v26.2.7

Add security.disallow_ref_in_identity_schemas to lock down schema loading

Introduces an opt-in config flag, security.disallow_ref_in_identity_schemas (default false), intended for multi-tenant deployments where identity-schema URLs come from untrusted operators.

When enabled, $ref values inside identity schemas can no longer be resolved over file://, http://, or https://. This blocks server-side file reads and server-side request forgery (SSRF) through a malicious identity schema. Internal JSON-pointer refs (#/definitions/...) and self-contained base64:// refs remain allowed. The top-level schema URLs an operator configures (identity.schemas) are unaffected.

Ory Network forces the flag on. Existing self-hosted deployments keep their current behavior unless they explicitly opt in.
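To make the $ref restriction above concrete, here is an added example (written for this page, not Kratos's own implementation) of a pre-admission check a multi-tenant service could run over a tenant-submitted identity schema before storing it. It walks the JSON, finds every `$ref`, and rejects file://, http:// and https:// as the changelog describes; it also rejects any other form (including relative refs, which would resolve against the schema's base URL), an allow-list reading chosen for this example rather than something the changelog states. The two sample schemas, the function names and the metadata-service URL are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// RefViolation is one $ref the lock-down policy rejects.
type RefViolation struct {
	Path   string // JSON-pointer-like location of the $ref inside the schema
	Ref    string // the offending $ref value
	Reason string
}

// refProblem returns "" when ref is allowed, otherwise why it is not.
// Allowed: in-document JSON pointers ("#/definitions/...") and
// self-contained "base64://" documents. file://, http:// and https://
// are rejected as the changelog describes; every other form (relative
// refs included) is rejected too, an allow-list choice made in this example.
func refProblem(ref string) string {
	r := strings.ToLower(strings.TrimSpace(ref))
	switch {
	case strings.HasPrefix(r, "#"):
		return ""
	case strings.HasPrefix(r, "base64://"):
		return ""
	case strings.HasPrefix(r, "file://"):
		return "local file read via file://"
	case strings.HasPrefix(r, "http://"), strings.HasPrefix(r, "https://"):
		return "outbound request via http(s)://"
	default:
		return "not a self-contained or in-document reference"
	}
}

// collectRefs walks decoded JSON and records every disallowed "$ref".
// Keys are not JSON-pointer escaped (~0/~1); good enough for error reporting.
func collectRefs(v interface{}, path string, out *[]RefViolation) {
	switch node := v.(type) {
	case map[string]interface{}:
		if ref, ok := node["$ref"].(string); ok {
			if why := refProblem(ref); why != "" {
				*out = append(*out, RefViolation{Path: path + "/$ref", Ref: ref, Reason: why})
			}
		}
		for k, child := range node {
			collectRefs(child, path+"/"+k, out)
		}
	case []interface{}:
		for i, child := range node {
			collectRefs(child, fmt.Sprintf("%s/%d", path, i), out)
		}
	}
}

// CheckIdentitySchemaRefs parses schema and returns every disallowed $ref.
// A non-empty result is grounds to reject a tenant-supplied schema outright.
func CheckIdentitySchemaRefs(schema []byte) ([]RefViolation, error) {
	var doc interface{}
	if err := json.Unmarshal(schema, &doc); err != nil {
		return nil, fmt.Errorf("identity schema is not valid JSON: %w", err)
	}
	var bad []RefViolation
	collectRefs(doc, "", &bad)
	return bad, nil
}

// HostileSchema is a constructed tenant schema: two refs try to pull
// server-side resources, one is a legitimate in-document pointer.
const HostileSchema = `{
  "$id": "https://example.com/tenant/42.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {"$ref": "file:///etc/passwd"},
        "name":  {"$ref": "http://169.254.169.254/latest/meta-data/"},
        "nick":  {"$ref": "#/definitions/shortString"}
      }
    }
  },
  "definitions": {"shortString": {"type": "string", "maxLength": 32}}
}`

// BenignSchema uses only the reference forms that stay allowed.
const BenignSchema = `{
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {"$ref": "base64://eyJ0eXBlIjoic3RyaW5nIn0="},
        "nick":  {"$ref": "#/definitions/shortString"}
      }
    }
  },
  "definitions": {"shortString": {"type": "string", "maxLength": 32}}
}`

func main() {
	for name, s := range map[string]string{"hostile": HostileSchema, "benign": BenignSchema} {
		bad, err := CheckIdentitySchemaRefs([]byte(s))
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%s: %d disallowed $ref(s)\n", name, len(bad))
		for _, v := range bad {
			fmt.Printf("  %s -> %s (%s)\n", v.Path, v.Ref, v.Reason)
		}
	}
}
```

Note that the `$schema` and `$id` keywords are not `$ref` and are left alone; the check is deliberately narrow. Running it on a schema before it is stored lets a tenant get a clear error at upload time instead of a failed schema load later, and it complements (does not replace) turning the flag on in Kratos.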

Support for required traits during OIDC on native applications

On native applications, Kratos now supports asking the user for additional traits during the registration flow when the identity schema marks them as required but the OIDC data mapper did not supply them.

Additionally, a client can call updateRegistrationFlow with a traits object; those traits are merged with the data produced by the OIDC mapper.

This brings the native flow in line with the browser version of the registration flow.
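The following added example (not Kratos code) shows the two steps the entry above describes from a client's point of view: which required traits the mapper left unset, so the native app knows what to prompt for, and how the user's follow-up submission combines with the mapper data. The schema, the mapper output and the user submission are constructed. Two things are assumptions of this example and not stated in the changelog: mapper-derived values win over the user's submission for the same key (so a client cannot overwrite a provider-asserted email by resubmitting it), and the request body for the oidc method is `{"method":"oidc","provider":...,"traits":{...}}`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// traitsSchema reads the only part of an identity schema this example needs:
// the "traits" object and its "required" list.
type traitsSchema struct {
	Properties struct {
		Traits struct {
			Required []string `json:"required"`
		} `json:"traits"`
	} `json:"properties"`
}

// RequiredTraits returns the trait names the identity schema marks as required.
func RequiredTraits(schema []byte) ([]string, error) {
	var s traitsSchema
	if err := json.Unmarshal(schema, &s); err != nil {
		return nil, fmt.Errorf("identity schema is not valid JSON: %w", err)
	}
	return s.Properties.Traits.Required, nil
}

// MissingTraits lists required traits that are absent or null in traits,
// sorted so callers get stable output. A non-empty result is the condition
// under which the native registration flow has to ask the user for more.
func MissingTraits(required []string, traits map[string]interface{}) []string {
	missing := []string{}
	for _, name := range required {
		if v, ok := traits[name]; !ok || v == nil {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}

// MergeTraits combines user-submitted traits with the OIDC mapper output.
// Precedence is an assumption of this example: values the mapper derived
// from the provider win over user input for the same key.
func MergeTraits(mapper, user map[string]interface{}) map[string]interface{} {
	out := make(map[string]interface{}, len(mapper)+len(user))
	for k, v := range user {
		out[k] = v
	}
	for k, v := range mapper {
		out[k] = v
	}
	return out
}

// OIDCUpdateBody marshals the assumed shape of the updateRegistrationFlow
// request body for the oidc method with a traits object attached.
func OIDCUpdateBody(provider string, traits map[string]interface{}) ([]byte, error) {
	return json.Marshal(map[string]interface{}{
		"method":   "oidc",
		"provider": provider,
		"traits":   traits,
	})
}

// SampleSchema is a constructed identity schema with three required traits.
const SampleSchema = `{
  "$id": "https://example.com/person.schema.json",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email":    {"type": "string", "format": "email"},
        "name":     {"type": "string"},
        "username": {"type": "string"}
      },
      "required": ["email", "name", "username"]
    }
  }
}`

// MapperOutput stands in for what the OIDC mapper produced from the
// provider's claims: no username claim was available (constructed).
var MapperOutput = map[string]interface{}{
	"email": "alice@example.com",
	"name":  "Alice Example",
}

// UserSubmission is what the native app sends in the follow-up
// updateRegistrationFlow call; it also tries to change the email (constructed).
var UserSubmission = map[string]interface{}{
	"username": "alice",
	"email":    "attacker@example.net",
}

func main() {
	required, err := RequiredTraits([]byte(SampleSchema))
	if err != nil {
		panic(err)
	}
	fmt.Println("missing before user input:", MissingTraits(required, MapperOutput))
	merged := MergeTraits(MapperOutput, UserSubmission)
	fmt.Println("missing after merge:", MissingTraits(required, merged))
	body, _ := OIDCUpdateBody("github", UserSubmission)
	fmt.Println("update body:", string(body))
}
```

The merge order is the security-relevant choice: whichever side Kratos actually lets win, a client should not rely on resubmitting traits to override what the identity provider asserted, and the server should validate the merged result against the schema before creating the identity.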