github logto-io/logto v1.29.0

2 months ago

logto-changelog-2025-06-27

Account API for WebAuthn (passkeys)

You can now manage WebAuthn passkeys through the Account API, including:

  1. Binding a WebAuthn passkey to the user's account through your website.
  2. Managing the passkeys in the user's account.

We have implemented Related Origin Requests so that you can manage WebAuthn passkeys on your own website even when its domain differs from that of Logto's sign-in page.

To learn more, check out the documentation.
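
Related Origin Requests rely on a `/.well-known/webauthn` document, served from the RP ID's domain, that lists the origins allowed to use that RP ID. The following is an added example, not Logto's code: a strict check of such a document against a calling origin. The function names and all hostnames are constructed for illustration, and the browser's additional limit on distinct domain labels is not modelled.

```javascript
// Added example (not Logto code). Document shape {"origins": [...]} follows
// the WebAuthn Related Origin Requests well-known file; hostnames are constructed.
const SAMPLE_WELL_KNOWN = JSON.stringify({
  origins: [
    "https://app.example.com",          // acceptable: bare https origin
    "http://insecure.example.com",      // rejected: not https
    "https://*.example.org",            // rejected: wildcards are not origins
    "https://shop.example.net/account", // rejected: carries a path
  ],
});

// Return the canonical origin for a strict https origin string, else null.
function normalizeOrigin(entry) {
  if (typeof entry !== "string") return null;
  let url;
  try {
    url = new URL(entry);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  if (url.username || url.password) return null;
  if (url.pathname !== "/" || url.search || url.hash) return null;
  if (url.hostname.includes("*")) return null;
  return url.origin; // lower-cased host, default port dropped
}

// Decide whether callerOrigin is listed, and report entries that should be
// cleaned out of the document before it is published.
function checkRelatedOrigin(wellKnownJson, callerOrigin) {
  let doc;
  try {
    doc = JSON.parse(wellKnownJson);
  } catch {
    return { allowed: false, rejected: [], reason: "invalid JSON" };
  }
  if (!doc || !Array.isArray(doc.origins)) {
    return { allowed: false, rejected: [], reason: "missing origins array" };
  }
  const accepted = new Set();
  const rejected = [];
  for (const entry of doc.origins) {
    const origin = normalizeOrigin(entry);
    if (origin) accepted.add(origin);
    else rejected.push(entry);
  }
  const caller = normalizeOrigin(callerOrigin);
  const allowed = caller !== null && accepted.has(caller);
  return { allowed, rejected, reason: allowed ? "listed" : "caller origin not listed" };
}
```

Matching is by exact origin, so a sibling subdomain of a listed origin is not implicitly allowed.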

Access user interaction details in custom JWT

User interaction data is now accessible through context.interaction when generating custom token claims:

| Property | Description | Type |
| --- | --- | --- |
| interactionEvent | The interaction event of the current user interaction | SignIn or Register |
| userId | The user id of the current user interaction | string |
| verificationRecords | A list of verification records submitted by the user to identify and verify their identity during interactions. | VerificationRecord[] |

Example Use Case:

Read the verification records from the interaction context. If an Enterprise SSO verification record is present, include the corresponding user profile from the Enterprise SSO identities as additional token claims.

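const getCustomJwtClaims = async ({ token, context, environmentVariables }) => {
  const { interaction } = context;
  // Verification records submitted during this sign-in or registration.
  const verifications = interaction?.verificationRecords || [];

  // Look for an Enterprise SSO verification record.
  const ssoVerification = verifications.find(
    (record) => record.type === "EnterpriseSso",
  );

  if (ssoVerification) {
    // Expose selected Enterprise SSO profile fields as extra token claims.
    return {
      enterpriseSsoIdentityId: ssoVerification?.enterpriseSsoUserInfo?.id,
      familyName: ssoVerification?.enterpriseSsoUserInfo?.familyName,
    };
  }

  // No Enterprise SSO record present: add no extra claims.
  return {};
};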

See custom token claims context for more details.

Improvements

  • Updated timestamp tracking for SSO: Added updated_at field to user_sso_identities table
  • Changed user password digest length to 256 to support legacy hashing algorithms such as SHA512
  • Masked the TOTP secret in the audit log
  • Support flexible size in Turnstile widget, allowing the widget to scale responsively and fill the available space. Contributed by @GeisonPiegas

Bug fixes

  • Fixed SAML application callback API to properly handle RelayState parameter in authentication responses
  • Made access_token optional for the Azure OIDC SSO connector. Previously, the Azure OIDC connector strictly required an access token in the token response, which caused issues with Azure B2C applications that only return ID tokens.
  • Fixed potential WebAuthn registration errors by specifying the displayName. For example, when using Chrome on Windows 11 with the "Use other devices" option (scanning QR code), an empty displayName will cause the registration to fail.
  • Fixed an issue where the payment page could not open in iOS Safari.
