🧑🚀 The better identity infrastructure for developers and the open-source alternative to Auth0.
MPL-2.0 License
Published by silverhand-bot over 1 year ago
We'll post some tutorials soon.
Published by silverhand-bot over 1 year ago
Note
Our brand new blog just landed. Let's enjoy the new design and beautiful illustrations by @Rany0101.
Support CLI arguments in @logto/create (#2206 #3777)
Provide Management APIs to help link social identities to a user:
- /users/:userId/identities to link a social identity to a user
- /connectors/:connectorId/authorization-uri to get the authorization URI for a connector
The OpenAPI (Swagger) document for the Management API is served at /api/swagger.json. Also available in https://docs.logto.io/api/.
Published by silverhand-bot over 1 year ago
Expose crypto.getRandomValues in the connector execution scope; this fixes an error in the AWS SES connector.
Published by silverhand-bot over 1 year ago
This release contains only internal engineering improvements.
Published by silverhand-bot over 1 year ago
Note
We've received valuable feedback from our community since launching Logto Cloud (Preview) and OSS General Availability. Thank you!
Over the past month, we've been focused on enhancing Logto's functionality, fixing bugs, and improving its security features. Additionally, we're working on developing a reasonable pricing model and finalizing the details. If you're interested, please don't hesitate to contact us.
Redis cache support: We’ve added support for Redis as a central cache for well-known data. This will allow for faster and more efficient data retrieval. See 🗄️ Enable central cache for details.
New CLI command: We’ve added a new CLI command logto connector link to link local connectors without downloading from the remote. See Manage connectors for details.
Translation updates: We’ve added Italian (it) and Polish (pl-PL) translations to make Logto more accessible to users worldwide.
Console updates:
The web console now supports creating users with multiple identifiers, such as email, phone number, and username.
On the user details page, you can now suspend or reactivate a user from the "more options" menu (accessible by clicking the three-dot button in the top right corner).
Two new Management APIs:
- POST /users/:userId/password/verify to verify a user's password
- GET /users/:userId/has-password to check whether a user has a password
We've applied various security headers to server responses. Violations are currently only reported, not blocked (report-only mode); we'll enforce the headers in the next version. In most cases, no action is required. Please see #3590 #3613 for details.
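To make "report-only" concrete, here is an added example (my own code, not Logto's) that audits a set of response headers and tells an enforced Content-Security-Policy apart from one sent in Report-Only mode, which reports violations but blocks nothing. The header sets are constructed for illustration and are not what Logto actually sends; the baseline header list is my choice, not the page's.

```javascript
// Added example: not Logto's code. Audits response headers and distinguishes an
// enforced Content-Security-Policy from a Report-Only one. Header sets below are
// constructed for illustration; the baseline list is an assumption of this example.

// Other headers a baseline check expects from an identity provider's responses.
const BASELINE = [
  'strict-transport-security',
  'x-content-type-options',
  'x-frame-options',
  'referrer-policy',
];

// Lower-case the header names so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value);
  return out;
}

function auditSecurityHeaders(rawHeaders) {
  const h = normalize(rawHeaders);
  const findings = [];
  const enforced = h['content-security-policy'];
  const reportOnly = h['content-security-policy-report-only'];

  if (enforced) {
    findings.push({ header: 'content-security-policy', status: 'enforced' });
  } else if (reportOnly) {
    findings.push({ header: 'content-security-policy', status: 'report-only' });
    // A Report-Only policy with no reporting endpoint never tells anyone anything.
    if (!/\breport-(uri|to)\b/i.test(reportOnly)) {
      findings.push({ header: 'content-security-policy-report-only', status: 'no-report-endpoint' });
    }
  } else {
    findings.push({ header: 'content-security-policy', status: 'missing' });
  }

  for (const name of BASELINE) {
    findings.push({ header: name, status: name in h ? 'present' : 'missing' });
  }
  return findings;
}

// Convenience views over the findings.
function cspStatus(headers) {
  return auditSecurityHeaders(headers).find((f) => f.header === 'content-security-policy').status;
}
function missingHeaders(headers) {
  return auditSecurityHeaders(headers).filter((f) => f.status === 'missing').map((f) => f.header);
}
function hasFinding(headers, status) {
  return auditSecurityHeaders(headers).some((f) => f.status === status);
}

// Constructed samples: a rollout in report-only mode, then the enforced version,
// then a report-only policy that can never report anything.
const REPORT_ONLY_ROLLOUT = {
  'Content-Security-Policy-Report-Only': "default-src 'self'; report-uri /csp-report",
  'X-Content-Type-Options': 'nosniff',
};
const ENFORCED_ROLLOUT = {
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};
const INERT_REPORT_ONLY = { 'Content-Security-Policy-Report-Only': "default-src 'self'" };

console.log(cspStatus(REPORT_ONLY_ROLLOUT), missingHeaders(REPORT_ONLY_ROLLOUT));
```

Feed it the headers of a real response (for example the object returned by fetch's `response.headers` turned into a plain object) to see which protections are already enforced and which are still in report-only mode.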
Other important features we're planning for this year include SSO, MFA, and Organizations. Stay tuned!
Full Changelog: https://github.com/logto-io/logto/compare/v1.1.0...v1.2.0
Published by silverhand-bot over 1 year ago
Note
Except Korean (한국어), the other languages are credited to ChatGPT.
This release also includes various improvements and bug fixes.
Full Changelog: https://github.com/logto-io/logto/compare/v1.0.3...v1.1.0
Published by silverhand-bot over 1 year ago
Fix the @logto/schemas not found issue.
Note
For the recent major release, please refer to Announcing Logto Cloud (Preview) and OSS General Availability.
Published by silverhand-bot over 1 year ago
Published by silverhand-bot over 1 year ago
Did you know?
We have refreshed the Logto logo! We simplified the gradients but made our brand color stronger, resulting in improved recognizability.
We are grateful for your participation in testing Logto OSS, and we're excited to announce our first general availability version. In this version, we have delivered numerous improvements to the sign-in experience, making it more delightful for your end-users. This new release also includes several new practical features.
Note
In case you missed it, please see the letter from Gao: Announcing Logto Cloud (Preview) and OSS General Availability.
Let's take a look at what's new!
Rename the /api/phrase API to /api/.well-known/phrases.
The console now has a custom CSS code editor in the “Sign-in experience” tab that allows you to apply advanced UI customization to your application. You can preview your changes in real-time via the sign-in experience preview on the right side.
The console now supports a drag-and-drop image uploader for multiple scenarios. If a storage provider is configured in the system, you can upload images directly from your local file system. The first version of the uploader supports AWS S3 and Azure Blob Storage. For more information, please refer to the Configure storage providers documentation.
We have removed the previous profile component and moved it to the user profile page. You can access the page by clicking your user avatar in the top right corner. From there, you can also change your language or theme directly from the popover menu.
On the profile page, you can update your avatar, name, and username, as well as change your password. For cloud users, it is now possible to link your email address and social accounts (Google and GitHub at first launch).
Added "Powered by Logto" to the sign-in experience.
We have added a new CLI command db system that allows you to get/set the system table value for your database. Enter logto db system --help in your terminal for details.
A new parameter has been added to our JavaScript SDKs which allows you to specify the desired user interaction experience. For instance, in our React SDK:
const { signIn } = useLogto();
// Shows the sign-in page
void signIn('https://some-callback-url');
// Shows the sign-up page
void signIn('https://some-callback-url', 'signUp');
Other SDKs will be updated soon.
A new country code selector dropdown component with a search box has been added to sign-in experience, allowing users to quickly search for a country code by typing in the search box.
Users can now upload their own favicon in the sign-in-experience branding settings. A local logto icon will be used as a fallback.
Instead of showing “Logto”, now sign-in experience will change the page title based on the current context, for example, “Create account”.
The password policy has been updated to require a minimum of 8 characters drawn from letters, numbers, and symbols. The allowed characters now include 0-9, a-z, A-Z, and symbols.
Users must now use at least two out of three types of characters (letters, numbers, symbols).
Note the new password policy only applies to new users or new passwords. Existing users can continue to use their old password to sign in.
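As an added example (my own code, not Logto's implementation), here is a validator for the policy just described: at least 8 characters, only digits, letters and symbols, and at least two of the three character types. The page does not list the exact symbol set Logto accepts, so this assumes the printable ASCII punctuation characters; the rule names are mine.

```javascript
// Added example: not Logto's implementation. Validates a candidate password against
// the policy described above. The symbol set (printable ASCII punctuation) is an
// assumption; Logto's exact list is not given on this page.

const MIN_LENGTH = 8;
const TYPES = {
  letter: /[a-zA-Z]/,
  number: /[0-9]/,
  symbol: /[!-\/:-@\[-`{-~]/, // ASCII punctuation ranges (assumption)
};
// Every allowed character as one class; anything else (space, non-ASCII) is rejected.
const ALLOWED = /^[0-9a-zA-Z!-\/:-@\[-`{-~]*$/;

// Returns every failed rule at once so a form can show them together.
function checkPassword(password) {
  if (typeof password !== 'string') {
    return { ok: false, types: [], reasons: ['not_a_string'] };
  }
  const reasons = [];
  if (password.length < MIN_LENGTH) reasons.push('too_short');
  if (!ALLOWED.test(password)) reasons.push('invalid_character');
  const types = Object.keys(TYPES).filter((name) => TYPES[name].test(password));
  if (types.length < 2) reasons.push('needs_two_character_types');
  return { ok: reasons.length === 0, types, reasons };
}

console.log(checkPassword('passw0rd'), checkPassword('password'));
```

Run `checkPassword` only where a password is being set or changed; as the note above says, the policy does not apply to existing users signing in with an old password.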
The new lite version only contains one field for the password and will be used only if the forgot-password feature is enabled (the password can be reset either by email or by phone). If you don't have any email or SMS service enabled, the old version of the set-password form containing two fields (password and confirm password) will still be used.
A new Privacy Policy URL field has been added to the sign-in-experience settings to support end-users' privacy declaration needs.
The Terms of Use and Privacy Policy manual agreement steps have been removed from the sign-in flow. The agreement checkbox in sign-in pages has been replaced with links to the Terms of Use and Privacy Policy.
Users can still read the agreements before signing in. However, the manual agreement is still mandatory for the sign-up flow, including sign-up with new social identities.
Published by silverhand-bot over 1 year ago
While Logto Cloud is still under construction, we would like to introduce some new features to our foundation, Logto OSS. This will be the last version before general availability.
Notable updates include:
Let's take a look at what's inside!
Logto was using a single port to serve both normal users and admins, as well as the web console. While we continuously maintain a high level of security, it’ll still be great to decouple these components into two separate parts to keep data isolated and provide a flexible infrastructure.
Note
From this version, Logto listens to two ports by default, one for normal users (3001), and one for admins (3002).
- The admin console is now served at http://localhost:3002/console.
- To change the admin port, set ADMIN_PORT. For instance, ADMIN_PORT=3456.
- To serve the admin side from its own domain, set ADMIN_ENDPOINT. For example, ADMIN_ENDPOINT=https://admin.your-domain.com.
- To disable the admin side entirely, set ADMIN_DISABLE_LOCALHOST=1 and leave ADMIN_ENDPOINT unset.
- The user-facing endpoint is still resolved from localhost and ENDPOINT from the environment.
- The Management API resource indicator has changed from https://api.logto.io to https://default.logto.app/api.
If you are upgrading from a previous version, simply run the database alteration command as usual, and we'll take care of the rest.
DID YOU KNOW?
Under the hood, we use the powerful Postgres feature Row-Level Security to isolate admin and user data.
If ADMIN_ENDPOINT is not specified, localhost:[admin-port] will be allowed to perform Cross-Origin Resource Sharing (CORS) in Logto. If ADMIN_ENDPOINT is specified, only requests from the origin of ADMIN_ENDPOINT will be allowed.
In previous versions, when registering or changing passwords, all new passwords were stored in plain text in the Audit Logs before being hashed and inserted into the database.
In this version, we have updated the process to fully mask password fields before inserting them into the Audit Logs.
Warning
For enhanced security and compliance, we strongly recommend removing all passwords from the Audit Logs or deleting all logs that include passwords.
If you have any questions regarding this issue or the removal of data, please do not hesitate to contact us via email or Discord.
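The admin CORS rule above (localhost on the admin port when ADMIN_ENDPOINT is unset, otherwise only the origin of ADMIN_ENDPOINT) is easy to get subtly wrong, so here is an added example, my own model and not Logto's code, that decides whether an Origin header is allowed. It assumes plain http for the localhost case and reads ADMIN_DISABLE_LOCALHOST as 1 or true; origins are compared exactly, never by prefix, so a look-alike host is rejected.

```javascript
// Added example: not Logto's code, a model of the admin CORS rule described above.
// Assumptions: localhost is served over plain http; ADMIN_DISABLE_LOCALHOST is
// "1" or "true"; `env` is a plain object mirroring process.env.

function adminAllowedOrigin(env) {
  if (env.ADMIN_ENDPOINT) {
    // Only scheme + host + port count; any path on ADMIN_ENDPOINT is ignored.
    return new URL(env.ADMIN_ENDPOINT).origin;
  }
  // ADMIN_DISABLE_LOCALHOST set with no ADMIN_ENDPOINT: nothing is allowed.
  const disabled = String(env.ADMIN_DISABLE_LOCALHOST || '').toLowerCase();
  if (disabled === '1' || disabled === 'true') return null;
  return `http://localhost:${env.ADMIN_PORT || '3002'}`;
}

// `origin` is the request's Origin header. Browsers send the literal string
// "null" for opaque origins, which fails to parse and is therefore rejected.
function isAdminOriginAllowed(origin, env) {
  const allowed = adminAllowedOrigin(env);
  if (allowed === null || typeof origin !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // "null", empty, or malformed
  }
  // A genuine Origin header never carries a path, query or fragment.
  if (parsed.pathname !== '/' || parsed.search !== '' || parsed.hash !== '') return false;
  // Exact origin comparison: "https://admin.example.com.evil.example" is not a prefix match.
  return parsed.origin === allowed;
}

console.log(isAdminOriginAllowed('http://localhost:3002', {}));
```

The `parsed.origin === allowed` comparison is the whole point: checking `origin.startsWith(allowed)` would accept `https://admin.your-domain.com.evil.example`, and comparing hostnames alone would accept a downgraded `http://` origin.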
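To show what "fully mask password fields before inserting them into the Audit Logs" looks like in code, here is an added example (mine, not Logto's implementation) that redacts password fields from a log payload, walking nested objects and arrays without mutating the input, plus a helper for spotting rows written before masking existed. The key pattern and the sample payload are constructed for this example and do not reflect Logto's log schema.

```javascript
// Added example: not Logto's implementation. Masks password fields in an audit-log
// payload before it is persisted. The key pattern and SAMPLE_LOG are constructed
// for illustration and are not Logto's log schema.

const SENSITIVE_KEY = /password/i; // assumption: any key containing "password"
const MASK = '******';

// Returns a deep copy with sensitive values replaced; the input is left untouched.
function maskSensitive(value) {
  if (Array.isArray(value)) return value.map(maskSensitive);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, child] of Object.entries(value)) {
      out[key] = SENSITIVE_KEY.test(key) ? MASK : maskSensitive(child);
    }
    return out;
  }
  return value; // strings, numbers, booleans, null
}

// True if a known secret appears anywhere in the serialised payload; useful for
// auditing rows that were written before masking was in place.
function leaks(payload, secret) {
  return JSON.stringify(payload).includes(secret);
}

// Constructed sample resembling a request log for a registration.
const SAMPLE_LOG = {
  type: 'Register',
  payload: { username: 'alice', password: 'Hunter2!!', passwordConfirmation: 'Hunter2!!' },
  params: [{ password: 'Hunter2!!' }],
  result: 'Success',
};
const SAFE_LOG = maskSensitive(SAMPLE_LOG);

console.log(JSON.stringify(SAFE_LOG));
```

Masking at the point where the log entry is built, rather than scrubbing the database afterwards, is what prevents the plaintext from ever reaching disk; `leaks` is only for auditing what is already there.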
We have integrated the traditional input fields for username, phone number, and email into a single intelligent input box:
This advanced input box automatically identifies the type of characters you’re entering, such as an @
sign or consecutive numbers, and provides relevant error feedback.
By streamlining the sign-in process, users no longer need to waste time figuring out which button to click to switch their desired login method. This reduces the risk of errors and ensures a smoother sign-in experience.
We have put a lot of effort into improving the user sign-in experience and have provided a brand color option for the UI. However, we know that fine-tuning UI requirements can be unpredictable. While Logto is still exploring the best options for customization, we want to provide a programmatic method to unblock your development.
You can now use the Management API PATCH /api/sign-in-exp with body { "customCss": "arbitrary string" } to set customized CSS for the sign-in experience. The value of customCss is injected into the page right after <title>. If your rules have higher specificity than the built-in styles, they will override them.
For instance, if you want to give your sign-in page a feel of the Night City, try this CSS:
@font-face { font-family: 'Rock Salt'; font-style: normal; font-weight: 400; font-display: swap; src: url(https://fonts.gstatic.com/s/rocksalt/v18/MwQ0bhv11fWD6QsAVOZrt0M6p7NGrQ.woff2) format('woff2'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD; }
@font-face { font-family: 'Share Tech'; font-style: normal; font-weight: 400; font-display: swap; src: url(https://fonts.gstatic.com/s/sharetech/v17/7cHtv4Uyi5K0OeZ7bohU8H0JmBUhfrE.woff2) format('woff2'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD; }
#app * { font-family: 'Share Tech'; letter-spacing: 0.5px; }
#app > div[class$=viewBox] { background-image: url(https://silverhand.io/assets/v-in-nc.jpg); background-size: cover; }
#app main[class$=main] { background-image: url(https://silverhand.io/assets/gentle-universe.png); background-size: cover; opacity: 0.98; min-height: initial; padding: 24px; padding-bottom: 72px; border-radius: 12px; }
#app main[class$=main] img[class$=logo] { content: url(https://silverhand.io/assets/cyberpunk-2077.png); margin: -20px 0 -12px; height: 160px; }
#app main[class$=main] div[class$=headline] { visibility: hidden; height: 60px; }
#app main[class$=main] div[class$=headline]:before { content: 'Welcome to Night City'; visibility: visible; display: block; font-family: 'Rock Salt'; font-style: italic; line-height: 60px; font-size: 20px; color: rgba(245,250,255,0.6); padding: 0 20px; }
#app form div[class$=inputField] > div { outline: none; border: none; border-radius: 4px; }
#app form div[class$=inputField] > div > input, #app form div[class$=inputField] div[class$=countryCodeSelector] { background: initial; background-color: #453f67; font-family: 'Share Tech'; letter-spacing: 0.5px; font-size: 16px; font-weight: 600; }
#app button { font-weight: 600; font-size: 16px; border-radius: 4px; }
#app button[type=submit] { background: linear-gradient(270.84deg, #2FD6FB -24.55%, #6369FC 44.33%, #A741EB 119.2%), #5D34F2; }
"We have a city to burn!"
Note
Since Logto uses CSS Modules, you may see a hash value in the class property of DOM elements (e.g. a <div> with vUugRG_container). To override these, you can use the $= attribute selector to match elements whose class ends with a specified value. In this case, it should be div[class$=container].
Logto now supports standard protocols (SAML, OIDC, and OAuth 2.0) for creating social connectors to integrate external identity providers. Each protocol can create multiple social connectors, giving you more control over your access needs.
Plus, we optimized the config interface for SAML connectors. Try it and let us know what you think!
Added Russian translation. (credit @evist0)
Thank you!
Full Changelog: https://github.com/logto-io/logto/compare/v1.0.0-rc.1...v1.0.0-rc.3
Published by silverhand-bot over 1 year ago
Please see v1.0.0-rc.3.
Published by silverhand-bot over 1 year ago
Note
For the full release notes of the recent major release, please see v1.0.0-rc.0.
Full Changelog: https://github.com/logto-io/logto/compare/v1.0.0-rc.0...v1.0.0-rc.1
Published by silverhand-bot over 1 year ago
Note
Please welcome our first release candidate! Logto is just a few steps away from general availability.
- Remove the GET /settings and PATCH /settings API
- Add the GET /configs/admin-console and PATCH /configs/admin-console API
- /configs/* APIs are config/key-specific now; they may have different logic per key
- Remove the /session APIs
- Update logto db config keys by removing alterationState and adding adminConsole
- Use the all scope for client configs to fetch a proper Access Token
We are excited to introduce our latest addition to our product, Role-Based Access Control (RBAC). This powerful feature gives administrators the ability to assign specific roles and permissions to users, ensuring they only have access to the resources and functions they need to do their job.
With RBAC, administrators can:
Logto takes a major step forward in security and control with easy access management and authorization of sensitive info, ensuring only authorized users have the right to access. This aligns with our vision to provide an open-source identity solution with features for authentication and authorization, and packed with all the features you need.
Note
If you are using Logto SDKs, please upgrade to the latest version to take advantage of RBAC.
Check out our RBAC recipe for a step-by-step guide. Give it a try and let us know what you think!
💡 Logto now detects a trusted email (or phone number) from the social account during social sign-in.
The new Management APIs allow you to reuse connectors to dynamically send and verify verification codes for various purposes, such as validating identity before a user updates their profile or performs a dangerous action.
- /api/verification-code to send a verification code to a given email or phone
- /api/verification-code/verify to verify the code against a given email or phone
In case of any issues with the database, you can now use the logto db alteration rollback [target] command to roll back all database schemas to a previous version, for example logto db alteration rollback v1.0.0-beta.19.
Published by silverhand-bot almost 2 years ago
For full release notes of the recent major release, please see v1.0.0-beta.18.
Published by silverhand-bot almost 2 years ago
🙋 Hey folks!
For the first day of 2023, we shipped a few things for everybody:
Note
We are currently busy working on the general availability version which includes User profile, RBAC (Role-based access control), and much more!
If you want to perform the original fuzzy user search via Management API, adding %
around the keyword is required. E.g.:
Original: GET /users?search=foo
Now: GET /users?search=%foo%
If you are upgrading from an older version of logto, make sure to go through our Database alteration tutorial.
With hooks, Logto can enable the next-level extensibility for you to interact with other services in an event-based manner. E.g., do some async jobs after a new user registered.
We support three events in this version: PostRegister, PostSignIn and PostResetPassword. Check out 🪝 Web hooks for the concept explained and detailed usage.
Management API is a programmatic way to communicate with Logto. We redesigned the user search API to make it powerful for advanced search requests.
Now you can designate one or multiple search fields as well as the match mode. For example, you can search users that:
Exact search is also supported, e.g., search users that name is exactly “John Wick”. See Advanced user search for details.
Logto is built on open standards, and we believe they can eliminate enormous gaps in software development. From this version, Logto supports creating multiple connectors based on the same open standard: OAuth 2.0 or OpenID Connect; We call them “standard connectors”.
We are developing more standard connectors like SAML and LDAP. Feel free to let us know your needs!
Besides, we’d like to highlight our community contributors:
Thank you!
💡 We revisited the Logto admin console UI and gave it a fresh look! The goal is to make the admin console more intuitive and aesthetically pleasing, which helps developers perform their tasks more efficiently.
Now you can feel the following enhancements:
Please check it out and explore, and let us know how you feel! 😉
Due to the increased flexibility and complexity of the Sign-in experience, and to provide even more auditable and structured logs for user interactions, we decided to refactor our Interaction APIs together with the logging mechanism. The original session APIs are deprecated from now on.
Note
This API change does not affect the end-user Sign-in experience.
Audit logs become fine-categorized by the new key definitions, and payloads are optimized for behavior tracing. Check out the “Audit logs” tab in Admin console to feel the change.
Published by silverhand-bot almost 2 years ago
Now GitHub release also has built-in connectors available.
Published by silverhand-bot almost 2 years ago
Note
This release is a hot-fix based on v1.0.0-beta.14.
Users could get stuck during sign-in when email or phone is the sign-up identifier (required), but they don't have one in Logto.
If you enabled email or SMS connector, please add the "Continue" template to make sure "Forgot password" works.
Please upgrade connectors as well to get the latest connector template for "Continue" flow configuration. Or you can go to the connectors repo to read the latest README.
Feel free to jump into our Discord server if you meet any issues.
Published by silverhand-bot almost 2 years ago
🙇 Fix an issue where the CLI could not find the database alteration scripts and Logto failed to start.
Before restarting Logto, run npx @logto/cli db alt deploy to deploy the latest database alterations.
We just switched our publishing to changesets, and it didn't run the version script during version bumping. See #2461 for details.
Published by silverhand-bot almost 2 years ago
Note
If you experience a database alteration issue when upgrading to this version, please upgrade directly to v1.0.0-beta.14.
Logto now uses a case-insensitive strategy for matching emails. Note that we still store the raw value for better email deliverability, so existing accounts whose email addresses are identical after lowercasing will be affected.
Feel free to contact us if this issue blocks the upgrade.
We are thrilled to announce the release of the newest version of the Sign-in Experience, which includes more ways to sign-in and sign-up, as well as a framework that is easier to understand and more flexible to configure in the Admin Console.
When compared to Sign-in Experience v1, this version’s capability was expanded so that it could support a greater variety of flexible use cases. For example, now users can sign up with email verification code and sign in with email and password.
Besides, the forgot password flow will automatically appear when conditions meet.
We hope that this will be able to assist developers in delivering a successful sign-in flow, which will also be appreciated by the end users.
We added a new command db config rotate <key> to support key rotation via the CLI.
When rotating, the CLI generates a new key and prepends it to the corresponding key array. Thus the old key is still valid, and the service will use the new key for signing.
Run logto db config rotate help for detailed usage.
If you want to trim one or more outdated private or secret key(s) from the config, use the command db config trim <key>. It removes the last item (private or secret key) in the array.
You may remove the old key after a certain period (such as half a year) to give most of your users time to pick up the new key.
If you want to remove multiple keys at once, just append a number to the command. E.g. logto db config trim oidc.cookieKeys 3.
Run logto db config trim help for detailed usage.
Thanks @lukashass for adding German language.
Use PATCH /api/users/:userId/is-suspended to update a user's suspended state. Once a user is suspended, all refresh tokens belonging to this user will be revoked.
Suspended users will get an error toast when trying to sign in.
@ihsanguldur @alexgaribay @abellion @djyde
Published by silverhand-bot about 2 years ago
We’re super excited to announce some new capabilities in this release that will make Logto more accessible to developers and users all around the world. Get a taste of them and tell us what you think!
Here, we debut the new CLI and switch OIDC configurations from using environment variables to the database. Updating the Logto core necessitates the following two procedures:
- Run npx @logto/cli db alteration deploy 1.0.0-beta.12 to finish updating the database schema.
Note
For Docker image users: DB_URL_DEFAULT has been changed to DB_URL.
The warm reception Logto has received since its initial release in July has resulted in numerous language contributions from the community. This motivates us to localize and tailor the sign-in process even more.
Now, we're ecstatic to announce that Logto Sign-in Experience has full support for i18n, which means your products can reach a wider global audience and offer more personalized and contextualized options for all users.
The admin console already includes this functionality. The "Language" section of the Sign-in Experience tab is where you'll be able to rapidly set up and manage your keys and custom values.
Wrestling with complicated commands? That's not how we roll. So we're bringing some friendly little things to keep the elegance going even in the command line.
If you're trying to install Logto on your machine, skip the long, scary install command. It now reads:
npm init @logto
And you are all set. Check out Using CLI for a detailed explanation of how to use Logto CLI.
Thank you! 💗