Ory Hydra, Ory Kratos v26.2.16 released

Ory Hydra

Accept the OpenID Connect prompt=select_account value

OAuth 2.0 authorization requests that include prompt=select_account are now accepted instead of being rejected with an invalid_request error. This brings support for all OpenID Connect prompt values defined in the specification.

Because a login session is tied to a single account, select_account is treated like login: the user is always sent to the login screen, where they can authenticate with the account of their choice.

This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.

Ory Kratos

SCIM accepts schema-qualified attribute paths in PATCH and filters

SCIM endpoints now accept attribute paths and filters that are qualified with a full schema URN, as some identity providers (for example Microsoft Entra) send.

Previously a PATCH operation whose path was qualified with a schema URN — for example urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager — failed with Could not decode request body. Those paths now parse and apply correctly. The same applies to filter query parameters on the Users and Groups list endpoints and to value-path filters inside a patch path.

A patch path or filter qualified with a schema the resource does not support is now rejected with a clear 400 error that names the schema. The schema comparison is case-insensitive.

SCIM request bodies and filter query parameters are now size-limited; an oversized body is rejected with 413 instead of being read in full, and an over-long filter with 400.

This is now available on Ory Network and for the Ory Enterprise License.

Ory Network, Ory Keto, Ory Oathkeeper, Ory Polis, Ory Elements, and Ory Terraform

No significant changes in this release.