Custom JWT
JWT access tokens can now be customized with additional claims using custom JavaScript code snippets. This feature is useful when you need to include custom data in the token for compatibility with other systems.
To use this feature, navigate to the "Custom JWT" tab in the Console. Both user and machine-to-machine (M2M) tokens can be customized.
Before deploying the changes, you can use the "Run test" button to see how the token will look with the custom claims.
See 🎫 Custom JWT claims for more information.
Warning
In the open-source version, the code for custom JWT will run in the same environment as the rest of the Logto code. Be careful when adding custom code to the JWT, as it can introduce security vulnerabilities.
API resources for organization roles
You can now assign permissions (scopes) from the API resources to organization roles. Like other permissions in the organization template, these permissions are organization-level, meaning that they only apply to a specific organization.
Let's see an example:
- There is an API resource called
https://shopping.api/
. - The API resource has two scopes:
read
andwrite
. - There are two organization roles:
admin
anduser
. - The
admin
role has bothread
andwrite
scopes; theuser
role has only theread
scope. - A user Alice is assigned the
admin
role in the organizationfoo
, and theuser
role in the organizationbar
.
When Alice tries to exchange an organization token for the https://shopping.api/
resource, she will receive a token with scopes based on which organization she is requesting the token for.
For the foo
organization, Alice will receive a token with both read
and write
scopes. For the bar
organization, she will receive a token with only the read
scope.
See 🏢 Organizations (Multi-tenancy) for a comprehensive introduction to organizations.
Third-party app permissions
Organizational API resources can also be used when configuring permissions for third-party apps. User will be prompted to select an organization when configuring permissions for a third-party app.
Organization custom data
Now you can save additional data associated with the organization with the organization-level customData
field by:
- Editing in the Console organization details page.
- Specifying the
customData
field when using organization Management APIs.
Connectors
- Added Hugging Face connector.
- GitHub connector now has the
user:email
as part of default scope to fetch GitHub account's private email address list.- It now picks the verified primary email among private email address list as a fallback if the user does not set a public email for GitHub account.
- Removed the plus sign in front of the phone number in the feishu connector (#5801). Credit @kamto7.
Improvements
- Added support for Redis Cluster and extra TLS options for Redis connections (#5619). Credit @alekitto.
- OIDC and OAuth 2 connectors now support
client_secret_basic
andclient_secret_jwt
client authentication methods for the token endpoint. - When a user is deleted or suspended through Management API, they will be signed out in Logto and their sessions will be invalidated immediately.
- Support comma separated
resource
parameter as some libraries do not support array of resources. - Added an API to fetch user organization scopes based on user organization roles (
GET /api/organizations/:id/users/:userId/scopes
). - Added Java Spring Boot web integration guide.
- Added
zh-cn
phrases in OIDC consent page (#5606). Credit @the-pawn-2017.
Fixes
- Organization invitation APIs should handle invitee emails case insensitively.
- Management API will not return 500 in production for status codes that are not listed in the OpenAPI spec.
- Return 403 instead of 400 when Logto tries to grant an access token to a user lacking the required permissions, especially when granting for organization related resources.
- Fixed the wrong social sign-in callback that posts to the native container (e.g. WKWebView in iOS).
- Fixed the new user from SSO register hook event not triggering bug.
- Fixed a bug that API resource indicator does not work if the indicator is not followed by a trailing slash or a pathname.