Merge branch 'master'

Author: christiannwamba

docs/hydra/guides/oauth2-webhooks.mdx

@@ -141,6 +141,8 @@ To accept the token exchange without modification, return a `204` or `200` HTTP
 
 To deny the token exchange, reply with a `403` HTTP status code.
 
+To keep the claims as is, return an empty body with a 204 status code.
+
 To modify the claims of the issued tokens and instruct Hydra to proceed with the token exchange, return `200` with a JSON response
 body:
 

docs/kratos/emails-sms/05_custom-email-templates.mdx

@@ -112,7 +112,7 @@ automatically uses the built-in template.
 
 :::info
 
-The recovery & verification templates only show the versions for the method (**One time code** or **link**) you have selected in
+The recovery & verification templates only show the versions for the method (**one-time code** or **link**) you have selected in
 the flow configuration.
 
 - <ConsoleLink route="project.recovery" />

docs/kratos/manage-identities/25_import-user-accounts-identities.mdx

@@ -594,7 +594,10 @@ The following steps are necessary to set up password migration using a web hook:
     After a successful response, the identity will be updated with the hashed password and the user will be logged in. The
     password migration hook will not be called again for this identity.
 
-    Any other response will be treated as an invalid password, and the user will be notified that the password is incorrect.
+    If the password does not match, the webhook should return `403 Forbidden`, to indicate to the user that the password did not
+    match.
+
+    Any other response will be treated as an unexpected error, and the user will not be logged in.
 
 ### Social sign-in connections
 

docs/kratos/mfa/30_sms.mdx

@@ -10,7 +10,7 @@ import TabItem from '@theme/TabItem';
 import BrowserWindow from "@site/src/theme/BrowserWindow"
 ```
 
-SMS and email can be used to deliver one time codes to users. Ory will deliver a 6-digit code to an SMS / email gateway of your
+SMS and email can be used to deliver one-time codes to users. Ory will deliver a 6-digit code to an SMS / email gateway of your
 choice, such as Twilio, Amazon SNS, SMTP, or your own application. These codes are valid for a short amount of time, usually 15
 minutes or less. Once the user completes the challenge, by entering the code, the AAL of the session is upgraded to AAL2.
 
@@ -30,6 +30,15 @@ To enable MFA via SMS, you need to configure an SMS channel in the Ory configura
 
 ```mdx-code-block
 <Tabs groupId="console-or-cli">
+<TabItem value="console" label="Ory Console" default>
+```
+
+1. Go to <ConsoleLink route="project.mfa" />.
+2. Toggle **Enable one-time code multi factor authentication**.
+3. Click **Save**.
+
+```mdx-code-block
+  </TabItem>
 <TabItem value="cli" label="Ory CLI" default>
 ```
 

docs/kratos/organizations/organizations.mdx

@@ -245,6 +245,14 @@ organization.
 </Tabs>
 ```
 
+## Pre-provisioning identities in an organization
+
+After creating an organization, you can pre-provision identities in it. This is useful when you need to create related data in
+your system but need the identity to be created in Ory Network first, before the user logs in for the first time.
+
+To achieve this, set the `organization_id` property to the ID of the created organization in the identity, either when creating
+the identity, or by updating the identity's data using the Ory APIs.
+
 ## SAML
 
 SAML (Security Assertion Markup Language) is an XML-based open standard used for exchanging authentication and authorization data

docs/reference/api.json

@@ -2231,40 +2231,68 @@
       },
       "accountExperienceConfiguration": {
         "properties": {
-          "account_experience_theme_stylesheet": {
+          "default_redirect_url": {
             "type": "string"
           },
-          "favicon_type": {
+          "error_ui_url": {
             "type": "string"
           },
-          "favicon_url": {
+          "favicon_dark_url": {
             "type": "string"
           },
-          "kratos_selfservice_default_browser_return_url": {
+          "favicon_light_url": {
             "type": "string"
           },
-          "kratos_selfservice_flows_recovery_enabled": {
-            "type": "boolean"
+          "login_ui_url": {
+            "type": "string"
           },
-          "kratos_selfservice_flows_registration_enabled": {
+          "logo_dark_url": {
+            "type": "string"
+          },
+          "logo_light_url": {
+            "type": "string"
+          },
+          "name": {
+            "type": "string"
+          },
+          "recovery_enabled": {
             "type": "boolean"
           },
-          "kratos_selfservice_flows_verification_enabled": {
+          "recovery_ui_url": {
+            "type": "string"
+          },
+          "registration_enabled": {
             "type": "boolean"
           },
-          "logo_url": {
+          "registration_ui_url": {
             "type": "string"
           },
-          "name": {
+          "settings_ui_url": {
             "type": "string"
           },
-          "organization_map": {
-            "additionalProperties": {
-              "type": "string"
-            },
-            "type": "object"
+          "stylesheet": {
+            "type": "string"
+          },
+          "verification_enabled": {
+            "type": "boolean"
+          },
+          "verification_ui_url": {
+            "type": "string"
           }
         },
+        "required": [
+          "name",
+          "registration_enabled",
+          "verification_enabled",
+          "recovery_enabled",
+          "recovery_ui_url",
+          "registration_ui_url",
+          "verification_ui_url",
+          "login_ui_url",
+          "settings_ui_url",
+          "error_ui_url",
+          "default_redirect_url"
+        ],
         "type": "object"
       },
       "accountExperienceThemeVariables": {
@@ -2946,6 +2974,9 @@
           "metadata_public": {
             "description": "Store metadata about the identity which the identity itself can see when calling for example the\nsession endpoint. Do not store sensitive information (e.g. credit score) about the identity in this field."
           },
+          "organization_id": {
+            "$ref": "#/components/schemas/NullUUID"
+          },
           "recovery_addresses": {
             "description": "RecoveryAddresses contains all the addresses that can be used to recover an identity.\n\nUse this structure to import recovery addresses for an identity. Please keep in mind\nthat the address needs to be represented in the Identity Schema or this field will be overwritten\non the next identity update.",
             "items": {
@@ -6155,6 +6186,9 @@
             "readOnly": true,
             "type": "string"
           },
+          "fedcm_config_url": {
+            "$ref": "#/components/schemas/String"
+          },
           "id": {
             "format": "uuid",
             "type": "string"
@@ -6172,6 +6206,9 @@
             "description": "Mapper specifies the JSONNet code snippet which uses the OpenID Connect Provider's data (e.g. GitHub or Google\nprofile information) to hydrate the identity's data.",
             "type": "string"
           },
+          "net_id_token_origin_header": {
+            "$ref": "#/components/schemas/String"
+          },
           "organization_id": {
             "$ref": "#/components/schemas/NullUUID"
           },

docs/self-hosted/oel/eol-image-tags.md

@@ -40,3 +40,5 @@
 | e879d83cd5cc0cba4a0ec3399ef32f252c220b0e | 2025-01-30   |
 | 35ba5a70b32d69c3b623f312f985f69a54f71029 | 2025-01-31   |
 | 29c1dd6b0b5d0b991019e2730f4efd4fce86fa48 | 2025-02-04   |
+| e17b2ea61cc69e70f252e384d5ccbac83e504ced | 2025-02-12   |
+| 569c06b47e9ccd9548afa71d22e7ba4e3b1d5b01 | 2025-02-14   |

docs/self-hosted/oel/oauth2/postgresql-ttl-migrations.mdx

@@ -0,0 +1,80 @@
+---
+id: migrate-postgresql-ttl
+title: PostgreSQL TTL jobs for Hydra OEL
+---
+
+# PostgreSQL TTL jobs for Ory Hydra
+
+This guide outlines the steps to enable and configure the PostgreSQL TTL jobs for Ory Hydra. The TTL jobs are executed
+periodically to remove expired data from the PostgreSQL database. They are essential for maintaining database performance and
+preventing uncontrolled growth.
+
+This feature is available in Ory Hydra Enterprise License (OEL) and it requires the PostgreSQL database with the `pg_cron`
+extension installed.
+
+By default, Postgresql TTL jobs are disabled. They can be installed by enabling an additional migration job, similar to the
+default migration job that introduces schema changes. This additional job populates the database with the necessary cron job
+definitions containing delete statements for expired data. The cron jobs are executed by the `pg_cron` extension at 00:00 UTC.
+
+## Prerequisites
+
+Before starting the upgrade process, ensure that you meet the following requirements:
+
+1. **Ory Hydra Version**: Your current Ory Hydra OEL installation must be version `e17b2ea61cc69e70f252e384d5ccbac83e504ced` or
+   newer.
+2. **PostgreSQL Database**: The PostgreSQL database must be installed and configured with the `pg_cron` extension.
+3. **Backup and Testing**: Create a backup of your current Ory Hydra database and test the migration on a test environment to
+   ensure compatibility and minimize risks.
+
+## Installation process
+
+If you are using the official [Hydra helm chart](https://github.com/ory/k8s/tree/master/helm/charts/hydra) modify your values.yaml
+file to include the following configuration:
+
+```yaml
+hydra:
+  customMigrations:
+    jobs:
+      oel-postgresql-ttl:
+        enabled: true
+```
+
+This change enables the additional migration job that introduces the TTL jobs to the PostgreSQL database. By default, it executes
+the `hydra` binary with following arguments:
+
+```
+migrate postgresql-addons up --hydra-db-name ory_hydra --pgcron-db-name postgres
+```
+
+If you use a different database name, you can override it by setting the `--hydra-db-name` and `--pgcron-db-name` flags in the
+`values.yaml` file:
+
+```yaml
+hydra:
+  customMigrations:
+    jobs:
+      oel-postgresql-ttl:
+        enabled: true
+        customArgs:
+          [
+            "migrate",
+            "postgresql-addons",
+            "up",
+            "--hydra-db-name",
+            "<your hydra database>",
+            "--pgcron-db-name",
+            "<database where pg_cron is installed>",
+          ]
+```
+
+## Possible issues
+
+### pg_cron extension not installed
+
+If the `pg_cron` extension is not installed in the PostgreSQL database, the migration job will fail with the following error:
+
+```
+ERROR: schema "cron" does not exist (SQLSTATE 3F000)
+```
+
+To resolve this issue, install the `pg_cron` extension and enable it in the postgres database.

src/sidebar.ts

@@ -852,6 +852,7 @@ const selfhostingSidebar = [
         items: [
           "self-hosted/oel/oauth2/token-prefix",
           "self-hosted/oel/oauth2/upgrade",
+          "self-hosted/oel/oauth2/migrate-postgresql-ttl",
           "self-hosted/oel/oauth2/changelog",
         ],
       },

src/theme/Mermaid.js

@@ -48,15 +48,16 @@ const Mermaid = ({ chart }) => {
 
   useEffect(() => {
     // https://mermaid.js.org/config/theming.html#diagram-specific-themes
-    mermaid.render(
-      id,
-      `%%{init: {'theme':'${
-        colorMode === "light" ? "neutral" : "dark"
-      }'}}%%\n${chart}`,
-      (svg) => {
+    mermaid
+      .render(
+        id,
+        `%%{init: {'theme':'${
+          colorMode === "light" ? "neutral" : "dark"
+        }'}}%%\n${chart}`,
+      )
+      .then(({ svg }) => {
         setSvg(svg)
-      },
-    )
+      })
   }, [])
 
   return (