
chore(deps): update oryd/kratos docker tag to v1 #1477

Merged: 1 commit merged into main from renovate-oryd-kratos-1.x on Aug 7, 2024

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Aug 5, 2024

Mend Renovate

This PR contains the following updates:

Package       Update   Change
oryd/kratos   major    v0.13.0 -> v1.2.0

Release Notes

ory/kratos (oryd/kratos)

v1.2.0

Compare Source

Ory Kratos v1.2 is the most complete, scalable, and secure open-source identity server available. We are thrilled to announce its release!

Ory Kratos 1.2 released

This release introduces two major features: two-step registration and full PassKey with resident key support.

Passkeys provide a secure and convenient authentication method, eliminating the need for passwords while ensuring strong security. With this release, we have added support for resident keys, enabling offline authentication. Credential discovery allows users to link existing passkeys to their Ory account seamlessly.

(Video: passkeys.webm)

Two-step registration improves the user experience by dividing the registration process into two steps. Users first enter their identity traits, and then choose a credential method for authentication, resulting in a streamlined process. This feature is especially useful when enabling multiple authentication strategies, as it eliminates the need to repeat identity traits for each strategy.

Two-Step Registration

The 107 commits since v1.1 include several improvements:

  • Webhooks now carry session information if available.
  • Transient Payloads are now available across all self-service flows.
  • Sign in with Twitter is now available.
  • Sign in with LinkedIn now includes an additional v2 provider compatible with LinkedIn's new SSO API.
  • Two-Step Registration: An improved registration experience that separates entering profile information from choosing authentication methods.
  • User Credentials Meta-Information can now be included on the list endpoint.
  • Social Sign-In is now resilient to double-submit issues common with Facebook and Apple mobile login.

Two-Step Registration Enabled by Default: This is now the default setting. To disable, set selfservice.flows.registration.enable_legacy_one_step to true.

  • Improved account linking and credential discovery during sign-up.
  • The return_to parameter is now respected in OIDC API flows.
  • Adjustments to database indices.
  • Enhanced error messages for security violations.
  • Improved SDK types.
  • The verification and verification_ui hooks are now available in the login flow.
  • Webhooks now contain the correct identity state in the after-verification hook chain.

We are doing this survey to find out how we can support self-hosted Ory users better. We strive to provide you with the best product and service possible and your feedback will help us understand what we're doing well and where we can improve to better meet your needs. We truly value your opinion and thank you in advance for taking the time to share your thoughts with us!

Fill out the survey now!

Breaking Changes

This feature enables two-step registration per default. Two-step registration is a significantly improved sign up flow and recommended when using more than one sign up methods. To disable two-step registration, set selfservice.flows.registration.enable_legacy_one_step to true. This value defaults to false.

Bug Fixes
  • Add login succeeded event to post registration hook (#​3739) (b685fa5)

  • Add missing env vars to set up guide (#​3855) (da90502):

    Closes https://github.com/ory/kratos/issues/3828

  • Add missing indexes and remove unused index (6d7372e)

  • Add missing indexes and remove unused index (#​3756) (c905f02)

  • Add sms mfa via parameter to spec (#​3766) (b291c95)

  • Allow updating just the verified_at timestamp of addresses (#​3880) (696cc1b)

  • Always issue session last (#​3876) (e942507):

    In post persist hooks, the session issuance hook always needs
    to come last. This fixes the getHooks function to ensure this.

  • Audit issues (#​3797) (7017490)

  • Change return urls in quickstarts (#​3928) (9730e09)

  • Close res body (#​3870) (cc39f8d)

  • CVEs in dependencies (#​3902) (e5d3b0a)

  • Db index and duplicate credentials error (#​3896) (9f34a21):

    • fix: don't return password cred type if empty
    • fix: better index for config.user_handle on identity_credentials
  • Do not require method to be passkey in settings schema (#​3862) (660f330)

  • Don't require connection_uri in SMTP (#​3861) (800f8f1)

  • Don't treat passkeys as AAL2 (#​3853) (8eee972)

  • Drop index if exists (#​3846) (ad0619d)

  • Drop trigram index on identifiers (#​3827) (8f8fd90)

  • Enum type of session expandables (#​3891) (63d785e)

  • Enum type of session expandables (#​3895) (c435727)

  • Execute verification & verification_ui properly in login flows (#​3847) (5aad1c1)

  • Ignore decrypt errors in WithDeclassifiedCredentials (#​3731) (8f5192f)

  • Improve SDK discriminators (#​3844) (c08b3ad)

  • Include all creds in duplicate credential err (#​3881) (e06c241)

  • Linkedin issuer override (#​3875) (11d221a)

  • Make sure emails can still be sent with SMS enabled (#​3795) (7c68c5a)

  • Missing indices and foreign keys (#​3800) (0b32ce1)

  • oidc: Grace period for continuity container on oidc callbacks (#​3915) (1a9a096)

  • Passing transient payloads (#​3838) (d01b670)

  • Prevent SMTP URL leak on unparsable URL (#​3770) (c5f39f4)

  • Respect return_to in OIDC API flow error case (#​3893) (e8f1bcb):

    • fix: respect return_to in OIDC API flow error case

    This fix ensures that we redirect the user to the return_to URL
    when an error occurs during the OIDC login for native flows.

    Native flows are initialized through the API, and the browser
    URL is retrieved from a 422 response after a POST to submit the
    login flow. Successful OIDC flows already returned the code to
    the return_to URL. Now, unsuccessful flows return the flow with
    the current flow ID (which might have changed), so that the caller
    can retrieve the full flow and act accordingly.

    • fix: ignore trivy CVE report

    Bump in distroless is still open

  • sdk: Expand identity in session extension (#​3843) (04f0231), closes #​3842

  • sdk: Improve discriminators for node and Go (#​3821) (9ddf7cc)

  • Show error page on identity mismatch (#​3790) (e6db689)

  • Test assertions on declassifying OIDC tokens (#​3773) (7f8a7f1)

  • Tolerate more "truthy" values when creating new flows (#​3841) (49d93c0), closes #​3839:

    Use strconv.ParseBool to accept multiple "truthy" values for the
    refresh and return_session_token_exchange_code query parameters when
    creating a new login flow.

    For some SDKs (e.g. Python), the stringification of booleans is not
    user-controlled, and these endpoints could not be used fully because the
    backend ignored any value other than true (all lowercase).

  • Tweaks to UpsertSessions (#​3878) (da51dcd)

  • Use correct post-verification identity state in post-hooks (#​3863) (6e63d06)

  • Webhook transient payload in OIDC login flows (#​3857) (2cdfc70):

    • fix: transient payload with OIDC login

Code Generation

  • Pin v1.2.0 release commit (1a70648)

Documentation

Features

Tests

  • Deflake session test (#​3864) (6b275f3)

  • Resolve failing test for empty tokens (#​3775) (7277368)

  • Resolve flaky e2e tests (#​3935) (a14927d):

    • test: resolve flaky code registration tests

    • chore: don't fail logout if cookie is not found

    • chore: remove .only

    • chore: reduce wait

    • chore: u

    • chore: u

    • chore: u

Unclassified

Changelog

  • 087748c Remove unnecessary COPY command from Dockerfile (#​3771)
  • d755fbb autogen(docs): generate and bump docs
  • b96c6a5 autogen(docs): regenerate and update changelog
  • f8fbb00 autogen(docs): regenerate and update changelog
  • bdf992e autogen(docs): regenerate and update changelog
  • b7fd23b autogen(docs): regenerate and update changelog
  • 0f81b76 autogen(docs): regenerate and update changelog
  • f696fcf autogen(docs): regenerate and update changelog
  • 34399c2 autogen(docs): regenerate and update changelog
  • ecbd1e3 autogen(docs): regenerate and update changelog
  • 41310b3 autogen(docs): regenerate and update changelog
  • fa5a112 autogen(docs): regenerate and update changelog
  • 9fa25b5 autogen(docs): regenerate and update changelog
  • dfc931f autogen(docs): regenerate and update changelog
  • 31f77b8 autogen(docs): regenerate and update changelog
  • ddbea20 autogen(docs): regenerate and update changelog
  • 9c69ef2 autogen(docs): regenerate and update changelog
  • 9710549 autogen(docs): regenerate and update changelog
  • 264395a autogen(docs): regenerate and update changelog
  • cd92f2a autogen(docs): regenerate and update changelog
  • a1bf427 autogen(docs): regenerate and update changelog
  • 7f1fd81 autogen(openapi): regenerate swagger spec and internal client
  • 60537a9 autogen(openapi): regenerate swagger spec and internal client
  • da6b38a autogen(openapi): regenerate swagger spec and internal client
  • b7e5144 autogen(openapi): regenerate swagger spec and internal client
  • ec90929 autogen(openapi): regenerate swagger spec and internal client
  • ab8e1b5 autogen(openapi): regenerate swagger spec and internal client
  • 718cb7c autogen(openapi): regenerate swagger spec and internal client
  • 0b6f91e autogen(openapi): regenerate swagger spec and internal client
  • fa806aa autogen(openapi): regenerate swagger spec and internal client
  • 3c06689 autogen(openapi): regenerate swagger spec and internal client
  • 473e17c autogen(openapi): regenerate swagger spec and internal client
  • 8ebdfd2 autogen(openapi): regenerate swagger spec and internal client
  • 644e669 autogen(openapi): regenerate swagger spec and internal client
  • b132c94 autogen(openapi): regenerate swagger spec and internal client
  • 1459403 autogen(openapi): regenerate swagger spec and internal client
  • dee5844 autogen(openapi): regenerate swagger spec and internal client
  • 037bdf8 autogen(openapi): regenerate swagger spec and internal client
  • d9dbaad autogen(openapi): regenerate swagger spec and internal client
  • b47554b autogen(openapi): regenerate swagger spec and internal client
  • eb67bed autogen(openapi): regenerate swagger spec and internal client
  • 5dcbb77 autogen(openapi): regenerate swagger spec and internal client
  • ca7cd23 autogen(openapi): regenerate swagger spec and internal client
  • 6638c3e autogen: add v1.1.0 to version.schema.json
  • 1a70648 autogen: pin v1.2.0 release commit
  • 2baecae autogen: pin v1.2.0-pre.0 release commit
  • 49e1a39 chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 (#​3805)
  • 0f3d082 chore(deps): bump github.com/lestrrat-go/jwx from 1.2.28 to 1.2.29 (#​3812)
  • 83792ef chore: allow smtp jim config (#​3932)
  • 3ecdf2b chore: fix function name in comment (#​3869)
  • fbbac77 chore: improve courier logging (#​3943)
  • 5288bc7 chore: make identity schema provider a proper service (#​3908)
  • 63ce470 chore: remove e2e playwright env (#​3794)
  • 17f9a4f chore: render CLI doc messages into their own *.md file in docs (#​3886)
  • de8e59c chore: update repository templates to ory/meta@e838bee
  • 050a4dc chore: upgrade nyaruka/phonenumbers to v1.3.6 (#​3940)
  • 0713e2d chore: upgrade ory/x to v0.0.619 (#​3845)
  • cd01cb9 docs: remove delete reference from batch patch identity (#​3906)
  • 3621411 feat: PassKeys with Resident Keys and two-step registration (#​3748)
  • d94530a feat: add include_credential query param to /admin/identities list call (#​3343)
  • 4642de0 feat: add headers to web hooks (#​3849)
  • 386078e feat: add session to post login webhook (#​3877)
  • b8b747b feat: add transient payloads to all flows (#​3738)
  • 930fb19 feat: add twitter SSO (#​3778)
  • 43e4ead feat: add verification hook to login flow (#​3829)
  • 25d1ecd feat: allow admin to create API code recovery flows (#​3939)
  • c9dcce5 feat: control edge cache ttl (#​3808)
  • a6ad983 feat: linkedin v2 provider (#​3804)
  • 04390be feat: send OIDC claim keys to tracing (#​3798)
  • 3d9ba5d feat: use authenticate endpoint for x (#​3833)
  • 1a9a096 fix(oidc): grace period for continuity container on oidc callbacks (#​3915)
  • 04f0231 fix(sdk): expand identity in session extension (#​3843)
  • 9ddf7cc fix(sdk): improve discriminators for node and Go (#​3821)
  • e5d3b0a fix: CVEs in dependencies (#​3902)
  • b685fa5 fix: add login succeeded event to post registration hook (#​3739)
  • da90502 fix: add missing env vars to set up guide (#​3855)
  • 6d7372e fix: add missing indexes and remove unused index
  • c905f02 fix: add missing indexes and remove unused index (#​3756)
  • b291c95 fix: add sms mfa via parameter to spec (#​3766)
  • 696cc1b fix: allow updating just the verified_at timestamp of addresses (#​3880)
  • e942507 fix: always issue session last (#​3876)
  • 7017490 fix: audit issues (#​3797)
  • 9730e09 fix: change return urls in quickstarts (#​3928)
  • cc39f8d fix: close res body (#​3870)
  • 9f34a21 fix: db index and duplicate credentials error (#​3896)
  • 660f330 fix: do not require method to be passkey in settings schema (#​3862)
  • 800f8f1 fix: don't require connection_uri in SMTP (#​3861)
  • 8eee972 fix: don't treat passkeys as AAL2 (#​3853)
  • ad0619d fix: drop index if exists (#​3846)
  • 8f8fd90 fix: drop trigram index on identifiers (#​3827)
  • 63d785e fix: enum type of session expandables (#​3891)
  • c435727 fix: enum type of session expandables (#​3895)
  • 5aad1c1 fix: execute verification & verification_ui properly in login flows (#​3847)
  • 8f5192f fix: ignore decrypt errors in WithDeclassifiedCredentials (#​3731)
  • c08b3ad fix: improve SDK discriminators (#​3844)
  • e06c241 fix: include all creds in duplicate credential err (#​3881)
  • 11d221a fix: linkedin issuer override (#​3875)
  • 7c68c5a fix: make sure emails can still be sent with SMS enabled (#​3795)
  • 0b32ce1 fix: missing indices and foreign keys (#​3800)
  • d01b670 fix: passing transient payloads (#​3838)
  • c5f39f4 fix: prevent SMTP URL leak on unparsable URL (#​3770)
  • e8f1bcb fix: respect return_to in OIDC API flow error case (#​3893)
  • e6db689 fix: show error page on identity mismatch (#​3790)
  • 7f8a7f1 fix: test assertions on declassifying OIDC tokens (#​3773)
  • 49d93c0 fix: tolerate more "truthy" values when creating new flows (#​3841)
  • da51dcd fix: tweaks to UpsertSessions (#​3878)
  • 6e63d06 fix: use correct post-verification identity state in post-hooks (#​3863)
  • 2cdfc70 fix: webhook transient payload in OIDC login flows (#​3857)
  • 6b275f3 test: deflake session test (#​3864)
  • 7277368 test: resolve failing test for empty tokens (#​3775)
  • a14927d test: resolve flaky e2e tests (#​3935)

Artifacts can be verified with cosign using this public key.

v1.1.0

Compare Source

Ory Kratos v1.1.0

Ory Kratos v1.1 is the most complete, most scalable, and most secure open-source identity server on the planet, and we are thrilled to announce its release! This release comes with over 270 commits and an incredible amount of new features and capabilities!

Don't forget to leave a GitHub star and check out our other open source projects while you're here :)

  • Phone Verification & 2FA with SMS: Enhance convenient security with phone verification and two-factor authentication (2FA) via SMS, integrating easily with SMS gateways like Twilio. This feature not only adds a convenient layer of security but also offers a straightforward method for user verification, increasing your trust in user accounts.
  • Translations & Internationalization: Ory Kratos now supports multiple languages, making it accessible to a global audience. This improvement enhances the user experience by providing a localized interface, ensuring users interact with the system in their preferred language.
  • Native Support for Sign in with Google and Apple on Android/iOS: Get more sign-ups with native support for "Sign in with Google" and "Sign in with Apple" on mobile platforms. Great user experience matters!
  • Account Linking: Simplify user management with new features that facilitate account linking. If a user registers with a password and later signs in with a social account sharing the same email, new screens make account linking straightforward, enhancing user convenience and reducing support inquiries.
  • Passwordless "Magic Code": Introduce a passwordless login method with "Magic Code," which sends a one-time code to the user's email for sign-up and login. This method can also serve as a fallback when users forget their password or their social login is unavailable, streamlining the login process and improving user accessibility.
  • Session to JWT Conversion: Convert an Ory Session Cookie or Ory Session Token into a JSON Web Token (JWT), providing more flexibility in handling sessions and integrating with other systems. This feature allows for seamless authentication and authorization processes across different platforms and services.

Note: To ensure a seamless upgrade experience with minimal impact, some of these features are gated behind the feature_flags config parameter, allowing controlled deployment and testing.

  • Better reliability when sending out emails across different providers.
  • Streamlining the HTTP API and improving related SDK methods.
  • Better performance when calling the whoami API endpoint, updating identities, and listing identities.
  • The performance of listing identities has significantly improved with the introduction of keyset pagination. Page pagination is still available but will be fully deprecated soon.
  • Ability to list multiple identities in a batch call.
  • Passkeys and WebAuthn now support multiple origins, useful when working with subdomains.
  • The logout flow now redirects the user back to the return_to parameter set in the API call.
  • When updating their settings, the user was sometimes incorrectly asked to confirm the changes by providing their password. This issue has now been fixed.
  • When signing up with an account that already exists, the user will be shown a hint helping them sign in to their existing account.
  • CORS configuration can now be hot-reloaded.
  • The integration with Ory OAuth2 / Ory Hydra has improved for logout, login session management, verification, and recovery flows.
  • A new passwordless method has been added: "Magic code". It sends a one-time code to the user's email during sign-up and log-in. This method can additionally be used as a fallback login method when the user forgets their password.
  • Integration with social sign-in has improved, and it is now possible to use the email verified status from the social sign-in provider.
  • Ory Elements and the default Ory Account Experience are now internationalized with translations.
  • It is now possible to convert an Ory Session Cookie or Ory Session Token into a JSON Web Token.
  • Recovery on native apps has improved significantly and no longer requires the user to switch to a browser for the recovery step.
  • Administrators can now find users by their identifiers with fuzzy search - this feature is still in preview.
  • Importing HMAC-hashed passwords is now possible.
  • Webhooks can now update identity admin metadata.
  • New screens have been added to make account linking possible when a user has registered with a password and later tries signing in with a social account sharing the same email.
  • Ability to revoke all sessions of a user when they change their password.
  • Webhooks are now available for all login, registration, and login methods, including Passkeys, TOTP, and others.
  • The login screen no longer shows “ID” for the primary identifier, but instead extracts the correct label - for example, “Email” or “Username” from the Identity Schema.
  • Login hints help users with guidance when they are unable to sign in (wrong social sign-in provider) but have an active account.
  • Phone numbers can now be verified via an SMS gateway like Twilio.
  • SMS OTP is now a two-factor option.

The following features have been shipped exclusively to Ory Network for this version:

  • B2B SSO allows your customers to connect their LDAP / Okta / AD / … to your login. Ory selects the correct login provider based on the user’s email domain.
  • Significantly better API performance for expensive API operations by specifying the desired consistency (strong or eventual).
  • Finding users effortlessly with our new fuzzy search for credential identifiers available for the Identity List API.

Ory Kratos 1.1 is a major release that marks a significant milestone in our journey.

We sincerely hope that you find these new features and improvements in Ory Kratos 1.1 valuable for your projects. To experience the power of the latest release, we encourage you to get the latest version of Ory Kratos here or leverage Ory Kratos in Ory Network — the easiest, simplest, and most cost-effective way to run Ory.

For organizations seeking to upgrade their self-hosted solution, Ory offers enterprise support services to ensure a smooth transition. Our team is ready to assist you throughout the migration process, ensuring uninterrupted access to the latest features and improvements. Additionally, we provide various support plans specifically tailored for self-hosting organizations. These plans offer comprehensive assistance and guidance to optimize your Ory deployments and meet your unique requirements.
We extend our heartfelt gratitude to the vibrant and supportive Ory Community. Without your constant support, feedback, and contributions, reaching this significant milestone would not have been possible. As we continue on this journey, your feedback and suggestions are invaluable to us. Together, we are shaping the future of identity management and authentication in the digital landscape.

Contributors to this release in no particular order: moose115K3dassidarthaefeslerBrandonNoad ,Saancreedjpogorzelskidreksxmartinloesethjensencpoyatos1misamutristankenneynxy7anhnmt

Are you passionate about security and want to make a meaningful impact in one of the biggest open-source communities? Join the Ory community and become a part of the new ID stack. Together, we are building the next generation of IAM solutions that empower organizations and individuals to secure their identities effectively.
Want to check out Ory Kratos yourself? Use these commands to get your Ory Kratos project running on the Ory Network:

brew install ory/tap/cli

scoop bucket add ory https://github.com/ory/scoop.git
scoop install ory

bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory
sudo mv ./ory /usr/local/bin/

ory auth login

ory create project --name "My first Kratos project"

ory open account-experience registration

ory patch identity-config \
  --replace '/identity/default_schema_id="preset://username"' \
  --replace '/identity/schemas=[{"id":"preset://username","url":"preset://username"}]' \
  --format yaml

ory open account-experience registration

Breaking Changes

Pagination parameters for the list identities CLI command have changed from positional arguments to the flags --page-token and --page-size:

- kratos list identities 1 100
+ kratos list identities --page-size 100 --page-token ...

Furthermore, the JSON / JSON pretty output of list identities has changed:

-[
-  { "id": "..." },
-  { /* ... */ },
-  // ...
-]
+{
+  "identities": [
+    {"id": "..."},
+    { /* ... */ },
+    // ...
+  ],
+  "next_page_token": "..."
+}

Closes https://github.com/ory/sdk/issues/284
Closes https://github.com/ory/kratos/pull/3480

Bug Fixes
  • oidc does not require a method in the payload (#​3564) (b299abc):

    • fix: oidc does not require a method in the payload

    • refactor: only update strategies order in test

    • chore: update audit messages and comments

  • Accept all 200 responses as OK in courier (#​3401) (88237e2), closes #​3399:

    • fix: accept all 200 responses as OK in courier
  • Accept login_challenge after verification (#​3427) (6b02350):

    Part of https://github.com/ory/network/issues/320

  • Add caching to Jsonnet snippet during session JWT tokenization (#​3699) (1da8180)

  • Add consistency flag (#​3733) (fd79950)

  • Add max-age to default cors headers (#​3584) (c5b4aaa)

  • Add missing tracing & attributes in oidc strategy (#​3429) (09bcb71)

  • Add return_to parameter to API spec of createRecoveryLinkForIdentity (#​3711) (757a5e4)

  • Add value code to authentication method enum (#​3546) (95dc7a2):

    • fix: add value code to authentication method enum

    • chore: generate sdk

  • Additional_id_token_audiences key in config schema (#​3622) (9396bb0)

  • Adjust tracing verbosity (976cd0d)

  • Allow post recovery hooks to interrupt the flow (#​3393) (6c1d2f1)

  • Allow updating admin metadata from webhook responses (#​3569) (22f61f0)

  • Always return relative URLs in the Link header for pagination (fb229c9)

  • Auto migrate old accounts to use code credential (#​3581) (569b14a)

  • Carry oauth2_login_challenge over to registration flow (#​3419) (76241be):

    Fixes https://github.com/ory/kratos/issues/3321

  • Change ListIdentities to keyset pagination (e16fed1)

  • Change shebangs and makefile from /bin/bash to /usr/bin/env bash (#​3597) (1343bbb):

    • makefile fix

    • shebangs changed to /usr/bin/env bash

    Signed-off-by: nxy7 lolnoxy@gmail.com

  • Check whoami aal before accepting hydra login request (#​3669) (a2f79c3)

  • Code method on registration and 2fa (#​3481) (7aa2e29)

  • Consider OIDC registration flows errored with duplicate credential to be completed by strategy (#​3525) (3e3c789):

    Returning anything else here may cause Kratos to respond with two concatenated JSON objects: new login flow with actual error message as the first one and a very confusing '500, aborted registration hook execution' as the second one.

  • Csrf token regenerate on browser flows (#​3706) (e4908db), closes #​3705

  • Data race in test (ab6dc31)

  • Do not encode full config in multiple places (#​3500) (57a3273)

  • Do not generate CSRF token for api flows (#​3704) (d93570d)

  • Do not initialize parts of the registry in parallel (#​3534) (ff177db)

  • Don't list org SSOs in settings (#​3637) (6c7068c)

  • Don't require code credential for MFA flows (#​3753) (40ed809)

  • Don't require session for OIDC verification (#​3443) (e08f831)

  • Don't return 500 on conflict for POST /admin/identities (#​3437) (1429949)

  • Don't return nil if code is invalid (#​3662) (df8ec2b):

    • fix: don't return nil if code is invalid

    • chore: add test

  • Error handling on identity import (#​3520) (83bfb2d):

    When importing identities without any traits, or with malformed traits, 500s are returned. This improves the error handling and messaging.

  • False-positives for requiring re-authentication on update (#​3421) (ce8139f)

  • Http courier using should use lower case json (#​3740) (84149c4)

  • Identity list pagination in CLI command and SDK (#​3482) (1e8b1ae):

    Adds correct pagination parameters to the SDK methods for listing identities and sessions.

  • Ignore CSRF middleware on Apple OIDC callback (309c506)

  • Ignore more cloudflare cookies (#​3499) (f124ab5)

  • Improved SSRF protection (#​3629) (6d08576):

    This also improves tracing in the OIDC strategy.

  • Incorrect login accept challenge (#​3658) (b5dede3)

  • Incorrect sdk generator path (#​3488) (ed996c0)

  • Incorrect SMTP error handling (#​3636) (ee138ec)

  • Incorrect swagger spec for filter parameter (#​3684) (2c1470a), closes #​3676 #​3675

  • Increase connection-level timeouts and shutdown timeouts (#​3570) (200b413):

    The admin API is generally expected to require longer timeouts, for example during bulk identity import.

  • Issue session after verification after registration with OIDC SSO (#​3467) (a28b523)

  • Lint (e8740c3)

  • Lower-case recovery & verification emails on import (#​3571) (e2ac9ff):

    Emails that contained upper-case characters would be overwritten by the identity schema extension runner, because there all emails are lower-cased.

  • Mark identity as optional in session struct (#​3463) (7ae02ba), closes #​3461:

    The identity is not always available in the session struct, for example when AAL2 is required.

  • Omit irrelevant OIDC providers in forced refresh login flows (#​3608) (912dccd):

    Whenever a user is asked to reauthenticate (e.g. because they wish to execute a settings flow touching their credentials and their session is no longer privileged) they are asked to provide their credentials again. The forced-refresh login flow generated for such cases already excludes some strategies that are enabled in Kratos but cannot be used to authenticate as the current identity; for example, the form presented to the user will not have a password field if the identity does not have a password credential.

    This, however, does not currently apply to OIDC providers; the user will always see the full set even if some of them can't be used to sign in as the current identity. This change causes forced refresh login flows to also omit irrelevant OIDC providers in the generated form in order to avoid confounding the user about which strategies/providers are valid and can actually be used to reauthenticate.

  • On verification required after registration, preserve return_to (#​3589) (6a0a914):

    • fix: on verification required after registration, preserve return_to

    • test: return_to on verification flow

    • chore: refactor

  • Panic in recovery (#​3639) (c25ddff)

  • Pass context (#​3452) (c492bdc)

  • Properly normalize OIDC verified emails (#​3450) (703b910)

  • Redirect to verification URL even if login_challenge is set (#​3412) (cd9e6a0):

    Fixes https://github.com/ory/network/issues/320

  • Reduce db lookups in whoami for aal check (#​3372) (d814a48):

    Significantly improves performance by reducing the amount of queries we need to do when checking for the different AAL levels.

  • Registration code ui nodes group (#​3505) (6220184):

    • fix: registration code ui nodes group

    • style: format

  • Registration should accept hydra login (#​3592) (7a47827):

    • fix: registration should accept hydra login

    • fix: oauth2 registration flow with session

    • wip: registration oauth flow tests

    • wip: refactor oauth flows test

    • wip: refactor op_registration_test

    • wip: oauth provider registration test

    • wip: refactor oauth flows test

    • fix(test): oauth provider login

    • s


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
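The v1.1.0 release notes quoted above change the JSON output of list identities from a bare array to an object carrying identities and next_page_token, and move the CLI from positional page arguments to --page-size / --page-token. A jump from v0.13.0 straight to v1.2.0 therefore breaks any automation that treated that output as a plain list. The following is an added example, not code from this PR or from the Kratos project: a Python consumer that accepts both shapes and walks keyset pages until the token is empty, refusing to spin on a repeated token. The fetch_page callback signature, the fake page functions, and the sample identities are constructed for the example; real page tokens are opaque, and the offset-encoded fake token is only a stand-in.

```python
"""Walk every identity across the v1.1 keyset-pagination change (added example).

Only the two output shapes and the CLI flags come from the release notes; the
fetch_page callback, the fake pages and the identity IDs are constructed here.
"""
import json
from typing import Callable, Dict, Iterator, List, Optional, Tuple, Union

# One page as returned by `kratos list identities --format json`: either the
# pre-v1.1 bare array or the v1.1+ object with "identities"/"next_page_token".
Page = Union[List[dict], Dict[str, object]]
# fetch_page(page_size, page_token) -> Page; page_token is None for the first page.
FetchPage = Callable[[int, Optional[str]], Page]


def parse_page(payload: Page) -> Tuple[List[dict], Optional[str]]:
    """Normalise one page into (identities, next_page_token).

    Both shapes from the v1.1.0 notes are accepted so a consumer keeps working
    mid-upgrade; any other shape is rejected rather than read as an empty page.
    """
    if isinstance(payload, list):  # pre-v1.1: bare array, nothing more to fetch
        return payload, None
    if not isinstance(payload, dict) or "identities" not in payload:
        raise ValueError("unexpected list-identities payload shape")
    identities = payload["identities"]
    if not isinstance(identities, list):
        raise ValueError('"identities" must be an array')
    token = payload.get("next_page_token") or None  # "" or missing ends paging
    if token is not None and not isinstance(token, str):
        raise ValueError('"next_page_token" must be a string')
    return identities, token


def iter_identities(fetch_page: FetchPage, page_size: int = 100,
                    max_pages: int = 10_000) -> Iterator[dict]:
    """Yield every identity, following next_page_token until it is empty.

    The token is opaque to the caller. A repeated token or an unbounded number
    of pages raises instead of looping forever against the admin API.
    """
    token: Optional[str] = None
    seen = set()
    for _ in range(max_pages):
        identities, next_token = parse_page(fetch_page(page_size, token))
        yield from identities
        if next_token is None:
            return
        if next_token in seen:
            raise RuntimeError(f"pagination loop on token {next_token!r}")
        seen.add(next_token)
        token = next_token
    raise RuntimeError(f"gave up after {max_pages} pages")


def collect_ids(fetch_page: FetchPage, page_size: int = 100) -> List[str]:
    """All identity IDs in page order."""
    return [ident["id"] for ident in iter_identities(fetch_page, page_size)]


# --- Constructed sample data, not real Kratos output -----------------------
FAKE_IDENTITIES = [
    {"id": f"id-{n:03d}", "traits": {"email": f"user{n}@example.test"}}
    for n in range(7)
]


def fake_fetch_v1(page_size: int, page_token: Optional[str]) -> Page:
    """Stand-in for `kratos list identities --page-size N --page-token T`.
    Real tokens are opaque; this fake encodes an offset purely for the demo."""
    start = int(page_token) if page_token else 0
    end = start + page_size
    return {
        "identities": FAKE_IDENTITIES[start:end],
        "next_page_token": str(end) if end < len(FAKE_IDENTITIES) else "",
    }


def fake_fetch_v0(page_size: int, page_token: Optional[str]) -> Page:
    """Stand-in for the pre-v1.1 output: one bare array, no paging."""
    return FAKE_IDENTITIES


if __name__ == "__main__":
    print(collect_ids(fake_fetch_v1, page_size=3))
    # A captured JSON page goes through the same path:
    print(parse_page(json.loads('{"identities": [], "next_page_token": ""}')))
```

A real fetch_page would shell out to the kratos CLI with --page-size, --page-token and --format json (or call the admin API) and pass the decoded JSON to parse_page; the loop detection matters because a client that ignores next_page_token, or re-sends a stale one, can otherwise hammer the admin endpoint indefinitely.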

@Tymmmy Tymmmy merged commit 9ad8dd5 into main Aug 7, 2024
15 checks passed
@Tymmmy Tymmmy deleted the renovate-oryd-kratos-1.x branch August 7, 2024 07:36