Kratos

v25.3.8

Add 'Login with Amazon'

Amazon is added to the list of OIDC providers to enable 'Login with Amazon'.

Note that 'Code Based Linking' and 'Login and Pay with Amazon' are not part of this release.


v25.3.6

Extended Language Support for Ory Elements

Ory Elements now supports 82 languages in total, expanding from the original 9 languages (English, German, Spanish, French, Dutch, Polish, Portuguese, Swedish, Norwegian) to include 73 additional translations:

  • Major languages: Chinese (zh), Hindi (hi), Russian (ru), Japanese (ja), Korean (ko), Indonesian (id), Italian (it), Turkish (tr), Vietnamese (vi), Thai (th), Ukrainian (uk)
  • Indian languages: Punjabi (pa), Marathi (mr), Telugu (te), Tamil (ta), Gujarati (gu), Kannada (kn), Malayalam (ml), Odia (or), Urdu (ur), Assamese (as), Bengali (bn)
  • European languages: Catalan (ca), Bulgarian (bg), Czech (cs), Danish (da), Romanian (ro), Greek (el), Hungarian (hu), Finnish (fi), Slovak (sk), Croatian (hr), Serbian (sr), Lithuanian (lt), Slovenian (sl), Latvian (lv), Macedonian (mk), Estonian (et), Belarusian (be), Albanian (sq)
  • Middle Eastern languages: Arabic (ar), Persian (fa), Hebrew (he), Kurdish (ku)
  • African languages: Afrikaans (af), Akan (ak), Amharic (am), Bambara (bm), Hausa (ha), Yoruba (yo), Igbo (ig), Swahili (sw), Somali (so), Zulu (zu), Xhosa (xh)
  • Central and East Asian languages: Azerbaijani (az), Filipino (tl), Malay (ms), Pashto (ps), Sundanese (su), Uzbek (uz), Burmese (my), Sindhi (sd), Sinhala (si), Nepali (ne), Khmer (km), Kazakh (kk), Uyghur (ug), Tajik (tg), Turkmen (tk), Mongolian (mn), Kyrgyz (ky), Georgian (ka), Armenian (hy)


v25.3.5

Change of base image

The base image for OEL images is now set to "gcr.io/distroless/static-debian12:nonroot". Previously, it was "gcr.io/distroless/static-debian12:debug-nonroot", which included BusyBox (a minimal shell and basic debugging utilities). Debug images are still available using the "-debug" tag suffix.


v25.3.4

Remove counting courier messages in /admin/courier/messages

We've removed the X-Total-Count HTTP response header from the /admin/courier/messages endpoint. This change prevents a costly, linear scan of the database on every request, which was defeating the purpose of pagination.

Additionally, there is a new configuration field in Kratos: secrets.pagination, a list of encryption keys used to encrypt and decrypt the pagination token. These keys are not security-sensitive; they exist only to keep API clients from relying on the specific implementation of the pagination token, which leaves the implementation free to change in the future. If no keys are configured, a fallback key is used transparently.

Breaking changes

  • Clients can no longer rely on the X-Total-Count HTTP response header.
  • The total number of messages is now indeterminate. You can determine the last page when the number of returned items is less than the page size. But note that due to the real-time nature of this data, subsequent calls with identical filters may return different results as the total number of messages can change rapidly.
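
A client loop that follows the breaking changes above, as an added example that is not Ory's code: it pages until it sees a short page instead of reading X-Total-Count, and it goes one step further by capping the number of requests, since the total can keep changing. `Message`, `FetchPage`, `ListAll`, `fakeServer` and the token format are hypothetical names and constructed data, not part of the Kratos API.

```go
package main

import (
	"errors"
	"fmt"
)

// Message and FetchPage are hypothetical stand-ins for a real API client.
// FetchPage takes an opaque token ("" for page one) and returns the next one.
type Message struct{ ID string }
type FetchPage func(token string, size int) (items []Message, next string, err error)

// ListAll walks all pages without X-Total-Count: it stops at the first page
// shorter than the requested size, and gives up after maxPages requests.
func ListAll(fetch FetchPage, size, maxPages int) ([]Message, error) {
	var all []Message
	token := ""
	for page := 0; page < maxPages; page++ {
		items, next, err := fetch(token, size)
		if err != nil {
			return all, err
		}
		all = append(all, items...)
		if len(items) < size {
			return all, nil // short or empty page: this was the last one
		}
		token = next // pass the token back unchanged; never parse it
	}
	return all, errors.New("page limit reached before a short page")
}

// fakeServer serves n constructed messages; its token format is made up.
func fakeServer(n int) FetchPage {
	return func(token string, size int) ([]Message, string, error) {
		start := 0
		fmt.Sscanf(token, "t%d", &start) // "" leaves start at 0
		var out []Message
		for i := start; i < n && i < start+size; i++ {
			out = append(out, Message{ID: fmt.Sprintf("msg-%d", i)})
		}
		return out, fmt.Sprintf("t%d", start+len(out)), nil
	}
}

func main() {
	msgs, err := ListAll(fakeServer(6), 3, 10) // full, full, then empty page
	fmt.Println(len(msgs), err)
}
```

When the item count is an exact multiple of the page size, the last full page is followed by one extra request that returns an empty page, which is what ends the loop.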

v25.3.3

FedCM Sign-In Now Triggers Login Hooks

We updated the Federated Credential Management (FedCM) sign-in flow to correctly trigger any "after login" hooks configured for the OIDC (OpenID Connect) method.

This change ensures that when a returning user signs in using a FedCM provider, the system behaves consistently with other OIDC-based logins.

Improved tracing and metrics for the high-performance SQL connection pool

This change adds distributed tracing and advanced metrics for the high-performance SQL connection pool in all Ory OEL products.


2025-07-25

Tag: beebb63c5cd4a58b218a792027b34d231735dc05

Support for External Identity IDs

Identity admins can now set an external_id field on an identity. If set, the external ID must be unique within the project. Admins can retrieve an identity by external ID through the /admin/identities/by/external/{id} endpoint. The external_id is included in all identity and session responses. When tokenizing a session, the external_id is available in the Jsonnet context. Optionally, admins can set the subject_source option on the tokenization config to external_id, in which case the sub claim will be the external ID. Note that in this case tokenization fails if the external ID is not set for the identity bound to that session.

Read more about the external ID feature in our documentation: https://www.ory.sh/docs/kratos/manage-identities/external-id

Note: This release requires the previous version (097934fff2bda05c808d962a92f52140f80dff83) to be applied first.

Tag: 097934fff2bda05c808d962a92f52140f80dff83

Improved SQL queries to gracefully handle new columns added via future migrations, preventing upgrade-time failures due to schema changes.

2025-06-11

Tag: 290abca8469dc46c1ba07708849fed28fdbc1b69

Make code submission attempt limit configurable

Previously, the maximum number of submission attempts for codes (e.g., 2FA codes, email verification codes) was fixed at 5 in Ory Kratos. This release lets system administrators configure the number of submission attempts based on specific security policies or business requirements; the default value remains 5. To find out how to configure it, read our documentation: https://www.ory.sh/docs/identities/sign-in/code-submission-limit

2025-05-27

Initial Ory Kratos OEL release

Changes:

  • Fix high-severity security vulnerability CVE-2025-22871

No specific upgrade steps are required for this release. The Ory Kratos OEL image is now available in the Ory Enterprise Docker Registry.