- DATE:
- AUTHOR: Ory Team
Ory Kratos v26.2.7 released
Ory Kratos
Add security.disallow_ref_in_identity_schemas to lock down schema loading
This release introduces an opt-in config flag, security.disallow_ref_in_identity_schemas (default false), intended for multi-tenant deployments where identity-schema URLs come from untrusted operators.
When enabled, $ref URLs inside identity schemas may no longer resolve to
file://, http://, or https://. This blocks server-side file reads and
request forgery attempts via malicious identity schemas. Internal JSON-pointer
refs (#/definitions/...) and self-contained base64:// refs remain allowed.
Operator-configured top-level schema URLs are unaffected.
Ory Network forces the flag on. Existing self-hosted deployments keep their current behavior unless they explicitly opt in.
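To make the effect of the flag concrete, here is an added example (not Kratos's own code) that walks a parsed identity schema, collects every $ref, and classifies it the way the release note describes: internal JSON pointers (#/...) and base64:// refs pass, file://, http:// and https:// refs are rejected. The sample schema, the fail-closed handling of unknown schemes, and the function names are assumptions of this example.

```python
"""Added example (not Ory's code): classify $ref targets in an identity schema
as the security.disallow_ref_in_identity_schemas flag is described, rejecting
file://, http:// and https:// while allowing #/... pointers and base64:// refs.
"""
import json
from urllib.parse import urlsplit

# Schemes that may not appear in $ref when the flag is enabled (from the release note).
BLOCKED_SCHEMES = {"file", "http", "https"}
# Self-contained scheme the release note says remains allowed.
ALLOWED_SCHEMES = {"base64"}


def classify_ref(ref: str) -> str:
    """Return 'internal', 'allowed' or 'blocked' for one $ref value."""
    if ref.startswith("#"):
        return "internal"  # JSON pointer into the same document
    scheme = urlsplit(ref).scheme.lower()
    if scheme in BLOCKED_SCHEMES:
        return "blocked"
    if scheme in ALLOWED_SCHEMES:
        return "allowed"
    # Assumption of this example: anything else (relative paths, unknown schemes)
    # fails closed rather than guessing how a resolver would interpret it.
    return "blocked"


def find_refs(node, path="$"):
    """Yield (json_path, ref) for every "$ref" key anywhere in a parsed schema."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "$ref" and isinstance(value, str):
                yield path, value
            else:
                yield from find_refs(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_refs(item, f"{path}[{i}]")


def disallowed_refs(schema_json: str, disallow_ref_in_identity_schemas: bool = True):
    """Return (path, ref) pairs that would be rejected under the flag.

    With the flag off (the self-hosted default) nothing is rejected, mirroring
    the opt-in behaviour described in the release note.
    """
    if not disallow_ref_in_identity_schemas:
        return []
    schema = json.loads(schema_json)
    return [(p, r) for p, r in find_refs(schema) if classify_ref(r) == "blocked"]


# Constructed sample: a tenant-supplied schema containing all three kinds of $ref.
SAMPLE_SCHEMA = json.dumps({
    "$id": "https://example.invalid/tenant.schema.json",
    "type": "object",
    "properties": {
        "traits": {
            "type": "object",
            "properties": {
                "email": {"$ref": "#/definitions/email"},
                "profile": {"$ref": "file:///etc/passwd"},
                "address": {"$ref": "https://example.invalid/remote.json"},
                "phone": {"$ref": "base64://eyJ0eXBlIjoic3RyaW5nIn0="},
            },
        }
    },
    "definitions": {"email": {"type": "string", "format": "email"}},
})

if __name__ == "__main__":
    for path, ref in disallowed_refs(SAMPLE_SCHEMA):
        print(f"rejected {ref} at {path}")
```

Note that the top-level "$id" URL is not a $ref and is therefore untouched, which matches the release note's statement that operator-configured top-level schema URLs are unaffected.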
Support for required traits during OIDC on native applications
On native applications, Kratos now supports asking the user to supply additional traits during the registration flow when the identity schema requires traits that the OIDC mapper did not supply.
Additionally, you can use the updateRegistrationFlow operation to supply traits that are merged with the OIDC mapper data.
This aligns the functionality with the browser version of the registration flow.
This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.
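As an added illustration of the native flow described above (example code, not Kratos's own), the block below computes which required traits the OIDC mapper left unfilled, merges the traits the user then supplies with the mapper output, and builds the request body for the follow-up updateRegistrationFlow call. The body shape (method, provider, traits), the precedence rule that mapper-provided values win over user-supplied ones, and all sample data are assumptions of this example, not taken from the release note.

```python
"""Added example (not Ory's code): find required traits missing from OIDC mapper
output, merge user-supplied traits with it, and build an updateRegistrationFlow body.
"""


def required_traits(identity_schema: dict) -> list:
    """Names listed under properties.traits.required in an identity schema."""
    traits = identity_schema.get("properties", {}).get("traits", {})
    return list(traits.get("required", []))


def missing_traits(identity_schema: dict, traits: dict) -> list:
    """Required traits that are absent or empty in the given trait set."""
    return [t for t in required_traits(identity_schema) if traits.get(t) in (None, "")]


def merge_traits(mapped_traits: dict, user_supplied: dict) -> dict:
    """Merge user-supplied traits into mapper data.

    Assumption of this example: values the mapper set from the identity
    provider take precedence, so a user cannot overwrite e.g. the mapped email.
    """
    merged = dict(user_supplied)
    merged.update({k: v for k, v in mapped_traits.items() if v not in (None, "")})
    return merged


def build_update_body(provider: str, identity_schema: dict,
                      mapped_traits: dict, user_supplied: dict) -> dict:
    """Body for the updateRegistrationFlow call that completes OIDC registration.

    Raises ValueError if required traits are still missing after the merge,
    so the client can prompt the user again instead of submitting an invalid flow.
    The method/provider/traits shape is an assumption about the Kratos API.
    """
    traits = merge_traits(mapped_traits, user_supplied)
    still_missing = missing_traits(identity_schema, traits)
    if still_missing:
        raise ValueError(f"required traits still missing: {still_missing}")
    return {"method": "oidc", "provider": provider, "traits": traits}


# Constructed sample identity schema: email and username are required.
SAMPLE_SCHEMA = {
    "$id": "https://example.invalid/identity.schema.json",
    "type": "object",
    "properties": {
        "traits": {
            "type": "object",
            "properties": {
                "email": {"type": "string", "format": "email"},
                "username": {"type": "string"},
                "name": {"type": "string"},
            },
            "required": ["email", "username"],
        }
    },
}

# Constructed mapper output: the provider gave an email and a name, but no username.
MAPPED_TRAITS = {"email": "alice@example.invalid", "name": "Alice"}

# Constructed user input from the native app's follow-up form.
USER_SUPPLIED = {"username": "alice", "email": "other@example.invalid"}

if __name__ == "__main__":
    print("missing before prompt:", missing_traits(SAMPLE_SCHEMA, MAPPED_TRAITS))
    print(build_update_body("github", SAMPLE_SCHEMA, MAPPED_TRAITS, USER_SUPPLIED))
```

In the sample, the user's attempt to change the email is discarded because the mapper already set it; only the missing username is taken from the form.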
Ory Network, Ory Hydra, Ory Keto, Ory Oathkeeper, Ory Polis, Ory Elements, and Ory Terraform
No significant changes in this release.