Launch v1.0.0 · ory/kratos · GitHub

We’re thrilled to announce Ory Kratos v1.0, the highly effective Id, Person Administration, and Authentication system! With this main replace, Ory Kratos brings a bunch of enhancements and fixes that vastly enhance the consumer expertise and total efficiency.

Ory Kratos 1.0 is steady and strong

A number of compelling causes led to label Ory Kratos as a significant launch and graduated mission: Ory Identities on Ory Community, powered by Ory Kratos, has been serving manufacturing site visitors for nicely over a 12 months, flawlessly. Ory Kratos is efficiently processing over 100 million API requests every day and has about 100 million Docker Pulls. We’ve got maintained stability inside the Ory Kratos APIs for almost two years, demonstrating their robustness and reliability. No breaking modifications imply that builders can belief the soundness of Ory Kratos in manufacturing.

Notable modifications

Ory Kratos 1.0 introduces a wide range of new options whereas specializing in stability, robustness, and improved efficiency. Main enhancements embody assist for social login and single-sign-on by way of OpenID join in native apps, emails despatched by means of HTTP relatively than SMTP, and full compatibility with Ory Hydra v2.2.0. Customers can even discover multi-region assist within the Ory Community for broader geographic attain, improved export performance for all credential sorts, and enhanced session administration with the introduction of the “supplier ID” parameter. Different additions comprise distroless pictures for leaner useful resource utilization and sooner deployment and assist for the Lark OIDC supplier.

New options and full multi-region assist in Ory Community

Important enhancements and fixes accompany these new options. Enhanced OIDC flows now embody the flexibility to ahead immediate upstream parameters, providing builders elevated flexibility and customization choices. The logout move additionally helps the return_to parameter, facilitating extra versatile redirection post-user logout. Efficiency has been a key focus, with Ory Kratos 1.0 now able to dealing with tons of of tens of millions of energetic customers month-to-month. Vital bug fixes have been utilized to forestall customers from being redirected to incorrect locations, guaranteeing smoother authentication and authorization. Moreover, there’s extra assist for legacy techniques by way of applied crypt(3) hashers and a repair for metadata patching has been deployed to make sure constant consumer metadata administration. For an in depth view of all modifications, discuss with the changelog on GitHub. Suggestions and assist are, as at all times, vastly appreciated.

Help choices for Ory Kratos 1.0

Ory Kratos 1.0 is a significant launch that marks a major milestone in our journey.

We sincerely hope that you just discover these new options and enhancements in Ory Kratos 1.0 worthwhile in your tasks. To expertise the facility of the most recent launch, we encourage you to get the most recent model of Ory Kratos here or leverage Kratos in Ory Network — the simplest, easiest, and most cost-effective technique to run Ory.

For organizations in search of to improve their self-hosted resolution, Ory presents devoted assist companies to make sure a clean transition. Our staff is able to help you all through the migration course of, guaranteeing uninterrupted entry to the most recent options and enhancements. Moreover, we offer varied support plans particularly tailor-made for self-hosting organizations. These plans provide complete help and steerage to optimize your Ory deployments and meet your distinctive necessities.

A Shoutout to the Ory Neighborhood

We prolong our heartfelt gratitude to the colourful and supportive Ory Neighborhood. With out your fixed assist, suggestions, and contributions, reaching this important milestone wouldn’t have been potential. As we proceed on this journey, your suggestions and ideas are invaluable to us. Collectively, we’re shaping the way forward for id administration and authentication within the digital panorama.

Contributors to this launch in alphabetical order: borisroman, ci42, CNLHC, David-Wobrock, giautm, IchordeDionysos, indietyp, jossbnd, kralicky, PhakornKiong, sunakan, steverusso

Are you keen about safety and need to make a significant affect in one of many largest open-source communities? Be a part of the Ory community and turn into part of the brand new ID stack. Collectively, we’re constructing the following technology of IAM options that empower organizations and people to safe their identities successfully.

Give it a go

Wish to take a look at Ory Kratos your self? Use these instructions to get your Ory Kratos mission operating on the Ory Community:

brew set up ory/faucet/cli

scoop bucket add ory https://github.com/ory/scoop.git
scoop set up ory

bash <(curl <https://uncooked.githubusercontent.com/ory/meta/grasp/set up.sh>) -b . ory
sudo mv ./ory /usr/native/bin/

ory auth

ory create mission --name "My first Kratos mission"

ory open account-experience registration

ory patch identity-config 
  --replace '/id/default_schema_id="preset://username"' 
  --replace '/id/schemas=[{"id":"preset://username","url":"preset://username"}]' 
  --format yaml

ory open account-experience registration

Bug Fixes

• Means to patch metadata even whether it is null (#3304) (3c04d8f)

• Settle for OIDC login request in browser+JSON login move (#3271) (ad54093):

• Add error checking when creating verification code (#3328) (7182eca)

• Add lacking SessionIssued occasion for api flows (#3348) (adf78e0):

  • repair: lacking SessionIssued occasion for api flows
  • chore: add SessionIssued occasion to put up registration hook
  • chore: format
  • chore: transfer sessionissued occasion to persister

• Bump quickstart model (#3257) (6db70a8)

• Cypress TOTP take a look at (eac908c)

• Don’t require objects to be distinctive (#3349) (17be30d)

• Do not assume the login problem to be a UUID (#3317) (3172862):

  For compatibility with ory/hydra#3515, which
  now encodes the entire move within the login problem, we can not additional
  assume that the problem is a UUID.

• e2e: Set up kratos-selfservice-ui-node peer deps (#3354) (ce20063)

• Id record pagination (#3325) (9d3ef0d):

  Resolves a pesky difficulty that might skip the final web page.

• IdentityCreated occasion (#3314) (78e31cb)

• Incorrect override in id hydrate (#3368) (eaa3f3c)

• Enhance dimension for request url (#3366) (10713cc)

• Minor refactorings in bundle hash (#3186) (831fb19)

• Lacking id for login occasion (#3315) (b6b80a3)

• Correctly normalize uppercase mail addresses (4984e0f):

  Fixes #3187
  Fixes #3289

• Present index trace in QueryForCredentials (#3329) (4ba530e):

  • repair: present index trace in QueryForCredentials

  • feat: take away customizable be part of predicate in QueryForCredentials

  • chore: take away out of date config tracer

• Cut back lookups in whoami name (#3364) (5bb7b0c)

• Reintroduce ExpandAll (#3369) (8f9bff5)

• Take away codeball (aa29606)

• Take away duplicate SessionIssued occasion (#3351) (b1e78ad)

• Return HTTP 400 as a substitute of 500 for dangerous question parameters (58258eb)

• sdk: Add cookie for updateLogoutFlow (#3284) (95ed2b9):

  Closes ory/sdk#255

• sdk: Replace the API spec to mirror the 204 NoContent in DeleteIdentityCredentials (#3347) (f3dee86)

• Settings ought to persist return_to after required mfa login move (#3263) (0ed1abd):

  • repair: get settings ought to persist return_to when redirecting to aal2

  • feat(e2e): confirm return_to persists in restoration flows

  • take a look at: restoration technique with mfa account

  • take a look at: code restoration return to persists to settings with aal2

  • u

  • repair: return to settings move after mfa login

  • repair(take a look at): login handler

  • repair: move between settings and mfa

  • repair: get settings endpoint ought to redirect to settings ui as a substitute of to itself

  • feat(take a look at): protect URL from varied settings flows by means of login mfa move

  • chore: cleanup

  • repair(e2e): restoration return to spa assessments

  • repair: e2e proxy

  • repair: don’t at all times redirect again to settings on mfa

  • repair: new settings move with required mfa should not be added to login move return_to until it incorporates a return_to parameter

  • repair(e2e): let take a look at dynamically deal with required_aal

  • chore: cleanup unused code

  • take a look at: DoesSessionSatisfy with methodology choices

  • take a look at: restoration technique with aal2

• String to enum for updateVerificationFlowWithLinkMethod Technique (#3279) (34ff1d2), closes #2943

• Replace right typo (#3281) (0fea75c):

  The textual content for verification code enter ought to be Verification code not Confirm code.

• Replace README (#3363) (c426014)

• Use RETURNING clause for batch create (#3293) (8ae8783)

• Use the right redirect_uri for linkedin social login (#3269) (27ccecc)

• Webhook config parse for settings move (#3305) (95ad94d)

Code Technology

• Pin v1.0.0 launch commit (41b7c51)

Documentation

Options

• Add “supplier id” parameter to kratos session (#3292) (387f5a2), closes #3283

• Add distroless and static pictures (#3350) (1e65662)

• Add return_to parameters to the createLogout handler (#3336) (08fed36):

  • feat: add return_to parameters to the createLogout handler

  • take a look at: logout take over return_to from create to replace

  • take a look at(e2e): logout return to

  • take a look at(e2e): logout return to

  • take a look at: logout return_to isnt relevant to react

• Permit customization of JOIN predicate in QueryForCredentials (#3253) (8785166)

• Emit occasions for login/logout and registration (#3235) (c784b7e)

• Ahead immediate upstream parameter throughout OIDC move (#3276) (d290cb0), closes #2709

• Implement crypt(3) hashers (#3303) (afe06db), closes #3291:

  This PR implements md5crypt, sha256crypt, sha512crypt, that are thought of legacy (like md5), however are utilized in legacy techniques trying to convert to ory. They use the prevailing format of crypt(5) (which is compliant to PHC).

• Enhance occasion sorts and seize extra occasions (#3297) (835fe13)

• Lark OIDC supplier (#2925) (f884dfb)

• Return to oauth move after switching from login to different flows (#3212) (a1fea6c):

  • feat: return to oauth move after switching from login to different flows

  • feat(e2e): flows ought to have return_to set to hydra request_url

  • u

  • repair: override return_to URL on OAuth flows

  • model: format

  • repair: TestOAuth2Provider

  • feat: config to decide into utilizing OAuth request url as return_to

  • chore: cleanup

  • repair(e2e): oauth2 login move switching to restoration

  • feat(take a look at): oauth2 login move to restoration by means of oidc supplier

  • repair(e2e): oidc-provider registration

  • chore: rename oauth2_provider.return_to_enabled to oauth2_provider.override_return_to

  • model: format

  • chore: nit config description

• Kind classes by authenticated_at (#3324) (46f92ff):

  Closes ory/network#295

• Sqa metrics v2 (#3300) (98fe73f)

• Help exporting of all credential sorts (#3290) (de6c857):

  It is now potential to export all credential sorts (together with passwords) when calling the getIdentity SDK methodology.

• Help OIDC flows for native apps (#3216) (cb10609), closes #707:

  Implements Social Signal In and OpenID Join for native apps.

Assessments

• Run Playwright in CI (#3259) (342edec):

  This improves the compatibility between OIDC+code and different
  flows corresponding to TOTP, settings, password auth.

  • Replace persistence/sql/persister_cleanup_test.go

  • repair: error dealing with with OIDC+Code

  • repair: improve playwright timeout

Unclassified

• @barnarddt @hperl feat: ship emails by way of http api endpoint as a substitute of smtp (#1030) (#3341) (28b7b04), closes #1030 #3341 #1030 #3008:

  This alteration provides a brand new supply methodology to the courier referred to as mailer. Just like SMS performance it posts a templated Information mannequin to a API endpoint. This API can then ship emails by way of a CRM or some other mechanism that it desires.

  Mailer nonetheless makes use of the prevailing e-mail information fashions so any new e-mail added will routinely be despatched to the API/CRM as nicely.

  Associated difficulty(s)

  Resolves #2825

Changelog

• 28b7b04 @barnarddt @hperl feat: ship emails by way of http api endpoint as a substitute of smtp (#1030) (#3341)
• 9fd60ee autogen(docs): generate and bump docs
• b1f18d9 autogen(docs): regenerate and replace changelog
• 7c14f29 autogen(docs): regenerate and replace changelog
• 3485204 autogen(docs): regenerate and replace changelog
• 697be03 autogen(docs): regenerate and replace changelog
• daa0bef autogen(docs): regenerate and replace changelog
• d3f3be3 autogen(docs): regenerate and replace changelog
• 9750278 autogen(docs): regenerate and replace changelog
• 7f232bf autogen(docs): regenerate and replace changelog
• 9b95693 autogen(docs): regenerate and replace changelog
• ba55f38 autogen(docs): regenerate and replace changelog
• c48f20e autogen(docs): regenerate and replace changelog
• 1064b32 autogen(docs): regenerate and replace changelog
• 1def410 autogen(docs): regenerate and replace changelog
• 45485c3 autogen(docs): regenerate and replace changelog
• b7192dc autogen(docs): regenerate and replace changelog
• b43c50c autogen(docs): regenerate and replace changelog
• 2f844ec autogen(docs): regenerate and replace changelog
• 567e5a7 autogen(docs): regenerate and replace changelog
• 5535fcb autogen(docs): regenerate and replace changelog
• c842a69 autogen(docs): regenerate and replace changelog
• a4f74bc autogen(docs): regenerate and replace changelog
• 071db1d autogen(docs): regenerate and replace changelog
• 8d406b1 autogen(docs): regenerate and replace changelog
• f2bf296 autogen(docs): regenerate and replace changelog
• 5f33b08 autogen(docs): regenerate and replace changelog
• 61cb722 autogen(docs): regenerate and replace changelog
• 0f3cf22 autogen(docs): regenerate and replace changelog
• 8e760ca autogen(docs): regenerate and replace changelog
• 868ea54 autogen(docs): regenerate and replace changelog
• 9bb4d5c autogen(docs): regenerate and replace changelog
• a6d3d5b autogen(docs): regenerate and replace changelog
• 4083e44 autogen(docs): regenerate and replace changelog
• ae22c7c autogen(docs): regenerate and replace changelog
• 6de1cb3 autogen(openapi): regenerate swagger spec and inside consumer
• 4b0dead autogen(openapi): regenerate swagger spec and inside consumer
• a439df7 autogen(openapi): regenerate swagger spec and inside consumer
• 0a6235d autogen(openapi): regenerate swagger spec and inside consumer
• 7291c89 autogen: add v0.13.0 to model.schema.json
• b75313e autogen: pin v0.14.0-pre.0 launch commit
• 41b7c51 autogen: pin v1.0.0 launch commit
• ad271d2 autogen: pin v1.0.0-pre.0 launch commit
• a17bcb8 chore(deps): bump @nestjs/core and @openapitools/openapi-generator-cli (#3242)
• 950b41a chore(deps): bump github.com/knadh/koanf to v2.0.1 (#3308)
• a046778 chore: add launch config for VSCode (#3239)
• 22e8daf chore: bump ory/x (#3319)
• b2ecb10 chore: bump ory/x (#3338)
• 3469773 chore: repair typo (#3370)
• 6fe4dac chore: minor enhancements round safe redirect helpers (#3240)
• bcdcf45 chore: assist in README (#3373)
• ac96a96 chore: replace safety scanners (#3295)
• b40544e docs: repair typo in readme (#3299)
• 1e65662 feat: add distroless and static pictures (#3350)
• 08fed36 feat: add return_to parameters to the createLogout handler (#3336)
• 387f5a2 feat: add “supplier id” parameter to kratos session (#3292)
• 8785166 feat: permit customization of JOIN predicate in QueryForCredentials (#3253)
• c784b7e feat: emit occasions for login/logout and registration (#3235)
• d290cb0 feat: ahead immediate upstream parameter throughout OIDC move (#3276)
• afe06db feat: implement crypt(3) hashers (#3303)
• 835fe13 feat: enhance occasion sorts and seize extra occasions (#3297)
• f884dfb feat: lark OIDC supplier (#2925)
• a1fea6c feat: return to oauth move after switching from login to different flows (#3212)
• 46f92ff feat: type classes by authenticated_at (#3324)
• 98fe73f feat: sqa metrics v2 (#3300)
• cb10609 feat: assist OIDC flows for native apps (#3216)
• de6c857 feat: assist exporting of all credential sorts (#3290)
• ce20063 repair(e2e): set up kratos-selfservice-ui-node peer deps (#3354)
• 95ed2b9 repair(sdk): add cookie for updateLogoutFlow (#3284)
• f3dee86 repair(sdk): replace the API spec to mirror the 204 NoContent in DeleteIdentityCredentials (#3347)
• eac908c repair: Cypress TOTP take a look at
• 78e31cb repair: IdentityCreated occasion (#3314)
• 3c04d8f repair: capability to patch metadata even whether it is null (#3304)
• ad54093 repair: settle for OIDC login request in browser+JSON login move (#3271)
• 7182eca repair: add error checking when creating verification code (#3328)
• adf78e0 repair: add lacking SessionIssued occasion for api flows (#3348)
• 6db70a8 repair: bump quickstart model (#3257)
• 17be30d repair: don’t require objects to be distinctive (#3349)
• 3172862 repair: do not assume the login problem to be a UUID (#3317)
• 9d3ef0d repair: id record pagination (#3325)
• eaa3f3c repair: incorrect override in id hydrate (#3368)
• 10713cc repair: improve dimension for request url (#3366)
• 831fb19 repair: minor refactorings in bundle hash (#3186)
• b6b80a3 repair: lacking id for login occasion (#3315)
• 4984e0f repair: correctly normalize uppercase mail addresses
• 4ba530e repair: present index trace in QueryForCredentials (#3329)
• 5bb7b0c repair: cut back lookups in whoami name (#3364)
• 8f9bff5 repair: reintroduce ExpandAll (#3369)
• aa29606 repair: take away codeball
• b1e78ad repair: take away duplicate SessionIssued occasion (#3351)
• 58258eb repair: return HTTP 400 as a substitute of 500 for dangerous question parameters
• 0ed1abd repair: settings ought to persist return_to after required mfa login move (#3263)
• 34ff1d2 repair: string to enum for updateVerificationFlowWithLinkMethod Technique (#3279)
• c426014 repair: replace README (#3363)
• 0fea75c repair: replace right typo (#3281)
• 8ae8783 repair: use RETURNING clause for batch create (#3293)
• 27ccecc repair: use the right redirect_uri for linkedin social login (#3269)
• 95ad94d repair: webhook config parse for settings move (#3305)
• 342edec take a look at: run Playwright in CI (#3259)

Artifacts could be verified with cosign utilizing this public key.