forked from ory/kratos
[pull] master from ory:master #7
Open: pull wants to merge 1,986 commits into mmrath:master from ory:master
Adds a new config flag for session and all other cookies. Falls back to the previous behavior of using the dev mode to decide if the cookie should be secure or not.
This fixes some edge cases with OIDC account linking for accounts with 2FA enabled.
…dex hint for credentials lookup (#4193) This patch reduces duplicate GetIdentity queries as part of submitting the settings flow, and improves an index to significantly reduce credential lookup. For better debugging, more tracing has been added to the settings module.
…4189) Bumps [github.com/golang-jwt/jwt/v4](https://github.com/golang-jwt/jwt) from 4.5.0 to 4.5.1. - [Release notes](https://github.com/golang-jwt/jwt/releases) - [Changelog](https://github.com/golang-jwt/jwt/blob/main/VERSION_HISTORY.md) - [Commits](golang-jwt/jwt@v4.5.0...v4.5.1) --- updated-dependencies: - dependency-name: github.com/golang-jwt/jwt/v4 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
BREAKING CHANGES: Account linking incorrectly returned a 200 OK status code even though the login flow was not completed successfully. Going forward, the correct 400 OK status code will be sent when using the API flow or `Accept: application/json`.
We now emit an event containing the Jsonnet input and output in anonymized form when mapping the claims in the OIDC flow fails.
This enables JSONNet body templating for the password migration hook. There is also a significant refactoring of some internals around webhook config handling.
`make quickstart-dev` uses the make variable `QUICKSTART_OPTIONS` which is set to `""` by default. This will result in two double quotes (`""`) in the final shell command e.g. `docker-compose "" up` when the variable is not set on the make command line, which fails at the shell level. The fix is to leave the variable empty by default. No semantic changes.
…cli (#4397) Bumps [@nestjs/common](https://github.com/nestjs/nest/tree/HEAD/packages/common) to 11.0.20 and updates ancestor dependency [@openapitools/openapi-generator-cli](https://github.com/OpenAPITools/openapi-generator-cli). These dependencies need to be updated together. Updates `@nestjs/common` from 10.4.15 to 11.0.20. Updates `@openapitools/openapi-generator-cli` from 2.18.4 to 2.20.0. Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This patch modifies the self-service registration flow so that the show_verification_ui continue_with element is only returned when the relevant post‑registration hook is defined (or when legacy behavior is enabled via configuration). It also adds a new attribute key and internal context handling for the registration flow and updates related tests and API signatures. BREAKING CHANGES: Before this change, `show_verification_ui` would always be included in `continue_with` for the registration flow when verification was enabled. After this change, `show_verification_ui` is only included when the `show_verification_ui` post-registration hook is defined.
**Changes:**
- Add `LoginStarted` and `RegistrationStarted` events along with their required attributes
- Sort all event attributes alphabetically
- Emit these events when a new login/registration flow is created, *after* basic validation passed
- It is unclear yet how many of these events will be emitted, as such it is suggested that in a first phase, they remain internal and are not yet sent externally to avoid surprises (note: sometimes, these events can be emitted without user action such as simply visiting/being redirected to the sign-in page, etc)

**Documentation PR:** [ory/docs#2144](ory/docs#2144)

**Issue:** ory-corp/cloud#7895

Examples in Grafana: screenshots of the `LoginStarted` and `RegistrationStarted` events (images not included).
- Fix typo: parital -> partial
- Document with comments why an event is not emitted or not documented
- Emit `JsonnetMappingFailed` events on jsonnet failure when templating a jwt (see https://www.ory.sh/docs/identities/session-to-jwt-cors). After review it seems we otherwise always emit events in all the right places, except in this very case.

Tested end-to-end manually with the UI.

## Related issue(s)

ory-corp/cloud#7291

## Checklist

- [x] I have read the [contributing guidelines](../blob/master/CONTRIBUTING.md).
- [x] I have referenced an issue containing the design document if my change introduces a new feature.
- [x] I am following the [contributing code guidelines](../blob/master/CONTRIBUTING.md#contributing-code).
- [x] I have read the [security policy](../security/policy).
- [x] I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security vulnerability, I confirm that I got the approval (please contact [security@ory.sh](mailto:security@ory.sh)) from the maintainers to push the changes.
- [ ] I have added tests that prove my fix is effective or that my feature works.
- [ ] I have added or changed [the documentation](https://github.com/ory/docs).
For OIDC Line Login, you only need to add id_token_key_type=JWK in the exchange step to issue tokens in ES256 format. #1116 --------- Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com> Co-authored-by: Arne Luenser <arne.luenser@ory.sh>
Fixed+expanded relevant comment. Fixed some tracing issues. Added error info and missing res.Body.Close() in courier. --------- Co-authored-by: ory-bot <60093411+ory-bot@users.noreply.github.com>
BREAKING CHANGE: Going forward, the node group of fields that are failing validation during oidc sign up are `default` and no longer `oidc`. For now, you can get the legacy behavior back by turning on `feature_flags.legacy_oidc_registration_node_group=true`. Co-authored-by: Jonas Hungershausen <jonas.hungershausen@ory.sh>
BREAKING CHANGE: The `require_verified_address` hook no longer returns a plain error. Previously, users had to manually start the verification flow, which caused a poor experience. Now, Ory Kratos automatically creates a verification flow and redirects the user using `continue_with` or an HTTP redirect. The verification flow starts with the first verified address found for the user. This aligns the behavior of `require_verified_address` with using the `verification` and `show_verification_ui` hook combination for login.
See Commits and Changes for more details.
Created by pull[bot]