v0.9.0-alpha.1

@ory-bot ory-bot released this 21 Mar 22:20
72bd2ed

Ory Kratos v0.9 is here! We're extremely happy to announce that the new release is out and once again it's been made even better thanks to the incredible contributions from our awesome community. <3

Enjoy!

Here's an overview of things you can expect from the v0.9 release:

  1. We introduced 1:1 compatibility between self-hosting Ory Kratos and using Ory Cloud. The configuration works the same across all modes of operation and deployment!
  2. Passwordless login with WebAuthn is now available! Authentication with YubiKeys, TouchID, FaceID, Microsoft Hello, and other WebAuthn-supported methods is now available. The refactored infrastructure lays a foundation for more passwordless flows to come.
  3. All the docs are now available in a single repo. Go to the ory/docs repository to find docs for all Ory projects.
  4. You can now load custom email templates that'll make your essential messaging like project invitations or password recovery emails look slick.
  5. We've laid the foundation for adding SMS-dependent flows.
  6. Security is always a top priority. We've made changes and updates such as CSP nonces, SSRF defenses, session invalidation hooks, and more.
  7. Kratos now gracefully handles cookie errors.
  8. Password policies are now configurable.
  9. Added configuration to control the flow of webhooks. Now you can cancel flows & run them in the background.
  10. You can import identities along with their credentials (password, social sign-in connections, WebAuthn, ...).
  11. Infra: we migrated all of our CIs from CircleCI to GitHub Actions.
  12. We moved the admin API from / to /admin. This is a breaking change. Please read the explanation and proceed with caution!
  13. Bugfix: fixed a bug in the handling of secrets. This is a breaking change. Please read the explanation and proceed with caution!
  14. Bugfix: several bugs in different self-service flows are no more.

As you can see, this release introduces breaking changes. We tried to keep the HTTP API as backward-compatible as possible by introducing HTTP redirects and other measures, but this update requires you to take extra care. Make sure you've read the release notes and understand the risk before updating.

You must apply SQL migrations for this release. Make sure to create a backup before you start!

Breaking Changes

Configuration key selfservice.whitelisted_return_urls has been renamed to allowed_return_urls.

All endpoints at the Admin API are now exposed at /admin/. For example, endpoint https://kratos:4434/identities is now exposed at https://kratos:4434/admin/identities. This change makes it easier to configure reverse proxies and API Gateways. Additionally, it introduces 1:1 compatibility between Ory Cloud's APIs and self-hosted Ory Kratos. Please note that nothing has changed in terms of the port. To make the migration less painful, we have set up redirects from the old endpoints to the new /admin endpoints, so your APIs, SDKs, and clients should continue working as they were working before. This change is marked as a breaking change as it touches many endpoints and might be confusing when encountering the redirect for the first time.

If you are using two or more secrets for the secrets.session, this patch might break existing Ory Session Cookies. This has the effect that users will need to re-authenticate when visiting your app.
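The rule behind this note (and behind the session secrets fix listed under Bug Fixes) is that the first configured secret signs new cookies while every listed secret is tried on verification, so a cookie signed under a misapplied or dropped secret no longer verifies and the user has to log in again. The sketch below is an added example of that rule in plain HMAC form; it is not Kratos or Gorilla code (which also encrypts the cookie), and the secret and session values are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Sign produces value.mac using the first (current) secret. Rotation means
// prepending a new secret; older ones stay in the list for verification only.
func Sign(secrets [][]byte, value string) (string, error) {
	if len(secrets) == 0 {
		return "", errors.New("no secrets configured")
	}
	mac := hmac.New(sha256.New, secrets[0])
	mac.Write([]byte(value))
	return value + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil)), nil
}

// Verify tries every configured secret in order and returns the index of the
// one that validated the cookie (0 = current). A cookie signed with a secret
// that is no longer in the list fails, which is why a change in how the list
// is applied forces everyone holding such a cookie to re-authenticate.
func Verify(secrets [][]byte, cookie string) (value string, keyIndex int, err error) {
	i := strings.LastIndexByte(cookie, '.')
	if i < 0 {
		return "", -1, errors.New("malformed cookie")
	}
	value = cookie[:i]
	got, err := base64.RawURLEncoding.DecodeString(cookie[i+1:])
	if err != nil {
		return "", -1, err
	}
	for k, s := range secrets {
		mac := hmac.New(sha256.New, s)
		mac.Write([]byte(value))
		if hmac.Equal(got, mac.Sum(nil)) { // constant-time comparison
			return value, k, nil
		}
	}
	return "", -1, errors.New("signature matches no configured secret")
}

func main() {
	old := [][]byte{[]byte("old-secret-constructed")}
	rotated := [][]byte{[]byte("new-secret-constructed"), old[0]}
	cookie, _ := Sign(old, "session-id-123")
	_, k, err := Verify(rotated, cookie)
	fmt.Println("after rotation:", k, err) // old cookie still verifies via index 1
	_, _, err = Verify(rotated[:1], cookie)
	fmt.Println("old secret dropped:", err) // now fails: user must log in again
}
```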

The password_identifier form field of the password login strategy has been renamed to identifier to make compatibility with passwordless flows possible. Field name password_identifier will still be accepted. Please note that the UI node for displaying the "username" / "email" field has this name="identifier" going forward. Additionally, the traits of the password strategy are no longer within group password but instead in group profile going forward!

The following OpenID Connect configuration keys have been renamed to better explain their purpose:

- private_key_id
+ apple_private_key_id

- private_key
+ apple_private_key

- team_id
+ apple_team_id

- tenant
+ microsoft_tenant

A major issue has been lingering in the configuration for a while: what happens to your identities when you update a schema? The answer was, it depends on the change. If the change is incompatible, some things might break!

To resolve this problem we changed the way you define schemas. Instead of a single global default_schema_url, which developers used to update their schema in place, you now define a default_schema_id that must reference the ID of a schema listed in your config. To update your existing configuration, check out the patch example below:

identity:
-  default_schema_url: file://stub/identity.schema.json
+  default_schema_id: default
+  schemas:
+  - id: default
+    url: file://stub/identity.schema.json

Ideally, you would version your schema and update the default_schema_id with every change to the new version:

identity:
  default_schema_id: user_v1
  schemas:
    - id: user_v0
      url: file://path/to/user_v0.json
    - id: user_v1
      url: file://path/to/user_v1.json
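As an added pre-deployment check (my own example, not part of Kratos), the Go snippet below validates an identity config of the shape shown above: every schema has an id and url, ids are unique, URL schemes are limited to an assumed set (file, http, https), and default_schema_id resolves to one of the listed ids. The struct fields mirror the YAML keys and the sample values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Mirrors the identity.schemas entries; constructed as structs here since the
// check itself does not need a YAML parser.
type SchemaRef struct {
	ID  string
	URL string
}

type IdentityConfig struct {
	DefaultSchemaID string
	Schemas         []SchemaRef
}

// Validate rejects the misconfigurations that would otherwise surface only at
// runtime: empty id or url, duplicate ids, an unsupported URL scheme, and a
// default_schema_id that references no entry in schemas.
func Validate(c IdentityConfig) error {
	if len(c.Schemas) == 0 {
		return errors.New("identity.schemas must list at least one schema")
	}
	seen := map[string]bool{}
	for i, s := range c.Schemas {
		if s.ID == "" || s.URL == "" {
			return fmt.Errorf("identity.schemas[%d]: id and url are required", i)
		}
		if seen[s.ID] {
			return fmt.Errorf("identity.schemas: duplicate id %q", s.ID)
		}
		seen[s.ID] = true
		u, err := url.Parse(s.URL)
		if err != nil {
			return fmt.Errorf("identity.schemas[%d]: %w", i, err)
		}
		switch u.Scheme { // assumed set of schemes for this example
		case "file", "http", "https":
		default:
			return fmt.Errorf("identity.schemas[%d]: unsupported scheme %q", i, u.Scheme)
		}
	}
	if !seen[c.DefaultSchemaID] {
		return fmt.Errorf("identity.default_schema_id %q matches no schema id", c.DefaultSchemaID)
	}
	return nil
}

func main() {
	good := IdentityConfig{
		DefaultSchemaID: "user_v1",
		Schemas: []SchemaRef{
			{"user_v0", "file://path/to/user_v0.json"},
			{"user_v1", "file://path/to/user_v1.json"},
		},
	}
	// Typical mistake when bumping the version: the new id is referenced
	// before its schema entry has been added to the list.
	bad := good
	bad.DefaultSchemaID = "user_v2"
	fmt.Println("good:", Validate(good))
	fmt.Println("bad: ", Validate(bad))
}
```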

This patch removes the ability to use domain aliases, an obscure feature rarely used that had several issues and inconsistencies.

Bug Fixes

  • Add identity_id index to identity_verifiable_addresses table (#2147) (86fd942):

    The verifiable addresses are loaded eagerly into the identity. When that happens, the identity_verifiable_addresses table is queried by nid and identity_id. This index should greatly improve performance, especially of the /sessions/whoami endpoint.

  • Add ability to resume continuity sessions from several cookies (#2131) (8b87bdb), closes #2016 #1786

  • Add CourierConfig to default registry (#2243) (2e1fba3)

  • Add DispatchMessage to interface (df2ca7a)

  • Add hiring notice to README (#2074) (0c1e816)

  • Add missing enum (#2223) (4b7d7d0):

    Closes ory/sdk#147

  • Add missing version tag in quickstart.yml (#2110) (1d281ea)

  • Add output-dir input to cli-next (#2230) (1eb3f18)

  • Added malformed config test (5a3c9c1)

  • Adjust scan configuration (#2140) (8506fcf), closes #2083

  • Admin endpoint /schemas not redirecting to public endpoint (#2133) (413833f), closes #2084

  • Appropriately pass context around (#2241) (668f6b2):

    Closes ory/network#56

  • Base redirect URL decoding (acdefa7)

  • Base64 encode identity schema URLs (ad44e4d):

    Previously, identity schema IDs with special characters could lead to broken URLs. This patch introduces a change where identity schema IDs are base64 encoded to address this issue. Schema IDs that are not base64 encoded will continue working.

  • Broken links API spec (e1e7516)

  • Choose correct CSRF cookie when multiple are set (633076b), closes ory/kratos#2121 ory-corp/cloud#1786:

    Resolves an issue where, when multiple CSRF cookies are set, a random one would be used to verify the CSRF token. Now, regardless of how many conflicting CSRF cookies exist, if one of them is valid, the request will pass and clean up the cookie store.

  • Cloud config issue (135b29c)

  • continuity: Properly reset cookies that became invalid (8e4b4fb), closes #2121 ory-corp/cloud#1786:

    Resolves several reports related to incorrect handling of invalid continuity issues.

  • continuity: Remove cookie on any error (428ac03)

  • Correct recovery hook (c7682a8)

  • courier: Improve composability (d47150e)

  • Do not error when HIBP behaves unexpectedly (#2251) (a431c1e), closes #2145

  • Do not remove all credentials when remove all security keys (#2233) (ecd715a)

  • Do not send session after registration without hook (#2094) (3044229), closes #2093

  • Docker-compose standalone definition (3c7065a)

  • Don't inherit flow type in recovery and verification flows (#2250) (c5b444a), closes #2049

  • embed: Disallow additional props (b2018ce)

  • embed: Do not require plaintext/html in email config (dfe4140)

  • Ensure no internal networks can be called in SMS sender (65e42e5)

  • Explain mitigations in cookie error messages (ef4b01a)

  • Expose network wrapper (a570607)

  • Faq (#2101) (311f906):

    This patch

    • moves the FAQ to the Debug & Help section
    • renames it to Tips & Troubleshooting
    • moves many of the questions to documents where they fit better, reformatted and with added information where needed.
    • also some other spelling/format fixes

    See also ory/docusaurus-template#87

  • identity: Slow query performance on MySQL (731b3c7), closes #2278

  • Ignore whitespace around identifier with password strategy (#2160) (45335c5), closes #2158

  • Improve courier test signature (b8888e3)

  • Improve password error resilience on settings flow (e614f6e)

  • Improve soundness of credential identifier normalization (e475163)

  • Include missing type string in config schema (#2142) (ec2c88a):

    Inside the config.schema.json under the CORS setting, add the missing type (string) for the items of the allowed_origins array

  • Incorrect makefile rule (#2222) (83a0ce7)

  • login: Error handling when failed to prepare for an expired flow (#2120) (fdad834)

  • login: Put passwordless login before password (df9245f)

  • lookup: Resolve credentials counting regression (50782c6)

  • Lower-case jsonnet context for sms (8c58e94)

  • Mark struct as used (33f3dfe)

  • Mark width and height as required (#2322) (37f2f22):

    Closes ory/sdk#157

  • Minor fixes in FAQ update (#2130) (b53eec7)

  • Move to new post-release steps (#2206) (10778fd)

  • Mr comment fix (96c917e)

  • oidc: Improve empty credential handling (124d4ce)

  • oidc: Incorrect error handling (c8d789c)

  • Order regression (2cb5d2b)

  • Pass context to registration flow (c8d55b3)

  • Pass docs output dir as a separate argument (78c69a2)

  • Pass token to render-version-schema (#2246) (4d117e5)

  • password: Schema regressions (271d5fa)

  • Properly check for not found (77ac199)

  • Properly pass context (#2300) (fab8a93)

  • Provide access to root path and error page (#2317) (f360ee8)

  • Quickstart standalone service definition (#2149) (872b06e)

  • Rebase regressions (d1c5085)

  • registration: Order for passwordless webauthn (8427322)

  • Remove non-hermetic sprig functions (#2201) (17e0acc):

    Closes #2087

  • Resolve configx regression (672c0ff)

  • Resolve issues with the CI pipeline (d15bd90)

  • Resolve merge regression (d8ca4f3)

  • Resolve prettier issues (32bf052)

  • Resolve remaining passwordless regressions (151c8cf)

  • Resolve lint errors (afb7aaf)

  • Return 400 instead of 404 on admin recovery (ae2509c), closes #1664

  • sdk: Add all available discriminators (5d70f9c), closes #2287 #2288

  • sdk: Add webauth and lookup_secret to identityCredentialsType (#2276) (61ce3c0)

  • sdk: Correct minimum page to 1 (a28362e), closes #2286

  • selfservice: Cannot login after remove security keys and all other 2FA settings (#2181) (5ff6773), closes #2180

  • selfservice: Login self service flow with TOTP does not pass on return_to URL (#2175) (3eaa88e), closes #2172

  • selfservice: Recovery self service flow passes on return_to URL (#1920) (b925d35), closes #914

  • Send 404 instead of null response for unknown verification flows (#2102) (c9490c8), closes #2099:

    Fixes the verification handler to write the error, instead of nil object, when the flow does not exist. Adds tests for every handler to check proper behavior in that regard.

  • session: Correctly calculate aal for passwordless webauthn (c7eb970)

  • session: Properly declare session secrets (6312afd), closes #2272:

    Previously, a misconfiguration of Gorilla's session store caused incorrect handling of the configured secrets. From now on, cookies will also be properly encrypted at all times.

  • Snapshot regression (6481441)

  • Static analysis (a1d3254)

  • Support setting complex configs from the environment (c45bf83):

    Closes #1535
    Closes #1792
    Closes #1801

  • test: Parallelization issues (dbcf3fb)

  • text: Incorrect IDs for different messages (0833321), closes #2277

  • totp: Resolve credentials counting regression (737bb3f)

  • Typo (fbc8b4f)

  • Typo (3bb0d41)

  • Unstable ordering (bee26c6)

  • Unstable webauthn order (6262160)

  • Update download urls according to the new names (#2078) (86ae016)

  • Updated oathkeeper+kratos example (#2273) (567a3d7)

  • URL with hash sign in after_verification_return_to stays encoded (#2173) (fb1cb8a), closes #2068

  • Use actions/checkout for ui repos (f0136ca)

  • Use correct dir for clidoc (8c8a1ab)

  • Use HTTP 303 instead of 302 for selfservice redirects (#2215) (50b6bd8), closes #1969

  • Use latest hydra version (ffb3f20)

  • webauthn: Resolve missing identifier bug (93a1ae4)

  • webauthn: Schema regressions (970e861)

  • webauth: SPA regressions for login (be378ff)

  • Yq version (41b6f18)

Code Generation

  • Pin v0.9.0-alpha.1 release commit (72bd2ed)

Code Refactoring

  • All admin endpoints are now exposed under /admin/ on the admin port (8acb4cf)
  • Deprecate domain aliases (894a2cc)
  • Distinguish between first and multi factor credentials (8de9d01)
  • Identity.default_schema_url is now identity.default_schema_id (#1964) (e4f205d)
  • identity: Move credentials counter (c9875a7)
  • Mimic credentials config on import (c3eb7ce)
  • Move credential configs for oidc and password (50ac851)
  • Move docs to ory/docs (57151da)
  • oidc: Credentials counting (b75a639)
  • password: DRY up registration helpers (8a51839)
  • password: Internals and deprecated fields (a7784bd)
  • Rename password_identifier field to identifier (4dbe0ea)
  • Rename whitelisted_return_urls to allowed_return_urls (#2299) (686c9ba)
  • session: Aal computation (a136de9)
  • Update apple and microsoft config key names (#2261) (6da2370), closes #1979

Features

  • Abandon courier messages after configurable timeout (#2257) (bff92f7)

  • Add webauthn to list of identifiers (1a8b256):

    This patch adds the key webauthn to the list of possible identifiers in the Identity JSON Schema. Use this key to specify what field is used to find the WebAuthn credentials on passwordless login flows.

  • Add credential migrator pattern (77afc6f)

  • Add message for missing webauthn credentials (303dc6b)

  • Add new messages (09e6fd1)

  • Add npm install step (3d253e5)

  • Add preset CSP nonce (#2096) (8913292):

    Closes ory/kratos-selfservice-ui-node#162

  • Add versioning and improve compatibility for credential migrations (78ce668)

  • Added phone number identifier (#1938) (294dfa8), closes #137

  • Added sms sending support to courier (687eca2)

  • Allow empty version string (419f94b)

  • Allow registration to be disabled (#2081) (864b00d), closes #882

  • Cancelable web hooks (44a5323):

    Introduces the ability to cancel web hooks by calling error "cancel" in JsonNet.

  • config: Add option to mark webauthn as passwordless-able (0455e3f):

    Adds option passwordless to selfservice.methods.webauthn.config, making it possible to use WebAuthn for first-factor authentication, or so-called "passwordless" authentication.

  • Courier template configs (#2156) (799b6a8), closes #2054:

    It is now possible to override individual courier email templates using the configuration system!

  • Courier templates fs support (#2164) (13689a7)

  • courier: Expose setters again (598dc3a)

  • courier: Override default link base URL (cc99096):

    Added a new configuration value selfservice.methods.link.config.base_url which allows to change the default base URL of recovery and verification links. This is useful when the email should send a link which does not match the globally configured base URL.

    See ory-corp/cloud#1766

  • docker: Add jaeger (27ec2b7)

  • e2e: Add passwordless flows and fix bugs (ef3871b)

  • Enable Buildkit (#2079) (f40df5c):

    Looks like this was attempted before but the magic comment was not on the first line.

  • Expose courier template load (#2082) (790716e)

  • Generalise courier tests (#2125) (75c6053)

  • identity: Add identity credentials helpers (b7be327)

  • identity: Add versioning to credentials (aaf779a)

  • Ignore web hook response (ae87914):

    Introduces the ability to ignore responses from web hooks in favor of faster and non-blocking execution.

  • Make sensitive log value redaction text configurable (#2321) (9b66e43)

  • Make the password policy more configurable (#2118) (70c627b), closes #970

  • oidc: Customizable base redirect uri (fa1f234):

    Closes ory-corp/cloud#2003

  • Password, social sign, verified email in import (41a27b1), closes #605:

    This patch introduces the ability to import passwords (cleartext, PKBDF2, Argon2, BCrypt) and Social Sign In connections when creating identities!

  • recovery: Allow invalidation of existing sessions (5029884), closes #1077:

    You can now use the revoke_active_sessions hook in the recovery flow. It invalidates all of an identity's sessions on successful account recovery.

  • schema: Add functionality to disallow internal HTTP requests (6e08416):

    See ory-corp/cloud#1261

  • security: Add e2e tests for various private network SSRF defenses (b049bc3)

  • security: Add option to disallow private IP ranges in webhooks (05f1e5a), closes #2152

  • security: Add SSRF defenses in OIDC (d37dc5d)

  • Selfservice and administrative session management (#2011) (0fe4155), closes #655 #2007

  • session: Add webauthn to extension validation (049fd8e)

  • session: Webauthn can now be a first factor as well (861bee0)

  • Trace web hook calls (#2154) (98ee300)

  • webauthn: Add error preventing deleting last webauthn credential (1209eda)

  • webauthn: Add new decoder schemas (c3e1501)

  • webauthn: Add passwordless credentials indicator (6e3057a)

  • webauthn: Add swagger type (14c2b74)

  • webauthn: Count passwordless credentials (145af23)

  • webauthn: Implement refresh using webauth (bf10868), closes #2284:

    This change introduces the ability to refresh a session (for example when entering "sudo" mode) using WebAuthn credentials. In this case, it does not matter whether the WebAuthn credentials are for MFA or passwordless flows.

  • webauthn: Improve schema (790dcf3)

  • webauthn: Manage webauthn passwordless keys (5a62ced)

  • webauthn: Passwordless login (b4c4fd2)

  • webauthn: Update messages and nodes (22534d8)

  • webauthn: Use plain bytes for wrapped user (97c8c9e)

Tests

  • Add data for new migration (b0488ef)
  • Add tests for new sms options (799fa10)
  • cmd: Fix regressions (4b92be9)
  • driver: Fix regressions (c6f5137)
  • e2e: Add import tests (ed90f39)
  • e2e: Reenable hydra (055a491)
  • e2e: Resolve privileged regression (f7dd5ab)
  • e2e: Resolve regression (b5053c9)
  • e2e: Resolve regressions (da154c5)
  • e2e: Resolve regressions (d46d435)
  • e2e: Resolve regressions and flakes (a607385)
  • e2e: Wait for initial network requests (#2242) (c5a04b5)
  • Extract common registration helpers to library (5c1f11b)
  • Fix concurrent database access (46f6fb7)
  • Fix regression (f96e48f)
  • identity: Ensure migrations run when fetching identities (322d467)
  • identity: Fix regressions (f492f0e)
  • Re-enable MySQL (cbe8f6e)
  • Remove obsolete test (cd644ae)
  • Remove obsolete test failure (f8fd480)
  • Remove only (87b3bce)
  • Remove unnecessary test (2fa33e4)
  • Resolve potential panic (d44af28)
  • schema: Resolve regressions (c6d0810)
  • Significantly reduce persister run time (647d6ef)
  • Update cypress (#2090) (883a1b1)
  • Update fixtures (21462b7)
  • Update fixtures (299c6e3)
  • webauthn: Add passwordless profile (88199ea)
  • webauthn: Passwordless registration (c9b6280)

Unclassified

  • Move login hinting to own package (1eb2604)

0.8.2-alpha.1 (2021-12-17)

This release addresses further important security updates in the base Docker Images. We also resolved all issues related to ARM support on both Linux and macOS and fixed a bug that prevented the binary from compiling on FreeBSD.

This release also makes use of our new build architecture, which means that the Docker image names have changed. We removed the "scratch" images as we received frequent complaints about them. Additionally, all Docker images now have SQLite support built in by default. If you are relying on the SQLite images, update your Docker Pull commands as follows:

- docker pull oryd/kratos:{version}-sqlite
+ docker pull oryd/kratos:{version}

Additionally, all passwords now have to be at least 8 characters long, following recommendations from Microsoft and others.

In v0.8.1-alpha.1 we failed to include all the exciting things that landed, so we'll cover them now!

  1. Advanced E-Mail templating support with sprig - makes it possible to translate emails as well!
  2. Support wildcards for allowing redirection targets.
  3. Account Recovery initiated by the Admin API now works even if identities have no email address.

Enjoy this release!

Code Generation

  • Pin v0.8.2-alpha.1 release commit (627f4a1)

0.8.1-alpha.1 (2021-12-13)

This maintenance release includes important security updates for the base Docker Images (e.g. Alpine). Additionally, several hiccups with the new ARM support have been resolved and the binaries are now downloadable for all major platforms. Please note that passwords now have to be at least 8 characters long, following recommendations from Microsoft and others.

Enjoy this release!

Breaking Changes

To celebrate this change, we cleaned up the ways you install Ory software, and will roll this out to all other projects soon:

There is now one central brew / bash curl repository:

-brew install ory/kratos/kratos
+brew install ory/tap/kratos

-bash <(curl https://raw.githubusercontent.com/ory/kratos/master/install.sh)
+bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) kratos

Code Generation

  • Pin v0.8.1-alpha.1 release commit (8247416)

Features

  • Add alpine dockerfile (587eaee)

  • Add new goreleaser build chain (#1932) (cf1714d):

    This patch adds full compatibility with ARM architectures, including Apple Silicon (M1). We additionally added cryptographically signed signatures verifiable using cosign for both binaries as well as docker images.

  • Add quickstart mimicking hosted ui (813fb4c)

  • Add x-total-count to paginated pages (b633ec3)

  • Advanced e-mail templating support (#1859) (54b97b4), closes #834 #925

  • Allow wildcard domains for redirect_to checks (#1528) (349cdcf), closes #943:

    Support wildcard domains in redirect_to checks.

  • Buildkit with multi stage build (#2025) (57ab7f7)

  • cmd: Add OIDC credential include (#2017) (1482844):

    With this change, the kratos identities get CLI can additionally fetch OIDC credentials.

  • Configurable health endpoints access logging (#1934) (1301f68):

    This PR introduces a new boolean configuration parameter that allows turning off logging of health endpoints requests in the access log. The implementation is basically a rip-off from Ory Hydra and the configuration parameter is the same:

    serve.public.request_log.disable_for_health
    serve.admin.request_log.disable_for_health
    

    The default value is false.

  • Generalise courier (#2019) (1762a73)

  • Integrate sbom generation to goreleaser (#1850) (305bb28)

  • Make admin recovery to work without emails #1419 (#1750) (db00e85)

  • oidc: Add spotify provider (#2024) (0064e35)

Artifacts can be verified with cosign using this public key.