v0.7.4-alpha.1

This release adds the GitHub-app provider, improves SQL instrumentation, resolves an expired flow bug, and resolves documentation issues.

Bug Fixes

• Corret sdk annotations for enums (6152363)
• Do not panic if cookiemanager returns a nil cookie (6ea5678), closes #1695
• Respect return_to in expired flows (#1697) (394a8de), closes #1251

Code Generation

• Pin v0.7.4-alpha.1 release commit (67ff8a9)

Documentation

• Add e2e quickstart (2b749d3)
• Browser redirects (#1700) (a44089a)
• Mark logout_url always available (9021805)
• Minor improvements (#1707) (79c132c)

Features

• Making use of the updated instrumentedsql version (#1723) (9e6fbdd)
• oidc: Github-app provider (#1711) (fb1fe8c)

Tests

• session: Resolve incorrect assertion (0531220)

Changelog

f44e7af autogen(docs): generate and format documentation
c7a019f autogen(docs): generate and format documentation
5044ba9 autogen(docs): generate and format documentation
f5d9d0e autogen(docs): generate and format documentation
9ec8bf5 autogen(docs): generate and format documentation
daa4d5d autogen(docs): regenerate and update changelog
f4c00f4 autogen(docs): regenerate and update changelog
b6a1033 autogen(docs): regenerate and update changelog
b344b60 autogen(docs): regenerate and update changelog
cc6c1c3 autogen(docs): regenerate and update changelog
785d930 autogen(docs): update milestone document
0da2006 autogen(docs): update milestone document
9fbc78c autogen(docs): update milestone document
246b7da autogen(docs): update milestone document
4f05d64 autogen(openapi): Regenerate openapi spec and internal client
93bbde8 autogen(openapi): Regenerate openapi spec and internal client
e7a237a autogen: add v0.7.3-alpha.1 to version.schema.json
67ff8a9 autogen: pin v0.7.4-alpha.1 release commit
6fe79da chore: update docusaurus template
e14d1fc chore: update repository templates (#1680)
c2c5a58 chore: update repository templates (#1701)
64c9b76 ci: bump goreleaser (#1730)
a913419 ci: bump goreleaser orb (#1728)
2b749d3 docs: add e2e quickstart
a44089a docs: browser redirects (#1700)
9021805 docs: mark logout_url always available
79c132c docs: minor improvements (#1707)
fb1fe8c feat(oidc): github-app provider (#1711)
9e6fbdd feat: making use of the updated instrumentedsql version (#1723)
6152363 fix: corret sdk annotations for enums
6ea5678 fix: do not panic if cookiemanager returns a nil cookie
394a8de fix: respect return_to in expired flows (#1697)
0531220 test(session): resolve incorrect assertion

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.7-sqlite
• docker pull oryd/kratos:v0.7.4-sqlite
• docker pull oryd/kratos:v0.7.4-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.7
• docker pull oryd/kratos:v0.7.4
• docker pull oryd/kratos:v0.7.4-alpha.1
• docker pull oryd/kratos:latest

v0.7.3-alpha.1

Changelog

b9a2bfd autogen(docs): generate and format documentation
dd2e826 autogen(docs): generate and format documentation
2cb678c autogen(docs): generate and format documentation
f928ac1 autogen(docs): generate and format documentation
b863a82 autogen(docs): generate and format documentation
ca15200 autogen(docs): generate and format documentation
2f488ab autogen(docs): generate and format documentation
6bb5aa7 autogen(docs): generate and format documentation
c7352db autogen(docs): generate and format documentation
60d848d autogen(docs): generate cli docs
6d56917 autogen(docs): regenerate and update changelog
78269d1 autogen(docs): regenerate and update changelog
57f2731 autogen(docs): regenerate and update changelog
1bfd22b autogen(docs): regenerate and update changelog
ceb1fb1 autogen(docs): regenerate and update changelog
c9fb0d4 autogen(docs): regenerate and update changelog
4259a0c autogen(docs): regenerate and update changelog
b4dfa2b autogen(docs): regenerate and update changelog
af98e2e autogen(docs): regenerate and update changelog
f7393d5 autogen(docs): regenerate and update changelog
1aaf6c0 autogen(docs): regenerate and update changelog
814a9c0 autogen(docs): update milestone document
4ce03f2 autogen(docs): update milestone document
80c2fbe autogen(docs): update milestone document
c118070 autogen(docs): update milestone document
4822a30 autogen(docs): update milestone document
b6215a0 autogen(docs): update milestone document
513d527 autogen(docs): update milestone document
1ba6c4a autogen(docs): update milestone document
ad49e5d autogen(docs): update milestone document
3eb87bc autogen(docs): update milestone document
6eb540f autogen(docs): update milestone document
11bdc4a autogen(docs): update milestone document
cc34996 autogen: add v0.7.1-alpha.1 to version.schema.json
16787fc autogen: pin v0.7.2-alpha.1 release commit
b5ad53e autogen: pin v0.7.3-alpha.1 release commit
158cf37 chore: adjust CODEOWNERS
1a912c6 chore: update docusaurus template
8ab3c2f chore: update docusaurus template (#1607)
6d80d12 chore: update docusaurus template (#1622)
2fcfdff chore: update repository templates (#1608)
e995cc6 chore: update repository templates (#1640)
6b58278 docs: Fixes incorrect yaml identation (#1641)
dc32720 docs: Update docker.md - Outdated information (#1627)
09c403e docs: change model to schema (#1639)
bbeb613 docs: fix func naming for Logout flow (#1676)
9bc2fd0 docs: fix stub error example (#1642)
641eba6 docs: identity traits are visible to user (#1621)
bae1847 docs: make qickstart URLs consistent (playground vs. localhost) (#1626)
51b1311 feat: allow multiple webhook body sources (#1606)
1cf61cd feat: require verified address (#1355)
f6b3aa4 fix(docs): ensure config reference is updated
da214b2 fix(sdk): use proper annotation for genericError (#1611)
0525623 fix: add new message when refresh parameter is true (#1560)
639a7dd fix: add session in spa registration if session cook is configured (#1657)
85337bf fix: facebook sign in regression (#1689)
b21bd22 fix: http context memory leak
149101e fix: outdated label (#1681)
45c28d9 fix: register argon2 CLI commands properly (#1592)
cdb30bb fix: remove session cookie on logout (#1587)
a667255 fix: skip prompt on discord authorization by default (#1594)
db54a1b fix: static parameter for warning message in config.baseURL(...) (#1673)
64c90bf fix: update csrf token cookie name (#1601)
de5fb3e fix: use eager preloading for list identites endpoint (#1588)

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.7-sqlite
• docker pull oryd/kratos:v0.7.3-sqlite
• docker pull oryd/kratos:v0.7.3-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.7
• docker pull oryd/kratos:v0.7.3
• docker pull oryd/kratos:v0.7.3-alpha.1
• docker pull oryd/kratos:latest

v0.7.1-alpha.1

Changelog

f557328 autogen(docs): generate and format documentation
608c919 autogen(docs): generate and format documentation
52434d3 autogen(docs): generate and format documentation
de22a1c autogen(docs): generate cli docs
eb11e42 autogen(docs): regenerate and update changelog
dacd5cc autogen(docs): regenerate and update changelog
16ed943 autogen(docs): regenerate and update changelog
16fb20e autogen(docs): regenerate and update changelog
9bd8d01 autogen(docs): regenerate and update changelog
603ca40 autogen(docs): regenerate and update changelog
1c84205 autogen(docs): update milestone document
e2f6ca4 autogen(docs): update milestone document
18448ff autogen(docs): update milestone document
696fd68 autogen(docs): update milestone document
8cb65bd autogen(docs): update milestone document
a040a0d autogen: add v0.7.0-alpha.1 to version.schema.json
4fe76af autogen: pin v0.7.1-alpha.1 release commit
e8aebce chore: format
c2a1b6d docs: add instruction for creating user (#1541)
e5ea5fe docs: clarify flags in schema which are not available in config file
0bfac67 docs: fix formatting of Email and Phone Verification Flow tab content (#1536)
b25bae7 docs: fix typo (#1543)
547788d docs: fix typo (#1544)
cc7ed4b docs: update csrf pitfall flow section (#1558)
fe5056e fix: automatic tagging for node ui
aedbb5a fix: bump kratos ui image for quickstart
3cfd784 fix: cleanup lint errors and add doc to x (#1545)
8d4f3ff fix: correct meta schema
835fb31 fix: do not reset link method (#1573)
36bbd43 fix: do not set csrf cookies on /sessions/whoami (#1580)
6af7638 fix: export extensionschemas (#1553)
6612c5f fix: generate CSRF token on validation creation (#1549)
ba5ca64 fix: identity extension meta schema (#1554)
c6145db fix: remove domain alias config constraint (#1542)
b07927c fix: resolve wrong openapi types
0217737 fix: update identity state openapi spec
6c13c2b fix: use legacy ssl in quickstart config
3a85a33 test: longer wait time for e2e boot

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.7-sqlite
• docker pull oryd/kratos:v0.7.1-sqlite
• docker pull oryd/kratos:v0.7.1-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.7
• docker pull oryd/kratos:v0.7.1
• docker pull oryd/kratos:v0.7.1-alpha.1
• docker pull oryd/kratos:latest

v0.7.0-alpha.1

About two months ago we released Ory Kratos v0.6. Today, we are excited to announce the next iteration of Ory Kratos v0.7! This release includes 215 commits from 24 contributors with over 770 files and more than 100.000 lines of code changed!

Ory Kratos v0.7 brings massive developer experience improvements:

• A reworked, tested, and standardized SDK based on OpenAPI 3.0.3 (#1477, #1424);
• Native support of Single-Page-Apps (ReactJS, AngularJS, ...) for all self-service flows (#1367);
• Sign in with Yandex, VK, Auth0, Slack;
• An all-new, secure logout flow (#1433);
• Important security updates to the self-service GET APIs (#1458, #1282);
• Built-in support for TLS (#1466);
• Improved documentation and Go Module structure;
• Resolving a case-sensitivity bug in self-service recovery and verification flows;
• Improved performance for listing identities;
• Support for Instant tracing (#1429);
• Improved control for SMTPS, supporting SSL and STARTTLS (#1430);
• Ability to run Ory Kratos in networks without outbound requests (#1445);
• Improved control over HTTP Cookie behavior (#1531);
• Several smaller user experience improvements and bug fixes;
• Improved e2e test pipeline.

In the next iteration of Ory Kratos, we will focus on providing a NextJS example application for the SPA integration as well as the long-awaited MFA flows!

Please be aware that upgrading to Ory Kratos 0.7 requires you to apply SQL migrations. Make sure to back up your database before migration!

For more details on breaking changes and patch notes, see below.

Breaking Changes

Prior to this change it was not possible to specify the verification/recovery link lifetime. Instead, it was bound to the flow expiry. This patch changes that and adds the ability to configure the lifespan of the link individually:

 selfservice:
   methods:
     link:
       enabled: true
       config:
+        # Defines how long a recovery link is valid for (default 1h)
+        lifespan: 15m

This is a breaking change because the link strategy no longer respects the recovery / verification flow expiry time and, unless set, will default to one hour.

This change introduces a better SDK. As part of this change, several breaking changes with regards to the SDK have been introduced. We recommend reading this section carefully to understand the changes and how they might affect you.

Before, the SDK was structured into tags public and admin. This stems from the fact that we have two ports in Ory Kratos - one administrative and one public port.

While serves as a good overview when working with Ory Kratos, it does not express:

• What module the API belongs to (e.g. self-service, identity, ...)
• What maturity the API has (e.g. experimental, alpha, beta, ...)
• What version the API has (e.g. v0alpha0, v1beta0, ...)

This patch replaces the current admin and public tags with a versioned approach indicating the maturity of the API used. For example, initializeSelfServiceSettingsForBrowsers would no longer be under the public tag but instead under the v0alpha1 tag:

import {
  Configuration,
- PublicApi
+ V0Alpha1
} from '@ory/kratos-client';

- const kratos = new PublicApi(new Configuration({ basePath: config.kratos.public }));
+ const kratos = new V0Alpha1(new Configuration({ basePath: config.kratos.public }));

To avoid confusion when setting up the SDK, and potentially using the wrong endpoints in your codebase and ending up with strange 404 errors, Ory Kratos now redirects you to the correct port, given that serve.(public|admin).base_url are configured correctly. This is a significant improvement towards a more robust API experience!

Further, all administrative functions require, in the Ory SaaS, authorization using e.g. an Ory Personal Access Token. In the open source, we do not know what developers use to protect their APIs. As such, we believe that it is ok to have admin and public functions under one common API and differentiate with an admin prefix. Therefore, the following patches should be made in your codebase:

import {
- AdminApi,
+ V0Alpha1,
  Configuration
} from '@ory/kratos-client';

-const kratos = new AdminApi(new Configuration({ basePath: config.kratos.admin }));
+const kratos = new V0Alpha1(new Configuration({ basePath: config.kratos.admin }));

-kratos.createIdentity({
+kratos.adminCreateIdentity({
  schema_id: 'default',
  traits: { /* ... */ }
})

Further, we have introduced a style guide for writing SDKs annotations governing how naming conventions should be chosen.

We also streamlined how credentials are used. We now differentiate between:

• Per-request credentials such as the Ory Session Token / Cookie

  - public getSelfServiceRegistrationFlow(id: string, cookie?: string, options?: any) {}
  + public getSelfServiceSettingsFlow(id: string, xSessionToken?: string, cookie?: string, options?: any) {}
  

• Global credentials such as the Ory (SaaS) Personal Access Token.

  const kratos = new V0Alpha0(new Configuration({ basePath: config.kratos.admin, accessToken: 'some-token' }));
  
  kratosAdmin.adminCreateIdentity({
    schema_id: 'default',
    traits: { /* ... */ },
  });

This patch introduces CSRF countermeasures for fetching all self-service flows. This ensures that users can not accidentally leak sensitive information when copy/pasting e.g. login URLs (see #1282). If a self-service flow for browsers is requested, the CSRF cookie must be included in the call, regardless if it is a client-side browser app or a server-side browser app calling. This does not apply for API-based flows.

As part of this change, the following endpoints have been removed:

• GET <ory-kratos-admin>/self-service/login/flows;
• GET <ory-kratos-admin>/self-service/registration/flows;
• GET <ory-kratos-admin>/self-service/verification/flows;
• GET <ory-kratos-admin>/self-service/recovery/flows;
• GET <ory-kratos-admin>/self-service/settings/flows.

Please ensure that your server-side applications use the public port (e.g. GET <ory-kratos-public>/self-service/login/flows) for fetching self-service flows going forward.

If you use the SDKs, upgrading is easy by adding the cookie header when fetching the flows. This is only required when using browser flows on the server side.

The following example illustrates a ExpressJS (NodeJS) server-side application fetching the self-service flows.

app.get('some-route', (req: Request, res: Response) => {
-   kratos.getSelfServiceLoginFlow(flow).then((flow) => /* ... */ )
+   kratos.getSelfServiceLoginFlow(flow, req.header('cookie')).then((flow) => /* ... */ )

-   kratos.getSelfServiceRecoveryFlow(flow).then((flow) => /* ... */ )
+   kratos.getSelfServiceRecoveryFlow(flow, req.header('cookie')).then((flow) => /* ... */ )

-   kratos.getSelfServiceRegistrationFlow(flow).then((flow) => /* ... */ )
+   kratos.getSelfServiceRegistrationFlow(flow, req.header('cookie')).then((flow) => /* ... */ )

-   kratos.getSelfServiceVerificationFlow(flow).then((flow) => /* ... */ )
+   kratos.getSelfServiceVerificationFlow(flow, req.header('cookie')).then((flow) => /* ... */ )

-   kratos.getSelfServiceSettingsFlow(flow).then((flow) => /* ... */ )
+   kratos.getSelfServiceSettingsFlow(flow, undefined, req.header('cookie')).then((flow) => /* ... */ )
})

For concrete details, check out the changes in the NodeJS app.

This patch refactors the logout functionality for browsers and APIs. It adds increased security and DoS-defenses to the logout flow.

Previously, calling GET /self-service/browser/flows/logout would remove the session cookie and redirect the user to the logout endpoint. Now you have to make a call to GET /self-service/logout/browser which returns a JSON response including a logout_url URL to be used for logout. The call to /self-service/logout/browser must be made using AJAX with cookies enabled or by including the Ory Session Cookie in the X-Session-Cookie HTTP Header. You may also use the SDK method createSelfServiceLogoutUrlForBrowsers to do that.

Additionally, the endpoint DELETE /sessions has been moved to DELETE /self-service/logout/api. Payloads and responses stay equal. The SDK method revokeSession has been renamed to submitSelfServiceLogoutFlowWithoutBrowser.

We listened to your feedback and have improved the naming of the SDK method initializeSelfServiceRecoveryForNativeApps to better match what it does: initializeSelfServiceRecoveryWithoutBrowser. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.

We listened to your feedback and have improved the naming of the SDK method initializeSelfServiceVerificationForNativeApps to better match what it does: initializeSelfServiceVerificationWithoutBrowser. As in the previous release you may still use the old SDK if you do not want to deal with the SDK breaking changes for now.

We listened to your feedback and have improved the naming of the SDK method initializeSelfServiceSettingsForNativeApps to better match what it does: `initializeS...

v0.6.3-alpha.1

This release addresses some minor bugs and improves the SDK experience. Please be aware that the Ory Kratos SDK v0.6.3+ have breaking changes compared to Ory Kratos SDK v0.6.2. If you do not wish to update your code, you can keep using the Ory Kratos v0.6.2 SDK and upgrade to v0.6.3+ SDKs at a later stage, as only naming conventions have changed!

0.6.3-alpha.1 (2021-05-17)

Bug Fixes

• Properly handle CSRF for API flows in recovery and verification strategies (461c829), closes #1141
• session: Use specific headers before bearer use (82c0b54)
• Improve settings oas definition (867abfc)
• Use correct api spec path (5f41f87)
• Use correct openapi path for validation (#1340) (a0f5673)

Code Refactoring

• Improve SDK experience (71b8511):

  This patch resolves UX issues in the auto-generated SDKs by using consistent naming and introducing a test suite for the Ory SaaS.

BREAKING CHANGES

• Unfortunately, some method signatures have changed in the SDKs. Below is a list of changed entries:

• Error genericError was renamed to jsonError and now includes more information and better typing for errors;
• The following functions have been renamed:
  • initializeSelfServiceLoginViaAPIFlow -> initializeSelfServiceLoginForNativeApps
  • initializeSelfServiceLoginViaBrowserFlow -> initializeSelfServiceLoginForBrowsers
  • initializeSelfServiceRegistrationViaAPIFlow -> initializeSelfServiceRegistrationForNativeApps
  • initializeSelfServiceRegistrationViaBrowserFlow -> initializeSelfServiceRegistrationForBrowsers
  • initializeSelfServiceSettingsViaAPIFlow -> initializeSelfServiceSettingsForNativeApps
  • initializeSelfServiceSettingsViaBrowserFlow -> initializeSelfServiceSettingsForBrowsers
  • initializeSelfServiceRecoveryViaAPIFlow -> initializeSelfServiceRecoveryForNativeApps
  • initializeSelfServiceRecoveryViaBrowserFlow -> initializeSelfServiceRecoveryForBrowsers
  • initializeSelfServiceVerificationViaAPIFlow -> initializeSelfServiceVerificationForNativeApps
  • initializeSelfServiceVerificationViaBrowserFlow -> initializeSelfServiceVerificationForBrowsers
• Some type names have changed, for example traits -> identityTraits.

Changelog

c9e7477 autogen(docs): generate and format documentation
383c3f8 autogen(docs): generate and format documentation
170b6f4 autogen(docs): generate and format documentation
1bd6572 autogen(docs): generate and format documentation
7000a65 autogen(docs): generate and format documentation
a453928 autogen(docs): regenerate and update changelog
42b6b92 autogen(docs): update milestone document
f73a5e1 autogen: add v0.6.2-alpha.1 to version.schema.json
5edf952 autogen: pin v0.6.3-alpha.1 release commit
186a340 chore: regenerate openapi
df08e3d chore: regenerate openapi
82c0b54 fix(session): use specific headers before bearer use
867abfc fix: improve settings oas definition
461c829 fix: properly handle CSRF for API flows in recovery and verification strategies
5f41f87 fix: use correct api spec path
a0f5673 fix: use correct openapi path for validation (#1340)
71b8511 refactor: improve SDK experience

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.6-sqlite
• docker pull oryd/kratos:v0.6.3-sqlite
• docker pull oryd/kratos:v0.6.3-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.6
• docker pull oryd/kratos:v0.6.3
• docker pull oryd/kratos:v0.6.3-alpha.1
• docker pull oryd/kratos:latest

v0.6.2-alpha.1

Resolves an issue in the Go SDK.

0.6.2-alpha.1 (2021-05-14)

Documentation

• Update link to example email template. (#1326) (28a1723)

Changelog

8e6037a autogen(docs): generate and format documentation
18518e9 autogen(docs): regenerate and update changelog
7f736c0 autogen(docs): regenerate and update changelog
3ea5eb9 autogen: add v0.6.1-alpha.1 to version.schema.json
99c1b1d autogen: pin v0.6.2-alpha.1 release commit
28a1723 docs: update link to example email template. (#1326)

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.6-sqlite
• docker pull oryd/kratos:v0.6.2-sqlite
• docker pull oryd/kratos:v0.6.2-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.6
• docker pull oryd/kratos:v0.6.2
• docker pull oryd/kratos:v0.6.2-alpha.1
• docker pull oryd/kratos:latest

v0.6.1-alpha.1

This release primarily addresses issues in the SDK CI pipeline.

0.6.1-alpha.1 (2021-05-11)

Features

• Allow changing password validation API DNS name (#1009) (ced85e8)

Changelog

3d44e3e autogen(docs): generate and format documentation
ba29af4 autogen(docs): generate and format documentation
cdab44f autogen(docs): regenerate and update changelog
8d77692 autogen: add v0.6.0-alpha.2 to version.schema.json
1df82da autogen: pin v0.6.1-alpha.1 release commit
ced85e8 feat: allow changing password validation API DNS name (#1009)

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.6-sqlite
• docker pull oryd/kratos:v0.6.1-sqlite
• docker pull oryd/kratos:v0.6.1-alpha.1-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.6
• docker pull oryd/kratos:v0.6.1
• docker pull oryd/kratos:v0.6.1-alpha.1
• docker pull oryd/kratos:latest

v0.6.0-alpha.2

This release addresses issues with the SDK pipeline and also closes a bug related to email sending.

0.6.0-alpha.2 (2021-05-07)

Bug Fixes

• Update node image (eef307e)

Features

• Fix unexpected emails when update profile (#1300) (7b24485), closes #1221

Changelog

7669c7b autogen(docs): generate and format documentation
6771958 autogen(docs): regenerate and update changelog
e8af575 autogen(docs): regenerate and update changelog
43419fa autogen(docs): regenerate and update changelog
41ecd06 autogen(docs): update milestone document
23ce83d autogen: add v0.6.0-alpha.1 to version.schema.json
a3658ba autogen: pin v0.6.0-alpha.2 release commit
7b24485 feat: fix unexpected emails when update profile (#1300)
eef307e fix: update node image

Docker images

• docker pull oryd/kratos:v0-sqlite
• docker pull oryd/kratos:v0.6-sqlite
• docker pull oryd/kratos:v0.6.0-sqlite
• docker pull oryd/kratos:v0.6.0-alpha.2-sqlite
• docker pull oryd/kratos:latest-sqlite
• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.6
• docker pull oryd/kratos:v0.6.0
• docker pull oryd/kratos:v0.6.0-alpha.2
• docker pull oryd/kratos:latest

v0.6.0-alpha.1

Today Ory Kratos v0.6 has been released! We are extremely happy with this release where we made many changes that pave the path for exciting future additions such as integrating 2FA more easily! We would like to thank the awesome community for the many contributions.

Kratos v0.6 includes an insane amount of work spread over the last five months - 480 commits and over 4200 files changed. The team at Ory would like to thank all the amazing contributors that made this release possible!

Here is a summary of the most important changes:

• Ory Kratos now support highly customizable web hooks - contributed by @dadrus and @martinei;
• Ory Kratos Courier can now be run as a standalone task using kratos courier watch -c your/config.yaml. To use the mail courier as a background task of the server run kratos serve --watch-courier - contributed by @mattbonnell;
• Reworked migrations to ensure stable migrations in production systems - backward compatibility is ensured and tested;
• Upgraded to Go 1.16 and removed all static file packers, greatly improving build time;
• Refactored our SDK pipeline from Swagger 2.0 to OpenAPI Spec 3.0. Ory's SDKs are now properly typed and bugs can easily be addressed using a patch process. Due to this, we had to move away from go-swagger client generation for the Go SDK and replace it with openapi-generator. This, unfortunately, introduced breaking changes in the Go SDK APIs. If you have problems migrating, or have a tutorial on how to migrate, please share it with the community on GitHub!
• Created reliable health and status checks by ensuring that e.g. migrations have completed;
• Made resilient CLI client commands e.g. kratos identities list;
• Better support for cookies in multi-domain setups called domain aliasing;
• A new, dynamically generated FAQ;
• Enhanced GitHub and Google claims parsing;
• Faster and more resilient CI/CD pipeline;
• Improvements for running Ory Kratos in secure Kubernetes environments;
• Better Helm Charts for Ory Kratos;
• Support for BCrypt hashing, which is now the default hashing implementation. Existing Argon2id hashes will be automatically translated to BCrypt hashes when the user signs in the next time. We recommend using Argon2id in use cases where password hashing is required to take at least 2 seconds. For regular web workloads (200ms) BCrypt is recommended - contributed by @seremenko-wish;
• The Argon2 memory configuration is now human readable: hashers.argon2.memory: 131072 -> hashers.argon2.memory: 131072B (supports kb, mb, kib, mib, ...).
• Add possibility to keep track of the return_to URLs for verification_flows after sign up using the new after_verification_return_to query parameter (e.g. http://foo.com/registration?after_verification_return_to=verification_callback) - contributed by @mattbonnell;
• Emails are now populated at delivery time, offering more flexibility in terms of templating;
• Emails contain a plaintext variant for email clients that do not display HTML emails - contributed by @mattbonnell;
• Mitigation for password hash timing attacks by adding a random delay to login attempts where the user does not exist;
• Resolving SDKs issues for whoami requests;
• Simplified database schema for faster processing, significantly reducing the amount of data stored and latency as several JOINS have been removed;
• Support for binding the HTTP server on UNIX sockets - contributed by @sloonz;

There are even more contributions by @NickUfer and harnash. In total, 33 people contributed to this release! Thank you all!

IMPORTANT: Please be aware that the database schema has changed significantly. Applying migrations might, depending on the size of your tables, take a long time. If your database does not support online schema migrations, you will experience downtimes. Please test the migration process before applying it to production!

The probably biggest and most significant change is the refactoring of how self-service flows work and what their payloads look like. This took the most amount of time and introduces the biggest breaking changes in our APIs. We did this refactoring to support several flows planned for Ory Kratos 0.7:

1. Displaying QR codes (images) in login, registration, settings flows - necessary for TOTP 2FA;
2. Asking the login/registration/... UI to render JavaScript - necessary for CAPTCHA, WebAuthN, and more;
3. Refactoring the form submission API to use one endpoint per flow instead of one endpoint per flow per method. This allows us to process several registration/settings/login/... methods such as password + 2FA in one Go.

Check out how we migrated the NodeJS app from the Ory Kratos 0.5 to Ory Kratos 0.6 SDK.

Let's take a look into how these payloads have changed (the flows have identical configuration):

Ory Kratos v0.5

Login

{
  "id": "ee6e1565-d3c3-4f3a-a6ff-0ba6b3a6481b",
  "type": "browser",
  "expires_at": "2020-09-13T10:49:54.8295242Z",
  "issued_at": "2020-09-13T10:39:54.8295242Z",
  "request_url": "http://127.0.0.1:4433/self-service/login/browser",
  "methods": {
    "password": {
      "method": "password",
      "config": {
        "action": "http://127.0.0.1:4433/self-service/login/methods/password?flow=ee6e1565-d3c3-4f3a-a6ff-0ba6b3a6481b",
        "method": "POST",
        "fields": [
          {
            "name": "identifier",
            "type": "text",
            "required": true,
            "value": ""
          },
          {
            "name": "password",
            "type": "password",
            "required": true
          },
          {
            "name": "csrf_token",
            "type": "hidden",
            "required": true,
            "value": "lNrB8sW2fZY6xnnA91V7ISYrUVcJbmRCOoGHjsnsfI7MsIL5RTbuWFm5TRv1azQW+7IRCfnt2Ch6pC42/45sJQ=="
          }
        ]
      }
    }
  },
  "forced": false
}

Registration

{
  "id": "2b1f8c5d-e830-4068-97b8-35f776df9217",
  "type": "browser",
  "expires_at": "2020-09-13T10:53:15.1774019Z",
  "issued_at": "2020-09-13T10:43:15.1774019Z",
  "request_url": "http://127.0.0.1:4433/self-service/registration/browser",
  "active": "password",
  "messages": null,
  "methods": {
    "password": {
      "method": "password",
      "config": {
        "action": "http://127.0.0.1:4433/self-service/registration/methods/password?flow=2b1f8c5d-e830-4068-97b8-35f776df9217",
        "method": "POST",
        "fields": [
          {
            "name": "csrf_token",
            "type": "hidden",
            "required": true,
            "value": "1IlHWNjkAZxuYhO82WPgNTgujKsUSaW87j6og/20i2uM4wRTWGSSUg0dJ2fbXa8C5bfM9eTKGdauGwE7y9abwA=="
          },
          {
            "name": "password",
            "type": "password",
            "required": true,
            "messages": [
              {
                "id": 4000005,
                "text": "The password can not be used because the password has been found in at least 23597311 data breaches and must no longer be used..",
                "type": "error",
                "context": {
                  "reason": "the password has been found in at least 23597311 data breaches and must no longer be used."
                }
              }
            ]
          },
          {
            "name": "traits.email",
            "type": "text",
            "value": "[email protected]"
          },
          {
            "name": "traits.name.first",
            "type": "text",
            "value": "Ory"
          },
          {
            "name": "traits.name.last",
            "type": "text",
            "value": "Corp"
          }
        ]
      }
    }
  }
}

Ory Kratos v0.6

Login

As you can see below, the input name identifier has changed to password_identifier.

{
  "id": "07016811-917d-4788-bb9c-fc297897af6c",
  "type": "browser",
  "expires_at": "2021-04-28T08:37:53.924337873Z",
  "issued_at": "2021-04-28T08:27:53.924337873Z",
  "request_url": "http://127.0.0.1:4433/self-service/login/browser",
  "ui": {
    "action": "http://127.0.0.1:4433/self-service/login?flow=07016811-917d-4788-bb9c-fc297897af6c",
    "method": "POST",
    "nodes": [
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "csrf_token",
          "type": "hidden",
          "value": "IuiHo8fajl6Nwi2CfR33bmC7ZI+geYY44oinK/npkS9gaeV6DlkzS0voYZuyGawsCruvlawFl/pY6/Ph6d9JVg==",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {}
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "password_identifier",
          "type": "text",
          "value": "",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070004,
            "text": "ID",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "password",
          "type": "password",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070001,
            "text": "Password",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attri...

v0.5.5-alpha.1

The ORY Community is proud to present you the next iteration of ORY Kratos. In this release, we focused on improving production stability!

0.5.5-alpha.1 (2020-12-09)

Bug Fixes

• CSRF token is required when using the Revoke Session API endpoint (#839) (d3218a0), closes #838

• Incorrect home path (#848) (5265af0)

• Make password policy configurable (#888) (7a00483), closes #450 #316:

  Allows configuring password breach thresholds and optionally enforces checks against the HIBP API.

• Remove obsolete types (#887) (b8bac7a), closes #716

• Set samesite attribute to lax if in dev mode (#824) (91d6698), closes #821

• Use working cache-control header for cdn/proxies/cache (#869) (d8e3d40), closes #601

Documentation

• Add contributing to sidebar (#866) (44f33f9):

  The same change as in ory/hydra#2209

• Add newsletter to config (1735ca2)

• Add recovery flow (#868) (d95cfe9), closes #864:

  Added a short section for the recovery flow on managing-user-identities.

• Fix account recovery click instruction (#870) (383de9e)

• Fix broken link (#893) (dec38a2), closes #835

• Fix oidc config example structure (#845) (c102a68)

• Fix redirect (#802) (b868782)

• Fix typo (#847) (9b3da9f)

• Fix typo (#881) (3078293)

• Fix typo MKFA to MFA (#826) (a5613d0)

• Remove workaround note (#886) (05409bc), closes #718

• Swagger specs for selfservice settings browser flow (#825) (28d50f4)

• Update oidc provider with json conf support (#833) (670eb37)

Features

• Add return_to parameter to logout flow (#823) (1c146dd), closes #702
• Add selinux compatible quickstart config (#889) (0f87948), closes #831

Tests

• Ensure registration runs only once (#872) (5ffc036)

Unclassified

• docs: fix link and typo in Configuring Cookies (#883) (c51ed6b), closes #883

Changelog

f0caf51 autogen(docs): generate and format documentation
62faa5f autogen(docs): generate and format documentation
faf0bf1 autogen(docs): generate and format documentation
6530457 autogen(docs): generate and format documentation
51dc593 autogen(docs): generate and format documentation
5279e04 autogen(docs): generate and format documentation
37ac90c autogen(docs): generate and format documentation
991e967 autogen(docs): generate and format documentation
263e364 autogen(docs): generate and format documentation
62b4d63 autogen(docs): generate and format documentation
5aaef91 autogen(docs): generate cli docs
ed32fc6 autogen(docs): regenerate and update changelog
b008e87 autogen(docs): regenerate and update changelog
7466708 autogen(docs): regenerate and update changelog
c700c2d autogen(docs): regenerate and update changelog
105181d autogen(docs): regenerate and update changelog
a9cac1c autogen(docs): regenerate and update changelog
6c7779c autogen(docs): regenerate and update changelog
bbaebd7 autogen(docs): regenerate and update changelog
3ecdc02 autogen(docs): regenerate and update changelog
9b8da55 autogen(docs): regenerate and update changelog
0ba72e9 autogen(docs): regenerate and update changelog
096c44d autogen(docs): regenerate and update changelog
5121fa0 autogen(docs): update milestone document
347ad05 autogen(docs): update milestone document
14bc665 autogen(docs): update milestone document
c7b8011 autogen(docs): update milestone document
5beb7b0 autogen(docs): update milestone document
ba525c6 autogen(docs): update milestone document
624b7f7 autogen: add v0.5.4-alpha.1 to version.schema.json
83aedcb autogen: pin v0.5.5-alpha.1 release commit
42c4d3d autogen: pin v0.5.5-alpha.1.pre.1 release commit
f742074 chore: bump ory/x and use pkgerx migration box (#860)
260f644 chore: format docs
5eb799f chore: remove .DS_Store (#819)
0943ff6 chore: update docusaurus template
4b540cf chore: update docusaurus template (#827)
9c90d5c chore: update docusaurus template (#836)
946632a chore: update docusaurus template (#837)
2adc275 chore: update docusaurus template (#840)
09c12a2 chore: update docusaurus template (#841)
3e2d852 chore: update docusaurus template (#843)
ad05e04 chore: update docusaurus template (#850)
ad1a662 chore: update docusaurus template (#852)
4c92ff8 chore: update docusaurus template (#855)
35b748f chore: update docusaurus template (#856)
a6e1a17 chore: update docusaurus template (#857)
b4ec7af chore: update docusaurus template (#859)
117245d chore: update docusaurus template (#867)
9f2cefa chore: update docusaurus template (#871)
7e4435d chore: update docusaurus template (#876)
a724372 chore: update docusaurus template (#877)
3244ff6 chore: update docusaurus template (#878)
7620f97 chore: update docusaurus template (#880)
566a91b chore: update docusaurus template (#884)
678c1d1 chore: update docusaurus template (#885)
b97861d chore: update repository templates (#844)
aa8b5c6 chore: update repository templates (#851)
e92ed17 chore: update repository templates (#853)
c9253cf ci: always build docs
3ab9e9d ci: bump ory-prettier-styles and run format check in validate
04cb93b ci: disable dupl due to false positives (#892)
44f33f9 docs: add contributing to sidebar (#866)
1735ca2 docs: add newsletter to config
d95cfe9 docs: add recovery flow (#868)
383de9e docs: fix account recovery click instruction (#870)
dec38a2 docs: fix broken link (#893)
c102a68 docs: fix oidc config example structure (#845)
b868782 docs: fix redirect (#802)
9b3da9f docs: fix typo (#847)
3078293 docs: fix typo (#881)
a5613d0 docs: fix typo MKFA to MFA (#826)
05409bc docs: remove workaround note (#886)
28d50f4 docs: swagger specs for selfservice settings browser flow (#825)
670eb37 docs: update oidc provider with json conf support (#833)
c51ed6b docs: fix link and typo in Configuring Cookies (#883)
1c146dd feat: add return_to parameter to logout flow (#823)
0f87948 feat: add selinux compatible quickstart config (#889)
d3218a0 fix: CSRF token is required when using the Revoke Session API endpoint (#839)
5265af0 fix: incorrect home path (#848)
7a00483 fix: make password policy configurable (#888)
b8bac7a fix: remove obsolete types (#887)
91d6698 fix: set samesite attribute to lax if in dev mode (#824)
d8e3d40 fix: use working cache-control header for cdn/proxies/cache (#869)
a87dd81 style: format
76f371f style: format
5ffc036 test: ensure registration runs only once (#872)

Docker images

• docker pull oryd/kratos:v0
• docker pull oryd/kratos:v0.5
• docker pull oryd/kratos:v0.5.5
• docker pull oryd/kratos:v0.5.5-alpha.1
• docker pull oryd/kratos:latest
• docker pull oryd/kratos:v0-sqlite
• `doc...