We are excited to present the next big step towards ORY Hydra 1.9! In this release we completely refactored the configuration internals and moved from spf13/viper to knadh/koanf:

1. Configuration sourcing works from all sources (file, env, cli flags) with validation against the configuration schema, greatly improving the developer experience when changing or updating configuration.
2. Configuration reloading has improved significantly and works excellently on Kubernetes.
3. Performance gains that remove the need for a cache layer between the configuration system and ORY Hydra.
4. Loading of several config files using the --config flag now possible.
5. Configuration values are now sent to the tracer (e.g. Jaeger) if tracing is enabled.

Please be aware that deprecated configuration flags have finally been removed with this change. It is also possible that ORY Hydra might complain about an invalid configuration due to a significantly improved validation process.

In addition, this release includes the new OpenID Connect Conformity Test Suite as part of the ORY Hydra CI pipeline. This means every PR and change will be checked for OpenID Connect Compliance. As part of these tests, we uncovered some regression issues which have since been resolved. Please be aware that fields error_hint and error_debug will no longer be sent. You can re-enable those legacy fields by setting oauth2.include_legacy_error_fields to true.

Furthermore, support for OpenID Connect flows response_mode=form_post was added and has been tested with the OpenID Connect Conformity Test Suite, making it ready for production.

Several other bugs have been resolved and we have completely overhauled the tests, deprecating test tables in favor of test suites. This greatly improves the readability of our tests and allows new contributors to more easily understand what is going on!

If you wish to get into ORY Hydra, check out the newly published YouTube tutorial:

1.9.0-alpha.3 (2020-12-08)

Bug Fixes

• Add encrypt_at_rest option to config schema (3219c16)

• Add required aud, jti claims to userinfo response (d0697fa)

• Add standardized client registration errors (02a9137):

  Adds new errors to fully comply with the OpenID Connect Dynamic Client Registration specification.

• Allow all request object signing algs per default (edc54c2):

  This patch resolves an issue where RS256 would be the only allowed request object signing algorithm. The spec however mandates that all algorithms are allowed if the client does not explicitly set the request object signing algorithm.

• Allow lower bcrypt values and add tests (812a21c)

• Document describe error (#2208) (b59bdf8)

• Ensure consistent auth_time in session handling (e973ffe)

• Increase parallelism to 4 (ae02706)

• Mark false gosec positive (206d1ee)

• Nonce is not required for hybrid flows (c708ada)

• Quickstart yml (5ebd984)

• Remove session from store on logout (4495f56):

  This patch resolves an issue where the session would not be purged from the store when performing an RP-initiated logout request from a client, if said client does not purge the authentication session properly because the client does not have access to it or because the client misbehaves.

• Remove unrelated quickstart entry (#2214) (a583d78), closes #2213

• Request_id should not be unique (a8ca333):

  This patch resolves an issue where certain OpenID Connect Hybrid flows would error with a UNIQUE violation. The cause of this issue was an incorrect UNIQUE constraint on the request_id field of the access, refresh, pkce, and other, similar tables.

• Resolve broken quickstart (95a1dfb)

• Update deprecated config in quickstart (1c1433a)

• Update invalid quickstart config (8d076a5)

• Update package lock (18bfc96)

• Update schema to support new koanf (29763c8)

Code Refactoring

• Deprecate driver semantics (8fc3e2e)
• Move oauth2 cors to own package (3beddbd)
• Rename token_type to token_use in introspection (152fd5d), closes #1762
• Replace viper with koanf config management (8c12b27)

Documentation

• Add config debug section (c53f036)

• Add contributing to sidebar (#2209) (21f3b1f):

  Added Contributing Guidelines to the introduction menu point on the sidebar.
  I think it should be as obvious as possible.
  Another good solution would be to add them to the top bar?

  If this is merged, I will do the same changes for Kratos/Oathkeeper/Keto.

• Add newsletter banner (5b63aa4)

• Add quickstart video (#2220) (d4aa981)

• Bcrypt reference config (#2161) (e7eece2), closes #2077

• Deps are installed automagically and make deps was removed (#2157) (25e96e2), closes #2154

• Fix omissions in consent flow description (#2194) (d9d719a)

• Minor improvements to the concepts/consent page (#2168) (1128cfc)

• Update links and fix typos (#2169) (409f2f4)

• Update toc (#2158) (ee4a9ed), closes #2153

• Use codefromremote for consent samples (51c0874)

Features

• Add ability to override oidc discovery urls (bb8b982):

  Added config options webfinger.oidc_discovery.token_url, webfinger.oidc_discovery.auth_url, webfinger.oidc_discovery.jwks_url.

• Add new request_object_signing_alg_values_supported to oidc discovery (4220959)

• Add oidc conformity tests (651f424)

• Add support for ElasticAPM tracing (#2155) (7792715)

• Improve and clean up error handling (b727367)

• Improve error responses for consent handler (44ab747)

• Improve error stack trace wrapping (fdf142c)

• Only set state-param if it was passed (#2183) (568434a):

  Using state in the logout flow is optional, so state can be empty. In order to avoid an ugly /post-logout-redirect-uri?state= URI, the state should only be appended if it is not empty.

• Remove legacy error fields unless configured to do so (e2a7135)

• Support OpenID Connect's response_mode=form_post (8ab9eff), closes #1621:

  This patch adds support for the response_mode parameter as defined in OAuth 2.0 Form Post Response Mode. Additionally, values fragment and query are supported as defined in OAuth 2.0 Multiple Response Type Encoding Practices.

• Support pkger (07a360e)

Tests

• Add timeout to wait (90dfaf5)
• Completely refactor consent tests (defc063)
• Fix jwt e2e tests (1b480d8)
• Improve github action conformity tests (1015e49)
• Improve TestClientCredentialsGrantAllScopes (19409b4)
• Increase timeout for conformity (a65d289)
• Oidc conformity tests should run as workflow dispatch (5b8fa0a)
• Refactor client credential tests (b74cffa)
• Refactor consent logout tests and add failing case (ef12c06)
• Refactor oauth2 auth code tests (c376473)
• Resolve conformity test suite concurrency issues (ef312c3)
• Resolve e2e startup issues (5af4cef)
• Resolve e2e test failures (03f5e8e)
• Resolve failing rotation key tests (8e8b943)
• Resolve flaky test issue (e17a074)
• Resolve incorrect retry loop (ef141c2)
• Retry conformity failures (409ae42)
• Retry interrupted tests (c72367b)
• Skip preloading in migration tests (14272f2)
• Update config to pass validation (6931461)
• Use 16 workers for conformance (9cf0e65)
• Use correct test context (45bc907)
• Use prebuilt images for conformity testing (4dd7a62)

Unclassified

• Format (5f08ff2)

BREAKING CHANGES

• After battling with spf13/viper for several years we finally found a viable alternative with knadh/koanf. The complete internal configuration infrastructure has changed, with several highlights:

1. Configuration sourcing works from all sources (file, env, cli flags) with validation against the configuration schema, greatly improving developer experience when changing or updating configuration.
2. Configuration reloading has improved significantly and works flawlessly on Kubernetes.
3. Performance increased dramatically, completely removing the need for a cache layer between the configuration system and ORY Hydra.
4. It is now possible to load several config files using the --config flag.
5. Configuration values are now sent to the tracer (e.g. Jaeger) if tracing is enabled.

Please be aware that deprecated configuration flags have finally been removed with this change. It is also possible that ORY Hydra might complain about an invalid configuration, because the validation process has improved significantly.

• This patch requires running SQL Migrations. Please be aware that a NOT NULL column is being dropped which could require a lot of time when the authentication_session table contains a lot of data.
• This patch removes error_hint and error_debug fields from OAuth2 responses. These are now all merged into error_description which is according to the OAuth2 and OpenID Connect specification. If you wish to keep the old behavior around, set oauth2.include_legacy_error_fields to true in your ORY Hydra configuration.
• Applying this patch requires running SQL migrations. The SQL migrations will remove a UNIQUE constraint and add new INDEX to several tables which should speed up certain operations. Please be aware that this might cause certain databases to lock which could be problematic if there are many rows affected.
• This changes the OAuth2 Token Introspection response to ensure compliance with the OAuth2 Token Introspection specification. Previously, token_type would return access_token or refresh_token. The specification however mandates that token_type is always Bearer. This patch resolves that issue. The previous behaviour of token_type has now been moved to token_use which can be access_token or refresh_token.

Changelog

d849bd5 autogen(docs): generate and format documentation
eb0baa2 autogen(docs): generate and format documentation
2d54c1e autogen(docs): generate and format documentation
14577a0 autogen(docs): generate and format documentation
450d69b autogen(docs): generate and format documentation
af4b011 autogen(docs): generate and format documentation
a84a34c autogen(docs): generate and format documentation
a45b64d autogen(docs): generate and format documentation
f7bed35 autogen(docs): generate and format documentation
876cd96 autogen(docs): generate and format documentation
6529d51 autogen(docs): generate and format documentation
b569aca autogen(docs): generate and format documentation
7390886 autogen(docs): generate and format documentation
23d6a02 autogen(docs): generate and format documentation
2be5283 autogen(docs): generate and format documentation
f267f72 autogen(docs): generate and format documentation
c56ff71 autogen(docs): generate and format documentation
a0db388 autogen(docs): generate and format documentation
ddee4ea autogen(docs): generate and format documentation
97b1663 autogen(docs): generate cli docs
05be6b8 autogen(docs): regenerate and update changelog
7a4d972 autogen(docs): regenerate and update changelog
45674ca autogen(docs): regenerate and update changelog
c4591ca autogen(docs): regenerate and update changelog
e46b9d0 autogen(docs): regenerate and update changelog
fd5729d autogen(docs): regenerate and update changelog
81076b9 autogen(docs): regenerate and update changelog
84230bf autogen(docs): update milestone document
1d7e7a2 autogen(docs): update milestone document
6da7cf4 autogen(docs): update milestone document
95e41ca autogen(docs): update milestone document
3f8ea20 autogen(docs): update milestone document
ec237ab autogen(docs): update milestone document
de0db90 autogen(docs): update milestone document
c345b41 autogen(docs): update milestone document
7b5d613 autogen(docs): update milestone document
6d0861c autogen(docs): update milestone document
c2e6251 autogen(docs): update milestone document
de5d09a autogen(docs): update milestone document
906ad87 autogen(docs): update milestone document
94c937c autogen(openapi): Regenerate swagger spec and internal client
91e0396 autogen: add v1.9.0-alpha.2 to version.schema.json
05809d2 autogen: pin v1.9.0-alpha.3 release commit
e602dcf autogen: pin v1.9.0-alpha.3.pre.0 release commit
b6f49cd autogen: pin v1.9.0-alpha.3.pre.1 release commit
959aa93 autogen: pin v1.9.0-alpha.3.pre.2 release commit
eff69fb autogen: pin v1.9.0-alpha.3.pre.3 release commit
ec7d987 autogen: pin v1.9.0-alpha.3.pre.4 release commit
e972bcb chore: apply ory-prettier-styles to cypress tests (#2179)
ee1f3cb chore: clean up code base
3e6c8d2 chore: clean up test code
428df22 chore: clean up viper mentions
755b12d chore: format docs according to upgraded prettier styles
2c883f6 chore: style and install
2dd80fe chore: update docusaurus template
f5291a8 chore: update docusaurus template
ddfcd27 chore: update docusaurus template (#2162)
caa1117 chore: update docusaurus template (#2174)
775c8c7 chore: update docusaurus template (#2177)
88ddd90 chore: update docusaurus template (#2178)
71ca67b chore: update docusaurus template (#2185)
1169bd5 chore: update docusaurus template (#2186)
9f037ac chore: update docusaurus template (#2189)
99ca515 chore: update docusaurus template (#2196)
1fc4f43 chore: update docusaurus template (#2198)
781201f chore: update docusaurus template (#2201)
e28d99b chore: update docusaurus template (#2202)
697f4f8 chore: update docusaurus template (#2203)
7f07323 chore: update docusaurus template (#2205)
d37c1ed chore: update docusaurus template (#2210)
cebdd4a chore: update docusaurus template (#2212)
2ecb2d8 chore: update docusaurus template (#2219)
415a279 chore: update docusaurus template (#2221)
dee7fe4 chore: update docusaurus template (#2223)
6f4b26e chore: update docusaurus template (#2225)
396ca19 chore: update package locks
8b4628e chore: update repository templates (#2176)
2dc526d chore: update repository templates (#2190)
ccfbf96 chore: update repository templates (#2197)
f6d0222 chore: update repository templates (#2199)
76e31f1 ci: do not require validation
c9cc7d4 ci: improve docs release config
3c696c4 ci: increase parallelism
98d1a8c ci: pin exact prettier version
c53f036 docs: add config debug section
21f3b1f docs: add contributing to sidebar (#2209)
5b63aa4 docs: add newsletter banner
d4aa981 docs: add quickstart video (#2220)
e7eece2 docs: bcrypt reference config (#2161)
25e96e2 docs: deps are installed automagically and make deps was removed (#2157)
d9d719a docs: fix omissions in consent flow description (#2194)
1128cfc docs: minor improvements to the concepts/consent page (#2168)
409f2f4 docs: update links and fix typos (#2169)
ee4a9ed docs: update toc (#2158)
51c0874 docs: use codefromremote for consent samples
568434a feat: Only set state-param if it was passed (#2183)
bb8b982 feat: add ability to override oidc discovery urls
4220959 feat: add new request_object_signing_alg_values_supported to oidc discovery
651f424 feat: add oidc conformity tests
7792715 feat: add support for ElasticAPM tracing (#2155)
b727367 feat: improve and clean up error handling
44ab747 feat: improve error responses for consent handler
fdf142c feat: improve error stack trace wrapping
e2a7135 feat: remove legacy error fields unless configured to do so
8ab9eff feat: support OpenID Connect's response_mode=form_post
07a360e feat: support pkger
3219c16 fix: add encrypt_at_rest option to config schema
d0697fa fix: add required aud, jti claims to userinfo response
02a9137 fix: add standardized client registration errors
edc54c2 fix: allow all request object signing algs per default
812a21c fix: allow lower bcrypt values and add tests
b59bdf8 fix: document describe error (#2208)
e973ffe fix: ensure consistent auth_time in session handling
ae02706 fix: increase parallelism to 4
206d1ee fix: mark false gosec positive
c708ada fix: nonce is not required for hybrid flows
5ebd984 fix: quickstart yml
4495f56 fix: remove session from store on logout
a583d78 fix: remove unrelated quickstart entry (#2214)
a8ca333 fix: request_id should not be unique
95a1dfb fix: resolve broken quickstart
1c1433a fix: update deprecated config in quickstart
8d076a5 fix: update invalid quickstart config
18bfc96 fix: update package lock
29763c8 fix: update schema to support new koanf
8fc3e2e refactor: deprecate driver semantics
3beddbd refactor: move oauth2 cors to own package
152fd5d refactor: rename token_type to token_use in introspection
8c12b27 refactor: replace viper with koanf config management
9ccf762 style: format
0a801dc style: format
251f9dc style: format cypress files
5f08ff2 styles: format
90dfaf5 test: add timeout to wait
defc063 test: completely refactor consent tests
1b480d8 test: fix jwt e2e tests
19409b4 test: improve TestClientCredentialsGrantAllScopes
1015e49 test: improve github action conformity tests
a65d289 test: increase timeout for conformity
5b8fa0a test: oidc conformity tests should run as workflow dispatch
b74cffa test: refactor client credential tests
ef12c06 test: refactor consent logout tests and add failing case
c376473 test: refactor oauth2 auth code tests
ef312c3 test: resolve conformity test suite concurrency issues
5af4cef test: resolve e2e startup issues
03f5e8e test: resolve e2e test failures
8e8b943 test: resolve failing rotation key tests
e17a074 test: resolve flaky test issue
ef141c2 test: resolve incorrect retry loop
409ae42 test: retry conformity failures
c72367b test: retry interrupted tests
14272f2 test: skip preloading in migration tests
6931461 test: update config to pass validation
9cf0e65 test: use 16 workers for conformance
45bc907 test: use correct test context
4dd7a62 test: use prebuilt images for conformity testing

Docker images

• docker pull oryd/hydra:v1-alpine
• docker pull oryd/hydra:v1.9-alpine
• docker pull oryd/hydra:v1.9.0-alpine
• docker pull oryd/hydra:v1.9.0-alpha.3-alpine
• docker pull oryd/hydra:latest-alpine
• docker pull oryd/hydra:v1
• docker pull oryd/hydra:v1.9
• docker pull oryd/hydra:v1.9.0
• docker pull oryd/hydra:v1.9.0-alpha.3
• docker pull oryd/hydra:latest
• docker pull oryd/hydra:v1-sqlite
• docker pull oryd/hydra:v1.9-sqlite
• docker pull oryd/hydra:v1.9.0-sqlite
• docker pull oryd/hydra:v1.9.0-alpha.3-sqlite
• docker pull oryd/hydra:latest-sqlite