This milestone release impacts most of Ory’s installed base. While we are thrilled to unveil Ory Hydra 2.0, we would strongly suggest reading this document carefully and to the end.
Open Source software is not easy. Ory now provides the Ory OAuth2 & OpenID service on the Ory Network powered by Ory Hydra making this release a major event for Ory and the entire Ory Community.
Ory Hydra 2.0 is available now. Install the Ory CLI for the best developer experience.
bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory
sudo mv ./ory /usr/local/bin/
brew install ory/tap/cli
create a new project (you may also use Docker)
ory create project --name "Ory Hydra 2.0 Example"
project_id="{set to the id from output}"
and follow the quick & easy steps below.
Create an OAuth 2.0 Client, and run the OAuth 2.0 Client Credentials flow:
ory create oauth2-client --project $project_id \
--name "Client Credentials Demo" \
--grant-type client_credentials
client_id="{set to client id from output}"
client_secret="{set to client secret from output}"
ory perform client-credentials --client-id=$client_id --client-secret=$client_secret --project $project_id
access_token="{set to access token from output}"
ory introspect token $access_token --project $project_id
Try out the OAuth 2.0 Authorize Code grant right away!
By accepting permissions openid
and offline_access
at the consent screen, Ory refreshes and OpenID Connect ID token,
ory create oauth2-client --project $project_id \
--name "Authorize Code with OpenID Connect Demo" \
--grant-type authorization_code \
--response-type code \
--redirect-uri ttp://127.0.0.1:4446/callback
code_client_id="{set to client id from output}"
code_client_secret="{set to client secret from output}"
ory perform authorization-code \
--project $project_id \
--client-id $code_client_id \
--client-secret $code_client_secret
code_access_token="{set to access token from output}"
ory introspect token $code_access_token --project $project_id
What's changed in Ory Hydra 2.0?
OAuth 2.0 Token Exchange (RFC8693) is now fully supported, including the JSON Web Token profile!
Ory Identities is now compatible with the Ory OAuth2 Login and Consent Flow. This means, for example, that Ory Kratos can be the login provider for Ory Hydra with a bit of configuration.
The Ory Network enables has this integration as a default.
Ory Hydra 2.0 now natively supports key types such as ES256 for signing ID Tokens and OAuth 2.0 Access Tokens in JWT format.
Additionally, the key naming mechanism was updated to conform with industry best practices.
Ory Hydra 2.0 ships a complete refactoring of the internal database structure, reducing database storage at scale and optimizing query performance.
All primary keys are now UUIDs to avoid hotspots in distributed systems. Please note that as part of this change it is no longer possible to choose the OAuth 2.0 Client ID. Instead, Ory chooses the best-performing ID format for the petabyte scale.
Ory chose to denormalize tables that had a negative performance impact due to excessive JOIN statements.
Using BCrypt as the primary hashing algorithm for OAuth 2.0 Client Secrets creates excessive CPU consumption at scale. OAuth 2.0 Client Secrets are auto-generated in Ory Hydra 2.x, removing the need for excessive hashing costs.
The new PKBDF2 hasher can be fine-tuned to support hashing at scale without a significant threat model impact.
This section only applies in scenarios where Ory Hydra is working in a do-it-yourself fashion e.g. on Docker. An Ory Hydra 2.0 compatible service is already available on the Ory Network.
The database schema changed significantly from the previous structure. Please be aware that there might be a period where the database tables will be locked for writes while the upgrade runs.
A full backup of the database before upgrading is essential! We recommend trying out the upgrade on a copy of a production database first.
To run the SQL migrations using:
hydra migrate sql $DSN
Ory Hydra 1.x is a crucial service at Ory. Version 2.0 streamlines the APIs and SDKs to follow Ory API’s semantics and specification.
To better support TB-scale environments, the OAuth2 Client HTTP API's query
parameters for pagination have changed from limit
and offset
to page_token
and page_size
. The page_token
is an opaque string contained in the HTTP
Link
Header, which expresses the next, previous, first, and last page.
Administrative endpoints now have an /admin
prefix (e.g. POST /admin/keys
instead of POST /keys
). Existing administrative endpoints will redirect to this new prefixed path for backward compatibility.
HTTP endpoint /oauth2/flush
, used to flush inactive access tokens was deprecated and has been removed. Please use hydra janitor
instead.
To conform with the Ory V1 SDK, several SDK methods and payloads were renamed. Please check the CHANGELOG for a complete list of changes.
The iss
(issuer) value no longer appends a trailing slash but instead uses the raw value set in the config.
Setting
urls:
self:
issuer: https://auth.example.com
has changed
- "iss": "https://auth.example.com/"
+ "iss": "https://auth.example.com"
To set a trailing slash make sure to set it in the config value:
urls:
self:
issuer: https://auth.example.com/
Flags --dangerous-allow-insecure-redirect-url
and --dangerous-force-http
have been removed. Use the --dev
flag instead to denote a development environment with reduced security restrictions.
We now recommend using the Ory CLI to manage OAuth2 resources. As part of this restructuring, some of the commands were renamed. Here are some examples:
- hydra client create
+ ory create oauth2-client
- hydra clients list
+ ory list oauth2-clients
Additionally, array arguments now use the singular form:
hydra create client \
- --redirect-uris foo --redirect-uris bar \
+ --redirect-uri foo --redirect-uri bar \
- --grant-types foo --grant-types bar \
+ --grant-type foo --grant-type bar \
- --response-types foo --response-types bar \
+ --response-type foo --response-type bar \
- --allowed-cors-origins foo --allowed-cors-origins bar \
+ --allowed-cors-origin foo --allowed-cors-origin bar \
- --post-logout-callbacks foo --post-logout-callbacks bar \
+ --post-logout-callback foo --post-logout-callback bar
To manage resources in a do-it-yourself installation, continue using the hydra
CLI.
Please check the CHANGELOG for a complete list of changes.
Ory Hydra 2.0 ships with support for OpenTelemetry. The previous telemetry solution using OpenTracing format is deprecated with this release.
Breaking Changes
SDK naming has changed for the following operations:
ory.
- V0alpha2Api.AdminDeleteOAuth2Token(context.Background()).
+ OAuth2Api.DeleteOAuth2Token(context.Background()).
ClientId("foobar").Execute()
ory.
- V0alpha2Api.RevokeOAuth2Token(
+ OAuth2Api.RevokeOAuth2Token(
context.WithValue(context.Background(), sdk.ContextBasicAuth, sdk.BasicAuth{
UserName: clientID,
Password: clientSecret,
})).Token(token).Execute()
ory.
- V0alpha2Api.AdminIntrospectOAuth2Token(context.Background()).
+ OAuth2Api.IntrospectOAuth2Token(context.Background()).
Token(token).
Scope("foo bar")).Execute()
SDK naming has changed for the following operations:
ory.
- V0alpha2Api.DiscoverJsonWebKeys(context.Background()).
+ WellknownApi.DiscoverJsonWebKeys(context.Background()).
Execute()
ory.
- V0alpha2Api.AdminGetJsonWebKeySet(context.Background(), setID).
+ JwkApi.GetJsonWebKeySet(context.Background(), setID).
Execute()
ory.
- V0alpha2Api.AdminGetJsonWebKey(context.Background(), setID, keyID).
+ JwkApi.GetJsonWebKey(context.Background(), setID, keyID).
Execute()
ory.
- V0alpha2Api.AdminCreateJsonWebKeySet(context.Background(), setID).
- AdminCreateJsonWebKeySetBody(hydra.AdminCreateJsonWebKeySetBody{
- Alg: "RS256",
- Use: "sig",
+ JwkApi.CreateJsonWebKeySet(context.Background(), setID).
+ CreateJsonWebKeySet(hydra.CreateJsonWebKeySet{
+ Alg: "RS256",
+ Use: "sig",
}).Execute()
ory.
- V0alpha2Api.AdminUpdateJsonWebKey(context.Background(), setID, keyID).
+ JwkApi.SetJsonWebKey(context.Background(), setID, keyID).
JsonWebKey(jsonWebKey).Execute()
ory.
- V0alpha2Api.AdminUpdateJsonWebKeySet(context.Background(), setID).
+ JwkApi.SetJsonWebKeySet(context.Background(), setID).
JsonWebKeySet(jsonWebKeySet).Execute()
ory.
- V0alpha2Api.AdminDeleteJsonWebKey(context.Background(), setID, keyID).
JwkApi.DeleteJsonWebKey(context.Background(), setID, keyID).
Execute()
ory.
- V0alpha2Api.AdminDeleteJsonWebKeySet(context.Background(), setID).
JwkApi.DeleteJsonWebKeySet(context.Background(), setID).
Execute()
SDK naming has changed for the following operations:
ory.
- V0alpha2Api.DiscoverJsonWebKeys(context.Background()).
+ WellknownApi.DiscoverJsonWebKeys(context.Background()).
Execute()
ory.
- V0alpha2Api.AdminGetJsonWebKeySet(context.Background(), setID).
+ JwkApi.GetJsonWebKeySet(context.Background(), setID).
Execute()
ory.
- V0alpha2Api.AdminGetJsonWebKey(context.Background(), setID, keyID).
+ JwkApi.GetJsonWebKey(context.Background(), setID, keyID).
Execute()
ory.
- V0alpha2Api.AdminCreateJsonWebKeySet(context.Background(), setID).
- AdminCreateJsonWebKeySetBody(hydra.AdminCreateJsonWebKeySetBody{
- Alg: "RS256",
- Use: "sig",
+ JwkApi.CreateJsonWebKeySet(context.Background(), setID).
+ CreateJsonWebKeySet(hydra.CreateJsonWebKeySet{
+ Alg: "RS256",
+ Use: "sig",
}).Execute()
ory.
- V0alpha2Api.AdminUpdateJsonWebKey(context.Background(), setID, keyID).
+ JwkApi.SetJsonWebKey(context.Background(), setID, keyID).
JsonWebKey(jsonWebKey).Execute()
ory.
- V0alpha2Api.AdminUpdateJsonWebKeySet(context.Background(), setID).
+ JwkApi.SetJsonWebKeySet(context.Background(), setID).
JsonWebKeySet(jsonWebKeySet).Execute()
ory.
- V0alpha2Api.AdminDeleteJsonWebKey(context.Background(), setID, keyID).
JwkApi.DeleteJsonWebKey(context.Background(), setID, keyID).
Execute()
ory.
- V0alpha2Api.AdminDeleteJsonWebKeySet(context.Background(), setID).
JwkApi.DeleteJsonWebKeySet(context.Background(), setID).
Execute()
SDK naming has changed for the following operations:
ory.
- V0alpha2Api.AdminRevokeOAuth2ConsentSessions(cmd.Context()).
+ OAuth2Api.RevokeOAuth2ConsentSessions(context.Background()).
Client(clientId).Execute()
ory.
- V0alpha2Api.AdminListOAuth2SubjectConsentSessions(cmd.Context(), id).
+ OAuth2Api.RevokeOAuth2ConsentSessions(context.Background()).
Client(clientId).Execute()
ory.
- V0alpha2Api.AdminListOAuth2SubjectConsentSessions(context.Background()).
+ OAuth2Api.ListOAuth2ConsentSessions(context.Background()).
Subject(subjectId).Execute()
ory.
- V0alpha2Api.AdminRevokeOAuth2LoginSessions(context.Background()).
+ OAuth2Api.RevokeOAuth2LoginSessions(context.Background()).
Subject(subjectId).Execute()
ory.
- V0alpha2Api.AdminGetOAuth2LoginRequest(context.Background()).
+ OAuth2Api.GetOAuth2LoginRequest(context.Background()).
LoginChallenge(challenge).Execute()
ory.
- V0alpha2Api.AdminAcceptOAuth2LoginRequest(context.Background()).
+ OAuth2Api.AcceptOAuth2LoginRequest(context.Background()).
AcceptOAuth2LoginRequest(body).
LoginChallenge(challenge).Execute()
ory.
- V0alpha2Api.AdminRejectOAuth2LoginRequest(context.Background()).
+ OAuth2Api.RejectOAuth2LoginRequest(context.Background()).
RejectOAuth2Request(body).
LoginChallenge(challenge).Execute()
ory.
- V0alpha2Api.AdminGetOAuth2ConsentRequest(context.Background()).
+ OAuth2Api.GetOAuth2ConsentRequest(context.Background()).
ConsentChallenge(challenge).Execute()
ory.
- V0alpha2Api.AdminAcceptOAuth2ConsentRequest(context.Background()).
+ OAuth2Api.AcceptOAuth2ConsentRequest(context.Background()).
AcceptOAuth2ConsentRequest(body).
ConsentChallenge(challenge).Execute()
ory.
- V0alpha2Api.AdminRejectOAuth2ConsentRequest(context.Background()).
+ OAuth2Api.RejectOAuth2ConsentRequest(context.Background()).
RejectOAuth2Request().
ConsentChallenge(challenge).Execute()
ory.
- V0alpha2Api.AdminAcceptOAuth2LogoutRequest(context.Background()).
+ OAuth2Api.AcceptOAuth2LogoutRequest(context.Background()).
LogoutChallenge(challenge).
Execute()
ory.
- V0alpha2Api.AdminRejectOAuth2LogoutRequest(context.Background()).
+ OAuth2Api.RejectOAuth2LogoutRequest(context.Background()).
LogoutChallenge(challenge).
Execute()
ory.
V0alpha2Api.AdminGetOAuth2LogoutRequest(context.Background()).
+ OAuth2Api.GetOAuth2LogoutRequest(context.Background()).
LogoutChallenge(challenge).
Execute()
- var AlreadyHandledError HandledOAuth2LoginRequest
+ var AlreadyHandledError ErrorOAuth2LoginRequestAlreadyHandled
- var AlreadyHandledError HandledOAuth2LoginRequest
+ var AlreadyHandledError ErrorOAuth2ConsentRequestAlreadyHandled
- var OAuth2SuccessResponse SuccessfulOAuth2RequestResponse
+ var OAuth2SuccessResponse OAuth2RedirectTo
Error models in the generated SDK have been renamed:
- oAuth2ApiError
+ errorOAuth2
The SDK API for the following has changed:
// Go example
ory.
- V0alpha2Api.AdminUpdateOAuth2Client(cmd.Context(), id)
+ Oauth2Api.SetOAuth2Client(cmd.Context(), id).
OAuth2Client(client).Execute()
ory.
- V0alpha2Api.AdminGetOAuth2Client(cmd.Context(), id).
+ Oauth2Api.GetOAuth2Client(cmd.Context(), id).
Execute()
ory.
- V0alpha2Api.AdminDeleteOAuth2Client(cmd.Context(), id).
+ Oauth2Api.DeleteOAuth2Client(cmd.Context(), id).
Execute()
ory.
- V0alpha2Api.AdminCreateOAuth2Client(cmd.Context()).
+ Oauth2Api.CreateOAuth2Client(cmd.Context()).
OAuth2Client(client).Execute()
ory.
- V0alpha2Api.DynamicClientRegistrationGetOAuth2Client(cmd.Context(), id).
+ OidcApi.GetOidcDynamicClient(cmd.Context(), id).
Execute()
ory.
- V0alpha2Api.DynamicClientRegistrationGetOAuth2Client(cmd.Context()).
+ OidcApi.CreateOidcDynamicClient(cmd.Context()).
OAuth2Client(client).Execute()
ory.
- V0alpha2Api.DynamicClientRegistrationDeleteOAuth2Client(cmd.Context()).
+ OidcApi.DeleteOidcDynamicClient(cmd.Context()).
OAuth2Client(client).Execute()
ory.
- V0alpha2Api.DynamicClientRegistrationUpdateOAuth2Client(cmd.Context(), id).
+ OidcApi.SetOidcDynamicClient(cmd.Context(), id).
Execute()
We removed compatibility with unsupported database versions (e.g. MySQL 5.6). Ory Hydra v2.x is now compatible with MySQL 8.0.13+, PostgreSQL 11.8+, CockroachDB v22.1.2+.
Configuration keys have changed:
serve: {
public: {
- access_log: {
+ request_log: {
disable_for_health: true
},
},
admin: {
- access_log: {
+ request_log: {
disable_for_health: true
},
}
}
Rename SDK method from deleteOAuth2Token
to adminDeleteOAuth2Token
.
Rename SDK method from oauth2Token
to performOAuth2TokenFlow
.
Rename SDK method from introspectOAuth2Token
to adminIntrospectOAuth2Token
.
Rename SDK method from userinfo
to getOidcUserInfo
.
Rename SDK method from discoverOpenIDConfiguration
to discoverOidcConfiguration
.
Rename SDK method from listTrustedJwtGrantIssuers
to adminListTrustedOAuth2JwtGrantIssuers
.
Rename SDK method from deleteTrustedJwtGrantIssuer
to adminDeleteTrustedOAuth2JwtGrantIssuer
.
Rename SDK method from getTrustedJwtGrantIssuer
to adminGetTrustedOAuth2JwtGrantIssuer
.
Rename SDK method from trustJwtGrantIssuer
to adminTrustOAuth2JwtGrantIssuer
.
Rename SDK method from rejectLogoutRequest
to adminRejectOAuth2LogoutRequest
.
Rename SDK method from rejectConsentRequest
to rejectOAuth2ConsentRequest
.
Rename SDK method from acceptConsentRequest
to adminAcceptOAuth2ConsentRequest
.
Rename SDK method from getOAuth2ConsentRequest
to adminGetOAuth2ConsentRequest
.
Rename SDK method from rejectLoginRequest
to rejectOAuth2LoginRequest
.
Rename SDK method from acceptLoginRequest
to adminAcceptOAuth2LoginRequest
.
Rename SDK method from getLoginRequest
to adminGetOAuth2LoginRequest
.
Rename SDK method from revokeAuthenticationSession
to adminRevokeOAuth2LoginSessions
.
Rename SDK method from adminListSubjectConsentSessions
to adminListOAuth2SubjectConsentSessions
.
Rename SDK method from revokeConsentSessions
to adminRevokeOAuth2ConsentSessions
This release updates SDK services from public
and admin
to v2
. Methods exposed at the admin interface are now prefixed with admin
(e.g. adminCreateJsonWebKeySet
). Administrative endpoints now have an /admin
prefix (e.g. POST /admin/keys
). Existing administrative endpoints will redirect to this new prefixed path for backwards compatibility.
This release updates SDK services from public
and admin
to v2
. Methods exposed at the admin interface are now prefixed with admin
(e.g. adminCreateOAuth2Client
). Administrative endpoints now have an /admin
prefix (e.g. POST /admin/clients
). Existing administrative endpoints will redirect to this new prefixed path for backwards compatibility.
The default names of cookies have changed:
- oauth2_authentication_csrf
+ ory_hydra_login_csrf
- oauth2_consent_csrf
+ ory_hydra_consent_csrf
- oauth2_authentication_session
+ ory_hydra_session
Use the new configuration option to change the cookie names back to v1.x if required.
CLI flag --dangerous-force-http
has been removed. Please use the --dev
flag instead!
CLI flag --dangerous-allow-insecure-redirect-url
has been removed. Please use the --dev
flag instead!
The hydra token revoke
command has been renamed to hydra revoke token
and now supports structured output (JSON, tables, ...).
The hydra token introspect
command has been renamed to hydra introspect token
and now supports structured output (JSON, tables, ...).
The hydra token delete
command has been renamed to hydra delete access-tokens
and now supports structured output (JSON, tables, ...).
The hydra token client
command has been renamed to hydra perform client-credentials
and now supports structured output (JSON, tables, ...).
The hydra keys create|delete|get|import
commands have changed to follow other Ory project's guidelines, including structured output and improved handling. They are now:
hydra create jwks
hydra get jwks
hydra delete jwks
hydra import jwk
Please head over to the documentation for more information or use the --help
CLI flag for each command.
HTTP endpoint /oauth2/flush
, used to flush inactive access token was deprecated and has been removed. Please use hydra janitor
instead.
Command hydra clients import
is now hydra import client
.
Command hydra clients update
is now hydra update client
. Additionally, all flags are now singular:
hydra update client [client-id] \
- --redirect-uris foo --redirect-uris bar \
+ --redirect-uri foo --redirect-uri bar \
- --grant-types foo --grant-types bar \
+ --grant-type foo --grant-type bar \
- --response-types foo --response-types bar \
+ --response-type foo --response-type bar \
- --allowed-cors-origins foo --allowed-cors-origins bar \
+ --allowed-cors-origin foo --allowed-cors-origin bar \
- --post-logout-callbacks foo --post-logout-callbacks bar \
+ --post-logout-callback foo --post-logout-callback bar
To better support TB-scale environments, the OAuth2 Client HTTP API's query parameters for pagination have changed from limit
and offset
to page_token
and page_size
. The page_token
is an opaque string contained in the HTTP Link
Header, which expresses the next, previous, first, and last page.
Command hydra clients list
is now hydra list client
. Please notice that the pagination flags have changed to --page-token
and page-size
!
Command hydra clients delete
is now hydra delete client
.
Command hydra clients get
is now hydra get client
.
Command hydra clients create
is now hydra create client
. Additionally, all flags are now singular:
hydra create client \
- --redirect-uris foo --redirect-uris bar \
+ --redirect-uri foo --redirect-uri bar \
- --grant-types foo --grant-types bar \
+ --grant-type foo --grant-type bar \
- --response-types foo --response-types bar \
+ --response-type foo --response-type bar \
- --allowed-cors-origins foo --allowed-cors-origins bar \
+ --allowed-cors-origin foo --allowed-cors-origin bar \
- --post-logout-callbacks foo --post-logout-callbacks bar \
+ --post-logout-callback foo --post-logout-callback bar
This change is backwards compatible, but changes the default hashing algorithm to PBKDF2. To keep using BCrypt for hashing new OAuth2 Client Secrets set the following configuration option in your configuration file:
oauth2:
hashers:
algorithm: bcrypt
To improve security and scalability (in particular sharding), OAuth 2.0 Client IDs can no longer be chosen but are always assigned a random generated UUID V4. OAuth 2.0 Clients created with custom IDs before the v2.0 release will continue working with their legacy Client ID in Ory Hydra v2.x.
Additionally, the hydra create client
command no longer supports flag --id
and flag --callbacks
has been renamed to --redirect-uris
.
The iss
(issuer) value no longer appends a trailing slash but instead uses the raw value set in the config.
Setting
urls:
self:
issuer: https://auth.example.com
has changed
- "iss": "https://auth.example.com/"
+ "iss": "https://auth.example.com"
To set a trailing slash make sure to set it in the config value:
urls:
self:
issuer: https://auth.example.com/
SDK object PatchDocument
was renamed to JsonPatchDocument
.
TLS is no longer enabled by default. We want to make deployments behind TLS termination easier. To expose Ory Hydra directly to the public internet, configure keys serve.<public|admin>.tls
.
JSON Web Keys are no longer prefixed with public
or private
. This affects keys generated in Ory Hydra after upgrading to this patch. Existing keys are unaffected by this.
OAuth2 errors can no longer be returned in the legacy error format. Essentially, fields error_hint
, error_debug
have been removed. Option oauth2.include_legacy_error_fields
has been removed.
The HS512 and HS256 JSON Web Key generators has been removed. It is now only possible to generate asymmetric keys in Ory Hydra. It will still be possible to save HS512 or HS256 keys.
if using MySQL, hydra_jwk/kid and hydra_oauth2_trusted_jwt_bearer_issuer/key_id may only contain ascii/utf-8 symbols 0-127
Encode MySQL columns hydra_oauth2_trusted_jwt_bearer_issuer/key_id and hydra_jwk/kid in ascii as
a workaround for the 3072-byte index entry size limit1.
Signed-off-by: Grant Zvolsky grant@zvolsky.org
This patch merges four SQL Tables into a new table, deleting the old tables in the process. The migrations in this patch are expected to be applied offline. Please be aware that there are no down migrations, and if something goes wrong, data loss is possible. Always back up your database before applying migrations. For more information, see Hydra 2.x Migration Guide.
Rows with NULL login_challenge in hydra_oauth2_consent_request
and corresponding hydra_oauth2_consent_request_handled
are deleted as a side effect of the merge migration. This is done with the assumption that only a very small number of sessions, issued by pre-1.0 Hydra, will be affected. Please contact us if this assumption doesn't apply or if the deletion adversely affects your deployment.
Signed-off-by: Grant Zvolsky grant@zvolsky.org
Bug Fixes
-
Add CORS to public health handler (#3114) (02c6d5d):
Co-authored-by: Reaper barelyhuman@users.noreply.github.com
Co-authored-by: Patrik zepatrik@users.noreply.github.com
Co-authored-by: Alano Terblanche Benehiko@users.noreply.github.com
Co-authored-by: Reaper barelyhuman@users.noreply.github.com -
Add json1 tag everywhere (dd1d733)
-
Add missing down migrations (a98c067)
-
Allow retries of unused login & consent requests (51a586b), closes #2914 #3085 #2824
-
Cache migration status (7e25fdb)
-
cli: Output format issues (fe3c899)
-
Cockroach migration fixes (7bed244)
-
Compile errors (d1f5a0e)
-
Compile issue (83983c2)
-
Compile issues (68cb7d5)
-
Conditionals in db-diff (a006b04)
-
config: Add default to supported types. (f4812c8)
-
config: Correct salt detection (2b6350c)
-
config: Disallow additional properties (9022769)
-
config: Support number (ab6a9ee)
-
ConfirmLoginSession, missing FKs; add tests (1f7bf40)
-
Conformity health check (e163c80)
-
Consistently use RS256 in hot reloading (6376135)
-
Default back to RS256 keys (891fb55)
-
Disable NID tests with HSM enabled (142cd13):
We currently don't support NID isolation in combination with HSM.
-
Docker image build (1d8a8ff)
-
Docker instructions (063f61b)
-
Dont close crdb for reuse purposes (11587ae)
-
Fix hydra_client pk change mysql down migration (#2791) (560acce)
-
Fix unbatched select in flushInactiveTokens (a5cc6ea):
chore: code review
chore: format
don't delete more tokens than expected.
correct test.
add nid in flush tokens.
-
Handle server error when refresh token requests come same time (#3207) (b0196c0)
-
Hsm compile issues (8571a67)
-
HSM test (ca748a1)
-
hsm: Public key extraction (57cf46c)
-
hsm: Public key extraction everywhere (c9c2e01)
-
Ignore cypress screenshots in git (668a319)
-
Improve duration pattern (6c8dda8)
-
Improve health check reporting (1bd0c52)
-
Improve jwk generator defaults (ece5ca6)
-
Improve lazy initialization of JWKs (8cffc5b)
-
Improve migration status speed (1a4abd6)
-
Improve time validation (b32ff33)
-
Incorrect queries (255b4e2)
-
jwk: Expose correct metadata algorithms (0a786b7)
-
Lazy load PKI (d65aa3a)
-
Lint issues (72a5cd8)
-
Make servicelocator explicit (3a26385)
-
Move to v0alpha2 api spec (a364db4)
-
Mysql slice delete (c56b958):
- Add a workaround for mysql slice delete
- Optimize logout verification (save 1 db rountrip)
- Update a test to use StaticContextualizer & revert CleanAndMigrate workaround
- Ensure a Client generated with faker satisfies the DB schema
- Remove unused argument from HandleConsentRequest
-
mysql: Fix mysql key too long error (ba16958)
-
oauth2: Incorrect TTL override (7893a98)
-
Optimise sql update to avoid redundant writes (#3289) (1aa6cc4), closes #3137:
The SQL update here would potentially update a lot of rows, which did not need updating. In some DB engines, this would not be an issue, because the redundant writes are ignored. But on PostgreSQL engines, it is another story; here it would actually carry out the writes, leading to a potentially high number of redundant iops when the engine is vaccuming outdated records. With this change, the SQL update will only affect the rows which is not in the desired state already.
-
Pop compile issue (3e7b6b4)
-
Prefix paths correctly with /admin (e130dfa)
-
Regression in database layer (1d78e79)
-
Remove deprecated config value (8994190)
-
Remove goswagger generated client (e2c8809)
-
Remove incorrect aliases (2a20080)
-
Remove obsolete type patches (e670d68)
-
Remove unnecessary load of TLS certificates at boot (13691d3)
-
Remove unused swagger struct (4ff0690)
-
Replace of consent session expires values (e1731ba)
-
Resolve a merge conflict in migration_test (#2811) (acb16c1)
-
Resolve conformance build issues (f6ee1d3)
-
Resolve internal SDK regressions (937e6ba)
-
Resolve merge conflicts (6eee09c)
-
Resolve migration regressions (5552e4d)
-
Resolve test issues and regressions introduced by the new JWK generator (77b1ac7)
-
Resolve token prefix regression (1fd6ea3)
-
Retry transient crdb transaction failures (f0f3139)
-
Revert latest docker image changes (#3286) (f2daa7d):
Closes #3285
-
Revert to normal crdb (c9a248d)
-
sdk: GenericError type (21c579a)
-
sdk: Make session uniquely named (468e27d)
-
sdk: Omit DefaultSession (954aa5f)
-
sdk: Remove pattern from scope parameter (1332fe6), closes #3142
-
sdk: Resolve type issues and regenerate SDK (6880fea)
-
sdk: Use correct struct for response (04b308f)
-
Speed up health checks (eafa2bb)
-
Support issuer with and without trailing slash (d746fa4), closes #1482
-
Update benchmark script (63a84de)
-
Use --yes flag in db-diff (36ddb61)
-
Use config func everywhere (d1af32d)
-
Use correct context (3ceefd7)
-
Use CreateWith (9fbbbdf)
-
Use StringSliceJSONFormat instead of StringSlicePipeDelimiter (#3112) (1d9891d):
Closes #2859
Code Generation
- Pin v2.0.0 release commit (4d83a28)
Code Refactoring
-
hydra keys
command (e466d7c) -
hydra token client
command (81e79f2) -
hydra token delete
command (aa338e1) -
hydra token introspect
command (da3e2b4) -
hydra token revoke
command (42e75c3) -
CLI environment variables
HYDRA_URL
has been renamed toORY_SDK_URL
(08bbbab):BREKAING CHANGE: To follow ecosystem convention, environment variables
HYDRA_URL
,HYDRA_ADMIN_URL
have been renamed toORY_SDK_URL
. -
client: Make OAuth2 Client IDs system-chosen and immutable (4002224), closes #2911
-
client: Rename SDK methods and introduce
/admin
prefix (0752721) -
client: Replace limit and offset parameters with page_token and page_size (23585b5)
-
consent: Rename SDK method from
acceptConsentRequest
toadminAcceptOAuth2ConsentRequest
(5885ab3) -
consent: Rename SDK method from
acceptLoginRequest
toadminAcceptOAuth2LoginRequest
(fa27d0c) -
consent: Rename SDK method from
adminListSubjectConsentSessions
toadminListOAuth2SubjectConsentSessions
(bb51ba0) -
consent: Rename SDK method from
getLoginRequest
toadminGetOAuth2LoginRequest
(9053040) -
consent: Rename SDK method from
getOAuth2ConsentRequest
toadminGetOAuth2ConsentRequest
(475efbc) -
consent: Rename SDK method from
rejectConsentRequest
torejectOAuth2ConsentRequest
(e0e3da9) -
consent: Rename SDK method from
rejectLoginRequest
torejectOAuth2LoginRequest
(37a8839) -
consent: Rename SDK method from
rejectLogoutRequest
toadminRejectOAuth2LogoutRequest
(cdffa1e) -
consent: Rename SDK method from
revokeAuthenticationSession
toadminRevokeOAuth2LoginSessions
(0a5ebe8) -
consent: Rename SDK method from
revokeConsentSessions
toadminRevokeOAuth2ConsentSessions
(1108409) -
Deprecate
--dangerous-allow-insecure-redirect-url
flag (46b5887) -
Deprecate
--dangerous-force-http
flag (062734e) -
Drop TLS by default (edb042e)
-
Environment variable
DATABASE_URL
has been deprecated (8023d2a) -
Finalize consent SDK methods (53d225a)
-
Generated UUID variant & version test (#2793) (697813e), closes #2792
-
Improve performance and reduce data use of consent persistence layer (#2836) (53862f2):
This patch changes the internal data structure and reduces four (sort of redundant) tables into one. As part of this change, a few new tools have been added:
-
Introduce the
hydra sql gen
command and a convenience Make target with autocompletion. The command reads migration templates from a source directory and produces migration files in a target directory. Its main function is to split a single source file into multiple files using split marks. -
Introduce the
hack/db-diff.sh
command to generate database schema diffs at different commits. This script is used to view and review the impact of migrations on the database schema.
-
-
jwk: No longer prefix keys with
public
orprivate
(5e2ea0b) -
jwk: Rename SDK methods and introduce
/admin
prefix (cd007bb) -
Make commands easier to consume (cc9d9e5)
-
oauth2: Clean up changes (c12b45c)
-
oauth2: Rename SDK method from
deleteOAuth2Token
toadminDeleteOAuth2Token
(ea4caf7) -
oauth2: Rename SDK method from
discoverOpenIDConfiguration
todiscoverOidcConfiguration
(df467a0) -
oauth2: Rename SDK method from
introspectOAuth2Token
toadminIntrospectOAuth2Token
(f2bd9a3) -
oauth2: Rename SDK method from
oauth2Token
toperformOAuth2TokenFlow
(51b58e7) -
oauth2: Rename SDK method from
userinfo
togetOidcUserInfo
(4e554e7) -
Remove
/oauth2/flush
endpoint (17c226c) -
Remove
oauth2.include_legacy_error_fields
config (148cadb) -
Remove HS512 and HS256 jwk key generator (5fb3049)
-
Rename
access_log
torequest_log
(223c8bc) -
Rename
hydra clients create
command (76eb93c):Renames the command to
hydra create client
and changes CLI flags. -
Rename
hydra clients delete
command (dea2fdd):Renames the command to
hydra delete client
and changes CLI flags. -
Rename
hydra clients get
command (edd4b43):Renames the command to
hydra get client
and changes CLI flags. -
Rename
hydra clients import
command (7de7841):The
hydra clients import
command now supports reading from STDIN as well as the file system, and ships with output formats such asjson
andjson-pretty
. -
Rename
hydra clients list
command (1c0f971):Renames the command to
hydra list client
and changes CLI flags. -
Rename
hydra clients update
command (7482b77) -
Replace custom key generator with jose key generator (d2d5512):
Closes #1825
-
sdk: Consent SDK (e800002)
-
sdk: JSON Web Key SDK API (06d565e)
-
sdk: OAuth 2.0 Trust Relationship SDK (b0a2b05)
-
sdk: OAuth2 SDK API (142b55f)
-
sdk: Rename errors (6b60156)
-
sdk: Rename oauth2 client operations and payloads (cb742ad)
-
sdk: Rename PatchDocument to JsonPatchDocument (a54ea69)
-
trust: Rename SDK method from
deleteTrustedJwtGrantIssuer
toadminDeleteTrustedOAuth2JwtGrantIssuer
(e0be7cf) -
trust: Rename SDK method from
getTrustedJwtGrantIssuer
toadminGetTrustedOAuth2JwtGrantIssuer
(210116e) -
trust: Rename SDK method from
listTrustedJwtGrantIssuers
toadminListTrustedOAuth2JwtGrantIssuers
(cb7b9e0) -
trust: Rename SDK method from
trustJwtGrantIssuer
toadminTrustOAuth2JwtGrantIssuer
(7edf8df)
Documentation
- Add required key to all versions in the version schema (#3233) (ac61740)
- Clarify command usage strings (34cde51)
- Remove mention of CircleCI (#3240) (75f7b50)
- Update config key descriptions (919170f)
Features
-
Add
db.ignore_unknown_table_columns
configuration property (#3192) (#3193) (5842946):The property allows to ignore scan errors when columns in the SQL result have no fields in the destination struct.
-
Add ability to allow token refresh from hook without overriding the session claims (#3146) (afa2ea0), closes #3082
-
Add new key
serve.public.tls.enabled
(ecacc6d) -
Add SQLite dependency to SQLite Dockerfile (#3282) (841a153)
-
Add tag descriptions (c111a4c)
-
Add token prefixes (60bab08), closes #2845:
This patch adds token prefixes to access tokens (
ory_at_
), refresh tokens (ory_rt_
), and authorize codes (ory_ac_
). Token prefixes are useful when scanning for secrets in e.g. git repositories. Token prefixes are only issued for non-JWTs. -
Allow config context (d894c97)
-
Better control for cookie secure flag (90d539f)
-
client: Respect ip restrictions in client validation (cafe89a)
-
cli: Improve migrate command handling (e252654)
-
cli: Significantly improved
create client
(bb9c8ba), closes #3091:This patch adds output formats to
hydra create client
and makes all client fields configurable as flags. -
Config hot reloading architecture (bbe0406)
-
Custom client token ttl (#3206) (9ef671f), closes #3157:
This change introduces a new endpoint that allows you to control how long client tokens last. Now you can configure the lifespan for each valid combination of Client, GrantType, and TokenType.
-
Deprecate autoincrement primary key in hydra_client (#2784) (6d01e2e), closes #2781
-
Deprecate autoincrement primary key in hydra_jwk (#2789) (b76a151), closes #2788
-
Implement NID (b7fc2bf)
-
Improve CLI messages (e934c4f)
-
Improve cloud cli compatibility (93a626d)
-
Improve cookie settings (9717cad)
-
Improve refresh token error messages (2769c9b)
-
Improved cookie controls (e7834ec):
New cookie configuration options have been introduced, allowing a higher degree of control:
serve: cookies: same_site_mode: Lax same_site_legacy_workaround: false domain: example.com names: login_csrf: ory_hydra_login_csrf consent_csrf: ory_hydra_consent_csrf session: ory_hydra_session
-
Make all ui urls relative (370a487)
-
Make CORS config hot reloadable (2d5c893)
-
Make perform commands ory cloud-able (954693f)
-
Pass options from root (2f91ef4)
-
Rebuild containers on start (5b616d8)
-
Replace hydra's transaction impl with ory/popx/transaction (77d8dac)
-
Respect local DNS restrictions (7eb1d1c)
-
sdk: Add missing bearer security definition (a85bc7a)
-
sdk: Type nulls (fe70395)
-
Support alternate hashing algorithms for client secrets (ddba42f), closes rfc6819#section-5 /datatracker.ietf.org/doc/html/rfc6819#section-5:
This patch adds support for hashing client secrets using pbkdf2 instead of bcrypt, which might be a more appropriate algorithm in certain settings. As we assume that most environments fall in this category, we also changed the default to pbkdf2 with 25.000 rounds (roughly 1-3ms per hash on an Apple M1 Max core).
High hash costs are needed when hashing user-chosen passwords, as users often reuse passwords across sites. A high hash cost will make it much harder for the attacker to guess the user-chosen password and try using it on other sites (e.g. Google).
As most client secrets are auto-generated, using high hash costs is not useful. The password (OAuth2 Client Secret) is not user chosen and unlikely to be reused. As such, there is little point in using excessive hash costs to protect users. High hash costs in a system like Ory Hydra will cause high CPU costs from mostly automated traffic (OAuth2 Client interactions). It has also been a point of critizism from some who wish for better RPS on specific endpoints.
Other systems like Keycloak do not hash client secrets at all, referencing more secure authentication mechanisms such as assertion-based client authentication.
-
Support ES256 for generating JWTs (9a080ad)
-
Tls on public port can now be configured without restrictions (73d9517)
-
Upgrade go-swagger (cce8d60)
Tests
- Add test for access token strategy (b4865dd)
- conformance: Add directory (f5d0885)
- conformity: Revert admin prefix (580f33b)
- conformity: Sdk regression (15f3cfc)
- e2e: Add trailing slash to issuer (fa23960)
- e2e: Fix build instructions (415658d)
- e2e: Fix issuer URL (03b2340)
- e2e: Fix jwt regression (647822d)
- e2e: Resolve test regressions (30855d9)
- e2e: Respect metadata (7bea2e8)
- e2e: Upgrade cypress (40be7bb)
- e2e: Upgrade jwks-rsa (8ddf880)
- Fix a flaky test (51600f4)
- Fix assertions on nil pointers (8710590)
- Fix conformity issues (2875c19)
- Fix failing master pipeline (#3283) (f979adb)
- Fix flaky equal check (1100aba)
- Fix flaky equal check (2c4615c)
- Fix resp.bodyclose lint error (f0f5223)
- hsm: Do not evaluate HSM private key (3420026)
- hsm: Resolve test issues (8db9e5b)
- Implement network test structure for clients (8a09175)
- Improve jwk test layout (3b7a1a7)
- migratest: Add missing cockroach migrations and debug test failures (5e6c099)
- Refactor migration tests to use fixtures (#2936) (7b96651), closes #2901
- Remove unused fixture (1cf5bd0)
- Resolve test migration issues (63b7303)
- Test client update and double delete (3a50926)
- Update fixtures (e77c0d3)
- Update paths to reflect new admin api (549deda)
- Update resource limits (9e9ea94)
- Update snapshot (1c9a0d2)
- Update snapshots (5f5c81e)
- Update snapshots (01dbc0e)
- Update snapshots (34bc743)
- Update snapshots (c66a536)
- Use fixed time.Now function in pop (08968aa)
Unclassified
- unstaged - refactor sdk use across the board (34dfc0f)
- code review: add missing nid (2592451)
- code review (8e961d0)
- code review: contextualize config (10c146b)
- code review: make sure CreateClient doesn't use provided ID (8eec85d)
- code review: generate first NID randomly; add/update tests; fix db-diff (00490cb)
- Create networks table (a2c5e14)
Changelog
- 52154bc autogen(docs): generate and bump docs
- 9d01e24 autogen(docs): generate cli docs
- 3895d8a autogen(docs): regenerate and update changelog
- c16ffb4 autogen(docs): regenerate and update changelog
- 984185f autogen(docs): regenerate and update changelog
- 181dda5 autogen(docs): regenerate and update changelog
- e70a6ce autogen(docs): regenerate and update changelog
- 07e0212 autogen(docs): regenerate and update changelog
- 1cab940 autogen(docs): regenerate and update changelog
- 200dc9a autogen(docs): regenerate and update changelog
- 60b9345 autogen(docs): regenerate and update changelog
- 09b9318 autogen(docs): regenerate and update changelog
- e4d17df autogen(openapi): Regenerate swagger spec and internal client
- 20f2bcd autogen(openapi): Regenerate swagger spec and internal client (#2812)
- 8b12c91 autogen(openapi): regenerate swagger spec and internal client
- f9e71cf autogen(openapi): regenerate swagger spec and internal client
- f148145 autogen(openapi): regenerate swagger spec and internal client
- 8db8cd7 autogen: pin v2.0.0 release commit
- 4d83a28 autogen: pin v2.0.0 release commit
- c68e130 autogen: pin v2.0.0-alpha.0.pre.0 release commit
- 71226bc autogen: pin v2.0.0-alpha.0.pre.1 release commit
- 0cafe8f autogen: pin v2.0.0-alpha.0.pre.2 release commit
- e27e290 chore(deps): bump minimist and minimist in /test/e2e/oauth2-client (#3246)
- 8e35137 chore(sdk): remove obsolete template
- c38e700 chore: add json1 tag to db-diff
- 22d4a92 chore: address merge conflicts
- 3ba28f2 chore: backport migration fix to migration source (#3267)
- f467619 chore: bump go to 1.19
- ac279c3 chore: change metric name and make Go 1.19 compatible (#3223)
- dc11913 chore: code review
- 96adcb8 chore: delete unused code
- 9fd2a47 chore: fix CLI command description (#3248)
- 81503e0 chore: fix compile and lint issues
- 922b43a chore: fix formatting (#3269)
- 3632a6c chore: fix lint issues
- 046b1eb chore: fix typo (#3236)
- da0feb7 chore: format
- 56d1286 chore: format
- 6e59302 chore: format
- 2ef71d9 chore: format
- 655f8aa chore: format
- a76cda3 chore: format
- 15cdb88 chore: format using Make (#3257)
- b849d3d chore: go mod tidy
- 2adb928 chore: regenerate SDKs
- f5d8963 chore: regenerate SDKs
- 336ccaf chore: regenerate values
- 019f6bf chore: remove cypress screenshots
- 0b643a3 chore: remove double tabs from Makefile (#3273)
- abca5ed chore: remove fosite replace
- cc5d770 chore: remove mod rewrites
- bbd4804 chore: remove stray console.log's
- 925013e chore: remove unused OpenAPI specifications and update snapshots
- 47daf0a chore: remove unused code
- 098a983 chore: reorganize definition
- a28bcf1 chore: styles
- 49d4847 chore: update Prettier and ory-prettier-style and format everything (#3242)
- 82ba446 chore: update formatter and formatting
- 5835ede chore: update fosite dependency
- aa7d059 chore: update go mod
- b067680 chore: update golang and alpine
- f1b0603 chore: update openapi-generator to 6.0.1
- 8cea91d chore: update ory/x
- 686d59c chore: update package locks
- e07e578 chore: update prettierignore
- 216352e chore: update repository templates
- a9c8da0 chore: update repository templates to ory/meta@19eed81
- 8b8e73d chore: update repository templates to ory/meta@23d918a
- 1c9f3e0 chore: update repository templates to ory/meta@4a68ca0
- a73301c chore: update repository templates to ory/meta@4ef1342
- 8177cb5 chore: update repository templates to ory/meta@6ab5ce6
- be24b80 chore: update repository templates to ory/meta@935cc04
- 791f5d1 chore: upgrade crdb to v22.x
- c8c3dbc chore: upgrade golangci-lint
- 55948d8 ci: add missing npm dependencies for changelog generation
- b4931a3 ci: do not use --verbose flag
- f040caf ci: install changelog-generator-cli
- 1cb56df ci: update crdb
- 8e961d0 code review
- 2592451 code review: add missing nid
- 10c146b code review: contextualize config
- 00490cb code review: generate first NID randomly; add/update tests; fix db-diff
- 8eec85d code review: make sure CreateClient doesn't use provided ID
- ac61740 docs: add required key to all versions in the version schema (#3233)
- 34cde51 docs: clarify command usage strings
- 75f7b50 docs: remove mention of CircleCI (#3240)
- 919170f docs: update config key descriptions
- e252654 feat(cli): improve migrate command handling
- bb9c8ba feat(cli): significantly improved
create client
- cafe89a feat(client): respect ip restrictions in client validation
- a85bc7a feat(sdk): add missing bearer security definition
- fe70395 feat(sdk): type nulls
- 2ee9229 feat(tracing): add lots of tracing spans (#3125)
- 841a153 feat: add SQLite dependency to SQLite Dockerfile (#3282)
- 5842946 feat: add
db.ignore_unknown_table_columns
configuration property (#3192) (#3193) - afa2ea0 feat: add ability to allow token refresh from hook without overriding the session claims (#3146)
- ee9032c feat: add embedx helpers (#3189)
- ecacc6d feat: add new key
serve.public.tls.enabled
- a84c5f5 feat: add nid tests and resolve issues (#3102)
- c111a4c feat: add tag descriptions
- 60bab08 feat: add token prefixes
- d894c97 feat: allow config context
- 90d539f feat: better control for cookie secure flag
- bbe0406 feat: config hot reloading architecture
- 9ef671f feat: custom client token ttl (#3206)
- 6d01e2e feat: deprecate autoincrement primary key in hydra_client (#2784)
- b76a151 feat: deprecate autoincrement primary key in hydra_jwk (#2789)
- 1d13be6 feat: hot-reload TLS certificate (#3265)
- b7fc2bf feat: implement NID
- e934c4f feat: improve CLI messages
- 93a626d feat: improve cloud cli compatibility
- 9717cad feat: improve cookie settings
- 2769c9b feat: improve refresh token error messages
- e7834ec feat: improved cookie controls
- 2d5c893 feat: make CORS config hot reloadable
- 370a487 feat: make all ui urls relative
- 954693f feat: make perform commands ory cloud-able
- 2f91ef4 feat: pass options from root
- 5b616d8 feat: rebuild containers on start
- fbcaaad feat: renaming to Ory Network (#3298)
- 77d8dac feat: replace hydra's transaction impl with ory/popx/transaction
- 7eb1d1c feat: respect local DNS restrictions
- 9a080ad feat: support ES256 for generating JWTs
- ddba42f feat: support alternate hashing algorithms for client secrets
- 05eaf6d feat: switch to otelx (#3108)
- 47d0518 feat: switch to otelx (#3108)
- 73d9517 feat: tls on public port can now be configured without restrictions
- cce8d60 feat: upgrade go-swagger
- a2c5e14 feature: create networks table
- fe3c899 fix(cli): output format issues
- f4812c8 fix(config): add default to supported types.
- 2b6350c fix(config): correct salt detection
- 9022769 fix(config): disallow additional properties
- ab6a9ee fix(config): support number
- 57cf46c fix(hsm): public key extraction
- c9c2e01 fix(hsm): public key extraction everywhere
- 0a786b7 fix(jwk): expose correct metadata algorithms
- ba16958 fix(mysql): fix mysql key too long error
- 7893a98 fix(oauth2): incorrect TTL override
- 21c579a fix(sdk): genericError type
- 1ab345b fix(sdk): handle all error codes (#3153)
- 468e27d fix(sdk): make session uniquely named
- 954aa5f fix(sdk): omit DefaultSession
- 1332fe6 fix(sdk): remove pattern from scope parameter
- 6880fea fix(sdk): resolve type issues and regenerate SDK
- 04b308f fix(sdk): use correct struct for response
- 1f7bf40 fix: ConfirmLoginSession, missing FKs; add tests
- ca748a1 fix: HSM test
- cd2c252 fix:
allowed_top_level_claims
set to nil (#3245) - 2597f19 fix:
max_age=0
forces authentication - 02c6d5d fix: add CORS to public health handler (#3114)
- dd1d733 fix: add json1 tag everywhere
- a98c067 fix: add missing down migrations
- 51a586b fix: allow retries of unused login & consent requests
- 7e25fdb fix: cache migration status
- 9a4f9e9 fix: client specific CORS
- 7bed244 fix: cockroach migration fixes
- d1f5a0e fix: compile errors
- 83983c2 fix: compile issue
- 68cb7d5 fix: compile issues
- a006b04 fix: conditionals in db-diff
- e163c80 fix: conformity health check
- 6376135 fix: consistently use RS256 in hot reloading
- 891fb55 fix: default back to RS256 keys
- 142cd13 fix: disable NID tests with HSM enabled
- 1d8a8ff fix: docker image build
- 05bda6b fix: docker image build (#3247)
- 063f61b fix: docker instructions
- 11587ae fix: dont close crdb for reuse purposes
- 560acce fix: fix hydra_client pk change mysql down migration (#2791)
- a5cc6ea fix: fix unbatched select in flushInactiveTokens
- b0196c0 fix: handle server error when refresh token requests come same time (#3207)
- 4bf995d fix: high db cpu utilisation on query (#3260)
- 8571a67 fix: hsm compile issues
- 668a319 fix: ignore cypress screenshots in git
- 6c8dda8 fix: improve duration pattern
- 1bd0c52 fix: improve health check reporting
- ece5ca6 fix: improve jwk generator defaults
- 8cffc5b fix: improve lazy initialization of JWKs
- 1a4abd6 fix: improve migration status speed
- b32ff33 fix: improve time validation
- 255b4e2 fix: incorrect queries
- d65aa3a fix: lazy load PKI
- 72a5cd8 fix: lint issues
- 3a26385 fix: make servicelocator explicit
- c51b21b fix: missing data in JWT grant (#3143)
- a364db4 fix: move to v0alpha2 api spec
- c56b958 fix: mysql slice delete
- 1aa6cc4 fix: optimise sql update to avoid redundant writes (#3289)
- 3e7b6b4 fix: pop compile issue
- d6e7f94 fix: postgres migration script (#3249)
- e130dfa fix: prefix paths correctly with /admin
- 8b77f5a fix: proper introspection output format (#3312)
- e58d3d1 fix: quickstart with SQLite
- 1d78e79 fix: regression in database layer
- 8994190 fix: remove deprecated config value
- e2c8809 fix: remove goswagger generated client
- 2a20080 fix: remove incorrect aliases
- e670d68 fix: remove obsolete type patches
- 13691d3 fix: remove unnecessary load of TLS certificates at boot
- 4ff0690 fix: remove unused swagger struct
- e1731ba fix: replace of consent session expires values
- acb16c1 fix: resolve a merge conflict in migration_test (#2811)
- f6ee1d3 fix: resolve conformance build issues
- 937e6ba fix: resolve internal SDK regressions
- 6eee09c fix: resolve merge conflicts
- 5552e4d fix: resolve migration regressions
- 77b1ac7 fix: resolve test issues and regressions introduced by the new JWK generator
- 1fd6ea3 fix: resolve token prefix regression
- f0f3139 fix: retry transient crdb transaction failures
- f2daa7d fix: revert latest docker image changes (#3286)
- c9a248d fix: revert to normal crdb
- eafa2bb fix: speed up health checks
- d746fa4 fix: support issuer with and without trailing slash
- 63a84de fix: update benchmark script
- 36ddb61 fix: use --yes flag in db-diff
- 9fbbbdf fix: use CreateWith
- 1d9891d fix: use StringSliceJSONFormat instead of StringSlicePipeDelimiter (#3112)
- d1af32d fix: use config func everywhere
- 3ceefd7 fix: use correct context
- aea37d6 fix: use correct sdk tag (#3318)
- 4002224 refactor(client): make OAuth2 Client IDs system-chosen and immutable
- 0752721 refactor(client): rename SDK methods and introduce
/admin
prefix - 23585b5 refactor(client): replace limit and offset parameters with page_token and page_size
- 5885ab3 refactor(consent): rename SDK method from
acceptConsentRequest
toadminAcceptOAuth2ConsentRequest
- fa27d0c refactor(consent): rename SDK method from
acceptLoginRequest
toadminAcceptOAuth2LoginRequest
- bb51ba0 refactor(consent): rename SDK method from
adminListSubjectConsentSessions
toadminListOAuth2SubjectConsentSessions
- 9053040 refactor(consent): rename SDK method from
getLoginRequest
toadminGetOAuth2LoginRequest
- 475efbc refactor(consent): rename SDK method from
getOAuth2ConsentRequest
toadminGetOAuth2ConsentRequest
- e0e3da9 refactor(consent): rename SDK method from
rejectConsentRequest
torejectOAuth2ConsentRequest
- 37a8839 refactor(consent): rename SDK method from
rejectLoginRequest
torejectOAuth2LoginRequest
- cdffa1e refactor(consent): rename SDK method from
rejectLogoutRequest
toadminRejectOAuth2LogoutRequest
- 0a5ebe8 refactor(consent): rename SDK method from
revokeAuthenticationSession
toadminRevokeOAuth2LoginSessions
- 1108409 refactor(consent): rename SDK method from
revokeConsentSessions
toadminRevokeOAuth2ConsentSessions
- 5e2ea0b refactor(jwk): no longer prefix keys with
public
orprivate
- cd007bb refactor(jwk): rename SDK methods and introduce
/admin
prefix - c12b45c refactor(oauth2): clean up changes
- ea4caf7 refactor(oauth2): rename SDK method from
deleteOAuth2Token
toadminDeleteOAuth2Token
- df467a0 refactor(oauth2): rename SDK method from
discoverOpenIDConfiguration
todiscoverOidcConfiguration
- f2bd9a3 refactor(oauth2): rename SDK method from
introspectOAuth2Token
toadminIntrospectOAuth2Token
- 51b58e7 refactor(oauth2): rename SDK method from
oauth2Token
toperformOAuth2TokenFlow
- 4e554e7 refactor(oauth2): rename SDK method from
userinfo
togetOidcUserInfo
- 06d565e refactor(sdk): JSON Web Key SDK API
- b0a2b05 refactor(sdk): OAuth 2.0 Trust Relationship SDK
- 142b55f refactor(sdk): OAuth2 SDK API
- e800002 refactor(sdk): consent SDK
- a54ea69 refactor(sdk): rename PatchDocument to JsonPatchDocument
- 6b60156 refactor(sdk): rename errors
- cb742ad refactor(sdk): rename oauth2 client operations and payloads
- e0be7cf refactor(trust): rename SDK method from
deleteTrustedJwtGrantIssuer
toadminDeleteTrustedOAuth2JwtGrantIssuer
- 210116e refactor(trust): rename SDK method from
getTrustedJwtGrantIssuer
toadminGetTrustedOAuth2JwtGrantIssuer
- cb7b9e0 refactor(trust): rename SDK method from
listTrustedJwtGrantIssuers
toadminListTrustedOAuth2JwtGrantIssuers
- 7edf8df refactor(trust): rename SDK method from
trustJwtGrantIssuer
toadminTrustOAuth2JwtGrantIssuer
- 08bbbab refactor: CLI environment variables
HYDRA_URL
has been renamed toORY_SDK_URL
- e466d7c refactor:
hydra keys
command - 81e79f2 refactor:
hydra token client
command - aa338e1 refactor:
hydra token delete
command - da3e2b4 refactor:
hydra token introspect
command - 42e75c3 refactor:
hydra token revoke
command - 46b5887 refactor: deprecate
--dangerous-allow-insecure-redirect-url
flag - 062734e refactor: deprecate
--dangerous-force-http
flag - edb042e refactor: drop TLS by default
- 8023d2a refactor: environment variable
DATABASE_URL
has been deprecated - 53d225a refactor: finalize consent SDK methods
- 697813e refactor: generated UUID variant & version test (#2793)
- 53862f2 refactor: improve performance and reduce data use of consent persistence layer (#2836)
- cc9d9e5 refactor: make commands easier to consume
- 5fb3049 refactor: remove HS512 and HS256 jwk key generator
- 17c226c refactor: remove
/oauth2/flush
endpoint - 148cadb refactor: remove
oauth2.include_legacy_error_fields
config - 223c8bc refactor: rename
access_log
torequest_log
- 76eb93c refactor: rename
hydra clients create
command - dea2fdd refactor: rename
hydra clients delete
command - edd4b43 refactor: rename
hydra clients get
command - 7de7841 refactor: rename
hydra clients import
command - 1c0f971 refactor: rename
hydra clients list
command - 7482b77 refactor: rename
hydra clients update
command - d2d5512 refactor: replace custom key generator with jose key generator
- f5d0885 test(conformance): add directory
- 580f33b test(conformity): revert admin prefix
- 15f3cfc test(conformity): sdk regression
- fa23960 test(e2e): add trailing slash to issuer
- 415658d test(e2e): fix build instructions
- 03b2340 test(e2e): fix issuer URL
- 647822d test(e2e): fix jwt regression
- 30855d9 test(e2e): resolve test regressions
- 7bea2e8 test(e2e): respect metadata
- 40be7bb test(e2e): upgrade cypress
- 8ddf880 test(e2e): upgrade jwks-rsa
- 3420026 test(hsm): do not evaluate HSM private key
- 8db9e5b test(hsm): resolve test issues
- 5e6c099 test(migratest): add missing cockroach migrations and debug test failures
- b4865dd test: add test for access token strategy
- 51600f4 test: fix a flaky test
- 8710590 test: fix assertions on nil pointers
- 2875c19 test: fix conformity issues
- f979adb test: fix failing master pipeline (#3283)
- 2c4615c test: fix flaky equal check
- 1100aba test: fix flaky equal check
- f0f5223 test: fix resp.bodyclose lint error
- 8a09175 test: implement network test structure for clients
- 3b7a1a7 test: improve jwk test layout
- 7b96651 test: refactor migration tests to use fixtures (#2936)
- 1cf5bd0 test: remove unused fixture
- 63b7303 test: resolve test migration issues
- 3a50926 test: test client update and double delete
- e77c0d3 test: update fixtures
- 549deda test: update paths to reflect new admin api
- 9e9ea94 test: update resource limits
- 1c9a0d2 test: update snapshot
- 5f5c81e test: update snapshots
- 34bc743 test: update snapshots
- 01dbc0e test: update snapshots
- c66a536 test: update snapshots
- 08968aa test: use fixed time.Now function in pop
- 34dfc0f unstaged - refactor sdk use across the board
Artifacts can be verified with cosign using this public key.