-
Notifications
You must be signed in to change notification settings - Fork 1.8k
chore(docs): update of OEL images #2670
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| No changelog entries found for keto/oel in versions v26.3.3 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| ## v26.3.3 | ||
|
|
||
| ### Kratos gains a FIPS 140-3 build with a PBKDF2 password hasher | ||
|
|
||
| Ory Enterprise License releases now include a dedicated FIPS build of Kratos (`kratos_oel_fips_<version>_<os>_<arch>`) next to the | ||
| standard build. The FIPS build uses the Go Cryptographic Module and starts with `GODEBUG=fips140=on` by default, so all | ||
| cryptographic operations run through the FIPS 140-3 validated module. The standard build is unchanged. | ||
|
|
||
| #### PBKDF2 password hasher | ||
|
|
||
| You can now choose `pbkdf2` as the password hashing algorithm alongside `argon2` and `bcrypt`. PBKDF2-HMAC-SHA256 is FIPS 140-3 | ||
| approved, which makes it the recommended choice for FIPS-compliant deployments. Configure it under `hashers`: | ||
|
|
||
| ```yaml | ||
| hashers: | ||
| algorithm: pbkdf2 | ||
| pbkdf2: | ||
| iterations: 600000 | ||
| salt_length: 16 | ||
| key_length: 32 | ||
| ``` | ||
|
|
||
| The defaults are 600,000 iterations, a 16-byte salt, and a 32-byte derived key. | ||
|
|
||
| #### Existing password hashes keep working | ||
|
|
||
| Passwords hashed with a different algorithm still verify as before. When an identity signs in with such a password, Kratos | ||
| re-hashes it with the configured algorithm on the next successful login, just as it already does when you switch between argon2 | ||
| and bcrypt. No migration or password reset is needed. | ||
|
|
||
| #### FIPS mode log signals | ||
|
|
||
| When the FIPS build runs, Kratos tells you where your configuration deviates from a FIPS-compliant setup: | ||
|
|
||
| - On startup, Kratos logs that FIPS 140-3 mode is active. | ||
| - On startup, Kratos warns when the configured password hasher or cipher is not FIPS 140-3 approved (any hasher other than | ||
| `pbkdf2`, or any cipher other than `aes`, including the default `noop`). | ||
| - When signing a session JSON Web Token through the JWT webhook, Kratos warns if the signing algorithm is not FIPS 140-3 approved | ||
| (once per algorithm). Configure a JSON Web Key with an approved algorithm (`RS*`, `PS*`, `ES*`, `HS*`, or `EdDSA`) for a fully | ||
| FIPS-compliant deployment. | ||
|
|
||
| These warnings do not block any operation. | ||
|
|
||
| ### One-time-code and verification messages can be branded per OAuth2 client | ||
|
|
||
| The `login_code_valid`, `registration_code_valid`, and `verification_code_valid` courier templates (email and SMS), as well as the | ||
| link method's `verification_valid` email template, now include a scoped `oauth2_login_request` object when the flow was started | ||
| through an OAuth2 login challenge. Verification flows inherit the challenge from the OAuth2-initiated registration or login that | ||
| triggered them. The object contains the challenge and the initiating client's `client_id`, `client_name`, `client_uri`, | ||
| `logo_uri`, and `metadata`. Custom HTTP mail servers can brand these messages per OAuth2 client from | ||
| `template_data.oauth2_login_request.client` — a trusted, server-sourced value — without relying on the end-user-controlled | ||
| `transient_payload` or resolving the login challenge with an unscoped API token. Flows without a login challenge are unchanged. | ||
|
|
||
| ### Stricter validation of iOS device attestations at enrollment | ||
|
|
||
| When you enroll an iOS device key, Kratos now inspects the authenticator data of the Apple App Attest attestation and rejects keys | ||
| that fail any of these checks: | ||
|
|
||
| - The attestation environment (AAGUID) must be the production environment. Development keys, which can be produced on jailbroken | ||
| devices, are accepted only when relaxed attestation is enabled, and such keys remain short-lived. | ||
| - The signature counter must be zero, confirming the key was just created and has never been used. | ||
| - The credential ID embedded in the attestation must match the key identifier the client submits. | ||
|
|
||
| These checks harden the enrollment flow against forged or reused attestations. Compliant iOS clients are unaffected. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| No changelog entries found for oathkeeper/oel in versions v26.3.3 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| No changelog entries found for hydra/oel in versions v26.3.3 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| No changelog entries found for polis/oel in versions v26.3.3 |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.