release: version packages

[silverhand-bot]

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and publish to npm yourself or setup this action to publish automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to master, this PR will be updated.

Releases

@logto/connector-kit@4.0.0

Major Changes

• 6308ee1: remove .catchall() for connectorMetadataGuard

  .catchall() allows unknown keys to be parsed as metadata. This is troublesome when we want to strip out unknown keys (Zod provides .strip() for this purpose but somehow it doesn't work with .catchall()).

  For data extensibility, we added customData field to ConnectorMetadata type to store unknown keys. For example, the fromEmail field in connector-logto-email is not part of the standard metadata, so it should be stored in customData in the future.

Minor Changes

• 1595360: add OIDC prompt enum, prompt guard, and multi-select typed configuration field

• 6308ee1: support Google One Tap

  • support parsing and validating Google One Tap data in connector-google
  • add Google connector constants in connector-kit for reuse

@logto/connector-azuread@1.3.0

Minor Changes

• 1595360: support config of prompt

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-google@1.4.0

Minor Changes

• 6308ee1: support Google One Tap

  • support parsing and validating Google One Tap data in connector-google
  • add Google connector constants in connector-kit for reuse

• 1595360: support config of prompt

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/phrases@1.12.0

Minor Changes

• 87615d5: support machine-to-machine apps for organizations

  This feature allows machine-to-machine apps to be associated with organizations, and be assigned with organization roles.

  Console

  • Add a new "machine-to-machine" type to organization roles. All existing roles are now "user" type.
  • You can manage machine-to-machine apps in the organization details page -> Machine-to-machine apps section.
  • You can view the associated organizations in the machine-to-machine app details page.

  OpenID Connect grant

  The client_credentials grant type is now supported for organizations. You can use this grant type to obtain an access token for an organization.

  Management API

  A set of new endpoints are added to the Management API:

  • /api/organizations/{id}/applications to manage machine-to-machine apps.
  • /api/organizations/{id}/applications/{applicationId} to manage a specific machine-to-machine app in an organization.
  • /api/applications/{id}/organizations to view the associated organizations of a machine-to-machine app.

• 061a30a: support agree to terms polices for Logto’s sign-in experiences

  • Automatic: Users automatically agree to terms by continuing to use the service
  • ManualRegistrationOnly: Users must agree to terms by checking a box during registration, and don't need to agree when signing in
  • Manual: Users must agree to terms by checking a box during registration or signing in

• efa884c: feature: just-in-time user provisioning for organizations

  This feature allows users to automatically join the organization and be assigned roles upon their first sign-in through some authentication methods. You can set requirements to meet for just-in-time provisioning.

  Email domains

  New users will automatically join organizations with just-in-time provisioning if they:

  • Sign up with verified email addresses, or;
  • Use social sign-in with verified email addresses.

  This applies to organizations that have the same email domain configured.

  To enable this feature, you can add email domain via the Management API or the Logto Console:

  • We added the following new endpoints to the Management API:
    • GET /organizations/{organizationId}/jit/email-domains
    • POST /organizations/{organizationId}/jit/email-domains
    • PUT /organizations/{organizationId}/jit/email-domains
    • DELETE /organizations/{organizationId}/jit/email-domains/{emailDomain}
  • In the Logto Console, you can manage email domains in the organization details page -> "Just-in-time provisioning" section.

  SSO connectors

  New or existing users signing in through enterprise SSO for the first time will automatically join organizations that have just-in-time provisioning configured for the SSO connector.

  To enable this feature, you can add SSO connectors via the Management API or the Logto Console:

  • We added the following new endpoints to the Management API:
    • GET /organizations/{organizationId}/jit/sso-connectors
    • POST /organizations/{organizationId}/jit/sso-connectors
    • PUT /organizations/{organizationId}/jit/sso-connectors
    • DELETE /organizations/{organizationId}/jit/sso-connectors/{ssoConnectorId}
  • In the Logto Console, you can manage SSO connectors in the organization details page -> "Just-in-time provisioning" section.

  Default organization roles

  You can also configure the default roles for users provisioned via this feature. The default roles will be assigned to the user when they are provisioned.

  To enable this feature, you can set the default roles via the Management API or the Logto Console:

  • We added the following new endpoints to the Management API:
    • GET /organizations/{organizationId}/jit/roles
    • POST /organizations/{organizationId}/jit/roles
    • PUT /organizations/{organizationId}/jit/roles
    • DELETE /organizations/{organizationId}/jit/roles/{organizationRoleId}
  • In the Logto Console, you can manage default roles in the organization details page -> "Just-in-time provisioning" section.

Patch Changes

• 942780f: support Google One Tap

  • core: GET /api/.well-known/sign-in-exp now returns googleOneTap field with the configuration when available
  • core: add Google Sign-In (GSI) url to the security headers
  • core: verify Google One Tap CSRF token in verifySocialIdentity()
  • phrases: add Google One Tap phrases
  • schemas: migrate sign-in experience types from core to schemas

• 9f33d99: view and update user's profile property in the user settings page

• ef21c7a: support per-organization multi-factor authentication requirement

  An organization can now require its member to have multi-factor authentication (MFA) configured. If an organization has this requirement and a member does not have MFA configured, the member will not be able to fetch the organization access token.

• 1363205: allow skipping manual account linking during sign-in

  You can find this configuration in Console -> Sign-in experience -> Sign-up and sign-in -> Social sign-in -> Automatic account linking.

  When switched on, if a user signs in with a social identity that is new to the system, and there is exactly one existing account with the same identifier (e.g., email), Logto will automatically link the account with the social identity instead of prompting the user for account linking.

• b50ba0b: enable backchannel logout support

  Enable the support of OpenID Connect Back-Channel Logout 1.0.

  To register for backchannel logout, navigate to the application details page in the Logto Console and locate the "Backchannel logout" section. Enter the backchannel logout URL of your RP and click "Save".

  You can also enable session requirements for backchannel logout. When enabled, Logto will include the sid claim in the logout token.

  For programmatic registration, you can set the backchannelLogoutUri and backchannelLogoutSessionRequired properties in the application oidcClientMetadata object.

• d81e13d: display OIDC issuer endpoint in the application details form

@logto/phrases-experience@1.7.0

Minor Changes

• 061a30a: support agree to terms polices for Logto’s sign-in experiences

  • Automatic: Users automatically agree to terms by continuing to use the service
  • ManualRegistrationOnly: Users must agree to terms by checking a box during registration, and don't need to agree when signing in
  • Manual: Users must agree to terms by checking a box during registration or signing in

@logto/schemas@1.18.0

Minor Changes

• 87615d5: support machine-to-machine apps for organizations

  This feature allows machine-to-machine apps to be associated with organizations, and be assigned with organization roles.

  Console

  • Add a new "machine-to-machine" type to organization roles. All existing roles are now "user" type.
  • You can manage machine-to-machine apps in the organization details page -> Machine-to-machine apps section.
  • You can view the associated organizations in the machine-to-machine app details page.

  OpenID Connect grant

  The client_credentials grant type is now supported for organizations. You can use this grant type to obtain an access token for an organization.

  Management API

  A set of new endpoints are added to the Management API:

  • /api/organizations/{id}/applications to manage machine-to-machine apps.
  • /api/organizations/{id}/applications/{applicationId} to manage a specific machine-to-machine app in an organization.
  • /api/applications/{id}/organizations to view the associated organizations of a machine-to-machine app.

• 061a30a: support agree to terms polices for Logto’s sign-in experiences

  • Automatic: Users automatically agree to terms by continuing to use the service
  • ManualRegistrationOnly: Users must agree to terms by checking a box during registration, and don't need to agree when signing in
  • Manual: Users must agree to terms by checking a box during registration or signing in

• ef21c7a: support per-organization multi-factor authentication requirement

  An organization can now require its member to have multi-factor authentication (MFA) configured. If an organization has this requirement and a member does not have MFA configured, the member will not be able to fetch the organization access token.

• b52609a: add hasPassword to custom JWT user context

• efa884c: feature: just-in-time user provisioning for organizations

  This feature allows users to automatically join the organization and be assigned roles upon their first sign-in through some authentication methods. You can set requirements to meet for just-in-time provisioning.

  Email domains

  New users will automatically join organizations with just-in-time provisioning if they:

  • Sign up with verified email addresses, or;
  • Use social sign-in with verified email addresses.

  This applies to organizations that have the same email domain configured.

  To enable this feature, you can add email domain via the Management API or the Logto Console:

  • We added the following new endpoints to the Management API:
    • GET /organizations/{organizationId}/jit/email-domains
    • POST /organizations/{organizationId}/jit/email-domains
    • PUT /organizations/{organizationId}/jit/email-domains
    • DELETE /organizations/{organizationId}/jit/email-domains/{emailDomain}
  • In the Logto Console, you can manage email domains in the organization details page -> "Just-in-time provisioning" section.

  SSO connectors

  New or existing users signing in through enterprise SSO for the first time will automatically join organizations that have just-in-time provisioning configured for the SSO connector.

  To enable this feature, you can add SSO connectors via the Management API or the Logto Console:

  • We added the following new endpoints to the Management API:
    • GET /organizations/{organizationId}/jit/sso-connectors
    • POST /organizations/{organizationId}/jit/sso-connectors
    • PUT /organizations/{organizationId}/jit/sso-connectors
    • DELETE /organizations/{organizationId}/jit/sso-connectors/{ssoConnectorId}
  • In the Logto Console, you can manage SSO connectors in the organization details page -> "Just-in-time provisioning" section.

  Default organization roles

  You can also configure the default roles for users provisioned via this feature. The default roles will be assigned to the user when they are provisioned.

  To enable this feature, you can set the default roles via the Management API or the Logto Console:

  • We added the following new endpoints to the Management API:
    • GET /organizations/{organizationId}/jit/roles
    • POST /organizations/{organizationId}/jit/roles
    • PUT /organizations/{organizationId}/jit/roles
    • DELETE /organizations/{organizationId}/jit/roles/{organizationRoleId}
  • In the Logto Console, you can manage default roles in the organization details page -> "Just-in-time provisioning" section.

• b50ba0b: enable backchannel logout support

  Enable the support of OpenID Connect Back-Channel Logout 1.0.

  To register for backchannel logout, navigate to the application details page in the Logto Console and locate the "Backchannel logout" section. Enter the backchannel logout URL of your RP and click "Save".

  You can also enable session requirements for backchannel logout. When enabled, Logto will include the sid claim in the logout token.

  For programmatic registration, you can set the backchannelLogoutUri and backchannelLogoutSessionRequired properties in the application oidcClientMetadata object.

Patch Changes

• 942780f: support Google One Tap

  • core: GET /api/.well-known/sign-in-exp now returns googleOneTap field with the configuration when available
  • core: add Google Sign-In (GSI) url to the security headers
  • core: verify Google One Tap CSRF token in verifySocialIdentity()
  • phrases: add Google One Tap phrases
  • schemas: migrate sign-in experience types from core to schemas

• Updated dependencies [6308ee1]

• Updated dependencies [1595360]

• Updated dependencies [6308ee1]

• Updated dependencies [942780f]

• Updated dependencies [87615d5]

• Updated dependencies [9f33d99]

• Updated dependencies [061a30a]

• Updated dependencies [ef21c7a]

• Updated dependencies [1363205]

• Updated dependencies [efa884c]

• Updated dependencies [b50ba0b]

• Updated dependencies [d81e13d]

  • @logto/connector-kit@4.0.0
  • @logto/phrases@1.12.0
  • @logto/phrases-experience@1.7.0

@logto/cli@1.18.0

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
• Updated dependencies [942780f]
• Updated dependencies [87615d5]
• Updated dependencies [9f33d99]
• Updated dependencies [061a30a]
• Updated dependencies [ef21c7a]
• Updated dependencies [1363205]
• Updated dependencies [b52609a]
• Updated dependencies [efa884c]
• Updated dependencies [b50ba0b]
• Updated dependencies [d81e13d]
  • @logto/connector-kit@4.0.0
  • @logto/phrases@1.12.0
  • @logto/schemas@1.18.0
  • @logto/phrases-experience@1.7.0

@logto/connector-alipay-native@1.2.1

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-alipay-web@1.3.1

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-aliyun-dm@1.1.2

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-aliyun-sms@1.1.2

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-apple@1.3.1

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-aws-ses@1.1.2

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-dingtalk-web@0.1.1

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-discord@1.3.1

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-facebook@1.3.1

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-feishu-web@1.2.1

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-github@1.4.2

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-huggingface@0.1.1

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0
  • @logto/connector-oauth@1.3.1

@logto/connector-kakao@1.2.1

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-logto-email@1.1.2

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-logto-sms@1.1.2

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-logto-social-demo@1.1.2

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-mailgun@1.2.2

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-mock-email@2.0.2

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-mock-standard-email@2.0.2

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-mock-sms@2.0.2

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-mock-social@1.2.1

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-naver@1.2.1

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-oauth@1.3.1

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-oidc@1.3.1

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0
  • @logto/connector-oauth@1.3.1

@logto/connector-saml@1.1.2

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-sendgrid-email@1.1.2

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-smsaero@1.2.2

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-smtp@1.1.3

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-tencent-sms@1.1.2

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-twilio-sms@1.1.2

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-wechat-native@1.2.1

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-wechat-web@1.3.1

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/connector-wecom@0.2.1

Patch Changes

• Updated dependencies [6308ee1]
• Updated dependencies [1595360]
• Updated dependencies [6308ee1]
  • @logto/connector-kit@4.0.0

@logto/create@1.18.0

Patch Changes

• @logto/cli@1.18.0

@logto/console@1.16.0

Minor Changes

• eacec10: improve machine-to-machine application integration user experience

  • Display a role assignment modal to facilitate setting permissions for the newly created machine-to-machine app.
  • In the role assignment modal, add a Logto icon to roles that carry the Logto Management API access permission, making it easier for users to select roles with Logto Management API access permission.
  • Add a notification for machine-to-machine roles to guide users in using the machine-to-machine role by creating a machine-to-machine application.
  • Improve machine-to-machine application integration guide.

• 87615d5: support machine-to-machine apps for organizations

  This feature allows machine-to-machine apps to be associated with organizations, and be assigned with organization roles.

  Console

  • Add a new "machine-to-machine" type to organization roles. All existing roles are now "user" type.
  • You can manage machine-to-machine apps in the organization details page -> Machine-to-machine apps section.
  • You can view the associated organizations in the machine-to-machine app details page.

  OpenID Connect grant

  The client_credentials grant type is now supported for organizations. You can use this grant type to obtain an access token for an organization.

  Management API

  A set of new endpoints are added to the Management API:

  • /api/organizations/{id}/applications to manage machine-to-machine apps.
  • /api/organizations/{id}/applications/{applicationId} to manage a specific machine-to-machine app in an organization.
  • /api/applications/{id}/organizations to view the associated organizations of a machine-to-machine app.

• 061a30a: support agree to terms polices for Logto’s sign-in experiences

  • Automatic: Users automatically agree to terms by continuing to use the service
  • ManualRegistrationOnly: Users must agree to terms by checking a box during registration, and don't need to agree when signing in
  • Manual: Users must agree to terms by checking a box during registration or signing in

• ead51e5: add Ruby app guide

• ef21c7a: support per-organization multi-factor authentication requirement

  An organization can now require its member to have multi-factor authentication (MFA) configured. If an organization has this requirement and a member does not have MFA configured, the member will not be able to fetch the organization access token.

• 0ef712e: support Google One Tap configuration

• 1595360: support the dynamic config rendering for connector multi-select configuration

• b52609a: add hasPassword to custom JWT user context

• efa884c: feature: just-in-time user provisioning for organizations

  This feature allows users to automatically join the organization and be assigned roles upon their first sign-in through some authentication methods. You can set requirements to meet for just-in-time provisioning.

  Email domains

  New users will automatically join organizations with just-in-time provisioning if they:

  • Sign up with verified email addresses, or;
  • Use social sign-in with verified email addresses.

  This applies to organizations that have the same email domain configured.

  To enable this feature, you can add email domain via the Management API or the Logto Console:

  • We added the following new endpoints to the Management API:
    • GET /organizations/{organizationId}/jit/email-domains
    • POST /organizations/{organizationId}/jit/email-domains
    • PUT /organizations/{organizationId}/jit/email-domains
    • DELETE /organizations/{organizationId}/jit/email-domains/{emailDomain}
  • In the Logto Console, you can manage email domains in the organization details page -> "Just-in-time provisioning" section.

  SSO connectors

  New or existing users signing in through enterprise SSO for the first time will automatically join organizations that have just-in-time provisioning configured for the SSO connector.

  To enable this feature, you can add SSO connectors via the Management API or the Logto Console:

  • We added the following new endpoints to the Management API:
    • GET /organizations/{organizationId}/jit/sso-connectors
    • POST /organizations/{organizationId}/jit/sso-connectors
    • PUT /organizations/{organizationId}/jit/sso-connectors
    • DELETE /organizations/{organizationId}/jit/sso-connectors/{ssoConnectorId}
  • In the Logto Console, you can manage SSO connectors in the organization details page -> "Just-in-time provisioning" section.

  Default organization roles

  You can also configure the default roles for users provisioned via this feature. The default roles will be assigned to the user when they are provisioned.

  To enable this feature, you can set the default roles via the Management API or the Logto Console:

  • We added the following new endpoints to the Management API:
    • GET /organizations/{organizationId}/jit/roles
    • POST /organizations/{organizationId}/jit/roles
    • PUT /organizations/{organizationId}/jit/roles
    • DELETE /organizations/{organizationId}/jit/roles/{organizationRoleId}
  • In the Logto Console, you can manage default roles in the organization details page -> "Just-in-time provisioning" section.

• b50ba0b: enable backchannel logout support

  Enable the support of OpenID Connect Back-Channel Logout 1.0.

  To register for backchannel logout, navigate to the application details page in the Logto Console and locate the "Backchannel logout" section. Enter the backchannel logout URL of your RP and click "Save".

  You can also enable session requirements for backchannel logout. When enabled, Logto will include the sid claim in the logout token.

  For programmatic registration, you can set the backchannelLogoutUri and backchannelLogoutSessionRequired properties in the application oidcClientMetadata object.

Patch Changes

• 9f33d99: view and update user's profile property in the user settings page

• 06ef199: fix a regression bug that error toasts pop up in audit log when logs are associated with deleted applications

• af44e87: add Chrome extension guide

• 1363205: allow skipping manual account linking during sign-in

  You can find this configuration in Console -> Sign-in experience -> Sign-up and sign-in -> Social sign-in -> Automatic account linking.

  When switched on, if a user signs in with a social identity that is new to the system, and there is exactly one existing account with the same identifier (e.g., email), Logto will automatically link the account with the social identity instead of prompting the user for account linking.

• d81e13d: display OIDC issuer endpoint in the application details form

@logto/core@1.18.0

Minor Changes

• 942780f: support Google One Tap

  • core: GET /api/.well-known/sign-in-exp now returns googleOneTap field with the configuration when available
  • core: add Google Sign-In (GSI) url to the security headers
  • core: verify Google One Tap CSRF token in verifySocialIdentity()
  • phrases: add Google One Tap phrases
  • schemas: migrate sign-in experience types from core to schemas

• 754d0e1: pagination is now optional for GET /api/organizations/:id/users/:userId/roles

  The default pagination is now removed. This isn't considered a breaking change, but we marked it as minor to get your attention.

• 87615d5: support machine-to-machine apps for organizations

  This feature allows machine-to-machine apps to be associated with organizations, and be assigned with organization roles.

  Console

  • Add a new "machine-to-machine" type to organization roles. All existing roles are now "user" type.
  • You can manage machine-to-machine apps in the organization details page -> Machine-to-machine apps section.
  • You can view the associated organizations in the machine-to-machine app details page.

  OpenID Connect grant

  The client_credentials grant type is now supported for organizations. You can use this grant type to obtain an access token for an organization.

  Management API

  A set of new endpoints are added to the Management API:

  • /api/organizations/{id}/applications to manage machine-to-machine apps.
  • /api/organizations/{id}/applications/{applicationId} to manage a specific machine-to-machine app in an organization.
  • /api/applications/{id}/organizations to view the associated organizations of a machine-to-machine app.

• 061a30a: support agree to terms polices for Logto’s sign-in experiences

  • Automatic: Users automatically agree to terms by continuing to use the service
  • ManualRegistrationOnly: Users must agree to terms by checking a box during registration, and don't need to agree when signing in
  • Manual: Users must agree to terms by checking a box during registration or signing in

• ef21c7a: support per-organization multi-factor authentication requirement

  An organization can now require its member to have multi-factor authentication (MFA) configured. If an organization has this requirement and a member does not have MFA configured, the member will not be able to fetch the organization access token.

• b52609a: add hasPassword to custom JWT user context

• efa884c: feature: just-in-time user provisioning for organizations

  This feature allows users to automatically join the organization and be assigned roles upon their first sign-in through some authentication methods. You can set requirements to meet for just-in-time provisioning.

  Email domains

  New users will automatically join organizations with just-in-time provisioning if they:

  • Sign up with verified email addresses, or;
  • Use social sign-in with verified email addresses.

  This applies to organizations that have the same email domain configured.

  To enable this feature, you can add email domain via the Management API or the Logto Console:

  • We added the following new endpoints to the Management API:
    • GET /organizations/{organizationId}/jit/email-domains
    • POST /organizations/{organizationId}/jit/email-domains
    • PUT /organizations/{organizationId}/jit/email-domains
    • DELETE /organizations/{organizationId}/jit/email-domains/{emailDomain}
  • In the Logto Console, you can manage email domains in the organization details page -> "Just-in-time provisioning" section.

  SSO connectors

  New or existing users signing in through enterprise SSO for the first time will automatically join organizations that have just-in-time provisioning configured for the SSO connector.

  To enable this feature, you can add SSO connectors via the Management API or the Logto Console:

  • We added the following new endpoints to the Management API:
    • GET /organizations/{organizationId}/jit/sso-connectors
    • POST /organizations/{organizationId}/jit/sso-connectors
    • PUT /organizations/{organizationId}/jit/sso-connectors
    • DELETE /organizations/{organizationId}/jit/sso-connectors/{ssoConnectorId}
  • In the Logto Console, you can manage SSO connectors in the organization details page -> "Just-in-time provisioning" section.

  Default organization roles

  You can also configure the default roles for users provisioned via this feature. The default roles will be assigned to the user when they are provisioned.

  To enable this feature, you can set the default roles via the Management API or the Logto Console:

  • We added the following new endpoints to the Management API:
    • GET /organizations/{organizationId}/jit/roles
    • POST /organizations/{organizationId}/jit/roles
    • PUT /organizations/{organizationId}/jit/roles
    • DELETE /organizations/{organizationId}/jit/roles/{organizationRoleId}
  • In the Logto Console, you can manage default roles in the organization details page -> "Just-in-time provisioning" section.

• b50ba0b: enable backchannel logout support

  Enable the support of OpenID Connect Back-Channel Logout 1.0.

  To register for backchannel logout, navigate to the application details page in the Logto Console and locate the "Backchannel logout" section. Enter the backchannel logout URL of your RP and click "Save".

  You can also enable session requirements for backchannel logout. When enabled, Logto will include the sid claim in the logout token.

  For programmatic registration, you can set the backchannelLogoutUri and backchannelLogoutSessionRequired properties in the application oidcClientMetadata object.

Patch Changes

• d60f6ce: build operationId for Management API in OpenAPI response (credit to @mostafa)

  As per the specification:

  operationId is an optional unique string used to identify an operation. If provided, these IDs must be unique among all operations described in your API.

  This greatly simplifies the creation of client SDKs in different languages, because it generates more meaningful function names instead of auto-generated ones, like the following examples:

  - org, _, err := s.Client.OrganizationsAPI.ApiOrganizationsIdGet(ctx, req.GetId()).Execute()
  + org, _, err := s.Client.OrganizationsAPI.GetOrganization(ctx, req.GetId()).Execute()

  - users, _, err := s.Client.OrganizationsAPI.ApiOrganizationsIdUsersGet(ctx, req.GetId()).Execute()
  + users, _, err := s.Client.OrganizationsAPI.ListOrganizationUsers(ctx, req.GetId()).Execute()

• 7a279be: add user detail data payload to the User.Deleted webhook event

• d51e839: fix OpenAPI schema returned by the GET /api/swagger.json endpoint

  1. The : character is invalid in parameter names, such as organizationId:root. These characters have been replaced with -.
  2. The tenantId parameter of the /api/.well-known/endpoints/{tenantId} route was missing from the generated OpenAPI spec document, resulting in validation errors. This has been fixed.

• Updated dependencies [6308ee1]

• Updated dependencies [1595360]

• Updated dependencies [6308ee1]

• Updated dependencies [eacec10]

• Updated dependencies [942780f]

• Updated dependencies [f78b176]

• Updated dependencies [87615d5]

• Updated dependencies [9f33d99]

• Updated dependencies [06ef199]

• Updated dependencies [061a30a]

• Updated dependencies [ead51e5]

• Updated dependencies [af44e87]

• Updated dependencies [ef21c7a]

• Updated dependencies [1363205]

• Updated dependencies [0ef712e]

• Updated dependencies [50c35a2]

• Updated dependencies [1595360]

• Updated dependencies [b52609a]

• Updated dependencies [efa884c]

• Updated dependencies [b50ba0b]

• Updated dependencies [d81e13d]

  • @logto/connector-kit@4.0.0
  • @logto/console@1.16.0
  • @logto/phrases@1.12.0
  • @logto/schemas@1.18.0
  • @logto/demo-app@1.3.0
  • @logto/phrases-experience@1.7.0
  • @logto/experience@1.7.0
  • @logto/cli@1.18.0

@logto/demo-app@1.3.0

Minor Changes

• f78b176: add dev panel

@logto/experience@1.7.0

Minor Changes

• 061a30a: support agree to terms polices for Logto’s sign-in experiences

  • Automatic: Users automatically agree to terms by continuing to use the service
  • ManualRegistrationOnly: Users must agree to terms by checking a box during registration, and don't need to agree when signing in
  • Manual: Users must agree to terms by checking a box during registration or signing in

• 50c35a2: support Google One Tap

  • Conditionally load Google One Tap script if it's enabled in the config.
  • Support callback from Google One Tap.

Patch Changes

• 1363205: allow skipping manual account linking during sign-in

  You can find this configuration in Console -> Sign-in experience -> Sign-up and sign-in -> Social sign-in -> Automatic account linking.

  When switched on, if a user signs in with a social identity that is new to the system, and there is exactly one existing account with the same identifier (e.g., email), Logto will automatically link the account with the social identity instead of prompting the user for account linking.

@logto/integration-tests@1.7.0

Minor Changes

• 061a30a: support agree to terms polices for Logto’s sign-in experiences

  • Automatic: Users automatically agree to terms by continuing to use the service
  • ManualRegistrationOnly: Users must agree to terms by checking a box during registration, and don't need to agree when signing in
  • Manual: Users must agree to terms by checking a box during registration or signing in

Patch Changes

• 87615d5: support machine-to-machine apps for organizations

  This feature allows machine-to-machine apps to be associated with organizations, and be assigned with organization roles.

  Console

  • Add a new "machine-to-machine" type to organization roles. All existing roles are now "user" type.
  • You can manage machine-to-machine apps in the organization details page -> Machine-to-machine apps section.
  • You can view the associated organizations in the machine-to-machine app details page.

  OpenID Connect grant

  The client_credentials grant type is now supported for organizations. You can use this grant type to obtain an access token for an organization.

  Management API

  A set of new endpoints are added to the Management API:

  • /api/organizations/{id}/applications to manage machine-to-machine apps.
  • /api/organizations/{id}/applications/{applicationId} to manage a specific machine-to-machine app in an organization.
  • /api/applications/{id}/organizations to view the associated organizations of a machine-to-machine app.

• ef21c7a: support per-organization multi-factor authentication requirement

  An organization can now require its member to have multi-factor authentication (MFA) configured. If an organization has this requirement and a member does not have MFA configured, the member will not be able to fetch the organization access token.

• efa884c: feature: just-in-time user provisioning for organizations

  This feature allows users to automatically join the organization and be assigned roles upon their first sign-in through some authentication methods. You can set requirements to meet for just-in-time provisioning.

  Email domains

  New users will automatically join organizations with just-in-time provisioning if they:

  • Sign up with verified email addresses, or;
  • Use social sign-in with verified email addresses.

  This applies to organizations that have the same email domain configured.

  To enable this feature, you can add email domain via the Management API or the Logto Console:

  • We added the following new endpoints to the Management API:
    • GET /organizations/{organizationId}/jit/email-domains
    • POST /organizations/{organizationId}/jit/email-domains
    • PUT /organizations/{organizationId}/jit/email-domains
    • DELETE /organizations/{organizationId}/jit/email-domains/{emailDomain}
  • In the Logto Console, you can manage email domains in the organization details page -> "Just-in-time provisioning" section.

  SSO connectors

  New or existing users signing in through enterprise SSO for the first time will automatically join organizations that have just-in-time provisioning configured for the SSO connector.

  To enable this feature, you can add SSO connectors via the Management API or the Logto Console:

  • We added the following new endpoints to the Management API:
    • GET /organizations/{organizationId}/jit/sso-connectors
    • POST /organizations/{organizationId}/jit/sso-connectors
    • PUT /organizations/{organizationId}/jit/sso-connectors
    • DELETE /organizations/{organizationId}/jit/sso-connectors/{ssoConnectorId}
  • In the Logto Console, you can manage SSO connectors in the organization details page -> "Just-in-time provisioning" section.

  Default organization roles

  You can also configure the default roles for users provisioned via this feature. The default roles will be assigned to the user when they are provisioned.

  To enable this feature, you can set the default roles via the Management API or the Logto Console:

  • We added the following new endpoints to the Management API:
    • GET /organizations/{organizationId}/jit/roles
    • POST /organizations/{organizationId}/jit/roles
    • PUT /organizations/{organizationId}/jit/roles
    • DELETE /organizations/{organizationId}/jit/roles/{organizationRoleId}
  • In the Logto Console, you can manage default roles in the organization details page -> "Just-in-time provisioning" section.

[github-actions]

COMPARE TO master

Total Size Diff ⚠️ 📈 +30.47 KB

Diff by File

Name	Diff
.changeset/breezy-bags-help.md	📈 +558 Bytes
.changeset/breezy-dodos-cheer.md	📈 +118 Bytes
.changeset/brown-cobras-know.md	📈 +950 Bytes
.changeset/cold-masks-film.md	📈 +233 Bytes
.changeset/cool-cows-relax.md	📈 +624 Bytes
.changeset/cyan-garlics-tan.md	📈 +449 Bytes
.changeset/few-moose-sniff.md	📈 +48 Bytes
.changeset/fresh-gorillas-obey.md	📈 +241 Bytes
.changeset/fuzzy-eyes-add.md	📈 +95 Bytes
.changeset/gentle-camels-film.md	📈 +1.15 KB
.changeset/gold-bulldogs-draw.md	📈 +125 Bytes
.changeset/good-shrimps-cover.md	📈 +143 Bytes
.changeset/heavy-badgers-jog.md	📈 +416 Bytes
.changeset/heavy-rabbits-own.md	📈 +564 Bytes
.changeset/large-gifts-cross.md	📈 +52 Bytes
.changeset/long-worms-refuse.md	📈 +60 Bytes
.changeset/lucky-rocks-bow.md	📈 +450 Bytes
.changeset/mean-dogs-pump.md	📈 +562 Bytes
.changeset/mean-pumpkins-scream.md	📈 +70 Bytes
.changeset/nine-carrots-roll.md	📈 +174 Bytes
.changeset/orange-dryers-joke.md	📈 +103 Bytes
.changeset/quick-schools-obey.md	📈 +111 Bytes
.changeset/sharp-cooks-explain.md	📈 +123 Bytes
.changeset/smart-laws-compare.md	📈 +2.63 KB
.changeset/stale-shrimps-compare.md	📈 +774 Bytes
.changeset/tiny-teachers-hug.md	📈 +118 Bytes
packages/cli/CHANGELOG.md	📈 +605 Bytes
packages/cli/package.json	0 Bytes
packages/connectors/connector-alipay-native/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-alipay-native/package.json	0 Bytes
packages/connectors/connector-alipay-web/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-alipay-web/package.json	0 Bytes
packages/connectors/connector-aliyun-dm/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-aliyun-dm/package.json	0 Bytes
packages/connectors/connector-aliyun-sms/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-aliyun-sms/package.json	0 Bytes
packages/connectors/connector-apple/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-apple/package.json	0 Bytes
packages/connectors/connector-aws-ses/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-aws-ses/package.json	0 Bytes
packages/connectors/connector-azuread/CHANGELOG.md	📈 +226 Bytes
packages/connectors/connector-azuread/package.json	0 Bytes
packages/connectors/connector-dingtalk-web/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-dingtalk-web/package.json	0 Bytes
packages/connectors/connector-discord/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-discord/package.json	0 Bytes
packages/connectors/connector-facebook/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-facebook/package.json	0 Bytes
packages/connectors/connector-feishu-web/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-feishu-web/package.json	0 Bytes
packages/connectors/connector-github/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-github/package.json	0 Bytes
packages/connectors/connector-google/CHANGELOG.md	📈 +405 Bytes
packages/connectors/connector-google/package.json	0 Bytes
packages/connectors/connector-huggingface/CHANGELOG.md	📈 +199 Bytes
packages/connectors/connector-huggingface/package.json	0 Bytes
packages/connectors/connector-kakao/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-kakao/package.json	0 Bytes
packages/connectors/connector-logto-email/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-logto-email/package.json	0 Bytes
packages/connectors/connector-logto-sms/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-logto-sms/package.json	0 Bytes
packages/connectors/connector-logto-social-demo/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-logto-social-demo/package.json	0 Bytes
packages/connectors/connector-mailgun/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-mailgun/package.json	0 Bytes
packages/connectors/connector-mock-email-alternative/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-mock-email-alternative/package.json	0 Bytes
packages/connectors/connector-mock-email/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-mock-email/package.json	0 Bytes
packages/connectors/connector-mock-sms/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-mock-sms/package.json	0 Bytes
packages/connectors/connector-mock-social/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-mock-social/package.json	0 Bytes
packages/connectors/connector-naver/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-naver/package.json	0 Bytes
packages/connectors/connector-oauth2/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-oauth2/package.json	0 Bytes
packages/connectors/connector-oidc/CHANGELOG.md	📈 +199 Bytes
packages/connectors/connector-oidc/package.json	0 Bytes
packages/connectors/connector-saml/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-saml/package.json	0 Bytes
packages/connectors/connector-sendgrid-email/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-sendgrid-email/package.json	0 Bytes
packages/connectors/connector-smsaero/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-smsaero/package.json	0 Bytes
packages/connectors/connector-smtp/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-smtp/package.json	0 Bytes
packages/connectors/connector-tencent-sms/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-tencent-sms/package.json	0 Bytes
packages/connectors/connector-twilio-sms/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-twilio-sms/package.json	0 Bytes
packages/connectors/connector-wechat-native/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-wechat-native/package.json	0 Bytes
packages/connectors/connector-wechat-web/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-wechat-web/package.json	0 Bytes
packages/connectors/connector-wecom/CHANGELOG.md	📈 +166 Bytes
packages/connectors/connector-wecom/package.json	0 Bytes
packages/console/CHANGELOG.md	📈 +6.67 KB
packages/console/package.json	0 Bytes
packages/core/CHANGELOG.md	📈 +8.06 KB
packages/core/package.json	0 Bytes
packages/create/CHANGELOG.md	📈 +51 Bytes
packages/create/package.json	0 Bytes
packages/demo-app/CHANGELOG.md	📈 +57 Bytes
packages/demo-app/package.json	0 Bytes
packages/experience/CHANGELOG.md	📈 +1.06 KB
packages/experience/package.json	0 Bytes
packages/integration-tests/CHANGELOG.md	📈 +4.38 KB
packages/integration-tests/package.json	0 Bytes
packages/phrases-experience/CHANGELOG.md	📈 +415 Bytes
packages/phrases-experience/package.json	0 Bytes
packages/phrases/CHANGELOG.md	📈 +6.08 KB
packages/phrases/package.json	0 Bytes
packages/schemas/CHANGELOG.md	📈 +6 KB
packages/schemas/alterations/1.18.0-1717567857-social-sign-in-linking.ts	📈 +476 Bytes
packages/schemas/alterations/1.18.0-1717597875-add-organization-email-domains-table.ts	📈 +1.04 KB
packages/schemas/alterations/1.18.0-1717818597-organization-mfa-requirement.ts	📈 +462 Bytes
packages/schemas/alterations/1.18.0-1718340884-rename-org-email-domains-and-add-jit-roles-table.ts	📈 +2.87 KB
packages/schemas/alterations/1.18.0-1718594164-add-agree-to-terms-policy.ts	📈 +1.33 KB
packages/schemas/alterations/1.18.0-1718785576-organization-application-relations.ts	📈 +1.44 KB
packages/schemas/alterations/1.18.0-1718786576-organization-jit-sso-connectors.ts	📈 +1.07 KB
packages/schemas/alterations/1.18.0-1718807616-organization-role-application-relations.ts	📈 +1.39 KB
packages/schemas/alterations/1.18.0-1718865814-add-subject-tokens.ts	📈 +1.19 KB
packages/schemas/alterations/1.18.0-1719014832-organization-role-types.ts	📈 +1.41 KB
packages/schemas/alterations/1.18.0-1719221205-fix-functions.ts	📈 +788 Bytes
packages/schemas/alterations/1.18.0-1719312694-custom-ui-assets.ts	📈 +461 Bytes
packages/schemas/alterations/next-1717567857-social-sign-in-linking.ts	📈 +476 Bytes
packages/schemas/alterations/next-1717597875-add-organization-email-domains-table.ts	📈 +1.04 KB
packages/schemas/alterations/next-1717818597-organization-mfa-requirement.ts	📈 +462 Bytes
packages/schemas/alterations/next-1718340884-rename-org-email-domains-and-add-jit-roles-table.ts	📈 +2.87 KB
packages/schemas/alterations/next-1718594164-add-agree-to-terms-policy.ts	📈 +1.33 KB
packages/schemas/alterations/next-1718785576-organization-application-relations.ts	📈 +1.44 KB
packages/schemas/alterations/next-1718786576-organization-jit-sso-connectors.ts	📈 +1.07 KB
packages/schemas/alterations/next-1718807616-organization-role-application-relations.ts	📈 +1.39 KB
packages/schemas/alterations/next-1718865814-add-subject-tokens.ts	📈 +1.19 KB
packages/schemas/alterations/next-1719014832-organization-role-types.ts	📈 +1.41 KB
packages/schemas/alterations/next-1719221205-fix-functions.ts	📈 +788 Bytes
packages/schemas/alterations/next-1719312694-custom-ui-assets.ts	📈 +461 Bytes
packages/schemas/package.json	0 Bytes
packages/toolkit/connector-kit/CHANGELOG.md	📈 +856 Bytes
packages/toolkit/connector-kit/package.json	0 Bytes
pnpm-lock.yaml	📈 +1.03 KB