DATE:
AUTHOR: Ory Team

Ory Network, Ory Hydra, Ory Kratos, Ory Polis v26.2.22 released


Ory Network

More reliable, lower-memory identity search

Two related changes to the identity search index:

Fix — search results no longer disappear after a search-service restart. Searching identities in the Ory Console by traits, metadata, or email could silently miss some identities after an internal restart of the search service, even though those identities still existed. The affected fields are now stored durably so they survive a restart.

Memory reduction (breaking). The search index is trimmed back to roughly its previous memory footprint by dropping two capabilities that were not required:

  • Faceting on metadata keys (facet_by on metadata_public / metadata_admin / traits keys) is removed; such a request now returns an error. Faceting on lifecycle fields (state, region, schema_id, …) is unaffected.

  • Substring (infix) search on metadata is removed. Substring search on traits — notably traits.email by domain — is retained.

Token search, exact and array-membership filtering, numeric range filtering, and verbatim field return are all unchanged. Existing search collections are rebuilt automatically on rollout, restoring complete results in the new, lower-memory schema.

Fix duration validation pattern in API specs and SDKs

The NullDuration schema and other duration fields used inconsistent validation patterns across the Hydra, Kratos, and combined Ory SDKs. Some specs required exactly one time unit (^[0-9]+(ns|us|ms|s|m|h)$), which rejected valid multi-unit values such as 2m0s — the canonical form that servers return after normalizing a duration like 2m. Other specs allowed zero or more units (*), which incorrectly accepted the empty string.

All duration patterns now use a single, consistent form that matches every non-negative Go duration string a server can emit, including multiple units, fractional values, and the micro sign: ^(\d+(\.\d+)?(ns|us|µs|ms|s|m|h))+$. Generated SDK clients (for example Python with Pydantic) no longer raise validation errors when reading values such as 2m0s, 1.5s, or 500µs returned by the API. The pattern still rejects a leading minus sign, so a field that can legitimately hold a negative duration would need a wider pattern.

This also removes the unused nullDuration schema from the Hydra, Kratos, and combined SDK specs. The schema was never referenced — duration fields inline their definition — so the only effect is that an unused model no longer appears in generated SDKs.

Much faster OAuth2 logout

This change improves performance of OAuth2/OpenID Connect logout by moving to a database-free implementation. Logout challenges and verifiers are now self-contained encrypted tokens instead of database rows, and the lookup of clients registered for front- and back-channel logout uses a single indexed query.

API behavior and the user-facing flow are unchanged, with one exception: the admin endpoint GET /admin/oauth2/auth/requests/logout no longer returns 410 Gone for an already-handled logout request, because there is no stored "handled" state left to detect. Clients that branched on 410 should drop that case.

Upgrade notes:

  • Run SQL migrations before rolling out this version. The new client lookup query requires the index added by this release; on CockroachDB the query fails if the index is missing.

  • Logout flows that are in flight while the upgrade rolls out fail with "logout request expired", because their challenges were issued as database rows that the new code no longer reads. A user who retries completes normally on the new version.

Preserve SAML audience and ACS URL overrides when updating a connection

Updating a SAML SSO connection through the Console API project config now applies the proxy_saml_audience_override and proxy_acs_url fields. Before, these overrides were only sent when a connection was first created, so changing them on an existing connection had no effect and the connection kept its original values.

You no longer need to delete and recreate a connection to change its audience or ACS URL override, which removes the brief authentication gap that the delete-and-recreate workaround caused for the affected partner.


This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.


Ory Hydra

Fix duration validation pattern in API specs and SDKs

The NullDuration schema and other duration fields used inconsistent validation patterns across the Hydra, Kratos, and combined Ory SDKs. Some specs required exactly one time unit (^[0-9]+(ns|us|ms|s|m|h)$), which rejected valid multi-unit values such as 2m0s — the canonical form that servers return after normalizing a duration like 2m. Other specs allowed zero or more units (*), which incorrectly accepted the empty string.

All duration patterns now use a single, consistent form that matches every non-negative Go duration string a server can emit, including multiple units, fractional values, and the micro sign: ^(\d+(\.\d+)?(ns|us|µs|ms|s|m|h))+$. Generated SDK clients (for example Python with Pydantic) no longer raise validation errors when reading values such as 2m0s, 1.5s, or 500µs returned by the API. The pattern still rejects a leading minus sign, so a field that can legitimately hold a negative duration would need a wider pattern.

This also removes the unused nullDuration schema from the Hydra, Kratos, and combined SDK specs. The schema was never referenced — duration fields inline their definition — so the only effect is that an unused model no longer appears in generated SDKs.

Much faster OAuth2 logout

This change improves performance of OAuth2/OpenID Connect logout by moving to a database-free implementation. Logout challenges and verifiers are now self-contained encrypted tokens instead of database rows, and the lookup of clients registered for front- and back-channel logout uses a single indexed query.

API behavior and the user-facing flow are unchanged, with one exception: the admin endpoint GET /admin/oauth2/auth/requests/logout no longer returns 410 Gone for an already-handled logout request, because there is no stored "handled" state left to detect. Clients that branched on 410 should drop that case.

Upgrade notes:

  • Run SQL migrations before rolling out this version. The new client lookup query requires the index added by this release; on CockroachDB the query fails if the index is missing.

  • Logout flows that are in flight while the upgrade rolls out fail with "logout request expired", because their challenges were issued as database rows that the new code no longer reads. A user who retries completes normally on the new version.
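To make the "self-contained encrypted token" design concrete for the logout change described above (under Ory Network and Ory Hydra), here is an added Go illustration. It is not Hydra's implementation: the AES-256-GCM choice, the LogoutRequest fields, and the names Sealer, Seal and Open are this example's own assumptions. It shows the properties a stateless challenge needs: the request state rides inside the token, the token is bound to its purpose so a challenge cannot be replayed as a verifier, and a token minted under another key, tampered with, or past its expiry collapses to the single "logout request expired" error.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// LogoutRequest is what a database row used to hold; in a stateless design it
// travels inside the challenge itself. The field set is an assumption.
type LogoutRequest struct {
	SID         string    `json:"sid"`
	Subject     string    `json:"sub"`
	RPInitiated bool      `json:"rp"`
	ExpiresAt   time.Time `json:"exp"`
}

// ErrExpired is the only failure a caller sees: wrong key, tampering, wrong
// purpose and a real expiry all mean "start the logout flow again".
var ErrExpired = errors.New("logout request expired")

// Sealer mints and verifies self-contained tokens with AES-256-GCM.
type Sealer struct{ aead cipher.AEAD }

func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead}, nil
}

// Seal encrypts req. The purpose ("challenge" or "verifier") goes into the
// GCM additional data, so a challenge cannot be replayed as a verifier.
func (s *Sealer) Seal(purpose string, req LogoutRequest) (string, error) {
	plain, err := json.Marshal(req)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Layout: nonce || ciphertext || tag, URL-safe so it fits a query parameter.
	out := s.aead.Seal(nonce, nonce, plain, []byte(purpose))
	return base64.RawURLEncoding.EncodeToString(out), nil
}

// Open authenticates, decrypts and checks expiry against now.
func (s *Sealer) Open(purpose, token string, now time.Time) (LogoutRequest, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	ns := s.aead.NonceSize()
	if err != nil || len(raw) < ns {
		return LogoutRequest{}, ErrExpired
	}
	plain, err := s.aead.Open(nil, raw[:ns], raw[ns:], []byte(purpose))
	if err != nil {
		return LogoutRequest{}, ErrExpired
	}
	var req LogoutRequest
	if err := json.Unmarshal(plain, &req); err != nil {
		return LogoutRequest{}, ErrExpired
	}
	if !now.Before(req.ExpiresAt) {
		return LogoutRequest{}, ErrExpired
	}
	return req, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // fixed demo key; use a managed secret in practice
	s, _ := NewSealer(key)
	now := time.Now()
	tok, _ := s.Seal("challenge", LogoutRequest{SID: "sess-1", Subject: "user-1", ExpiresAt: now.Add(5 * time.Minute)})
	req, err := s.Open("challenge", tok, now)
	fmt.Println(req.SID, err) // sess-1 <nil>
	_, err = s.Open("verifier", tok, now)
	fmt.Println(err) // logout request expired
	old, _ := NewSealer(bytes.Repeat([]byte{0x01}, 32))
	_, err = old.Open("challenge", tok, now)
	fmt.Println(err) // logout request expired
}
```

The trade-off is the one the note itself states: nothing records that a token has been consumed, so a challenge stays valid until it expires rather than until it is handled, and short lifetimes are what bound replay of a captured challenge URL.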

Revoke login sessions by subject in batches

Revoking all login sessions for a subject through DELETE /admin/oauth2/auth/sessions/login?subject=... now deletes the sessions in bounded batches instead of a single statement.

Previously, a subject with a very large number of login sessions produced a single, very large delete that could exceed the database's transaction limits or time out, failing with a "context canceled" error and leaving the sessions in place. Deleting in batches keeps each transaction small, so the request completes reliably regardless of how many sessions a subject has.

The endpoint's behavior is unchanged for callers: all matching login sessions are removed. If the request is canceled partway through, the sessions deleted so far stay deleted and the call can be safely retried to finish the rest.
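The retry property above is worth seeing end to end. The Go program below is an added illustration, not Hydra's code: DeleteInBatches, MemStore and CancelAndRetry are this example's names, and the SQL shape in the comment uses hypothetical table and column names. It drives a bounded delete loop against an in-memory stand-in for the sessions table, cancels the request after two batches the way a client timeout would, and then retries to show that earlier batches stay committed and the retry only has to finish the remainder.

```go
package main

import (
	"context"
	"fmt"
)

// DeleteBatchFunc deletes at most limit sessions for one subject and reports
// how many rows went away. Against SQL it would wrap a statement shaped like
//   DELETE FROM login_sessions WHERE id IN
//     (SELECT id FROM login_sessions WHERE subject = $1 LIMIT $2)
// (table and column names are hypothetical).
type DeleteBatchFunc func(ctx context.Context, limit int) (int, error)

// DeleteInBatches keeps issuing small deletes until one comes back short or
// the context is done. Every batch commits on its own, so progress survives a
// cancellation and a retry simply continues from where it stopped.
func DeleteInBatches(ctx context.Context, batchSize int, deleteBatch DeleteBatchFunc) (int, error) {
	total := 0
	for {
		if err := ctx.Err(); err != nil {
			return total, err
		}
		n, err := deleteBatch(ctx, batchSize)
		total += n
		if err != nil {
			return total, err
		}
		if n < batchSize {
			return total, nil
		}
	}
}

// MemStore stands in for the sessions table: subject -> session IDs.
type MemStore struct {
	Sessions map[string][]string
	Batches  int // number of delete statements executed
}

// DeleteBatch is the in-memory equivalent of the bounded DELETE above.
func (m *MemStore) DeleteBatch(subject string) DeleteBatchFunc {
	return func(ctx context.Context, limit int) (int, error) {
		if err := ctx.Err(); err != nil { // a real driver checks this too
			return 0, err
		}
		ids := m.Sessions[subject]
		n := limit
		if n > len(ids) {
			n = len(ids)
		}
		m.Sessions[subject] = ids[n:]
		m.Batches++
		return n, nil
	}
}

// Outcome summarises a cancelled run followed by a retry.
type Outcome struct {
	FirstDeleted int
	FirstErr     error
	RetryDeleted int
	Remaining    int
	Batches      int
}

// CancelAndRetry seeds count constructed sessions for one subject, cancels the
// request after two batches, then retries with a fresh context.
func CancelAndRetry(count, batchSize int) Outcome {
	ids := make([]string, count)
	for i := range ids {
		ids[i] = fmt.Sprintf("sess-%d", i)
	}
	store := &MemStore{Sessions: map[string][]string{"alice": ids}}
	del := store.DeleteBatch("alice")

	ctx, cancel := context.WithCancel(context.Background())
	flaky := func(ctx context.Context, limit int) (int, error) {
		n, err := del(ctx, limit)
		if store.Batches == 2 {
			cancel() // the caller goes away mid-way
		}
		return n, err
	}
	first, firstErr := DeleteInBatches(ctx, batchSize, flaky)
	cancel()

	retry, _ := DeleteInBatches(context.Background(), batchSize, del)
	return Outcome{
		FirstDeleted: first, FirstErr: firstErr, RetryDeleted: retry,
		Remaining: len(store.Sessions["alice"]), Batches: store.Batches,
	}
}

func main() {
	o := CancelAndRetry(2500, 1000)
	fmt.Printf("first run: %d deleted, err=%v; retry: %d deleted; remaining=%d; batches=%d\n",
		o.FirstDeleted, o.FirstErr, o.RetryDeleted, o.Remaining, o.Batches)
}
```

The loop stops on a short batch rather than on a separate count query, so it never needs a transaction spanning the whole set; the batch size is the knob that keeps each statement inside the database's transaction and statement-timeout limits.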


This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.


Ory Kratos

Fix duration validation pattern in API specs and SDKs

The NullDuration schema and other duration fields used inconsistent validation patterns across the Hydra, Kratos, and combined Ory SDKs. Some specs required exactly one time unit (^[0-9]+(ns|us|ms|s|m|h)$), which rejected valid multi-unit values such as 2m0s — the canonical form that servers return after normalizing a duration like 2m. Other specs allowed zero or more units (*), which incorrectly accepted the empty string.

All duration patterns now use a single, consistent form that matches every non-negative Go duration string a server can emit, including multiple units, fractional values, and the micro sign: ^(\d+(\.\d+)?(ns|us|µs|ms|s|m|h))+$. Generated SDK clients (for example Python with Pydantic) no longer raise validation errors when reading values such as 2m0s, 1.5s, or 500µs returned by the API. The pattern still rejects a leading minus sign, so a field that can legitimately hold a negative duration would need a wider pattern.

This also removes the unused nullDuration schema from the Hydra, Kratos, and combined SDK specs. The schema was never referenced — duration fields inline their definition — so the only effect is that an unused model no longer appears in generated SDKs.
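The Go program below is an added illustration for this duration-pattern note (which appears under Ory Network, Ory Hydra and Ory Kratos); it is not code from Ory's SDK generators. It compiles the old single-unit pattern, a reconstruction of the old zero-or-more pattern, and the unified pattern, then runs them against strings a Go server actually emits via time.Duration.String(). AcceptedBy, Canonical and RoundTrips are this example's names, and the micro sign in the pattern is written as \x{00B5} so it survives copy-and-paste.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// The three patterns from the release note. The first two are the old,
// inconsistent spec patterns (the zero-or-more one is reconstructed from
// the description); the third is the unified pattern.
var (
	oldSingleUnit = regexp.MustCompile(`^[0-9]+(ns|us|ms|s|m|h)$`)
	oldZeroOrMore = regexp.MustCompile(`^([0-9]+(ns|us|ms|s|m|h))*$`)
	unified       = regexp.MustCompile(`^(\d+(\.\d+)?(ns|us|\x{00B5}s|ms|s|m|h))+$`)
)

// Verdict records which patterns accept a given string.
type Verdict struct {
	SingleUnit, ZeroOrMore, Unified bool
}

// AcceptedBy runs one string through all three patterns.
func AcceptedBy(s string) Verdict {
	return Verdict{
		SingleUnit: oldSingleUnit.MatchString(s),
		ZeroOrMore: oldZeroOrMore.MatchString(s),
		Unified:    unified.MatchString(s),
	}
}

// Canonical mimics a Go server that parses a configured duration and
// serialises it back: time.ParseDuration("2m").String() yields "2m0s".
func Canonical(in string) (string, error) {
	d, err := time.ParseDuration(in)
	if err != nil {
		return "", err
	}
	return d.String(), nil
}

// RoundTrips canonicalises each input and returns the ones whose server-side
// form the unified pattern would still reject (an SDK client would then fail
// to deserialise the response). Negative durations are the known gap.
func RoundTrips(inputs []string) []string {
	var rejected []string
	for _, in := range inputs {
		c, err := Canonical(in)
		if err != nil {
			rejected = append(rejected, in+" (unparseable)")
			continue
		}
		if !unified.MatchString(c) {
			rejected = append(rejected, in+" -> "+c)
		}
	}
	return rejected
}

func main() {
	for _, s := range []string{"2m0s", "1.5s", "500\u00b5s", "", "-1s"} {
		v := AcceptedBy(s)
		fmt.Printf("%-8q singleUnit=%-5v zeroOrMore=%-5v unified=%v\n",
			s, v.SingleUnit, v.ZeroOrMore, v.Unified)
	}
	fmt.Println("rejected after canonicalisation:",
		RoundTrips([]string{"2m", "90s", "1.5s", "500us", "1h30m", "0", "-1s"}))
}
```

RoundTrips is the check worth keeping in a spec test suite: feed it every duration value your configuration accepts and assert it returns nothing, since what matters is not the form an operator typed but the form the server sends back.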

Support multiple passkey display-name traits in identity schemas

Identity schemas can now flag more than one trait with passkey.display_name: true or webauthn.identifier: true. Creating a registration flow no longer fails with HTTP 500 and "no identifier found" when both email and phone (or any other combination) are flagged as passkey display-name sources.

The browser picks the first form field that the user actually filled in, so the same schema can serve email-only and phone-only signup paths without breaking either one. Schemas that flag a single trait, or none at all, continue to work as before.

The fix is backward compatible. Custom registration UIs that parse passkey_create_data and read the existing displayNameFieldName field continue to work; the new displayNameFieldNames array is published alongside it for clients that want the full candidate list.


This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.


Ory Polis

Fix cross-tenant identity provider selection via idp_hint in Polis

The idp_hint parameter on the SAML Identity Federation and SSO endpoints selected an upstream identity provider connection by id without checking that the connection belonged to the requesting tenant and product. On a multi-tenant deployment, a co-tenant could supply the id of a connection in their own tenant as idp_hint for another tenant's federation app, routing the login to an identity provider they control and obtaining a Polis-signed assertion audienced to the victim's downstream service provider.

Polis now scopes the hinted connection to the requesting flow. A hint is accepted only when the connection belongs to the requested tenant and product, to one of a multi-tenant federation app's tenants, or — for IdP-initiated SSO — to the identity provider that issued the response. Out-of-scope hints are rejected with 403. The upstream-response callback re-checks that the selected connection is within the session's tenant scope.

In-scope use of idp_hint, including for multi-tenant federation apps, is unchanged.
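The fix above is an authorization check on a caller-supplied identifier, and the shape of that check is worth seeing next to the bug. The Go program below is an added illustration, not Polis's code (Polis is not written in Go): Connection, FederationApp, SelectByHintVulnerable, SelectByHint and InScope are this example's names and the data is constructed. The vulnerable function resolves idp_hint as a bare row id; the hardened one resolves it and then requires the connection to belong to the requesting tenant and product, or to one of the federation app's tenants, and the same InScope predicate is what the upstream-response callback would re-run. The IdP-initiated case is left out.

```go
package main

import (
	"errors"
	"fmt"
)

// Connection is an upstream identity provider connection. Tenant and product
// are the two attributes scoping needs; the field names are assumptions.
type Connection struct {
	ID, Tenant, Product string
}

// FederationApp is a SAML federation app; a multi-tenant app lists every
// tenant whose connections it may route to.
type FederationApp struct {
	Tenants []string
	Product string
}

var (
	ErrNotFound  = errors.New("404: no connection with that id")
	ErrForbidden = errors.New("403: idp_hint connection is outside the requesting tenant and product")
)

func findByID(conns []Connection, id string) (Connection, bool) {
	for _, c := range conns {
		if c.ID == id {
			return c, true
		}
	}
	return Connection{}, false
}

// SelectByHintVulnerable is the pre-fix behaviour: the hint is trusted as an
// opaque row id and whatever it names is used, whoever owns it.
func SelectByHintVulnerable(conns []Connection, hint string) (Connection, error) {
	c, ok := findByID(conns, hint)
	if !ok {
		return Connection{}, ErrNotFound
	}
	return c, nil
}

// InScope is the single authorization predicate: the connection must belong
// to the requesting tenant and product, or to one of the federation app's
// tenants for the same product. Reusing it at the callback means a hint
// accepted at the start of the flow cannot be swapped mid-flight.
func InScope(c Connection, tenant, product string, app *FederationApp) bool {
	if c.Product != product {
		return false
	}
	if c.Tenant == tenant {
		return true
	}
	if app != nil && app.Product == product {
		for _, t := range app.Tenants {
			if c.Tenant == t {
				return true
			}
		}
	}
	return false
}

// SelectByHint is the hardened lookup: resolve the id, then authorize it.
func SelectByHint(conns []Connection, hint, tenant, product string, app *FederationApp) (Connection, error) {
	c, ok := findByID(conns, hint)
	if !ok {
		return Connection{}, ErrNotFound
	}
	if !InScope(c, tenant, product, app) {
		return Connection{}, ErrForbidden
	}
	return c, nil
}

func main() {
	// Constructed data: two tenants on one deployment; "evil" is the co-tenant attacker.
	conns := []Connection{
		{ID: "conn-acme-okta", Tenant: "acme", Product: "saml-fed"},
		{ID: "conn-evil-own", Tenant: "evil", Product: "saml-fed"},
	}
	before, _ := SelectByHintVulnerable(conns, "conn-evil-own")
	fmt.Println("before fix, acme login routed to tenant:", before.Tenant)
	_, err := SelectByHint(conns, "conn-evil-own", "acme", "saml-fed", nil)
	fmt.Println("after fix:", err)
}
```

Two things to carry over to real code: resolve-then-authorize must happen on every entry point that reads the hint, including the callback, and if connection ids are guessable it is safer to return the same response for unknown and out-of-scope ids so a co-tenant cannot enumerate other tenants' connections.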

Preserve SAML audience and ACS URL overrides when updating a connection

Updating a SAML SSO connection through the Console API project config now applies the proxy_saml_audience_override and proxy_acs_url fields. Before, these overrides were only sent when a connection was first created, so changing them on an existing connection had no effect and the connection kept its original values.

You no longer need to delete and recreate a connection to change its audience or ACS URL override, which removes the brief authentication gap that the delete-and-recreate workaround caused for the affected partner.


This is now available on Ory Network and for the Ory Enterprise License.


Ory Keto, Ory Oathkeeper, Ory Elements, and Ory Terraform

No significant changes in this release.
