• release
  • WebAuthn
  • Passkey
  • jwt

Logto product updates

🎉 Introducing our June release: Account API for passkeys, access to user interaction details in custom JWT, and more updates!

Sijie
Developer

Account API for WebAuthn (passkeys)

You can now manage WebAuthn passkeys through the Account API, including:

  1. Binding a WebAuthn passkey to the user's account from your own website.
  2. Managing the passkeys already bound to the user's account.

We have implemented Related Origin Requests, so you can manage WebAuthn passkeys from a website whose domain differs from that of Logto's sign-in page.

To learn more, check out the documentation.

Access user interaction details in custom JWT

User interaction data is now accessible through `context.interaction` when generating custom token claims:

| Property | Description | Type |
| --- | --- | --- |
| `interactionEvent` | The interaction event of the current user interaction | `SignIn` or `Register` |
| `userId` | The user id of the current user interaction | `string` |
| `verificationRecords` | A list of verification records submitted by the user to identify and verify their identity during interactions. | `VerificationRecord[]` |

Example Use Case:

Read the verification records from the interaction context. If an Enterprise SSO verification record is present, include the corresponding user profile from the Enterprise SSO identities as additional token claims.

See custom token claims context for more details.
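The following is an added example, not Logto's own code, of a custom JWT claims script that implements the use case above: it adds Enterprise SSO profile data to the token only when the interaction was verified through Enterprise SSO, and copies only an allow-listed subset of the identity profile. The `getCustomJwtClaims` entry point follows Logto's custom JWT script convention; the field names on verification records and SSO identities (`type`, `ssoConnectorId`, `issuer`, `identityId`, `detail`) are assumptions, as is the constructed sample input.

```javascript
// Constructed sample of the input Logto passes to the script (shape assumed).
const sampleInput = {
  token: { sub: 'user_123', scope: 'openid profile' },
  context: {
    interaction: {
      interactionEvent: 'SignIn',
      userId: 'user_123',
      verificationRecords: [
        { type: 'EnterpriseSso', ssoConnectorId: 'conn_okta' }, // assumed record shape
      ],
    },
    user: {
      ssoIdentities: [ // assumed identity shape
        {
          ssoConnectorId: 'conn_okta',
          issuer: 'https://idp.example.com',
          identityId: 'emp-42',
          detail: { department: 'Security', employeeNumber: '42', homeAddress: 'private' },
        },
      ],
    },
  },
};

// Only these IdP profile fields are copied into the token; everything else
// in the stored SSO identity stays out of the access token.
const ALLOWED_PROFILE_FIELDS = ['department', 'employeeNumber'];

// Returns the extra claims for this interaction, or {} when the user did not
// verify through Enterprise SSO (password or passkey sign-in adds nothing).
function buildSsoClaims(interaction, user) {
  const records = interaction?.verificationRecords ?? [];
  const ssoRecord = records.find((record) => record.type === 'EnterpriseSso');
  if (!ssoRecord) return {};
  // Match the verified record to the stored identity of the same connector.
  const identity = (user?.ssoIdentities ?? []).find(
    (candidate) => candidate.ssoConnectorId === ssoRecord.ssoConnectorId,
  );
  if (!identity) return {};
  const profile = {};
  for (const key of ALLOWED_PROFILE_FIELDS) {
    if (identity.detail?.[key] !== undefined) profile[key] = identity.detail[key];
  }
  return { sso_issuer: identity.issuer, sso_identity_id: identity.identityId, sso_profile: profile };
}

// Entry point Logto calls when minting the token.
const getCustomJwtClaims = async ({ context }) =>
  buildSsoClaims(context?.interaction, context?.user);

getCustomJwtClaims(sampleInput).then((claims) => console.log(JSON.stringify(claims)));
```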

Improvements

  • Updated timestamp tracking for SSO: added an `updated_at` field to the `user_sso_identities` table.
  • Changed the user password digest length to 256, supporting the Legacy hashing algorithm with digests such as SHA512.
  • Masked the TOTP secret in audit logs.
  • Supported flexible size in the Turnstile widget, allowing the widget to scale responsively and fill the available space.

Bug fixes

  • Fixed the SAML application callback API to properly handle the `RelayState` parameter in authentication responses.
  • Made `access_token` optional for the Azure OIDC SSO connector. Previously, the connector strictly required an access token in the token response, which caused issues with Azure B2C applications that only return ID tokens.
  • Fixed potential WebAuthn registration errors by specifying the `displayName`. For example, when using Chrome on Windows 11 with the "Use other devices" option (scanning a QR code), an empty `displayName` causes the registration to fail.
  • Fixed an issue where the payment page could not open in iOS Safari.