Releases: logto-io/logto

v1.11.0

14 Nov 13:14
76c8bb2

Multi-factor authentication (MFA)

Now you can activate MFA with just one click and take control of user security. We've made it easy to customize the sign-in experience with these methods:

  • Authenticator app OTP: users can add any authenticator app that supports the TOTP standard, such as Google Authenticator, Duo, etc.
  • WebAuthn (Passkey): users can use the standard WebAuthn protocol to register a hardware security key, such as biometric keys, YubiKey, etc.
  • Backup codes: users can generate a set of backup codes to use when they don't have access to other MFA methods.

[Image: Set up MFA by one-click]

For a smooth transition, we also support configuring the MFA policy to either require MFA at sign-in or allow users to opt in to MFA.

Check out our One-click MFA integration blog post to learn more.

Work in progress

Organizations and enterprise Single Sign-On (SSO) functionalities are on the horizon. With Logto, creating multi-tenancy applications and becoming enterprise-ready will not be a business blocker anymore.

v1.10.1

03 Nov 05:40
a5a0d44

Fixes

Fix a 500 error when using the search component in Console to filter both roles and applications.

v1.10.0

08 Oct 06:03
6993b15

New feature: machine-to-machine role-based access control

Role-based access control (RBAC) now extends to machine-to-machine apps. This update allows you to effectively manage permissions for your machine-to-machine apps using the same approach as for user authorization.

Note
The "Enable admin access" toggle for machine-to-machine apps has been retired in favor of a new "Management API access" role. If you had switched it on, the app now uses that role; if you hadn't, a new role with Management API permissions is needed before the app can access the Logto Management API. See 🚝 Interact with Management API to learn more.

Starting today, when you create a new role, you can select either a "user role" or a "machine-to-machine app role" by expanding more options. All existing roles have automatically been converted to "user roles".


Constraints

  • After creating a role, you cannot modify its type.
  • The Logto Management API resource can only be accessed by machine-to-machine application roles.

Management API updates

Added APIs

Applications

  • POST /applications/:appId/roles assigns role(s) to the M2M application
  • DELETE /applications/:appId/roles/:roleId deletes the role from the M2M application
  • GET /applications/:appId/roles lists all roles assigned to the M2M application

Roles

  • POST /roles/:roleId/applications assigns the role to multiple M2M applications
  • DELETE /roles/:roleId/applications/:appId removes the M2M application from the role
  • GET /roles/:roleId/applications lists all M2M applications granted with the role

Updated APIs

Roles

  • POST /roles to specify the role type (either user or machine-to-machine role)

Users

  • POST /users/:userId/roles to prevent assigning M2M roles to end-users

Support roles scope for issuing the roles claim in ID tokens

When you include roles in the scope parameter of the Logto SDK config (or manually append it to the OpenID Connect auth request), the ID token will include a roles claim containing an array of the user's roles. This may resolve #3411.

Security update

If an identifier (username, email, or phone number) experiences five authentication failures within an hour, it will be temporarily blocked from the authentication process for ten minutes.
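The lockout rule above as an added example, not Logto's own implementation: a sliding-window counter per identifier that blocks on the fifth failure inside an hour and clears after ten minutes. Timestamps are passed in explicitly so it runs offline, and normalising the identifier (trim and lowercase) is an assumption of this example.

```typescript
// Added example, not Logto's code. Models: five failures for one identifier within
// an hour block it for ten minutes. "now" is passed in (ms since epoch) for testability.
const WINDOW_MS = 60 * 60 * 1000;  // failures are counted over the last hour
const MAX_FAILURES = 5;            // the fifth failure triggers the block
const BLOCK_MS = 10 * 60 * 1000;   // how long the identifier stays blocked

interface IdentifierState {
  failures: number[];   // timestamps of failures inside the current window
  blockedUntil: number; // 0 when not blocked
}

class AuthFailureTracker {
  private readonly state = new Map<string, IdentifierState>();

  // Assumption of this example: identifiers are compared case-insensitively,
  // so "Alice@Example.com" and "alice@example.com" share one bucket.
  private bucket(identifier: string): IdentifierState {
    const key = identifier.trim().toLowerCase();
    let s = this.state.get(key);
    if (!s) {
      s = { failures: [], blockedUntil: 0 };
      this.state.set(key, s);
    }
    return s;
  }

  /** True while the identifier is temporarily blocked; callers reject attempts early. */
  isBlocked(identifier: string, now: number): boolean {
    return this.bucket(identifier).blockedUntil > now;
  }

  /** Record a failed attempt. Returns true when this failure triggered a block. */
  recordFailure(identifier: string, now: number): boolean {
    const s = this.bucket(identifier);
    s.failures = s.failures.filter((t) => now - t < WINDOW_MS); // drop stale failures
    s.failures.push(now);
    if (s.failures.length >= MAX_FAILURES) {
      s.blockedUntil = now + BLOCK_MS;
      s.failures = []; // a fresh window starts once the block expires
      return true;
    }
    return false;
  }

  /** A successful sign-in clears the failure history for the identifier. */
  recordSuccess(identifier: string): void {
    this.state.delete(identifier.trim().toLowerCase());
  }
}
```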

v1.9.1

21 Sep 14:25
d254dae

Fixes

  • Fix a bug that prevented users from customizing i18n translations in the sign-in experience config
  • Add more intuitive code samples and fix mistakes in the Express API guide

v1.9.0

18 Sep 11:15
e69f941

New feature: Password policy

[Image: Password policy preview]

Summary

This newly introduced feature empowers you to customize a range of password policies specific to your Logto tenant:

  • Minimum password length (default: 8)
  • Minimum character types (default: 1)
  • Prevention of breached passwords (default: Enabled)
  • Restriction of repetitive or sequential characters (default: Enabled)
  • Restriction of user information in passwords (default: Enabled)
  • Custom restricted words (default: None specified)

To begin configuring these settings, simply navigate to the Logto Console under "Sign-in experience" and select "Password policy".
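The policy settings above as an added example, not Logto's own validator. It assumes four separate character types (lowercase, uppercase, digits, symbols), reads the repetition/sequence rule as three or more equal or consecutive characters, and leaves out the breached-password check because that needs an external corpus; all three are interpretations of this example, not the product's exact rules.

```typescript
// Added example, not Logto's code: a password checker for the policy knobs listed above.
interface PasswordPolicy {
  minLength: number;                   // default 8
  minCharTypes: number;                // default 1
  rejectRepetitionOrSequence: boolean; // default enabled
  rejectUserInfo: boolean;             // default enabled
  restrictedWords: string[];           // default none
}
interface UserInfo { username?: string; email?: string; phone?: string }

const DEFAULT_POLICY: PasswordPolicy = {
  minLength: 8, minCharTypes: 1, rejectRepetitionOrSequence: true, rejectUserInfo: true, restrictedWords: [],
};

// Lowercase and uppercase are counted as distinct types (assumption matching the note below).
function charTypes(pw: string): number {
  return [/[a-z]/, /[A-Z]/, /[0-9]/, /[^a-zA-Z0-9]/].filter((re) => re.test(pw)).length;
}

// Three identical characters in a row ("aaa") or three consecutive code points
// ascending or descending ("abc", "321"); the threshold of three is an assumption.
function hasRepetitionOrSequence(pw: string): boolean {
  for (let i = 2; i < pw.length; i++) {
    const a = pw.charCodeAt(i - 2), b = pw.charCodeAt(i - 1), c = pw.charCodeAt(i);
    if (a === b && b === c) return true;
    if (b - a === 1 && c - b === 1) return true;
    if (a - b === 1 && b - c === 1) return true;
  }
  return false;
}

// Username, e-mail local part and phone number must not appear in the password.
function containsUserInfo(pw: string, user: UserInfo): boolean {
  const lower = pw.toLowerCase();
  const parts = [user.username, user.email?.split("@")[0], user.phone]
    .filter((p): p is string => !!p && p.length >= 3); // ignore trivially short fragments
  return parts.some((p) => lower.includes(p.toLowerCase()));
}

/** Returns the violated rules; an empty array means the password is accepted. */
function checkPassword(pw: string, user: UserInfo, policy: PasswordPolicy = DEFAULT_POLICY): string[] {
  const issues: string[] = [];
  const lower = pw.toLowerCase();
  if (pw.length < policy.minLength) issues.push("too_short");
  if (charTypes(pw) < policy.minCharTypes) issues.push("too_few_char_types");
  if (policy.rejectRepetitionOrSequence && hasRepetitionOrSequence(pw)) issues.push("repetition_or_sequence");
  if (policy.rejectUserInfo && containsUserInfo(pw, user)) issues.push("contains_user_info");
  if (policy.restrictedWords.some((w) => w && lower.includes(w.toLowerCase()))) issues.push("restricted_word");
  return issues;
}
```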

Note
New to password policy? Check out our blog post Design your password policy to master this feature!

For Logto Cloud users, or if you are upgrading Logto from a previous version, please take note that we are committed to ensuring a smooth upgrade. As such, we will maintain your existing password policy as follows:

  • Minimum length: 8 characters
  • Minimum character types: 2
    • Please be aware that, with the implementation of the new policy, combining lowercase and uppercase letters will no longer be considered a single character type.
  • Prevention of breached passwords: Disabled
  • Restriction of repetitive or sequential characters: Disabled
  • Restriction of user information in passwords: Disabled
  • Custom restricted words: None specified

Should you wish to update your password policy manually, you can do so within the Logto Console as described above.

Impact on users

  • All new users will be subject to the new policy immediately upon creation.
  • Existing users will not be affected by the updated policy until they choose to change their password.

Management API changes

We have removed password restrictions for adding or updating users via the Management API.

CLI improvements

  • Support the region option for S3 storage (#4439).
  • Keep the original untranslated mark when syncing translation keys (#4443).

Refactoring

  • Rename @logto/ui to @logto/experience.
  • Rename @logto/phrases-ui to @logto/phrases-experience.

These renames do not affect the Logto product, so we didn't mark them as breaking changes.

Fixes

  • Fix the app crash when entering a verification code on the Console profile page.
  • Align CLI output for a cleaner look.

v1.8.0

30 Aug 14:48
f416ec3

Note
We are busily building MFA, Organizations, Enterprise SSO, and more security features. Subscribe to our newsletter so you won't miss any updates!

Feature updates

New app guides design

The app guides have been completely redesigned for an even more streamlined experience. Now when you create an app, you can search for your favorite framework or integration, and enjoy the tailored interactive tutorial.


New SDKs

We've crafted four new official SDKs: Python, PHP, ASP.NET Core, and CapacitorJS.

Don't hesitate to let us know if your favorite framework is missing. :-)

Mailgun connector

We added a dedicated connector to make sending emails via Mailgun easier. It also supports Mailgun email templates.

Specify algorithm when rotating keys

The CLI command to rotate OIDC private keys now supports specifying the key type. Since the default key type ec may not work on legacy platforms, you can use --type rsa to prepend a new RSA key, for example:

logto db config rotate oidc.privateKey --type rsa

Improvements

  • Application CORS config now allows non-http origins. This is helpful for cross-platform frameworks like CapacitorJS.
  • Remove connector link from session storage when needed (#4406 by @jay-dee7)
  • Regular content updates, code improvements, bug fixes.

v1.7.0

31 Jul 12:48
74e9734

It has been a busy month, and we just launched Logto Cloud! Meanwhile, we also improved our OSS with some new features:

Feature updates

  • Added translate sync-keys command in CLI. This command is helpful for syncing keys from one language to another. See Translation for details.
  • Added SMSAero connector (credit @evist0).
  • Allow editing the refresh token time-to-live (TTL) for applications except machine-to-machine.

We are gradually shifting resources back to OSS and we'll bring more exciting features this year. Stay tuned.

v1.6.0

28 Jun 14:19
53131ad

Features

Application details page in Console

  • Added OpenID Provider configuration endpoint display
  • Added application "Rotate Refresh Token" toggle
  • Added application "Refresh Token TTL" configuration

Fixes

  • Fix interaction issues of sign-in experience preview in Console

v1.5.0

07 Jun 04:49
3acb0d2

Security update

Enabled Content Security Policy (CSP) header check

Removed the report-only flag from the Content Security Policy (CSP) header for both Console and Sign-in Experience. Ensure your endpoints are configured correctly and that no CSP errors appear in the browser's console before upgrading; otherwise the frontend may break in this version.

Feature updates

Webhook in Console

We're thrilled to introduce the new Webhook feature in Logto Console, making integration and real-time event notifications a breeze. Here's what's new:

  • Easy Configuration: Configure webhooks effortlessly by multi-selecting events like user registration, sign-in, and password reset. One-click testing of payload delivery ensures smooth setup.
  • Enhanced Security: Each webhook is assigned an auto-generated Signing Key, ensuring the authenticity of payload data from Logto. Customize headers to add extra context.
  • Monitor Webhook Health: Keep an eye on webhook performance with success rates and request times in the last 24 hours. Access independent logs of recent requests for easy troubleshooting.

Note
If you were using Webhooks via the Management API, some API details have changed, but with backward compatibility, so you can safely upgrade to this version.
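Checking that signing key on the receiving side, as an added example that is not Logto's own code: it assumes the signature is a hex-encoded HMAC-SHA256 of the raw request body delivered in a logto-signature-sha-256 header (confirm the exact header name and encoding in the Logto webhook docs), and it compares in constant time over the raw body rather than re-serialised JSON.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example, not Logto's code. Assumed header name and encoding: hex HMAC-SHA256
// of the raw request body, keyed with the webhook's signing key.
const SIGNATURE_HEADER = "logto-signature-sha-256";

/** Hex HMAC-SHA256 of the raw body: what the sender is assumed to place in the header. */
function signPayload(signingKey: string, rawBody: string): string {
  return createHmac("sha256", signingKey).update(rawBody, "utf8").digest("hex");
}

/**
 * Verify a delivery. Always MAC the bytes as received: re-serialising parsed JSON
 * can reorder keys or change whitespace and invalidate a genuine signature.
 * Header names are expected lowercase, as Node's HTTP parser delivers them.
 */
function verifyWebhook(signingKey: string, rawBody: string, headers: Record<string, string>): boolean {
  const received = headers[SIGNATURE_HEADER];
  if (!received) return false;
  const expected = signPayload(signingKey, rawBody);
  const a = new TextEncoder().encode(received.toLowerCase());
  const b = new TextEncoder().encode(expected);
  // timingSafeEqual throws on unequal lengths, so compare lengths first (length is not secret).
  return a.length === b.length && timingSafeEqual(a, b);
}

// Constructed sample delivery (not a real Logto payload or key).
const SAMPLE_KEY = "example-signing-key";
const SAMPLE_BODY = JSON.stringify({ event: "PostRegister", userId: "user_123" });
```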

Support setting default API Resource from Console and API

Logto leverages RFC 8707: Resource Indicators for OAuth 2.0 to implement Role-Based Access Control (RBAC). While it is one of the features of OAuth 2.0, it is not yet widely supported.

In Logto's implementation, every user-defined permission (scope) must be associated with an API Resource. Otherwise, it will be treated as an OpenID Connect (or OAuth) permission. Generally, this doesn't affect your authorization process. However, when integrating with third-party apps that lack support for RFC 8707 (e.g., ChatGPT plugins), it can pose challenges since the initial authorization request may not include a resource parameter. Consequently, Logto will always issue Opaque Access Tokens.

To address this issue, now you can designate an API Resource as the tenant-level default resource by heading to the details page of an API Resource:


See the documentation to learn what will be affected after turning it on.

Support updating sign-in identifiers in user details form

Admins can now update user sign-in identifiers (username, email, phone number) in the user details form in user management.

Fixes

  • Password reset webhooks are now correctly triggered
  • Bumped oidc-provider version to v8.2.2. This version fixes a bug that prevented the revoked scopes from being removed from the access token.

v1.4.0

23 May 15:06
4f1e29a

This version brings us one step closer to resolving issue #3344. We are actively working on a backward-compatible solution for authorization.

Below are some articles that demonstrate how to use Logto as an OAuth or OIDC Identity Provider:

Feature updates

Introducing the "Always issue Refresh Token" configuration for web apps

[Image: The "Always issue Refresh Token" toggle]

Turning on this toggle ensures that Refresh Tokens are always issued, regardless of whether prompt=consent was included in the authorization request or if offline_access was specified in the scope.

Patch updates

  • Improved compatibility by parsing requests with application/json content-type for /oidc APIs.
  • Automated synchronization of trusted social email and phone information for newly registered users, irrespective of the sign-up identifier configuration.
    • For example: Previously, if the "email" was not set as a sign-up identifier (meaning a valid email connector had to be configured and enabled) and Google sign-in was added, the emails from new users would not be synchronized.
    • Starting from v1.4.0, this requirement has been removed, as "social sign-in only" scenarios are not uncommon in real-world cases.