v1.0.0

We are thrilled to announce Ory Kratos v1.0, the powerful Identity, User Management, and Authentication system! With this major update, Ory Kratos brings a host of enhancements and fixes that greatly improve the user experience and overall performance.

Ory Kratos 1.0 is stable and robust

Several compelling reasons led to label Ory Kratos as a major release and graduated project: Ory Identities on Ory Network, powered by Ory Kratos, has been serving production traffic for well over a year, flawlessly. Ory Kratos is successfully processing over 100 million API requests daily and has about 100 million Docker Pulls. We have maintained stability within the Ory Kratos APIs for nearly two years, demonstrating their robustness and reliability. No breaking changes mean that developers can trust the stability of Ory Kratos in production.

Notable changes

Ory Kratos 1.0 introduces a variety of new features while focusing on stability, robustness, and improved performance. Major enhancements include support for social login and single-sign-on via OpenID connect in native apps, emails sent through HTTP rather than SMTP, and full compatibility with Ory Hydra v2.2.0. Users will also find multi-region support in the Ory Network for broader geographic reach, improved export functionality for all credential types, and enhanced session management with the introduction of the "provider ID" parameter. Other additions comprise distroless images for leaner resource utilization and faster deployment and support for the Lark OIDC provider.

New features and full multi-region support in Ory Network

Significant improvements and fixes accompany these new features. Enhanced OIDC flows now include the ability to forward prompt upstream parameters, offering developers increased flexibility and customization options. The logout flow also supports the return_to parameter, facilitating more flexible redirection post-user logout. Performance has been a key focus, with Ory Kratos 1.0 now capable of handling hundreds of millions of active users monthly. Critical bug fixes have been applied to prevent users from being redirected to incorrect destinations, ensuring smoother authentication and authorization. Additionally, there's more support for legacy systems via implemented crypt(3) hashers and a fix for metadata patching has been deployed to ensure consistent user metadata management. For a detailed view of all changes, refer to the changelog on GitHub. Feedback and support are, as always, greatly appreciated.

Support options for Ory Kratos 1.0

Ory Kratos 1.0 is a major release that marks a significant milestone in our journey.

We sincerely hope that you find these new features and improvements in Ory Kratos 1.0 valuable for your projects. To experience the power of the latest release, we encourage you to get the latest version of Ory Kratos here or leverage Kratos in Ory Network — the easiest, simplest, and most cost-effective way to run Ory.

For organizations seeking to upgrade their self-hosted solution, Ory offers dedicated support services to ensure a smooth transition. Our team is ready to assist you throughout the migration process, ensuring uninterrupted access to the latest features and improvements. Additionally, we provide various support plans specifically tailored for self-hosting organizations. These plans offer comprehensive assistance and guidance to optimize your Ory deployments and meet your unique requirements.

A Shoutout to the Ory Community

We extend our heartfelt gratitude to the vibrant and supportive Ory Community. Without your constant support, feedback, and contributions, reaching this significant milestone would not have been possible. As we continue on this journey, your feedback and suggestions are invaluable to us. Together, we are shaping the future of identity management and authentication in the digital landscape.

Contributors to this release in alphabetical order: borisroman, ci42, CNLHC, David-Wobrock, giautm, IchordeDionysos, indietyp, jossbnd, kralicky, PhakornKiong, sunakan, steverusso

Are you passionate about security and want to make a meaningful impact in one of the biggest open-source communities? Join the Ory community and become a part of the new ID stack. Together, we are building the next generation of IAM solutions that empower organizations and individuals to secure their identities effectively.

Give it a go

Want to check out Ory Kratos yourself? Use these commands to get your Ory Kratos project running on the Ory Network:

brew install ory/tap/cli

scoop bucket add ory https://github.com/ory/scoop.git
scoop install ory

bash <(curl <https://raw.githubusercontent.com/ory/meta/master/install.sh>) -b . ory
sudo mv ./ory /usr/local/bin/

ory auth

ory create project --name "My first Kratos project"

ory open account-experience registration

ory patch identity-config \\
  --replace '/identity/default_schema_id="preset://username"' \\
  --replace '/identity/schemas=[{"id":"preset://username","url":"preset://username"}]' \\
  --format yaml

ory open account-experience registration

Bug Fixes

• Ability to patch metadata even if it is null (#3304) (3c04d8f)

• Accept OIDC login request in browser+JSON login flow (#3271) (ad54093):

  • fix: OIDC login in browser JSON flow

  • test: add test for OIDC+JSON continuity cookie

• Add error checking when creating verification code (#3328) (7182eca)

• Add missing SessionIssued event for api flows (#3348) (adf78e0):

  • fix: missing SessionIssued event for api flows
  • chore: add SessionIssued event to post registration hook
  • chore: format
  • chore: move sessionissued event to persister

• Bump quickstart version (#3257) (6db70a8)

• Cypress TOTP test (eac908c)

• Do not require items to be unique (#3349) (17be30d)

• Don't assume the login challenge to be a UUID (#3317) (3172862):

  For compatibility with ory/hydra#3515, which
  now encodes the whole flow in the login challenge, we cannot further
  assume that the challenge is a UUID.

• e2e: Install kratos-selfservice-ui-node peer deps (#3354) (ce20063)

• Identity list pagination (#3325) (9d3ef0d):

  Resolves a pesky issue that would skip the last page.

• IdentityCreated event (#3314) (78e31cb)

• Incorrect override in identity hydrate (#3368) (eaa3f3c)

• Increase size for request url (#3366) (10713cc)

• Minor refactorings in package hash (#3186) (831fb19)

• Missing id for login event (#3315) (b6b80a3)

• Properly normalize uppercase mail addresses (4984e0f):

  Fixes #3187
  Fixes #3289

• Provide index hint in QueryForCredentials (#3329) (4ba530e):

  • fix: provide index hint in QueryForCredentials

  • feat: remove customizable join predicate in QueryForCredentials

  • chore: remove obsolete config tracer

• Reduce lookups in whoami call (#3364) (5bb7b0c)

• Reintroduce ExpandAll (#3369) (8f9bff5)

• Remove codeball (aa29606)

• Remove duplicate SessionIssued event (#3351) (b1e78ad)

• Return HTTP 400 instead of 500 for bad query parameters (58258eb)

• sdk: Add cookie for updateLogoutFlow (#3284) (95ed2b9):

  Closes ory/sdk#255

• sdk: Update the API spec to reflect the 204 NoContent in DeleteIdentityCredentials (#3347) (f3dee86)

• Settings should persist return_to after required mfa login flow (#3263) (0ed1abd):

  • fix: get settings should persist return_to when redirecting to aal2

  • feat(e2e): verify return_to persists in recovery flows

  • test: recovery strategy with mfa account

  • test: code recovery return to persists to settings with aal2

  • u

  • fix: return to settings flow after mfa login

  • fix(test): login handler

  • fix: flow between settings and mfa

  • fix: get settings endpoint should redirect to settings ui instead of to itself

  • feat(test): preserve URL from various settings flows through login mfa flow

  • chore: cleanup

  • fix(e2e): recovery return to spa tests

  • fix: e2e proxy

  • fix: do not always redirect back to settings on mfa

  • fix: new settings flow with required mfa shouldn't be added to login flow return_to unless it contains a return_to parameter

  • fix(e2e): let test dynamically handle required_aal

  • chore: cleanup unused code

  • test: DoesSessionSatisfy with method options

  • test: recovery strategy with aal2

• String to enum for updateVerificationFlowWithLinkMethod Method (#3279) (34ff1d2), closes #2943

• Update correct typo (#3281) (0fea75c):

  The text for verification code input should be Verification code not Verify code.

• Update README (#3363) (c426014)

• Use RETURNING clause for batch create (#3293) (8ae8783)

• Use the correct redirect_uri for linkedin social login (#3269) (27ccecc)

• Webhook config parse for settings flow (#3305) (95ad94d)

Code Generation

• Pin v1.0.0 release commit (41b7c51)

Documentation

• Fix typo in readme (#3299) (b40544e)

Features

• Add “provider id” parameter to kratos session (#3292) (387f5a2), closes #3283

• Add distroless and static images (#3350) (1e65662)

• Add return_to parameters to the createLogout handler (#3336) (08fed36):

  • feat: add return_to parameters to the createLogout handler

  • test: logout take over return_to from create to update

  • test(e2e): logout return to

  • test(e2e): logout return to

  • test: logout return_to isnt applicable to react

• Allow customization of JOIN predicate in QueryForCredentials (#3253) (8785166)

• Emit events for login/logout and registration (#3235) (c784b7e)

• Forward prompt upstream parameter during OIDC flow (#3276) (d290cb0), closes #2709

• Implement crypt(3) hashers (#3303) (afe06db), closes #3291:

  This PR implements md5crypt, sha256crypt, sha512crypt, which are considered legacy (like md5), but are used in legacy systems looking to convert to ory. They use the existing format of crypt(5) (which is compliant to PHC).

• Improve event types and capture more events (#3297) (835fe13)

• Lark OIDC provider (#2925) (f884dfb)

• Return to oauth flow after switching from login to other flows (#3212) (a1fea6c):

  • feat: return to oauth flow after switching from login to other flows

  • feat(e2e): flows should have return_to set to hydra request_url

  • u

  • fix: override return_to URL on OAuth flows

  • style: format

  • fix: TestOAuth2Provider

  • feat: config to opt into using OAuth request url as return_to

  • chore: cleanup

  • fix(e2e): oauth2 login flow switching to recovery

  • feat(test): oauth2 login flow to recovery through oidc provider

  • fix(e2e): oidc-provider registration

  • chore: rename oauth2_provider.return_to_enabled to oauth2_provider.override_return_to

  • style: format

  • chore: nit config description

• Sort sessions by authenticated_at (#3324) (46f92ff):

  Closes ory/network#295

• Sqa metrics v2 (#3300) (98fe73f)

• Support exporting of all credential types (#3290) (de6c857):

  It's now possible to export all credential types (including passwords) when calling the getIdentity SDK method.

• Support OIDC flows for native apps (#3216) (cb10609), closes #707:

  Implements Social Sign In and OpenID Connect for native apps.

Tests

• Run Playwright in CI (#3259) (342edec):

  • run Playwright in CI

  • add cleanup for session token exchangers

  • fixup: ci

  • fix: compatibility between OIDC+code and other flows

  This improves the compatibility between OIDC+code and other
  flows such as TOTP, settings, password auth.

  • Update persistence/sql/persister_cleanup_test.go

  • fix: error handling with OIDC+Code

  • fix: increase playwright timeout

Unclassified

• @barnarddt @hperl feat: send emails via http api endpoint instead of smtp (#1030) (#3341) (28b7b04), closes #1030 #3341 #1030 #3008:

  This change adds a new delivery method to the courier called mailer. Similar to SMS functionality it posts a templated Data model to a API endpoint. This API can then send emails via a CRM or any other mechanism that it wants.

  Mailer still uses the existing email data models so any new email added will automatically be sent to the API/CRM as well.

  Related issue(s)

  Resolves #2825

Changelog

• 28b7b04 @barnarddt @hperl feat: send emails via http api endpoint instead of smtp (#1030) (#3341)
• 9fd60ee autogen(docs): generate and bump docs
• b1f18d9 autogen(docs): regenerate and update changelog
• 7c14f29 autogen(docs): regenerate and update changelog
• 3485204 autogen(docs): regenerate and update changelog
• 697be03 autogen(docs): regenerate and update changelog
• daa0bef autogen(docs): regenerate and update changelog
• d3f3be3 autogen(docs): regenerate and update changelog
• 9750278 autogen(docs): regenerate and update changelog
• 7f232bf autogen(docs): regenerate and update changelog
• 9b95693 autogen(docs): regenerate and update changelog
• ba55f38 autogen(docs): regenerate and update changelog
• c48f20e autogen(docs): regenerate and update changelog
• 1064b32 autogen(docs): regenerate and update changelog
• 1def410 autogen(docs): regenerate and update changelog
• 45485c3 autogen(docs): regenerate and update changelog
• b7192dc autogen(docs): regenerate and update changelog
• b43c50c autogen(docs): regenerate and update changelog
• 2f844ec autogen(docs): regenerate and update changelog
• 567e5a7 autogen(docs): regenerate and update changelog
• 5535fcb autogen(docs): regenerate and update changelog
• c842a69 autogen(docs): regenerate and update changelog
• a4f74bc autogen(docs): regenerate and update changelog
• 071db1d autogen(docs): regenerate and update changelog
• 8d406b1 autogen(docs): regenerate and update changelog
• f2bf296 autogen(docs): regenerate and update changelog
• 5f33b08 autogen(docs): regenerate and update changelog
• 61cb722 autogen(docs): regenerate and update changelog
• 0f3cf22 autogen(docs): regenerate and update changelog
• 8e760ca autogen(docs): regenerate and update changelog
• 868ea54 autogen(docs): regenerate and update changelog
• 9bb4d5c autogen(docs): regenerate and update changelog
• a6d3d5b autogen(docs): regenerate and update changelog
• 4083e44 autogen(docs): regenerate and update changelog
• ae22c7c autogen(docs): regenerate and update changelog
• 6de1cb3 autogen(openapi): regenerate swagger spec and internal client
• 4b0dead autogen(openapi): regenerate swagger spec and internal client
• a439df7 autogen(openapi): regenerate swagger spec and internal client
• 0a6235d autogen(openapi): regenerate swagger spec and internal client
• 7291c89 autogen: add v0.13.0 to version.schema.json
• b75313e autogen: pin v0.14.0-pre.0 release commit
• 41b7c51 autogen: pin v1.0.0 release commit
• ad271d2 autogen: pin v1.0.0-pre.0 release commit
• a17bcb8 chore(deps): bump @nestjs/core and @openapitools/openapi-generator-cli (#3242)
• 950b41a chore(deps): bump github.com/knadh/koanf to v2.0.1 (#3308)
• a046778 chore: add launch config for VSCode (#3239)
• 22e8daf chore: bump ory/x (#3319)
• b2ecb10 chore: bump ory/x (#3338)
• 3469773 chore: fix typo (#3370)
• 6fe4dac chore: minor improvements around secure redirect helpers (#3240)
• bcdcf45 chore: support in README (#3373)
• ac96a96 chore: update security scanners (#3295)
• b40544e docs: fix typo in readme (#3299)
• 1e65662 feat: add distroless and static images (#3350)
• 08fed36 feat: add return_to parameters to the createLogout handler (#3336)
• 387f5a2 feat: add “provider id” parameter to kratos session (#3292)
• 8785166 feat: allow customization of JOIN predicate in QueryForCredentials (#3253)
• c784b7e feat: emit events for login/logout and registration (#3235)
• d290cb0 feat: forward prompt upstream parameter during OIDC flow (#3276)
• afe06db feat: implement crypt(3) hashers (#3303)
• 835fe13 feat: improve event types and capture more events (#3297)
• f884dfb feat: lark OIDC provider (#2925)
• a1fea6c feat: return to oauth flow after switching from login to other flows (#3212)
• 46f92ff feat: sort sessions by authenticated_at (#3324)
• 98fe73f feat: sqa metrics v2 (#3300)
• cb10609 feat: support OIDC flows for native apps (#3216)
• de6c857 feat: support exporting of all credential types (#3290)
• ce20063 fix(e2e): install kratos-selfservice-ui-node peer deps (#3354)
• 95ed2b9 fix(sdk): add cookie for updateLogoutFlow (#3284)
• f3dee86 fix(sdk): update the API spec to reflect the 204 NoContent in DeleteIdentityCredentials (#3347)
• eac908c fix: Cypress TOTP test
• 78e31cb fix: IdentityCreated event (#3314)
• 3c04d8f fix: ability to patch metadata even if it is null (#3304)
• ad54093 fix: accept OIDC login request in browser+JSON login flow (#3271)
• 7182eca fix: add error checking when creating verification code (#3328)
• adf78e0 fix: add missing SessionIssued event for api flows (#3348)
• 6db70a8 fix: bump quickstart version (#3257)
• 17be30d fix: do not require items to be unique (#3349)
• 3172862 fix: don't assume the login challenge to be a UUID (#3317)
• 9d3ef0d fix: identity list pagination (#3325)
• eaa3f3c fix: incorrect override in identity hydrate (#3368)
• 10713cc fix: increase size for request url (#3366)
• 831fb19 fix: minor refactorings in package hash (#3186)
• b6b80a3 fix: missing id for login event (#3315)
• 4984e0f fix: properly normalize uppercase mail addresses
• 4ba530e fix: provide index hint in QueryForCredentials (#3329)
• 5bb7b0c fix: reduce lookups in whoami call (#3364)
• 8f9bff5 fix: reintroduce ExpandAll (#3369)
• aa29606 fix: remove codeball
• b1e78ad fix: remove duplicate SessionIssued event (#3351)
• 58258eb fix: return HTTP 400 instead of 500 for bad query parameters
• 0ed1abd fix: settings should persist return_to after required mfa login flow (#3263)
• 34ff1d2 fix: string to enum for updateVerificationFlowWithLinkMethod Method (#3279)
• c426014 fix: update README (#3363)
• 0fea75c fix: update correct typo (#3281)
• 8ae8783 fix: use RETURNING clause for batch create (#3293)
• 27ccecc fix: use the correct redirect_uri for linkedin social login (#3269)
• 95ad94d fix: webhook config parse for settings flow (#3305)
• 342edec test: run Playwright in CI (#3259)

Artifacts can be verified with cosign using this public key.