Table of Contents
- Unreleased (2020-08-10)
- 0.4.0-alpha.1 (2020-07-08)
- 0.3.0-alpha.1 (2020-05-15)
- 0.2.0-alpha.2 (2020-05-04)
- 0.1.0-alpha.6 (2020-02-16)
- 0.1.0-alpha.5 (2020-02-06)
- 0.1.0-alpha.4 (2020-02-06)
- 0.1.0-alpha.3 (2020-02-06)
- 0.1.0-alpha.2 (2020-02-03)
- 0.1.0-alpha.1 (2020-01-31)
- Documentation
- 0.0.3-alpha.15 (2020-01-31)
- 0.0.3-alpha.14 (2020-01-31)
- 0.0.3-alpha.13 (2020-01-31)
- 0.0.3-alpha.11 (2020-01-31)
- 0.0.3-alpha.10 (2020-01-31)
- 0.0.3-alpha.7 (2020-01-30)
- 0.0.3-alpha.5 (2020-01-30)
- 0.0.3-alpha.4 (2020-01-30)
- 0.0.3-alpha.2 (2020-01-30)
- 0.0.3-alpha.1 (2020-01-30)
- 0.0.1-alpha.9 (2020-01-29)
- 0.0.2-alpha.1 (2020-01-29)
- 0.0.1-alpha.6 (2020-01-29)
- 0.0.1-alpha.5 (2020-01-29)
- 0.0.1-alpha.3 (2020-01-28)
- 0.0.1-alpha.2 (2020-01-28)
- 0.0.1-alpha.1 (2020-01-28)
Unreleased (2020-08-10)
-
Don't resend verification emails once verified (#583) (a4d9969), closes #578
-
Fallback to default return url if logout after url is not defined (#594) (7edd367)
-
Improve makefile dependency building (8e1d69a)
-
Improve pagination when listing identities (c60bf44)
-
Recursive loop on network errors in password validator (#589) (b4d5a42), closes #316:
The old code no error when ignoreNetworkErrors was set to true, but did not set a hash result which caused an infinite loop.
-
Resolve cookie issues (6e2b6d2)
-
Resolve flaky passwort setting tests (#582) (c42d936), closes #581 #577
-
Resolve identity admin api issues (#586) (feef8a7), closes #435 #500:
This patch resolves several issues that occurred when creating or updating identities using the Admin API. Now, all hooks are running properly and updating privileged properties no longer causes errors.
-
Resolve interface type issues (064b305)
-
Resolve panic when DSN="memory" (#574) (05e55f3):
Executing the migration logic in registry.go cause a panic as the registry is not initalized at that point. Therefore we decided to move the handling to driver_default.go, after the registry has been initialized.
-
Resolves a bug that prevents sessions from expiring (#612) (86b281a), closes #611
-
Use params per_page and page for pagination (5dfb6e3)
-
Use relative threshold to judge longest common substring in password policy (#585) (3e9f8cc), closes #581
-
Add administrative user management guide (b97e0c6)
-
Add documentation for configuring cookies (e3dbc8a), closes #516
-
Add guide for dealing with login sessions (4e2718c)
-
Add identity state (fb4aedb)
-
Add login session to navbar (b212d64)
-
Add pagination docs (7fe0901)
-
Add secret key rotation guide (3d6e21a)
-
Add terminology section (29b81a7)
-
Added sidebar item (#639) (8574761):
Added Kratos Video Tutorial Transcripts document to sidebar.
-
Added transcript (#627) (cec7f1f):
Added Login with Github Transcript
-
Changed transcript location (#642) (c52764d):
Changed the location so it is in the right place.
-
Clarify kratos config snippet (e7732f3)
-
Fixed link (c2aebbd)
-
Fixed typos/readability (#620) (7fd3ce0):
Fixed a few typos, and moved some sentences around to improve readability.
-
Move to json sidebar (504af3b)
-
Rename self service and add admin section (639c424)
-
Resolve typo in message IDs (562cfc4)
-
Add ability to configure session cookie domain/path (faeb332), closes #516
-
Add nocache helpers (54dcc4d)
-
Add pagination tests (e3aa81b)
-
Add session token security definition (d36c26f):
Adds the new Session Token as a Swagger security definition to allow setting the session token as a Bearer token when calling
/sessions/whoami
. -
Add tests and helpers to test recovery/verifiable addresses (#579) (29979e6), closes #576
-
Add the already declared (and settable) tracer as a middleware (#614) (e24fffe)
-
Implement administrative account recovery (f5f9c43)
-
Reply with cache-control: 0 for browser-facing APIs (1a45b53), closes #360
- Add handler update tests (aea1fb8), closes #325
- Add test for no-cache on public router (b8aa63b)
- Replace e2e-memory with unit test (52bd839), closes #580
- Configuraiton value
session.cookie_same_site
has moved tosession.cookie.same_site
. There was no functional change.
0.4.6-alpha.1 (2020-07-13)
- Use proper binary name in dockerfile (d36bbb0)
0.4.5-alpha.1 (2020-07-13)
- Ensure default_browser_return_url for flows is configured in after (#570) (cf9753c), closes #569
- Require selfservice.default_browser_return_url to be set in config (#571) (af2af7d)
0.4.4-alpha.1 (2020-07-10)
- Add description for subkeys of serve (#562) (deae005)
- Add section about password expiry (19c2414)
- Specify the use of secrets (#565) (7680450)
- Update upgrade guide (a40b1ec)
0.4.3-alpha.1 (2020-07-08)
0.4.2-alpha.1 (2020-07-08)
- Ignore pkged generated files (1d385e4)
0.4.0-alpha.1 (2020-07-08)
-
Account recovery can't use recovery token (#526) (379f24e), closes #525
-
Add and document recovery to quickstart (c229c54)
-
Add pkger to docker builds (d3ef5a0)
-
Allow linking oidc credentials without existing oidc connection (#548) (39c1234), closes #532
-
Clear error messages after updating settings successfully (#421) (7eec388), closes #420
-
Document login refresh parameter in swagger (#482) (6b94993)
-
Enable recovery for quickstart (0ccc651)
-
Improvements to Dockerfiles (#552) (6023877):
- expose ory home as volume to simplify passing in own config file
- declare Kratos default ports in Dockerfile
-
Initialize verification request with correct state (3264ecf), closes #543
-
Re-add redirect targets for quickstart (3c48ad2)
-
Reduce docker bloat by ignoring docs and others (ecc555b)
-
Resolve broken redirect in verify flow (a9ca8fd), closes #436
-
Respect multiple secrets and fix used flag (#526) (b16c2b8), closes #525
-
Respect self-service enabled flag (#470) (b198faf), closes #417:
Respects the
enabled
flag for self-service strategies.Also a new testhelper function was needed, to defer route registration (because whether strategies are enabled or not is determined only once: at route registration)
-
Typo accent -> account (984d978)
-
Improve and simplify configuration (#536) (8e7f9f5), closes #432
-
Move schema packing to pkger (173f9d2)
-
Move verify fallback to verification (1ce6469)
-
Rename identity traits schema to identity schema (#557) (949e743), closes #531
-
Rename prompt=login to refresh=true (#478) (c04346e), closes #477
-
Replace settings update_successful with state (#488) (ca3b3f4), closes #449
-
Text errors to text messages (#476) (8106951), closes #428:
This patch implements a better way to deal with text messages by giving them a unique ID, a context, and a default message.
-
Add azure to next docs (e1dd3fa)
-
Add fixme note for viper workaround (7e3eef6):
See ory/x#169
-
Add guide for setting up account recovery (bbf3762)
-
Add guide for setting up email verification (1435cbc)
-
Add new guides to sidebar (24c5cbc)
-
Correct claims.email in github guide (#422) (052a622):
There is no email_primary in claims, and the selfservice strategy is currently using claims.email.
-
Correct claims.email in github guide (#422) (58f7e15):
There is no email_primary in claims, and the selfservice strategy is currently using claims.email.
-
Correct link in user-settings (d13317d)
-
Correct stray dot (e820f41)
-
Correct user settings render form (197e246)
-
Delete old redirect homepage (b6d9244)
-
Document new account recovery feature (2252a86), closes #436
-
Document refresh=true for login (#479) (2ab5ead), closes #464
-
Fix broken link (d20816e)
-
Fix broken link (aa9d3e6)
-
Fix broken link (#506) (dac8dfd):
The rest api is no longer under sdk but under reference.
-
Fix code sample comment (781a76b)
-
Fix copy paste errors in code docs (e456a4e)
-
Fix typos (81903a5)
-
Fix ui url keys everywhere (b75debb)
-
Fix username example by renaming property and removing format (#508) (4573426)
-
Fix wording in settings flow graph (e2a0084)
-
Fixed broken links (#451) (193a781):
Fixed a few broken links, .md in the url was the problem.
-
Format guides (407c70f)
-
Improve grammar, clarify sections, update images (#419) (79019d1)
-
Make whitelisted_return_to_urls examples an array (#426) (7ed5605), closes #425
-
Move security questions to own document (2b77fba)
-
Properly annotate forms disabled field (#486) (be1acb3), closes /github.com/ory/kratos/pull/467#discussion_r434764266
-
Rename redirect page to browser-redirect-flow-completion (ae77d48)
-
Replace mailhog references with mailslurper (#509) (d0e5a0f)
-
Run format (2b3f299)
-
Typos and stale links (29fb466)
-
Update repository templates (4c89834)
-
Use central banner repo for README (d1e8a82)
-
Use shorthand closing tag for Mermaid (f9f2dbc)
-
Add support for Multitenant Azure AD as an OIDC provider (#434) (a8f1179)
-
Add tests for defaults (a16fc51)
-
Add User ID to a header when calling whoami (#530) (183b4d0)
-
Implement account recovery (#428) (e169a3e), closes #37:
This patch implements the account recovery with endpoints such as "Init Account Recovery", a new config value
urls.recovery_ui
and so on. A new identity field has been addedidentity.recovery_addresses
containing all recovery addresses.Additionally, some refactoring was made to DRY code and make naming consistent. As part of dependency upgrades, structured logging has also improved and an audit trail prototype has been added (currently streams to stderr only).
-
Allow kratos to talk to databases in docker-compose quickstart (#522) (8bf9a1a):
All of the databases must exist on the same docker network to allow the main kratos applications to communicate with them.
- This patch renames the Identity Traits JSON Schema to Identity JSON Schema.
The identity payload has changed from
{
- "traits_schema_url": "...",
- "traits_schema_id": "...",
+ "schema_url": "...",
+ "schema_id": "...",
}
Additionally, it is now expected that your Identity JSON Schema includes a "traits" key at the root level.
Before (example)
{
"$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Person",
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"title": "E-Mail",
"minLength": 3,
"ory.sh/kratos": {
"credentials": {
"password": {
"identifier": true
}
},
"verification": {
"via": "email"
},
"recovery": {
"via": "email"
}
}
}
},
"required": [
"email"
],
"additionalProperties": false
}
After (example)
{
"$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Person",
"type": "object",
"properties": {
"traits": {
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"title": "E-Mail",
"minLength": 3,
"ory.sh/kratos": {
"credentials": {
"password": {
"identifier": true
}
},
"verification": {
"via": "email"
},
"recovery": {
"via": "email"
}
}
}
},
"required": [
"email"
],
"additionalProperties": false
}
}
}
You also need to remove the traits
key from your ORY Kratos config like this:
identity:
- traits:
- default_schema_url: http://test.kratos.ory.sh/default-identity.schema.json
- schemas:
- - id: other
- url: http://test.kratos.ory.sh/other-identity.schema.json
+ default_schema_url: http://test.kratos.ory.sh/default-identity.schema.json
+ schemas:
+ - id: other
+ url: http://test.kratos.ory.sh/other-identity.schema.json
Do not forget to also update environment variables for the Identity JSON Schema as well if set.
- To address these refactorings, the configuration had to be changed and with breaking changes as keys have moved or have been removed.
Hook configuration has also changed. It is no longer required to include hooks such as verification
to get
verification working. Instead, verification is enabled globally (selfservice.flows.verification.enabled
).
Also, the redirect
hook has been removed as it lead to confusion because there are already default redirect
URLs configurable. You will find more information in the details below.
Session Management
-ttl:
- session: 1h
-security:
- session:
- cookie:
- same_site: Lax
+session:
+ lifespan: 1h
+ cookie_same_site: Lax
Secrets
-secrets:
- session:
- - secret-to-encrypt-session-cookies
- - old-session-cookie-secret-that-has-been-rotated
+secrets:
+ default:
+ # This secret is used as default and will also be used for encrypting e.g. cookies when a dedicated cookie secret (as shown below) is not defined.
+ - default-secret-to-encrypt-stuff
+ cookie:
+ - secret-to-encrypt-session-cookies
+ - old-session-cookie-secret-that-has-been-rotated
URLs
The Base URL configuration has moved to serve.public
and serve.admin
. They are also no longer required and fall
back to defaults based on the machine's hostname, port configuration, and other settings:
-urls:
- self:
- public: https://kratos.my-website.com/
- admin: https://admin.kratos.cluster.localnet/
+serve:
+ public:
+ base_url: https://kratos.my-website.com/
+ admin:
+ base_url: https://admin.kratos.cluster.localnet/
The UI URLs have moved from urls
to their respective self-service flows:
-urls:
- login_ui: http://127.0.0.1:4455/auth/login
- registration_ui: http://127.0.0.1:4455/auth/registration
- settings_ui: http://127.0.0.1:4455/settings
- verify_ui: http://127.0.0.1:4455/verify
- error_ui: http://127.0.0.1:4455/error
+selfservice:
+ flows:
+ login:
+ ui_url: http://127.0.0.1:4455/auth/login
+ registration:
+ ui_url: http://127.0.0.1:4455/auth/registration
+ settings:
+ ui_url: http://127.0.0.1:4455/settings
+ # please note that `verify` has changed to `verification`!
+ verification:
+ ui_url: http://127.0.0.1:4455/verify
+ error:
+ ui_url: http://127.0.0.1:4455/error
The default redirect URL as well as whitelisted redirect URLs have also changed their location:
-urls:
- default_return_to: https://self-service/dashboard
- whitelisted_return_to_urls:
- - https://self-service/some-other-url
- - https://example.org/another-url
+selfservice:
+ default_browser_return_url: https://self-service/dashboard
# Please note that the `to` has been removed (`whitelisted_return_to_urls` -> `whitelisted_return_urls`)
+ whitelisted_return_urls:
+ - https://self-service/some-other-url
+ - https://example.org/another-url
Self-Service Login
selfservice.login
has moved to selfservice.flow.login
:
selfservice:
- login:
+ flows:
+ login:
On top of this change, a few keys under login
have changed as well:
selfservice
flows:
login:
+ ui_url: http://127.0.0.1:4455/auth/login
request_lifespan: 99m
- before:
- hooks:
- - hook: redirect
- config:
- default_redirect_url: http://test.kratos.ory.sh:4000/
- allow_user_defined_redirect: false
+ # The before hooks have been removed because there were no good use cases for them. If
+ # this is a problem for you feel free to open an issue!
after:
- default_return_to: https://self-service/login/return_to
+ default_browser_return_url: https://self-service/login/return_to
password:
- default_return_to: https://self-service/login/password/return_to
+ default_browser_return_url: https://self-service/login/password/return_to
hooks:
- hook: revoke_active_sessions
oidc:
- default_return_to: https://self-service/login/podc/return_to
+ default_browser_return_url: https://self-service/login/podc/return_to
hooks:
- hook: revoke_active_sessions
Self-Service Registration
selfservice.registration
has moved from to selfservice.flow.registration
:
selfservice:
- registration:
+ flows:
+ registration:
On top of this change, a few keys under registration
have changed as well:
selfservice
flows:
registration:
+ ui_url: http://127.0.0.1:4455/auth/registration
request_lifespan: 99m
- before:
- hooks:
- - hook: redirect
- config:
- default_redirect_url: http://test.kratos.ory.sh:4000/
- allow_user_defined_redirect: false
+ # The before hooks have been removed because there were no good use cases for them. If
+ # this is a problem for you feel free to open an issue!
after:
- default_return_to: https://self-service/registration/return_to
+ default_browser_return_url: https://self-service/registration/return_to
password:
- default_return_to: https://self-service/registration/password/return_to
+ default_browser_return_url: https://self-service/registration/password/return_to
hooks:
- hook: revoke_active_sessions
+ # The verify hook is now executed automatically when verification is turned on.
- - hook: verify
+ # The redirect hook was confusing as it aborts the registration flow and does not solve redirection on
+ # success. It has thus been removed.
- - hook: redirect
oidc:
- default_return_to: https://self-service/registration/podc/return_to
+ default_browser_return_url: https://self-service/registration/podc/return_to
hooks:
- hook: revoke_active_sessions
+ # The verify hook is now executed automatically when verification is turned on.
- - hook: verify
+ # The redirect hook was confusing as it aborts the registration flow and does not solve redirection on
+ # success. It has thus been removed.
- - hook: redirect
Self-Service Settings
selfservice.settings
has moved from to selfservice.flow.settings
:
selfservice:
- settings:
+ flows:
+ settings:
On top of this change, a few keys under settings
have changed as well:
selfservice
flows:
settings:
+ ui_url: http://127.0.0.1:4455/settings
request_lifespan: 99m
privileged_session_max_age: 99m
- default_return_to: https://self-service/settings/return_to
after:
+ default_browser_return_url: https://self-service/settings/return_to
+ # The profile/password after hooks have been removed as verification is now executed automatically
+ # when turned on.
- password:
- hooks:
- - hook: verify
- profile:
- hooks:
- - hook: verify
Self-Service Verification
selfservice.verify
has moved from to selfservice.flow.verification
:
selfservice:
- verify:
+ flows:
+ verification:
Instead of configuring verification with hooks and other components, it can now be enabled
in a central place. If enabled, a SMTP server must be configured in the courier
section.
You are still required to mark a field as verifiable in your Identity JSON Schema.
selfservice:
flows:
verification:
+ enabled: true # defaults to true
+ ui_url: http://127.0.0.1:4455/recovery
request_lifespan: 1m
- default_return_to: https://self-service/verification/return_to
after:
+ default_browser_return_url: https://self-service/verification/return_to
- Replaces the
update_successful
field of the settings request with a field calledstate
which can be eithershow_form
orsuccess
. - Flows, request methods, form fields have had a key errors to show e.g. validation errors such as ("not an email address", "incorrect username/password", and so on. The
errors
key is now calledmessages
. Each message now has atype
which can beerror
orinfo
, anid
which can be used to translate messages, atext
(which was previously errors[*].message). This affects all login, request, settings, and recovery flows and methods. - To refresh a login session it is now required to append
refresh=true
instead ofprompt=login
as the second has implications for revoking an existing issue and might be confusing when used in combination with OpenID Connect. -
- Applying this patch requires running SQL Migrations.
- The field
identity.addresses
has moved toidentity.verifiable_addresses
. - Configuration key
selfservice.verification.link_lifespan
has been merged withselfservice.verification.request_lifespan
.
0.3.0-alpha.1 (2020-05-15)
-
Access rules of oathkeeper for quick start (#390) (5ed6d05), closes #389:
To access
/
as dashboard -
Active field should not be required (#401) (aed2a5c), closes ory/sdk#14
-
Adopt jsonnet in e2e oidc tests (5e518fb)
-
Detect postgres unique constraint (3a777af)
-
Fix oidc strategy jsonnet test (f6c48bf)
-
Improve config validation error message (#414) (d1e6896), closes #413
-
Reset request id after parse (9550205)
-
Resolve regression issues and bugs (e6d5369)
-
Return correct error on id mismatch (5915f28)
-
Test and implement mapper_url for jsonnet (40ac3dc)
-
Transaction usage in the identity persister (#404) (7f5072d)
-
Adopt new request parser (ad16cc9)
-
Dry config and oidc tests (3e98756)
-
Improve oidc flows and payloads and add e2e tests (#381) (f9a5079), closes #387:
This patch improves the OpenID Connect login and registration user experience by simplifying the network flows and introduces e2e tests using ORY Hydra.
-
Move cypress files to test/e2e (df8e627)
-
Partition files and change creds structure (4f1eb94):
This patch changes the data model of the OpenID Connect strategy. Instead of using an array of providers as the base config item (e.g.
{"type":"oidc","config":[{"provider":"google","subject":"..."}]}
) the credentials config is now an object with aproviders
key:{"type":"oidc","config":{"providers":[{"provider":"google","subject":"..."}]}}
. This change allows introduction of future changes to the schema without breaking compatibility. -
settings: Use common request parser (ad6c402)
-
Replace oidc jsonschema with jsonnet (2b45e79), closes #380:
This patch replaces the previous methodology of merging OIDC data which used JSON Schema with Extensions and JSON Path in favor of a much easier to use approach with JSONNet.
-
Document account enumeration defenses for oidc (266329c), closes #32
-
Document oidc strategy (#415) (9f079f4), closes #409 #124 #32
-
Explain that form data is merged with oidc data (#394) (b0dbec4), closes #127
-
Improve social sign in guide (#393) (647ced3), closes #49:
This patch changes the social sign in guide to represent more use cases such as Google and Facebook. Additionally, the example has been updated to work with Jsonnet.
This patch also documents limitations around merging user data from GitHub.
-
Prepare v0.3.0-alpha.1 (d6a6f43)
-
Add format and lint for JSONNet files (0a1b244):
This patch adds two commands
kratos jsonnet format
andkratos jsonnet lint
that help with formatting and linting JSONNet code. -
Implement oidc settings e2e tests (919925c)
-
Introduce leaklog for debugging oidc map payloads (238d7a4)
-
Write tests and fix bugs for oidc settings (575a61f)
- Format code (bc7557a)
- If you upgrade and have existing Social Sign In connections, it will no longer be possible to use them to sign in. Because the oidc strategy was undocumented and not officially released we do not provide an upgrade guide. If you run into this issue on a production system you may need to use SQL to change the config of those identities. If this is a real issue for you that you're unable to solve, please create an issue on GitHub.
- This is a breaking change as previous OIDC configurations will not work. Please consult the newly written documentation on OpenID Connect to learn how to use OIDC in your login and registration flows. Since the OIDC feature was not publicly broadcasted yet we have chosen not to provide an upgrade path. If you have issues, please reach out on the forums or slack.
0.2.1-alpha.1 (2020-05-05)
0.2.0-alpha.2 (2020-05-04)
-
Allow setting new password in profile flow (3b5fd5c)
-
Automatically append multiStatements parameter to mySQL URI (#374) (39f77bb)
-
Create pop connection without parsed connection options (#366) (10b6481)
-
Decouple quickstart scenarios (#336) (17363b3), closes #262:
Creates several docker compose examples which include various scenarios of the quickstart.
The regular quickstart guide now works without ORY Oathkeeper and uses the standalone mode of the example app instead.
Additionally, the Makefile was improved and now automatically pulls required dependencies in the appropriate version.
-
Document Schema API and serve over admin endpoint (#299) (4be417c), closes #287
-
Fix swagger annotation (#331) (5c5c78f):
Closes ory/sdk#10
-
Properly annotate error API (a6f1300)
-
Resolve docker build permission issues (f3612e8)
-
Resolve failing test issues (2e968e5)
-
Resolve NULL value for seen_at (#259) (a7d1e86), closes #244:
Previously, errorx tests were not executed which caused several bugs.
-
Revert use host volume mount for sqlite (#272) (#285) (a7477ab):
This reverts commit 230ab2d83f4d187f410e267c6d68554e82514948.
-
Show log in ui only when unauthenticated or forced (df77310), closes #323
-
Use semver-regex replacer func (d5c9a47)
-
Use sqlite tag on make install (2c82784)
-
docker: Throw away build artifacts (481ec1b)
-
Remove unused returnTo (e64e5b0)
-
Resolve linux install script archive naming (#302) (c98b8aa)
-
Resolve password continuity issues (56a44fa)
-
Self-service error query parameter name (#308) (be257f5):
The query parameter for the self-service errors endpoint was named
id
in the API docs, whereas it is theerror
param that is used by the handler. -
Use resilient client for HIBP lookup (#288) (735b435), closes #261
-
Verified_at field should not be required (#353) (15d5e26):
Closes ory/sdk#11
-
session: Regenerate CSRF Token on principal change (#290) (1527ef4), closes #217
-
session: Whoami endpoint now supports all HTTP methods (#283) (4bf645b), closes #270
-
sql: Rename migrations with same version (#280) (07e46b9), closes #279
-
swagger: Move nolint,deadcode instructions to own file (#293) (1935510):
Closes ory/docs#279
-
Prepare profile management payloads for credentials (44493f3)
-
Rename traits method to profile (4f1e033)
-
Rework hooks and self-service flow completion (#349) (a7c7fef), closes #348 #347 #179 #51 #50 #31:
This patch focuses on refactoring how self-service flows terminate and changes how hooks behave and when they are executed.
Before this patch, it was not clear whether hooks run before or after an identity is persisted. This caused problems with multiple writes on the HTTP ResponseWriter and other bugs.
This patch removes certain hooks from after login, registration, and profile flows. Per default, these flows now respond with an appropriate payload ( redirect for browsers, JSON for API clients) and deprecate the
redirect
hook. This patch includes documentation which explains how these hooks work now.Additionally, the documentation was updated. Especially the sections about hooks have been refactored. The login and user registration docs have been updated to reflect the latest changes as well.
Also, some other minor, cosmetic, changes to the documentation have been made.
-
Add banner kratos (8a9dfbb)
-
Add csrf and cookie debug section (#342) (cac2948), closes #341
-
Add HA docs (2e5c591)
-
Add hook changes to upgrade guide (55b5fe0)
-
Add more examples to config schema (#372) (ed2ccb9), closes #345
-
Add quickstart notes for docker debugging (74f082a)
-
Add settings docs and improve flows (#375) (478cd9c), closes #345
-
Declare api frontmatter properly (df7591f)
-
Document 0.2.0 high-level changes (9be1064)
-
Fix broken images in quickstart (52aa4cf)
-
Fix broken mermaid links (f24fc1b)
-
Improve profile section and restructure nav (#373) (3cc0979), closes #345
-
Regenerate and update changelog (7d4ed98)
-
Regenerate and update changelog (175b626)
-
Regenerate and update changelog (e60e2df)
-
Regenerate and update changelog (41eeb75)
-
Regenerate and update changelog (468105a)
-
Regenerate and update changelog (8414520)
-
Regenerate and update changelog (85d5866)
-
Regenerate and update changelog (e8d2d10)
-
Regenerate and update changelog (4c58b6d)
-
Regenerate and update changelog (a726eb2)
-
Regenerate and update changelog (87b47ba)
-
Regenerate and update changelog (537d496)
-
Regenerate and update changelog (00e6af9)
-
Regenerate and update changelog (48a2eca)
-
Regenerate and update changelog (8a71948)
-
Regenerate and update changelog (ad3d510)
-
Regenerate and update changelog (48bcc70)
-
Regenerate and update changelog (816a55c)
-
Regenerate and update changelog (4ed74d2)
-
Regenerate and update changelog (367927e)
-
Regenerate and update changelog (38f4019)
-
Update banner url (292c986)
-
Update forum and chat links (3039191)
-
Update linux install guide (3b8e549)
-
Update self service reg docs (#367) (4cf0323), closes /github.com/ory/kratos-selfservice-ui-node/blob/489c76d1b0474ee55ef56804b28f54d8718747ba/src/routes/auth.ts#L28:
The old links pointed at
/auth/browser/(login|registration)
which seems to be outdated now. -
Use git checkout in quickstart (#339) (2d2562b), closes #335
-
concepts: Fix typo (a49184c):
Closes ory/docs#296
-
concepts: Properly close code tag (1c841c2)
-
Allow configuring same-site for session cookies (#303) (2eb2054), closes #257:
It is now possible to set SameSite for the session cookie via the key
security.session.cookie.same_site
. -
Enable CockroachDB integration (#260) (adc5153), closes #132 #155
-
Enable continuity management for settings module (009d755)
-
Enable updating auth related traits (#266) (65b88ba), closes #243
-
Implement password profile management flow (a31839a), closes #243
-
Introduce fallbacks for required configs (#376) (b3bcb25), closes #369 #352
-
Return 410 when selfservice requests expire (#289) (b414607), closes #235
-
Send verification emails on profile update (#333) (1cacc80), closes #267
-
continuity: Implement request continuity (135e047), closes #304 #311:
This patch adds a module which is capable of aborting a request, waiting for another option to complete, and then resuming the request again.
This feature makes use of a temporary cookie which keeps track of the request state.
This feature is required for several workflows that update privileged fields such as passwords, 2fa recovery codes, email addresses.
refactor: rename profile to settings flow
Renames selfservice/profile to settings. The settings flow includes a strategy for managing profile information
-
login: Forced reauthentication (#248) (344fc9c), closes #243
-
u (0b6fa48)
-
Make format (b85e5af)
-
u (03fa4f0)
-
u (a3dfd9d)
-
u (616aa0f)
-
fix:add graceful shutdown to courier handler (#296) (235d784), closes #296 #295:
Courier would not stop with the provided Background handler. This changes the methods of Courier so that the graceful package can be used in the same way as the http endpoints can be used.
-
fix(sql) change courier body to text field (#276) (ed5268d), closes #276 #269
- Please remove the
redirect
hook from both login, registration, and settings after configuration. Please remove thesession
hook from your login after configuration. Hooks have moved down a level and are now configured atselfservice.<login|registration|settings>.<after|before>.hooks
instead ofselfservice.<login|registration|settings>.<after|before>.hooks
. Hooks are now identified byhook:
instead ofjob:
. Please rename those sections accordingly. - continuity: Several profile-related URLs have and payloads been updated. Please consult the most recent documentation.
- The payloads of the Profile Management Request API
that previously were set in
{ "methods": { "traits": { ... } }}
have now moved to{ "methods": { "profile": { ... } }}
. - This patch introduces a refactor that is needed for the profile management API to be capable of handling (password, oidc, ...) credential changes as well.
To implement this, the payloads of the Profile Management Request API
that previously were set in {"form": {...} }
have now moved to
{"methods": { "traits": { ... } }}
.
In the future, as more credential updates are handled, there will
be additional keys in the forms key
{"methods": { "traits": { ... }, "password": { ... } }}
.
0.1.1-alpha.1 (2020-02-18)
- Add verify return to address (#252) (64ab9e5)
- Clean up docker quickstart (#255) (7f0996b)
- Resolve several verification problems (#253) (30d4632)
- Update verify URLs (#258) (5d4f909)
- Regenerate and update changelog (a125822)
- Regenerate and update changelog (b3a8220)
- Regenerate and update changelog (a141b30)
- Regenerate and update changelog (7e12e20)
- Regenerate and update changelog (3c1c67b)
- Regenerate and update changelog (ee07937)
0.1.0-alpha.6 (2020-02-16)
- Adapt quickstart to verify changes (#247) (24eceb7)
- Gracefully handle selfservice request expiry (#242) (4421e6b), closes #233
- Set AuthenticatedAt in session issuer hook (#246) (29c83fa), closes #224
- swagger: Sanitize before validate (c72f140)
- swagger: Use correct annotations for request methods (#237) (8473c85), closes #234
- Regenerate and update changelog (922cf0f)
- Regenerate and update changelog (e097c23)
- Regenerate and update changelog (2d1685f)
- Regenerate and update changelog (f8964e9)
- Regenerate and update changelog (92b8001)
- Regenerate and update changelog (d7083ab)
- Regenerate and update changelog (c4547dc)
- Regenerate and update changelog (d8d8bba)
- Regenerate and update changelog (b012ed9)
- Add disabled flag to identifier form fields (#238) (a2178bd), closes #227
- Add verification to quickstart (#251) (172dc87)
- Implement email verification (#245) (eed00f4), closes #27
- Improve password validation strategy (#231) (256fad3)
0.1.0-alpha.5 (2020-02-06)
- Regenerate and update changelog (e87e9c9)
- Regenerate and update changelog (d6f0794)
- Regenerate and update changelog (eb7326c)
0.1.0-alpha.4 (2020-02-06)
- Regenerate and update changelog (f02afb3)
0.1.0-alpha.3 (2020-02-06)
No significant changes have been made for this release.
0.1.0-alpha.2 (2020-02-03)
- daemon: Register error routes on admin port (#226) (decd8d8)
- Add paths to sqa middleware (#216) (130c9c2)
- Set csrf token on public endpoints (d0b15ae)
- Introduce upgrade guide (736a3b1)
- Prepare ecosystem automation (7013b6c)
- Regenerate and update changelog (f39b942)
- Regenerate and update changelog (c121601)
- Regenerate and update changelog (a947d55)
- Regenerate and update changelog (8ba2044)
- Regenerate and update changelog (9c023e1)
- Regenerate and update changelog (1e855a9)
- Regenerate and update changelog (01ce3a8)
- Updates issue and pull request templates (#222) (4daae88)
-
Update CHANGELOG [ci skip] (ce9390c)
-
refactor!: Improve user-facing error APIs (#219) (7d4054f), closes #219 #204:
This patch refactors user-facing error APIs:
- The
/errors
endpoint moved to/self-service/errors
- The endpoint is now available at both the Admin and Public API. The Public API requires CSRF Token match or a 403 error will be returned.
- The Public API endpoint no longer returns 404 errors but 403 instead.
- The response payload changed. What was
[{"code": ...}]
is now{"id": "...", "errors": [{"code": ...}]}
This patch requires running
kratos migrate sql
as a new column (csrf_token
) has been added to the user-facing error store. - The
-
Update CHANGELOG [ci skip] (c368a11)
0.1.0-alpha.1 (2020-01-31)
0.0.3-alpha.15 (2020-01-31)
- Update permissions in SQLite Dockerfile (1266e53)
0.0.3-alpha.14 (2020-01-31)
- Update README.md (db8d65b)
0.0.3-alpha.13 (2020-01-31)
0.0.3-alpha.11 (2020-01-31)
-
Clean up cmd and resolve packr2 issues (#211) (2e43ec0), closes #211:
This patch addresses issues with the build pipeline caused by an invalid import. Profiling was also added.
-
Update CHANGELOG [ci skip] (fc32207)
0.0.3-alpha.10 (2020-01-31)
0.0.3-alpha.7 (2020-01-30)
0.0.3-alpha.5 (2020-01-30)
0.0.3-alpha.4 (2020-01-30)
- Update CHANGELOG [ci skip] (018c229)
- Add and use ory docker user (cccbe09)
- Update CHANGELOG [ci skip] (0e436e5)
- Update goreleaser changelog filters (7e5af97)
- Update CHANGELOG [ci skip] (4387503)
0.0.3-alpha.2 (2020-01-30)
0.0.3-alpha.1 (2020-01-30)
- Update CHANGELOG [ci skip] (49e09ea)
- Take form field orders from JSON Schema (#205) (a880f0d), closes #205 #176
- Update CHANGELOG [ci skip] (ff52bbb)
- Adapt quickstart docker compose config (#207) (e532583), closes #207
- Update CHANGELOG [ci skip] (7f4800b)
- Update CHANGELOG [ci skip] (1b2c3f6)
- Rework public and admin fetch strategy (#203) (99aa169), closes #203 #122
- Update CHANGELOG [ci skip] (1cea427)
- ss/profile: Use request ID as query param everywhere (#202) (ed32b14), closes #202 #190
- Update CHANGELOG [ci skip] (a392027)
- Update HTTP routes for a consistent API naming (#199) (9ed4bda), closes #199 #195
0.0.1-alpha.9 (2020-01-29)
No significant changes have been made for this release.
0.0.2-alpha.1 (2020-01-29)
- Use correct build archive for homebrew (74ac29f)
0.0.1-alpha.6 (2020-01-29)
No significant changes have been made for this release.
0.0.1-alpha.5 (2020-01-29)
- Resolve build issues with CGO (#196) (298f4ea), closes #196
- ss/password: Make form fields an array (#197) (6cb0058), closes #197 #186
0.0.1-alpha.3 (2020-01-28)
No significant changes have been made for this release.
0.0.1-alpha.2 (2020-01-28)
No significant changes have been made for this release.
0.0.1-alpha.1 (2020-01-28)
- Present ORY Hive to the world (#107) (7883589)
- Updates issue and pull request templates (0441dff)
- Updates issue and pull request templates (#174) (ad405e9)
- Updates issue and pull request templates (#39) (daf5aa8)
- Updates issue and pull request templates (#40) (f5907f3)
- Updates issue and pull request templates (#59) (8c5612c)
- Updates issue and pull request templates (#7) (a1220ba)
- Updates issue and pull request templates (#8) (c56798a)
-
Remove redundant return statement (7c2989f)
-
ss/oidc: Remove obsolete request field from form (#193) (59671ba), closes #193 #180
-
Re-introduce migration plans to CLI command (#192) (bb32cd3), closes #131
-
strategy/oidc: Allow multiple OIDC Connections (#191) (8984831), closes #191 #114
-
Improve Docker Compose Quickstart (#187) (9459072), closes #187 #188
-
Fix broken import (308aa13)
-
selfservice/password: Remove request field and ensure method is set (#183) (e035adc), closes #183
-
Add tests and fixtures for the config JSON Schema (#171) (ede9c0e), closes #171
-
Add example values for config JSON Schema (12ba728)
-
Replace
url
withuri
format in config JSON Schema (68eddef) -
Replace number with integer in config JSON Schema (#177) (9eff6fd), closes #177
-
Add ability to define multiple schemas and serve them over HTTP (#164) (c65119c), closes #86:
All identity traits schemas have to be configured using a human readable ID and the corresponding URL. This PR enables multiple schemas to be used next to the default schema. It also adds the kratos.public/schemas/:id endpoint that mirrors all schemas.
-
Separate post register/login hooks (#150) (f4b7812), closes #150 #149
-
Update README badges (4f7838e)
-
Bump go-acc and resolve test issues (#154) (15b1b63), closes #154 #152 #151:
Due to a bug in
go-acc
, tests would not run if-tags sqlite
was supplied as a go tool argument togo-acc
. This patch resolves that issue and also includes several test patches from previous community PRs and some internal test issues. -
Add helper for requiring authentication (3888fbd)
-
Add session destroyer hook (#148) (d17f002), closes #139:
This patch adds a hook that destroys all active session by the identity which is being logged in. This can be useful in scenarios where only one session should be active at any given time.
-
Add ORY Kratos banner to README (#145) (23b824f), closes #145
-
Implement message templates and SMTP delivery (#146) (dc674bf), closes #99:
This patch adds a message templates (with override capabilities) and SMTP delivery.
Integration tests using MailHog test fault resilience and e2e email delivery.
This system is designed to be extended for SMS and other use cases.
-
Replace DBAL layer with gobuffalo/pop (#130) (21d08b8), closes #130:
This is a major refactoring of the internal DBAL. After a successful proof of concept and evaluation of gobuffalo/pop, we believe this to be the best DBAL for Go at the moment. It abstracts a lot of boilerplate code away.
As with all sophisticated DBALs, pop too has its quirks. There are several issues that have been discovered during testing and adoption: gobuffalo/pop#136 gobuffalo/pop#476 gobuffalo/pop#473 gobuffalo/pop#469 gobuffalo/pop#466
However, the upside of moving much of the hard database/sql plumbing into another library cleans up the code base significantly and reduces complexity.
As part of this change, the "ephermal" DBAL ("in memory") will be removed and sqlite will be used instead. This further reduces complexity of the code base and code-duplication.
To support sqlite, CGO is required, which means that we need to run tests with
go test -tags sqlite
on a machine that has g++ installed. This also means that we need a Docker Image withalpine
as opposed to purescratch
. While this is certainly a downside, the upside of less maintenance and "free" support for SQLite, PostgreSQL, MySQL, and CockroachDB simply outweighs any downsides that come with CGO. -
Replace local deps with remote ones (8605e45)
-
ss/profile: Improve success and error flows (9e0015a), closes #112:
This patch completes the profile management flow by implementing proper error and success states and adding several data integrity tests.
-
Add helpers for go-swagger (165a660):
-
Add profile management and refactor internals (3ec9263), closes #112
-
Update keyword from kratos to ory.sh/kratos (f45cbe0), closes #115
-
Update sdk generation method (24aa3d7)
-
Use JSON Schema to type assert form body (#116) (1944c7c), closes #109
-
Rebrand ORY Hive to ORY Kratos (#111) (ceda7fb), closes #111
-
Explicitly whitelist form parser keys (#105) (28b056e), closes #98:
Previously the form parser would try to detect the field type by asserting types for the whole form. That caused passwords containing only numbers to fail to unmarshal into a string value.
This patch resolves that issue by introducing a prefix option to the BodyParser
-
Handle securecookie errors appropriately (#101) (75bf6fe), closes #97:
Previously, IsNotAuthenticated would not handle securecookie errors appropriately. This has been resolved.
-
Move package to selfservice (063b767):
Because this module is primarily used in selfservice scenarios, it has been moved to the selfservice parent.
-
Omit request header from login/registration request (#106) (9b07587), closes #95:
When fetching a login and registration request, the HTTP Request Headers must not be included in the response, as they contain irrelevant information for the API caller.
-
Properly handle empty credentials config in sql (#93) (b79c5d1)
-
Resolve wrong column reference in sql (#90) (0c0eb87):
Reference ic.method instead of ici.method.
Added regression tests against this particular issue.
-
Update to ory/x 0.0.80 (#110) (64de2f8):
Removes the need for BindEnv()
-
Fix broken tests and ci linter issues (#104) (69760fe), closes #104
-
Update to Go modules 1.13 (1da4d75)
-
Resolve minor configuration issues and response errors (#85) (a44913b), closes #85
-
Update Dockerfile and related build tools (#80) (d20c701), closes #80
-
Implement SQL Database adapter (#79) (86d07c4), closes #79 #69
-
Properly decode values in error handler (5eb9088), closes #71
-
Force path and domain on CSRF cookie (#70) (a80d8b0), closes #70 #68
-
Require no session when accessing login or sign up (#67) (c0e0da1), closes #67 #63
-
Reset CSRF token on principal change (#64) (9c889ab), closes #38:
Add tests for logout.
-
Add tests for selfservice ErrorHandler (#62) (4bb9e70), closes #62
-
OIDC provider selfservice data enrichment (#56) (936970a), closes #56 #23 #55
-
Remove local jsonschema module override (cd2a5d8)
-
Implement identity management, login, and registration (#22) (bf3395e), closes #22
-
Revert incorrect license changes (fb9740b)
-
Create FUNDING.yml (3c67ac8)
-
Initial commit (ab6f24a)