60 KiB
Change Log
1.22.0
Minor Changes
-
640425414
: display support email and website info on experience error pages.Added support email and website info to the error pages of the experience app. E.g. when a user tries to access a page that doesn't exist, or when the social session is not found in a social callback page. This will help users to contact support easily when they encounter an error.
You may configure the support email and website info in the sign-in experience settings page in the Logto console or through the management API.
-
7ebef18e3
: add account apiIntroduce the new Account API, designed to give end users direct API access without needing to go through the Management API, here is the highlights:
- Direct access: The Account API empowers end users to directly access and manage their own account profile without requiring the relay of Management API.
- User profile and identities management: Users can fully manage their profiles and security settings, including the ability to update identity information like email, phone, and password, as well as manage social connections. MFA and SSO support are coming soon.
- Global access control: Admin has full, global control over access settings, can customize each fields.
- Seamless authorization: Authorizing is easier than ever! Simply use
client.getAccessToken()
to obtain an opaque access token for OP (Logto), and attach it to the Authorization header asBearer <access_token>
.
Get started
![Note] Go to the Logto Docs to find full API reference.
- Use
/api/account-center
endpoint to enable the feature, for security reason, it is disabled by default. And set fields permission for each field. - Use
client.getAccessToken()
to get the access token. - Attach the access token to the Authorization header of your request, and start interacting with the Account API directly from the frontend.
- You may need to setup
logto-verification-id
header as an additional verification for some requests related to identity verification.
What you can do with Account API
- Get user account profile
- Update basic information including name, avatar, username and other profile information
- Update password
- Update primary email
- Update primary phone
- Manage social identities
-
640425414
: add unknown session redirect url in the sign-in experience settingsIn certain cases, Logto may be unable to properly identify a user’s authentication session when they land on the sign-in page. This can happen if the session has expired, if the user bookmarks the sign-in URL for future access, or if they directly share the sign-in link. By default, an "unknown session" 404 error is displayed.
To improve user experience, we have added a new
unknownSessionRedirectUrl
field in the sign-in experience settings.You can configure this field to redirect users to a custom URL when an unknown session is detected. This will help users to easily navigate to your client application or website and reinitiate the authentication process automatically.
Patch Changes
- Updated dependencies [
640425414
] - Updated dependencies [
640425414
] - Updated dependencies [
7ebef18e3
] - Updated dependencies [
640425414
]- @logto/phrases@1.15.0
- @logto/phrases-experience@1.9.0
- @logto/connector-kit@4.1.0
1.21.0
Patch Changes
- Updated dependencies [
bc2a0ac03
] - Updated dependencies [
3c993d59c
]- @logto/shared@3.1.2
- @logto/phrases@1.14.1
1.20.0
Minor Changes
-
e0326c96c
: Add personal access token (PAT)Personal access tokens (PATs) provide a secure way for users to grant access tokens without using their credentials and interactive sign-in.
You can create a PAT by going to the user's detail page in Console or using the Management API
POST /users/:userId/personal-access-tokens
.To use a PAT, call the token exchange endpoint
POST /oidc/token
with the following parameters:grant_type
: REQUIRED. The value of this parameter must beurn:ietf:params:oauth:grant-type:token-exchange
indicates that a token exchange is being performed.resource
: OPTIONAL. The resource indicator, the same as other token requests.scope
: OPTIONAL. The requested scopes, the same as other token requests.subject_token
: REQUIRED. The user's PAT.subject_token_type
: REQUIRED. The type of the security token provided in thesubject_token
parameter. The value of this parameter must beurn:logto:token-type:personal_access_token
.client_id
: REQUIRED. The client identifier of the client application that is making the request, the returned access token will contain this client_id claim.
And the response will be a JSON object with the following properties:
access_token
: REQUIRED. The access token of the user, which is the same as other token requests likeauthorization_code
orrefresh_token
.issued_token_type
: REQUIRED. The type of the issued token. The value of this parameter must beurn:ietf:params:oauth:token-type:access_token
.token_type
: REQUIRED. The type of the token. The value of this parameter must beBearer
.expires_in
: REQUIRED. The lifetime in seconds of the access token.scope
: OPTIONAL. The scopes of the access token.
-
25187ef63
: add support forlogin_hint
parameter in sign-in methodThis feature allows you to provide a suggested identifier (email, phone, or username) for the user, improving the sign-in experience especially in scenarios where the user's identifier is known or can be inferred.
Example:
// Example usage (React project using React SDK) void signIn({ redirectUri, loginHint: "user@example.com", firstScreen: "signIn", // or 'register' });
Patch Changes
479d5895a
: bump @withtyped dependency version- Updated dependencies [
f150a67d5
] - Updated dependencies [
e0326c96c
] - Updated dependencies [
53060c203
]- @logto/phrases@1.14.0
- @logto/phrases-experience@1.8.0
1.19.0
Minor Changes
-
6477c6dee
: addcustom_data
to applicationsIntroduce a new property
custom_data
to theApplication
schema. This property is an arbitrary object that can be used to store custom data for an application.Added a new API to update the custom data of an application:
PATCH /applications/:applicationId/custom-data
-
d203c8d2f
: support experience data server-side renderingLogto now injects the sign-in experience settings and phrases into the
index.html
file for better first-screen performance. The experience app will still fetch the settings and phrases from the server if:- The server didn't inject the settings and phrases.
- The parameters in the URL are different from server-rendered data.
-
b188bb161
: support multiple app secrets with expirationNow secure apps (machine-to-machine, traditional web, Protected) can have multiple app secrets with expiration. This allows for secret rotation and provides an even safer experience.
To manage your application secrets, go to Logto Console -> Applications -> Application Details -> Endpoints & Credentials.
We've also added a set of Management APIs (
/api/applications/{id}/secrets
) for this purpose.Important
You can still use existing app secrets for client authentication, but it is recommended to delete the old ones and create new secrets with expiration for enhanced security.
-
62f5e5e0c
: support dark faviconThe favicon for the dark theme now can be set in the sign-in experience branding settings.
-
d56bc2f73
: add support for new password digest algorithm argon2d and argon2idIn
POST /users
, thepasswordAlgorithm
field now acceptsArgon2d
andArgon2id
.Users with those algorithms will be migrated to
Argon2i
upon succussful sign in. -
510f681fa
: use tsup for buildingWe've updated some of the packages to use
tsup
for building. This will make the build process faster, and should not affect the functionality of the packages.Use minor version bump to catch your attention.
Patch Changes
-
3a839f6d6
: support organization logo and sign-in experience overrideNow it's able to set light and dark logos for organizations. You can upload the logos in the organization settings page.
Also, it's possible to override the sign-in experience logo from an organization. Simply add the
organization_id
parameter to the authentication request. In most Logto SDKs, it can be done by using theextraParams
field in thesignIn
method.For example, in the JavaScript SDK:
import LogtoClient from "@logto/client"; const logtoClient = new LogtoClient(/* your configuration */); logtoClient.signIn({ redirectUri: "https://your-app.com/callback", extraParams: { organization_id: "<organization-id>", }, });
The value
<organization-id>
can be found in the organization settings page.If you could not find the
extraParams
field in the SDK you are using, please let us know. -
Updated dependencies [
3a839f6d6
] -
Updated dependencies [
b91ec0cd6
] -
Updated dependencies [
b188bb161
]- @logto/phrases@1.13.0
1.18.0
Minor Changes
-
87615d58c
: support machine-to-machine apps for organizationsThis feature allows machine-to-machine apps to be associated with organizations, and be assigned with organization roles.
Console
- Add a new "machine-to-machine" type to organization roles. All existing roles are now "user" type.
- You can manage machine-to-machine apps in the organization details page -> Machine-to-machine apps section.
- You can view the associated organizations in the machine-to-machine app details page.
OpenID Connect grant
The
client_credentials
grant type is now supported for organizations. You can use this grant type to obtain an access token for an organization.Management API
A set of new endpoints are added to the Management API:
/api/organizations/{id}/applications
to manage machine-to-machine apps./api/organizations/{id}/applications/{applicationId}
to manage a specific machine-to-machine app in an organization./api/applications/{id}/organizations
to view the associated organizations of a machine-to-machine app.
-
061a30a87
: support agree to terms polices for Logto’s sign-in experiences- Automatic: Users automatically agree to terms by continuing to use the service
- ManualRegistrationOnly: Users must agree to terms by checking a box during registration, and don't need to agree when signing in
- Manual: Users must agree to terms by checking a box during registration or signing in
-
ef21c7a99
: support per-organization multi-factor authentication requirementAn organization can now require its member to have multi-factor authentication (MFA) configured. If an organization has this requirement and a member does not have MFA configured, the member will not be able to fetch the organization access token.
-
b52609a1e
: addhasPassword
to custom JWT user context -
efa884c40
: feature: just-in-time user provisioning for organizationsThis feature allows users to automatically join the organization and be assigned roles upon their first sign-in through some authentication methods. You can set requirements to meet for just-in-time provisioning.
Email domains
New users will automatically join organizations with just-in-time provisioning if they:
- Sign up with verified email addresses, or;
- Use social sign-in with verified email addresses.
This applies to organizations that have the same email domain configured.
To enable this feature, you can add email domain via the Management API or the Logto Console:
- We added the following new endpoints to the Management API:
GET /organizations/{organizationId}/jit/email-domains
POST /organizations/{organizationId}/jit/email-domains
PUT /organizations/{organizationId}/jit/email-domains
DELETE /organizations/{organizationId}/jit/email-domains/{emailDomain}
- In the Logto Console, you can manage email domains in the organization details page -> "Just-in-time provisioning" section.
SSO connectors
New or existing users signing in through enterprise SSO for the first time will automatically join organizations that have just-in-time provisioning configured for the SSO connector.
To enable this feature, you can add SSO connectors via the Management API or the Logto Console:
- We added the following new endpoints to the Management API:
GET /organizations/{organizationId}/jit/sso-connectors
POST /organizations/{organizationId}/jit/sso-connectors
PUT /organizations/{organizationId}/jit/sso-connectors
DELETE /organizations/{organizationId}/jit/sso-connectors/{ssoConnectorId}
- In the Logto Console, you can manage SSO connectors in the organization details page -> "Just-in-time provisioning" section.
Default organization roles
You can also configure the default roles for users provisioned via this feature. The default roles will be assigned to the user when they are provisioned.
To enable this feature, you can set the default roles via the Management API or the Logto Console:
- We added the following new endpoints to the Management API:
GET /organizations/{organizationId}/jit/roles
POST /organizations/{organizationId}/jit/roles
PUT /organizations/{organizationId}/jit/roles
DELETE /organizations/{organizationId}/jit/roles/{organizationRoleId}
- In the Logto Console, you can manage default roles in the organization details page -> "Just-in-time provisioning" section.
-
b50ba0b7e
: enable backchannel logout supportEnable the support of OpenID Connect Back-Channel Logout 1.0.
To register for backchannel logout, navigate to the application details page in the Logto Console and locate the "Backchannel logout" section. Enter the backchannel logout URL of your RP and click "Save".
You can also enable session requirements for backchannel logout. When enabled, Logto will include the
sid
claim in the logout token.For programmatic registration, you can set the
backchannelLogoutUri
andbackchannelLogoutSessionRequired
properties in the applicationoidcClientMetadata
object.
Patch Changes
-
942780fcf
: support Google One Tap- core:
GET /api/.well-known/sign-in-exp
now returnsgoogleOneTap
field with the configuration when available - core: add Google Sign-In (GSI) url to the security headers
- core: verify Google One Tap CSRF token in
verifySocialIdentity()
- phrases: add Google One Tap phrases
- schemas: migrate sign-in experience types from core to schemas
- core:
-
Updated dependencies [
6308ee185
] -
Updated dependencies [
15953609b
] -
Updated dependencies [
6308ee185
] -
Updated dependencies [
942780fcf
] -
Updated dependencies [
87615d58c
] -
Updated dependencies [
9f33d997b
] -
Updated dependencies [
061a30a87
] -
Updated dependencies [
ef21c7a99
] -
Updated dependencies [
136320584
] -
Updated dependencies [
efa884c40
] -
Updated dependencies [
b50ba0b7e
] -
Updated dependencies [
d81e13d21
]- @logto/connector-kit@4.0.0
- @logto/phrases@1.12.0
- @logto/phrases-experience@1.7.0
1.17.0
Minor Changes
-
25d67f33f
: create a pre-configured role with Management API access when seeding the database -
b5104d8c1
: add new webhook eventsWe introduce a new event type
DataHook
to unlock a series of events that can be triggered by data updates (mostly Management API):- User.Created
- User.Deleted
- User.Data.Updated
- User.SuspensionStatus.Updated
- Role.Created
- Role.Deleted
- Role.Data.Updated
- Role.Scopes.Updated
- Scope.Created
- Scope.Deleted
- Scope.Data.Updated
- Organization.Created
- Organization.Deleted
- Organization.Data.Updated
- Organization.Membership.Updated
- OrganizationRole.Created
- OrganizationRole.Deleted
- OrganizationRole.Data.Updated
- OrganizationRole.Scopes.Updated
- OrganizationScope.Created
- OrganizationScope.Deleted
- OrganizationScope.Data.Updated
DataHook events are triggered when the data associated with the event is updated via management API request or user interaction actions.
Management API triggered events
API endpoint Event POST /users User.Created DELETE /users/:userId User.Deleted PATCH /users/:userId User.Data.Updated PATCH /users/:userId/custom-data User.Data.Updated PATCH /users/:userId/profile User.Data.Updated PATCH /users/:userId/password User.Data.Updated PATCH /users/:userId/is-suspended User.SuspensionStatus.Updated POST /roles Role.Created, (Role.Scopes.Update) DELETE /roles/:id Role.Deleted PATCH /roles/:id Role.Data.Updated POST /roles/:id/scopes Role.Scopes.Updated DELETE /roles/:id/scopes/:scopeId Role.Scopes.Updated POST /resources/:resourceId/scopes Scope.Created DELETE /resources/:resourceId/scopes/:scopeId Scope.Deleted PATCH /resources/:resourceId/scopes/:scopeId Scope.Data.Updated POST /organizations Organization.Created DELETE /organizations/:id Organization.Deleted PATCH /organizations/:id Organization.Data.Updated PUT /organizations/:id/users Organization.Membership.Updated POST /organizations/:id/users Organization.Membership.Updated DELETE /organizations/:id/users/:userId Organization.Membership.Updated POST /organization-roles OrganizationRole.Created, (OrganizationRole.Scopes.Updated) DELETE /organization-roles/:id OrganizationRole.Deleted PATCH /organization-roles/:id OrganizationRole.Data.Updated POST /organization-scopes OrganizationScope.Created DELETE /organization-scopes/:id OrganizationScope.Deleted PATCH /organization-scopes/:id OrganizationScope.Data.Updated PUT /organization-roles/:id/scopes OrganizationRole.Scopes.Updated POST /organization-roles/:id/scopes OrganizationRole.Scopes.Updated DELETE /organization-roles/:id/scopes/:organizationScopeId OrganizationRole.Scopes.Updated User interaction triggered events
User interaction action Event User email/phone linking User.Data.Updated User MFAs linking User.Data.Updated User social/SSO linking User.Data.Updated User password reset User.Data.Updated User registration User.Created -
76fd33b7e
: support default roles for users
Patch Changes
- Updated dependencies [
e04d9523a
] - Updated dependencies [
0c70d65c7
] - Updated dependencies [
76fd33b7e
]- @logto/phrases@1.11.0
- @logto/core-kit@2.5.0
1.16.0
Minor Changes
-
21bb35b12
: refactor the definition of hook event types- Add
DataHook
event types.DataHook
are triggered by data changes. - Add "interaction" prefix to existing hook event types. Interaction hook events are triggered by end user interactions, e.g. completing sign-in.
- Add
-
e8c41b164
: support organization custom dataNow you can save additional data associated with the organization with the organization-level
customData
field by:- Edit in the Console organization details page.
- Specify
customData
field when using organization Management APIs.
Patch Changes
- Updated dependencies [
5b03030de
] - Updated dependencies [
21bb35b12
] - Updated dependencies [
3486b12e8
]- @logto/phrases@1.10.1
- @logto/shared@3.1.1
1.15.0
Minor Changes
-
abffb9f95
: full oidc standard claims supportWe have added support for the remaining OpenID Connect standard claims. Now, these claims are accessible in both ID tokens and the response from the
/me
endpoint.Additionally, we adhere to the standard scopes - claims mapping. This means that you can retrieve most of the profile claims using the
profile
scope, and theaddress
claim can be obtained by using theaddress
scope.For all newly introduced claims, we store them in the
user.profile
field.![Note] Unlike other database fields (e.g.
name
), the claims stored in theprofile
field will fall back toundefined
rather thannull
. We refrain from using?? null
here to reduce the size of ID tokens, sinceundefined
fields will be stripped in tokens. -
2cbc591ff
: add oidc params variables and types- Add
ExtraParamsKey
enum for all possible OIDC extra parameters that Logto supports. - Add
FirstScreen
enum for thefirst_screen
parameter. - Add
extraParamsObjectGuard
guard andExtraParamsObject
type for shaping the extra parameters object in the OIDC authentication request.
- Add
-
cc01acbd0
: Create a new user through API with password digest and corresponding algorithm
Patch Changes
-
951865859
: ## Resolve third-party app's /interaction/consent endpoint 500 errorReproduction steps
- Create an organization scope with an empty description and assign this scope to a third-party application.
- Login to the third-party application and request the organization scope.
- Proceed through the interaction flow until reaching the consent page.
- An internal server error 500 is returned.
Root cause
For the
/interaction/consent
endpoint, the organization scope is returned alongside other resource scopes in themissingResourceScopes
property.In the
consentInfoResponseGuard
, we utilize the resource Scopes zod guard to validate themissingResourceScopes
property. However, the description field in the resource scope is mandatory while organization scopes'description is optional. An organization scope with an empty description will not pass the validation.Solution
Alter the resource scopes table to make the description field nullable. Related Scope zod guard and the consentInfoResponseGuard will be updated to reflect this change. Align the resource scopes table with the organization scopes table to ensure consistency.
-
Updated dependencies [
5758f84f5
] -
Updated dependencies [
57d97a4df
] -
Updated dependencies [
abffb9f95
] -
Updated dependencies [
746483c49
] -
Updated dependencies [
57d97a4df
] -
Updated dependencies [
cc01acbd0
] -
Updated dependencies [
57d97a4df
] -
Updated dependencies [
2c10c2423
]- @logto/phrases@1.10.0
- @logto/connector-kit@3.0.0
- @logto/core-kit@2.4.0
- @logto/phrases-experience@1.6.1
- @logto/shared@3.1.0
1.14.0
1.13.1
1.13.0
Minor Changes
-
a2ce0be46
: add tenant role enum and scope enum -
31e60811d
: use Node 20 LTS for engine requirement.Note: We mark it as minor because Logto is shipping with Docker image and it's not a breaking change for users.
-
32df9acde
: update Logto application schemas to support the new third-party application feature (Logto as IdP)- Applications table alteration. Add new column
is_third_party
to indicate if the application is a third-party application. - Create new table
application_user_consent_resource_scopes
to store the enabled user consent resource scopes for the third-party application. - Create new table
application_user_consent_organization_scopes
to store the enabled user consent organization scopes for the third-party application. - Create new table
application_user_consent_user_scopes
to store the enabled user consent user scopes for the third-party application. - Create new table
application_user_consent_organizations
to store the user granted organizations for the third-party application. - Create new table
application_sign_in_experiences
to store the application level sign-in experiences for the third-party application.
- Applications table alteration. Add new column
Patch Changes
9089dbf84
: upgrade TypeScript to 5.3.3- Updated dependencies [
acb7fd3fe
] - Updated dependencies [
9089dbf84
] - Updated dependencies [
04ec78a91
] - Updated dependencies [
32df9acde
] - Updated dependencies [
31e60811d
] - Updated dependencies [
570a4ea9e
] - Updated dependencies [
570a4ea9e
] - Updated dependencies [
6befe6014
]- @logto/shared@3.1.0
- @logto/connector-kit@2.1.0
- @logto/language-kit@1.1.0
- @logto/phrases-experience@1.6.0
- @logto/core-kit@2.3.0
- @logto/phrases@1.9.0
1.12.0
Minor Changes
-
9a7b19e49
: Add single sign-on (SSO) table and schema definitions- Add new sso_connectors table, which is used to store the SSO connector data.
- Add new user_sso_identities table, which is used to store the user's SSO identity data received from IdP through a SSO interaction.
- Add new single_sign_on_enabled column to the sign_in_experiences table, which is used to indicate if the SSO feature is enabled for the sign-in experience.
- Define new SSO feature related types
Patch Changes
3e92a2032
: refactor: add user ip to webhook event payload- Updated dependencies [
9a7b19e49
] - Updated dependencies [
becf59169
] - Updated dependencies [
b4f702a86
] - Updated dependencies [
9a7b19e49
]- @logto/phrases@1.8.0
- @logto/core-kit@2.2.1
- @logto/phrases-experience@1.5.0
1.11.0
Minor Changes
-
6727f629d
: feature: introduce multi-factor authenticationWe're excited to announce that Logto now supports multi-factor authentication (MFA) for your sign-in experience. Navigate to the "Multi-factor auth" tab to configure how you want to secure your users' accounts.
In this release, we introduce the following MFA methods:
- Authenticator app OTP: users can add any authenticator app that supports the TOTP standard, such as Google Authenticator, Duo, etc.
- WebAuthn (Passkey): users can use the standard WebAuthn protocol to register a hardware security key, such as biometric keys, Yubikey, etc.
- Backup codes:users can generate a set of backup codes to use when they don't have access to other MFA methods.
For a smooth transition, we also support to configure the MFA policy to require MFA for sign-in experience, or to allow users to opt-in to MFA.
Patch Changes
- Updated dependencies [
6727f629d
]- @logto/phrases@1.7.0
- @logto/phrases-experience@1.4.0
1.10.1
Patch Changes
46d0d4c0b
: convert private signing key type from string to JSON object, in order to provide additional information such as key ID and creation timestamp.- Updated dependencies [
87df417d1
] - Updated dependencies [
d24aaedf5
]- @logto/phrases@1.6.0
- @logto/connector-kit@2.0.0
- @logto/shared@3.0.0
1.10.0
Patch Changes
- Updated dependencies [
2c340d379
]- @logto/core-kit@2.2.0
1.9.2
Patch Changes
-
18181f892
: standardize id and secret generators- Remove
buildIdGenerator
export from@logto/shared
- Add
generateStandardSecret
andgenerateStandardShortId
exports to@logto/shared
- Align comment and implementation of
buildIdGenerator
in@logto/shared
- The comment stated the function will include uppercase letters by default, but it did not; Now it does.
- Use
generateStandardSecret
for all secret generation
- Remove
-
Updated dependencies [
18181f892
]- @logto/shared@3.0.0
- @logto/core-kit@2.1.2
1.9.1
Patch Changes
- Updated dependencies [
6f5a0acad
]- @logto/phrases-experience@1.3.1
- @logto/core-kit@2.1.1
1.9.0
Minor Changes
-
e8b0b1d02
: feature: password policySummary
This feature enables custom password policy for users. Now it is possible to guard with the following rules when a user is creating a new password:
- Minimum length (default:
8
) - Minimum character types (default:
1
) - If the password has been pwned (default:
true
) - If the password is exactly the same as or made up of the restricted phrases:
- Repetitive or sequential characters (default:
true
) - User information (default:
true
) - Custom words (default:
[]
)
- Repetitive or sequential characters (default:
If you are an existing Logto Cloud user or upgrading from a previous version, to ensure a smooth experience, we'll keep the original policy as much as possible:
The original password policy requires a minimum length of 8 and at least 2 character types (letters, numbers, and symbols).
Note in the new policy implementation, it is not possible to combine lower and upper case letters into one character type. So the original password policy will be translated into the following:
- Minimum length:
8
- Minimum character types:
2
- Pwned:
false
- Repetitive or sequential characters:
false
- User information:
false
- Custom words:
[]
If you want to change the policy, you can do it:
- Logto Console -> Sign-in experience -> Password policy.
- Update
passwordPolicy
property in the sign-in experience via Management API.
Side effects
- All new users will be affected by the new policy immediately.
- Existing users will not be affected by the new policy until they change their password.
- We removed password restrictions when adding or updating a user via Management API.
- Minimum length (default:
-
17fd64e64
: Support region option for s3 storage -
5d78c7271
: Addtype
field toroles
schema.type
can be either 'User' or 'MachineToMachine' in our case, this change distinguish between the two types of roles. Roles with type 'MachineToMachine' are not allowed to be assigned to users and 'User' roles can not be assigned to machine-to-machine apps. It's worth noting that we do not differentiate byscope
(orpermission
in Admin Console), so a scope can be assigned to both the 'User' role and the 'MachineToMachine' role simultaneously.
Patch Changes
f8408fa77
: rename the packagephrases-ui
tophrases-experience
f6723d5e2
: rename the packageui
toexperience
- Updated dependencies [
e8b0b1d02
] - Updated dependencies [
f8408fa77
] - Updated dependencies [
f6723d5e2
] - Updated dependencies [
310698b0d
]- @logto/phrases@1.5.0
- @logto/phrases-experience@1.3.0
- @logto/core-kit@2.1.0
- @logto/shared@2.0.1
1.8.0
Patch Changes
0b519e548
: allow non-http origins for application CORS
1.7.0
Minor Changes
5ccdd7f31
: Record daily active users
1.6.0
Minor Changes
-
ecbecd8e4
: various application improvements- Show OpenID Provider configuration endpoint in Console
- Configure "Rotate Refresh Token" in Console
- Configure "Refresh Token TTL" in Console
Patch Changes
- Updated dependencies [
e9c2c9a6d
] - Updated dependencies [
ecbecd8e4
]- @logto/core-kit@2.0.1
- @logto/phrases@1.4.1
1.5.0
Minor Changes
-
2cab3787c
: Add cloudflare configurations to system -
73666f8fa
: Provide new features for webhooksFeatures
- Manage webhooks via the Admin Console
- Securing webhooks by validating signature
- Allow to enable/disable a webhook
- Track recent execution status of a webhook
- Support multi-events for a webhook
Updates
- schemas: add
name
,events
,signingKey
, andenabled
fields to thehook
schema - core: change the
user-agent
value fromLogto (https://logto.io)
toLogto (https://logto.io/)
in the webhook request headers - core: deprecate
event
field in all hook-related APIs, useevents
instead - core: deprecate
retries
field in theHookConfig
for all hook-related APIs, now it will fallback to3
if not specified and will be removed in the future - core: add new APIs for webhook management
GET /api/hooks/:id/recent-logs
to retrieve recent execution logs(24h) of a webhookPOST /api/hooks/:id/test
to test a webhookPATCH /api/hooks/:id/signing-key
to regenerate the signing key of a webhook
- core: support query webhook execution stats(24h) via
GET /api/hooks/:id
andGET /api/hooks/:id
by specifyingincludeExecutionStats
query parameter - console: support webhook management
-
268dc50e7
: Support setting default API Resource from Console and API- New API Resources will not be treated as default.
- Added
PATCH /resources/:id/is-default
to settingisDefault
for an API Resource.- Only one default API Resource is allowed per tenant. Setting one API default will reset all others.
-
fa0dbafe8
: Add custom domain support
Patch Changes
497d5b526
: Support updating sign-in identifiers in user details form- Admin can now update user sign-in identifiers (username, email, phone number) in the user details form in user management.
- Other trivial improvements and fixes, e.g. input field placeholder, error handling, etc.
- Updated dependencies [
268dc50e7
] - Updated dependencies [
fa0dbafe8
] - Updated dependencies [
497d5b526
]- @logto/phrases@1.4.0
1.4.0
Minor Changes
-
5d6720805
: add configalwaysIssueRefreshToken
for web apps to unblock OAuth integrations that are not strictly conform OpenID Connect.when it's enabled, Refresh Tokens will be always issued regardless if
prompt=consent
was present in the authorization request.
Patch Changes
- Updated dependencies [
5d6720805
]- @logto/phrases@1.3.0
1.3.1
1.3.0
Patch Changes
-
beb6ebad5
: ## Add min length 1 type guard for all string typed db schema fieldsUpdate the
@logto/schemas
zod guard generation method to include a min length of 1 for all the required string typed db fields.
1.2.3
1.2.2
1.2.1
1.2.0
Patch Changes
457cb2822
: Adding social connectors will now mark the related get-started action item as completed.- Updated dependencies [
ae6a54993
] - Updated dependencies [
206fba2b5
] - Updated dependencies [
4945b0be2
] - Updated dependencies [
c5eb3a2ba
] - Updated dependencies [
5553425fc
] - Updated dependencies [
30033421c
]- @logto/phrases@1.2.0
- @logto/phrases-ui@1.2.0
- @logto/shared@2.0.0
- @logto/core-kit@2.0.0
- @logto/connector-kit@1.1.1
1.1.0
Patch Changes
- Updated dependencies [
f9ca7cc49
] - Updated dependencies [
37714d153
] - Updated dependencies [
f3d60a516
] - Updated dependencies [
5c50957a9
] - Updated dependencies [
e9e8a6e11
]- @logto/phrases@1.1.0
- @logto/phrases-ui@1.1.0
1.0.7
Patch Changes
5b4da1e3d
: force bump to fix npm publishment
1.0.1
Patch Changes
621b09ba1
: force version bump
1.0.0
Major Changes
-
c12717412
: Decouple users and admins💥 BREAKING CHANGES 💥
Logto was using a single port to serve both normal users and admins, as well as the web console. While we continuously maintain a high level of security, it’ll still be great to decouple these components into two separate parts to keep data isolated and provide a flexible infrastructure.
From this version, Logto now listens to two ports by default, one for normal users (
3001
), and one for admins (3002
).- Nothing changed for normal users. No adaption is needed.
- For admin users:
- The default Admin Console URL has been changed to
http://localhost:3002/console
. - To change the admin port, set the environment variable
ADMIN_PORT
. For instance,ADMIN_PORT=3456
. - You can specify a custom endpoint for admins by setting the environment variable
ADMIN_ENDPOINT
. For example,ADMIN_ENDPOINT=https://admin.your-domain.com
. - You can now completely disable admin endpoints by setting
ADMIN_DISABLE_LOCALHOST=1
and leavingADMIN_ENDPOINT
unset. - Admin Console and admin user data are not accessible via normal user endpoints, including
localhost
andENDPOINT
from the environment. - Admin Console no longer displays audit logs of admin users. However, these logs still exist in the database, and Logto still inserts admin user logs. There is just no convenient interface to inspect them.
- Due to the data isolation, the numbers on the dashboard may slightly decrease (admins are excluded).
- The default Admin Console URL has been changed to
If you are upgrading from a previous version, simply run the database alteration command as usual, and we'll take care of the rest.
Note
DID YOU KNOW
Under the hood, we use the powerful Postgres feature Row-Level Security to isolate admin and user data.
-
1c9160112
: Packages are now ESM. -
f41fd3f05
: drop settings table and add systems tableBREAKING CHANGES
- core: removed
GET /settings
andPATCH /settings
API - core: added
GET /configs/admin-console
andPATCH /configs/admin-console
API/configs/*
APIs are config/key-specific now. they may have different logic per key
- cli: change valid
logto db config
keys by removingalterationState
and addingadminConsole
since:- OIDC configs and admin console configs are tenant-level configs (the concept of "tenant" can be ignored until we officially announce it)
- alteration state is still a system-wide config
- core: removed
Minor Changes
-
343b1090f: Add demo social connectors for new tenant
-
f41fd3f05
: Replacepasscode
naming convention in the interaction APIs and main flow ui withverificationCode
. -
343b1090f: ### Add dynamic favicon and html title
-
Add the favicon field in the sign-in-experience branding settings. Users would be able to upload their own favicon. Use local logto icon as a fallback
-
Set different html title for different pages.
- sign-in
- register
- forgot-password
- logto
-
-
343b1090f: Allow admin tenant admin to create tenants without limitation
-
343b1090f: ### Add privacy policy url
In addition to the terms of service url, we also provide a privacy policy url field in the sign-in-experience settings. To better support the end-users' privacy declaration needs.
-
343b1090f: Add
sessionNotFoundRedirectUrl
tenant config- User can use this optional config to designate the URL to redirect if session not found in Sign-in Experience.
- Session guard now works for root path as well.
-
343b1090f: remove the branding style config and make the logo URL config optional
-
1c9160112
: ### Features- Enhanced user search params #2639
- Web hooks
Improvements
- Refactored Interaction APIs and Audit logs
-
343b1090f: ### Add custom content sign-in-experience settings to allow insert custom static html content to the logto sign-in pages
- feat: combine with the custom css, give the user the ability to further customize the sign-in pages
-
f41fd3f05
: Replace thesms
naming convention usingphone
cross logto codebase. Including Sign-in Experience types, API paths, API payload and internal variable names.
Patch Changes
-
e63f5f8b0
: Bump connector kit version to fix "Continue" issues on sending email/sms. -
38970fb88
: Fix a Sign-in experience bug that may block some users to sign in. -
343b1090f: Seed data for cloud
- cli!: remove
oidc
option fordatabase seed
command as it's unused - cli: add hidden
--cloud
option fordatabase seed
command to init cloud data - cli, cloud: appending Redirect URIs to Admin Console will deduplicate values before update
- move
UrlSet
andGlobalValues
to@logto/shared
- cli!: remove
-
7fb689b73
: Fix version lifecycle script -
2d45cc3e6
: Update alteration script names after versioning -
Updated dependencies [343b1090f]
-
Updated dependencies [343b1090f]
-
Updated dependencies [
c12717412
] -
Updated dependencies [
68f2d56a2
] -
Updated dependencies [343b1090f]
-
Updated dependencies [343b1090f]
-
Updated dependencies [343b1090f]
-
Updated dependencies [
38970fb88
] -
Updated dependencies [
c12717412
] -
Updated dependencies [343b1090f]
-
Updated dependencies [
c12717412
] -
Updated dependencies [343b1090f]
-
Updated dependencies [343b1090f]
-
Updated dependencies [
1c9160112
] -
Updated dependencies [343b1090f]
-
Updated dependencies [
1c9160112
]- @logto/phrases-ui@1.0.0
- @logto/phrases@1.0.0
- @logto/connector-kit@1.1.0
- @logto/core-kit@1.1.0
1.0.0-rc.1
Major Changes
-
c12717412
: Decouple users and admins💥 BREAKING CHANGES 💥
Logto was using a single port to serve both normal users and admins, as well as the web console. While we continuously maintain a high level of security, it’ll still be great to decouple these components into two separate parts to keep data isolated and provide a flexible infrastructure.
From this version, Logto now listens to two ports by default, one for normal users (
3001
), and one for admins (3002
).- Nothing changed for normal users. No adaption is needed.
- For admin users:
- The default Admin Console URL has been changed to
http://localhost:3002/console
. - To change the admin port, set the environment variable
ADMIN_PORT
. For instance,ADMIN_PORT=3456
. - You can specify a custom endpoint for admins by setting the environment variable
ADMIN_ENDPOINT
. For example,ADMIN_ENDPOINT=https://admin.your-domain.com
. - You can now completely disable admin endpoints by setting
ADMIN_DISABLE_LOCALHOST=1
and leavingADMIN_ENDPOINT
unset. - Admin Console and admin user data are not accessible via normal user endpoints, including
localhost
andENDPOINT
from the environment. - Admin Console no longer displays audit logs of admin users. However, these logs still exist in the database, and Logto still inserts admin user logs. There is just no convenient interface to inspect them.
- Due to the data isolation, the numbers on the dashboard may slightly decrease (admins are excluded).
- The default Admin Console URL has been changed to
If you are upgrading from a previous version, simply run the database alteration command as usual, and we'll take care of the rest.
Note
DID YOU KNOW
Under the hood, we use the powerful Postgres feature Row-Level Security to isolate admin and user data.
Patch Changes
- Updated dependencies [
c12717412
] - Updated dependencies [
c12717412
] - Updated dependencies [
c12717412
]- @logto/phrases@1.0.0-rc.1
- @logto/phrases-ui@1.0.0-rc.1
1.0.0-rc.0
Major Changes
-
f41fd3f0
: drop settings table and add systems tableBREAKING CHANGES
- core: removed
GET /settings
andPATCH /settings
API - core: added
GET /configs/admin-console
andPATCH /configs/admin-console
API/configs/*
APIs are config/key-specific now. they may have different logic per key
- cli: change valid
logto db config
keys by removingalterationState
and addingadminConsole
since:- OIDC configs and admin console configs are tenant-level configs (the concept of "tenant" can be ignored until we officially announce it)
- alteration state is still a system-wide config
- core: removed
Minor Changes
f41fd3f0
: Replacepasscode
naming convention in the interaction APIs and main flow ui withverificationCode
.f41fd3f0
: Replace thesms
naming convention usingphone
cross logto codebase. Including Sign-in Experience types, API paths, API payload and internal variable names.
1.0.0-beta.18
Patch Changes
df9e98dc
: Fix version lifecycle script
1.0.0-beta.17
Major Changes
1c916011
: Packages are now ESM.
Minor Changes
-
1c916011
: ### Features- Enhanced user search params #2639
- Web hooks
Improvements
- Refactored Interaction APIs and Audit logs
Patch Changes
- Updated dependencies [
1c916011
] - Updated dependencies [
1c916011
]- @logto/phrases@1.0.0-beta.17
- @logto/phrases-ui@1.0.0-beta.17
1.0.0-beta.16
Patch Changes
38970fb8
: Fix a Sign-in experience bug that may block some users to sign in.- Updated dependencies [
38970fb8
]- @logto/phrases@1.0.0-beta.16
1.0.0-beta.15
Patch Changes
- Bump connector kit version to fix "Continue" issues on sending email/sms.
1.0.0-beta.14
Patch Changes
2d45cc3e
: Update alteration script names after versioning
1.0.0-beta.13
Patch Changes
- Updated dependencies [
68f2d56a
]- @logto/phrases@1.0.0-beta.13
- @logto/phrases-ui@1.0.0-beta.13
All notable changes to this project will be documented in this file. See Conventional Commits for commit guidelines.
1.0.0-beta.12 (2022-10-19)
Bug Fixes
- add tables to schemas files (582f3d6)
- handle versioning when no
next-*.ts
found (#2202) (61336df) - make packages public (e24fd04)
1.0.0-beta.11 (2022-10-19)
Features
- cli:
db alteration deploy
command (a5280a2) - cli:
db seed oidc
command (911117a) - cli: get/set db config key (0eff1e3)
Bug Fixes
- add redirectURI validation on frontend & backend (#1874) (4b0970b)
- alteration script in dev (9ebb3dd)
1.0.0-beta.10 (2022-09-28)
Features
- core,schemas: add phrases schema and GET /custom-phrases/:languageKey route (#1905) (7242aa8)
- core,schemas: migration deploy cli (#1966) (7cc2f4d)
- core,schemas: use timestamp to version migrations (bb4bfd3)
- core: add POST /session/forgot-password/{email,sms}/send-passcode (#1963) (af2600d)
- core: add POST /session/forgot-password/{email,sms}/verify-passcode (#1968) (1ea39f3)
- core: add POST /session/forgot-password/reset (#1972) (acdc86c)
- core: machine to machine apps (cd9c697)
- schemas: add logto configs table (#1940) (577ca48)
Bug Fixes
- bump react sdk and essentials toolkit to support CJK characters in idToken (2f92b43)
- core,schemas: move alteration types into schemas src (#2005) (10c1be6)
1.0.0-beta.9 (2022-09-07)
Note: Version bump only for package @logto/schemas
1.0.0-beta.8 (2022-09-01)
Note: Version bump only for package @logto/schemas
1.0.0-beta.6 (2022-08-30)
Note: Version bump only for package @logto/schemas
1.0.0-beta.5 (2022-08-19)
Note: Version bump only for package @logto/schemas
1.0.0-beta.4 (2022-08-11)
Features
- core,schemas: add application secret (#1715) (543ee04)
- schemas: guard string max length (#1737) (cdf210d)
1.0.0-beta.3 (2022-08-01)
Note: Version bump only for package @logto/schemas
1.0.0-beta.2 (2022-07-25)
Note: Version bump only for package @logto/schemas
1.0.0-beta.1 (2022-07-19)
Features
1.0.0-beta.0 (2022-07-14)
Note: Version bump only for package @logto/schemas
1.0.0-alpha.4 (2022-07-08)
Features
1.0.0-alpha.3 (2022-07-07)
Note: Version bump only for package @logto/schemas
1.0.0-alpha.2 (2022-07-07)
Bug Fixes
1.0.0-alpha.1 (2022-07-05)
Note: Version bump only for package @logto/schemas
1.0.0-alpha.0 (2022-07-04)
Note: Version bump only for package @logto/schemas
0.1.2-alpha.5 (2022-07-03)
Note: Version bump only for package @logto/schemas
0.1.2-alpha.4 (2022-07-03)
Note: Version bump only for package @logto/schemas
0.1.2-alpha.3 (2022-07-03)
Note: Version bump only for package @logto/schemas
0.1.2-alpha.2 (2022-07-02)
Note: Version bump only for package @logto/schemas
0.1.2-alpha.1 (2022-07-02)
Note: Version bump only for package @logto/schemas
0.1.2-alpha.0 (2022-07-02)
Note: Version bump only for package @logto/schemas
0.1.1-alpha.0 (2022-07-01)
Features
- console,ui: generate dark mode color in console (#1231) (f72b21d)
- console: add application column in user management (#728) (a035587)
- console: add column lastSignIn in user management (#679) (a0b4b98)
- console: audit log table (#1000) (fdd12de)
- console: configure cors-allowed-origins (#695) (4a0577a)
- console: dark logo (#860) (664a218)
- console: hide get-started page on clicking 'Hide this' button (7fd42fd)
- console: integrate dark mode settings (a04f818)
- console: log details page (#1064) (0421195)
- console: sie form reorg (#1218) (2c41334)
- console: sign in exp guide (#755) (bafd094)
- console: support persisting get-started progress in settings config (43b2309)
- core,console: social connector targets (#851) (127664a)
- core,schemas: koaLogSession middleware (#767) (4e60446)
- core,schemas: log IP and user agent (#682) (0ecb7e4)
- core,schemas: log token exchange success (#809) (3b048a8)
- core,schemas: save application id that the user first consented (#688) (4521c3c)
- core: add experience configs (#745) (08904b8)
- core: add role table seed (#1145) (837ad52)
- core: add sign-in-mode (#1132) (f640dad)
- core: grantRevokedListener for logging revocation of access and refresh token (#900) (e5196fc)
- core: log error body (#1065) (2ba1121)
- core: log sending passcode with connector id (#824) (82c7138)
- core: update connector db schema (#732) (8e1533a)
- demo-app: implementation (#982) (7f4f4f8)
- demo-app: implementation (3/3) (#1021) (91e2f05)
- demo-app: show notification in main flow (#1038) (90ca76e)
- remove target, platform from connector schema and add id to metadata (#930) (054b0f7)
- schemas: create log indices on application id and user id (#933) (bf6e08c)
- schemas: make users.avatar URL length 2048 (#1141) (3ac01d7)
- update field check rules (#854) (85a407c)
- use user level custom data to save preferences (#1045) (f2b44b4)