diff --git a/.schemastore/config.schema.json b/.schemastore/config.schema.json
index 3a8297d9d1c7..cdd2190c4c77 100644
--- a/.schemastore/config.schema.json
+++ b/.schemastore/config.schema.json
@@ -99,7 +99,7 @@
 "type": "object", "properties": { "hook": {
- "const": "b2b_sso"
+ "enum": ["b2b_sso", "organization"]
 }, "config": { "type": "object",
@@ -225,6 +225,10 @@
 "title": "Web-Hook Configuration", "description": "Define what the hook should do", "properties": {
+ "id": {
+ "type": "string",
+ "description": "The ID of the hook. Used to identify the hook in logs and errors. For debugging purposes only."
+ },
 "response": { "title": "Response Handling", "description": "How the web hook should handle the response",
@@ -324,7 +328,7 @@
 "response": { "properties": { "ignore": {
- "enum": [true]
+ "const": true
 } }, "required": ["ignore"]
@@ -336,7 +340,7 @@
 { "properties": { "can_interrupt": {
- "enum": [false]
+ "const": false
 } }, "require": ["can_interrupt"]
@@ -453,10 +457,12 @@
 "netid", "dingtalk", "patreon",
+ "line",
 "linkedin", "linkedin_v2", "lark",
- "x"
+ "x",
+ "fedcm-test"
 ], "examples": ["google"] },
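Review bot: The new `id` property in the -225 hunk is the only entry in this `properties` map without a `title`, and it carries no length or character constraint even though its description says the value is echoed into logs and error messages. I would add `"title": "Hook ID"` and bound the value, e.g. `"maxLength": 64, "pattern": "^[a-zA-Z0-9_.-]+$"`, so a stray configuration value cannot put arbitrary text into log lines; the exact limits are a guess to be confirmed against the logging code. The enclosing web-hook configuration object starts before and ends after this hunk.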
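Review bot: The `can_interrupt` branch in the -336 hunk keeps `"require": ["can_interrupt"]` in its context line, which is not a JSON Schema keyword and is silently ignored by validators, so unlike the sibling `ignore` branch in the -324 hunk (`"required": ["ignore"]`) this branch never actually requires the property. Since the commit already tightens the branch from `"enum": [false]` to `"const": false`, the same change should correct the keyword: `"required": ["can_interrupt"]`. The combinator that holds these branches starts before the hunk, so I cannot tell whether the missing requirement currently makes the branches overlap.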
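Review bot: `"fedcm-test"` in the -453 hunk is the only hyphenated value in the provider enum (every other multi-word value, such as `linkedin_v2`, uses an underscore), and its name suggests a test-only provider that the published schema now advertises as a valid production choice. If it exists for an integration test suite, say so in the provider property's description (which lives outside this hunk) so operators do not select it by accident, and consider whether it belongs in the public schema at all. `"line"` looks like a genuine provider addition and needs no change.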
@@ -517,7 +523,7 @@ }, "subject_source": { "title": "Microsoft subject source", - "description": "Controls which source the subject identifier is taken from by microsoft provider. If set to `userinfo` (the default) then the identifier is taken from the `sub` field of OIDC ID token or data received from `/userinfo` standard OIDC endpoint. If set to `me` then the `id` field of data structure received from `https://graph.microsoft.com/v1.0/me` is taken as an identifier.", + "description": "Controls which source the subject identifier is taken from by microsoft provider. If set to `userinfo` (the default) then the identifier is taken from the `sub` field of OIDC ID token or data received from `/userinfo` standard OIDC endpoint. If set to `me` then the `id` field of data structure received from `https://graph.microsoft.com/v1.0/me` is taken as an identifier. If the value is `oid` then the the oid (Object ID) is taken to identify users across different services.", "type": "string", "enum": ["userinfo", "me", "oid"], "default": "userinfo", @@ -574,6 +580,19 @@ "type": "string", "enum": ["auto", "never", "force"], "default": "auto" + }, + "fedcm_config_url": { + "title": "Federation Configuration URL", + "description": "The URL where the FedCM IdP configuration is located for the provider. This is only effective in the Ory Network.", + "type": "string", + "format": "uri", + "examples": ["https://example.com/config.json"] + }, + "net_id_token_origin_header": { + "title": "NetID Token Origin Header", + "description": "Contains the orgin header to be used when exchanging a NetID FedCM token for an ID token", + "type": "string", + "examples": ["https://example.com"] } }, "additionalProperties": false, @@ -696,7 +715,7 @@ "uniqueItems": true, "additionalItems": false }, - "selfServiceAfterSettingsMethod": { + "selfServiceAfterSettingsProfileMethod": { "type": "object", "additionalProperties": false, "properties": { 
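Review bot: The extended `subject_source` description in the -517 hunk contains a doubled word, "then the the oid (Object ID)". The sentence should match the `If set to …` phrasing of the two before it, e.g. "If set to `oid` then the `oid` (Object ID) claim is used as the identifier, which stays stable for the same user across different services." The `enum` already lists `oid`, so only the wording changes.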
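Review bot: `net_id_token_origin_header` in the -574 hunk is a bare string with no `format` or `pattern`, although its example `https://example.com` and its purpose (the value of an `Origin` header sent during the NetID token exchange) imply a scheme plus host and optional port with no path; its new sibling `fedcm_config_url` does declare `"format": "uri"`. Adding `"format": "uri"` and `"pattern": "^https?://[^/]+$"` would reject values with a trailing path or missing scheme, which an IdP is unlikely to accept as an origin (I cannot see the exchange code, so treat the pattern as a proposal). The description also misspells "orgin"; suggest `Contains the Origin header value to be used when exchanging a NetID FedCM token for an ID token.`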
@@ -709,6 +728,12 @@ "anyOf": [ { "$ref": "#/definitions/selfServiceWebHook" + }, + { + "$ref": "#/definitions/selfServiceShowVerificationUIHook" + }, + { + "$ref": "#/definitions/b2bSSOHook" } ] }, @@ -741,6 +766,33 @@ } } }, + "selfServiceAfterDefaultLoginMethodHooks": { + "type": "array", + "items": { + "anyOf": [ + { + "$ref": "#/definitions/selfServiceSessionRevokerHook" + }, + { + "$ref": "#/definitions/selfServiceRequireVerifiedAddressHook" + }, + { + "$ref": "#/definitions/selfServiceWebHook" + }, + { + "$ref": "#/definitions/selfServiceVerificationHook" + }, + { + "$ref": "#/definitions/selfServiceShowVerificationUIHook" + }, + { + "$ref": "#/definitions/b2bSSOHook" + } + ] + }, + "uniqueItems": true, + "additionalItems": false + }, "selfServiceAfterDefaultLoginMethod": { "type": "object", "additionalProperties": false, @@ -749,28 +801,7 @@ "$ref": "#/definitions/defaultReturnTo" }, "hooks": { - "type": "array", - "items": { - "anyOf": [ - { - "$ref": "#/definitions/selfServiceSessionRevokerHook" - }, - { - "$ref": "#/definitions/selfServiceRequireVerifiedAddressHook" - }, - { - "$ref": "#/definitions/selfServiceWebHook" - }, - { - "$ref": "#/definitions/selfServiceVerificationHook" - }, - { - "$ref": "#/definitions/selfServiceShowVerificationUIHook" - } - ] - }, - "uniqueItems": true, - "additionalItems": false + "$ref": "#/definitions/selfServiceAfterDefaultLoginMethodHooks" } } }, @@ -867,7 +898,7 @@ "$ref": "#/definitions/selfServiceAfterSettingsAuthMethod" }, "profile": { - "$ref": "#/definitions/selfServiceAfterSettingsMethod" + "$ref": "#/definitions/selfServiceAfterSettingsProfileMethod" }, "hooks": { "$ref": "#/definitions/selfServiceHooks" 
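Review bot: The new shared `selfServiceAfterDefaultLoginMethodHooks` definition in the -741 hunk includes `b2bSSOHook`, but the per-method list it replaces in the -749 hunk did not; only the flow-level list removed at -912 previously allowed it. Wiring the shared definition in at -749 therefore silently widens what `hooks` accepts for each individual login method, and if the runtime does not execute the `b2b_sso`/`organization` hook per method the schema will now accept configuration that is ignored. If the widening is intended, a `"description": "Hooks accepted after login, both at flow level and per method."` on the new definition would record that the two lists are meant to be identical.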
@@ -912,31 +943,7 @@ "$ref": "#/definitions/selfServiceAfterDefaultLoginMethod" }, "hooks": { - "type": "array", - "items": { - "anyOf": [ - { - "$ref": "#/definitions/selfServiceWebHook" - }, - { - "$ref": "#/definitions/selfServiceSessionRevokerHook" - }, - { - "$ref": "#/definitions/selfServiceRequireVerifiedAddressHook" - }, - { - "$ref": "#/definitions/selfServiceVerificationHook" - }, - { - "$ref": "#/definitions/selfServiceShowVerificationUIHook" - }, - { - "$ref": "#/definitions/b2bSSOHook" - } - ] - }, - "uniqueItems": true, - "additionalItems": false + "$ref": "#/definitions/selfServiceAfterDefaultLoginMethodHooks" } } }, @@ -1281,8 +1288,16 @@ "enable_legacy_one_step": { "type": "boolean", "title": "Disable two-step registration", - "description": "Two-step registration is a significantly improved sign up flow and recommended when using more than one sign up methods. To revert to one-step registration, set this to `true`.", + "description": "Deprecated, please use `style` instead.", + "deprecationMessage": "Deprecated, please use `style` instead.", "default": false + }, + "style": { + "title": "Registration Flow Style", + "description": "The style of the registration flow. If set to `unified` the login flow will be a one-step process. If set to `profile_first` the registration flow will first ask for the profile information first, and then the credentials.", + "type": "string", + "enum": ["unified", "profile_first"], + "default": "profile_first" } } }, @@ -1505,6 +1520,7 @@ "base_url": { "title": "Override the base URL which should be used as the base for recovery and verification links.", "type": "string", + "deprecationMessage": "This option has no effect, because the request URL is now used as the base URL.", "examples": ["https://my-app.com"] }, "lifespan": { 
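Review bot: The new `style` property in the -1281 hunk describes `unified` as making "the login flow" one-step, but it sits in the registration flow next to `enable_legacy_one_step`, so the sentence should read "If set to `unified` the registration flow will be a one-step process."; the `profile_first` sentence also says "first" twice. The hunk leaves the precedence between the deprecated `enable_legacy_one_step: true` and `style` undocumented, yet the old key keeps `"default": false` and remains accepted, so `style`'s description should state which one wins when both are set. `enable_legacy_one_step` also retains the title `Disable two-step registration`; marking it as deprecated there too would keep generated documentation consistent.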
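Review bot: The `deprecationMessage` added to `base_url` in the -1505 hunk says "the request URL is now used as the base URL" for recovery and verification links without saying whether that means the base URL configured for the endpoint that received the request or the URL as sent by the client. If it is the latter, links would be built from whatever host the incoming request carries, which is exactly what a fixed `base_url` exists to prevent, so the message should name the source explicitly, e.g. `This option has no effect; links are built from the public base URL configured for the endpoint that received the request.` — to be confirmed against the link-building code. The `lifespan` sibling after the hunk is unaffected.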
@@ -1582,11 +1598,17 @@ "default": "1h", "examples": ["1h", "1m", "1s"] }, + "max_submissions": { + "type": "integer", + "title": "Maximum number of times the code can be submitted before a flow is invalidated", + "minimum": 1, + "maximum": 255, + "default": 5 + }, "missing_credential_fallback_enabled": { "type": "boolean", "title": "Enable Code OTP as a Fallback", "description": "Enabling this allows users to sign in with the code method, even if their identity schema or their credentials are not set up to use the code method. If enabled, a verified address (such as an email) will be used to send the code to the user. Use with caution and only if actually needed.", - "default": false } } @@ -1696,6 +1718,18 @@ } ] }, + "body": { + "type": "string", + "format": "uri", + "pattern": "^(http|https|file|base64)://", + "description": "URI pointing to the jsonnet template used for payload generation. Only used for those HTTP methods, which support HTTP body payloads", + "examples": [ + "file:///path/to/body.jsonnet", + "file://./body.jsonnet", + "base64://ZnVuY3Rpb24oY3R4KSB7CiAgaWRlbnRpdHlfaWQ6IGlmIGN0eFsiaWRlbnRpdHkiXSAhPSBudWxsIHRoZW4gY3R4LmlkZW50aXR5LmlkLAp9=", + "https://oryapis.com/default_body.jsonnet" + ] + }, "additionalProperties": false } } @@ -1893,7 +1927,6 @@ "description": "A list of explicit RP origins. If left empty, this defaults to either `origin` or `id`, prepended with the current protocol schema (HTTP or HTTPS).", "items": { "type": "string", - "format": "uri", "examples": [ "https://www.ory.sh", "https://auth.ory.sh" @@ -2043,6 +2076,9 @@ "properties": { "email": { "$ref": "#/definitions/emailCourierTemplate" + }, + "sms": { + "$ref": "#/definitions/smsCourierTemplate" } }, "required": ["email"] 
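Review bot: Removing `"default": false` in the -1582 hunk leaves the preceding context line `"description": "Enabling this allows … only if actually needed.",` with a trailing comma directly before `}`, which is invalid under RFC 8259 and will be rejected by strict schema loaders. Either drop the comma on the description line or keep the default; dropping it also leaves the boolean's default undocumented, so I would keep `"default": false` unless the default now depends on something else, in which case the description should say so. The new `max_submissions` property has a `title` but no `description`; one sentence such as `After this many incorrect code submissions the flow is invalidated and a new flow must be started.` would document the lockout behaviour the 1–255 bound is protecting.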
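Review bot: The `body` property inserted in the -1696 hunk is followed in context by `"additionalProperties": false` before the closing braces, which places that keyword inside the `properties` map as a sibling of `body` rather than on the enclosing object schema (the same misplacement is visible in the `request_config` block removed at -2186). Inside `properties` it merely declares a property literally named `additionalProperties` with the schema `false`, so unknown keys in this request configuration are still accepted. Move it after the `}` that closes `properties`; the enclosing object begins before the hunk, so I cannot see its full shape. The description should also note that `http(s)://` template URIs are fetched at runtime and should point only at trusted, TLS-protected sources.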
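Review bot: Dropping `"format": "uri"` from the RP `origins` items in the -1893 hunk removes the only validation on a list that decides which web origins may complete WebAuthn ceremonies, and the hunk gives no reason (presumably a validator rejected a valid origin). A `"pattern": "^https?://[^/]+$"` would keep out a missing scheme or trailing path while accepting any host and port; if the motivation was that `format` is enforced by the validator used here, that deserves a line in the commit message. The examples after the hunk still show scheme plus host only, which the pattern accepts.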
@@ -2135,7 +2171,7 @@
 "smtps://subdomain.my-mailserver:1234/?server_name=my-mailserver (allows TLS to work if the server is hosted on a sudomain that uses a non-wildcard domain certificate)" ], "type": "string",
- "pattern": "^smtps?:\\/\\/.*"
+ "pattern": "^smtps?://.*"
 }, "client_cert_path": { "title": "SMTP Client certificate path",
@@ -2186,76 +2222,6 @@ }, "additionalProperties": false }, - "sms": { - "title": "SMS sender configuration", - "description": "Configures outgoing sms messages using HTTP protocol with generic SMS provider", - "type": "object", - "properties": { - "enabled": { - "description": "Determines if SMS functionality is enabled", - "type": "boolean", - "default": false - }, - "from": { - "title": "SMS Sender Address", - "description": "The recipient of a sms will see this as the sender address.", - "type": "string", - "default": "Ory Kratos" - }, - "request_config": { - "type": "object", - "properties": { - "url": { - "title": "HTTP address of API endpoint", - "description": "This URL will be used to connect to the SMS provider.", - "examples": ["https://api.twillio.com/sms/send"], - "type": "string", - "pattern": "^https?:\\/\\/.*" - }, - "method": { - "type": "string", - "description": "The HTTP method to use (GET, POST, etc)." - }, - "headers": { - "type": "object", - "description": "The HTTP headers that must be applied to request", - "additionalProperties": { - "type": "string" - } - }, - "body": { - "type": "string", - "format": "uri", - "pattern": "^(http|https|file|base64)://", - "description": "URI pointing to the jsonnet template used for payload generation. 
Only used for those HTTP methods, which support HTTP body payloads", - "examples": [ - "file:///path/to/body.jsonnet", - "file://./body.jsonnet", - "base64://ZnVuY3Rpb24oY3R4KSB7CiAgaWRlbnRpdHlfaWQ6IGlmIGN0eFsiaWRlbnRpdHkiXSAhPSBudWxsIHRoZW4gY3R4LmlkZW50aXR5LmlkLAp9=", - "https://oryapis.com/default_body.jsonnet" - ] - }, - "auth": { - "type": "object", - "title": "Auth mechanisms", - "description": "Define which auth mechanism to use for auth with the SMS provider", - "oneOf": [ - { - "$ref": "#/definitions/webHookAuthApiKeyProperties" - }, - { - "$ref": "#/definitions/webHookAuthBasicAuthProperties" - } - ] - }, - "additionalProperties": false - }, - "required": ["url", "method"], - "additionalProperties": false - } - }, - "additionalProperties": false - }, "channels": { "type": "array", "items": { @@ -2265,7 +2231,7 @@ "id": { "type": "string", "title": "Channel id", - "description": "The channel id. Corresponds to the .via property of the identity schema for recovery, verification, etc. Currently only phone is supported.", + "description": "The channel id. Corresponds to the .via property of the identity schema for recovery, verification, etc. Currently only sms is supported.", "maxLength": 32, "enum": ["sms"] }, @@ -2536,7 +2502,7 @@ "additionalProperties": false }, "tracing": { - "$ref": "https://raw.githubusercontent.com/ory/x/v0.0.660/otelx/config.schema.json" + "$ref": "https://raw.githubusercontent.com/ory/kratos/1a0d0f71c/oryx/otelx/config.schema.json" }, "log": { "title": "Log", 
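Review bot: The `tracing` `$ref` in the -2536 hunk pins the remote schema to the abbreviated commit `1a0d0f71c` in `ory/kratos`; short hashes are not guaranteed to stay unique as the repository grows, whereas the previous reference used a tag (`v0.0.660`). Use the full 40-character SHA or a tag, and since the referenced file `oryx/otelx/config.schema.json` now lives in this repository, consider a relative `$ref` to it (if the publishing pipeline resolves local references) so validation does not depend on a network fetch from raw.githubusercontent.com.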
@@ -2623,6 +2589,12 @@ "https://foo.bar.com/path/to/identity.traits.schema.json", "base64://ewogICIkc2NoZW1hIjogImh0dHA6Ly9qc29uLXNjaGVtYS5vcmcvZHJhZnQtMDcvc2NoZW1hIyIsCiAgInR5cGUiOiAib2JqZWN0IiwKICAicHJvcGVydGllcyI6IHsKICAgICJiYXIiOiB7CiAgICAgICJ0eXBlIjogInN0cmluZyIKICAgIH0KICB9LAogICJyZXF1aXJlZCI6IFsKICAgICJiYXIiCiAgXQp9" ] + }, + "selfservice_selectable": { + "type": "boolean", + "title": "Is the schema enabled in self-service flows", + "description": "If set to true, this schema can be used explicity in self-service flows by setting `identity_schema` query parameter to the schema's ID.", + "default": false } }, "required": ["id", "url"] @@ -2655,6 +2627,23 @@ }, "uniqueItems": true }, + "pagination": { + "type": "array", + "title": "Secrets to encrypt the pagination token", + "description": "To avoid clients reverse-engineering and relying on the implementation details of the pagination token, it is encrypted with these keys", + "items": { + "type": "string", + "minLength": 16 + }, + "minItems": 1, + "examples": [ + [ + "secret used for encryption", + "old secret kept for decryption", + "another old secret kept for decryption" + ] + ] + }, "cipher": { "type": "array", "title": "Secrets to use for encryption by cipher", @@ -2776,6 +2765,11 @@ "type": "string", "default": "/" }, + "secure": { + "title": "Session Cookie Secure Flag", + "description": "Sets the session secure flag. If unset, defaults to !dev mode.", + "type": "string" + }, "same_site": { "title": "HTTP Cookie Same Site Configuration", "description": "Sets the session and CSRF cookie SameSite.", 
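Review bot: The `selfservice_selectable` description in the -2623 hunk misspells "explicity" and does not make clear that `false` is the restrictive setting. Suggest `If set to true, this schema can be selected explicitly in self-service flows by passing its ID in the \`identity_schema\` query parameter; schemas without this flag cannot be chosen by clients.` — the second clause is my reading of the default and should be confirmed against the flow code. The `required` list after the hunk is unaffected.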
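Review bot: The `pagination` description in the -2655 hunk says the token is encrypted "with these keys", but only the example conveys the rotation rule (first entry encrypts, later entries are kept for decryption); that rule belongs in the description, e.g. `The first secret is used for encryption; all secrets are tried for decryption, so old secrets can be kept while existing pagination tokens are still in use.` — to be confirmed against the implementation. `"minLength": 16` bounds length but not entropy, and the examples are plain English phrases that satisfy it, so a sentence recommending randomly generated values would help operators.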
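Review bot: `cookies.secure` added in the -2776 hunk is declared `"type": "string"` although its title calls it a flag and its description says it defaults to the negation of dev mode, i.e. it is a boolean; the copy added at -2870 under the session cookie block has the identical problem. With `string`, a configuration value of `true` fails validation while `"false"` passes, so this should be `"type": "boolean"` (or an explicit `"enum"` if a third state is intended). The description `defaults to !dev mode` is code-speak; `If unset, the flag is set unless the server runs in dev mode.` reads better.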
@@ -2821,12 +2815,19 @@ "claims_mapper_url": { "type": "string", "format": "uri", - "title": "JsonNet mapper URL" + "title": "Jsonnet mapper URL" }, "jwks_url": { "type": "string", "format": "uri", "title": "JSON Web Key Set URL" + }, + "subject_source": { + "type": "string", + "title": "Subject source", + "description": "The source of the subject claim in the token. Can be one of: `id`, or `external_id`.", + "enum": ["id", "external_id"], + "default": "id" } } } @@ -2870,6 +2871,11 @@ "description": "Sets the session cookie path. Use with care! Overrides `cookies.path`.", "type": "string" }, + "secure": { + "title": "Session Cookie Secure Flag", + "description": "Sets the session secure flag. If unset, defaults to !dev mode.", + "type": "string" + }, "same_site": { "title": "Session Cookie SameSite Configuration", "description": "Sets the session cookie SameSite. Overrides `cookies.same_site`.", @@ -2969,6 +2975,40 @@ "default": [] } } + }, + "web_hook": { + "title": "Global web_hook HTTP client configuration", + "description": "Configure the global HTTP client of the web_hook action.", + "type": "object", + "properties": { + "header_allowlist": { + "title": "Allowed request headers", + "description": "List of request headers that are forwarded to the web hook target in canonical form.", + "type": "array", + "items": { + "type": "string" + }, + "default": [ + "Accept", + "Accept-Encoding", + "Accept-Language", + "Content-Length", + "Content-Type", + "Origin", + "Priority", + "Referer", + "Sec-Ch-Ua", + "Sec-Ch-Ua-Mobile", + "Sec-Ch-Ua-Platform", + "Sec-Fetch-Dest", + "Sec-Fetch-Mode", + "Sec-Fetch-Site", + "Sec-Fetch-User", + "True-Client-Ip", + "User-Agent" + ] + } + } } } }, 
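Review bot: The `header_allowlist` default in the -2969 hunk forwards client-identifying headers (`True-Client-Ip`, `User-Agent`, `Referer`, `Origin`) to every web-hook target, and the description neither says what the list is matched against nor that anything absent from it (`Cookie` and `Authorization` are notably not listed) is dropped. Suggest expanding it: `Only request headers whose canonical name appears in this list are copied from the incoming request to the web hook; all other headers, including cookies and authorization headers, are never forwarded.` — assuming that is the semantics, which I cannot verify from the schema alone. It would also help to state whether setting the property replaces or extends the default list.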
@@ -2993,11 +3033,43 @@ "description": "If enabled allows new flow transitions using `continue_with` items.", "default": false }, + "choose_recovery_address": { + "type": "boolean", + "title": "Enable new recovery screens to pick which address to send a recovery code/link to", + "description": "If enabled, enable new recovery screens to pick which address to send a recovery code to, and can send a code via SMS. It is safe to toggle it back and forth, existing recovery flows will be handled with their respective logic. That is because it is decided at creation time whether a recovery flow is V1 or V2 and this cannot be changed afterwards. Thus, if a recovery flow is created with this flag enabled, it will be created as a recovery v2 flow. If this flag is disabled while this flow is still active, this flow will still be handled with the correct logic (v2).", + "default": false + }, + "legacy_continue_with_verification_ui": { + "type": "boolean", + "title": "Always include show_verification_ui in continue_with", + "description": "If true, restores the legacy behavior of always including `show_verification_ui` in the registration flow's `continue_with` when verification is enabled. If set to false, `show_verification_ui` is only set in `continue_with` if the `show_verification_ui` hook is used. This flag will be removed in the future.", + "deprecationMessage": "This behavior is deprecated and will be removed in the future. Use the `show_verification_hook` in the post-registration hook instead.", + "default": false + }, + "legacy_require_verified_login_error": { + "type": "boolean", + "title": "Return a form error if the login identifier is not verified", + "description": "If true, the login flow will return a form error if the login identifier is not verified, which restores legacy behavior. 
If this value is false, the `continue_with` array will contain a `show_verification_ui` hook instead.", + "deprecationMessage": "This behavior is deprecated and will be removed in the future. Please upgrade your SDKs.", + "default": false + }, "faster_session_extend": { "type": "boolean", "title": "Enable faster session extension", "description": "If enabled allows faster session extension by skipping the session lookup. Disabling this feature will be deprecated in the future.", "default": false + }, + "password_profile_registration_node_group": { + "title": "Registration node group", + "description": "The node group to use for registration flows. Previously, the node group for the password method's profile fields was `password`. Going forward, it will be `default`. This switch can toggle between those two for backwards compatibility.", + "enum": ["password", "default"], + "default": "default" + }, + "legacy_oidc_registration_node_group": { + "title": "Registration node group for OIDC", + "description": "The node group to use for registration flows. Previously, the node group for the oidc method's profile fields was `oidc`. Going forward, it will be `default`. This switch can toggle between those two for backwards compatibility and will be removed in the future.", + "default": false, + "type": "boolean" } }, "additionalProperties": false @@ -3020,6 +3092,11 @@ } }, "additionalProperties": false + }, + "revision": { + "title": "Config revision", + "description": "Set a recognizable revision. This could be the commit time or a random value. This value is exposed at the `/health/config` endpoint and allows you to ensure that the correct config is loaded.", + "type": "string" } }, "allOf": [
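Review bot: `password_profile_registration_node_group` in the -2993 hunk declares `enum` but no `"type": "string"`, unlike every sibling flag in this object; add the type so validators and generators treat it consistently. `legacy_oidc_registration_node_group` is a boolean, but its description is copied from the enum sibling and never says what `true` and `false` select, e.g. `If true, the profile fields of the oidc method keep the legacy \`oidc\` node group; if false they use \`default\`.` The `deprecationMessage` of `legacy_continue_with_verification_ui` refers to a `show_verification_hook`, while its own description and the definitions elsewhere in the file call it `show_verification_ui`; align the name. The enclosing feature-flags object begins before the hunk.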
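Review bot: The `revision` description in the -3020 hunk says the value is exposed at `/health/config` but does not warn that it is therefore readable by anyone who can reach that endpoint, so operators should not encode anything they consider confidential (internal environment names, ticket numbers) into it. Suggest appending `Because the value is returned by /health/config, choose something that may be disclosed to anyone who can reach that endpoint.`, and adding a `"maxLength"` so the health response stays small. The enclosing object continues past the hunk.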