Table of Contents
- (2022-01-18)
- 0.8.2-alpha.1 (2021-12-17)
- 0.8.1-alpha.1 (2021-12-13)
- 0.8.0-alpha.3 (2021-10-28)
- 0.8.0-alpha.2 (2021-10-28)
- 0.8.0-alpha.1 (2021-10-27)
- 0.7.6-alpha.1 (2021-09-12)
- 0.7.5-alpha.1 (2021-09-11)
- 0.7.4-alpha.1 (2021-09-09)
- 0.7.3-alpha.1 (2021-08-28)
- 0.7.1-alpha.1 (2021-07-22)
- 0.7.0-alpha.1 (2021-07-13)
- 0.6.3-alpha.1 (2021-05-17)
- 0.6.2-alpha.1 (2021-05-14)
- 0.6.1-alpha.1 (2021-05-11)
- 0.6.0-alpha.2 (2021-05-07)
- 0.6.0-alpha.1 (2021-05-05)
- 0.5.5-alpha.1 (2020-12-09)
- 0.5.4-alpha.1 (2020-11-11)
- 0.5.3-alpha.1 (2020-10-27)
- 0.5.2-alpha.1 (2020-10-22)
- 0.5.1-alpha.1 (2020-10-20)
- 0.5.0-alpha.1 (2020-10-15)
- 0.4.6-alpha.1 (2020-07-13)
- 0.4.5-alpha.1 (2020-07-13)
- 0.4.4-alpha.1 (2020-07-10)
- 0.4.3-alpha.1 (2020-07-08)
- 0.4.2-alpha.1 (2020-07-08)
- 0.4.0-alpha.1 (2020-07-08)
- 0.3.0-alpha.1 (2020-05-15)
- 0.2.1-alpha.1 (2020-05-05)
- 0.2.0-alpha.2 (2020-05-04)
- 0.1.1-alpha.1 (2020-02-18)
- 0.1.0-alpha.6 (2020-02-16)
- 0.1.0-alpha.5 (2020-02-06)
- 0.1.0-alpha.4 (2020-02-06)
- 0.1.0-alpha.3 (2020-02-06)
- 0.1.0-alpha.2 (2020-02-03)
- 0.1.0-alpha.1 (2020-01-31)
- 0.0.3-alpha.15 (2020-01-31)
- 0.0.3-alpha.14 (2020-01-31)
- 0.0.3-alpha.13 (2020-01-31)
- 0.0.3-alpha.11 (2020-01-31)
- 0.0.3-alpha.10 (2020-01-31)
- 0.0.3-alpha.7 (2020-01-30)
- 0.0.3-alpha.5 (2020-01-30)
- 0.0.3-alpha.4 (2020-01-30)
- 0.0.3-alpha.2 (2020-01-30)
- 0.0.3-alpha.1 (2020-01-30)
- 0.0.1-alpha.9 (2020-01-29)
- 0.0.2-alpha.1 (2020-01-29)
- 0.0.1-alpha.6 (2020-01-29)
- 0.0.1-alpha.5 (2020-01-29)
- 0.0.1-alpha.3 (2020-01-28)
This patch removes the ability to use domain aliases, an obscure feature rarely used that had several issues and inconsistencies.
-
Add
identity_id
index toidentity_verifiable_addresses
table (#2147) (86fd942):The verifiable addresses are loaded eagerly into the identity. When that happens, the
identity_verifiable_addresses
table is queried bynid
andidentity_id
. This index should greatly improve performance, especially of the/sessions/whoami
endpoint. -
Add ability to resume continuity sessions from several cookies (#2131) (8b87bdb), closes #2016 #1786
-
Admin endpoint
/schemas
not redirecting to public endpoint (#2133) (413833f), closes #2084 -
Choose correct CSRF cookie when multiple are set (633076b), closes ory/kratos#2121 ory-corp/cloud#1786:
Resolves an issue where, when multiple CSRF cookies are set, a random one would be used to verify the CSRF token. Now, regardless of how many conflicting CSRF cookies exist, if one of them is valid, the request will pass and clean up the cookie store.
-
continuity: Properly reset cookies that became invalid (8e4b4fb), closes #2121 ory-corp/cloud#1786:
Resolves several reports related to incorrect handling of invalid continuity issues.
-
continuity: Remove cookie on any error (428ac03)
-
Do not send session after registration without hook (#2094) (3044229), closes #2093
-
Docker-compose standalone definition (3c7065a)
-
Explain mitigations in cookie error messages (ef4b01a)
-
Expose network wrapper (a570607)
-
This patch
- moves the FAQ to the Debug & Help section
- renames it to Tips & Troubleshooting
- moves many of the questions to documents where they fit better, reformatted and with added information where needed.
- also some other spelling/format fixes
See also ory/docusaurus-template#87
-
Improve courier test signature (b8888e3)
-
Include missing type string in config schema (#2142) (ec2c88a):
Inside the config.schema.json under the CORS setting, add the missing type (string) for the items of the allowed_origins array
-
login: Error handling when failed to prepare for an expired flow (#2120) (fdad834)
-
Resolve configx regression (672c0ff)
-
selfservice: Recovery self service flow passes on return_to URL (#1920) (b925d35), closes #914
-
Send 404 instead of null response for unknown verification flows (#2102) (c9490c8), closes #2099:
Fixes the verification handler to write the error, instead of nil object, when the flow does not exist. Adds tests for every handler to check proper behavior in that regard.
-
Support setting complex configs from the environment (c45bf83):
-
Update download urls according to the new names (#2078) (86ae016)
- Deprecate domain aliases (894a2cc)
-
Added phone number identifier (#1938) (294dfa8), closes #137
-
Allow registration to be disabled (#2081) (864b00d), closes #882
-
courier: Override default link base URL (cc99096):
Added a new configuration value
selfservice.methods.link.config.base_url
which allows to change the default base URL of recovery and verification links. This is useful when the email should send a link which does not match the globally configured base URL. -
docker: Add jaeger (27ec2b7)
-
Enable Buildkit (#2079) (f40df5c):
Looks like this was attempted before but the magic comment was not on the first line.
-
Make the password policy more configurable (#2118) (70c627b), closes #970
-
Selfservice and administrative session management (#2011) (0fe4155), closes #655 #2007
0.8.2-alpha.1 (2021-12-17)
This release addresses further important security updates in the base Docker Images. We also resolved all issues related to ARM support on both Linux and macOS and fixed a bug that prevent the binary from compiling on FreeBSD.
This release also makes use of our new build architecture which means that the Docker Images names have changed. We removed the "scratch" images as we received frequent complaints about them. Additionally, all Docker Images have now, per default, SQLite support built-in. If you are relying on the SQLite images, update your Docker Pull commands as follows:
- docker pull oryd/kratos:{version}-sqlite
+ docker pull oryd/kratos:{version}
Additionally, all passwords now have to be at least 8 characters long, following recommendations from Microsoft and others.
In v0.8.1-alpha.1 we failed to include all the exciting things that landed, so we'll cover them now!
- Advanced E-Mail templating support with sprig - makes it possible to translate emails as well!
- Support wildcards for allowing redirection targets.
- Account Recovery initiated by the Admin API now works even if identities have no email address.
Enjoy this release!
-
Add missing sample app paths to oathkeeper config (#2058) (a527db4):
Add "welcome,registration,login,verification" and "**.png" to the paths oathkeeper forwards to self service ui.
-
After release hooks (56c2e61)
-
Goreleaser after hook (c763f2b)
-
Goreleaser config (7099af2):
-
Release hook (90bd769)
- Pin v0.8.2-alpha.1 release commit (627f4a1)
0.8.1-alpha.1 (2021-12-13)
This maintenance release important security updates for the base Docker Images (e.g. Alpine). Additionally, several hiccups with the new ARM support have been resolved and the binaries are now downloadable for all major platforms. Please note that passwords now have to be at least 8 characters long, following recommendations from Microsoft and others.
Enjoy this release!
To celebrate this change, we cleaned up the ways you install Ory software, and will roll this out to all other projects soon:
There is now one central brew / bash curl repository:
-brew install ory/kratos/kratos
+brew install ory/tap/kratos
-bash <(curl https://raw.githubusercontent.com/ory/kratos/master/install.sh)
+bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) kratos
-
Add error.id to invalid cookie/token settings flow (#1919) (73610d4), closes #1888
-
Adds missing webauthn authentication method (#1914) (44892f3)
-
Allow use of relative URLs in config (#1754) (5f73bb0), closes #1446
-
Bodget docs commit (f9d2f82)
-
Build docs on release (2cf137a)
-
Include text label for link email field (07a1dbb), closes #1909
-
Panic on webhook with nil body (#1890) (4bf1825), closes #1885
-
Paths (8c852c7)
-
Require minimum length of 8 characters password (#2009) (bb5846e):
Kratos follows NIST Digital Identity Guidelines - 5.1.1.2 Memorized Secret Verifiers and password policy says
Passwords must have a minimum length of 8 characters and all characters (unicode, ASCII) must be allowed.
-
Set dockerfile (c860b99)
-
Skip docs publishing for pre releases (eb6d8cd)
-
Speed up git clone (d3e4bde)
-
Update docs after release (850be90)
-
Update sdk orb (94e12e6)
-
Use bcrypt for password hashing in example (a9196f2)
-
Use new ory installation method (09cfc7e)
- Pin v0.8.1-alpha.1 release commit (8247416)
-
Add
Content-Type
to recommended CORS allowed headers (#2015) (dd890ab) -
Add subdomain configuration in csrf page (#1896) (681750f):
Add some instructions as to how kratos can be configured to work across subdomains.
-
Remove unintended characters in subdomain section in csrf page (#1897) (dfb9007)
-
Add alpine dockerfile (587eaee)
-
Add new goreleaser build chain (#1932) (cf1714d):
This patch adds full compatibility with ARM architectures, including Apple Silicon (M1). We additionally added cryptographically signed signatures verifiable using cosign for both binaries as well as docker images.
-
Add quickstart mimicking hosted ui (813fb4c)
-
Add x-total-count to paginated pages (b633ec3)
-
Advanced e-mail templating support (#1859) (54b97b4), closes #834 #925
-
Allow wildcard domains for redirect_to checks (#1528) (349cdcf), closes #943:
Support wildcard domains in redirect_to checks.
-
cmd: Add OIDC credential include (#2017) (1482844):
With this change, the
kratos identities get
CLI can additionally fetch OIDC credentials. -
Configurable health endpoints access logging (#1934) (1301f68):
This PR introduces a new boolean configuration parameter that allows turning off logging of health endpoints requests in the access log. The implementation is basically a rip-off from Ory Hydra and the configuration parameter is the same:
serve.public.request_log.disable_for_health serve.admin.request_log.disable_for_health
The default value is false.
-
Make admin recovery to work without emails #1419 (#1750) (db00e85)
- Add web hook test cases (#2051) (316e940)
- e2e: Improved SDK set up and arm fix (#1933) (c914ba1)
- e2e: Split e2e script into setup and test phase (#2027) (1761418)
- Fix changed message ID (#2013) (0bb66de)
- Update snapshots (a820653)
0.8.0-alpha.3 (2021-10-28)
Resolves issues in the quickstart.
- Pin v0.8.0-alpha.3 release commit (a307deb)
0.8.0-alpha.2 (2021-10-28)
Resolves an issue in the SDK release pipeline.
- Pin v0.8.0-alpha.2 release commit (2178929)
0.8.0-alpha.1 (2021-10-27)
We are extremely excited to share this next generation of Ory Kratos! The project is truly maturing and the community is getting larger by the hour.
On this special occasion, we would like to bring to your attention that the Ory Summit is happening tomorrow and on Friday! You will hear gripping talks from the Ory Community and Ory maintainers! And the best part, tickets are free and we are covering multiple time zones!
This release is truly the best version of Ory Kratos to date and we want to give you a tl;dr of the 345 commits and 1152 files changed, and what you can expect from this release:
- Full multi-factor authentication with different enforcement policies (soft/hard MFA).
- Support for WebAuthn (FIDO2 / U2F) two-factor authentication - from fingerprints to hardware tokens every FIDO2 device is supported!
- Ability to fetch the initial OAuth2 Access and Refresh and OpenID Connect ID Tokens an identity receives when performing social sign up. Optionally, these tokens are stored encrypted in the database (XChaCha20Poly1305 or AES-GCM)!
- Support for TOTP (Google Authenticator) two-factor verification/authentication.
- Advanced two-factor recovery with lookup secrets.
- A complete reference implementation of the Ory Kratos end-user (self-service) facing UI in ReactJS & VercelJS.
- "Native" support for Single-Page App Single Sign-On.
- Much improved single-page app and native app APIs for all self-service flows.
- Support for PKBDF2 password hashing, which will help import user passwords from other systems in the future.
- Bugfixes and improvements to the OpenAPI spec and auto-generated SDKs.
- ARM Docker Images.
- Greatly improved internal e2e test pipeline using Cypress 8.x.
- Improved functional tests with cupaloy snapshot testing.
- Documentation on different error codes and message identifiers to easier translate messages in your own UI.
- Better form decoding and ability to mark required JSON Schema fields as required in the UI.
- Bug fixes that could result in users ending up in irrecoverable UI states.
- Better support for
return_to
across flows (e.g. OIDC) and in custom UIs. - SBOM Software Supply Chain scanning & reporting.
- Docker Image vulnerability checking as part of the release pipeline.
- Support sending emails via AWS SES SMTP.
- A REST endpoint to invalidate all an identity's sessions.
As you can see, much has happened and we are grateful for all the great interactions we have with you, every day!
Let's take a look at some of the breaking changes. Even though much was added, little has changed in breaking ways! This is a testament that Ory Kratos' internals and APIs are becoming more stable!
This release requires you to run SQL migrations. Please, as always, create a backup of your database first!
The SDKs are now generated with tag v0alpha2 to reflect that some signatures have changed in a breaking fashion. Please update your imports from v0alpha1
to v0alpha2
.
The SMTPS scheme used in courier config URL with cleartext/StartTLS/TLS SMTP connection types is now only supporting implicit TLS. For StartTLS and cleartext SMTP, please use the SMTP scheme instead.
Example:
- SMTP Cleartext:
smtp://foo:bar@my-mailserver:1234/?disable_starttls=true
- SMTP with StartTLS:
smtps://foo:bar@my-mailserver:1234/
->smtp://foo:bar@my-mailserver:1234/
- SMTP with implicit TLS:
smtps://foo:bar@my-mailserver:1234/?legacy_ssl=true
-> `smtps://foo:bar@my-mailserver:1234/We are extremely excited to share this next generation of Ory Kratos! The project is truly maturing and the community is getting larger by the hour.
On this special occasion, we would like to bring to your attention that the Ory Summit is happening tomorrow and on Friday! You will hear gripping talks from the Ory Community and Ory maintainers! And the best part, tickets are free and we are covering multiple time zones!
This release is truly the best version of Ory Kratos to date and we want to give you a tl;dr of the 345 commits and 1152 files changed, and what you can expect from this release:
- Full multi-factor authentication with different enforcement policies (soft/hard MFA).
- Support for WebAuthn (FIDO2 / U2F) two-factor authentication - from fingerprints to hardware tokens every FIDO2 device is supported!
- Ability to fetch the initial OAuth2 Access and Refresh and OpenID Connect ID Tokens an identity receives when performing social sign up. Optionally, these tokens are stored encrypted in the database (XChaCha20Poly1305 or AES-GCM)!
- Support for TOTP (Google Authenticator) two-factor verification/authentication.
- Advanced two-factor recovery with lookup secrets.
- A complete reference implementation of the Ory Kratos end-user (self-service) facing UI in ReactJS & VercelJS.
- "Native" support for Single-Page App Single Sign-On.
- Much improved single-page app and native app APIs for all self-service flows.
- Support for PKBDF2 password hashing, which will help import user passwords from other systems in the future.
- Bugfixes and improvements to the OpenAPI spec and auto-generated SDKs.
- ARM Docker Images.
- Greatly improved internal e2e test pipeline using Cypress 8.x.
- Improved functional tests with cupaloy snapshot testing.
- Documentation on different error codes and message identifiers to easier translate messages in your own UI.
- Better form decoding and ability to mark required JSON Schema fields as required in the UI.
- Bug fixes that could result in users ending up in irrecoverable UI states.
- Better support for
return_to
across flows (e.g. OIDC) and in custom UIs. - SBOM Software Supply Chain scanning & reporting.
- Docker Image vulnerability checking as part of the release pipeline.
- Support sending emails via AWS SES SMTP.
- A REST endpoint to invalidate all an identity's sessions.
As you can see, much has happened and we are grateful for all the great interactions we have with you, every day!
Let's take a look at some of the breaking changes. Even though much was added, little has changed in breaking ways! This is a testament that Ory Kratos' internals and APIs are becoming more stable!
This release requires you to run SQL migrations. Please, as always, create a backup of your database first!
The SDKs are now generated with tag v0alpha2 to reflect that some signatures have changed in a breaking fashion. Please update your imports from v0alpha1
to v0alpha2
.
The SMTPS scheme used in courier config URL with cleartext/StartTLS/TLS SMTP connection types is now only supporting implicit TLS. For StartTLS and cleartext SMTP, please use the SMTP scheme instead.
Example:
- SMTP Cleartext:
smtp://foo:bar@my-mailserver:1234/?disable_starttls=true
- SMTP with StartTLS:
smtps://foo:bar@my-mailserver:1234/
->smtp://foo:bar@my-mailserver:1234/
- SMTP with implicit TLS:
smtps://foo:bar@my-mailserver:1234/?legacy_ssl=true
-> `smtps://foo:bar@my-mailserver:1234/We are extremely excited to share this next generation of Ory Kratos! The project is truly maturing and the community is getting larger by the hour.
On this special occasion, we would like to bring to your attention that the Ory Summit is happening tomorrow and on Friday! You will hear gripping talks from the Ory Community and Ory maintainers! And the best part, tickets are free and we are covering multiple time zones!
This release is truly the best version of Ory Kratos to date and we want to give you a tl;dr of the 345 commits and 1152 files changed, and what you can expect from this release:
- Full multi-factor authentication with different enforcement policies (soft/hard MFA).
- Support for WebAuthn (FIDO2 / U2F) two-factor authentication - from fingerprints to hardware tokens every FIDO2 device is supported!
- Ability to fetch the initial OAuth2 Access and Refresh and OpenID Connect ID Tokens an identity receives when performing social sign up. Optionally, these tokens are stored encrypted in the database (XChaCha20Poly1305 or AES-GCM)!
- Support for TOTP (Google Authenticator) two-factor verification/authentication.
- Advanced two-factor recovery with lookup secrets.
- A complete reference implementation of the Ory Kratos end-user (self-service) facing UI in ReactJS & VercelJS.
- "Native" support for Single-Page App Single Sign-On.
- Much improved single-page app and native app APIs for all self-service flows.
- Support for PKBDF2 password hashing, which will help import user passwords from other systems in the future.
- Bugfixes and improvements to the OpenAPI spec and auto-generated SDKs.
- ARM Docker Images.
- Greatly improved internal e2e test pipeline using Cypress 8.x.
- Improved functional tests with cupaloy snapshot testing.
- Documentation on different error codes and message identifiers to easier translate messages in your own UI.
- Better form decoding and ability to mark required JSON Schema fields as required in the UI.
- Bug fixes that could result in users ending up in irrecoverable UI states.
- Better support for
return_to
across flows (e.g. OIDC) and in custom UIs. - SBOM Software Supply Chain scanning & reporting.
- Docker Image vulnerability checking as part of the release pipeline.
- Support sending emails via AWS SES SMTP.
- A REST endpoint to invalidate all an identity's sessions.
As you can see, much has happened and we are grateful for all the great interactions we have with you, every day!
Let's take a look at some of the breaking changes. Even though much was added, little has changed in breaking ways! This is a testament that Ory Kratos' internals and APIs are becoming more stable!
This release requires you to run SQL migrations. Please, as always, create a backup of your database first!
The SDKs are now generated with tag v0alpha2 to reflect that some signatures have changed in a breaking fashion. Please update your imports from v0alpha1
to v0alpha2
.
The SMTPS scheme used in courier config URL with cleartext/StartTLS/TLS SMTP connection types is now only supporting implicit TLS. For StartTLS and cleartext SMTP, please use the SMTP scheme instead.
Example:
- SMTP Cleartext:
smtp://foo:bar@my-mailserver:1234/?disable_starttls=true
- SMTP with StartTLS:
smtps://foo:bar@my-mailserver:1234/
->smtp://foo:bar@my-mailserver:1234/
- SMTP with implicit TLS:
smtps://foo:bar@my-mailserver:1234/?legacy_ssl=true
->smtps://foo:bar@my-mailserver:1234/
The location of the homebrew tap has changed from ory/ory/kratos
to ory/tap/kratos
.
To stay consistent with other query parameter's, the self-service login flow's forced
key has been renamed to refresh
.
The SDKs are now generated with tag v0alpha2 to reflect that some signatures have changed in a breaking fashion. Please update your imports from v0alpha1
to v0alpha2
.
To support 2FA on non-browser (e.g. native mobile) apps we have added the Ory Session Token as a possible parameter to both initializeSelfServiceLoginFlowWithoutBrowser
and submitSelfServiceLoginFlow
. Depending on the SDK generator, the order of the arguments may have changed. In JavaScript:
- .submitSelfServiceLoginFlow(flow.id, payload)
+ .submitSelfServiceLoginFlow(flow.id, sessionToken, payload)
+ // or if the user has no session yet:
+ .submitSelfServiceLoginFlow(flow.id, undefined, payload)
To improve the overall API design we have changed the result of POST /self-service/settings
. Instead of having flow be a key, the flow is now the response. The updated identity payload stays the same!
{
- "flow": {
- "id": "flow-id-..."
- ...
- },
+ "id": "flow-id-..."
+ ...
"identity": {
"id": "identity-id-..."
}
}
The SMTPS scheme used in courier config url with cleartext/StartTLS/TLS SMTP connection types is now only supporting implicit TLS. For StartTLS and cleartext SMTP, please use the smtp scheme instead.
Example:
- SMTP Cleartext:
smtp://foo:bar@my-mailserver:1234/?disable_starttls=true
- SMTP with StartTLS:
smtps://foo:bar@my-mailserver:1234/
->smtp://foo:bar@my-mailserver:1234/
- SMTP with implicit TLS:
smtps://foo:bar@my-mailserver:1234/?legacy_ssl=true
->smtps://foo:bar@my-mailserver:1234/
This patch changes the naming and number of prometheus metrics (see: ory/x#379). In short: all metrics will have now http_
prefix to conform to Prometheus best practices.
-
Add error id (1442784)
-
Add mfa e2e test scenarios and resolve found issues (436992d)
-
Allow refresh and aal upgrade at the same time (2ec801f)
-
API client leaks stack trace with an error (#1772) (d3aff6d), closes #1771
-
Better const handling for internal context (1e457e3)
-
Correct swagger path for /identities/:id/session endpoint (#1756) (d614f2a)
-
Decoder regression in registration (febf75a)
-
Deterministic clidoc dates (e48d90a)
-
Disable totp per default (7278589)
-
Docs autogen should not use
time.Now
(a830f5b) -
Ensure correct error propagation (77ce709)
-
Ensure refresh issues a new session when the identity changes (a10b385)
-
Ensure return_to works for OIDC flows (d615734), closes #1773
-
Explicit validation for return to in new flows (284cf29)
-
Follow chrome webauthn best practice recommendation (0a7c812)
-
Handle return errors on the frontend and break early (0e8d481):
-
Identity credential identifiers are now unique per method (57fd99a)
-
Improve schema validation error tracing (f793fe5)
-
Incorrect JSON response for browser flows (1501f56)
-
Kill modd as well (e5a98e5)
-
link: Resolve incorrect response types when opening API recovery link in browser (35ea8db)
-
login: Properly handle refresh (8dc7059)
-
lookup: Ensure correct fields are set (5ed4c55)
-
lookup: Resolve reuse scenarios (dbfe475)
-
lookup: Set up codes correctly (2f373f3)
-
oidc: Ensure nested keys work on login (71583c5)
-
Omitempty for VerifiedAt and StateChangedAt (#1736) (bf2ec6e):
Closes ory/sdk#95
-
Only respect required modules for SDK (4c5677f)
-
Panic when recovering deactivated user (0a49f27), closes #1794 #1826
-
Potentially resolve hanging postgres connection closing (693a928)
-
Properly encode aal error (49b6288)
-
Properly open recovery endpoints in browser if flow was initiated via API (23c12e5)
-
Remove duplicate schema error (4e69123)
-
Remove initial_value again as it was not useful outside of booleans (0cc984b)
-
Remove obsolete openapi patch (11618ec)
-
Remove unnecessary cmd reference (351760e)
-
Replace 302 with 303 (2e2b0f8)
-
Resolve clidoc generation issue (1aaaa03)
-
Resolve merge issues (1dc7497)
-
Resolve openapi issues and regenerate clients (f7d60c0)
-
Resolve swagger regression (02b9d47)
-
Run format on ts files (f55f6f6)
-
Slow CLI start-up time (ae20c17):
Found a deeply nested dependency which was importing
https://github.com/markbates/pkger
, causing unreasonable CPU consumption and significant delay at start up time. With this patch, start up time was reduced from almost 3s to ~0.01s.$ time kratos kratos 2.55s user 2.46s system 508% cpu 0.986 total $ time ./kratos-patch ./kratos-patch 0.00s user 0.00s system 64% cpu 0.001 total
-
totp: Reorder QR (d096df7)
-
Try and reduce cookie flakyness (e7ae8d6)
-
Typo (8c4d8a2)
-
ui: Use correct type for anchor (a6595e4)
-
Update schema config location (539ae73)
-
Use parallelism of 1 in go test (8736334)
-
webauthn: Support react-based webauth (b6123b4)
-
X-session-token must not be mandatory (05d73be)
- Pin v0.8.0-alpha.1 release commit (c2c902c)
-
courier: Support SMTP schemes for implicit TLS, explicit StartTLS, and cleartext SMTP (#1831) (4cb082c), closes #1770 #1769
-
Homogenize error messages (421a319)
-
Improved prometheus metrics (#1830) (0be993b), closes #1735:
This will add new prometheus metrics for Kratos that are more useful for alerting and increase overall observability.
-
Login flow
forced
renamed torefresh
(92087e5) -
login: Rename forced -> refresh (8d1e54b)
-
login: Support 2FA for non-browser SDKs (df4846d)
-
Move expired error into top-level flow module (01a2602)
-
Move homebrew tap to ory/tap (0ee67c3)
-
Move node identifiers to node package (b0a86dc)
-
Revert decision to return 422 errors and streamline 401/403 (8aa5318)
-
Sdk API is no v0alpha2 (3f06738)
-
session: CreateAndIssueCookie is now UpsertAndIssueCookie (a6d134d)
-
session: CreateSession is now UpsertSession (3ec81a2)
-
settings: Change settings success response (12f98f2)
- Add 2fa credentials (f7899a7)
- Add 2fa guide (b4eed76)
- Add a commandline example for the logout (#1753) (81ba264)
- Add admin ui guide (ac88060)
- Add advanced custom UI documentation (5e3a2cd)
- Add image assets (6bc93ca)
- Add missing angle bracket (#1799) (4270140)
- Add ory sessions as a concept (626c0c9)
- Add powershell to deps (#1853) (e945336), closes #1848
- credentials: Add AAL explanation (c1f501e)
- Enhance error return values (3799c24)
- Fix invalid syntax (#1819) (8cd6428)
- Fix the flow links used for rendering (#1752) (131d2c2)
- Fix the invalid links (#1868) (6d621ec)
- Remove obsolete file (b7f9052)
- Update generated docs (72afb81)
- Update quickstart curl examples (#1778) (6c677c4)
- Use correct link (f007919), closes #1793
-
Add
intended_for_someone_else
error code (572a131) -
Add aal fallback for existing sessions (a5c7b11)
-
Add authenticators after set up (035c276)
-
Add DeleteCredentialsType to identity struct including tests (b12bf52)
-
Add e2e tests for react native 2fa (a3ac253)
-
Add error ids for csrf-related errors (dc2adbf)
-
Add error ids for redirect-related errors (246a045)
-
Add error ids for session-related errors (087d907)
-
Add explicit return_to to flow objects and API parameters (50d04ea), closes #1605 #1121:
This patch adds a
return_to
field to the flow objects which contains the original?return_to=...
value. It uses the Flow'srequest_url
for that purpose. -
Add ids for user-facing errors for login, registration, settings (787558b):
This patch adds a new field
id
to JSON error payloads. This helps tremendously in implementing better client-side (native / SPA) apps as the API now returns error IDs likeno_active_session
,orbidden_return_to
,no_verified_address
and more. UIs can use these IDs to decide what to do next in the application - for example redirecting to a particular endpoint or showing an error message. -
Add initial value to bool checkboxes (63dba73)
-
Add internal context to login and registration (723e6ee)
-
Add internal context to settings flow (afb6895)
-
Add lookup node to disable lookup (d0836be):
See ory/network#12
-
Add lookup to config (14119b6)
-
Add lookup to identity (ead3833)
-
Add lookup to migrations (dac4f75)
-
Add MFA enforcment option to whoami and settings (554d725)
-
Add mfa for non-browser (4096fd3)
-
Add missing migrations (ccc64d8)
-
Add option to disable recovery codes (9d3daa6):
Closes ory/network#12
-
Add ory cli config (5b959be)
-
Add schema patch for new initial_value field (131e380):
The field sets a node input's initial value. This is primarily used for fields which are e.g. checkboxes or buttons (active/inactive). If this field is set on a button, it implies that clicking the button should trigger the "value" to be set.
-
Add script type and discriminator for attributes (de0af95):
See ory/sdk#72
-
Add smtp headers config option (#1747) (7ffe0e9), closes #1725
-
Add support for onclick javascript in ui nodes (7cc7efa)
-
Add totp strategy for settings flow (d1d6617):
This patch allows adding a TOTP device in the settings, and also removing it when no longer needed.
-
Add webauthn identity credential (f8b9582)
-
Adjust to new aal error handling (b8956bc)
-
API to return access, refresh, id tokens from social sign in (#1818) (198991a), closes #1518 #397:
This patch introduces the new
include_credential
query parameter to theGET /identities
endpoint which allows administrators to receive the initial access, refresh, and ID tokens from Social Sign In (OpenID Connect / OAuth 2.0) flows.These tokens can be stored in an encrypted format (XChaCha20Poly1305 or AES-GCM) in the database if an appropriate encryption secret is set. To get started easily these values are not encrypted per default.
For more information head over to the docs.
-
Endpoint to list all identity schemas (#1703) (aa23d5d), closes #1699
-
Generate sdks and update versions (c9d22d9)
-
hash: PBKDF2 password hash verification (#1774) (33cc7e0), closes #1659
-
Identity schema validation on startup (#1779) (99db3f0), closes #701
-
identity: Add AAL constants (882573d)
-
Implement AAL for login and sessions (45467e0)
-
Implement endpoint for invalidating all sessions for a given identity (#1740) (dbd1689), closes #655:
This PR introduces endpoint to destroy all sessions for a given identity which effectively logouts user from all devices/sessions. This is useful when for some security concern we want to make sure there are no "old" sessions active or other "staff" related actions (such as force logout after password change etc.).
-
Implement lookup code settings and login (8f3ce7b)
-
Improve detection of AAL errors and return 422 instead of 403 (e2bfbea)
-
Improve labels for totp and lookup (b92e00e)
-
Improve session device annotations (87907b8)
-
logout: Add logout token to browser response (#1758) (d3f1177)
-
Mark recovery email address verified (#1665) (e3efc5d), closes #1662
-
Mark required fiels as required (34cd5e8):
Closes https://github.com/ory-corp/cloud/issues/1328 Closes ory#400 Closes ory#1058 See https://ory-community.slack.com/archives/C012RJ2MQ1H/p1631825476159000
-
Natively support social sign in for single-page apps (1a1a350)
-
persistence: Add new columns for mfa (6184fe3)
-
Potentially add arm64 docker support (68112de)
-
Proper enum and type assertions for openapi (c4d8516)
-
Publish webauthn as loadable script instead of eval (2717c59)
-
Redirect on login if session aal is not matched (8feff8d)
-
Respect webauthn in session aal (869b4a5)
-
session: Respect 2fa enforcement in whoami (3a82c88)
-
Sign in with apple (#1833) (16ed123), closes #1782:
Adds an adapter and configuration options for enabling Social Sign In with Apple.
-
Sort totp nodes (5c9a494)
-
Stubable time in text package (22e4ed1)
-
Support apple m1 (54b4fb6)
-
Support setting the identity state via the admin API (#1805) (29c060b), closes #1767
-
Support strategy return to ui for settings (74670bb)
-
Support webauthn for mfa (e8f4d3c)
-
totp: Add width and height to QR code (a648ba3)
-
totp: Support account name setting from schema (19a6bcc)
-
Treat lookup as aal2 in session (3269028)
-
Use discriminators for ui node types in spec (59e808e)
-
Use initial_value in lookup strategy (efe272f)
- 3745014 (d493d10)
- Aal in login.NewFlow (5986e38)
- AcceptToRedirectOrJSON (2ca153f)
- Add credentials test (58b388c)
- Add expired test to login handler (3bdb8ab)
- Add identity change test to settings submit (5eb090b)
- Add initial spa e2e test (20617f6)
- Add initial totp integration tests (c9d456b)
- Add login tests (a71cadd)
- Add migrations tests for new tables (3c96ab0)
- Add react app to e2e tests (1214eee)
- Add schema test for totp config (c4f05ba)
- Add session amr test (eedb60b)
- Add settings tests (6959565)
- Add test for TOTPIssuer (14731c4)
- Add test for ui error page (3977a9c)
- Add TestEnsureInternalContext (152bfc7)
- Add totp registry tests (817e3ec)
- Add totp settings tests (c5a0d0f)
- Add TOTP to profile (7431e9f)
- Add update session test (47bd057)
- Additional checks for flow hydration (a40d7fe)
- Amr persistence (b0b2d81)
- Check if internal context is validated in store (a23d851)
- CheckAAL (03b37e7)
- Complete TOTP login integration tests (6e503cf)
- e2e: Add baseurl (159b25f)
- e2e: Add checkboxes to schemas (0c91f0c)
- e2e: Add config for proxy to simplify cy.visit logic (7d87985)
- e2e: Add mfa profile (a60d157)
- e2e: Add modd to build (48cd8ae)
- e2e: Add more helpers and ts defs (21b35b0)
- e2e: Add more helpers for various flows and proxy settings (755ac60)
- e2e: Add more routes to registry (30423c9)
- e2e: Add more typings for cypress helpers (60bd63f)
- e2e: Add plugin for using got (8fafc40)
- e2e: Add proxy capabilities for react native app (b5668df)
- e2e: Add recovery tests for SPA (b6014ee)
- e2e: Add spa as allowed redirect url (2625d16)
- e2e: Add SPA tests for login and refactor tests to typescript (d9a25df)
- e2e: Add SPA tests for logout and refactor tests to typescript (b0c6776)
- e2e: Add SPA tests for registration and refactor tests to typescript (a61ed1e)
- e2e: Add support functions and type definitions (c82d68d)
- e2e: Clean up helper (4806add)
- e2e: Complete SPA tests for all mfa flows (2196129)
- e2e: Default and empty values and required fields (72f2c5f)
- e2e: Ensure advanced types work in forms also (287269c)
- e2e: Ensure correct app (a9ff545)
- e2e: Finalize mobile tests (acf5c3d)
- e2e: Force port (a49eda8)
- e2e: Homogenize profiles (7798e19)
- e2e: Hot reload ory kratos on changes (841da09)
- e2e: Implement recovery tests for SPA (3dea57f)
- e2e: Implement required verification tests for SPA (fb55f34)
- e2e: Improve stability for login tests (43df22b)
- e2e: Improve stability for registration tests (a1c59a3)
- e2e: Improve test reliability (061a7e3)
- e2e: Migrate email tests to new proxy set up (54d8cd6)
- e2e: Migrate settings tests to typescript and add SPA tests (566336d)
- e2e: Move config to lower level and publish as package (c21fa26)
- e2e: Move registration tests to new proxy set up (eddeb85)
- e2e: Port mobile test to typescript (db42346)
- e2e: Port remaining e2e tests to typescript (5853d1a)
- e2e: Potentially resolve flaky login test (e237d66)
- e2e: Potentially resolve webauthn startup issues (eae6f5d)
- e2e: Prototype typescript implementation (2e869cf)
- e2e: Recreate identities per flow (1a560a3)
- e2e: Reduce flaky tests (cae86e7)
- e2e: Reduce test flakes in lookup codes (bfea354)
- e2e: Refactor and add support for SPA app (7609219)
- e2e: Remove wait condition (af10b03)
- e2e: Resolve broken test (c7cf134)
- e2e: Resolve flaky test (de7cc59)
- e2e: Resolve flaky test issues (1627745)
- e2e: Resolve next not starting (2a2a3cb)
- e2e: Resolve regression (d62f0c0)
- e2e: Resolve regressions (aaff34e)
- e2e: Resolve regressions (af9aedc)
- e2e: Revert proxy changes (293d920)
- e2e: Stabilize e2e tests (a5dca28)
- e2e: Temporarily add totp to default profile (8ffac9d)
- e2e: Update e2e profiles to new proxy set up (a3204cf)
- e2e: Use 127.0.0.1 to prevent ipv6 issues (6f4b534)
- e2e: Wait for oidc to trigger (9c67c49)
- Enable cookie debug (81c3064)
- Ensure aal and amr is set on recovery (5cbab54), closes #1322
- Ensure aal2 can not be used for oidc (cbbcdd2)
- Ensure aal2 can not be used for password (d9d39f0)
- Ensure authenticated_at after all upgrade (80408b4)
- Ensure redirect_url in password strategy (9eafc10)
- ErrStrategyAsksToReturnToUI behavior (f739018)
- Finalize webauthn tests (97e59e6)
- Fix regressions in the tests (246c580)
- Fix tests in cmd/serve (#1755) (b704d08)
- ID methods of node attributes (ff9ff04)
- Login form submission with AAL (4d54fbb)
- lookup: Add secret_disable to snapshots (68d6a87)
- lookup: Ensure context is cleaned up after use (8a210c4)
- lookup: Refresh and reuse scenarios (89736ed)
- migration: Resolve mysql migration issue with empty array (71a5649)
- Move to cupaloy for snapshots (0cce70f)
- Properly refresh mobile session (c31915d)
- Registry regression (25c88b5)
- Remove todo items (f60050e)
- Resolve flaky config test (147c670)
- Resolve flaky config test (#1832) (db98d01)
- Resolve flaky example tests (#1817) (0e700d8)
- Resolve flaky tests (2bd9100)
- Resolve migratest regressions (e9a1ed1)
- Resolve regressions (1502ca1)
- Resolve regressions (1a93b2f)
- Resolve regressions (64850ed)
- Resolve remaining regressions (f02804c)
- Resolve remaining regressions (0224c22)
- Resolve remaining regressions (1fa2aa5)
- Resolve time locality issues (53b8b2a)
- Restructure session struct tests (50d3f66)
- Session AAL handling (6fea3e5)
- Session activate (c86fa03)
- sql: Fix incorrect UUID (ea2894e)
- Temporarily enable lookup globally (458f559)
- totp: Ensure context is cleaned up after use (1905883)
- Upgrade cypress to 8.x (c8a1dfc)
- Use different return handler (e489a43)
- Various aal combinations for newflow (b095b99)
- Webauth settings flow (4c82772)
- Webauthn aal2 login (60ace8b)
- Webauthn credentials (c3e1184)
- Webauthn credentials counter (f7701f6)
- webauthn: Ensure context is cleaned up after use (7a8055b)
0.7.6-alpha.1 (2021-09-12)
Resolves further issues in the SDK and release pipeline.
- Pin v0.7.6-alpha.1 release commit (8b0d1ee)
0.7.5-alpha.1 (2021-09-11)
Primarily resolves issues in the SDK pipeline.
- Pin v0.7.5-alpha.1 release commit (3a741a5)
0.7.4-alpha.1 (2021-09-09)
This release adds the GitHub-app provider, improves SQL instrumentation, resolves an expired flow bug, and resolves documentation issues.
- Corret sdk annotations for enums (6152363)
- Do not panic if cookiemanager returns a nil cookie (6ea5678), closes #1695
- Respect return_to in expired flows (#1697) (394a8de), closes #1251
- Pin v0.7.4-alpha.1 release commit (67ff8a9)
- Add e2e quickstart (2b749d3)
- Browser redirects (#1700) (a44089a)
- Mark logout_url always available (9021805)
- Minor improvements (#1707) (79c132c)
- Making use of the updated instrumentedsql version (#1723) (9e6fbdd)
- oidc: Github-app provider (#1711) (fb1fe8c)
- session: Resolve incorrect assertion (0531220)
0.7.3-alpha.1 (2021-08-28)
This patch resolves a regression issue with Facebook login, a memory leak issue introduced by an external dependency, adds a "requires verification" login hook, and improves performance for some endpoints.
Also, Ory Kratos SDKs are now published in individual GitHub repositories for every language.
-
Add new message when refresh parameter is true (#1560) (0525623), closes #1117
-
Add session in spa registration if session cook is configured (#1657) (639a7dd), closes #1604
-
docs: Ensure config reference is updated (f6b3aa4), closes #1597
-
Facebook sign in regression (#1689) (85337bf), closes #1687 #1686
-
Http context memory leak (b21bd22):
Ory Kratos was using
gorilla/sessions
prior to version v1.2 which had a dependency ongorilla/context
, a deprecated library with known memory management issues. Even though we usedgorilla/context
's clean up middleware, it appears thatr.Context()
was not properly cleaned up, causing memory leaks.On average, the memory leak is pretty small, but depending on what gets added to
r.Context()
it could significantly increase the memory leak.By replacing
gorilla/sessions
with v1.2.1 we:- Increased the HTTP API throughput by an estimate of 4 times;
- Brought average memory use back down to about 12MB;
-
Remove session cookie on logout (#1587) (cdb30bb), closes #1584:
Before, the logout endpoint would invalidate the session cookie, but not remove it. This was a regression introduced in 0.7.0. This patch resolves that issue.
-
sdk: Use proper annotation for genericError (#1611) (da214b2), closes #1609
-
Skip prompt on discord authorization by default (#1594) (a667255):
When a value for prompt is not provided, Discord defaults to
prompt="consent"
. This change makes it so that if the request is not forced, prompt is explicitly set to "none". -
Static parameter for warning message in config.baseURL(...) (#1673) (db54a1b), closes #1672
-
Use eager preloading for list identites endpoint (#1588) (de5fb3e)
- Pin v0.7.3-alpha.1 release commit (b5ad53e)
-
Fix func naming for Logout flow (#1676) (bbeb613):
rename createSelfServiceLogoutUrlForBrowsers to createSelfServiceLogoutFlowUrlForBrowsers
-
Make qickstart URLs consistent (playground vs. localhost) (#1626) (bae1847):
Since the quick-start describes how to run Kratos locally the actual location of the redirect is
http://127.0.0.1:4433/self-service/login/browser
. -
Update docker.md - Outdated information (#1627) (dc32720), closes #1619:
Kratos does not automatically use a config file that exists at
$HOME/.kratos.yaml
, or any other similar pattern. The documentation in the Docker Images section of the guides could lead developers to believe that the --config flag is unnecessary if they are binding the directory the configuration file is in to $HOME or using a custom docker image to provide the file.
-
Allow multiple webhook body sources (#1606) (51b1311):
This patch adds support for loading webhooks from the local filesystem, base64 encoded inline string, and remote (http/https) sources. Please note that support for relative/absolute paths without an URI scheme are deprecated and will eventually be removed.
0.7.1-alpha.1 (2021-07-22)
This release addresses regressions introduced in Ory Kratos v0.7.0 and resolves some bugs and documentation inconsistencies.
-
Correct meta schema (8d4f3ff)
-
Do not set csrf cookies on /sessions/whoami (#1580) (36bbd43)
-
Generate CSRF token on validation creation (#1549) (6612c5f), closes #1547
-
Identity extension meta schema (#1554) (ba5ca64):
Up until now the extension meta schema was only applied to top level keys. This fix now recursively checks the extension schema on any depth.
-
Resolve wrong openapi types (b07927c)
-
Update identity state openapi spec (0217737)
- Pin v0.7.1-alpha.1 release commit (4fe76af)
- Add instruction for creating user (#1541) (c2a1b6d), closes #1530
- Clarify flags in schema which are not available in config file (e5ea5fe), closes #1514
- Fix formatting of Email and Phone Verification Flow tab content (#1536) (0bfac67)
- Fix typo (#1543) (b25bae7)
- Fix typo (#1544) (547788d)
- Update csrf pitfall flow section (#1558) (cc7ed4b), closes #1557
- Longer wait time for e2e boot (3a85a33)
0.7.0-alpha.1 (2021-07-13)
About two months ago we released Ory Kratos v0.6. Today, we are excited to announce the next iteration of Ory Kratos v0.7! This release includes 215 commits from 24 contributors with over 770 files and more than 100.000 lines of code changed!
Ory Kratos v0.7 brings massive developer experience improvements:
- A reworked, tested, and standardized SDK based on OpenAPI 3.0.3 (#1477, #1424);
- Native support of Single-Page-Apps (ReactJS, AngularJS, ...) for all self-service flows (#1367);
- Sign in with Yandex, VK, Auth0, Slack;
- An all-new, secure logout flow (#1433);
- Important security updates to the self-service GET APIs (#1458, #1282);
- Built-in support for TLS (#1466);
- Improved documentation and Go Module structure;
- Resolving a case-sensitivity bug in self-service recovery and verification flows;
- Improved performance for listing identities;
- Support for Instant tracing (#1429);
- Improved control for SMTPS, supporting SSL and STARTTLS (#1430);
- Ability to run Ory Kratos in networks without outbound requests (#1445);
- Improved control over HTTP Cookie behavior (#1531);
- Several smaller user experience improvements and bug fixes;
- Improved e2e test pipeline.
In the next iteration of Ory Kratos, we will focus on providing a NextJS example application for the SPA integration as well as the long-awaited MFA flows!
Please be aware that upgrading to Ory Kratos 0.7 requires you to apply SQL migrations. Make sure to back up your database before migration!
For more details on breaking changes and patch notes, see below.
Prior to this change it was not possible to specify the verification/recovery link lifetime. Instead, it was bound to the flow expiry. This patch changes that and adds the ability to configure the lifespan of the link individually:
selfservice:
methods:
link:
enabled: true
config:
+ # Defines how long a recovery link is valid for (default 1h)
+ lifespan: 15m
This is a breaking change because the link strategy no longer respects the recovery / verification flow expiry time and, unless set, will default to one hour.
This change introduces a better SDK. As part of this change, several breaking changes with regards to the SDK have been introduced. We recommend reading this section carefully to understand the changes and how they might affect you.
Before, the SDK was structured into tags public
and admin
. This stems from the fact that we have two ports in Ory Kratos - one administrative and one public port.
While serves as a good overview when working with Ory Kratos, it does not express:
- What module the API belongs to (e.g. self-service, identity, ...)
- What maturity the API has (e.g. experimental, alpha, beta, ...)
- What version the API has (e.g. v0alpha0, v1beta0, ...)
This patch replaces the current admin
and public
tags with a versioned approach indicating the maturity of the API used. For example, initializeSelfServiceSettingsForBrowsers
would no longer be under the public
tag but instead under the v0alpha1
tag:
import {
Configuration,
- PublicApi
+ V0Alpha1
} from '@ory/kratos-client';
- const kratos = new PublicApi(new Configuration({ basePath: config.kratos.public }));
+ const kratos = new V0Alpha1(new Configuration({ basePath: config.kratos.public }));
To avoid confusion when setting up the SDK, and potentially using the wrong endpoints in your codebase and ending up with strange 404 errors, Ory Kratos now redirects you to the correct port, given that serve.(public|admin).base_url
are configured correctly. This is a significant improvement towards a more robust API experience!
Further, all administrative functions require, in the Ory SaaS, authorization using e.g. an Ory Personal Access Token. In the open source, we do not know what developers use to protect their APIs. As such, we believe that it is ok to have admin and public functions under one common API and differentiate with an admin
prefix. Therefore, the following patches should be made in your codebase:
import {
- AdminApi,
+ V0Alpha1,
Configuration
} from '@ory/kratos-client';
-const kratos = new AdminApi(new Configuration({ basePath: config.kratos.admin }));
+const kratos = new V0Alpha1(new Configuration({ basePath: config.kratos.admin }));
-kratos.createIdentity({
+kratos.adminCreateIdentity({
schema_id: 'default',
traits: { /* ... */ }
})
Further, we have introduced a style guide for writing SDKs annotations governing how naming conventions should be chosen.
We also streamlined how credentials are used. We now differentiate between:
- Per-request credentials such as the Ory Session Token / Cookie
- public getSelfServiceRegistrationFlow(id: string, cookie?: string, options?: any) {} + public getSelfServiceSettingsFlow(id: string, xSessionToken?: string, cookie?: string, options?: any) {}
- Global credentials such as the Ory (SaaS) Personal Access Token.
const kratos = new V0Alpha0(new Configuration({ basePath: config.kratos.admin, accessToken: 'some-token' })); kratosAdmin.adminCreateIdentity({ schema_id: 'default', traits: { /* ... */ }, });
This patch introduces CSRF countermeasures for fetching all self-service flows. This ensures that users can not accidentally leak sensitive information when copy/pasting e.g. login URLs (see #1282). If a self-service flow for browsers is requested, the CSRF cookie must be included in the call, regardless if it is a client-side browser app or a server-side browser app calling. This does not apply for API-based flows.
As part of this change, the following endpoints have been removed:
GET <ory-kratos-admin>/self-service/login/flows
;GET <ory-kratos-admin>/self-service/registration/flows
;GET <ory-kratos-admin>/self-service/verification/flows
;GET <ory-kratos-admin>/self-service/recovery/flows
;GET <ory-kratos-admin>/self-service/settings/flows
.
Please ensure that your server-side applications use the public port (e.g. GET <ory-kratos-public>/self-service/login/flows
) for fetching self-service flows going forward.
If you use the SDKs, upgrading is easy by adding the cookie
header when fetching the flows. This is only required when using browser flows on the server side.
The following example illustrates a ExpressJS (NodeJS) server-side application fetching the self-service flows.
app.get('some-route', (req: Request, res: Response) => {
- kratos.getSelfServiceLoginFlow(flow).then((flow) => /* ... */ )
+ kratos.getSelfServiceLoginFlow(flow, req.header('cookie')).then((flow) => /* ... */ )
- kratos.getSelfServiceRecoveryFlow(flow).then((flow) => /* ... */ )
+ kratos.getSelfServiceRecoveryFlow(flow, req.header('cookie')).then((flow) => /* ... */ )
- kratos.getSelfServiceRegistrationFlow(flow).then((flow) => /* ... */ )
+ kratos.getSelfServiceRegistrationFlow(flow, req.header('cookie')).then((flow) => /* ... */ )
- kratos.getSelfServiceVerificationFlow(flow).then((flow) => /* ... */ )
+ kratos.getSelfServiceVerificationFlow(flow, req.header('cookie')).then((flow) => /* ... */ )
- kratos.getSelfServiceSettingsFlow(flow).then((flow) => /* ... */ )
+ kratos.getSelfServiceSettingsFlow(flow, undefined, req.header('cookie')).then((flow) => /* ... */ )
})
For concrete details, check out the changes in the NodeJS app.
This patch refactors the logout functionality for browsers and APIs. It adds increased security and DoS-defenses to the logout flow.
Previously, calling GET /self-service/browser/flows/logout
would remove the session cookie and redirect the user to the logout endpoint. Now you have to make a call to GET /self-service/logout/browser
which returns a JSON response including a logout_url
URL to be used for logout. The call to /self-service/logout/browser
must be made using AJAX with cookies enabled or by including the Ory Session Cookie in the X-Session-Cookie
HTTP Header. You may also use the SDK method createSelfServiceLogoutUrlForBrowsers
to do that.
Additionally, the endpoint DELETE /sessions
has been moved to DELETE /self-service/logout/api
. Payloads and responses stay equal. The SDK method revokeSession
has been renamed to submitSelfServiceLogoutFlowWithoutBrowser
.
We listened to your feedback and have improved the naming of the SDK method initializeSelfServiceRecoveryForNativeApps
to better match what it does: initializeSelfServiceRecoveryWithoutBrowser
. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.
We listened to your feedback and have improved the naming of the SDK method initializeSelfServiceVerificationForNativeApps
to better match what it does: initializeSelfServiceVerificationWithoutBrowser
. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.
We listened to your feedback and have improved the naming of the SDK method initializeSelfServiceSettingsForNativeApps
to better match what it does: initializeSelfServiceSettingsWithoutBrowser
. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.
We listened to your feedback and have improved the naming of the SDK method initializeSelfServiceregistrationForNativeApps
to better match what it does: initializeSelfServiceregistrationWithoutBrowser
. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.
We listened to your feedback and have improved the naming of the SDK method initializeSelfServiceLoginForNativeApps
to better match what it does: initializeSelfServiceLoginWithoutBrowser
. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.
-
Add json detection to setting error subbranches (fb83dcb)
-
Add verification success message (#1526) (126698c), closes #1450
-
Change SMTP config validation from URI to a Regex pattern (#1436) (5ab1e8f), closes #1435
-
Check filesystem before fallback to bundled templates (#1401) (22d999e)
-
Continue button for oidc registration step (2aad5ac), closes #1422 #1320:
When signing up with an OIDC provider and the traits model is missing some fields, the submit button shows all OIDC options. Instead, it should show just one option called "Continue".
-
Do not run network migrations when booting (12bbab9), closes #1399
-
Format test files (0468aa1)
-
Incorrect openapi specification for verification submission (#1431) (ecb0a01), closes #1368
-
Link t docker guide (953c6d6)
-
Mark ui node message as optional (#1365) (7b8d59f), closes #1361 #1362
-
Mark verified_at as omitempty (77b258e):
Closes ory/sdk#46
-
Panic if contextualizer is not set (760035a)
-
Recovery email case sensitive (#1357) (bce14c4), closes #1329
-
Remove changelog (7affb7a)
-
Remove typing from node.attribute.value (63a5e08):
Closes ory/sdk#75 Closes ory/sdk#74 Closes ory/sdk#72
-
Rename client package for external consumption (cba8b00)
-
Resolve build issues on release (7c265a8)
-
Resolve driver issues (47b1c8d)
-
Resolve network regression (8f96b1f)
-
Resolve network regressions (8fc52c0)
-
Testhelper regressions (bf3b04f)
-
Use correct url in submitSelfServiceVerificationFlow (ab8a600)
-
Use session cookie path settings for csrf cookie (#1493) (c6d08ed), closes #1292:
This PR adds configuration option for CSRF cookies and improves the domain alias logic as well as adding tests for it.
-
Use STARTTLS for smtps connections (#1430) (c21bb80), closes #781
-
Version schema (#1359) (8c4bac7), closes #1331 #1101 ory/hydra#2427
- Pin v0.7.0-alpha.1 release commit (53a0e38)
- Corp package (#1402) (0202dc5)
- Finalize SDK refactoring (e772641), closes kratos#1424 #1424
- Identity SDKs (d8658dc), closes #1477
- Improve session sdk (7207af4)
- Introduce DefaultContextualizer in corp package (#1390) (944d045), closes #1363
- Move cleansql to separate package (7c203dc)
- Openapi.json -> api.json (6df0de5)
- Self-service error APIs (65c482f)
- Add docs for registration SPA flow (84458f1)
- Add go sdk examples (e948fad)
- Add kratos quickstart config notes (#1490) (2f8094c)
- Add replit instructions (8ab8607)
- Add tested and running go sdk examples (3b56bb5)
- Correct CII badge (#1447) (048aec3)
- Fix broken link (9eaf764)
- Fix building from source (#1473) (af54d5b)
- Fix typo in "Sign in/up with ID & assword" (#1383) (f39739d)
- Mark login endpoints as experimental (6faf0f6)
- Refactor documentation and adopt changes for #1477 (f5e96cd), closes #1472
- Remove changelog from docs folder (5a7e3d8)
- Resolve build issues (b51bb55)
- Resolve typos and docs react issues (2d640e4)
- Update docs for all flows (d29ea69)
- Update documentation for plaintext templates (#1369) (419784d), closes #1351
- Update error documentation (7d83609)
- Update login flow documentation (a27de91)
- Update path (f0384d9)
- Update README.md Go instructions (#1464) (8db4b4a)
- Update remaining self service documentation (bcc6284)
- Update sdk use (bcb8c06)
- Update settings documentation (258ceaf)
- Use correct path (#1333) (e401135)
-
Add examples for usage of go sdk (870c2bd)
-
Add GetContextualizer (ac32717)
-
Add instana as possible tracing provider (#1429) (abe48a9), closes #1385
-
Add vk and yandex providers to oidc providers and documentation (#1339) (22a3ef9), closes #1234
-
Anti-CSRF measures when fetching flows (#1458) (5171557), closes #1282
-
Configurable recovery/verification link lifetime (f80d4e3)
-
Disable HaveIBeenPwned validation when HaveIBeenPwnedEnabled is set to false (#1445) (44002f4), closes #316:
This patch introduces an option to disable HaveIBeenPwned checks in environments where outbound network calls are disabled.
-
identities: Add a state to identities (#1312) (d22954e), closes #598
-
Improve contextualization in serve/daemon (f83cd35)
-
Include Credentials Metadata in admin api (#1274) (c8b6219), closes #820
-
Include Credentials Metadata in admin api Missing changes in handler (#1366) (a71c220)
-
Natively support SPA for login flows (6ff67af), closes #1138 #668:
This patch adds the long-awaited capabilities for natively working with SPAs and AJAX requests. Previously, requests to the
/self-service/login/browser
endpoint would always end up in a redirect. Now, if theAccept
header is set toapplication/json
, the login flow will be returned as JSON instead. Accordingly, changes to the error and submission flow have been made to supportapplication/json
content types and SPA / AJAX requests. -
Natively support SPA for recovery flows (5461244):
This patch adds the long-awaited capabilities for natively working with SPAs and AJAX requests. Previously, requests to the
/self-service/recovery/browser
endpoint would always end up in a redirect. Now, if theAccept
header is set toapplication/json
, the registration flow will be returned as JSON instead. Accordingly, changes to the error and submission flow have been made to supportapplication/json
content types and SPA / AJAX requests. -
Natively support SPA for registration flows (57d3c57), closes #1138 #668:
This patch adds the long-awaited capabilities for natively working with SPAs and AJAX requests. Previously, requests to the
/self-service/registration/browser
endpoint would always end up in a redirect. Now, if theAccept
header is set toapplication/json
, the registration flow will be returned as JSON instead. Accordingly, changes to the error and submission flow have been made to supportapplication/json
content types and SPA / AJAX requests. -
Natively support SPA for settings flows (ea4395e):
This patch adds the long-awaited capabilities for natively working with SPAs and AJAX requests. Previously, requests to the
/self-service/settings/browser
endpoint would always end up in a redirect. Now, if theAccept
header is set toapplication/json
, the registration flow will be returned as JSON instead. Accordingly, changes to the error and submission flow have been made to supportapplication/json
content types and SPA / AJAX requests. -
Natively support SPA for verification flows (c151500):
This patch adds the long-awaited capabilities for natively working with SPAs and AJAX requests. Previously, requests to the
/self-service/verification/browser
endpoint would always end up in a redirect. Now, if theAccept
header is set toapplication/json
, the registration flow will be returned as JSON instead. Accordingly, changes to the error and submission flow have been made to supportapplication/json
content types and SPA / AJAX requests. -
Support api in settings error (23105db)
-
Support reading session token from X-Session-Token HTTP header (dcaefd9)
-
TLS support for public and admin endpoints (#1466) (7f44f81), closes #791
-
Update openapi specs and regenerate (cac507e)
-
Add tests for cookie behavior of API and browser endpoints (d1b1521)
-
e2e: Greatly improve test performance (#1421) (2ffad9e):
Instead of running the individual profiles as separate Cypress instances, we now use one singular instance which updates the Ory Kratos configuration depending on the test context. This ensures that hot-reloading is properly working while also signficantly reducing the amount of time spent on booting up the service dependencies.
-
e2e: Resolve flaky test issues related to timeouts and speed (b083791)
-
e2e: Resolve recovery regression (72c47d6)
-
e2e: Resolve test config regressions (eb9c4f9)
-
Remove obsolete console.log (3ecc869)
-
Resolve e2e regressions (b0d3b82)
-
Resolve migratest panic (89d05ae)
-
Resolve mobile regressions (868e82e)
-
Resolve oidc regressions (2403082)
- add CoC shield (#1439) (826ed1a), closes #1439
- u (b03549b)
- u (318a31d)
- Format (eca7aff)
- Format (5cc9fc3)
- Format (e525805)
- Format (4a692ac)
- Format (169c0cd)
0.6.3-alpha.1 (2021-05-17)
This release addresses some minor bugs and improves the SDK experience. Please be aware that the Ory Kratos SDK v0.6.3+ have breaking changes compared to Ory Kratos SDK v0.6.2. If you do not wish to update your code, you can keep using the Ory Kratos v0.6.2 SDK and upgrade to v0.6.3+ SDKs at a later stage, as only naming conventions have changed!
Unfortunately, some method signatures have changed in the SDKs. Below is a list of changed entries:
- Error
genericError
was renamed tojsonError
and now includes more information and better typing for errors; - The following functions have been renamed:
initializeSelfServiceLoginViaAPIFlow
->initializeSelfServiceLoginForNativeApps
initializeSelfServiceLoginViaBrowserFlow
->initializeSelfServiceLoginForBrowsers
initializeSelfServiceRegistrationViaAPIFlow
->initializeSelfServiceRegistrationForNativeApps
initializeSelfServiceRegistrationViaBrowserFlow
->initializeSelfServiceRegistrationForBrowsers
initializeSelfServiceSettingsViaAPIFlow
->initializeSelfServiceSettingsForNativeApps
initializeSelfServiceSettingsViaBrowserFlow
->initializeSelfServiceSettingsForBrowsers
initializeSelfServiceRecoveryViaAPIFlow
->initializeSelfServiceRecoveryForNativeApps
initializeSelfServiceRecoveryViaBrowserFlow
->initializeSelfServiceRecoveryForBrowsers
initializeSelfServiceVerificationViaAPIFlow
->initializeSelfServiceVerificationForNativeApps
initializeSelfServiceVerificationViaBrowserFlow
->initializeSelfServiceVerificationForBrowsers
- Some type names have changed, for example
traits
->identityTraits
.
- Improve settings oas definition (867abfc)
- Properly handle CSRF for API flows in recovery and verification strategies (461c829), closes #1141
- session: Use specific headers before bearer use (82c0b54)
- Use correct api spec path (5f41f87)
- Use correct openapi path for validation (#1340) (a0f5673)
- Pin v0.6.3-alpha.1 release commit (5edf952)
-
Improve SDK experience (71b8511):
This patch resolves UX issues in the auto-generated SDKs by using consistent naming and introducing a test suite for the Ory SaaS.
0.6.2-alpha.1 (2021-05-14)
Resolves an issue in the Go SDK.
- Pin v0.6.2-alpha.1 release commit (99c1b1d)
0.6.1-alpha.1 (2021-05-11)
This release primarily addresses issues in the SDK CI pipeline.
- Pin v0.6.1-alpha.1 release commit (1df82da)
0.6.0-alpha.2 (2021-05-07)
This release addresses issues with the SDK pipeline and also closes a bug related to email sending.
- Update node image (eef307e)
- Pin v0.6.0-alpha.2 release commit (a3658ba)
0.6.0-alpha.1 (2021-05-05)
Today Ory Kratos v0.6 has been released! We are extremely happy with this release where we made many changes that pave the path for exciting future additions such as integrating 2FA more easily! We would like to thank the awesome community for the many contributions.
Kratos v0.6 includes an insane amount of work spread over the last five months - 480 commits and over 4200 files changed. The team at Ory would like to thank all the amazing contributors that made this release possible!
Here is a summary of the most important changes:
- Ory Kratos now support highly customizable web hooks - contributed by @dadrus and @martinei;
- Ory Kratos Courier can now be run as a standalone task using
kratos courier watch -c your/config.yaml
. To use the mail courier as a background task of the server runkratos serve --watch-courier
- contributed by @mattbonnell; - Reworked migrations to ensure stable migrations in production systems - backward compatibility is ensured and tested;
- Upgraded to Go 1.16 and removed all static file packers, greatly improving build time;
- Refactored our SDK pipeline from Swagger 2.0 to OpenAPI Spec 3.0. Ory's SDKs are now properly typed and bugs can easily be addressed using a patch process. Due to this, we had to move away from go-swagger client generation for the Go SDK and replace it with openapi-generator. This, unfortunately, introduced breaking changes in the Go SDK APIs. If you have problems migrating, or have a tutorial on how to migrate, please share it with the community on GitHub!
- Created reliable health and status checks by ensuring that e.g. migrations have completed;
- Made resilient CLI client commands e.g. kratos identities list;
- Better support for cookies in multi-domain setups called domain aliasing;
- A new, dynamically generated FAQ;
- Enhanced GitHub and Google claims parsing;
- Faster and more resilient CI/CD pipeline;
- Improvements for running Ory Kratos in secure Kubernetes environments;
- Better Helm Charts for Ory Kratos;
- Support for BCrypt hashing, which is now the default hashing implementation. Existing Argon2id hashes will be automatically translated to BCrypt hashes when the user signs in the next time. We recommend using Argon2id in use cases where password hashing is required to take at least 2 seconds. For regular web workloads (200ms) BCrypt is recommended - contributed by @seremenko-wish;
- The Argon2 memory configuration is now human readable:
hashers.argon2.memory: 131072
->hashers.argon2.memory: 131072B
(supports kb, mb, kib, mib, ...). - Add possibility to keep track of the return_to URLs for verification_flows after sign up using the new
after_verification_return_to
query parameter (e.g.http://foo.com/registration?after_verification_return_to=verification_callback
) - contributed by @mattbonnell; - Emails are now populated at delivery time, offering more flexibility in terms of templating;
- Emails contain a plaintext variant for email clients that do not display HTML emails - contributed by @mattbonnell;
- Mitigation for password hash timing attacks by adding a random delay to login attempts where the user does not exist;
- Resolving SDKs issues for whoami requests;
- Simplified database schema for faster processing, significantly reducing the amount of data stored and latency as several JOINS have been removed;
- Support for binding the HTTP server on UNIX sockets - contributed by @sloonz;
There are even more contributions by @NickUfer and harnash. In total, 33 people contributed to this release! Thank you all!
IMPORTANT: Please be aware that the database schema has changed significantly. Applying migrations might, depending on the size of your tables, take a long time. If your database does not support online schema migrations, you will experience downtimes. Please test the migration process before applying it to production!
The probably biggest and most significant change is the refactoring of how self-service flows work and what their payloads look like. This took the most amount of time and introduces the biggest breaking changes in our APIs. We did this refactoring to support several flows planned for Ory Kratos 0.7:
- Displaying QR codes (images) in login, registration, settings flows - necessary for TOTP 2FA;
- Asking the login/registration/... UI to render JavaScript - necessary for CAPTCHA, WebAuthN, and more;
- Refactoring the form submission API to use one endpoint per flow instead of one endpoint per flow per method. This allows us to process several registration/settings/login/... methods such as password + 2FA in one Go.
Check out how we migrated the NodeJS app from the Ory Kratos 0.5 to Ory Kratos 0.6 SDK.
Let's take a look into how these payloads have changed (the flows have identical configuration):
Ory Kratos v0.5
Login
{
"id": "ee6e1565-d3c3-4f3a-a6ff-0ba6b3a6481b",
"type": "browser",
"expires_at": "2020-09-13T10:49:54.8295242Z",
"issued_at": "2020-09-13T10:39:54.8295242Z",
"request_url": "http://127.0.0.1:4433/self-service/login/browser",
"methods": {
"password": {
"method": "password",
"config": {
"action": "http://127.0.0.1:4433/self-service/login/methods/password?flow=ee6e1565-d3c3-4f3a-a6ff-0ba6b3a6481b",
"method": "POST",
"fields": [
{
"name": "identifier",
"type": "text",
"required": true,
"value": ""
},
{
"name": "password",
"type": "password",
"required": true
},
{
"name": "csrf_token",
"type": "hidden",
"required": true,
"value": "lNrB8sW2fZY6xnnA91V7ISYrUVcJbmRCOoGHjsnsfI7MsIL5RTbuWFm5TRv1azQW+7IRCfnt2Ch6pC42/45sJQ=="
}
]
}
}
},
"forced": false
}
Registration
{
"id": "2b1f8c5d-e830-4068-97b8-35f776df9217",
"type": "browser",
"expires_at": "2020-09-13T10:53:15.1774019Z",
"issued_at": "2020-09-13T10:43:15.1774019Z",
"request_url": "http://127.0.0.1:4433/self-service/registration/browser",
"active": "password",
"messages": null,
"methods": {
"password": {
"method": "password",
"config": {
"action": "http://127.0.0.1:4433/self-service/registration/methods/password?flow=2b1f8c5d-e830-4068-97b8-35f776df9217",
"method": "POST",
"fields": [
{
"name": "csrf_token",
"type": "hidden",
"required": true,
"value": "1IlHWNjkAZxuYhO82WPgNTgujKsUSaW87j6og/20i2uM4wRTWGSSUg0dJ2fbXa8C5bfM9eTKGdauGwE7y9abwA=="
},
{
"name": "password",
"type": "password",
"required": true,
"messages": [
{
"id": 4000005,
"text": "The password can not be used because the password has been found in at least 23597311 data breaches and must no longer be used..",
"type": "error",
"context": {
"reason": "the password has been found in at least 23597311 data breaches and must no longer be used."
}
}
]
},
{
"name": "traits.email",
"type": "text",
"value": "[email protected]"
},
{
"name": "traits.name.first",
"type": "text",
"value": "Ory"
},
{
"name": "traits.name.last",
"type": "text",
"value": "Corp"
}
]
}
}
}
}
Ory Kratos v0.6
Login
As you can see below, the input name identifier
has changed to password_identifier
.
{
"id": "07016811-917d-4788-bb9c-fc297897af6c",
"type": "browser",
"expires_at": "2021-04-28T08:37:53.924337873Z",
"issued_at": "2021-04-28T08:27:53.924337873Z",
"request_url": "http://127.0.0.1:4433/self-service/login/browser",
"ui": {
"action": "http://127.0.0.1:4433/self-service/login?flow=07016811-917d-4788-bb9c-fc297897af6c",
"method": "POST",
"nodes": [
{
"type": "input",
"group": "default",
"attributes": {
"name": "csrf_token",
"type": "hidden",
"value": "IuiHo8fajl6Nwi2CfR33bmC7ZI+geYY44oinK/npkS9gaeV6DlkzS0voYZuyGawsCruvlawFl/pY6/Ph6d9JVg==",
"required": true,
"disabled": false
},
"messages": null,
"meta": {}
},
{
"type": "input",
"group": "password",
"attributes": {
"name": "password_identifier",
"type": "text",
"value": "",
"required": true,
"disabled": false
},
"messages": null,
"meta": {
"label": {
"id": 1070004,
"text": "ID",
"type": "info"
}
}
},
{
"type": "input",
"group": "password",
"attributes": {
"name": "password",
"type": "password",
"required": true,
"disabled": false
},
"messages": null,
"meta": {
"label": {
"id": 1070001,
"text": "Password",
"type": "info"
}
}
},
{
"type": "input",
"group": "password",
"attributes": {
"name": "method",
"type": "submit",
"value": "password",
"disabled": false
},
"messages": null,
"meta": {
"label": {
"id": 1010001,
"text": "Sign in",
"type": "info",
"context": {}
}
}
}
]
},
"forced": false
}
Registration
{
"id": "f0c0830a-f5b2-4c2d-a37f-2e70152a4f7c",
"type": "browser",
"expires_at": "2021-04-28T08:54:12.951178972Z",
"issued_at": "2021-04-28T08:44:12.951178972Z",
"request_url": "http://127.0.0.1:4433/self-service/registration/browser",
"ui": {
"action": "http://127.0.0.1:4433/self-service/registration?flow=f0c0830a-f5b2-4c2d-a37f-2e70152a4f7c",
"method": "POST",
"nodes": [
{
"type": "input",
"group": "default",
"attributes": {
"name": "csrf_token",
"type": "hidden",
"value": "408SIAOvpKxW/WbcYfKue26MlLTMbON7T7JT1yhiSemhznD5yiwZuZDXKsWu9vU5BIxfrsAQ8rn10QcdOFSRkA==",
"required": true,
"disabled": false
},
"messages": null,
"meta": {}
},
{
"type": "input",
"group": "password",
"attributes": {
"name": "traits.email",
"type": "email",
"disabled": false
},
"messages": null,
"meta": {
"label": {
"id": 1070002,
"text": "E-Mail",
"type": "info"
}
}
},
{
"type": "input",
"group": "password",
"attributes": {
"name": "password",
"type": "password",
"required": true,
"disabled": false
},
"messages": null,
"meta": {
"label": {
"id": 1070001,
"text": "Password",
"type": "info"
}
}
},
{
"type": "input",
"group": "password",
"attributes": {
"name": "traits.name.first",
"type": "text",
"disabled": false
},
"messages": null,
"meta": {
"label": {
"id": 1070002,
"text": "First Name",
"type": "info"
}
}
},
{
"type": "input",
"group": "password",
"attributes": {
"name": "traits.name.last",
"type": "text",
"disabled": false
},
"messages": null,
"meta": {
"label": {
"id": 1070002,
"text": "Last Name",
"type": "info"
}
}
},
{
"type": "input",
"group": "password",
"attributes": {
"name": "method",
"type": "submit",
"value": "password",
"disabled": false
},
"messages": null,
"meta": {
"label": {
"id": 1040001,
"text": "Sign up",
"type": "info",
"context": {}
}
}
}
]
}
}
These changes are analogous to settings, recovery, verification as well!
We hope you enjoy these new features as much as we do, even if we were not able to deliver 2FA in time for 0.6!
On the last note, Ory Platform, a SaaS is launching in May as early access. It includes Ory Kratos as a managed service and we plan on adding all the other Ory open source technology soon. In our view, Ory is a 10x improvement to the existing "IAM" ecosystem:
- The major components of Ory Platform are and will remain Apache 2.0 licensed open source. We are not changing our approach or commitment to open source. The SaaS model allows us to keep commercialization and open source in harmony;
- Affordable pricing - Ory does not charge on a per identity basis;
- Supporting migrations from the Ory Platform (SaaS) to the open-source and vice versa;
- Offering a planet-scale service with ultra-low latencies no matter where your users are;
- The largest set of features and APIs of any Identity Product, including Identity and Credentials Management (Ory Kratos), Permissions and Access Control (Ory Keto), Zero-Trust Networking (Ory Oathkeeper), OAuth2, and OpenID Connect (Ory Hydra) plus integrations with Stripe, Mailchimp, Salesforce, and much more.
- Data aggregation for threat mitigation, auditing, and other use cases (e.g. integration with Snowflake, AWS RedShift, GCP BigQuery, ...)
- All the advantages of the open source projects - headless, fully customizable, strong security, built with a community; If you wish to become a part of the preview, please write a short email to [email protected]. Early access adopters are also eligible for Ory Hypercare - helping you integrate with Ory fast and designing your security architecture following industry best practices.
Thank you for being a part of our community!
BCrypt is now the default hashing alogrithm. If you wish to continue using Argon2id please set hashers.algorithm
to argon2
.
This implies a significant breaking change in the verification flow payload. Please consult the new ui documentation. In essence, the login flow's methods
key was replaced with a generic ui
key which provides information for the UI that needs to be rendered.
To apply this patch you must apply SQL migrations. These migrations will drop the flow method table implying that all verification flows that are ongoing will become invalid. We recommend purging the flow table manually as well after this migration has been applied, if you have users doing at least one self-service flow per minute.
This implies a significant breaking change in the recovery flow payload. Please consult the new ui documentation. In essence, the login flow's methods
key was replaced with a generic ui
key which provides information for the UI that needs to be rendered.
To apply this patch you must apply SQL migrations. These migrations will drop the flow method table implying that all recovery flows that are ongoing will become invalid. We recommend purging the flow table manually as well after this migration has been applied, if you have users doing at least one self-service flow per minute.
This implies a significant breaking change in the settings flow payload. Please consult the new ui documentation. In essence, the login flow's methods
key was replaced with a generic ui
key which provides information for the UI that needs to be rendered.
To apply this patch you must apply SQL migrations. These migrations will drop the flow method table implying that all settings flows that are ongoing will become invalid. We recommend purging the flow table manually as well after this migration has been applied, if you have users doing at least one self-service flow per minute.
This implies a significant breaking change in the registration flow payload. Please consult the new ui documentation. In essence, the login flow's methods
key was replaced with a generic ui
key which provides information for the UI that needs to be rendered.
To apply this patch you must apply SQL migrations. These migrations will drop the flow method table implying that all registration flows that are ongoing will become invalid. We recommend purging the flow table manually as well after this migration has been applied, if you have users doing at least one self-service flow per minute.
This implies a significant breaking change in the login flow payload. Please consult the new ui documentation. In essence, the login flow's methods
key was replaced with a generic ui
key which provides information for the UI that needs to be rendered.
To apply this patch you must apply SQL migrations. These migrations will drop the flow method table implying that all login flows that are ongoing will become invalid. We recommend purging the flow table manually as well after this migration has been applied, if you have users doing at least one self-service flow per minute.
This change introduces a new feature: UI Nodes. Previously, all self-service flows (login, registration, ...) included form fields (e.g. methods.password.config.fields
). However, these form fields lacked support for other types of UI elements such as links (for e.g. "Sign in with Google"), images (e.g. QR codes), javascript (e.g. WebAuthn), or text (e.g. recovery codes). With this patch, these new features have been introduced. Please be aware that this introduces significant breaking changes which you will need to adopt to in your UI. Please refer to the most recent documentation to see what has changed. Conceptionally, most things stayed the same - you do however need to update how you access and render the form fields.
Please be also aware that this patch includes SQL migrations which purge existing self-service forms from the database. This means that users will need to re-start the login/registration/... flow after the SQL migrations have been applied! If you wish to keep these records, make a back up of your database prior!
This change introduces a new feature: UI Nodes. Previously, all self-service flows (login, registration, ...) included form fields (e.g. methods.password.config.fields
). However, these form fields lacked support for other types of UI elements such as links (for e.g. "Sign in with Google"), images (e.g. QR codes), javascript (e.g. WebAuthn), or text (e.g. recovery codes). With this patch, these new features have been introduced. Please be aware that this introduces significant breaking changes which you will need to adopt to in your UI. Please refer to the most recent documentation to see what has changed. Conceptionally, most things stayed the same - you do however need to update how you access and render the form fields.
Please be also aware that this patch includes SQL migrations which purge existing self-service forms from the database. This means that users will need to re-start the login/registration/... flow after the SQL migrations have been applied! If you wish to keep these records, make a back up of your database prior!
The configuration value for hashers.argon2.memory
is now a string representation of the memory amount including the unit of measurement. To convert the value divide your current setting (KB) by 1024 to get a result in MB or 1048576 to get a result in GB. Example: 131072
would now become 128MB
.
Co-authored-by: aeneasr [email protected] Co-authored-by: aeneasr [email protected]
Please run SQL migrations when applying this patch.
The following configuration keys were updated:
selfservice.methods.password.config.max_breaches
password.max_breaches
->selfservice.methods.password.config.max_breaches
password.ignore_network_errors
->selfservice.methods.password.config.ignore_network_errors
After battling with spf13/viper for several years we finally found a viable alternative with knadh/koanf. The complete internal configuration infrastructure has changed, with several highlights:
- Configuration sourcing works from all sources (file, env, cli flags) with validation against the configuration schema, greatly improving developer experience when changing or updating configuration.
- Configuration reloading has improved significantly and works flawlessly on Kubernetes.
- Performance increased dramatically, completely removing the need for a cache layer between the configuration system and ORY Hydra.
- It is now possible to load several config files using the
--config
flag. - Configuration values are now sent to the tracer (e.g. Jaeger) if tracing is enabled.
Please be aware that ORY Kratos might complain about an invalid configuration, because the validation process has improved significantly.
-
Add include stub go files (6d725b1)
-
Add index to migration status (8c6ec27)
-
Add node_modules to format tasks (e5f6b36)
-
Add titles to identity schema (73c15d2)
-
Adopt to new go-swagger changes (5c45bd9)
-
Avoid unicode-escaping ampersand in recovery URL query string (#1212) (d172368)
-
Bcrypt regression in credentials counting (23fc13b)
-
Broken make quickstart-dev task (#980) (999828a), closes #965
-
Call contextualized test helpers (e1f3f78)
-
cmd: Make HTTP calls resilient (e8ed61f)
-
Code integer parsing bit size (#1178) (31e9632):
In some cases we had a wrong bitsize of
64
, while the var was later cast toint
. Replaced with a bitsize of0
, which is the value to cast toint
. -
Contextualize identity persister (f8640c0)
-
Convert all identifiers to lower case on login (#815) (d64b575), closes #814
-
Courier message dequeue race condition (#1024) (5396a82), closes #652 #732:
Fixes the courier message dequeuing race condition by modifying
*sql.Persister.NextMessages(ctx context.Context, limit uint8)
to retrieve only messages with statusMessageStatusQueued
and update the status of the retrieved messages toMessageStatusProcessing
within a transaction. On message send failure, the message's status is reset toMessageStatusQueued
, so that the message can be dequeued in a subsequentNextMessages
call. On message send success, the status is updated toMessageStatusSent
(no change there). -
Define credentials types as sql template and resolve crdb issue (a2d6eeb)
-
Dereference pointer types from new flow structures (#1019) (efedc92)
-
Do not publish version at public endpoint (3726ed4)
-
Do not reset registration method (554bb0b)
-
Do not return system errors for missing identifiers (1fcc855), closes #1286
-
Export mailhog dockertest runner (1384148)
-
Fork audit logger from root logger (68a09e7)
-
Give specific message instead of only 404 when method is disabled (#1025) (2f62041):
Enabled strategies are not only used for handlers but also in other areas (e.g. populating the flow methods). So we should keep the logic to get enabled strategies and add new functions for getting all strategies.
-
hashing: Make bcrypt default hashing algorithm (04abe77)
-
Ignore unset domain aliases (ada6997)
-
Improve cli error output (43e9678)
-
Improve error stack trace (4351773)
-
Improve test contextualization (2f92a70)
-
Initialize randomdelay with seeded source (9896289)
-
Insert credentials type constants as part of migrations (#865) (92b79b8), closes #861
-
Linking a connection may result in system error (#990) (be02a70), closes #694
-
Marking whoami auhorization parameter as 'in header' (#1244) (62d8b85), closes #1215
-
Move schema loaders to correct file (029781f)
-
Move to new transaction-safe migrations (#1063) (2588fb4):
This patch introduces a new SQL transaction model for running SQL migrations. This fix is particularly targeted at CockroachDB which has limited support for mixing DDL and DML statements.
Previously it could happen that migrations failure needed manual intervention. This has now been resolved. The new migration model is compatible with the old one and should work without a problem.
-
Pass down context to registry (0879446)
-
Re-enable SDK generation (1d5854d)
-
Record cypress runs (db35d8f)
-
Rehydrate settings form on successful submission (3457e1a), closes #1305
-
Remove absolete 'make pack' from Dockerfile (#1172) (b8eb908)
-
Remove continuity cookies on errors (85eea67)
-
Remove include stubs (1764e3a)
-
Remove obsolete clihelpers (230fd13)
-
Remove record from bash script (84a9315)
-
Remove trailing double-dot from error (59581e3)
-
Remove unused sql migration (1445d1d)
-
Remove unused var (30a8cee)
-
Remove verify hook (98cfec6), closes #1302:
The verify hook is automatically used when verification is enabled and has been removed as a configuration option.
-
Resolve build and release issues (fb582aa)
-
Resolve clidoc issues (599e9f7)
-
Resolve compile issues (63063c1)
-
Resolve contextualized table issues (5a4f0d9)
-
Resolve crdb migration issue (9f6edfd)
-
Resolve double hook invokation for registration (032322c)
-
Resolve incorrect field types on oidc sign up completion (f88b6ab)
-
Resolve lint issues (0348825)
-
Resolve lint issues (75a995b)
-
Resolve linting issues and disable nancy (c8396f6)
-
Resolve mail queue issues (b968bc4)
-
Resolve merge regressions (9862ac7)
-
Resolve oidc e2e regressions (f28087a)
-
Resolve oidc regressions and e2e tests (f5091fa)
-
Resolve potential fsnotify leaks (3159c0a)
-
Resolve regressions and test failures (8bae356)
-
Resolve regressions in cookies and payloads (9e34bf2)
-
Resolve settings sudo regressions (4b611f3)
-
Resolve test regressions (e3fb028)
-
Resolve ui issues with nested form objects (8e744b9)
-
Resolve update regression (d0d661a)
-
Return delay instead of sleeping to improve tests (27b977e)
-
Revert generator changes (c18b97f)
-
Run correct error handler for registration hooks (0d80447)
-
Simplify data breaches password error reason (#1136) (33d29bf):
This PR simplifies the error reason given when a password has appeared in data breaches to not include the actual number and rather just show "this password has appeared in data breaches and must not be used".
-
Support form and json formats in decoder (d420fe6)
-
Update openapi definitions for signup (eb0b69d)
-
Update quickstart node image (c19b2f4):
See ory#1301
-
Update to new goreleaser config (4c2a1b7)
-
Update to new healthx (6ec987a)
-
Use equalfold (1c0e52e)
-
Use new TB interface (d75a378)
-
Use numerical User ID instead of name to avoid k8s security warnings (#1151) (468a12e):
Our docker image scanner does not allow running processes inside container using non-numeric User spec (to determine if we are trying to run docker image as root).
-
Use remote dependencies (1e56457)
- Pin v0.6.0-alpha.1 release commit (507d13a)
-
Adapt new sdk in testhelpers (6e15f6f)
-
Add nid everywhere (407fd95)
-
Contextualize everything (7ebc3a9):
This patch contextualizes all configuration and DBAL models.
-
Do not use prefixed node names (fc42ece)
-
Improve Argon2 tooling (#961) (3151187), closes #955:
This adds a load testing CLI that allows to adjust the hasher parameters under simulated load.
-
Move faker to exportable module (09f8ae5)
-
Move migratest helpers to ory/x (7eca67e)
-
Move password config to selfservice (cd0e0eb)
-
Move to go 1.16 embed (43c4a13):
This patch replaces packr and pkged with the Go 1.16 embed feature.
-
Remove password node attribute prefix (e27fae4)
-
Remove profile node attribute prefix (a3ff6f7)
-
Rename config structs and interfaces (4a2f419)
-
Rename form to container (5da155a)
-
Replace flow's forms with new ui node module (647eb1e)
-
Replace flow's forms with new ui node module (f74a5c2)
-
Replace login flow methods with ui container (d4ca364)
-
Replace recovery flow methods with ui container (cac0456)
-
Replace registration flow methods with ui container (3f6388d)
-
Replace settings flow methods with ui container (0efd17e)
-
Replace verification flow methods with ui container (dbf2668)
-
Replace viper with koanf config management (5eb1bc0)
-
Update RegisterFakes calls (6268310)
-
Use underscore in webhook auth types (26829d2)
-
Add docker to docs main (8ce8b78)
-
Add docker to sidebar (ed38c88)
-
Add log docs to schema config (4967f11)
-
Add more HA docs (cbb2e27)
-
Add Rust and Dart SDKs (6d96952):
We now support for Rust and Dart SDKs!
-
Add SameSite help (2df6729)
-
Add shell-session language (d16db87)
-
Add ui node docs (e48a07d)
-
Bcrypt is default and add 72 char warning (29ae53a)
-
Describe more about Kratos login/browser flow on quickstart doc (#1047) (fe725ad)
-
Document hash timing attack mitigation (ec86993)
-
Explain how to use
after_verification_return_to
(7e1546b) -
Fix failing build (0de328f)
-
Fix link (7f6d7f5)
-
Fix note block in third party login guide (#920) (745cea0):
Allows the document to render properly
-
Link to argon2 blogpost and add cross-references (#1038) (9ab7c3d)
-
Make explicit the ID of the default schema (#1173) (cc6e9ff)
-
ORY -> Ory (ea30979)
-
prometheus: Update codedoc (47146ea)
-
Reformat settings code samples (cdbbf4d)
-
Remove unnecessary and wrong docker pull commands (#1203) (2b0342a)
-
Resolve duplication error (a3d8284)
-
Update identity-data-model links (b5fd9a3)
-
Update identity.ID field documentation (4624f03):
See ory#956
-
Update login code samples (695a30f)
-
Update login code samples (ce6c755)
-
Update quickstart samples (c3fcaba)
-
Update recovery code samples (d9fbb62)
-
Update registration code samples (317810f)
-
Update self-service code samples (6415011)
-
Update settings code samples (bbd6266)
-
Update verification code samples (4285dec)
-
Use correct extension for identity-data-model (acab3e8), closes /github.com/ory/kratos/pull/1197#issuecomment-819455322
-
Add error for when no login strategy was found (6bae66c)
-
Add facebook provider to oidc providers and documentation (#1035) (905bb03), closes #1034
-
Add gh login to claims (49deb2e)
-
Add login strategy text message (7468c83)
-
Add more tests for multi domain args (e99803b)
-
Add random delay to login flow (#1088) (cb9894f), closes #832
-
Add return_url to verification flow (#1149) (bb99912), closes #1123 #1133
-
Add sql migrations for new login flow (e947edf)
-
Add sql tracing (3c4cc1c)
-
Add tracing to config schema (007dde4)
-
Add transporter with host modification (2c41b81)
-
Add workaround template for go openapi (5d72d10)
-
Allow session cookie name configuration (77ce316), closes #268
-
Allow specifying sender name in smtp.from_address (#1100) (5904fe3)
-
Bcrypt algorithm support (#1169) (b2612ee):
This patch adds the ability to use BCrypt instead of Argon2id for password hashing. We recommend using BCrypt for web workloads where password hashing should take around 200ms. For workloads where login takes >= 2 seconds, we recommend to continue using Argon2id.
To use bcrypt for password hashing, set your config as follows:
hashers: bcrypt: cost: 12 algorithm: bcrypt
Switching the hashing algorithm will not break existing passwords!
Co-authored-by: Patrik [email protected]
-
Check migrations in health check (c6ef7ad)
-
Configure domain alias as query param (9d8563e)
-
Contextualize configuration (d3d5327)
-
Contextualize health checks (8145a1c)
-
Contextualize http client in cli calls (3b3ef8f)
-
Contextualize persitence testers (6440373)
-
Courier foreground worker with "kratos courier watch" (#1062) (500b8ba), closes #1033 #1024:
BREACKING CHANGES: This patch moves the courier watcher (responsible for sending mail) to its own foreground worker, which can be executed as a, for example, Kubernetes job.
It is still possible to have the previous behaviour which would run the worker as a background task when running
kratos serve
by using the--watch-courier
flag.To run the foreground worker, use
kratos courier watch -c your/config.yaml
. -
courier: Allow sending individual messages (cbb2c0b)
-
Do not enforce bcrypt 12 for dev envs (bbf44d8)
-
Export and add config options (4391fe5)
-
Expose courier worker (f50969e)
-
Expose crdb ui (504d518)
-
Implement and test domain aliasing (1516a54):
This patch adds a feature called domain aliasing. For more information, head over to http://ory.sh/docs/kratos/next/guides/multi-domain-cookies
-
Improve oas spec and fix mobile tests (4ead2c8)
-
Improve sorting of ui fields (797b49d):
See ory#1196
-
Include schema (348a493)
-
Migrate to openapi v3 (595224b)
-
Populate email templates at delivery time, add plaintext defaults (#1155) (7749c7a), closes #1065
-
schema: Add totp errors (a61f881)
-
Sort and label nodes with easy to use defaults (cbec27c):
Ory Kratos takes a guess based on best practices for
- ordering UI nodes (e.g. email, password, submit button)
- grouping UI nodes (e.g. keep password and oidc nodes together)
- labeling UI nodes (e.g. "Sign in with GitHub")
- using the "title" attribute from the identity schema to label trait fields
This greatly simplifies front-end code on your end and makes it even easier to integrate with Ory Kratos! If you want a custom experience with e.g. translations or other things you can always adjust this in your UI integration!
-
Support base64 inline schemas (815a248)
-
Support contextual csrf cookies (957ef38)
-
Support domain aliasing in session cookie (0681c12)
-
Support label in oidc config (a99cdcd)
-
Support retryable CRDB transactions (f0c21d7)
-
Web hooks support (recovery) (#1289) (3e181fe), closes #271:
feat: web hooks for self-service flows
This feature adds the ability to define web-hooks using a mixture of configuration and JsonNet. This allows integration with services like Mailchimp, Stripe, CRMs, and all other APIs that support REST requests. Additional to these new changes it is now possible to define hooks for verification and recovery as well!
For more information, head over to the hooks documentation.
- Add case to ensure correct behavior when verifying a different email address (#999) (f95a117), closes #998
- Add oasis test case (f80691b)
- Bump poll interval (b3dc925)
- Bump video quality (b7f8d04)
- Bump wait times (b2e43f8)
- Clean up hydra env before restart (cf49414)
- e2e: Significantly reduce wait and idle times (f525fc5)
- Longer wait times (4bec9ef)
- Reliable migration tests on crdb (2e3764b)
- Remove old noop test (16dca3f)
- Resolve compile issues (c1b5ba4)
- Resolve flaky tests (cb670a8)
- Resolve json parser test regression (a1b9b9a)
- Resolve login integration regressions (388b5b2)
- Resolve migration regression (2051a71)
- Resolve more json parser test regressions (ff791c4)
- Resolve more regressions (c5a23af)
- Resolve order regression (40a849c)
- Resolve regression (e2b0ad3)
- Resolve regression (f0c9e5f)
- Resolve regressions (4b9da3c)
- Resolve stub regressions (82650cf)
- Resolve test migrations (de0b65d)
- Resolve test regression issues (ccf9fed)
- Speed up tests (a16737c)
- Update schema tests for webhooks (d1ddfa8)
- Update test description (55fb37f)
- Use bcrypt cost 4 to reduce CI times (cabe97d)
- Use fast bcrypt for e2e (d90cf13)
- fix: resolve clidoc issues (#976) (346bc73), closes #976 #951
- 🐛 fix ory home directory path (#897) (2fca2be), closes #897
- Fix typo in config schema (16337f1)
- Format (e4b7e79)
- Format (193d266)
- Format (1ebfbde)
- Format (ba1eeef)
- Format (ada5dbb)
- Format (17a0bf5)
- Initial documentation tests via Text-Runner (#567) (c30eb26)
0.5.5-alpha.1 (2020-12-09)
The ORY Community is proud to present you the next iteration of ORY Kratos. In this release, we focused on improving production stability!
-
CSRF token is required when using the Revoke Session API endpoint (#839) (d3218a0), closes #838
-
Make password policy configurable (#888) (7a00483), closes #450 #316:
Allows configuring password breach thresholds and optionally enforces checks against the HIBP API.
-
Set samesite attribute to lax if in dev mode (#824) (91d6698), closes #821
-
Use working cache-control header for cdn/proxies/cache (#869) (d8e3d40), closes #601
- Pin v0.5.5-alpha.1 release commit (83aedcb)
-
Add contributing to sidebar (#866) (44f33f9):
The same change as in ory/hydra#2209
-
Add newsletter to config (1735ca2)
-
Add recovery flow (#868) (d95cfe9), closes #864:
Added a short section for the recovery flow on managing-user-identities.
-
Swagger specs for selfservice settings browser flow (#825) (28d50f4)
-
Update oidc provider with json conf support (#833) (670eb37)
- Add return_to parameter to logout flow (#823) (1c146dd), closes #702
- Add selinux compatible quickstart config (#889) (0f87948), closes #831
0.5.4-alpha.1 (2020-11-11)
This release introduces the new CLI command kratos hashers argon2 calibrate 500ms
. This command will choose the best parameterization for Argon2. Check out the Choose Argon2 Parameters for Secure Password Hashing and Login blog article for more insights!
-
Force brew install statement (#796) (ad542ad):
Closes ory/homebrew-kratos#1
- Pin v0.5.4-alpha.1 release commit (b02926c)
- Move pkger and ioutil helpers to ory/x (60a0fc4)
- Fix another broken link (15bae9f)
- Fix broken links (#795) (0ab0e7e), closes #793
- Fix broken relative link (#812) (b32b173)
- Fix links (#800) (5fcc272)
- Fix oidc config examples (#799) (8a4f480)
- Fix self-service recovery flow typo (#807) (800110d)
- Remove duplicate words & fix spelling (#810) (4e1b966)
- Remove leftover category from reference sidebar (#813) (94fde51)
- Use correct links (#797) (a4de293)
-
Add helper for choosing argon2 parameters (#803) (ca5a69b), closes #723 #572 #647:
This patch adds the new command "hashers argon2 calibrate" which allows one to pick the desired hashing time for password hashing and then chooses the optimal parameters for the hardware the command is running on:
$ kratos hashers argon2 calibrate 500ms Increasing memory to get over 500ms: took 2.846592732s in try 0 took 6.006488824s in try 1 took 4.42657975s with 4.00GB of memory [...] Decreasing iterations to get under 500ms: took 484.257775ms in try 0 took 488.784192ms in try 1 took 486.534204ms with 3 iterations Settled on 3 iterations. { "memory": 1048576, "iterations": 3, "parallelism": 32, "salt_length": 16, "key_length": 32 }
0.5.3-alpha.1 (2020-10-27)
This release improves the developer and user experience around CSRF counter-measures. It should now be possible to use the self-service API flows without having to explicitly disable cookie features in your SDKs and integrations. Additionally, another issue in the CGO pipeline was resolved which finally allows running ORY Kratos without CGO if the target database is not SQLite.
Further improvements to default config values have been made and a full end-to-end test suite for the exemplary kratos-selfservice-ui-react-native app. The app is now available in the iTunes store as well - just search for "ORY Profile App"!
-
Add "x-session-token" to default allowed headers (3c912e4)
-
Do not set cookies on api endpoints (2f67c28)
-
Do not set csrf cookies on potential api endpoints (4d97a95)
-
Ignore unsupported migration dialects (12bb8d1), closes #778:
Skips sqlite3 migrations when support is lacking.
-
Improve semver regex (584c0b5)
-
Properly set nosurf context even when ignored (0dcb774)
-
Update cypress (ba8b172)
-
Use correct regex for version replacement (ce870ab), closes #787
- Pin v0.5.3-alpha.1 release commit (64dc91a)
- Fix docosaurus admonitions (#788) (281a7c9)
- Pin download script version (e4137a6)
- Remove trailing garbage from quickstart (#787) (7e70924)
- Improve makefile install process and update deps (d1eb37f)
- Add e2e tests for mobile (d481d51)
- Add option to disable csrf protection in apis (a0077f1)
- Bump wait time (7a719e1)
- Install expo-cli globally (db21cfa)
- Install expo-cli in cci config with sudo (d255f46)
- Log wait-on output (62b5ba9)
- Output web server address (cb41ca7)
- Resolve csrf test issues in settings (ef8ba7d)
- Resolve test panic (6f6461f)
- Revert delay increase and improve install scripts (1eafcaa)
0.5.2-alpha.1 (2020-10-22)
This release addresses bugs and user experience issues.
- Add debug quickstart yml (#780) (16e6b4d)
- Gracefully handle double slashes in URLs (aeb9414), closes #779
- Merge gobuffalo CGO fix (fea2e77)
- Remove obsolete recovery_token and add link to schema (acf6ac4)
- Return correct error in login csrf (dd9cab0), closes #785
- Use correct assert package (76be5b0)
- Pin v0.5.2-alpha.1 release commit (79fcd8a)
- Add tests for csrf behavior (48993e2), closes #785
- Mark link as enabled in e2e test (c214b81)
- Resolve schema test regression (bb7af1b)
0.5.1-alpha.1 (2020-10-20)
This release resolves an issue where ORY Kratos Docker Images without CGO and SQLite support would fail to boot even when SQLite was not used as a data source.
- Do not require sqlite without build tag (2ee787b)
- Use extra dc config file for quickstart-dev (72c03f9)
- Pin v0.5.1-alpha.1 release commit (b85b36b)
- Fix spelling mistake (14e7f65)
- Fix spelling mistake (#772) (bf401a2)
- Improve schemas (#773) (e614859)
- Auto-update docker and git tags on release (08084a9)
- Use fixed versions for docker-compose (e73c4ce)
- Format (8be02c8)
0.5.0-alpha.1 (2020-10-15)
The ORY team and community is very proud to present the next ORY Kratos iteration!
ORY Kratos is now capable of handling native (iOS, Android, Windows, macOS, ...) login, registration, settings, recovery, and verification flows. As a goodie on top, we released a reference React Native application which you can find on GitHub.
We co-released our reference React Native application which acts as a reference on implementing these flows:
In total, almost 1200 files were changed in about 480 commits. While you can find a list of all changes in the changelist below, these are the changes we are most proud of:
- We renamed login, registration, ... requests to "flows" consistently across the code base, APIs, and data storage. We now:
- Initiate a login, registration, ... flow;
- Fetch a login, registration, ... flow; and
- Complete a login, registration, ... flow using a login flow method such as "Log in with username and password".
- All self-service flows are now capable of handling API-based requests that do not originate from Browser such as Chrome. This is set groundwork for handling native flows (see above)!
- The self service documentation has been refactored and simplified. We added code samples, screenshots, payloads, and curl commands to make things easier and clearer to understand. Video guides have also been added to help you and the community get things done faster!
- Documentation for rotating important secrets such as the cookie and session secrets was added.
- The need for reverse proxies was removed by adding the ability to change the ORY Kratos Session Cookie domain and path! The kratos-selfservice-ui-node reference implementation no longer requires HTTP Request piping which greatly simplifies the network layout and codebase!
- The ORY Kratos CLI is now capable of managing identities with an interface that works almost like the Docker CLI we all love!
- Admins are now able to initiate account recovery for identities.
- Email verification and account recovery were refactored. It is now possible to add additional strategies (e.g. recovery codes) in the future, greatly increasing the feature set and security capabilities of future ORY Kratos versions!
- Lookup to Have I Been Pwnd is no longer a hard requirement, allowing registration processes to complete when the service is unavailable or the network is slow.
- We contributed several issues and features in upstream projects such as justinas/nosurf, gobuffalo/pop, and many more!
- The build pipeline has been upgraded to support cross-compilation of CGO with Go 1.15+.
- Fetching flows no longer requires CSRF cookies to be set, improving developer experience while not compromising on security!
- ORY Kratos now has ORY Kratos Session Cookies (set in the HTTP Cookie header) and ORY Kratos Session Tokens (set as a HTTP Bearer Authorization token or the
X-Session-Token
HTTP Header).
Additionally tons of bugs were fixed, tests added, documentation improved, and much more. Please note that several things have changed in a breaking fashion. You can find details for the individual breaking changes in the changelog below.
We would like to thank all community members who contributed towards this release (in no particular order):
- https://github.com/kevgo
- https://github.com/NickUfer
- https://github.com/drwatsno
- https://github.com/alsuren
- https://github.com/wezzle
- https://github.com/sherbang
- https://github.com/perryao
- https://github.com/jikunchong
- https://github.com/err0r500
- https://github.com/debrutal
- https://github.com/c0depwn
- https://github.com/aschepis
- https://github.com/jakhog
Have fun exploring the new release, we hope you like it! If you haven't already, join the ORY Community Slack where we hold weekly community hangouts via video chat and answer your questions, exchange ideas, and present new developments!
The "common" keyword has been removed from the Swagger 2.0 spec which deprecates the common
module / package / class (depending on the generated SDK). Please use public
or admin
instead!
Additionally, the SDK for TypeScript now uses the fetch
API which allows the SDK to be used in both client-side as well as server-side contexts. Please note that several methods and parameters in the generated TypeScript SDK have changed. Please check the TypeScript results to see what needs to be changed!
This patch changes the OpenID Connect and OAuth2 ("Sign in with Google, Facebook, ...") Callback URL from http(s)://<kratos-public>/self-service/browser/flows/strategies/oidc/<provider>
to http(s)://<kratos-public>/self-service/methods/oidc/<provider>
. To apply this patch, you need to update these URLs at the OAuth2 Client configuration pages of the individual OpenID Conenct providers (e.g. GitHub, Google).
Configuration key selfservice.strategies
was renamed to selfservice.methods
.
This patch significantly changes how email verification works. The Verification Flow no longer uses its own system but now re-uses the API and Browser flows and flow methods established in other components such as login, recovery, registration.
Due to the many changes these patch notes does not cover how to upgrade this particular flow. We instead want to kindly ask you to check out the updated documentation for this flow at: https://www.ory.sh/kratos/docs/self-service/flows/verify-email-account-activation
This patch changes the SQL schema and thus requires running the SQL Migration command (e.g. ... migrate sql
).
Never apply SQL migrations without backing up your database prior.
Configuration items selfservice.flows.<name>.request_lifespan
have been renamed to selfservice.flows.<name>.lifespan
to match the new flow semantics.
Wording has changed from "Self-Service Recovery Request" to "Self-Service Recovery Flow" to follow community feedback and practice already applied in the documentation. Additionally, fetching a recovery flow over the public API no longer requires Anti-CSRF cookies to be sent.
This patch renames several important recovery flow endpoints:
/self-service/browser/flows/recovery
is now/self-service/recovery/browser
without functional changes./self-service/browser/flows/requests/recovery?request=abcd
is now/self-service/recovery/flows?id=abcd
and no longer needs anti-CSRF cookies to be available.
Additionally, the URL for completing the password and oidc recovery method has been moved. Given that this endpoint is typically not manually called, you can probably ignore this change:
/self-service/browser/flows/recovery/link?request=abcd
is now/self-service/recovery/methods/link?flow=abcd
without functional changes.
The Recovery UI Endpoint no longer receives a ?request=abcde
query parameter but instead a ?flow=abcde
query parameter. Functionality did not change however.
As part of this change SDK methods have been renamed:
const kratos = new CommonApi(config.kratos.public)
// ...
- kratos.completeSelfServiceBrowserRecoveryLinkStrategyFlow(req.query.request)
+ kratos.completeSelfServiceRecoveryFlowWithLinkMethod(req.query.flow)
This patch requires you to run SQL migrations.
Wording has changed from "Self-Service Settings Request" to "Self-Service Settings Flow" to follow community feedback and practice already applied in the documentation.
This patch renames several important settings flow endpoints:
/self-service/browser/flows/settings
is now/self-service/settings/browser
without functional changes./self-service/browser/flows/requests/settings?request=abcd
is now/self-service/settings/flows?id=abcd
and no longer needs anti-CSRF cookies to be available.
Additionally, the URL for completing the password, profile, and oidc settings method has been moved. Given that this endpoint is typically not manually called, you can probably ignore this change:
/self-service/browser/flows/login/strategies/password?request=abcd
is now/self-service/login/methods/password?flow=abcd
without functional changes./self-service/browser/flows/strategies/oidc?request=abcd
is now/self-service/methods/oidc?flow=abcd
without functional changes./self-service/browser/flows/settings/strategies/profile?request=abcd
is now/self-service/settings/methods/profile?flow=abcd
without functional changes.
The Settings UI Endpoint no longer receives a ?request=abcde
query parameter but instead a ?flow=abcde
query parameter. Functionality did not change however.
As part of this change SDK methods have been renamed:
const kratos = new CommonApi(config.kratos.public)
// ...
- kratos.getSelfServiceBrowserSettingsRequest(req.query.request)
+ kratos.getSelfServiceSettingsFlow(req.query.flow)
// You will most likely not be using this:
const kratos = new PublicApi(config.kratos.public)
- kratos.completeSelfServiceBrowserSettingsPasswordStrategyFlow //...
- kratos.completeSelfServiceSettingsFlowWithPasswordMethod //..
- kratos.completeSelfServiceBrowserSettingsProfileStrategyFlow //...
- kratos.completeSelfServiceSettingsFlowWithProfileMethod //..
This patch requires you to run SQL migrations.
This patch makes the reverse proxy functionality required in prior versions of the self-service UI example obsolete. All examples work now with a simple set up and documentation has been added to assist in subdomain scenarios.
The session field sid
has been renamed to id
to stay consistent with other APIs which also use id
terminology to clarify identifiers. The payload of, for example, /session/whoami
has changed as follows:
{
- "sid": "abcde",
+ "id": "abcde",
"expires_at": "..."
"identity": {
// ..
}
}
Wording has changed from "Self-Service Registration Request" to "Self-Service Registration Flow" to follow community feedback and practice already applied in the documentation. Additionally, fetching a login flow over the public API no longer requires Anti-CSRF cookies to be sent.
This patch renames several important registration flow endpoints:
/self-service/browser/flows/registration
is now/self-service/registration/browser
without behavioral change./self-service/browser/flows/requests/registration?request=abcd
is now/self-service/registration/flows?id=abcd
and no longer needs anti-CSRF cookies to be available.
Additionally, the URL for completing the password registration method has been moved. Given that this endpoint is typically not manually called, you can probably ignore this change:
/self-service/browser/flows/registration/strategies/password?request=abcd
is now/self-service/registration/methods/password?flow=abcd
without functional changes./self-service/browser/flows/strategies/oidc?request=abcd
is now/self-service/methods/oidc?flow=abcd
without functional changes.
The Registration UI Endpoint no longer receives a ?request=abcde
query parameter but instead a ?flow=abcde
query parameter. Functionality did not change however.
As part of this change SDK methods have been renamed:
const kratos = new CommonApi(config.kratos.public)
// ...
- kratos.getSelfServiceBrowserRegistrationRequest(req.query.request)
+ kratos.getSelfServiceRegistrationFlow(req.query.flow)
This patch requires you to run SQL migrations.
Existing login sessions will no longer be valid because the session cookie data model changed. If you apply this patch, your users will need to sign in again.
Wording has changed from "Self-Service Login Request" to "Self-Service Login Flow" to follow community feedback and practice already applied in the documentation. Additionally, fetching a login flow over the public API no longer requires Anti-CSRF cookies to be sent.
This patch renames several important login flow endpoints:
/self-service/browser/flows/login
is now/self-service/login/browser
without functional changes./self-service/browser/flows/requests/login?request=abcd
is now/self-service/login/flows?id=abcd
and no longer needs anti-CSRF cookies to be available.
Additionally, the URL for completing the password and oidc login method has been moved. Given that this endpoint is typically not manually called, you can probably ignore this change:
/self-service/browser/flows/login/strategies/password?request=abcd
is now/self-service/login/methods/password?flow=abcd
without functional changes./self-service/browser/flows/strategies/oidc?request=abcd
is now/self-service/methods/oidc?flow=abcd
without functional changes.
The Login UI Endpoint no longer receives a ?request=abcde
query parameter but instead a ?flow=abcde
query parameter. Functionality did not change however.
As part of this change SDK methods have been renamed:
const kratos = new CommonApi(config.kratos.public)
// ...
- kratos.getSelfServiceBrowserLoginRequest(req.query.request)
+ kratos.getSelfServiceLoginFlow(req.query.flow)
This patch requires you to run SQL migrations.
Configuraiton value session.cookie_same_site
has moved to session.cookie.same_site
. There was no functional change.
-
Add missing 'recovery' path in oathkeeper access-rules.yml (#763) (f180dba)
-
Add missing error handling (43c1446)
-
Add remote help description (f66bbe1)
-
Add serve help description (2eb072b)
-
Allow using json with form layout in password registration (bd2225c)
-
Annotate whoami endpoint with cookie and token (a8a781c)
-
Bump datadog version to fix build failure (4dfd322)
-
Change KRATOS_ADMIN_ENDPOINT to KRATOS_ADMIN_URL (763fdc5)
-
Clarify fetch use (8eb2e6f)
-
Complete verification by redirecting to UI with success (f0ecf51)
-
Correct cookie domain on logout (#646) (6d77e04), closes #645
-
Correct help message for import (a5f46d2)
-
Correct password and profile swagger annotations (668c184)
-
Correct password registration method api spec (08dd582)
-
Cover more test cases for persister (37d2e08)
-
Create decoder only once (34dc43b)
-
Deprecate packr2 dependency in makefile (be9a84d), closes #711 #750
-
Do not propagate parent validation error (bf6093d)
-
Don't resend verification emails once verified (#583) (a4d9969), closes #578
-
Enforce endpoint to be set (171ac18)
-
Escape jsx characters in api documentation (0946094)
-
Exit with code 1 on unimplemented CLI commands (66943d7)
-
Explicitly ignore fprint return values (f50e582)
-
Explicitly ignore fprintf results (a83dc50)
-
Fallback to default return url if logout after url is not defined (#594) (7edd367)
-
Favor packr2 over pkger (ac18a45):
-
Find and replace "request" references (41fb673)
-
Force exe buildmode for windows CGO (e017bb5)
-
Html form parse regression issue (6b07cbb)
-
Ignore x/net false positives (7044b95)
-
Improve debugging output for login hook and restructure files (dabac40)
-
Improve debugging output for registration hook and restructure files (ec11775)
-
Improve expired error responses (124a92e)
-
Improve hook tests (55ba485)
-
Improve makefile dependency building (8e1d69a)
-
Improve pagination when listing identities (c60bf44)
-
Improve post login hook log and audit messages (ddd5d5a)
-
Improve post registration hook log and audit messages (2495629)
-
Improve registration hook tests (8163152)
-
Keep HTML form type on registration error (#698) (6c9e756), closes #670
-
Lowercase emails on login (244b4dd)
-
Merge public and admin login flow fetch handlers (48c4906)
-
Missing write in registration error handler (3b2af53)
-
Properly annotate swagger password parameters (2ef57c4)
-
Properly fetch identity for session (7be4086)
-
Recursive loop on network errors in password validator (#589) (b4d5a42), closes #316:
The old code no error when ignoreNetworkErrors was set to true, but did not set a hash result which caused an infinite loop.
-
Remove incorrect security specs (4c3d46d)
-
Remove obsolete tests (f102f95):
The test is no longer valid as CSRF checks now happen after checking for login sessions in settings flows.
-
Remove redirector from code base (6689ecf)
-
Remove stray debug statements (a8e1ec4)
-
Rename import to put (8003e0f)
-
Rename quickstart schema file name (e943c90)
-
Rename recovery models and generate SDKs (d764435)
-
Resolve and test for missing data when updating flows (045ecab)
-
Resolve broken csrf tests (6befe2e)
-
Resolve broken docs links (56f4a39)
-
Resolve broken migrations and bump fizz (1ed9c70)
-
Resolve broken OIDC tests and disallow API flows (9986d8f)
-
Resolve cookie issues (6e2b6d2)
-
Resolve e2e headless test failures (82d506e)
-
Resolve e2e test failures (2627db2)
-
Resolve failing test cases (f8647b4)
-
Resolve flaky passwort setting tests (#582) (c42d936), closes #581 #577
-
Resolve handler testing issue (4f6bafd)
-
Resolve identity admin api issues (#586) (feef8a7), closes #435 #500:
This patch resolves several issues that occurred when creating or updating identities using the Admin API. Now, all hooks are running properly and updating privileged properties no longer causes errors.
-
Resolve interface type issues (064b305)
-
Resolve migratest failures (e2f34d3)
-
Resolve migratest ordering failing tests (dffecc0)
-
Resolve migration issues (b545e15)
-
Resolve panic on
serve
(ae34155) -
Resolve panic when DSN="memory" (#574) (05e55f3):
Executing the migration logic in registry.go cause a panic as the registry is not initalized at that point. Therefore we decided to move the handling to driver_default.go, after the registry has been initialized.
-
Resolve pkger issues (294066c)
-
Resolve remaining testing issues (af40d93)
-
Resolve SQL persistence tester issues (4952df4)
-
Resolve swagger issues and regenerate SDK (be4c7e4)
-
Resolve template loading issue (145fb20)
-
Resolve test issues introduced by new csrf protection (625ef5e)
-
Resolve verification sql errors (784da53)
-
Resolves a bug that prevents sessions from expiring (#612) (86b281a), closes #611
-
Revert disabling
swagger flatten
during sdk generation (98c7915) -
Set correct path for kratos in oathkeeper set up (414259f)
-
Set quickstart logging to trace (d3e9192)
-
Support browser flows only in redirector (cab5280)
-
Swagger models (1b5f9ab):
The
swagger:parameters <id>
definitions forupdateIdentity
andcreateIdentity
where defined two times with the same ID. They had some old definition swagger used. Theinternal/httpclient
should now work again as expected. -
Type (e264c69)
-
Update cli documentation examples (216ea7f)
-
Update contrib samples (79d24b4)
-
Update crdb quickstart version (249a6ba)
-
Update import description (aef1e1a)
-
Update quickstart kratos config (e3246e5)
-
Update recovery token field and column names (42abfa1)
-
Update status help description (b147831)
-
Update swagger names and fix broken tests (85b7fb1)
-
Update version help description (8bf4a79)
-
Use and test for csrf tokens and prevent api misuse (a4e3bc5)
-
Use correct HTTP method for password login (4f4fcee)
-
Use correct log message (53c384a)
-
Use correct redirection for registration (8d47113)
-
Use correct security annotation (c9bebe0)
-
Use correct swagger tags and regenerate (df99d8c)
-
Use helpers to create flow (aba8610)
-
Use nosurf fork to address VerifyToken bug (cd84e51)
-
Use params per_page and page for pagination (5dfb6e3)
-
Use proper pwd in makefile (52e22c3)
-
Use public instead of common sdk (dcb4a36)
-
Use relative threshold to judge longest common substring in password policy (#585) (3e9f8cc), closes #581
- Pin v0.5.0-alpha.1 release commit (557d37d)
-
Add flow methods to verification (00ee828):
Completely refactors the verification flow to support other methods. The original email verification flow now moved to the "link" method also used for recovery.
Additionally, several upstream bugs in gobuffalo/pop and gobuffalo/fizz have been addressed, patched, and merged which improves support for SQLite and CockroachDB migrations:
-
Add method and rename request to flow (006bf56)
-
Change oidc callback URL (36d9380)
-
Complete login flow refactoring (ad2b3db)
-
Dry up login.NewFlow (f261c44)
-
Improve CSRF infrastructure (7e367e7)
-
Improve login test reuse (b4184e5)
-
Improve NewFlowExpiredError (1caefac)
-
Improve registration tests with testhelpers (9bf4530)
-
Improve selfservice method tests (df4d06d)
-
Improve settings helper functions (fda17ca)
-
Move samesite config to cookie parent-key (753eb86)
-
Moved clihelpers to ory/x (#756) (6ccffa8):
Contributes to ory/hydra#2124.
-
Profile settings method is now API-able (c5f361f)
-
Remove common keyword from API spec (6619562)
-
Remove need for reverse proxy in selfservice-ui (beb4c32), closes #661
-
Rename
session.sid
tosession.id
(809fe73) -
Rename login request to login flow (9369d1b), closes #635:
As part of this change, fetching a login flow over the public API no longer requires Anti-CSRF cookies to be sent.
-
Rename LoginRequestErrorHandler to LoginFlowErrorHandler (66ae029)
-
Rename package recoverytoken to link (f87fb54)
-
Rename recovery request to flow internally (16c5618)
-
Rename recovery request to recovery flow (b0f433d), closes #635:
As part of this change, fetching a login flow over the public API no longer requires Anti-CSRF cookies to be sent.
-
Rename registration request to flow (8437ebc)
-
Rename registration request to registration flow (0470956), closes #635:
As part of this change, fetching a registration flow over the public API no longer requires Anti-CSRF cookies to be sent.
-
Rename request_lifespan to lifespan (#677) (3c8d5e0), closes #666
-
Rename strategies to methods (8985189):
This patch renames
strategies
such as "Username/Email & Password" to methods. -
Replace all occurrences of login request to flow (1b3c491)
-
Replace all registration request occurrences with registration flow (308ef47)
-
Replace packr2 with pkger fork (4e2acae)
-
Restructure login package (c99e2a2)
-
Use session token as cookie identifier (60fd9c2)
-
Add administrative user management guide (b97e0c6)
-
Add code samples to session checking (eba8eda)
-
Add descriptions to cobra commands (607b76d)
-
Add documentation for configuring cookies (e3dbc8a), closes #516
-
Add domain, subdomain, multi-domain cookie guides (3eb1e59), closes #661
-
Add guide for cors (a8ae759)
-
Add guide for cors (91fd278)
-
Add guide for dealing with login sessions (4e2718c)
-
Add identity state (fb4aedb)
-
Add login session to navbar (b212d64)
-
Add milestones to sidebar (aae13ec)
-
Add missing GitLab provider to the list of supported OIDC providers (#766) (a43ed33)
-
Add pagination docs (7fe0901)
-
Add secret key rotation guide (3d6e21a)
-
Add sequence diagrams for browser/api flows (590d767)
-
Add terminology section (29b81a7)
-
Add theme helpers and decouple mermaid (7c3eb32)
-
Added sidebar cli label (5d24a29):
clidoc.Generate
expects to find an entry undersidebar.json/Reference
that contains the substring "CLI" in it's label. Because that was missing, a new entry was appended on every regeneration of the file. -
Added sidebar item (#639) (8574761):
Added Kratos Video Tutorial Transcripts document to sidebar.
-
Added transcript (#627) (cec7f1f):
Added Login with Github Transcript
-
Bring oidc docs up to date (7d0e470)
-
Changed transcript location (#642) (c52764d):
Changed the location so it is in the right place.
-
Clarify 302 redirect on expired login flows (ca31b53)
-
Clarify api flow use (a38b4a1)
-
Clarify feature-set (2266ae7)
-
Clarify kratos config snippet (e7732f3)
-
Clean up docs and correct samples (8627ec5)
-
Complete registration documentation (b3af02b)
-
Correct settings and verification redir (30e25e7)
-
Document APi flows in self-service overview (71ed0bd)
-
Document how to check for login sessions (9ad73b8)
-
Explain high-level API and browser flows (fe3ee0a)
-
Fix sidebar missing comment (d90123a)
-
Fix typo (c2f94da)
-
Fixed link (c2aebbd)
-
Fixed typos/readability (#620) (7fd3ce0):
Fixed a few typos, and moved some sentences around to improve readability.
-
Improve charts and examples in self-service overview (312c91d)
-
Improve documentation and add tests (3dde956)
-
Improve long messages and render cli documentation (e5fc02f)
-
Make assumptions neutral in concepts overview (e89d980)
-
Move development section (2e6f643)
-
Move hooks (c02b588)
-
Move to json sidebar (504af3b)
-
Password login and registration methods for API clients (5a44356)
-
Quickstart next steps (#676) (ee9dd0d):
Added a section outlining some easy config changes, that users can apply to the quickstart to test out different scenarios and configurations.
-
Refactor login and registration documentation (c660a04)
-
Refactor settings and recovery documentation (11ca9f7)
-
Refactor verification docs (70f2789)
-
Regenerate clidocs with up-to-date binary (e53289c)
-
Remove
make tools
task (ec6e664), closes #711 #750:This task does not exist any more and the dependency building is much smarter now.
-
Remove duplicate word (b84e659)
-
Remove react native guide for now (daa5f2e)
-
Rename self service and add admin section (639c424)
-
Resolve regression issues (0470fd7)
-
Resolve typo in message IDs (562cfc4)
-
Update cli docs (085efca)
-
Update link to mfa issue (d03a706)
-
Update links (a06fd88)
-
Update MFA link to issue (#690) (7a744ad):
MFA issue was pushed to a later milestone. Update the documentation to point to the issue instead of the milestone.
-
Update repository templates (f422485)
-
Update sidebar (ea15c20)
-
Update ts examples (65cb46e)
-
Use correct id for multi-domain-cookies (b49288a)
-
Use NYT Capitalization for all Swagger headlines (#675) (6c96429), closes #664
-
Add ability to configure session cookie domain/path (faeb332), closes #516
-
Add and improve settings testhelpers (10a43fc)
-
Add bearer helper (ec6ca20)
-
Add enum to form field type (96028d8)
-
Add flow type to login (ce9133b)
-
Add HTTP request flow validator (1a6e847)
-
Add new prometheus metrics endpoint #672 (#673) (0f5c436):
Adds endpoint
/metrics
for prometheus metrics collection to the Admin API Endpoint. -
Add nocache helpers (54dcc4d)
-
Add pagination tests (e3aa81b)
-
Add session token security definition (d36c26f):
Adds the new Session Token as a Swagger security definition to allow setting the session token as a Bearer token when calling
/sessions/whoami
. -
Add test helper for fetching settings requests (3646383)
-
Add tests and helpers to test recovery/verifiable addresses (#579) (29979e6), closes #576
-
Add tests to cover auth (c9d3a15)
-
Add texts for settings (795548c)
-
Add the already declared (and settable) tracer as a middleware (#614) (e24fffe)
-
Add token to session (08c8c78)
-
Add type to all flows in SQL (5515776)
-
Allow import/validation of arrays (d11ac32)
-
Bump cli and migration render tasks (6dcb42a)
-
Finalize tests for registration flow refactor (8e52c3a)
-
Finish off client cli (36d60c7)
-
Implement administrative account recovery (f5f9c43)
-
Implement API flow for recovery link method (d65bf66)
-
Implement API-based tests for password method settings flows (60664aa)
-
Implement tests and anti-csrf for API settings flows (8b8b6e5)
-
Implement tests for new migrations (e08ece9)
-
Improve test readability for password method (a896d9b)
-
Log successful hook execution (f6026cf)
-
Log successful hook execution (1e7d044)
-
Make login error handle JSON aware (88f581f)
-
Make password settings method API-able (0cf6027)
-
Oidc provider claims config option (#753) (bf94a40), closes #735
-
Reply with cache-control: 0 for browser-facing APIs (1a45b53), closes #360
-
Schemas are now static assets (1776d58)
-
Support and document api flow in session issuer hook (91f3cc7)
-
Support application/json in registration (3476b97), closes #44
-
Support custom session token header (56bec76):
The
/sessions/whoami
endpoint now accepts the ORY Kratos Session Token in theX-Session-Token
HTTP header. -
Support json payloads for login and password (354e8b2)
-
Support JSON payloads in password login flow (dd32c23)
-
Support session token bearer auth and lifecycle (c12600a):
This patch adds support for issuing, validating, and revoking session tokens. Session tokens carry a reference to a session, and are equal to session cookies but can be used on environments which do not support cookies (e.g. React Native) by sending them in the Bearer Authorization.
-
Update migration tests (fb28173)
-
Use uri-reference for ui_url etc. to allow relative urls (#617) (2dba450)
-
Write request -> flow rename migrations (d7189a9)
- Add handler update tests (aea1fb8), closes #325
- Add init browser flow tests (f477ece)
- Add test for no-cache on public router (b8aa63b)
- Add test for registration request (79ed63c)
- Add tests for registration flows (4772f71)
- Complete test suite for API-based auth (fb9d62f)
- Implement API login password tests (8bfd5f2)
- Implement API registration password tests (db178b7)
- Replace e2e-memory with unit test (52bd839), closes #580
- Resolve broken decoder tests (07add1b)
- Use correct hook in test (421320c)
- u (e207a6a)
- As part of this change, fetching a settings flow over the public API no longer requires Anti-CSRF cookies to be sent. (31d560e), closes #635
- Create labels.json (68b1f6f)
- Add codedoc to identifier hint block (6fe840f)
- Format (e61a51d)
- Format (1e5b738)
- Format code (c3b5ff5)
0.4.6-alpha.1 (2020-07-13)
Resolves build and install issues and includes a few bugfixes.
- Use proper binary name in dockerfile (d36bbb0)
-
Pin v0.4.6-alpha.1 release commit (ad90e77):
Bumps from v0.4.4-alpha.1
0.4.5-alpha.1 (2020-07-13)
Resolves build and install issues and includes a few bugfixes.
- Ensure default_browser_return_url for flows is configured in after (#570) (cf9753c), closes #569
- Require selfservice.default_browser_return_url to be set in config (#571) (af2af7d)
-
Pin v0.4.5-alpha.1 release commit (3ea7fd3):
Bumps from v0.4.4-alpha.1
0.4.4-alpha.1 (2020-07-10)
The purpose of this release is to resolve issues with install scripts, homebrew, and scoop.
- Pin v0.4.4-alpha.1 release commit (154d543)
- Add description for subkeys of serve (#562) (deae005)
- Add section about password expiry (19c2414)
- Specify the use of secrets (#565) (7680450)
- Update upgrade guide (a40b1ec)
0.4.3-alpha.1 (2020-07-08)
We are very happy to announce the 0.4 release of ORY Kratos with 163 commits and 817 changed files with 52,681 additions and 9,876 deletions.
There have been many improvements and bugfixes merged. The biggest changes are:
- Account recovery ("reset password") has been implemented.
- Documentation has been improved with easier to understand examples - currently only for account recovery so let us know what you think!
- The configuration has been simplified a lot. It is now much easier to enable account recovery and email verification. This is a breaking change - please read the breaking changes section with care!
- The Identity Traits JSON Schema has been renamed to the Identity JSON Schema. This is a breaking change - please read the breaking changes section with care!
prompt=login
has been renamed torefresh=true
. This is a breaking change - please read the breaking changes section with care!- We have reworked how (error) messages are returned. They now include an ID and all the parameters required for translating and customizing UI messages. This is a breaking change - please read the breaking changes section with care!
- Instead of keeping track of
update_successful
with booleans, flows (e.g. the settings flow) that have more than one state now include a state machine. This is a breaking change - please read the breaking changes section with care! - Tons of tests have been added.
- We have reworked and fully tested the migration pipeline to prevent breaking schema changes in future versions.
- ORY Kratos now supports login with Azure AD and the Microsoft Identity Platform.
Before upgrading, please make a backup of your database and read the section "Breaking Changes" with care!
-
Pin v0.4.3-alpha.1 release commit (a3a34b1):
Bumps from v0.4.0-alpha.1
0.4.2-alpha.1 (2020-07-08)
We are very happy to announce the 0.4 release of ORY Kratos with 153 commits and 760 changed files with 36,223 additions and 9,754 deletions.
There have been many improvements and bugfixes merged. The biggest changes are:
- Account recovery ("reset password") has been implemented.
- Documentation has been improved with easier to understand examples - currently only for account recovery so let us know what you think!
- The configuration has been simplified a lot. It is now much easier to enable account recovery and email verification. This is a breaking change - please read the breaking changes section with care!
- The Identity Traits JSON Schema has been renamed to the Identity JSON Schema. This is a breaking change - please read the breaking changes section with care!
prompt=login
has been renamed torefresh=true
. This is a breaking change - please read the breaking changes section with care!- We have reworked how (error) messages are returned. They now include an ID and all the parameters required for translating and customizing UI messages. This is a breaking change - please read the breaking changes section with care!
- Instead of keeping track of
update_successful
with booleans, flows (e.g. the settings flow) that have more than one state now include a state machine. This is a breaking change - please read the breaking changes section with care! - Tons of tests have been added.
- We have reworked and fully tested the migration pipeline to prevent breaking schema changes in future versions.
- ORY Kratos now supports login with Azure AD and the Microsoft Identity Platform.
Before upgrading, please make a backup of your database and read the section "Breaking Changes" with care!
- Ignore pkged generated files (1d385e4)
-
Pin v0.4.2-alpha.1 release commit (20024cb):
Bumps from v0.4.0-alpha.1
0.4.0-alpha.1 (2020-07-08)
We are very happy to announce the 0.4 release of ORY Kratos with 153 commits and 760 changed files with 36,223 additions and 9,754 deletions.
There have been many improvements and bugfixes merged. The biggest changes are:
- Account recovery ("reset password") has been implemented.
- Documentation has been improved with easier to understand examples - currently only for account recovery so let us know what you think!
- The configuration has been simplified a lot. It is now much easier to enable account recovery and email verification. This is a breaking change - please read the breaking changes section with care!
- The Identity Traits JSON Schema has been renamed to the Identity JSON Schema. This is a breaking change - please read the breaking changes section with care!
prompt=login
has been renamed torefresh=true
. This is a breaking change - please read the breaking changes section with care!- We have reworked how (error) messages are returned. They now include an ID and all the parameters required for translating and customizing UI messages. This is a breaking change - please read the breaking changes section with care!
- Instead of keeping track of
update_successful
with booleans, flows (e.g. the settings flow) that have more than one state now include a state machine. This is a breaking change - please read the breaking changes section with care! - Tons of tests have been added.
- We have reworked and fully tested the migration pipeline to prevent breaking schema changes in future versions.
- ORY Kratos now supports login with Azure AD and the Microsoft Identity Platform.
Before upgrading, please make a backup of your database and read the section "Breaking Changes" with care! This release requires running SQL migrations when upgrading!
This patch renames the Identity Traits JSON Schema to Identity JSON Schema.
The identity payload has changed from
{
- "traits_schema_url": "...",
- "traits_schema_id": "...",
+ "schema_url": "...",
+ "schema_id": "...",
}
Additionally, it is now expected that your Identity JSON Schema includes a "traits" key at the root level.
Before (example)
{
"$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Person",
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"title": "E-Mail",
"minLength": 3,
"ory.sh/kratos": {
"credentials": {
"password": {
"identifier": true
}
},
"verification": {
"via": "email"
},
"recovery": {
"via": "email"
}
}
}
},
"required": [
"email"
],
"additionalProperties": false
}
After (example)
{
"$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Person",
"type": "object",
"properties": {
"traits": {
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"title": "E-Mail",
"minLength": 3,
"ory.sh/kratos": {
"credentials": {
"password": {
"identifier": true
}
},
"verification": {
"via": "email"
},
"recovery": {
"via": "email"
}
}
}
},
"required": [
"email"
],
"additionalProperties": false
}
}
}
You also need to remove the traits
key from your ORY Kratos config like this:
identity:
- traits:
- default_schema_url: http://test.kratos.ory.sh/default-identity.schema.json
- schemas:
- - id: other
- url: http://test.kratos.ory.sh/other-identity.schema.json
+ default_schema_url: http://test.kratos.ory.sh/default-identity.schema.json
+ schemas:
+ - id: other
+ url: http://test.kratos.ory.sh/other-identity.schema.json
Do not forget to also update environment variables for the Identity JSON Schema as well if set.
To address these refactorings, the configuration had to be changed and with breaking changes as keys have moved or have been removed.
Hook configuration has also changed. It is no longer required to include hooks such as verification
to get
verification working. Instead, verification is enabled globally (selfservice.flows.verification.enabled
).
Also, the redirect
hook has been removed as it lead to confusion because there are already default redirect
URLs configurable. You will find more information in the details below.
Session Management
-ttl:
- session: 1h
-security:
- session:
- cookie:
- same_site: Lax
+session:
+ lifespan: 1h
+ cookie_same_site: Lax
Secrets
-secrets:
- session:
- - secret-to-encrypt-session-cookies
- - old-session-cookie-secret-that-has-been-rotated
+secrets:
+ default:
+ # This secret is used as default and will also be used for encrypting e.g. cookies when a dedicated cookie secret (as shown below) is not defined.
+ - default-secret-to-encrypt-stuff
+ cookie:
+ - secret-to-encrypt-session-cookies
+ - old-session-cookie-secret-that-has-been-rotated
URLs
The Base URL configuration has moved to serve.public
and serve.admin
. They are also no longer required and fall
back to defaults based on the machine's hostname, port configuration, and other settings:
-urls:
- self:
- public: https://kratos.my-website.com/
- admin: https://admin.kratos.cluster.localnet/
+serve:
+ public:
+ base_url: https://kratos.my-website.com/
+ admin:
+ base_url: https://admin.kratos.cluster.localnet/
The UI URLs have moved from urls
to their respective self-service flows:
-urls:
- login_ui: http://127.0.0.1:4455/auth/login
- registration_ui: http://127.0.0.1:4455/auth/registration
- settings_ui: http://127.0.0.1:4455/settings
- verify_ui: http://127.0.0.1:4455/verify
- error_ui: http://127.0.0.1:4455/error
+selfservice:
+ flows:
+ login:
+ ui_url: http://127.0.0.1:4455/auth/login
+ registration:
+ ui_url: http://127.0.0.1:4455/auth/registration
+ settings:
+ ui_url: http://127.0.0.1:4455/settings
+ # please note that `verify` has changed to `verification`!
+ verification:
+ ui_url: http://127.0.0.1:4455/verify
+ error:
+ ui_url: http://127.0.0.1:4455/error
The default redirect URL as well as whitelisted redirect URLs have also changed their location:
-urls:
- default_return_to: https://self-service/dashboard
- whitelisted_return_to_urls:
- - https://self-service/some-other-url
- - https://example.org/another-url
+selfservice:
+ default_browser_return_url: https://self-service/dashboard
# Please note that the `to` has been removed (`whitelisted_return_to_urls` -> `whitelisted_return_urls`)
+ whitelisted_return_urls:
+ - https://self-service/some-other-url
+ - https://example.org/another-url
Self-Service Login
selfservice.login
has moved to selfservice.flow.login
:
selfservice:
- login:
+ flows:
+ login:
On top of this change, a few keys under login
have changed as well:
selfservice
flows:
login:
+ ui_url: http://127.0.0.1:4455/auth/login
request_lifespan: 99m
- before:
- hooks:
- - hook: redirect
- config:
- default_redirect_url: http://test.kratos.ory.sh:4000/
- allow_user_defined_redirect: false
+ # The before hooks have been removed because there were no good use cases for them. If
+ # this is a problem for you feel free to open an issue!
after:
- default_return_to: https://self-service/login/return_to
+ default_browser_return_url: https://self-service/login/return_to
password:
- default_return_to: https://self-service/login/password/return_to
+ default_browser_return_url: https://self-service/login/password/return_to
hooks:
- hook: revoke_active_sessions
oidc:
- default_return_to: https://self-service/login/podc/return_to
+ default_browser_return_url: https://self-service/login/podc/return_to
hooks:
- hook: revoke_active_sessions
Self-Service Registration
selfservice.registration
has moved from to selfservice.flow.registration
:
selfservice:
- registration:
+ flows:
+ registration:
On top of this change, a few keys under registration
have changed as well:
selfservice
flows:
registration:
+ ui_url: http://127.0.0.1:4455/auth/registration
request_lifespan: 99m
- before:
- hooks:
- - hook: redirect
- config:
- default_redirect_url: http://test.kratos.ory.sh:4000/
- allow_user_defined_redirect: false
+ # The before hooks have been removed because there were no good use cases for them. If
+ # this is a problem for you feel free to open an issue!
after:
- default_return_to: https://self-service/registration/return_to
+ default_browser_return_url: https://self-service/registration/return_to
password:
- default_return_to: https://self-service/registration/password/return_to
+ default_browser_return_url: https://self-service/registration/password/return_to
hooks:
- hook: revoke_active_sessions
+ # The verify hook is now executed automatically when verification is turned on.
- - hook: verify
+ # The redirect hook was confusing as it aborts the registration flow and does not solve redirection on
+ # success. It has thus been removed.
- - hook: redirect
oidc:
- default_return_to: https://self-service/registration/podc/return_to
+ default_browser_return_url: https://self-service/registration/podc/return_to
hooks:
- hook: revoke_active_sessions
+ # The verify hook is now executed automatically when verification is turned on.
- - hook: verify
+ # The redirect hook was confusing as it aborts the registration flow and does not solve redirection on
+ # success. It has thus been removed.
- - hook: redirect
Self-Service Settings
selfservice.settings
has moved from to selfservice.flow.settings
:
selfservice:
- settings:
+ flows:
+ settings:
On top of this change, a few keys under settings
have changed as well:
selfservice
flows:
settings:
+ ui_url: http://127.0.0.1:4455/settings
request_lifespan: 99m
privileged_session_max_age: 99m
- default_return_to: https://self-service/settings/return_to
after:
+ default_browser_return_url: https://self-service/settings/return_to
+ # The profile/password after hooks have been removed as verification is now executed automatically
+ # when turned on.
- password:
- hooks:
- - hook: verify
- profile:
- hooks:
- - hook: verify
Self-Service Verification
selfservice.verify
has moved from to selfservice.flow.verification
:
selfservice:
- verify:
+ flows:
+ verification:
Instead of configuring verification with hooks and other components, it can now be enabled
in a central place. If enabled, a SMTP server must be configured in the courier
section.
You are still required to mark a field as verifiable in your Identity JSON Schema.
selfservice:
flows:
verification:
+ enabled: true # defaults to true
+ ui_url: http://127.0.0.1:4455/recovery
request_lifespan: 1m
- default_return_to: https://self-service/verification/return_to
after:
+ default_browser_return_url: https://self-service/verification/return_to
Replaces the update_successful
field of the settings request
with a field called state
which can be either show_form
or success
.
Flows, request methods, form fields have had a key errors to show e.g. validation errors such as ("not an email address", "incorrect username/password", and so on. The errors
key is now called messages
. Each message now has a type
which can be error
or info
, an id
which can be used to translate messages, a text
(which was previously errors[*].message). This affects all login, request, settings, and recovery flows and methods.
To refresh a login session it is now required to append refresh=true
instead of prompt=login
as the second has implications for revoking an existing issue and might be confusing when used in combination with OpenID Connect.
- Applying this patch requires running SQL Migrations.
- The field
identity.addresses
has moved toidentity.verifiable_addresses
. - Configuration key
selfservice.verification.link_lifespan
has been merged withselfservice.verification.request_lifespan
.
-
Account recovery can't use recovery token (#526) (379f24e), closes #525
-
Add and document recovery to quickstart (c229c54)
-
Add pkger to docker builds (d3ef5a0)
-
Allow linking oidc credentials without existing oidc connection (#548) (39c1234), closes #532
-
Clear error messages after updating settings successfully (#421) (7eec388), closes #420
-
Document login refresh parameter in swagger (#482) (6b94993)
-
Enable recovery for quickstart (0ccc651)
-
Improvements to Dockerfiles (#552) (6023877):
- expose ory home as volume to simplify passing in own config file
- declare Kratos default ports in Dockerfile
-
Initialize verification request with correct state (3264ecf), closes #543
-
Re-add redirect targets for quickstart (3c48ad2)
-
Reduce docker bloat by ignoring docs and others (ecc555b)
-
Resolve broken redirect in verify flow (a9ca8fd), closes #436
-
Respect multiple secrets and fix used flag (#526) (b16c2b8), closes #525
-
Respect self-service enabled flag (#470) (b198faf), closes #417:
Respects the
enabled
flag for self-service strategies.Also a new testhelper function was needed, to defer route registration (because whether strategies are enabled or not is determined only once: at route registration)
-
Typo accent -> account (984d978)
- Pin v0.4.0-alpha.1 release commit (e8690c4)
-
Improve and simplify configuration (#536) (8e7f9f5), closes #432
-
Move schema packing to pkger (173f9d2)
-
Move verify fallback to verification (1ce6469)
-
Rename identity traits schema to identity schema (#557) (949e743), closes #531
-
Rename prompt=login to refresh=true (#478) (c04346e), closes #477
-
Replace settings update_successful with state (#488) (ca3b3f4), closes #449
-
Text errors to text messages (#476) (8106951), closes #428:
This patch implements a better way to deal with text messages by giving them a unique ID, a context, and a default message.
-
Add azure to next docs (e1dd3fa)
-
Add fixme note for viper workaround (7e3eef6):
See ory/x#169
-
Add guide for setting up account recovery (bbf3762)
-
Add guide for setting up email verification (1435cbc)
-
Add new guides to sidebar (24c5cbc)
-
Correct claims.email in github guide (#422) (052a622):
There is no email_primary in claims, and the selfservice strategy is currently using claims.email.
-
Correct claims.email in github guide (#422) (58f7e15):
There is no email_primary in claims, and the selfservice strategy is currently using claims.email.
-
Correct link in user-settings (d13317d)
-
Correct stray dot (e820f41)
-
Correct user settings render form (197e246)
-
Delete old redirect homepage (b6d9244)
-
Document new account recovery feature (2252a86), closes #436
-
Document refresh=true for login (#479) (2ab5ead), closes #464
-
Fix broken link (d20816e)
-
Fix broken link (aa9d3e6)
-
Fix broken link (#506) (dac8dfd):
The rest api is no longer under sdk but under reference.
-
Fix code sample comment (781a76b)
-
Fix copy paste errors in code docs (e456a4e)
-
Fix typos (81903a5)
-
Fix ui url keys everywhere (b75debb)
-
Fix username example by renaming property and removing format (#508) (4573426)
-
Fix wording in settings flow graph (e2a0084)
-
Fixed broken links (#451) (193a781):
Fixed a few broken links, .md in the url was the problem.
-
Format guides (407c70f)
-
Improve grammar, clarify sections, update images (#419) (79019d1)
-
Make whitelisted_return_to_urls examples an array (#426) (7ed5605), closes #425
-
Move security questions to own document (2b77fba)
-
Properly annotate forms disabled field (#486) (be1acb3), closes /github.com/ory/kratos/pull/467#discussion_r434764266
-
Rename redirect page to browser-redirect-flow-completion (ae77d48)
-
Replace mailhog references with mailslurper (#509) (d0e5a0f)
-
Run format (2b3f299)
-
Typos and stale links (29fb466)
-
Update repository templates (4c89834)
-
Use central banner repo for README (d1e8a82)
-
Use shorthand closing tag for Mermaid (f9f2dbc)
-
Add support for Multitenant Azure AD as an OIDC provider (#434) (a8f1179)
-
Add tests for defaults (a16fc51)
-
Add User ID to a header when calling whoami (#530) (183b4d0)
-
Implement account recovery (#428) (e169a3e), closes #37:
This patch implements the account recovery with endpoints such as "Init Account Recovery", a new config value
urls.recovery_ui
and so on. A new identity field has been addedidentity.recovery_addresses
containing all recovery addresses.Additionally, some refactoring was made to DRY code and make naming consistent. As part of dependency upgrades, structured logging has also improved and an audit trail prototype has been added (currently streams to stderr only).
-
Allow kratos to talk to databases in docker-compose quickstart (#522) (8bf9a1a):
All of the databases must exist on the same docker network to allow the main kratos applications to communicate with them.
0.3.0-alpha.1 (2020-05-15)
This release finalizes the OpenID Connect and OAuth2 login, registration, and settings strategy with JsonNet data transformation! From now on, "Sign in with Google, Github, ..." is officially supported! It's also possible to link and unlink these connections using the Self-Service Settings Flow! The documentation has been updated to reflect those changes and includes guides to setting up "Sign in with GitHub" in under 5 Minutes! Please be aware that existing OpenID Connect connections will stop working. Check out the "Breaking Changes" section for more info! Want to learn more? Check out the docs!
We also changed the config validation output, making it easier than ever to find bugs in your config:
% kratos --config invalid-config.yml serve
INFO[0001] Config file loaded successfully. path=invalid-config.yml
ERRO[0001] The provided configuration is invalid and could not be loaded. Check the output below to understand why. config_file=invalid-config.yml
dsn: <nil>
^-- one or more required properties are missing
urls.whitelisted_return_to_urls: https://selfservice.office.example.com
^-- expected array, but got string
FATA[0001] The services failed to start because the configuration is invalid. Check the output above for more details.
This release concludes over 50 commits and 16.000 lines of code changed.
If you upgrade and have existing Social Sign In connections, it will no longer be possible to use them to sign in. Because the oidc strategy was undocumented and not officially released we do not provide an upgrade guide. If you run into this issue on a production system you may need to use SQL to change the config of those identities. If this is a real issue for you that you're unable to solve, please create an issue on GitHub.
This is a breaking change as previous OIDC configurations will not work. Please consult the newly written documentation on OpenID Connect to learn how to use OIDC in your login and registration flows. Since the OIDC feature was not publicly broadcasted yet we have chosen not to provide an upgrade path. If you have issues, please reach out on the forums or slack.
-
Access rules of oathkeeper for quick start (#390) (5ed6d05), closes #389:
To access
/
as dashboard -
Active field should not be required (#401) (aed2a5c), closes ory/sdk#14
-
Adopt jsonnet in e2e oidc tests (5e518fb)
-
Detect postgres unique constraint (3a777af)
-
Fix oidc strategy jsonnet test (f6c48bf)
-
Improve config validation error message (#414) (d1e6896), closes #413
-
Reset request id after parse (9550205)
-
Resolve regression issues and bugs (e6d5369)
-
Return correct error on id mismatch (5915f28)
-
Test and implement mapper_url for jsonnet (40ac3dc)
-
Transaction usage in the identity persister (#404) (7f5072d)
- Pin v0.3.0-alpha.1 release commit (43b693a)
-
Adopt new request parser (ad16cc9)
-
Dry config and oidc tests (3e98756)
-
Improve oidc flows and payloads and add e2e tests (#381) (f9a5079), closes #387:
This patch improves the OpenID Connect login and registration user experience by simplifying the network flows and introduces e2e tests using ORY Hydra.
-
Move cypress files to test/e2e (df8e627)
-
Partition files and change creds structure (4f1eb94):
This patch changes the data model of the OpenID Connect strategy. Instead of using an array of providers as the base config item (e.g.
{"type":"oidc","config":[{"provider":"google","subject":"..."}]}
) the credentials config is now an object with aproviders
key:{"type":"oidc","config":{"providers":[{"provider":"google","subject":"..."}]}}
. This change allows introduction of future changes to the schema without breaking compatibility. -
Replace oidc jsonschema with jsonnet (2b45e79), closes #380:
This patch replaces the previous methodology of merging OIDC data which used JSON Schema with Extensions and JSON Path in favor of a much easier to use approach with JSONNet.
-
settings: Use common request parser (ad6c402)
-
Document account enumeration defenses for oidc (266329c), closes #32
-
Document oidc strategy (#415) (9f079f4), closes #409 #124 #32
-
Explain that form data is merged with oidc data (#394) (b0dbec4), closes #127
-
Improve social sign in guide (#393) (647ced3), closes #49:
This patch changes the social sign in guide to represent more use cases such as Google and Facebook. Additionally, the example has been updated to work with Jsonnet.
This patch also documents limitations around merging user data from GitHub.
-
Prepare v0.3.0-alpha.1 (d6a6f43)
-
Add format and lint for JSONNet files (0a1b244):
This patch adds two commands
kratos jsonnet format
andkratos jsonnet lint
that help with formatting and linting JSONNet code. -
Implement oidc settings e2e tests (919925c)
-
Introduce leaklog for debugging oidc map payloads (238d7a4)
-
Write tests and fix bugs for oidc settings (575a61f)
- Format code (bc7557a)
0.2.1-alpha.1 (2020-05-05)
Resolves a bug in the kratos-selfservice-ui-node application.
- Pin v0.2.1-alpha.1 release commit (16463ea)
0.2.0-alpha.2 (2020-05-04)
This is a heavy release with over hundreds of commits and files changed! Let's take a look at some of the highlights!
ORY Oathkeeper now optional
Using ORY Oathkeeper to protect your API is now optional. The basic quickstart now uses a much simpler set up. Go check it out now!
PostgreSQL, MySQL, CockroachDB support now tested and official!
All three databases now pass acceptance tests and are thus officially supported!
Self-Service Profile Flow
The self-service profile flow has been refactored into a more generic flow allowing users to make modifications to their traits and credentials. Check out the docs to learn more about the flow and it's features.
Please keep in mind that the flow's APIs have changed. We recommend re-reading the docs!
Managing Privileged Profile Fields
Flows such as changing ones profile or primary email address should not be possible unless the login session is fresh. This prevents your colleague or evil friend to take over your account while you make yourself a coffee.
ORY Kratos now supports this by redirecting the user to the login screen if changes to sensitive fields are made. The changes will only be applied after successful reauthentication.
Changes to Hooks
This patch focuses on refactoring how self-service flows terminate and changes how hooks behave and when they are executed.
Before this patch, it was not clear whether hooks run before or after an identity is persisted. This caused problems with multiple writes on the HTTP ResponseWriter and other bugs.
This patch removes certain hooks from after login, registration, and profile
flows. Per default, these flows now respond with an appropriate payload (
redirect for browsers, JSON for API clients) and deprecate the redirect
hook.
This patch includes documentation which explains how these hooks work now.
Additionally, the documentation was updated. Especially the sections about hooks have been refactored. The login and user registration docs have been updated to reflect the latest changes as well.
BREAKING CHANGE: Please remove the redirect
hook from both login,
registration, and settings after configuration. Please remove the session
hook
from your login after configuration. Hooks have moved down a level and are now
configured at selfservice.<login|registration|settings>.<after|before>.hooks
instead of selfservice.<login|registration|settings>.<after|before>.hooks
.
Hooks are now identified by hook:
instead of job:
. Please rename those
sections accordingly.
We recommend re-reading the Hooks Documentation.
Changing Passwords
It's now possible to change your password using the Self-Service Settings Flow! Lean more about this flow here
End-To-End Tests
We added tons of end-to-end and integration tests to find and fix pesky bugs.
Please remove the redirect
hook from both login,
registration, and settings after configuration. Please remove
the session
hook from your login after configuration. Hooks
have moved down a level and are now configured at
selfservice.<login|registration|settings>.<after|before>.hooks
instead of
selfservice.<login|registration|settings>.<after|before>.hooks
.
Hooks are now identified by hook:
instead of job:
. Please
rename those sections accordingly.
Several profile-related URLs have and payloads been updated. Please consult the most recent documentation.
The payloads of the Profile Management Request API
that previously were set in { "methods": { "traits": { ... } }}
have now moved to
{ "methods": { "profile": { ... } }}
.
This patch introduces a refactor that is needed for the profile management API to be capable of handling (password, oidc, ...) credential changes as well.
To implement this, the payloads of the Profile Management Request API
that previously were set in {"form": {...} }
have now moved to
{"methods": { "traits": { ... } }}
.
In the future, as more credential updates are handled, there will
be additional keys in the forms key
{"methods": { "traits": { ... }, "password": { ... } }}
.
-
Allow setting new password in profile flow (3b5fd5c)
-
Automatically append multiStatements parameter to mySQL URI (#374) (39f77bb)
-
Create pop connection without parsed connection options (#366) (10b6481)
-
Decouple quickstart scenarios (#336) (17363b3), closes #262:
Creates several docker compose examples which include various scenarios of the quickstart.
The regular quickstart guide now works without ORY Oathkeeper and uses the standalone mode of the example app instead.
Additionally, the Makefile was improved and now automatically pulls required dependencies in the appropriate version.
-
docker: Throw away build artifacts (481ec1b)
-
Document Schema API and serve over admin endpoint (#299) (4be417c), closes #287
-
Fix swagger annotation (#331) (5c5c78f):
Closes ory/sdk#10
-
Properly annotate error API (a6f1300)
-
Remove unused returnTo (e64e5b0)
-
Resolve docker build permission issues (f3612e8)
-
Resolve failing test issues (2e968e5)
-
Resolve linux install script archive naming (#302) (c98b8aa)
-
Resolve NULL value for seen_at (#259) (a7d1e86), closes #244:
Previously, errorx tests were not executed which caused several bugs.
-
Resolve password continuity issues (56a44fa)
-
Revert use host volume mount for sqlite (#272) (#285) (a7477ab):
This reverts commit 230ab2d83f4d187f410e267c6d68554e82514948.
-
Self-service error query parameter name (#308) (be257f5):
The query parameter for the self-service errors endpoint was named
id
in the API docs, whereas it is theerror
param that is used by the handler. -
session: Regenerate CSRF Token on principal change (#290) (1527ef4), closes #217
-
session: Whoami endpoint now supports all HTTP methods (#283) (4bf645b), closes #270
-
Show log in ui only when unauthenticated or forced (df77310), closes #323
-
sql: Rename migrations with same version (#280) (07e46b9), closes #279
-
swagger: Move nolint,deadcode instructions to own file (#293) (1935510):
Closes ory/docs#279
-
Use resilient client for HIBP lookup (#288) (735b435), closes #261
-
Use semver-regex replacer func (d5c9a47)
-
Use sqlite tag on make install (2c82784)
-
Verified_at field should not be required (#353) (15d5e26):
Closes ory/sdk#11
- Pin v0.2.0-alpha.2 release commit (ab91689)
-
Prepare profile management payloads for credentials (44493f3)
-
Rename traits method to profile (4f1e033)
-
Rework hooks and self-service flow completion (#349) (a7c7fef), closes #348 #347 #179 #51 #50 #31:
This patch focuses on refactoring how self-service flows terminate and changes how hooks behave and when they are executed.
Before this patch, it was not clear whether hooks run before or after an identity is persisted. This caused problems with multiple writes on the HTTP ResponseWriter and other bugs.
This patch removes certain hooks from after login, registration, and profile flows. Per default, these flows now respond with an appropriate payload ( redirect for browsers, JSON for API clients) and deprecate the
redirect
hook. This patch includes documentation which explains how these hooks work now.Additionally, the documentation was updated. Especially the sections about hooks have been refactored. The login and user registration docs have been updated to reflect the latest changes as well.
Also, some other minor, cosmetic, changes to the documentation have been made.
-
Add banner kratos (8a9dfbb)
-
Add csrf and cookie debug section (#342) (cac2948), closes #341
-
Add HA docs (2e5c591)
-
Add hook changes to upgrade guide (55b5fe0)
-
Add more examples to config schema (#372) (ed2ccb9), closes #345
-
Add quickstart notes for docker debugging (74f082a)
-
Add settings docs and improve flows (#375) (478cd9c), closes #345
-
concepts: Fix typo (a49184c):
Closes ory/docs#296
-
concepts: Properly close code tag (1c841c2)
-
Declare api frontmatter properly (df7591f)
-
Document 0.2.0 high-level changes (9be1064)
-
Fix broken images in quickstart (52aa4cf)
-
Fix broken mermaid links (f24fc1b)
-
Improve profile section and restructure nav (#373) (3cc0979), closes #345
-
Regenerate and update changelog (7d4ed98)
-
Regenerate and update changelog (175b626)
-
Regenerate and update changelog (e60e2df)
-
Regenerate and update changelog (41eeb75)
-
Regenerate and update changelog (468105a)
-
Regenerate and update changelog (8414520)
-
Regenerate and update changelog (85d5866)
-
Regenerate and update changelog (e8d2d10)
-
Regenerate and update changelog (4c58b6d)
-
Regenerate and update changelog (a726eb2)
-
Regenerate and update changelog (87b47ba)
-
Regenerate and update changelog (537d496)
-
Regenerate and update changelog (00e6af9)
-
Regenerate and update changelog (48a2eca)
-
Regenerate and update changelog (8a71948)
-
Regenerate and update changelog (ad3d510)
-
Regenerate and update changelog (48bcc70)
-
Regenerate and update changelog (816a55c)
-
Regenerate and update changelog (4ed74d2)
-
Regenerate and update changelog (367927e)
-
Regenerate and update changelog (38f4019)
-
Update banner url (292c986)
-
Update forum and chat links (3039191)
-
Update linux install guide (3b8e549)
-
Update self service reg docs (#367) (4cf0323), closes /github.com/ory/kratos-selfservice-ui-node/blob/489c76d1b0474ee55ef56804b28f54d8718747ba/src/routes/auth.ts#L28:
The old links pointed at
/auth/browser/(login|registration)
which seems to be outdated now. -
Use git checkout in quickstart (#339) (2d2562b), closes #335
-
Allow configuring same-site for session cookies (#303) (2eb2054), closes #257:
It is now possible to set SameSite for the session cookie via the key
security.session.cookie.same_site
. -
continuity: Implement request continuity (135e047), closes #304 #311:
This patch adds a module which is capable of aborting a request, waiting for another option to complete, and then resuming the request again.
This feature makes use of a temporary cookie which keeps track of the request state.
This feature is required for several workflows that update privileged fields such as passwords, 2fa recovery codes, email addresses.
refactor: rename profile to settings flow
Renames selfservice/profile to settings. The settings flow includes a strategy for managing profile information
-
Enable CockroachDB integration (#260) (adc5153), closes #132 #155
-
Enable continuity management for settings module (009d755)
-
Enable updating auth related traits (#266) (65b88ba), closes #243
-
Implement password profile management flow (a31839a), closes #243
-
Introduce fallbacks for required configs (#376) (b3bcb25), closes #369 #352
-
login: Forced reauthentication (#248) (344fc9c), closes #243
-
Return 410 when selfservice requests expire (#289) (b414607), closes #235
-
Send verification emails on profile update (#333) (1cacc80), closes #267
-
u (0b6fa48)
-
u (03fa4f0)
-
u (a3dfd9d)
-
u (616aa0f)
-
fix:add graceful shutdown to courier handler (#296) (235d784), closes #296 #295:
Courier would not stop with the provided Background handler. This changes the methods of Courier so that the graceful package can be used in the same way as the http endpoints can be used.
-
fix(sql) change courier body to text field (#276) (ed5268d), closes #276 #269
-
Make format (b85e5af)
0.1.1-alpha.1 (2020-02-18)
docs: Regenerate and update changelog
- Add verify return to address (#252) (64ab9e5)
- Clean up docker quickstart (#255) (7f0996b)
- Resolve several verification problems (#253) (30d4632)
- Update verify URLs (#258) (5d4f909)
- Regenerate and update changelog (a125822)
- Regenerate and update changelog (b3a8220)
- Regenerate and update changelog (a141b30)
- Regenerate and update changelog (7e12e20)
- Regenerate and update changelog (3c1c67b)
- Regenerate and update changelog (ee07937)
0.1.0-alpha.6 (2020-02-16)
feat: Add verification to quickstart (#251)
- Adapt quickstart to verify changes (#247) (24eceb7)
- Gracefully handle selfservice request expiry (#242) (4421e6b), closes #233
- Set AuthenticatedAt in session issuer hook (#246) (29c83fa), closes #224
- swagger: Sanitize before validate (c72f140)
- swagger: Use correct annotations for request methods (#237) (8473c85), closes #234
- Regenerate and update changelog (922cf0f)
- Regenerate and update changelog (e097c23)
- Regenerate and update changelog (2d1685f)
- Regenerate and update changelog (f8964e9)
- Regenerate and update changelog (92b8001)
- Regenerate and update changelog (d7083ab)
- Regenerate and update changelog (c4547dc)
- Regenerate and update changelog (d8d8bba)
- Regenerate and update changelog (b012ed9)
- Add disabled flag to identifier form fields (#238) (a2178bd), closes #227
- Add verification to quickstart (#251) (172dc87)
- Implement email verification (#245) (eed00f4), closes #27
- Improve password validation strategy (#231) (256fad3)
0.1.0-alpha.5 (2020-02-06)
docs: Regenerate and update changelog
- Regenerate and update changelog (e87e9c9)
- Regenerate and update changelog (d6f0794)
- Regenerate and update changelog (eb7326c)
0.1.0-alpha.4 (2020-02-06)
ci: Bump ory/sdk to 0.1.22
- Bump ory/sdk to 0.1.22 (c0d0edf)
- Regenerate and update changelog (f02afb3)
0.1.0-alpha.3 (2020-02-06)
ci: Bump ory/sdk orb
- Bump ory/sdk orb (65b2ca0)
0.1.0-alpha.2 (2020-02-03)
docs: Regenerate and update changelog
- Add paths to sqa middleware (#216) (130c9c2)
- daemon: Register error routes on admin port (#226) (decd8d8)
- Set csrf token on public endpoints (d0b15ae)
- Introduce upgrade guide (736a3b1)
- Prepare ecosystem automation (7013b6c)
- Regenerate and update changelog (f39b942)
- Regenerate and update changelog (c121601)
- Regenerate and update changelog (a947d55)
- Regenerate and update changelog (8ba2044)
- Regenerate and update changelog (9c023e1)
- Regenerate and update changelog (1e855a9)
- Regenerate and update changelog (01ce3a8)
- Updates issue and pull request templates (#222) (4daae88)
-
Update CHANGELOG [ci skip] (ce9390c)
-
refactor!: Improve user-facing error APIs (#219) (7d4054f), closes #219 #204:
This patch refactors user-facing error APIs:
- The
/errors
endpoint moved to/self-service/errors
- The endpoint is now available at both the Admin and Public API. The Public API requires CSRF Token match or a 403 error will be returned.
- The Public API endpoint no longer returns 404 errors but 403 instead.
- The response payload changed. What was
[{"code": ...}]
is now{"id": "...", "errors": [{"code": ...}]}
This patch requires running
kratos migrate sql
as a new column (csrf_token
) has been added to the user-facing error store. - The
-
Update CHANGELOG [ci skip] (c368a11)
0.1.0-alpha.1 (2020-01-31)
docs: Updates issue and pull request templates (#215)
Signed-off-by: aeneasr [email protected]
0.0.3-alpha.15 (2020-01-31)
Update permissions in SQLite Dockerfile
- Update permissions in SQLite Dockerfile (1266e53)
0.0.3-alpha.14 (2020-01-31)
Update README.md
- Update README.md (db8d65b)
0.0.3-alpha.13 (2020-01-31)
Allow mounting SQLite in /home/ory/sqlite (#212)
0.0.3-alpha.11 (2020-01-31)
Clean up cmd and resolve packr2 issues (#211)
This patch addresses issues with the build pipeline caused by an invalid import. Profiling was also added.
-
Clean up cmd and resolve packr2 issues (#211) (2e43ec0), closes #211:
This patch addresses issues with the build pipeline caused by an invalid import. Profiling was also added.
-
Update CHANGELOG [ci skip] (fc32207)
0.0.3-alpha.10 (2020-01-31)
Update README
0.0.3-alpha.7 (2020-01-30)
Use correct project root in Dockerfile
0.0.3-alpha.5 (2020-01-30)
ci: Resolve final docker build issues (#210)
0.0.3-alpha.4 (2020-01-30)
Update CHANGELOG [ci skip]
- Update CHANGELOG [ci skip] (018c229)
- Add and use ory docker user (cccbe09)
- Update CHANGELOG [ci skip] (0e436e5)
- Update goreleaser changelog filters (7e5af97)
- Update CHANGELOG [ci skip] (4387503)
0.0.3-alpha.2 (2020-01-30)
Resolve goreleaser build issues (#208)
0.0.3-alpha.1 (2020-01-30)
Update CHANGELOG [ci skip]
- Update CHANGELOG [ci skip] (49e09ea)
- Take form field orders from JSON Schema (#205) (a880f0d), closes #205 #176
- Update CHANGELOG [ci skip] (ff52bbb)
- Adapt quickstart docker compose config (#207) (e532583), closes #207
- Update CHANGELOG [ci skip] (7f4800b)
- Update CHANGELOG [ci skip] (1b2c3f6)
- Rework public and admin fetch strategy (#203) (99aa169), closes #203 #122
- Update CHANGELOG [ci skip] (1cea427)
- ss/profile: Use request ID as query param everywhere (#202) (ed32b14), closes #202 #190
- Update CHANGELOG [ci skip] (a392027)
- Update HTTP routes for a consistent API naming (#199) (9ed4bda), closes #199 #195
0.0.1-alpha.9 (2020-01-29)
ci: Bump goreleaser orb
- Bump goreleaser orb (29cd754)
0.0.2-alpha.1 (2020-01-29)
Use correct build archive for homebrew
- Use correct build archive for homebrew (74ac29f)
0.0.1-alpha.6 (2020-01-29)
ci: Bump goreleaser orb
- Bump goreleaser orb (018c94c)
0.0.1-alpha.5 (2020-01-29)
ci: Bump goreleaser dependency
- Bump goreleaser dependency (ec49bfb)
- Resolve build issues with CGO (#196) (298f4ea), closes #196
- ss/password: Make form fields an array (#197) (6cb0058), closes #197 #186
0.0.1-alpha.3 (2020-01-28)
ci: Only compile goarmv7
- Only compile goarmv7 (d8e7ec7)
- Present ORY Hive to the world (#107) (7883589)
- Updates issue and pull request templates (0441dff)
- Updates issue and pull request templates (#174) (ad405e9)
- Updates issue and pull request templates (#39) (daf5aa8)
- Updates issue and pull request templates (#40) (f5907f3)
- Updates issue and pull request templates (#59) (8c5612c)
- Updates issue and pull request templates (#7) (a1220ba)
- Updates issue and pull request templates (#8) (c56798a)
-
Remove redundant return statement (7c2989f)
-
ss/oidc: Remove obsolete request field from form (#193) (59671ba), closes #193 #180
-
strategy/oidc: Allow multiple OIDC Connections (#191) (8984831), closes #191 #114
-
Improve Docker Compose Quickstart (#187) (9459072), closes #187 #188
-
selfservice/password: Remove request field and ensure method is set (#183) (e035adc), closes #183
-
Add tests and fixtures for the config JSON Schema (#171) (ede9c0e), closes #171
-
Add example values for config JSON Schema (12ba728)
-
Replace
url
withuri
format in config JSON Schema (68eddef) -
Replace number with integer in config JSON Schema (#177) (9eff6fd), closes #177
-
Separate post register/login hooks (#150) (f4b7812), closes #150 #149
-
Update README badges (4f7838e)
-
Bump go-acc and resolve test issues (#154) (15b1b63), closes #154 #152 #151:
Due to a bug in
go-acc
, tests would not run if-tags sqlite
was supplied as a go tool argument togo-acc
. This patch resolves that issue and also includes several test patches from previous community PRs and some internal test issues. -
Add ORY Kratos banner to README (#145) (23b824f), closes #145
-
Replace DBAL layer with gobuffalo/pop (#130) (21d08b8), closes #130:
This is a major refactoring of the internal DBAL. After a successful proof of concept and evaluation of gobuffalo/pop, we believe this to be the best DBAL for Go at the moment. It abstracts a lot of boilerplate code away.
As with all sophisticated DBALs, pop too has its quirks. There are several issues that have been discovered during testing and adoption: gobuffalo/pop#136 gobuffalo/pop#476 gobuffalo/pop#473 gobuffalo/pop#469 gobuffalo/pop#466
However, the upside of moving much of the hard database/sql plumbing into another library cleans up the code base significantly and reduces complexity.
As part of this change, the "ephermal" DBAL ("in memory") will be removed and sqlite will be used instead. This further reduces complexity of the code base and code-duplication.
To support sqlite, CGO is required, which means that we need to run tests with
go test -tags sqlite
on a machine that has g++ installed. This also means that we need a Docker Image withalpine
as opposed to purescratch
. While this is certainly a downside, the upside of less maintenance and "free" support for SQLite, PostgreSQL, MySQL, and CockroachDB simply outweighs any downsides that come with CGO. -
Replace local deps with remote ones (8605e45)
-
ss/profile: Improve success and error flows (9e0015a), closes #112:
This patch completes the profile management flow by implementing proper error and success states and adding several data integrity tests.
-
Rebrand ORY Hive to ORY Kratos (#111) (ceda7fb), closes #111
-
Fix broken tests and ci linter issues (#104) (69760fe), closes #104
-
Update to Go modules 1.13 (1da4d75)
-
Resolve minor configuration issues and response errors (#85) (a44913b), closes #85
-
Update Dockerfile and related build tools (#80) (d20c701), closes #80
-
Implement SQL Database adapter (#79) (86d07c4), closes #79 #69
-
Properly decode values in error handler (5eb9088), closes #71
-
Force path and domain on CSRF cookie (#70) (a80d8b0), closes #70 #68
-
Require no session when accessing login or sign up (#67) (c0e0da1), closes #67 #63
-
Add tests for selfservice ErrorHandler (#62) (4bb9e70), closes #62
-
OIDC provider selfservice data enrichment (#56) (936970a), closes #56 #23 #55
-
Remove local jsonschema module override (cd2a5d8)
-
Implement identity management, login, and registration (#22) (bf3395e), closes #22
-
Revert incorrect license changes (fb9740b)
-
Create FUNDING.yml (3c67ac8)
-
Initial commit (ab6f24a)
-
Add ability to define multiple schemas and serve them over HTTP (#164) (c65119c), closes #86:
All identity traits schemas have to be configured using a human readable ID and the corresponding URL. This PR enables multiple schemas to be used next to the default schema. It also adds the kratos.public/schemas/:id endpoint that mirrors all schemas.
-
Add helper for requiring authentication (3888fbd)
-
Add helpers for go-swagger (165a660):
-
Add profile management and refactor internals (3ec9263), closes #112
-
Add session destroyer hook (#148) (d17f002), closes #139:
This patch adds a hook that destroys all active session by the identity which is being logged in. This can be useful in scenarios where only one session should be active at any given time.
-
Explicitly whitelist form parser keys (#105) (28b056e), closes #98:
Previously the form parser would try to detect the field type by asserting types for the whole form. That caused passwords containing only numbers to fail to unmarshal into a string value.
This patch resolves that issue by introducing a prefix option to the BodyParser
-
Fix broken import (308aa13)
-
Handle securecookie errors appropriately (#101) (75bf6fe), closes #97:
Previously, IsNotAuthenticated would not handle securecookie errors appropriately. This has been resolved.
-
Implement message templates and SMTP delivery (#146) (dc674bf), closes #99:
This patch adds a message templates (with override capabilities) and SMTP delivery.
Integration tests using MailHog test fault resilience and e2e email delivery.
This system is designed to be extended for SMS and other use cases.
-
Move package to selfservice (063b767):
Because this module is primarily used in selfservice scenarios, it has been moved to the selfservice parent.
-
Omit request header from login/registration request (#106) (9b07587), closes #95:
When fetching a login and registration request, the HTTP Request Headers must not be included in the response, as they contain irrelevant information for the API caller.
-
Properly handle empty credentials config in sql (#93) (b79c5d1)
-
Re-introduce migration plans to CLI command (#192) (bb32cd3), closes #131
-
Reset CSRF token on principal change (#64) (9c889ab), closes #38:
Add tests for logout.
-
Resolve wrong column reference in sql (#90) (0c0eb87):
Reference ic.method instead of ici.method.
Added regression tests against this particular issue.
-
Update keyword from kratos to ory.sh/kratos (f45cbe0), closes #115
-
Update sdk generation method (24aa3d7)
-
Update to ory/x 0.0.80 (#110) (64de2f8):
Removes the need for BindEnv()
-
Use JSON Schema to type assert form body (#116) (1944c7c), closes #109