ory · aeneasr · Jul 11, 2024 · May 7, 2024 · Mar 26, 2024 · Apr 22, 2024
@@ -65,3 +65,4 @@ test/e2e/kratos.*.yml
 # VSCode debug artifact
 __debug_bin
 .debug.sqlite.db
+.last-run.json
@@ -43,6 +43,7 @@
       set_ory_session_token: "#/components/schemas/continueWithSetOrySessionToken"
       show_settings_ui: "#/components/schemas/continueWithSettingsUi"
       show_recovery_ui: "#/components/schemas/continueWithRecoveryUi"
+      redirect_browser_to: "#/components/schemas/continueWithRedirectBrowserTo"
 
 - op: add
   path: /components/schemas/continueWith/oneOf
@@ -51,3 +52,4 @@
     - "$ref": "#/components/schemas/continueWithSetOrySessionToken"
     - "$ref": "#/components/schemas/continueWithSettingsUi"
     - "$ref": "#/components/schemas/continueWithRecoveryUi"
+    - "$ref": "#/components/schemas/continueWithRedirectBrowserTo"
@@ -19,6 +19,7 @@
     - "$ref": "#/components/schemas/updateRegistrationFlowWithWebAuthnMethod"
     - "$ref": "#/components/schemas/updateRegistrationFlowWithCodeMethod"
     - "$ref": "#/components/schemas/updateRegistrationFlowWithPasskeyMethod"
+    - "$ref": "#/components/schemas/updateRegistrationFlowWithProfileMethod"
 - op: add
   path: /components/schemas/updateRegistrationFlowBody/discriminator
   value:
@@ -28,7 +29,8 @@
       oidc: "#/components/schemas/updateRegistrationFlowWithOidcMethod"
       webauthn: "#/components/schemas/updateRegistrationFlowWithWebAuthnMethod"
       code: "#/components/schemas/updateRegistrationFlowWithCodeMethod"
-      passKey: "#/components/schemas/updateRegistrationFlowWithPasskeyMethod"
+      passkey: "#/components/schemas/updateRegistrationFlowWithPasskeyMethod"
+      profile: "#/components/schemas/updateRegistrationFlowWithProfileMethod"
 - op: add
   path: /components/schemas/registrationFlowState/enum
   value:
@@ -50,6 +52,7 @@
     - "$ref": "#/components/schemas/updateLoginFlowWithLookupSecretMethod"
     - "$ref": "#/components/schemas/updateLoginFlowWithCodeMethod"
     - "$ref": "#/components/schemas/updateLoginFlowWithPasskeyMethod"
+    - "$ref": "#/components/schemas/updateLoginFlowWithIdentifierFirstMethod"
 - op: add
   path: /components/schemas/updateLoginFlowBody/discriminator
   value:
@@ -62,6 +65,7 @@
       lookup_secret: "#/components/schemas/updateLoginFlowWithLookupSecretMethod"
       code: "#/components/schemas/updateLoginFlowWithCodeMethod"
       passkey: "#/components/schemas/updateLoginFlowWithPasskeyMethod"
+      identifier_first: "#/components/schemas/updateLoginFlowWithIdentifierFirstMethod"
 - op: add
   path: /components/schemas/loginFlowState/enum
   value:

@@ -193,8 +193,8 @@ migrations-sync: .bin/ory
 	ory dev pop migration sync persistence/sql/migrations/templates persistence/sql/migratest/testdata
 	script/add-down-migrations.sh
 
-.PHONY: test-update-snapshots
-test-update-snapshots:
+.PHONY: test-refresh
+test-refresh:
 	UPDATE_SNAPSHOTS=true go test -tags sqlite,json1,refresh -short ./...
 
 .PHONY: post-release

@@ -177,6 +177,8 @@ func init() {
 		"NewErrorValidationAddressUnknown":                        text.NewErrorValidationAddressUnknown(),
 		"NewInfoSelfServiceLoginCodeMFA":                          text.NewInfoSelfServiceLoginCodeMFA(),
 		"NewInfoSelfServiceLoginCodeMFAHint":                      text.NewInfoSelfServiceLoginCodeMFAHint("{maskedIdentifier}"),
+		"NewInfoLoginPassword":                                    text.NewInfoLoginPassword(),
+		"NewErrorValidationAccountNotFound":                       text.NewErrorValidationAccountNotFound(),
 	}
 }
 

@@ -63,6 +63,7 @@ func TestQueueSMS(t *testing.T) {
 			Body: body.Body,
 		})
 	}))
+	t.Cleanup(srv.Close)
 
 	requestConfig := fmt.Sprintf(`{
 		"url": "%s",
@@ -112,8 +113,6 @@ func TestQueueSMS(t *testing.T) {
 		assert.Equal(t, expected.To, message.To)
 		assert.Equal(t, fmt.Sprintf("stub sms body %s\n", expected.Body), message.Body)
 	}
-
-	srv.Close()
 }
 
 func TestDisallowedInternalNetwork(t *testing.T) {

@@ -134,6 +134,8 @@ const (
 	ViperKeySelfServiceRegistrationAfter                     = "selfservice.flows.registration.after"
 	ViperKeySelfServiceRegistrationBeforeHooks               = "selfservice.flows.registration.before.hooks"
 	ViperKeySelfServiceLoginUI                               = "selfservice.flows.login.ui_url"
+	ViperKeySelfServiceLoginFlowStyle                        = "selfservice.flows.login.style"
+	ViperKeySecurityAccountEnumerationMitigate               = "security.account_enumeration.mitigate"
 	ViperKeySelfServiceLoginRequestLifespan                  = "selfservice.flows.login.lifespan"
 	ViperKeySelfServiceLoginAfter                            = "selfservice.flows.login.after"
 	ViperKeySelfServiceLoginBeforeHooks                      = "selfservice.flows.login.before.hooks"
@@ -774,14 +776,16 @@ func (p *Config) SelfServiceStrategy(ctx context.Context, strategy string) *Self
 	var err error
 	config, err = json.Marshal(pp.GetF(basePath+".config", config))
 	if err != nil {
-		p.l.WithError(err).Warn("Unable to marshal self service strategy configuration.")
+		p.l.WithError(err).Warn("Unable to marshal self-service strategy configuration.")
 		config = json.RawMessage("{}")
 	}
 
 	// The default value can easily be overwritten by setting e.g. `{"selfservice": "null"}` which means that
 	// we need to forcibly set these values here:
 	defaultEnabled := false
 	switch strategy {
+	case "identifier_first":
+		defaultEnabled = p.SelfServiceLoginFlowIdentifierFirstEnabled(ctx)
 	case "code", "password", "profile":
 		defaultEnabled = true
 	}
@@ -1612,3 +1616,16 @@ func (p *Config) PasswordMigrationHook(ctx context.Context) (hook *PasswordMigra
 
 	return hook
 }
+
+func (p *Config) SelfServiceLoginFlowIdentifierFirstEnabled(ctx context.Context) bool {
+	switch p.GetProvider(ctx).String(ViperKeySelfServiceLoginFlowStyle) {
+	case "identifier_first":
+		return true
+	default:
+		return false
+	}
+}
+
+func (p *Config) SecurityAccountEnumerationMitigate(ctx context.Context) bool {
+	return p.GetProvider(ctx).Bool(ViperKeySecurityAccountEnumerationMitigate)
+}
@@ -12,6 +12,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/ory/kratos/selfservice/strategy/idfirst"
+
 	"github.com/cenkalti/backoff"
 	"github.com/dgraph-io/ristretto"
 	"github.com/gobuffalo/pop/v6"
@@ -324,6 +326,7 @@ func (m *RegistryDefault) selfServiceStrategies() []any {
 				passkey.NewStrategy(m),
 				webauthn.NewStrategy(m),
 				lookup.NewStrategy(m),
+				idfirst.NewStrategy(m),
 			}
 		}
 	}
@@ -379,6 +382,7 @@ nextStrategy:
 					continue nextStrategy
 				}
 			}
+
 			if m.strategyLoginEnabled(ctx, s.ID().String()) {
 				loginStrategies = append(loginStrategies, s)
 			}

@@ -872,7 +872,7 @@ func TestDefaultRegistry_AllStrategies(t *testing.T) {
 	_, reg := internal.NewVeryFastRegistryWithoutDB(t)
 
 	t.Run("case=all login strategies", func(t *testing.T) {
-		expects := []string{"password", "oidc", "code", "totp", "passkey", "webauthn", "lookup_secret"}
+		expects := []string{"password", "oidc", "code", "totp", "passkey", "webauthn", "lookup_secret", "identifier_first"}
 		s := reg.AllLoginStrategies()
 		require.Len(t, s, len(expects))
 		for k, e := range expects {

@@ -1298,10 +1298,10 @@
                 },
                 "style": {
                   "title": "Login Flow Style",
-                  "description": "The style of the login flow. If set to `one_step` the login flow will be a one-step process. If set to `identifier_first` (experimental!) the login flow will first ask for the identifier and then the credentials.",
+                  "description": "The style of the login flow. If set to `unified` the login flow will be a one-step process. If set to `identifier_first` (experimental!) the login flow will first ask for the identifier and then the credentials.",
                   "type": "string",
-                  "enum": ["one_step", "identifier_first"],
-                  "default": "one_step"
+                  "enum": ["unified", "identifier_first"],
+                  "default": "unified"
                 },
                 "before": {
                   "$ref": "#/definitions/selfServiceBeforeLogin"
@@ -1557,12 +1557,6 @@
                   "title": "Enables login flows code method to fulfil MFA requests",
                   "default": false
                 },
-                "passwordless_login_fallback_enabled": {
-                  "type": "boolean",
-                  "title": "Passwordless Login Fallback Enabled",
-                  "description": "This setting allows the code method to always login a user with code if they have registered with another authentication method such as password or social sign in.",
-                  "default": false
-                },
                 "enabled": {
                   "type": "boolean",
                   "title": "Enables Code Method",
@@ -2879,6 +2873,21 @@
         }
       }
     },
+    "security": {
+      "type": "object",
+      "properties": {
+        "account_enumeration": {
+          "type": "object",
+          "properties": {
+            "mitigate": {
+              "type": "boolean",
+              "default": false,
+              "description": "Mitigate account enumeration by making it harder to figure out if an identifier (email, phone number) exists or not. Enabling this setting degrades user experience. This setting does not mitigate all possible attack vectors yet."
+            }
+          }
+        }
+      }
+    },
     "version": {
       "title": "The kratos version this config is written for.",
       "description": "SemVer according to https://semver.org/ prefixed with `v` as in our releases.",

@@ -11,11 +11,9 @@ import (
 	"os"
 	"testing"
 
-	"github.com/ory/kratos/x"
-
-	"github.com/ory/kratos/internal/testhelpers"
-
 	ory "github.com/ory/client-go"
+	"github.com/ory/kratos/internal/testhelpers"
+	"github.com/ory/kratos/x"
 )
 
 func PrintJSONPretty(v interface{}) {

@@ -15,6 +15,7 @@ docs/ConsistencyRequestParameters.md
 docs/ContinueWith.md
 docs/ContinueWithRecoveryUi.md
 docs/ContinueWithRecoveryUiFlow.md
+docs/ContinueWithRedirectBrowserTo.md
 docs/ContinueWithSetOrySessionToken.md
 docs/ContinueWithSettingsUi.md
 docs/ContinueWithSettingsUiFlow.md
@@ -99,6 +100,7 @@ docs/UiText.md
 docs/UpdateIdentityBody.md
 docs/UpdateLoginFlowBody.md
 docs/UpdateLoginFlowWithCodeMethod.md
+docs/UpdateLoginFlowWithIdentifierFirstMethod.md
 docs/UpdateLoginFlowWithLookupSecretMethod.md
 docs/UpdateLoginFlowWithOidcMethod.md
 docs/UpdateLoginFlowWithPasskeyMethod.md
@@ -139,6 +141,7 @@ model_consistency_request_parameters.go
 model_continue_with.go
 model_continue_with_recovery_ui.go
 model_continue_with_recovery_ui_flow.go
+model_continue_with_redirect_browser_to.go
 model_continue_with_set_ory_session_token.go
 model_continue_with_settings_ui.go
 model_continue_with_settings_ui_flow.go
@@ -219,6 +222,7 @@ model_ui_text.go
 model_update_identity_body.go
 model_update_login_flow_body.go
 model_update_login_flow_with_code_method.go
+model_update_login_flow_with_identifier_first_method.go
 model_update_login_flow_with_lookup_secret_method.go
 model_update_login_flow_with_oidc_method.go
 model_update_login_flow_with_passkey_method.go

@@ -142,6 +142,7 @@ Class | Method | HTTP request | Description
  - [ContinueWith](docs/ContinueWith.md)
  - [ContinueWithRecoveryUi](docs/ContinueWithRecoveryUi.md)
  - [ContinueWithRecoveryUiFlow](docs/ContinueWithRecoveryUiFlow.md)
+ - [ContinueWithRedirectBrowserTo](docs/ContinueWithRedirectBrowserTo.md)
  - [ContinueWithSetOrySessionToken](docs/ContinueWithSetOrySessionToken.md)
  - [ContinueWithSettingsUi](docs/ContinueWithSettingsUi.md)
  - [ContinueWithSettingsUiFlow](docs/ContinueWithSettingsUiFlow.md)
@@ -222,6 +223,7 @@ Class | Method | HTTP request | Description
  - [UpdateIdentityBody](docs/UpdateIdentityBody.md)
  - [UpdateLoginFlowBody](docs/UpdateLoginFlowBody.md)
  - [UpdateLoginFlowWithCodeMethod](docs/UpdateLoginFlowWithCodeMethod.md)
+ - [UpdateLoginFlowWithIdentifierFirstMethod](docs/UpdateLoginFlowWithIdentifierFirstMethod.md)
  - [UpdateLoginFlowWithLookupSecretMethod](docs/UpdateLoginFlowWithLookupSecretMethod.md)
  - [UpdateLoginFlowWithOidcMethod](docs/UpdateLoginFlowWithOidcMethod.md)
  - [UpdateLoginFlowWithPasskeyMethod](docs/UpdateLoginFlowWithPasskeyMethod.md)