2e: Resolve max-age and issuer regression (0ee4cf0)
• e2e: Resolve max-age regression (904f75d)
• e2e: Use correct dir (907dbe3)
• Fix broken assertions (e5f1311)
• Fix oidc test regression (6c14b68)
• Improve e2e tooling (390ccaa)
• Parallelize and speed up config tests (#2611) (d8dea01)
• Resolve builder regression (934c30d)
• Try and recover from allocated port error (3b5ac5f)
• Update snapshots (#2877) (cbaaceb)

Unclassified

• Revert "refactor: use gotemplates for command usage (#2770)" (#2778) (d612612), closes #2770 #2778:

  This reverts commit 1d22b235291ce7102dd186a53a431b55780973d3.

• Remove empty script (#2739) (1515b83), closes #2739

Changelog

• 1515b839 Remove empty script (#2739)
• 24eddfb2 Revert "autogen(openapi): regenerate swagger spec and internal client"
• d6126123 Revert "refactor: use gotemplates for command usage (#2770)" (#2778)
• d74c3ffa autogen(docs): generate and bump docs
• 995bd0a4 autogen(docs): regenerate and update changelog
• 5d1ff109 autogen(docs): regenerate and update changelog
• 26f2618b autogen(docs): regenerate and update changelog
• 930a4752 autogen(docs): regenerate and update changelog
• 57e569e0 autogen(docs): regenerate and update changelog
• 659cf575 autogen(docs): regenerate and update changelog
• b6c212cf autogen(docs): regenerate and update changelog
• c8805b64 autogen(docs): regenerate and update changelog
• 9d640330 autogen(docs): regenerate and update changelog
• 8fa14ecb autogen(docs): regenerate and update changelog
• 2d46209a autogen(docs): regenerate and update changelog
• 573bd160 autogen(docs): regenerate and update changelog
• 585c26be autogen(docs): regenerate and update changelog
• 782d8296 autogen(docs): regenerate and update changelog
• 1fbca138 autogen(docs): regenerate and update changelog
• bdc3797a autogen(docs): regenerate and update changelog
• 99a198d0 autogen(docs): regenerate and update changelog
• 6f7889d2 autogen(docs): regenerate and update changelog
• d75927e0 autogen(docs): regenerate and update changelog
• e17064de autogen(docs): regenerate and update changelog
• a3187782 autogen(docs): regenerate and update changelog
• ba3cf235 autogen(docs): regenerate and update changelog
• 40e22582 autogen(docs): regenerate and update changelog
• 3c00b66b autogen(docs): regenerate and update changelog
• 5bce0b99 autogen(docs): regenerate and update changelog
• e746c330 autogen(docs): regenerate and update changelog
• 0815d43e autogen(docs): regenerate and update changelog
• 9de4705f autogen(docs): regenerate and update changelog
• 8c8833e3 autogen(docs): regenerate and update changelog
• 3b640ca9 autogen(docs): regenerate and update changelog
• 14c79b46 autogen(docs): regenerate and update changelog
• 6424352d autogen(docs): regenerate and update changelog
• 0c8263b7 autogen(docs): regenerate and update changelog
• 411cd791 autogen(docs): regenerate and update changelog
• 7ec3fe3f autogen(docs): regenerate and update changelog
• ac847bbf autogen(docs): regenerate and update changelog
• 1cd2672c autogen(docs): regenerate and update changelog
• 2b253769 autogen(docs): regenerate and update changelog
• de363c6f autogen(docs): regenerate and update changelog
• 60fed3c1 autogen(docs): regenerate and update changelog
• fa4b59b8 autogen(docs): regenerate and update changelog
• bc2dfd30 autogen(docs): regenerate and update changelog
• f5c4cca4 autogen(docs): regenerate and update changelog
• 6bf5d93e autogen(docs): regenerate and update changelog
• 26d43c12 autogen(docs): regenerate and update changelog
• 7299c86e autogen(docs): regenerate and update changelog
• e126586d autogen(docs): regenerate and update changelog
• 15f5b1bd autogen(docs): regenerate and update changelog
• d9e6a7c2 autogen(docs): regenerate and update changelog
• 4e5aac2b autogen(docs): regenerate and update changelog
• db8c345f autogen(docs): regenerate and update changelog
• 1787e686 autogen(docs): regenerate and update changelog
• 5c140cec autogen(docs): regenerate and update changelog
• bcf2bbd2 autogen(docs): regenerate and update changelog
• 15d72d90 autogen(docs): regenerate and update changelog
• ed99539b autogen(docs): regenerate and update changelog
• a0d2bfba autogen(openapi): regenerate swagger spec and internal client
• d7ce190f autogen(openapi): regenerate swagger spec and internal client
• b8b8cfcb autogen(openapi): regenerate swagger spec and internal client
• 8b791b9b autogen(openapi): regenerate swagger spec and internal client
• 4eef5d90 autogen(openapi): regenerate swagger spec and internal client
• 576f9c0c autogen(openapi): regenerate swagger spec and internal client
• 037c0957 autogen(openapi): regenerate swagger spec and internal client
• 00cd0961 autogen(openapi): regenerate swagger spec and internal client
• 5cc3201b autogen(openapi): regenerate swagger spec and internal client
• 0860ef36 autogen(openapi): regenerate swagger spec and internal client
• f0bd67e7 autogen(openapi): regenerate swagger spec and internal client
• f040c9dd autogen(openapi): regenerate swagger spec and internal client
• 04111f84 autogen(openapi): regenerate swagger spec and internal client
• 60f4a2c2 autogen(openapi): regenerate swagger spec and internal client
• 39bb84dd autogen(openapi): regenerate swagger spec and internal client
• 1969b76c autogen(openapi): regenerate swagger spec and internal client
• a9f6b7f6 autogen(openapi): regenerate swagger spec and internal client
• bd4af9ab autogen(openapi): regenerate swagger spec and internal client
• 02b91009 autogen(openapi): regenerate swagger spec and internal client
• 816b029e autogen(openapi): regenerate swagger spec and internal client
• 1b677733 autogen(openapi): regenerate swagger spec and internal client
• 2b8a4f50 autogen(openapi): regenerate swagger spec and internal client
• ec70a306 autogen(openapi): regenerate swagger spec and internal client
• 3e1c444a autogen(openapi): regenerate swagger spec and internal client
• 4159b93a autogen(openapi): regenerate swagger spec and internal client
• e03a2b39 autogen(openapi): regenerate swagger spec and internal client
• 1a397ac9 autogen(openapi): regenerate swagger spec and internal client
• 182ed14f autogen(openapi): regenerate swagger spec and internal client
• cf63a1c1 autogen: add v0.10.1 to version.schema.json
• 59c30b68 autogen: pin v0.11.0 release commit
• 624e1f0d autogen: pin v0.11.0-alpha.0.pre.2 release commit
• bfe46afa chore(sdk): update order of arguments (#2840)
• fcba0237 chore: add additional files to gitignore
• 7e7e58bc chore: add node version check to test/e2e/run.sh (#2745)
• aa83e464 chore: broken link in API docs (#2534)
• 8d924254 chore: bump go to 1.19
• b1ff2208 chore: bump ory/x (#2882)
• e314968b chore: consolidate .gitignore files (#2881)
• 8102178d chore: debugf (#2842)
• e55d22f1 chore: delete semantic.yml (#2554)
• 0dcf0732 chore: deprecate coupon (#2597)
• a46cef62 chore: dry up code (#2541)
• 77c53fdc chore: fix formatting (#2753)
• ae4a72ef chore: fix golangci/lint version to v1.47.3
• 9346c183 chore: fix package-lock.json (#2861)
• bad43a80 chore: format
• de777710 chore: format
• cae5baaa chore: format
• 20fdfe8d chore: format using Make (#2736)
• 1ff40ae6 chore: format using Make (#2748)
• fc957307 chore: go 1.19 format
• 5e8c184e chore: improve package-lock.json package.json (#2712)
• f3c4aba0 chore: license checker (#2851)
• 30262cbe chore: list contributors in file (#2878)
• b3dca564 chore: remove .only from test (#2893)
• 8e01e61d chore: remove dead code (#2769)
• 1736d80d chore: remove double-tabs in Makefile (#2747)
• b553f506 chore: remove ioutil from open api templates
• 4a8f151e chore: remove legacy codedoc
• 70976e65 chore: remove listx dependency (#2752)
• af2747bb chore: remove obsolete header (#2857)
• 62261773 chore: update ory-prettier-styles (#2749)
• 8fceadc8 chore: update ory/x (#2871)
• af32ba84 chore: update repository templates
• 191cee8c chore: update repository templates
• b7e28166 chore: update repository templates
• e25c886d chore: update repository templates
• 8dbf04d0 chore: update repository templates
• aa6ef6de chore: update repository templates
• 6e3fdb7d chore: update repository templates
• 49540dd6 chore: update repository templates
• bd867832 chore: update repository templates
• e581ec67 chore: update repository templates
• ad230537 chore: update repository templates
• dd75378e chore: update repository templates
• e1e08d34 chore: update repository templates
• e5732554 chore: update repository templates
• 439f0158 chore: update repository templates to https://github.com/ory/meta/commit/19eed817e5d5b64509887ef5f1e3eff3e3ce03a1
• 8043371e chore: update repository templates to https://github.com/ory/meta/commit/23d918a32533554c30d720dc44e821de3cda18f8
• 2a6fd203 chore: update repository templates to https://github.com/ory/meta/commit/47569d9893f0bae29676417807de790338fec9be
• 93d4bf55 chore: update repository templates to https://github.com/ory/meta/commit/4a68ca0e3b70305c4a49a65777cb7f83a5eb9d89
• 8cebb8b2 chore: update repository templates to https://github.com/ory/meta/commit/4ef13422e91f15b9f70014a0d67b92498ab728d1
• 53bf4d08 chore: update repository templates to https://github.com/ory/meta/commit/6ab5ce6da0cc57d4492e932602bbfd4a76547795
• 968bf6bf chore: update repository templates to https://github.com/ory/meta/commit/852a1aece5fefac0a03f928672538c5d8c536ad8
• b024e09e chore: update repository templates to https://github.com/ory/meta/commit/935cc0443464fd76fbf41dff1081b368080c9353
• ddecb891 chore: update repository templates to https://github.com/ory/meta/commit/9f57fecccae6e37a4b7ff5863a683d27e583cd0f
• 2b42ddb2 chore: update repository templates to https://github.com/ory/meta/commit/a2fba7e968572391ac4a55ce362dca0c4800c97d
• 8ef7cd57 chore: update repository templates to https://github.com/ory/meta/commit/b41b1ee5ed62f47bac563014929c64bff0c14163
• ae6fbb85 chore: update repository templates to https://github.com/ory/meta/commit/d3f8710e356fb833d4bd71b4ba19d062df2ea89e
• 5af2c0ac chore: update x/sys for M1
• b2b0eb09 ci: add CVE-2022-30065 to trivy ignore
• 01abc2c2 ci: add sdk scope to conventional commits
• 1d7381ac ci: add issues and PRs to board
• 9391d686 ci: add moreutils and gettext
• 4e8a8c1c ci: additional types and scopes for conventional commits (#2626)
• d2d43219 ci: bump dockle action
• 28ccc011 ci: bump hydra
• 5a8a484b ci: delete semantic.yml (#2627)
• 34543f3a ci: fix codecov config
• e00a9766 ci: fix to Go 1.18
• 169e4107 ci: fix version
• bad3418c ci: ignore busybox cve
• 73ed1923 ci: ignore schema YAMLs
• 37ff495d ci: remove deprecated linters (replaced by unused)
• 09c5cc9a ci: shorten label (#2514)
• 8012a3e8 ci: update hydra
• 98edbfbc ci: update project action
• f89d2794 docs(sdk): identifier is actually required (#2593)
• ac6c4ccf docs(sdk): incorrect URL (#2521)
• db9a95b6 docs: cleanup v0alpha2 endpoint summaries
• d8514b50 docs: cypress on arm based mac (#2795)
• 8f52e8b7 docs: enable 2FA methods in docker-compose quickstart setup (#2828)
• dbb7506e docs: fix badge
• 4e8b5cf7 docs: importing credentials supported
• 5da4c6b9 docs: update README
• 7136e940 docs: update readme badges
• 3d8cf38e docs: write messages as single json document (#2519)
• 29d6376e feat(cli): helper for cleaning up stale records (#2406)
• 7c6eb2a5 feat: OAuth2 integration (#2804)
• 2ff34b60 feat: add "success" UITextType (#2900)
• 7b966bd1 feat: add DingTalk social login (#2494)
• 37b1a3bb feat: add OpenTelemetry span events (#2858)
• 94a37416 feat: add PATCH to adminUpdateIdentity (#2380) (#2471)
• 1aa13211 feat: add admin get api for session (#2855)
• 5fddcbf6 feat: add api endpoint to fetch messages (#2651)
• 6284a9a5 feat: add autocomplete attributes (#2523)
• 71e2449d feat: add cache headers (#2817)
• 90da0bb4 feat: add codecov yaml
• 54c64fce feat: add flow id check to use verification token (#2695)
• 2438ca0c feat: add handler with openapi def for admin revoke session (#2867)
• f09b1b37 feat: add identity id to "account disabled" error (#2557)
• 8fe9de6d feat: add missing config entry
• 32e32d1b feat: add missing cookie headers to SDK methods (#2720)
• c0ceaf31 feat: add pre-hooks to settings, verification, recovery
• 02a92b4d feat: add session cache header feature flag (#2899)
• 3852eb46 feat: add support for firebase scrypt hashes on identity import and login hash upgrade (#2734)
• a82ee929 feat: add verification via code (#2838)
• 59588d2e feat: adding admin session listing api (#2818)
• 82bc9ce0 feat: adding device information to the session (#2715)
• 3e3b59e5 feat: allow importing scrypt hashing algorithm (#2689)
• aa6eb13c feat: allow setting public and admin metadata with the jsonnet data mapper (#2569)
• 09751e6a feat: automatic TLS certificate reloading (#2744)
• 56feb079 feat: change code length to 6 numbers (#2894)
• 70ed068d feat: forward parsed request cookies to webhook Jsonnet snippet (#2917)
• 561187da feat: handler for update API with credentials (#2423)
• a6f27935 feat: immutable cookie session values (#2761)
• e48e9fac feat: implement blocking webhooks (#1585)
• 6e8579b8 feat: improve cache handling
• 546ee3dc feat: improve state generation logic
• 3c112165 feat: ingest hydra bugfix
• 1da0cf62 feat: parse all id token claims into raw_claims (#2765)
• a1532ba7 feat: replace magic links with one time codes in recovery flow (#2645)
• b3417561 feat: replace message_ttl with static max retry count (#2638)
• 8406eaf9 feat: standardize license headers (#2790)
• de46c085 feat: support ip exceptions
• d1b4e174 feat: support md5 hash import (#2725)
• 665605bb feat: trace WebHooks (#2911)
• 3e09e58a feat: update for the Ory Network (#2814)
• fdb108fe feat: upgrade hydra to v2
• d1b6b40a fix(cli): dry up code (#2572)
• c589520f fix(docker): add missing dependencies (#2643)
• b5f80c11 fix(docker): update images
• c058e235 fix(identity): migrate identity_addresses to lower case (#2517)
• 4aab5e01 fix(lint): fixed lint error causing ci failures
• 4c705782 fix(sdk): identity metadata is nullable (#2841)
• ff6190f3 fix(sdk): make InputAttributes.Type an enum
• 8800085d fix(sdk): rust compile issue with required enum (#2619)
• bcbf68e7 fix: active attribute based off IsActive checks (#2901)
• 2aeb0a21 fix: add issuerURL for apple id (#2565)
• 7c4964ef fix: add missing go.mod to docker build
• 1ba7c66f fix: add support for verified Graph API calls for facebook oidc provider (#2547)
• de80b7f5 fix: admin recovery CSRF & duplicate form elements (#2846)
• 071c885d fix: bump docker image (#2594)
• 9ce2d260 fix: bump graceful to deal with http header timeouts
• 90207383 fix: cache migration status (#2631)
• 3f490a31 fix: check return code of ms graphapi /me request. (#2647)
• e446c5a5 fix: codecov (#2879)
• 44f775f4 fix: correct name of span on recovery code deletion (#2823)
• ddde43ec fix: correctly calculate expired_at timestamp for FlowExpired errors (#2836)
• aaabe754 fix: debugging Docker setup (#2616)
• 29aa3b6c fix: disappearing title label on verification and recovery flow (#2613)
• 705f7b10 fix: distinguish credential types properly when collecting identifiers (#2873)
• c5d3ebc6 fix: do not crash process on invalid smtp url (#2890)
• 88e75d99 fix: do not double-commit webhooks on registration (#2888)
• 1689bb9f fix: do not invalidate recovery addr on update (#2699)
• 43fcc51b fix: duplicate messages in recovery flow (#2592)
• 84ea0cf4 fix: express e2e tests for new account experience (#2708)
• 0934deff fix: format
• bbe44632 fix: format check stage in the CI (#2737)
• e3e7ed08 fix: gosec false positives
• 0c2efa2d fix: identity sessions list response includes pagination headers (#2763)
• 866b4727 fix: ignore CSRF for session extension on public route
• 0856bd71 fix: ignore commata in HIBP response
• 772d5968 fix: ignore error explicitly
• a2e3c41f fix: improve migration status speed (#2637)
• d56586b0 fix: include flow id in use recovery token query (#2679)
• aa698e03 fix: include metadata_admin in admin identity list response (#2791)
• 797ea685 fix: incorrect swagger annotation for getSession (#2891)
• 0844b47c fix: make ID field in VerifiableAddress struct optional (#2507)
• 65aeb0a7 fix: make courier.TemplateType an enum (#2875)
• 70211a17 fix: make hydra consistently localhost
• 4f841dae fix: make servicelocator explicit
• fec67727 fix: make swagger/openapi go 1.19 compatible
• 13eaddb7 fix: mark gosec false positives
• 05afd683 fix: metadata should not be required
• a1154860 fix: migration error detection
• 5ac7553d fix: missing usage to recovery_code_invalid template (#2798)
• cdaf68db fix: not cleared field validation message (#2800)
• 11822789 fix: panic
• c4d95afa fix: patch invalidates credentials (#2721)
• 9d220356 fix: potentially resolve tx issue in crdb (#2595)
• f002649d fix: preserve return_to param between flows (#2644)
• 0cbfe410 fix: proper annotation for patch (#2784)
• 8c52c33c fix: re-add service to quickstart
• bf6f27e3 fix: re-issue outdated cookie in /whoami (#2598)
• fe00c5be fix: remove jackc rewrites (#2634)
• d708c81a fix: remove jsonnet import support
• ca3d9c24 fix: remove newline sign from email subject (#2576)
• 355ec431 fix: remove rust workaround
• e2d805b7 fix: replace io/util usage by io and os package
• e572e818 fix: resolve bug where 500s in web hooks are not properly retried
• 66a94488 fix: respect more http sources for computing request URL
• a4194f58 fix: return browser to 'return_to' when logging in without registered account using oidc. (#2496)
• fffba473 fix: return empty array not null when there are no sessions (#2548)
• 7fb085b6 fix: revert Go 1.19 formatting changes
• fee154b2 fix: revert removal of required field in uiNodeInputAttributes (#2623)
• d2bb67af fix: send out correct verification invalid email in code strategy (#2908)
• e407f925 fix: set cache default to false (#2906)
• 504fb36b fix: take over return_to param from unauthorized settings to login flow (#2787)
• f43396bd fix: unable to find JSON Schema ID: default (#2393)
• c36ca53d fix: use correct download location for golangci-lint
• 02f7e9cf fix: use errors instead of fatal for serve cmd
• 72595adc fix: use full URL for webhook payload
• 9eeedc06 fix: use process-isolated Jsonnet VM (#2869)
• e1119e8f fix: verification redirect & continue label (#2905)
• 4ce9f1eb fix: wrap migration error in WithStack (#2636)
• 154b61b9 fix: wrong config key in admin recovery documentation (#2815)
• 4682afac fix: x-forwarded-for header parsing (#2807)
• 8dc2ecf4 refactor(sdk): rename getJsonSchema to getIdentitySchema (#2606)
• 11f9d30a refactor: SDK v1 naming
• b0d8f385 refactor: hot reloading
• e9aa21f0 refactor: make embedding easier with internal sdk
• baa84c68 refactor: use gotemplates for command usage
• 1d22b235 refactor: use gotemplates for command usage (#2770)
• 37018c01 test(e2e): add typescript
• 21a8487f test(e2e): fix flaky assertions
• 32454d2f test(e2e): fix issuer config
• 26001e75 test(e2e): fix webauthn regression
• 4d323d01 test(e2e): improve webauthn test reliability
• 317fab0f test(e2e): migrate to cypress 10.x
• d8c82dab test(e2e): resolve flaky hydra configuration
• 0ee4cf05 test(e2e): resolve max-age and issuer regression
• 904f75d2 test(e2e): resolve max-age regression
• 907dbe3f test(e2e): use correct dir
• e5f13113 test: fix broken assertions
• 6c14b682 test: fix oidc test regression
• 390ccaac test: improve e2e tooling
• d8dea013 test: parallelize and speed up config tests (#2611)
• 934c30d6 test: resolve builder regression
• 3b5ac5ff test: try and recover from allocated port error
• cbaaceb9 test: update snapshots (#2877)

Artifacts can be verified with cosign using this public key.