@renovate renovate bot commented Jan 30, 2026

This PR contains the following updates:

Package | Update | Change
svhd/logto | minor | 1.35.0 → 1.36.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

logto-io/logto (svhd/logto)

v1.36.0

Highlights

  • Wildcard redirect URIs: Support wildcard patterns (*) in redirect URIs for dynamic environments like preview deployments, making development workflows easier. (Thanks @Arochka!)
  • Token exchange app-level control: Fine-grained control over token exchange grant type per application, with M2M apps now supporting this feature.
  • Trust unverified email for SSO: OIDC social connectors and enterprise SSO connectors can now sync emails even when email_verified is missing or false.

New features & enhancements

Wildcard patterns in redirect URIs

Added support for wildcard patterns (*) in redirect URIs to better support dynamic environments like preview deployments. (Contributed by @Arochka in #8094)

Rules (web only):

  • Wildcards are allowed for http/https redirect URIs in the hostname and/or pathname
  • Wildcards are rejected in scheme, port, query, and hash
  • Hostname wildcard patterns must contain at least one dot to avoid overly broad patterns

Token exchange grant type with app-level control

  • Add allowTokenExchange field to customClientMetadata to control whether an application can initiate token exchange requests
  • Machine-to-machine applications now support token exchange
  • All new applications will have token exchange disabled by default; enable it in application settings
  • For backward compatibility, existing first-party Traditional, Native, and SPA applications will have this enabled
  • Third-party applications are not allowed to use token exchange
  • Added UI toggle in Console with risk warning for public clients (SPA / native application)

Trust unverified email for OIDC connectors

  • Add trustUnverifiedEmail to the OIDC social connector config (default false) to allow syncing emails when email_verified is missing or false
  • Apply the setting in core OIDC/Azure OIDC SSO connectors and expose it in the Admin Console

Skip required identifiers for social sign-in

A new option skipRequiredIdentifiers is available for social sign-in and sign-up flows. When enabled, users can bypass the mandatory identifier collection step during social sign-in and sign-up.

This is particularly useful for iOS apps where Apple App Store guidelines mandate that social sign-in options like "Sign in with Apple" should not require additional information collection beyond what is provided by the social IdP.

In the Logto Console, this option is represented as a checkbox labeled "Require users to provide missing sign-up identifier" under the "Social sign-in" section.

User role API improvements

  • POST /users/:userId/roles now returns { roleIds: string[]; addedRoleIds: string[] } where roleIds echoes the requested IDs, and addedRoleIds includes only the IDs that were newly created
  • PUT /users/:userId/roles now returns { roleIds: string[] } to confirm the final assigned roles

@logto/api SDK enhancement

Added createApiClient function for custom token authentication. This new function allows you to create a type-safe API client with your own token retrieval logic, useful for scenarios like custom authentication flows.

Bug fixes & stability

Postgres statement timeout configuration

Allow disabling Postgres statement_timeout for PgBouncer/RDS Proxy compatibility:

  • Set DATABASE_STATEMENT_TIMEOUT=DISABLE_TIMEOUT to omit the startup parameter

Enterprise SSO error code fix

Fixed the enterprise SSO "account does not exist" error code to use a specific one instead of the generic social account error.

JIT email domains pagination fix

Removed default pagination from GET /organizations/:id/jit/email-domains to ensure all JIT email domains are returned in the Console's Organization details page.

Direct sign-in stability

Prevented repeated auto sign-in requests on the direct sign-in page that could cause unexpected behavior in certain scenarios.

Console audit log fixes

  • Removed deprecated interaction log events from the Console audit log filter menu
  • Fixed dropdown event key typo that caused empty filter results for several events

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
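
The wildcard redirect URI rules listed in the release notes above can be turned into a pre-upgrade audit of registered patterns. This is an added example, not Logto's implementation and not part of the bot's comment; the function names, messages and sample URIs are hypothetical, and rejecting wildcards in userinfo or with non-http(s) schemes is an assumption about how "web only" is read.

```javascript
// Added example, not Logto's code: audit redirect URI patterns against the
// wildcard rules quoted in the release notes. All names here are hypothetical.
function checkRedirectUriPattern(uri) {
  // Split scheme://authority/path?query#hash without normalising anything.
  const m = /^([^:/?#]*):\/\/([^/?#]*)([^?#]*)(\?[^#]*)?(#.*)?$/.exec(uri);
  if (!m) return ['not an absolute URI with an authority'];
  const [, scheme, authority, , query = '', hash = ''] = m;
  const problems = [];

  if (scheme.includes('*')) {
    problems.push('wildcard in scheme');
  } else if (uri.includes('*') && !/^https?$/i.test(scheme)) {
    // "Web only": read here as wildcards being valid only with http/https.
    problems.push('wildcard in non-http(s) URI');
  }

  // Authority = [userinfo@]host[:port]; IPv6 literals keep their brackets.
  const at = authority.lastIndexOf('@');
  const [, host, port = ''] =
    /^(\[[^\]]*\]|[^:]*)(?::(.*))?$/.exec(authority.slice(at + 1));
  // Userinfo is not named in the rules; rejecting it is an assumption.
  if (authority.slice(0, at + 1).includes('*')) problems.push('wildcard in userinfo');
  if (port.includes('*')) problems.push('wildcard in port');
  if (query.includes('*')) problems.push('wildcard in query');
  if (hash.includes('*')) problems.push('wildcard in hash');
  if (host.includes('*') && !host.includes('.')) {
    problems.push('hostname wildcard without a dot');
  }
  return problems; // empty array: pattern satisfies the listed rules
}

// Returns only the entries that violate a rule, keyed by the pattern.
function auditRedirectUris(uris) {
  return Object.fromEntries(
    uris.map((u) => [u, checkRedirectUriPattern(u)]).filter(([, p]) => p.length > 0)
  );
}

// Constructed sample registrations (not taken from any real tenant).
const sample = [
  'https://*.preview.example.com/callback',
  'https://example.com/pr-*/callback',
  'https://*/callback',
  'https://example.com:*/callback',
  'https://example.com/callback?env=*',
];
console.log(auditRedirectUris(sample));
```

The dot rule is a floor, not a scope check: a hostname pattern with very few labels to the right of the `*` still contains a dot and passes, so review the remaining suffix of each wildcard host by hand.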

f2c-ci-robot bot commented Jan 30, 2026

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

f2c-ci-robot bot commented Jan 30, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@wanghe-fit2cloud wanghe-fit2cloud merged commit 0aff67a into dev Feb 1, 2026
1 check was pending
@wanghe-fit2cloud wanghe-fit2cloud deleted the renovate/svhd-logto-1.x branch February 1, 2026 13:34