This project is mirrored from https://github.com/ory/kratos.git.
v0.9.0-alpha.1 · 72bd2ed6
Ory Kratos v0.9 is here! We're extremely happy to announce that the new release is out and once again it's been made even better thanks to the incredible contributions from our awesome community. <3

Enjoy! Here's an overview of things you can expect from the v0.9 release:

1. We introduced 1:1 compatibility between self-hosting Ory Kratos and using Ory Cloud. The configuration works the same across all modes of operation and deployment!
2. Passwordless login with WebAuthn is now available! Authentication with YubiKeys, TouchID, FaceID, Microsoft Hello, and other WebAuthn-supported methods is now available. The refactored infrastructure lays a foundation for more passwordless flows to come.
3. All the docs are now available in a single repo. Go to the [ory/docs](https://github.com/ory/docs) repository to find docs for all Ory projects.
4. You can now load custom email templates that'll make your essential messaging like project invitations or password recovery emails look slick.
5. We've laid the foundation for adding SMS-dependent flows.
6. Security is always a top priority. We've made changes and updates such as CSP nonces, SSRF defenses, session invalidation hooks, and more.
7. Kratos now gracefully handles cookie errors.
8. Password policies are now configurable.
9. Added configuration to control the flow of webhooks. Now you can cancel flows & run them in the background.
10. You can import identities along with their credentials (password, social sign-in connections, WebAuthn, ...).
11. Infra: we migrated all of our CIs from CircleCI to GitHub Actions.
12. We moved the admin API from `/` to `admin`. **This is a breaking change**. Please read the explanation and proceed with caution!
13. Bugfix: fixed a bug in the handling of secrets. **This is a breaking change**. Please read the explanation and proceed with caution!
14. Bugfix: several bugs in different self-service flows are no more.

As you can see, this release introduces breaking changes. We tried to keep the HTTP API as backward-compatible as possible by introducing HTTP redirects and other measures, but this update requires you to take extra care. Make sure you've read the release notes and understand the risk before updating.

You must apply SQL migrations for this release. **Make sure to create a backup before you start!**
v0.8.2-alpha.1 · 627f4a1d
This release addresses further important security updates in the base Docker Images. We also resolved all issues related to ARM support on both Linux and macOS and fixed a bug that prevented the binary from compiling on FreeBSD.

This release also makes use of our new build architecture, which means that the Docker Image names have changed. We removed the "scratch" images as we received frequent complaints about them. Additionally, all Docker Images now have SQLite support built in by default. If you are relying on the SQLite images, update your Docker Pull commands as follows:

```patch
- docker pull oryd/kratos:{version}-sqlite
+ docker pull oryd/kratos:{version}
```

Additionally, all passwords now have to be at least 8 characters long, following recommendations from Microsoft and others.

In v0.8.1-alpha.1 we failed to include all the exciting things that landed, so we'll cover them now!

1. Advanced E-Mail templating support with sprig - makes it possible to translate emails as well!
2. Support wildcards for allowing redirection targets.
3. Account Recovery initiated by the Admin API now works even if identities have no email address.

Enjoy this release!
v0.8.1-alpha.1 · 82474161
This maintenance release includes important security updates for the base Docker Images (e.g. Alpine). Additionally, several hiccups with the new ARM support have been resolved and the binaries are now downloadable for all major platforms.

Please note that passwords now have to be at least 8 characters long, following recommendations from Microsoft and others.

Enjoy this release!
v0.8.0-alpha.1 · c2c902c1
We are extremely excited to share this next generation of Ory Kratos! The project is truly maturing and the community is getting larger by the hour.

On this special occasion, we would like to bring to your attention that the [**Ory Summit is happening tomorrow and on Friday!**](https://events.hubilo.com/ory-summit/register?mtm_campaign=ory-summit-2021&mtm_kwd=banner-landingpage) You will hear gripping talks from the Ory Community and Ory maintainers! And the best part, tickets are free and we are covering multiple time zones!

This release is truly the best version of Ory Kratos to date and we want to give you a tl;dr of the 345 commits and 1152 files changed, and what you can expect from this release:

- Full multi-factor authentication with different enforcement policies (soft/hard MFA).
- Support for WebAuthn (FIDO2 / U2F) two-factor authentication - from fingerprints to hardware tokens every FIDO2 device is supported!
- Ability to fetch the initial OAuth2 Access and Refresh and OpenID Connect ID Tokens an identity receives when performing social sign up. Optionally, these tokens are stored encrypted in the database (XChaCha20Poly1305 or AES-GCM)!
- Support for TOTP (Google Authenticator) two-factor verification/authentication.
- Advanced two-factor recovery with lookup secrets.
- [A complete reference implementation of the Ory Kratos end-user (self-service) facing UI in ReactJS & VercelJS](https://github.com/ory/kratos-react-nextjs-ui).
- "Native" support for Single-Page App Single Sign-On.
- Much improved single-page app and native app APIs for all self-service flows.
- Support for PBKDF2 password hashing, which will help import user passwords from other systems in the future.
- Bugfixes and improvements to the OpenAPI spec and auto-generated SDKs.
- ARM Docker Images.
- Greatly improved internal e2e test pipeline using Cypress 8.x.
- Improved functional tests with cupaloy snapshot testing.
- Documentation on different error codes and message identifiers to make it easier to translate messages in your own UI.
- Better form decoding and ability to mark required JSON Schema fields as required in the UI.
- Fixes for bugs that could result in users ending up in irrecoverable UI states.
- Better support for `return_to` across flows (e.g. OIDC) and in custom UIs.
- SBOM Software Supply Chain scanning & reporting.
- Docker Image vulnerability checking as part of the release pipeline.
- Support sending emails via AWS SES SMTP.
- A REST endpoint to invalidate all of an identity's sessions.

As you can see, much has happened and we are grateful for all the great interactions we have with you, every day!

Let's take a look at some of the breaking changes. Even though much was added, little has changed in breaking ways! This is a testament that Ory Kratos' internals and APIs are becoming more stable!

This release requires you to run SQL migrations. Please, as always, create a backup of your database first!

The SDKs are now generated with tag v0alpha2 to reflect that some signatures have changed in a breaking fashion. Please update your imports from `v0alpha1` to `v0alpha2`.

The SMTPS scheme in the courier config URL, previously used with cleartext/StartTLS/TLS SMTP connection types, now only supports implicit TLS. For StartTLS and cleartext SMTP, please use the SMTP scheme instead. Example:

- SMTP Cleartext: `smtp://foo:bar@my-mailserver:1234/?disable_starttls=true`
- SMTP with StartTLS: `smtps://foo:bar@my-mailserver:1234/` -> `smtp://foo:bar@my-mailserver:1234/`
- SMTP with implicit TLS: `smtps://foo:bar@my-mailserver:1234/?legacy_ssl=true` -> `smtps://foo:bar@my-mailserver:1234/`
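
The scheme change above, as an added Go example (not code from the Kratos project): a hypothetical `MigrateCourierURL` helper that rewrites pre-v0.8 `smtps://` courier URIs to the new rules and names the transport each result selects. Treating an old `smtps://` URI with `disable_starttls=true` as cleartext, and rejecting a URI that sets both flags, are assumptions drawn from the wording of the notes.

```go
package main

import (
	"fmt"
	"net/url"
)

// MigrateCourierURL (hypothetical helper, not part of Kratos) rewrites a
// pre-v0.8 "smtps" courier URI to the v0.8 scheme rules and reports the
// transport the new URI selects: implicit-tls, starttls or cleartext.
func MigrateCourierURL(old string) (string, string, error) {
	u, err := url.Parse(old)
	if err != nil {
		return "", "", fmt.Errorf("parse courier URI: %w", err)
	}
	if u.Scheme != "smtps" {
		return "", "", fmt.Errorf("expected pre-v0.8 smtps scheme, got %q", u.Scheme)
	}
	q := u.Query()
	legacy := q.Get("legacy_ssl") == "true"
	plain := q.Get("disable_starttls") == "true"
	q.Del("legacy_ssl") // no longer needed: smtps now always means implicit TLS
	mode := "starttls"
	switch {
	case legacy && plain:
		return "", "", fmt.Errorf("legacy_ssl and disable_starttls both set: resolve by hand")
	case legacy:
		mode = "implicit-tls" // scheme stays smtps
	case plain:
		// Credentials and mail cross the network unencrypted; the flag is
		// kept so the downgrade stays visible in config review.
		mode, u.Scheme = "cleartext", "smtp"
	default:
		u.Scheme = "smtp" // old flag-less smtps meant StartTLS
	}
	u.RawQuery = q.Encode()
	return u.String(), mode, nil
}

func main() {
	// Constructed inputs, based on the examples in the release notes.
	for _, old := range []string{
		"smtps://foo:bar@my-mailserver:1234/",
		"smtps://foo:bar@my-mailserver:1234/?legacy_ssl=true",
		"smtps://foo:bar@my-mailserver:1234/?disable_starttls=true",
	} {
		migrated, mode, err := MigrateCourierURL(old)
		fmt.Println(migrated, mode, err)
	}
}
```

A `cleartext` result is worth flagging in review, since the SMTP credentials in the URI are then sent unencrypted.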
v0.7.4-alpha.1 · 67ff8a94
This release adds the GitHub-app provider, improves SQL instrumentation, resolves an expired flow bug, and resolves documentation issues.