github ory/kratos v25.4.0-pre.0

Pre-release, published 14 hours ago

v25.4.0-pre.0

Breaking Changes

The `require_verified_address` hook no longer returns a
plain error. Previously, users had to manually start the verification
flow, which caused a poor experience. Now, Ory Kratos automatically
creates a verification flow and redirects the user using `continue_with`
or an HTTP redirect. The verification flow starts with the first
verified address found for the user. This aligns the behavior of
`require_verified_address` with using the `verification` and
`show_verification_ui` hook combination for login.

Going forward, the node group of fields that are
failing validation during OIDC sign up is `default` and no longer
`oidc`. For now, you can get the legacy behavior back by turning on
`feature_flags.legacy_oidc_registration_node_group=true`.

Co-authored-by: Jonas Hungershausen jonas.hungershausen@ory.sh

Before this change, `show_verification_ui` would
always be included in `continue_with` for the registration flow when
verification was enabled. After this change, `show_verification_ui` is
only included when the `show_verification_ui` post-registration hook is
defined.

Account linking incorrectly returned a 200 OK status
code even though the login flow was not completed successfully. Going
forward, the correct 400 Bad Request status code will be sent when using the API
flow or `Accept: application/json`.

**Changes:**
- Add `LoginStarted` and `RegistrationStarted` events along with their
required attributes
- Sort all event attributes alphabetically
- Emit these events when a new login/registration flow is created,
*after* basic validation passed
- It is unclear yet how many of these events will be emitted, as such it
is suggested that in a first phase, they remain internal and are not yet
sent externally to avoid surprises (note: sometimes, these events can be
emitted without user action such as simply visiting/being redirected to
the sign-in page, etc)

Features

  • Add migrate sql up|down|status (#4228) (e6fa520):

    This patch adds the ability to execute down migrations using:

        kratos migrate sql down -e --steps {num_of_steps}

    Please read `kratos migrate sql down --help` carefully.

    Going forward, please use the following commands

        kratos migrate sql up ...
        kratos migrate sql status ...

    instead of the previous, now deprecated

        kratos migrate sql ...
        kratos migrate status ...

    commands.

    See https://github.com/ory-corp/cloud/issues/7350

  • Add new Division ui node attributes (235af52):

    Division nodes may be used to hook dynamic scripts and are not actively used in the Ory Kratos open source.

  • Add new endpoint to tokenize JWT with a webhook (f7fa792):

  • Add oid as subject source for microsoft (#4171) (77beb4d), closes #4170:

    In the case of Microsoft, using sub as an identifier can lead to problems. Because the use of OIDC at Microsoft is based on an app registration, the content of sub changes with every new app registration. Sub is therefore not uniquely related to the user. It is therefore not possible to transfer users from one app registration to another without further problems.
    https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#payload-claims

    With the use of oid it is possible to identify a user by a unique id.

  • Add support for Line v2.1 OIDC provider (#4240) (729effd):

    For OIDC Line Login, you only need to add id_token_key_type=JWK in the exchange step to issue
    tokens in ES256 format.

    #1116

  • Allow deleting password credentials (#4304) (f2212d4):

    The admin API did not allow deleting passwords at all. The restriction is now lifted to only block deletion of the first-factor credential if it is the last one.

  • Allow extra go migrations in persister (#4183) (7bec935)

  • Allow listing identities by organization ID (#4115) (b4c453b)

  • Allow setting the org ID on creation (#4306) (bccd2fb)

  • Autoconfigure kratos-changefeed (b8bf4c7):

  • Cache OIDC providers (#4222) (30485c4):

    This change significantly reduces the number of requests to /.well-known/openid-configuration endpoints.

  • changelog-oel: Choose identity schema in self-service registration and login flows (53f4b9f):

  • changelog-oel: Improved tracing and metrics for the high-performance SQL connection pool (ce1bf9f):

  • changelog: Add a new feature flag for the Recovery V2 to ensure backwards-compatibility (d68736b):

  • changelog: Add CourierMessageAbandoned & CourierMessageDispatched events (dfed493):

  • changelog: Find-by and delete SAML credentials (0c80f61):

  • changelog: Migrate http router to stdlib router (48f5adb):

  • changelog: Reject new password same as old password when changing the password (a7f50ab):

  • Console UI for multiple identity schemas (1145cda):

  • Domain telemetry improvements (93345d7):

  • Drop unused indices post index migration (#4201) (1008639)

  • Emit admin recovery code event (#4230) (a7cdc3a)

  • Emit event on Jsonnet claims mapping error (#4394) (8caebdb):

    We now emit an event containing the Jsonnet input and output in
    anonymized form when mapping the claims in the OIDC flow fails.

  • Emit events on jsonnet failure when templating a jwt (#4409) (959ded5):

    • Fix typo: parital -> partial
    • Document with comments why an event is not emitted or not documented
    • Emit JsonnetMappingFailed events on jsonnet failure when templating
      a jwt (see https://www.ory.sh/docs/identities/session-to-jwt-cors).
      After review it seems we otherwise always emit events in all the right
      places, except in this very case. Tested end-to-end manually with the
      UI.

    Related issue(s)

    https://github.com/ory-corp/cloud/issues/7291

  • Emit oryWebAuthnInitialized event once webauthn is initialized (b4485f4):

  • Enable JSONNet templating for password migration hook (#4390) (b162897):

    This enables JSONNet body templating for the password migration hook.
    There is also a significant refactoring of some internals around webhook config handling.

  • Fast add credential type lookups (#4177) (eeb1355)

  • Fewer DB loads when linking credentials, add tracing (2c5bb21)

  • Goreleaser (db10a68):

  • Gracefully handle failing password rehashing during login (#4235) (3905787):

    This fixes an issue where we would successfully import long passwords (>72 chars), but fail when the user attempts to login with the correct password because we can't rehash it. In this case, we simply issue a warning to the logs, keep the old hash intact, and continue logging in the user.

  • hydra: Split up persister (910cf9c):

  • Improve domain telemetry for OSS (Hydra & Kratos) (86ab72a):

  • Improve identity import limits (#4378) (e38e812)

  • Improve QueryForCredentials (#4181) (ca0d6a7)

  • Improve secondary indices for self service tables (#4179) (825aec2)

  • Improve verification required flows (#4407) (2014a40)

  • Improved tracing for courier (85a7071)

  • Index hint for CRDB when deleting identity credentials (#4276) (c703a33):

    Ref https://support.cockroachlabs.com/hc/en-us/requests/25430

  • Jackson provider (#4242) (f18d1b2):

    This adds a jackson provider to Kratos.

  • Load session only once when middleware is used (#4187) (234b6f2)

  • Monorepo (31f1894):

  • More extension points (#4272) (373a2e6):

    This adds more extension points to the Kratos registry.

  • Move config testhelpers to ory/x (8d43aae):

  • Optimize identity-related secondary indices (#4182) (53874c1)

  • Passwordless SMS and expiry notice in code / link templates (#4104) (462cea9):

    This feature allows Ory Kratos to use the SMS gateway for login and registration with code via SMS.

    Additionally, the default email and sms templates have been updated. We now also expose ExpiresInMinutes / expires_in_minutes in the templates, making it easier to remind the user how long the code or link is valid for.

    Closes #1570
    Closes #3779

  • Recovery with any address including with a code via SMS (71844dd):

  • Refactor cmd/daemon (#4371) (7fe55d9)

  • Remove duplicate queries during settings flow and use better index hint for credentials lookup (#4193) (c33965e):

    This patch reduces duplicate GetIdentity queries as part of submitting the settings flow, and improves an index to significantly reduce credential lookup.

    For better debugging, more tracing has been added to the settings module.

  • Remove more unused indices (#4186) (b294804)

  • Return field name in generated node text label (8c7a3dc):

  • Rework the OTP code submit count mechanism (#4251) (4ca4d79):

    • feat: rework the OTP code submit count mechanism

    Unlike what the previous comment suggested, incrementing and checking the submit count inside the
    database transaction is not actually optimal performance- or security-wise.

    We now atomically increment and check the submit count as the first part of the operation,
    and abort as early as possible if we detect brute-forcing. This prevents a situation where the
    check works only on certain transaction isolation levels.

    • chore: bump dependencies

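
As an added illustration of the ordering this note describes (constructed example code, not Kratos's own implementation): the reworked path advances and checks the counter in one step before it even compares the code, while the check-then-increment path is written with explicit sync points so its race is reproducible instead of timing-dependent. The `flow` struct, its mutex standing in for the database row, and the code values are assumptions.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"sync"
)

// Constructed example, not Kratos code: an in-memory stand-in for the per-flow
// submit counter Kratos keeps in its database. The mutex stands in for the row
// lock; the code "123456" and the limits used below are made up.

var (
	ErrTooManyAttempts = errors.New("too many code submissions")
	ErrCodeInvalid     = errors.New("code is invalid")
)

type flow struct {
	mu          sync.Mutex
	secret      string // the one-time code the user must present
	maxSubmits  int
	submitCount int
}

// incrementAndCheck is the equivalent of "UPDATE ... SET submit_count =
// submit_count + 1 RETURNING submit_count": advanced and observed in one step.
func (f *flow) incrementAndCheck() error {
	f.mu.Lock()
	defer f.mu.Unlock()
	f.submitCount++
	if f.submitCount > f.maxSubmits {
		return ErrTooManyAttempts
	}
	return nil
}

// submitAtomic is the reworked ordering: the attempt is counted before the code
// is looked at, so the limit holds under any interleaving, and a correct code
// presented after the limit is exhausted is still rejected.
func (f *flow) submitAtomic(code string) error {
	if err := f.incrementAndCheck(); err != nil {
		return err
	}
	if subtle.ConstantTimeCompare([]byte(code), []byte(f.secret)) != 1 {
		return ErrCodeInvalid
	}
	return nil
}

// submitCheckThenIncrement is the fragile ordering: read the counter, decide,
// write back later. The checked/release sync points make the race deterministic
// for the demonstration: every caller passes the check before any caller has
// written, which is exactly what a weak isolation level can allow.
func (f *flow) submitCheckThenIncrement(code string, checked, release *sync.WaitGroup) error {
	f.mu.Lock()
	over := f.submitCount >= f.maxSubmits
	f.mu.Unlock()
	checked.Done()
	if over {
		return ErrTooManyAttempts
	}
	release.Wait() // the window between the check and the write
	f.mu.Lock()
	f.submitCount++
	f.mu.Unlock()
	if subtle.ConstantTimeCompare([]byte(code), []byte(f.secret)) != 1 {
		return ErrCodeInvalid
	}
	return nil
}

// guessesPastLimit fires n concurrent wrong guesses at a fresh flow that allows
// maxSubmits attempts and returns how many of them reached the code comparison.
func guessesPastLimit(n, maxSubmits int, reworked bool) int {
	f := &flow{secret: "123456", maxSubmits: maxSubmits}
	var checked, release sync.WaitGroup
	checked.Add(n)
	release.Add(1)
	results := make(chan error, n)
	for i := 0; i < n; i++ {
		go func() {
			if reworked {
				checked.Done()
				results <- f.submitAtomic("000000")
				return
			}
			results <- f.submitCheckThenIncrement("000000", &checked, &release)
		}()
	}
	checked.Wait() // every caller has performed its check
	release.Done() // now let them all write
	past := 0
	for i := 0; i < n; i++ {
		if errors.Is(<-results, ErrCodeInvalid) {
			past++
		}
	}
	return past
}
```

With a limit of 5 and 20 concurrent guesses, the reworked ordering lets exactly 5 reach the comparison while the check-then-increment ordering lets all 20 through.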
  • Support android webauthn origins (#4155) (a82d288):

    This patch adds the ability to verify Android APK origins used during WebAuthn/Passkey exchange.

    Upgrades go-webauthn and includes fixes for Go 1.23 and workarounds for Swagger.

  • Support CRUD OIDC providers through the onboarding portal API (664fd1a):

  • Support importing more credentials (#4361) (9a6dadf):

    Adds support to import SAML credentials. SAML connections are only
    available in Ory Enterprise License / Ory Network.

  • Update only necessary database columns in UpdateVerifiableAddress (#4292) (168a3f6):

    This is an optimization to reduce database load.

    When we specify exactly which columns changed, we should be able to
    elide updates to the identity_verifiable_addresses_status_via_uq_idx (nid,via,value) index.
    Updating that index requires contacting remote regions.

    Also fixed a bug where we did not set the verified_at timestamp
    correctly sometimes.

  • Use one transaction for /admin/recovery/code (#4225) (3e87e0c)

  • Use stdlib HTTP router in Kratos (acfa6ef):

  • Use vendored ory/x (a9ab800):

  • Webhook header allowlist configuration option (#4309) (871f5aa), closes #4290:

    Adds a clients.web_hook.header_allowlist configuration option for
    configuring the webhook header allowlist.

Reverts

  • Tests: improve randomness in e2e tests (19a41ec):

  • Use account.apple.com for oidc discovery and appleid.apple.com for token verification and signing (c772d8b):

  • Use appleid audience for secret exchange (620e33e):

  • Use updated appleid issuer (9697c45):

Tests

  • Add golangci-lint config and GHA (0720950):

  • Don't require DB for hasher tests (41c69db):

  • hydra: Add snapshots for login & consent requests (ee39bdb):

  • Restructure and improve integration tests (6f32d5d):

  • Update snapshots (#4167) (b51f780)

Unclassified

  • Improve randomness in e2e tests (ecfe435):

  • Run credential validation in its own goroutine when changing the password (c7fedfe):

Changelog

  • 1a78af0 autogen(docs): generate and bump docs
  • 7ea6e4d autogen(docs): generate and bump docs
  • df31e46 autogen(docs): regenerate and update changelog
  • 02f1a93 autogen(docs): regenerate and update changelog
  • eb563c2 autogen(docs): regenerate and update changelog
  • df2e1f0 autogen(docs): regenerate and update changelog
  • 63800ec autogen(docs): regenerate and update changelog
  • 53e733b autogen(docs): regenerate and update changelog
  • 4916616 autogen(docs): regenerate and update changelog
  • 91145e1 autogen(docs): regenerate and update changelog
  • bafd32a autogen(docs): regenerate and update changelog
  • a6c71e5 autogen(docs): regenerate and update changelog
  • 8cce35b autogen(docs): regenerate and update changelog
  • ef2ad44 autogen(docs): regenerate and update changelog
  • ea4da51 autogen(docs): regenerate and update changelog
  • 8cd1ce5 autogen(docs): regenerate and update changelog
  • 74f97f5 autogen(docs): regenerate and update changelog
  • b1fe71a autogen(docs): regenerate and update changelog
  • 13f3eb8 autogen(docs): regenerate and update changelog
  • 4b46b97 autogen(docs): regenerate and update changelog
  • 18755fe autogen(docs): regenerate and update changelog
  • 80183b6 autogen(docs): regenerate and update changelog
  • 68074a3 autogen(docs): regenerate and update changelog
  • 76fe6e0 autogen(docs): regenerate and update changelog
  • 276a080 autogen(docs): regenerate and update changelog
  • 354a074 autogen(docs): regenerate and update changelog
  • dabbfdd autogen(docs): regenerate and update changelog
  • b6922c8 autogen(docs): regenerate and update changelog
  • b810c34 autogen(docs): regenerate and update changelog
  • 4d5f644 autogen(docs): regenerate and update changelog
  • b96f0ce autogen(docs): regenerate and update changelog
  • 362cc67 autogen(docs): regenerate and update changelog
  • 701ecbc autogen(docs): regenerate and update changelog
  • f3e7d70 autogen(docs): regenerate and update changelog
  • bc9c4fb autogen(docs): regenerate and update changelog
  • 9e85871 autogen(docs): regenerate and update changelog
  • 712dad3 autogen(docs): regenerate and update changelog
  • 631c4be autogen(docs): regenerate and update changelog
  • d5e0f6f autogen(docs): regenerate and update changelog
  • b449fb5 autogen(docs): regenerate and update changelog
  • 020d3de autogen(docs): regenerate and update changelog
  • 793e1eb autogen(docs): regenerate and update changelog
  • 89a6c89 autogen(docs): regenerate and update changelog
  • a3fa760 autogen(docs): regenerate and update changelog
  • 6eeeaa8 autogen(docs): regenerate and update changelog
  • a1d3eaf autogen(docs): regenerate and update changelog
  • 97bece4 autogen(docs): regenerate and update changelog
  • 2fdcd97 autogen(docs): regenerate and update changelog
  • 390807e autogen(docs): regenerate and update changelog
  • 6db6346 autogen(docs): regenerate and update changelog
  • 20b9b11 autogen(docs): regenerate and update changelog
  • 5ae668d autogen(docs): regenerate and update changelog
  • 74a1557 autogen(docs): regenerate and update changelog
  • 7784a60 autogen(docs): regenerate and update changelog
  • fa8c94c autogen(docs): regenerate and update changelog
  • 11705a5 autogen(docs): regenerate and update changelog
  • 2830e74 autogen(docs): regenerate and update changelog
  • 0c22b8d autogen(docs): regenerate and update changelog
  • 3e8f50a autogen(docs): regenerate and update changelog
  • 5665f20 autogen(docs): regenerate and update changelog
  • 57fef20 autogen(docs): regenerate and update changelog
  • 215af57 autogen(docs): regenerate and update changelog
  • 25b862b autogen(docs): regenerate and update changelog
  • 18d7f5e autogen(docs): regenerate and update changelog
  • daa5737 autogen(docs): regenerate and update changelog
  • 74ae377 autogen(docs): regenerate and update changelog
  • 5c3310d autogen(docs): regenerate and update changelog
  • deb3661 autogen(docs): regenerate and update changelog
  • a893cd8 autogen(docs): regenerate and update changelog
  • 2fcc786 autogen(docs): regenerate and update changelog
  • 6fea496 autogen(docs): regenerate and update changelog
  • 0d1d003 autogen(docs): regenerate and update changelog
  • c9fe7d6 autogen(docs): regenerate and update changelog
  • 816ea44 autogen(docs): regenerate and update changelog
  • f7ddaae autogen(docs): regenerate and update changelog
  • c61132e autogen(docs): regenerate and update changelog
  • 5e26610 autogen(docs): regenerate and update changelog
  • 57eb414 autogen(docs): regenerate and update changelog
  • c17fb30 autogen(docs): regenerate and update changelog
  • 0d25727 autogen(docs): regenerate and update changelog
  • 05c5e48 autogen(docs): regenerate and update changelog
  • 7c24b77 autogen(docs): regenerate and update changelog
  • 6a40ec8 autogen(docs): regenerate and update changelog
  • f75bf14 autogen(docs): regenerate and update changelog
  • 253c5b6 autogen(docs): regenerate and update changelog
  • b40606c autogen(docs): regenerate and update changelog
  • 9d3afa7 autogen(docs): regenerate and update changelog
  • f104ec1 autogen(openapi): regenerate swagger spec and internal client
  • 5bf46cb autogen(openapi): regenerate swagger spec and internal client
  • fd73955 autogen(openapi): regenerate swagger spec and internal client
  • 2040ca5 autogen(openapi): regenerate swagger spec and internal client
  • 751ba69 autogen(openapi): regenerate swagger spec and internal client
  • b188e18 autogen(openapi): regenerate swagger spec and internal client
  • 7093c3b autogen(openapi): regenerate swagger spec and internal client
  • 307c99c autogen(openapi): regenerate swagger spec and internal client
  • 053b161 autogen(openapi): regenerate swagger spec and internal client
  • 0a828a4 autogen(openapi): regenerate swagger spec and internal client
  • d31c1ee autogen(openapi): regenerate swagger spec and internal client
  • f3958a7 autogen(openapi): regenerate swagger spec and internal client
  • 5e7366c autogen(openapi): regenerate swagger spec and internal client
  • 60d1641 autogen(openapi): regenerate swagger spec and internal client
  • df2f186 autogen(openapi): regenerate swagger spec and internal client
  • 47e583b autogen(openapi): regenerate swagger spec and internal client
  • eb0080d autogen(openapi): regenerate swagger spec and internal client
  • 7294145 autogen(openapi): regenerate swagger spec and internal client
  • 6b81d4a autogen(openapi): regenerate swagger spec and internal client
  • cbc38e8 autogen(openapi): regenerate swagger spec and internal client
  • fc03889 autogen(openapi): regenerate swagger spec and internal client
  • c7e46a4 autogen(openapi): regenerate swagger spec and internal client
  • 1bf108e autogen(openapi): regenerate swagger spec and internal client
  • 5621ec5 autogen(openapi): regenerate swagger spec and internal client
  • 2037e6e autogen(openapi): regenerate swagger spec and internal client
  • 32853dd autogen(openapi): regenerate swagger spec and internal client
  • eb48b61 autogen(openapi): regenerate swagger spec and internal client
  • 45538f1 autogen(openapi): regenerate swagger spec and internal client
  • 9d244f0 autogen(openapi): regenerate swagger spec and internal client
  • 4910460 autogen(openapi): regenerate swagger spec and internal client
  • 3b63c2d autogen(openapi): regenerate swagger spec and internal client
  • f758170 autogen(sdk): bump to 056bd4a9d7ab75942b1f5cd8567172f2c677f240
  • 7857efc autogen(sdk): bump to 75f32e68695ea5d7765019b4a21518fef880b9c1
  • 213199f autogen(sdk): bump to c7456c98d0d168c7e616701fd608a4590a913bc8
  • 6d3120f autogen(sdk): bump to e053d3d2ff76e9368800441286c19b377ae84a19
  • 8acf6b2 autogen(sdk): bump to ed5c7faf75cfb08af5b84cbede18a8e4d1bfd9dc
  • 648f917 autogen(sdk): bump to f7fdf0d23e41b4e0bd817c550878775525d24d10
  • 4f1a2b7 autogen: add v1.3.0 to version.schema.json
  • f72af7d autogen: update license overview
  • c5525c1 autogen: update license overview
  • c443faa autogen: update license overview
  • 5820129 autogen: update license overview
  • 59d44f6 autogen: update license overview
  • ae0ac73 autogen: update license overview
  • fbd2e44 autogen: update license overview
  • afb43c3 autogen: update license overview
  • cb823da autogen: update license overview
  • e26aab1 autogen: update license overview
  • 861063d autogen: update license overview
  • 316e051 autogen: update license overview
  • 8967cc7 autogen: update license overview
  • 18be2f6 autogen: update license overview
  • bd47362 autogen: update license overview
  • f5f5604 autogen: update license overview
  • f766645 autogen: update license overview
  • 23f3232 autogen: update license overview
  • cb6a32e autogen: update license overview
  • 5e94d50 autogen: update license overview
  • 869ca2e autogen: update license overview
  • 2acaf78 autogen: update license overview
  • 7d60364 autogen: update license overview
  • ff0f88b autogen: update license overview
  • 3e4da0b autogen: update license overview
  • 474c45f autogen: update license overview
  • 4b568d2 autogen: update license overview
  • 9581e9c autogen: update license overview
  • f1349ba autogen: update license overview
  • 9338f3b autogen: update license overview
  • 941ce2a autogen: update license overview
  • 5876555 autogen: update license overview
  • 72b2211 autogen: update license overview
  • eee9be6 autogen: update license overview
  • a71d674 autogen: update license overview
  • a4e7ff8 autogen: update license overview
  • 8df7a0c autogen: update license overview
  • d74a608 autogen: update license overview
  • b23d81f autogen: update license overview
  • 88b8771 autogen: update license overview
  • ad15a55 autogen: update license overview
  • 199f4e5 autogen: update license overview
  • c8de9f1 autogen: update license overview
  • 081f63e chore(backoffice): fix numerous lint warnings
  • 85aeb5b chore(ci): adjust codecov config (#4234)
  • cc014ee chore(deps): bump @nestjs/common and @openapitools/openapi-generator-cli (#4397)
  • 4415b49 chore(deps): bump axios and wait-on in /test/e2e (#4334)
  • 6d8d8ed chore(deps): bump axios, @openapitools/openapi-generator-cli and wait-on (#4366)
  • f019a1c chore(deps): bump cookie and express in /test/e2e/proxy (#4153)
  • 43ab7c5 chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.3 to 3.0.4 (#4325)
  • 5522d42 chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#4319)
  • 7fad519 chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#4189)
  • 39f0276 chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#4358)
  • 5f47ac4 chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 (#4357)
  • c442302 chore(deps): bump golang.org/x/net from 0.33.0 to 0.36.0 (#4337)
  • bb5f488 chore(deps): bump path-to-regexp and express in /test/e2e/proxy (#4238)
  • 732f098 chore(e2e): stabilize chromatic snapshots
  • 6b2b90e chore(hydra): registry setup refactoring
  • 3215ab2 chore(kratos): cleanup and improve some tests
  • 56525d4 chore(kratos): simplify internal APIs
  • 0969901 chore: add missing deprecation events for legacy feature flags
  • d5229ef chore: add pagination secrets for Kratos
  • fc68716 chore: add pre-release workflows for oss
  • cfa1703 chore: add recovery v2 new fields
  • 187f711 chore: add utility functions to kratos/request & tests to RemoveDisallowedHe…
  • 9871185 chore: additional pop options
  • f9640ff chore: adjust project automation (#4143)
  • eb12772 chore: axios update
  • 2e84f49 chore: bump Go everywhere
  • 802b45b chore: bump deps
  • 2b0acb7 chore: bump go deps
  • f49b440 chore: bump go to 1.24.6
  • c19b4e5 chore: bump golang in kratos oss
  • d03d37d chore: bump golang.org/x/crypto
  • d5cfa89 chore: bump ory/x (#4229)
  • bf674d1 chore: bump ory/x and ristretto (#4340)
  • 94558e3 chore: bump pop to master
  • 2ee96b7 chore: bump sec deps
  • 332eaee chore: bump sec deps
  • 9c7def8 chore: cleanup oss workflows
  • 9959545 chore: document test migration (#4265)
  • cb10bca chore: fix build for kratos-oss
  • 3d0ae83 chore: fix kratos linting issues
  • a63b7cc chore: force replacements where expected
  • 5ea53fa chore: format
  • 4609ebf chore: gh actions and node lib updates
  • 90f2490 chore: go mod tidy to unblock CI
  • c27cbe6 chore: improve migration testdata and assertions
  • b26c652 chore: make tools indirect dependencies (#4345)
  • 0636433 chore: merge ory/x repo
  • 3a726a2 chore: minor bugs and improvements (#4331)
  • aa4229d chore: more gh actions and npm lib updates
  • 05409be chore: pin GHA PM action version (#4213)
  • 888b42a chore: recovery_code is duplicated in the schema
  • 3dd9dec chore: refactor parameter parsing in ListIdentities and disallow combining filters
  • 9c337a5 chore: remove asserts on ory.sh
  • 9931ea5 chore: remove counting courier messages
  • f7f7bb9 chore: remove fizz migration files (#4343)
  • 065e0c3 chore: remove sdk generation action
  • 15ac98e chore: replace deprecated usages
  • 7add07d chore: revert external_id feature
  • 67cb364 chore: run go mod tidy during internal SDK generation (#4344)
  • 60a8c5b chore: run oss cypress tests on custom runners
  • 286d874 chore: shared serve config
  • 9e94951 chore: simplify service and option loading
  • 22887ef chore: stabilize order of recovery addresses
  • 629d867 chore: synchronize workspaces (#4140)
  • 1642866 chore: template migration command help
  • ddcc58c chore: tracing in errors
  • a56c3c0 chore: un-revert external_id feature
  • 61a649d chore: update OSS readme
  • 73d287e chore: update codeowners (#4256)
  • ef2dc19 chore: update copybara rules
  • 0ebf2ac chore: update copybara transformation
  • 0bce294 chore: update docs on ListIdentities (#4248)
  • a7b8029 chore: update error event name (#4375)
  • ab6d023 chore: update github actions
  • 2515129 chore: update github actions
  • 6a7a203 chore: update ory/x version to get the jsonnet runtime limits
  • 964f524 chore: update oss release workflows
  • c4b3dd6 chore: update repository templates to ory/meta@000f213
  • 8cbb5bd chore: update repository templates to ory/meta@1af2225
  • 7578f00 chore: update repository templates to ory/meta@44efd83
  • 555c997 chore: update repository templates to ory/meta@6dd5819
  • 2a4b8c7 chore: update repository templates to ory/meta@7ba4064
  • 7304572 chore: update repository templates to ory/meta@83e71e6
  • d4f96ce chore: update repository templates to ory/meta@b1eed88
  • 924fa61 chore: update repository templates to ory/meta@bc603a6
  • 1faf7cc chore: update repository templates to ory/meta@c091d79
  • 898fcb4 chore: update repository templates to ory/meta@cb2a20f
  • 38641c8 chore: update repository templates to ory/meta@cbb120b
  • c80dd80 chore: update repository templates to ory/meta@d919e6f
  • 3622cd5 chore: update repository templates to ory/meta@e54ac5d
  • dc46e8d chore: update repository templates to ory/meta@fc1b4d6
  • 15f3eb3 chore: update sdks and openapi spec
  • 3904795 chore: upgrade Cypress
  • b42b42a chore: upgrade crdb to v25.2 everywhere & deflake CI!
  • 25429fa chore: upgrade lib phone numbers to v1.4.1 (#4250)
  • fee7cae chore: upgrade playwright (#4255)
  • 66edadd chore: upgrade sdk generator (#4327)
  • bdb046d chore: upgrade to go 1.24 (#4313)
  • c829295 chore: use dedicated ory fork of pop
  • 25f17e7 ci: fix rate-limit trivy issue (#4184)
  • 3d112f8 ci: improve codecov config (#4339)
  • 9350701 ci: resolve test fixture issues (#4411)
  • 405f2f0 docs(kratos): better identity handler description
  • b22135f docs: add return_to query parameter to OAS Verification Flow for Native Apps (#4086)
  • a90df58 docs: clarify facebook graph API versioning (#4208)
  • b388a4a docs: defining oid as oidc subject_source (#4270)
  • 0062d45 docs: improve SecurityError error message for ory elements local (#4205)
  • f076fe4 docs: remove unused SMS config from schema (#4212)
  • cb71e38 docs: usage of organization parameter in native self-service flows (#4176)
  • dfed493 feat(changelog): add CourierMessageAbandoned & CourierMessageDispatched events
  • d68736b feat(changelog): add a new feature flag for the Recovery V2 to ensure backwards-compatibility
  • 0c80f61 feat(changelog): find-by and delete SAML credentials
  • 48f5adb feat(changelog): migrate http router to stdlib router
  • a7f50ab feat(changelog): reject new password same as old password when changing the password
  • 53f4b9f feat(changelog-oel): choose identity schema in self-service registration and login flows
  • ce1bf9f feat(changelog-oel): improved tracing and metrics for the high-performance SQL connection pool
  • 910cf9c feat(hydra): split up persister
  • fb8856e feat: add HTML email support to HTTP channel (#4387)
  • 7032fec feat: add LoginStarted and RegistrationStarted events (#4404)
  • e2f878a feat: add a policy callback to customize OIDC credential linking (#4302)
  • 0e68c7e feat: add a project revision field to set the maximum number of code submits
  • eb9d934 feat: add ability to send recovery code via sms
  • edb9e0c feat: add allowed domains configuration for captcha
  • 00da05d feat: add attributes to webhook events for better debugging (#4206)
  • eca4ae9 feat: add captcha group to first-step registration
  • 261596b feat: add context param to policy (#4315)
  • 1c33c39 feat: add email domain matcher (#4373)
  • 2aabe12 feat: add explicit config flag for secure cookies (#4180)
  • 335a1e8 feat: add external ID to identities
  • afa7618 feat: add failure reason to events (#4203)
  • e6fa520 feat: add migrate sql up|down|status (#4228)
  • 235af52 feat: add new Division ui node attributes
  • f7fa792 feat: add new endpoint to tokenize JWT with a webhook
  • 77beb4d feat: add oid as subject source for microsoft (#4171)
  • 729effd feat: add support for Line v2.1 OIDC provider (#4240)
  • f2212d4 feat: allow deleting password credentials (#4304)
  • 7bec935 feat: allow extra go migrations in persister (#4183)
  • b4c453b feat: allow listing identities by organization ID (#4115)
  • bccd2fb feat: allow setting the org ID on creation (#4306)
  • b8bf4c7 feat: autoconfigure kratos-changefeed
  • 30485c4 feat: cache OIDC providers (#4222)
  • 1145cda feat: console UI for multiple identity schemas
  • 93345d7 feat: domain telemetry improvements
  • 1008639 feat: drop unused indices post index migration (#4201)
  • a7cdc3a feat: emit admin recovery code event (#4230)
  • 8caebdb feat: emit event on Jsonnet claims mapping error (#4394)
  • 959ded5 feat: emit events on jsonnet failure when templating a jwt (#4409)
  • b4485f4 feat: emit oryWebAuthnInitialized event once webauthn is initialized
  • b162897 feat: enable JSONNet templating for password migration hook (#4390)
  • eeb1355 feat: fast add credential type lookups (#4177)
  • 2c5bb21 feat: fewer DB loads when linking credentials, add tracing
  • db10a68 feat: goreleaser
  • 3905787 feat: gracefully handle failing password rehashing during login (#4235)
  • ca0d6a7 feat: improve QueryForCredentials (#4181)
  • 86ab72a feat: improve domain telemetry for OSS (Hydra & Kratos)
  • e38e812 feat: improve identity import limits (#4378)
  • 825aec2 feat: improve secondary indices for self service tables (#4179)
  • 2014a40 feat: improve verification required flows (#4407)
  • 85a7071 feat: improved tracing for courier
  • c703a33 feat: index hint for CRDB when deleting identity credentials (#4276)
  • f18d1b2 feat: jackson provider (#4242)
  • 234b6f2 feat: load session only once when middleware is used (#4187)
  • 31f1894 feat: monorepo
  • 373a2e6 feat: more extension points (#4272)
  • 8d43aae feat: move config testhelpers to ory/x
  • 53874c1 feat: optimize identity-related secondary indices (#4182)
  • 462cea9 feat: passwordless SMS and expiry notice in code / link templates (#4104)
  • 71844dd feat: recovery with any address including with a code via SMS
  • 7fe55d9 feat: refactor cmd/daemon (#4371)
  • c33965e feat: remove duplicate queries during settings flow and use better index hint for credentials lookup (#4193)
  • b294804 feat: remove more unused indices (#4186)
  • 8c7a3dc feat: return field name in generated node text label
  • 4ca4d79 feat: rework the OTP code submit count mechanism (#4251)
  • 664fd1a feat: support CRUD OIDC providers through the onboarding portal API
  • a82d288 feat: support android webauthn origins (#4155)
  • 9a6dadf feat: support importing more credentials (#4361)
  • 168a3f6 feat: update only necessary database columns in UpdateVerifiableAddress (#4292)
  • 3e87e0c feat: use one transaction for /admin/recovery/code (#4225)
  • acfa6ef feat: use stdlib HTTP router in Kratos
  • a9ab800 feat: use vendored ory/x
  • 871f5aa feat: webhook header allowlist configuration option (#4309)
  • ae80380 fix(deps): update go-x
  • a6ac143 fix(hydra): instrument metrics also on public endpoints
  • da4ea07 fix(hydra): use prometheus metrics instead of SQA metrics
  • 639f765 fix(kratos): do not explicitly pass identity schema on step-up login
  • 241111b fix(sdk): add missing captcha group (#4254)
  • 4127cbb fix(sdk): add missing enum type to autocomplete (#4396)
  • 88c68aa fix(sdk): remove incorrect attributes (#4163)
  • c3f4ecf fix: IdentityCreated is over-reporting on error inserts (#4323)
  • e13687a fix: accept login challenge in session_issuer on SPA flows (#4288)
  • 7ca3b6b fix: accept login_challenge in SPA verification flows (#4284)
  • 8e29b68 fix: account linking should only happen after 2fa when required (#4174)
  • 4a870a6 fix: account linking with 2FA (#4188)
  • 292f65d fix: add default issuer URL for LINE (#4415)
  • a313dd6 fix: add exists clause (#4191)
  • e1f29c2 fix: add missing autocomplete attributes to identifier_first strategy (#4215)
  • f441f41 fix: add missing csrf_token (#4363)
  • c10bb06 fix: add missing discriminator (#4365)
  • 44eb305 fix: add missing saml group (#4268)
  • 106163d fix: add missing submit group (#4354)
  • a043b43 fix: add missing values to the session method enum
  • 9bc83a4 fix: add resend node to after registration verification flow (#4260)
  • 245f5dc fix: add transient payload to fedcm (#4369)
  • aefa806 fix: allow patching some /credentials sub-paths (#4277)
  • 7c63727 fix: also update identifiers (#4321)
  • 8a220c0 fix: another apple fix
  • ec3ecc5 fix: apply strategy filters in identifier first as well (#4352)
  • d9f6f75 fix: cancel conditional passkey before trying again (#4247)
  • 44f97b8 fix: check aal on sessions list endpoint (#4305)
  • 2a44fd5 fix: clarify import responses
  • 79f4e2a fix: context passing and missing body close
  • b3af828 fix: copybara script
  • dc992d3 fix: correctly handle HTTP route patterns in metrics
  • 9860c9a fix: count MFA addresses in CountActiveMultiFactorCredentials for code method
  • a000460 fix: deduplicate down migrations
  • 7d0d7f6 fix: detect whether external_id is set in webhook response
  • ef9ee23 fix: div decoding (#4362)
  • 82660f0 fix: do not roll back transaction on partial identity insert error (#4211)
  • 97848c7 fix: don't remove OIDC buttons if invalid identifier is submitted
  • b95fd3f fix: don't show oidc subject in login hints (#4264)
  • 6bbf915 fix: duplicate autocomplete trigger
  • 0c48ad1 fix: enable b2b_sso hook in more places (#4168)
  • 327c5a4 fix: ensure make quickstart-dev works without options (#4401)
  • 5cae1f7 fix: ensure authentication method is added to session after linking OIDC provider
  • e9c6a18 fix: ensure context is not canceled during password hashing (#4364)
  • a4fd8ac fix: ensure that auto_link_credentials markers are being properly overwritten (#4320)
  • b629ca7 fix: escape IPv6 regex string
  • 98b7acd fix: exclude nothing in copybara
  • 68500d1 fix: exclude orgs (#4351)
  • 66afac1 fix: explicitly set updated_at field when updating identity (#4131)
  • 26518b6 fix: failing CI in OSS repos
  • f1cfc36 fix: fix back button for recovery flow not showing in AX v1/v2
  • 98f9897 fix: fix nil dereference & lint warnings
  • 93d364c fix: force SQL operator precedence in pagination v2 to ensure nid isolation
  • f475aea fix: force profile to be first hydrator in profile_first strategy (#4380)
  • 3dbeb64 fix: gracefully handle unused index (#4196)
  • cf53971 fix: identity queries
  • b60edba fix: ignore CSRF on all apple provider callback URLs (#4291)
  • 41b342c fix: ignore non SQL files when applying migrations
  • 687d578 fix: improve linking on OIDC signup (#4314)
  • 7c0d9c6 fix: include go.mod in vendored oryx
  • f8ee403 fix: incorrect if switch in previous screen case in two step registration
  • 7d0e78a fix: incorrect query plan (#4218)
  • ed4fba3 fix: incorrect response code on account linking (#4336)
  • f3a3292 fix: jsonx.ApplyJSONPatch
  • 335acd4 fix: login otp sent message
  • bf2b34d fix: make external_id settable through webhook
  • cfd213a fix: make external_id settable through webhook
  • d7d3ba4 fix: make node_type stricter per uiNodeAttributes type
  • 57d86d2 fix: migration problems
  • b6278af fix: order-by clause and span names (#4200)
  • 4ac6122 fix: otlp sampling rate default
  • 7e0b500 fix: pass on correct context during verification (#4151)
  • 5ee54ed fix: preview_credentials_identifier_similar (#4246)
  • 3c84b7a fix: print correct content of down migrations
  • 5bd3b52 fix: quick typo fix for kratos-oss test script run
  • 18056a0 fix: registration post persist hooks should not be cancelable (#4148)
  • 7dc28eb fix: reject invalid migration names
  • 2cc2b69 fix: remove duplicate address verification
  • db8a94e fix: remove selfservice.methods.link.config.base_url
  • d9e3295 fix: rename b2b_sso hook (#4349)
  • dd589fa fix: return 404 on schema file not exists
  • 119841a fix: return return_to code if already authenticated (#4286)
  • 8379db8 fix: revert "fix: otlp sampling rate default (#9055)"
  • 105018d fix: routes in AX with identity_schema
  • 306316f fix: schema key (#4332)
  • 7f50400 fix: send correct verification status in post-recovery hook (#4224)
  • 07cb83c fix: set correct request url in acc linking and oidc flows (#4282)
  • 6fb39e2 fix: set default for CYPRESS_OPTS
  • 6e30865 fix: settings linking error override (#4368)
  • 905d1e5 fix: show code email in most error states (#4338)
  • 5b00fe1 fix: show_verification_ui in continue_with only if configured (#4402)
  • dbae98a fix: span names (#4232)
  • 906f6c8 fix: stricter JSON patch checking for PATCH identities (#4263)
  • c433c44 fix: support show_verification_hook in settings hooks (#4410)
  • 0332143 fix: tests for Kratos OSS Cypress
  • 332873d fix: throw upstream error on OIDC issues
  • 2f8aaee fix: truncate updated at (#4149)
  • 13ebb69 fix: upgrade to go 1.24.4 to fix CVE-2025-4673
  • 38f8b36 fix: use appleid audience for secret exchange
  • 928c9f8 fix: use batch insert to speed up project changes
  • e6d2d4d fix: use context for readiness probes (#4219)
  • dc8b32e fix: use default group for signup nodes in oidc (#4414)
  • 6776835 fix: use git hash to render ory x schema references
  • 29eeb56 fix: use hard-coded fallback key instead of panic
  • 49e472c fix: use non-alerting errors for errors not needing alerts
  • 76afd6d fix: use updated appleid issuer
  • c7fedfe performance: run credential validation in its own goroutine when changing the password
  • 53a5a8b refactor: hash comparator instantiation (#4195)
  • 85bf18d refactor: move database meta functions to root x folder for reusability
  • e24f993 refactor: remove total count from listSessions and improve secondary indices (#4173)
  • f46aed1 refactor: two-step registration (#4348)
  • 19a41ec revert: tests: improve randomness in e2e tests
  • c772d8b revert: use account.apple.com for oidc discovery and appleid.apple.com for token verification and signing
  • 620e33e revert: use appleid audience for secret exchange
  • 9697c45 revert: use updated appleid issuer
  • ee39bdb test(hydra): add snapshots for login & consent requests
  • 0720950 test: add golangci-lint config and GHA
  • 41c69db test: don't require DB for hasher tests
  • 6f32d5d test: restructure and improve integration tests
  • b51f780 test: update snapshots (#4167)
  • ecfe435 tests: improve randomness in e2e tests

Artifacts can be verified with cosign using this public key.
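The release page only says that artifacts can be verified with cosign; the script below is an added example, not part of the release notes or the ory/kratos repository, showing the two checks a practitioner would chain together: first verify the cosign signature on the checksums file, then verify the downloaded archive against that now-trusted checksums file. It assumes the public key has been saved locally as `cosign.pub` and that the release ships `checksums.txt` with a detached `checksums.txt.sig` next to the archives (the goreleaser layout); neither file name is stated on the page.

```shell
#!/bin/sh
# Added example for verifying a release archive. Not from the release page.
# Assumptions (not stated on the page): the cosign public key is saved as
# cosign.pub, and the release ships checksums.txt plus checksums.txt.sig.
set -eu

# Step 1: the signature on the checksums file proves it came from the
# publisher's key. Requires the cosign CLI on PATH.
verify_checksums_signature() {
  key="$1"; sums="$2"; sig="$3"
  cosign verify-blob --key "$key" --signature "$sig" "$sums"
}

# Step 2: the archive's sha256 must match the entry in the signed checksums
# file. Only trust this result after step 1 succeeded; an unsigned
# checksums.txt could be swapped together with the archive.
verify_archive_checksum() {
  sums="$1"; archive="$2"
  expected=$(awk -v f="$archive" '$2 == f { print $1 }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $archive" >&2
    return 1
  fi
  actual=$(sha256sum "$archive" | awk '{ print $1 }')
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $archive" >&2
    return 1
  fi
  return 0
}

# Full procedure (hypothetical archive name; run in the download directory).
verify_release() {
  archive="$1"
  verify_checksums_signature cosign.pub checksums.txt checksums.txt.sig
  verify_archive_checksum checksums.txt "$archive"
}
```

Run `verify_release <archive>` from the directory holding the downloaded files. Note that a signature check alone does not protect the archive: it is the combination of the signed checksums file and the hash comparison that ties the bytes on disk to the publisher's key.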
