Releases: logto-io/logto
v1.18.0
Note
Our public roadmap has come back. Upvote the features you need and feel free to leave comments!
Compliance
We are SOC 2 Type I compliant, officially! 🎉 A Type II audit is on the horizon.
Just-in-Time provisioning for organizations
This feature allows users to automatically join the organization and be assigned roles upon their first sign-in through some authentication methods. You can set requirements to meet for Just-in-Time provisioning.
To use this feature, head to the organization settings and find the "Just-in-Time provisioning" section. Management APIs are also available to configure this feature via routes under `/api/organizations/{id}/jit`. To learn more, see Just-in-Time provisioning.
Email domains
New users will automatically join organizations with Just-in-Time provisioning if they:
- Sign up with verified email addresses, or;
- Use social sign-in with verified email addresses.
This applies to organizations that have the same email domain configured.
To enable this feature, you can add email domain via the Management API or the Logto Console:
- We added the following new endpoints to the Management API:
GET /organizations/{organizationId}/jit/email-domains
POST /organizations/{organizationId}/jit/email-domains
PUT /organizations/{organizationId}/jit/email-domains
DELETE /organizations/{organizationId}/jit/email-domains/{emailDomain}
- In the Logto Console, you can manage email domains in the organization details page -> "Just-in-Time provisioning" section.
SSO connectors
New or existing users signing in through enterprise SSO for the first time will automatically join organizations that have Just-in-Time provisioning configured for the SSO connector.
To enable this feature, you can add SSO connectors via the Management API or the Logto Console:
- We added the following new endpoints to the Management API:
GET /organizations/{organizationId}/jit/sso-connectors
POST /organizations/{organizationId}/jit/sso-connectors
PUT /organizations/{organizationId}/jit/sso-connectors
DELETE /organizations/{organizationId}/jit/sso-connectors/{ssoConnectorId}
- In the Logto Console, you can manage SSO connectors in the organization details page -> "Just-in-Time provisioning" section.
Default organization roles
You can also configure the default roles for users provisioned via this feature. The default roles will be assigned to the user when they are provisioned.
To enable this feature, you can set the default roles via the Management API or the Logto Console:
- We added the following new endpoints to the Management API:
GET /organizations/{organizationId}/jit/roles
POST /organizations/{organizationId}/jit/roles
PUT /organizations/{organizationId}/jit/roles
DELETE /organizations/{organizationId}/jit/roles/{organizationRoleId}
- In the Logto Console, you can manage default roles in the organization details page -> "Just-in-Time provisioning" section.
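The three Just-in-Time rules above (verified email domains, SSO connectors, default roles) as one provisioning decision, written as an added example for this page rather than code from the Logto project; the organization settings, the event shape and the `jit_provision` / `email_domain` names are constructed for the demo. It goes slightly beyond the text by showing why the domain must match exactly rather than as a suffix:

```python
# Constructed organization JIT settings, mirroring what the Console's
# "Just-in-Time provisioning" section and the /jit/* endpoints configure.
ORGANIZATIONS = {
    "acme": {"emailDomains": {"acme.com"}, "ssoConnectors": {"okta-acme"}, "roles": {"member"}},
    "beta": {"emailDomains": {"beta.io"}, "ssoConnectors": set(), "roles": set()},
}


def email_domain(email):
    """Exact domain after the last '@', lower-cased; None for anything malformed.
    Matching the whole domain (never a suffix) keeps 'acme.com.attacker.net' out."""
    local, at, domain = (email or "").rpartition("@")
    return domain.lower() if at and local and domain else None


def jit_provision(event, organizations=ORGANIZATIONS):
    """event is a constructed first-sign-in record:
    {"method": "email" | "social" | "sso", "email", "emailVerified", "ssoConnectorId"}.
    Returns {organization_id: default_roles} for every organization the user joins."""
    joined = {}
    method = event.get("method")
    for org_id, jit in organizations.items():
        if method in ("email", "social"):
            # Only a verified address counts, for both sign-up and social sign-in.
            matched = bool(event.get("emailVerified")) and \
                email_domain(event.get("email")) in jit["emailDomains"]
        elif method == "sso":
            # Enterprise SSO: membership follows the connector, not the address.
            matched = event.get("ssoConnectorId") in jit["ssoConnectors"]
        else:
            matched = False
        if matched:
            joined[org_id] = set(jit["roles"])  # default roles, possibly none
    return joined
```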
Machine-to-machine apps for organizations
This feature allows machine-to-machine apps to be associated with organizations and assigned organization roles.
OpenID Connect grant
The `client_credentials` grant type is now supported for organizations. You can use this grant type to obtain an access token for an organization.
Console updates
- Add a new "machine-to-machine" type to organization roles. All existing roles are now "user" type.
- You can manage machine-to-machine apps in the organization details page -> Machine-to-machine apps section.
- You can view the associated organizations in the machine-to-machine app details page.
Management API updates
A set of new endpoints are added to the Management API:
- `/api/organizations/{id}/applications` to manage machine-to-machine apps.
- `/api/organizations/{id}/applications/{applicationId}` to manage a specific machine-to-machine app in an organization.
- `/api/applications/{id}/organizations` to view the associated organizations of a machine-to-machine app.
Swagger (OpenAPI) improvements
Note
Shout out to @mostafa for bringing these amazing improvements to Logto!
Build `operationId` for Management API in OpenAPI response
As per the specification: `operationId` is an optional unique string used to identify an operation. If provided, these IDs must be unique among all operations described in your API.
This greatly simplifies the creation of client SDKs in different languages, because it generates more meaningful function names instead of auto-generated ones, like the following examples:
- org, _, err := s.Client.OrganizationsAPI.ApiOrganizationsIdGet(ctx, req.GetId()).Execute()
+ org, _, err := s.Client.OrganizationsAPI.GetOrganization(ctx, req.GetId()).Execute()
- users, _, err := s.Client.OrganizationsAPI.ApiOrganizationsIdUsersGet(ctx, req.GetId()).Execute()
+ users, _, err := s.Client.OrganizationsAPI.ListOrganizationUsers(ctx, req.GetId()).Execute()
Fixed OpenAPI schema returned by the `GET /api/swagger.json` endpoint
- The `:` character is invalid in parameter names, such as `organizationId:root`. These characters have been replaced with `-`.
- The `tenantId` parameter of the `/api/.well-known/endpoints/{tenantId}` route was missing from the generated OpenAPI spec document, resulting in validation errors. This has been fixed.
Backchannel logout support
We've enabled the support of OpenID Connect Back-Channel Logout 1.0.
To register for backchannel logout, navigate to the application details page in the Logto Console and locate the "Backchannel logout" section. Enter the backchannel logout URL of your RP and click "Save".
You can also enable session requirements for backchannel logout. When enabled, Logto will include the `sid` claim in the logout token.
For programmatic registration, you can set the `backchannelLogoutUri` and `backchannelLogoutSessionRequired` properties in the application `oidcClientMetadata` object.
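What the RP behind that backchannel logout URL has to do with the logout token, as an added example (not Logto's code): validate the token per OpenID Connect Back-Channel Logout 1.0 (signature, `iss`, `aud`, `iat`, the `events` claim, no `nonce`, `sid` or `sub` present) and only then terminate sessions, by `sid` when the session requirement above put one in the token and otherwise by `sub`. The signature step uses HS256 with a constructed shared key so the demo runs offline; a real OP signs with its published asymmetric key, and the session store shape is assumed.

```python
import base64
import hashlib
import hmac
import json
import time

# Event URI every Back-Channel Logout token must carry in its "events" claim.
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_logout_token(claims, key):
    """Demo signer standing in for the OP (assumption: HS256 with a shared key)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_logout_token(token, key, issuer, client_id, now=None, max_age=300):
    """Return the claims when every check passes, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    claims = json.loads(_unb64url(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("wrong audience")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or abs((now or time.time()) - iat) > max_age:
        raise ValueError("iat missing or outside the acceptable window")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        raise ValueError("not a logout token")
    if "nonce" in claims:
        raise ValueError("nonce is prohibited in logout tokens")
    if not claims.get("sid") and not claims.get("sub"):
        raise ValueError("sid or sub is required")
    return claims


def is_valid_logout_token(token, key, issuer, client_id, now=None):
    try:
        validate_logout_token(token, key, issuer, client_id, now)
        return True
    except ValueError:
        return False


def handle_backchannel_logout(token, key, issuer, client_id, sessions, now=None):
    """sessions maps sid -> {"sub": ...} (assumed store). Returns the sids ended."""
    claims = validate_logout_token(token, key, issuer, client_id, now)
    if claims.get("sid"):
        ended = [claims["sid"]] if claims["sid"] in sessions else []
    else:  # no sid (session requirement off): end every session of that subject
        ended = [sid for sid, s in sessions.items() if s["sub"] == claims["sub"]]
    for sid in ended:
        del sessions[sid]
    return ended
```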
Sign-in experience
Support Google One Tap
Once you have added Google as a social connector, you can enable Google One Tap to provide a smoother sign-in experience for your users with Google accounts.
Head to the Google connector settings in the Logto Console and switch on the "Google One Tap" option.
To learn more about Google One Tap, see Enable Google One Tap.
Allow skipping manual account linking during sign-in
You can find this configuration in Console -> Sign-in experience -> Sign-up and sign-in -> Social sign-in -> Automatic account linking.
When switched on, if a user signs in with a social identity that is new to the system, and there is exactly one existing account with the same identifier (e.g., email), Logto will automatically link the account with the social identity instead of prompting the user for account linking.
Agree to terms policies for sign-in experience
We've added a new configuration to allow you to set the terms of service agreement policy for sign-in experience:
- Automatic: Users automatically agree to terms by continuing to use the service.
- ManualRegistrationOnly: Users must agree to terms by checking a box during registration, and don't need to agree when signing in.
- Manual: Users must agree to terms by checking a box during registration or signing in.
Console improvements
- Added Ruby and Chrome extension guide.
- Display OIDC issuer endpoint in the application details form.
- Application guides have been reorganized to provide a better developer experience.
- Now you can view and update the user's `profile` property in the user settings page.
- Improved machine-to-machine application integration user experience.
- Fixed a regression bug that error toasts pop up in audit log when logs are associated with deleted applications.
Other improvements
- Added `hasPassword` to custom JWT user context.
- Connector: Google and Azure AD connectors now support custom `prompt`.
- Support per-organization multi-factor authentication requirement:
  - An organization can now require its members to have multi-factor authentication (MFA) configured. If an organization has this requirement and a member does not have MFA configured, the member will not be able to fetch the organization access token.
- A dev panel is available after you sign in to the live preview.
- Pagination is now optional for `GET /api/organizations/{id}/users/{userId}/roles`. If you don't provide the `page` and `limit` query parameters, the API will return all roles.
- Added user detail data payload to the `User.Deleted` webhook event.
v1.17.0
Note
The US region is now available in Logto Cloud.
New webhook events
We are introducing a series of new webhook events triggered by data updates, mostly through the Management API, which are useful for various automation scenarios. These include user events, role events, organization events, etc. For the full list of events, please see Webhook events.
To improve clarity, the Console now displays the raw event key instead of the translated text for webhooks. For example, "Create new account" is now displayed as "PostRegister".
User default roles
You can now set default roles for users by visiting the role details page, clicking on the "General" tab, and then enabling the "Default role" switch. Once activated, all new users will automatically be assigned all the default roles upon account creation.
This enables you to configure Logto apps with resources and scopes associated with a default role, ensuring new users receive the necessary scopes right after registration.
Note
All existing users will not be affected.
Improvements
- #5915 Added DingTalk web connector (credit @anyidea).
- #5908 A pre-configured role with Management API access will be created when seeding the database.
- #5955 Added `sso_identities` ID token claim to the userinfo endpoint response. It is an array of objects that stores the current user's SSO identities.
  - To request this claim, you can use the `identities` scope which is shared with social identities.
- #5950 In OSS, show the current version number in the top right corner.
- Improved error handling and deleted item display on Console.
- Show global loading state on page redirects to prevent user interactions.
- Updated documentation reference links.
Fixes
v1.16.0
Custom JWT
JWT access tokens can now be customized with additional claims using custom JavaScript code snippets. This feature is useful when you need to include custom data in the token for compatibility with other systems.
To use this feature, navigate to the "Custom JWT" tab in the Console. Both user and machine-to-machine (M2M) tokens can be customized.
Before deploying the changes, you can use the "Run test" button to see how the token will look with the custom claims.
See 🎫 Custom JWT claims for more information.
Warning
In the open-source version, the code for custom JWT will run in the same environment as the rest of the Logto code. Be careful when adding custom code to the JWT, as it can introduce security vulnerabilities.
API resources for organization roles
You can now assign permissions (scopes) from the API resources to organization roles. Like other permissions in the organization template, these permissions are organization-level, meaning that they only apply to a specific organization.
Let's see an example:
- There is an API resource called `https://shopping.api/`.
- The API resource has two scopes: `read` and `write`.
- There are two organization roles: `admin` and `user`.
- The `admin` role has both `read` and `write` scopes; the `user` role has only the `read` scope.
- A user Alice is assigned the `admin` role in the organization `foo`, and the `user` role in the organization `bar`.
When Alice tries to exchange an organization token for the `https://shopping.api/` resource, she will receive a token with scopes based on which organization she is requesting the token for.
For the `foo` organization, Alice will receive a token with both `read` and `write` scopes. For the `bar` organization, she will receive a token with only the `read` scope.
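The Alice example above carried through as an added example (not Logto's implementation): the organization token's scopes for a resource are the union of the scopes of the user's roles in that one organization, narrowed to what was requested, and a user with no role in the organization gets no token at all (the Fixes section below notes Logto answers 403 in that case). Data and function names are constructed.

```python
# Constructed data mirroring the example above: one API resource with two
# scopes, two organization roles, and Alice's roles in two organizations.
API_RESOURCE = "https://shopping.api/"
ORGANIZATION_ROLE_SCOPES = {
    "admin": {(API_RESOURCE, "read"), (API_RESOURCE, "write")},
    "user": {(API_RESOURCE, "read")},
}
USER_ORGANIZATION_ROLES = {"alice": {"foo": {"admin"}, "bar": {"user"}}}


def is_member(user, organization):
    """A token for an organization is only issuable to one of its members."""
    return organization in USER_ORGANIZATION_ROLES.get(user, {})


def organization_token_scopes(user, organization, resource, requested=None):
    """Scopes an organization token for `resource` carries for `user` in
    `organization`: the union of that organization's role scopes for the
    resource, narrowed to the requested scopes when the client lists any.
    Roles held in other organizations never leak into this token."""
    if not is_member(user, organization):
        raise PermissionError(f"{user} has no role in {organization}")
    roles = USER_ORGANIZATION_ROLES[user][organization]
    granted = {scope for role in roles
               for res, scope in ORGANIZATION_ROLE_SCOPES.get(role, ())
               if res == resource}
    if requested is not None:
        granted &= set(requested)  # never grant more than was asked for
    return granted
```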
See 🏢 Organizations (Multi-tenancy) for a comprehensive introduction to organizations.
Third-party app permissions
Organizational API resources can also be used when configuring permissions for third-party apps. Users will be prompted to select an organization when configuring permissions for a third-party app.
Organization custom data
Now you can save additional data associated with the organization with the organization-level `customData` field by:
- Editing in the Console organization details page.
- Specifying the `customData` field when using organization Management APIs.
Connectors
- Added Hugging Face connector.
- GitHub connector now has `user:email` as part of the default scope to fetch the GitHub account's private email address list.
  - It now picks the verified primary email among the private email address list as a fallback if the user does not set a public email for the GitHub account.
- Removed the plus sign in front of the phone number in the feishu connector (#5801). Credit @kamto7.
Improvements
- Added support for Redis Cluster and extra TLS options for Redis connections (#5619). Credit @alekitto.
- OIDC and OAuth 2 connectors now support `client_secret_basic` and `client_secret_jwt` client authentication methods for the token endpoint.
- When a user is deleted or suspended through Management API, they will be signed out in Logto and their sessions will be invalidated immediately.
- Support comma separated `resource` parameter as some libraries do not support array of resources.
- Added an API to fetch user organization scopes based on user organization roles (`GET /api/organizations/:id/users/:userId/scopes`).
- Added Java Spring Boot web integration guide.
- Added `zh-cn` phrases in OIDC consent page (#5606). Credit @the-pawn-2017.
Fixes
- Organization invitation APIs should handle invitee emails case insensitively.
- Management API will not return 500 in production for status codes that are not listed in the OpenAPI spec.
- Return 403 instead of 400 when Logto tries to grant an access token to a user lacking the required permissions, especially when granting for organization related resources.
- Fixed the wrong social sign-in callback that posts to the native container (e.g. WKWebView in iOS).
- Fixed the new user from SSO register hook event not triggering bug.
- Fixed a bug that API resource indicator does not work if the indicator is not followed by a trailing slash or a pathname.
v1.15.0
Direct sign-in
You can now directly invoke a sign-in method by skipping the first screen. This is useful when you have a direct link to a sign-in method, for instance, when you have a "Sign in with Google" button on your website.
To use this feature, you need to pass the `direct_sign_in` parameter to the authentication request. It supports the following methods:
- A social connector
- An enterprise SSO connector
To learn more, see the Direct sign-in documentation.
First screen parameter
Sign-in experience can be initiated with a specific screen by setting the `first_screen` parameter in the OIDC authentication request. This parameter is intended to replace the `interaction_mode` parameter, which is now deprecated.
See the First screen documentation for more information.
Full OpenID Connect standard claims support
We have added support for the remaining OpenID Connect standard claims. Now, these claims are accessible in both ID tokens and the response from the `/me` endpoint.
Additionally, we adhere to the standard scopes - claims mapping. This means that you can retrieve most of the profile claims using the `profile` scope, and the `address` claim can be obtained by using the `address` scope.
For all newly introduced claims, we store them in the `user.profile` field.
Note
Unlike other database fields (e.g. `name`), the claims stored in the `profile` field will fall back to `undefined` rather than `null`. We refrain from using `?? null` here to reduce the size of ID tokens, since `undefined` fields will be stripped in tokens.
Social data
In addition to the claims that Logto recognizes, all social connectors now also store the raw data returned by the social provider in the `rawData` field.
To access this data in a user object, you can use the `user.identities.[idp-name].details.rawData` field.
Lazy password migration
When migrating users from a legacy system to Logto, you can now use the `passwordAlgorithm` and `passwordDigest` fields in the `POST /users` API to store the user's original password hash.
Currently supported algorithms are:
- Bcrypt
- MD5
- SHA1
- SHA256
- Argon2i
When the user logs in, Logto will use the provided algorithm and digest to verify the password; if the verification succeeds, Logto will automatically migrate the password to the new Argon2 hash.
See API reference for more information.
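The verify-then-rehash step described above, as an added example of the lazy migration pattern rather than Logto's own code. It handles the unsalted legacy digests (MD5, SHA1, SHA256, assumed to be hex-encoded) with a constant-time compare, and on the first successful sign-in replaces them with a salted hash and drops the weak digest for good. Bcrypt and Argon2i verification need third-party libraries and are left out, and salted scrypt stands in for Argon2 on the new-hash side because Argon2 is not in the Python standard library; the `migratedHash` field and the `make_legacy_user` helper are constructed for the demo.

```python
import hashlib
import hmac
import os

# Legacy algorithms the demo can verify; digest encoding (hex) is an assumption.
LEGACY_ALGORITHMS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def make_legacy_user(algorithm, password):
    """Constructed record as it would be imported through POST /users."""
    digest = hashlib.new(LEGACY_ALGORITHMS[algorithm], password.encode()).hexdigest()
    return {"passwordAlgorithm": algorithm, "passwordDigest": digest}


def _legacy_matches(algorithm, digest, password):
    name = LEGACY_ALGORITHMS.get(algorithm)
    if name is None:
        raise NotImplementedError(f"{algorithm} verification is not part of this demo")
    candidate = hashlib.new(name, password.encode()).hexdigest()
    # Constant-time compare: the digest is unsalted, so leak nothing else about it.
    return hmac.compare_digest(candidate.lower(), digest.lower())


def _new_hash(password, salt=None):
    """Stand-in for Argon2 (assumption): salted scrypt, self-describing encoding."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return "scrypt$" + salt.hex() + "$" + key.hex()


def _new_matches(encoded, password):
    _, salt_hex, _ = encoded.split("$")
    return hmac.compare_digest(_new_hash(password, bytes.fromhex(salt_hex)), encoded)


def verify_and_migrate(user, password):
    """Return True when the password is correct. Users already migrated are
    checked against the new hash only; legacy users are checked against the
    imported digest and, on success, rewritten so the legacy digest is gone."""
    if user.get("migratedHash"):
        return _new_matches(user["migratedHash"], password)
    if not _legacy_matches(user["passwordAlgorithm"], user["passwordDigest"], password):
        return False
    user["migratedHash"] = _new_hash(password)
    del user["passwordAlgorithm"]
    del user["passwordDigest"]
    return True
```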
Improvements
- Support `avatar` and `customData` fields in the `POST /users` API.
- Support signing key rotation in Logto OSS Console.
- Carry over search params to the authentication request in the live preview (demo app).
  - When entering the Logto demo app with search parameters, if the user is not authenticated, the search parameters are now carried over to the authentication request. This allows manual testing of the OIDC authentication flow with specific parameters.
- `GET /organization-roles` can now be called with the `q` query parameter to filter the results by the role id, name, or description.
Fixes
- Console: Fixed issues in the Microsoft social connector integration guide.
- Console: To create a new API resource, the indicator must be a valid absolute URI.
- Experience: Resolved third-party app's `/interaction/consent` endpoint 500 error.
- Experience: Skip non-object messages in the native environment. This fixes an issue in the `WKWebView` of new iOS versions.
Development
- `@logto/connector-kit`: [BREAKING] update `SocialUserInfo` and `GetUserInfo` types
- `@logto/connector-kit`: [BREAKING] guard results of `parseJson` and `parseJsonObject`
v1.14.0
New features
- Support form post callback for social connectors
- Add the POST /callback/:connectorId endpoint to handle the form post callback for social connectors. This is useful for the connectors that require a form post callback to complete the authentication process, such as Apple.
- SMTP connector: Always show TLS configurations in Logto Console
- Apple connector: Support `scope` parameter
  - Now you can request email and name during Sign in with Apple
v1.13.1
Console application guides
- Add Angular, Nuxt, SvelteKit, Expo (React Native) guides
- Update Next.js guide
v1.13.0
Logto as an OpenID Connect identity provider
From now on, you can use Logto as a third-party OpenID Connect identity provider by creating an OIDC third-party app during the application creation process.
This enables you to configure the permissions that the app requests and the branding for each third party app. When users sign in via this app, it will prompt for user consent:
This feature is useful for multiple scenarios, such as integrating third party services with Logto for in-house identity management, providing an open platform for developers creating third party apps, etc. See 🌐 Logto as an Identity Provider (IdP) to learn more.
Guides
Added .NET Core Blazor WebAssembly and Blazor Server app guides.
Misc.
- Upgrade TypeScript to 5.3.3.
- Use Node v20 LTS. We mark it as minor because Logto is shipping with Docker image and it's not a breaking change for users.
For detailed changelog, see this pull request.
v1.12.0
Tip
Logto is an open-source Auth0 alternative designed for modern apps and SaaS products.
Logto Organizations (Multi-tenancy)
The term "organization" is also used in other forms, such as "workspace", "team", "company", etc. In Logto, we use "organization" as the generic term to represent the concept of multi-tenancy.
From now, you can create multiple organizations in Logto, each of which can have its own users, while in the same identity pool.
Plus, we also introduce the concept of "organization template". It is a set of permissions and roles that applies to all organizations, while a user can have different roles in different organizations.
We believe this is extremely useful for SaaS products with collaboration features (we love collaboration!). For more information, see 🏢 Organizations (Multi-tenancy).
Enterprise SSO (single sign-on)
Enterprise SSO is designed to support any SAML and OIDC connection, offering the simplest configuration and powered by Logto.
It automatically recognizes all registered domains in the sign-in experience and redirects users to the correct identity provider for authentication. Meanwhile, you can focus on enhancing other aspects of your product without modifying a single line of code.
In this release, we have the following built-in enterprise connectors:
- Google Workspace
- Microsoft Entra ID (formerly Azure AD)
- Okta
To learn more about Enterprise SSO, see ☁️ Enterprise SSO (SAML & OIDC).
Improvements
- Bump `libphonenumber-js` to v1.10.51 to support Chinese phone numbers starting with 19. Credit @agileago.
- Add user IP to webhook event payload.
- The response from /api/swagger.json now includes a summary and description for each API. We will gradually add more helpful information.
Note
Multi-factor authentication (MFA) was released in v1.11.0.
v1.11.0
Multi-factor authentication (MFA)
Now you can activate MFA with just one click and take control of the user security. We've made it easy to customize the sign-in experience with these methods:
- Authenticator app OTP: users can add any authenticator app that supports the TOTP standard, such as Google Authenticator, Duo, etc.
- WebAuthn (Passkey): users can use the standard WebAuthn protocol to register a hardware security key, such as biometric keys, Yubikey, etc.
- Backup codes: users can generate a set of backup codes to use when they don't have access to other MFA methods.
For a smooth transition, you can also configure the MFA policy to either require MFA for the sign-in experience or allow users to opt in to MFA.
Check out our One-click MFA integration blog post to learn more.
Work in progress
Organizations and enterprise Single Sign-On (SSO) functionalities are on the horizon. With Logto, creating multi-tenancy applications and becoming enterprise-ready will not be a business blocker anymore.
v1.10.1
Fixes
fix 500 error when using search component in console to filter both roles and applications