DATE:
AUTHOR:
Ory Team

Ory Network, Ory Hydra, Ory Kratos, Ory Keto, Ory Oathkeeper, Ory Elements v26.2.4 released


Ory Network

Add break-glass account recovery for organization identities

Organization members can now be designated for break-glass account recovery. These users can recover their account through email-based recovery, bypassing SSO enforcement. This is useful for users whose SSO provider is (temporarily) unavailable.

The recovery address stores the organization UUID in break_glass_for_organization, scoping the bypass to a specific organization. If the user changes organizations, the flag doesn't carry over. The identity admin API also supports setting this field directly via PATCH /admin/identities/{id} on the recovery_addresses array.

Configure password migration hook in the Ory Console

Admins can now configure a password migration webhook directly from the Ory Console under Developers → Actions.

Select the new Password migration flow type to set up a webhook that Ory calls at login time to verify a user's password against a legacy system. The execution and method fields are hidden for this flow type, and the Jsonnet body is pre-filled with ctx.identifier and ctx.password — the fields Ory passes to the hook.

Identities imported with use_password_migration_hook: true now show a Migration pending warning badge on the identity detail page, making it clear that the user has not yet completed their password migration.
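As an added example (not Ory's code), a minimal Go webhook for the password migration flow described above: it receives the identifier and password that the pre-filled Jsonnet body sends, checks them against a constructed legacy hash store in constant time, and answers with the result. The response contract (HTTP 200 with status password_match on success, HTTP 403 on mismatch), the salted SHA-256 legacy scheme, and the sample user are assumptions; check the Ory docs for the exact hook contract before deploying.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"net/http"
)

// Constructed legacy store: identifier -> {salt, salted SHA-256 hex}. Stand-in for bcrypt/Argon2.
var legacyUsers = map[string][2]string{
	"alice@example.com": {"s4lt", hashWithSalt("s4lt", "correct horse battery")},
}
func hashWithSalt(salt, password string) string {
	sum := sha256.Sum256([]byte(salt + ":" + password))
	return hex.EncodeToString(sum[:])
}

// verifyLegacyPassword compares digests in constant time; unknown users always fail.
func verifyLegacyPassword(identifier, password string) bool {
	u, ok := legacyUsers[identifier]
	if !ok {
		return false
	}
	got := hashWithSalt(u[0], password)
	return subtle.ConstantTimeCompare([]byte(got), []byte(u[1])) == 1
}

// migrationRequest mirrors the pre-filled Jsonnet body: { identifier: ctx.identifier, password: ctx.password }
type migrationRequest struct {
	Identifier string `json:"identifier"`
	Password   string `json:"password"`
}

// migrationHandler is what Ory calls at login. Assumed contract (check the Ory docs):
// HTTP 200 with {"status":"password_match"} on success, HTTP 403 on mismatch.
func migrationHandler(w http.ResponseWriter, r *http.Request) {
	var req migrationRequest
	if r.Method != http.MethodPost || json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<16)).Decode(&req) != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	if !verifyLegacyPassword(req.Identifier, req.Password) {
		http.Error(w, "forbidden", http.StatusForbidden) // wrong password or unknown user: Ory rejects the login
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(map[string]string{"status": "password_match"})
}
```

Expose the handler only over TLS and restrict it to Ory's callers, since it accepts plaintext passwords.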

Include metadata_admin in admin session endpoint responses

Admin session endpoints now include metadata_admin in the expanded identity, consistent with admin identity endpoints. Previously, metadata_admin was stripped from session responses even on admin endpoints.

Affected endpoints:

  • GET /admin/sessions?expand=identity

  • GET /admin/sessions/{id}?expand=identity

  • GET /admin/identities/{id}/sessions

Public endpoints remain unchanged and continue to exclude metadata_admin.

Project members page now accessible to all project members

The project members page (/settings/collaborators) previously returned a 403 error for users who were invited directly to a project but were not members of the parent workspace. The page now works for all project members.

The project members API (GET /projects/{project}/members) now returns all users with access to the project, including those who inherit access through workspace membership. Each member includes a source field ("project" or "workspace") indicating how they gained access.

SSO enforcement bypass for organization identities

For workspaces with Console SSO enabled, administrators can toggle account recovery per member on the members page of the workspace settings.

Show all additional traits in the identity schema confirmation dialog

When you create a custom identity schema, the confirmation dialog lists the traits that are not identifiers under Additional traits. Previously, the dialog only listed traits that declared an ory.sh/kratos configuration, so traits without that configuration (such as plain string, number, or boolean fields) were silently omitted. The dialog now also lists these traits, giving you an accurate summary of your schema before you save it.


This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.


Ory Hydra

Add oauth2.preserve_ext_claims configuration option

Previously, when mirror_top_level_claims was disabled, custom claims that were not promoted to the top level of the access token were silently dropped. The new oauth2.preserve_ext_claims setting (default false) keeps those claims in the ext object instead.

Migrate Helm chart repository URL from k8s.ory.sh to k8s.ory.com

The Helm chart repository URL has been updated from k8s.ory.sh to k8s.ory.com. The old URL will continue to work with redirects for a limited time. Update your Helm repository configuration to use the new URL.

Remove CGO requirement by switching to modernc.org/sqlite

This release migrates SQLite support from mattn/go-sqlite3 (CGO) to modernc.org/sqlite (pure Go) and fixes several timestamp comparison bugs that caused incorrect pagination results. The migration is fully backwards compatible. Going forward, the -tags sqlite build tag is no longer required to compile Ory Hydra.


This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.


Ory Kratos

Add break-glass account recovery for organization identities

Organization members can now be designated for break-glass account recovery. These users can recover their account through email-based recovery, bypassing SSO enforcement. This is useful for users whose SSO provider is (temporarily) unavailable.

The recovery address stores the organization UUID in break_glass_for_organization, scoping the bypass to a specific organization. If the user changes organizations, the flag doesn't carry over. The identity admin API also supports setting this field directly via PATCH /admin/identities/{id} on the recovery_addresses array.

Fix settings flow requiring reauthentication when editing non-privileged traits on verified identities

Users with a verified email address can now update non-privileged traits (such as first name or last name) through the settings flow without being prompted to reauthenticate. Previously, the privileged-session check incorrectly triggered whenever any verifiable address on the identity had a non-nil verification timestamp, because the internal deep copy of the identity corrupted the timestamp's representation.

Fixes ory/kratos#4435.

Improve the performance of finding identity credentials

Kratos now loads identity credential type mappings from the database once at startup and caches them in memory for the lifetime of the process. This eliminates a JOIN on the identity_credential_types table from every call to FindByCredentialsIdentifier, reducing query cost and improving login performance.

This also works for self-hosted installations that have non-standard UUIDs in the identity_credential_types table, left over from a time when these UUIDs were generated dynamically (they are now constants).

Include metadata_admin in admin session endpoint responses

Admin session endpoints now include metadata_admin in the expanded identity, consistent with admin identity endpoints. Previously, metadata_admin was stripped from session responses even on admin endpoints.

Affected endpoints:

  • GET /admin/sessions?expand=identity

  • GET /admin/sessions/{id}?expand=identity

  • GET /admin/identities/{id}/sessions

Public endpoints remain unchanged and continue to exclude metadata_admin.

Migrate Helm chart repository URL from k8s.ory.sh to k8s.ory.com

The Helm chart repository URL has been updated from k8s.ory.sh to k8s.ory.com. The old URL will continue to work with redirects for a limited time. Update your Helm repository configuration to use the new URL.

Support importing all credential types when updating an identity

The PUT /admin/identities/{id} and PATCH /admin/identities endpoints now support importing credentials for all credential types, consistent with what is already available when creating an identity.

You can now import the following credential types via the update endpoint:

  • totp: Replaces existing TOTP credentials.

  • lookup_secret: Adds new lookup secret codes to the existing set.

  • webauthn: Preserves existing credentials, adds new ones, and updates credentials with matching IDs.

  • passkey: Preserves existing credentials, adds new ones, and updates credentials with matching IDs. New user handles are appended to the identifiers list.

  • oidc, saml: Keeps existing credentials and adds the new ones to the list.

Remove CGO requirement by switching to modernc.org/sqlite

This release migrates SQLite support from mattn/go-sqlite3 (CGO) to modernc.org/sqlite (pure Go) and fixes several timestamp comparison bugs that caused incorrect pagination results. The migration is fully backwards compatible. Going forward, the -tags sqlite build tag is no longer required to compile Ory Kratos.


This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.


Ory Keto

Migrate Helm chart repository URL from k8s.ory.sh to k8s.ory.com

The Helm chart repository URL has been updated from k8s.ory.sh to k8s.ory.com. The old URL will continue to work with redirects for a limited time. Update your Helm repository configuration to use the new URL.

Remove CGO requirement by switching to modernc.org/sqlite

This release migrates SQLite support from mattn/go-sqlite3 (CGO) to modernc.org/sqlite (pure Go) and fixes several timestamp comparison bugs that caused incorrect pagination results. The migration is fully backwards compatible. Going forward, the -tags sqlite build tag is no longer required to compile Ory Keto.


This is now available for the Ory Enterprise License and will be part of the next Ory Open Source release.


Ory Oathkeeper

Migrate Helm chart repository URL from k8s.ory.sh to k8s.ory.com

The Helm chart repository URL has been updated from k8s.ory.sh to k8s.ory.com. The old URL will continue to work with redirects for a limited time. Update your Helm repository configuration to use the new URL.


This is now available for the Ory Enterprise License and will be part of the next Ory Open Source release.


Ory Elements

Add transientPayload prop to Elements React flow components

The @ory/elements-react flow components (Login, Registration, Recovery, Verification, Settings) and OryProvider now accept a transientPayload prop. This lets you include arbitrary data in the transient_payload field of Kratos flow submissions, which is forwarded to webhooks and available in email templates.

The prop accepts either a static object or a function that receives the current form values at submission time. User-provided values are merged with any existing transient payload fields from UI nodes (such as captcha responses), with user-provided values taking priority.

Event lifecycle callback props in Ory Elements

The self-service flow components in Ory Elements now expose onSuccess, onValidationError, and onError props that allow you to handle form submissions and receive events for success, validation errors and failed flows. This allows you to forward these events to your own analytics or tracking tools, giving you better insights into user interactions with the self-service flows.

Fix missing styling on the settings page user menu

The user menu on the settings page now renders with the correct styling. Previously, opening the menu showed an unstyled list because the dropdown's portaled content rendered outside the .ory-elements CSS scope, so none of the Tailwind utility classes matched. The dropdown portal now re-establishes that scope internally, so the menu items, background, borders, and spacing all render as intended.


This will be available in the next Ory Open Source release.


Ory Polis and Ory Terraform

No significant changes in this release.
