github ory/kratos v26.2.0

v26.2.0

Bug Fixes

  • remove more instances of injecting unrecoverable email faults (81e9151):

  • Add missing indices on identity_id (a085d87):

  • Add missing StrategyUsed attribute to Login and registration events (e72c297):

  • Add missing transient nodes clear (ed56dac):

  • Add oidc linking/unlinking to api settings flow (6a6928c):

  • Always retry curl invocations to surmount transient third-party failures (2473954):

  • Base64encoded schemaURL cannot be resolved (a86c212):

  • Batch identity error propagation (2f9c3e3):

  • Clarify password import (849b0de):

  • Context passing in jsonnetsecure (7e33125):

  • Correctly scan SQL NULL into go JSON types (6183672):

  • Courier should not retry message dispatches in one go (70f7b38):

  • Data race making test flaky (c651ecf):

  • Deadlock when using -parallel 1 (8adaa02):

  • Don't attempt to redirect to ory.com in kratos tests (a06b3c2):

  • Down migrations in newer MySQL versions (e948a0b):

  • Duplicate credential error placeholder case mismatch (84ee596):

  • Failing down migration (7bb24c5):

  • Fetch login challenge after code submissions (048d315):

  • Fix benchmark test (2886abe):

  • Fix data race in courier test by protecting slice with mutex (6673982):

  • Fix flaky email test (01e1dd0):

  • Handle batch identities errors more gracefully (952d7ea):

  • Incorrect default value for page_tokens (9a5f8b9):

  • Incorrect error handling (1757cdd):

  • Incorrect usage of database/sql (590d898):

  • kratos: Otp fast-path 2fa body error (95341a8):

  • Lint (e7045c5):

  • Pass transient payload to webhooks in API/native OIDC flows (d023775):

  • Properly accept login challenge in verification after login flows (f6d59bb):

  • Recovery code expires_in regression (8f54814):

  • Recovery code expiry error (3447e0a):

  • Redact subject codes (071ad54):

  • Remove flaky test for unused function (b4d8591):

  • Remove redundant ORDER BY in QueryForCredentials (65b27fd):

  • Remove WithDumpMigrations option to MigrationBox (7ee85fb):

  • Request log config key (1799e3a):

  • Resolve incorrect error handling (9144b55):

  • Resolve null response in OAuth2 flow with existing session (e7d8bd1):

  • Return a specific error message for email & phone validation errors (d6b0f49):

  • Return correct CSRF errors (b7b7fd4):

  • Return oauth2 login challenge on Bad Request in self-service flows (bc33d5c):

  • Seamlessly migrate existing users to SCIM (76d35cf):

  • Show captcha on otp submission (039d5bc):

  • Stray debug print (3da622f):

  • Transfer OAuth2 login challenge in account linking flow (1ab143c):

  • Update CONTRIBUTING.md (95bf33b):

  • Update dependencies and replace @ory/client for kratos-selfserivce-ui-react-native (3d88a43):

  • Update packages to fix GHSA-7h2j-956f-4vf2 (79fb49d):

  • Upgrade vulnerable dependencies across Go and npm (c2adee4):

    Co-authored-by: Deepak Prabhakara <deepak.prabhakara@ory.sh>

  • Use correct client authentication method for Apple OIDC (6c2f8fb):

  • X data race and parallize some tests (116a66e):

Code Generation

  • Prepare for OSS release - v26.2.0 (9d70859):

Code Refactoring

  • Squash merge old backoffice migration and fix up command (7790322):

Documentation

  • Improve readme and dev instructions (56be7ba):

  • Update readmes (bc8dca6):

Features

  • Add captcha strategy for recovery flow (3dee8f5):

  • Add captcha strategy for verification flow (420f69d):

  • Add column identity_id to identity_credential_identifiers and session_devices (57b099f):

  • Add native api flow support for passkeys (39c341b):

  • Add ratelimit buckets to swagger definitions (a14c3f2):

  • Add session to all settings hooks payloads (aebbc2b):

  • Add support for NULL and more column types to keysetpagination (3f24dbf):

  • Auto account linking for google and apple (623742e):

  • Automatic transaction retries for postgres (80dcbac):

  • Better multi-region queries (af48288):

  • Collect external latency data and write to logs (97ce640):

  • Consider Go migrations DirHash when restoring full schema from backups (99c8cdc):

  • Forward (some) user request headers to SMS HTTP channel (f2ce286):

  • Generate events for SSO and SCIM provider revisions (da8ec11):

  • Hydra benchmarking tool (aa3071f):

  • Improved tracing (46c1028):

  • Infer regional-by-row region using foreign key constraints (46c18eb):

  • Keto-cli improvements (86968f5):

  • kratos: Auto-send code when it is the only available method (86103bc):

  • Login with uae pass (1544efe):

  • Make new identity_id column on identifiers and session_devices NOT NULL and establish foreign key (6bf18bf):

  • Make SCIM work with MySQL (a34e951):

  • Rename project revision columns (e25723e):

  • Speed up OIDC login+registration handling (6bfbaf5):

  • Update GetActiveRecoveryStrategies method (b94f4c9):

  • Use keysetpagination planner for keto read queries (85590e8):

Tests

  • Add assertions for json response body (0f5085c):

  • Deflake and improve performance (0451169):

  • Deflake directory watcherx (00c4f9e):

  • Deflake SAML config assertion (71da1e3):

  • Faster and more reliable courier tests (2a552ea):

  • Fix data races (4014eeb):

  • Fix data races (8482dd5):

  • hydra: Add plaintext backups for all DB types (3369ebd):

  • Minor setup improvements (b9e094d):

Unclassified

Changelog

  • e7d5dd2 apply review changes
  • e3d4145 autogen(docs): generate and bump docs
  • 791b0d5 autogen(sdk): bump to 05ddc40c27a9fb30a648f0efc7aa5360fef9df7a
  • 3e9dbcd autogen(sdk): bump to 0f7be9e16ea12f9cb277f8cb3f03058e9db1aaa9
  • c0f99fb autogen(sdk): bump to 17d4d13913cbfcaaec44f5c608a9f602d447adc8
  • abbcc57 autogen(sdk): bump to 2402a6ef297dbf54d1304dba8c3a2732f19f0186
  • f909afa autogen(sdk): bump to 293291285821b39e6a97e428f4678b7f1f17b081
  • 8b52ac9 autogen(sdk): bump to 2f63cc936d612b530a3b1058656e54716f71559f
  • ecf73dc autogen(sdk): bump to 4c3e8f5aa769533cc0208b700c01b3241b6fa41b
  • 6876a3b autogen(sdk): bump to 4d380b9988c7f01acf6b71d30eeb5021cdaef973
  • bdbd733 autogen(sdk): bump to 5f25484faec4f9ffeaddea00540785f50d8d2997
  • f769f6b autogen(sdk): bump to 75ad7a5b7e4585b55145404ba1e487522b028886
  • 00fa85f autogen(sdk): bump to cab70529e9041391cd406fb96b8ce0b53b1a657f
  • 9d70859 autogen: prepare for OSS release - v26.2.0
  • df866b3 chore(deps): bump github.com/sirupsen/logrus from 1.8.1 to 1.8.3 in /kratos/kratos-oss/test/e2e/mock/webhook
  • 2270ea3 chore(deps): update actions/checkout action to v6
  • d964878 chore(deps): update actions/upload-artifact action to v6
  • d0e4b09 chore(deps): update actions/upload-artifact action to v7
  • 46f56e7 chore(deps): update dependency @types/lodash to v4.17.21
  • eba4233 chore(deps): update dependency golangci/golangci-lint to v2.11.1
  • f9431e2 chore(deps): update go modules
  • 6e6cc75 chore(deps): update golangci/golangci-lint-action action to v9
  • 8301fd4 chore(deps): update jackson (major)
  • 64fc530 chore(deps): update kratos to v4 (major)
  • 7710d46 chore(deps): update mysql docker tag to v9.6
  • d349787 chore(keto): use ory/x router
  • 1b8debe chore(kratos): use httprouter from ory/x
  • 5596300 chore: add Kratos OEL tests for connection pooling & add validation for connection pooling misconfiguration/misuse
  • 8c6b692 chore: add cause to context cancels with 'context.WithTimeoutCause' in ./x
  • 946e950 chore: add helpers for Kratos OEL to support various databases
  • 4e6e4ac chore: add recovery code expiresIn regression test
  • 06f470f chore: add retries to more curl invocations
  • 391495b chore: added CLIENT_SECRET_VERIFIER to our deployment
  • 68bea59 chore: audit and fix npm dependencies
  • 0b6c1bd chore: bump to CRDB v25.4
  • 9c29335 chore: bump to Go 1.26 massive cleanup in ory/x
  • 9a4d03b chore: cleanup package-lock files
  • 4a06f58 chore: correct typos
  • c1df2e8 chore: deflake registration expiry unit test
  • e9d8a8c chore: delete unused CRDB changefeed watcherx module
  • c6c8bea chore: deprecate organization APIs
  • 2a4be28 chore: drop unused index
  • cb78942 chore: fix for critical CVE - GHSA-p77j-4mvh-x3m3
  • 362467b chore: fixed typo in API description
  • 828b019 chore: generate elements locales from source and add CLI helpers
  • 9b52402 chore: improve clidoc generation
  • 55e24db chore: improve error reporting to help diagnose flaky test
  • 1d0309b chore: improve readability of popx.MigrationBox
  • e006333 chore: keysetpagination improvements
  • f9de4cc chore: make SCIM work with single-region CRDB
  • 50f6515 chore: more npm security updates
  • cf94909 chore: reduce number of auth steps in cypress test
  • f7b5a64 chore: remove internal address types
  • c0b6fba chore: remove repeated VerifiableAddresses assignment in web_hook.go
  • c90675c chore: remove unused code
  • 4118515 chore: remove unused log code
  • 07284c7 chore: remove unused x/watcherx/websocket
  • 029d8a3 chore: rename ./internal to ./pkg to make all functions visible
  • 01c7b53 chore: run go mod tidy and misc cleanup
  • e0496de chore: run npm audit fix
  • b28c196 chore: security updates for glob library
  • de64ac1 chore: simplify HTTP metrics instrumentation
  • 25d35cc chore: simplify decoderx usage
  • 7d6e01d chore: split SCIM from multi-region & make it work with SQLite
  • f57f519 chore: unify common dependency interfaces
  • 8e369de chore: update @openapitools/openapi-generator-cli
  • 601c9ac chore: update OSS ory.sh to ory.com
  • 3bb9244 chore: update pop to latest & only run pop.SetNowFunc() inside init()
  • 16343d6 chore: update to dockertest v4
  • 9823ae0 chore: update uaepass jsonnet stubs
  • b410c7f chore: updated axios
  • 286f885 chore: updated golang.org/x/crypto
  • 7b18f23 chore: updated minimatch
  • b922c60 chore: updated playwright (except e2e) and other deps
  • 5ed2524 chore: upgrade AX to next.js 16
  • 7e2a849 chore: use pgx pool in Kratos OEL & fix some OEL commands not using enterprise migrations
  • 550fd75 chore: use sync.Map instead of custom concurrent map
  • 45cc87e ci: add docker driver to cve scan
  • 56be7ba docs: improve readme and dev instructions
  • bc8dca6 docs: update readmes
  • 86103bc feat(kratos): auto-send code when it is the only available method
  • 3dee8f5 feat: add captcha strategy for recovery flow
  • 420f69d feat: add captcha strategy for verification flow
  • 57b099f feat: add column identity_id to identity_credential_identifiers and session_devices
  • 39c341b feat: add native api flow support for passkeys
  • a14c3f2 feat: add ratelimit buckets to swagger definitions
  • aebbc2b feat: add session to all settings hooks payloads
  • 3f24dbf feat: add support for NULL and more column types to keysetpagination
  • 623742e feat: auto account linking for google and apple
  • 80dcbac feat: automatic transaction retries for postgres
  • af48288 feat: better multi-region queries
  • 97ce640 feat: collect external latency data and write to logs
  • 99c8cdc feat: consider Go migrations DirHash when restoring full schema from backups
  • f2ce286 feat: forward (some) user request headers to SMS HTTP channel
  • da8ec11 feat: generate events for SSO and SCIM provider revisions
  • aa3071f feat: hydra benchmarking tool
  • 46c1028 feat: improved tracing
  • 46c18eb feat: infer regional-by-row region using foreign key constraints
  • 86968f5 feat: keto-cli improvements
  • 1544efe feat: login with uae pass
  • a34e951 feat: make SCIM work with MySQL
  • 6bf18bf feat: make new identity_id column on identifiers and session_devices NOT NULL and establish foreign key
  • e25723e feat: rename project revision columns
  • 6bfbaf5 feat: speed up OIDC login+registration handling
  • b94f4c9 feat: update GetActiveRecoveryStrategies method
  • 85590e8 feat: use keysetpagination planner for keto read queries
  • 95341a8 fix(kratos): otp fast-path 2fa body error
  • 81e9151 fix: remove more instances of injecting unrecoverable email faults
  • e72c297 fix: add missing StrategyUsed attribute to Login and registration events
  • a085d87 fix: add missing indices on identity_id
  • ed56dac fix: add missing transient nodes clear
  • 6a6928c fix: add oidc linking/unlinking to api settings flow
  • 2473954 fix: always retry curl invocations to surmount transient third-party failures
  • a86c212 fix: base64encoded schemaURL cannot be resolved
  • 2f9c3e3 fix: batch identity error propagation
  • 849b0de fix: clarify password import
  • 7e33125 fix: context passing in jsonnetsecure
  • 6183672 fix: correctly scan SQL NULL into go JSON types
  • 70f7b38 fix: courier should not retry message dispatches in one go
  • c651ecf fix: data race making test flaky
  • 8adaa02 fix: deadlock when using -parallel 1
  • a06b3c2 fix: don't attempt to redirect to ory.com in kratos tests
  • e948a0b fix: down migrations in newer MySQL versions
  • 84ee596 fix: duplicate credential error placeholder case mismatch
  • 7bb24c5 fix: failing down migration
  • 048d315 fix: fetch login challenge after code submissions
  • 2886abe fix: fix benchmark test
  • 6673982 fix: fix data race in courier test by protecting slice with mutex
  • 01e1dd0 fix: fix flaky email test
  • 952d7ea fix: handle batch identities errors more gracefully
  • 9a5f8b9 fix: incorrect default value for page_tokens
  • 1757cdd fix: incorrect error handling
  • 590d898 fix: incorrect usage of database/sql
  • e7045c5 fix: lint
  • d023775 fix: pass transient payload to webhooks in API/native OIDC flows
  • f6d59bb fix: properly accept login challenge in verification after login flows
  • 8f54814 fix: recovery code expires_in regression
  • 3447e0a fix: recovery code expiry error
  • 071ad54 fix: redact subject codes
  • 7ee85fb fix: remove WithDumpMigrations option to MigrationBox
  • b4d8591 fix: remove flaky test for unused function
  • 65b27fd fix: remove redundant ORDER BY in QueryForCredentials
  • 1799e3a fix: request log config key
  • 9144b55 fix: resolve incorrect error handling
  • e7d8bd1 fix: resolve null response in OAuth2 flow with existing session
  • d6b0f49 fix: return a specific error message for email & phone validation errors
  • b7b7fd4 fix: return correct CSRF errors
  • bc33d5c fix: return oauth2 login challenge on Bad Request in self-service flows
  • 76d35cf fix: seamlessly migrate existing users to SCIM
  • 039d5bc fix: show captcha on otp submission
  • 3da622f fix: stray debug print
  • 1ab143c fix: transfer OAuth2 login challenge in account linking flow
  • 95bf33b fix: update CONTRIBUTING.md
  • 3d88a43 fix: update dependencies and replace @ory/client for kratos-selfserivce-ui-react-native
  • 79fb49d fix: update packages to fix GHSA-7h2j-956f-4vf2
  • c2adee4 fix: upgrade vulnerable dependencies across Go and npm
  • 6c2f8fb fix: use correct client authentication method for Apple OIDC
  • 116a66e fix: x data race and parallize some tests
  • 7982b73 fixes
  • 7790322 refactor: squash merge old backoffice migration and fix up command
  • 3f06c5d storybook snapshots
  • 3369ebd test(hydra): add plaintext backups for all DB types
  • 0f5085c test: add assertions for json response body
  • 71da1e3 test: deflake SAML config assertion
  • 0451169 test: deflake and improve performance
  • 00c4f9e test: deflake directory watcherx
  • 2a552ea test: faster and more reliable courier tests
  • 8482dd5 test: fix data races
  • 4014eeb test: fix data races
  • b9e094d test: minor setup improvements

Artifacts can be verified with cosign using this public key.
