-
32df9acde: update user consent page to support the new third-party application feature
- Only show the user consent page if current application is a third-party application, otherwise auto-consent the requested scopes.
- Add the new fetching API to get the user consent context. Including the application detail, authenticated user info, all the requested scopes and user organizations info (if requested scopes include the organization scope).
- Add the new user consent interaction API and authorize button. User have to manually authorize the requested scopes for the third-party application before continue the authentication flow.
-
31e60811d: use Node 20 LTS for engine requirement.
Note: We mark it as minor because Logto is shipping with Docker image and it's not a breaking change for users.
- 9089dbf84: upgrade TypeScript to 5.3.3
-
9a7b19e49: Implement the new single sign-on (SSO) interaction flow
/single-sign-on/email
- The SSO email form page for user to enter their email address./single-sign-on/connectors
- The SSO connectors page for user to select the enabled SSO connector they want to use.- Implement the email identifier guard on all the sign-in and registration identifier forms. If the email address is enabled with SSO, redirect user to the SSO flow.
- 9421375d7: Bump libphonenumber-js to v1.10.51 to support China 19 started phone numbers. Thanks to @agileago
-
6727f629d: feature: introduce multi-factor authentication
We're excited to announce that Logto now supports multi-factor authentication (MFA) for your sign-in experience. Navigate to the "Multi-factor auth" tab to configure how you want to secure your users' accounts.
In this release, we introduce the following MFA methods:
- Authenticator app OTP: users can add any authenticator app that supports the TOTP standard, such as Google Authenticator, Duo, etc.
- WebAuthn (Passkey): users can use the standard WebAuthn protocol to register a hardware security key, such as biometric keys, Yubikey, etc.
- Backup codes:users can generate a set of backup codes to use when they don't have access to other MFA methods.
For a smooth transition, we also support to configure the MFA policy to require MFA for sign-in experience, or to allow users to opt-in to MFA.
- 6f5a0acad: fix a bug that prevents user from customizing i18n translations in Sign-in Experience config
-
e8b0b1d02: feature: password policy
This feature enables custom password policy for users. Now it is possible to guard with the following rules when a user is creating a new password:
- Minimum length (default:
8
) - Minimum character types (default:
1
) - If the password has been pwned (default:
true
) - If the password is exactly the same as or made up of the restricted phrases:
- Repetitive or sequential characters (default:
true
) - User information (default:
true
) - Custom words (default:
[]
)
- Repetitive or sequential characters (default:
If you are an existing Logto Cloud user or upgrading from a previous version, to ensure a smooth experience, we'll keep the original policy as much as possible:
The original password policy requires a minimum length of 8 and at least 2 character types (letters, numbers, and symbols).
Note in the new policy implementation, it is not possible to combine lower and upper case letters into one character type. So the original password policy will be translated into the following:
- Minimum length:
8
- Minimum character types:
2
- Pwned:
false
- Repetitive or sequential characters:
false
- User information:
false
- Custom words:
[]
If you want to change the policy, you can do it:
- Logto Console -> Sign-in experience -> Password policy.
- Update
passwordPolicy
property in the sign-in experience via Management API.
- All new users will be affected by the new policy immediately.
- Existing users will not be affected by the new policy until they change their password.
- We removed password restrictions when adding or updating a user via Management API.
- Minimum length (default:
- f8408fa77: rename the package
phrases-ui
tophrases-experience
- f6723d5e2: rename the package
ui
toexperience
-
c743cef42: Bug fix main flow preview mode should not allow user interaction.
- Recover the missing preview classname from the preview mode body element
- 046a5771b: upgrade i18next series packages (#3733, #3743)
- 748878ce5: add React context and hook to app-insights, fix init issue for frontend projects
- 352807b16: support setting cloud role name for AppInsights in React
-
4945b0be2: Apply security headers
Apply security headers to logto http request response using (helmetjs)[https://helmetjs.github.io/].
- crossOriginOpenerPolicy
- crossOriginEmbedderPolicy
- crossOriginResourcePolicy
- hidePoweredBy
- hsts
- ieNoOpen
- noSniff
- referrerPolicy
- xssFilter
- Content-Security-Policy
-
1c9160112: ### Features
- Enhanced user search params #2639
- Web hooks
- Refactored Interaction APIs and Audit logs
-
343b1090f: 💥 BREAKING CHANGE 💥 Move
/api/phrase
API to/api/.well-known/phrases
-
343b1090f: ### Simplify the terms of use and privacy policy manual agreement steps for the sign-in flow
The Terms of Use and Privacy Policy manuel agreement are now removed from the sign-in flow.
- The changes may take effect on all the existing sign-in flows, including password sign-in, social sign-in, and verification-code sign-in.
- The agreement checkbox in sign-in pages is now replaced with links to the Terms of Use and Privacy Policy pages. Users can still read the agreements before signing in.
- The manual agreement steps are still mandatory for the sign-up flow. Users must agree to the Terms of Use and Privacy Policy before signing up a new account. Including sign-up with new social identities. The agreement checkbox in sign-up pages remain still.
-
f41fd3f05: Replace
passcode
naming convention in the interaction APIs and main flow ui withverificationCode
. -
343b1090f: ### Update the password policy
Password policy description: Password requires a minimum of 8 characters and contains a mix of letters, numbers, and symbols.
- min-length updates: Password requires a minimum of 8 characters
- allowed characters updates: Password contains a mix of letters, numbers, and symbols
- digits: 0-9
- letters: a-z, A-Z
- symbols: !"#$%&'()*+,./:;<=>?@[]^_`{|}~-
- At least two types of characters are required:
- letters and digits
- letters and symbols
- digits and symbols
notice: The new password policy is applied to new users or new passwords only. Existing users are not affected by this change, users may still use their old password to sign-in.
-
343b1090f: ### Add dynamic favicon and html title
-
Add the favicon field in the sign-in-experience branding settings. Users would be able to upload their own favicon. Use local logto icon as a fallback
-
Set different html title for different pages.
- sign-in
- register
- forgot-password
- logto
-
-
343b1090f: Allow admin tenant admin to create tenants without limitation
-
343b1090f: ## Add iframe modal for mobile platform
Implement a full screen iframe modal on the mobile platform. As for most of the webview containers, opening a new tab is not allowed. So we need to implement a full screen iframe modal to show the external link page on the mobile platform.
-
343b1090f: New feature: User account settings page
- We have removed the previous settings page and moved it to the account settings page. You can access to the new settings menu by clicking the user avatar in the top right corner.
- You can directly change the language or theme from the popover menu, and explore more account settings by clicking the "Profile" menu item.
- You can update your avatar, name and username in the profile page, and also changing your password.
- [Cloud] Cloud users can also link their email address and social accounts (Google and GitHub at first launch).
-
c12717412: ## Smart Identifier Input designed to streamline your sign-in experience
- Smart Contact Input
- Smart Identifier Input
- Intelligent Identifier Input Field
Content: We have integrated the traditional input fields for username, phone number, and email into a single intelligent input box. This advanced input box automatically identifies the type of characters you’re entering, such as an @ sign or consecutive numbers, and provides relevant error feedback. By streamlining the sign-in process, users no longer need to waste time figuring out which button to click to switch their desired login method. This reduces the risk of errors and ensures a smoother sign-in experience.
-
343b1090f: Implement a country code selector dropdown component with search box. Users may able to quick search for a country code by typing in the search box.
-
343b1090f: remove the branding style config and make the logo URL config optional
-
c12717412: Customize CSS for Sign-in Experience
We have put a lot of effort into improving the user sign-in experience and have provided a brand color option for the UI. However, we know that fine-tuning UI requirements can be unpredictable. While Logto is still exploring the best options for customization, we want to provide a programmatic method to unblock your development.
You can now use the Management API
PATCH /api/sign-in-exp
with body{ "customCss": "arbitrary string" }
to set customized CSS for the sign-in experience. You should see the value ofcustomCss
attached after<title>
of the page. If the style has a higher priority, it should be able to override.Note
Since Logto uses CSS Modules, you may see a hash value in the
class
property of DOM elements (e.g. a<div>
withvUugRG_container
). To override these, you can use the$=
CSS selector to match elements that end with a specified value. In this case, it should bediv[class$=container]
. -
343b1090f: Add custom CSS code editor so that users can apply advanced UI customization.
- Users can check the real time preview of the CSS via SIE preview on the right side.
-
2168936b9: Sign-in Experience v2
We are thrilled to announce the release of the newest version of the Sign-in Experience, which includes more ways to sign-in and sign-up, as well as a framework that is easier to understand and more flexible to configure in the Admin Console.
When compared to Sign-in Experience v1, this version’s capability was expanded so that it could support a greater variety of flexible use cases. For example, now users can sign up with email verification code and sign in with email and password.
We hope that this will be able to assist developers in delivering a successful sign-in flow, which will also be appreciated by the end users.
-
343b1090f: ### Add custom content sign-in-experience settings to allow insert custom static html content to the logto sign-in pages
- feat: combine with the custom css, give the user the ability to further customize the sign-in pages
-
fdb2bb48e: Streamlining the social sign-up flow
- detect trusted email (or phone number) from the social account
- email (or phone number) has been registered: automatically connecting the social identity to the existing user account with a single click
- email (or phone number) not registered: automatically sync up the user profile with the social provided email (or phone) if and only if marked as a required user profile.
- detect trusted email (or phone number) from the social account
-
f41fd3f05: Replace the
sms
naming convention usingphone
cross logto codebase. Including Sign-in Experience types, API paths, API payload and internal variable names.
-
51f527b0c: bug fixes
- core: fix 500 error when enabling app admin access in console
- ui: handle required profile errors on social binding flow
-
343b1090f: ## Implement a lite version of set password form.
To simplify the effort when user set new password, we implement a lite version of set password form.
The lite version of set password form only contains only one field password. It will be used if and only if the forgot-password feature is enabled (password can be reset either by email and phone).
If you do not have any email or sms service enabled, we still use the old version of set password form which contains two fields: password and confirm password.
-
38970fb88: Fix a Sign-in experience bug that may block some users to sign in.
-
02cc9abd8: Fix a bug to show forgot password when only SMS connector is configured
-
343b1090f: - Add Power By Logto Signature to the main-flow pages
-
c12717412: ## Smart Identifier Input designed to streamline your sign-in experience
- Smart Contact Input
- Smart Identifier Input
- Intelligent Identifier Input Field
Content: We have integrated the traditional input fields for username, phone number, and email into a single intelligent input box. This advanced input box automatically identifies the type of characters you’re entering, such as an @ sign or consecutive numbers, and provides relevant error feedback. By streamlining the sign-in process, users no longer need to waste time figuring out which button to click to switch their desired login method. This reduces the risk of errors and ensures a smoother sign-in experience.
-
c12717412: Customize CSS for Sign-in Experience
We have put a lot of effort into improving the user sign-in experience and have provided a brand color option for the UI. However, we know that fine-tuning UI requirements can be unpredictable. While Logto is still exploring the best options for customization, we want to provide a programmatic method to unblock your development.
You can now use the Management API
PATCH /api/sign-in-exp
with body{ "customCss": "arbitrary string" }
to set customized CSS for the sign-in experience. You should see the value ofcustomCss
attached after<title>
of the page. If the style has a higher priority, it should be able to override.Note
Since Logto uses CSS Modules, you may see a hash value in the
class
property of DOM elements (e.g. a<div>
withvUugRG_container
). To override these, you can use the$=
CSS selector to match elements that end with a specified value. In this case, it should bediv[class$=container]
.
-
51f527b0: bug fixes
- core: fix 500 error when enabling app admin access in console
- ui: handle required profile errors on social binding flow
-
f41fd3f0: Replace
passcode
naming convention in the interaction APIs and main flow ui withverificationCode
. -
fdb2bb48: Streamlining the social sign-up flow
- detect trusted email (or phone number) from the social account
- email (or phone number) has been registered: automatically connecting the social identity to the existing user account with a single click
- email (or phone number) not registered: automatically sync up the user profile with the social provided email (or phone) if and only if marked as a required user profile.
- detect trusted email (or phone number) from the social account
-
f41fd3f0: Replace the
sms
naming convention usingphone
cross logto codebase. Including Sign-in Experience types, API paths, API payload and internal variable names.
-
1c916011: ### Features
- Enhanced user search params #2639
- Web hooks
- Refactored Interaction APIs and Audit logs
- 02cc9abd: Fix a bug to show forgot password when only SMS connector is configured
- 38970fb8: Fix a Sign-in experience bug that may block some users to sign in.
-
2168936b: Sign-in Experience v2
We are thrilled to announce the release of the newest version of the Sign-in Experience, which includes more ways to sign-in and sign-up, as well as a framework that is easier to understand and more flexible to configure in the Admin Console.
When compared to Sign-in Experience v1, this version’s capability was expanded so that it could support a greater variety of flexible use cases. For example, now users can sign up with email verification code and sign in with email and password.
We hope that this will be able to assist developers in delivering a successful sign-in flow, which will also be appreciated by the end users.
All notable changes to this project will be documented in this file. See Conventional Commits for commit guidelines.
1.0.0-beta.12 (2022-10-19)
Note: Version bump only for package @logto/ui
1.0.0-beta.11 (2022-10-19)
- ui: add a11y support (#2076) (2249d71)
- ui: add reset password error handling flow (#2079) (afa2ac4)
- ui: global confirm modal (#2018) (f1ca49c)
- console: remove connector id and prevent text overflow (#2072) (05b5025)
- ui: fix ut (9ea6a8c)
- ui: revert color token changes in ui as it uses different design system (489e2b3)
1.0.0-beta.10 (2022-09-28)
- ui: add forget password flow (#1952) (ba787b4)
- ui: add forget password page (#1943) (39d80d9)
- ui: add passwordless switch (#1976) (ddb0e47)
- ui: add reset password form (#1964) (f97ec56)
- ui: add reset password page (#1961) (ff81b0f)
- bump react sdk and essentials toolkit to support CJK characters in idToken (2f92b43)
- ui: align mobile input outline (#1991) (c9ba198)
1.0.0-beta.9 (2022-09-07)
- add Portuguese translation (f268ecb)
- console,ui: fix locale guard issue in settings page (e200578)
1.0.0-beta.8 (2022-09-01)
Note: Version bump only for package @logto/ui
1.0.0-beta.6 (2022-08-30)
Note: Version bump only for package @logto/ui
1.0.0-beta.5 (2022-08-19)
Note: Version bump only for package @logto/ui
1.0.0-beta.4 (2022-08-11)
- build and types (8b51543)
- ui,console,demo-app: update react render method (#1750) (4b972f2)
- ui: add sandbox props to iframe (#1757) (62d2afe)
- ui: connector name should fallback to en (#1718) (3af5b1b)
- ui: extract ReactModal elementApp and fix act warning in ut (#1756) (0270bf1)
- ui: fix ui test (e4629f2)
1.0.0-beta.3 (2022-08-01)
1.0.0-beta.2 (2022-07-25)
- ui: fix some firefox standout bug (#1615) (4ce6bd8)
- ui: protect window.location xss (#1639) (34b465c)
- ui: should clear prev passcode input when click on backspace (#1660) (7dfbc30)
1.0.0-beta.1 (2022-07-19)
- ui: fix no-restrict-syntax in ui (#1559) (816ce9f)
- ui: format phone number with country calling code (#1551) (c6384be)
1.0.0-beta.0 (2022-07-14)
- ui,core: fix i18n issue (#1548) (6b58d8a)
- ui: fix multiple libphonmenumber packed bug (#1544) (e06f8d0)
1.0.0-alpha.4 (2022-07-08)
1.0.0-alpha.3 (2022-07-07)
1.0.0-alpha.2 (2022-07-07)
1.0.0-alpha.1 (2022-07-05)
Note: Version bump only for package @logto/ui
1.0.0-alpha.0 (2022-07-04)
Note: Version bump only for package @logto/ui
0.1.2-alpha.5 (2022-07-03)
Note: Version bump only for package @logto/ui
0.1.2-alpha.4 (2022-07-03)
Note: Version bump only for package @logto/ui
0.1.2-alpha.3 (2022-07-03)
Note: Version bump only for package @logto/ui
0.1.2-alpha.2 (2022-07-02)
Note: Version bump only for package @logto/ui
0.1.2-alpha.1 (2022-07-02)
Note: Version bump only for package @logto/ui
0.1.2-alpha.0 (2022-07-02)
Note: Version bump only for package @logto/ui
0.1.1-alpha.0 (2022-07-01)
- connector: apple (#966) (7400ed8)
- console,ui: generate dark mode color in console (#1231) (f72b21d)
- console: add 404 page in admin console (0d047fb)
- console: add mobile web tab in preview (#1214) (9b6fd4c)
- console: sie form reorg (#1218) (2c41334)
- core,connectors: update Aliyun logo and add logo_dark to Apple, Github (#1194) (98f8083)
- core,console: social connector targets (#851) (127664a)
- core: add sign-in-mode (#1132) (f640dad)
- core: add socialConnectors details for get sign-in-settings (#804) (7a922cb)
- core: update connector db schema (#732) (8e1533a)
- demo-app: show notification in main flow (#1038) (90ca76e)
- ui: add bind social account flow (#671) (5e251bd)
- ui: add darkmode logo (#880) (9fa13a2)
- ui: add global primary color settings (#871) (0f2827c)
- ui: add mobile terms of use iframe modal (#947) (4abcda6)
- ui: add native sdk guard logic (#1096) (147775a)
- ui: add Notification component (#994) (8530e24)
- ui: add social dropdown list for desktop (#834) (36922b3)
- ui: app notification (#999) (f4e380f)
- ui: display error message on social callback page (#1097) (f3b8678)
- ui: implement preview mode (#852) (ef19fb3)
- ui: init destop styling foundation (#787) (5c02ec3)
- ui: not found page (#691) (731ff1c)
lint:report
script (#730) (3b17324)- console: socialConnectors in preview data (#862) (a2cd983)
- revert "chore(deps): update parcel monorepo to v2.6.0" (877bbc0)
- ui: add body background color (#831) (be8b862)
- ui: add default success true for no response api (#842) (88600c0)
- ui: add i18n formater for zh-CN list (#1009) (ca5c8aa)
- ui: catch request exceptions with no response body (#790) (48de9c0)
- ui: fix callback link params for apple (#985) (362c3a6)
- ui: fix ci fail (#708) (da49812)
- UI: fix connector target and id used in UI (#838) (cd46505)
- ui: fix count down bug (#874) (9c1e9ef)
- ui: fix create account page reload issue (#832) (e221758)
- ui: fix drawer overflow bug (#984) (b9131e9)
- ui: fix social bug (#939) (7a17d41)
- ui: fix social native interaction bug (#772) (2161856)
- ui: fix some of the bug bash issues (#1053) (db1b6d2)
- ui: fix typo (#792) (13cd2c1)
- ui: fix ui i18n package error (#713) (34d798b)
- ui: fix undefined dark-primary-color bug (#876) (542d878)
- ui: hide social signin method if connectors are empty (#909) (5e0c39e)
- ui: input fields (#1125) (20f7ad9)
- ui: relocate svg jest config (#856) (d8c62c1)
- ui: social bind account should back to sign-in page (#952) (da41369)
- ui: ui design review fix (#697) (15dd1a7)
- ui: ui refinement (#855) (1661c81)
- ut: fix ut (#683) (b0138bd)