Changelog for Ory Polis OEL

v26.2.19

Optionally return group members in the SCIM Groups API

The SCIM Groups API can now return a group's members. Reading a group with GET /api/scim/v2.0/{directoryId}/Groups/{groupId} or listing groups with GET /api/scim/v2.0/{directoryId}/Groups returns an empty members list by default. Add includeMembers=true to the request to include the current members instead.

Members stay omitted by default to avoid loading very large memberships into a single response. When includeMembers=true is set and a group has more than 500 members, the request returns a 400 error and directs you to the paginated group members endpoint, rather than returning a partial or oversized response.

The 500-member limit is configurable. Set the DSYNC_MAX_INLINE_GROUP_MEMBERS environment variable (or the dsync.maxInlineGroupMembers option when embedding the library) to raise or lower it.

v26.2.18

Configurable retention for SCIM webhook event logs

You can now set how long SCIM (directory sync) webhook event logs are kept, using the DSYNC_WEBHOOK_LOGS_TTL environment variable. Set it to a duration such as 720h or 30d.

If you leave the variable unset, logs keep the existing 7-day retention. Set it to an empty string to keep logs indefinitely. An unrecognized value falls back to the 7-day default and logs a warning, so a typo never disables retention.

26.2.17

This version contains only minor changes and improvements such as dependency updates.

26.2.16

This version contains only minor changes and improvements such as dependency updates.

26.2.15

This version contains only minor changes and improvements such as dependency updates.

26.2.14

This version contains only minor changes and improvements such as dependency updates.

26.2.13

This version contains only minor changes and improvements such as dependency updates.

26.2.12

This version contains only minor changes and improvements such as dependency updates.

26.2.11

This version contains only minor changes and improvements such as dependency updates.

26.2.10

This version contains only minor changes and improvements such as dependency updates.

v26.2.9

Patch security vulnerabilities in dependencies

Bump several dependencies to patched versions to address security advisories reported by Dependabot.

Notable updates:

github.com/jackc/pgx/v5 to v5.9.2 across all Go modules (SQL injection via placeholder confusion in dollar-quoted string literals).
github.com/moby/spdystream to v0.5.1 (denial of service on container runtime interface).
go.opentelemetry.io/otel to v1.41.0 (remote DoS amplification via multi-value baggage header).
postcss to >=8.5.10 (XSS via unescaped </style> in CSS stringify output).
uuid to >=14.0.0 (missing buffer bounds check in v3/v5/v6 generators).
@xmldom/xmldom to >=0.8.13 (XML node injection and uncontrolled recursion).
axios, follow-redirects, lodash, picomatch, brace-expansion, serialize-javascript, yaml, file-type, i18next-fs-backend, @nestjs/core to their respective patched versions.

26.2.8

This version contains only minor changes and improvements such as dependency updates.

26.2.7

This version contains only minor changes and improvements such as dependency updates.

26.2.6

This version contains only minor changes and improvements such as dependency updates.

26.2.5

This version contains only minor changes and improvements such as dependency updates.

26.2.4

This version contains only minor changes and improvements such as dependency updates.

26.2.3

This version contains only minor changes and improvements such as dependency updates.

26.2.2

This version contains only minor changes and improvements such as dependency updates.

26.2.1

This version contains only minor changes and improvements such as dependency updates.

26.2.0

This version contains only minor changes and improvements such as dependency updates.

v26.1.18

Fixed a security issue

This release includes a fix for a security issue. Additional details will be shared with customers directly.

26.1.17

This version contains only minor changes and improvements such as dependency updates.

26.1.16

This version contains only minor changes and improvements such as dependency updates.

26.1.15

This version contains only minor changes and improvements such as dependency updates.

26.1.14

This version contains only minor changes and improvements such as dependency updates.

26.1.13

This version contains only minor changes and improvements such as dependency updates.

26.1.12

This version contains only minor changes and improvements such as dependency updates.

26.1.11

This version contains only minor changes and improvements such as dependency updates.

26.1.10

This version contains only minor changes and improvements such as dependency updates.

26.1.9

This version contains only minor changes and improvements such as dependency updates.

26.1.8

This version contains only minor changes and improvements such as dependency updates.

v26.1.7

Switched to better-sqlite3

We have replaced the unmaintained sqlite3 dependency with better-sqlite3 to ensure ongoing maintenance and stability.

Breaking changes

Turso is no longer supported due to the removal of the sqlite3 library.

Identity Federation: Support for including OIDC tokens in SAML responses

When creating an Identity Federation app, you can now include OIDC tokens in the SAML Response by setting the includeOidcTokensInAssertion attribute. This allows downstream applications to access the original OIDC tokens issued by the provider when using SAML federation.

26.1.6

This version contains only minor changes and improvements such as dependency updates.

26.1.5

This version contains only minor changes and improvements such as dependency updates.

26.1.4

This version contains only minor changes and improvements such as dependency updates.

26.1.3

This version contains only minor changes and improvements such as dependency updates.

v26.1.2

Identity Federation: SAML Response expiry is now configurable

When creating an Identity Federation app, you can now control how long a SAML Response remains valid by setting the ttlInMinutes attribute. The default expiry remains 10 minutes.

26.1.1

This version contains only minor changes and improvements such as dependency updates.

26.1.0

This version contains only minor changes and improvements such as dependency updates.

25.4.12

This version contains only minor changes and improvements such as dependency updates.

25.4.11

This version contains only minor changes and improvements such as dependency updates.

25.4.10

This version contains only minor changes and improvements such as dependency updates.

25.4.9

This version contains only minor changes and improvements such as dependency updates.

25.4.8

This version contains only minor changes and improvements such as dependency updates.

25.4.7

This version contains only minor changes and improvements such as dependency updates.

25.4.6

This version contains only minor changes and improvements such as dependency updates.

25.4.5

This version contains only minor changes and improvements such as dependency updates.

25.4.4

This version contains only minor changes and improvements such as dependency updates.

25.4.3

This version contains only minor changes and improvements such as dependency updates.

25.4.2

This version contains only minor changes and improvements such as dependency updates.

25.4.1

This version contains only minor changes and improvements such as dependency updates.

25.4.0

This version contains only minor changes and improvements such as dependency updates.

25.3.9

This version contains only minor changes and improvements such as dependency updates.

25.3.8

This version contains only minor changes and improvements such as dependency updates.

25.3.7

This version contains only minor changes and improvements such as dependency updates.

25.3.6

This version contains only minor changes and improvements such as dependency updates.

25.3.5

This version contains only minor changes and improvements such as dependency updates.

25.3.4

This version contains only minor changes and improvements such as dependency updates.

25.3.3

This version contains only minor changes and improvements such as dependency updates.

2025-07-28

Tag: c2370d3c35c060459b46f1c77b2241a23a1b04eb

No specific upgrade steps are required for this release. The Ory Polis OEL image is now available in the Ory Enterprise Docker Registry.

v26.2.19​

Optionally return group members in the SCIM Groups API​

v26.2.18​

Configurable retention for SCIM webhook event logs​

26.2.17

26.2.16

26.2.15

26.2.14

26.2.13

26.2.12

26.2.11

26.2.10

v26.2.9​

Patch security vulnerabilities in dependencies​

26.2.8

26.2.7

26.2.6

26.2.5

26.2.4

26.2.3

26.2.2

26.2.1

26.2.0

v26.1.18​

Fixed a security issue​

26.1.17

26.1.16

26.1.15

26.1.14

26.1.13

26.1.12

26.1.11

26.1.10

26.1.9

26.1.8

v26.1.7​

Switched to better-sqlite3​

Breaking changes​

Identity Federation: Support for including OIDC tokens in SAML responses​

26.1.6

26.1.5

26.1.4

26.1.3

v26.1.2​

Identity Federation: SAML Response expiry is now configurable​

26.1.1

26.1.0

25.4.12

25.4.11

25.4.10

25.4.9

25.4.8

25.4.7

25.4.6

25.4.5

25.4.4

25.4.3

25.4.2

25.4.1

25.4.0

25.3.9

25.3.8

25.3.7

25.3.6

25.3.5

25.3.4

25.3.3

2025-07-28​

Ory Network

v26.2.19

Optionally return group members in the SCIM Groups API

v26.2.18

Configurable retention for SCIM webhook event logs

v26.2.9

Patch security vulnerabilities in dependencies

v26.1.18

Fixed a security issue

v26.1.7

Switched to better-sqlite3

Breaking changes

Identity Federation: Support for including OIDC tokens in SAML responses

v26.1.2

Identity Federation: SAML Response expiry is now configurable

2025-07-28