v1.0.0-rc.0 (2023-02-02)

Note
Please welcome our first release candidate! Logto is just a few steps away from general availability.

💥 Breaking changes 💥

• core: remove GET /settings and PATCH /settings API
• core: add GET /configs/admin-console and PATCH /configs/admin-console API
  • /configs/* APIs are config/key-specific now. they may have different logic per key.
• core: officially remove all deprecated /session APIs
• core: use HTTP/2 to serve TLS (HTTPS) connections
• cli: change valid logto db config keys by removing alterationState and adding adminConsole since:
  • OIDC configs and admin console configs are tenant-level configs (the concept of "tenant" can be ignored until we officially announce it)
  • alteration state is still a system-wide config
• for admin access of Machine to Machine applications, now it's required to add scope all for client configs to fetch proper Access Token
  • see 🚝 Interact with Management API for details

🔒 Role-Based Access Control

We are excited to introduce our latest addition to our product, Role-Based Access Control (RBAC). This powerful feature gives administrators the ability to assign specific roles and permissions to users, ensuring they only have access to the resources and functions they need to do their job.

With RBAC, administrators can:

• Define permissions across APIs
• Create custom roles with specific permissions
• Assign roles to users and manage their roles
• Easily manage and update permissions
• Securely validate permissions to protect APIs

Logto takes a major step forward in security and control with easy access management and authorization of sensitive info, ensuring only authorized users have the right to access. This aligns with our vision to provide an open-source identity solution with features for authentication and authorization, and packed with all the features you need.

Note
If you are using Logto SDKs, please upgrade to the latest version to take advantage of RBAC.

Check out our RBAC recipe for a step-by-step guide. Give it a try and let us know what you think!

🏄 Streamlined social sign-in flow

💡 Logto now detects a trusted email (or phone number) from the social account during social sign-in.

• If the email (or phone number) has been registered: Automatically connect the social identity to the existing user account with a single click.
• If the email (or phone number) is not registered: Automatically sync the user profile with the social-provided email (or phone number) if and only if it is marked as a required user profile.

🔢 Send and verify verification codes via Management API

The new Management APIs allow you to reuse connectors to dynamically send and verify verification codes for various purposes, such as validating identity before a user updates their profile or performs a dangerous action.

• Call /api/verification-code to send verification code to a given email or phone
• Call /api/verification-code/verify to verify the code against a given email or phone

↩️ Rollback database alteration state

In case of any issues with the database, you can now use the logto db alteration rollback [target] command to roll back all database schemas to a previous version, for example logto db alteration rollback v1.0.0-beta.19.