v1.9.1

Fixes

• fix a bug that prevents user from customizing i18n translations in sign-in experience config
• add more intuitive code samples and fix mistakes in express api guide

v1.9.0

New feature: Password policy

Summary

This newly introduced feature empowers you to customize a range of password policies specific to your Logto tenant:

• Minimum password length (default: 8)
• Minimum character types (default: 1)
• Prevention of breached passwords (default: Enabled)
• Restriction of repetitive or sequential characters (default: Enabled)
• Restriction of user information in passwords (default: Enabled)
• Custom restricted words (default: None specified)

To begin configuring these settings, simply navigate to the Logto Console under "Sign-in experience" and select "Password policy".

Note
New to password policy? Check out our blog post Design your password policy to master this feature!

For Logto Cloud users, or if you are upgrading Logto from a previous version, please take note that we are committed to ensuring a smooth upgrade. As such, we will maintain your existing password policy as follows:

• Minimum length: 8 characters
• Minimum character types: 2
  • Please be aware that, with the implementation of the new policy, combining lowercase and uppercase letters will no longer be considered as a single character type.
• Prevention of breached passwords: Disabled
• Restriction of repetitive or sequential characters: Disabled
• Restriction of user information in passwords: Disabled
• Custom restricted words: None specified

Should you wish to update your password policy manually, you can do so within the Logto Console as described above.

Impact on users

• All new users will be subject to the new policy immediately upon creation.
• Existing users will not be affected by the updated policy until they choose to change their password.

Management API changes

We have removed password restrictions for adding or updating users via the Management API.

CLI improvements

• Support region option for s3 storage (#4439).
• Keep original untranslated mark when syncing translate keys (#4443).

Refactoring

• Rename @logto/ui to @logto/experience.
• Rename @logto/phrases-ui to @logto/phrases-experience.

These renames do not affect Logto product, so we didn't mark them as breaking changes.

Fixes

• Fix the app crash when inputting verification code in Console profile page.
• Align cli output for a better looking.

v1.8.0

Note
We are busily building MFA, Organizations, Enterprise SSO, and more security features. Subscribe to our newsletter so you won't miss any updates!

---

Feature updates

New app guides design

The app guides have been completely redesigned for an even more streamlined experience. Now when you create an app, you can search for your favorite framework or integration, and enjoy the tailored interactive tutorial.

New SDKs

We've crafted four new official SDKs: Python, PHP, ASP.NET Core, and CapacitorJS.

Don't hesitate to let us know if your favorite framework is missing. :-)

Mailgun connector

We added a dedicated connector to make sending emails via Mailgun easier. It also supports Mailgun email templates.

Specify algorithm when rotating keys

The CLI command to rotate OIDC private keys now supports specifying the key type. While the default key type ec may not work in legacy platforms, you can use --type rsa to prepend a new RSA key, for example:

logto db config rotate oidc.privateKey --type rsa

Improvements

• Application CORS config now allows non-http origins. This is helpful for cross-platform frameworks like CapacitorJS.
• Remove connector link from session storage when needed (#4406 by @jay-dee7)
• Regular content updates, code improvements, bug fixes.

v1.7.0

It has been a busy month, and we just launched Logto Cloud! Meanwhile, we also improved our OSS with some new features:

Feature updates

• Added translate sync-keys command in CLI. This command is helpful for syncing keys from one language to another. See Translation for details.
• Added SMSAero connector (credit @evist0).
• Allow editing refresh token time-to-live (TTL) for applications except machine-to machine.

We are gradually shifting resources back to OSS and we'll bring more exciting features this year. Stay tuned.

v1.6.0

Features

Application details page in Console

• Added OpenID Provider configuration endpoint display
• Added application "Rotate Refresh Token" toggle
• Added application "Refresh Token TTL" configuration

Fixes

• Fix interaction issues of sign-in experience preview in Console

v1.5.0

Security update

Enabled Content Security Policy (CSP) header check

Removed the report-only flag from the Content Security Policy (CSP) header for both Console and Sign-in Experience. Ensure your endpoints are configured correctly and see no CSP error in the browser's console before upgrading, otherwise frontend may break in this version.

Feature updates

Webhook in Console

We're thrilled to introduce the new Webhook feature in Logto Console, making integration and real-time event notifications a breeze. Here's what's new:

• Easy Configuration: Configure webhooks effortlessly by multi-selecting events like user registration, sign-in, and password reset. One-click testing of payload delivery ensures smooth setup.
• Enhanced Security: Each webhook is assigned an auto-generated Signing Key, ensuring the authenticity of payload data from Logto. Customize headers to add extra context.
• Monitor Webhook Health: Keep an eye on webhook performance with success rates and request times in the last 24 hours. Access independent logs of recent requests for easy troubleshooting.

Note
If you were using Webhooks via Management API, some API details are changed with backward compatibility so you can safely upgrade to this version.

Support setting default API Resource from Console and API

Logto leverages RFC 8707: Resource Indicators for OAuth 2.0 to implement Role-Based Access Control (RBAC). While it is one of the features of OAuth 2.0, it is not yet widely supported.

In Logto's implementation, every user-defined permission (scope) must be associated with an API Resource. Otherwise, it will be treated as an OpenID Connect (or OAuth) permission. Generally, this doesn't affect your authorization process. However, when integrating with third-party apps that lack support for RFC 8707 (e.g., ChatGPT plugins), it can pose challenges since the initial authorization request may not include a resource parameter. Consequently, Logto will always issue Opaque Access Tokens.

To address this issue, now you can designate an API Resource as the tenant-level default resource by heading to the details page of an API Resource:

See the documentation to learn what will be affected after turning it on.

Support updating sign-in identifiers in user details form

Admin can now update user sign-in identifiers (username, email, phone number) in the user details form in user management.

Fixes

• Reset password webhooks will be correctly triggered
• Bumped oidc-provider version to v8.2.2. This version fixes a bug that prevented the revoked scopes from being removed from the access token.

v1.4.0

This version brings us one step closer to resolving issue #3344. We are actively working on a backward-compatible solution for authorization.

Below are some articles that demonstrate how to use Logto as an OAuth or OIDC Identity Provider:

• Streamline OAuth and OIDC Authentication with Logto
• Implement ChatGPT plugins user authentication with Logto
• Simplify Outline authentication with Logto

Feature updates

Introducing the "Always issue Refresh Token" configuration for web apps

Turning on this toggle ensures that Refresh Tokens are always issued, regardless of whether prompt=consent was included in the authorization request or if offline_access was specified in the scope.

Patch updates

• Improved compatibility by parsing requests with application/json content-type for /oidc APIs.
• Automated synchronization of trusted social email and phone information for newly registered users, irrespective of the sign-up identifier configuration.
  • For example: Previously, if the "email" was not set as a sign-up identifier (meaning a valid email connector had to be configured and enabled) and Google sign-in was added, the emails from new users would not be synchronized.
  • Starting from v1.4.0, this requirement has been removed, as "social sign-in only" scenarios are not uncommon in real-world cases.

v1.3.1

Patch update

• Disable PKCE requirement for Traditional Web apps. Now Logto should be able to integrated with most projects that support OAuth identity providers such as ChatGPT plugins.

We'll post some tutorials soon.

v1.3.0

Note
Our brand new blog just landed. Let's enjoy the new design and beautiful illustrations by @Rany0101.

Feature updates

• Support CLI arguments in @logto/create (#2206 #3777)

• Provide Management APIs to help link social identities to user

  • POST /users/:userId/identities to link a social identity to a user
  • POST /connectors/:connectorId/authorization-uri to get the authorization URI for a connector

Improvements

• Except interaction APIs, API response schemas and status codes are now available in /api/swagger.json. Also available in https://docs.logto.io/api/.

Bug fix

• SAML connector: Should ignore empty number input box when parsing connector config form.

v1.2.3

Connectors

• Alipay (web), Discord, Facebook, GitHub, Google, WeChat (web) connectors now support custom scope.
• Use node resolution to support crypto.getRandomValues in connectors, fixes an error in the AWS SES connector.