- AUTHOR: Ory Team
Ory Network, Ory Hydra, Ory Kratos, Ory Keto, Ory Oathkeeper, Ory Elements v26.2.8 released
Ory Network
Hide Ory branding on qualifying plans
Customers on the Growth and Enterprise plans can now hide the Ory badge on the
Account Experience by setting hide_ory_branding on their project. The flag is
returned from the Account Experience configuration endpoints and is respected
by the elements-react DefaultCard component, which omits the badge when the
flag is set.
Projects on plans that do not include the feature keep the badge. If a project
has the flag set and later moves to a plan without the entitlement, the flag is
silently reset to false on the next project upsert.
This is now available on Ory Network.
Ory Hydra
Fix 409 Conflict errors on fresh CockroachDB v26.1 installs
Fresh Hydra installs on CockroachDB v26.1 returned a
"409 Conflict: Unable to insert or update resource because a resource with
that value exists already" error on the first request to
/.well-known/jwks.json after running migrations. The error blocked Hydra
from auto-generating its JSON Web Key Sets, which in turn prevented OAuth
token verification by relying parties.
Only fresh installs are affected. Existing deployments that ran the initial migrations on an earlier CockroachDB version and later upgraded their cluster to v26.1 are not affected, because the problematic behavior happens at migration time rather than at cluster upgrade time. Deployments on PostgreSQL, MySQL, or SQLite are also unaffected.
A new CockroachDB-only migration drops both phantom indexes if they are present. No operator action is required beyond applying migrations.
SSRF protection improvements
Error messages originating from the SSRF protection mechanism no longer leak IP addresses if the hostname resolves to an internal IP address. This prevents SSRF recon through user-supplied URLs and hostnames.
This is now available for the Ory Enterprise License and will be part of the next Ory Open Source release.
Ory Kratos
SSRF protection improvements
Error messages originating from the SSRF protection mechanism no longer leak IP addresses if the hostname resolves to an internal IP address. This prevents SSRF recon through user-supplied URLs and hostnames.
This is now available for the Ory Enterprise License and will be part of the next Ory Open Source release.
Ory Keto
SSRF protection improvements
Error messages originating from the SSRF protection mechanism no longer leak IP addresses if the hostname resolves to an internal IP address. This prevents SSRF recon through user-supplied URLs and hostnames.
This is now available for the Ory Enterprise License and will be part of the next Ory Open Source release.
Ory Oathkeeper
SSRF protection improvements
Error messages originating from the SSRF protection mechanism no longer leak IP addresses if the hostname resolves to an internal IP address. This prevents SSRF recon through user-supplied URLs and hostnames.
This is now available for the Ory Enterprise License and will be part of the next Ory Open Source release.
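The SSRF error-message change listed for Hydra, Kratos, Keto and Oathkeeper can be illustrated with the following added example, which is not Ory's code: a destination check whose client-facing error stays generic while the resolved address goes only to a server-side log line. The function names, the lookup table, the hostnames and the wording of the "leaky" message are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// ErrDestinationNotAllowed is all the requester learns about a blocked host.
var ErrDestinationNotAllowed = errors.New("destination not allowed")

// constructedDNS is constructed sample data standing in for real DNS answers.
var constructedDNS = map[string]string{
	"metadata.example.test": "169.254.169.254",
	"intranet.example.test": "::ffff:10.0.12.7",
	"public.example.test":   "203.0.113.10",
}

// internal reports whether addr is loopback, private, link-local or unspecified.
func internal(addr netip.Addr) bool {
	addr = addr.Unmap() // treat ::ffff:10.0.12.7 as 10.0.12.7
	return addr.IsLoopback() || addr.IsPrivate() || addr.IsLinkLocalUnicast() || addr.IsUnspecified()
}

// checkHost returns a server-side log line and the error shown to the client.
// leaky=true reproduces a message that echoes the resolved address (assumed wording).
func checkHost(host string, leaky bool) (logLine string, err error) {
	raw, ok := constructedDNS[host]
	if !ok {
		return "ssrf-guard: no answer for " + host, ErrDestinationNotAllowed
	}
	addr := netip.MustParseAddr(raw)
	if !internal(addr) {
		return "", nil
	}
	logLine = fmt.Sprintf("ssrf-guard: %s resolved to internal address %s", host, addr)
	if leaky {
		return logLine, fmt.Errorf("%s resolves to prohibited address %s", host, addr)
	}
	return logLine, ErrDestinationNotAllowed
}

func main() {
	for host := range constructedDNS {
		_, before := checkHost(host, true)
		logLine, after := checkHost(host, false)
		fmt.Printf("%s\n  before: %v\n  after:  %v\n  log:    %s\n", host, before, after, logLine)
	}
}
```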
Ory Elements
Hide Ory branding on qualifying plans
Customers on the Growth and Enterprise plans can now hide the Ory badge on the
Account Experience by setting hide_ory_branding on their project. The flag is
returned from the Account Experience configuration endpoints and is respected
by the elements-react DefaultCard component, which omits the badge when the
flag is set.
Projects on plans that do not include the feature keep the badge. If a project
has the flag set and later moves to a plan without the entitlement, the flag is
silently reset to false on the next project upsert.
This is now available on Ory Network.
Ory Polis and Ory Terraform
No significant changes in this release.