This release addresses further important security updates in the base Docker Images. We also resolved all issues related to ARM support on both Linux and macOS and fixed a bug that prevent the binary from compiling on FreeBSD.

This release also makes use of our new build architecture which means that the Docker Images names have changed. We removed the "scratch" images as we received frequent complaints about them. Additionally,
all Docker Images have now, per default, SQLite support built-in. If you are relying on the SQLite images, update your Docker Pull commands as follows:

- docker pull oryd/kratos:{version}-sqlite
+ docker pull oryd/kratos:{version}

Additionally, all passwords now have to be at least 8 characters long, following recommendations from Microsoft and others.

In v0.8.1-alpha.1 we failed to include all the exciting things that landed, so we'll cover them now!

1. Advanced E-Mail templating support with sprig - makes it possible to translate emails as well!
2. Support wildcards for allowing redirection targets.
3. Account Recovery initiated by the Admin API now works even if identities have no email address.

Enjoy this release!

Bug Fixes

• Add missing sample app paths to oathkeeper config (#2058) (a527db4):

  Add "welcome,registration,login,verification" and "**.png" to the paths oathkeeper forwards to self service ui.

• Add section on webauthn constraints (#2072) (23663b5)

• After release hooks (56c2e61)

• Dockerfile clean up (52420cc), closes #2070

• Goreleaser after hook (c763f2b)

• Goreleaser config (7099af2):

  See https://github.com/goreleaser/goreleaser/issues/2762

• Release hook (90bd769)

Code Generation

• Pin v0.8.2-alpha.1 release commit (627f4a1)

Documentation

• Fix bodged release (032b23a)
• Quickstart update (#2060) (3387cf6), closes #2032 #1916

Changelog

• 718107bc autogen(docs): generate and bump docs
• e9617188 autogen(docs): generate and format documentation
• 32d43229 autogen(docs): generate and format documentation
• 4a0db113 autogen(docs): generate and format documentation
• 3cf12ae4 autogen(docs): generate and format documentation
• 5ad0565c autogen(docs): generate and format documentation
• 1cc0d4ab autogen(docs): generate and format documentation
• 54c8c14a autogen(docs): generate and format documentation
• 8129425a autogen(docs): generate and format documentation
• b8ca5f6c autogen(docs): generate and format documentation
• 7507a589 autogen(docs): generate and format documentation
• 063e506a autogen(docs): generate and format documentation
• 4deae97d autogen(docs): generate and format documentation
• 457c9960 autogen(docs): generate cli docs
• 3ae6677b autogen(docs): update milestone document
• 95477c24 autogen: pin v0.8.0-alpha.2.pre.1 release commit
• 942247c3 autogen: pin v0.8.0-alpha.2.pre.2 release commit
• 423f2f12 autogen: pin v0.8.0-alpha.2.pre.4 release commit
• 1f0519c1 autogen: pin v0.8.0-alpha.2.pre.5 release commit
• a53fe3be autogen: pin v0.8.0-alpha.2.pre.6 release commit
• 722fb732 autogen: pin v0.8.1-alpha.2.pre.0 release commit
• 7f160f62 autogen: pin v0.8.2-alpha.1 release commit
• 627f4a1d autogen: pin v0.8.2-alpha.1 release commit
• 02201c25 ci: fix docker ref
• 032b23ab docs: fix bodged release
• 3387cf6f docs: quickstart update (#2060)
• a527db44 fix: add missing sample app paths to oathkeeper config (#2058)
• 23663b50 fix: add section on webauthn constraints (#2072)
• 56c2e611 fix: after release hooks
• 52420ccc fix: dockerfile clean up
• c763f2b3 fix: goreleaser after hook
• 7099af20 fix: goreleaser config
• 90bd7698 fix: release hook

Docker images

• docker pull oryd/kratos:v0.8.2-alpha.1
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.8
• docker pull oryd/kratos:v0.8.2

Artifacts can be verified with cosign using this public key.

This maintenance release important security updates for the base Docker Images (e.g. Alpine). Additionally, several hiccups with the new ARM support have been resolved and the binaries are now downloadable for all major platforms. Please note that passwords now have to be at least 8 characters long, following recommendations from Microsoft and others.

Enjoy this release!

Breaking Changes

To celebrate this change, we cleaned up the ways you install Ory software, and will roll this out to all other projects soon:

There is now one central brew / bash curl repository:

-brew install ory/kratos/kratos
+brew install ory/tap/kratos

-bash <(curl https://raw.githubusercontent.com/ory/kratos/master/install.sh)
+bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) kratos

Bug Fixes

• Add base64 to ReadSchema (#1918) (8c8815b), closes #1529

• Add error.id to invalid cookie/token settings flow (#1919) (73610d4), closes #1888

• Adds missing webauthn authentication method (#1914) (44892f3)

• Allow use of relative URLs in config (#1754) (5f73bb0), closes #1446

• Bodget docs commit (f9d2f82)

• Build docs on release (2cf137a)

• De-duplicate message IDs (#1973) (9d8e197)

• Do not use csrf for meta endpoints (#1927) (fd14798)

• Docs links (#2008) (8515e17)

• E2e test regression (#1937) (c9be009)

• Include text label for link email field (07a1dbb), closes #1909

• Panic on webhook with nil body (#1890) (4bf1825), closes #1885

• Paths (8c852c7)

• Require minimum length of 8 characters password (#2009) (bb5846e):

  Kratos follows NIST Digital Identity Guidelines - 5.1.1.2 Memorized Secret Verifiers and password policy says

  Passwords must have a minimum length of 8 characters and all characters (unicode, ASCII) must be allowed.

• Resolve freebsd build issue (#2004) (9c75fe9), closes #1645

• Revert tag (f1d7b9e), closes #1945

• Set dockerfile (c860b99)

• Skip docs publishing for pre releases (eb6d8cd)

• Speed up git clone (d3e4bde)

• Support complex lifespans (#2050) (0edbebe)

• Update docs after release (850be90)

• Update sdk orb (94e12e6)

• Use bcrypt for password hashing in example (a9196f2)

• Use new ory installation method (09cfc7e)

• Verification error code (#1967) (44411ab), closes #1956

Code Generation

• Pin v0.8.1-alpha.1 release commit (8247416)

Documentation

• Add Content-Type to recommended CORS allowed headers (#2015) (dd890ab)

• Add subdomain configuration in csrf page (#1896) (681750f):

  Add some instructions as to how kratos can be configured to work across subdomains.

• debug: Fix typo (#1976) (0647554)

• Fix incorrect tag (bbd2355), closes #2032 #2028

• Fixed date format example (#2038) (fc4703a)

• Improve text around bcrypt (#2037) (ba6981e)

• Levenshtein-Distance has been released (#2040) (393b6b3)

• Minor fixes (#2010) (12918db)

• Password-strength meter has been dropped (#2041) (9848fb3)

• Remove unintended characters in subdomain section in csrf page (#1897) (dfb9007)

• This has been done (#2045) (7e8c91a)

• Totp unlink image in 2fa docs (#1957) (7afb731)

• Update email template docs (#1960) (#1968) (b0f25a9)

• Webhooks have landed (#2035) (80e53eb)

Features

• Add alpine dockerfile (587eaee)

• Add new goreleaser build chain (#1932) (cf1714d):

  This patch adds full compatibility with ARM architectures, including Apple Silicon (M1). We additionally added cryptographically signed signatures verifiable using cosign for both binaries as well as docker images.

• Add quickstart mimicking hosted ui (813fb4c)

• Add x-total-count to paginated pages (b633ec3)

• Advanced e-mail templating support (#1859) (54b97b4), closes #834 #925

• Allow wildcard domains for redirect_to checks (#1528) (349cdcf), closes #943:

  Support wildcard domains in redirect_to checks.

• Buildkit with multi stage build (#2025) (57ab7f7)

• cmd: Add OIDC credential include (#2017) (1482844):

  With this change, the kratos identities get CLI can additionally fetch OIDC credentials.

• Configurable health endpoints access logging (#1934) (1301f68):

  This PR introduces a new boolean configuration parameter that allows turning off logging of health endpoints requests in the access log. The implementation is basically a rip-off from Ory Hydra and the configuration parameter is the same:

  serve.public.request_log.disable_for_health
  serve.admin.request_log.disable_for_health
  

  The default value is false.

• Generalise courier (#2019) (1762a73)

• Integrate sbom generation to goreleaser (#1850) (305bb28)

• Make admin recovery to work without emails #1419 (#1750) (db00e85)

• oidc: Add spotify provider (#2024) (0064e35)

Tests

• Add web hook test cases (#2051) (316e940)
• e2e: Improved SDK set up and arm fix (#1933) (c914ba1)
• e2e: Split e2e script into setup and test phase (#2027) (1761418)
• Fix changed message ID (#2013) (0bb66de)
• Update snapshots (a820653)

Changelog

• 648a7bb3 autogen(docs): generate and format documentation
• 37093456 autogen(docs): generate and format documentation
• 97fed155 autogen(docs): generate and format documentation
• 947ad624 autogen(docs): generate and format documentation
• 423ca0f4 autogen(docs): generate and format documentation
• 4cd63b97 autogen(docs): generate and format documentation
• ca452603 autogen(docs): generate and format documentation
• 12fb0647 autogen(docs): generate and format documentation
• d32c3740 autogen(docs): generate and format documentation
• 9fa79861 autogen(docs): generate and format documentation
• e2377bc9 autogen(docs): generate and format documentation
• d0963d8c autogen(docs): generate and format documentation
• 36f17944 autogen(docs): generate and format documentation
• c9ce2ba7 autogen(docs): generate and format documentation
• 1522fbfd autogen(docs): generate and format documentation
• fd395f1d autogen(docs): generate and format documentation
• 2c6dabe0 autogen(docs): generate and format documentation
• 6bfd55e8 autogen(docs): generate and format documentation
• 3d9c349c autogen(docs): generate and format documentation
• 0b426d2e autogen(docs): generate and format documentation
• 8e316056 autogen(docs): generate and format documentation
• 54eaf3a0 autogen(docs): generate and format documentation
• a97bfd10 autogen(docs): generate and format documentation
• 2109ea47 autogen(docs): generate and format documentation
• 69296ff6 autogen(docs): generate and format documentation
• 8f96bf4e autogen(docs): generate and format documentation
• 2b7cd129 autogen(docs): generate and format documentation
• 64bf08d3 autogen(docs): generate cli docs
• 25b148fd autogen(docs): generate cli docs
• 33a50f61 autogen(docs): generate cli docs
• 39e0eb6e autogen(docs): generate cli docs
• 26374705 autogen(docs): generate cli docs
• ac7efc3c autogen(docs): generate cli docs
• 7faf83ab autogen(docs): generate cli docs
• 810d39ae autogen(docs): generate cli docs
• 0f6c55b1 autogen(docs): generate cli docs
• f08cecd5 autogen(docs): generate cli docs
• ee217e9c autogen(docs): generate cli docs
• 70e75e1b autogen(docs): generate cli docs
• 249ccefe autogen(docs): generate cli docs
• 437cc997 autogen(docs): generate cli docs
• 4d6bdb7b autogen(docs): generate cli docs
• 25b0f472 autogen(docs): generate cli docs
• 966b9689 autogen(docs): generate cli docs
• b7ef125d autogen(docs): generate cli docs
• 6bbfe257 autogen(docs): generate cli docs
• 92f0fb99 autogen(docs): generate cli docs
• b56ff6e4 autogen(docs): generate cli docs
• 1e794fe8 autogen(docs): generate cli docs
• 7c78bc78 autogen(docs): update milestone document
• bf80e961 autogen(docs): update milestone document
• 31a3c190 autogen(docs): update milestone document
• fc17cf87 autogen(docs): update milestone document
• ea5e959d autogen(docs): update milestone document
• 31fa367b autogen(docs): update milestone document
• 8393e0af autogen(docs): update milestone document
• 981f4e32 autogen(docs): update milestone document
• bf03cc9d autogen(docs): update milestone document
• 54513cd1 autogen: add v0.8.0-alpha.3 to version.schema.json
• 2526a53c autogen: pin v0.8.0-alpha.4-pre.0 release commit
• 3e443b77 autogen: pin v0.8.0-alpha.4.pre.0 release commit
• d4214db4 autogen: pin v0.8.0-alpha.4.pre.1 release commit
• 3b9be105 autogen: pin v0.8.0-alpha.4.pre.2 release commit
• 82474161 autogen: pin v0.8.1-alpha.1 release commit
• 0711c8c3 autogen: update release artifacts
• 9e23831c chore: bump alpine images (#1974)
• dd460db1 chore: fix issues reported by the CI (#2018)
• ee4524f7 chore: update docusaurus template
• 7806591c chore: update docusaurus template (#1902)
• c50c2feb chore: update docusaurus template (#1929)
• f6efc923 chore: update repository templates
• 84c12c27 chore: update repository templates
• adc748e9 chore: use json.Marshal for the message context (#1975)
• ea868b4c ci: bump goreleaser orb (#2014)
• 06475541 docs(debug): fix typo (#1976)
• 393b6b38 docs: Levenshtein-Distance has been released (#2040)
• dd890ab9 docs: add Content-Type to recommended CORS allowed headers (#2015)
• 681750f9 docs: add subdomain configuration in csrf page (#1896)
• bbd2355b docs: fix incorrect tag
• fc4703aa docs: fixed date format example (#2038)
• ba6981e3 docs: improve text around bcrypt (#2037)
• 12918dbf docs: minor fixes (#2010)
• 9848fb3b docs: password-strength meter has been dropped (#2041)
• dfb90079 docs: remove unintended characters in subdomain section in csrf page (#1897)
• 7e8c91ac docs: this has been done (#2045)
• 7afb731c docs: totp unlink image in 2fa docs (#1957)
• b0f25a9a docs: update email template docs (#1960) (#1968)
• 80e53eb8 docs: webhooks have landed (#2035)
• 14828448 feat(cmd): add OIDC credential include (#2017)
• 0064e350 feat(oidc): add spotify provider (#2024)
• db00e85e feat: Make admin recovery to work without emails #1419 (#1750)
• 587eaeee feat: add alpine dockerfile
• cf1714da feat: add new goreleaser build chain (#1932)
• 813fb4cf feat: add quickstart mimicking hosted ui
• b633ec3d feat: add x-total-count to paginated pages
• 54b97b45 feat: advanced e-mail templating support (#1859)
• 349cdcf4 feat: allow wildcard domains for redirect_to checks (#1528)
• 57ab7f78 feat: buildkit with multi stage build (#2025)
• 1301f689 feat: configurable health endpoints access logging (#1934)
• 1762a730 feat: generalise courier (#2019)
• 305bb28d feat: integrate sbom generation to goreleaser (#1850)
• bb5846ec fix: Require minimum length of 8 characters password (#2009)
• 8c8815b7 fix: add base64 to ReadSchema (#1918)
• 73610d4c fix: add error.id to invalid cookie/token settings flow (#1919)
• 44892f37 fix: adds missing webauthn authentication method (#1914)
• 5f73bb07 fix: allow use of relative URLs in config (#1754)
• f9d2f824 fix: bodget docs commit
• 2cf137a0 fix: build docs on release
• 9d8e1972 fix: de-duplicate message IDs (#1973)
• fd147989 fix: do not use csrf for meta endpoints (#1927)
• 8515e179 fix: docs links (#2008)
• c9be0091 fix: e2e test regression (#1937)
• 07a1dbb9 fix: include text label for link email field
• 4bf18250 fix: panic on webhook with nil body (#1890)
• 8c852c73 fix: paths
• 9c75fe9e fix: resolve freebsd build issue (#2004)
• f1d7b9e2 fix: revert tag
• c860b992 fix: set dockerfile
• eb6d8cdb fix: skip docs publishing for pre releases
• d3e4bdef fix: speed up git clone
• 0edbebed fix: support complex lifespans (#2050)
• 850be906 fix: update docs after release
• 94e12e6d fix: update sdk orb
• a9196f27 fix: use bcrypt for password hashing in example
• 09cfc7e2 fix: use new ory installation method
• 44411ab4 fix: verification error code (#1967)
• c914ba10 test(e2e): improved SDK set up and arm fix (#1933)
• 17614186 test(e2e): split e2e script into setup and test phase (#2027)
• 316e940a test: add web hook test cases (#2051)
• 0bb66de5 test: fix changed message ID (#2013)
• a8206537 test: update snapshots

Docker images

• docker pull oryd/kratos:v0.8.1-alpha.1
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.8
• docker pull oryd/kratos:v0.8.1

Artifacts can be verified with cosign using this public key.

Resolves issues in the quickstart.

Bug Fixes

• Resolve quickstart issues (#1900) (d047009):

  Closes https://github.com/ory/kratos/discussions/1899

Code Generation

• Pin v0.8.0-alpha.3 release commit (a307deb)

Changelog

273785a5 autogen(docs): generate and format documentation
928f6564 autogen(docs): generate cli docs
639e8415 autogen: add v0.8.0-alpha.2 to version.schema.json
a307deb6 autogen: pin v0.8.0-alpha.3 release commit
7e091469 autogen: pin v0.8.0-alpha.3 release commit
d0470095 fix: resolve quickstart issues (#1900)

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.8-sqlite
• docker pull oryd/kratos:v0.8.0-sqlite
• docker pull oryd/kratos:v0.8.0-alpha.3-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.8
• docker pull oryd/kratos:v0.8.0
• docker pull oryd/kratos:v0.8.0-alpha.3

Resolves an issue in the SDK release pipeline.

Code Generation

• Pin v0.8.0-alpha.2 release commit (2178929)

Changelog

fb5a5233 autogen(docs): generate and format documentation
833f14f8 autogen(docs): update milestone document
87923d09 autogen: add v0.8.0-alpha.1 to version.schema.json
21789297 autogen: pin v0.8.0-alpha.2 release commit
76403d8e ci: bump sdk orb

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.8-sqlite
• docker pull oryd/kratos:v0.8.0-sqlite
• docker pull oryd/kratos:v0.8.0-alpha.2-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.8
• docker pull oryd/kratos:v0.8.0
• docker pull oryd/kratos:v0.8.0-alpha.2

We are extremely excited to share this next generation of Ory Kratos! The project is truly maturing and the community is getting larger by the hour.

On this special occasion, we would like to bring to your attention that the Ory Summit is happening tomorrow and on Friday! You will hear gripping talks from the Ory Community and Ory maintainers! And the best part, tickets are free and we are covering multiple time zones!

This release is truly the best version of Ory Kratos to date and we want to give you a tl;dr of the 345 commits and 1152 files changed, and what you can expect from this release:

• Full multi-factor authentication with different enforcement policies (soft/hard MFA).
• Support for WebAuthn (FIDO2 / U2F) two-factor authentication - from fingerprints to hardware tokens every FIDO2 device is supported!
• Ability to fetch the initial OAuth2 Access and Refresh and OpenID Connect ID Tokens an identity receives when performing social sign up. Optionally, these tokens are stored encrypted in the database (XChaCha20Poly1305 or AES-GCM)!
• Support for TOTP (Google Authenticator) two-factor verification/authentication.
• Advanced two-factor recovery with lookup secrets.
• A complete reference implementation of the Ory Kratos end-user (self-service) facing UI in ReactJS & VercelJS.
• "Native" support for Single-Page App Single Sign-On.
• Much improved single-page app and native app APIs for all self-service flows.
• Support for PKBDF2 password hashing, which will help import user passwords from other systems in the future.
• Bugfixes and improvements to the OpenAPI spec and auto-generated SDKs.
• ARM Docker Images.
• Greatly improved internal e2e test pipeline using Cypress 8.x.
• Improved functional tests with cupaloy snapshot testing.
• Documentation on different error codes and message identifiers to easier translate messages in your own UI.
• Better form decoding and ability to mark required JSON Schema fields as required in the UI.
• Bug fixes that could result in users ending up in irrecoverable UI states.
• Better support for return_to across flows (e.g. OIDC) and in custom UIs.
• SBOM Software Supply Chain scanning & reporting.
• Docker Image vulnerability checking as part of the release pipeline.
• Support sending emails via AWS SES SMTP.
• A REST endpoint to invalidate all an identity's sessions.

As you can see, much has happened and we are grateful for all the great interactions we have with you, every day!

Let's take a look at some of the breaking changes. Even though much was added, little has changed in breaking ways! This is a testament that Ory Kratos' internals and APIs are becoming more stable!

This release requires you to run SQL migrations. Please, as always, create a backup of your database first!

The SDKs are now generated with tag v0alpha2 to reflect that some signatures have changed in a breaking fashion. Please update your imports from v0alpha1 to v0alpha2.

The SMTPS scheme used in courier config URL with cleartext/StartTLS/TLS SMTP connection types is now only supporting implicit TLS. For StartTLS and cleartext SMTP, please use the SMTP scheme instead.

Example:

• SMTP Cleartext: smtp://foo:bar@my-mailserver:1234/?disable_starttls=true
• SMTP with StartTLS: smtps://foo:bar@my-mailserver:1234/ -> smtp://foo:bar@my-mailserver:1234/
• SMTP with implicit TLS: smtps://foo:bar@my-mailserver:1234/?legacy_ssl=true -> `smtps://foo:bar@my-mailserver:1234/We are extremely excited to share this next generation of Ory Kratos! The project is truly maturing and the community is getting larger by the hour.

On this special occasion, we would like to bring to your attention that the Ory Summit is happening tomorrow and on Friday! You will hear gripping talks from the Ory Community and Ory maintainers! And the best part, tickets are free and we are covering multiple time zones!

This release is truly the best version of Ory Kratos to date and we want to give you a tl;dr of the 345 commits and 1152 files changed, and what you can expect from this release:

• Full multi-factor authentication with different enforcement policies (soft/hard MFA).
• Support for WebAuthn (FIDO2 / U2F) two-factor authentication - from fingerprints to hardware tokens every FIDO2 device is supported!
• Ability to fetch the initial OAuth2 Access and Refresh and OpenID Connect ID Tokens an identity receives when performing social sign up. Optionally, these tokens are stored encrypted in the database (XChaCha20Poly1305 or AES-GCM)!
• Support for TOTP (Google Authenticator) two-factor verification/authentication.
• Advanced two-factor recovery with lookup secrets.
• A complete reference implementation of the Ory Kratos end-user (self-service) facing UI in ReactJS & VercelJS.
• "Native" support for Single-Page App Single Sign-On.
• Much improved single-page app and native app APIs for all self-service flows.
• Support for PKBDF2 password hashing, which will help import user passwords from other systems in the future.
• Bugfixes and improvements to the OpenAPI spec and auto-generated SDKs.
• ARM Docker Images.
• Greatly improved internal e2e test pipeline using Cypress 8.x.
• Improved functional tests with cupaloy snapshot testing.
• Documentation on different error codes and message identifiers to easier translate messages in your own UI.
• Better form decoding and ability to mark required JSON Schema fields as required in the UI.
• Bug fixes that could result in users ending up in irrecoverable UI states.
• Better support for return_to across flows (e.g. OIDC) and in custom UIs.
• SBOM Software Supply Chain scanning & reporting.
• Docker Image vulnerability checking as part of the release pipeline.
• Support sending emails via AWS SES SMTP.
• A REST endpoint to invalidate all an identity's sessions.

As you can see, much has happened and we are grateful for all the great interactions we have with you, every day!

Let's take a look at some of the breaking changes. Even though much was added, little has changed in breaking ways! This is a testament that Ory Kratos' internals and APIs are becoming more stable!

This release requires you to run SQL migrations. Please, as always, create a backup of your database first!

The SDKs are now generated with tag v0alpha2 to reflect that some signatures have changed in a breaking fashion. Please update your imports from v0alpha1 to v0alpha2.

The SMTPS scheme used in courier config URL with cleartext/StartTLS/TLS SMTP connection types is now only supporting implicit TLS. For StartTLS and cleartext SMTP, please use the SMTP scheme instead.

Example:

• SMTP Cleartext: smtp://foo:bar@my-mailserver:1234/?disable_starttls=true
• SMTP with StartTLS: smtps://foo:bar@my-mailserver:1234/ -> smtp://foo:bar@my-mailserver:1234/
• SMTP with implicit TLS: smtps://foo:bar@my-mailserver:1234/?legacy_ssl=true -> `smtps://foo:bar@my-mailserver:1234/We are extremely excited to share this next generation of Ory Kratos! The project is truly maturing and the community is getting larger by the hour.

On this special occasion, we would like to bring to your attention that the Ory Summit is happening tomorrow and on Friday! You will hear gripping talks from the Ory Community and Ory maintainers! And the best part, tickets are free and we are covering multiple time zones!

This release is truly the best version of Ory Kratos to date and we want to give you a tl;dr of the 345 commits and 1152 files changed, and what you can expect from this release:

• Full multi-factor authentication with different enforcement policies (soft/hard MFA).
• Support for WebAuthn (FIDO2 / U2F) two-factor authentication - from fingerprints to hardware tokens every FIDO2 device is supported!
• Ability to fetch the initial OAuth2 Access and Refresh and OpenID Connect ID Tokens an identity receives when performing social sign up. Optionally, these tokens are stored encrypted in the database (XChaCha20Poly1305 or AES-GCM)!
• Support for TOTP (Google Authenticator) two-factor verification/authentication.
• Advanced two-factor recovery with lookup secrets.
• A complete reference implementation of the Ory Kratos end-user (self-service) facing UI in ReactJS & VercelJS.
• "Native" support for Single-Page App Single Sign-On.
• Much improved single-page app and native app APIs for all self-service flows.
• Support for PKBDF2 password hashing, which will help import user passwords from other systems in the future.
• Bugfixes and improvements to the OpenAPI spec and auto-generated SDKs.
• ARM Docker Images.
• Greatly improved internal e2e test pipeline using Cypress 8.x.
• Improved functional tests with cupaloy snapshot testing.
• Documentation on different error codes and message identifiers to easier translate messages in your own UI.
• Better form decoding and ability to mark required JSON Schema fields as required in the UI.
• Bug fixes that could result in users ending up in irrecoverable UI states.
• Better support for return_to across flows (e.g. OIDC) and in custom UIs.
• SBOM Software Supply Chain scanning & reporting.
• Docker Image vulnerability checking as part of the release pipeline.
• Support sending emails via AWS SES SMTP.
• A REST endpoint to invalidate all an identity's sessions.

As you can see, much has happened and we are grateful for all the great interactions we have with you, every day!

Let's take a look at some of the breaking changes. Even though much was added, little has changed in breaking ways! This is a testament that Ory Kratos' internals and APIs are becoming more stable!

This release requires you to run SQL migrations. Please, as always, create a backup of your database first!

The SDKs are now generated with tag v0alpha2 to reflect that some signatures have changed in a breaking fashion. Please update your imports from v0alpha1 to v0alpha2.

The SMTPS scheme used in courier config URL with cleartext/StartTLS/TLS SMTP connection types is now only supporting implicit TLS. For StartTLS and cleartext SMTP, please use the SMTP scheme instead.

Example:

• SMTP Cleartext: smtp://foo:bar@my-mailserver:1234/?disable_starttls=true
• SMTP with StartTLS: smtps://foo:bar@my-mailserver:1234/ -> smtp://foo:bar@my-mailserver:1234/
• SMTP with implicit TLS: smtps://foo:bar@my-mailserver:1234/?legacy_ssl=true -> smtps://foo:bar@my-mailserver:1234/

Breaking Changes

The location of the homebrew tap has changed from ory/ory/kratos to ory/tap/kratos.

To stay consistent with other query parameter's, the self-service login flow's forced key has been renamed to refresh.

The SDKs are now generated with tag v0alpha2 to reflect that some signatures have changed in a breaking fashion. Please update your imports from v0alpha1 to v0alpha2.

To support 2FA on non-browser (e.g. native mobile) apps we have added the Ory Session Token as a possible parameter to both initializeSelfServiceLoginFlowWithoutBrowser and submitSelfServiceLoginFlow. Depending on the SDK generator, the order of the arguments may have changed. In JavaScript:

- .submitSelfServiceLoginFlow(flow.id, payload)
+ .submitSelfServiceLoginFlow(flow.id, sessionToken, payload)
+ // or if the user has no session yet:
+ .submitSelfServiceLoginFlow(flow.id, undefined, payload)

To improve the overall API design we have changed the result of POST /self-service/settings. Instead of having flow be a key, the flow is now the response. The updated identity payload stays the same!

 {
-  "flow": {
-    "id": "flow-id-..."
-    ...
-  },
+  "id": "flow-id-..."
+  ...
   "identity": {
     "id": "identity-id-..."
   }
 }

The SMTPS scheme used in courier config url with cleartext/StartTLS/TLS SMTP connection types is now only supporting implicit TLS. For StartTLS and cleartext SMTP, please use the smtp scheme instead.

Example:

• SMTP Cleartext: smtp://foo:bar@my-mailserver:1234/?disable_starttls=true
• SMTP with StartTLS: smtps://foo:bar@my-mailserver:1234/ -> smtp://foo:bar@my-mailserver:1234/
• SMTP with implicit TLS: smtps://foo:bar@my-mailserver:1234/?legacy_ssl=true -> smtps://foo:bar@my-mailserver:1234/

This patch changes the naming and number of prometheus metrics (see: https://github.com/ory/x/pull/379). In short: all metrics will have now http_ prefix to conform to Prometheus best practices.

Bug Fixes

• Add error id (1442784)

• Add mfa e2e test scenarios and resolve found issues (436992d)

• Add middleware earlier #1775 (#1776) (b9d253e)

• Allow refresh and aal upgrade at the same time (2ec801f)

• API client leaks stack trace with an error (#1772) (d3aff6d), closes #1771

• Better const handling for internal context (1e457e3)

• Correct swagger path for /identities/:id/session endpoint (#1756) (d614f2a)

• Decoder regression in registration (febf75a)

• Deterministic clidoc dates (e48d90a)

• Disable totp per default (7278589)

• Docs autogen should not use time.Now (a830f5b)

• Ensure correct error propagation (77ce709)

• Ensure refresh issues a new session when the identity changes (a10b385)

• Ensure return_to works for OIDC flows (d615734), closes #1773

• Explicit validation for return to in new flows (284cf29)

• Follow chrome webauthn best practice recommendation (0a7c812)

• Githup-app name in config (#1822) (1b50963)

• Handle return errors on the frontend and break early (0e8d481):

  Closes https://github.com/ory-corp/cloud/issues/1426

• Identity credential identifiers are now unique per method (57fd99a)

• Improve schema validation error tracing (f793fe5)

• Incorrect JSON response for browser flows (1501f56)

• Kill modd as well (e5a98e5)

• link: Resolve incorrect response types when opening API recovery link in browser (35ea8db)

• login: Properly handle refresh (8dc7059)

• lookup: Ensure correct fields are set (5ed4c55)

• lookup: Resolve reuse scenarios (dbfe475)

• lookup: Set up codes correctly (2f373f3)

• OIDC provider field in spec (#1809) (11b25de)

• oidc: Ensure nested keys work on login (71583c5)

• Omitempty for VerifiedAt and StateChangedAt (#1736) (bf2ec6e):

  Closes https://github.com/ory/sdk/issues/95

• Only respect required modules for SDK (4c5677f)

• Panic when recovering deactivated user (0a49f27), closes #1794 #1826

• Potentially resolve hanging postgres connection closing (693a928)

• Properly encode aal error (49b6288)

• Properly open recovery endpoints in browser if flow was initiated via API (23c12e5)

• Remove duplicate schema error (4e69123)

• Remove initial_value again as it was not useful outside of booleans (0cc984b)

• Remove obsolete openapi patch (11618ec)

• Remove unnecessary cmd reference (351760e)

• Replace 302 with 303 (2e2b0f8)

• Resolve clidoc generation issue (1aaaa03)

• Resolve merge issues (1dc7497)

• Resolve openapi issues and regenerate clients (f7d60c0)

• Resolve swagger regression (02b9d47)

• Run format on ts files (f55f6f6)

• Slow CLI start-up time (ae20c17):

  Found a deeply nested dependency which was importing https://github.com/markbates/pkger, causing unreasonable CPU consumption and significant delay at start up time. With this patch, start up time was reduced from almost 3s to ~0.01s.

  $ time kratos
  kratos  2.55s user 2.46s system 508% cpu 0.986 total
  
  $ time ./kratos-patch
  ./kratos-patch  0.00s user 0.00s system 64% cpu 0.001 total
  

• test: OIDC storategy test (#1836) (b877dbe)

• totp: Reorder QR (d096df7)

• Try and reduce cookie flakyness (e7ae8d6)

• Typo (8c4d8a2)

• ui: Use correct type for anchor (a6595e4)

• Update schema config location (539ae73)

• Use parallelism of 1 in go test (8736334)

• webauthn: Support react-based webauth (b6123b4)

• X-session-token must not be mandatory (05d73be)

Code Generation

• Pin v0.8.0-alpha.1 release commit (c2c902c)

Code Refactoring

• courier: Support SMTP schemes for implicit TLS, explicit StartTLS, and cleartext SMTP (#1831) (4cb082c), closes #1770 #1769

• Homogenize error messages (421a319)

• Improved prometheus metrics (#1830) (0be993b), closes #1735:

  This will add new prometheus metrics for Kratos that are more useful for alerting and increase overall observability.

• Login flow forced renamed to refresh (92087e5)

• login: Rename forced -> refresh (8d1e54b)

• login: Support 2FA for non-browser SDKs (df4846d)

• Move expired error into top-level flow module (01a2602)

• Move homebrew tap to ory/tap (0ee67c3)

• Move node identifiers to node package (b0a86dc)

• Revert decision to return 422 errors and streamline 401/403 (8aa5318)

• Sdk API is no v0alpha2 (3f06738)

• session: CreateAndIssueCookie is now UpsertAndIssueCookie (a6d134d)

• session: CreateSession is now UpsertSession (3ec81a2)

• settings: Change settings success response (12f98f2)

Documentation

• Add 2fa credentials (f7899a7)
• Add 2fa guide (b4eed76)
• Add a commandline example for the logout (#1753) (81ba264)
• Add admin ui guide (ac88060)
• Add advanced custom UI documentation (5e3a2cd)
• Add image assets (6bc93ca)
• Add missing angle bracket (#1799) (4270140)
• Add ory sessions as a concept (626c0c9)
• Add powershell to deps (#1853) (e945336), closes #1848
• credentials: Add AAL explanation (c1f501e)
• Enhance error return values (3799c24)
• Fix invalid syntax (#1819) (8cd6428)
• Fix the flow links used for rendering (#1752) (131d2c2)
• Fix the invalid links (#1868) (6d621ec)
• Remove obsolete file (b7f9052)
• Update generated docs (72afb81)
• Update quickstart curl examples (#1778) (6c677c4)
• Use correct link (f007919), closes #1793

Features

• Add intended_for_someone_else error code (572a131)

• Add aal fallback for existing sessions (a5c7b11)

• Add authenticators after set up (035c276)

• Add DeleteCredentialsType to identity struct including tests (b12bf52)

• Add e2e tests for react native 2fa (a3ac253)

• Add error ids for csrf-related errors (dc2adbf)

• Add error ids for redirect-related errors (246a045)

• Add error ids for session-related errors (087d907)

• Add explicit return_to to flow objects and API parameters (50d04ea), closes #1605 #1121:

  This patch adds a return_to field to the flow objects which contains the original ?return_to=... value. It uses the Flow's request_url for that purpose.

• Add ids for user-facing errors for login, registration, settings (787558b):

  This patch adds a new field id to JSON error payloads. This helps tremendously in implementing better client-side (native / SPA) apps as the API now returns error IDs like no_active_session, orbidden_return_to, no_verified_address and more. UIs can use these IDs to decide what to do next in the application - for example redirecting to a particular endpoint or showing an error message.

• Add initial value to bool checkboxes (63dba73)

• Add internal context to login and registration (723e6ee)

• Add internal context to settings flow (afb6895)

• Add lookup node to disable lookup (d0836be):

  See https://github.com/ory/cloud/issues/12

• Add lookup to config (14119b6)

• Add lookup to identity (ead3833)

• Add lookup to migrations (dac4f75)

• Add MFA enforcment option to whoami and settings (554d725)

• Add mfa for non-browser (4096fd3)

• Add missing migrations (ccc64d8)

• Add option to disable recovery codes (9d3daa6):

  Closes https://github.com/ory/cloud/issues/12

• Add ory cli config (5b959be)

• Add schema patch for new initial_value field (131e380):

  The field sets a node input's initial value. This is primarily used for fields which are e.g. checkboxes or buttons (active/inactive). If this field is set on a button, it implies that clicking the button should trigger the "value" to be set.

• Add script type and discriminator for attributes (de0af95):

  See https://github.com/ory/sdk/issues/72

• Add smtp headers config option (#1747) (7ffe0e9), closes #1725

• Add support for onclick javascript in ui nodes (7cc7efa)

• Add totp strategy for settings flow (d1d6617):

  This patch allows adding a TOTP device in the settings, and also removing it when no longer needed.

• Add webauthn identity credential (f8b9582)

• Adding Dockle Container Linter (#1852) (3c0d519)

• Adjust to new aal error handling (b8956bc)

• API to return access, refresh, id tokens from social sign in (#1818) (198991a), closes #1518 #397:

  This patch introduces the new include_credential query parameter to the GET /identities endpoint which allows administrators to receive the initial access, refresh, and ID tokens from Social Sign In (OpenID Connect / OAuth 2.0) flows.

  These tokens can be stored in an encrypted format (XChaCha20Poly1305 or AES-GCM) in the database if an appropriate encryption secret is set. To get started easily these values are not encrypted per default.

  For more information head over to the docs.

• Auto-generate list of messages (cf46339), closes #1784

• Endpoint to list all identity schemas (#1703) (aa23d5d), closes #1699

• Generate sdks and update versions (c9d22d9)

• hash: PBKDF2 password hash verification (#1774) (33cc7e0), closes #1659

• Identity schema validation on startup (#1779) (99db3f0), closes #701

• identity: Add AAL constants (882573d)

• Implement AAL for login and sessions (45467e0)

• Implement endpoint for invalidating all sessions for a given identity (#1740) (dbd1689), closes #655:

  This PR introduces endpoint to destroy all sessions for a given identity which effectively logouts user from all devices/sessions. This is useful when for some security concern we want to make sure there are no "old" sessions active or other "staff" related actions (such as force logout after password change etc.).

• Implement lookup code settings and login (8f3ce7b)

• Improve detection of AAL errors and return 422 instead of 403 (e2bfbea)

• Improve labels for totp and lookup (b92e00e)

• Improve session device annotations (87907b8)

• In docker debug support with delve (#1789) (37325a1)

• Introduce cve scanning (#1798) (ade13ea)

• logout: Add logout token to browser response (#1758) (d3f1177)

• Mark recovery email address verified (#1665) (e3efc5d), closes #1662

• Mark required fiels as required (34cd5e8):

  Closes https://github.com/ory-corp/cloud/issues/1328
  Closes https://github.com/ory/kratos/issues/400
  Closes https://github.com/ory/kratos/issues/1058
  See https://ory-community.slack.com/archives/C012RJ2MQ1H/p1631825476159000

• Natively support social sign in for single-page apps (1a1a350)

• persistence: Add new columns for mfa (6184fe3)

• Potentially add arm64 docker support (68112de)

• Proper enum and type assertions for openapi (c4d8516)

• Publish webauthn as loadable script instead of eval (2717c59)

• Redirect on login if session aal is not matched (8feff8d)

• Respect webauthn in session aal (869b4a5)

• session: Respect 2fa enforcement in whoami (3a82c88)

• Sign in with apple (#1833) (16ed123), closes #1782:

  Adds an adapter and configuration options for enabling Social Sign In with Apple.

• Sort totp nodes (5c9a494)

• Stubable time in text package (22e4ed1)

• Support apple m1 (54b4fb6)

• Support setting the identity state via the admin API (#1805) (29c060b), closes #1767

• Support strategy return to ui for settings (74670bb)

• Support webauthn for mfa (e8f4d3c)

• totp: Add width and height to QR code (a648ba3)

• totp: Support account name setting from schema (19a6bcc)

• Treat lookup as aal2 in session (3269028)

• Use discriminators for ui node types in spec (59e808e)

• Use initial_value in lookup strategy (efe272f)

Reverts

• 3745014 (d493d10)

Tests

• Aal in login.NewFlow (5986e38)
• AcceptToRedirectOrJSON (2ca153f)
• Add credentials test (58b388c)
• Add expired test to login handler (3bdb8ab)
• Add identity change test to settings submit (5eb090b)
• Add initial spa e2e test (20617f6)
• Add initial totp integration tests (c9d456b)
• Add login tests (a71cadd)
• Add migrations tests for new tables (3c96ab0)
• Add react app to e2e tests (1214eee)
• Add schema test for totp config (c4f05ba)
• Add session amr test (eedb60b)
• Add settings tests (6959565)
• Add test for TOTPIssuer (14731c4)
• Add test for ui error page (3977a9c)
• Add TestEnsureInternalContext (152bfc7)
• Add totp registry tests (817e3ec)
• Add totp settings tests (c5a0d0f)
• Add TOTP to profile (7431e9f)
• Add update session test (47bd057)
• Additional checks for flow hydration (a40d7fe)
• Amr persistence (b0b2d81)
• Check if internal context is validated in store (a23d851)
• CheckAAL (03b37e7)
• Complete TOTP login integration tests (6e503cf)
• e2e: Add baseurl (159b25f)
• e2e: Add checkboxes to schemas (0c91f0c)
• e2e: Add config for proxy to simplify cy.visit logic (7d87985)
• e2e: Add mfa profile (a60d157)
• e2e: Add modd to build (48cd8ae)
• e2e: Add more helpers and ts defs (21b35b0)
• e2e: Add more helpers for various flows and proxy settings (755ac60)
• e2e: Add more routes to registry (30423c9)
• e2e: Add more typings for cypress helpers (60bd63f)
• e2e: Add plugin for using got (8fafc40)
• e2e: Add proxy capabilities for react native app (b5668df)
• e2e: Add recovery tests for SPA (b6014ee)
• e2e: Add spa as allowed redirect url (2625d16)
• e2e: Add SPA tests for login and refactor tests to typescript (d9a25df)
• e2e: Add SPA tests for logout and refactor tests to typescript (b0c6776)
• e2e: Add SPA tests for registration and refactor tests to typescript (a61ed1e)
• e2e: Add support functions and type definitions (c82d68d)
• e2e: Clean up helper (4806add)
• e2e: Complete SPA tests for all mfa flows (2196129)
• e2e: Default and empty values and required fields (72f2c5f)
• e2e: Ensure advanced types work in forms also (287269c)
• e2e: Ensure correct app (a9ff545)
• e2e: Finalize mobile tests (acf5c3d)
• e2e: Force port (a49eda8)
• e2e: Homogenize profiles (7798e19)
• e2e: Hot reload ory kratos on changes (841da09)
• e2e: Implement recovery tests for SPA (3dea57f)
• e2e: Implement required verification tests for SPA (fb55f34)
• e2e: Improve stability for login tests (43df22b)
• e2e: Improve stability for registration tests (a1c59a3)
• e2e: Improve test reliability (061a7e3)
• e2e: Migrate email tests to new proxy set up (54d8cd6)
• e2e: Migrate settings tests to typescript and add SPA tests (566336d)
• e2e: Move config to lower level and publish as package (c21fa26)
• e2e: Move registration tests to new proxy set up (eddeb85)
• e2e: Port mobile test to typescript (db42346)
• e2e: Port remaining e2e tests to typescript (5853d1a)
• e2e: Potentially resolve flaky login test (e237d66)
• e2e: Potentially resolve webauthn startup issues (eae6f5d)
• e2e: Prototype typescript implementation (2e869cf)
• e2e: Recreate identities per flow (1a560a3)
• e2e: Reduce flaky tests (cae86e7)
• e2e: Reduce test flakes in lookup codes (bfea354)
• e2e: Refactor and add support for SPA app (7609219)
• e2e: Remove wait condition (af10b03)
• e2e: Resolve broken test (c7cf134)
• e2e: Resolve flaky test (de7cc59)
• e2e: Resolve flaky test issues (1627745)
• e2e: Resolve next not starting (2a2a3cb)
• e2e: Resolve regression (d62f0c0)
• e2e: Resolve regressions (aaff34e)
• e2e: Resolve regressions (af9aedc)
• e2e: Revert proxy changes (293d920)
• e2e: Stabilize e2e tests (a5dca28)
• e2e: Temporarily add totp to default profile (8ffac9d)
• e2e: Update e2e profiles to new proxy set up (a3204cf)
• e2e: Use 127.0.0.1 to prevent ipv6 issues (6f4b534)
• e2e: Wait for oidc to trigger (9c67c49)
• Enable cookie debug (81c3064)
• Ensure aal and amr is set on recovery (5cbab54), closes #1322
• Ensure aal2 can not be used for oidc (cbbcdd2)
• Ensure aal2 can not be used for password (d9d39f0)
• Ensure authenticated_at after all upgrade (80408b4)
• Ensure redirect_url in password strategy (9eafc10)
• ErrStrategyAsksToReturnToUI behavior (f739018)
• Finalize webauthn tests (97e59e6)
• Fix regressions in the tests (246c580)
• Fix tests in cmd/serve (#1755) (b704d08)
• ID methods of node attributes (ff9ff04)
• Login form submission with AAL (4d54fbb)
• lookup: Add secret_disable to snapshots (68d6a87)
• lookup: Ensure context is cleaned up after use (8a210c4)
• lookup: Refresh and reuse scenarios (89736ed)
• migration: Resolve mysql migration issue with empty array (71a5649)
• Move to cupaloy for snapshots (0cce70f)
• Properly refresh mobile session (c31915d)
• Registry regression (25c88b5)
• Remove todo items (f60050e)
• Resolve flaky config test (147c670)
• Resolve flaky config test (#1832) (db98d01)
• Resolve flaky example tests (#1817) (0e700d8)
• Resolve flaky tests (2bd9100)
• Resolve migratest regressions (e9a1ed1)
• Resolve regressions (1502ca1)
• Resolve regressions (1a93b2f)
• Resolve regressions (64850ed)
• Resolve remaining regressions (f02804c)
• Resolve remaining regressions (0224c22)
• Resolve remaining regressions (1fa2aa5)
• Resolve time locality issues (53b8b2a)
• Restructure session struct tests (50d3f66)
• Session AAL handling (6fea3e5)
• Session activate (c86fa03)
• sql: Fix incorrect UUID (ea2894e)
• Temporarily enable lookup globally (458f559)
• totp: Ensure context is cleaned up after use (1905883)
• Upgrade cypress to 8.x (c8a1dfc)
• Use different return handler (e489a43)
• Various aal combinations for newflow (b095b99)
• Webauth settings flow (4c82772)
• Webauthn aal2 login (60ace8b)
• Webauthn credentials (c3e1184)
• Webauthn credentials counter (f7701f6)
• webauthn: Ensure context is cleaned up after use (7a8055b)

Unclassified

• test(e2e) improve reliability (763dd00)
• Correct session godoc (7108e65)

Changelog

8988fb8d autogen(docs): generate and format documentation
bd579513 autogen(docs): generate and format documentation
a179af5b autogen(docs): generate and format documentation
02c9e264 autogen(docs): generate and format documentation
36bb336a autogen(docs): generate and format documentation
b4346ca7 autogen(docs): generate and format documentation
e44a9b1a autogen(docs): generate and format documentation
70439b6d autogen(docs): generate and format documentation
25dc73c9 autogen(docs): generate and format documentation
8f493078 autogen(docs): generate and format documentation
67947239 autogen(docs): generate cli docs
76b402e9 autogen(docs): generate cli docs
0a8b40b9 autogen(docs): generate cli docs
77677f6b autogen(docs): generate cli docs
80372841 autogen(docs): generate cli docs
dc36fdab autogen(docs): generate cli docs
4450846d autogen(docs): generate cli docs
fc211279 autogen(docs): generate cli docs
63c0e86a autogen(docs): generate cli docs
9e07f6b6 autogen(docs): generate cli docs
8da43001 autogen(docs): generate cli docs
33395edb autogen(docs): generate cli docs
390ca715 autogen(docs): generate cli docs
3409eda6 autogen(docs): generate cli docs
693e0e59 autogen(docs): generate cli docs
4c46676c autogen(docs): generate cli docs
0755d416 autogen(docs): generate cli docs
884e031e autogen(docs): generate cli docs
c0ca141b autogen(docs): generate cli docs
1dc96243 autogen(docs): generate cli docs
d4359ffe autogen(docs): generate cli docs
21270a85 autogen(docs): generate cli docs
3093b803 autogen(docs): generate cli docs
cfbcb22b autogen(docs): generate cli docs
90c67f2a autogen(docs): generate cli docs
2555feb3 autogen(docs): generate cli docs
9dfde7d4 autogen(docs): generate cli docs
6ab68f50 autogen(docs): regenerate and update changelog
42e7b0d8 autogen(docs): regenerate and update changelog
5b456b3c autogen(docs): regenerate and update changelog
c5385388 autogen(docs): regenerate and update changelog
71442e9d autogen(docs): regenerate and update changelog
43c31502 autogen(docs): regenerate and update changelog
cf8c7b39 autogen(docs): regenerate and update changelog
729a28c6 autogen(docs): regenerate and update changelog
fc6a9764 autogen(docs): regenerate and update changelog
0b6da5ee autogen(docs): regenerate and update changelog
62f925f9 autogen(docs): regenerate and update changelog
28ad689b autogen(docs): regenerate and update changelog
5f6d3698 autogen(docs): update milestone document
31162d24 autogen(docs): update milestone document
7f41777e autogen(docs): update milestone document
a720bbf5 autogen(docs): update milestone document
0c934d62 autogen(docs): update milestone document
aac05d14 autogen(docs): update milestone document
4f78407a autogen(docs): update milestone document
131e62ea autogen(docs): update milestone document
9f903f68 autogen(docs): update milestone document
b4972b1b autogen(docs): update milestone document
7a1be570 autogen(docs): update milestone document
dd6a06f0 autogen(docs): update milestone document
db1ec368 autogen(docs): update milestone document
1cb20df1 autogen(docs): update milestone document
c6aa6b57 autogen(docs): update milestone document
9c365eac autogen(docs): update milestone document
d200c089 autogen(docs): update milestone document
6b1ee990 autogen(docs): update milestone document
d2ae1be7 autogen(openapi): Regenerate openapi spec and internal client
521b246f autogen(openapi): Regenerate openapi spec and internal client
ae868609 autogen: add v0.7.6-alpha.1 to version.schema.json
c2c902c1 autogen: pin v0.8.0-alpha.1 release commit
e50a698b autogen: pin v0.8.0-alpha.1.pre.0 release commit
c9b95e0e autogen: pin v0.8.0-alpha.1.pre.1 release commit
dbe8fe3b autogen: pin v0.8.0-alpha.1.pre.3 release commit
e1845420 chore: add got
a69dfd7c chore: bump cypress
fba1a123 chore: bump ory/cli in makefile
da9bbdd8 chore: bump packages
89e5a9d8 chore: clean up strategy test
480fb367 chore: cleanup
b1a0713d chore: cleanup
a6dfc41e chore: format
78802949 chore: format
7cfde27e chore: format
afabb860 chore: format
81da04d4 chore: format and regenerate sdk
02d894d8 chore: regen docs
70a792a7 chore: regenerate SDK
98339623 chore: regenerate SDK
3c502f82 chore: regenerate SDK
e5d0eebf chore: regenerate docs
f4d89ea2 chore: regenerate internal sdk
5a672806 chore: regenerate sdk
3666421a chore: regenerate sdks
89e59210 chore: remove local replaces
0ef3d578 chore: remove obsolete comment
f6479fbe chore: rename file to fix docs build in other repos
164a90d8 chore: replace deprecated go-jwt dependency (#1808)
7a8466c3 chore: replaced function call with helper function (#1875)
990a39b0 chore: typos and format
3ad2d04d chore: update OpenAPI spec and SDK (#1821)
be99f8ec chore: update cypress
2875b0f2 chore: update docusaurus template
21f3535b chore: update docusaurus template (#1797)
40ba1476 chore: update docusaurus template (#1814)
6adea4fc chore: update go dependencies
b53ffe4b chore: update go.mod
830ae305 chore: update modules
034806f1 chore: update repository templates
56eb5c68 chore: update repository templates
31cbcd38 chore: update repository templates (#1762)
c2d876d3 chore: update repository templates (#1763)
387e1c24 chore: update repository templates (#1764)
2290a020 chore: update repository templates (#1768)
2c7467df chore: update repository templates (#1840)
fc4b2a5b chore: update repository templates (#1884)
b8edef36 chore: update repository templates to 8191b78131173cce8788143f6ad95119d9b813c5
761d6b69 chore: upgrade crdb
69df0cca chore: upgrade cypress
67ae276b ci: add browser-tools orb
e57f3037 ci: bump browser tools
285cb0a7 ci: bump orbs
76159a2a ci: ignore test directories in codeql
ec04a85c ci: install browser tools
5a18229f ci: resolve cypress issue with display being set
8e2cc4b9 ci: use correct crdb start cmd
7108e654 doc: correct session godoc
c1f501e9 docs(credentials): add AAL explanation
f7899a76 docs: add 2fa credentials
b4eed763 docs: add 2fa guide
81ba2647 docs: add a commandline example for the logout (#1753)
ac88060e docs: add admin ui guide
5e3a2cdb docs: add advanced custom UI documentation
6bc93ca7 docs: add image assets
42701405 docs: add missing angle bracket (#1799)
626c0c90 docs: add ory sessions as a concept
e9453369 docs: add powershell to deps (#1853)
3799c24f docs: enhance error return values
8cd6428e docs: fix invalid syntax (#1819)
131d2c28 docs: fix the flow links used for rendering (#1752)
6d621ec8 docs: fix the invalid links (#1868)
b7f90527 docs: remove obsolete file
72afb81b docs: update generated docs
6c677c49 docs: update quickstart curl examples (#1778)
f007919b docs: use correct link
33cc7e02 feat(hash): PBKDF2 password hash verification (#1774)
882573df feat(identity): add AAL constants
d3f1177a feat(logout): add logout token to browser response (#1758)
6184fe38 feat(persistence): add new columns for mfa
3a82c880 feat(session): respect 2fa enforcement in whoami
a648ba3d feat(totp): add width and height to QR code
19a6bcc9 feat(totp): support account name setting from schema
198991a9 feat: API to return access, refresh, id tokens from social sign in (#1818)
b12bf523 feat: add DeleteCredentialsType to identity struct including tests
554d7255 feat: add MFA enforcment option to whoami and settings
572a1315 feat: add intended_for_someone_else error code
a5c7b114 feat: add aal fallback for existing sessions
035c2761 feat: add authenticators after set up
a3ac253b feat: add e2e tests for react native 2fa
dc2adbf5 feat: add error ids for csrf-related errors
246a0453 feat: add error ids for redirect-related errors
087d9073 feat: add error ids for session-related errors
50d04eaa feat: add explicit return_to to flow objects and API parameters
787558b4 feat: add ids for user-facing errors for login, registration, settings
63dba737 feat: add initial value to bool checkboxes
723e6eee feat: add internal context to login and registration
afb6895d feat: add internal context to settings flow
d0836beb feat: add lookup node to disable lookup
14119b62 feat: add lookup to config
ead3833e feat: add lookup to identity
dac4f759 feat: add lookup to migrations
4096fd3f feat: add mfa for non-browser
ccc64d87 feat: add missing migrations
9d3daa65 feat: add option to disable recovery codes
5b959bea feat: add ory cli config
131e3803 feat: add schema patch for new initial_value field
de0af955 feat: add script type and discriminator for attributes
7ffe0e97 feat: add smtp headers config option (#1747)
7cc7efa0 feat: add support for onclick javascript in ui nodes
d1d66170 feat: add totp strategy for settings flow
f8b95828 feat: add webauthn identity credential
3c0d519d feat: adding Dockle Container Linter (#1852)
b8956bc0 feat: adjust to new aal error handling
cf46339b feat: auto-generate list of messages
aa23d5d5 feat: endpoint to list all identity schemas (#1703)
c9d22d91 feat: generate sdks and update versions
99db3f03 feat: identity schema validation on startup (#1779)
45467e0c feat: implement AAL for login and sessions
dbd1689c feat: implement endpoint for invalidating all sessions for a given identity (#1740)
8f3ce7b3 feat: implement lookup code settings and login
e2bfbea1 feat: improve detection of AAL errors and return 422 instead of 403
b92e00e3 feat: improve labels for totp and lookup
87907b8d feat: improve session device annotations
37325a18 feat: in docker debug support with delve (#1789)
ade13ea0 feat: introduce cve scanning (#1798)
e3efc5d0 feat: mark recovery email address verified (#1665)
34cd5e8e feat: mark required fiels as required
1a1a350a feat: natively support social sign in for single-page apps
68112def feat: potentially add arm64 docker support
c4d8516f feat: proper enum and type assertions for openapi
2717c595 feat: publish webauthn as loadable script instead of eval
8feff8da feat: redirect on login if session aal is not matched
869b4a5a feat: respect webauthn in session aal
16ed123a feat: sign in with apple (#1833)
5c9a4948 feat: sort totp nodes
22e4ed15 feat: stubable time in text package
54b4fb69 feat: support apple m1
29c060bd feat: support setting the identity state via the admin API (#1805)
74670bb4 feat: support strategy return to ui for settings
e8f4d3cb feat: support webauthn for mfa
3269028d feat: treat lookup as aal2 in session
59e808e8 feat: use discriminators for ui node types in spec
efe272f0 feat: use initial_value in lookup strategy
35ea8db3 fix(link): resolve incorrect response types when opening API recovery link in browser
8dc70592 fix(login): properly handle refresh
5ed4c557 fix(lookup): ensure correct fields are set
dbfe475b fix(lookup): resolve reuse scenarios
2f373f34 fix(lookup): set up codes correctly
71583c57 fix(oidc): ensure nested keys work on login
b877dbec fix(test): OIDC storategy test (#1836)
d096df73 fix(totp): reorder QR
a6595e49 fix(ui): use correct type for anchor
b6123b48 fix(webauthn): support react-based webauth
d3aff6d3 fix: API client leaks stack trace with an error (#1772)
b9d253ef fix: Add middleware earlier #1775 (#1776)
11b25deb fix: OIDC provider field in spec (#1809)
14427842 fix: add error id
436992dd fix: add mfa e2e test scenarios and resolve found issues
2ec801f2 fix: allow refresh and aal upgrade at the same time
1e457e3b fix: better const handling for internal context
d614f2a7 fix: correct swagger path for /identities/:id/session endpoint (#1756)
febf75ae fix: decoder regression in registration
e48d90ad fix: deterministic clidoc dates
7278589f fix: disable totp per default
a830f5b3 fix: docs autogen should not use time.Now
77ce709d fix: ensure correct error propagation
a10b3855 fix: ensure refresh issues a new session when the identity changes
d615734c fix: ensure return_to works for OIDC flows
284cf29a fix: explicit validation for return to in new flows
0a7c8128 fix: follow chrome webauthn best practice recommendation
1b509635 fix: githup-app name in config (#1822)
0e8d481c fix: handle return errors on the frontend and break early
57fd99ac fix: identity credential identifiers are now unique per method
f793fe56 fix: improve schema validation error tracing
1501f562 fix: incorrect JSON response for browser flows
e5a98e54 fix: kill modd as well
bf2ec6e6 fix: omitempty for VerifiedAt and StateChangedAt (#1736)
4c5677f3 fix: only respect required modules for SDK
0a49f271 fix: panic when recovering deactivated user
693a9286 fix: potentially resolve hanging postgres connection closing
49b6288c fix: properly encode aal error
23c12e55 fix: properly open recovery endpoints in browser if flow was initiated via API
4e691238 fix: remove duplicate schema error
0cc984b8 fix: remove initial_value again as it was not useful outside of booleans
11618ecc fix: remove obsolete openapi patch
351760ec fix: remove unnecessary cmd reference
2e2b0f84 fix: replace 302 with 303
1aaaa035 fix: resolve clidoc generation issue
1dc74976 fix: resolve merge issues
f7d60c02 fix: resolve openapi issues and regenerate clients
02b9d470 fix: resolve swagger regression
f55f6f69 fix: run format on ts files
ae20c177 fix: slow CLI start-up time
e7ae8d63 fix: try and reduce cookie flakyness
8c4d8a22 fix: typo
539ae730 fix: update schema config location
8736334b fix: use parallelism of 1 in go test
05d73bee fix: x-session-token must not be mandatory
4cb082ce refactor(courier): support SMTP schemes for implicit TLS, explicit StartTLS, and cleartext SMTP (#1831)
8d1e54bd refactor(login): rename forced -> refresh
df4846d3 refactor(login): support 2FA for non-browser SDKs
a6d134de refactor(session): CreateAndIssueCookie is now UpsertAndIssueCookie
3ec81a2c refactor(session): CreateSession is now UpsertSession
12f98f28 refactor(settings): change settings success response
421a3190 refactor: homogenize error messages
0be993be refactor: improved prometheus metrics (#1830)
92087e5f refactor: login flow forced renamed to refresh
01a26025 refactor: move expired error into top-level flow module
0ee67c38 refactor: move homebrew tap to ory/tap
b0a86dc6 refactor: move node identifiers to node package
8aa53187 refactor: revert decision to return 422 errors and streamline 401/403
3f067386 refactor: sdk API is no v0alpha2
d493d104 revert: 3745014
1af3530c style: format
03e76ea0 style: format
b8dec6f1 style: format
3252c10a style: format
fe1d7dd8 style: format
3f222abf style: format
763dd006 test(e2e) improve reliability
d9a25df1 test(e2e): add SPA tests for login and refactor tests to typescript
b0c67769 test(e2e): add SPA tests for logout and refactor tests to typescript
a61ed1ed test(e2e): add SPA tests for registration and refactor tests to typescript
159b25f7 test(e2e): add baseurl
0c91f0c8 test(e2e): add checkboxes to schemas
7d879856 test(e2e): add config for proxy to simplify cy.visit logic
a60d157b test(e2e): add mfa profile
48cd8aeb test(e2e): add modd to build
21b35b02 test(e2e): add more helpers and ts defs
755ac60c test(e2e): add more helpers for various flows and proxy settings
30423c92 test(e2e): add more routes to registry
60bd63f3 test(e2e): add more typings for cypress helpers
8fafc40d test(e2e): add plugin for using got
b5668df7 test(e2e): add proxy capabilities for react native app
b6014eee test(e2e): add recovery tests for SPA
2625d168 test(e2e): add spa as allowed redirect url
c82d68db test(e2e): add support functions and type definitions
4806add1 test(e2e): clean up helper
21961290 test(e2e): complete SPA tests for all mfa flows
72f2c5fb test(e2e): default and empty values and required fields
287269c9 test(e2e): ensure advanced types work in forms also
a9ff5457 test(e2e): ensure correct app
acf5c3d6 test(e2e): finalize mobile tests
a49eda8e test(e2e): force port
7798e193 test(e2e): homogenize profiles
841da091 test(e2e): hot reload ory kratos on changes
3dea57ff test(e2e): implement recovery tests for SPA
fb55f347 test(e2e): implement required verification tests for SPA
43df22bd test(e2e): improve stability for login tests
a1c59a34 test(e2e): improve stability for registration tests
061a7e34 test(e2e): improve test reliability
54d8cd65 test(e2e): migrate email tests to new proxy set up
566336d9 test(e2e): migrate settings tests to typescript and add SPA tests
c21fa268 test(e2e): move config to lower level and publish as package
eddeb851 test(e2e): move registration tests to new proxy set up
db423469 test(e2e): port mobile test to typescript
5853d1a6 test(e2e): port remaining e2e tests to typescript
e237d66a test(e2e): potentially resolve flaky login test
eae6f5d1 test(e2e): potentially resolve webauthn startup issues
2e869cff test(e2e): prototype typescript implementation
1a560a37 test(e2e): recreate identities per flow
cae86e7f test(e2e): reduce flaky tests
bfea354f test(e2e): reduce test flakes in lookup codes
76092194 test(e2e): refactor and add support for SPA app
af10b03e test(e2e): remove wait condition
c7cf134f test(e2e): resolve broken test
de7cc59f test(e2e): resolve flaky test
16277456 test(e2e): resolve flaky test issues
2a2a3cb0 test(e2e): resolve next not starting
d62f0c02 test(e2e): resolve regression
aaff34ed test(e2e): resolve regressions
af9aedc8 test(e2e): resolve regressions
293d9208 test(e2e): revert proxy changes
a5dca283 test(e2e): stabilize e2e tests
8ffac9d1 test(e2e): temporarily add totp to default profile
a3204cf9 test(e2e): update e2e profiles to new proxy set up
6f4b5340 test(e2e): use 127.0.0.1 to prevent ipv6 issues
9c67c492 test(e2e): wait for oidc to trigger
68d6a876 test(lookup): add secret_disable to snapshots
8a210c41 test(lookup): ensure context is cleaned up after use
89736ed9 test(lookup): refresh and reuse scenarios
71a5649a test(migration): resolve mysql migration issue with empty array
ea2894ed test(sql): fix incorrect UUID
19058830 test(totp): ensure context is cleaned up after use
7a8055be test(webauthn): ensure context is cleaned up after use
2ca153f0 test: AcceptToRedirectOrJSON
f7390184 test: ErrStrategyAsksToReturnToUI behavior
ff9ff048 test: ID methods of node attributes
5986e38e test: aal in login.NewFlow
7431e9fc test: add TOTP to profile
152bfc72 test: add TestEnsureInternalContext
58b388c7 test: add credentials test
3bdb8abb test: add expired test to login handler
5eb090b2 test: add identity change test to settings submit
20617f62 test: add initial spa e2e test
c9d456bf test: add initial totp integration tests
a71cadde test: add login tests
3c96ab05 test: add migrations tests for new tables
1214eeee test: add react app to e2e tests
c4f05ba6 test: add schema test for totp config
eedb60be test: add session amr test
69595652 test: add settings tests
14731c4e test: add test for TOTPIssuer
3977a9c4 test: add test for ui error page
817e3ecb test: add totp registry tests
c5a0d0f8 test: add totp settings tests
47bd057d test: add update session test
a40d7fe4 test: additional checks for flow hydration
b0b2d817 test: amr persistence
a23d8518 test: check if internal context is validated in store
03b37e76 test: checkAAL
6e503cff test: complete TOTP login integration tests
81c3064d test: enable cookie debug
5cbab54f test: ensure aal and amr is set on recovery
cbbcdd2e test: ensure aal2 can not be used for oidc
d9d39f0b test: ensure aal2 can not be used for password
80408b4c test: ensure authenticated_at after all upgrade
9eafc101 test: ensure redirect_url in password strategy
97e59e61 test: finalize webauthn tests
246c5802 test: fix regressions in the tests
b704d083 test: fix tests in cmd/serve (#1755)
4d54fbb3 test: login form submission with AAL
0cce70f4 test: move to cupaloy for snapshots
c31915de test: properly refresh mobile session
25c88b55 test: registry regression
f60050e0 test: remove todo items
147c6704 test: resolve flaky config test
db98d010 test: resolve flaky config test (#1832)
0e700d89 test: resolve flaky example tests (#1817)
2bd91003 test: resolve flaky tests
e9a1ed18 test: resolve migratest regressions
1a93b2fb test: resolve regressions
64850ed3 test: resolve regressions
1502ca1e test: resolve regressions
0224c22e test: resolve remaining regressions
1fa2aa5b test: resolve remaining regressions
f02804c5 test: resolve remaining regressions
53b8b2a2 test: resolve time locality issues
50d3f66f test: restructure session struct tests
6fea3e5a test: session AAL handling
c86fa03d test: session activate
458f559e test: temporarily enable lookup globally
c8a1dfca test: upgrade cypress to 8.x
e489a439 test: use different return handler
b095b990 test: various aal combinations for newflow
4c82772a test: webauth settings flow
60ace8b3 test: webauthn aal2 login
c3e1184e test: webauthn credentials
f7701f62 test: webauthn credentials counter

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.8-sqlite
• docker pull oryd/kratos:v0.8.0-sqlite
• docker pull oryd/kratos:v0.8.0-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.8
• docker pull oryd/kratos:v0.8.0
• docker pull oryd/kratos:v0.8.0-alpha.1

Resolves further issues in the SDK and release pipeline.

Code Generation

• Pin v0.7.6-alpha.1 release commit (8b0d1ee)

Changelog

97734553 autogen(docs): generate and format documentation
83062ecb autogen: add v0.7.5-alpha.1 to version.schema.json
8b0d1ee6 autogen: pin v0.7.6-alpha.1 release commit

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.7-sqlite
• docker pull oryd/kratos:v0.7.6-sqlite
• docker pull oryd/kratos:v0.7.6-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.7
• docker pull oryd/kratos:v0.7.6
• docker pull oryd/kratos:v0.7.6-alpha.1
• docker pull oryd/kratos:latest

Primarily resolves issues in the SDK pipeline.

Code Generation

• Pin v0.7.5-alpha.1 release commit (3a741a5)

Changelog

b0929b04 autogen(docs): generate and format documentation
5d618344 autogen(docs): generate and format documentation
71dcfcaa autogen(docs): update milestone document
20edaaa2 autogen: add v0.7.4-alpha.1 to version.schema.json
3a741a5e autogen: pin v0.7.5-alpha.1 release commit
e612c97c chore: update docusaurus template
7d47d053 ci: add test runner for SDKs (#1732)

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.7-sqlite
• docker pull oryd/kratos:v0.7.5-sqlite
• docker pull oryd/kratos:v0.7.5-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.7
• docker pull oryd/kratos:v0.7.5
• docker pull oryd/kratos:v0.7.5-alpha.1
• docker pull oryd/kratos:latest

This release adds the GitHub-app provider, improves SQL instrumentation, resolves an expired flow bug, and resolves documentation issues.

Bug Fixes

• Corret sdk annotations for enums (6152363)
• Do not panic if cookiemanager returns a nil cookie (6ea5678), closes #1695
• Respect return_to in expired flows (#1697) (394a8de), closes #1251

Code Generation

• Pin v0.7.4-alpha.1 release commit (67ff8a9)

Documentation

• Add e2e quickstart (2b749d3)
• Browser redirects (#1700) (a44089a)
• Mark logout_url always available (9021805)
• Minor improvements (#1707) (79c132c)

Features

• Making use of the updated instrumentedsql version (#1723) (9e6fbdd)
• oidc: Github-app provider (#1711) (fb1fe8c)

Tests

• session: Resolve incorrect assertion (0531220)

Changelog

f44e7af6 autogen(docs): generate and format documentation
c7a019fc autogen(docs): generate and format documentation
5044ba90 autogen(docs): generate and format documentation
f5d9d0ec autogen(docs): generate and format documentation
9ec8bf57 autogen(docs): generate and format documentation
daa4d5d3 autogen(docs): regenerate and update changelog
f4c00f4c autogen(docs): regenerate and update changelog
b6a10330 autogen(docs): regenerate and update changelog
b344b605 autogen(docs): regenerate and update changelog
cc6c1c3d autogen(docs): regenerate and update changelog
785d930a autogen(docs): update milestone document
0da20065 autogen(docs): update milestone document
9fbc78c1 autogen(docs): update milestone document
246b7dad autogen(docs): update milestone document
4f05d64e autogen(openapi): Regenerate openapi spec and internal client
93bbde8f autogen(openapi): Regenerate openapi spec and internal client
e7a237af autogen: add v0.7.3-alpha.1 to version.schema.json
67ff8a94 autogen: pin v0.7.4-alpha.1 release commit
6fe79da9 chore: update docusaurus template
e14d1fc7 chore: update repository templates (#1680)
c2c5a588 chore: update repository templates (#1701)
64c9b766 ci: bump goreleaser (#1730)
a9134192 ci: bump goreleaser orb (#1728)
2b749d39 docs: add e2e quickstart
a44089a5 docs: browser redirects (#1700)
9021805c docs: mark logout_url always available
79c132c5 docs: minor improvements (#1707)
fb1fe8c4 feat(oidc): github-app provider (#1711)
9e6fbdd0 feat: making use of the updated instrumentedsql version (#1723)
6152363c fix: corret sdk annotations for enums
6ea56785 fix: do not panic if cookiemanager returns a nil cookie
394a8de9 fix: respect return_to in expired flows (#1697)
05312203 test(session): resolve incorrect assertion

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.7-sqlite
• docker pull oryd/kratos:v0.7.4-sqlite
• docker pull oryd/kratos:v0.7.4-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.7
• docker pull oryd/kratos:v0.7.4
• docker pull oryd/kratos:v0.7.4-alpha.1
• docker pull oryd/kratos:latest

Changelog

b9a2bfd4 autogen(docs): generate and format documentation
dd2e826d autogen(docs): generate and format documentation
2cb678c8 autogen(docs): generate and format documentation
f928ac15 autogen(docs): generate and format documentation
b863a829 autogen(docs): generate and format documentation
ca152002 autogen(docs): generate and format documentation
2f488ab5 autogen(docs): generate and format documentation
6bb5aa7c autogen(docs): generate and format documentation
c7352db8 autogen(docs): generate and format documentation
60d848d1 autogen(docs): generate cli docs
6d56917e autogen(docs): regenerate and update changelog
78269d14 autogen(docs): regenerate and update changelog
57f27311 autogen(docs): regenerate and update changelog
1bfd22bd autogen(docs): regenerate and update changelog
ceb1fb16 autogen(docs): regenerate and update changelog
c9fb0d4b autogen(docs): regenerate and update changelog
4259a0c3 autogen(docs): regenerate and update changelog
b4dfa2b6 autogen(docs): regenerate and update changelog
af98e2e1 autogen(docs): regenerate and update changelog
f7393d5e autogen(docs): regenerate and update changelog
1aaf6c07 autogen(docs): regenerate and update changelog
814a9c01 autogen(docs): update milestone document
4ce03f25 autogen(docs): update milestone document
80c2fbeb autogen(docs): update milestone document
c1180702 autogen(docs): update milestone document
4822a306 autogen(docs): update milestone document
b6215a04 autogen(docs): update milestone document
513d527c autogen(docs): update milestone document
1ba6c4ac autogen(docs): update milestone document
ad49e5dd autogen(docs): update milestone document
3eb87bc4 autogen(docs): update milestone document
6eb540f4 autogen(docs): update milestone document
11bdc4a8 autogen(docs): update milestone document
cc34996b autogen: add v0.7.1-alpha.1 to version.schema.json
16787fc2 autogen: pin v0.7.2-alpha.1 release commit
b5ad53ec autogen: pin v0.7.3-alpha.1 release commit
158cf374 chore: adjust CODEOWNERS
1a912c6b chore: update docusaurus template
8ab3c2fc chore: update docusaurus template (#1607)
6d80d12e chore: update docusaurus template (#1622)
2fcfdff9 chore: update repository templates (#1608)
e995cc60 chore: update repository templates (#1640)
6b582784 docs: Fixes incorrect yaml identation (#1641)
dc32720d docs: Update docker.md - Outdated information (#1627)
09c403e5 docs: change model to schema (#1639)
bbeb6132 docs: fix func naming for Logout flow (#1676)
9bc2fd08 docs: fix stub error example (#1642)
641eba67 docs: identity traits are visible to user (#1621)
bae1847e docs: make qickstart URLs consistent (playground vs. localhost) (#1626)
51b13117 feat: allow multiple webhook body sources (#1606)
1cf61cde feat: require verified address (#1355)
f6b3aa45 fix(docs): ensure config reference is updated
da214b29 fix(sdk): use proper annotation for genericError (#1611)
05256232 fix: add new message when refresh parameter is true (#1560)
639a7dd5 fix: add session in spa registration if session cook is configured (#1657)
85337bf6 fix: facebook sign in regression (#1689)
b21bd224 fix: http context memory leak
149101ed fix: outdated label (#1681)
45c28d99 fix: register argon2 CLI commands properly (#1592)
cdb30bb6 fix: remove session cookie on logout (#1587)
a6672554 fix: skip prompt on discord authorization by default (#1594)
db54a1bd fix: static parameter for warning message in config.baseURL(...) (#1673)
64c90bf5 fix: update csrf token cookie name (#1601)
de5fb3e5 fix: use eager preloading for list identites endpoint (#1588)

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.7-sqlite
• docker pull oryd/kratos:v0.7.3-sqlite
• docker pull oryd/kratos:v0.7.3-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.7
• docker pull oryd/kratos:v0.7.3
• docker pull oryd/kratos:v0.7.3-alpha.1
• docker pull oryd/kratos:latest

Changelog

f557328d autogen(docs): generate and format documentation
608c9198 autogen(docs): generate and format documentation
52434d39 autogen(docs): generate and format documentation
de22a1ca autogen(docs): generate cli docs
eb11e428 autogen(docs): regenerate and update changelog
dacd5ccc autogen(docs): regenerate and update changelog
16ed9434 autogen(docs): regenerate and update changelog
16fb20e6 autogen(docs): regenerate and update changelog
9bd8d019 autogen(docs): regenerate and update changelog
603ca408 autogen(docs): regenerate and update changelog
1c84205d autogen(docs): update milestone document
e2f6ca46 autogen(docs): update milestone document
18448ff0 autogen(docs): update milestone document
696fd685 autogen(docs): update milestone document
8cb65bdd autogen(docs): update milestone document
a040a0dd autogen: add v0.7.0-alpha.1 to version.schema.json
4fe76af1 autogen: pin v0.7.1-alpha.1 release commit
e8aebce3 chore: format
c2a1b6df docs: add instruction for creating user (#1541)
e5ea5fee docs: clarify flags in schema which are not available in config file
0bfac67a docs: fix formatting of Email and Phone Verification Flow tab content (#1536)
b25bae7f docs: fix typo (#1543)
547788de docs: fix typo (#1544)
cc7ed4b5 docs: update csrf pitfall flow section (#1558)
fe5056e1 fix: automatic tagging for node ui
aedbb5a2 fix: bump kratos ui image for quickstart
3cfd7845 fix: cleanup lint errors and add doc to x (#1545)
8d4f3ff2 fix: correct meta schema
835fb312 fix: do not reset link method (#1573)
36bbd434 fix: do not set csrf cookies on /sessions/whoami (#1580)
6af76387 fix: export extensionschemas (#1553)
6612c5f6 fix: generate CSRF token on validation creation (#1549)
ba5ca642 fix: identity extension meta schema (#1554)
c6145dbf fix: remove domain alias config constraint (#1542)
b07927cd fix: resolve wrong openapi types
0217737f fix: update identity state openapi spec
6c13c2be fix: use legacy ssl in quickstart config
3a85a33a test: longer wait time for e2e boot

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.7-sqlite
• docker pull oryd/kratos:v0.7.1-sqlite
• docker pull oryd/kratos:v0.7.1-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.7
• docker pull oryd/kratos:v0.7.1
• docker pull oryd/kratos:v0.7.1-alpha.1
• docker pull oryd/kratos:latest

About two months ago we released Ory Kratos v0.6. Today, we are excited to announce the next iteration of Ory Kratos v0.7! This release includes 215 commits from 24 contributors with over 770 files and more than 100.000 lines of code changed!

Ory Kratos v0.7 brings massive developer experience improvements:

• A reworked, tested, and standardized SDK based on OpenAPI 3.0.3 (#1477, #1424);
• Native support of Single-Page-Apps (ReactJS, AngularJS, ...) for all self-service flows (#1367);
• Sign in with Yandex, VK, Auth0, Slack;
• An all-new, secure logout flow (#1433);
• Important security updates to the self-service GET APIs (#1458, #1282);
• Built-in support for TLS (#1466);
• Improved documentation and Go Module structure;
• Resolving a case-sensitivity bug in self-service recovery and verification flows;
• Improved performance for listing identities;
• Support for Instant tracing (#1429);
• Improved control for SMTPS, supporting SSL and STARTTLS (#1430);
• Ability to run Ory Kratos in networks without outbound requests (#1445);
• Improved control over HTTP Cookie behavior (#1531);
• Several smaller user experience improvements and bug fixes;
• Improved e2e test pipeline.

In the next iteration of Ory Kratos, we will focus on providing a NextJS example application for the SPA integration as well as the long-awaited MFA flows!

Please be aware that upgrading to Ory Kratos 0.7 requires you to apply SQL migrations. Make sure to back up your database before migration!

For more details on breaking changes and patch notes, see below.

Breaking Changes

Prior to this change it was not possible to specify the verification/recovery link lifetime. Instead, it was bound to the flow expiry. This patch changes that and adds the ability to configure the lifespan of the link individually:

 selfservice:
   methods:
     link:
       enabled: true
       config:
+        # Defines how long a recovery link is valid for (default 1h)
+        lifespan: 15m

This is a breaking change because the link strategy no longer respects the recovery / verification flow expiry time and, unless set, will default to one hour.

This change introduces a better SDK. As part of this change, several breaking changes with regards to the SDK have been introduced. We recommend reading this section carefully to understand the changes and how they might affect you.

Before, the SDK was structured into tags public and admin. This stems from the fact that we have two ports in Ory Kratos - one administrative and one public port.

While serves as a good overview when working with Ory Kratos, it does not express:

• What module the API belongs to (e.g. self-service, identity, ...)
• What maturity the API has (e.g. experimental, alpha, beta, ...)
• What version the API has (e.g. v0alpha0, v1beta0, ...)

This patch replaces the current admin and public tags with a versioned approach indicating the maturity of the API used. For example, initializeSelfServiceSettingsForBrowsers would no longer be under the public tag but instead under the v0alpha1 tag:

import {
  Configuration,
- PublicApi
+ V0Alpha1
} from '@ory/kratos-client';

- const kratos = new PublicApi(new Configuration({ basePath: config.kratos.public }));
+ const kratos = new V0Alpha1(new Configuration({ basePath: config.kratos.public }));

To avoid confusion when setting up the SDK, and potentially using the wrong endpoints in your codebase and ending up with strange 404 errors, Ory Kratos now redirects you to the correct port, given that serve.(public|admin).base_url are configured correctly. This is a significant improvement towards a more robust API experience!

Further, all administrative functions require, in the Ory SaaS, authorization using e.g. an Ory Personal Access Token. In the open source, we do not know what developers use to protect their APIs. As such, we believe that it is ok to have admin and public functions under one common API and differentiate with an admin prefix. Therefore, the following patches should be made in your codebase:

import {
- AdminApi,
+ V0Alpha1,
  Configuration
} from '@ory/kratos-client';

-const kratos = new AdminApi(new Configuration({ basePath: config.kratos.admin }));
+const kratos = new V0Alpha1(new Configuration({ basePath: config.kratos.admin }));

-kratos.createIdentity({
+kratos.adminCreateIdentity({
  schema_id: 'default',
  traits: { /* ... */ }
})

Further, we have introduced a style guide for writing SDKs annotations governing how naming conventions should be chosen.

We also streamlined how credentials are used. We now differentiate between:

• Per-request credentials such as the Ory Session Token / Cookie

  - public getSelfServiceRegistrationFlow(id: string, cookie?: string, options?: any) {}
  + public getSelfServiceSettingsFlow(id: string, xSessionToken?: string, cookie?: string, options?: any) {}
  

• Global credentials such as the Ory (SaaS) Personal Access Token.

  const kratos = new V0Alpha0(new Configuration({ basePath: config.kratos.admin, accessToken: 'some-token' }));
  
  kratosAdmin.adminCreateIdentity({
    schema_id: 'default',
    traits: { /* ... */ },
  });
  

This patch introduces CSRF countermeasures for fetching all self-service flows. This ensures that users can not accidentally leak sensitive information when copy/pasting e.g. login URLs (see #1282). If a self-service flow for browsers is requested, the CSRF cookie must be included in the call, regardless if it is a client-side browser app or a server-side browser app calling. This does not apply for API-based flows.

As part of this change, the following endpoints have been removed:

• GET <ory-kratos-admin>/self-service/login/flows;
• GET <ory-kratos-admin>/self-service/registration/flows;
• GET <ory-kratos-admin>/self-service/verification/flows;
• GET <ory-kratos-admin>/self-service/recovery/flows;
• GET <ory-kratos-admin>/self-service/settings/flows.

Please ensure that your server-side applications use the public port (e.g. GET <ory-kratos-public>/self-service/login/flows) for fetching self-service flows going forward.

If you use the SDKs, upgrading is easy by adding the cookie header when fetching the flows. This is only required when using browser flows on the server side.

The following example illustrates a ExpressJS (NodeJS) server-side application fetching the self-service flows.

app.get('some-route', (req: Request, res: Response) => {
-   kratos.getSelfServiceLoginFlow(flow).then((flow) => /* ... */ )
+   kratos.getSelfServiceLoginFlow(flow, req.header('cookie')).then((flow) => /* ... */ )

-   kratos.getSelfServiceRecoveryFlow(flow).then((flow) => /* ... */ )
+   kratos.getSelfServiceRecoveryFlow(flow, req.header('cookie')).then((flow) => /* ... */ )

-   kratos.getSelfServiceRegistrationFlow(flow).then((flow) => /* ... */ )
+   kratos.getSelfServiceRegistrationFlow(flow, req.header('cookie')).then((flow) => /* ... */ )

-   kratos.getSelfServiceVerificationFlow(flow).then((flow) => /* ... */ )
+   kratos.getSelfServiceVerificationFlow(flow, req.header('cookie')).then((flow) => /* ... */ )

-   kratos.getSelfServiceSettingsFlow(flow).then((flow) => /* ... */ )
+   kratos.getSelfServiceSettingsFlow(flow, undefined, req.header('cookie')).then((flow) => /* ... */ )
})

For concrete details, check out the changes in the NodeJS app.

This patch refactors the logout functionality for browsers and APIs. It adds increased security and DoS-defenses to the logout flow.

Previously, calling GET /self-service/browser/flows/logout would remove the session cookie and redirect the user to the logout endpoint. Now you have to make a call to GET /self-service/logout/browser which returns a JSON response including a logout_url URL to be used for logout. The call to /self-service/logout/browser must be made using AJAX with cookies enabled or by including the Ory Session Cookie in the X-Session-Cookie HTTP Header. You may also use the SDK method createSelfServiceLogoutUrlForBrowsers to do that.

Additionally, the endpoint DELETE /sessions has been moved to DELETE /self-service/logout/api. Payloads and responses stay equal. The SDK method revokeSession has been renamed to submitSelfServiceLogoutFlowWithoutBrowser.

We listened to your feedback and have improved the naming of the SDK method initializeSelfServiceRecoveryForNativeApps to better match what it does: initializeSelfServiceRecoveryWithoutBrowser. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.

We listened to your feedback and have improved the naming of the SDK method initializeSelfServiceVerificationForNativeApps to better match what it does: initializeSelfServiceVerificationWithoutBrowser. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.

We listened to your feedback and have improved the naming of the SDK method initializeSelfServiceSettingsForNativeApps to better match what it does: initializeSelfServiceSettingsWithoutBrowser. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.

We listened to your feedback and have improved the naming of the SDK method initializeSelfServiceregistrationForNativeApps to better match what it does: initializeSelfServiceregistrationWithoutBrowser. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.

We listened to your feedback and have improved the naming of the SDK method initializeSelfServiceLoginForNativeApps to better match what it does: initializeSelfServiceLoginWithoutBrowser. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.

Bug Fixes

• Add json detection to setting error subbranches (fb83dcb)

• Add verification success message (#1526) (126698c), closes #1450

• Cache migration status (5be2f14), closes #1337

• Change SMTP config validation from URI to a Regex pattern (#1436) (5ab1e8f), closes #1435

• Check filesystem before fallback to bundled templates (#1401) (22d999e)

• Continue button for oidc registration step (2aad5ac), closes #1422 #1320:

  When signing up with an OIDC provider and the traits model is missing some fields, the submit button shows all OIDC options. Instead, it should show just one option called "Continue".

• Deprecate sessionCookie (#1428) (eccad74), closes #1426

• Do not cache incomplete migrations (#1434) (154c26f)

• Do not run network migrations when booting (12bbab9), closes #1399

• Format test files (0468aa1)

• Improve identity list performance (f76886f), closes #1412

• Incorrect openapi specification for verification submission (#1431) (ecb0a01), closes #1368

• Link t docker guide (953c6d6)

• Mark ui node message as optional (#1365) (7b8d59f), closes #1361 #1362

• Mark verified_at as omitempty (77b258e):

  Closes https://github.com/ory/sdk/issues/46

• Panic if contextualizer is not set (760035a)

• Panic on error in issue session (5fbd855), closes #1384

• Prometheus metrics fix (#1299) (ac5d00d)

• Recovery email case sensitive (#1357) (bce14c4), closes #1329

• Remove changelog (7affb7a)

• Remove obsolete ADD for corp module (#1455) (0fa3a53)

• Remove typing from node.attribute.value (63a5e08):

  Closes https://github.com/ory/sdk/issues/75
  Closes https://github.com/ory/sdk/issues/74
  Closes https://github.com/ory/sdk/issues/72

• Rename client package for external consumption (cba8b00)

• Resolve build issues on release (7c265a8)

• Resolve driver issues (47b1c8d)

• Resolve network regression (8f96b1f)

• Resolve network regressions (8fc52c0)

• Testhelper regressions (bf3b04f)

• Use correct url in submitSelfServiceVerificationFlow (ab8a600)

• Use local schema URL for sorting UI nodes (#1449) (a003885)

• Use session cookie path settings for csrf cookie (#1493) (c6d08ed), closes #1292:

  This PR adds configuration option for CSRF cookies and improves the domain alias logic as well as adding tests for it.

• Use STARTTLS for smtps connections (#1430) (c21bb80), closes #781

• Version schema (#1359) (8c4bac7), closes #1331 #1101 ory/hydra#2427

Code Generation

• Pin v0.7.0-alpha.1 release commit (53a0e38)

Code Refactoring

• Corp package (#1402) (0202dc5)
• Finalize SDK refactoring (e772641), closes kratos#1424 #1424
• Identity SDKs (d8658dc), closes #1477
• Improve session sdk (7207af4)
• Introduce DefaultContextualizer in corp package (#1390) (944d045), closes #1363
• Move cleansql to separate package (7c203dc)
• Openapi.json -> api.json (6df0de5)
• Self-service error APIs (65c482f)

Documentation

• Add docs for registration SPA flow (84458f1)
• Add go sdk examples (e948fad)
• Add kratos quickstart config notes (#1490) (2f8094c)
• Add replit instructions (8ab8607)
• Add tested and running go sdk examples (3b56bb5)
• Correct CII badge (#1447) (048aec3)
• Fix broken link (9eaf764)
• Fix building from source (#1473) (af54d5b)
• Fix typo in "Sign in/up with ID & assword" (#1383) (f39739d)
• Mark login endpoints as experimental (6faf0f6)
• Refactor documentation and adopt changes for #1477 (f5e96cd), closes #1472
• Remove changelog from docs folder (5a7e3d8)
• Resolve build issues (b51bb55)
• Resolve typos and docs react issues (2d640e4)
• Update docs for all flows (d29ea69)
• Update documentation for plaintext templates (#1369) (419784d), closes #1351
• Update error documentation (7d83609)
• Update login flow documentation (a27de91)
• Update path (f0384d9)
• Update README.md Go instructions (#1464) (8db4b4a)
• Update remaining self service documentation (bcc6284)
• Update sdk use (bcb8c06)
• Update settings documentation (258ceaf)
• Use correct path (#1333) (e401135)

Features

• Add examples for usage of go sdk (870c2bd)

• Add GetContextualizer (ac32717)

• Add helper for starting kratos e2e (#1469) (b9c7674)

• Add instana as possible tracing provider (#1429) (abe48a9), closes #1385

• Add redoc (#1502) (492266d)

• Add vk and yandex providers to oidc providers and documentation (#1339) (22a3ef9), closes #1234

• Anti-CSRF measures when fetching flows (#1458) (5171557), closes #1282

• Configurable recovery/verification link lifetime (f80d4e3)

• Disable HaveIBeenPwned validation when HaveIBeenPwnedEnabled is set to false (#1445) (44002f4), closes #316:

  This patch introduces an option to disable HaveIBeenPwned checks in environments where outbound network calls are disabled.

• identities: Add a state to identities (#1312) (d22954e), closes #598

• Improve contextualization in serve/daemon (f83cd35)

• Include Credentials Metadata in admin api (#1274) (c8b6219), closes #820

• Include Credentials Metadata in admin api Missing changes in handler (#1366) (a71c220)

• Natively support SPA for login flows (6ff67af), closes #1138 #668:

  This patch adds the long-awaited capabilities for natively working with SPAs and AJAX requests. Previously, requests to the /self-service/login/browser endpoint would always end up in a redirect. Now, if the Accept header is set to application/json, the login flow will be returned as JSON instead. Accordingly, changes to the error and submission flow have been made to support application/json content types and SPA / AJAX requests.

• Natively support SPA for recovery flows (5461244):

  This patch adds the long-awaited capabilities for natively working with SPAs and AJAX requests. Previously, requests to the /self-service/recovery/browser endpoint would always end up in a redirect. Now, if the Accept header is set to application/json, the registration flow will be returned as JSON instead. Accordingly, changes to the error and submission flow have been made to support application/json content types and SPA / AJAX requests.

• Natively support SPA for registration flows (57d3c57), closes #1138 #668:

  This patch adds the long-awaited capabilities for natively working with SPAs and AJAX requests. Previously, requests to the /self-service/registration/browser endpoint would always end up in a redirect. Now, if the Accept header is set to application/json, the registration flow will be returned as JSON instead. Accordingly, changes to the error and submission flow have been made to support application/json content types and SPA / AJAX requests.

• Natively support SPA for settings flows (ea4395e):

  This patch adds the long-awaited capabilities for natively working with SPAs and AJAX requests. Previously, requests to the /self-service/settings/browser endpoint would always end up in a redirect. Now, if the Accept header is set to application/json, the registration flow will be returned as JSON instead. Accordingly, changes to the error and submission flow have been made to support application/json content types and SPA / AJAX requests.

• Natively support SPA for verification flows (c151500):

  This patch adds the long-awaited capabilities for natively working with SPAs and AJAX requests. Previously, requests to the /self-service/verification/browser endpoint would always end up in a redirect. Now, if the Accept header is set to application/json, the registration flow will be returned as JSON instead. Accordingly, changes to the error and submission flow have been made to support application/json content types and SPA / AJAX requests.

• Protect logout against CSRF (#1433) (1a7a74c), closes #142

• Sign in with Auth0 (#1352) (f618a53), closes #609

• Support api in settings error (23105db)

• Support reading session token from X-Session-Token HTTP header (dcaefd9)

• Team id in slack oidc (#1409) (e4d021a), closes #1408

• TLS support for public and admin endpoints (#1466) (7f44f81), closes #791

• Update openapi specs and regenerate (cac507e)

Tests

• Add tests for cookie behavior of API and browser endpoints (d1b1521)

• e2e: Greatly improve test performance (#1421) (2ffad9e):

  Instead of running the individual profiles as separate Cypress instances, we now use one singular instance which updates the Ory Kratos configuration depending on the test context. This ensures that hot-reloading is properly working while also signficantly reducing the amount of time spent on booting up the service dependencies.

• e2e: Resolve flaky test issues related to timeouts and speed (b083791)

• e2e: Resolve recovery regression (72c47d6)

• e2e: Resolve test config regressions (eb9c4f9)

• Remove obsolete console.log (3ecc869)

• Resolve e2e regressions (b0d3b82)

• Resolve migratest panic (89d05ae)

• Resolve mobile regressions (868e82e)

• Resolve oidc regressions (2403082)

Unclassified

• add CoC shield (#1439) (826ed1a), closes #1439
• u (b03549b)
• u (318a31d)
• Format (eca7aff)
• Format (5cc9fc3)
• Format (e525805)
• Format (4a692ac)
• Format (169c0cd)

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.7-sqlite
• docker pull oryd/kratos:v0.7.0-sqlite
• docker pull oryd/kratos:v0.7.0-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.7
• docker pull oryd/kratos:v0.7.0
• docker pull oryd/kratos:v0.7.0-alpha.1
• docker pull oryd/kratos:latest

This release addresses some minor bugs and improves the SDK experience. Please be aware that the Ory Kratos SDK v0.6.3+ have breaking changes compared to Ory Kratos SDK v0.6.2. If you do not wish to update your code, you can keep using the Ory Kratos v0.6.2 SDK and upgrade to v0.6.3+ SDKs at a later stage, as only naming conventions have changed!

0.6.3-alpha.1 (2021-05-17)

Bug Fixes

• Properly handle CSRF for API flows in recovery and verification strategies (461c829), closes #1141
• session: Use specific headers before bearer use (82c0b54)
• Improve settings oas definition (867abfc)
• Use correct api spec path (5f41f87)
• Use correct openapi path for validation (#1340) (a0f5673)

Code Refactoring

• Improve SDK experience (71b8511):

  This patch resolves UX issues in the auto-generated SDKs by using consistent naming and introducing a test suite for the Ory SaaS.

BREAKING CHANGES

• Unfortunately, some method signatures have changed in the SDKs. Below is a list of changed entries:

• Error genericError was renamed to jsonError and now includes more information and better typing for errors;
• The following functions have been renamed:
  • initializeSelfServiceLoginViaAPIFlow -> initializeSelfServiceLoginForNativeApps
  • initializeSelfServiceLoginViaBrowserFlow -> initializeSelfServiceLoginForBrowsers
  • initializeSelfServiceRegistrationViaAPIFlow -> initializeSelfServiceRegistrationForNativeApps
  • initializeSelfServiceRegistrationViaBrowserFlow -> initializeSelfServiceRegistrationForBrowsers
  • initializeSelfServiceSettingsViaAPIFlow -> initializeSelfServiceSettingsForNativeApps
  • initializeSelfServiceSettingsViaBrowserFlow -> initializeSelfServiceSettingsForBrowsers
  • initializeSelfServiceRecoveryViaAPIFlow -> initializeSelfServiceRecoveryForNativeApps
  • initializeSelfServiceRecoveryViaBrowserFlow -> initializeSelfServiceRecoveryForBrowsers
  • initializeSelfServiceVerificationViaAPIFlow -> initializeSelfServiceVerificationForNativeApps
  • initializeSelfServiceVerificationViaBrowserFlow -> initializeSelfServiceVerificationForBrowsers
• Some type names have changed, for example traits -> identityTraits.

Changelog

c9e7477b autogen(docs): generate and format documentation
383c3f83 autogen(docs): generate and format documentation
170b6f46 autogen(docs): generate and format documentation
1bd65723 autogen(docs): generate and format documentation
7000a657 autogen(docs): generate and format documentation
a4539289 autogen(docs): regenerate and update changelog
42b6b927 autogen(docs): update milestone document
f73a5e18 autogen: add v0.6.2-alpha.1 to version.schema.json
5edf9524 autogen: pin v0.6.3-alpha.1 release commit
186a340b chore: regenerate openapi
df08e3d5 chore: regenerate openapi
82c0b545 fix(session): use specific headers before bearer use
867abfc8 fix: improve settings oas definition
461c829d fix: properly handle CSRF for API flows in recovery and verification strategies
5f41f87b fix: use correct api spec path
a0f5673d fix: use correct openapi path for validation (#1340)
71b8511a refactor: improve SDK experience

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.6-sqlite
• docker pull oryd/kratos:v0.6.3-sqlite
• docker pull oryd/kratos:v0.6.3-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.6
• docker pull oryd/kratos:v0.6.3
• docker pull oryd/kratos:v0.6.3-alpha.1
• docker pull oryd/kratos:latest

Resolves an issue in the Go SDK.

0.6.2-alpha.1 (2021-05-14)

Documentation

• Update link to example email template. (#1326) (28a1723)

Changelog

8e6037a4 autogen(docs): generate and format documentation
18518e93 autogen(docs): regenerate and update changelog
7f736c0f autogen(docs): regenerate and update changelog
3ea5eb9d autogen: add v0.6.1-alpha.1 to version.schema.json
99c1b1d6 autogen: pin v0.6.2-alpha.1 release commit
28a17234 docs: update link to example email template. (#1326)

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.6-sqlite
• docker pull oryd/kratos:v0.6.2-sqlite
• docker pull oryd/kratos:v0.6.2-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.6
• docker pull oryd/kratos:v0.6.2
• docker pull oryd/kratos:v0.6.2-alpha.1
• docker pull oryd/kratos:latest

This release primarily addresses issues in the SDK CI pipeline.

0.6.1-alpha.1 (2021-05-11)

Features

• Allow changing password validation API DNS name (#1009) (ced85e8)

Changelog

3d44e3e1 autogen(docs): generate and format documentation
ba29af4d autogen(docs): generate and format documentation
cdab44f9 autogen(docs): regenerate and update changelog
8d776926 autogen: add v0.6.0-alpha.2 to version.schema.json
1df82daa autogen: pin v0.6.1-alpha.1 release commit
ced85e80 feat: allow changing password validation API DNS name (#1009)

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.6-sqlite
• docker pull oryd/kratos:v0.6.1-sqlite
• docker pull oryd/kratos:v0.6.1-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.6
• docker pull oryd/kratos:v0.6.1
• docker pull oryd/kratos:v0.6.1-alpha.1
• docker pull oryd/kratos:latest

This release addresses issues with the SDK pipeline and also closes a bug related to email sending.

0.6.0-alpha.2 (2021-05-07)

Bug Fixes

• Update node image (eef307e)

Features

• Fix unexpected emails when update profile (#1300) (7b24485), closes #1221

Changelog

7669c7bd autogen(docs): generate and format documentation
67719580 autogen(docs): regenerate and update changelog
e8af5757 autogen(docs): regenerate and update changelog
43419fa8 autogen(docs): regenerate and update changelog
41ecd06a autogen(docs): update milestone document
23ce83d8 autogen: add v0.6.0-alpha.1 to version.schema.json
a3658bad autogen: pin v0.6.0-alpha.2 release commit
7b244856 feat: fix unexpected emails when update profile (#1300)
eef307e6 fix: update node image

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.6-sqlite
• docker pull oryd/kratos:v0.6.0-sqlite
• docker pull oryd/kratos:v0.6.0-alpha.2-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.6
• docker pull oryd/kratos:v0.6.0
• docker pull oryd/kratos:v0.6.0-alpha.2
• docker pull oryd/kratos:latest

Today Ory Kratos v0.6 has been released! We are extremely happy with this release where we made many changes that pave the path for exciting future additions such as integrating 2FA more easily! We would like to thank the awesome community for the many contributions.

Kratos v0.6 includes an insane amount of work spread over the last five months - 480 commits and over 4200 files changed. The team at Ory would like to thank all the amazing contributors that made this release possible!

Here is a summary of the most important changes:

• Ory Kratos now support highly customizable web hooks - contributed by @dadrus and @martinei;
• Ory Kratos Courier can now be run as a standalone task using kratos courier watch -c your/config.yaml. To use the mail courier as a background task of the server run kratos serve --watch-courier - contributed by @mattbonnell;
• Reworked migrations to ensure stable migrations in production systems - backward compatibility is ensured and tested;
• Upgraded to Go 1.16 and removed all static file packers, greatly improving build time;
• Refactored our SDK pipeline from Swagger 2.0 to OpenAPI Spec 3.0. Ory's SDKs are now properly typed and bugs can easily be addressed using a patch process. Due to this, we had to move away from go-swagger client generation for the Go SDK and replace it with openapi-generator. This, unfortunately, introduced breaking changes in the Go SDK APIs. If you have problems migrating, or have a tutorial on how to migrate, please share it with the community on GitHub!
• Created reliable health and status checks by ensuring that e.g. migrations have completed;
• Made resilient CLI client commands e.g. kratos identities list;
• Better support for cookies in multi-domain setups called domain aliasing;
• A new, dynamically generated FAQ;
• Enhanced GitHub and Google claims parsing;
• Faster and more resilient CI/CD pipeline;
• Improvements for running Ory Kratos in secure Kubernetes environments;
• Better Helm Charts for Ory Kratos;
• Support for BCrypt hashing, which is now the default hashing implementation. Existing Argon2id hashes will be automatically translated to BCrypt hashes when the user signs in the next time. We recommend using Argon2id in use cases where password hashing is required to take at least 2 seconds. For regular web workloads (200ms) BCrypt is recommended - contributed by @seremenko-wish;
• The Argon2 memory configuration is now human readable: hashers.argon2.memory: 131072 -> hashers.argon2.memory: 131072B (supports kb, mb, kib, mib, ...).
• Add possibility to keep track of the return_to URLs for verification_flows after sign up using the new after_verification_return_to query parameter (e.g. http://foo.com/registration?after_verification_return_to=verification_callback) - contributed by @mattbonnell;
• Emails are now populated at delivery time, offering more flexibility in terms of templating;
• Emails contain a plaintext variant for email clients that do not display HTML emails - contributed by @mattbonnell;
• Mitigation for password hash timing attacks by adding a random delay to login attempts where the user does not exist;
• Resolving SDKs issues for whoami requests;
• Simplified database schema for faster processing, significantly reducing the amount of data stored and latency as several JOINS have been removed;
• Support for binding the HTTP server on UNIX sockets - contributed by @sloonz;

There are even more contributions by @NickUfer and harnash. In total, 33 people contributed to this release! Thank you all!

IMPORTANT: Please be aware that the database schema has changed significantly. Applying migrations might, depending on the size of your tables, take a long time. If your database does not support online schema migrations, you will experience downtimes. Please test the migration process before applying it to production!

The probably biggest and most significant change is the refactoring of how self-service flows work and what their payloads look like. This took the most amount of time and introduces the biggest breaking changes in our APIs. We did this refactoring to support several flows planned for Ory Kratos 0.7:

1. Displaying QR codes (images) in login, registration, settings flows - necessary for TOTP 2FA;
2. Asking the login/registration/... UI to render JavaScript - necessary for CAPTCHA, WebAuthN, and more;
3. Refactoring the form submission API to use one endpoint per flow instead of one endpoint per flow per method. This allows us to process several registration/settings/login/... methods such as password + 2FA in one Go.

Check out how we migrated the NodeJS app from the Ory Kratos 0.5 to Ory Kratos 0.6 SDK.

Let's take a look into how these payloads have changed (the flows have identical configuration):

Ory Kratos v0.5

Login

{
  "id": "ee6e1565-d3c3-4f3a-a6ff-0ba6b3a6481b",
  "type": "browser",
  "expires_at": "2020-09-13T10:49:54.8295242Z",
  "issued_at": "2020-09-13T10:39:54.8295242Z",
  "request_url": "http://127.0.0.1:4433/self-service/login/browser",
  "methods": {
    "password": {
      "method": "password",
      "config": {
        "action": "http://127.0.0.1:4433/self-service/login/methods/password?flow=ee6e1565-d3c3-4f3a-a6ff-0ba6b3a6481b",
        "method": "POST",
        "fields": [
          {
            "name": "identifier",
            "type": "text",
            "required": true,
            "value": ""
          },
          {
            "name": "password",
            "type": "password",
            "required": true
          },
          {
            "name": "csrf_token",
            "type": "hidden",
            "required": true,
            "value": "lNrB8sW2fZY6xnnA91V7ISYrUVcJbmRCOoGHjsnsfI7MsIL5RTbuWFm5TRv1azQW+7IRCfnt2Ch6pC42/45sJQ=="
          }
        ]
      }
    }
  },
  "forced": false
}

Registration

{
  "id": "2b1f8c5d-e830-4068-97b8-35f776df9217",
  "type": "browser",
  "expires_at": "2020-09-13T10:53:15.1774019Z",
  "issued_at": "2020-09-13T10:43:15.1774019Z",
  "request_url": "http://127.0.0.1:4433/self-service/registration/browser",
  "active": "password",
  "messages": null,
  "methods": {
    "password": {
      "method": "password",
      "config": {
        "action": "http://127.0.0.1:4433/self-service/registration/methods/password?flow=2b1f8c5d-e830-4068-97b8-35f776df9217",
        "method": "POST",
        "fields": [
          {
            "name": "csrf_token",
            "type": "hidden",
            "required": true,
            "value": "1IlHWNjkAZxuYhO82WPgNTgujKsUSaW87j6og/20i2uM4wRTWGSSUg0dJ2fbXa8C5bfM9eTKGdauGwE7y9abwA=="
          },
          {
            "name": "password",
            "type": "password",
            "required": true,
            "messages": [
              {
                "id": 4000005,
                "text": "The password can not be used because the password has been found in at least 23597311 data breaches and must no longer be used..",
                "type": "error",
                "context": {
                  "reason": "the password has been found in at least 23597311 data breaches and must no longer be used."
                }
              }
            ]
          },
          {
            "name": "traits.email",
            "type": "text",
            "value": "[email protected]"
          },
          {
            "name": "traits.name.first",
            "type": "text",
            "value": "Ory"
          },
          {
            "name": "traits.name.last",
            "type": "text",
            "value": "Corp"
          }
        ]
      }
    }
  }
}

Ory Kratos v0.6

Login

As you can see below, the input name identifier has changed to password_identifier.

{
  "id": "07016811-917d-4788-bb9c-fc297897af6c",
  "type": "browser",
  "expires_at": "2021-04-28T08:37:53.924337873Z",
  "issued_at": "2021-04-28T08:27:53.924337873Z",
  "request_url": "http://127.0.0.1:4433/self-service/login/browser",
  "ui": {
    "action": "http://127.0.0.1:4433/self-service/login?flow=07016811-917d-4788-bb9c-fc297897af6c",
    "method": "POST",
    "nodes": [
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "csrf_token",
          "type": "hidden",
          "value": "IuiHo8fajl6Nwi2CfR33bmC7ZI+geYY44oinK/npkS9gaeV6DlkzS0voYZuyGawsCruvlawFl/pY6/Ph6d9JVg==",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {}
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "password_identifier",
          "type": "text",
          "value": "",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070004,
            "text": "ID",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "password",
          "type": "password",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070001,
            "text": "Password",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "method",
          "type": "submit",
          "value": "password",
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1010001,
            "text": "Sign in",
            "type": "info",
            "context": {}
          }
        }
      }
    ]
  },
  "forced": false
}

Registration

{
  "id": "f0c0830a-f5b2-4c2d-a37f-2e70152a4f7c",
  "type": "browser",
  "expires_at": "2021-04-28T08:54:12.951178972Z",
  "issued_at": "2021-04-28T08:44:12.951178972Z",
  "request_url": "http://127.0.0.1:4433/self-service/registration/browser",
  "ui": {
    "action": "http://127.0.0.1:4433/self-service/registration?flow=f0c0830a-f5b2-4c2d-a37f-2e70152a4f7c",
    "method": "POST",
    "nodes": [
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "csrf_token",
          "type": "hidden",
          "value": "408SIAOvpKxW/WbcYfKue26MlLTMbON7T7JT1yhiSemhznD5yiwZuZDXKsWu9vU5BIxfrsAQ8rn10QcdOFSRkA==",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {}
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "traits.email",
          "type": "email",
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070002,
            "text": "E-Mail",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "password",
          "type": "password",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070001,
            "text": "Password",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "traits.name.first",
          "type": "text",
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070002,
            "text": "First Name",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "traits.name.last",
          "type": "text",
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070002,
            "text": "Last Name",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "method",
          "type": "submit",
          "value": "password",
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1040001,
            "text": "Sign up",
            "type": "info",
            "context": {}
          }
        }
      }
    ]
  }
}

These changes are analogous to settings, recovery, verification as well!

We hope you enjoy these new features as much as we do, even if we were not able to deliver 2FA in time for 0.6!

On the last note, Ory Platform, a SaaS is launching in May as early access. It includes Ory Kratos as a managed service and we plan on adding all the other Ory open source technology soon. In our view, Ory is a 10x improvement to the existing "IAM" ecosystem:

1. The major components of Ory Platform are and will remain Apache 2.0 licensed open source. We are not changing our approach or commitment to open source. The SaaS model allows us to keep commercialization and open source in harmony;
2. Affordable pricing - Ory does not charge on a per identity basis;
3. Supporting migrations from the Ory Platform (SaaS) to the open-source and vice versa;
4. Offering a planet-scale service with ultra-low latencies no matter where your users are;
5. The largest set of features and APIs of any Identity Product, including Identity and Credentials Management (Ory Kratos), Permissions and Access Control (Ory Keto), Zero-Trust Networking (Ory Oathkeeper), OAuth2, and OpenID Connect (Ory Hydra) plus integrations with Stripe, Mailchimp, Salesforce, and much more.
6. Data aggregation for threat mitigation, auditing, and other use cases (e.g. integration with Snowflake, AWS RedShift, GCP BigQuery, ...)
7. All the advantages of the open source projects - headless, fully customizable, strong security, built with a community;
   If you wish to become a part of the preview, please write a short email to [email protected]. Early access adopters are also eligible for Ory Hypercare - helping you integrate with Ory fast and designing your security architecture following industry best practices.

Thank you for being a part of our community!

0.6.0-alpha.1 (2021-05-05)

Bug Fixes

• Add include stub go files (6d725b1)

• Add index to migration status (8c6ec27)

• Add node_modules to format tasks (e5f6b36)

• Add titles to identity schema (73c15d2)

• Adopt to new go-swagger changes (5c45bd9)

• Allow absolute file URLs as config values (#1069) (4bb4f67)

• Allow hashtag in ui urls (#1040) (7591f07)

• Avoid unicode-escaping ampersand in recovery URL query string (#1212) (d172368)

• Bcrypt regression in credentials counting (23fc13b)

• Broken make quickstart-dev task (#980) (999828a), closes #965

• Broken make sdk task (#977) (5b01c7a), closes #950

• Call contextualized test helpers (e1f3f78)

• Code integer parsing bit size (#1178) (31e9632):

  In some cases we had a wrong bitsize of 64, while the var was later cast to int. Replaced with a bitsize of 0, which is the value to cast to int.

• Contextualize identity persister (f8640c0)

• Convert all identifiers to lower case on login (#815) (d64b575), closes #814

• Courier adress (#1198) (ebe4e64), closes #1194

• Courier message dequeue race condition (#1024) (5396a82), closes #652 #732:

  Fixes the courier message dequeuing race condition by modifying *sql.Persister.NextMessages(ctx context.Context, limit uint8) to retrieve only messages with status MessageStatusQueued and update the status of the retrieved messages to MessageStatusProcessing within a transaction. On message send failure, the message's status is reset to MessageStatusQueued, so that the message can be dequeued in a subsequent NextMessages call. On message send success, the status is updated to MessageStatusSent (no change there).

• Define credentials types as sql template and resolve crdb issue (a2d6eeb)

• Dereference pointer types from new flow structures (#1019) (efedc92)

• Do not include smtp in tracing (#1268) (bbfcbf9)

• Do not publish version at public endpoint (3726ed4)

• Do not reset registration method (554bb0b)

• Do not return system errors for missing identifiers (1fcc855), closes #1286

• Export mailhog dockertest runner (1384148)

• Fix random delay norm distribution math (#1131) (bd9d28f)

• Fork audit logger from root logger (68a09e7)

• Gitlab oidc flow (#1159) (0bb3eb6), closes #1157

• Give specific message instead of only 404 when method is disabled (#1025) (2f62041):

  Enabled strategies are not only used for handlers but also in other areas
  (e.g. populating the flow methods). So we should keep the logic to get
  enabled strategies and add new functions for getting all strategies.

• Ignore unset domain aliases (ada6997)

• Improve cli error output (43e9678)

• Improve error stack trace (4351773)

• Improve error tracing (#1005) (456fd25)

• Improve test contextualization (2f92a70)

• Initialize randomdelay with seeded source (9896289)

• Insert credentials type constants as part of migrations (#865) (92b79b8), closes #861

• Linking a connection may result in system error (#990) (be02a70), closes #694

• Marking whoami auhorization parameter as 'in header' (#1244) (62d8b85), closes #1215

• Move schema loaders to correct file (029781f)

• Move to new transaction-safe migrations (#1063) (2588fb4):

  This patch introduces a new SQL transaction model for running SQL migrations. This fix is particularly targeted at CockroachDB which has limited support for mixing DDL and DML statements.

  Previously it could happen that migrations failure needed manual intervention. This has now been resolved. The new migration model is compatible with the old one and should work without a problem.

• Pass down context to registry (0879446)

• Re-enable SDK generation (1d5854d)

• Record cypress runs (db35d8f)

• Rehydrate settings form on successful submission (3457e1a), closes #1305

• Remove absolete 'make pack' from Dockerfile (#1172) (b8eb908)

• Remove continuity cookies on errors (85eea67)

• Remove include stubs (1764e3a)

• Remove obsolete clihelpers (230fd13)

• Remove record from bash script (84a9315)

• Remove stray non-ctx configs (#1053) (1fe137e)

• Remove trailing double-dot from error (59581e3)

• Remove unused sql migration (1445d1d)

• Remove unused var (30a8cee)

• Remove verify hook (98cfec6), closes #1302:

  The verify hook is automatically used when verification is enabled and has been removed as a configuration option.

• Replace jwt module (#1254) (3803c8c), closes #1250

• Resolve build and release issues (fb582aa)

• Resolve clidoc issues (599e9f7)

• Resolve compile issues (63063c1)

• Resolve contextualized table issues (5a4f0d9)

• Resolve crdb migration issue (9f6edfd)

• Resolve double hook invokation for registration (032322c)

• Resolve incorrect field types on oidc sign up completion (f88b6ab)

• Resolve lint issues (0348825)

• Resolve lint issues (75a995b)

• Resolve linting issues and disable nancy (c8396f6)

• Resolve mail queue issues (b968bc4)

• Resolve merge regressions (9862ac7)

• Resolve oidc e2e regressions (f28087a)

• Resolve oidc regressions and e2e tests (f5091fa)

• Resolve potential fsnotify leaks (3159c0a)

• Resolve regressions and test failures (8bae356)

• Resolve regressions in cookies and payloads (9e34bf2)

• Resolve settings sudo regressions (4b611f3)

• Resolve test regressions (e3fb028)

• Resolve ui issues with nested form objects (8e744b9)

• Resolve update regression (d0d661a)

• Return delay instead of sleeping to improve tests (27b977e)

• Revert generator changes (c18b97f)

• Run correct error handler for registration hooks (0d80447)

• Simplify data breaches password error reason (#1136) (33d29bf):

  This PR simplifies the error reason given when a password has appeared in data breaches to not include the actual number and rather just show "this password has appeared in data breaches and must not be used".

• Support form and json formats in decoder (d420fe6)

• Update openapi definitions for signup (eb0b69d)

• Update quickstart node image (c19b2f4):

  See https://github.com/ory/kratos/discussions/1301

• cmd: Make HTTP calls resilient (e8ed61f)

• hashing: Make bcrypt default hashing algorithm (04abe77)

• Update to new goreleaser config (4c2a1b7)

• Update to new healthx (6ec987a)

• Use equalfold (1c0e52e)

• Use new TB interface (d75a378)

• Use numerical User ID instead of name to avoid k8s security warnings (#1151) (468a12e):

  Our docker image scanner does not allow running processes inside
  container using non-numeric User spec (to determine if we are trying
  to run docker image as root).

• Use remote dependencies (1e56457)

Code Refactoring

• Adapt new sdk in testhelpers (6e15f6f)

• Add nid everywhere (407fd95)

• Contextualize everything (7ebc3a9):

  This patch contextualizes all configuration and DBAL models.

• Do not use prefixed node names (fc42ece)

• Improve Argon2 tooling (#961) (3151187), closes #955:

  This adds a load testing CLI that allows to adjust the hasher parameters under simulated load.

• Move faker to exportable module (09f8ae5)

• Move migratest helpers to ory/x (7eca67e)

• Move password config to selfservice (cd0e0eb)

• Move to go 1.16 embed (43c4a13):

  This patch replaces packr and pkged with the Go 1.16 embed feature.

• Remove password node attribute prefix (e27fae4)

• Remove profile node attribute prefix (a3ff6f7)

• Rename config structs and interfaces (4a2f419)

• Rename form to container (5da155a)

• Replace flow's forms with new ui node module (647eb1e)

• Replace flow's forms with new ui node module (f74a5c2)

• Replace login flow methods with ui container (d4ca364)

• Replace recovery flow methods with ui container (cac0456)

• Replace registration flow methods with ui container (3f6388d)

• Replace settings flow methods with ui container (0efd17e)

• Replace verification flow methods with ui container (dbf2668)

• Replace viper with koanf config management (5eb1bc0)

• Update RegisterFakes calls (6268310)

• Use underscore in webhook auth types (26829d2)

Documentation

• Add docker to docs main (8ce8b78)

• Add docker to sidebar (ed38c88)

• Add dotnet sdk (#1183) (32d874a)

• Add faq sidebar (#1105) (10697aa)

• Add log docs to schema config (4967f11)

• Add more HA docs (cbb2e27)

• Add Rust and Dart SDKs (6d96952):

  We now support for Rust and Dart SDKs!

• Add SameSite help (2df6729)

• Add shell-session language (d16db87)

• Add ui node docs (e48a07d)

• Adding double colons (#1187) (fc712f4)

• Bcrypt is default and add 72 char warning (29ae53a)

• Better import identities examples (#997) (2e2880a)

• Change forum to discussions readme (#1220) (ae39956)

• Describe more about Kratos login/browser flow on quickstart doc (#1047) (fe725ad)

• Docker file links (#1182) (4d9b6a3)

• Document hash timing attack mitigation (ec86993)

• Explain how to use after_verification_return_to (7e1546b)

• FAQ improvements (#1135) (44d0bc9)

• FAQ item & minor changes (#1174) (11cf630)

• Fix broken link (#1037) (6b9aae8)

• Fix failing build (0de328f)

• Fix formatting (#966) (687251a)

• Fix identity state bullets (#1095) (f476334)

• Fix known/unknown email account recovery (#1211) (e208ca5)

• Fix link (7f6d7f5)

• Fix link (#1128) (e7043e9)

• Fix link to blogpost (#949) (4622e32), closes #945

• Fix link to self-service flows overview (#995) (2be8778)

• Fix note block in third party login guide (#920) (745cea0):

  Allows the document to render properly

• Fix npm links (#991) (4ce4468)

• Fix self-service code flows labels (#1253) (f2ed424)

• Fix typo in README (#1122) (e500707)

• Link to argon2 blogpost and add cross-references (#1038) (9ab7c3d)

• Make explicit the ID of the default schema (#1173) (cc6e9ff)

• Minor cosmetics (#1050) (34db06f)

• Minor improvements (#1052) (f0672b5)

• ORY -> Ory (ea30979)

• Reformat settings code samples (cdbbf4d)

• Remove unnecessary and wrong docker pull commands (#1203) (2b0342a)

• Resolve duplication error (a3d8284)

• Update build from source (9b5754f), closes #979

• Update email template docs (1778cb9), closes #897

• Update identity-data-model links (b5fd9a3)

• Update identity.ID field documentation (4624f03):

  See https://github.com/ory/kratos/discussions/956

• Update kratos video link (#1073) (e86178f)

• Update login code samples (695a30f)

• Update login code samples (ce6c755)

• Update quickstart samples (c3fcaba)

• Update recovery code samples (d9fbb62)

• Update registration code samples (317810f)

• Update self-service code samples (6415011)

• Update settings code samples (bbd6266)

• Update verification code samples (4285dec)

• Use correct extension for identity-data-model (acab3e8), closes /github.com/ory/kratos/pull/1197#issuecomment-819455322

• prometheus: Update codedoc (47146ea)

Features

• Add email template specification in doc (#898) (4230d9e)

• Add error for when no login strategy was found (6bae66c)

• Add facebook provider to oidc providers and documentation (#1035) (905bb03), closes #1034

• Add FAQ to docs (#1096) (9c6b68c)

• Add gh login to claims (49deb2e)

• Add login strategy text message (7468c83)

• Add more tests for multi domain args (e99803b)

• Add Prometheus monitoring to Public APIs (#1022) (75a4f1a)

• Add random delay to login flow (#1088) (cb9894f), closes #832

• Add return_url to verification flow (#1149) (bb99912), closes #1123 #1133

• Add sql migrations for new login flow (e947edf)

• Add sql tracing (3c4cc1c)

• Add tracing to config schema (007dde4)

• Add transporter with host modification (2c41b81)

• Add workaround template for go openapi (5d72d10)

• Adds slack sogial login (#974) (7c66053), closes #953

• Allow session cookie name configuration (77ce316), closes #268

• Allow specifying sender name in smtp.from_address (#1100) (5904fe3)

• Bcrypt algorithm support (#1169) (b2612ee):

  This patch adds the ability to use BCrypt instead of Argon2id for password hashing. We recommend using BCrypt for web workloads where password hashing should take around 200ms. For workloads where login takes >= 2 seconds, we recommend to continue using Argon2id.

  To use bcrypt for password hashing, set your config as follows:

  hashers:
  bcrypt:
     cost: 12
   algorithm: bcrypt
  

  Switching the hashing algorithm will not break existing passwords!

  Co-authored-by: Patrik [email protected]

• Check migrations in health check (c6ef7ad)

• Configure domain alias as query param (9d8563e)

• Contextualize configuration (d3d5327)

• Contextualize health checks (8145a1c)

• Contextualize http client in cli calls (3b3ef8f)

• Contextualize persitence testers (6440373)

• Courier foreground worker with "kratos courier watch" (#1062) (500b8ba), closes #1033 #1024:

  BREACKING CHANGES: This patch moves the courier watcher (responsible for sending mail) to its own foreground worker, which can be executed as a, for example, Kubernetes job.

  It is still possible to have the previous behaviour which would run the worker as a background task when running kratos serve by using the --watch-courier flag.

  To run the foreground worker, use kratos courier watch -c your/config.yaml.

• Do not enforce bcrypt 12 for dev envs (bbf44d8)

• Email input validation (#1287) (cd56b73), closes #1285

• Export and add config options (4391fe5)

• Expose courier worker (f50969e)

• Expose crdb ui (504d518)

• Global docs sidebar (#1258) (7108262)

• Implement and test domain aliasing (1516a54):

  This patch adds a feature called domain aliasing. For more information, head over to http://ory.sh/docs/kratos/next/guides/multi-domain-cookies

• Improve oas spec and fix mobile tests (4ead2c8)

• Improve sorting of ui fields (797b49d):

  See https://github.com/ory/kratos/discussions/1196

• Include schema (348a493)

• Make cli commands consumable in Ory Cloud (#926) (fed790b)

• Migrate to openapi v3 (595224b)

• Populate email templates at delivery time, add plaintext defaults (#1155) (7749c7a), closes #1065

• Sort and label nodes with easy to use defaults (cbec27c):

  Ory Kratos takes a guess based on best practices for

  • ordering UI nodes (e.g. email, password, submit button)
  • grouping UI nodes (e.g. keep password and oidc nodes together)
  • labeling UI nodes (e.g. "Sign in with GitHub")
  • using the "title" attribute from the identity schema to label trait fields

  This greatly simplifies front-end code on your end and makes it even easier to integrate with Ory Kratos! If you want a custom experience with e.g. translations or other things you can always adjust this in your UI integration!

• Support base64 inline schemas (815a248)

• Support contextual csrf cookies (957ef38)

• Support domain aliasing in session cookie (0681c12)

• Support label in oidc config (a99cdcd)

• Support retryable CRDB transactions (f0c21d7)

• Unix sockets support (#1255) (ad010de)

• Web hooks support (recovery) (#1289) (3e181fe), closes #271:

  feat: web hooks for self-service flows

  This feature adds the ability to define web-hooks using a mixture of configuration and JsonNet. This allows integration with services like Mailchimp, Stripe, CRMs, and all other APIs that support REST requests. Additional to these new changes it is now possible to define hooks for verification and recovery as well!

  For more information, head over to the hooks documentation.

• courier: Allow sending individual messages (cbb2c0b)

• oidc: Support google hd claim (#1097) (1f20a5c)

• schema: Add totp errors (a61f881)

Tests

• Add case to ensure correct behavior when verifying a different email address (#999) (f95a117), closes #998
• Add oasis test case (f80691b)
• Bump poll interval (b3dc925)
• Bump video quality (b7f8d04)
• Bump wait times (b2e43f8)
• Clean up hydra env before restart (cf49414)
• Longer wait times (4bec9ef)
• Reliable migration tests on crdb (2e3764b)
• Remove old noop test (16dca3f)
• Resolve compile issues (c1b5ba4)
• Resolve flaky tests (cb670a8)
• Resolve json parser test regression (a1b9b9a)
• Resolve login integration regressions (388b5b2)
• Resolve migration regression (2051a71)
• Resolve more json parser test regressions (ff791c4)
• Resolve regression (e2b0ad3)
• Update schema tests for webhooks (d1ddfa8)
• e2e: Significantly reduce wait and idle times (f525fc5)
• Resolve more regressions (c5a23af)
• Resolve order regression (40a849c)
• Resolve regression (f0c9e5f)
• Resolve regressions (4b9da3c)
• Resolve stub regressions (82650cf)
• Resolve test migrations (de0b65d)
• Resolve test regression issues (ccf9fed)
• Speed up tests (a16737c)
• Update test description (55fb37f)
• Use bcrypt cost 4 to reduce CI times (cabe97d)
• Use fast bcrypt for e2e (d90cf13)

Unclassified

• Format (e4b7e79)
• Format (193d266)
• Format (1ebfbde)
• Format (ba1eeef)
• Format (ada5dbb)
• Initial documentation tests via Text-Runner (#567) (c30eb26)
• fix: resolve clidoc issues (#976) (346bc73), closes #976 #951
• Format (17a0bf5)
• 🐛 fix ory home directory path (#897) (2fca2be), closes #897
• Fix typo in config schema (16337f1)

BREAKING CHANGES

• hashing: BCrypt is now the default hashing alogrithm. If you wish to continue using Argon2id please set hashers.algorithm to argon2.
• This implies a significant breaking change in the verification flow payload. Please consult the new ui documentation. In essence, the login flow's methods key was replaced with a generic ui key which provides information for the UI that needs to be rendered.

To apply this patch you must apply SQL migrations. These migrations will drop the flow method table implying that all verification flows that are ongoing will become invalid. We recommend purging the flow table manually as well after this migration has been applied, if you have users doing at least one self-service flow per minute.

• This implies a significant breaking change in the recovery flow payload. Please consult the new ui documentation. In essence, the login flow's methods key was replaced with a generic ui key which provides information for the UI that needs to be rendered.

To apply this patch you must apply SQL migrations. These migrations will drop the flow method table implying that all recovery flows that are ongoing will become invalid. We recommend purging the flow table manually as well after this migration has been applied, if you have users doing at least one self-service flow per minute.

• This implies a significant breaking change in the settings flow payload. Please consult the new ui documentation. In essence, the login flow's methods key was replaced with a generic ui key which provides information for the UI that needs to be rendered.

To apply this patch you must apply SQL migrations. These migrations will drop the flow method table implying that all settings flows that are ongoing will become invalid. We recommend purging the flow table manually as well after this migration has been applied, if you have users doing at least one self-service flow per minute.

• This implies a significant breaking change in the registration flow payload. Please consult the new ui documentation. In essence, the login flow's methods key was replaced with a generic ui key which provides information for the UI that needs to be rendered.

To apply this patch you must apply SQL migrations. These migrations will drop the flow method table implying that all registration flows that are ongoing will become invalid. We recommend purging the flow table manually as well after this migration has been applied, if you have users doing at least one self-service flow per minute.

• This implies a significant breaking change in the login flow payload. Please consult the new ui documentation. In essence, the login flow's methods key was replaced with a generic ui key which provides information for the UI that needs to be rendered.

To apply this patch you must apply SQL migrations. These migrations will drop the flow method table implying that all login flows that are ongoing will become invalid. We recommend purging the flow table manually as well after this migration has been applied, if you have users doing at least one self-service flow per minute.

• This change introduces a new feature: UI Nodes. Previously, all self-service flows (login, registration, ...) included form fields (e.g. methods.password.config.fields). However, these form fields lacked support for other types of UI elements such as links (for e.g. "Sign in with Google"), images (e.g. QR codes), javascript (e.g. WebAuthn), or text (e.g. recovery codes). With this patch, these new features have been introduced. Please be aware that this introduces significant breaking changes which you will need to adopt to in your UI. Please refer to the most recent documentation to see what has changed. Conceptionally, most things stayed the same - you do however need to update how you access and render the form fields.

Please be also aware that this patch includes SQL migrations which purge existing self-service forms from the database. This means that users will need to re-start the login/registration/... flow after the SQL migrations have been applied! If you wish to keep these records, make a back up of your database prior!

• This change introduces a new feature: UI Nodes. Previously, all self-service flows (login, registration, ...) included form fields (e.g. methods.password.config.fields). However, these form fields lacked support for other types of UI elements such as links (for e.g. "Sign in with Google"), images (e.g. QR codes), javascript (e.g. WebAuthn), or text (e.g. recovery codes). With this patch, these new features have been introduced. Please be aware that this introduces significant breaking changes which you will need to adopt to in your UI. Please refer to the most recent documentation to see what has changed. Conceptionally, most things stayed the same - you do however need to update how you access and render the form fields.

Please be also aware that this patch includes SQL migrations which purge existing self-service forms from the database. This means that users will need to re-start the login/registration/... flow after the SQL migrations have been applied! If you wish to keep these records, make a back up of your database prior!

• The configuration value for hashers.argon2.memory is now a string representation of the memory amount including the unit of measurement. To convert the value divide your current setting (KB) by 1024 to get a result in MB or 1048576 to get a result in GB. Example: 131072 would now become 128MB.

Co-authored-by: aeneasr [email protected]
Co-authored-by: aeneasr [email protected]

• Please run SQL migrations when applying this patch.
• The following configuration keys were updated:

selfservice.methods.password.config.max_breaches

• password.max_breaches -> selfservice.methods.password.config.max_breaches
• password.ignore_network_errors -> selfservice.methods.password.config.ignore_network_errors

• After battling with spf13/viper for several years we finally found a viable alternative with knadh/koanf. The complete internal configuration infrastructure has changed, with several highlights:

1. Configuration sourcing works from all sources (file, env, cli flags) with validation against the configuration schema, greatly improving developer experience when changing or updating configuration.
2. Configuration reloading has improved significantly and works flawlessly on Kubernetes.
3. Performance increased dramatically, completely removing the need for a cache layer between the configuration system and ORY Hydra.
4. It is now possible to load several config files using the --config flag.
5. Configuration values are now sent to the tracer (e.g. Jaeger) if tracing is enabled.

Please be aware that ORY Kratos might complain about an invalid configuration, because the validation process has improved significantly.

Changelog

346bc739 fix: resolve clidoc issues (#976)
2fca2bed 🐛 fix ory home directory path (#897)
16337f13 Fix typo in config schema
b28aea86 autogen(docs): generate and format documentation
412af90a autogen(docs): generate and format documentation
cfae68b7 autogen(docs): generate and format documentation
9438f87e autogen(docs): generate and format documentation
ef300aa7 autogen(docs): generate and format documentation
9c4fdeae autogen(docs): generate and format documentation
00d2e98d autogen(docs): generate and format documentation
9ff58626 autogen(docs): generate and format documentation
80e9eb81 autogen(docs): generate and format documentation
d9955bd5 autogen(docs): generate and format documentation
69f090d5 autogen(docs): generate and format documentation
17340f75 autogen(docs): generate and format documentation
bbf38d32 autogen(docs): generate and format documentation
527c22e6 autogen(docs): generate and format documentation
d1c8cef6 autogen(docs): generate and format documentation
c2358be1 autogen(docs): generate and format documentation
eb2f369a autogen(docs): generate and format documentation
7522a54f autogen(docs): generate and format documentation
e0e333c5 autogen(docs): generate and format documentation
3bdbdc0c autogen(docs): generate and format documentation
7a5143c4 autogen(docs): generate and format documentation
2fb367bc autogen(docs): generate and format documentation
b8971a25 autogen(docs): generate and format documentation
9efe448b autogen(docs): generate and format documentation
8ac1cf1a autogen(docs): generate and format documentation
93351636 autogen(docs): generate and format documentation
56c9ba0b autogen(docs): generate and format documentation
ad4f5e6f autogen(docs): generate and format documentation
f44cced6 autogen(docs): generate and format documentation
8516e404 autogen(docs): generate and format documentation
8d646453 autogen(docs): generate and format documentation
23d78bae autogen(docs): generate and format documentation
f335dba7 autogen(docs): generate and format documentation
28851465 autogen(docs): generate and format documentation
0068aa56 autogen(docs): generate and format documentation
40493f8f autogen(docs): generate and format documentation
278b0a7a autogen(docs): generate and format documentation
8985775d autogen(docs): generate and format documentation
4301ea61 autogen(docs): generate and format documentation
a7b05441 autogen(docs): generate and format documentation
343d02d7 autogen(docs): generate and format documentation
b3b6d2ec autogen(docs): generate and format documentation
7cf1e72a autogen(docs): generate and format documentation
5405defa autogen(docs): generate and format documentation
f87c939b autogen(docs): generate and format documentation
fbd3f828 autogen(docs): generate and format documentation
ba2f2c31 autogen(docs): generate and format documentation
6c8ca8e2 autogen(docs): generate and format documentation
3840285b autogen(docs): generate and format documentation
91f0531d autogen(docs): generate and format documentation
f115821d autogen(docs): generate and format documentation
75e81fec autogen(docs): generate and format documentation
1008d2fa autogen(docs): generate and format documentation
c034e3ed autogen(docs): generate and format documentation
6b6edc23 autogen(docs): generate and format documentation
2b0031ff autogen(docs): generate and format documentation
5adbfadb autogen(docs): generate and format documentation
ff1aede2 autogen(docs): generate and format documentation
1811b10d autogen(docs): generate and format documentation
e3f20379 autogen(docs): generate and format documentation
2725d2ce autogen(docs): generate and format documentation
162df3e5 autogen(docs): generate and format documentation
a0b68861 autogen(docs): generate and format documentation
75408a0b autogen(docs): generate and format documentation
784a44eb autogen(docs): generate and format documentation
e3b79200 autogen(docs): generate cli docs
8085fdec autogen(docs): generate cli docs
6653d236 autogen(docs): generate cli docs
5f88465a autogen(docs): generate cli docs
4bda1f09 autogen(docs): generate cli docs
e786410b autogen(docs): generate cli docs
1d3a4349 autogen(docs): generate cli docs
425de3f1 autogen(docs): generate cli docs
95b33768 autogen(docs): generate cli docs
73db8a1b autogen(docs): generate cli docs
2bca952f autogen(docs): generate cli docs
abfcdfda autogen(docs): generate cli docs
d0b47976 autogen(docs): generate cli docs
15d50e2d autogen(docs): generate cli docs
d87dcc74 autogen(docs): generate cli docs
0f5106c2 autogen(docs): generate cli docs
76486046 autogen(docs): generate cli docs
af200d13 autogen(docs): generate cli docs
653e476a autogen(docs): generate cli docs
6788f055 autogen(docs): generate cli docs
c9d14922 autogen(docs): generate cli docs
79d6a46f autogen(docs): generate cli docs
e216c43c autogen(docs): generate cli docs
6c895f1d autogen(docs): generate cli docs
714508bc autogen(docs): regenerate and update changelog
4b8958a0 autogen(docs): regenerate and update changelog
3cb38805 autogen(docs): regenerate and update changelog
3661e9ba autogen(docs): regenerate and update changelog
1d213c6b autogen(docs): regenerate and update changelog
bc0be6fd autogen(docs): regenerate and update changelog
c8e10295 autogen(docs): regenerate and update changelog
81f13de8 autogen(docs): regenerate and update changelog
7360f2b4 autogen(docs): regenerate and update changelog
5a450c71 autogen(docs): regenerate and update changelog
3929742c autogen(docs): regenerate and update changelog
0e210643 autogen(docs): regenerate and update changelog
813d85e4 autogen(docs): update milestone document
41492f9d autogen(docs): update milestone document
aad6ee9d autogen(docs): update milestone document
2e43773c autogen(docs): update milestone document
0c04a84d autogen(docs): update milestone document
ef1e3f77 autogen(docs): update milestone document
b20f6513 autogen(docs): update milestone document
71e602ca autogen(docs): update milestone document
a559cf44 autogen(docs): update milestone document
0a1380fa autogen(docs): update milestone document
6e7e8e00 autogen(docs): update milestone document
ade41e03 autogen(docs): update milestone document
33c5f6bf autogen(docs): update milestone document
71aa2045 autogen(docs): update milestone document
abf15a35 autogen(docs): update milestone document
63b269f2 autogen(docs): update milestone document
1bd2b95e autogen(docs): update milestone document
64eb80c2 autogen(docs): update milestone document
0bdca786 autogen(docs): update milestone document
b17b5f8b autogen(docs): update milestone document
4e831f2b autogen(docs): update milestone document
0a72f96e autogen(docs): update milestone document
1b8bdc4d autogen(docs): update milestone document
eb0399c2 autogen(docs): update milestone document
8660d6d9 autogen(docs): update milestone document
dc410bee autogen(docs): update milestone document
8cf1e789 autogen(docs): update milestone document
e28f759e autogen(docs): update milestone document
688d04a1 autogen(docs): update milestone document
6d462ca0 autogen(docs): update milestone document
48078e9a autogen(docs): update milestone document
529a2a49 autogen(openapi): Regenerate openapi spec and internal client
f6b9f233 autogen(openapi): Regenerate openapi spec and internal client
7de219bd autogen(openapi): Regenerate swagger spec and internal client
c4c6ed96 autogen(openapi): Regenerate swagger spec and internal client
7381b8d6 autogen(openapi): Regenerate swagger spec and internal client
e8fac42b autogen(openapi): Regenerate swagger spec and internal client
7768464c autogen(openapi): Regenerate swagger spec and internal client
17bbbd28 autogen(openapi): Regenerate swagger spec and internal client
e96216ff autogen(openapi): Regenerate swagger spec and internal client
20cf594d autogen(openapi): Regenerate swagger spec and internal client
2e6f87ba autogen(openapi): Regenerate swagger spec and internal client
0c07aca4 autogen(openapi): Regenerate swagger spec and internal client
e8064b56 autogen(openapi): Regenerate swagger spec and internal client
76f6002a autogen: add v0.5.5-alpha.1 to version.schema.json
507d13a8 autogen: pin v0.6.0-alpha.1 release commit
b51dd98d autogen: pin v0.6.0-alpha.1.pre.0 release commit
c89bcb33 autogen: pin v0.6.0-alpha.1.pre.1 release commit
fa7fa701 autogen: pin v0.6.0-alpha.1.pre.2 release commit
ebc8d8d4 autogen: pin v0.6.0-alpha.1.pre.3 release commit
9b6afb24 chore(identity): remove unused function
e43ec543 chore: add sqlite links
2f265236 chore: bump cockroach
be72d426 chore: bump cypress and openapi generator
23f347bf chore: bump deps
8ef26f0a chore: bump go deps
4ad89dee chore: bump go.mod
04d89b93 chore: bump gobuffalo
a3129ac1 chore: bump ory/x
8858f719 chore: bump ory/x
e6f78665 chore: bump ory/x and gjson (#1171)
61834d10 chore: bump ory/x to 0.0.192
15ade1c5 chore: enable goimports linter (#1177)
5b437de2 chore: fix docs build (#1179)
aee52d23 chore: fix mermaid (#1197)
3e982211 chore: fix misprint (#1308)
8f01c5c3 chore: fix sdk link (#1190)
0b551e48 chore: format
a8964042 chore: regenerate SDK for new login flow
364ee591 chore: regenerate sdk
8afa98a1 chore: remove incorrect dependency (#1271)
4097e277 chore: remove obsolete package
9aaae858 chore: remove stray print
e49c7534 chore: remove unused file
734e538f chore: resolve lint issues
19198cf2 chore: resolve linter issues
e3cf3da3 chore: typos and Hydra replacements (#1307)
5ac23807 chore: update docusaurus template
d79e1adb chore: update docusaurus template
7f97ca80 chore: update docusaurus template
ab538938 chore: update docusaurus template
c713c17b chore: update docusaurus template
6bc87522 chore: update docusaurus template
39d9b95a chore: update docusaurus template (#1098)
81c452aa chore: update docusaurus template (#1120)
d44178d4 chore: update docusaurus template (#1158)
2b620ae7 chore: update docusaurus template (#1176)
11698b51 chore: update docusaurus template (#1259)
fdbb3971 chore: update docusaurus template (#1260)
45ce1c6c chore: update docusaurus template (#1309)
8ed70e36 chore: update go modules
e8a38ea8 chore: update go-sqlite3 dependency
1d5c5dde chore: update go.mod with local rewrites
eb1889f6 chore: update gomodules
694bbbb5 chore: update package lock e2e
fec00257 chore: update package.lock
7386ab1e chore: update repository templates
6edcd26d chore: update repository templates
948e6e27 chore: update repository templates
35cac8b8 chore: update repository templates
91686e6a chore: update repository templates (#1061)
222f0ca5 chore: update repository templates (#1076)
510ac232 chore: update repository templates (#1118)
ca8a7c38 chore: update repository templates (#1209)
fde9dd38 chore: upgrades discordgo dependency for discord api 8 support (#1010)
2d70d67e ci: add codeql (#928)
c9d0c89c ci: add cypress recordings
b4a1c235 ci: add killall
4ef8ccbe ci: bump orbs
d07994ea ci: bump orbs
26b92f82 ci: bump orbs and fix sdk
49910f38 ci: bump orbs and update config
481d523a ci: disable sdk/generate
3835377a ci: execute the new step
feb1f4f8 ci: fix config issues
373a23f6 ci: fix nancy check by stripping the local rewrite
888651cc ci: ignore test faker in golangci-lint
dbda88ff ci: make sure generated FAQ files are commited (#1099)
e29cfab4 ci: resolve go 1.16 go.sum woes
21b7b16d ci: resolve go 1.16 issues
4882e55a ci: resolve ignore issue
a6cc4294 ci: resolve test issues
65539c99 ci: simplify and speed up CI (#1126)
47146ea8 docs(prometheus): update codedoc
44d0bc96 docs: FAQ improvements (#1135)
11cf6300 docs: FAQ item & minor changes (#1174)
e5007078 docs: Fix typo in README (#1122)
ea309797 docs: ORY -> Ory
6d969528 docs: add Rust and Dart SDKs
2df6729b docs: add SameSite help
8ce8b785 docs: add docker to docs main
ed38c88b docs: add docker to sidebar
32d874a0 docs: add dotnet sdk (#1183)
10697aa4 docs: add faq sidebar (#1105)
4967f11d docs: add log docs to schema config
cbb2e27f docs: add more HA docs
d16db878 docs: add shell-session language
e48a07d0 docs: add ui node docs
fc712f45 docs: adding double colons (#1187)
29ae53a9 docs: bcrypt is default and add 72 char warning
2e2880ac docs: better import identities examples (#997)
ae399561 docs: change forum to discussions readme (#1220)
fe725ad1 docs: describe more about Kratos login/browser flow on quickstart doc (#1047)
4d9b6a3f docs: docker file links (#1182)
ec869930 docs: document hash timing attack mitigation
7e1546be docs: explain how to use after_verification_return_to
6b9aae8a docs: fix broken link (#1037)
0de328ff docs: fix failing build
687251a2 docs: fix formatting (#966)
f476334c docs: fix identity state bullets (#1095)
e208ca50 docs: fix known/unknown email account recovery (#1211)
7f6d7f50 docs: fix link
e7043e9b docs: fix link (#1128)
4622e322 docs: fix link to blogpost (#949)
2be87784 docs: fix link to self-service flows overview (#995)
745cea02 docs: fix note block in third party login guide (#920)
4ce44681 docs: fix npm links (#991)
f2ed4242 docs: fix self-service code flows labels (#1253)
002448dc docs: fix typo in config schema (#896)
9ab7c3df docs: link to argon2 blogpost and add cross-references (#1038)
cc6e9ffb docs: make explicit the ID of the default schema (#1173)
34db06fd docs: minor cosmetics (#1050)
f0672b5c docs: minor improvements (#1052)
cdbbf4df docs: reformat settings code samples
2b0342ad docs: remove unnecessary and wrong docker pull commands (#1203)
a3d8284a docs: resolve duplication error
9b5754f3 docs: update build from source
1778cb9a docs: update email template docs
b5fd9a3a docs: update identity-data-model links
4624f03a docs: update identity.ID field documentation
e86178f4 docs: update kratos video link (#1073)
695a30f6 docs: update login code samples
ce6c7558 docs: update login code samples
c3fcaba6 docs: update quickstart samples
d9fbb62f docs: update recovery code samples
317810ff docs: update registration code samples
6415011a docs: update self-service code samples
bbd6266c docs: update settings code samples
4285dec5 docs: update verification code samples
acab3e8b docs: use correct extension for identity-data-model
cbb2c0be feat(courier): allow sending individual messages
1f20a5ce feat(oidc): support google hd claim (#1097)
a61f8814 feat(schema): add totp errors
9c6b68c4 feat: add FAQ to docs (#1096)
75a4f1a5 feat: add Prometheus monitoring to Public APIs (#1022)
4230d9e0 feat: add email template specification in doc (#898)
6bae66cd feat: add error for when no login strategy was found
905bb032 feat: add facebook provider to oidc providers and documentation (#1035)
49deb2e1 feat: add gh login to claims
7468c835 feat: add login strategy text message
e99803b6 feat: add more tests for multi domain args
cb9894fe feat: add random delay to login flow (#1088)
bb99912d feat: add return_url to verification flow (#1149)
e947edf4 feat: add sql migrations for new login flow
3c4cc1ce feat: add sql tracing
007dde44 feat: add tracing to config schema
2c41b81b feat: add transporter with host modification
5d72d10f feat: add workaround template for go openapi
7c660533 feat: adds slack sogial login (#974)
77ce3162 feat: allow session cookie name configuration
5904fe31 feat: allow specifying sender name in smtp.from_address (#1100)
b2612eef feat: bcrypt algorithm support (#1169)
c6ef7ad1 feat: check migrations in health check
9d8563ee feat: configure domain alias as query param
d3d5327a feat: contextualize configuration
8145a1c9 feat: contextualize health checks
3b3ef8f0 feat: contextualize http client in cli calls
64403736 feat: contextualize persitence testers
500b8bac feat: courier foreground worker with "kratos courier watch" (#1062)
bbf44d88 feat: do not enforce bcrypt 12 for dev envs
cd56b73d feat: email input validation (#1287)
4391fe57 feat: export and add config options
f50969ec feat: expose courier worker
504d5181 feat: expose crdb ui
71082624 feat: global docs sidebar (#1258)
1516a546 feat: implement and test domain aliasing
4ead2c82 feat: improve oas spec and fix mobile tests
797b49d0 feat: improve sorting of ui fields
348a493c feat: include schema
fed790b0 feat: make cli commands consumable in Ory Cloud (#926)
595224b1 feat: migrate to openapi v3
7749c7a7 feat: populate email templates at delivery time, add plaintext defaults (#1155)
cbec27c9 feat: sort and label nodes with easy to use defaults
815a2489 feat: support base64 inline schemas
957ef38b feat: support contextual csrf cookies
0681c123 feat: support domain aliasing in session cookie
a99cdcdd feat: support label in oidc config
f0c21d7e feat: support retryable CRDB transactions
ad010de2 feat: unix sockets support (#1255)
3e181fe3 feat: web hooks support (recovery) (#1289)
e8ed61fc fix(cmd): make HTTP calls resilient
04abe774 fix(hashing): make bcrypt default hashing algorithm
6d725b14 fix: add include stub go files
8c6ec274 fix: add index to migration status
e5f6b36c fix: add node_modules to format tasks
73c15d23 fix: add titles to identity schema
5c45bd9f fix: adopt to new go-swagger changes
4bb4f679 fix: allow absolute file URLs as config values (#1069)
7591f07f fix: allow hashtag in ui urls (#1040)
d1723687 fix: avoid unicode-escaping ampersand in recovery URL query string (#1212)
23fc13ba fix: bcrypt regression in credentials counting
999828ae fix: broken make quickstart-dev task (#980)
5b01c7a3 fix: broken make sdk task (#977)
e1f3f783 fix: call contextualized test helpers
31e9632b fix: code integer parsing bit size (#1178)
f8640c04 fix: contextualize identity persister
d64b5757 fix: convert all identifiers to lower case on login (#815)
ebe4e643 fix: courier adress (#1198)
5396a82c fix: courier message dequeue race condition (#1024)
a2d6eeb2 fix: define credentials types as sql template and resolve crdb issue
efedc920 fix: dereference pointer types from new flow structures (#1019)
bbfcbf9c fix: do not include smtp in tracing (#1268)
3726ed4d fix: do not publish version at public endpoint
554bb0b4 fix: do not reset registration method
1fcc8557 fix: do not return system errors for missing identifiers
13841487 fix: export mailhog dockertest runner
bd9d28fe fix: fix random delay norm distribution math (#1131)
68a09e7f fix: fork audit logger from root logger
0bb3eb6d fix: gitlab oidc flow (#1159)
2f62041a fix: give specific message instead of only 404 when method is disabled (#1025)
ada6997f fix: ignore unset domain aliases
43e96788 fix: improve cli error output
43517737 fix: improve error stack trace
456fd254 fix: improve error tracing (#1005)
2f92a706 fix: improve test contextualization
98962892 fix: initialize randomdelay with seeded source
92b79b86 fix: insert credentials type constants as part of migrations (#865)
be02a70c fix: linking a connection may result in system error (#990)
62d8b852 fix: marking whoami auhorization parameter as 'in header' (#1244)
029781f6 fix: move schema loaders to correct file
2588fb48 fix: move to new transaction-safe migrations (#1063)
08794461 fix: pass down context to registry
1d5854d6 fix: re-enable SDK generation
db35d8ff fix: record cypress runs
3457e1a4 fix: rehydrate settings form on successful submission
b8eb9085 fix: remove absolete 'make pack' from Dockerfile (#1172)
85eea674 fix: remove continuity cookies on errors
1764e3a0 fix: remove include stubs
230fd138 fix: remove obsolete clihelpers
84a9315a fix: remove record from bash script
1fe137e0 fix: remove stray non-ctx configs (#1053)
59581e3f fix: remove trailing double-dot from error
1445d1d1 fix: remove unused sql migration
30a8cee2 fix: remove unused var
98cfec6d fix: remove verify hook
3803c8ce fix: replace jwt module (#1254)
fb582aa0 fix: resolve build and release issues
599e9f77 fix: resolve clidoc issues
63063c15 fix: resolve compile issues
5a4f0d92 fix: resolve contextualized table issues
9f6edfd1 fix: resolve crdb migration issue
032322c6 fix: resolve double hook invokation for registration
f88b6abe fix: resolve incorrect field types on oidc sign up completion
75a995b3 fix: resolve lint issues
03488250 fix: resolve lint issues
c8396f60 fix: resolve linting issues and disable nancy
b968bc4e fix: resolve mail queue issues
9862ac72 fix: resolve merge regressions
f28087aa fix: resolve oidc e2e regressions
f5091fac fix: resolve oidc regressions and e2e tests
3159c0ab fix: resolve potential fsnotify leaks
8bae3565 fix: resolve regressions and test failures
9e34bf2f fix: resolve regressions in cookies and payloads
4b611f34 fix: resolve settings sudo regressions
e3fb0281 fix: resolve test regressions
8e744b93 fix: resolve ui issues with nested form objects
d0d661aa fix: resolve update regression
27b977eb fix: return delay instead of sleeping to improve tests
c18b97f3 fix: revert generator changes
0d804471 fix: run correct error handler for registration hooks
33d29bf7 fix: simplify data breaches password error reason (#1136)
d420fe6e fix: support form and json formats in decoder
eb0b69d5 fix: update openapi definitions for signup
c19b2f4c fix: update quickstart node image
4c2a1b7f fix: update to new goreleaser config
6ec987ae fix: update to new healthx
1c0e52ec fix: use equalfold
d75a378e fix: use new TB interface
468a12e5 fix: use numerical User ID instead of name to avoid k8s security warnings (#1151)
1e56457d fix: use remote dependencies
6e15f6f8 refactor: adapt new sdk in testhelpers
407fd958 refactor: add nid everywhere
7ebc3a9a refactor: contextualize everything
fc42ece2 refactor: do not use prefixed node names
31511872 refactor: improve Argon2 tooling (#961)
09f8ae57 refactor: move faker to exportable module
7eca67eb refactor: move migratest helpers to ory/x
cd0e0ebb refactor: move password config to selfservice
43c4a13c refactor: move to go 1.16 embed
e27fae4b refactor: remove password node attribute prefix
a3ff6f7e refactor: remove profile node attribute prefix
4a2f4197 refactor: rename config structs and interfaces
5da155a0 refactor: rename form to container
f74a5c25 refactor: replace flow's forms with new ui node module
647eb1e6 refactor: replace flow's forms with new ui node module
d4ca364f refactor: replace login flow methods with ui container
cac04562 refactor: replace recovery flow methods with ui container
3f6388d0 refactor: replace registration flow methods with ui container
0efd17e7 refactor: replace settings flow methods with ui container
dbf26687 refactor: replace verification flow methods with ui container
5eb1bc0b refactor: replace viper with koanf config management
62683106 refactor: update RegisterFakes calls
26829d21 refactor: use underscore in webhook auth types
193d2668 styles: format
ada5dbb5 styles: format
e4b7e79f styles: format
17a0bf58 styles: format
ba1eeef4 styles: format
1ebfbdea styles: format
f525fc53 test(e2e): significantly reduce wait and idle times
f95a1176 test: add case to ensure correct behavior when verifying a different email address (#999)
f80691b9 test: add oasis test case
b3dc925a test: bump poll interval
b7f8d042 test: bump video quality
b2e43f8b test: bump wait times
cf494149 test: clean up hydra env before restart
4bec9ef5 test: longer wait times
2e3764ba test: reliable migration tests on crdb
16dca3f7 test: remove old noop test
c1b5ba42 test: resolve compile issues
cb670a85 test: resolve flaky tests
a1b9b9a9 test: resolve json parser test regression
388b5b27 test: resolve login integration regressions
2051a716 test: resolve migration regression
ff791c41 test: resolve more json parser test regressions
c5a23af8 test: resolve more regressions
40a849ca test: resolve order regression
f0c9e5ff test: resolve regression
e2b0ad3c test: resolve regression
4b9da3c9 test: resolve regressions
82650cf1 test: resolve stub regressions
de0b65d9 test: resolve test migrations
ccf9fedd test: resolve test regression issues
a16737cc test: speed up tests
d1ddfa80 test: update schema tests for webhooks
55fb37f6 test: update test description
cabe97d0 test: use bcrypt cost 4 to reduce CI times
d90cf132 test: use fast bcrypt for e2e
c30eb26f tests: initial documentation tests via Text-Runner (#567)

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.6-sqlite
• docker pull oryd/kratos:v0.6.0-sqlite
• docker pull oryd/kratos:v0.6.0-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.6
• docker pull oryd/kratos:v0.6.0
• docker pull oryd/kratos:v0.6.0-alpha.1
• docker pull oryd/kratos:latest

The ORY Community is proud to present you the next iteration of ORY Kratos. In this release, we focused on improving production stability!

0.5.5-alpha.1 (2020-12-09)

Bug Fixes

• CSRF token is required when using the Revoke Session API endpoint (#839) (d3218a0), closes #838

• Incorrect home path (#848) (5265af0)

• Make password policy configurable (#888) (7a00483), closes #450 #316:

  Allows configuring password breach thresholds and optionally enforces checks against the HIBP API.

• Remove obsolete types (#887) (b8bac7a), closes #716

• Set samesite attribute to lax if in dev mode (#824) (91d6698), closes #821

• Use working cache-control header for cdn/proxies/cache (#869) (d8e3d40), closes #601

Documentation

• Add contributing to sidebar (#866) (44f33f9):

  The same change as in https://github.com/ory/hydra/pull/2209

• Add newsletter to config (1735ca2)

• Add recovery flow (#868) (d95cfe9), closes #864:

  Added a short section for the recovery flow on managing-user-identities.

• Fix account recovery click instruction (#870) (383de9e)

• Fix broken link (#893) (dec38a2), closes #835

• Fix oidc config example structure (#845) (c102a68)

• Fix redirect (#802) (b868782)

• Fix typo (#847) (9b3da9f)

• Fix typo (#881) (3078293)

• Fix typo MKFA to MFA (#826) (a5613d0)

• Remove workaround note (#886) (05409bc), closes #718

• Swagger specs for selfservice settings browser flow (#825) (28d50f4)

• Update oidc provider with json conf support (#833) (670eb37)

Features

• Add return_to parameter to logout flow (#823) (1c146dd), closes #702
• Add selinux compatible quickstart config (#889) (0f87948), closes #831

Tests

• Ensure registration runs only once (#872) (5ffc036)

Unclassified

• docs: fix link and typo in Configuring Cookies (#883) (c51ed6b), closes #883

Changelog

f0caf516 autogen(docs): generate and format documentation
62faa5f7 autogen(docs): generate and format documentation
faf0bf15 autogen(docs): generate and format documentation
65304575 autogen(docs): generate and format documentation
51dc5932 autogen(docs): generate and format documentation
5279e048 autogen(docs): generate and format documentation
37ac90c8 autogen(docs): generate and format documentation
991e9670 autogen(docs): generate and format documentation
263e3644 autogen(docs): generate and format documentation
62b4d638 autogen(docs): generate and format documentation
5aaef917 autogen(docs): generate cli docs
ed32fc62 autogen(docs): regenerate and update changelog
b008e873 autogen(docs): regenerate and update changelog
74667081 autogen(docs): regenerate and update changelog
c700c2d3 autogen(docs): regenerate and update changelog
105181d5 autogen(docs): regenerate and update changelog
a9cac1cb autogen(docs): regenerate and update changelog
6c7779ce autogen(docs): regenerate and update changelog
bbaebd7a autogen(docs): regenerate and update changelog
3ecdc028 autogen(docs): regenerate and update changelog
9b8da55c autogen(docs): regenerate and update changelog
0ba72e93 autogen(docs): regenerate and update changelog
096c44d2 autogen(docs): regenerate and update changelog
5121fa0f autogen(docs): update milestone document
347ad056 autogen(docs): update milestone document
14bc665e autogen(docs): update milestone document
c7b80118 autogen(docs): update milestone document
5beb7b08 autogen(docs): update milestone document
ba525c64 autogen(docs): update milestone document
624b7f78 autogen: add v0.5.4-alpha.1 to version.schema.json
83aedcb8 autogen: pin v0.5.5-alpha.1 release commit
42c4d3d8 autogen: pin v0.5.5-alpha.1.pre.1 release commit
f742074a chore: bump ory/x and use pkgerx migration box (#860)
260f6448 chore: format docs
5eb799fb chore: remove .DS_Store (#819)
0943ff6c chore: update docusaurus template
4b540cf0 chore: update docusaurus template (#827)
9c90d5c4 chore: update docusaurus template (#836)
946632a3 chore: update docusaurus template (#837)
2adc2752 chore: update docusaurus template (#840)
09c12a2d chore: update docusaurus template (#841)
3e2d8522 chore: update docusaurus template (#843)
ad05e041 chore: update docusaurus template (#850)
ad1a6620 chore: update docusaurus template (#852)
4c92ff8d chore: update docusaurus template (#855)
35b748ff chore: update docusaurus template (#856)
a6e1a170 chore: update docusaurus template (#857)
b4ec7af3 chore: update docusaurus template (#859)
117245dc chore: update docusaurus template (#867)
9f2cefa4 chore: update docusaurus template (#871)
7e4435df chore: update docusaurus template (#876)
a724372b chore: update docusaurus template (#877)
3244ff64 chore: update docusaurus template (#878)
7620f979 chore: update docusaurus template (#880)
566a91bb chore: update docusaurus template (#884)
678c1d18 chore: update docusaurus template (#885)
b97861de chore: update repository templates (#844)
aa8b5c67 chore: update repository templates (#851)
e92ed174 chore: update repository templates (#853)
c9253cff ci: always build docs
3ab9e9df ci: bump ory-prettier-styles and run format check in validate
04cb93b7 ci: disable dupl due to false positives (#892)
44f33f97 docs: add contributing to sidebar (#866)
1735ca2c docs: add newsletter to config
d95cfe97 docs: add recovery flow (#868)
383de9ec docs: fix account recovery click instruction (#870)
dec38a28 docs: fix broken link (#893)
c102a684 docs: fix oidc config example structure (#845)
b8687822 docs: fix redirect (#802)
9b3da9f0 docs: fix typo (#847)
30782937 docs: fix typo (#881)
a5613d08 docs: fix typo MKFA to MFA (#826)
05409bc1 docs: remove workaround note (#886)
28d50f45 docs: swagger specs for selfservice settings browser flow (#825)
670eb37d docs: update oidc provider with json conf support (#833)
c51ed6b7 docs: fix link and typo in Configuring Cookies (#883)
1c146dd2 feat: add return_to parameter to logout flow (#823)
0f879481 feat: add selinux compatible quickstart config (#889)
d3218a0f fix: CSRF token is required when using the Revoke Session API endpoint (#839)
5265af00 fix: incorrect home path (#848)
7a004839 fix: make password policy configurable (#888)
b8bac7aa fix: remove obsolete types (#887)
91d6698e fix: set samesite attribute to lax if in dev mode (#824)
d8e3d400 fix: use working cache-control header for cdn/proxies/cache (#869)
a87dd81e style: format
76f371f5 style: format
5ffc036a test: ensure registration runs only once (#872)

Docker images

• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.5
• docker pull oryd/kratos:v0.5.5
• docker pull oryd/kratos:v0.5.5-alpha.1
• docker pull oryd/kratos:latest
• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.5-sqlite
• docker pull oryd/kratos:v0.5.5-sqlite
• docker pull oryd/kratos:v0.5.5-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite

This release introduces the new CLI command kratos hashers argon2 calibrate 500ms. This command will choose the best parameterization for Argon2. Check out the Choose Argon2 Parameters for Secure Password Hashing and Login blog article for more insights!

0.5.4-alpha.1 (2020-11-11)

Bug Fixes

• Case in settings handler method (#798) (83eb4e0)

• Force brew install statement (#796) (ad542ad):

  Closes https://github.com/ory/homebrew-kratos/issues/1

Code Refactoring

• Move pkger and ioutil helpers to ory/x (60a0fc4)

Documentation

• Fix another broken link (15bae9f)
• Fix broken links (#795) (0ab0e7e), closes #793
• Fix broken relative link (#812) (b32b173)
• Fix links (#800) (5fcc272)
• Fix oidc config examples (#799) (8a4f480)
• Fix self-service recovery flow typo (#807) (800110d)
• Remove duplicate words & fix spelling (#810) (4e1b966)
• Remove leftover category from reference sidebar (#813) (94fde51)
• Use correct links (#797) (a4de293)

Features

• Add helper for choosing argon2 parameters (#803) (ca5a69b), closes #723 #572 #647:

  This patch adds the new command "hashers argon2 calibrate" which allows one to pick the desired hashing time for password hashing and then chooses the optimal parameters for the hardware the command is running on:

  $ kratos hashers argon2 calibrate 500ms
  Increasing memory to get over 500ms:
      took 2.846592732s in try 0
      took 6.006488824s in try 1
    took 4.42657975s with 4.00GB of memory
  [...]
  Decreasing iterations to get under 500ms:
      took 484.257775ms in try 0
      took 488.784192ms in try 1
    took 486.534204ms with 3 iterations
  Settled on 3 iterations.
  
  {
    "memory": 1048576,
    "iterations": 3,
    "parallelism": 32,
    "salt_length": 16,
    "key_length": 32
  }
  

Changelog

18290427 autogen(docs): generate and format documentation
e1ff24a3 autogen(docs): regenerate and update changelog
4fdb8608 autogen(docs): regenerate and update changelog
b95e176e autogen(docs): regenerate and update changelog
4fd3b470 autogen(docs): regenerate and update changelog
ddcffff6 autogen(docs): regenerate and update changelog
c9ba42b3 autogen(docs): regenerate and update changelog
1595edad autogen(docs): regenerate and update changelog
d9e27c81 autogen(docs): regenerate and update changelog
7784eee7 autogen(docs): regenerate and update changelog
13d8a404 autogen(docs): regenerate and update changelog
9247ec92 autogen(docs): update milestone document
75185b5d autogen(docs): update milestone document
aa1e3924 autogen(docs): update milestone document
5ea97dff autogen: add v0.5.3-alpha.1 to version.schema.json
b02926c4 autogen: pin v0.5.4-alpha.1 release commit
4645ef08 chore: update docusaurus template
58d86bd4 chore: update docusaurus template (#806)
cb4bbf63 chore: update docusaurus template (#816)
15bae9f8 docs: fix another broken link
0ab0e7ec docs: fix broken links (#795)
b32b173f docs: fix broken relative link (#812)
5fcc272e docs: fix links (#800)
8a4f4801 docs: fix oidc config examples (#799)
800110d8 docs: fix self-service recovery flow typo (#807)
4e1b9666 docs: remove duplicate words & fix spelling (#810)
94fde510 docs: remove leftover category from reference sidebar (#813)
a4de2939 docs: use correct links (#797)
ca5a69b7 feat: add helper for choosing argon2 parameters (#803)
83eb4e00 fix: case in settings handler method (#798)
ad542ad5 fix: force brew install statement (#796)
60a0fc44 refactor: move pkger and ioutil helpers to ory/x
a046ef9b style: format

Docker images

• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.5
• docker pull oryd/kratos:v0.5.4
• docker pull oryd/kratos:v0.5.4-alpha.1
• docker pull oryd/kratos:latest
• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.5-sqlite
• docker pull oryd/kratos:v0.5.4-sqlite
• docker pull oryd/kratos:v0.5.4-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite

This release improves the developer and user experience around CSRF counter-measures. It should now be possible to use the self-service API flows without having to explicitly disable cookie features in your SDKs and integrations. Additionally, another issue in the CGO pipeline was resolved which finally allows running ORY Kratos without CGO if the target database is not SQLite.

Further improvements to default config values have been made and a full end-to-end test suite for the exemplary kratos-selfservice-ui-react-native app. The app is now available in the iTunes store as well - just search for "ORY Profile App"!

0.5.3-alpha.1 (2020-10-27)

Bug Fixes

• Add "x-session-token" to default allowed headers (3c912e4)

• Do not set cookies on api endpoints (2f67c28)

• Do not set csrf cookies on potential api endpoints (4d97a95)

• Ignore unsupported migration dialects (12bb8d1), closes #778:

  Skips sqlite3 migrations when support is lacking.

• Improve semver regex (584c0b5)

• Properly set nosurf context even when ignored (0dcb774)

• Update cypress (ba8b172)

• Use correct regex for version replacement (ce870ab), closes #787

Documentation

• Fix docosaurus admonitions (#788) (281a7c9)
• Pin download script version (e4137a6)
• Remove trailing garbage from quickstart (#787) (7e70924)

Features

• Improve makefile install process and update deps (d1eb37f)

Tests

• Add e2e tests for mobile (d481d51)
• Add option to disable csrf protection in apis (a0077f1)
• Bump wait time (7a719e1)
• Install expo-cli globally (db21cfa)
• Install expo-cli in cci config with sudo (d255f46)
• Log wait-on output (62b5ba9)
• Output web server address (cb41ca7)
• Resolve csrf test issues in settings (ef8ba7d)
• Resolve test panic (6f6461f)
• Revert delay increase and improve install scripts (1eafcaa)

Changelog

6fdc7726 autogen(docs): generate and format documentation
6536f46b autogen(docs): regenerate and update changelog
389e0f99 autogen(docs): regenerate and update changelog
0404e753 autogen(docs): update milestone document
41a8eaff autogen(docs): update milestone document
0fec10c9 autogen: add v0.5.2-alpha.1 to version.schema.json
054e2e3d autogen: add v0.5.3-alpha.1.pre.0 to version.schema.json
64dc91af autogen: pin v0.5.3-alpha.1 release commit
0de4f93e autogen: pin v0.5.3-alpha.1.pre.0 release commit
c551f0f2 chore: bump cypress dependency
4dac92d1 chore: update docusaurus template
281a7c92 docs: fix docosaurus admonitions (#788)
e4137a6a docs: pin download script version
7e709242 docs: remove trailing garbage from quickstart (#787)
d1eb37f5 feat: improve makefile install process and update deps
3c912e4c fix: add "x-session-token" to default allowed headers
2f67c287 fix: do not set cookies on api endpoints
4d97a95d fix: do not set csrf cookies on potential api endpoints
12bb8d14 fix: ignore unsupported migration dialects
584c0b50 fix: improve semver regex
0dcb7741 fix: properly set nosurf context even when ignored
ba8b1729 fix: update cypress
ce870aba fix: use correct regex for version replacement
7be571ec style: format and update format toolchain
d481d51f test: add e2e tests for mobile
a0077f12 test: add option to disable csrf protection in apis
7a719e17 test: bump wait time
db21cfa1 test: install expo-cli globally
d255f462 test: install expo-cli in cci config with sudo
62b5ba92 test: log wait-on output
cb41ca78 test: output web server address
ef8ba7dc test: resolve csrf test issues in settings
6f6461fe test: resolve test panic
1eafcaa8 test: revert delay increase and improve install scripts

Docker images

• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.5
• docker pull oryd/kratos:v0.5.3
• docker pull oryd/kratos:v0.5.3-alpha.1
• docker pull oryd/kratos:latest
• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.5-sqlite
• docker pull oryd/kratos:v0.5.3-sqlite
• docker pull oryd/kratos:v0.5.3-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite

This release addresses bugs and user experience issues.

0.5.2-alpha.1 (2020-10-22)

Bug Fixes

• Add debug quickstart yml (#780) (16e6b4d)
• Gracefully handle double slashes in URLs (aeb9414), closes #779
• Merge gobuffalo CGO fix (fea2e77)
• Remove obsolete recovery_token and add link to schema (acf6ac4)
• Return correct error in login csrf (dd9cab0), closes #785
• Use correct assert package (76be5b0)

Documentation

• Small improvements to discord oidc provider guide (#783) (6a3c453)

Tests

• Add tests for csrf behavior (48993e2), closes #785
• Mark link as enabled in e2e test (c214b81)
• Resolve schema test regression (bb7af1b)

Changelog

35aef2dd autogen(docs): generate and format documentation
8720041e autogen(docs): regenerate and update changelog
8ce70d1f autogen(docs): regenerate and update changelog
bb4277fa autogen(docs): regenerate and update changelog
850155de autogen(docs): update milestone document
20da86cd autogen(docs): update milestone document
6eddbcb0 autogen: add v0.5.1-alpha.1 to version.schema.json
79fcd8a6 autogen: pin v0.5.2-alpha.1 release commit
6a3c4533 docs: small improvements to discord oidc provider guide (#783)
16e6b4d7 fix: add debug quickstart yml (#780)
aeb94147 fix: gracefully handle double slashes in URLs
fea2e77c fix: merge gobuffalo CGO fix
acf6ac4e fix: remove obsolete recovery_token and add link to schema
dd9cab0e fix: return correct error in login csrf
76be5b0a fix: use correct assert package
48993e2c test: add tests for csrf behavior
c214b81a test: mark link as enabled in e2e test
bb7af1b7 test: resolve schema test regression

Docker images

• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.5
• docker pull oryd/kratos:v0.5.2
• docker pull oryd/kratos:v0.5.2-alpha.1
• docker pull oryd/kratos:latest
• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.5-sqlite
• docker pull oryd/kratos:v0.5.2-sqlite
• docker pull oryd/kratos:v0.5.2-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite