
Releases: logto-io/logto

v1.7.0

31 Jul 12:48
v1.7.0
74e9734

It has been a busy month, and we just launched Logto Cloud! Meanwhile, we also improved our OSS with some new features:

Feature updates

  • Added translate sync-keys command in CLI. This command is helpful for syncing keys from one language to another. See Translation for details.
  • Added SMSAero connector (credit @evist0).
  • Allow editing refresh token time-to-live (TTL) for applications except machine-to-machine.

We are gradually shifting resources back to OSS and we'll bring more exciting features this year. Stay tuned.

v1.6.0

28 Jun 14:19
v1.6.0
53131ad

Features

Application details page in Console

  • Added OpenID Provider configuration endpoint display
  • Added application "Rotate Refresh Token" toggle
  • Added application "Refresh Token TTL" configuration

Fixes

  • Fix interaction issues of sign-in experience preview in Console

v1.5.0

07 Jun 04:49
v1.5.0
3acb0d2

Security update

Enabled Content Security Policy (CSP) header check

Removed the report-only flag from the Content Security Policy (CSP) header for both Console and Sign-in Experience. Before upgrading, ensure your endpoints are configured correctly and that no CSP errors appear in the browser's console; otherwise the frontend may break in this version.

Feature updates

Webhook in Console

We're thrilled to introduce the new Webhook feature in Logto Console, making integration and real-time event notifications a breeze. Here's what's new:

  • Easy Configuration: Configure webhooks effortlessly by multi-selecting events like user registration, sign-in, and password reset. One-click testing of payload delivery ensures smooth setup.
  • Enhanced Security: Each webhook is assigned an auto-generated Signing Key, ensuring the authenticity of payload data from Logto. Customize headers to add extra context.
  • Monitor Webhook Health: Keep an eye on webhook performance with success rates and request times in the last 24 hours. Access independent logs of recent requests for easy troubleshooting.

Note
If you were using Webhooks via the Management API, some API details have changed in a backward-compatible way, so you can safely upgrade to this version.
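How a webhook receiver can use the Signing Key to reject forged or altered deliveries, as an added example that is not Logto's own code. It assumes the signature is a hex HMAC-SHA-256 of the raw request body sent in a `logto-signature-sha-256` header (confirm both against the Logto webhook documentation); the key, payload and function names are constructed for the example.

```javascript
// Added example, not Logto's code. Assumed scheme: hex HMAC-SHA-256 of the
// raw request body, keyed with the webhook's Signing Key.
const { createHmac, timingSafeEqual } = require('node:crypto');

const SIGNATURE_HEADER = 'logto-signature-sha-256'; // assumed header name

function computeSignature(signingKey, rawBody) {
  return createHmac('sha256', signingKey).update(rawBody).digest('hex');
}

// Returns { ok, reason }. rawBody must be the exact bytes received, before any
// JSON parsing: re-serializing the payload changes the bytes and the MAC.
function verifyWebhook(signingKey, headers, rawBody) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const received = lower[SIGNATURE_HEADER];
  if (typeof received !== 'string' || !/^[0-9a-f]{64}$/i.test(received)) {
    return { ok: false, reason: 'missing or malformed signature' };
  }
  const expected = Buffer.from(computeSignature(signingKey, rawBody), 'hex');
  const given = Buffer.from(received, 'hex');
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw.
  if (!timingSafeEqual(expected, given)) {
    return { ok: false, reason: 'signature mismatch' };
  }
  return { ok: true, reason: 'verified' };
}

// Constructed sample delivery (key and payload are made up for this example).
const SAMPLE_KEY = 'example-signing-key';
const SAMPLE_BODY = Buffer.from('{"event":"PostSignIn","userId":"u_123"}');
const SAMPLE_HEADERS = {
  'Logto-Signature-Sha-256': computeSignature(SAMPLE_KEY, SAMPLE_BODY),
};

function demo() {
  const tampered = Buffer.from('{"event":"PostSignIn","userId":"u_999"}');
  return {
    genuine: verifyWebhook(SAMPLE_KEY, SAMPLE_HEADERS, SAMPLE_BODY),
    tampered: verifyWebhook(SAMPLE_KEY, SAMPLE_HEADERS, tampered),
    wrongKey: verifyWebhook('other-key', SAMPLE_HEADERS, SAMPLE_BODY),
    unsigned: verifyWebhook(SAMPLE_KEY, {}, SAMPLE_BODY),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real receiver, capture the body as a Buffer before any JSON middleware runs, and return a non-2xx status without processing the event when `ok` is false.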

Support setting default API Resource from Console and API

Logto leverages RFC 8707: Resource Indicators for OAuth 2.0 to implement Role-Based Access Control (RBAC). While it is one of the features of OAuth 2.0, it is not yet widely supported.

In Logto's implementation, every user-defined permission (scope) must be associated with an API Resource. Otherwise, it will be treated as an OpenID Connect (or OAuth) permission. Generally, this doesn't affect your authorization process. However, when integrating with third-party apps that lack support for RFC 8707 (e.g., ChatGPT plugins), it can pose challenges since the initial authorization request may not include a resource parameter. Consequently, Logto will always issue Opaque Access Tokens.

To address this issue, you can now designate an API Resource as the tenant-level default resource from the details page of that API Resource.

See the documentation to learn what will be affected after turning it on.

Support updating sign-in identifiers in user details form

Admin can now update user sign-in identifiers (username, email, phone number) in the user details form in user management.

Fixes

  • Reset password webhooks will be correctly triggered
  • Bumped oidc-provider version to v8.2.2. This version fixes a bug that prevented the revoked scopes from being removed from the access token.

v1.4.0

23 May 15:06
v1.4.0
4f1e29a

This version brings us one step closer to resolving issue #3344. We are actively working on a backward-compatible solution for authorization.

Below are some articles that demonstrate how to use Logto as an OAuth or OIDC Identity Provider:

Feature updates

Introducing the "Always issue Refresh Token" configuration for web apps

The "Always issue Refresh Token" toggle

Turning on this toggle ensures that Refresh Tokens are always issued, regardless of whether prompt=consent was included in the authorization request or if offline_access was specified in the scope.

Patch updates

  • Improved compatibility by parsing requests with application/json content-type for /oidc APIs.
  • Automated synchronization of trusted social email and phone information for newly registered users, irrespective of the sign-up identifier configuration.
    • For example: Previously, if the "email" was not set as a sign-up identifier (meaning a valid email connector had to be configured and enabled) and Google sign-in was added, the emails from new users would not be synchronized.
    • Starting from v1.4.0, this requirement has been removed, as "social sign-in only" scenarios are not uncommon in real-world cases.

v1.3.1

18 May 14:45
v1.3.1
dc41d5d

Patch update

  • Disable PKCE requirement for Traditional Web apps. Now Logto should be able to integrate with most projects that support OAuth identity providers, such as ChatGPT plugins.

We'll post some tutorials soon.

v1.3.0

16 May 05:11
v1.3.0
404fe9a

Note
Our brand new blog just landed. Let's enjoy the new design and beautiful illustrations by @Rany0101.

Feature updates

  • Support CLI arguments in @logto/create (#2206 #3777)

  • Provide Management APIs to help link social identities to user

    • POST /users/:userId/identities to link a social identity to a user
    • POST /connectors/:connectorId/authorization-uri to get the authorization URI for a connector

Improvements

  • Except for interaction APIs, API response schemas and status codes are now available in /api/swagger.json. They are also available at https://docs.logto.io/api/.

Bug fix

  • SAML connector: Should ignore empty number input box when parsing connector config form.

v1.2.3

27 Apr 12:15
v1.2.3
4bba658

Connectors

  • Alipay (web), Discord, Facebook, GitHub, Google, WeChat (web) connectors now support custom scope.
  • Use node resolution to support crypto.getRandomValues in connectors, fixes an error in the AWS SES connector.

v1.2.2

27 Apr 05:03
v1.2.2
dd24aaf

This release contains only internal engineering improvements.

v1.2.0

18 Apr 13:33
v1.2.0
8588903

Note
We've received valuable feedback from our community since launching Logto Cloud (Preview) and OSS General Availability. Thank you!

Over the past month, we've been focused on enhancing Logto's functionality, fixing bugs, and improving its security features. Additionally, we're working on developing a reasonable pricing model and finalizing the details. If you're interested, please don't hesitate to contact us.

Feature updates

  1. Redis cache support: We’ve added support for Redis as a central cache for well-known data. This will allow for faster and more efficient data retrieval. See 🗄️ Enable central cache for details.

  2. New CLI command: We’ve added a new CLI command logto connector link to link local connectors without downloading from the remote. See Manage connectors for details.

  3. Translation updates: We’ve added Italian (it) and Polish (pl-PL) translations to make Logto more accessible to users worldwide.

  4. Console updates:

    • The web console now supports creating users with multiple identifiers, such as email, phone number, and username.
      Create user in Console

    • On the user details page, you can now suspend or reactivate a user from the "more options" menu (accessible by clicking the three-dot button in the top right corner).
      More options for a user

  5. Two new Management APIs:

    1. POST /users/:userId/password/verify will allow you to verify a user's password;
    2. GET /users/:userId/has-password will allow you to check if a user has a password.

Security update

We've applied various security headers to server responses. Violations are currently report-only; we'll enforce the headers in the next version.

In most cases, no action is required. Please see #3590 and #3613 for details.

Bug fix

  • We've removed all deprecated values in the filter and fixed the filter functionality on the web console's Audit Logs tab.
  • Fixed pt-BR phrase by @flaviofiori in #3656

Coming soon

Other important features we're planning for this year include SSO, MFA, and Organizations. Stay tuned!

Full Changelog: v1.1.0...v1.2.0

v1.1.0

30 Mar 11:58
v1.1.0
ad13427

Language support

  • update 한국어 translation by @Alanimdeo
  • update Français and Deutsch translation
  • add Русский translation for console
  • add Español, 日本語, 繁體中文 translation

Note
Except for 한국어, the other languages are credited to ChatGPT.

Others

This release also includes various improvements and bug fixes.

Full Changelog: v1.0.3...v1.1.0