ory / kratos

Next-gen identity server replacing your Auth0, Okta, Firebase with hardened security and PassKeys, SMS, OIDC, Social Sign In, MFA, FIDO, TOTP and OTP, WebAuthn, passwordless and much more. Golang, headless, API-first. Available as a worry-free SaaS with the fairest pricing on the market!
https://www.ory.sh/kratos/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0

Ory Kratos v0.6 pre-release list #1222

Closed aeneasr closed 3 years ago

aeneasr commented 3 years ago

Release notes

Finally, Ory Kratos v0.6 has been released! We are extremely happy with this release and even if we were not able to add 2FA in time, we have made many changes which pave the path for integrating 2FA more easily!

This release includes an insane amount of work spread over the last five months - 400 commits and over 4000 files changed. The team at Ory would like to thank all the amazing contributors that have contributed to this release!

Let's look at the most important changes:

- The Ory Kratos Courier can now be run as a standalone task using `kratos courier watch -c your/config.yaml`;
- Completely reworked migrations to ensure stable migrations in production systems - backwards compatibility is ensured and tested;
- Upgraded to Go 1.16 and removed all static file packers, greatly improving build time;
- Refactored our SDK pipeline from Swagger 2.0 to OpenAPI Spec 3.0. Our SDKs are now properly typed and bugs can easily be addressed using a patch process. Due to this, we had to move away from go-swagger client generation for the Go SDK and replace it with openapi-generator. This, unfortunately, introduces significant breaking changes in the Go SDK APIs. If you have problems migrating, or have a tutorial on how to migrate, please share it with the community on GitHub!
- More reliable health and status checks by ensuring that e.g. migrations have completed;
- Resilient CLI client commands (e.g. `kratos identities list`);
- Better support for cookies in multi-domain set ups called [domain aliasing](https://www.ory.sh/kratos/docs/guides/configuring-cookies);
- A new, [dynamically generated FAQ](https://www.ory.sh/kratos/docs/next/faq);
- Improved GitHub and Google claims parsing;
- Faster and more resilient CI/CD pipeline;
- Improvements for running Ory Kratos in secure Kubernetes environments;
- Better Helm Charts for Ory Kratos;
- Support for BCrypt hashing, which is now the default hashing implementation. Existing Argon2id hashes will be automatically translated to BCrypt hashes when the user signs in the next time. We recommend using Argon2id in use cases where password hashing is required to take at least 2 seconds. For regular web workloads (200ms) BCrypt is recommended;
- Add possibility to keep track of the return_to URLs for verification_flows after sign up using the new `after_verification_return_to` query parameter (e.g. `https://public.kratos/self-service/registration/browser?after_verification_return_to=verification_callback`);
- Emails are now populated at delivery time, offering more flexibility in terms of templating;
- Emails contain a plaintext variant for email clients that do not display HTML emails;
- Mitigation for password hash timing attacks by adding a random delay to login attempts where the user does not exist;
- Resolving SDK issues for `whoami` requests;
- Simplified database schema for faster processing, significantly reducing amount of data stored and latency as several `JOINS` have been removed.

**IMPORTANT:** Please be aware that the database schema has changed significantly. Applying migrations might, depending on the size of your tables, take a long time. If your database does not support online schema migrations, you will experience downtimes. Please test the migration process before applying it to production!

Probably the biggest and most significant change is the refactoring of how self-service flows work and what their payloads look like. This took the most time and introduces the biggest breaking changes in our APIs. We did this refactoring to support several flows planned for Ory Kratos 0.7:

1. Displaying QR codes (images) in login, registration, settings flows - necessary for TOTP 2FA;
2. Asking the login/registration/... UI to render JavaScript - necessary for CAPTCHA, WebAuthN, and more;
3. Refactoring the form submission API to use one endpoint per flow instead of one endpoint per flow per method. This allows us to process several registration/settings/login/... methods such as password + 2FA in one go.

[Check out how we migrated the NodeJS app](https://github.com/ory/kratos-selfservice-ui-node/commit/53ad90b6c82cde48994feebcc75d754ba74929ec) from the Ory Kratos 0.5 to Ory Kratos 0.6 SDK.

Let's take a look into how these payloads have changed (the flows have identical configuration):

**Ory Kratos v0.5**

```json
TBD
```

**Ory Kratos v0.6**

```json
TBD
```

We hope you enjoy these changes!

On a last note, Ory Platform (a SaaS) is launching in May as early access. It includes Ory Kratos as a managed service and we plan on adding all the other Ory open source technology soon. In our view, Ory is a 10x improvement to the existing "IAM" ecosystem:

  1. The major components of Ory Platform will be Apache 2.0 licensed open source, and we are not changing our approach or commitment to open source with open core or enterprise models;
  2. Affordable pricing by not charging on a per identity basis;
  3. Supporting migrations from the Ory Platform (SaaS) to the open source and vice versa;
  4. Offering a planet-scale service with ultra-low latencies no matter where your users are;
  5. The largest set of features and APIs of any Identity Product, including: Identity and Credentials Management (Ory Kratos), Permissions and Access Control (Ory Keto), Zero-Trust Networking (Ory Oathkeeper), OAuth2 and OpenID Connect (Ory Hydra) plus integrations with Stripe, Mailchimp, Salesforce, and much more.
  6. Data aggregation for threat mitigation, auditing, and other use cases (e.g. integration with Snowflake, AWS RedShift, GCP BigQuery, ...)
  7. All the advantages of the open source projects - headless, fully customizable, strong security, built with a community;

If you wish to become a part of the preview, please write a short email to sales@ory.sh. Early access adopters are also eligible for Ory Hypercare - helping you integrate with Ory fast and designing your security architecture following industry best practices.

Thank you for being a part of our community!


---

- [x] Document breaking change `identifier` -> `identifier_password` in login
- [x] https://github.com/ory/kratos-selfservice-ui-react-native/pull/35
- [x] https://github.com/ory/kratos-selfservice-ui-node/pull/116
- [x] Update CI and SDK pipeline for Swagger 3.0
- [x] https://github.com/ory/cli/pull/64
- [x] https://github.com/ory/cli/pull/63
- [x] https://github.com/ory/sdk/pull/52
- [x] reenable sdk/generate task in ci

Other todos:

- [x] Document `http://foo.com/registration?after_verification_return_to=verification_callback`
- [x] search for docs on argon2 and update with bcrypt
- [x] make bcrypt default
- [x] ~write tests for domain aliasing, especially in session manager and form actions~ -> https://github.com/ory/kratos/issues/1292
- [x] hooks execute per strategy and after everything is done too
- [x] make sure hooks don't execute twice then
- [x] Before applying strategy we need to be sure that it is actually enabled (e.g. login -> password)
- [x] Update docs
  - [x] SDK usage examples
  - [x] Form rendering
  - [x] Explain UI nodes
- [x] In ORY CLI revert
```go
//ctx = context.WithValue(ctx, cliclient.HTTPClientContextKey, func(cmd *cobra.Command) *http.Client {
//  return remote.NewHTTPClient(cmd)
//})
```
und3fined commented 3 years ago

@aeneasr any estimate for release v0.6.0?

nerrixde commented 3 years ago

I would suggest putting 2FA as the no. 1 priority. Captchas and all those other awesome things for 0.7 are cool, but I think many (incl. me) have been waiting for 2FA so long now. You're advertising it already for months and putting it in Q3 2021 or even later would be a dealbreaker for me and I would have to leave kratos and use another solution. Better put a working OTP in v0.7 and the other stuff in v0.8 then.

aeneasr commented 3 years ago

I understand, but we simply can not deliver it in 0.6. 2FA is next up after 0.6 release.

aeneasr commented 3 years ago

Using another stack is completely fine by the way! But you can't expect people to deliver stuff in open source on your timeline. Happily accept contribs though ;)

aeneasr commented 3 years ago

Today Ory Kratos v0.6 has been released! We are extremely happy with this release where we made many changes that pave the path for exciting future additions such as integrating 2FA more easily!

Kratos v0.6 includes an insane amount of work spread over the last five months - 400 commits and over 4000 files changed. The team at Ory would like to thank all the amazing contributors that made this release possible!

Here is a summary of the most important changes:

IMPORTANT: Please be aware that the database schema has changed significantly. Applying migrations might, depending on the size of your tables, take a long time. If your database does not support online schema migrations, you will experience downtimes. Please test the migration process before applying it to production!

Probably the biggest and most significant change is the refactoring of how self-service flows work and what their payloads look like. This took the most time and introduces the biggest breaking changes in our APIs. We did this refactoring to support several flows planned for Ory Kratos 0.7:

  1. Displaying QR codes (images) in login, registration, settings flows - necessary for TOTP 2FA;
  2. Asking the login/registration/... UI to render JavaScript - necessary for CAPTCHA, WebAuthN, and more;
  3. Refactoring the form submission API to use one endpoint per flow instead of one endpoint per flow per method. This allows us to process several registration/settings/login/... methods such as password + 2FA in one go.

[Check out how we migrated the NodeJS app](https://github.com/ory/kratos-selfservice-ui-node/commit/53ad90b6c82cde48994feebcc75d754ba74929ec) from the Ory Kratos 0.5 to Ory Kratos 0.6 SDK.

Let's take a look into how these payloads have changed (the flows have identical configuration):

Ory Kratos v0.5

Login

```json
{
  "id": "ee6e1565-d3c3-4f3a-a6ff-0ba6b3a6481b",
  "type": "browser",
  "expires_at": "2020-09-13T10:49:54.8295242Z",
  "issued_at": "2020-09-13T10:39:54.8295242Z",
  "request_url": "http://127.0.0.1:4433/self-service/login/browser",
  "methods": {
    "password": {
      "method": "password",
      "config": {
        "action": "http://127.0.0.1:4433/self-service/login/methods/password?flow=ee6e1565-d3c3-4f3a-a6ff-0ba6b3a6481b",
        "method": "POST",
        "fields": [
          {
            "name": "identifier",
            "type": "text",
            "required": true,
            "value": ""
          },
          {
            "name": "password",
            "type": "password",
            "required": true
          },
          {
            "name": "csrf_token",
            "type": "hidden",
            "required": true,
            "value": "lNrB8sW2fZY6xnnA91V7ISYrUVcJbmRCOoGHjsnsfI7MsIL5RTbuWFm5TRv1azQW+7IRCfnt2Ch6pC42/45sJQ=="
          }
        ]
      }
    }
  },
  "forced": false
}
```

Registration

```json
{
  "id": "2b1f8c5d-e830-4068-97b8-35f776df9217",
  "type": "browser",
  "expires_at": "2020-09-13T10:53:15.1774019Z",
  "issued_at": "2020-09-13T10:43:15.1774019Z",
  "request_url": "http://127.0.0.1:4433/self-service/registration/browser",
  "active": "password",
  "messages": null,
  "methods": {
    "password": {
      "method": "password",
      "config": {
        "action": "http://127.0.0.1:4433/self-service/registration/methods/password?flow=2b1f8c5d-e830-4068-97b8-35f776df9217",
        "method": "POST",
        "fields": [
          {
            "name": "csrf_token",
            "type": "hidden",
            "required": true,
            "value": "1IlHWNjkAZxuYhO82WPgNTgujKsUSaW87j6og/20i2uM4wRTWGSSUg0dJ2fbXa8C5bfM9eTKGdauGwE7y9abwA=="
          },
          {
            "name": "password",
            "type": "password",
            "required": true,
            "messages": [
              {
                "id": 4000005,
                "text": "The password can not be used because the password has been found in at least 23597311 data breaches and must no longer be used..",
                "type": "error",
                "context": {
                  "reason": "the password has been found in at least 23597311 data breaches and must no longer be used."
                }
              }
            ]
          },
          {
            "name": "traits.email",
            "type": "text",
            "value": "foo@ory.sh"
          },
          {
            "name": "traits.name.first",
            "type": "text",
            "value": "Ory"
          },
          {
            "name": "traits.name.last",
            "type": "text",
            "value": "Corp"
          }
        ]
      }
    }
  }
}
```

Ory Kratos v0.6

Login

As you can see below, the input name `identifier` has changed to `password_identifier`.

```json
{
  "id": "07016811-917d-4788-bb9c-fc297897af6c",
  "type": "browser",
  "expires_at": "2021-04-28T08:37:53.924337873Z",
  "issued_at": "2021-04-28T08:27:53.924337873Z",
  "request_url": "http://127.0.0.1:4433/self-service/login/browser",
  "ui": {
    "action": "http://127.0.0.1:4433/self-service/login?flow=07016811-917d-4788-bb9c-fc297897af6c",
    "method": "POST",
    "nodes": [
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "csrf_token",
          "type": "hidden",
          "value": "IuiHo8fajl6Nwi2CfR33bmC7ZI+geYY44oinK/npkS9gaeV6DlkzS0voYZuyGawsCruvlawFl/pY6/Ph6d9JVg==",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {}
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "password_identifier",
          "type": "text",
          "value": "",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070004,
            "text": "ID",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "password",
          "type": "password",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070001,
            "text": "Password",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "method",
          "type": "submit",
          "value": "password",
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1010001,
            "text": "Sign in",
            "type": "info",
            "context": {}
          }
        }
      }
    ]
  },
  "forced": false
}
```

Registration

```json
{
  "id": "f0c0830a-f5b2-4c2d-a37f-2e70152a4f7c",
  "type": "browser",
  "expires_at": "2021-04-28T08:54:12.951178972Z",
  "issued_at": "2021-04-28T08:44:12.951178972Z",
  "request_url": "http://127.0.0.1:4433/self-service/registration/browser",
  "ui": {
    "action": "http://127.0.0.1:4433/self-service/registration?flow=f0c0830a-f5b2-4c2d-a37f-2e70152a4f7c",
    "method": "POST",
    "nodes": [
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "csrf_token",
          "type": "hidden",
          "value": "408SIAOvpKxW/WbcYfKue26MlLTMbON7T7JT1yhiSemhznD5yiwZuZDXKsWu9vU5BIxfrsAQ8rn10QcdOFSRkA==",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {}
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "traits.email",
          "type": "email",
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070002,
            "text": "E-Mail",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "password",
          "type": "password",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070001,
            "text": "Password",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "traits.name.first",
          "type": "text",
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070002,
            "text": "First Name",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "traits.name.last",
          "type": "text",
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070002,
            "text": "Last Name",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "method",
          "type": "submit",
          "value": "password",
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1040001,
            "text": "Sign up",
            "type": "info",
            "context": {}
          }
        }
      }
    ]
  }
}
```

These changes are analogous to settings, recovery, verification as well!

We hope you enjoy these new features as much as we do, even if we were not able to deliver 2FA in time for 0.6!

On a last note, Ory Platform, a SaaS is launching in May as early access. It includes Ory Kratos as a managed service and we plan on adding all the other Ory open source technology soon. In our view, Ory is a 10x improvement to the existing "IAM" ecosystem:

  1. The major components of Ory Platform will be Apache 2.0 licensed open source, and we are not changing our approach or commitment to open source with open core or enterprise models;
  2. Affordable pricing by not charging on a per identity basis;
  3. Supporting migrations from the Ory Platform (SaaS) to the open source and vice versa;
  4. Offering a planet-scale service with ultra-low latencies no matter where your users are;
  5. The largest set of features and APIs of any Identity Product, including: Identity and Credentials Management (Ory Kratos), Permissions and Access Control (Ory Keto), Zero-Trust Networking (Ory Oathkeeper), OAuth2 and OpenID Connect (Ory Hydra) plus integrations with Stripe, Mailchimp, Salesforce, and much more.
  6. Data aggregation for threat mitigation, auditing, and other use cases (e.g. integration with Snowflake, AWS RedShift, GCP BigQuery, ...)
  7. All the advantages of the open source projects - headless, fully customizable, strong security, built with a community;

If you wish to become a part of the preview, please write a short email to sales@ory.sh. Early access adopters are also eligible for Ory Hypercare - helping you integrate with Ory fast and designing your security architecture following industry best practices.

Thank you for being a part of our community!
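The payload comparison in the comment above is the core of the v0.6 migration: the per-method `methods.<name>.config.fields` array becomes a single `ui` object with one `action` and a flat list of `nodes`, each tagged with a `group`, and the strategy is selected by a submit node named `method`. The block below is an added example written for this page, not code from Ory Kratos or its Node.js self-service UI. It renders the v0.6 node list to an HTML form (escaping every attribute, since csrf tokens and prefilled traits come from the server response), lifts a v0.5 payload into the same shape so one renderer serves both during a migration, and checks a submitted body against the flow so that an unknown or disabled method or a missing required field is rejected before it is forwarded. `escapeHtml`, `toV06`, `renderForm`, `checkSubmission` and the constructed `LOGIN_V05`/`LOGIN_V06` fixtures (trimmed from the payloads above, with constructed token values) are assumptions made here.

```javascript
// Added example, not code from Ory Kratos or its Node.js UI. escapeHtml, toV06,
// renderForm and checkSubmission are names chosen for this example.

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// v0.5 -> v0.6: one method's fields become input nodes in a group named after
// the method; its per-method action becomes the single form action.
function toV06(flowV05, methodName) {
  const cfg = flowV05.methods[methodName].config;
  const nodes = cfg.fields.map((f) => ({
    type: "input",
    group: f.name === "csrf_token" ? "default" : methodName,
    attributes: { name: f.name, type: f.type, value: f.value, required: !!f.required, disabled: false },
    messages: f.messages || null,
    meta: {},
  }));
  return { action: cfg.action, method: cfg.method, nodes };
}

// Render ui.nodes to an HTML form. Every attribute value is escaped: node
// values (csrf tokens, prefilled traits) must never be pasted into markup raw.
function renderForm(ui) {
  let hasSubmit = false;
  const parts = ui.nodes.map((n) => {
    const a = n.attributes;
    const label = n.meta && n.meta.label ? n.meta.label.text : a.name;
    if (a.type === "submit") {
      hasSubmit = true;
      return `<button type="submit" name="${escapeHtml(a.name)}" value="${escapeHtml(a.value)}">${escapeHtml(label)}</button>`;
    }
    const attrs = [`type="${escapeHtml(a.type)}"`, `name="${escapeHtml(a.name)}"`];
    if (a.value !== undefined) attrs.push(`value="${escapeHtml(a.value)}"`);
    if (a.required) attrs.push("required");
    if (a.disabled) attrs.push("disabled");
    const errors = (n.messages || []).map((m) => `<span class="error">${escapeHtml(m.text)}</span>`).join("");
    const input = `<input ${attrs.join(" ")}>`;
    return a.type === "hidden" ? input : `<label>${escapeHtml(label)} ${input}</label>${errors}`;
  });
  // v0.5 payloads carry no submit node, so give the lifted form a plain button.
  if (!hasSubmit) parts.push('<button type="submit">Submit</button>');
  return `<form action="${escapeHtml(ui.action)}" method="${escapeHtml(ui.method)}">${parts.join("")}</form>`;
}

// Check a parsed form body against the flow before forwarding it: the submit
// value must name a method the flow actually offers, and every required input
// of the default group and of the chosen method's group must be present.
function checkSubmission(ui, body) {
  const errors = [];
  const submits = ui.nodes.filter((n) => n.attributes.type === "submit");
  const chosen = submits.find((n) => body[n.attributes.name] === n.attributes.value);
  if (submits.length > 0 && !chosen) errors.push("unknown or disabled method");
  const group = chosen ? chosen.group : null;
  for (const n of ui.nodes) {
    const a = n.attributes;
    if (a.type === "submit" || a.disabled) continue;
    if (group && n.group !== "default" && n.group !== group) continue;
    if (a.required && !body[a.name]) errors.push(`missing required field ${a.name}`);
  }
  return errors;
}

// Constructed fixtures, trimmed from the v0.5 and v0.6 login payloads above.
const LOGIN_V05 = {
  id: "ee6e1565-d3c3-4f3a-a6ff-0ba6b3a6481b",
  methods: { password: { method: "password", config: {
    action: "http://127.0.0.1:4433/self-service/login/methods/password?flow=ee6e1565-d3c3-4f3a-a6ff-0ba6b3a6481b",
    method: "POST",
    fields: [
      { name: "identifier", type: "text", required: true, value: "" },
      { name: "password", type: "password", required: true },
      { name: "csrf_token", type: "hidden", required: true, value: "constructed-token" },
    ],
  } } },
};

const LOGIN_V06 = {
  id: "07016811-917d-4788-bb9c-fc297897af6c",
  ui: {
    action: "http://127.0.0.1:4433/self-service/login?flow=07016811-917d-4788-bb9c-fc297897af6c",
    method: "POST",
    nodes: [
      { type: "input", group: "default", attributes: { name: "csrf_token", type: "hidden", value: "constructed-token", required: true, disabled: false }, messages: null, meta: {} },
      { type: "input", group: "password", attributes: { name: "password_identifier", type: "text", value: "", required: true, disabled: false }, messages: null, meta: { label: { id: 1070004, text: "ID", type: "info" } } },
      { type: "input", group: "password", attributes: { name: "password", type: "password", required: true, disabled: false }, messages: null, meta: { label: { id: 1070001, text: "Password", type: "info" } } },
      { type: "input", group: "password", attributes: { name: "method", type: "submit", value: "password", disabled: false }, messages: null, meta: { label: { id: 1010001, text: "Sign in", type: "info", context: {} } } },
    ],
  },
};
```

`checkSubmission` mirrors, on the UI side, the check the todo list above records for the server ("before applying a strategy we need to be sure that it is actually enabled"): with one endpoint per flow, the submitted `method` value is what selects the strategy, so a body naming a method the flow never offered should be refused rather than routed. `toV06` deliberately keeps v0.5 field names (`identifier`, not `password_identifier`), because the lifted form still posts to a v0.5 action.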

nerrixde commented 3 years ago

@aeneasr I completely understand it, I watched all the commits in recent months and I know what's behind all this. I really would like to stick with kratos; what I meant is to have 2FA/OTP in v0.7 and other new features after 2FA (i.e. in 0.8). It's not about v0.6, I think releasing v0.6 without 2FA is indeed the right way as the structural changes made deserve their own update. What I'm suggesting is just to prioritize 2FA over other features, simply because it's been announced for a long time, many wish for it and it's been on the roadmap so long.

Also I do not expect stuff to be delivered on a timeline in FOSS, however it's a fact that ory advertises this and has been working on this for literally years, thus asking to have this key feature prioritized is a fair thing.

Also I probably will contribute, however I am currently learning go first tho

aeneasr commented 3 years ago

> @aeneasr I completely understand it, I watched all the commits in recent months and I know what's behind all this. I really would like to stick with kratos; what I meant is to have 2FA/OTP in v0.7 and other new features after 2FA (i.e. in 0.8). It's not about v0.6, I think releasing v0.6 without 2FA is indeed the right way as the structural changes made deserve their own update. What I'm suggesting is just to prioritize 2FA over other features, simply because it's been announced for a long time, many wish for it and it's been on the roadmap so long.

Right, I misunderstood then. I've cleaned up the 0.7 milestone to avoid confusion - I hope that clears things up: https://github.com/ory/kratos/milestone/9

MFA is next on the list as we need it for the SaaS, but it made sense to make 0.6 an interim release as there are many bugfixes and stuff people are waiting for.

johanforssell commented 3 years ago

Some Argon2 config settings have changed format (number '128' to string '128B') - is that important enough to merit mention in the release notes?

ory_kratos@swarm1 | The configuration contains values or keys which are invalid:
ory_kratos@swarm1 | hashers.argon2.memory: 131072
ory_kratos@swarm1 |                        ^-- expected string, but got number

I just noticed it when updating my little demo setup

aeneasr commented 3 years ago

Ha, thank you!

aeneasr commented 3 years ago

Updated draft


Today Ory Kratos v0.6 has been released! We are extremely happy with this release where we made many changes that pave the path for exciting future additions such as integrating 2FA more easily! We would like to thank the awesome community for the many contributions.

Kratos v0.6 includes an insane amount of work spread over the last five months - 400 commits and over 4000 files changed. The team at Ory would like to thank all the amazing contributors that made this release possible!

Here is a summary of the most important changes:

There are even more contributions by @NickUfer and harnash. In total, 33 people contributed to this release! Thank you all!

IMPORTANT: Please be aware that the database schema has changed significantly. Applying migrations might, depending on the size of your tables, take a long time. If your database does not support online schema migrations, you will experience downtimes. Please test the migration process before applying it to production!

Probably the biggest and most significant change is the refactoring of how self-service flows work and what their payloads look like. This took the most time and introduces the biggest breaking changes in our APIs. We did this refactoring to support several flows planned for Ory Kratos 0.7:

  1. Displaying QR codes (images) in login, registration, settings flows - necessary for TOTP 2FA;
  2. Asking the login/registration/... UI to render JavaScript - necessary for CAPTCHA, WebAuthN, and more;
  3. Refactoring the form submission API to use one endpoint per flow instead of one endpoint per flow per method. This allows us to process several registration/settings/login/... methods such as password + 2FA in one go.

[Check out how we migrated the NodeJS app](https://github.com/ory/kratos-selfservice-ui-node/commit/53ad90b6c82cde48994feebcc75d754ba74929ec) from the Ory Kratos 0.5 to Ory Kratos 0.6 SDK.

Let's take a look into how these payloads have changed (the flows have identical configuration):

Ory Kratos v0.5

Login

```json
{
  "id": "ee6e1565-d3c3-4f3a-a6ff-0ba6b3a6481b",
  "type": "browser",
  "expires_at": "2020-09-13T10:49:54.8295242Z",
  "issued_at": "2020-09-13T10:39:54.8295242Z",
  "request_url": "http://127.0.0.1:4433/self-service/login/browser",
  "methods": {
    "password": {
      "method": "password",
      "config": {
        "action": "http://127.0.0.1:4433/self-service/login/methods/password?flow=ee6e1565-d3c3-4f3a-a6ff-0ba6b3a6481b",
        "method": "POST",
        "fields": [
          {
            "name": "identifier",
            "type": "text",
            "required": true,
            "value": ""
          },
          {
            "name": "password",
            "type": "password",
            "required": true
          },
          {
            "name": "csrf_token",
            "type": "hidden",
            "required": true,
            "value": "lNrB8sW2fZY6xnnA91V7ISYrUVcJbmRCOoGHjsnsfI7MsIL5RTbuWFm5TRv1azQW+7IRCfnt2Ch6pC42/45sJQ=="
          }
        ]
      }
    }
  },
  "forced": false
}
```

Registration

```json
{
  "id": "2b1f8c5d-e830-4068-97b8-35f776df9217",
  "type": "browser",
  "expires_at": "2020-09-13T10:53:15.1774019Z",
  "issued_at": "2020-09-13T10:43:15.1774019Z",
  "request_url": "http://127.0.0.1:4433/self-service/registration/browser",
  "active": "password",
  "messages": null,
  "methods": {
    "password": {
      "method": "password",
      "config": {
        "action": "http://127.0.0.1:4433/self-service/registration/methods/password?flow=2b1f8c5d-e830-4068-97b8-35f776df9217",
        "method": "POST",
        "fields": [
          {
            "name": "csrf_token",
            "type": "hidden",
            "required": true,
            "value": "1IlHWNjkAZxuYhO82WPgNTgujKsUSaW87j6og/20i2uM4wRTWGSSUg0dJ2fbXa8C5bfM9eTKGdauGwE7y9abwA=="
          },
          {
            "name": "password",
            "type": "password",
            "required": true,
            "messages": [
              {
                "id": 4000005,
                "text": "The password can not be used because the password has been found in at least 23597311 data breaches and must no longer be used..",
                "type": "error",
                "context": {
                  "reason": "the password has been found in at least 23597311 data breaches and must no longer be used."
                }
              }
            ]
          },
          {
            "name": "traits.email",
            "type": "text",
            "value": "foo@ory.sh"
          },
          {
            "name": "traits.name.first",
            "type": "text",
            "value": "Ory"
          },
          {
            "name": "traits.name.last",
            "type": "text",
            "value": "Corp"
          }
        ]
      }
    }
  }
}
```

Ory Kratos v0.6

Login

As you can see below, the input name `identifier` has changed to `password_identifier`.

```json
{
  "id": "07016811-917d-4788-bb9c-fc297897af6c",
  "type": "browser",
  "expires_at": "2021-04-28T08:37:53.924337873Z",
  "issued_at": "2021-04-28T08:27:53.924337873Z",
  "request_url": "http://127.0.0.1:4433/self-service/login/browser",
  "ui": {
    "action": "http://127.0.0.1:4433/self-service/login?flow=07016811-917d-4788-bb9c-fc297897af6c",
    "method": "POST",
    "nodes": [
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "csrf_token",
          "type": "hidden",
          "value": "IuiHo8fajl6Nwi2CfR33bmC7ZI+geYY44oinK/npkS9gaeV6DlkzS0voYZuyGawsCruvlawFl/pY6/Ph6d9JVg==",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {}
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "password_identifier",
          "type": "text",
          "value": "",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070004,
            "text": "ID",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "password",
          "type": "password",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070001,
            "text": "Password",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "method",
          "type": "submit",
          "value": "password",
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1010001,
            "text": "Sign in",
            "type": "info",
            "context": {}
          }
        }
      }
    ]
  },
  "forced": false
}
```

Registration

```json
{
  "id": "f0c0830a-f5b2-4c2d-a37f-2e70152a4f7c",
  "type": "browser",
  "expires_at": "2021-04-28T08:54:12.951178972Z",
  "issued_at": "2021-04-28T08:44:12.951178972Z",
  "request_url": "http://127.0.0.1:4433/self-service/registration/browser",
  "ui": {
    "action": "http://127.0.0.1:4433/self-service/registration?flow=f0c0830a-f5b2-4c2d-a37f-2e70152a4f7c",
    "method": "POST",
    "nodes": [
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "csrf_token",
          "type": "hidden",
          "value": "408SIAOvpKxW/WbcYfKue26MlLTMbON7T7JT1yhiSemhznD5yiwZuZDXKsWu9vU5BIxfrsAQ8rn10QcdOFSRkA==",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {}
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "traits.email",
          "type": "email",
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070002,
            "text": "E-Mail",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "password",
          "type": "password",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070001,
            "text": "Password",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "traits.name.first",
          "type": "text",
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070002,
            "text": "First Name",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "traits.name.last",
          "type": "text",
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1070002,
            "text": "Last Name",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "method",
          "type": "submit",
          "value": "password",
          "disabled": false
        },
        "messages": null,
        "meta": {
          "label": {
            "id": 1040001,
            "text": "Sign up",
            "type": "info",
            "context": {}
          }
        }
      }
    ]
  }
}
```

These changes apply analogously to the settings, recovery and verification flows as well!
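The `ui.nodes` layout is what a custom UI has to consume after upgrading. As an added example (not Ory's code or part of any Ory SDK), the JavaScript below flattens a v0.6 flow into renderable fields, surfaces per-field error messages, refuses to render when the hidden `csrf_token` node is missing or empty, and builds the POST body so that a stale `identifier` key from a v0.5 form is dropped; the sample flow is constructed from the login payload above, with a placeholder CSRF value and the v0.5 breach-check message attached to the password node.

```javascript
// Flatten a Kratos v0.6 flow into the fields a custom UI renders and posts back to
// ui.action. Surfaces per-field error messages and fails closed when the hidden csrf_token
// node is missing or empty: Kratos rejects browser submissions without it.
function parseFlowUI(flow) {
  if (!flow.ui || !Array.isArray(flow.ui.nodes)) {
    throw new Error("not a v0.6 flow: expected ui.nodes (v0.5 used methods.<name>.config.fields)");
  }
  const fields = flow.ui.nodes
    .filter((n) => n.type === "input")
    .map((n) => ({
      name: n.attributes.name,
      type: n.attributes.type,
      value: typeof n.attributes.value === "string" ? n.attributes.value : "",
      required: Boolean(n.attributes.required),
      label: n.meta && n.meta.label ? n.meta.label.text : "",
      errors: (n.messages || []).filter((m) => m.type === "error").map((m) => m.text),
    }));
  const csrf = fields.find((f) => f.name === "csrf_token" && f.type === "hidden");
  if (!csrf || !csrf.value) {
    throw new Error(`flow ${flow.id}: no csrf_token node, refusing to render form`);
  }
  return { action: flow.ui.action, method: flow.ui.method, fields };
}

// Build the body to POST to action: hidden values (csrf_token) and the submit node's value
// ("method": "password") are forwarded untouched; user input fills the rest by node name.
// Keys in userInput that do not match a node (e.g. the old "identifier") are dropped.
function buildSubmission(parsed, userInput) {
  const body = {};
  for (const f of parsed.fields) {
    body[f.name] = f.type === "hidden" || f.type === "submit" ? f.value : (userInput[f.name] ?? "");
  }
  return body;
}

// Constructed sample: the v0.6 login payload above, trimmed to the keys used here, with the
// v0.5 breach-check message attached to the password node to show how errors surface.
const sampleLoginFlow = {
  id: "07016811-917d-4788-bb9c-fc297897af6c",
  ui: {
    action: "http://127.0.0.1:4433/self-service/login?flow=07016811-917d-4788-bb9c-fc297897af6c",
    method: "POST",
    nodes: [
      { type: "input", group: "default", attributes: { name: "csrf_token", type: "hidden", value: "CSRF-TOKEN-PLACEHOLDER", required: true }, messages: null, meta: {} },
      { type: "input", group: "password", attributes: { name: "password_identifier", type: "text", value: "", required: true }, messages: null, meta: { label: { id: 1070004, text: "ID", type: "info" } } },
      { type: "input", group: "password", attributes: { name: "password", type: "password", required: true }, messages: [{ id: 4000005, text: "The password can not be used because the password has been found in at least 23597311 data breaches and must no longer be used.", type: "error" }], meta: { label: { id: 1070001, text: "Password", type: "info" } } },
      { type: "input", group: "password", attributes: { name: "method", type: "submit", value: "password" }, messages: null, meta: { label: { id: 1010001, text: "Sign in", type: "info" } } },
    ],
  },
};
```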

We hope you enjoy these new features as much as we do, even if we were not able to deliver 2FA in time for 0.6!

On a last note, Ory Platform, a SaaS, is launching in May as early access. It includes Ory Kratos as a managed service and we plan on adding all the other Ory open source technology soon. In our view, Ory is a 10x improvement to the existing "IAM" ecosystem:

  1. The major components of Ory Platform will be Apache 2.0 licensed open source, and we are not changing our approach or commitment to open source with open core or enterprise models;
  2. Affordable pricing by not charging on a per identity basis;
  3. Supporting migrations from the Ory Platform (SaaS) to the open source and vice versa;
  4. Offering a planet-scale service with ultra-low latencies no matter where your users are;
  5. The largest set of features and APIs of any Identity Product, including: Identity and Credentials Management (Ory Kratos), Permissions and Access Control (Ory Keto), Zero-Trust Networking (Ory Oathkeeper), OAuth2 and OpenID Connect (Ory Hydra) plus integrations with Stripe, Mailchimp, Salesforce, and much more;
  6. Data aggregation for threat mitigation, auditing, and other use cases (e.g. integration with Snowflake, AWS RedShift, GCP BigQuery, ...);
  7. All the advantages of the open source projects - headless, fully customizable, strong security, built with a community.

If you wish to become a part of the preview, please write a short email to sales@ory.sh. Early access adopters are also eligible for Ory Hypercare - helping you integrate with Ory fast and designing your security architecture following industry best practices.

Thank you for being a part of our community!

johanforssell commented 3 years ago

I found another issue: if you upgrade your simple setup without adding `--watch-courier` to the `kratos serve` command, then emails will not be sent.

Adding the flag and restarting the server pushed out all the emails that were waiting.

The compose file now looks like:

```yaml
...
  kratos:
    depends_on:
      - kratos-migrate
    image: oryd/kratos:v0.6.0-alpha.1.pre.2-sqlite
    ports:
      - "4433:4433" # public
      - "4434:4434" # admin
    restart: unless-stopped
    environment:
      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
      - LOG_LEVEL=debug
    command:
      serve -c /etc/config/kratos/kratos.yml --watch-courier --dev
...
```

Can we write something about this in the upgrade documentation? Is there one? I can write something if you point me in the right direction.

aeneasr commented 3 years ago

Thank you - I'll add it to the big list. Usually these should also be included in the "BREAKING CHANGES" section, which is automatically generated, but it is still good to have them in the overview as well :)

aeneasr commented 3 years ago

Released 🎉