This project is mirrored from https://github.com/ory/kratos.git.
-
v0.7.3-alpha.1 · b5ad53ec
This patch resolves a regression issue with Facebook login, a memory leak issue introduced by an external dependency, adds a "requires verification" login hook, and improves performance for some endpoints. Also, Ory Kratos SDKs are now published in individual [GitHub repositories for every language](https://github.com/ory?q=kratos-client).
-
v0.7.2-alpha.1 · 16787fc2
This patch resolves a memory leak issue introduced by an external dependency, adds a "requires verification" login hook, and improves performance for some endpoints.
-
v0.7.1-alpha.1 · 4fe76af1
This release addresses regressions introduced in Ory Kratos v0.7.0 and resolves some bugs and documentation inconsistencies.
-
v0.7.0-alpha.1 · 53a0e38c
About two months ago we released Ory Kratos v0.6. Today, we are excited to announce the next iteration of Ory Kratos v0.7! This release includes 215 commits from 24 contributors with over 770 files and more than 100.000 lines of code changed!

Ory Kratos v0.7 brings massive developer experience improvements:

- A reworked, tested, and standardized SDK based on OpenAPI 3.0.3 ([#1477](https://github.com/ory/kratos/pull/1477), [#1424](https://github.com/ory/kratos/issues/1424));
- Native support of Single-Page-Apps (ReactJS, AngularJS, ...) for all self-service flows ([#1367](https://github.com/ory/kratos/pull/1367));
- Sign in with Yandex, VK, Auth0, Slack;
- An all-new, secure logout flow ([#1433](https://github.com/ory/kratos/pull/1433));
- Important security updates to the self-service GET APIs ([#1458](https://github.com/ory/kratos/pull/1458), [#1282](https://github.com/ory/kratos/issues/1282));
- Built-in support for TLS ([#1466](https://github.com/ory/kratos/pull/1466));
- Improved documentation and Go Module structure;
- Resolving a case-sensitivity bug in self-service recovery and verification flows;
- Improved performance for listing identities;
- Support for Instana tracing ([#1429](https://github.com/ory/kratos/pull/1429));
- Improved control for SMTPS, supporting SSL and STARTTLS ([#1430](https://github.com/ory/kratos/pull/1430));
- Ability to run Ory Kratos in networks without outbound requests ([#1445](https://github.com/ory/kratos/pull/1445));
- Improved control over HTTP Cookie behavior ([#1531](https://github.com/ory/kratos/pull/1531));
- Several smaller user experience improvements and bug fixes;
- Improved e2e test pipeline.

In the next iteration of Ory Kratos, we will focus on providing a NextJS example application for the SPA integration as well as the long-awaited MFA flows!

Please be aware that upgrading to Ory Kratos 0.7 requires you to apply SQL migrations. Make sure to back up your database before migration!
For more details on breaking changes and patch notes, see below.
-
v0.6.3-alpha.1 · 5edf9524
This release addresses some minor bugs and improves the SDK experience. Please be aware that the Ory Kratos SDKs v0.6.3+ have breaking changes compared to Ory Kratos SDK v0.6.2. If you do not wish to update your code, you can keep using the Ory Kratos v0.6.2 SDK and upgrade to v0.6.3+ SDKs at a later stage, as only naming conventions have changed!
-
v0.6.0-alpha.2 · a3658bad
This release addresses issues with the SDK pipeline and also closes a bug related to email sending.
-
v0.6.0-alpha.1 · 507d13a8
Today Ory Kratos v0.6 has been released! We are extremely happy with this release where we made many changes that pave the path for exciting future additions such as integrating 2FA more easily! We would like to thank the awesome community for the many contributions.

Kratos v0.6 includes an insane amount of work spread over the last five months - 480 commits and over 4200 files changed. The team at Ory would like to thank all the amazing contributors that made this release possible!

Here is a summary of the most important changes:

- Ory Kratos now supports highly customizable web hooks - contributed by [@dadrus](https://github.com/dadrus) and [@martinei](https://github.com/martinei);
- Ory Kratos Courier can now be run as a standalone task using `kratos courier watch -c your/config.yaml`. To use the mail courier as a background task of the server run `kratos serve --watch-courier` - contributed by [@mattbonnell](https://github.com/mattbonnell);
- Reworked migrations to ensure stable migrations in production systems - backward compatibility is ensured and tested;
- Upgraded to Go 1.16 and removed all static file packers, greatly improving build time;
- Refactored our SDK pipeline from Swagger 2.0 to OpenAPI Spec 3.0. Ory's SDKs are now properly typed and bugs can easily be addressed using a patch process. Due to this, we had to move away from go-swagger client generation for the Go SDK and replace it with openapi-generator. This, unfortunately, introduced breaking changes in the Go SDK APIs. If you have problems migrating, or have a tutorial on how to migrate, please share it with the community on GitHub!
- Created reliable health and status checks by ensuring that e.g. migrations have completed;
- Made resilient CLI client commands e.g. `kratos identities list`;
- Better support for cookies in multi-domain setups called [domain aliasing](https://www.ory.sh/kratos/docs/guides/configuring-cookies);
- A new, [dynamically generated FAQ](https://www.ory.sh/kratos/docs/next/faq);
- Enhanced GitHub and Google claims parsing;
- Faster and more resilient CI/CD pipeline;
- Improvements for running Ory Kratos in secure Kubernetes environments;
- Better Helm Charts for Ory Kratos;
- Support for BCrypt hashing, which is now the default hashing implementation. Existing Argon2id hashes will be automatically translated to BCrypt hashes when the user signs in the next time. We recommend using Argon2id in use cases where password hashing is required to take at least 2 seconds. For regular web workloads (200ms) BCrypt is recommended - contributed by [@seremenko-wish](https://github.com/seremenko-wish);
- The Argon2 memory configuration is now human readable: `hashers.argon2.memory: 131072` -> `hashers.argon2.memory: 131072B` (supports kb, mb, kib, mib, ...).
- Add possibility to keep track of the return_to URLs for verification_flows after sign up using the new `after_verification_return_to` query parameter (e.g. `http://foo.com/registration?after_verification_return_to=verification_callback`) - contributed by [@mattbonnell](https://github.com/mattbonnell);
- Emails are now populated at delivery time, offering more flexibility in terms of templating;
- Emails contain a plaintext variant for email clients that do not display HTML emails - contributed by [@mattbonnell](https://github.com/mattbonnell);
- Mitigation for password hash timing attacks by adding a random delay to login attempts where the user does not exist;
- Resolving SDKs issues for whoami requests;
- Simplified database schema for faster processing, significantly reducing the amount of data stored and latency as several JOINS have been removed;
- Support for binding the HTTP server on UNIX sockets - contributed by [@sloonz](https://github.com/sloonz);

There are even more contributions by [@NickUfer](https://github.com/NickUfer) and [harnash](https://github.com/harnash). In total, [33 people contributed to this release](https://github.com/ory/kratos/graphs/contributors?from=2020-12-09&to=2021-05-04&type=c)! Thank you all!

*IMPORTANT:* Please be aware that the database schema has changed significantly. Applying migrations might, depending on the size of your tables, take a long time. If your database does not support online schema migrations, you will experience downtimes. Please test the migration process before applying it to production!

Probably the biggest and most significant change is the refactoring of how self-service flows work and what their payloads look like. This took the most time and introduces the biggest breaking changes in our APIs. We did this refactoring to support several flows planned for Ory Kratos 0.7:

1. Displaying QR codes (images) in login, registration, settings flows - necessary for TOTP 2FA;
2. Asking the login/registration/... UI to render JavaScript - necessary for CAPTCHA, WebAuthN, and more;
3. Refactoring the form submission API to use one endpoint per flow instead of one endpoint per flow per method. This allows us to process several registration/settings/login/... methods such as password + 2FA in one go.

[Check out how we migrated the NodeJS app](https://github.com/ory/kratos-selfservice-ui-node/commit/53ad90b6c82cde48994feebcc75d754ba74929ec) from the Ory Kratos 0.5 to Ory Kratos 0.6 SDK. Let's take a look into how these payloads have changed (the flows have identical configuration):

**Ory Kratos v0.5**

*Login*

```json
{
  "id": "ee6e1565-d3c3-4f3a-a6ff-0ba6b3a6481b",
  "type": "browser",
  "expires_at": "2020-09-13T10:49:54.8295242Z",
  "issued_at": "2020-09-13T10:39:54.8295242Z",
  "request_url": "http://127.0.0.1:4433/self-service/login/browser",
  "methods": {
    "password": {
      "method": "password",
      "config": {
        "action": "http://127.0.0.1:4433/self-service/login/methods/password?flow=ee6e1565-d3c3-4f3a-a6ff-0ba6b3a6481b",
        "method": "POST",
        "fields": [
          {
            "name": "identifier",
            "type": "text",
            "required": true,
            "value": ""
          },
          {
            "name": "password",
            "type": "password",
            "required": true
          },
          {
            "name": "csrf_token",
            "type": "hidden",
            "required": true,
            "value": "lNrB8sW2fZY6xnnA91V7ISYrUVcJbmRCOoGHjsnsfI7MsIL5RTbuWFm5TRv1azQW+7IRCfnt2Ch6pC42/45sJQ=="
          }
        ]
      }
    }
  },
  "forced": false
}
```

*Registration*

```json
{
  "id": "2b1f8c5d-e830-4068-97b8-35f776df9217",
  "type": "browser",
  "expires_at": "2020-09-13T10:53:15.1774019Z",
  "issued_at": "2020-09-13T10:43:15.1774019Z",
  "request_url": "http://127.0.0.1:4433/self-service/registration/browser",
  "active": "password",
  "messages": null,
  "methods": {
    "password": {
      "method": "password",
      "config": {
        "action": "http://127.0.0.1:4433/self-service/registration/methods/password?flow=2b1f8c5d-e830-4068-97b8-35f776df9217",
        "method": "POST",
        "fields": [
          {
            "name": "csrf_token",
            "type": "hidden",
            "required": true,
            "value": "1IlHWNjkAZxuYhO82WPgNTgujKsUSaW87j6og/20i2uM4wRTWGSSUg0dJ2fbXa8C5bfM9eTKGdauGwE7y9abwA=="
          },
          {
            "name": "password",
            "type": "password",
            "required": true,
            "messages": [
              {
                "id": 4000005,
                "text": "The password can not be used because the password has been found in at least 23597311 data breaches and must no longer be used..",
                "type": "error",
                "context": {
                  "reason": "the password has been found in at least 23597311 data breaches and must no longer be used."
                }
              }
            ]
          },
          {
            "name": "traits.email",
            "type": "text",
            "value": "foo@ory.sh"
          },
          {
            "name": "traits.name.first",
            "type": "text",
            "value": "Ory"
          },
          {
            "name": "traits.name.last",
            "type": "text",
            "value": "Corp"
          }
        ]
      }
    }
  }
}
```

**Ory Kratos v0.6**

*Login*

As you can see below, the input name `identifier` has changed to `password_identifier`.

```json
{
  "id": "07016811-917d-4788-bb9c-fc297897af6c",
  "type": "browser",
  "expires_at": "2021-04-28T08:37:53.924337873Z",
  "issued_at": "2021-04-28T08:27:53.924337873Z",
  "request_url": "http://127.0.0.1:4433/self-service/login/browser",
  "ui": {
    "action": "http://127.0.0.1:4433/self-service/login?flow=07016811-917d-4788-bb9c-fc297897af6c",
    "method": "POST",
    "nodes": [
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "csrf_token",
          "type": "hidden",
          "value": "IuiHo8fajl6Nwi2CfR33bmC7ZI+geYY44oinK/npkS9gaeV6DlkzS0voYZuyGawsCruvlawFl/pY6/Ph6d9JVg==",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {}
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "password_identifier",
          "type": "text",
          "value": "",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070004,
            "text": "ID",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "password",
          "type": "password",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070001,
            "text": "Password",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "method",
          "type": "submit",
          "value": "password",
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1010001,
            "text": "Sign in",
            "type": "info",
            "context": {}
          }
        }
      }
    ]
  },
  "forced": false
}
```

*Registration*

```json
{
  "id": "f0c0830a-f5b2-4c2d-a37f-2e70152a4f7c",
  "type": "browser",
  "expires_at": "2021-04-28T08:54:12.951178972Z",
  "issued_at": "2021-04-28T08:44:12.951178972Z",
  "request_url": "http://127.0.0.1:4433/self-service/registration/browser",
  "ui": {
    "action": "http://127.0.0.1:4433/self-service/registration?flow=f0c0830a-f5b2-4c2d-a37f-2e70152a4f7c",
    "method": "POST",
    "nodes": [
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "csrf_token",
          "type": "hidden",
          "value": "408SIAOvpKxW/WbcYfKue26MlLTMbON7T7JT1yhiSemhznD5yiwZuZDXKsWu9vU5BIxfrsAQ8rn10QcdOFSRkA==",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {}
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "traits.email",
          "type": "email",
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070002,
            "text": "E-Mail",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "password",
          "type": "password",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070001,
            "text": "Password",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "traits.name.first",
          "type": "text",
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070002,
            "text": "First Name",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "traits.name.last",
          "type": "text",
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070002,
            "text": "Last Name",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "method",
          "type": "submit",
          "value": "password",
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1040001,
            "text": "Sign up",
            "type": "info",
            "context": {}
          }
        }
      }
    ]
  }
}
```

These changes are analogous to settings, recovery, verification as well!

We hope you enjoy these new features as much as we do, even if we were not able to deliver 2FA in time for 0.6!

On a last note, Ory Platform, a SaaS, is launching in May as early access. It includes Ory Kratos as a managed service and we plan on adding all the other Ory open source technology soon. In our view, Ory is a 10x improvement to the existing "IAM" ecosystem:

1. The major components of Ory Platform are and will remain Apache 2.0 licensed open source. We are *not changing our approach or commitment to open source*. The SaaS model allows us to keep commercialization and open source in harmony;
2. Affordable pricing - Ory does not charge on a per identity basis;
3. Supporting migrations from the Ory Platform (SaaS) to the open-source and vice versa;
4. Offering a planet-scale service with ultra-low latencies no matter where your users are;
5. The largest set of features and APIs of any Identity Product, including Identity and Credentials Management (Ory Kratos), Permissions and Access Control (Ory Keto), Zero-Trust Networking (Ory Oathkeeper), OAuth2, and OpenID Connect (Ory Hydra) plus integrations with Stripe, Mailchimp, Salesforce, and much more.
6. Data aggregation for threat mitigation, auditing, and other use cases (e.g. integration with Snowflake, AWS RedShift, GCP BigQuery, ...)
7. All the advantages of the open source projects - headless, fully customizable, strong security, built with a community;

If you wish to become a part of the preview, please write a short email to [sales@ory.sh](mailto:sales@ory.sh). Early access adopters are also eligible for Ory Hypercare - helping you integrate with Ory fast and designing your security architecture following industry best practices.

Thank you for being a part of our community!
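To make the v0.5 to v0.6 payload change in the v0.6.0-alpha.1 notes above concrete, the following added example (not code from the Ory project or its SDKs) builds a password-login submission from either payload shape and refuses to submit a browser flow that carries no `csrf_token`. The function names `formFor` and `buildPasswordLogin` are hypothetical, and the two sample payloads are constructed, trimmed copies of the login payloads above with placeholder flow IDs and token values.

```javascript
// Constructed samples, trimmed to the fields used here; FLOW_ID and token values are placeholders.
const V05_LOGIN = {
  type: "browser",
  methods: { password: { method: "password", config: {
    action: "http://127.0.0.1:4433/self-service/login/methods/password?flow=FLOW_ID",
    method: "POST",
    fields: [
      { name: "identifier", type: "text", required: true, value: "" },
      { name: "password", type: "password", required: true },
      { name: "csrf_token", type: "hidden", required: true, value: "constructed-token-v05" },
    ] } } },
};
const V06_LOGIN = {
  type: "browser",
  ui: {
    action: "http://127.0.0.1:4433/self-service/login?flow=FLOW_ID",
    method: "POST",
    nodes: [
      { type: "input", group: "default",
        attributes: { name: "csrf_token", type: "hidden", value: "constructed-token-v06", required: true } },
      { type: "input", group: "password",
        attributes: { name: "password_identifier", type: "text", value: "", required: true } },
      { type: "input", group: "password",
        attributes: { name: "password", type: "password", required: true } },
      { type: "input", group: "password",
        attributes: { name: "method", type: "submit", value: "password" } },
    ],
  },
};

// Flatten either payload shape into { version, action, method, inputs[] } for one method group.
function formFor(flow, group) {
  if (flow.ui && Array.isArray(flow.ui.nodes)) {
    // v0.6: one form per flow; nodes are tagged with a group, "default" holds csrf_token.
    const inputs = flow.ui.nodes
      .filter((n) => n.type === "input" && (n.group === group || n.group === "default"))
      .map((n) => ({ ...n.attributes }));
    return { version: "0.6", action: flow.ui.action, method: flow.ui.method, inputs };
  }
  // v0.5: one form (and one action URL) per method.
  const m = flow.methods && flow.methods[group];
  if (!m) throw new Error(`flow has no "${group}" method`);
  return { version: "0.5", action: m.config.action, method: m.config.method, inputs: m.config.fields };
}

// Build the password-login submission. Hidden and submit inputs are echoed back
// unchanged, so csrf_token (and, in v0.6, method=password) reach the server.
function buildPasswordLogin(flow, identifier, password) {
  const form = formFor(flow, "password");
  const names = form.inputs.map((i) => i.name);
  const body = {};
  for (const i of form.inputs) {
    if (i.type === "hidden" || i.type === "submit") body[i.name] = i.value;
  }
  // A browser flow without a CSRF token is rejected here instead of being submitted.
  if (flow.type === "browser" && !body.csrf_token) throw new Error("csrf_token missing from flow");
  // v0.6 renamed the input `identifier` to `password_identifier`.
  const idField = names.includes("password_identifier") ? "password_identifier" : "identifier";
  if (!names.includes(idField)) throw new Error("no identifier input in flow");
  body[idField] = identifier;
  body.password = password;
  return { version: form.version, action: form.action, method: form.method, body };
}
```

Reading the field names from the flow instead of hard-coding them is what keeps a UI working across the rename, and echoing the hidden inputs keeps the CSRF check intact on both versions.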
-
v0.5.5-alpha.1 · 83aedcb8
The ORY Community is proud to present you the next iteration of ORY Kratos. In this release, we focused on improving production stability!
-
v0.5.4-alpha.1 · b02926c4
This release introduces the new CLI command `kratos hashers argon2 calibrate 500ms`. This command will choose the best parameterization for Argon2. Check out the [Choose Argon2 Parameters for Secure Password Hashing and Login](https://www.ory.sh/choose-recommended-argon2-parameters-password-hashing/) blog article for more insights!
-
v0.5.3-alpha.1 · 64dc91af
This release improves the developer and user experience around CSRF counter-measures. It should now be possible to use the self-service API flows without having to explicitly disable cookie features in your SDKs and integrations. Additionally, another issue in the CGO pipeline was resolved which finally allows running ORY Kratos without CGO if the target database is not SQLite. Further improvements to default config values have been made, along with a full end-to-end test suite for the exemplary [kratos-selfservice-ui-react-native](kratos-selfservice-ui-react-native) app. The app is now available in the iTunes store as well - just search for "ORY Profile App"!
-
v0.5.1-alpha.1 · b85b36b9
This release resolves an issue where ORY Kratos Docker Images without CGO and SQLite support would fail to boot even when SQLite was not used as a data source.
-
v0.5.0-alpha.1 · 557d37d1
The ORY team and community is very proud to present the next ORY Kratos iteration!

ORY Kratos is now capable of handling native (iOS, Android, Windows, macOS, ...) login, registration, settings, recovery, and verification flows. As a goodie on top, we released a reference React Native application which you can find on [GitHub](http://github.com/ory/kratos-selfservice-ui-react-native).

We co-released our reference React Native application which acts as a reference on implementing these flows:

![Registration](http://ory.sh/images/newsletter/kratos-0.5.0/registration-screen.png)
![Welcome](http://ory.sh/images/newsletter/kratos-0.5.0/welcome-screen.png)
![Settings](http://ory.sh/images/newsletter/kratos-0.5.0/settings-screen.png)

In total, almost 1200 files were changed in about 480 commits. While you can find a list of all changes in the changelist below, these are the changes we are most proud of:

- We renamed login, registration, ... requests to "flows" consistently across the code base, APIs, and data storage. We now:
  - Initiate a login, registration, ... flow;
  - Fetch a login, registration, ... flow; and
  - Complete a login, registration, ... flow using a login flow method such as "Log in with username and password".
- All self-service flows are now capable of handling API-based requests that do not originate from a browser such as Chrome. This sets the groundwork for handling native flows (see above)!
- The self service documentation has been refactored and simplified. We added code samples, screenshots, payloads, and curl commands to make things easier and clearer to understand. Video guides have also been added to help you and the community get things done faster!
- Documentation for rotating important secrets such as the cookie and session secrets was added.
- The need for reverse proxies was removed by adding the ability to change the ORY Kratos Session Cookie domain and path! The [kratos-selfservice-ui-node](https://github.com/ory/kratos-selfservice-ui-node) reference implementation no longer requires HTTP Request piping which greatly simplifies the network layout and codebase!
- The ORY Kratos CLI is now capable of managing identities with an interface that works almost like the Docker CLI we all love!
- Admins are now able to initiate account recovery for identities.
- Email verification and account recovery were refactored. It is now possible to add additional strategies (e.g. recovery codes) in the future, greatly increasing the feature set and security capabilities of future ORY Kratos versions!
- Lookup to Have I Been Pwned is no longer a hard requirement, allowing registration processes to complete when the service is unavailable or the network is slow.
- We contributed several issues and features in upstream projects such as justinas/nosurf, gobuffalo/pop, and many more!
- The build pipeline has been upgraded to support cross-compilation of CGO with Go 1.15+.
- Fetching flows no longer requires CSRF cookies to be set, improving developer experience while not compromising on security!
- ORY Kratos now has ORY Kratos Session Cookies (set in the HTTP Cookie header) and ORY Kratos Session Tokens (set as an HTTP Bearer Authorization token or the `X-Session-Token` HTTP Header).

Additionally, tons of bugs were fixed, tests added, documentation improved, and much more. Please note that several things have changed in a breaking fashion. You can find details for the individual breaking changes in the changelog below.

We would like to thank all community members who contributed towards this release (in no particular order):

- https://github.com/kevgo
- https://github.com/NickUfer
- https://github.com/drwatsno
- https://github.com/alsuren
- https://github.com/wezzle
- https://github.com/sherbang
- https://github.com/perryao
- https://github.com/jikunchong
- https://github.com/err0r500
- https://github.com/debrutal
- https://github.com/c0depwn
- https://github.com/aschepis
- https://github.com/jakhog

Have fun exploring the new release, we hope you like it! If you haven't already, join the [ORY Community Slack](http://slack.ory.sh) where we hold weekly community hangouts via video chat and answer your questions, exchange ideas, and present new developments!
-
v0.4.4-alpha.1 · 154d543e
The purpose of this release is to resolve issues with install scripts, homebrew, and scoop.