Logto product updates
It's time for a new Logto release! This month, we're introducing the new Account API for direct user management, Microsoft EntraID SSO connector enhancements and improved sign-in experience features.
Account API
Introducing the new Account API, designed to give end users direct API access without needing to go through the Management API:
- Direct access: The Account API lets end users access and manage their own account profile directly, without having to go through the Management API
- User profile and identities management: Users can fully manage their profiles and security settings, including the ability to update identity information like email, phone, and password, as well as manage social connections (MFA and SSO support coming soon)
- Global access control: Admins have full, global control over access settings and can customize access for each field
- Seamless authorization: Simply call client.getAccessToken() to obtain an opaque access token for the OP (Logto), and attach it to the Authorization header
Check out the Account API documentation for more details.
Microsoft EntraID SSO connector enhancements
Added a trustUnverifiedEmail setting for the Microsoft EntraID OIDC SSO connector.
This addresses an issue where email addresses couldn't be populated into Logto's user profile during EntraID SSO sign-up. Since Microsoft's organization-managed email addresses don't include the email_verified claim, this new setting allows trusting these email addresses even without explicit verification.
You can configure this setting in the EntraID OIDC SSO connector settings page in the Logto console or through the management API.
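To make the effect of such a setting concrete, here is an added illustration (not Logto's own code) of the decision a connector makes when mapping an IdP's ID token claims to a user profile; the function name, option name and sample claims are assumptions for this example.

```javascript
// Added illustration of how a trustUnverifiedEmail-style setting gates
// which email claim is written to a user profile. Not Logto's code; the
// function and option names are assumed for this example.

/**
 * Decide whether the email carried in an OIDC ID token may be stored on
 * the user's profile.
 * @param {object} claims - ID token claims from the IdP (e.g. EntraID).
 * @param {{ trustUnverifiedEmail?: boolean }} options - connector setting
 *   (defaults to false in this example).
 * @returns {{ email: string|null, reason: string }}
 */
function resolveProfileEmail(claims, { trustUnverifiedEmail = false } = {}) {
  const email = typeof claims.email === 'string' ? claims.email.trim() : '';
  if (!email) {
    return { email: null, reason: 'no email claim' };
  }
  // Explicit verification by the IdP: always acceptable.
  if (claims.email_verified === true) {
    return { email, reason: 'email_verified claim is true' };
  }
  // No email_verified claim at all (the organization-managed EntraID
  // account case described above): accept only when the admin opted in.
  if (claims.email_verified === undefined) {
    return trustUnverifiedEmail
      ? { email, reason: 'email_verified absent; trusted by connector setting' }
      : { email: null, reason: 'email_verified absent; setting disabled' };
  }
  // The IdP explicitly says the address is NOT verified. This example treats
  // it like the absent case; an implementation may choose to be stricter.
  return trustUnverifiedEmail
    ? { email, reason: 'email_verified false; trusted by connector setting' }
    : { email: null, reason: 'email_verified false; setting disabled' };
}

// Constructed sample claims, shaped like an organization-managed EntraID
// account: an email claim but no email_verified claim.
const sampleEntraClaims = {
  sub: 'constructed-subject-id',
  email: 'alice@example.com',
  name: 'Alice Example',
};
```

With the setting disabled the sample claims yield no profile email (the pre-fix behaviour); with it enabled the address is stored, so enable it only for tenants whose IdP actually owns the mailbox domain.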
Sign-in experience improvements
Support contact information
Error pages can now display a support email address and website.
When users encounter issues (like 404 errors or social callback failures), they can now easily find ways to contact support for assistance.
You may configure the support email and website info in the Sign-in experience > Content > Support settings in the Logto Console or through the management API.
Unknown session handling
Introduced unknown session redirect URL configuration.
This helps users who land on sign-in pages with expired sessions or through bookmarked URLs - instead of seeing a 404 error, they can be automatically redirected to a specified URL to restart their authentication process.
You may configure the unknown session redirect URL in the Sign-in experience > Sign-up and sign-in > Advanced options settings in the Logto Console or through the management API.