v26.2.6
Fix some incorrect WebAuthn error messages
Some WebAuthn error messages were wrong: they mentioned TOTP instead of WebAuthn. They have now been fixed. This affects both the error text and the error ID.
Correctly clear WebAuthn UI nodes on login error
Due to a typo, WebAuthn UI nodes were not correctly cleared on login error. This has been fixed.
Breaking changes
This is technically a breaking change if you relied on the exact wording of those error messages or on their specific error IDs.
Add verify_new_address settings hook
A new verify_new_address hook is available for the settings profile strategy. When configured, it defers email or phone number
changes until the new address is verified. The identity's traits are only updated after the user completes verification of the new
address.
This prevents immediate replacement of verified addresses and ensures the new address is reachable before applying the change.
Carry over upstream MFA to the Ory session
Ory now trusts the authentication strength reported by upstream OpenID Connect providers. When a user signs in through an OIDC
provider such as Auth0, Okta, Keycloak, PingFederate, Microsoft Entra v1, or any generic enterprise IdP, Ory reads the acr
(Authentication Context Class Reference) and amr (Authentication Methods References) claims from the upstream ID token and
records them on the resulting session.
You can now mark a provider's login as AAL2 based on those claims. Two new configuration fields on every OIDC provider let you specify which upstream values count as "the user already completed MFA":
aal2_acr_values: list of upstream acr claim values (for example urn:okta:loa:2fa:any or http://schemas.openid.net/pape/policies/2007/06/multi-factor) that elevate the session to AAL2 when the ID token's acr claim equals one of them.
aal2_amr_values: list of upstream amr claim values (mfa, otp, hwk, and other RFC 8176 values) that elevate the session to AAL2 when any of them appears in the ID token's amr array.
If neither list matches, the session falls back to AAL1. If you enforce AAL2 through session.whoami_required_aal, Ory prompts
the user for a second factor only when the upstream IdP did not already provide one. Both fields are optional; leave them empty to
keep today's behavior. Because a match elevates the session without Ory verifying a second factor itself, list only values that the
provider issues exclusively after completing its own MFA.
The upstream acr and amr values are stored on the session's authentication_methods entry (upstream_acr and upstream_amr
fields) for auditing. They are visible on /sessions/whoami and in webhook payloads.
You can configure the new fields for each provider in the Ory Console under Authentication → Social sign-in → Edit provider.
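The matching rule above, written out as an added Go example (not Kratos' own code): a provider config with the two new lists, the acr/amr claims of an already verified upstream ID token, the resulting authentication_methods entry with the upstream_acr and upstream_amr audit fields, and the whoami_required_aal decision. The struct shapes, the field names other than the ones the notes name, and the sample ID token payloads are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// AAL values as Ory names them on the session.
const (
	AAL1 = "aal1"
	AAL2 = "aal2"
)

// ProviderConfig carries the two new per-provider fields (illustrative
// struct, not Kratos' own config type).
type ProviderConfig struct {
	ID            string
	AAL2ACRValues []string // aal2_acr_values
	AAL2AMRValues []string // aal2_amr_values
}

// IDTokenClaims is the subset of the upstream ID token we read. Per OIDC
// Core, acr is a single string and amr is an array of RFC 8176 values.
type IDTokenClaims struct {
	ACR string   `json:"acr,omitempty"`
	AMR []string `json:"amr,omitempty"`
}

// AuthMethod models the session's authentication_methods entry including
// the upstream_acr / upstream_amr audit fields (field set assumed here).
type AuthMethod struct {
	Method      string   `json:"method"`
	Provider    string   `json:"provider"`
	AAL         string   `json:"aal"`
	UpstreamACR string   `json:"upstream_acr,omitempty"`
	UpstreamAMR []string `json:"upstream_amr,omitempty"`
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// ResolveAAL applies the rule: acr equal to a configured value, or any amr
// entry found in the configured list, yields AAL2; otherwise AAL1. Empty
// lists never match, so an unconfigured provider keeps today's AAL1.
func ResolveAAL(cfg ProviderConfig, c IDTokenClaims) string {
	if c.ACR != "" && contains(cfg.AAL2ACRValues, c.ACR) {
		return AAL2
	}
	for _, m := range c.AMR {
		if contains(cfg.AAL2AMRValues, m) {
			return AAL2
		}
	}
	return AAL1
}

// RecordUpstream builds the session entry from the claims of an ALREADY
// VERIFIED ID token (signature, iss, aud, nonce, exp checked by the OIDC
// client first). Trusting acr/amr from an unverified token would let a
// forged token mint an AAL2 session.
func RecordUpstream(cfg ProviderConfig, verifiedPayload []byte) (AuthMethod, error) {
	var c IDTokenClaims
	if err := json.Unmarshal(verifiedPayload, &c); err != nil {
		return AuthMethod{}, fmt.Errorf("parse id token claims: %w", err)
	}
	return AuthMethod{
		Method: "oidc", Provider: cfg.ID, AAL: ResolveAAL(cfg, c),
		UpstreamACR: c.ACR, UpstreamAMR: c.AMR,
	}, nil
}

// NeedsSecondFactor is the whoami_required_aal decision: prompt only when
// AAL2 is required and the upstream login did not already reach it.
func NeedsSecondFactor(requiredAAL string, m AuthMethod) bool {
	return requiredAAL == AAL2 && m.AAL != AAL2
}

func main() {
	okta := ProviderConfig{
		ID:            "okta",
		AAL2ACRValues: []string{"urn:okta:loa:2fa:any"},
		AAL2AMRValues: []string{"mfa", "otp", "hwk"},
	}
	// Constructed payloads; a real one is the verified JWT's claim set.
	for _, p := range []string{
		`{"acr":"urn:okta:loa:2fa:any","amr":["pwd","otp"]}`,
		`{"acr":"urn:okta:loa:1fa:any","amr":["pwd"]}`,
	} {
		m, err := RecordUpstream(okta, []byte(p))
		if err != nil {
			panic(err)
		}
		out, _ := json.Marshal(m)
		fmt.Printf("%s prompt_second_factor=%v\n", out, NeedsSecondFactor(AAL2, m))
	}
}
```

The first payload lands on AAL2 through the acr match and no second-factor prompt is needed; the second carries only a password amr and stays at AAL1, so the whoami_required_aal check would send the user through Ory's own second factor.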
SCIM group events now include externalId and displayName
SCIM group.created, group.updated, and group.deleted telemetry events now carry the group's externalId and displayName
as attributes, alongside the existing group ID. This lets downstream consumers correlate events with the provisioning source of
truth without a separate lookup.
SCIM group updates no longer rewrite unchanged members
When a SCIM group update touches a field that does not affect its members (for example, patching the group's displayName to the
same value), Kratos no longer rewrites the member identities. As a result, no IdentityUpdated event is emitted for members whose
SCIM data did not change.
SCIMGroupUpdated events now include added and removed identity IDs
SCIMGroupUpdated telemetry events now carry two additional attributes, SCIMGroupAddedIdentityIDs and
SCIMGroupRemovedIdentityIDs, listing the identity IDs that were added to or removed from the group by the update. Downstream
consumers can use this to act on the specific membership change instead of having to diff group state themselves.
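The two membership-related changes above (no rewrite of unchanged members, and added/removed identity IDs on the SCIMGroupUpdated event) come down to diffing the member set before writing anything. The following is an added Go example of that plan, not Kratos' own handler; the Group struct, the attribute key for the group ID, and the sample groups are assumptions constructed for the example, while the externalId, displayName, SCIMGroupAddedIdentityIDs and SCIMGroupRemovedIdentityIDs names are the ones the notes give.

```go
package main

import "sort"

// Group is a minimal SCIM group as an update handler sees it (assumed shape).
// Members holds Ory identity IDs.
type Group struct {
	ID          string
	ExternalID  string
	DisplayName string
	Members     []string
}

// GroupUpdatePlan is computed before any identity is written.
type GroupUpdatePlan struct {
	AddedIdentityIDs   []string       // SCIMGroupAddedIdentityIDs
	RemovedIdentityIDs []string       // SCIMGroupRemovedIdentityIDs
	IdentityUpdated    []string       // members that actually need an IdentityUpdated event
	EventAttributes    map[string]any // attributes on the SCIMGroupUpdated event
}

func toSet(ids []string) map[string]bool {
	s := make(map[string]bool, len(ids))
	for _, id := range ids {
		s[id] = true
	}
	return s
}

func sortedKeys(s map[string]bool) []string {
	out := make([]string, 0, len(s))
	for k := range s {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// PlanGroupUpdate diffs membership instead of rewriting every member. A patch
// that leaves membership untouched (for example displayName set to the same
// value) produces empty added/removed lists and no IdentityUpdated events,
// while still carrying externalId and displayName on the group event.
func PlanGroupUpdate(before, after Group) GroupUpdatePlan {
	was, now := toSet(before.Members), toSet(after.Members)
	added, removed, changed := map[string]bool{}, map[string]bool{}, map[string]bool{}
	for id := range now {
		if !was[id] {
			added[id], changed[id] = true, true
		}
	}
	for id := range was {
		if !now[id] {
			removed[id], changed[id] = true, true
		}
	}
	return GroupUpdatePlan{
		AddedIdentityIDs:   sortedKeys(added),
		RemovedIdentityIDs: sortedKeys(removed),
		IdentityUpdated:    sortedKeys(changed),
		EventAttributes: map[string]any{
			"group_id":                   after.ID, // key name assumed
			"externalId":                 after.ExternalID,
			"displayName":                after.DisplayName,
			"SCIMGroupAddedIdentityIDs":   sortedKeys(added),
			"SCIMGroupRemovedIdentityIDs": sortedKeys(removed),
		},
	}
}
```

A downstream consumer can then act on the two ID lists directly; members present in both the old and new group never appear in IdentityUpdated, which is the behaviour the notes describe.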