Logto product updates
It's time for a new Logto release! This update brings customizable MFA prompt policies, relaxed redirect URI restrictions for better real-world application support, and new social and SMS connectors contributed by our community.
Customizable MFA prompt policy
We're excited to introduce customizable MFA prompt policies in the Console. This new feature offers two main configuration options:
For Require MFA:
- When enabled, users must set up MFA during sign-in with no option to skip. Users who fail to set up MFA or delete their settings will be locked out until MFA is configured.
- When disabled, users can skip the MFA setup during sign-up or sign-in
With Require MFA disabled, you can further customize the MFA setup prompt:
- No MFA setup prompts
- One-time, skippable prompt during registration (matching the previous UserControlled policy)
- One-time, skippable prompt during the first sign-in after registration
Relaxed Redirect URI restrictions
While we've always followed OAuth 2.0 and OIDC best practices, we understand the real-world challenges with third-party services and operating systems like Windows. We've now relaxed our redirect URI restrictions to support:
- Combined native and HTTP(S) redirect URIs (e.g., https://example.com/ for native apps)
- Native schemes without periods (e.g., myapp://callback)
The Logto Console will display clear warnings when these URIs are used. This update maintains backward compatibility with existing applications.
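To review which of a native application's registered redirect URIs fall into these relaxed categories, a small audit helper can classify them. This is an added example, not Logto's own code: the function names, the kind labels, the warning texts and the sample URIs other than the two shown above are assumptions made for illustration.

```javascript
// Added example, not Logto code. Kinds and warning texts are this example's own.
const LOOPBACK_HOSTS = new Set(['127.0.0.1', '[::1]', 'localhost']);

// Classify one redirect URI registered for a native application.
function classifyRedirectUri(uri) {
  let url;
  try {
    url = new URL(uri);
  } catch {
    return { uri, kind: 'invalid', warnings: ['not a parseable absolute URI'] };
  }
  const scheme = url.protocol.slice(0, -1); // drop the trailing ":"
  const warnings = [];
  // RFC 6749 forbids a fragment component in redirect URIs.
  if (url.hash) warnings.push('fragment component is not allowed');

  if (scheme === 'http' || scheme === 'https') {
    if (LOOPBACK_HOSTS.has(url.hostname)) return { uri, kind: 'loopback', warnings };
    if (scheme === 'http') warnings.push('plain http to a non-loopback host');
    warnings.push('HTTP(S) redirect on a native app: confirm the OS binds this domain to the app');
    return { uri, kind: 'web-on-native', warnings };
  }
  if (!scheme.includes('.')) {
    // RFC 8252 recommends reverse-domain schemes; short names can collide across apps.
    warnings.push('private-use scheme without a period: prefer a reverse-domain scheme');
    return { uri, kind: 'native-short-scheme', warnings };
  }
  return { uri, kind: 'native-reverse-domain', warnings };
}

// Return only the entries that deserve a reviewer's attention.
function auditRedirectUris(uris) {
  return uris.map(classifyRedirectUri).filter((r) => r.warnings.length > 0);
}

// Constructed sample registrations; the first two are the forms named above.
const sample = [
  'myapp://callback',
  'https://example.com/',
  'com.example.app:/callback',
  'http://127.0.0.1:3000/callback',
];
for (const finding of auditRedirectUris(sample)) {
  console.log(`${finding.uri} [${finding.kind}] ${finding.warnings.join('; ')}`);
}
```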
New connectors
Our connector ecosystem continues to grow with two new additions:
Bug fixes
We've resolved an issue with the CLI command for fetching official connectors by updating the npm registry API integration.