About two months ago we released Ory Kratos v0.6. Today, we are excited to announce the next iteration of Ory Kratos v0.7! This release includes 215 commits from 24 contributors with over 770 files and more than 100.000 lines of code changed!
Ory Kratos v0.7 brings massive developer experience improvements:
- A reworked, tested, and standardized SDK based on OpenAPI 3.0.3 (#1477, #1424);
- Native support of Single-Page-Apps (ReactJS, AngularJS, ...) for all self-service flows (#1367);
- Sign in with Yandex, VK, Auth0, Slack;
- An all-new, secure logout flow (#1433);
- Important security updates to the self-service GET APIs (#1458, #1282);
- Built-in support for TLS (#1466);
- Improved documentation and Go Module structure;
- Resolving a case-sensitivity bug in self-service recovery and verification flows;
- Improved performance for listing identities;
- Support for Instant tracing (#1429);
- Improved control for SMTPS, supporting SSL and STARTTLS (#1430);
- Ability to run Ory Kratos in networks without outbound requests (#1445);
- Improved control over HTTP Cookie behavior (#1531);
- Several smaller user experience improvements and bug fixes;
- Improved e2e test pipeline.
In the next iteration of Ory Kratos, we will focus on providing a NextJS example application for the SPA integration as well as the long-awaited MFA flows!
Please be aware that upgrading to Ory Kratos 0.7 requires you to apply SQL migrations. Make sure to back up your database before migration!
For more details on breaking changes and patch notes, see below.
Breaking Changes
Prior to this change it was not possible to specify the verification/recovery link lifetime. Instead, it was bound to the flow expiry. This patch changes that and adds the ability to configure the lifespan of the link individually:

```diff
 selfservice:
   methods:
     link:
       enabled: true
       config:
+        # Defines how long a recovery link is valid for (default 1h)
+        lifespan: 15m
```

This is a breaking change because the link strategy no longer respects the recovery / verification flow expiry time and, unless set, will default to one hour.
This change introduces a better SDK. As part of this change, several breaking changes with regards to the SDK have been introduced. We recommend reading this section carefully to understand the changes and how they might affect you.
Before, the SDK was structured into the tags `public` and `admin`. This stems from the fact that we have two ports in Ory Kratos - one administrative and one public port.
While this serves as a good overview when working with Ory Kratos, it does not express:
- What module the API belongs to (e.g. self-service, identity, ...)
- What maturity the API has (e.g. experimental, alpha, beta, ...)
- What version the API has (e.g. v0alpha0, v1beta0, ...)
This patch replaces the current `admin` and `public` tags with a versioned approach indicating the maturity of the API used. For example, `initializeSelfServiceSettingsForBrowsers` would no longer be under the `public` tag but instead under the `v0alpha1` tag:

```diff
 import {
   Configuration,
-  PublicApi
+  V0Alpha1
 } from '@ory/kratos-client';
-const kratos = new PublicApi(new Configuration({ basePath: config.kratos.public }));
+const kratos = new V0Alpha1(new Configuration({ basePath: config.kratos.public }));
```

To avoid confusion when setting up the SDK, and potentially using the wrong endpoints in your codebase and ending up with strange 404 errors, Ory Kratos now redirects you to the correct port, given that `serve.(public|admin).base_url` are configured correctly. This is a significant improvement towards a more robust API experience!
Further, all administrative functions require, in the Ory SaaS, authorization using e.g. an Ory Personal Access Token. In the open source, we do not know what developers use to protect their APIs. As such, we believe that it is ok to have admin and public functions under one common API and differentiate with an `admin` prefix. Therefore, the following patches should be made in your codebase:

```diff
 import {
-  AdminApi,
+  V0Alpha1,
   Configuration
 } from '@ory/kratos-client';
-const kratos = new AdminApi(new Configuration({ basePath: config.kratos.admin }));
+const kratos = new V0Alpha1(new Configuration({ basePath: config.kratos.admin }));
-kratos.createIdentity({
+kratos.adminCreateIdentity({
   schema_id: 'default',
   traits: { /* ... */ }
 })
```
Further, we have introduced a style guide for writing SDK annotations, governing how naming conventions should be chosen.
We also streamlined how credentials are used. We now differentiate between:
- Per-request credentials such as the Ory Session Token / Cookie, which are passed as method parameters:

```typescript
public getSelfServiceRegistrationFlow(id: string, cookie?: string, options?: any) {}
public getSelfServiceSettingsFlow(id: string, xSessionToken?: string, cookie?: string, options?: any) {}
```

- Global credentials such as the Ory (SaaS) Personal Access Token, which are configured once on the client:

```typescript
const kratos = new V0Alpha0(new Configuration({ basePath: config.kratos.admin, accessToken: 'some-token' }));
kratos.adminCreateIdentity({ schema_id: 'default', traits: { /* ... */ } });
```
This patch introduces CSRF countermeasures for fetching all self-service flows. This ensures that users can not accidentally leak sensitive information when copy/pasting e.g. login URLs (see #1282). If a self-service flow for browsers is requested, the CSRF cookie must be included in the call, regardless of whether it is a client-side browser app or a server-side browser app calling. This does not apply to API-based flows.
As part of this change, the following endpoints have been removed:
- `GET <ory-kratos-admin>/self-service/login/flows`
- `GET <ory-kratos-admin>/self-service/registration/flows`
- `GET <ory-kratos-admin>/self-service/verification/flows`
- `GET <ory-kratos-admin>/self-service/recovery/flows`
- `GET <ory-kratos-admin>/self-service/settings/flows`
Please ensure that your server-side applications use the public port (e.g. `GET <ory-kratos-public>/self-service/login/flows`) for fetching self-service flows going forward.
If you use the SDKs, upgrading is easy by adding the `cookie` header when fetching the flows. This is only required when using browser flows on the server side.
The following example illustrates an ExpressJS (NodeJS) server-side application fetching the self-service flows.

```diff
 app.get('some-route', (req: Request, res: Response) => {
-  kratos.getSelfServiceLoginFlow(flow).then((flow) => /* ... */ )
+  kratos.getSelfServiceLoginFlow(flow, req.header('cookie')).then((flow) => /* ... */ )
-  kratos.getSelfServiceRecoveryFlow(flow).then((flow) => /* ... */ )
+  kratos.getSelfServiceRecoveryFlow(flow, req.header('cookie')).then((flow) => /* ... */ )
-  kratos.getSelfServiceRegistrationFlow(flow).then((flow) => /* ... */ )
+  kratos.getSelfServiceRegistrationFlow(flow, req.header('cookie')).then((flow) => /* ... */ )
-  kratos.getSelfServiceVerificationFlow(flow).then((flow) => /* ... */ )
+  kratos.getSelfServiceVerificationFlow(flow, req.header('cookie')).then((flow) => /* ... */ )
-  kratos.getSelfServiceSettingsFlow(flow).then((flow) => /* ... */ )
+  kratos.getSelfServiceSettingsFlow(flow, undefined, req.header('cookie')).then((flow) => /* ... */ )
 })
```
For concrete details, check out the changes in the NodeJS app.
This patch refactors the logout functionality for browsers and APIs. It adds increased security and DoS-defenses to the logout flow.
Previously, calling `GET /self-service/browser/flows/logout` would remove the session cookie and redirect the user to the logout endpoint. Now you have to make a call to `GET /self-service/logout/browser` which returns a JSON response including a `logout_url` URL to be used for logout. The call to `/self-service/logout/browser` must be made using AJAX with cookies enabled or by including the Ory Session Cookie in the `X-Session-Cookie` HTTP Header. You may also use the SDK method `createSelfServiceLogoutUrlForBrowsers` to do that.
Additionally, the endpoint `DELETE /sessions` has been moved to `DELETE /self-service/logout/api`. Payloads and responses stay equal. The SDK method `revokeSession` has been renamed to `submitSelfServiceLogoutFlowWithoutBrowser`.
We listened to your feedback and have improved the naming of the SDK method `initializeSelfServiceRecoveryForNativeApps` to better match what it does: `initializeSelfServiceRecoveryWithoutBrowser`. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.
We listened to your feedback and have improved the naming of the SDK method `initializeSelfServiceVerificationForNativeApps` to better match what it does: `initializeSelfServiceVerificationWithoutBrowser`. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.
We listened to your feedback and have improved the naming of the SDK method `initializeSelfServiceSettingsForNativeApps` to better match what it does: `initializeSelfServiceSettingsWithoutBrowser`. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.
We listened to your feedback and have improved the naming of the SDK method `initializeSelfServiceRegistrationForNativeApps` to better match what it does: `initializeSelfServiceRegistrationWithoutBrowser`. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.
We listened to your feedback and have improved the naming of the SDK method `initializeSelfServiceLoginForNativeApps` to better match what it does: `initializeSelfServiceLoginWithoutBrowser`. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.
Bug Fixes
- Add json detection to setting error subbranches (fb83dcb)
- Add verification success message (#1526) (126698c), closes #1450
- Change SMTP config validation from URI to a Regex pattern (#1436) (5ab1e8f), closes #1435
- Check filesystem before fallback to bundled templates (#1401) (22d999e)
- Continue button for oidc registration step (2aad5ac), closes #1422 #1320:
  When signing up with an OIDC provider and the traits model is missing some fields, the submit button shows all OIDC options. Instead, it should show just one option called "Continue".
- Do not run network migrations when booting (12bbab9), closes #1399
- Format test files (0468aa1)
- Incorrect openapi specification for verification submission (#1431) (ecb0a01), closes #1368
- Link to docker guide (953c6d6)
- Mark ui node message as optional (#1365) (7b8d59f), closes #1361 #1362
- Mark verified_at as omitempty (77b258e):
  Closes ory/sdk#46
- Panic if contextualizer is not set (760035a)
- Recovery email case sensitive (#1357) (bce14c4), closes #1329
- Remove changelog (7affb7a)
- Remove typing from node.attribute.value (63a5e08):
  Closes ory/sdk#75, ory/sdk#74, ory/sdk#72
- Rename client package for external consumption (cba8b00)
- Resolve build issues on release (7c265a8)
- Resolve driver issues (47b1c8d)
- Resolve network regression (8f96b1f)
- Resolve network regressions (8fc52c0)
- Testhelper regressions (bf3b04f)
- Use correct url in submitSelfServiceVerificationFlow (ab8a600)
- Use session cookie path settings for csrf cookie (#1493) (c6d08ed), closes #1292:
  This PR adds a configuration option for CSRF cookies and improves the domain alias logic, as well as adding tests for it.
- Use STARTTLS for smtps connections (#1430) (c21bb80), closes #781
- Version schema (#1359) (8c4bac7), closes #1331 #1101 ory/hydra#2427
Code Generation
- Pin v0.7.0-alpha.1 release commit (53a0e38)
Code Refactoring
- Corp package (#1402) (0202dc5)
- Finalize SDK refactoring (e772641), closes kratos#1424 #1424
- Identity SDKs (d8658dc), closes #1477
- Improve session sdk (7207af4)
- Introduce DefaultContextualizer in corp package (#1390) (944d045), closes #1363
- Move cleansql to separate package (7c203dc)
- Openapi.json -> api.json (6df0de5)
- Self-service error APIs (65c482f)
Documentation
- Add docs for registration SPA flow (84458f1)
- Add go sdk examples (e948fad)
- Add kratos quickstart config notes (#1490) (2f8094c)
- Add replit instructions (8ab8607)
- Add tested and running go sdk examples (3b56bb5)
- Correct CII badge (#1447) (048aec3)
- Fix broken link (9eaf764)
- Fix building from source (#1473) (af54d5b)
- Fix typo in "Sign in/up with ID & assword" (#1383) (f39739d)
- Mark login endpoints as experimental (6faf0f6)
- Refactor documentation and adopt changes for #1477 (f5e96cd), closes #1472
- Remove changelog from docs folder (5a7e3d8)
- Resolve build issues (b51bb55)
- Resolve typos and docs react issues (2d640e4)
- Update docs for all flows (d29ea69)
- Update documentation for plaintext templates (#1369) (419784d), closes #1351
- Update error documentation (7d83609)
- Update login flow documentation (a27de91)
- Update path (f0384d9)
- Update README.md Go instructions (#1464) (8db4b4a)
- Update remaining self service documentation (bcc6284)
- Update sdk use (bcb8c06)
- Update settings documentation (258ceaf)
- Use correct path (#1333) (e401135)
Features
- Add examples for usage of go sdk (870c2bd)
- Add GetContextualizer (ac32717)
- Add instana as possible tracing provider (#1429) (abe48a9), closes #1385
- Add vk and yandex providers to oidc providers and documentation (#1339) (22a3ef9), closes #1234
- Anti-CSRF measures when fetching flows (#1458) (5171557), closes #1282
- Configurable recovery/verification link lifetime (f80d4e3)
- Disable HaveIBeenPwned validation when HaveIBeenPwnedEnabled is set to false (#1445) (44002f4), closes #316:
  This patch introduces an option to disable HaveIBeenPwned checks in environments where outbound network calls are disabled.
- identities: Add a state to identities (#1312) (d22954e), closes #598
- Improve contextualization in serve/daemon (f83cd35)
- Include Credentials Metadata in admin api (#1274) (c8b6219), closes #820
- Include Credentials Metadata in admin api Missing changes in handler (#1366) (a71c220)
- Natively support SPA for login flows (6ff67af), closes #1138 #668:
  This patch adds the long-awaited capabilities for natively working with SPAs and AJAX requests. Previously, requests to the `/self-service/login/browser` endpoint would always end up in a redirect. Now, if the `Accept` header is set to `application/json`, the login flow will be returned as JSON instead. Accordingly, changes to the error and submission flow have been made to support `application/json` content types and SPA / AJAX requests.
- Natively support SPA for recovery flows (5461244):
  This patch adds the long-awaited capabilities for natively working with SPAs and AJAX requests. Previously, requests to the `/self-service/recovery/browser` endpoint would always end up in a redirect. Now, if the `Accept` header is set to `application/json`, the registration flow will be returned as JSON instead. Accordingly, changes to the error and submission flow have been made to support `application/json` content types and SPA / AJAX requests.
- Natively support SPA for registration flows (57d3c57), closes #1138 #668:
  This patch adds the long-awaited capabilities for natively working with SPAs and AJAX requests. Previously, requests to the `/self-service/registration/browser` endpoint would always end up in a redirect. Now, if the `Accept` header is set to `application/json`, the registration flow will be returned as JSON instead. Accordingly, changes to the error and submission flow have been made to support `application/json` content types and SPA / AJAX requests.
- Natively support SPA for settings flows (ea4395e):
  This patch adds the long-awaited capabilities for natively working with SPAs and AJAX requests. Previously, requests to the `/self-service/settings/browser` endpoint would always end up in a redirect. Now, if the `Accept` header is set to `application/json`, the registration flow will be returned as JSON instead. Accordingly, changes to the error and submission flow have been made to support `application/json` content types and SPA / AJAX requests.
- Natively support SPA for verification flows (c151500):
  This patch adds the long-awaited capabilities for natively working with SPAs and AJAX requests. Previously, requests to the `/self-service/verification/browser` endpoint would always end up in a redirect. Now, if the `Accept` header is set to `application/json`, the registration flow will be returned as JSON instead. Accordingly, changes to the error and submission flow have been made to support `application/json` content types and SPA / AJAX requests.
- Support api in settings error (23105db)
- Support reading session token from X-Session-Token HTTP header (dcaefd9)
- TLS support for public and admin endpoints (#1466) (7f44f81), closes #791
- Update openapi specs and regenerate (cac507e)
Tests
- Add tests for cookie behavior of API and browser endpoints (d1b1521)
- e2e: Greatly improve test performance (#1421) (2ffad9e):
  Instead of running the individual profiles as separate Cypress instances, we now use one singular instance which updates the Ory Kratos configuration depending on the test context. This ensures that hot-reloading is properly working while also significantly reducing the amount of time spent on booting up the service dependencies.
- e2e: Resolve flaky test issues related to timeouts and speed (b083791)
- e2e: Resolve recovery regression (72c47d6)
- e2e: Resolve test config regressions (eb9c4f9)
- Remove obsolete console.log (3ecc869)
- Resolve e2e regressions (b0d3b82)
- Resolve migratest panic (89d05ae)
- Resolve mobile regressions (868e82e)
- Resolve oidc regressions (2403082)
Unclassified
- add CoC shield (#1439) (826ed1a), closes #1439
- u (b03549b)
- u (318a31d)
- Format (eca7aff)
- Format (5cc9fc3)
- Format (e525805)
- Format (4a692ac)
- Format (169c0cd)
Docker images

```shell
docker pull oryd/kratos:v0-sqlite
docker pull oryd/kratos:v0.7-sqlite
docker pull oryd/kratos:v0.7.0-sqlite
docker pull oryd/kratos:v0.7.0-alpha.1-sqlite
docker pull oryd/kratos:latest-sqlite
docker pull oryd/kratos:v0
docker pull oryd/kratos:v0.7
docker pull oryd/kratos:v0.7.0
docker pull oryd/kratos:v0.7.0-alpha.1
docker pull oryd/kratos:latest
```