Changelog for Ory Keto OEL

26.2.6

This version contains only minor changes and improvements such as dependency updates.


v26.2.5

Limit tree size in expand endpoint (default 4k nodes)

The expand endpoint now returns a maximum of 4,000 nodes by default to reduce backend resource usage. For OSS and OEL deployments, this limit can be configured via the limit.max_expand_size config key.

Fix shared mutable state in error handling

Error globals such as herodot.ErrNotFound were package-level variables shared across all requests. Calling methods like WithReason or WithDetail mutated these variables in place and returned the same pointer, so any request that added context to an error (reason text, details, etc.) modified the global. The next request to reach an error path using the same error inherited those stale details.

As a consequence, observability (logs, traces) for requests resulting in an error suffered from the same issue: some errors were reported with details belonging to an unrelated request, or with fields missing that should have been present.

The new API creates a fresh error instance on each call, so each request gets its own copy.

The following values were at risk of leaking into unrelated error responses:

  • HTTP cookie names (Kratos CSRF flow)
  • Entity UUIDs (identity, organization, etc.)
  • OAuth2 error hints (Hydra and Kratos Hydra bridge)
  • OIDC provider URLs and raw upstream error responses (Kratos OIDC strategy)
  • External schema fetch URLs and HTTP status codes (Kratos schema handler)
  • JWT claims and issuers (Oathkeeper JWT authenticator)

No data was written to persistent storage or transmitted outside the error response. Any two requests hitting the same error path on the same node — even back-to-back with no concurrency — could exchange error details.

Under concurrent load, the shared writes also constitute a true data race, which can additionally produce errors in an inconsistent or partially written state.

This change has no externally observable effect other than fixing the information leak in error paths.
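
The following added example (not code from Ory or herodot) reproduces the defect with two back-to-back requests and no concurrency, next to a copy-on-call method that avoids it. The type apiError, its methods and the helpers lookup and leakAfter are hypothetical names, and the detail string is constructed.

```go
package main

import "fmt"

// apiError is a hypothetical stand-in for a reusable HTTP error type.
type apiError struct {
	Status int
	Msg    string
	Reason string
}

// WithReasonShared reproduces the defect: it writes through the receiver
// and returns the same pointer, so a package-level value is modified.
func (e *apiError) WithReasonShared(r string) *apiError {
	e.Reason = r
	return e
}

// WithReasonCopy is the corrected shape: it copies first, so the
// package-level value never changes.
func (e *apiError) WithReasonCopy(r string) *apiError {
	c := *e
	c.Reason = r
	return &c
}

// errNotFound is shared by every request handled by the process.
var errNotFound = &apiError{Status: 404, Msg: "resource not found"}

// lookup simulates a handler's error path. detail is request-specific
// context (for example an entity UUID); an empty detail means the
// handler returns the bare error.
func lookup(detail string, with func(*apiError, string) *apiError) *apiError {
	if detail == "" {
		return errNotFound
	}
	return with(errNotFound, detail)
}

// leakAfter runs request A (with a detail) and then request B (without),
// sequentially, and returns the Reason that request B's response carries.
func leakAfter(with func(*apiError, string) *apiError) string {
	errNotFound.Reason = "" // reset so each scenario starts clean
	lookup("identity 11111111-aaaa (constructed)", with)
	return lookup("", with).Reason
}

func main() {
	fmt.Printf("shared: %q\n", leakAfter((*apiError).WithReasonShared))
	fmt.Printf("copy:   %q\n", leakAfter((*apiError).WithReasonCopy))
}
```

With the in-place method, request B's error carries request A's detail; with the copying method it is empty. Under concurrent load the in-place variant is also what the Go race detector (go test -race) reports as a data race.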


v26.2.4

Migrate Helm chart repository URL from k8s.ory.sh to k8s.ory.com

The Helm chart repository URL has been updated from k8s.ory.sh to k8s.ory.com. The old URL will continue to work with redirects for a limited time. Update your Helm repository configuration to use the new URL.


v26.2.3

Remove CGO requirement from Ory by switching to modernc.org/sqlite

Migrates SQLite support from mattn/go-sqlite3 (CGO) to modernc.org/sqlite (pure Go) and fixes several timestamp comparison bugs that caused incorrect pagination results. This migration is fully backwards compatible. Going forward, the -tags sqlite tag is no longer required to compile Ory.


26.2.2

This version contains only minor changes and improvements such as dependency updates.


26.2.1

This version contains only minor changes and improvements such as dependency updates.


26.2.0

This version contains only minor changes and improvements such as dependency updates.


26.1.18

This version contains only minor changes and improvements such as dependency updates.


26.1.17

This version contains only minor changes and improvements such as dependency updates.


26.1.16

This version contains only minor changes and improvements such as dependency updates.


26.1.15

This version contains only minor changes and improvements such as dependency updates.


26.1.14

This version contains only minor changes and improvements such as dependency updates.


26.1.13

This version contains only minor changes and improvements such as dependency updates.


26.1.12

This version contains only minor changes and improvements such as dependency updates.


v26.1.11

Breaking changes

Upgrading from <26.1.7 will break pagination tokens. To ensure a smooth upgrade, you must upgrade to 26.1.7 first.

Optimizes List Tuples query performance

Optimizes pagination performance for certain list relation-tuple queries. This also changes the order of results while ensuring stable pagination.


26.1.10

This version contains only minor changes and improvements such as dependency updates.


26.1.9

This version contains only minor changes and improvements such as dependency updates.


26.1.8

This version contains only minor changes and improvements such as dependency updates.


26.1.7

This version contains only minor changes and improvements such as dependency updates.


26.1.6

This version contains only minor changes and improvements such as dependency updates.


26.1.5

This version contains only minor changes and improvements such as dependency updates.


26.1.4

This version contains only minor changes and improvements such as dependency updates.


26.1.3

This version contains only minor changes and improvements such as dependency updates.


26.1.2

This version contains only minor changes and improvements such as dependency updates.


26.1.1

This version contains only minor changes and improvements such as dependency updates.


26.1.0

This version contains only minor changes and improvements such as dependency updates.


25.4.12

This version contains only minor changes and improvements such as dependency updates.


25.4.11

This version contains only minor changes and improvements such as dependency updates.


25.4.10

This version contains only minor changes and improvements such as dependency updates.


25.4.9

This version contains only minor changes and improvements such as dependency updates.


25.4.8

This version contains only minor changes and improvements such as dependency updates.


25.4.7

This version contains only minor changes and improvements such as dependency updates.


25.4.6

This version contains only minor changes and improvements such as dependency updates.


25.4.5

This version contains only minor changes and improvements such as dependency updates.


25.4.4

This version contains only minor changes and improvements such as dependency updates.


v25.4.3

Breaking changes

Remove the ability for Keto to watch a WebSocket URL (starting with ws://) for legacy namespaces.

This affects the configuration field namespaces, but only when using the legacy namespaces which are deprecated. Use the new Ory Permission Language instead.

To check if you are affected, run the command: keto namespace validate-legacy -c /path/to/keto.yml.


25.4.2

This version contains only minor changes and improvements such as dependency updates.


25.4.1

This version contains only minor changes and improvements such as dependency updates.


25.4.0

This version contains only minor changes and improvements such as dependency updates.


25.3.9

This version contains only minor changes and improvements such as dependency updates.


25.3.8

This version contains only minor changes and improvements such as dependency updates.


25.3.7

This version contains only minor changes and improvements such as dependency updates.


25.3.6

This version contains only minor changes and improvements such as dependency updates.


v25.3.5

Change of base image

The base image for OEL images is now set to "gcr.io/distroless/static-debian12:nonroot". Previously, it was "gcr.io/distroless/static-debian12:debug-nonroot", which included BusyBox (a minimal shell and basic debugging utilities). Debug images are still available using the "-debug" tag suffix.


25.3.4

This version contains only minor changes and improvements such as dependency updates.


v25.3.3

Improved tracing and metrics for the high-performance SQL connection pool

This change adds distributed tracing and advanced metrics for the high-performance SQL connection pool in all Ory OEL products.