Author: Ory Team
Ory Network, Ory Hydra, Ory Kratos v26.2.1 released
Ory Network
Fix identity disabled error handling during self-service flows
Previously, when attempting to recover or log in as an identity that had been disabled (state set to "inactive"), Ory Kratos would return a generic unauthorized error for API and SPA clients.
Instead, Ory Kratos now adds a newly introduced UI message (with ID 4010011) to the flow's UI messages indicating the identity is disabled.
Breaking changes
For API and SPA clients, the error response when interacting with recovery and login flows for disabled identities has been changed from a generic unauthorized error to a specific error indicating that the identity is disabled. This allows clients to handle this case more gracefully.
Upgrade instructions:
If your application already handles "invalid credentials" and other similar errors generically, no change is required.
If your application specifically checks for the previous generic unauthorized error during recovery or login flows, you will need to update your error handling logic to check for the new specific "identity disabled" error message in the UI messages of the respective flow objects.
Add CAPTCHA protection to Enterprise plans
All Enterprise plans now include support for CAPTCHA challenges to protect self-service flows against credential stuffing, brute force, and other automated attacks.
Two modes are available:
Managed CAPTCHA: no external account is required; Ory manages the Cloudflare Turnstile integration for you.
Bring Your Own CAPTCHA: connect your existing Cloudflare Turnstile account using your own Site Key and Secret Key to get detailed security analytics in the Cloudflare dashboard.
This is now available on Ory Network.
Ory Hydra
Accept custom domain issuer as valid audience in JWT Bearer Grant
When using a custom domain (CNAME) as the OAuth2 issuer URL, Hydra now accepts the issuer-derived token URL as a valid audience in JWT Bearer Grant assertions. Previously, only the internal public URL was accepted, causing JWT Bearer Grant requests to fail when clients set the audience to the custom domain token endpoint.
This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.
Ory Kratos
Fix identity disabled error handling during self-service flows
Previously, when attempting to recover or log in as an identity that had been disabled (state set to "inactive"), Ory Kratos would return a generic unauthorized error for API and SPA clients.
Instead, Ory Kratos now adds a newly introduced UI message (with ID 4010011) to the flow's UI messages indicating the identity is disabled.
Breaking changes
For API and SPA clients, the error response when interacting with recovery and login flows for disabled identities has been changed from a generic unauthorized error to a specific error indicating that the identity is disabled. This allows clients to handle this case more gracefully.
Upgrade instructions:
If your application already handles "invalid credentials" and other similar errors generically, no change is required.
If your application specifically checks for the previous generic unauthorized error during recovery or login flows, you will need to update your error handling logic to check for the new specific "identity disabled" error message in the UI messages of the respective flow objects.
This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.
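The upgrade instructions above (in both the Ory Network and Ory Kratos sections) describe checking the flow's UI messages for the new identity-disabled message. The following is an added example for an API/SPA client, not Ory's own code: it recognises message ID 4010011 in a returned login or recovery flow while still accepting the older generic unauthorized envelope, and also scans node-level messages in addition to flow-level ones. All sample responses, message texts and the non-4010011 message ID are constructed for illustration.

```javascript
// Added example, not Ory's own code: classify the response an API/SPA client
// gets when submitting a Kratos login or recovery flow, so that a disabled
// identity (UI message ID 4010011, introduced in v26.2.1) is handled
// distinctly from other failures. Sample data below is constructed.
const IDENTITY_DISABLED_MESSAGE_ID = 4010011;

// Gather flow-level and node-level UI messages from a flow object.
function collectUiMessages(flow) {
  const ui = (flow && flow.ui) || {};
  const flowLevel = Array.isArray(ui.messages) ? ui.messages : [];
  const nodes = Array.isArray(ui.nodes) ? ui.nodes : [];
  const nodeLevel = nodes.flatMap((n) => (Array.isArray(n.messages) ? n.messages : []));
  return [...flowLevel, ...nodeLevel];
}

// Returns "success", "identity_disabled", "unauthorized" (the generic error
// envelope older Kratos versions returned for disabled identities) or
// "flow_error" (a flow came back with some other validation message).
function classifyFlowResponse(status, body) {
  if (status >= 200 && status < 300) return "success";
  // Pre-v26.2.1 behaviour: a bare error object, no flow in the body.
  if (status === 401 && body && body.error && !body.ui) return "unauthorized";
  // New behaviour: the flow is returned with the disabled-identity message.
  if (collectUiMessages(body).some((m) => m.id === IDENTITY_DISABLED_MESSAGE_ID)) {
    return "identity_disabled";
  }
  return "flow_error";
}

// Constructed sample responses (shapes follow Kratos flow objects, trimmed).
const SAMPLE_DISABLED_FLOW = {
  id: "constructed-flow-id", type: "api",
  ui: {
    action: "https://example.test/self-service/login", method: "POST",
    messages: [{ id: 4010011, type: "error", text: "constructed: identity disabled" }],
    nodes: [],
  },
};
const SAMPLE_OLD_UNAUTHORIZED = {
  error: { code: 401, status: "Unauthorized", message: "constructed generic error" },
};
const SAMPLE_OTHER_ERROR_FLOW = {
  id: "constructed-flow-id-2", type: "browser",
  ui: {
    messages: [],
    // Some other validation message; the ID here is illustrative only.
    nodes: [{ messages: [{ id: 4000006, type: "error", text: "constructed: invalid credentials" }] }],
  },
};
```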
Ory Keto, Ory Oathkeeper, Ory Polis, Ory Elements, Ory Enterprise License, and Ory Terraform
No significant changes in this release.