Merge remote-tracking branch 'origin/master' into feat/oidc-provider-…

…cache

# Conflicts:
#	go.mod
#	go.sum

.docker/Dockerfile-build

@@ -1,5 +1,5 @@
 # syntax = docker/dockerfile:1-experimental
-FROM golang:1.22-bullseye AS builder
+FROM golang:1.23-bullseye AS builder
 
 RUN apt-get update && apt-get upgrade -y &&\
   mkdir -p /var/lib/sqlite

.docker/Dockerfile-debug

@@ -1,4 +1,4 @@
-FROM golang:1.22-bullseye
+FROM golang:1.23-bullseye
 ENV CGO_ENABLED 1
 
 RUN apt-get update && apt-get install -y --no-install-recommends inotify-tools psmisc

.github/workflows/ci.yaml

@@ -79,7 +79,7 @@ jobs:
           fetch-depth: 2
       - uses: actions/setup-go@v4
         with:
-          go-version: "1.22"
+          go-version: "1.23"
       - run: go list -json > go.list
       - name: Run nancy
         uses: sonatype-nexus-community/[email protected]
@@ -93,7 +93,7 @@ jobs:
           GOGC: 100
         with:
           args: --timeout 10m0s
-          version: v1.59.1
+          version: v1.61.0
       - name: Build Kratos
         run: make install
       - name: Run go-acc (tests)
@@ -169,7 +169,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v4
         with:
-          go-version: "1.22"
+          go-version: "1.23"
 
       - name: Install selfservice-ui-react-native
         uses: actions/checkout@v3
@@ -273,7 +273,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v4
         with:
-          go-version: "1.22"
+          go-version: "1.23"
       - run: go build -tags sqlite,json1 .
 
       - name: Install selfservice-ui-react-native

.github/workflows/format.yml

@@ -11,7 +11,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v3
         with:
-          go-version: "1.22"
+          go-version: "1.23"
       - run: make format
       - name: Indicate formatting issues
         run: git diff HEAD --exit-code --color

.github/workflows/licenses.yml

@@ -14,7 +14,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/setup-go@v2
         with:
-          go-version: "1.22"
+          go-version: "1.23"
       - uses: actions/setup-node@v2
         with:
           node-version: "18"

.golangci.yml

@@ -29,3 +29,4 @@ issues:
     - "Set is deprecated: use context-based WithConfigValue instead"
     - "SetDefaultIdentitySchemaFromRaw is deprecated: Use context-based WithDefaultIdentitySchemaFromRaw instead"
     - "SetDefaultIdentitySchema is deprecated: Use context-based WithDefaultIdentitySchema instead"
+    - "G115"

.schema/openapi/patches/selfservice.yaml

@@ -32,11 +32,15 @@
       passkey: "#/components/schemas/updateRegistrationFlowWithPasskeyMethod"
       profile: "#/components/schemas/updateRegistrationFlowWithProfileMethod"
 - op: add
-  path: /components/schemas/registrationFlowState/enum
+  path: /components/schemas/registrationFlowState
   value:
-    - choose_method
-    - sent_email
-    - passed_challenge
+    title: Registration flow state (experimental)
+    description: The experimental state represents the state of a registration flow. This field is EXPERIMENTAL and subject to change!
+    type: string
+    enum:
+      - choose_method
+      - sent_email
+      - passed_challenge
 # end
 
 # All modifications for the login flow
@@ -67,11 +71,15 @@
       passkey: "#/components/schemas/updateLoginFlowWithPasskeyMethod"
       identifier_first: "#/components/schemas/updateLoginFlowWithIdentifierFirstMethod"
 - op: add
-  path: /components/schemas/loginFlowState/enum
+  path: /components/schemas/loginFlowState
   value:
-    - choose_method
-    - sent_email
-    - passed_challenge
+    title: Login flow state (experimental)
+    description: The experimental state represents the state of a login flow. This field is EXPERIMENTAL and subject to change!
+    type: string
+    enum:
+      - choose_method
+      - sent_email
+      - passed_challenge
 # end
 
 # All modifications for the recovery flow
@@ -90,11 +98,15 @@
       link: "#/components/schemas/updateRecoveryFlowWithLinkMethod"
       code: "#/components/schemas/updateRecoveryFlowWithCodeMethod"
 - op: add
-  path: /components/schemas/recoveryFlowState/enum
+  path: /components/schemas/recoveryFlowState
+  type: string
   value:
-    - choose_method
-    - sent_email
-    - passed_challenge
+    title: Recovery flow state (experimental)
+    description: The experimental state represents the state of a recovery flow. This field is EXPERIMENTAL and subject to change!
+    enum:
+      - choose_method
+      - sent_email
+      - passed_challenge
 # End
 
 # All modifications for the verification flow
@@ -113,11 +125,15 @@
       link: "#/components/schemas/updateVerificationFlowWithLinkMethod"
       code: "#/components/schemas/updateVerificationFlowWithCodeMethod"
 - op: add
-  path: /components/schemas/verificationFlowState/enum
+  path: /components/schemas/verificationFlowState
+  type: string
   value:
-    - choose_method
-    - sent_email
-    - passed_challenge
+    title: Verification flow state (experimental)
+    description: The experimental state represents the state of a verification flow. This field is EXPERIMENTAL and subject to change!
+    enum:
+      - choose_method
+      - sent_email
+      - passed_challenge
 # End
 
 # All modifications for the settings flow
@@ -146,10 +162,14 @@
       passkey: "#/components/schemas/updateSettingsFlowWithPasskeyMethod"
       lookup_secret: "#/components/schemas/updateSettingsFlowWithLookupMethod"
 - op: add
-  path: /components/schemas/settingsFlowState/enum
+  path: /components/schemas/settingsFlowState
   value:
-    - show_form
-    - success
+    title: Settings flow state (experimental)
+    description: The experimental state represents the state of a settings flow. This field is EXPERIMENTAL and subject to change!
+    type: string
+    enum:
+      - show_form
+      - success
 # end
 
 # Some issues with AdditionalProperties

driver/config/config.go

@@ -1531,6 +1531,7 @@ func (p *Config) PasskeyConfig(ctx context.Context) *webauthn.Config {
 		AuthenticatorSelection: protocol.AuthenticatorSelection{
 			AuthenticatorAttachment: "platform",
 			RequireResidentKey:      pointerx.Ptr(true),
+			ResidentKey:             protocol.ResidentKeyRequirementRequired,
 			UserVerification:        protocol.VerificationPreferred,
 		},
 		EncodeUserIDAsString: false,

embedx/config.schema.json

@@ -1903,7 +1903,6 @@
                           "description": "A list of explicit RP origins. If left empty, this defaults to either `origin` or `id`, prepended with the current protocol schema (HTTP or HTTPS).",
                           "items": {
                             "type": "string",
-                            "format": "uri",
                             "examples": [
                               "https://www.ory.sh",
                               "https://auth.ory.sh"

go.mod

@@ -1,10 +1,14 @@
 module github.com/ory/kratos
 
-go 1.22
+go 1.23
+
+toolchain go1.23.2
 
 replace (
 	github.com/coreos/go-oidc/v3 => github.com/ory/go-oidc/v3 v3.0.0-20241127113405-e5362711266b
 
+	github.com/go-swagger/go-swagger => github.com/aeneasr/go-swagger v0.19.1-0.20241013070044-bccef3a12e26 // See https://github.com/go-swagger/go-swagger/issues/3131
+	// github.com/go-swagger/go-swagger => ../../go-swagger/go-swagger
 	// https://github.com/gobuffalo/pop/pull/833
 	github.com/gobuffalo/pop/v6 => github.com/ory/pop/v6 v6.2.1-0.20241121111754-e5dfc0f3344b
 
@@ -36,7 +40,7 @@ require (
 	github.com/go-openapi/strfmt v0.23.0
 	github.com/go-playground/validator/v10 v10.22.0
 	github.com/go-swagger/go-swagger v0.31.0
-	github.com/go-webauthn/webauthn v0.10.2 // DO NOT UPGRADE TO 0.11.0 WITHOUT ADDRESSING ory/kratos#4034
+	github.com/go-webauthn/webauthn v0.11.2
 	github.com/gobuffalo/httptest v1.5.2
 	github.com/gobuffalo/pop/v6 v6.1.2-0.20230318123913-c85387acc9a0
 	github.com/gofrs/uuid v4.4.0+incompatible
@@ -167,7 +171,7 @@ require (
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-sql-driver/mysql v1.8.1 // indirect
-	github.com/go-webauthn/x v0.1.12 // indirect
+	github.com/go-webauthn/x v0.1.14 // indirect
 	github.com/gobuffalo/envy v1.10.2 // indirect
 	github.com/gobuffalo/fizz v1.14.4 // indirect
 	github.com/gobuffalo/flect v1.0.2 // indirect

go.sum

@@ -53,6 +53,8 @@ github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERo
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw=
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk=
+github.com/aeneasr/go-swagger v0.19.1-0.20241013070044-bccef3a12e26 h1:rwCKVbnpzxQ0F/AhO9FkXnrKqRmqej4epjhe1CpNkB0=
+github.com/aeneasr/go-swagger v0.19.1-0.20241013070044-bccef3a12e26/go.mod h1:WSigRRWEig8zV6t6Sm8Y+EmUjlzA/HoaZJ5edupq7po=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
@@ -232,14 +234,12 @@ github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LB
 github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
 github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/go-swagger/go-swagger v0.31.0 h1:H8eOYQnY2u7vNKWDNykv2xJP3pBhRG/R+SOCAmKrLlc=
-github.com/go-swagger/go-swagger v0.31.0/go.mod h1:WSigRRWEig8zV6t6Sm8Y+EmUjlzA/HoaZJ5edupq7po=
 github.com/go-test/deep v1.0.4 h1:u2CU3YKy9I2pmu9pX0eq50wCgjfGIt539SqR7FbHiho=
 github.com/go-test/deep v1.0.4/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
-github.com/go-webauthn/webauthn v0.10.2 h1:OG7B+DyuTytrEPFmTX503K77fqs3HDK/0Iv+z8UYbq4=
-github.com/go-webauthn/webauthn v0.10.2/go.mod h1:Gd1IDsGAybuvK1NkwUTLbGmeksxuRJjVN2PE/xsPxHs=
-github.com/go-webauthn/x v0.1.12 h1:RjQ5cvApzyU/xLCiP+rub0PE4HBZsLggbxGR5ZpUf/A=
-github.com/go-webauthn/x v0.1.12/go.mod h1:XlRcGkNH8PT45TfeJYc6gqpOtiOendHhVmnOxh+5yHs=
+github.com/go-webauthn/webauthn v0.11.2 h1:Fgx0/wlmkClTKlnOsdOQ+K5HcHDsDcYIvtYmfhEOSUc=
+github.com/go-webauthn/webauthn v0.11.2/go.mod h1:aOtudaF94pM71g3jRwTYYwQTG1KyTILTcZqN1srkmD0=
+github.com/go-webauthn/x v0.1.14 h1:1wrB8jzXAofojJPAaRxnZhRgagvLGnLjhCAwg3kTpT0=
+github.com/go-webauthn/x v0.1.14/go.mod h1:UuVvFZ8/NbOnkDz3y1NaxtUN87pmtpC1PQ+/5BBQRdc=
 github.com/gobuffalo/envy v1.10.2 h1:EIi03p9c3yeuRCFPOKcSfajzkLb3hrRjEpHGI8I2Wo4=
 github.com/gobuffalo/envy v1.10.2/go.mod h1:qGAGwdvDsaEtPhfBzb3o0SfDea8ByGn9j8bKmVft9z8=
 github.com/gobuffalo/fizz v1.14.4 h1:8uume7joF6niTNWN582IQ2jhGTUoa9g1fiV/tIoGdBs=

hash/hash_comparator.go

@@ -9,8 +9,8 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/hmac"
-	"crypto/md5"  //#nosec G501 -- compatibility for imported passwords
-	"crypto/sha1" //#nosec G505 -- compatibility for imported passwords
+	"crypto/md5"  //nolint:all // System compatibility for imported passwords
+	"crypto/sha1" //nolint:all // System compatibility for imported passwords
 	"crypto/sha256"
 	"crypto/sha512"
 	"crypto/subtle"
@@ -21,6 +21,9 @@ import (
 	"regexp"
 	"strings"
 
+	"github.com/go-crypt/crypt"
+	"github.com/go-crypt/crypt/algorithm/md5crypt"
+	"github.com/go-crypt/crypt/algorithm/shacrypt"
 	"github.com/pkg/errors"
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/attribute"
@@ -33,10 +36,6 @@ import (
 	"golang.org/x/crypto/pbkdf2"
 	"golang.org/x/crypto/scrypt"
 
-	"github.com/go-crypt/crypt"
-	"github.com/go-crypt/crypt/algorithm/md5crypt"
-	"github.com/go-crypt/crypt/algorithm/shacrypt"
-
 	"github.com/ory/kratos/driver/config"
 )