v26.2.4

Fix settings flow requiring reauthentication when editing non-privileged traits on verified identities

Users with a verified email address can now update non-privileged traits (such as first name or last name) through the settings flow without being prompted to reauthenticate. Previously, the privileged-session check incorrectly triggered whenever any verifiable address on the identity had a non-nil verification timestamp, because the internal deep copy of the identity corrupted the timestamp's representation.

Fixes ory/kratos#4435.

Improve the performance of finding identity credentials

Kratos now loads identity credential type mappings from the database once at startup and caches them in memory for the lifetime of the process. This eliminates a JOIN on the identity_credential_types table from every call to FindByCredentialsIdentifier, reducing query cost and improving login performance.

This also works for self-hosted installations that have non-standard UUIDs in the identity_credential_types table, dating from a time when these UUIDs were dynamic (they are now constants).

Include metadata_admin in admin session endpoint responses

Admin session endpoints now include metadata_admin in the expanded identity, consistent with admin identity endpoints. Previously, metadata_admin was stripped from session responses even on admin endpoints.

Affected endpoints:

  • GET /admin/sessions?expand=identity
  • GET /admin/sessions/{id}?expand=Identity
  • GET /admin/identities/{id}/sessions

Public endpoints remain unchanged and continue to exclude metadata_admin.
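
A regression check for the boundary described above, added here as an example and not taken from Kratos: it reports which sessions in a response body carry a non-null metadata_admin on the expanded identity, so a test can assert that the result is empty for responses from public endpoints. The function name and both sample bodies are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// session holds only the fields this check needs from a session response.
type session struct {
	ID       string `json:"id"`
	Identity *struct {
		MetadataAdmin json.RawMessage `json:"metadata_admin"`
	} `json:"identity"`
}

// SessionsExposingAdminMetadata (hypothetical helper) returns the IDs of the
// sessions in body whose identity has a non-null metadata_admin. body may be
// a single session object or a JSON array of sessions.
func SessionsExposingAdminMetadata(body []byte) ([]string, error) {
	var list []session
	if err := json.Unmarshal(body, &list); err != nil {
		var one session
		if err := json.Unmarshal(body, &one); err != nil {
			return nil, fmt.Errorf("not a session or session list: %w", err)
		}
		list = []session{one}
	}
	var exposed []string
	for _, s := range list {
		if s.Identity == nil {
			continue // identity was not expanded for this session
		}
		if m := s.Identity.MetadataAdmin; len(m) > 0 && string(m) != "null" {
			exposed = append(exposed, s.ID)
		}
	}
	return exposed, nil
}

// Constructed sample responses, not captured from a real deployment.
const publicSample = `{"id":"sess-1","identity":{"id":"id-1","traits":{"email":"a@example.com"},"metadata_public":{"tier":"free"}}}`
const adminSample = `[{"id":"sess-1","identity":{"id":"id-1","metadata_admin":{"risk":"high"}}},{"id":"sess-2","identity":{"id":"id-2","metadata_admin":null}},{"id":"sess-3"}]`

func main() {
	pub, _ := SessionsExposingAdminMetadata([]byte(publicSample))
	adm, _ := SessionsExposingAdminMetadata([]byte(adminSample))
	fmt.Println("public exposes:", pub, "admin exposes:", adm)
}
```

Because admin responses now include the field, the same check is also useful on any proxy or backend that forwards admin session responses toward clients.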

Migrate Helm chart repository URL from k8s.ory.sh to k8s.ory.com

The Helm chart repository URL has been updated from k8s.ory.sh to k8s.ory.com. The old URL will continue to work with redirects for a limited time. Update your Helm repository configuration to use the new URL.

Support importing all credential types when updating an identity

The PUT /admin/identities/{id} and PATCH /admin/identities endpoints now support importing credentials for all credential types, consistent with what is already available when creating an identity.

You can now import the following credential types via the update endpoint:

  • totp: Replaces existing TOTP credentials.
  • lookup_secret: Adds new lookup secret codes to the existing set.
  • webauthn: Preserves existing credentials, adds new ones, and updates credentials with matching IDs.
  • passkey: Preserves existing credentials, adds new ones, and updates credentials with matching IDs. New user handles are appended to the identifiers list.
  • oidc, saml: Keeps existing credentials and adds the new ones to the list.