diff --git a/.changeset/early-numbers-attend.md b/.changeset/early-numbers-attend.md
new file mode 100644
index 000000000..91746d332
--- /dev/null
+++ b/.changeset/early-numbers-attend.md
@@ -0,0 +1,16 @@
+---
+"@logto/console": minor
+"@logto/core": minor
+"@logto/phrases": minor
+---
+
+add `trustUnverifiedEmail` setting for the Microsoft EntraID OIDC SSO connector
+
+Since we launched the **EntraID OIDC SSO connector** we have received several feedbacks that their customer's email address can not be populated to Logto's user profile when signing up through the EntraID OIDC SSO connector.
+This is because Logto only syncs verified email addresses, meaning the `email_verified` claim must be `true` in the user info response from the OIDC provider.
+
+However, based on Microsoft's documentation, since the user's email address in manually managed by the organization, they are not verified guaranteed. This means that the `email_verified` claim will not be included in their user info response.
+
+To address this issue, we have added a new `trustUnverifiedEmail` exclusively for the Microsoft EntraID OIDC SSO connector. When this setting is enabled, Logto will trust the email address provided by the Microsoft EntraID OIDC SSO connector even if the `email_verified` claim is not included in the user info response. This will allow users to sign up and log in to Logto using their email address without any issues. Please note this may introduce a security risk as the email address is not verified by the OIDC provider. You should only enable this setting if you trust the email address provided by the Microsoft EntraID OIDC SSO connector.
+
+You can configure this setting in the **EntraID OIDC SSO connector** settings page in the Logto console or through the management API.
diff --git a/.changeset/four-deers-divide.md b/.changeset/four-deers-divide.md
new file mode 100644
index 000000000..2537324a1
--- /dev/null
+++ b/.changeset/four-deers-divide.md
@@ -0,0 +1,15 @@
+---
+"@logto/console": minor
+"@logto/core": minor
+"@logto/experience": minor
+"@logto/experience-legacy": minor
+"@logto/phrases": minor
+"@logto/phrases-experience": minor
+"@logto/schemas": minor
+---
+
+display support email and website info on experience error pages.
+
+Added support email and website info to the error pages of the experience app. E.g. when a user tries to access a page that doesn't exist, or when the social session is not found in a social callback page. This will help users to contact support easily when they encounter an error.
+
+You may configure the support email and website info in the sign-in experience settings page in the Logto console or through the management API.
diff --git a/.changeset/wet-nails-guess.md b/.changeset/wet-nails-guess.md
new file mode 100644
index 000000000..243c9b495
--- /dev/null
+++ b/.changeset/wet-nails-guess.md
@@ -0,0 +1,12 @@
+---
+"@logto/console": minor
+"@logto/core": minor
+"@logto/phrases": minor
+"@logto/schemas": minor
+---
+
+add unknown session redirect url in the sign-in experience settings
+
+In certain cases, Logto may be unable to properly identify a user’s authentication session when they land on the sign-in page. This can happen if the session has expired, if the user bookmarks the sign-in URL for future access, or if they directly share the sign-in link. By default, an "unknown session" 404 error is displayed.
+
+To improve user experience, we have added a new `unknownSessionRedirectUrl` field in the sign-in experience settings.You can configure this field to redirect users to a custom URL when an unknown session is detected. This will help users to easily navigate to your client application or website and reinitiate the authentication process automatically.
diff --git a/packages/console/src/pages/EnterpriseSsoDetails/Connection/OidcMetadataForm/index.tsx b/packages/console/src/pages/EnterpriseSsoDetails/Connection/OidcMetadataForm/index.tsx
index 6bbbbd751..d4fa8fda4 100644
--- a/packages/console/src/pages/EnterpriseSsoDetails/Connection/OidcMetadataForm/index.tsx
+++ b/packages/console/src/pages/EnterpriseSsoDetails/Connection/OidcMetadataForm/index.tsx
@@ -2,7 +2,6 @@ import { SsoProviderName } from '@logto/schemas';
import { useFormContext } from 'react-hook-form';
import { useTranslation } from 'react-i18next';
-import { isDevFeaturesEnabled } from '@/consts/env';
import CopyToClipboard from '@/ds-components/CopyToClipboard';
import FormField from '@/ds-components/FormField';
import InlineNotification from '@/ds-components/InlineNotification';
@@ -85,7 +84,7 @@ function OidcMetadataForm({ providerConfig, config, providerName }: Props) {
- {isDevFeaturesEnabled && providerName === SsoProviderName.AZURE_AD_OIDC && (
+ {providerName === SsoProviderName.AZURE_AD_OIDC && (
{isActive && }
- {isDevFeaturesEnabled && }
+
);
diff --git a/packages/console/src/pages/SignInExperience/PageContent/SignUpAndSignIn/AdvancedOptions/index.tsx b/packages/console/src/pages/SignInExperience/PageContent/SignUpAndSignIn/AdvancedOptions/index.tsx
index dd0b88598..1e3453dfa 100644
--- a/packages/console/src/pages/SignInExperience/PageContent/SignUpAndSignIn/AdvancedOptions/index.tsx
+++ b/packages/console/src/pages/SignInExperience/PageContent/SignUpAndSignIn/AdvancedOptions/index.tsx
@@ -1,7 +1,6 @@
import { useFormContext } from 'react-hook-form';
import { useTranslation } from 'react-i18next';
-import { isDevFeaturesEnabled } from '@/consts/env';
import Card from '@/ds-components/Card';
import FormField from '@/ds-components/FormField';
import Switch from '@/ds-components/Switch';
@@ -49,22 +48,18 @@ function AdvancedOptions() {
)}
/>
- {isDevFeaturesEnabled && (
-
- !value || uriValidator(value) || t('errors.invalid_uri_format'),
- })}
- error={errors.unknownSessionRedirectUrl?.message}
- placeholder="https://"
- />
-
- )}
+
+ !value || uriValidator(value) || t('errors.invalid_uri_format'),
+ })}
+ error={errors.unknownSessionRedirectUrl?.message}
+ placeholder="https://"
+ />
+
);
}
diff --git a/packages/core/src/middleware/koa-spa-session-guard.test.ts b/packages/core/src/middleware/koa-spa-session-guard.test.ts
index 2ee0539ab..7d79ff1c7 100644
--- a/packages/core/src/middleware/koa-spa-session-guard.test.ts
+++ b/packages/core/src/middleware/koa-spa-session-guard.test.ts
@@ -96,11 +96,6 @@ describe('koaSpaSessionGuard', () => {
}
it('should redirect to configured unknown session redirect URL in SIE if session not found for a selected path', async () => {
- const stub = Sinon.stub(EnvSet, 'values').value({
- ...EnvSet.values,
- isDevFeaturesEnabled: true,
- });
-
const unknownSessionRedirectUrl = 'https://foo.bar/redirect';
interactionDetails.mockRejectedValue(new Error('session not found'));
@@ -113,8 +108,6 @@ describe('koaSpaSessionGuard', () => {
});
await koaSpaSessionGuard(provider, queries)(ctx, next);
expect(ctx.redirect).toBeCalledWith(unknownSessionRedirectUrl);
-
- stub.restore();
});
it('should redirect to configured URL if session not found for a selected path', async () => {
diff --git a/packages/core/src/middleware/koa-spa-session-guard.ts b/packages/core/src/middleware/koa-spa-session-guard.ts
index 0fcb750b4..3f1fefb56 100644
--- a/packages/core/src/middleware/koa-spa-session-guard.ts
+++ b/packages/core/src/middleware/koa-spa-session-guard.ts
@@ -37,17 +37,14 @@ export default function koaSpaSessionGuard<
try {
await provider.interactionDetails(ctx.req, ctx.res);
} catch {
- // TODO: remove this check after the feature is stable
- if (EnvSet.values.isDevFeaturesEnabled) {
- // For unknown session, check if there is a redirect URL set in the SignInExperience
- const { unknownSessionRedirectUrl } =
- await queries.signInExperiences.findDefaultSignInExperience();
+ // For unknown session, check if there is a redirect URL set in the SignInExperience
+ const { unknownSessionRedirectUrl } =
+ await queries.signInExperiences.findDefaultSignInExperience();
- if (unknownSessionRedirectUrl) {
- ctx.redirect(unknownSessionRedirectUrl);
+ if (unknownSessionRedirectUrl) {
+ ctx.redirect(unknownSessionRedirectUrl);
- return;
- }
+ return;
}
// If not, check if there is a redirect URL set in the tenant level LogtoConfigs