Our [public roadmap](https://logto.productlane.com/roadmap) has come back. Upvote the features you need and feel free to leave comments! ## Compliance We are SOC 2 Type I compliant, officially! 🎉 A Type II audit is on the horizon. ![SOC 2 Type I](https://uploads.strapi.logto.io/1/soc_2_fdc1807681.png) ## Just-in-Time provisioning for organizations This feature allows users to automatically join the organization and be assigned roles upon their first sign-in through some authentication methods. You can set requirements to meet for Just-in-Time provisioning. To use this feature, head to the organization settings and find the "Just-in-Time provisioning" section. Management APIs are also available to configure this feature via routes under `/api/organizations/{id}/jit`. To learn more, see [Just-in-Time provisioning](https://docs.logto.io/docs/recipes/organizations/just-in-time-provisioning/). ![Organization JIT provisioning](https://uploads.strapi.logto.io/1/organization_jit_d5fc2549b8.webp) ### Email domains New users will automatically join organizations with Just-in-Time provisioning if they: - Sign up with verified email addresses, or; - Use social sign-in with verified email addresses. This applies to organizations that have the same email domain configured.

Click to expand

To enable this feature, you can add email domain via the Management API or the Logto Console: - We added the following new endpoints to the Management API: - `GET /organizations/{organizationId}/jit/email-domains` - `POST /organizations/{organizationId}/jit/email-domains` - `PUT /organizations/{organizationId}/jit/email-domains` - `DELETE /organizations/{organizationId}/jit/email-domains/{emailDomain}` - In the Logto Console, you can manage email domains in the organization details page -> "Just-in-Time provisioning" section.

### SSO connectors New or existing users signing in through enterprise SSO for the first time will automatically join organizations that have Just-in-Time provisioning configured for the SSO connector.

Click to expand

To enable this feature, you can add SSO connectors via the Management API or the Logto Console: - We added the following new endpoints to the Management API: - `GET /organizations/{organizationId}/jit/sso-connectors` - `POST /organizations/{organizationId}/jit/sso-connectors` - `PUT /organizations/{organizationId}/jit/sso-connectors` - `DELETE /organizations/{organizationId}/jit/sso-connectors/{ssoConnectorId}` - In the Logto Console, you can manage SSO connectors in the organization details page -> "Just-in-Time provisioning" section.

### Default organization roles You can also configure the default roles for users provisioned via this feature. The default roles will be assigned to the user when they are provisioned.

Click to expand

To enable this feature, you can set the default roles via the Management API or the Logto Console: - We added the following new endpoints to the Management API: - `GET /organizations/{organizationId}/jit/roles` - `POST /organizations/{organizationId}/jit/roles` - `PUT /organizations/{organizationId}/jit/roles` - `DELETE /organizations/{organizationId}/jit/roles/{organizationRoleId}` - In the Logto Console, you can manage default roles in the organization details page -> "Just-in-Time provisioning" section.

## Machine-to-machine apps for organizations This feature allows machine-to-machine apps to be associated with organizations, and be assigned with organization roles. **OpenID Connect grant** The `client_credentials` grant type is now supported for organizations. You can use this grant type to obtain an access token for an organization.

Click to expand Console updates

- Add a new "machine-to-machine" type to organization roles. All existing roles are now "user" type. - You can manage machine-to-machine apps in the organization details page -> Machine-to-machine apps section. - You can view the associated organizations in the machine-to-machine app details page.

Click to expand Management API updates

A set of new endpoints are added to the Management API: - `/api/organizations/{id}/applications` to manage machine-to-machine apps. - `/api/organizations/{id}/applications/{applicationId}` to manage a specific machine-to-machine app in an organization. - `/api/applications/{id}/organizations` to view the associated organizations of a machine-to-machine app.

## Swagger (OpenAPI) improvements Shout out to [@mostafa](https://github.com/mostafa) for bringing these amazing improvements to Logto! **Build `operationId` for Management API in OpenAPI response** As per [the specification](https://swagger.io/docs/specification/paths-and-operations/): > `operationId` is an optional unique string used to identify an operation. If provided, these IDs must be unique among all operations described in your API. This greatly simplifies the creation of client SDKs in different languages, because it generates more meaningful function names instead of auto-generated ones, like the following examples: ```diff - org, _, err := s.Client.OrganizationsAPI.ApiOrganizationsIdGet(ctx, req.GetId()).Execute() + org, _, err := s.Client.OrganizationsAPI.GetOrganization(ctx, req.GetId()).Execute() ``` ```diff - users, _, err := s.Client.OrganizationsAPI.ApiOrganizationsIdUsersGet(ctx, req.GetId()).Execute() + users, _, err := s.Client.OrganizationsAPI.ListOrganizationUsers(ctx, req.GetId()).Execute() ``` **Fixed OpenAPI schema returned by the `GET /api/swagger.json` endpoint** - The `:` character is invalid in parameter names, such as `organizationId:root`. These characters have been replaced with `-`. - The `tenantId` parameter of the `/api/.well-known/endpoints/{tenantId}` route was missing from the generated OpenAPI spec document, resulting in validation errors. This has been fixed. ## Backchannel logout support We've enabled the support of [OpenID Connect Back-Channel Logout 1.0](https://openid.net/specs/openid-connect-backchannel-1_0.html). To register for backchannel logout, navigate to the application details page in the Logto Console and locate the "Backchannel logout" section. Enter the backchannel logout URL of your RP and click "Save". You can also enable session requirements for backchannel logout. When enabled, Logto will include the `sid` claim in the logout token. For programmatic registration, you can set the `backchannelLogoutUri` and `backchannelLogoutSessionRequired` properties in the application `oidcClientMetadata` object. ## Sign-in experience ### Support Google One Tap When you added Google as a social connector, you can now enable Google One Tap to provide a smoother sign-in experience for your users with Google accounts. Head to the Google connector settings in the Logto Console and switch on the "Google One Tap" option. ![Google One Tap](https://uploads.strapi.logto.io/1/google_one_tap_abed7522c4.webp) To learn more about Google One Tap, see [Enable Google One Tap](https://docs.logto.io/docs/recipes/configure-connectors/social-connector/enable-google-one-tap/). ### Allow skipping manual account linking during sign-in You can find this configuration in Console -> Sign-in experience -> Sign-up and sign-in -> Social sign-in -> Automatic account linking. When switched on, if a user signs in with a social identity that is new to the system, and there is exactly one existing account with the same identifier (e.g., email), Logto will automatically link the account with the social identity instead of prompting the user for account linking. ### Agree to terms polices for sign-in experience We've added a new configuration to allow you to set the terms of service agreement policy for sign-in experience: - **Automatic**: Users automatically agree to terms by continuing to use the service. - **ManualRegistrationOnly**: Users must agree to terms by checking a box during registration, and don't need to agree when signing in. - **Manual**: Users must agree to terms by checking a box during registration or signing in. ## Console improvements - Added Ruby and Chrome extension guide. - Display OIDC issuer endpoint in the application details form. - Application guides have been reorganized to provide a better developer experience. - Now you can view and update user's `profile` property in the user settings page. - Improved machine-to-machine application integration user experience. - Fixed a regression bug that error toasts pop up in audit log when logs are associated with deleted applications. ## Other improvements - Added `hasPassword` to custom JWT user context. - Connector: Google and Azure AD connectors now support custom `prompt`. - Support per-organization multi-factor authentication requirement: - An organization can now require its member to have multi-factor authentication (MFA) configured. If an organization has this requirement and a member does not have MFA configured, the member will not be able to fetch the organization access token. - A dev panel is available after you sign in to the live preview. - Pagination is now optional for `GET /api/organizations/{id}/users/{userId}/roles`. If you don't provide `page` and `limit` query parameters, the API will return all roles. - Added user detail data payload to the `User.Deleted` webhook event.