DATE:
AUTHOR:
Ory Team
Ory Network Ory Kratos Ory Oathkeeper Ory Enterprise License

Ory Network, Ory Kratos, Ory Oathkeeper, Ory Elements v26.2.0 released


Ory Network

Automatic account linking for Google and Apple providers

You can now enable automatic account linking for Google and Apple social sign-in providers. When enabled, users who sign in with a Google or Apple account that shares a verified email address with an existing identity are automatically linked to that identity without requiring additional verification.

This feature introduces a new account_linking_mode setting on OIDC provider configuration with two modes:

  • confirm_with_existing_credential (default) - requires the user to verify their identity with an existing credential before linking. This preserves the current behavior.

  • automatic - silently links the accounts when the provider has verified the user's email and a matching verified email exists on an existing identity.

Automatic linking is only available for Apple and Google consumer accounts. Google Workspace accounts (identified by the hd claim) are excluded because expired domains can be re-registered by an attacker, allowing them to take over accounts. Both the existing identity and the incoming provider identity must have a verified email for auto-linking to take effect.

Surface external ID conflicts in batch identity import

A bug was fixed that caused conflict errors on the external_id field to be hidden during batch identity imports.

This issue occurred when multiple records with the same external_id or records with an external_id that already existed in the database were imported. This made it impossible to identify the source of the conflict.

With this fix, any conflicts on the external_id field will now be properly reported, allowing for easier troubleshooting and resolution of import issues.


This is now available on Ory Network.


Ory Kratos

Automatic account linking for Google and Apple providers

You can now enable automatic account linking for Google and Apple social sign-in providers. When enabled, users who sign in with a Google or Apple account that shares a verified email address with an existing identity are automatically linked to that identity without requiring additional verification.

This feature introduces a new account_linking_mode setting on OIDC provider configuration with two modes:

  • confirm_with_existing_credential (default) — requires the user to verify their identity with an existing credential before linking. This preserves the current behavior.

  • automatic — silently links the accounts when the provider has verified the user's email and a matching verified email exists on an existing identity.

Automatic linking is only available for Apple and Google consumer accounts. Google Workspace accounts (identified by the hd claim) are excluded because expired domains can be re-registered by an attacker, allowing them to take over accounts. Both the existing identity and the incoming provider identity must have a verified email for auto-linking to take effect.
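The conditions above, which apply to both Ory Network and Ory Kratos, can be written as a single decision function. This is an added illustration, not Ory's implementation: the type names, provider labels, reason strings and the exact-match email comparison are assumptions made for the sketch.

```go
package main

import "fmt"

// Claims is a constructed subset of the provider's ID token claims.
type Claims struct {
	Provider      string // "google" or "apple" (labels assumed for this sketch)
	Email         string
	EmailVerified bool
	HD            string // Google Workspace hosted domain; empty for consumer accounts
}

// Address is a hypothetical stand-in for an email stored on an identity.
type Address struct {
	Value    string
	Verified bool
}

// AutoLinkAllowed applies the release note's conditions and reports whether
// silent linking may proceed, with a reason. Emails are assumed normalized.
func AutoLinkAllowed(mode string, c Claims, existing []Address) (bool, string) {
	switch {
	case mode != "automatic":
		return false, "mode is not automatic"
	case c.Provider != "google" && c.Provider != "apple":
		return false, "provider not eligible"
	case c.HD != "":
		return false, "workspace account (hd claim present)"
	case !c.EmailVerified:
		return false, "provider email not verified"
	}
	for _, a := range existing {
		if a.Value == c.Email {
			if a.Verified {
				return true, "verified email match"
			}
			return false, "existing email not verified"
		}
	}
	return false, "no matching email"
}

func main() {
	existing := []Address{{Value: "alice@example.com", Verified: true}}
	c := Claims{Provider: "google", Email: "alice@example.com", EmailVerified: true}
	fmt.Println(AutoLinkAllowed("automatic", c, existing)) // consumer account
	c.HD = "example.com"
	fmt.Println(AutoLinkAllowed("automatic", c, existing)) // Workspace account
}
```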

Surface external ID conflicts in batch identity import

A bug was fixed that caused conflict errors on the external_id field to be hidden during batch identity imports.

This issue occurred when multiple records with the same external_id or records with an external_id that already existed in the database were imported. This made it impossible to identify the source of the conflict.

With this fix, any conflicts on the external_id field will now be properly reported, allowing for easier troubleshooting and resolution of import issues.


This is now available for the Ory Enterprise License, and will be part of the next Ory Open Source release.


Ory Oathkeeper

Improved handling of forwarded headers

This release improves how Ory Oathkeeper handles forwarded headers. When the configuration option serve.proxy.trust_forwarded_headers is disabled, all X-Forwarded* headers and the standard Forwarded header are now removed before the request is processed and forwarded. Previously, only the X-Forwarded, X-Forwarded-Host, and X-Forwarded-Proto headers were removed. If the downstream service relies on any of the X-Forwarded* headers, it is recommended to enable the serve.proxy.trust_forwarded_headers configuration option to ensure proper handling of forwarded headers.
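To see which client-supplied headers a service behind the proxy would have received before and after this change, the two stripping rules can be modeled side by side. This is an added example, not Oathkeeper's code: the function names are hypothetical and the sample headers (including X-Forwarded-Port) are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// isForwarded matches the new rule: Forwarded and every X-Forwarded* header.
func isForwarded(c string) bool {
	return c == "Forwarded" || strings.HasPrefix(c, "X-Forwarded")
}

// isLegacy matches only the three headers removed before this release.
func isLegacy(c string) bool {
	return c == "X-Forwarded" || c == "X-Forwarded-Host" || c == "X-Forwarded-Proto"
}

// Strip deletes every header selected by drop and returns the forwarding
// headers that remain, sorted, so leftovers are easy to spot.
func Strip(h http.Header, drop func(string) bool) []string {
	left := []string{}
	for name := range h {
		c := http.CanonicalHeaderKey(name)
		if drop(c) {
			delete(h, name)
		} else if isForwarded(c) {
			left = append(left, c)
		}
	}
	sort.Strings(left)
	return left
}

// SampleHeaders returns constructed client-supplied request headers.
func SampleHeaders() http.Header {
	return http.Header{
		"X-Forwarded-For": {"203.0.113.7"}, "X-Forwarded-Host": {"app.example.com"},
		"X-Forwarded-Proto": {"https"}, "X-Forwarded-Port": {"443"},
		"Forwarded": {"for=203.0.113.7"}, "Accept": {"application/json"},
	}
}

func main() {
	fmt.Println("before this release:", Strip(SampleHeaders(), isLegacy))
	fmt.Println("after this release: ", Strip(SampleHeaders(), isForwarded))
}
```

A service that read any header in the first list from untrusted clients was relying on unfiltered input; after the upgrade those headers only arrive if trust_forwarded_headers is enabled.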


This is now available for the Ory Enterprise License and will be part of the next Ory Open Source release.


Ory Elements

Autofocus on the first input field of the auth forms

This change adds autofocus behavior to the first input field of the authentication forms, improving user experience by allowing users to start typing immediately without having to click on the input field first.


This is now available on Ory Network and will be part of the next Ory Open Source release.


Ory Hydra, Ory Keto, Ory Polis, Ory Elements, Ory Enterprise License, and Ory Terraform

No significant changes in this release.
