Happy new year! We are excited to announce to you the next iteration of Ory Hydra: Version 1.11.0!
This version has significant new features contributed by the awesome Open Source Community - you! But not only that:
Ory Hydra 2.0 is coming!
While a major version, we intend to keep all APIs with as few breaking changes as possible. The efforts focus on some long-standing issues in the persistence layer. In particular, data growth rate and performance improvements are the focus areas! If you are interested to see what is going on, check out PR #2796
And Ory Hydra 2.0 will be available as an API in Ory Cloud! If you are interested in Ory Cloud, apply to Ory Acceleration Program and receive a one-year free subscription for Ory Cloud's Start-Up plan. The Start-Up plan comes with convenient features such as custom domains and unlimited identities/tokens!
More on timelines and Ory Hydra 2.0 plans will follow later this year.
If these changes are not exciting enough already, Ory Hydra now supports loading Private and Public Keys from Hardware Security Modules, a physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication, and other cryptographic functions. Thank you @aarmam for this amazing work! For more information, please read the guide.
Next up, Ory Hydra now natively supports the OpenID Connect Dynamic Client Registration and OAuth2 Dynamic Client Registration Protocol which can be enabled (optionally) in the configuration! Thank you @fjvierap for your hard work!
We do not stop there, @Xopek and @jagobagascon added the Support for JSON Web Token (JWT) Profile for OAuth 2.0 Authorization Grants (RFC7523) to Ory Hydra! This major improvement allows Ory Hydra to have an even better integration API than before!
For our Apple users and everyone eyeballing ARM64, we now distributed binaries and Docker Images for all platforms and CPU architectures, including Apple M1, Linux ARM (v6, v7, v8, ARM64), and - this is new - FreeBSD!
Lastly, we resolved a bug in the configuration loading which now allows loading complex configuration keys from environment variables without hassle!
Please notice that this release requires SQL migrations to be applied! As always, please make a backup before applying them!
Breaking Changes
To celebrate this change, we cleaned up the ways you install Ory software. There is now one central brew / bash curl repository:
-brew install ory/hydra/hydra
+brew install ory/tap/hydra
-bash <(curl https://raw.githubusercontent.com/ory/kratos/master/install.sh)
+bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) hydraEndpoint PUT /clients now returns a 404 error when the OAuth2 Client to be updated does not exist. It returned 401 previously. This change requires you to run SQL migrations!
Co-authored-by: fjviera javier.viera@mindcurv.com
Please notice that this change requires SQL migrations to be applied! As always, please make a backup before applying them!
Co-authored-by: aeneasr 3372410+aeneasr@users.noreply.github.com
Co-authored-by: Jagoba Gascón jagoba@arima.eu
Co-authored-by: Gajewski Dmitriy dmit8815@gmail.com
Bug Fixes
-
Contributors is upper case (5bad542)
-
FreeBSD build issue, env loading, add OTEL tracing (5158faa), closes #2597 #2912:
This fix addresses an issue where configuration values in arrays could not be loaded from environment variables, which is now possible. For more information on how Ory Hydra parses configuration, head over to the documentation!
Additionally, this PR resolves a build issue on FreeBSD - making it now possible to compile Ory Hydra with the FreeBSD target.
Lastly, this change adds OpenTelemetry support!
-
Missing imports (42fec62)
-
Patch should not reset client secret (#2872) (895de01), closes #2869
-
Remove codecov report for internal testhelpers (52a77a3), closes #2871
-
Remove contributors file (565aa2d)
-
Update v1.10 installation instructions for linux (#2799) (45afd0d):
The documentation for how to install hydra on linux is still using the old version tags
-
Use pop/v6 (b284353)
Code Generation
- Pin v1.11.0 release commit (5355a1a)
Documentation
- Fix grammar issues and typos (#2830) (49b582c)
- ORY -> Ory to follow styleguides (#2941) (5895d03)
- Update bash install (5ca99e5)
- Update coverage badge (1f89973), closes #2871
- Use Ory instead of ORY in the documentation (#2939) (1b2f6a6)
Features
-
docs: Opentelemetry tracing (74da7b6)
-
Hardware Security Module support (#2625) (7578aa9):
This change introduces support for Hardware Security Modules, a physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication, and other cryptographic functions.
If enabled, the Hardware Security Module is used to look up any keys. If no key is found, the software module is used as a fallback for lookup. This allows you to use the HSM for privileged keys, and the software module to manage lifecycle keys (e.g. for Token Exchange).
For more information, please read the guide.
Thank you to aarmam for this great contribution!
-
Native ARM64 support in Docker and Binaries (abffb09):
This release adds important security updates for the base Docker Images (e.g. Alpine). Additionally, Ory Hydra now has full ARM support have been resolved and the binaries are now downloadable for all major platforms.
-
OpenID Connect Dynamic Client Registration and OAuth2 Dynamic Client Registration Protocol (#2909) (6a18f62), closes #2568 #2549:
This feature adds first-class support for two IETF RFCs and one OpenID Spec:
- OpenID Connect Dynamic Client Registration 1.0
- OAuth 2.0 Dynamic Client Registration Protocol
- OAuth 2.0 Dynamic Client Registration Management Protocol
To enable this feature, which is disabled by default, set
oidc: dynamic_client_registration: enabled: true
in your Ory Hydra configuration. Once enabled, endpoints
POST,GET,PUT, andDELETEfor/connect/registerwill be available at the public port! -
Support for urn:ietf:params:oauth:grant-type:jwt-bearer grant type RFC 7523 (#2384) (858f2cf), closes #2229:
This change adds support for JSON Web Token (JWT) Profile for OAuth 2.0 Authorization Grants (RFC7523).
Users of Ory Hydra will be able to grant permission for OAuth 2.0 Client to act on behalf of some Resource Owner using JWT Bearer Assertions.For more information about this feature, please head over to the documentation: https://www.ory.sh/hydra/docs/next/guides/oauth2-grant-type-jwt-bearer
Changelog
- b052084 autogen(docs): generate and format documentation
- 61cef96 autogen(docs): generate and format documentation
- 04a25b1 autogen(docs): generate and format documentation
- bdc365d autogen(docs): generate and format documentation
- 5a4e11c autogen(docs): generate and format documentation
- 7dd428e autogen(docs): generate and format documentation
- 844a595 autogen(docs): generate and format documentation
- 31af257 autogen(docs): generate and format documentation
- 6cb74cb autogen(docs): generate and format documentation
- e8eeb8e autogen(docs): generate and format documentation
- f15f339 autogen(docs): generate cli docs
- 9a4d04e autogen(docs): generate cli docs
- 72837a1 autogen(docs): update milestone document
- e91e2d1 autogen(docs): update milestone document
- ecb841c autogen(docs): update milestone document
- 91b0870 autogen(docs): update milestone document
- e03a1fe autogen(docs): update milestone document
- 3236e31 autogen(docs): update milestone document
- e10309c autogen(docs): update milestone document
- 745619f autogen(openapi): Regenerate swagger spec and internal client
- 2d54490 autogen(openapi): Regenerate swagger spec and internal client
- 41f6187 autogen(openapi): Regenerate swagger spec and internal client
- 4250f03 autogen(openapi): Regenerate swagger spec and internal client
- 7da8adf autogen: add v1.10.7 to version.schema.json
- 5355a1a autogen: pin v1.11.0 release commit
- e770afa autogen: pin v1.11.0-pre.0 release commit
- ef11adf chore: bump aline to 3.14.3 (#2856)
- 50f9dc8 chore: document consent requirement for non-https redirect schemes (#2826)
- 7a71b2d chore: new goreleaser config
- 54eb3c8 chore: update docusaurus template
- e291535 chore: update docusaurus template
- b75b20a chore: update docusaurus template
- b7ecf2c chore: update docusaurus template
- d687366 chore: update docusaurus template (#2838)
- ebe4698 chore: update docusaurus template (#2846)
- c094288 chore: update docusaurus template (#2922)
- 21b470d chore: update repository templates
- 4a734a2 chore: update repository templates
- c8eb2e2 chore: update repository templates
- 47ff2b9 ci: bump groreleaser
- 5895d03 docs: ORY -> Ory to follow styleguides (#2941)
- 49b582c docs: fix grammar issues and typos (#2830)
- 5ca99e5 docs: update bash install
- 1f89973 docs: update coverage badge
- 1b2f6a6 docs: use Ory instead of ORY in the documentation (#2939)
- 74da7b6 feat(docs): opentelemetry tracing
- 5795bc3 feat: ES256 for JWK generation (#2828)
- 7578aa9 feat: Hardware Security Module support (#2625)
- 6a18f62 feat: OpenID Connect Dynamic Client Registration and OAuth2 Dynamic Client Registration Protocol (#2909)
- 511a668 feat: add list of authors (#2831)
- 38cbcc0 feat: add shellcheck to circleci (#2835)
- abffb09 feat: native ARM64 support in Docker and Binaries
- 858f2cf feat: support for urn:ietf:params:oauth:grant-type:jwt-bearer grant type RFC 7523 (#2384)
- 5158faa fix: FreeBSD build issue, env loading, add OTEL tracing
- 0a73d8b fix: add hiring notice to README (#2893)
- b287287 fix: bump deps (#2868)
- 5bad542 fix: contributors is upper case
- 33d75d7 fix: error handling in persister (#2860)
- 42fec62 fix: missing imports
- 1441658 fix: missing stack traces (#2858)
- 895de01 fix: patch should not reset client secret (#2872)
- 52a77a3 fix: remove codecov report for internal testhelpers
- 565aa2d fix: remove contributors file
- 45afd0d fix: update v1.10 installation instructions for linux (#2799)
- b284353 fix: use pop/v6
- 440e0b8 fix: version info nil on version api endpoint (#2894)
Artifacts can be verified with cosign using this public key.