- DATE:
- AUTHOR:
- Ory Team
Ory v25.4.3 through v26.1.3 released
Ory Network
The following improvements are now available in Ory Network.
Advanced full-text identity search for multi-region projects
Advanced identity search now works for Ory Network projects with the "Global" or "US Continental" personal data storage location settings. The search index is still geo-sharded in the same GDPR-compliant manner as all other identity data. What's new is how we internally retrieve this data: we now return correct search results even if your project has identities across the globe. You simply query the search index, and we take care of data-homing requirements and geo-routing transparently in the background. We also fixed an issue which would occasionally hide some or all identities from advanced search in Ory Console when querying from a remote region.
Breaking changes
In the Advanced Identity Search API, the collection name has changed from identities-<PROJECT-ID> to simply identities. The result set size for full-text identity searches through this API is now limited to the first 1000 results, and support for pagination has been dropped. If you are frequently hitting this limit, consider refining your search query to reduce the number of hits. To paginate through all of your identities, use the ListIdentities API.
Configure provider-specific data mappings directly in the Onboarding Portal during setup
Data mappers can now be configured per provider in the Onboarding Portal. When creating or configuring an onboarding portal, admins can select an SSO or SCIM provider and define a dedicated data mapping for that provider, enabling precise control over how claims and directory attributes are mapped to identity traits.
SCIM Provisioning Now Adopts Existing Users
When provisioning a new user through SCIM, if a user with the same email already exists within the same organization but was not previously provisioned through SCIM (for example, through self-service flows), the system will no longer return a conflict error. Instead, the existing user identity is automatically linked to the SCIM user. The user's profile information in Ory will be updated with the data provided in the SCIM provisioning request. This change simplifies enabling SCIM for organizations that already have users in Ory Identities.
Ory Hydra
Optionally Discard Skipped Consents
This is now available for the Ory Hydra Enterprise License.
When enabled, the new feature_flags.discard_skipped_consents configuration option instructs Hydra not to persist the full consent record (SQL table hydra_oauth2_flow) for skipped consents. Instead, only an identifier is stored for a short period of time to prevent reuse attacks. Consents can be skipped by default for trusted OAuth2 clients by setting skip_consent to true on those clients; otherwise, only consents that were already granted are skipped.
Limitations
When this feature is enabled, OAuth2 client front- and back-channel logouts will not work anymore.
Example
feature_flags:
  discard_skipped_consents: true
Ory Kratos
Accept Hydra Login Challenge in Verification Flows
This is now available in Ory Network and for the Ory Kratos Enterprise License.
Fixes a bug where Kratos would not accept the Hydra login challenge in verification flows if they originated from a refresh login flow. This would manifest as an "unknown form state" error in Ory Elements and the Ory Account Experience.
Change in Event Attributes
This is now available in Ory Network and for the Ory Kratos Enterprise License.
Login and Registration events now include the SelfServiceMethodUsed attribute. The SelfServiceStrategyUsed attribute is deprecated, and it is advised to use the newly introduced SelfServiceFlowName attribute instead.
Support for forwarding user request headers to HTTP channel webhooks
This is now available in Ory Network and for the Ory Kratos Enterprise License.
A number of common HTTP request headers (see below) are now forwarded to the webhook when delivering one-time codes via SMS or email. These headers are available in the ctx.request_headers field in the Jsonnet templates for the webhook request body. Note that most of these headers are set by the client and should be treated as untrusted input in the receiving service. The list of forwarded headers is the same as for the webhooks in Ory Actions:
Accept
Accept-Encoding
Accept-Language
Content-Length
Content-Type
Origin
Priority
Referer
Sec-Ch-Ua
Sec-Ch-Ua-Mobile
Sec-Ch-Ua-Platform
Sec-Fetch-Dest
Sec-Fetch-Mode
Sec-Fetch-Site
Sec-Fetch-User
True-Client-Ip
User-Agent
X-Forwarded-Host
Ory-Base-Url-Rewrite
Ory-Base-Url-Rewrite-Token
X-Ory-Original-Host
Ory-No-Custom-Domain-Redirect
Cf-Ipcountry
Properly accept OAuth2 login challenges in account linking flows
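The following Jsonnet template is an added example for this page and is not code from the release notes or from the Ory project. It shows how a courier HTTP channel body template can read ctx.request_headers to pass client risk signals to the SMS or email delivery webhook, so the receiving service can apply its own rate limiting or fraud checks (for example, against SMS pumping) before sending the one-time code. It assumes ctx.request_headers is a map from canonical header name to a list of values (the shape Go's http.Header marshals to) and that the other context fields (recipient, template_type, template_data with to, verification_code, recovery_code, login_code, registration_code) follow the Kratos courier webhook context; the client object and its field names are this example's own choice.

```jsonnet
// Added example: courier HTTP-channel request body template (not from the Ory page).
// Assumptions: ctx.request_headers maps a canonical header name to a list of values;
// template_data carries the fields named below. Fields that are absent for a given
// flow are emitted as null so the webhook can rely on a stable schema.
function(ctx)
  local headers = if "request_headers" in ctx then ctx.request_headers else {};

  // First value of a forwarded header, or null when the header was not sent.
  local header(name) =
    if name in headers && std.length(headers[name]) > 0 then headers[name][0] else null;

  local data = if "template_data" in ctx then ctx.template_data else {};
  local field(name) = if name in data then data[name] else null;

  {
    recipient: ctx.recipient,
    template_type: ctx.template_type,
    to: field("to"),

    // Exactly one of these is populated, depending on which flow requested the code.
    verification_code: field("verification_code"),
    recovery_code: field("recovery_code"),
    login_code: field("login_code"),
    registration_code: field("registration_code"),

    // Risk signals for the receiving service. Cf-Ipcountry and True-Client-Ip are
    // injected by the edge proxy; the remaining headers are chosen by the caller and
    // must not be trusted for authorization decisions, only used as soft signals.
    client: {
      ip: header("True-Client-Ip"),
      country: header("Cf-Ipcountry"),
      user_agent: header("User-Agent"),
      accept_language: header("Accept-Language"),
      origin: header("Origin"),
      referer: header("Referer"),
      fetch_site: header("Sec-Fetch-Site"),
      platform: header("Sec-Ch-Ua-Platform"),
    },
  }
```

The template is referenced from the courier channel's request_config.body setting in the Kratos configuration, in the same way as any other HTTP channel body template. Guarding every lookup with `in` keeps the template from failing with a runtime error when a header or template field is missing, which is the common case for requests that do not come from a browser.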
This is now available in Ory Network and for the Ory Kratos Enterprise License.
In the account linking flows, the OAuth2 login challenge was not properly accepted and stored in the login flow. This meant that users going through account linking would not be redirected back to the OAuth2 client after logging in, but had to re-confirm their credentials a second time. This has now been fixed by properly accepting and storing the OAuth2 login challenge in the login flow.
Requests to Admin Endpoint without /admin Prefix No Longer Redirect
This is now available in the Ory Kratos Enterprise License.
The admin endpoint now serves requests that omit the /admin prefix directly, instead of redirecting them to the prefixed path. This change is not expected to affect existing clients; it only avoids an unnecessary redirect round trip.
Fix null response in OAuth2 login flow with existing session
This is now available in the Ory Kratos Enterprise License.
Fixed a bug where the /self-service/login/browser endpoint would return null instead of a proper error response when called with an existing session, a Hydra login challenge, and Accept: application/json header.
Ory Polis
This is now available for the Ory Polis Enterprise License.
Identity Federation: SAML Response expiry is now configurable
When creating an Identity Federation app, you can now control how long a SAML Response remains valid by setting the ttlInMinutes attribute. The default expiry remains 10 minutes.
Ory Oathkeeper, Ory Keto, Ory Elements
No significant changes in this release.