ory/kratos v25.4.0 on GitHub

v25.4.0

Breaking Changes

The require_verified_address hook no longer returns a
plain error. Previously, users had to manually start the verification
flow, which caused a poor experience. Now, Ory Kratos automatically
creates a verification flow and redirects the user using continue_with
or an HTTP redirect. The verification flow starts with the first
verified address found for the user. This aligns the behavior of
require_verified_address with using the verification and
show_verification_ui hook combination for login.

Going forward, the node group of fields that are
failing validation during oidc sign up are default and no longer
oidc. For now, you can get the legacy behavior back by turning on
feature_flags.legacy_oidc_registration_node_group=true.

Co-authored-by: Jonas Hungershausen jonas.hungershausen@ory.sh

Before this change, show_verification_ui would
always be included in continue_with for the registration flow when
verification was enabled. After this change, show_verification_ui is
only included when the show_verification_ui post-registration hook is
defined.

Account linking incorrectly returned a 200 OK status
code even though the login flow was not completed successfully. Going
forward, the correct 400 OK status code will be sent when using the API
flow or Accept: application/json.

This patch changes the behavior of configuration item foo to do bar. To keep the existing
behavior please do baz.

Bug Fixes

Accept login challenge in session_issuer on SPA flows (#4288) (e13687a)
Accept login_challenge in SPA verification flows (#4284) (7ca3b6b)
Account linking should only happen after 2fa when required (#4174) (8e29b68)
Account linking with 2FA (#4188) (4a870a6):
This fixes some edge cases with OIDC account linking for accounts with 2FA enabled.
Add default issuer URL for LINE (#4415) (292f65d):
Fixed+expanded relevant comment.
Fixed some tracing issues.
Added error info and missing res.Body.Close() in courier.
Add exists clause (#4191) (a313dd6)
Add missing autocomplete attributes to identifier_first strategy (#4215) (e1f29c2)
Add missing csrf_token (#4363) (f441f41)
Add missing discriminator (#4365) (c10bb06)
Add missing saml group (#4268) (44eb305)
Add missing submit group (#4354) (106163d)
Add missing values to the session method enum (a043b43):
Add resend node to after registration verification flow (#4260) (9bc83a4)
Add transient payload to fedcm (#4369) (245f5dc), closes #1234 #1234:
Allow patching some /credentials sub-paths (#4277) (aefa806), closes #1234 #1234:
Also update identifiers (#4321) (7c63727):
This fixes a bug where when an identity is merged into another, the
identifier of the original identity was not updated.
Another apple fix (8a220c0):
Apply strategy filters in identifier first as well (#4352) (ec3ecc5)
Better tracing in proxy HTTP (ff5fa9b):
Cancel conditional passkey before trying again (#4247) (d9f6f75)
Check aal on sessions list endpoint (#4305) (44f97b8), closes #3671:
The session check to list a user's own sessions now requires the same AAL level as the whoami check.
Clarify import responses (2a44fd5):
Context passing and missing body close (79f4e2a):
Copybara script (b3af828):
Correctly handle HTTP route patterns in metrics (dc992d3):
Count MFA addresses in CountActiveMultiFactorCredentials for code method (9860c9a), closes ory/network#409
Deduplicate down migrations (a000460):
deps: Update go-x (ae80380):
Detect whether external_id is set in webhook response (7d0d7f6):
Div decoding (#4362) (ef9ee23)
Do not roll back transaction on partial identity insert error (#4211) (82660f0)
Don't remove OIDC buttons if invalid identifier is submitted (97848c7):
Don't show oidc subject in login hints (#4264) (b95fd3f)
Duplicate autocomplete trigger (6bbf915)
Enable b2b_sso hook in more places (#4168) (0c48ad1):
fix: allow b2b_sso hook in more places
Ensure make quickstart-dev works without options (#4401) (327c5a4):
make quickstart-dev uses the make variable QUICKSTART_OPTIONS which
is set to "" by default. This will result in two double quotes ("")
in the final shell command e.g. docker-compose "" up when the variable
is not set on the make command line, which fails at the shell level. The
fix is to leave the variable empty by default. No semantic changes.
Ensure authentication method is added to session after linking OIDC provider (5cae1f7):
Ensure context is not canceled during password hashing (#4364) (e9c6a18):
Especially during large imports of plaintext passwords there can be a
lot of useless hashing, even after the request timed out or got
canceled.
Ensure that auto_link_credentials markers are being properly overwritten (#4320) (a4fd8ac), closes #1234 #1234:
Changes:
- Add LoginStarted and RegistrationStarted events along their
  required attributes
- Sort all event attributes alphabetically
- Emit these events when a new login/registration flow is created,
  after basic validation passed
- It is unclear yet how many of these events will be emitted, as such it
  is suggested that in a first phase, they remain internal and are not yet
  sent externally to avoid surprises (note: sometimes, these events can be
  emitted without user action such as simply visiting/being redirected to
  the sign-in page, etc)
Documentation PR:
Add migrate sql up|down|status (#4228) (e6fa520):
This patch adds the ability to execute down migrations using:
```
kratos migrate sql down -e --steps {num_of_steps}
```
Please read kratos migrate sql down --help carefully.
Going forward, please use the following commands
```
kratos migrate sql up ...
kratos migrate sql status ...
```
instead of the previous, now deprecated
```
kratos migrate sql ...
kratos migrate status ...
```
commands.
See https://github.com/ory-corp/cloud/issues/7350
Add new Division ui node attributes (235af52):
Division nodes may be used to hook dynamic scripts and are not actively used in the Ory Kratos open source.
Add new endpoint to tokenize JWT with a webhook (f7fa792):
Add oid as subject source for microsoft (#4171) (77beb4d), closes #4170:
In the case of Microsoft, using sub as an identifier can lead to problems. Because the use of OIDC at Microsoft is based on an app registration, the content of sub changes with every new app registration. Sub is therefore not uniquely related to the user. It is therefore not possible to transfer users from one app registration to another without further problems.
https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#payload-claims
With the use of oid it is possible to identify a user by a unique id.
Add session in settings after hook (1b57fdf):
Add support for Line v2.1 OIDC provider (#4240) (729effd):
For OIDC Line Login, you only need to add id_token_key_type=JWK in the exchange step to issue
tokens in ES256 format.
#1116
Allow deleting password credentials (#4304) (f2212d4):
The admin API did not allow to delete passwords at all. The restriction is now lifted to only block deletion of the first-factor credential if it is the last one.
Allow extra go migrations in persister (#4183) (7bec935)
Allow listing identities by organization ID (#4115) (b4c453b)
Allow setting the org ID on creation (#4306) (bccd2fb)
Autoconfigure kratos-changefeed (b8bf4c7):
Bump CRDB, establish foreign key, (d76e70f):
Cache OIDC providers (#4222) (30485c4):
This change significantly reduces the number of requests to /.well-known/openid-configuration endpoints.
changelog-oel: Choose identity schema in self-service registration and login flows (53f4b9f):
changelog-oel: Improved tracing and metrics for the high-performance SQL connection pool (ce1bf9f):
changelog: Add a new feature flag for the Recovery V2 to ensure backwards-compatibility (d68736b):
changelog: Add CourierMessageAbandoned & CourierMessageDispatched events (dfed493):
changelog: Find-by and delete SAML credentials (0c80f61):
changelog: Migrate http router to stdlib router (48f5adb):
changelog: Reject new password same as old password when changing the password (a7f50ab):
Console UI for multiple identity schemas (1145cda):
Custom page token column extraction (c5cb85e):
Domain telemetry improvements (93345d7):
Drop unused indices post index migration (#4201) (1008639)
Emit admin recovery code event (#4230) (a7cdc3a)
Emit event on Jsonnet claims mapping error (#4394) (8caebdb):
We now emit an event containing the Jsonnet input and output in
anonymized form when mapping the claims in the OIDC flow fails.
Emit events on jsonnet failure when templating a jwt (#4409) (959ded5):
- Fix typo: parital -> partial
- Document with comments why an event is not emitted or not documented
- Emit JsonnetMappingFailed events on jsonnet failure when templating
  a jwt (see https://www.ory.sh/docs/identities/session-to-jwt-cors).
  After review it seems we otherwise always emit events in all the right
  places, except in this very case. Tested end-to-end manually with the
  UI.
Emit oryWebAuthnInitialized event once webauthn is initialized (b4485f4):
Enable JSONNet templating for password migration hook (#4390) (b162897):
This enables JSONNet body templating for the password migration hook.
There is also a significant refactoring of some internals around webhook config handling.
Expose Ory-Error-Id HTTP header (f2b0cd5):
Fast add credential type lookups (#4177) (eeb1355)
Faster UpdateIdentity (4c2cfae):
Fewer DB loads when linking credentials, add tracing (2c5bb21)
Goreleaser (db10a68):
Gracefully handle failing password rehashing during login (#4235) (3905787):
This fixes an issue where we would successfully import long passwords (>72 chars), but fail when the user attempts to login with the correct password because we can't rehash it. In this case, we simply issue a warning to the logs, keep the old hash intact, and continue logging in the user.
hydra: Split up persister (910cf9c):
Improve domain telemetry for OSS (Hydra & Kratos) (86ab72a):
Improve identity import limits (#4378) (e38e812)
Improve kratos courier metrics and debug log message (c50ffcc):
Improve QueryForCredentials (#4181) (ca0d6a7)
Improve secondary indices for self service tables (#4179) (825aec2)
Improve verification required flows (#4407) (2014a40)
Improved events and identity recent activity (e47b858):
Improved tracing for courier (85a7071)
Index hint for CRDB when deleting identity credentials (#4276) (c703a33):
Ref https://support.cockroachlabs.com/hc/en-us/requests/25430
Jackson provider (#4242) (f18d1b2):
This adds a jackson provider to Kratos.
Load session only once when middleware is used (#4187) (234b6f2)
Monorepo (31f1894):
More extension points (#4272) (373a2e6):
This adds more extension points to the Kratos registry.
Move config testhelpers to ory/x (8d43aae):
Optimize identity-related secondary indices (#4182) (53874c1)
Passwordless SMS and expiry notice in code / link templates (#4104) (462cea9):
This feature allows Ory Kratos to use the SMS gateway for login and registration with code via SMS.
Additionally, the default email and sms templates have been updated. We now also expose ExpiresInMinutes / expires_in_minutes in the templates, making it easier to remind the user how long the code or link is valid for.
Closes #1570
Closes #3779
Recovery with any address including with a code via SMS (71844dd):
Refactor cmd/daemon (#4371) (7fe55d9)
Remove duplicate queries during settings flow and use better index hint for credentials lookup (#4193) (c33965e):
This patch reduces duplicate GetIdentity queries as part of submitting the settings flow, and improves an index to significantly reduce credential lookup.
For better debugging, more tracing ha been added to the settings module.
Remove more unused indices (#4186) (b294804)
Return field name in generated node text label (8c7a3dc):
Rework the OTP code submit count mechanism (#4251) (4ca4d79):
- feat: rework the OTP code submit count mechanism
Unlike what the previous comment suggested, incrementing and checking the submit count inside the
database transaction is not actually optimal peformance- or security-wise.
We now check atomically increment and check the submit count as the first part of the operation,
and abort as early as possible if we detect brute-forcing. This prevents a situation where the
check works only on certain transaction isolation levels.
- chore: bump dependencies
Support android webauthn origins (#4155) (a82d288):
This patch adds the ability to verify Android APK origins used during WebAuthn/Passkey exchange.
Upgrades go-webauthn and includes fixes for Go 1.23 and workarounds for Swagger.
Support CRUD OIDC providers through the onboarding portal API (664fd1a):
Support importing more credentials (#4361) (9a6dadf):
Adds support to import SAML credentials. SAML connections are only
available in Ory Enterprise License / Ory Network.
Trace identity id in errors (772572c):
Update only necessary database columns in UpdateVerifiableAddress (#4292) (168a3f6):
This is an optimization to reduce database load.
When we specify exactly which columns changed, we should be able to
elide updates to the identity_verifiable_addresses_status_via_uq_idx (nid,via,value) index. Updating that index requires contacting remote
regions.
Also fixed a bug where we did not set the verified_at timestamp
correctly sometimes.
Use one transaction for /admin/recovery/code (#4225) (3e87e0c)
Use stdlib HTTP router in Kratos (acfa6ef):
Use vendored ory/x (a9ab800):
Webhook header allowlist configuration option (#4309) (871f5aa), closes #4290:
Adds a clients.web_hook.header_allowlist configuration option for
configuring the webhook header allowlist.

Reverts

Tests: improve randomness in e2e tests (19a41ec):
Use account.apple.com for oidc discovery and appleid.apple.com for token verification and signing (c772d8b):
Use appleid audience for secret exchange (620e33e):
Use updated appleid issuer (9697c45):

Tests

Add golangci-lint config and GHA (0720950):
Don't require DB for hasher tests (41c69db):
hydra: Add snapshots for login & consent requests (ee39bdb):
Improve pgxpool tests (6297a8f):
Resturcture and improve integration tests (6f32d5d):
Update snapshots (#4167) (b51f780)

Unclassified

Improve randomness in e2e tests (ecfe435):
Run credential validation in its own goroutine when changing the password (c7fedfe):

Changelog

85aeb5b chore(ci): adjust codecov config (#4234)
cc014ee chore(deps): bump @nestjs/common and @openapitools/openapi-generator-cli (#4397)
4415b49 chore(deps): bump axios and wait-on in /test/e2e (#4334)
6d8d8ed chore(deps): bump axios, @openapitools/openapi-generator-cli and wait-on (#4366)
f019a1c chore(deps): bump cookie and express in /test/e2e/proxy (#4153)
43ab7c5 chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.3 to 3.0.4 (#4325)
5522d42 chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#4319)
7fad519 chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#4189)
39f0276 chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#4358)
5f47ac4 chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 (#4357)
c442302 chore(deps): bump golang.org/x/net from 0.33.0 to 0.36.0 (#4337)
bb5f488 chore(deps): bump path-to-regexp and express in /test/e2e/proxy (#4238)
67a703b chore(deps): update actions/setup-node action to v6
c18dc33 chore(deps): update actions/upload-artifact action to v5
50f1b8f chore(deps): update dependency node to v24
bb5d7e4 chore(deps): update hadolint/hadolint-action action to v3.3.0
6b92376 chore(deps): update kratos ci
8c43e3b chore(deps): update oss workflows
732f098 chore(e2e): stabilize chromatic snapshots
6b2b90e chore(hydra): registry setup refactoring
3215ab2 chore(kratos): cleanup and improve some tests
56525d4 chore(kratos): simplify internal APIs
456a147 chore: add migration tests in kratos non-oss for crdb
0969901 chore: add missing deprecation events for legacy feature flags
d5229ef chore: add pagination secrets for Kratos
fc68716 chore: add pre-release workflows for oss
cfa1703 chore: add recovery v2 new fields
187f711 chore: add utility functions to kratos/request & tests to RemoveDisallowedHe…
9871185 chore: additional pop options
f9640ff chore: adjust project automation (#4143)
eb12772 chore: axios update
2e84f49 chore: bump Go everywhere
802b45b chore: bump deps
2b0acb7 chore: bump go deps
f49b440 chore: bump go to 1.24.6
c19b4e5 chore: bump golang in kratos oss
d03d37d chore: bump golang.org/x/crypto
d5cfa89 chore: bump ory/x (#4229)
bf674d1 chore: bump ory/x and ristretto (#4340)
94558e3 chore: bump pop to master
2ee96b7 chore: bump sec deps
332eaee chore: bump sec deps
9c7def8 chore: cleanup oss workflows
9959545 chore: document test migration (#4265)
cb10bca chore: fix build for kratos-oss
3d0ae83 chore: fix kratos linting issues
a63b7cc chore: force replacements where expected
5ea53fa chore: format
4609ebf chore: gh actions and node lib updates
90f2490 chore: go mod tidy to unblock CI
c27cbe6 chore: improve migration testdata and assertions
b26c652 chore: make tools indirect dependencies (#4345)
0636433 chore: merge ory/x repo
3a726a2 chore: minor bugs and improvements (#4331)
aa4229d chore: more gh actions and npm lib updates
05409be chore: pin GHA PM action version (#4213)
888b42a chore: recovery_code is duplicated in the schema
3dd9dec chore: refactor parameter parsing in ListIdentities and disallow combining filters
9c337a5 chore: remove asserts on ory.sh
9931ea5 chore: remove counting courier messages
f7f7bb9 chore: remove fizz migration files (#4343)
065e0c3 chore: remove sdk generation action
15ac98e chore: replace deprecated usages
7add07d chore: revert external_id feature
67cb364 chore: run go mod tidy during internal SDK generation (#4344)
60a8c5b chore: run oss cypress tests on custom runners
286d874 chore: shared serve config
9e94951 chore: simplify service and option loading
4a07685 chore: split network/enterprise SQL migrations in kratos
22887ef chore: stabilize order of recovery addresses
629d867 chore: synchronize workspaces (#4140)
1642866 chore: template migration command help
ddcc58c chore: tracing in errors
a56c3c0 chore: un-revert external_id feature
61a649d chore: update OSS readme
73d287e chore: update codeowners (#4256)
ef2dc19 chore: update copybara rules
0ebf2ac chore: update copybara transformation
0bce294 chore: update docs on ListIdentities (#4248)
a7b8029 chore: update error event name (#4375)
edab00d chore: update gha in oss
ab6d023 chore: update github actions
2515129 chore: update github actions
bd698b7 chore: update kratos goreleaser config
5badf8b chore: update opencontainers/runc to v1.3.3
6a7a203 chore: update ory/x version to get the jsonnet runtime limits
964f524 chore: update oss release workflows
c4b3dd6 chore: update repository templates to ory/meta@000f213
8cbb5bd chore: update repository templates to ory/meta@1af2225
7578f00 chore: update repository templates to ory/meta@44efd83
555c997 chore: update repository templates to ory/meta@6dd5819
2a4b8c7 chore: update repository templates to ory/meta@7ba4064
7304572 chore: update repository templates to ory/meta@83e71e6
d4f96ce chore: update repository templates to ory/meta@b1eed88
924fa61 chore: update repository templates to ory/meta@bc603a6
1faf7cc chore: update repository templates to ory/meta@c091d79
898fcb4 chore: update repository templates to ory/meta@cb2a20f
38641c8 chore: update repository templates to ory/meta@cbb120b
c80dd80 chore: update repository templates to ory/meta@d919e6f
3622cd5 chore: update repository templates to ory/meta@e54ac5d
dc46e8d chore: update repository templates to ory/meta@fc1b4d6
15f3eb3 chore: update sdks and openapi spec
3904795 chore: upgrade Cypress
b42b42a chore: upgrade crdb to v25.2 everywhere & deflake CI!
25429fa chore: upgrade lib phone numbers to v1.4.1 (#4250)
fee7cae chore: upgrade playwright (#4255)
66edadd chore: upgrade sdk generator (#4327)
bdb046d chore: upgrade to go 1.24 (#4313)
c829295 chore: use dedicated ory fork of pop
25f17e7 ci: fix rate-limit trivy issue (#4184)
3d112f8 ci: improve codecov config (#4339)
9350701 ci: resolve test fixture issues (#4411)
405f2f0 docs(kratos): better identity handler description
b22135f docs: add return_to query parameter to OAS Verification Flow for Native Apps (#4086)
a90df58 docs: clarify facebook graph API versioning (#4208)
b388a4a docs: defining oid as oidc subject_source (#4270)
0062d45 docs: improve SecurityError error message for ory elements local (#4205)
f076fe4 docs: remove unused SMS config from schema (#4212)
cb71e38 docs: usage of organization parameter in native self-service flows (#4176)
dfed493 feat(changelog): add CourierMessageAbandoned & CourierMessageDispatched events
d68736b feat(changelog): add a new feature flag for the Recovery V2 to ensure backwards-compatibility
0c80f61 feat(changelog): find-by and delete SAML credentials
48f5adb feat(changelog): migrate http router to stdlib router
a7f50ab feat(changelog): reject new password same as old password when changing the password
53f4b9f feat(changelog-oel): choose identity schema in self-service registration and login flows
ce1bf9f feat(changelog-oel): improved tracing and metrics for the high-performance SQL connection pool
910cf9c feat(hydra): split up persister
fb8856e feat: add HTML email support to HTTP channel (#4387)
6cb3e99 feat: add Login with Amazon
7032fec feat: add LoginStarted and RegistrationStarted events (#4404)
e2f878a feat: add a policy callback to customize OIDC credential linking (#4302)
0e68c7e feat: add a project revision field to set the maximum number of code submits
eb9d934 feat: add ability to send recovery code via sms
edb9e0c feat: add allowed domains configuration for captcha
00da05d feat: add attributes to webhook events for better debugging (#4206)
eca4ae9 feat: add captcha group to first-step registration
261596b feat: add context param to policy (#4315)
1c33c39 feat: add email domain matcher (#4373)
2aabe12 feat: add explicit config flag for secure cookies (#4180)
335a1e8 feat: add external ID to identities
afa7618 feat: add failure reason to events (#4203)
e6fa520 feat: add migrate sql up|down|status (#4228)
235af52 feat: add new Division ui node attributes
f7fa792 feat: add new endpoint to tokenize JWT with a webhook
77beb4d feat: add oid as subject source for microsoft (#4171)
1b57fdf feat: add session in settings after hook
729effd feat: add support for Line v2.1 OIDC provider (#4240)
f2212d4 feat: allow deleting password credentials (#4304)
7bec935 feat: allow extra go migrations in persister (#4183)
b4c453b feat: allow listing identities by organization ID (#4115)
bccd2fb feat: allow setting the org ID on creation (#4306)
b8bf4c7 feat: autoconfigure kratos-changefeed
d76e70f feat: bump CRDB, establish foreign key,
30485c4 feat: cache OIDC providers (#4222)
1145cda feat: console UI for multiple identity schemas
c5cb85e feat: custom page token column extraction
93345d7 feat: domain telemetry improvements
1008639 feat: drop unused indices post index migration (#4201)
a7cdc3a feat: emit admin recovery code event (#4230)
8caebdb feat: emit event on Jsonnet claims mapping error (#4394)
959ded5 feat: emit events on jsonnet failure when templating a jwt (#4409)
b4485f4 feat: emit oryWebAuthnInitialized event once webauthn is initialized
b162897 feat: enable JSONNet templating for password migration hook (#4390)
f2b0cd5 feat: expose Ory-Error-Id HTTP header
eeb1355 feat: fast add credential type lookups (#4177)
4c2cfae feat: faster UpdateIdentity
2c5bb21 feat: fewer DB loads when linking credentials, add tracing
db10a68 feat: goreleaser
3905787 feat: gracefully handle failing password rehashing during login (#4235)
ca0d6a7 feat: improve QueryForCredentials (#4181)
86ab72a feat: improve domain telemetry for OSS (Hydra & Kratos)
e38e812 feat: improve identity import limits (#4378)
c50ffcc feat: improve kratos courier metrics and debug log message
825aec2 feat: improve secondary indices for self service tables (#4179)
2014a40 feat: improve verification required flows (#4407)
e47b858 feat: improved events and identity recent activity
85a7071 feat: improved tracing for courier
c703a33 feat: index hint for CRDB when deleting identity credentials (#4276)
f18d1b2 feat: jackson provider (#4242)
234b6f2 feat: load session only once when middleware is used (#4187)
31f1894 feat: monorepo
373a2e6 feat: more extension points (#4272)
8d43aae feat: move config testhelpers to ory/x
53874c1 feat: optimize identity-related secondary indices (#4182)
462cea9 feat: passwordless SMS and expiry notice in code / link templates (#4104)
71844dd feat: recovery with any address including with a code via SMS
7fe55d9 feat: refactor cmd/daemon (#4371)
c33965e feat: remove duplicate queries during settings flow and use better index hint for credentials lookup (#4193)
b294804 feat: remove more unused indices (#4186)
8c7a3dc feat: return field name in generated node text label
4ca4d79 feat: rework the OTP code submit count mechanism (#4251)
664fd1a feat: support CRUD OIDC providers through the onboarding portal API
a82d288 feat: support android webauthn origins (#4155)
9a6dadf feat: support importing more credentials (#4361)
772572c feat: trace identity id in errors
168a3f6 feat: update only necessary database columns in UpdateVerifiableAddress (#4292)
3e87e0c feat: use one transaction for /admin/recovery/code (#4225)
acfa6ef feat: use stdlib HTTP router in Kratos
a9ab800 feat: use vendored ory/x
871f5aa feat: webhook header allowlist configuration option (#4309)
ae80380 fix(deps): update go-x
a6ac143 fix(hydra): instrument metrics also on public endpoints
da4ea07 fix(hydra): use prometheus metrics instead of SQA metrics
639f765 fix(kratos): do not explicitly pass identity schema on step-up login
241111b fix(sdk): add missing captcha group (#4254)
4127cbb fix(sdk): add missing enum type to autocomplete (#4396)
88c68aa fix(sdk): remove incorrect attributes (#4163)
c3f4ecf fix: IdentityCreated is over-reporting on error inserts (#4323)
e13687a fix: accept login challenge in session_issuer on SPA flows (#4288)
7ca3b6b fix: accept login_challenge in SPA verification flows (#4284)
8e29b68 fix: account linking should only happen after 2fa when required (#4174)
4a870a6 fix: account linking with 2FA (#4188)
292f65d fix: add default issuer URL for LINE (#4415)
a313dd6 fix: add exists clause (#4191)
e1f29c2 fix: add missing autocomplete attributes to identifier_first strategy (#4215)
f441f41 fix: add missing csrf_token (#4363)
c10bb06 fix: add missing discriminator (#4365)
44eb305 fix: add missing saml group (#4268)
106163d fix: add missing submit group (#4354)
a043b43 fix: add missing values to the session method enum
9bc83a4 fix: add resend node to after registration verification flow (#4260)
245f5dc fix: add transient payload to fedcm (#4369)
aefa806 fix: allow patching some /credentials sub-paths (#4277)
7c63727 fix: also update identifiers (#4321)
8a220c0 fix: another apple fix
ec3ecc5 fix: apply strategy filters in identifier first as well (#4352)
ff5fa9b fix: better tracing in proxy HTTP
d9f6f75 fix: cancel conditional passkey before trying again (#4247)
44f97b8 fix: check aal on sessions list endpoint (#4305)
2a44fd5 fix: clarify import responses
79f4e2a fix: context passing and missing body close
b3af828 fix: copybara script
dc992d3 fix: correctly handle HTTP route patterns in metrics
9860c9a fix: count MFA addresses in CountActiveMultiFactorCredentials for code method
a000460 fix: deduplicate down migrations
7d0d7f6 fix: detect whether external_id is set in webhook response
ef9ee23 fix: div decoding (#4362)
82660f0 fix: do not roll back transaction on partial identity insert error (#4211)
97848c7 fix: don't remove OIDC buttons if invalid identifier is submitted
b95fd3f fix: don't show oidc subject in login hints (#4264)
6bbf915 fix: duplicate autocomplete trigger
0c48ad1 fix: enable b2b_sso hook in more places (#4168)
327c5a4 fix: ensure make quickstart-dev works without options (#4401)
5cae1f7 fix: ensure authentication method is added to session after linking OIDC provider
e9c6a18 fix: ensure context is not canceled during password hashing (#4364)
a4fd8ac fix: ensure that auto_link_credentials markers are being properly overwritten (#4320)
b629ca7 fix: escape IPv6 regex string
98b7acd fix: exclude nothing in copybara
68500d1 fix: exclude orgs (#4351)
66afac1 fix: explicity set updated_at field when updating identity (#4131)
26518b6 fix: failing CI in OSS repos
f1cfc36 fix: fix back button for recovery flow not showing in AX v1/v2
98f9897 fix: fix nil dereference & lint warnings
f9ffaae fix: fixed typo in description of api
93d364c fix: force SQL operator precedence in pagination v2 to ensure nid isolation
f475aea fix: force profile to be first hydrator in profile_first strategy (#4380)
3dbeb64 fix: gracefully handle unused index (#4196)
cf53971 fix: identity queries
b60edba fix: ignore CSRF on all apple provider callback URLs (#4291)
41b342c fix: ignore non SQL files when applying migrations
e8170fc fix: implicit transactions for cockroach v23.5 and simplified migration logic
687d578 fix: improve linking on OIDC signup (#4314)
7c0d9c6 fix: include go.mod in vendored oryx
f8ee403 fix: incorrect if switch in previous sceen case in two step registration
7d0e78a fix: incorrect query plan (#4218)
ed4fba3 fix: incorrect response code on account linking (#4336)
f3a3292 fix: jsonx.ApplyJSONPatch
335acd4 fix: login otp sent message
6f5e79a fix: make RecoveryAddress.ID optional to prevent errors
cfd213a fix: make external_id settable through webhook
bf2b34d fix: make external_id settable through webhook
d7d3ba4 fix: make node_type stricter per uiNodeAttributes type
57d86d2 fix: migration problems
b6278af fix: order-by clause and span names (#4200)
4ac6122 fix: otlp sampling rate default
7e0b500 fix: pass on correct context during verification (#4151)
5ee54ed fix: preview_credentials_identifier_similar (#4246)
3c84b7a fix: print correct content of down migrations
5bd3b52 fix: quick typo fix for kratos-oss test script run
18056a0 fix: registration post persist hooks should not be cancelable (#4148)
7dc28eb fix: reject invalid migration names
2cc2b69 fix: remove duplicate address verification
db8a94e fix: remove selfservice.methods.link.config.base_url
d9e3295 fix: rename b2b_sso hook (#4349)
dd589fa fix: return 404 on schema file not exists
119841a fix: return return_to code if already authenticated (#4286)
8379db8 fix: revert "fix: otlp sampling rate default (#9055)"
105018d fix: routes in AX with identity_schema
306316f fix: schema key (#4332)
7f50400 fix: send correct verification status in post-recovery hook (#4224)
07cb83c fix: set correct request url in acc linking and oidc flows (#4282)
6fb39e2 fix: set default for CYPRESS_OPTS
6e30865 fix: settings linking error override (#4368)
905d1e5 fix: show code email in most error states (#4338)
5b00fe1 fix: show_verification_ui in continue_with only if configured (#4402)
dbae98a fix: span names (#4232)
906f6c8 fix: stricter JSON patch checking for PATCH identities (#4263)
c433c44 fix: support show_verification_hook in settings hooks (#4410)
0332143 fix: tests for Kratos OSS Cypress
332873d fix: throw upstream error on OIDC issues
2f8aaee fix: truncate updated at (#4149)
13ebb69 fix: upgrade to go 1.24.4 to fix CVE-2025-4673
38f8b36 fix: use appleid audience for secret exchange
928c9f8 fix: use batch insert to speed up project changes
e6d2d4d fix: use context for readiness probes (#4219)
dc8b32e fix: use default group for signup nodes in oidc (#4414)
6776835 fix: use git hash to render ory x schema references
29eeb56 fix: use hard-coded fallback key instead of panic
49e472c fix: use non-alerting errors for errors not needing alerts
76afd6d fix: use updated appleid issuer
c7fedfe performance: run credential validation in its own goroutine when changing the password
53a5a8b refactor: hash comparator instantiation (#4195)
85bf18d refactor: move database meta functions to root x folder for reusability
e24f993 refactor: remove total count from listSessions and improve secondary indices (#4173)
f46aed1 refactor: two-step registration (#4348)
19a41ec revert: tests: improve randomness in e2e tests
c772d8b revert: use account.apple.com for oidc discovery and appleid.apple.com for token verification and signing
620e33e revert: use appleid audience for secret exchange
9697c45 revert: use updated appleid issuer
ee39bdb test(hydra): add snapshots for login & consent requests
0720950 test: add golangci-lint config and GHA
41c69db test: don't require DB for hasher tests
6297a8f test: improve pgxpool tests
6f32d5d test: resturcture and improve integration tests
b51f780 test: update snapshots (#4167)
ecfe435 tests: improve randomness in e2e tests

Artifacts can be verified with cosign using this public key.