v0.13.0

We’re excited to announce the release of Ory Kratos v0.13.0! This update brings many enhancements and fixes, improving the user experience and overall performance. In general, Ory Kratos is reaching complete API stability and we're adding some missing features next, paving the road to v1.0.

Ory Kratos serves over 500M users monthly in various companies, and is the backbone of the Ory Network (the best, cheapest, easiest way to run Ory).

Here are the highlights:

We’ve added new social sign-in options with Patreon OIDC and LinkedIn providers, making it even easier for your users to register and log in. Furthermore, we’ve introduced a new admin API that allows you to remove specific 2nd factor credentials, giving you more control over your user accounts.
Performance has been a key focus in this release. We’ve optimized the whoami calls, parallelized the getIdentity and getSession calls, and made asynchronous webhooks fully async. These improvements will result in faster response times and a smoother experience for your users. Additionally, we’ve implemented better tracing to help you diagnose and resolve issues more effectively.
We’ve also made several updates to the webhook system. A new response.parse configuration has been introduced, allowing you to update identity data during registration. This includes admin/public metadata, identity traits, enabling/disabling identity, and modifying verified/recovery addresses. Please note that can_interrupt is now deprecated in favor of response.parse.
Lastly, we’ve made several important fixes, such as resolving the wrong message ID on resend code buttons, implementing the offline scope as Google expects, and improving the OIDC flow on duplicate account registration. We’ve also added the ability to configure whether the system should notify unknown recipients when attempting to recover an account or verify an address, enhancing security with “anti-account-enumeration measures.”

We hope you enjoy these new features and improvements in Ory Kratos v0.13.0! All features are already live on the Ory Network - the simplest, fastest and most scalable way to run Ory.

Please note that the v0.12.0 release was skipped due to CI issues.

Head over to the changelog at https://github.com/ory/kratos/blob/master/CHANGELOG.md to read all the details. As always, we appreciate your feedback and support!

Breaking Changes

By default, Kratos no longer sends out these Emails. If you want to keep notifying unknown addresses (keep the current behavior), set selfservice.flows.recovery.notify_unknown_recipients to true for recovery, or selfservice.flows.verification.notify_unknown_recipients for verification flows.

Bug Fixes

Access rules example (#3178) (a206772)
Account experience redirects to verification page (#3195) (2e96d75)
Account settings broken on OIDC removal (#3185) (61ae531), closes ory-corp/cloud#3514
Add after_verification_return_to to sdk and api docs (#3097) (c70704c), closes #3096
Add HydraLoginRequest on flow creation (#3152) (09312dd), closes #3108:

The oauth2_login_request field was missing when initially creating the login flow.
Add missing code discriminator in updateVerificationFlow (#3213) (21576be)
Add missing index (#3181) (756bed4)
Add mutex to test SMTP server setup/teardown (20c2359)
Avoid unchecked casts from IdentityPool to PrivilegedIdentityPool (71d35dd)
Correctly apply patches to identity metadata (#3103) (1193a56), closes #2950
Do not omit last page on identity list (#3169) (f95f48a)
Don't return 500 if active strategy is disabled (#3197) (3a734c2)
Don't reuse ports in courier/SMTP tests (#3156) (e260fcf)
Don't treat missing session as error in tracing (290d28a)
Error messages in OpenAPI/Swagger / improve error messages from failed webhooks and client timeouts (#3218) (b1bdcd3)
Handle upstream errors in patreon provider (#3032) (39fa31f)
Identity.CopyWithoutCredentials (989c99d)
Implement offline scope in the way google expects (#3088) (39043d4)
Improve webhook resilience (#3200) (0a05d99):
- fix: improve webhook logging
- chore: bump x
- feat: decouple context in PostRegistrationPostPersist hook
Invalid SQL syntax in ListIdentities (#3202) (162ab9b):

PostgresQL does not support ... WHERE x IN ( ) with an empty argument list.
Issuer missing from netid claims (#3080) (dec7cbc):

The NetID provider omits the issuer claim in the userinfo response. To resolve this issue, the ID token returned by NetID is now validated and its sub and iss values are used.
Lint errors and unused code (ae49ef0)
Make async webhooks fully async (#3111) (342bfb0)
Make session AAL satisfaction check resilient against a nil identity in the session (5ab1a56):

Also fix tracing.
Missing issuer regression in OIDC (#3220) (52f0740):

Closes #3182
Closes #3040
Nolint comment (93e6501)
Only return one result set for credentials_identifier (#3107) (59f35d1), closes #3105
Orphaned webhook spans (a7f9414)
Re-use existing CSRF token in verification flows (#3188) (08a3447):
- fix: re-use existing CSRF token in verification flows
- chore: fix if/else
Reduce SQL tracing noise (1650426)
Remove http.Redirect from show_verification_ui hook (#3238) (054705b)
Remove network omit flag (#3066) (c629b72)

Report correct errors for json schema validation (#3085) (9477ea4):

Implemented the translation of jsonschema.ValidationError to errors codes documented here

Added missing error codes for relevant schema errors

Validation	Name	ID
`maxLength`	ErrorValidationMaxLength	4000017
`minimum`	ErrorValidationMinimum.	4000018
`exclusiveMinimum`	ErrorValidationExclusiveMinimum	4000019
`maximum`	ErrorValidationMaximum	4000020
`exclusiveMaximum`	ErrorValidationExclusiveMaximum	4000021
`multipleOf`	ErrorValidationMultipleOf	4000022
`maxItems`	ErrorValidationMaxItems	4000023
`minItems`	ErrorValidationMinItems	4000024
`uniqueItems`	ErrorValidationUniqueItems	4000025
`type`	ErrorValidationWrongType	4000026

Updated e2e tests to check these IDs explicitly

Respect the after recovery return to URL from config (#3141) (3467fd3):

Fixes ory-corp/cloud#1405
Set DB connection max idle time (8d4762c)
Set proper maxAge for session cookies (#3209) (1180c05), closes #3208
Sqa config values unified across projects (#3237) (523b93f)
Test contract names (e9ac00b)
Use correct names in WebAuthN dialogs (#3215) (3bc1ff0)
Use type alias instead of type definition (#3148) (dba3803)
Webhook tracing and missing defers (#3145) (46eb063)
Wrong context in logout trace span (#3168) (b9ccccf)

Code Generation

Pin v0.13.0 release commit (349d0ee)

Code Refactoring

Identity persistence (#3101) (ceb5cc2)

Documentation

Fix broken docs links and code example to get verification flow (#3170) (bdbddcc)
Update security email (#3164) (9252f5a)

Features

Add a new admin API to remove a specific 2nd factor credential (#2962) (44556a4), closes #2505
Add API to batch insert identities (#3157) (829bda7), closes ory/network#266
Add Inspect option to driver (8aa75e9)
Add patreon oidc provider (#3021) (20ea29e)
Add test to verify GetIdentityConfidential expands everything (#3217) (f088ccd)
Add token prefixes to session and logout tokens (#3132) (8210cd0):

This feature adds token prefixes to Ory session and logout tokens:
- ory_st_: Ory session token prefix
- ory_lt_: Logout token prefix
Add upstream parameters to oidc provider (#3138) (b6b1679), closes #3127 #2069:

This PR introduces the upstream OIDC query parameters login_hint and hd.

To send additional upstream parameters the form can post this on a login, registration or settings link submit.
For example the form below does an OIDC flow to Google. We can now add additional parameters such as login_hint and hd to the upstream request to Google login with a pre-filled email email@example.com:
```
<form action="https://kratos/self-service/login?flow=">
  <input type="submit" name="provider" value="google" />
  <input
    type="hidden"
    name="upstream_parameters.login_hint"
    value="email@example.com"
  />
  <input type="hidden" name="upstream_parameters.hd" value="example.com" />
</form>
```
Allow importing (salted) SHA hashing algorithms (#2741) (132255e), closes #2422
Allow passing transient data from registration to webhook (#3104) (4a3a076)
Don't pre-generate UUIDs for transient objects (e17f307)
Drop unused index (#3165) (852dea9)
Even more tracing of hidden HTTP requests (9d8b1e2)
Identity by identifier (#3077) (c288d4d)
Improve tracing span naming in hooks (bf828d3)
Improve webhook diagnostics (d4eb2f6)
Improved oidc flow on duplicate account registration (#3151) (4d2fda4):

This PR improves the OIDC registration flow when a duplicate account error happens.

Currently the flow looks as follows:
1. User registers with password (or other credentials)
2. User forgot they registered with password and tries to login through an OIDC provider (e.g. Google)
3. Kratos attempts a registration since the OIDC credentials do not exist
4. (optional) User needs to add missing traits (e.g. full name) which could not be retrieved from the OIDC provider
5. User gets a duplicate account error with a "Continue" button.
6. After submitting the "Continue" button the flow continues again to the OIDC provider, back to Kratos and redirects to UI with duplicate error (Steps 3 to 5)
Instead of causing a confusing redirect loop we should show the user the error with a fresh login flow (since the account exists). This also gives the user the option to do a recovery flow.
1. User registers with password (or other credentials)
2. User forgot they registered with password and tries to login through an OIDC provider (e.g. Google)
3. Kratos attempts a registration since the OIDC credentials do not exist
4. (optional) User needs to add missing traits
5. User is returned to a Login flow with the duplication error
Let DB generate ID for session devices (62402c7)
Make notification to unknown recipients configurable (#3075) (1a5ead4), closes #2345 #2585:

Added the ability to configure whether the system should notify unknown recipients, if some tries to recover their account or verify their address ("anti-account-enumeration measures").
Make password validator (HIBP check) cancelable and add tracing (28f8914)
Parallelize get identity and session calls (#3023) (6393519)
Refactor credentials fetching (#3183) (590269f):

This change revamps the way we fetch identity credentials. We no longer need most of the helper fields for gobuffalo/pop inside the Identity and Credentials structures, and we collect all the credentials in one joined query rather than using pop's EagerPreload functionality.
Return hydra error messages (b3d037b)
Return verification flow ID after registration flow (#3144) (eb854be), closes #2975
Show "continue" screen after successful verification (#3090) (fb6b160), closes /github.com/ory-corp/cloud#3925 /github.com/ory/network#228:

The link strategy for verification now shows a confirmation screen with a "continue" link after successful verification, aligning its behavior to the code strategy.

Also fixes a bug, where the default_browser_return_url of the verification flow was not respected when using the code strategy.
Social sign in via linkedin (#3079) (5de6bf4), closes #2856:

Adds LinkedIn as a social sign in provider.
Webhooks that update identities (2cbee3e), closes #2161:

Introduces a new configuration response.parse in webhooks. This enables updating of identity data during registration, including admin/public metadata, identity traits, enabling/disabling identity, and modifying verified/recovery addresses.

Please note that can_interrupt is being deprecated in favor of response.parse.

Tests

e2e: Fix compile errors in commands (#3179) (0002668)
Parallelize several unit tests (#3081) (5403f86)

Unclassified

Revert "fix: do not omit last page on identity list (#3169)" (#3184) (73b5f13), closes #3169 #3184:

This reverts commit f95f48a.

Changelog

73b5f13 Revert "fix: do not omit last page on identity list (#3169)" (#3184)
af3f9e5 autogen(docs): generate and bump docs
9322677 autogen(docs): regenerate and update changelog
f3123ec autogen(docs): regenerate and update changelog
59aa38a autogen(docs): regenerate and update changelog
5b88a99 autogen(docs): regenerate and update changelog
9c0b68c autogen(docs): regenerate and update changelog
4181fbc autogen(docs): regenerate and update changelog
cca36f8 autogen(docs): regenerate and update changelog
dbe3d83 autogen(docs): regenerate and update changelog
acf9261 autogen(docs): regenerate and update changelog
586eaf9 autogen(docs): regenerate and update changelog
17f0de4 autogen(docs): regenerate and update changelog
59b1ce5 autogen(docs): regenerate and update changelog
9c3bfe3 autogen(docs): regenerate and update changelog
db066b7 autogen(docs): regenerate and update changelog
5a78fd4 autogen(docs): regenerate and update changelog
5740b9d autogen(docs): regenerate and update changelog
6f908b9 autogen(docs): regenerate and update changelog
ddea641 autogen(docs): regenerate and update changelog
bda6bc8 autogen(docs): regenerate and update changelog
74ae852 autogen(docs): regenerate and update changelog
40ab76a autogen(docs): regenerate and update changelog
48a4469 autogen(docs): regenerate and update changelog
90977ca autogen(docs): regenerate and update changelog
033b19c autogen(docs): regenerate and update changelog
debc487 autogen(docs): regenerate and update changelog
79c94d5 autogen(docs): regenerate and update changelog
e916a74 autogen(docs): regenerate and update changelog
a542164 autogen(docs): regenerate and update changelog
b87b723 autogen(docs): regenerate and update changelog
17dd35d autogen(docs): regenerate and update changelog
411633d autogen(docs): regenerate and update changelog
fd37383 autogen(docs): regenerate and update changelog
b69981a autogen(docs): regenerate and update changelog
d6ad787 autogen(docs): regenerate and update changelog
b3370a5 autogen(docs): regenerate and update changelog
8c6e3a1 autogen(docs): regenerate and update changelog
3d07161 autogen(docs): regenerate and update changelog
fb9add5 autogen(docs): regenerate and update changelog
a49d7e6 autogen(docs): regenerate and update changelog
bb12fe7 autogen(docs): regenerate and update changelog
a577036 autogen(docs): regenerate and update changelog
851abc1 autogen(docs): regenerate and update changelog
5535171 autogen(docs): regenerate and update changelog
f905408 autogen(docs): regenerate and update changelog
6d83dc9 autogen(docs): regenerate and update changelog
9d59fd7 autogen(docs): regenerate and update changelog
ea6ad2a autogen(docs): regenerate and update changelog
601b7fc autogen(docs): regenerate and update changelog
d250650 autogen(docs): regenerate and update changelog
8396a55 autogen(docs): regenerate and update changelog
ee1f02e autogen(docs): regenerate and update changelog
022f053 autogen(openapi): regenerate swagger spec and internal client
5e18b02 autogen(openapi): regenerate swagger spec and internal client
122f2a2 autogen(openapi): regenerate swagger spec and internal client
f296012 autogen: add v0.11.1 to version.schema.json
349d0ee autogen: pin v0.13.0 release commit
2e72c5b autogen: pin v0.13.0 release commit
9b51200 chore(ci): don't run pm workflow on forks (#3229)
0cc50c6 chore(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 (#3198)
2d489e7 chore(deps): bump golang.org/x/net from 0.5.0 to 0.7.0 (#3120)
3b8f426 chore: bump hydra to v2 (#3083)
03ef8bf chore: bump ory/jsonschema/v3
c15de85 chore: clarift documentation on code strategy payloads (#3228)
e3eb39e chore: fix wrong message id on resend code button (#3067)
3bf6ec3 chore: one uuid library ought to be enough for everybody
a4f8f3a chore: remove obsolete packages and dependencies
ba1aecf chore: unset email and name after release hook (#3026)
8e87693 chore: update GHA versions (#3078)
0ba0bd6 chore: update ory/x (#3221)
bdbddcc docs: fix broken docs links and code example to get verification flow (#3170)
9252f5a docs: update security email (#3164)
829bda7 feat: add API to batch insert identities (#3157)
8aa75e9 feat: add Inspect option to driver
44556a4 feat: add a new admin API to remove a specific 2nd factor credential (#2962)
20ea29e feat: add patreon oidc provider (#3021)
f088ccd feat: add test to verify GetIdentityConfidential expands everything (#3217)
8210cd0 feat: add token prefixes to session and logout tokens (#3132)
b6b1679 feat: add upstream parameters to oidc provider (#3138)
132255e feat: allow importing (salted) SHA hashing algorithms (#2741)
4a3a076 feat: allow passing transient data from registration to webhook (#3104)
e17f307 feat: don't pre-generate UUIDs for transient objects
852dea9 feat: drop unused index (#3165)
9d8b1e2 feat: even more tracing of hidden HTTP requests
c288d4d feat: identity by identifier (#3077)
bf828d3 feat: improve tracing span naming in hooks
d4eb2f6 feat: improve webhook diagnostics
4d2fda4 feat: improved oidc flow on duplicate account registration (#3151)
62402c7 feat: let DB generate ID for session devices
1a5ead4 feat: make notification to unknown recipients configurable (#3075)
28f8914 feat: make password validator (HIBP check) cancelable and add tracing
6393519 feat: parallelize get identity and session calls (#3023)
590269f feat: refactor credentials fetching (#3183)
b3d037b feat: return hydra error messages
eb854be feat: return verification flow ID after registration flow (#3144)
fb6b160 feat: show "continue" screen after successful verification (#3090)
5de6bf4 feat: social sign in via linkedin (#3079)
2cbee3e feat: webhooks that update identities
a206772 fix: access rules example (#3178)
2e96d75 fix: account experience redirects to verification page (#3195)
61ae531 fix: account settings broken on OIDC removal (#3185)
09312dd fix: add HydraLoginRequest on flow creation (#3152)
c70704c fix: add after_verification_return_to to sdk and api docs (#3097)
21576be fix: add missing code discriminator in updateVerificationFlow (#3213)
756bed4 fix: add missing index (#3181)
20c2359 fix: add mutex to test SMTP server setup/teardown
71d35dd fix: avoid unchecked casts from IdentityPool to PrivilegedIdentityPool
1193a56 fix: correctly apply patches to identity metadata (#3103)
f95f48a fix: do not omit last page on identity list (#3169)
3a734c2 fix: don't return 500 if active strategy is disabled (#3197)
e260fcf fix: don't reuse ports in courier/SMTP tests (#3156)
290d28a fix: don't treat missing session as error in tracing
b1bdcd3 fix: error messages in OpenAPI/Swagger / improve error messages from failed webhooks and client timeouts (#3218)
39fa31f fix: handle upstream errors in patreon provider (#3032)
989c99d fix: identity.CopyWithoutCredentials
39043d4 fix: implement offline scope in the way google expects (#3088)
0a05d99 fix: improve webhook resilience (#3200)
162ab9b fix: invalid SQL syntax in ListIdentities (#3202)
dec7cbc fix: issuer missing from netid claims (#3080)
ae49ef0 fix: lint errors and unused code
342bfb0 fix: make async webhooks fully async (#3111)
5ab1a56 fix: make session AAL satisfaction check resilient against a nil identity in the session
52f0740 fix: missing issuer regression in OIDC (#3220)
93e6501 fix: nolint comment
59f35d1 fix: only return one result set for credentials_identifier (#3107)
a7f9414 fix: orphaned webhook spans
08a3447 fix: re-use existing CSRF token in verification flows (#3188)
1650426 fix: reduce SQL tracing noise
054705b fix: remove http.Redirect from show_verification_ui hook (#3238)
c629b72 fix: remove network omit flag (#3066)
9477ea4 fix: report correct errors for json schema validation (#3085)
3467fd3 fix: respect the after recovery return to URL from config (#3141)
8d4762c fix: set DB connection max idle time
1180c05 fix: set proper maxAge for session cookies (#3209)
523b93f fix: sqa config values unified across projects (#3237)
e9ac00b fix: test contract names
3bc1ff0 fix: use correct names in WebAuthN dialogs (#3215)
dba3803 fix: use type alias instead of type definition (#3148)
46eb063 fix: webhook tracing and missing defers (#3145)
b9ccccf fix: wrong context in logout trace span (#3168)
ceb5cc2 refactor: identity persistence (#3101)
0002668 test(e2e): fix compile errors in commands (#3179)
5403f86 test: parallelize several unit tests (#3081)

Artifacts can be verified with cosign using this public key.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly