- AUTHOR: Ory Team
Ory Network, Ory Kratos v26.2.6 released
Ory Network
Carry over upstream MFA to the Ory session
Ory now trusts the authentication strength reported by upstream OpenID Connect
providers. When a user signs in through an OIDC provider such as Auth0, Okta,
Keycloak, PingFederate, Microsoft Entra v1, or any generic enterprise IdP, Ory
reads the acr (Authentication Context Class Reference) and amr
(Authentication Methods References) claims from the upstream ID token and
records them on the resulting session.
You can now mark a provider's login as AAL2 based on those claims. Two new configuration fields on every OIDC provider let you specify which upstream values count as "the user already completed MFA":
- aal2_acr_values: list of upstream acr claim values (for example urn:okta:loa:2fa:any, http://schemas.openid.net/pape/policies/2007/06/multi-factor) that elevate the session to AAL2.
- aal2_amr_values: list of upstream amr claim values (mfa, otp, hwk, and other RFC 8176 values) that elevate the session to AAL2 when any of them appears in the upstream amr array.
If neither list matches, the session falls back to AAL1. If you enforce AAL2
through session.whoami_required_aal, Ory prompts the user for a second
factor only when the upstream IdP did not already provide one. Both fields
are optional; leave them empty to keep today's behavior.
The upstream acr and amr values are stored on the session's
authentication_methods entry (upstream_acr and upstream_amr fields) for
auditing. They are visible on /sessions/whoami and in webhook payloads.
You can configure the new fields for each provider in the Ory Console under Authentication → Social sign-in → Edit provider.
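The mapping the two lists drive, written out as an added example (not Ory's code): the provider block and the ID-token claims are constructed, the field names come from the page, and tolerating a bare-string amr is my assumption rather than documented behavior.

```python
# Constructed provider configuration; keys mirror the two new fields described above.
PROVIDER_CONFIG = {
    "id": "okta",  # constructed provider id
    "aal2_acr_values": [
        "urn:okta:loa:2fa:any",
        "http://schemas.openid.net/pape/policies/2007/06/multi-factor",
    ],
    "aal2_amr_values": ["mfa", "otp", "hwk"],
}


def resolve_session_aal(id_token_claims, provider):
    """Decide the session AAL from the upstream acr/amr claims.

    Returns a dict shaped like the session's authentication_methods entry:
    the AAL granted plus the raw upstream values kept for auditing.
    """
    acr = id_token_claims.get("acr")
    amr = id_token_claims.get("amr") or []
    if isinstance(amr, str):  # RFC 8176 says amr is an array; assumption: accept a bare string
        amr = [amr]
    acr_matches = acr is not None and acr in provider.get("aal2_acr_values", [])
    amr_matches = any(v in provider.get("aal2_amr_values", []) for v in amr)
    return {
        "method": "oidc",
        "provider": provider["id"],
        # Either list matching is enough; empty lists keep the old AAL1 behavior.
        "aal": "aal2" if (acr_matches or amr_matches) else "aal1",
        "upstream_acr": acr,
        "upstream_amr": amr,
    }


def second_factor_required(session_aal, whoami_required_aal):
    """True only when AAL2 is enforced and the upstream IdP did not already provide it."""
    return whoami_required_aal == "aal2" and session_aal != "aal2"
```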
This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.
Ory Kratos
Fix some incorrect WebAuthn error messages
Some WebAuthn error messages were wrong: they mentioned TOTP instead of WebAuthn. They have now been fixed. This affects both the error text and the error ID.
Correctly clear WebAuthn UI nodes on login error
Due to a typo, WebAuthn UI nodes were not correctly cleared on login error. This has been fixed.
Breaking changes
This is technically a breaking change if you relied on the exact wording of the error message, or on specific error IDs.
Add verify_new_address settings hook
A new verify_new_address hook is available for the settings profile strategy. When configured, it defers email or phone number changes until the new address is verified. The identity's traits are only updated after the user completes verification of the new address.
This prevents immediate replacement of verified addresses and ensures the new address is reachable before applying the change.
SCIM group events now include externalId and displayName
SCIM group.created, group.updated, and group.deleted telemetry events now carry the group's externalId and displayName as attributes, alongside the existing group ID. This lets downstream consumers correlate events with the provisioning source of truth without a separate lookup.
SCIM group updates no longer rewrite unchanged members
When a SCIM group update touches a field that does not affect its members (for
example, patching the group's displayName to the same value), Kratos no longer
rewrites the member identities. As a result, no IdentityUpdated event is
emitted for members whose SCIM data did not change.
SCIMGroupUpdated events now include added and removed identity IDs
SCIMGroupUpdated telemetry events now carry two additional attributes,
SCIMGroupAddedIdentityIDs and SCIMGroupRemovedIdentityIDs, listing the
identity IDs that were added to or removed from the group by the update.
Downstream consumers can use this to act on the specific membership change
instead of having to diff group state themselves.
This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.
Ory Hydra, Ory Keto, Ory Oathkeeper, Ory Polis, Ory Elements, and Ory Terraform
No significant changes in this release.