github ory/hydra v1.7.0


Google Chrome now enforces the new SameSite cookie attribute, which may cause issues with your current ORY Hydra deployment:

Cookies with SameSite=None are rejected unless they also carry the Secure flag. If you are using the --dangerous-force-http flag (so cookies cannot be marked Secure) and have not configured SameSite=Lax, your users will no longer be able to complete OAuth2 flows.

The next Firefox release will follow this implementation as well. To prevent your users from experiencing issues:

  • Remove --dangerous-force-http from your deployment. This flag should never be set outside of local development machines anyway!
  • Set the environment variable SERVE_COOKIES_SAME_SITE_MODE=Lax or the configuration value serve.cookies.same_site_mode = Lax.

This release applies the above recommendations by default, for example by using SameSite=Lax when --dangerous-force-http is set.
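One way to check whether the cookies a deployment sends survive the Chrome behaviour described above (an added example, not code from the ORY Hydra project): it parses a raw Set-Cookie header with Go's net/http and applies Chrome's two rules, SameSite=None requires Secure and a missing SameSite defaults to Lax. The cookie name and sample header are constructed.

```go
package main

import (
	"fmt"
	"net/http"
)

// Verdict is how Chrome's SameSite enforcement treats one Set-Cookie header.
type Verdict struct {
	Name      string
	Effective string // SameSite mode Chrome applies: "Lax", "Strict" or "None"
	Rejected  bool   // true when Chrome discards the cookie outright
	Reason    string
}

// CheckSetCookie parses a raw Set-Cookie value with net/http and applies Chrome's
// rules: a missing SameSite attribute is treated as Lax, and SameSite=None is
// honoured only when the Secure flag is also present.
func CheckSetCookie(header string) (Verdict, error) {
	resp := &http.Response{Header: http.Header{}}
	resp.Header.Add("Set-Cookie", header)
	cookies := resp.Cookies()
	if len(cookies) == 0 {
		return Verdict{}, fmt.Errorf("unparseable Set-Cookie header: %q", header)
	}
	c := cookies[0]
	v := Verdict{Name: c.Name}
	switch c.SameSite {
	case http.SameSiteNoneMode:
		if !c.Secure { // the --dangerous-force-http case: no TLS, so no Secure flag
			v.Rejected, v.Reason = true, "SameSite=None without Secure is rejected by Chrome"
			return v, nil
		}
		v.Effective = "None"
	case http.SameSiteStrictMode:
		v.Effective = "Strict"
	case http.SameSiteLaxMode:
		v.Effective = "Lax"
	default: // attribute absent or carrying an unknown value
		v.Effective, v.Reason = "Lax", "no SameSite attribute, Chrome defaults to Lax"
	}
	return v, nil
}

func main() {
	// Constructed sample header, not captured from a real Hydra deployment.
	v, err := CheckSetCookie("example_session=abc; Path=/; HttpOnly; SameSite=None")
	fmt.Printf("%+v %v\n", v, err)
}
```

Run it against the Set-Cookie headers your Hydra instance actually emits during a login or consent flow; a Rejected verdict means browsers on the new behaviour will drop that cookie.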

Many of you have reached out in the past asking about managed / SaaS offerings from ORY, for more support, automated updates, and automated fixes for issues like the SameSite behavior above. We would like to invite those interested in that kind of offering and service to engage in a dialogue, so we can better understand how you are using ORY, what requirements your businesses have, and how we can better help and serve you. Together, we can shape this journey. If you would like to be part of this conversation, please send an email to jared@ory.sh so we can get in touch directly and begin talking about what an ideal and fully supported offering from ORY would look like for you.

This patch additionally includes a breaking API change for the "Revoke Consent Sessions" API endpoint - please check the breaking changes below. Bugfixes are included in this release as well - such as pretty JSON format logging, fixes to the Jaeger configuration, and more!

1.7.0 (2020-08-14)

Bug Fixes

Code Refactoring

Documentation

  • Access token time config (#1966) (f066cc1):

    Adds a short guide how to configure access token expiration time.

  • Add expiry-time sidebar item (#1967) (5f8e58b):

    Adds token-expiration to sidebar.

  • Add sdk samples for tls termination and tls verify skip (#1968) (6619e59)

  • Add section on oauth2 limitations at beginning (4254363)

  • Adopt new sidebar.json (8faf070)

  • Clarify secure flag in chrome (f01ac17)

  • Clarify when to use oauth2 (4c58601)

  • Document SameSite woes on Chrome (921f8c2)

  • Fix broken links (b3c6c5a)

  • Fix invalid links (3838cdc)

  • Fix typos (#1964) (83ce657)

  • Fixed link (#1969) (ba1f14b)

  • Update oauth2 limitation section (62e6fdf)

  • Update TLS example to quote strings not spawn a subshell (#1961) (0e6ed29)

Features

  • Add audit and debug logs for cookies (08813b3)

  • Add clidoc task and program (e44d256)

  • Revoke consent sessions of a subject only if explicitly requested (#1952) (fb925cf), closes #1951:

    This patch adds the query parameter all to /oauth2/auth/sessions/consent. If all=true, all consent sessions of the given subject are revoked.

Unclassified

  • Whitelist new session cookies and set log level to trace (6e75638)
  • Add 1.5 notes to UPGRADING.md (270b89a)

BREAKING CHANGES

  • Previously, '/oauth2/auth/sessions/consent?subject=foo@bar.com' would revoke all consent sessions of that user. This may be problematic in cases where the caller forgot to specify the client ID, as all tokens for that user are revoked. To prevent that, a "failsafe" all=true is now required to make this explicit: '/oauth2/auth/sessions/consent?subject=foo@bar.com&all=true'.

Changelog

270b89a Add 1.5 notes to UPGRADING.md
69d4af7 Merge branch 'master' into fix-e2e-cookie
cd76524 Merge pull request #1990 from ory/fix-e2e-cookie
5821d7e autogen(docs): generate and format documentation
38b8368 autogen(docs): generate and format documentation
e7f38eb autogen(docs): generate and format documentation
cf90919 autogen(docs): generate and format documentation
1208827 autogen(docs): generate and format documentation
8772df0 autogen(docs): generate and format documentation
109c2d8 autogen(docs): generate and format documentation
6aec75f autogen(docs): generate and format documentation
853fa94 autogen(docs): generate and format documentation
d91a0e8 autogen(docs): generate and format documentation
e5f7511 autogen(docs): generate and format documentation
a65919b autogen(docs): generate and format documentation
b81fd79 autogen(docs): generate and format documentation
5cb4bb4 autogen(docs): generate and format documentation
2fb6102 autogen(docs): generate and format documentation
2b44614 autogen(docs): generate cli docs
6811eec autogen(docs): generate cli docs
e3a3005 autogen(docs): generate cli docs
9e491fa autogen(docs): generate cli docs
11176dc autogen(docs): generate cli docs
1c8b31d autogen(docs): regenerate and update changelog
3927ca2 autogen(docs): regenerate and update changelog
6060cb0 autogen(openapi): Regenerate swagger spec and internal client
ff4b81e autogen: pin v1.7.0 release commit
53f3645 chore: add cypress screenshots to gitignore
dd48558 chore: bump ory/x
6ffa84a chore: clean up RootCmd
9dcaaf1 chore: fix editorconfig ident size
912eae7 chore: update .dockerignore
04fa732 chore: update docusaurus template
e681c8c chore: update docusaurus template
2bdc31b chore: update docusaurus template (#1972)
4b1be80 chore: update docusaurus template (#1985)
1ef032d ci: add docs/cli task
1f6d49a ci: bump ci versions
5494e41 ci: disable legacy migrations
2d47224 ci: fix goreleaser config
f066cc1 docs: access token time config (#1966)
5f8e58b docs: add expiry-time sidebar item (#1967)
6619e59 docs: add sdk samples for tls termination and tls verify skip (#1968)
4254363 docs: add section on oauth2 limitations at beginning
8faf070 docs: adopt new sidebar.json
f01ac17 docs: clarify secure flag in chrome
4c58601 docs: clarify when to use oauth2
921f8c2 docs: document SameSite woes on Chrome
b3c6c5a docs: fix broken links
3838cdc docs: fix invalid links
83ce657 docs: fix typos (#1964)
ba1f14b docs: fixed link (#1969)
0e6ed29 docs: update TLS example to quote strings not spawn a subshell (#1961)
62e6fdf docs: update oauth2 limitation section
08813b3 feat: add audit and debug logs for cookies
e44d256 feat: add clidoc task and program
fb925cf feat: revoke consent sessions of a subject only if explicitly requested (#1952)
cc96359 fix: add json_pretty to possible log.format values
4d5df3e fix: add uri to jaeger's local_agent_address (#1982)
7800049 fix: bump clidoc
819fe6c fix: remove duplicate html tags (#1960)
5f9f294 fix: send total item count in X-Total-Count header (#1983)
534203c fix: use SameSite=Lax for dev environments per default
379f5f0 fix: use SameSite=Lax for quickstart
5a53d28 refactor: cleanup the code for CORS handling (#1959)
00bfa09 style: go format
6e75638 tests: whitelist new session cookies and set log level to trace

Docker images

  • docker pull oryd/hydra:v1
  • docker pull oryd/hydra:v1.7
  • docker pull oryd/hydra:v1.7.0
  • docker pull oryd/hydra:latest
  • docker pull oryd/hydra:v1-alpine
  • docker pull oryd/hydra:v1.7-alpine
  • docker pull oryd/hydra:v1.7.0-alpine
  • docker pull oryd/hydra:latest-alpine
