Releases · logto-io/logto

08 Feb 13:51

v1.13.0

3f28e9a

v1.13.0

Logto as an OpenID Connect identity provider

From now, you can use Logto as an third-party OpenID Connect identity provider by creating an OIDC third party app during the application creating process.

This enables you to configure the permissions that the app requests and the branding for each third party app. When users sign in via this app, it will prompt for user consent:

This feature is useful for multiple scenarios, such as integrating third party services with Logto for in-house identity management, providing an open platform for developers creating third party apps, etc. See 🌐 Logto as an Identity Provider (IdP) to learn more.

Guides

Added .NET Core Blazor WebAssembly and Blazor Server app guides.

Misc.

Upgrade TypeScript to 5.3.3.
Use Node v20 LTS. We mark it as minor because Logto is shipping with Docker image and it's not a breaking change for users.

For detailed changelog, see this pull request.

Assets 3

06 Dec 09:10

silverhand-bot

v1.12.0

4865610

v1.12.0

Tip

Logto is an open-source Auth0 alternative designed for modern apps and SaaS products.

Logto Organizations (Multi-tenancy)

The term "organization" is also used in other forms, such as "workspace", "team", "company", etc. In Logto, we use "organization" as the generic term to represent the concept of multi-tenancy.

From now, you can create multiple organizations in Logto, each of which can have its own users, while in the same identity pool.

Plus, we also introduce the concept of "organization template". It is a set of permissions and roles that applies to all organizations, while a user can have different roles in different organizations.

We believe this is extremely useful for SaaS products with collaboration features (we love collaboration!). For more information, see 🏢 Organizations (Multi-tenancy).

Enterprise SSO (single sign-on)

Enterprise SSO is designed to support any SAML and OIDC connection, offering the simplest configuration and powered by Logto.

It automatically recognizes all registered domains in the sign-in experience and redirects users to the correct identity provider for authentication. Meanwhile, you can focus on enhancing other aspects of your product without modifying a single line of code.

In this release, we have the following built-in enterprise connectors:

Google Workspace
Microsoft Entra ID (formerly Azure AD)
Okta

To learn more about Enterprise SSO, see ☁️ Enterprise SSO (SAML & OIDC).

Improvements

Bump libphonenumber-js to v1.10.51 to support China 19 started phone numbers. Credit @agileago.
Add user ip to webhook event payload.
The response from /api/swagger.json now includes a summary and description for each API. We will gradually add more helpful information.

Note

Multi-factor authentication (MFA) was released in v1.11.0.

Contributors

agileago

Assets 3

14 Nov 13:14

silverhand-bot

v1.11.0

76c8bb2

v1.11.0

Multi-factor authentication (MFA)

Now you can activate MFA with just one click and take control of the user security. We've made it easy to customize the sign-in experience with these methods:

Authenticator app OTP: users can add any authenticator app that supports the TOTP standard, such as Google Authenticator, Duo, etc.
WebAuthn (Passkey): users can use the standard WebAuthn protocol to register a hardware security key, such as biometric keys, Yubikey, etc.
Backup codes: users can generate a set of backup codes to use when they don't have access to other MFA methods.

For a smooth transition, we also support to configure the MFA policy to require MFA for sign-in experience, or to allow users to opt-in to MFA.

Check out our One-click MFA integration blog post to learn more.

Work in progress

Organizations and enterprise Single Sign-On (SSO) functionalities are on the horizon. With Logto, creating multi-tenancy applications and becoming enterprise-ready will not be a business blocker anymore.

Assets 3

03 Nov 05:40

silverhand-bot

v1.10.1

a5a0d44

v1.10.1

Fixes

fix 500 error when using search component in console to filter both roles and applications

Assets 3

08 Oct 06:03

silverhand-bot

v1.10.0

6993b15

v1.10.0

New feature: machine-to-machine role-based access control

Role-based access control (RBAC) now extends to machine-to-machine apps. This update allows you to effectively manage permissions for your machine-to-machine apps using the same approach for user authorization.

Note
If you have switched on the "Enable admin access" toggle for machine-to-machine apps, it has been retired in favor of a new "Management API access" role; if you haven't enabled it, a new role with Management API permissions is needed to access the Logto Management API. See 🚝 Interact with Management API to learn more.

Starting today, when you create a new role, you can select either a "user role" or a "machine-to-machine app role" by expanding more options. All existing roles have automatically been converted to "user roles".

Constraints

After creating a role, you cannot modify its type.
The Logto Management API resource can only be accessed by machine-to-machine application roles.

Management API updates

Added APIs

Applications

POST /applications/:appId/roles assigns role(s) to the M2M application
DELETE /applications/:appId/roles/:roleId deletes the role from the M2M application
GET /applications/:appId/roles lists all roles assigned to the M2M application

Roles

POST /roles/:roleId/applications assigns the role to multiple M2M applications
DELETE /roles/:roleId/applications/:appId removes the M2M application assigned to the role
GET /roles/:roleId/applications lists all M2M applications granted with the role

Updated APIs

Roles

POST /roles to specify the role type (either user or machine-to-machine role)

Users

POST /users/:userId/roles to prevent assigning M2M roles to end-users

Support `roles` scope for issuing the `roles` claim in ID tokens

When you include the roles in the scope parameter of the Logto SDK config (or manually append to the OpenID Connect auth request), the ID token will include a roles claim containing an array of the user's roles. This may resolve #3411.

Security update

If an identifier (username, email, or phone number) experiences five authentication failures within an hour, it will be temporarily blocked from the authentication process for ten minutes.

Assets 3

21 Sep 14:25

silverhand-bot

v1.9.1

d254dae

v1.9.1

Fixes

fix a bug that prevents user from customizing i18n translations in sign-in experience config
add more intuitive code samples and fix mistakes in express api guide

Assets 3

18 Sep 11:15

silverhand-bot

v1.9.0

e69f941

v1.9.0

New feature: Password policy

Summary

This newly introduced feature empowers you to customize a range of password policies specific to your Logto tenant:

Minimum password length (default: 8)
Minimum character types (default: 1)
Prevention of breached passwords (default: Enabled)
Restriction of repetitive or sequential characters (default: Enabled)
Restriction of user information in passwords (default: Enabled)
Custom restricted words (default: None specified)

To begin configuring these settings, simply navigate to the Logto Console under "Sign-in experience" and select "Password policy".

Note
New to password policy? Check out our blog post Design your password policy to master this feature!

For Logto Cloud users, or if you are upgrading Logto from a previous version, please take note that we are committed to ensuring a smooth upgrade. As such, we will maintain your existing password policy as follows:

Minimum length: 8 characters
Minimum character types: 2
- Please be aware that, with the implementation of the new policy, combining lowercase and uppercase letters will no longer be considered as a single character type.
Prevention of breached passwords: Disabled
Restriction of repetitive or sequential characters: Disabled
Restriction of user information in passwords: Disabled
Custom restricted words: None specified

Should you wish to update your password policy manually, you can do so within the Logto Console as described above.

Impact on users

All new users will be subject to the new policy immediately upon creation.
Existing users will not be affected by the updated policy until they choose to change their password.

Management API changes

We have removed password restrictions for adding or updating users via the Management API.

CLI improvements

Support region option for s3 storage (#4439).
Keep original untranslated mark when syncing translate keys (#4443).

Refactoring

Rename @logto/ui to @logto/experience.
Rename @logto/phrases-ui to @logto/phrases-experience.

These renames do not affect Logto product, so we didn't mark them as breaking changes.

Fixes

Fix the app crash when inputting verification code in Console profile page.
Align cli output for a better looking.

Assets 3

30 Aug 14:48

silverhand-bot

v1.8.0

f416ec3

v1.8.0

Note
We are busily building MFA, Organizations, Enterprise SSO, and more security features. Subscribe to our newsletter so you won't miss any updates!

Feature updates

New app guides design

The app guides have been completely redesigned for an even more streamlined experience. Now when you create an app, you can search for your favorite framework or integration, and enjoy the tailored interactive tutorial.

New SDKs

We've crafted four new official SDKs: Python, PHP, ASP.NET Core, and CapacitorJS.

Don't hesitate to let us know if your favorite framework is missing. :-)

Mailgun connector

We added a dedicated connector to make sending emails via Mailgun easier. It also supports Mailgun email templates.

Specify algorithm when rotating keys

The CLI command to rotate OIDC private keys now supports specifying the key type. While the default key type ec may not work in legacy platforms, you can use --type rsa to prepend a new RSA key, for example:

logto db config rotate oidc.privateKey --type rsa