ory/kratos

The most scalable and customizable identity server on the market. Replace your Homegrown, Auth0, Okta, Firebase with better UX and DX. Has all the tablestakes: Passkeys, Social Sign In, Multi-Factor Auth, SMS, SAML, TOTP, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0

Ory Kratos v0.9 release notes #2319

Closed aeneasr closed 2 years ago

aeneasr commented 2 years ago

We are honored to present the next major iteration of Ory Kratos with incredible contributions from the community. This release

  1. introduces 1:1 compatibility between self-hosting Ory Kratos and using Ory Cloud;
  2. refactors the architecture to introduce passwordless login using YubiKeys, TouchID, FaceID, Microsoft Hello, and all other WebAuthn-supported authentication mechanisms;
  3. centralizes the documentation for all of Ory in the ory/docs repository;
  4. supports loading custom email templates e.g. password recovery emails;
  5. adds the basis for SMS-related flows in the future;
  6. security-related changes and updates (e.g. CSP nonces, SSRF defenses, session invalidation hooks, ...);
  7. gracefully handles cookie errors;
  8. makes password policies configurable;
  9. moves the CI 100% from CircleCI to GitHub Actions;
  10. allows importing identities with their credentials (password, social sign-in connections, WebAuthn, ...);
  11. resolves several bugs in various self-service flows;
  12. resolves a bug in the secret handling - please read the breaking change note with care!
  13. moves the admin API from / to /admin - please read the breaking change note with care!
  14. adds configuration to control the flow of web hooks (cancel flows & run them in the background);

Please note that this release introduces several breaking changes. We have tried to keep the HTTP API as backward compatible as possible, by introducing HTTP redirects and other measures, but please read the notes with great care!

This release requires applying SQL migrations. Please make a backup before applying them!

With Ory Kratos 0.9, we are getting so much closer to version 1.0! Most planned refactorings and breaking changes have already been implemented and there are few planned API changes left!

Enjoy the release, and a big thank you to everyone involved in Ory Kratos v0.9!
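Items 6 (SSRF defenses) and 14 (control over web hooks) in the list above only name the features. The following is an added example, not Ory Kratos code, of the egress check a web hook dispatcher needs so that a hook URL cannot be pointed at loopback, private networks or a cloud metadata endpoint. The function names (`ValidateWebhookURL`, `IsBlockedAddr`, `SafeTransport`) and the target `hooks.example.com` are hypothetical, and the sample URLs in `main` are constructed. The address check runs twice on purpose: once when the URL is accepted, and again inside the dialer, so a hostname whose DNS answer changes between validation and connection (rebinding) is still refused.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"time"
)

// Ranges a web hook must never reach: loopback, RFC 1918 and shared address
// space, link-local (this covers the 169.254.169.254 cloud metadata endpoint),
// unspecified, multicast, and the IPv6 equivalents.
var blockedNets = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"), netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"), netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("100.64.0.0/10"), netip.MustParsePrefix("169.254.0.0/16"),
	netip.MustParsePrefix("0.0.0.0/8"), netip.MustParsePrefix("224.0.0.0/4"),
	netip.MustParsePrefix("::1/128"), netip.MustParsePrefix("::/128"),
	netip.MustParsePrefix("fc00::/7"), netip.MustParsePrefix("fe80::/10"),
	netip.MustParsePrefix("ff00::/8"),
}

// IsBlockedAddr reports whether addr lies in a blocked range. IPv4-mapped IPv6
// (::ffff:127.0.0.1) is unmapped first so it cannot bypass the IPv4 rules.
func IsBlockedAddr(addr netip.Addr) bool {
	addr = addr.Unmap()
	for _, p := range blockedNets {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// ValidateWebhookURL is the cheap check at configuration/dispatch time: http(s)
// only, no embedded credentials, IP-literal hosts must not be blocked. Names are
// deliberately not resolved here; SafeTransport repeats the check at dial time.
func ValidateWebhookURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("webhook: scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return errors.New("webhook: credentials in URL not allowed")
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("webhook: empty host")
	}
	if addr, err := netip.ParseAddr(host); err == nil && IsBlockedAddr(addr) {
		return fmt.Errorf("webhook: %s is not reachable from web hooks", addr)
	}
	return nil
}

// SafeTransport resolves the name itself, refuses any blocked answer, and dials
// the vetted IP rather than the name; redirect hops reuse it, so they are covered.
func SafeTransport() *http.Transport {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	return &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			ips, err := net.DefaultResolver.LookupNetIP(ctx, "ip", host)
			if err != nil {
				return nil, err
			}
			for _, ip := range ips {
				if IsBlockedAddr(ip) {
					return nil, fmt.Errorf("webhook: %s resolves to blocked %s", host, ip)
				}
			}
			return dialer.DialContext(ctx, network, net.JoinHostPort(ips[0].Unmap().String(), port))
		},
	}
}

func main() {
	// Constructed sample targets; hooks.example.com is a placeholder.
	for _, raw := range []string{
		"https://hooks.example.com/after-registration",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:127.0.0.1]:8080/",
		"ftp://hooks.example.com/",
	} {
		fmt.Printf("%-46s -> %v\n", raw, ValidateWebhookURL(raw))
	}
}
```

To use it, build the client as `&http.Client{Transport: SafeTransport(), Timeout: 10 * time.Second}` and call `ValidateWebhookURL` when a hook is configured. Checking only at configuration time is the classic gap: an attacker-controlled name can pass validation with a public address and later resolve to 10.0.0.0/8, which is why the dialer repeats the check and connects to the address it vetted.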

tomekpapiernik commented 2 years ago

Here's my take on the release notes:

The Ory Kratos v0.9 is here! We're extremely happy to announce that the new release is out and once again it's been made even better thanks to the incredible contributions from our awesome community. <3

Enjoy!

Here's an overview of things you can expect from the v0.9 release:

  1. We introduced 1:1 compatibility between self-hosting Ory Kratos and using Ory Cloud. The configuration works the same across all modes of operation and deployment!
  2. Passwordless login with WebAuthn is now available! Authentication with YubiKeys, TouchID, FaceID, Microsoft Hello, and other WebAuthn-supported methods is now available. The refactored infrastructure lays a foundation for more passwordless flows to come.
  3. All the docs are now available in a single repo. Go to the ory/docs repository to find docs for all Ory projects.
  4. You can now load custom email templates that'll make your essential messaging like project invitations or password recovery emails look slick.
  5. We've laid the foundation for adding SMS-dependent flows.
  6. Security is always a top priority. We've made changes and updates such as CSP nonces, SSRF defenses, session invalidation hooks, and more.
  7. Kratos now gracefully handles cookie errors.
  8. Password policies are now configurable.
  9. Added configuration to control the flow of webhooks. Now you can cancel flows & run them in the background.
  10. You can import identities along with their credentials (password, social sign-in connections, WebAuthn, ...).
  11. Infra: we migrated all of our CIs from CircleCI to GitHub Actions.
  12. We moved the admin API from / to /admin. This is a breaking change. Please read the explanation and proceed with caution!
  13. Bugfix: fixed a bug in the handling of secrets. This is a breaking change. Please read the explanation and proceed with caution!
  14. Bugfix: several bugs in different self-service flows are no more.

About Breaking Changes

As you can see, this release introduces breaking changes. We tried to keep the HTTP API as backward-compatible as possible by introducing HTTP redirects and other measures, but this update requires you to take extra care. Make sure you've read the release notes and understand the risk before updating.

You must apply SQL migrations for this release. Make sure to create a backup before you start!
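Item 6 above mentions CSP nonces without showing the pattern. As an added illustration, not code from Ory Kratos, here is the per-response nonce technique in Go: the handler mints a fresh random nonce, puts it in the Content-Security-Policy header and stamps the same value on the one inline script it intends to run, so any script an attacker manages to inject lacks the nonce and is blocked by the browser. The `LoginHandler`, the template and the `RenderLogin` helper are hypothetical.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"html/template"
	"io"
	"net/http"
	"net/http/httptest"
)

// NewNonce returns 128 bits from the CSPRNG. RawURLEncoding is used because
// the CSP grammar accepts the URL-safe alphabet and html/template would
// otherwise escape '+' inside the attribute, breaking the header/body match.
func NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// CSPHeader allows only scripts carrying this nonce. 'strict-dynamic' lets a
// nonced script load further scripts without listing hosts; object-src and
// base-uri are closed so plugins or an injected <base> cannot bypass it.
func CSPHeader(nonce string) string {
	return fmt.Sprintf("script-src 'nonce-%s' 'strict-dynamic'; object-src 'none'; base-uri 'none'", nonce)
}

// loginPage is a constructed stand-in for a self-service UI with one inline
// script; the nonce attribute is what lets that script run under the policy.
var loginPage = template.Must(template.New("login").Parse(`<!doctype html>
<html><body>
<form id="login" method="post" action="/login">
  <input name="identifier"><button>Sign in</button>
</form>
<script nonce="{{.Nonce}}">document.getElementById("login").focus();</script>
</body></html>
`))

// LoginHandler mints a fresh nonce per response and uses the same value in the
// header and the inline script. Any injected <script> lacks it and is blocked.
func LoginHandler(w http.ResponseWriter, r *http.Request) {
	nonce, err := NewNonce()
	if err != nil {
		http.Error(w, "cannot generate nonce", http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Security-Policy", CSPHeader(nonce))
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	_ = loginPage.Execute(w, struct{ Nonce string }{nonce})
}

// RenderLogin runs the handler in-process and returns the policy header and
// body so the pairing can be checked without a browser or network.
func RenderLogin() (csp, body string, err error) {
	rec := httptest.NewRecorder()
	LoginHandler(rec, httptest.NewRequest(http.MethodGet, "/login", nil))
	b, err := io.ReadAll(rec.Result().Body)
	if err != nil {
		return "", "", err
	}
	return rec.Header().Get("Content-Security-Policy"), string(b), nil
}

func main() {
	csp, body, err := RenderLogin()
	if err != nil {
		panic(err)
	}
	fmt.Println("Content-Security-Policy:", csp)
	fmt.Print(body)
}
```

The point of a nonce over an allow-listed host or a hash is that it is unguessable and changes on every response, so a reflected or stored injection cannot reuse a value it saw earlier. Two things commonly go wrong: reusing one nonce for the process lifetime (which turns it back into a static password), and rendering it into the page through a path that escapes or alters it so header and attribute no longer agree, which is why the example uses the URL-safe alphabet and checks both sides together.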

aeneasr commented 2 years ago

thank you!

aeneasr commented 2 years ago

release triggered!