Releases: logto-io/logto
v1.0.1
v1.0.0
Announcing Logto Cloud (Preview) and OSS General Availability
Did you know?
We have refreshed the Logto logo! We simplified the gradients but made our brand color stronger, resulting in improved recognizability.
We are grateful for your participation in testing Logto OSS, and we're excited to announce our first general availability version. In this version, we have delivered numerous improvements to the sign-in experience, making it more delightful for your end-users. This new release also includes several new practical features.
Note
In case you missed it, please see the letter from Gao: Announcing Logto Cloud (Preview) and OSS General Availability.
Let's take a look at what's new!
💥 BREAKING CHANGE 💥
Rename the /api/phrase API to /api/.well-known/phrases.
New features
Custom CSS editor
The console now has a custom CSS code editor in the “Sign-in experience” tab that allows you to apply advanced UI customization to your application. You can preview your changes in real-time via the sign-in experience preview on the right side.
Image uploader
The console now supports a drag-and-drop image uploader for multiple scenarios. If a storage provider is configured in the system, you can upload images directly from your local file system. The first version of the uploader supports AWS S3 and Azure Blob Storage. For more information, please refer to the Configure storage providers documentation.
Console profile page
We have removed the previous profile component and moved it to the user profile page. You can access the page by clicking your user avatar in the top right corner. From there, you can also change your language or theme directly from the popover menu.
On the profile page, you can update your avatar, name, and username, as well as change your password. For cloud users, it is now possible to link your email address and social accounts (Google and GitHub at first launch).
Sign-in experience
Added "Powered by Logto" to the sign-in experience.
CLI
We have added a new CLI command db system that allows you to get/set the system table value for your database. Enter logto db system --help in your terminal for details.
Improvements
Add parameter to specify showing sign-in or sign-up
A new parameter has been added to our JavaScript SDKs which allows you to specify the desired user interaction experience. For instance, in our React SDK:
const { signIn } = useLogto();
// Shows the sign-in page
void signIn('https://some-callback-url');
// Shows the sign-up page
void signIn('https://some-callback-url', 'signUp');
Other SDKs will be updated soon.
Country code selector
A new country code selector dropdown component with a search box has been added to the sign-in experience, allowing users to quickly find a country code by typing in the search box.
Custom favicon
Users can now upload their own favicon in the sign-in-experience branding settings. A local logto icon will be used as a fallback.
Dynamic HTML titles
Instead of always showing “Logto”, the sign-in experience now changes the page title based on the current context, for example “Create account”.
Enhanced password policy
The password policy has been updated to require a minimum of 8 characters and a mix of letters, numbers, and symbols. The allowed characters now include:
- Digits: 0-9
- Letters: a-z, A-Z
- Symbols: !"#$%&'()*+,-./:;<=>?@[]^_`{|}~
Users must now use at least two out of the three types of characters.
Note the new password policy only applies to new users or new passwords. Existing users can continue to use their old password to sign in.
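As an added example (not Logto's own code), the checker below implements the policy as stated above: at least 8 characters, only the listed characters, and at least two of the three character classes. The function names and the shape of the returned report are assumptions.

```typescript
// Added example, not Logto's own code: a checker for the password policy
// described above. Rules: at least 8 characters, only the listed characters,
// and at least two of the three classes (digits, letters, symbols).
const ALLOWED_SYMBOLS = '!"#$%&\'()*+,-./:;<=>?@[]^_`{|}~';

type PasswordCheck = {
  valid: boolean;
  classes: number;     // how many of the three character classes are present
  problems: string[];  // reasons the password was rejected; empty when valid
};

function checkPassword(password: string): PasswordCheck {
  const problems: string[] = [];
  const disallowed = new Set<string>();
  let hasDigit = false;
  let hasLetter = false;
  let hasSymbol = false;

  for (const ch of password) {
    if (ch >= '0' && ch <= '9') {
      hasDigit = true;
    } else if ((ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z')) {
      hasLetter = true;
    } else if (ALLOWED_SYMBOLS.includes(ch)) {
      hasSymbol = true;
    } else {
      disallowed.add(ch); // anything outside the three listed sets (spaces, unicode, ...)
    }
  }

  const classes = [hasDigit, hasLetter, hasSymbol].filter(Boolean).length;

  if (password.length < 8) {
    problems.push('must be at least 8 characters');
  }
  if (classes < 2) {
    problems.push('must use at least two of: digits, letters, symbols');
  }
  if (disallowed.size > 0) {
    problems.push(`contains disallowed characters: ${Array.from(disallowed).join(' ')}`);
  }

  return { valid: problems.length === 0, classes, problems };
}
```

Because the new rule only applies to new passwords, a server would run this check on registration and password change, not on sign-in, which matches the note above about existing users.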
Implement a lite version of set password form
The new lite version only contains one field for the password and will be used only if the forgot-password feature is enabled (the password can be reset by either email or phone). If you don't have any email or SMS service enabled, the old version of the set-password form containing two fields (password and confirm password) will still be used.
Support Privacy Policy URL
A new Privacy Policy URL field has been added to the sign-in-experience settings to support end-users' privacy declaration needs.
Simplify the Terms of Use and Privacy Policy manual agreement for the sign-in flow
The Terms of Use and Privacy Policy manual agreement steps have been removed from the sign-in flow. The agreement checkbox in sign-in pages has been replaced with links to the Terms of Use and Privacy Policy.
Users can still read the agreements before signing in. However, the manual agreement is still mandatory for the sign-up flow, including sign-up with new social identities.
New Contributors
- @Eengineer1 made their first contribution in #3431
v1.0.0-rc.3
2023 Feb Update (Extended)
While Logto Cloud is still under construction, we would like to introduce some new features to our foundation, Logto OSS. This will be the last version before general availability.
Notable updates include:
- Refactored infrastructure and enhanced security
- Smart Input and Customize CSS added to Sign-in Experience
- Open standard connectors (SAML, OIDC, and OAuth 2.0)
- New language support
Let's take a look at what's inside!
💥 BREAKING CHANGES 💥
Decouple normal users and admins
Logto was using a single port to serve both normal users and admins, as well as the web console. While we continuously maintain a high level of security, it’ll still be great to decouple these components into two separate parts to keep data isolated and provide a flexible infrastructure.
Note
From this version, Logto listens on two ports by default, one for normal users (3001), and one for admins (3002).
- Nothing changed for normal users. No adaptation is needed.
- For admin users:
  - The default Admin Console URL has been changed to http://localhost:3002/console.
  - To change the admin port, set the environment variable ADMIN_PORT. For instance, ADMIN_PORT=3456.
  - You can specify a custom endpoint for admins by setting the environment variable ADMIN_ENDPOINT. For example, ADMIN_ENDPOINT=https://admin.your-domain.com.
  - You can now completely disable admin endpoints by setting ADMIN_DISABLE_LOCALHOST=1 and leaving ADMIN_ENDPOINT unset.
  - Admin Console and admin user data are not accessible via normal user endpoints, including localhost and ENDPOINT from the environment.
  - Admin Console no longer displays audit logs of admin users. However, these logs still exist in the database, and Logto still inserts admin user logs. There is just no convenient interface to inspect them.
  - Due to the data isolation, the numbers on the dashboard may slightly decrease (admins are excluded); admin users cannot sign in to the user apps.
- Resource Indicator for Logto Management API changed from https://api.logto.io to https://default.logto.app/api.
If you are upgrading from a previous version, simply run the database alteration command as usual, and we'll take care of the rest.
DID YOU KNOW?
Under the hood, we use the powerful Postgres feature Row-Level Security to isolate admin and user data.
CORS policy
- If ADMIN_ENDPOINT is not specified, localhost:[admin-port] will be allowed to perform Cross-Origin Resource Sharing (CORS) in Logto.
- If ADMIN_ENDPOINT is specified, only requests from the origin of ADMIN_ENDPOINT will be allowed.
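As an added example (not Logto's own code), the snippet below resolves the admin listener from the three environment variables described in the breaking-change list above and applies the CORS rule just stated to a request's Origin header. The variable names come from the release notes; how invalid values are treated, and that the localhost admin port is served over plain http, are assumptions.

```typescript
// Added example, not Logto's own code: resolve the admin listener from
// ADMIN_PORT, ADMIN_ENDPOINT and ADMIN_DISABLE_LOCALHOST (names from the
// release notes) and apply the CORS rule to a request's Origin. Handling of
// invalid values and the http scheme for localhost are assumptions.
type Env = Record<string, string | undefined>;

type AdminConfig = {
  adminPort: number;
  localhostEnabled: boolean;  // false when ADMIN_DISABLE_LOCALHOST=1
  adminOrigin?: string;       // origin of ADMIN_ENDPOINT when it is set
};

// Origin (scheme://host[:port]) of a URL string, or undefined if it is not a URL.
function parseOrigin(input: string): string | undefined {
  try {
    return new URL(input).origin;
  } catch {
    return undefined;
  }
}

function resolveAdminConfig(env: Env): AdminConfig {
  const adminPort = Number(env.ADMIN_PORT ?? '3002');
  if (!Number.isInteger(adminPort) || adminPort < 1 || adminPort > 65535) {
    throw new Error(`invalid ADMIN_PORT: ${String(env.ADMIN_PORT)}`);
  }
  let adminOrigin: string | undefined;
  if (env.ADMIN_ENDPOINT) {
    adminOrigin = parseOrigin(env.ADMIN_ENDPOINT);
    if (adminOrigin === undefined) {
      throw new Error(`invalid ADMIN_ENDPOINT: ${env.ADMIN_ENDPOINT}`);
    }
  }
  return { adminPort, localhostEnabled: env.ADMIN_DISABLE_LOCALHOST !== '1', adminOrigin };
}

// Admin endpoints are completely disabled when localhost is disabled and no
// ADMIN_ENDPOINT is set.
function adminEnabled(config: AdminConfig): boolean {
  return config.localhostEnabled || config.adminOrigin !== undefined;
}

// The CORS rule: with ADMIN_ENDPOINT set, only its origin is allowed; otherwise
// localhost:[admin-port]. The comparison is on the whole origin string, so a
// hostname that merely starts with the admin host, or the same host on another
// port or scheme, does not match.
function isAllowedAdminOrigin(origin: string, config: AdminConfig): boolean {
  if (parseOrigin(origin) !== origin) return false; // not a bare origin (path, trailing slash, ...)
  if (config.adminOrigin !== undefined) return origin === config.adminOrigin;
  return config.localhostEnabled && origin === `http://localhost:${config.adminPort}`;
}
```

The point worth taking from the rule is the exact-origin comparison: an allow-list keyed on `new URL(...).origin` cannot be satisfied by a prefix or substring match, which is the usual way hand-written CORS checks go wrong.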
🔐 Security update
In previous versions, when registering or changing passwords, all new passwords were stored in plain text in the Audit Logs before being encrypted and inserted into the database.
In this version, we have updated the process to fully mask password fields before inserting them into the Audit Logs.
Warning
For enhanced security and compliance, we strongly recommend removing all passwords from the Audit Logs or deleting all logs that include passwords.
If you have any questions regarding this issue or the removal of data, please do not hesitate to contact us via email or Discord.
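As an added example (not Logto's own code), the snippet below shows the two halves of this fix from an operator's point of view: masking password fields in a payload before it is written to the audit log, and scanning entries written by earlier versions for unmasked passwords so they can be deleted or rewritten as the warning recommends. The field names, the log shape and the sample entries are constructed assumptions.

```typescript
// Added example, not Logto's own code: mask password fields in an audit-log
// payload before it is written, and flag entries from older versions that still
// carry a plaintext password so they can be purged. Field names, the log shape
// and the sample entries are assumptions.
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

const SENSITIVE_KEYS = new Set(['password', 'newPassword', 'oldPassword', 'confirmPassword']);
const MASK = '******';

// Returns a copy of `value` with every sensitive field replaced by MASK, at any depth.
function maskSensitive(value: Json): Json {
  if (Array.isArray(value)) {
    return value.map(maskSensitive);
  }
  if (value !== null && typeof value === 'object') {
    const source = value;
    const masked: { [key: string]: Json } = {};
    for (const key of Object.keys(source)) {
      masked[key] = SENSITIVE_KEYS.has(key) ? MASK : maskSensitive(source[key]);
    }
    return masked;
  }
  return value;
}

// True if any sensitive field, at any depth, still holds something other than the mask.
function hasUnmaskedPassword(value: Json): boolean {
  if (Array.isArray(value)) {
    return value.some(hasUnmaskedPassword);
  }
  if (value !== null && typeof value === 'object') {
    const source = value;
    return Object.keys(source).some((key) =>
      SENSITIVE_KEYS.has(key)
        ? source[key] !== MASK && source[key] !== ''
        : hasUnmaskedPassword(source[key]),
    );
  }
  return false;
}

// Indexes of entries that still contain a plaintext password (to delete or rewrite).
function auditLogsToPurge(entries: Json[]): number[] {
  return entries
    .map((entry, index) => (hasUnmaskedPassword(entry) ? index : -1))
    .filter((index) => index >= 0);
}

// Constructed sample: an entry in the pre-fix shape, with the password in clear text.
const legacyEntry: Json = {
  type: 'Register',
  payload: {
    username: 'alice',
    password: 'example-plaintext',
    profile: { nested: { newPassword: 'example-plaintext-2' } },
  },
};
```

`maskSensitive` is the shape of the fix described above (mask before insert); `hasUnmaskedPassword` and `auditLogsToPurge` are what the warning asks operators to do for logs that already exist.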
🧑🚀 Feature update
💡 Smart Input for Sign-in Experience
We have integrated the traditional input fields for username, phone number, and email into a single intelligent input box:
[video: combined-input.mov]
This advanced input box automatically identifies the type of characters you’re entering, such as an @ sign or consecutive numbers, and provides relevant error feedback.
By streamlining the sign-in process, users no longer need to waste time figuring out which button to click to switch their desired login method. This reduces the risk of errors and ensures a smoother sign-in experience.
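As an added example (not Logto's own code), the function below classifies what a user is typing into a single sign-in input, following the two cues named above (an @ sign means email, a run of digits means phone number, anything else is a username), and returns the feedback a form would show. The format rules, the phone length limits and the `enabled` list of identifiers are assumptions.

```typescript
// Added example, not Logto's own code: classify a single sign-in input as
// email, phone or username and produce form feedback. Format rules and the
// phone length limits are assumptions.
type IdentifierType = 'email' | 'phone' | 'username';

type Detection = {
  type: IdentifierType | null;  // null when the input is empty
  value: string;                // trimmed input
  error?: string;               // feedback to show; undefined when acceptable
};

const EMAIL_PATTERN = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const PHONE_PATTERN = /^\+?[0-9]{6,15}$/;                // assumption: optional "+", 6 to 15 digits
const USERNAME_PATTERN = /^[A-Za-z_][A-Za-z0-9_]{2,}$/;  // assumption: letter/underscore first, 3+ chars

// `enabled` lists the sign-in identifiers the tenant has turned on.
function detectIdentifier(raw: string, enabled: IdentifierType[]): Detection {
  const value = raw.trim();
  if (value === '') {
    return { type: null, value, error: 'Enter your email, phone number or username' };
  }

  // Classification mirrors the release notes: an "@" means email, a run of
  // digits (optionally with a leading "+") means phone, anything else is a username.
  let type: IdentifierType;
  if (value.includes('@')) {
    type = 'email';
  } else if (/^\+?[0-9]+$/.test(value)) {
    type = 'phone';
  } else {
    type = 'username';
  }

  if (!enabled.includes(type)) {
    return { type, value, error: `Sign-in with ${type} is not enabled` };
  }

  const pattern = type === 'email' ? EMAIL_PATTERN : type === 'phone' ? PHONE_PATTERN : USERNAME_PATTERN;
  if (!pattern.test(value)) {
    return { type, value, error: `Invalid ${type}` };
  }
  return { type, value };
}
```

Classifying first and validating second is what lets the form give a type-specific message ("Invalid phone") instead of a generic one, and the `enabled` check keeps the UI from accepting an identifier the backend will reject.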
🎨 Customize CSS in Sign-in Experience
We have put a lot of effort into improving the user sign-in experience and have provided a brand color option for the UI. However, we know that fine-tuning UI requirements can be unpredictable. While Logto is still exploring the best options for customization, we want to provide a programmatic method to unblock your development.
You can now use the Management API PATCH /api/sign-in-exp with body { "customCss": "arbitrary string" } to set customized CSS for the sign-in experience. You should see the value of customCss attached after the <title> of the page. If your styles have higher priority, they will override the defaults.
For instance, if you want to give your sign-in page a feel of the Night City, try this CSS:
@font-face { font-family: 'Rock Salt'; font-style: normal; font-weight: 400; font-display: swap; src: url(https://fonts.gstatic.com/s/rocksalt/v18/MwQ0bhv11fWD6QsAVOZrt0M6p7NGrQ.woff2) format('woff2'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD; }
@font-face { font-family: 'Share Tech'; font-style: normal; font-weight: 400; font-display: swap; src: url(https://fonts.gstatic.com/s/sharetech/v17/7cHtv4Uyi5K0OeZ7bohU8H0JmBUhfrE.woff2) format('woff2'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD; }
#app * { font-family: 'Share Tech'; letter-spacing: 0.5px; }
#app > div[class$=viewBox] { background-image: url(https://silverhand.io/assets/v-in-nc.jpg); background-size: cover; }
#app main[class$=main] { background-image: url(https://silverhand.io/assets/gentle-universe.png); background-size: cover; opacity: 0.98; min-height: initial; padding: 24px; padding-bottom: 72px; border-radius: 12px; }
#app main[class$=main] img[class$=logo] { content: url(https://silverhand.io/assets/cyberpunk-2077.png); margin: -20px 0 -12px; height: 160px; }
#app main[class$=main] div[class$=headline] { visibility: hidden; height: 60px; }
#app main[class$=main] div[class$=headline]:before { content: 'Welcome to Night City'; visibility: visible; display: block; font-family: 'Rock Salt'; font-style: italic; line-height: 60px; font-size: 20px; color: rgba(245,250,255,0.6); padding: 0 20px; }
#app form div[class$=inputField] > div { outline: none; border: none; border-radius: 4px; }
#app form div[class$=inputField] > div > input, #app form div[class$=inputField] div[class$=countryCodeSelector] { background: initial; background-color: #453f67; font-family: 'Share Tech'; letter-spacing: 0.5px; font-size: 16px; font-weight: 600; }
#app button { font-weight: 600; font-size: 16px; border-radius: 4px; }
#app button[type=submit] { background: linear-gradient(270.84deg, #2FD6FB -24.55%, #6369FC 44.33%, #A741EB 119.2%), #5D34F2; }
"We have a city to burn!"
Note
Since Logto uses CSS Modules, you may see a hash value in the class property of DOM elements (e.g. a <div> with vUugRG_container). To override these, you can use the $= CSS selector to match elements whose class ends with a specified value. In this case, it should be div[class$=container].
🔗 Open standard connectors with better config interface
Logto now supports standard protocols (SAML, OIDC, and OAuth 2.0) for creating social connectors to integrate external identity providers. Each protocol can create multiple social connectors, giving you more control over your access needs.
Plus, we optimized the config interface for SAML connectors. Try it and let us know what you think!
📄 New language
Added Russian translation. (credit @evist0)
🎉 New Contributors
- @Alanimdeo made their first contribution in #3064
- @gadkins made their first contribution in #3032
- @evist0 made their first contribution in #3158
- @muratgozel made their first contribution in #3203
Thank you!
Full Changelog: v1.0.0-rc.1...v1.0.0-rc.3
v1.0.0-rc.2
Please see v1.0.0-rc.3.
v1.0.0-rc.1
Note
For the full release notes of the recent major release, please see v1.0.0-rc.0.
What's Changed
- fix(core): insert id when patch application #3052
- fix(ui): should handle requiredProfile error on bindSocialRelatedUser #3034
Full Changelog: v1.0.0-rc.0...v1.0.0-rc.1
v1.0.0-rc.0
v1.0.0-rc.0 (2023-02-02)
Note
Please welcome our first release candidate! Logto is just a few steps away from general availability.
💥 Breaking changes 💥
- core: remove GET /settings and PATCH /settings API
- core: add GET /configs/admin-console and PATCH /configs/admin-console API. /configs/* APIs are config/key-specific now; they may have different logic per key.
- core: officially remove all deprecated /session APIs
- core: use HTTP/2 to serve TLS (HTTPS) connections
- cli: change valid logto db config keys by removing alterationState and adding adminConsole since:
  - OIDC configs and admin console configs are tenant-level configs (the concept of "tenant" can be ignored until we officially announce it)
  - alteration state is still a system-wide config
- for admin access of Machine to Machine applications, it is now required to add scope all for client configs to fetch a proper Access Token; see 🚝 Interact with Management API for details
🔒 Role-Based Access Control
We are excited to introduce our latest addition to our product, Role-Based Access Control (RBAC). This powerful feature gives administrators the ability to assign specific roles and permissions to users, ensuring they only have access to the resources and functions they need to do their job.
With RBAC, administrators can:
- Define permissions across APIs
- Create custom roles with specific permissions
- Assign roles to users and manage their roles
- Easily manage and update permissions
- Securely validate permissions to protect APIs
Logto takes a major step forward in security and control with easy access management and authorization of sensitive info, ensuring only authorized users have the right to access. This aligns with our vision to provide an open-source identity solution with features for authentication and authorization, and packed with all the features you need.
Note
If you are using Logto SDKs, please upgrade to the latest version to take advantage of RBAC.
Check out our RBAC recipe for a step-by-step guide. Give it a try and let us know what you think!
🏄 Streamlined social sign-in flow
💡 Logto now detects a trusted email (or phone number) from the social account during social sign-in.
- If the email (or phone number) has been registered: Automatically connect the social identity to the existing user account with a single click.
- If the email (or phone number) is not registered: Automatically sync the user profile with the social-provided email (or phone number) if and only if it is marked as a required user profile.
🔢 Send and verify verification codes via Management API
The new Management APIs allow you to reuse connectors to dynamically send and verify verification codes for various purposes, such as validating identity before a user updates their profile or performs a dangerous action.
- Call /api/verification-code to send a verification code to a given email or phone
- Call /api/verification-code/verify to verify the code against a given email or phone
↩️ Rollback database alteration state
In case of any issues with the database, you can now use the logto db alteration rollback [target] command to roll back all database schemas to a previous version, for example logto db alteration rollback v1.0.0-beta.19.
v1.0.0-beta.19
v1.0.0-beta.19 (2023-01-06)
- Fixed an alteration scripts issue
For full release notes of the recent major release, please see v1.0.0-beta.18.
v1.0.0-beta.18
Logto New Year Release (v1.0.0-beta.18)
🙋 Hey folks!
For the first day of 2023, we shipped a few things for everybody:
- Web hooks, Advanced search API, New connectors
- Admin console enhancement, Refactored Interaction APIs and Audit logs
- New blog posts
Note
We are currently busy working on the general availability version which includes User profile, RBAC (Role-based access control), and much more!
💥 Breaking change 💥
If you want to perform the original fuzzy user search via Management API, adding % around the keyword is required. E.g.:
Original: GET /users?search=foo
Now: GET /users?search=%foo%
Migration
If you are upgrading from an older version of logto, make sure to go through our Database alteration tutorial.
Feature updates
🪝 Web hooks
With hooks, Logto can enable the next-level extensibility for you to interact with other services in an event-based manner. E.g., run some async jobs after a new user registers.
We support three events in this version: PostRegister, PostSignIn and PostResetPassword. Check out 🪝 Web hooks for the concept explained and detailed usage.
⚙️ Advanced search API
Management API is a programmatic way to communicate with Logto. We redesigned the user search API to make it powerful for advanced search requests.
Now you can designate one or multiple search fields as well as the match mode. For example, you can search users that:
- Name starts with “Alice”, case-sensitive; or
- Email includes “Alice”, case-insensitive.
Exact search is also supported, e.g., search users that name is exactly “John Wick”. See Advanced user search for details.
🔗 Connectors
Logto is built on open standards, and we believe they can eliminate enormous gaps in software development. From this version, Logto supports creating multiple connectors based on the same open standard: OAuth 2.0 or OpenID Connect. We call them “standard connectors”.
We are developing more standard connectors like SAML and LDAP. Feel free to let us know your needs!
Besides, we’d like to highlight our community contributors:
- @kentio contributed AWS SES connector
- @StringKe contributed Tencent SMS and Feishu (Lark) connector
Thank you!
Enhancement
💻 Admin Console enhancement to streamline the set up process
💡 We revisited the Logto admin console UI and gave it a fresh look! The goal is to make the admin console more intuitive and aesthetically pleasing, which in turn helps developers perform their tasks more efficiently.
The enhancements include:
- Responsive design improvement: we optimized the responsive design to ensure that the interface looks great on different screen sizes.
- Simplification of the layout: we have streamlined the layout of the interface, organizing the content in a more logical and intuitive way. This makes it easier for developers to navigate the interface and find what they are looking for.
- Fixed non-intuitive interaction behaviors: we changed the saving interaction to a section-level behavior, which avoids showing too many double-check alerts. We aim to provide a more secure developer experience when making configuration changes.
Please check it out and explore, and let us know how you feel! 😉
🧑🚀 Refactored Interaction APIs and Audit logs
Due to the increased flexibility and complexity of the Sign-in experience, and to provide even more auditable and structured logs for user interactions, we decided to refactor our Interaction APIs together with the logging mechanism. The original session APIs are deprecated from now on.
Note
This API change does not affect the end-user Sign-in experience.
Audit logs are now finely categorized by the new key definitions, and payloads are optimized for behavior tracing. Check out the “Audit logs” tab in Admin console to see the change.
Blog posts
- The design considerations for a seamless sign-in experience (Second Chapter) Learn more about our design thinking and decision making philosophies
- Migrate a 60k LOC TypeScript (NodeJS) repo to ESM and testing become 4x faster A practical series of our engineering efforts on module system migration
v1.0.0-beta.17
1.0.0-beta.17 (2022-12-13)
- Fix a bug to correctly show the "Forgot password" button during sign-in experience when only SMS connector is configured.
Update 2022-12-30
Now GitHub release also has built-in connectors available.
v1.0.0-beta.16
1.0.0-beta.16 (2022-11-30)
Note
This release is a hot-fix based on v1.0.0-beta.14.
Bug fix
Unblock the "Continue" flow for some end-users (fixes #2555)
Users could get stuck during sign-in when email or phone is the sign-up identifier (required), but they don't have one in Logto.
Connectors
If you enabled email or SMS connector, please add the "Continue" template to make sure "Forgot password" works.
Please upgrade connectors as well to get the latest connector template for "Continue" flow configuration. Or you can go to the connectors repo to read the latest README.
Feel free to jump into our Discord server if you meet any issues.