| id | title |
|---|---|
milestones |
Milestones and Roadmap |
Something isn't working
New feature or request
- Selfservice account deletion (kratos#596)
- Implement Hydra integration (kratos#273)
Extra attention is needed
Good for newcomers
Affects session components
Affects identity components
Affects 2FA components
Affects the CLI
Affects the OpenID Connect Self Service Strategy
Affects the documentation
Affects verification components
Affects JSON Schema components
Affects the Password Self Service Strategy
Affects selfservice components
Affects the broadcast system
- Implement Hydra integration (kratos#273)
Something isn't working
- Sending JSON to complete oidc/password strategy flows causes CSRF issues (kratos#378)
- Unmable to use Auth0 as a generic OIDC provider (kratos#609)
- Password reset emails sent twice by each of the two kratos pods in my cluster (kratos#652)
New feature or request
- Implement Security Questions MFA (kratos#469)
- Feature request: adjustable thresholds on how many times a password has been in a breach according to haveibeenpwned (kratos#450)
- Do not send credentials to hooks (kratos#77) - @hackerman
- Implement immutable keyword in JSON Schema for Identity Traits (kratos#117)
- Add filters to admin api (kratos#249)
- Feature Request: Webhooks (kratos#271)
- Support email verification paswordless login (kratos#286)
- Support remote argon2 execution (kratos#357) - @hackerman
- Implement identity state and administrative deactivation, deletion of identities (kratos#598) - @hackerman
- SMTP Error spams the server logs (kratos#402)
- Gracefully handle CSRF errors (kratos#91) - @hackerman
- How to sign in with Twitter (kratos#517)
- Add ability to import user credentials (kratos#605) - @hackerman
- Throttling repeated login requests (kratos#654)
- Admin/Selfservice session management (kratos#655)
Extra attention is needed
- Document that identity information (traits, etc) are available to token holders and backend systems (kratos#43) - @hackerman
Good for newcomers
- SMTP Error spams the server logs (kratos#402)
Affects session components
Affects identity components
- Document that identity information (traits, etc) are available to token holders and backend systems (kratos#43) - @hackerman
- Implement immutable keyword in JSON Schema for Identity Traits (kratos#117)
Affects 2FA components
- Implement 2FA capabilities (kratos#26)
- Grace period for 2FA enrollment (kratos#143)
Affects the CLI
Affects the OpenID Connect Self Service Strategy
Affects the documentation
- Document that identity information (traits, etc) are available to token holders and backend systems (kratos#43) - @hackerman
- Config JSON Schema needs example values (kratos#179) - @hackerman
- Elaborate on security practices against DoS and Brute Force (kratos#134)
Affects verification components
Affects JSON Schema components
- Add caching to served JSON schemas (kratos#161)
Affects the Password Self Service Strategy
- Require recaptcha on suspicious login and signup (kratos#65) - @hackerman
- password validation: require Levenshtein distance between password and any other trait (kratos#232)
- Throttling repeated login requests (kratos#654)
Affects selfservice components
- Enforce password reset (kratos#35)
- Require recaptcha on suspicious login and signup (kratos#65) - @hackerman
- Implement immutable keyword in JSON Schema for Identity Traits (kratos#117)
- Feature Request: Webhooks (kratos#271)
- Gracefully handle CSRF errors (kratos#91) - @hackerman
Affects the broadcast system
- Ensure that login, registration and recovery do not leak identity information (Account Enumeration Attack) (kratos#133) - @hackerman
- Require recaptcha on suspicious login and signup (kratos#65) - @hackerman
- Do not send credentials to hooks (kratos#77) - @hackerman
- Implement Password Strength Meter API (kratos#136)
- Define anti-automation policies with CAPTCHA (kratos#138)
- Updating recovery address should require confirmation (kratos#141)
- Grace period for 2FA enrollment (kratos#143)
- Prevent account enumeration for profile updates (kratos#292)
- Elaborate on security practices against DoS and Brute Force (kratos#134)
- Prevent request scanning attacks (kratos#613)
- Throttling repeated login requests (kratos#654)
- Introduce prevent extension in Identity JSON schema (kratos#47)
- Fix broken schema tests (kratos#347) - @Patrik
- Feature Request: Webhooks (kratos#271)
This release focuses on Admin API capabilities
Something isn't working
- Logout does not use new cookie domain setting (kratos#645)
- Refresh Sessions Without Having to Log In Again (kratos#615) - @hackerman
- Generate a new UUID/token after every interaction (kratos#236) - @hackerman
- UNIQUE constraint failure when updating identities via Admin API (kratos#325) - @hackerman
- Can not update an identity using PUT /identities/{id} (kratos#435)
- Verification email is sent after password recovery (kratos#578) - @hackerman
- Do not return expired sessions in
/sessions/whoami(kratos#611) - @hackerman
New feature or request
- Implement JSON capabilities in ErrorHandler (kratos#61) - @hackerman
- Allow attaching credentials to identities in CRUD create (kratos#200)
- Move away from UUID-based challenges and responses (kratos#241) - @hackerman
- Add tests to prevent duplicate migration files (kratos#282) - @Patrik
- Session cookie (ory_kratos_session) expired time should be configurable (kratos#326) - @hackerman
- Can not update an identity using PUT /identities/{id} (kratos#435)
- Make session cookie 'domain' property configurable (kratos#516)
- Remove one of in-memory/on-disk SQLite e2e runners and replace with faster test (kratos#580) - @Andreas Bucksteeg
- Password similarity policy is too strict (kratos#581) - @Patrik
- Implement a test-error for implementing the Error UI (kratos#610)
Extra attention is needed
Good for newcomers
Affects session components
- Allow users to decide if they want to stay signed in on this device (kratos#42) - @hackerman
Affects identity components
- Implement administrative identity management (kratos#34)
- Allow attaching credentials to identities in CRUD create (kratos#200)
Affects 2FA components
Affects the CLI
Affects the OpenID Connect Self Service Strategy
- Allow users to decide if they want to stay signed in on this device (kratos#42) - @hackerman
Affects the documentation
- Document multi-tenant set up (kratos#370)
Affects verification components
Affects JSON Schema components
Affects the Password Self Service Strategy
- Support JSON body in registration (kratos#44) - @hackerman
- Allow users to decide if they want to stay signed in on this device (kratos#42) - @hackerman
Affects selfservice components
- Implement JSON capabilities in ErrorHandler (kratos#61) - @hackerman
Affects the broadcast system
- Require CSRF Token for logout (kratos#142)
- Generate a new UUID/token after every interaction (kratos#236) - @hackerman
- Move away from UUID-based challenges and responses (kratos#241) - @hackerman
- Rename login/registration/recovery/... request to flow (kratos#635) - @hackerman
- Add tests to prevent duplicate migration files (kratos#282) - @Patrik
- Remove one of in-memory/on-disk SQLite e2e runners and replace with faster test (kratos#580) - @Andreas Bucksteeg
- Investigate what happens when recovery/verified email are removed from traits (kratos#576) - @hackerman
- initializeSelfServiceBrowserLoginFlow: Request Header Fields Too Large (kratos#599)
Something isn't working
- Investigate flaky tests (kratos#577) - @hackerman
New feature or request
- SelfService/HTMLForm: array types are rendered very primitive from jsonschema (kratos#239)
- LDAP authentication (kratos#274)
- SAML authentication (kratos#275)
- Confirm verified address changes by the initial holder (kratos#306)
- Missing password omits other validation errors during sign up (kratos#368)
- Required fields aren't actually required (kratos#400) - @Patrik
- Kerberos authentication (kratos#418)
- Auto-register OAuth2 Clients for popular services (kratos#24)
- Courier messages polling the database (kratos#466)
- Support deploying HTTPS and auto-certs with certbot (kratos#529)
- Support Discord as OIDC Provider (kratos#533)
- Support GitLab as OIDC Provider (kratos#518)
- Send invite links directly via email (kratos#595)
- If credentials can be unlinked, prevent unliking of the last credential (kratos#119)
- Improve JSON Schema Validation Errors (kratos#413)
- Add the config schema to schemastore.org (kratos#590)
Extra attention is needed
- Missing password omits other validation errors during sign up (kratos#368)
- Testing Jsonnet snippets (kratos#391)
- Add versioning to identity models (kratos#396)
- Keep track of Access and Refresh Tokens from OIDC flows (kratos#397)
- Support deploying HTTPS and auto-certs with certbot (kratos#529)
- docs: add config excerpts with file names to quickstart guide (kratos#344)
- Improve JSON Schema Validation Errors (kratos#413)
- Document
refresh=truefor login endpoint (kratos#464)
Good for newcomers
Affects session components
Affects identity components
Affects 2FA components
Affects the CLI
- Testing Jsonnet snippets (kratos#391)
Affects the OpenID Connect Self Service Strategy
- Testing Jsonnet snippets (kratos#391)
- Auto-register OAuth2 Clients for popular services (kratos#24)
Affects the documentation
- Clarify request sequence for client-side apps (kratos#487) - @hackerman
- REST Api document is not expected (kratos#560)
- Document identity hooks (kratos#31)
- docs: add config excerpts with file names to quickstart guide (kratos#344)
- Document
refresh=truefor login endpoint (kratos#464)
Affects verification components
Affects JSON Schema components
- Implement JSON Schema Caching (kratos#28) - @hackerman
Affects the Password Self Service Strategy
Affects selfservice components
- Implement RPC After Hook (kratos#30)
- If credentials can be unlinked, prevent unliking of the last credential (kratos#119)
Affects the broadcast system
- Implement Broadcasting (kratos#33)
- Require re-authentication when modifying sensitive traits via the Admin API (kratos#537)
- Evaluate replacing GJSON/SJSON syntax with JSON Pointer (kratos#181)
- Consider switching to okon to search HIBP database (kratos#301)
- SelfService/HTMLForm: array types are rendered very primitive from jsonschema (kratos#239)
- Testing Jsonnet snippets (kratos#391)
- Add versioning to identity models (kratos#396)
- Keep track of Access and Refresh Tokens from OIDC flows (kratos#397)
- Make the session cookie name configurable (kratos#268)
- docs: add config excerpts with file names to quickstart guide (kratos#344)
- Improve JSON Schema Validation Errors (kratos#413)
- Add the config schema to schemastore.org (kratos#590)
- Investigate flaky tests (kratos#577) - @hackerman