This version contains important improvements and bug fixes. Highlights include:
Facebook SSO
Facebook has been added as a pre-configured social SSO provider.
SAML IdP-initiated SSO
The Hanko backend can now handle identity provider (IdP) initiated login requests. This is a key feature for B2B customers that require their own IdP to handle authentication to apps that use Hanko. Those B2B users can now access apps that use Hanko via their "App directories" (e.g. Entra, Google Workspace, Okta) and initiate the authentication flow right from there. The existing SAML flow (SP-initiated SSO) can continue to be used. More information about the changes is available in #2046.
Email i18n
Emails sent by Hanko (e.g. passcodes) are now available in all languages supported by Hanko Elements. When an email is sent, it uses the Hanko Elements locale of the current browser session if possible.
New webhooks
New webhook event types have been added:
- user.login
- user.password.changed
- user.update.username.create
- user.update.username.update
- user.update.username.delete
Additionally, all webhook events now include the IP address and user agent strings.
Housekeeping
A new cleanup command has been added to remove expired database entries (flows, audit logs, WebAuthn credential session data).
What's Changed
- chore: add same site attribute to the device trust cookie by @bjoern-m in #2006
- feat: always persist sessions server-side, config adjustments by @bjoern-m in #1997
- feat: let quickstart use session validate endpoint by @FreddyDevelop in #2014
- fix: use lowered id to get third party provider by @FreddyDevelop in #2017
- fix: don't use config file when failed to load by @FreddyDevelop in #2022
- feat: email i18n by @lfleischmann in #2023
- feat: add facebook provider by @lfleischmann in #2007
- feat: enhance session response by @bjoern-m in #2003
- fix: error handling when using zombie passkeys by @bjoern-m in #2034
- fix: webhooks missing triggers and events by @lfleischmann in #2026
- feat: add username to session JWT and public session API responses by @lfleischmann in #2036
- fix: SAML issues by @lfleischmann in #2041
- fix: third party loading spinner shown on multiple buttons fixed by @bjoern-m in #2042
- feat: add cleanup command to remove expired db entries by @bjoern-m in #2035
- feat: use exact template names for email.send webhook types by @lfleischmann in #2037
- fix: reintroduce server-side session config by @FreddyDevelop in #2043
- feat: new webhook events & user metadata enhancements by @bjoern-m in #2048
- feat(ee): saml idp initiated sso by @lfleischmann in #2046
Full Changelog: backend/v1.3.0...backend/v1.4.0