v0.13.0
Release date: 2023-04-19 01:07:18
Latest ory/kratos release: v1.2.0 (2024-06-05 19:02:56)
We’re excited to announce the release of Ory Kratos v0.13.0! This update brings many enhancements and fixes, improving the user experience and overall performance. In general, Ory Kratos is reaching complete API stability and we're adding some missing features next, paving the road to v1.0.
Ory Kratos serves over 500M users monthly in various companies, and is the backbone of the Ory Network (the best, cheapest, easiest way to run Ory).
Here are the highlights:
- We’ve added new social sign-in options with Patreon OIDC and LinkedIn providers, making it even easier for your users to register and log in. Furthermore, we’ve introduced a new admin API that allows you to remove specific 2nd factor credentials, giving you more control over your user accounts.
- Performance has been a key focus in this release. We’ve optimized the whoami calls, parallelized the getIdentity and getSession calls, and made asynchronous webhooks fully async. These improvements will result in faster response times and a smoother experience for your users. Additionally, we’ve implemented better tracing to help you diagnose and resolve issues more effectively.
- We’ve also made several updates to the webhook system. A new response.parse configuration has been introduced, allowing you to update identity data during registration. This includes admin/public metadata, identity traits, enabling/disabling identity, and modifying verified/recovery addresses. Please note that can_interrupt is now deprecated in favor of response.parse.
- Lastly, we’ve made several important fixes, such as resolving the wrong message ID on resend code buttons, implementing the offline scope as Google expects, and improving the OIDC flow on duplicate account registration. We’ve also added the ability to configure whether the system should notify unknown recipients when attempting to recover an account or verify an address, enhancing security with “anti-account-enumeration measures.”
We hope you enjoy these new features and improvements in Ory Kratos v0.13.0! All features are already live on the Ory Network - the simplest, fastest and most scalable way to run Ory.
Please note that the v0.12.0 release was skipped due to CI issues.
Head over to the changelog at https://github.com/ory/kratos/blob/master/CHANGELOG.md to read all the details. As always, we appreciate your feedback and support!
Breaking Changes
By default, Kratos no longer sends recovery or verification emails to addresses that do not belong to a known identity (see "Make notification to unknown recipients configurable" under Features below). If you want to keep notifying unknown addresses (the previous behavior), set `selfservice.flows.recovery.notify_unknown_recipients` to `true` for recovery flows, or `selfservice.flows.verification.notify_unknown_recipients` to `true` for verification flows.
Bug Fixes
- Account experience redirects to verification page (#3195) (2e96d75)
- Account settings broken on OIDC removal (#3185) (61ae531), closes ory-corp/cloud#3514
- Add `after_verification_return_to` to sdk and api docs (#3097) (c70704c), closes #3096
- Add `HydraLoginRequest` on flow creation (#3152) (09312dd), closes #3108: the `oauth2_login_request` field was missing when initially creating the login flow.
- Add missing `code` discriminator in updateVerificationFlow (#3213) (21576be)
- Add mutex to test SMTP server setup/teardown (20c2359)
- Avoid unchecked casts from IdentityPool to PrivilegedIdentityPool (71d35dd)
- Correctly apply patches to identity metadata (#3103) (1193a56), closes #2950
- Don't return 500 if active strategy is disabled (#3197) (3a734c2)
- Don't treat missing session as error in tracing (290d28a)
- Error messages in OpenAPI/Swagger / improve error messages from failed webhooks and client timeouts (#3218) (b1bdcd3)
- Handle upstream errors in patreon provider (#3032) (39fa31f)
- Identity.CopyWithoutCredentials (989c99d)
- Implement offline scope in the way google expects (#3088) (39043d4)
- Improve webhook resilience (#3200) (0a05d99):
  - fix: improve webhook logging
  - chore: bump x
  - feat: decouple context in PostRegistrationPostPersist hook
- Invalid SQL syntax in ListIdentities (#3202) (162ab9b): PostgreSQL does not support `... WHERE x IN ( )` with an empty argument list.
- Issuer missing from netid claims (#3080) (dec7cbc): the NetID provider omits the issuer claim in the userinfo response. To resolve this, the ID token returned by NetID is now validated and its `sub` and `iss` values are used.
- Lint errors and unused code (ae49ef0)
- Make session AAL satisfaction check resilient against a nil identity in the session (5ab1a56): also fixes tracing.
- Missing issuer regression in OIDC (#3220) (52f0740): closes https://github.com/ory/kratos/issues/3182 and https://github.com/ory/kratos/issues/3040
- Nolint comment (93e6501)
- Only return one result set for credentials_identifier (#3107) (59f35d1), closes #3105
- Orphaned webhook spans (a7f9414)
- Re-use existing CSRF token in verification flows (#3188) (08a3447):
  - fix: re-use existing CSRF token in verification flows
  - chore: fix if/else
- Reduce SQL tracing noise (1650426)
- Remove `http.Redirect` from `show_verification_ui` hook (#3238) (054705b)
- Report correct errors for json schema validation (#3085) (9477ea4):
  - Implemented the translation of `jsonschema.ValidationError` to the documented error codes
  - Added missing error codes for relevant schema errors:

    | Validation | Name | ID |
    | --- | --- | --- |
    | maxLength | ErrorValidationMaxLength | 4000017 |
    | minimum | ErrorValidationMinimum | 4000018 |
    | exclusiveMinimum | ErrorValidationExclusiveMinimum | 4000019 |
    | maximum | ErrorValidationMaximum | 4000020 |
    | exclusiveMaximum | ErrorValidationExclusiveMaximum | 4000021 |
    | multipleOf | ErrorValidationMultipleOf | 4000022 |
    | maxItems | ErrorValidationMaxItems | 4000023 |
    | minItems | ErrorValidationMinItems | 4000024 |
    | uniqueItems | ErrorValidationUniqueItems | 4000025 |
    | type | ErrorValidationWrongType | 4000026 |

  - Updated e2e tests to check these IDs explicitly
- Respect the after recovery return to URL from config (#3141) (3467fd3)
- Set DB connection max idle time (8d4762c)
- Set proper maxAge for session cookies (#3209) (1180c05), closes #3208
- Test contract names (e9ac00b)
Code Generation
- Pin v0.13.0 release commit (349d0ee)
Code Refactoring
Documentation
- Fix broken docs links and code example to get verification flow (#3170) (bdbddcc)
- Update security email (#3164) (9252f5a)
Features
- Add a new admin API to remove a specific 2nd factor credential (#2962) (44556a4), closes #2505
- Add API to batch insert identities (#3157) (829bda7), closes ory/network#266
- Add Inspect option to driver (8aa75e9)
- Add test to verify GetIdentityConfidential expands everything (#3217) (f088ccd)
- Add token prefixes to session and logout tokens (#3132) (8210cd0): this feature adds token prefixes to Ory session and logout tokens:
  - `ory_st_`: Ory session token prefix
  - `ory_lt_`: logout token prefix

  A fixed prefix lets log filters and secret scanners recognize a leaked Ory token without knowing anything else about its format.
- Add upstream parameters to oidc provider (#3138) (b6b1679), closes #3127 #2069: this PR introduces the upstream OIDC query parameters `login_hint` and `hd`. To send additional upstream parameters, the form can post them on a login, registration or settings link submit. For example, the form below starts an OIDC flow to Google and adds `login_hint` and `hd` to the upstream request, so that the Google login page is pre-filled with the email `email@example.com`:

  ```html
  <form action="https://kratos/self-service/login?flow=" method="post">
    <input type="submit" name="provider" value="google" />
    <input type="hidden" name="upstream_parameters.login_hint" value="email@example.com" />
    <input type="hidden" name="upstream_parameters.hd" value="example.com" />
  </form>
  ```

  Both values are hints to the provider's sign-in page only. `hd` does not restrict which Google account can complete the flow; if membership in a domain matters, enforce it on the claims Kratos receives back, not on the hint you send.
- Allow importing (salted) SHA hashing algorithms (#2741) (132255e), closes #2422
- Allow passing transient data from registration to webhook (#3104) (4a3a076)
- Don't pre-generate UUIDs for transient objects (e17f307)
- Even more tracing of hidden HTTP requests (9d8b1e2)
- Improve tracing span naming in hooks (bf828d3)
- Improve webhook diagnostics (d4eb2f6)
- Improved oidc flow on duplicate account registration (#3151) (4d2fda4): this PR improves the OIDC registration flow when a duplicate account error happens. Before this change the flow looked as follows:
  1. User registers with password (or other credentials)
  2. User forgot they registered with password and tries to login through an OIDC provider (e.g. Google)
  3. Kratos attempts a registration since the OIDC credentials do not exist
  4. (optional) User needs to add missing traits (e.g. full name) which could not be retrieved from the OIDC provider
  5. User gets a duplicate account error with a "Continue" button
  6. After submitting the "Continue" button the flow goes again to the OIDC provider, back to Kratos, and redirects to the UI with the duplicate error (steps 3 to 5 repeat)

  Instead of causing a confusing redirect loop, the user is now shown the error in a fresh login flow (since the account exists). This also gives the user the option to do a recovery flow:
  1. User registers with password (or other credentials)
  2. User forgot they registered with password and tries to login through an OIDC provider (e.g. Google)
  3. Kratos attempts a registration since the OIDC credentials do not exist
  4. (optional) User needs to add missing traits
  5. User is returned to a login flow with the duplication error
- Let DB generate ID for session devices (62402c7)
- Make notification to unknown recipients configurable (#3075) (1a5ead4), closes #2345 #2585: adds the ability to configure whether the system should notify unknown recipients when someone tries to recover their account or verify their address ("anti-account-enumeration measures"). The configuration keys are listed under Breaking Changes above.
- Make password validator (HIBP check) cancelable and add tracing (28f8914)
- Parallelize get identity and session calls (#3023) (6393519)
- Refactor credentials fetching (#3183) (590269f): this change revamps the way we fetch identity credentials. We no longer need most of the helper fields for gobuffalo/pop inside the `Identity` and `Credentials` structures, and we collect all the credentials in one joined query rather than using pop's `EagerPreload` functionality.
- Return hydra error messages (b3d037b)
- Return verification flow ID after registration flow (#3144) (eb854be), closes #2975
- Show "continue" screen after successful verification (#3090) (fb6b160), closes ory-corp/cloud#3925, ory/network#228: the `link` strategy for verification now shows a confirmation screen with a "continue" link after successful verification, aligning its behavior with the `code` strategy. Also fixes a bug where the `default_browser_return_url` of the verification flow was not respected when using the code strategy.
- Social sign in via linkedin (#3079) (5de6bf4), closes #2856: adds LinkedIn as a social sign in provider.
- Webhooks that update identities (2cbee3e), closes #2161: introduces a new configuration `response.parse` in webhooks. This enables updating identity data during registration, including admin/public metadata, identity traits, enabling/disabling the identity, and modifying verified/recovery addresses. Please note that `can_interrupt` is being deprecated in favor of `response.parse`. Because a parsed response can mark addresses as verified and set admin metadata, a webhook endpoint configured with `response.parse` is inside your trust boundary: protect it (and the transport to it) as you would the Kratos admin API.
Tests
- e2e: Fix compile errors in commands (#3179) (0002668)
- Parallelize several unit tests (#3081) (5403f86)
Unclassified
-
Revert "fix: do not omit last page on identity list (#3169)" (#3184) (73b5f13), closes #3169 #3184:
This reverts commit f95f48a79395b7b99c7482c0974bc5188e007cc0.
Changelog
- 73b5f139 Revert "fix: do not omit last page on identity list (#3169)" (#3184)
- af3f9e55 autogen(docs): generate and bump docs
- 9322677b autogen(docs): regenerate and update changelog
- f3123ec2 autogen(docs): regenerate and update changelog
- 59aa38a9 autogen(docs): regenerate and update changelog
- 5b88a993 autogen(docs): regenerate and update changelog
- 9c0b68c8 autogen(docs): regenerate and update changelog
- 4181fbc3 autogen(docs): regenerate and update changelog
- cca36f82 autogen(docs): regenerate and update changelog
- dbe3d839 autogen(docs): regenerate and update changelog
- acf92618 autogen(docs): regenerate and update changelog
- 586eaf9e autogen(docs): regenerate and update changelog
- 17f0de4c autogen(docs): regenerate and update changelog
- 59b1ce54 autogen(docs): regenerate and update changelog
- 9c3bfe3d autogen(docs): regenerate and update changelog
- db066b77 autogen(docs): regenerate and update changelog
- 5a78fd4b autogen(docs): regenerate and update changelog
- 5740b9d7 autogen(docs): regenerate and update changelog
- 6f908b9e autogen(docs): regenerate and update changelog
- ddea6410 autogen(docs): regenerate and update changelog
- bda6bc84 autogen(docs): regenerate and update changelog
- 74ae8523 autogen(docs): regenerate and update changelog
- 40ab76af autogen(docs): regenerate and update changelog
- 48a44693 autogen(docs): regenerate and update changelog
- 90977ca0 autogen(docs): regenerate and update changelog
- 033b19c0 autogen(docs): regenerate and update changelog
- debc487e autogen(docs): regenerate and update changelog
- 79c94d54 autogen(docs): regenerate and update changelog
- e916a748 autogen(docs): regenerate and update changelog
- a5421649 autogen(docs): regenerate and update changelog
- b87b7238 autogen(docs): regenerate and update changelog
- 17dd35d3 autogen(docs): regenerate and update changelog
- 411633d2 autogen(docs): regenerate and update changelog
- fd373835 autogen(docs): regenerate and update changelog
- b69981a2 autogen(docs): regenerate and update changelog
- d6ad787c autogen(docs): regenerate and update changelog
- b3370a54 autogen(docs): regenerate and update changelog
- 8c6e3a18 autogen(docs): regenerate and update changelog
- 3d07161a autogen(docs): regenerate and update changelog
- fb9add52 autogen(docs): regenerate and update changelog
- a49d7e65 autogen(docs): regenerate and update changelog
- bb12fe78 autogen(docs): regenerate and update changelog
- a5770367 autogen(docs): regenerate and update changelog
- 851abc12 autogen(docs): regenerate and update changelog
- 5535171e autogen(docs): regenerate and update changelog
- f9054087 autogen(docs): regenerate and update changelog
- 6d83dc98 autogen(docs): regenerate and update changelog
- 9d59fd71 autogen(docs): regenerate and update changelog
- ea6ad2a8 autogen(docs): regenerate and update changelog
- 601b7fc6 autogen(docs): regenerate and update changelog
- d2506508 autogen(docs): regenerate and update changelog
- 8396a551 autogen(docs): regenerate and update changelog
- ee1f02ec autogen(docs): regenerate and update changelog
- 022f0537 autogen(openapi): regenerate swagger spec and internal client
- 5e18b026 autogen(openapi): regenerate swagger spec and internal client
- 122f2a26 autogen(openapi): regenerate swagger spec and internal client
- f2960124 autogen: add v0.11.1 to version.schema.json
- 349d0ee1 autogen: pin v0.13.0 release commit
- 2e72c5b4 autogen: pin v0.13.0 release commit
- 9b512003 chore(ci): don't run pm workflow on forks (#3229)
- 0cc50c69 chore(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 (#3198)
- 2d489e70 chore(deps): bump golang.org/x/net from 0.5.0 to 0.7.0 (#3120)
- 3b8f4266 chore: bump hydra to v2 (#3083)
- 03ef8bfe chore: bump ory/jsonschema/v3
- c15de85a chore: clarift documentation on code strategy payloads (#3228)
- e3eb39e1 chore: fix wrong message id on resend code button (#3067)
- 3bf6ec3d chore: one uuid library ought to be enough for everybody
- a4f8f3a4 chore: remove obsolete packages and dependencies
- ba1aecf0 chore: unset email and name after release hook (#3026)
- 8e87693f chore: update GHA versions (#3078)
- 0ba0bd6d chore: update ory/x (#3221)
- bdbddcce docs: fix broken docs links and code example to get verification flow (#3170)
- 9252f5a3 docs: update security email (#3164)
- 829bda70 feat: add API to batch insert identities (#3157)
- 8aa75e97 feat: add Inspect option to driver
- 44556a46 feat: add a new admin API to remove a specific 2nd factor credential (#2962)
- 20ea29e0 feat: add patreon oidc provider (#3021)
- f088ccdf feat: add test to verify GetIdentityConfidential expands everything (#3217)
- 8210cd09 feat: add token prefixes to session and logout tokens (#3132)
- b6b1679c feat: add upstream parameters to oidc provider (#3138)
- 132255ef feat: allow importing (salted) SHA hashing algorithms (#2741)
- 4a3a0765 feat: allow passing transient data from registration to webhook (#3104)
- e17f3077 feat: don't pre-generate UUIDs for transient objects
- 852dea90 feat: drop unused index (#3165)
- 9d8b1e22 feat: even more tracing of hidden HTTP requests
- c288d4d1 feat: identity by identifier (#3077)
- bf828d3f feat: improve tracing span naming in hooks
- d4eb2f6b feat: improve webhook diagnostics
- 4d2fda45 feat: improved oidc flow on duplicate account registration (#3151)
- 62402c7b feat: let DB generate ID for session devices
- 1a5ead43 feat: make notification to unknown recipients configurable (#3075)
- 28f8914b feat: make password validator (HIBP check) cancelable and add tracing
- 63935199 feat: parallelize get identity and session calls (#3023)
- 590269f9 feat: refactor credentials fetching (#3183)
- b3d037b3 feat: return hydra error messages
- eb854bec feat: return verification flow ID after registration flow (#3144)
- fb6b1600 feat: show "continue" screen after successful verification (#3090)
- 5de6bf46 feat: social sign in via linkedin (#3079)
- 2cbee3e8 feat: webhooks that update identities
- a206772d fix: access rules example (#3178)
- 2e96d75c fix: account experience redirects to verification page (#3195)
- 61ae531b fix: account settings broken on OIDC removal (#3185)
- 09312dd2 fix: add `HydraLoginRequest` on flow creation (#3152)
- c70704ce fix: add `after_verification_return_to` to sdk and api docs (#3097)
- 21576beb fix: add missing `code` discriminator in updateVerificationFlow (#3213)
- 756bed4d fix: add missing index (#3181)
- 20c23594 fix: add mutex to test SMTP server setup/teardown
- 71d35ddd fix: avoid unchecked casts from IdentityPool to PrivilegedIdentityPool
- 1193a568 fix: correctly apply patches to identity metadata (#3103)
- f95f48a7 fix: do not omit last page on identity list (#3169)
- 3a734c2d fix: don't return 500 if active strategy is disabled (#3197)
- e260fcf0 fix: don't reuse ports in courier/SMTP tests (#3156)
- 290d28ad fix: don't treat missing session as error in tracing
- b1bdcd32 fix: error messages in OpenAPI/Swagger / improve error messages from failed webhooks and client timeouts (#3218)
- 39fa31f8 fix: handle upstream errors in patreon provider (#3032)
- 989c99d6 fix: identity.CopyWithoutCredentials
- 39043d45 fix: implement offline scope in the way google expects (#3088)
- 0a05d994 fix: improve webhook resilience (#3200)
- 162ab9b5 fix: invalid SQL syntax in ListIdentities (#3202)
- dec7cbc4 fix: issuer missing from netid claims (#3080)
- ae49ef04 fix: lint errors and unused code
- 342bfb03 fix: make async webhooks fully async (#3111)
- 5ab1a56c fix: make session AAL satisfaction check resilient against a nil identity in the session
- 52f07402 fix: missing issuer regression in OIDC (#3220)
- 93e6501c fix: nolint comment
- 59f35d11 fix: only return one result set for credentials_identifier (#3107)
- a7f94144 fix: orphaned webhook spans
- 08a34476 fix: re-use existing CSRF token in verification flows (#3188)
- 1650426a fix: reduce SQL tracing noise
- 054705b8 fix: remove `http.Redirect` from `show_verification_ui` hook (#3238)
- c629b72b fix: remove network omit flag (#3066)
- 9477ea4a fix: report correct errors for json schema validation (#3085)
- 3467fd3b fix: respect the after recovery return to URL from config (#3141)
- 8d4762c1 fix: set DB connection max idle time
- 1180c051 fix: set proper maxAge for session cookies (#3209)
- 523b93fd fix: sqa config values unified across projects (#3237)
- e9ac00b3 fix: test contract names
- 3bc1ff0e fix: use correct names in WebAuthN dialogs (#3215)
- dba38032 fix: use type alias instead of type definition (#3148)
- 46eb063f fix: webhook tracing and missing defers (#3145)
- b9ccccf0 fix: wrong context in logout trace span (#3168)
- ceb5cc2b refactor: identity persistence (#3101)
- 00026682 test(e2e): fix compile errors in commands (#3179)
- 5403f863 test: parallelize several unit tests (#3081)
Artifacts can be verified with cosign using this public key.
- checksums.txt (2.43KB)
- checksums.txt.sig (96B)
- kratos_0.13.0-linux_32bit.tar.gz (13.23MB)
- kratos_0.13.0-linux_64bit.tar.gz (13.85MB)
- kratos_0.13.0-linux_arm64.tar.gz (12.76MB)
- kratos_0.13.0-linux_armv6.tar.gz (13.23MB)
- kratos_0.13.0-linux_armv7.tar.gz (13.22MB)
- kratos_0.13.0-linux_sqlite_64bit.tar.gz (14.47MB)
- kratos_0.13.0-linux_sqlite_arm64.tar.gz (13.37MB)
- kratos_0.13.0-linux_sqlite_armv6.tar.gz (13.79MB)
- kratos_0.13.0-linux_sqlite_armv7.tar.gz (13.78MB)
- kratos_0.13.0-linux_sqlite_libmusl_64bit.tar.gz (14.46MB)
- kratos_0.13.0-linux_sqlite_libmusl_arm64.tar.gz (13.39MB)
- kratos_0.13.0-linux_sqlite_libmusl_armv6.tar.gz (13.82MB)
- kratos_0.13.0-linux_sqlite_libmusl_armv7.tar.gz (13.8MB)
- kratos_0.13.0-macOS_64bit.tar.gz (14.39MB)
- kratos_0.13.0-macOS_arm64.tar.gz (14.07MB)
- kratos_0.13.0-macOS_sqlite_64bit.tar.gz (15.44MB)
- kratos_0.13.0-macOS_sqlite_all.tar.gz (29.95MB)
- kratos_0.13.0-macOS_sqlite_arm64.tar.gz (14.67MB)
- kratos_0.13.0-windows_32bit.zip (13.77MB)
- kratos_0.13.0-windows_64bit.zip (14.03MB)
- kratos_0.13.0-windows_arm64.zip (12.92MB)
- kratos_0.13.0-windows_armv6.zip (13.52MB)
- kratos_0.13.0-windows_armv7.zip (13.5MB)
- kratos_0.13.0-windows_sqlite_64bit.zip (14.6MB)
- kratos_0.13.0_sqlite_darwin_amd64_v1.bom.json (202.13KB)
- kratos_0.13.0_sqlite_darwin_arm64.bom.json (202.13KB)
- kratos_0.13.0_sqlite_linux_386.bom.json (202.13KB)
- kratos_0.13.0_sqlite_linux_amd64_v1.bom.json (202.13KB)
- kratos_0.13.0_sqlite_linux_arm64.bom.json (202.13KB)
- kratos_0.13.0_sqlite_linux_arm_6.bom.json (202.13KB)
- kratos_0.13.0_sqlite_linux_arm_7.bom.json (202.13KB)
- kratos_0.13.0_sqlite_windows_386.bom.json (202.13KB)
- kratos_0.13.0_sqlite_windows_amd64_v1.bom.json (202.13KB)
- kratos_0.13.0_sqlite_windows_arm64.bom.json (202.13KB)
- kratos_0.13.0_sqlite_windows_arm_6.bom.json (202.13KB)
- kratos_0.13.0_sqlite_windows_arm_7.bom.json (202.13KB)
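The release page says the artifacts can be verified with cosign but does not show the procedure. The script below is an added example, not part of the Ory release notes or of the Kratos project. It assumes `cosign` and `sha256sum` are installed, that Ory's release-signing public key (linked from the original page) has been saved locally at the path in `COSIGN_PUB` (the default file name `ory-cosign.pub` is made up for this example), and that `checksums.txt`, `checksums.txt.sig` and the archive you downloaded sit in the current directory. The signature covers only `checksums.txt`, so the check has two steps: verify the manifest's signature, then compare each archive against the digest the signed manifest lists for it.

```shell
#!/bin/sh
# Added example, not part of the Ory release page or the Kratos project.
# Verifies downloaded kratos_0.13.0 release archives against the cosign-signed
# checksums.txt manifest. Assumptions not stated on the page:
#   - cosign is installed and Ory's release public key is stored at $COSIGN_PUB
#     (the default name ory-cosign.pub is invented for this example)
#   - checksums.txt, checksums.txt.sig and the archives are in the current dir
set -eu

COSIGN_PUB="${COSIGN_PUB:-ory-cosign.pub}"

# Step 1: the signature is over checksums.txt, not over the archives.
# If this fails, nothing in checksums.txt can be trusted.
verify_manifest_signature() {
  cosign verify-blob \
    --key "$COSIGN_PUB" \
    --signature checksums.txt.sig \
    checksums.txt
}

# Step 2: look up the expected SHA-256 of one archive in the signed manifest
# and compare it with the digest of the file on disk. Returns 1 on mismatch
# and also when the archive is not listed at all: an unlisted file is no
# better than one with a wrong hash.
verify_archive_checksum() {
  archive="$1"
  expected=$(awk -v f="$archive" '$2 == f { print $1 }' checksums.txt)
  if [ -z "$expected" ]; then
    echo "no entry for $archive in checksums.txt" >&2
    return 1
  fi
  actual=$(sha256sum "$archive" | awk '{ print $1 }')
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $archive" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
  echo "ok: $archive"
}

main() {
  verify_manifest_signature
  for archive in "$@"; do
    verify_archive_checksum "$archive"
  done
}

# Usage: sh verify-kratos.sh kratos_0.13.0-linux_64bit.tar.gz [more archives]
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it as `sh verify-kratos.sh kratos_0.13.0-linux_64bit.tar.gz`. Step 1 is the only part that binds the download to Ory: a bare `sha256sum -c checksums.txt` proves nothing if whoever replaced the archive also replaced the manifest. Cosign 2.x additionally expects a transparency-log entry for the blob by default; if the release signature was made without one, `cosign verify-blob` needs `--insecure-ignore-tlog=true`, which reduces the check to the key alone.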