arrow-left Back to Announcements
DATE:
AUTHOR:
Ory Team
Ory Network Ory Hydra Ory Kratos Ory Oathkeeper Ory Enterprise License

Ory Network, Ory Hydra, Ory Kratos, Ory Oathkeeper v26.2.10 released

DATE:
AUTHOR: Ory Team

Ory Network

Test an OIDC provider before rolling it out

You can now trigger a test login flow for any OIDC provider you configured on a project, either from the Console social sign-in settings page or directly from the Kratos admin API. The new POST /admin/test-login-flows endpoint returns a LoginFlow whose ID you can append to /session/test-oidc?flow=<id> on your project's Account Experience host to run a single provider round trip without affecting real user logins or creating an identity. In Console, each configured provider now has a Test connection button next to it that opens the same test flow in a new tab. The admin UI at the end of the flow shows the exact claims, mapper output, and schema validation errors, so you can debug provider and mapper issues before enabling the provider for end users.

This is now available on Ory Network.

Ory Hydra

Don't log spurious errors in Hydra OAuth 2.0 flows

This change removes spurious "the OAuth 2.0 Authorization request must be aborted" messages from Hydra's logs, which do not indicate an error but simply that the user has been redirected.

This is now available for the Ory Enterprise License and will be part of the next Ory Open Source release.

Ory Kratos

Add unified bulk session management endpoint

The admin session API now exposes a single endpoint for bulk disable and bulk delete operations across multiple identities or sessions:

  • POST /admin/sessions (manageSessions)

The action field selects the operation:

  • action: "disable" — soft-revoke matching sessions (sets active = false, preserves audit data).

  • action: "delete" — permanently delete matching sessions.

Targets are filtered by identities (a list of identity IDs) or sessions (a list of session IDs); exactly one of the two must be provided. To scope the operation to every session in the network, pass identities: ["*"]; the wildcard is not accepted in the sessions field and may not be mixed with explicit IDs. Up to 500 explicit IDs are accepted per call.

All requests respond 200 OK with {"processed": N, "more": <bool>}. processed reports how many rows the call affected (for disable, only sessions that were active before the call). more is true only when a wildcard request reached the per-call batch limit and additional matching rows may remain; callers should re-issue the same request to continue draining. Explicit-IDs requests always return more: false.

client.manageSessions({ action: "disable", identities: ["uuid-a", "uuid-b"] })
client.manageSessions({ action: "delete",  sessions:   ["uuid-c"] })
client.manageSessions({ action: "disable", identities: ["*"] })

No existing endpoints are changed.

Fix admin identity import for TOTP, lookup-secret, and passkey credentials

This change fixes two related issues with the admin identity import API (POST /admin/identities and PUT /admin/identities/{id}).

TOTP and lookup-secret can now be used at AAL2 login after import. Previously, the import wrote the credential row but did not write the matching row in identity_credential_identifiers, so the AAL2 login flow could not resolve the credential and returned "You have no TOTP device set up." (4000015) for TOTP, or "You have not configured backup codes yet." for lookup-secret.

Passkey imports without a user_handle are now rejected with a 400. A passkey's identifier is the user_handle returned by the authenticator during the WebAuthn assertion. The userHandle is generated at registration time and stored on the authenticator, so it cannot be reconstructed by the server: the import has to supply it, or inherit it from a previously persisted passkey credential. Previously, an import that omitted user_handle would silently persist a non-functional credential. The import now rejects this case up front, and also rejects imports that supply an empty credentials.passkey.config.credentials list.

Reject imported password hashes with extreme cost parameters

Kratos now bounds the cost parameters embedded in imported password hashes. Hashes that declare cost parameters far above any sane production value are rejected at the admin identity import API with a 400 Bad Request, and at login time the comparator returns a clear error instead of allocating gigabytes of memory or running for hours.

This closes a denial-of-service class where an attacker with write access to the identity graph could persist a hash whose decoded parameters would crash the Kratos process on every subsequent login attempt for that identity.

The bounds apply to Argon2 (m, t, p), PBKDF2 (i), plain scrypt (N, r, p), Firebase scrypt (ln, r, p), and bcrypt (cost). They are set comfortably above strong real-world configurations: Argon2 memory up to 1 GiB, PBKDF2 iterations up to 10,000,000, scrypt N up to 2^20, Firebase scrypt ln up to 17, and bcrypt cost up to 17.

Imports of correctly-configured hashes are unaffected.

This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.

Ory Oathkeeper

Add rule ID and OpenTelemetry trace context to Oathkeeper logs

Oathkeeper proxy and decision API log entries now include the matched access rule ID as rule_id and, when an OpenTelemetry span is in scope, the trace and span ID as otel.trace_id and otel.span_id. The trace fields use the same shape as other Ory services, so you can correlate Oathkeeper log entries with traces and with logs from upstream services without custom mapping.

This is now available for the Ory Enterprise License and will be part of the next Ory Open Source release.

Ory Keto, Ory Polis, Ory Elements, and Ory Terraform

No significant changes in this release.

Powered by LaunchNotes