Tags: probstal/kratos
This release addresses some minor bugs and improves the SDK experience. Please be aware that the Ory Kratos SDK v0.6.3+ has breaking changes compared to Ory Kratos SDK v0.6.2. If you do not wish to update your code, you can keep using the Ory Kratos v0.6.2 SDK and upgrade to v0.6.3+ SDKs at a later stage, as only naming conventions have changed!
This release primarily addresses issues in the SDK CI pipeline.
This release addresses issues with the SDK pipeline and also closes a bug related to email sending.
Today Ory Kratos v0.6 has been released! We are extremely happy with this release where we made many changes that pave the path for exciting future additions such as integrating 2FA more easily! We would like to thank the awesome community for the many contributions. Kratos v0.6 includes an insane amount of work spread over the last five months - 480 commits and over 4200 files changed. The team at Ory would like to thank all the amazing contributors that made this release possible!

Here is a summary of the most important changes:

- Ory Kratos now supports highly customizable web hooks - contributed by [@dadrus](https://github.com/dadrus) and [@martinei](https://github.com/martinei);
- Ory Kratos Courier can now be run as a standalone task using `kratos courier watch -c your/config.yaml`. To use the mail courier as a background task of the server run `kratos serve --watch-courier` - contributed by [@mattbonnell](https://github.com/mattbonnell);
- Reworked migrations to ensure stable migrations in production systems - backward compatibility is ensured and tested;
- Upgraded to Go 1.16 and removed all static file packers, greatly improving build time;
- Refactored our SDK pipeline from Swagger 2.0 to OpenAPI Spec 3.0. Ory's SDKs are now properly typed and bugs can easily be addressed using a patch process. Due to this, we had to move away from go-swagger client generation for the Go SDK and replace it with openapi-generator. This, unfortunately, introduced breaking changes in the Go SDK APIs. If you have problems migrating, or have a tutorial on how to migrate, please share it with the community on GitHub!
- Created reliable health and status checks by ensuring that e.g. migrations have completed;
- Made CLI client commands resilient, e.g. `kratos identities list`;
- Better support for cookies in multi-domain setups called [domain aliasing](https://www.ory.sh/kratos/docs/guides/configuring-cookies);
- A new, [dynamically generated FAQ](https://www.ory.sh/kratos/docs/next/faq);
- Enhanced GitHub and Google claims parsing;
- Faster and more resilient CI/CD pipeline;
- Improvements for running Ory Kratos in secure Kubernetes environments;
- Better Helm Charts for Ory Kratos;
- Support for BCrypt hashing, which is now the default hashing implementation. Existing Argon2id hashes will be automatically translated to BCrypt hashes when the user signs in the next time. We recommend using Argon2id in use cases where password hashing is required to take at least 2 seconds. For regular web workloads (200ms) BCrypt is recommended - contributed by [@seremenko-wish](https://github.com/seremenko-wish);
- The Argon2 memory configuration is now human readable: `hashers.argon2.memory: 131072` -> `hashers.argon2.memory: 131072B` (supports kb, mb, kib, mib, ...);
- Added the possibility to keep track of the return_to URLs for verification_flows after sign up using the new `after_verification_return_to` query parameter (e.g. `http://foo.com/registration?after_verification_return_to=verification_callback`) - contributed by [@mattbonnell](https://github.com/mattbonnell);
- Emails are now populated at delivery time, offering more flexibility in terms of templating;
- Emails contain a plaintext variant for email clients that do not display HTML emails - contributed by [@mattbonnell](https://github.com/mattbonnell);
- Mitigation for password hash timing attacks by adding a random delay to login attempts where the user does not exist;
- Resolved SDK issues for whoami requests;
- Simplified database schema for faster processing, significantly reducing the amount of data stored and latency as several JOINs have been removed;
- Support for binding the HTTP server on UNIX sockets - contributed by [@sloonz](https://github.com/sloonz).

There are even more contributions by [@NickUfer](https://github.com/NickUfer) and [@harnash](https://github.com/harnash). In total, [33 people contributed to this release](https://github.com/ory/kratos/graphs/contributors?from=2020-12-09&to=2021-05-04&type=c)! Thank you all!

*IMPORTANT:* Please be aware that the database schema has changed significantly. Applying migrations might, depending on the size of your tables, take a long time. If your database does not support online schema migrations, you will experience downtimes. Please test the migration process before applying it to production!

Probably the biggest and most significant change is the refactoring of how self-service flows work and what their payloads look like. This took the most amount of time and introduces the biggest breaking changes in our APIs. We did this refactoring to support several flows planned for Ory Kratos 0.7:

1. Displaying QR codes (images) in login, registration, settings flows - necessary for TOTP 2FA;
2. Asking the login/registration/... UI to render JavaScript - necessary for CAPTCHA, WebAuthN, and more;
3. Refactoring the form submission API to use one endpoint per flow instead of one endpoint per flow per method. This allows us to process several registration/settings/login/... methods such as password + 2FA in one Go.

[Check out how we migrated the NodeJS app](ory/kratos-selfservice-ui-node@53ad90b) from the Ory Kratos 0.5 to Ory Kratos 0.6 SDK.

Let's take a look at how these payloads have changed (the flows have identical configuration):

**Ory Kratos v0.5**

*Login*

```json
{
  "id": "ee6e1565-d3c3-4f3a-a6ff-0ba6b3a6481b",
  "type": "browser",
  "expires_at": "2020-09-13T10:49:54.8295242Z",
  "issued_at": "2020-09-13T10:39:54.8295242Z",
  "request_url": "http://127.0.0.1:4433/self-service/login/browser",
  "methods": {
    "password": {
      "method": "password",
      "config": {
        "action": "http://127.0.0.1:4433/self-service/login/methods/password?flow=ee6e1565-d3c3-4f3a-a6ff-0ba6b3a6481b",
        "method": "POST",
        "fields": [
          { "name": "identifier", "type": "text", "required": true, "value": "" },
          { "name": "password", "type": "password", "required": true },
          {
            "name": "csrf_token",
            "type": "hidden",
            "required": true,
            "value": "lNrB8sW2fZY6xnnA91V7ISYrUVcJbmRCOoGHjsnsfI7MsIL5RTbuWFm5TRv1azQW+7IRCfnt2Ch6pC42/45sJQ=="
          }
        ]
      }
    }
  },
  "forced": false
}
```

*Registration*

```json
{
  "id": "2b1f8c5d-e830-4068-97b8-35f776df9217",
  "type": "browser",
  "expires_at": "2020-09-13T10:53:15.1774019Z",
  "issued_at": "2020-09-13T10:43:15.1774019Z",
  "request_url": "http://127.0.0.1:4433/self-service/registration/browser",
  "active": "password",
  "messages": null,
  "methods": {
    "password": {
      "method": "password",
      "config": {
        "action": "http://127.0.0.1:4433/self-service/registration/methods/password?flow=2b1f8c5d-e830-4068-97b8-35f776df9217",
        "method": "POST",
        "fields": [
          {
            "name": "csrf_token",
            "type": "hidden",
            "required": true,
            "value": "1IlHWNjkAZxuYhO82WPgNTgujKsUSaW87j6og/20i2uM4wRTWGSSUg0dJ2fbXa8C5bfM9eTKGdauGwE7y9abwA=="
          },
          {
            "name": "password",
            "type": "password",
            "required": true,
            "messages": [
              {
                "id": 4000005,
                "text": "The password can not be used because the password has been found in at least 23597311 data breaches and must no longer be used..",
                "type": "error",
                "context": {
                  "reason": "the password has been found in at least 23597311 data breaches and must no longer be used."
                }
              }
            ]
          },
          { "name": "traits.email", "type": "text", "value": "foo@ory.sh" },
          { "name": "traits.name.first", "type": "text", "value": "Ory" },
          { "name": "traits.name.last", "type": "text", "value": "Corp" }
        ]
      }
    }
  }
}
```

**Ory Kratos v0.6**

*Login*

As you can see below, the input name `identifier` has changed to `password_identifier`.

```json
{
  "id": "07016811-917d-4788-bb9c-fc297897af6c",
  "type": "browser",
  "expires_at": "2021-04-28T08:37:53.924337873Z",
  "issued_at": "2021-04-28T08:27:53.924337873Z",
  "request_url": "http://127.0.0.1:4433/self-service/login/browser",
  "ui": {
    "action": "http://127.0.0.1:4433/self-service/login?flow=07016811-917d-4788-bb9c-fc297897af6c",
    "method": "POST",
    "nodes": [
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "csrf_token",
          "type": "hidden",
          "value": "IuiHo8fajl6Nwi2CfR33bmC7ZI+geYY44oinK/npkS9gaeV6DlkzS0voYZuyGawsCruvlawFl/pY6/Ph6d9JVg==",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {}
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "password_identifier",
          "type": "text",
          "value": "",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": { "label": { "id": 1070004, "text": "ID", "type": "info" } }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "password",
          "type": "password",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": { "label": { "id": 1070001, "text": "Password", "type": "info" } }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "method",
          "type": "submit",
          "value": "password",
          "disabled": false
        },
        "messages": null,
        "meta": { "label": { "id": 1010001, "text": "Sign in", "type": "info", "context": {} } }
      }
    ]
  },
  "forced": false
}
```

*Registration*

```json
{
  "id": "f0c0830a-f5b2-4c2d-a37f-2e70152a4f7c",
  "type": "browser",
  "expires_at": "2021-04-28T08:54:12.951178972Z",
  "issued_at": "2021-04-28T08:44:12.951178972Z",
  "request_url": "http://127.0.0.1:4433/self-service/registration/browser",
  "ui": {
    "action": "http://127.0.0.1:4433/self-service/registration?flow=f0c0830a-f5b2-4c2d-a37f-2e70152a4f7c",
    "method": "POST",
    "nodes": [
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "csrf_token",
          "type": "hidden",
          "value": "408SIAOvpKxW/WbcYfKue26MlLTMbON7T7JT1yhiSemhznD5yiwZuZDXKsWu9vU5BIxfrsAQ8rn10QcdOFSRkA==",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": {}
      },
      {
        "type": "input",
        "group": "password",
        "attributes": { "name": "traits.email", "type": "email", "disabled": false },
        "messages": null,
        "meta": { "label": { "id": 1070002, "text": "E-Mail", "type": "info" } }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "password",
          "type": "password",
          "required": true,
          "disabled": false
        },
        "messages": null,
        "meta": { "label": { "id": 1070001, "text": "Password", "type": "info" } }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": { "name": "traits.name.first", "type": "text", "disabled": false },
        "messages": null,
        "meta": { "label": { "id": 1070002, "text": "First Name", "type": "info" } }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": { "name": "traits.name.last", "type": "text", "disabled": false },
        "messages": null,
        "meta": { "label": { "id": 1070002, "text": "Last Name", "type": "info" } }
      },
      {
        "type": "input",
        "group": "password",
        "attributes": {
          "name": "method",
          "type": "submit",
          "value": "password",
          "disabled": false
        },
        "messages": null,
        "meta": { "label": { "id": 1040001, "text": "Sign up", "type": "info", "context": {} } }
      }
    ]
  }
}
```

These changes are analogous to settings, recovery, verification as well!

We hope you enjoy these new features as much as we do, even if we were not able to deliver 2FA in time for 0.6!
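To make the structural change concrete, here is an added example (written for this page; not code from Ory Kratos, its SDKs, or the reference UI apps) of a small JavaScript adapter that turns either payload shape into one flat form description and builds the submission body from it. The sample payloads are trimmed copies of the two login flows above with shortened CSRF tokens (constructed sample data); `flowToForm`, `buildSubmission` and `errorTexts` are hypothetical helper names.

```javascript
// Added example for this page: a version-independent adapter for Ory Kratos
// self-service flow payloads (not code from Ory Kratos or its SDKs).
//
// v0.5 shape: flow.methods.password.config.{action, method, fields[]}
// v0.6 shape: flow.ui.{action, method, nodes[]}, each node carrying
//             attributes{name, type, value, required, disabled}, messages, meta

// Collect the error texts attached to a field (v0.5) or node (v0.6).
function errorTexts(messages) {
  return (messages || []).filter((m) => m.type === "error").map((m) => m.text);
}

// Normalise one flow payload (either version) into a flat form description.
function flowToForm(flow) {
  if (flow.ui && Array.isArray(flow.ui.nodes)) {
    // v0.6: every renderable element is a node; only input nodes become fields.
    return {
      version: "0.6",
      action: flow.ui.action,
      method: flow.ui.method,
      fields: flow.ui.nodes
        .filter((n) => n.type === "input")
        .map((n) => ({
          name: n.attributes.name,
          type: n.attributes.type,
          value: n.attributes.value === undefined ? "" : n.attributes.value,
          required: Boolean(n.attributes.required),
          disabled: Boolean(n.attributes.disabled),
          label: n.meta && n.meta.label ? n.meta.label.text : undefined,
          errors: errorTexts(n.messages),
        })),
    };
  }
  const cfg = flow.methods && flow.methods.password && flow.methods.password.config;
  if (!cfg) throw new Error("unrecognised flow payload");
  // v0.5: the password method carries its own action URL and field list.
  return {
    version: "0.5",
    action: cfg.action,
    method: cfg.method,
    fields: cfg.fields.map((f) => ({
      name: f.name,
      type: f.type,
      value: f.value === undefined ? "" : f.value,
      required: Boolean(f.required),
      disabled: false,
      label: undefined,
      errors: errorTexts(f.messages),
    })),
  };
}

// Build the POST body for a form. `credentials` uses the v0.6 field names;
// for a v0.5 flow `password_identifier` is mapped back to `identifier`.
// Hidden fields (csrf_token) and the submit node (method=password in v0.6)
// are echoed back exactly as delivered. Required fields still missing are
// reported so the caller can fail locally instead of round-tripping to Kratos.
function buildSubmission(form, credentials) {
  const body = {};
  for (const f of form.fields) {
    if (f.type === "hidden" || f.type === "submit") body[f.name] = f.value;
  }
  for (const [key, value] of Object.entries(credentials)) {
    const name = form.version === "0.5" && key === "password_identifier" ? "identifier" : key;
    body[name] = value;
  }
  const missing = form.fields
    .filter((f) => f.required && !f.disabled && !(f.name in body))
    .map((f) => f.name);
  return { body, missing };
}

// Constructed sample data: trimmed copies of the two login payloads above,
// with the CSRF tokens shortened.
const V05_LOGIN = {
  id: "ee6e1565-d3c3-4f3a-a6ff-0ba6b3a6481b",
  type: "browser",
  methods: { password: { method: "password", config: {
    action: "http://127.0.0.1:4433/self-service/login/methods/password?flow=ee6e1565-d3c3-4f3a-a6ff-0ba6b3a6481b",
    method: "POST",
    fields: [
      { name: "identifier", type: "text", required: true, value: "" },
      { name: "password", type: "password", required: true },
      { name: "csrf_token", type: "hidden", required: true, value: "csrf-v05" },
    ],
  } } },
};
const V06_LOGIN = {
  id: "07016811-917d-4788-bb9c-fc297897af6c",
  type: "browser",
  ui: {
    action: "http://127.0.0.1:4433/self-service/login?flow=07016811-917d-4788-bb9c-fc297897af6c",
    method: "POST",
    nodes: [
      { type: "input", group: "default", attributes: { name: "csrf_token", type: "hidden", value: "csrf-v06", required: true, disabled: false }, messages: null, meta: {} },
      { type: "input", group: "password", attributes: { name: "password_identifier", type: "text", value: "", required: true, disabled: false }, messages: null, meta: { label: { id: 1070004, text: "ID", type: "info" } } },
      { type: "input", group: "password", attributes: { name: "password", type: "password", required: true, disabled: false }, messages: null, meta: { label: { id: 1070001, text: "Password", type: "info" } } },
      { type: "input", group: "password", attributes: { name: "method", type: "submit", value: "password", disabled: false }, messages: null, meta: { label: { id: 1010001, text: "Sign in", type: "info" } } },
    ],
  },
};

// Usage: the same credentials yield the right body for either payload version.
const creds = { password_identifier: "foo@ory.sh", password: "correct horse" };
console.log(JSON.stringify(buildSubmission(flowToForm(V05_LOGIN), creds)));
console.log(JSON.stringify(buildSubmission(flowToForm(V06_LOGIN), creds)));
```

Two details matter for a safe migration: the `csrf_token` hidden field and the v0.6 `method` submit node are sent back untouched, because Kratos rejects a submission without them, and `missing` lists any required field the UI forgot to collect, so a broken form is caught on the client before it ever reaches the server.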
On a last note, Ory Platform, a SaaS, is launching in May as early access. It includes Ory Kratos as a managed service and we plan on adding all the other Ory open source technology soon. In our view, Ory is a 10x improvement to the existing "IAM" ecosystem:

1. The major components of Ory Platform are and will remain Apache 2.0 licensed open source. We are *not changing our approach or commitment to open source*. The SaaS model allows us to keep commercialization and open source in harmony;
2. Affordable pricing - Ory does not charge on a per identity basis;
3. Supporting migrations from the Ory Platform (SaaS) to the open source and vice versa;
4. Offering a planet-scale service with ultra-low latencies no matter where your users are;
5. The largest set of features and APIs of any Identity Product, including Identity and Credentials Management (Ory Kratos), Permissions and Access Control (Ory Keto), Zero-Trust Networking (Ory Oathkeeper), OAuth2 and OpenID Connect (Ory Hydra), plus integrations with Stripe, Mailchimp, Salesforce, and much more;
6. Data aggregation for threat mitigation, auditing, and other use cases (e.g. integration with Snowflake, AWS RedShift, GCP BigQuery, ...);
7. All the advantages of the open source projects - headless, fully customizable, strong security, built with a community.

If you wish to become a part of the preview, please write a short email to [sales@ory.sh](mailto:sales@ory.sh). Early access adopters are also eligible for Ory Hypercare - helping you integrate with Ory fast and designing your security architecture following industry best practices.

Thank you for being a part of our community!
The ORY Community is proud to present you the next iteration of ORY Kratos. In this release, we focused on improving production stability!
This release introduces the new CLI command `kratos hashers argon2 calibrate 500ms`. This command will choose the best parameterization for Argon2. Check out the [Choose Argon2 Parameters for Secure Password Hashing and Login](https://www.ory.sh/choose-recommended-argon2-parameters-password-hashing/) blog article for more insights!
This release improves the developer and user experience around CSRF counter-measures. It should now be possible to use the self-service API flows without having to explicitly disable cookie features in your SDKs and integrations. Additionally, another issue in the CGO pipeline was resolved which finally allows running ORY Kratos without CGO if the target database is not SQLite. Further improvements to default config values have been made, and a full end-to-end test suite has been added for the exemplary [kratos-selfservice-ui-react-native](kratos-selfservice-ui-react-native) app. The app is now available in the iTunes store as well - just search for "ORY Profile App"!
This release addresses bugs and user experience issues.
This release resolves an issue where ORY Kratos Docker Images without CGO and SQLite support would fail to boot even when SQLite was not used as a data source.