Please welcome our first release candidate! Logto is just a few steps away from general availability.
๐ฅ Breaking changes ๐ฅโ
- core: remove
GET /settings
andPATCH /settings
API - core: add
GET /configs/admin-console
andPATCH /configs/admin-console
API/configs/*
APIs are config/key-specific now. they may have different logic per key.
- core: officially remove all deprecated
/session
APIs - core: use HTTP/2 to serve TLS (HTTPS) connections
- cli: change valid
logto db config
keys by removingalterationState
and addingadminConsole
since:- OIDC configs and admin console configs are tenant-level configs (the concept of "tenant" can be ignored until we officially announce it)
- alteration state is still a system-wide config
- for admin access of machine-to-machine applications, now it's required to add scope
all
for client configs to fetch proper Access Token- see ๐ Interact with Management API for details
๐ Role-based access controlโ
We are excited to introduce our latest addition to our product, Role-based access control (RBAC). This powerful feature gives administrators the ability to assign specific roles and permissions to users, ensuring they only have access to the resources and functions they need to do their job.
With RBAC, administrators can:
- Define permissions across APIs
- Create custom roles with specific permissions
- Assign roles to users and manage their roles
- Easily manage and update permissions
- Securely validate permissions to protect APIs
Logto takes a major step forward in security and control with easy access management and authorization of sensitive info, ensuring only authorized users have the right to access. This aligns with our vision to provide an open-source identity solution with features for authentication and authorization, and packed with all the features you need.
If you are using Logto SDKs, please upgrade to the latest version to take advantage of RBAC.
Check out our RBAC recipe for a step-by-step guide. Give it a try and let us know what you think!
๐ Streamlined social sign-in flowโ
๐ก Logto now detects a trusted email (or phone number) from the social account during social sign-in.
- If the email (or phone number) has been registered: Automatically connect the social identity to the existing user account with a single click.
- If the email (or phone number) is not registered: Automatically sync the user profile with the social-provided email (or phone number) if and only if it is marked as a required user profile.
๐ข Send and verify verification codes via Management APIโ
The new Management APIs allow you to reuse connectors to dynamically send and verify verification codes for various purposes, such as validating identity before a user updates their profile or performs a dangerous action.
- Call
/api/verification-code
to send verification code to a given email or phone - Call
/api/verification-code/verify
to verify the code against a given email or phone
โฉ๏ธ Rollback database alteration stateโ
In case of any issues with the database, you can now use the logto db alteration rollback [target]
command to roll back all database schemas to a previous version, for example logto db alteration rollback v1.0.0-beta.19
.