v26.3.2
v26.3.2
Enforce a DNS-label boundary on wildcard return URLs and CORS origins
A wildcard in a return URL or CORS origin is now honored only when the * is confined to a subdomain label and the host part
after it is a registrable domain (an eTLD+1, such as https://*.example.com or https://*.example.co.uk). The wildcard then
matches only hosts under that one customer-owned domain.
These forms are no longer honored, because each can match an attacker-registrable host:
- dot-less, e.g.
https://*foo.com(matcheshttps://evilfoo.com); - public-suffix base, e.g.
https://*.com,https://*.co.uk,https://*.vercel.app; - trailing or bare, e.g.
https://www.example.*,https://*.
Only the host is checked: wildcards in the URL path are unaffected. Exact origins, the catch-all *, and Hydra's https://*
("all hosts for a scheme") are unchanged.
What enforces it
- Return URLs: Kratos drops unsafe wildcard
allowed_return_urlsentries when it loads its config, and they never match. - CORS origins: matching across Kratos, Hydra, Keto, Oathkeeper, and Talos enforces the same boundary at request time.
Breaking changes
Replace any unsafe wildcard with the labelled https://*.example.com form, or list exact origins. Update
serve.*.cors.allowed_origins and Kratos allowed_return_urls before upgrading; otherwise cross-origin requests and post-flow
redirects from those hosts will be blocked.
First-factor device login with an app PIN
Enrolled mobile devices can now complete a full AAL2 login in one step using an app PIN or platform biometrics, without a password or SMS code. The PIN is never transmitted or stored: it unlocks an on-device secret, and the server verifies a proof bound to the device's hardware-backed key. After the configurable number of wrong PIN attempts (default 5) the key locks and the user must recover through the fallback login.
New selfservice.methods.deviceauthn.config options:
first_factor— enable first-factor device login (defaultfalse).pin_max_attempts— number of wrong PIN attempts before the key locks (default5).ios_biometric_first_factor— allow platform biometrics as a first-factor credential on iOS (defaultfalse). iOS needs this explicit opt-in because App Attest cannot prove that the key is biometric-gated; Android platform keys are attestation-verified and need no opt-in.
Breaking change: device keys enrolled before this release carry no user_verification and can no longer authenticate. Step-up
login rejects them with a dedicated "enroll your device again" message, and they no longer count as active second factors, so
affected accounts keep their first-factor login and can re-enroll the device in settings.
Faster conflict detection during OIDC login and registration
Ory Kratos now runs identity conflict lookups concurrently when checking whether an OIDC login or registration matches an existing account. Previously each credential identifier, verifiable address, and recovery address was checked one after another; now Kratos checks all candidates at once with bounded concurrency. This cuts sign-in latency, especially in multi-region deployments where each lookup crosses regions.