DATE:
AUTHOR:
Ory Team
Tags: Ory Hydra, Ory Kratos, Ory Keto, Ory Oathkeeper, New Feature

Ory v25.4.0 released!

Combined release notes for v25.4.0 of Ory Enterprise License, Ory Hydra, Ory Kratos, Ory Keto, and Ory Oathkeeper.

Ory Hydra v25.4

This release brings first-class support for agentic authorization with the Device Authorization Grant (RFC 8628) and OAuth 2.1 discovery endpoint, making it easier for agents, IoT devices, and headless clients to obtain and manage access securely. Combined with new consent-chain revocation and migration fixes for CockroachDB v25+, Hydra v25.4 strengthens its role as the web and AI scale-ready OAuth 2.1 and OpenID Connect server for modern applications.

Ory has moved to a new versioning scheme. Read about our new version scheme here. Interested in self-hosting Ory with support, SLAs, and advanced features? Check out our offerings.

Highlights

Agentic authentication use cases

This release makes Ory Hydra a stronger foundation for agentic authentication, where autonomous agents or constrained devices need to obtain and manage access without a full browser or direct human interaction. Two key updates enable this:

  • Device authorization grant (RFC 8628): Essential for headless or limited-input clients (e.g., smart TVs, IoT devices, AI agents). It allows users to securely authorize agents through a secondary device, solving a common gap in agentic workflows.

  • OAuth 2.1 discovery endpoint: Hydra now serves both OpenID Connect and OAuth 2.1 discovery documents, aligning with emerging standards. This simplifies integration for agents that expect OAuth 2.1 metadata and removes friction in federated or automated flows.

Together, these features address longstanding issues for agentic use cases by combining standards compliance with Hydra’s production-grade session and consent handling.

Device authorization grant (RFC 8628)

Adds full device flow support for devices without a browser or with limited input (smart TVs, consoles, agents).

Revoke token chains by consent challenge ID

New capability to revoke the entire token chain (refresh token and all derived access tokens) produced by a specific consent session.

OAuth 2.1 discovery endpoint

Hydra now serves /.well-known/oauth-authorization-server in addition to /.well-known/openid-configuration to aid OAuth 2.1 and certain integrations (per RFC 8414).
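The two items above, metadata discovery and the device grant, are easiest to understand as one exchange. The following is an added example, not Ory's code: a headless client first fetches the RFC 8414 document and refuses to continue if the issuer inside it does not match the issuer it asked for, then runs the RFC 8628 device flow and handles authorization_pending, slow_down, access_denied and expired_token as the RFC prescribes. Both sides are in the file; the server side is an in-memory stub, and its paths (/oauth2/device/auth, /oauth2/token, /oauth2/device/verify), issuer, client id and timings are assumptions, not values taken from the release notes.

```python
"""RFC 8414 discovery followed by the RFC 8628 device flow, both sides in one file.
Added example, not Ory code; the stub's endpoint paths and timings are assumptions."""
import secrets

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
MIN_POLL_INTERVAL = 5  # seconds, advertised to the client as "interval"


class StubAuthorizationServer:  # constructed server side; its clock is advanced by the client's wait()
    def __init__(self, issuer):
        self.issuer, self.clock, self.pending = issuer, 0, {}

    def metadata(self):  # body of /.well-known/oauth-authorization-server (RFC 8414)
        return {"issuer": self.issuer,
                "token_endpoint": f"{self.issuer}/oauth2/token",
                "device_authorization_endpoint": f"{self.issuer}/oauth2/device/auth",
                "grant_types_supported": ["authorization_code", "refresh_token", DEVICE_GRANT]}

    def device_authorization(self, client_id):  # RFC 8628 section 3.2
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # e.g. 1A2B-3C4D
        device_code = secrets.token_urlsafe(32)
        self.pending[device_code] = {"user_code": user_code, "client_id": client_id, "decision": None,
                                     "last_poll": None, "expires_at": self.clock + 600}
        return {"device_code": device_code, "user_code": user_code, "interval": MIN_POLL_INTERVAL,
                "verification_uri": f"{self.issuer}/oauth2/device/verify", "expires_in": 600}

    def decide(self, user_code, allow):  # user enters the code on another device; case-insensitive match
        for state in self.pending.values():
            if state["user_code"] == user_code.strip().upper():
                state["decision"] = allow

    def token(self, grant_type, device_code, client_id):  # RFC 8628 sections 3.4 and 3.5
        state = self.pending.get(device_code)
        if grant_type != DEVICE_GRANT or state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock > state["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        previous, state["last_poll"] = state["last_poll"], self.clock
        if previous is not None and self.clock - previous < MIN_POLL_INTERVAL:
            return {"error": "slow_down"}
        if state["decision"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # single use, whatever the decision was
        if not state["decision"]:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer", "expires_in": 3600}


class DeviceFlowClient:  # headless client (agent, CLI, TV); wait(seconds) blocks between polls
    def __init__(self, server, expected_issuer, client_id, wait):
        self.server, self.expected_issuer, self.client_id, self.wait = server, expected_issuer, client_id, wait

    def discover(self):
        md = self.server.metadata()
        # RFC 8414 section 3.3: "issuer" must equal the issuer the document was fetched for.
        if md.get("issuer") != self.expected_issuer:
            raise ValueError("discovery document issuer mismatch")
        if DEVICE_GRANT not in md.get("grant_types_supported", []):
            raise ValueError("server does not advertise the device grant")
        return md

    def obtain_token(self, show_user_code):
        self.discover()
        auth = self.server.device_authorization(self.client_id)
        show_user_code(auth["verification_uri"], auth["user_code"])  # rendered on the device
        interval, polls = auth["interval"], 0
        while True:
            self.wait(interval)
            polls += 1
            resp = self.server.token(DEVICE_GRANT, auth["device_code"], self.client_id)
            error = resp.get("error")
            if error is None:
                return resp, polls
            if error == "slow_down":  # RFC 8628 section 3.5: add 5 seconds and keep polling
                interval += 5
            elif error != "authorization_pending":
                raise PermissionError(error)  # access_denied, expired_token, invalid_grant


def run_scenario(allow, decide_after_polls=2, impatient=False):
    """The user decides during the wait before poll number decide_after_polls; an impatient
    client sleeps 4 s less than told and must absorb a slow_down. Values are constructed."""
    server, shown, polls = StubAuthorizationServer("https://hydra.example.test"), {}, [0]

    def wait(seconds):
        server.clock += (seconds - 4) if impatient else seconds
        polls[0] += 1
        if polls[0] == decide_after_polls:
            server.decide(shown["user_code"].lower(), allow)  # lower case on purpose

    client = DeviceFlowClient(server, server.issuer, "agent-client", wait)
    try:
        token, n = client.obtain_token(lambda uri, code: shown.update(uri=uri, user_code=code))
        return {"outcome": "granted", "token_type": token["token_type"], "polls": n}
    except PermissionError as exc:
        return {"outcome": str(exc), "polls": polls[0]}
```

run_scenario(True) is granted on the second poll; run_scenario(True, impatient=True) needs a third poll because the second one is answered with slow_down; leaving decide_after_polls unreachable runs the code past its 600-second lifetime and ends in expired_token. The issuer comparison in discover() is the check that makes the discovery document safe to trust for endpoint URLs.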

Improvements

  • Lower latency when revoking linked Kratos sessions by making revocation asynchronous.

  • Client updates with JWKS URI: PATCH/PUT requests are no longer rejected when json_web_keys_uri is set and json_web_keys is also present.

  • JWT query performance: added an index for faster JWT-related lookups.

  • CLI: clearer usage/help examples.

Fixes

  • CockroachDB v25+ migrations: corrected/updated migration scripts; includes device-flow down/auto-commit fixes.

  • Postgres UUIDs: use uuid_generate_v4() instead of MD5-based generation (enable the uuid-ossp extension if not already).

  • Case-insensitive user_code scrubbing in device flow.

  • Validation: tos_uri validation corrected.

  • Docs: fixed JWT access token documentation link.

Security and dependencies

  • go-jose v3.0.4 with a backport for CVE-2025-27144.

  • Go toolchain upgrades (1.24.x) and crypto stack updates (e.g., ThalesGroup/crypto11, circl) addressing advisories.

  • General dependency hygiene and CI hardening.

Upgrade notes

  1. Run migrations before rolling out v2.4.0.

    • CockroachDB users on v25+: this release includes specific migration fixes; ensure your migration runner picks up the updated scripts.

    • Postgres users: ensure uuid-ossp is enabled (CREATE EXTENSION IF NOT EXISTS "uuid-ossp";) to support native UUIDs.

  2. Device flow UI: add the two required screens/routes in your login/consent app to use RFC 8628.

  3. Monitoring: if you scrape Prometheus on public endpoints, expect additional metrics.

Ory Kratos v25.4

This release introduces passwordless authentication via SMS, expanded passkey and WebAuthn support, new SAML and OIDC features, extended event emission for observability, and significant database and API optimizations. Ory Kratos v25.4 also prepares for compatibility with the new Ory Elements v1.0 by introducing improvements to self-service flows.

Operators gain better migration tooling, performance improvements, and more robust hooks.

Ory has moved to a new versioning scheme. Read about our new version scheme here. Interested in self-hosting Ory with support, SLAs, and advanced features (B2B SSO, organization login, FedCM, multi-tenancy …)? Check out our offerings.

Highlights

Passwordless and recovery improvements

  • Added passwordless login and registration via SMS.

  • Recovery codes can now be delivered by SMS.

  • Significantly improved recovery flows, which now work with any address type and with multiple addresses (email or SMS).

  • Added resend node for verification after registration.

Passkeys and other credentials

  • Support for Android WebAuthn origins, enabling secure passkeys on Android.

  • Emission of oryWebAuthnInitialized event when WebAuthn is ready in the browser.

  • Graceful handling of failing password rehashing during login, improving reliability for long passwords.

  • Conditional passkey handling improved (better retry behavior).

OIDC and SAML

  • Added support for importing SAML credentials (Enterprise/Network only).

  • Added support for Line v2.1 OIDC provider.

  • Microsoft OIDC now uses oid instead of sub for stable identifiers.

  • Added caching of OIDC providers to reduce calls to discovery endpoints.

  • New policy callbacks for customizing OIDC credential linking.

  • Added more extension points to the registry.

User flow enhancements

  • require_verified_address now automatically starts a verification flow instead of failing.

  • Captcha improvements: first-step captcha groups and domain allowlists (Ory Enterprise License / Ory Network only).

  • Improved error reporting and handling across login, registration, and linking flows (Ory Enterprise License / Ory Network only).

  • OIDC signup and account linking flows more robust, including better handling of login challenges in SPAs.

  • alreadyAuthenticated cases in native login/registration flows now handled correctly.

  • Verification hooks improved: correct status handling in recovery hooks and support in settings flows.

  • Auto-linking and identifier updates fixed to ensure identities remain consistent.

  • Division UI nodes added for dynamic script hooks.

  • Console UI now supports multiple identity schemas.

  • Admin API now allows deleting password credentials if not the last factor.

Events and observability

  • New events: LoginStarted, RegistrationStarted.

  • New courier events: CourierMessageAbandoned, CourierMessageDispatched.

  • Events now emitted on Jsonnet mapping failures (OIDC claims, JWT templating).

  • Admin recovery code events are logged.

  • More attributes added to webhook events for better debugging.

  • Extended tracing in settings, courier, and credential linking flows.

Operational and performance improvements

  • Optimized secondary indices for self-service, session, and identity tables.

  • Removed unused indices and improved query plans for CockroachDB.

  • Reduced duplicate queries in settings and credential flows.

  • Faster lookups for credential types and session handling.

  • Added index hints for CockroachDB identity credential deletion.

  • Improved handling of identity imports with reduced DB load.

  • Recovery and OTP code submit count mechanism redesigned to prevent brute-forcing.

  • New kratos migrate sql up|down|status commands replace old migration CLI commands.

  • OIDC sessions now loaded only once when middleware is used.

  • Courier improved with HTML email support and more reliable tracing.

  • Added explicit config flag for secure cookies.

  • External ID support for identities via API and webhooks.

  • New endpoint to tokenize JWTs using webhooks.

  • Improved domain telemetry for OSS deployments.

  • Autoconfiguration for kratos-changefeed (Ory Enterprise License / Ory Network only).

  • High-performance SQL connection pool with tracing and metrics (Ory Enterprise License / Ory Network only).
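The "submit count" item in the list above comes down to one property: a recovery or OTP code must tolerate only a handful of submissions before it is burned, otherwise a six-digit code can be guessed online. As an added illustration (not Kratos's implementation; the notes do not describe its mechanism), the following stores only a keyed hash of each code, counts every submission before comparing, compares in constant time, and destroys the code on success, on exhaustion and on expiry. The limit, TTL, pepper and flow ids are constructed values.

```python
"""Bounded submissions for recovery / OTP codes. Added illustration, not Kratos code;
limits, pepper and flow ids are constructed."""
import hashlib
import hmac
import secrets
import time

MAX_SUBMISSIONS = 5  # assumed policy: guesses tolerated per issued code
CODE_TTL = 900       # assumed: seconds a code stays valid


class CodeStore:
    """Keeps only a keyed hash of each outstanding code, never the code itself."""

    def __init__(self, pepper, now=time.time):
        self.pepper, self.now, self.codes = pepper, now, {}  # flow_id -> record

    def _digest(self, flow_id, code):
        return hmac.new(self.pepper, f"{flow_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, flow_id):
        """Mint a six-digit code for a flow (as sent by SMS or e-mail) and return it."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[flow_id] = {"digest": self._digest(flow_id, code), "submissions": 0,
                               "expires_at": self.now() + CODE_TTL}
        return code

    def submit(self, flow_id, candidate):
        """Check a submitted code. Returns "ok", "invalid", "locked" or "expired".
        Every submission is counted, so guessing cannot exceed MAX_SUBMISSIONS."""
        rec = self.codes.get(flow_id)
        if rec is None:
            return "invalid"  # unknown flow and burned code look the same to the caller
        if self.now() > rec["expires_at"]:
            del self.codes[flow_id]
            return "expired"
        rec["submissions"] += 1  # count before comparing, so a wrong guess always costs
        if hmac.compare_digest(rec["digest"], self._digest(flow_id, candidate)):
            del self.codes[flow_id]  # single use
            return "ok"
        if rec["submissions"] >= MAX_SUBMISSIONS:
            del self.codes[flow_id]  # burned: the user must request a fresh code
            return "locked"
        return "invalid"


def demo():
    """Issue a code, burn it with wrong guesses, then show the real code no longer works."""
    store = CodeStore(b"constructed-pepper")
    code = store.issue("flow-demo")
    wrong = "000000" if code != "000000" else "000001"
    results = [store.submit("flow-demo", wrong) for _ in range(MAX_SUBMISSIONS)]
    results.append(store.submit("flow-demo", code))
    return results  # ['invalid', 'invalid', 'invalid', 'invalid', 'locked', 'invalid']
```

With these numbers an attacker who controls the submission channel gets at most MAX_SUBMISSIONS guesses out of one million per issued code, and requesting a fresh code resets nothing in their favour because each code is independent. Counting before the comparison matters: if the counter were incremented only on mismatch, a comparison that errors out or times out would be a free attempt.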

Developer and extension improvements

  • More extension points available in registry and OIDC flows.

  • Jsonnet body templating enabled for password migration hook.

  • New attributes available for Login and Registration events.

  • Webhook configuration handling refactored and extended.

  • New division node attributes for UI extensibility.

  • Added email domain matcher for flows.

  • Added external IDs and webhook configurability.

  • Console support for choosing identity schema during registration/login (Enterprise).

Documentation and tooling

  • Improved docs for OAS verification, Facebook Graph API, and OIDC subject sources.

  • Clarified error messages in security-related contexts.

  • Better migration error handling and improved messages for operators.

  • Added help text for new migration commands.

  • CI/CD stability fixes, improved code coverage configuration, and dependency updates.

Breaking changes

  • Sessions API: The x-total-count header has been removed from GET /admin/sessions.

    Commit: e24f993ea

  • Account linking: Failed OIDC account linking flows now return HTTP 400 instead of 200 OK.

    Commit: ed4fba3ef

  • Verification flow: The show_verification_ui element is only included if the hook is explicitly configured.

    Commit: 5b00fe15d

  • OIDC registration: Failing fields are now placed in the default node group instead of oidc. Legacy behavior can be restored with feature_flags.legacy_oidc_registration_node_group=true.

    Commit: dc8b32e00

Ory Keto v25.4

This release of Ory Keto brings important security updates, improved pagination, and new functionality for encrypted page tokens. It also includes a Go runtime upgrade addressing a CVE.

Ory has moved to a new versioning scheme. Read about our new version scheme here. Interested in self-hosting Ory with support, SLAs, and advanced features? Check out our offerings.

Highlights

Encrypted page tokens

Pagination tokens are now encrypted, improving privacy and resilience against tampering. This change ensures that sensitive pagination state is never exposed in plaintext.
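The point of an encrypted page token is that an API caller can neither read the cursor state inside it nor alter it to walk into rows they were not paged. The following added example (not Keto's implementation) shows the shape such a token takes: encrypt-then-MAC with separate derived keys, the tag verified before anything is decrypted, and a tampered, truncated or foreign-key token rejected with one generic error. It uses only the standard library, so a counter-mode keystream derived with HMAC-SHA256 stands in for the block cipher; a production codec would use an AEAD such as AES-GCM from a crypto library. Keys and cursor contents are constructed.

```python
"""Encrypted, authenticated page tokens. Added example, not Keto code. Standard library only:
an HMAC-SHA256 counter-mode keystream stands in for the cipher; a production codec would
use an AEAD such as AES-GCM. Keys and cursor contents are constructed."""
import base64
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _b64decode(token):
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


class PageTokenCodec:
    def __init__(self, master_key):
        # Distinct keys for confidentiality and integrity, both derived from one master key.
        self.enc_key = hmac.new(master_key, b"page-token/enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(master_key, b"page-token/mac", hashlib.sha256).digest()

    def _keystream(self, nonce, length):
        blocks, counter = [], 0
        while sum(map(len, blocks)) < length:
            blocks.append(hmac.new(self.enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
            counter += 1
        return b"".join(blocks)[:length]

    def encode(self, cursor):
        """Serialize the cursor, encrypt it under a fresh nonce, then authenticate nonce + ciphertext."""
        plaintext = json.dumps(cursor, separators=(",", ":"), sort_keys=True).encode()
        nonce = secrets.token_bytes(NONCE_LEN)
        ciphertext = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(nonce + ciphertext + tag).rstrip(b"=").decode()

    def decode(self, token):
        """Verify the tag before touching the ciphertext; every failure is the same generic error."""
        try:
            raw = _b64decode(token)
        except ValueError:  # binascii.Error is a ValueError
            raise ValueError("malformed page token") from None
        if len(raw) < NONCE_LEN + TAG_LEN:
            raise ValueError("malformed page token")
        nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("page token failed authentication")
        plaintext = bytes(a ^ b for a, b in zip(ciphertext, self._keystream(nonce, len(ciphertext))))
        return json.loads(plaintext)


def tampering_is_detected(codec, token):
    """Flip one bit of the ciphertext and confirm the codec refuses the token."""
    raw = bytearray(_b64decode(token))
    raw[NONCE_LEN] ^= 0x01
    forged = base64.urlsafe_b64encode(bytes(raw)).rstrip(b"=").decode()
    try:
        codec.decode(forged)
        return False
    except ValueError:
        return True


def cursor_is_hidden(token, field=b"last_id"):
    """A field name from the cursor must not appear in the raw token bytes."""
    return field not in _b64decode(token)
```

The server keeps the master key; clients only ever see opaque strings, and a token minted under one key is rejected under another, which is also what makes key rotation a clean cut-over rather than a compatibility problem. Deriving two keys from the master key keeps the MAC and the cipher independent even though both are built from HMAC.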

Go 1.24.4 upgrade (CVE-2025-4673)

Keto now runs on Go 1.24.4, which fixes CVE-2025-4673. All deployments should upgrade promptly to benefit from the security fix.

Improvements

  • Adopted helpers from ory/x for pagination, reducing code duplication and simplifying maintenance.

  • Fallback keys are now hard-coded to avoid panics if no configuration is present.

  • Vendored ory/x is now used, ensuring consistent builds and dependency stability.

  • Database meta functions moved to the root ory/x package to improve reusability across Ory projects.

  • Tests expanded to ensure end-to-end pagination behavior.

  • Various migration fixes:

    • Correct content in down migrations is now printed.

    • Deduplication of down migrations avoids duplicate application.

    • Invalid migration names are rejected early.

    • Non-SQL files are ignored when applying migrations.

  • Updated OTLP tracing defaults and improved reliability in observability.

Security

  • Go runtime upgraded to 1.24.4 to address CVE-2025-4673.

  • Dependency updates, including @grpc/grpc-js and other libraries.

Ory Oathkeeper v25.4

This release brings internal improvements to configuration handling, observability, and repo management. It also aligns Oathkeeper more closely with the rest of the Ory ecosystem by migrating to vendored libraries, modernizing infrastructure, and improving CI/CD pipelines.

Ory has moved to a new versioning scheme. Read about our new version scheme here. Interested in self-hosting Ory with support, SLAs, and advanced features? Check out our offerings.

Features

  • Monorepo migration: Oathkeeper has been consolidated into the Ory monorepo for better cross-project consistency and maintainability.

  • Vendored Ory/x: Oathkeeper now uses vendored versions of ory/x to reduce dependency issues and simplify builds.

  • Goreleaser integration: Release builds are now managed via goreleaser, improving reproducibility across platforms.

  • Config helpers moved to ory/x: Shared configuration test helpers were migrated for reuse across the ecosystem.

  • OTLP tracing improvements: Enhanced telemetry support with better defaults and sampling control.
