@renovate renovate bot commented Nov 7, 2025

This PR contains the following updates:

Package                Update   Change
oryd/kratos (source)   major    v1.3.1 -> v25.4.0

Release Notes

ory/kratos (oryd/kratos)

v25.4.0


Breaking Changes

The require_verified_address hook no longer returns a
plain error. Previously, users had to manually start the verification
flow, which caused a poor experience. Now, Ory Kratos automatically
creates a verification flow and redirects the user using continue_with
or an HTTP redirect. The verification flow starts with the first
verified address found for the user. This aligns the behavior of
require_verified_address with using the verification and
show_verification_ui hook combination for login.

Going forward, the node group of fields that are
failing validation during oidc sign up are default and no longer
oidc. For now, you can get the legacy behavior back by turning on
feature_flags.legacy_oidc_registration_node_group=true.

Co-authored-by: Jonas Hungershausen [email protected]

Before this change, show_verification_ui would
always be included in continue_with for the registration flow when
verification was enabled. After this change, show_verification_ui is
only included when the show_verification_ui post-registration hook is
defined.

Account linking incorrectly returned a 200 OK status
code even though the login flow was not completed successfully. Going
forward, the correct 400 OK status code will be sent when using the API
flow or Accept: application/json.

This patch changes the behavior of configuration item foo to do bar. To keep the existing
behavior please do baz.

Bug Fixes
  • Accept login challenge in session_issuer on SPA flows (#​4288) (e13687a)

  • Accept login_challenge in SPA verification flows (#​4284) (7ca3b6b)

  • Account linking should only happen after 2fa when required (#​4174) (8e29b68)

  • Account linking with 2FA (#​4188) (4a870a6):

    This fixes some edge cases with OIDC account linking for accounts with 2FA enabled.

  • Add default issuer URL for LINE (#​4415) (292f65d):

    Fixed+expanded relevant comment.

    Fixed some tracing issues.

    Added error info and missing res.Body.Close() in courier.

  • Add exists clause (#​4191) (a313dd6)

  • Add missing autocomplete attributes to identifier_first strategy (#​4215) (e1f29c2)

  • Add missing csrf_token (#​4363) (f441f41)

  • Add missing discriminator (#​4365) (c10bb06)

  • Add missing saml group (#​4268) (44eb305)

  • Add missing submit group (#​4354) (106163d)

  • Add missing values to the session method enum (a043b43):

  • Add resend node to after registration verification flow (#​4260) (9bc83a4)

  • Add transient payload to fedcm (#​4369) (245f5dc), closes #​1234 #​1234:

  • Allow patching some /credentials sub-paths (#​4277) (aefa806), closes #​1234 #​1234:

  • Also update identifiers (#​4321) (7c63727):

    This fixes a bug where when an identity is merged into another, the
    identifier of the original identity was not updated.

  • Another apple fix (8a220c0):

  • Apply strategy filters in identifier first as well (#​4352) (ec3ecc5)

  • Better tracing in proxy HTTP (ff5fa9b):

  • Cancel conditional passkey before trying again (#​4247) (d9f6f75)

  • Check aal on sessions list endpoint (#​4305) (44f97b8), closes #​3671:

    The session check to list a user's own sessions now requires the same AAL level as the whoami check.

  • Clarify import responses (2a44fd5):

  • Context passing and missing body close (79f4e2a):

  • Copybara script (b3af828):

  • Correctly handle HTTP route patterns in metrics (dc992d3):

  • Count MFA addresses in CountActiveMultiFactorCredentials for code method (9860c9a), closes ory/network#409

  • Deduplicate down migrations (a000460):

  • deps: Update go-x (ae80380):

  • Detect whether external_id is set in webhook response (7d0d7f6):

  • Div decoding (#​4362) (ef9ee23)

  • Do not roll back transaction on partial identity insert error (#​4211) (82660f0)

  • Don't remove OIDC buttons if invalid identifier is submitted (97848c7):

  • Don't show oidc subject in login hints (#​4264) (b95fd3f)

  • Duplicate autocomplete trigger (6bbf915)

  • Enable b2b_sso hook in more places (#​4168) (0c48ad1):

    fix: allow b2b_sso hook in more places

  • Ensure make quickstart-dev works without options (#​4401) (327c5a4):

    make quickstart-dev uses the make variable QUICKSTART_OPTIONS which
    is set to "" by default. This will result in two double quotes ("")
    in the final shell command e.g. docker-compose "" up when the variable
    is not set on the make command line, which fails at the shell level. The
    fix is to leave the variable empty by default. No semantic changes.

  • Ensure authentication method is added to session after linking OIDC provider (5cae1f7):

  • Ensure context is not canceled during password hashing (#​4364) (e9c6a18):

    Especially during large imports of plaintext passwords there can be a
    lot of useless hashing, even after the request timed out or got
    canceled.

  • Ensure that auto_link_credentials markers are being properly overwritten (#​4320) (a4fd8ac), closes #​1234 #​1234:

    Changes:

    • Add LoginStarted and RegistrationStarted events along their
      required attributes
    • Sort all event attributes alphabetically
    • Emit these events when a new login/registration flow is created,
      after basic validation passed
    • It is unclear yet how many of these events will be emitted, as such it
      is suggested that in a first phase, they remain internal and are not yet
      sent externally to avoid surprises (note: sometimes, these events can be
      emitted without user action such as simply visiting/being redirected to
      the sign-in page, etc)

    Documentation PR:

  • Add migrate sql up|down|status (#​4228) (e6fa520):

    This patch adds the ability to execute down migrations using:

    kratos migrate sql down -e --steps {num_of_steps}

    Please read kratos migrate sql down --help carefully.

    Going forward, please use the following commands

    kratos migrate sql up ...
    kratos migrate sql status ...

    instead of the previous, now deprecated

    kratos migrate sql ...
    kratos migrate status ...

    commands.

    See ory-corp/cloud#7350

  • Add new Division ui node attributes (235af52):

    Division nodes may be used to hook dynamic scripts and are not actively used in the Ory Kratos open source.

  • Add new endpoint to tokenize JWT with a webhook (f7fa792):

  • Add oid as subject source for microsoft (#​4171) (77beb4d), closes #​4170:

    In the case of Microsoft, using sub as an identifier can lead to problems. Because the use of OIDC at Microsoft is based on an app registration, the content of sub changes with every new app registration. Sub is therefore not uniquely related to the user. It is therefore not possible to transfer users from one app registration to another without further problems.
    https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#payload-claims

    With the use of oid it is possible to identify a user by a unique id.

  • Add session in settings after hook (1b57fdf):

  • Add support for Line v2.1 OIDC provider (#​4240) (729effd):

    For OIDC Line Login, you only need to add id_token_key_type=JWK in the exchange step to issue
    tokens in ES256 format.

    https://redirect.github.com/ory/kratos/discussions/1116

  • Allow deleting password credentials (#​4304) (f2212d4):

    The admin API did not allow to delete passwords at all. The restriction is now lifted to only block deletion of the first-factor credential if it is the last one.

  • Allow extra go migrations in persister (#​4183) (7bec935)

  • Allow listing identities by organization ID (#​4115) (b4c453b)

  • Allow setting the org ID on creation (#​4306) (bccd2fb)

  • Autoconfigure kratos-changefeed (b8bf4c7):

  • Bump CRDB, establish foreign key, (d76e70f):

  • Cache OIDC providers (#​4222) (30485c4):

    This change significantly reduces the number of requests to /.well-known/openid-configuration endpoints.

  • changelog-oel: Choose identity schema in self-service registration and login flows (53f4b9f):

  • changelog-oel: Improved tracing and metrics for the high-performance SQL connection pool (ce1bf9f):

  • changelog: Add a new feature flag for the Recovery V2 to ensure backwards-compatibility (d68736b):

  • changelog: Add CourierMessageAbandoned & CourierMessageDispatched events (dfed493):

  • changelog: Find-by and delete SAML credentials (0c80f61):

  • changelog: Migrate http router to stdlib router (48f5adb):

  • changelog: Reject new password same as old password when changing the password (a7f50ab):

  • Console UI for multiple identity schemas (1145cda):

  • Custom page token column extraction (c5cb85e):

  • Domain telemetry improvements (93345d7):

  • Drop unused indices post index migration (#​4201) (1008639)

  • Emit admin recovery code event (#​4230) (a7cdc3a)

  • Emit event on Jsonnet claims mapping error (#​4394) (8caebdb):

    We now emit an event containing the Jsonnet input and output in
    anonymized form when mapping the claims in the OIDC flow fails.

  • Emit events on jsonnet failure when templating a jwt (#​4409) (959ded5):

    • Fix typo: parital -> partial
    • Document with comments why an event is not emitted or not documented
    • Emit JsonnetMappingFailed events on jsonnet failure when templating
      a jwt (see https://www.ory.sh/docs/identities/session-to-jwt-cors).
      After review it seems we otherwise always emit events in all the right
      places, except in this very case. Tested end-to-end manually with the
      UI.

  • Emit oryWebAuthnInitialized event once webauthn is initialized (b4485f4):

  • Enable JSONNet templating for password migration hook (#​4390) (b162897):

    This enables JSONNet body templating for the password migration hook.
    There is also a significant refactoring of some internals around webhook config handling.

  • Expose Ory-Error-Id HTTP header (f2b0cd5):

  • Fast add credential type lookups (#​4177) (eeb1355)

  • Faster UpdateIdentity (4c2cfae):

  • Fewer DB loads when linking credentials, add tracing (2c5bb21)

  • Goreleaser (db10a68):

  • Gracefully handle failing password rehashing during login (#​4235) (3905787):

    This fixes an issue where we would successfully import long passwords (>72 chars), but fail when the user attempts to login with the correct password because we can't rehash it. In this case, we simply issue a warning to the logs, keep the old hash intact, and continue logging in the user.

  • hydra: Split up persister (910cf9c):

  • Improve domain telemetry for OSS (Hydra & Kratos) (86ab72a):

  • Improve identity import limits (#​4378) (e38e812)

  • Improve kratos courier metrics and debug log message (c50ffcc):

  • Improve QueryForCredentials (#​4181) (ca0d6a7)

  • Improve secondary indices for self service tables (#​4179) (825aec2)

  • Improve verification required flows (#​4407) (2014a40)

  • Improved events and identity recent activity (e47b858):

  • Improved tracing for courier (85a7071)

  • Index hint for CRDB when deleting identity credentials (#​4276) (c703a33):

    Ref https://support.cockroachlabs.com/hc/en-us/requests/25430

  • Jackson provider (#​4242) (f18d1b2):

    This adds a jackson provider to Kratos.

  • Load session only once when middleware is used (#​4187) (234b6f2)

  • Monorepo (31f1894):

  • More extension points (#​4272) (373a2e6):

    This adds more extension points to the Kratos registry.

  • Move config testhelpers to ory/x (8d43aae):

  • Optimize identity-related secondary indices (#​4182) (53874c1)

  • Passwordless SMS and expiry notice in code / link templates (#​4104) (462cea9):

    This feature allows Ory Kratos to use the SMS gateway for login and registration with code via SMS.

    Additionally, the default email and sms templates have been updated. We now also expose ExpiresInMinutes / expires_in_minutes in the templates, making it easier to remind the user how long the code or link is valid for.

    Closes #​1570
    Closes #​3779

  • Recovery with any address including with a code via SMS (71844dd):

  • Refactor cmd/daemon (#​4371) (7fe55d9)

  • Remove duplicate queries during settings flow and use better index hint for credentials lookup (#​4193) (c33965e):

    This patch reduces duplicate GetIdentity queries as part of submitting the settings flow, and improves an index to significantly reduce credential lookup.

    For better debugging, more tracing has been added to the settings module.

  • Remove more unused indices (#​4186) (b294804)

  • Return field name in generated node text label (8c7a3dc):

  • Rework the OTP code submit count mechanism (#​4251) (4ca4d79):

    • feat: rework the OTP code submit count mechanism

    Unlike what the previous comment suggested, incrementing and checking the submit count inside the
    database transaction is not actually optimal performance- or security-wise.

    We now atomically increment and check the submit count as the first part of the operation,
    and abort as early as possible if we detect brute-forcing. This prevents a situation where the
    check works only on certain transaction isolation levels.

    • chore: bump dependencies

  • Support android webauthn origins (#​4155) (a82d288):

    This patch adds the ability to verify Android APK origins used during WebAuthn/Passkey exchange.

    Upgrades go-webauthn and includes fixes for Go 1.23 and workarounds for Swagger.

  • Support CRUD OIDC providers through the onboarding portal API (664fd1a):

  • Support importing more credentials (#​4361) (9a6dadf):

    Adds support to import SAML credentials. SAML connections are only
    available in Ory Enterprise License / Ory Network.

  • Trace identity id in errors (772572c):

  • Update only necessary database columns in UpdateVerifiableAddress (#​4292) (168a3f6):

    This is an optimization to reduce database load.

    When we specify exactly which columns changed, we should be able to
    elide updates to the identity_verifiable_addresses_status_via_uq_idx (nid,via,value) index.
    Updating that index requires contacting remote regions.

    Also fixed a bug where we did not set the verified_at timestamp
    correctly sometimes.

  • Use one transaction for /admin/recovery/code (#​4225) (3e87e0c)

  • Use stdlib HTTP router in Kratos (acfa6ef):

  • Use vendored ory/x (a9ab800):

  • Webhook header allowlist configuration option (#​4309) (871f5aa), closes #​4290:

    Adds a clients.web_hook.header_allowlist configuration option for
    configuring the webhook header allowlist.

Reverts
  • Tests: improve randomness in e2e tests (19a41ec):

  • Use account.apple.com for oidc discovery and appleid.apple.com for token verification and signing (c772d8b):

  • Use appleid audience for secret exchange (620e33e):

  • Use updated appleid issuer (9697c45):

Tests
  • Add golangci-lint config and GHA (0720950):

  • Don't require DB for hasher tests (41c69db):

  • hydra: Add snapshots for login & consent requests (ee39bdb):

  • Improve pgxpool tests (6297a8f):

  • Restructure and improve integration tests (6f32d5d):

  • Update snapshots (#​4167) (b51f780)

Unclassified
  • Improve randomness in e2e tests (ecfe435):

  • Run credential validation in its own goroutine when changing the password (c7fedfe):

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
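The "Rework the OTP code submit count mechanism" entry above describes moving the submit-count check out of the database transaction and into an atomic increment-and-check that runs before anything else. The following is an added illustration of that pattern, not code from ory/kratos; it assumes a hypothetical in-memory CodeStore whose mutex stands in for the database's atomic UPDATE.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"sync"
)

// ErrTooManySubmissions is returned once the per-code submit budget is spent.
var ErrTooManySubmissions = errors.New("too many code submissions, aborting flow")

// CodeStore is a constructed in-memory stand-in for the database row that
// holds a one-time code and its submit counter. Hypothetical, not Kratos'
// persister; the mutex plays the role of the database's atomic UPDATE.
type CodeStore struct {
	mu      sync.Mutex
	code    string
	submits int
}

// incrementAndCheck bumps the counter and checks the budget in one atomic step.
// It runs before any comparison, so every attempt consumes budget, and the
// guarantee does not depend on a surrounding transaction's isolation level.
func (s *CodeStore) incrementAndCheck(maxSubmits int) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.submits++
	if s.submits > maxSubmits {
		return ErrTooManySubmissions
	}
	return nil
}

// Submit applies the budget first and only then compares the code in constant time.
func (s *CodeStore) Submit(attempt string, maxSubmits int) (bool, error) {
	if err := s.incrementAndCheck(maxSubmits); err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare([]byte(attempt), []byte(s.code)) == 1, nil
}

func main() {
	store := &CodeStore{code: "482913"} // constructed sample code
	for i := 0; i < 4; i++ {
		ok, err := store.Submit("000000", 3)
		fmt.Printf("attempt %d: match=%v err=%v\n", i+1, ok, err)
	}
}
```

Because the counter is consumed before the comparison, concurrent wrong guesses can never exceed the budget, and once it is spent even the correct code is rejected for that flow.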

@renovate renovate bot requested a review from febus982 as a code owner November 7, 2025 19:37