This project is mirrored from https://github.com/ory/hydra.
v1.11.0 · 5355a1ab

Happy new year! We are excited to announce the next iteration of Ory Hydra: Version 1.11.0! This version has significant new features contributed by the awesome Open Source Community - you!

But not only that: **Ory Hydra 2.0 is coming!** While a major version, we intend to keep all APIs with as few breaking changes as possible. The efforts focus on some long-standing issues in the persistence layer. In particular, data growth rate and performance improvements are the focus areas! If you are interested to see what is going on, check out PR [#2796](https://github.com/ory/hydra/pull/2796).

And Ory Hydra 2.0 will be available as an API in Ory Cloud! If you are interested in Ory Cloud, apply to the [Ory Acceleration Program](https://share-eu1.hsforms.com/1KWJxgKzNQWOjR9r5blC41wextgn) and receive a **one-year free subscription for Ory Cloud's Start-Up plan**. The Start-Up plan comes with convenient features such as custom domains and unlimited identities/tokens! More on timelines and Ory Hydra 2.0 plans will follow later this year.

If these changes are not exciting enough already, Ory Hydra now supports loading Private and Public Keys from Hardware Security Modules, physical computing devices that safeguard and manage digital keys and perform encryption and decryption functions for digital signatures, strong authentication, and other cryptographic functions. Thank you [@aarmam](https://github.com/aarmam) for this amazing work! For more information, please [read the guide](https://www.ory.sh/hydra/docs/next/guides/hsm-support).

Next up, Ory Hydra now natively supports the OpenID Connect Dynamic Client Registration and OAuth2 Dynamic Client Registration Protocol which can be enabled (optionally) in the configuration! Thank you [@fjvierap](https://github.com/fjvierap) for your hard work!

We do not stop there: [@Xopek](https://github.com/Xopek) and [@jagobagascon](https://github.com/jagobagascon) added support for the JSON Web Token (JWT) Profile for OAuth 2.0 Authorization Grants (RFC7523) to Ory Hydra! This major improvement allows Ory Hydra to have an even better integration API than before!

For our Apple users and everyone eyeballing ARM64, we now distribute binaries and Docker Images for all platforms and CPU architectures, including Apple M1, Linux ARM (v6, v7, v8, ARM64), and - this is new - FreeBSD!

Lastly, we resolved a bug in the configuration loading which now allows loading complex configuration keys from environment variables without hassle!

**Please notice that this release requires SQL migrations to be applied! As always, please make a backup before applying them!**

v1.10.7 · 0a425352

Ory Hydra v1.10.7 ships an exciting new feature that enables the updating of access and ID tokens during a refresh flow via an HTTP webhook. To set it up, use the `oauth2.refresh_token_hook` configuration to set up an HTTP(S) endpoint which receives a POST request when a refresh token is about to be issued!

And even more exciting, we would like to invite you to our first developer conference which is happening tomorrow and the day after (October 28th and 29th, 2021). The event is [digital and tickets are free](https://www.ory.sh/summit21). After short keynotes from Ory's founders Aeneas (hackerman) and Thomas (tacurran), you will learn from fellow community members and contributors about building robust authorization and authentication, best practices for modern cloud infrastructure and many other developer topics! **[Grab your free tickets now!](https://www.ory.sh/summit21)**

Additionally, improvements to tracing, documentation, and ID token claims have been merged. Also, Ory Hydra now no longer takes 3 seconds for the CLI to become responsive as we have found a transient dependency that caused slow initialization times:

```
$ time hydra
hydra 1.87s user 1.90s system 620% cpu 0.607 total
$ time ./hydra-v1.10.7
./hydra-patch 0.03s user 0.01s system 8% cpu 0.450 total
$ time ./hydra-v1.10.7
./hydra-patch 0.02s user 0.01s system 104% cpu 0.032 total
```

Please note that the location of our Homebrew tap has changed for Ory Hydra from `ory/ory/hydra` to `ory/tap/hydra`:

```patch
- brew install ory/ory/hydra
+ brew install ory/tap/hydra
```

All Homebrew taps will move to this location, including Ory Kratos, Ory Oathkeeper, Ory Keto, and the Ory CLI!

v1.10.5 · 0456f54d

This patch introduces a faster and better janitor (database clean up routine), the ability to filter OAuth2 Clients by owner and name, and resolves a regression when parsing config environment variables.

v1.10.3 · ea931581

Ory Hydra v0.10.3 brings several bug fixes and configuration features, in particular:

1. Adding the `hydra keys import` command;
2. Passing the `client_id` in the logout request;
3. Resolving prometheus cardinality issues;
4. Moving to `go-jose` for JSON Web Keys and JSON Web Tokens;
5. Supporting PKCE discovery in `/.well-known/`;
6. Support for Instana tracing.

For a full list of changes, please check below!

v1.10.2 · e8c3a06e

This maintenance release resolves regressions introduced in Ory Hydra v1.10.1. A big change is that Ory Hydra now supports PATCH operations for OAuth2 Clients and is able to handle TLS for admin and public endpoints individually.

v1.10.1 · 2287ac59

We are excited to announce Ory Hydra v1.10.0! This release adds significant data management improvements. As such, we introduce the new "hydra janitor" command which cleans up stale data and can be run, for example, as a (Kubernetes) CronJob. The new janitor command is able to clean up invalid and expired access and refresh tokens as well as login and consent requests. This solves issues observed in installations with lots of traffic. This patch refactors the internal file embed system by migrating to Go 1.16, simplifying and speeding up the build process. To follow OAuth2 best-practice, refresh tokens will now invalidate the whole access and refresh token chain if reused.
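
The reuse rule in the last sentence above can be pictured as refresh token rotation with chain revocation. The following is an added example, not Ory Hydra's implementation; `Store`, `Issue`, `Refresh`, `Active` and the token format are hypothetical names made up for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Store is a hypothetical in-memory model; field names are not Hydra's schema.
type Store struct {
	chainOf map[string]string // refresh token -> chain (original grant) ID
	used    map[string]bool   // refresh tokens that were already exchanged
	revoked map[string]bool   // chains revoked after a reuse was seen
}

var ErrUnknown = errors.New("invalid_grant: unknown refresh token")
var ErrRevoked = errors.New("invalid_grant: token chain revoked")
var ErrReuse = errors.New("invalid_grant: refresh token reused")

func NewStore() *Store {
	return &Store{chainOf: map[string]string{}, used: map[string]bool{}, revoked: map[string]bool{}}
}

// Issue adds a token to a chain. Values are constructed; real tokens are random.
func (s *Store) Issue(chain string) string {
	tok := fmt.Sprintf("rt-%s-%d", chain, len(s.chainOf)+1)
	s.chainOf[tok] = chain
	return tok
}

// Refresh rotates a token. A second use of the same token revokes its chain.
func (s *Store) Refresh(tok string) (string, error) {
	chain, ok := s.chainOf[tok]
	switch {
	case !ok:
		return "", ErrUnknown
	case s.revoked[chain]:
		return "", ErrRevoked
	case s.used[tok]:
		s.revoked[chain] = true
		return "", ErrReuse
	}
	s.used[tok] = true
	return s.Issue(chain), nil
}

// Active is the check a token lookup would make before honouring a token.
func (s *Store) Active(tok string) bool {
	chain, ok := s.chainOf[tok]
	return ok && !s.used[tok] && !s.revoked[chain]
}

func main() {
	s := NewStore()
	rt1 := s.Issue("grant-A")
	rt2, _ := s.Refresh(rt1)
	_, err := s.Refresh(rt1) // replay of the already-rotated token
	fmt.Println(err, s.Active(rt2))
}
```

After the replay, the legitimately rotated token is rejected as well, so whichever party still holds a token from that chain has to go through a fresh authorization; chains from other grants are unaffected.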

v1.9.1 · 5cedc9e2

This release makes [Dart](https://pub.dev/packages/ory_hydra_client) and [Rust](https://crates.io/crates/ory-hydra-client) SDKs available for Ory Hydra!

v1.9.0 · 7120b4f5

Today, we are very excited to announce the stable release of ORY Hydra 1.9! This release contains significant internal code refactoring, making ORY Hydra more reliable, lightweight, and even more scalable! Also, for the first time ever, **ORY Hydra handled over 13.3 billion API requests in December 2020** in over **23.000 production environments** around the globe.

Let's talk features - in a TL;DR overview:

- Completely replacing the existing DBAL and switching to gobuffalo/pop.
- Support for SQLite, an embedded database, which can be used for testing and tiny deployments.
- Deprecating the existing configuration system [spf13/viper](https://github.com/spf13/viper) and moving to [knadh/koanf](https://github.com/knadh/koanf).
- Adding OpenID Connect Conformity Test Suite to the CI, guaranteeing that every code change is fully OpenID Connect compliant.
- Support for the OpenID Connect `response_mode=form_post` Response Mode.
- Compatibility with MITREid, allowing [easy migration from MITREid to ORY Hydra](https://www.ory.sh/hydra/docs/next/guides/migrating-from-MITREid).
- The TypeScript SDK moved from **@oryd/hydra-client to @ory/hydra-client**. Please update your dependencies!

If you wish to get into ORY Hydra, check out the new YouTube tutorial:

[![ORY Hydra YouTube Quickstart Tutorial](https://raw.githubusercontent.com/ory/web/master/static/images/newsletter/hydra-1.9.0/YouTube-tutorial-hydra-preview.png)](https://www.youtube.com/watch?v=tlO9p2E501A)

*See you on [slack](https://slack.ory.sh), signed [HACKERMAN](https://github.com/aeneasr).*

**ORY Kratos**

We would like to take a bit of your time and introduce you to [ORY Kratos](https://github.com/ory/kratos). ORY Kratos implements all the hard things related to users: [login](https://www.ory.sh/kratos/docs/self-service/flows/user-login), [registration](https://www.ory.sh/kratos/docs/self-service/flows/user-registration), [customizable profile fields](https://www.ory.sh/kratos/docs/concepts/identity-data-model/), [multi-factor authentication scheduled for v0.6](https://www.ory.sh/kratos/docs/self-service/flows/2fa-mfa-multi-factor-authentication), [secure account recovery](https://www.ory.sh/kratos/docs/self-service/flows/account-recovery), [email and SMS verification](https://www.ory.sh/kratos/docs/self-service/flows/verify-email-account-activation), [profile management](https://www.ory.sh/kratos/docs/self-service/flows/user-settings), [session and device management](https://github.com/ory/kratos/issues/655), [user administration](https://www.ory.sh/kratos/docs/admin/managing-users-identities), [social sign in and sign up](https://www.ory.sh/kratos/docs/concepts/credentials/openid-connect-oidc-oauth2/), and much, much more! Everything works with proven and ORY-hardened protocols in the same lightweight fashion you are used to from our other products. And it natively targets mobile, desktop, web, and robots!

[ORY Kratos](https://github.com/ory/kratos) is essentially an open-source alternative to Auth0, Okta, and Google Firebase with the added benefit of avoiding the complexity of implementing OAuth2 and OpenID Connect for your first-party apps just to get login to work. So if you are wondering [**whether you really need OAuth2**](https://www.ory.sh/hydra/docs/concepts/before-oauth2), this is worth your time!

To get a feeling for ORY Kratos, check out our exemplary React Native app (available on [GitHub](https://github.com/ory/kratos-selfservice-ui-react-native), [Android](https://play.google.com/store/apps/details?id=com.ory.kratos_self_service_ui_react_native&hl=en&gl=US) and [iOS](https://apps.apple.com/de/app/ory-profile-app/id1536546333)) demonstrating user registration, login, and profile management. It uses APIs from ORY Cloud, which will be publicly announced this year. If you are interested in becoming an early adopter, [get in touch now](mailto:jared@ory.sh)! We have more super exciting stuff planned!

![ORY Kratos User Data Screen for Mobile Applications](https://raw.githubusercontent.com/ory/web/master/static/images/newsletter/kratos-0.5.0/welcome-screen.png)

**Changes in-depth**

Let's break down the most significant changes in more detail:

**The configuration system has been reworked**

1. Configuration sourcing works from all sources (file, env, cli flags) with validation against the configuration schema. This makes changing or updating configuration much easier.
2. Configuration reloading is improved and works on Kubernetes.
3. Performance gains remove the need for a cache layer between the configuration system and ORY Hydra.
4. Loading of several config files is now possible using the `--config` flag.
5. Configuration values are now sent to the tracer (e.g. Jaeger) if tracing is enabled.

Please be aware that deprecated configuration flags have been removed with this change. It is also possible that ORY Hydra might complain about an invalid configuration due to a significantly improved validation process.

**The [OpenID Connect Conformity Test Suite](https://gitlab.com/openid/conformance-suite) is now part of the ORY Hydra CI pipeline.**

This means every PR and change will be checked for OpenID Connect Compliance. As part of these tests, we uncovered some regression issues which have since been resolved. Please be aware that fields `error_hint` and `error_debug` will no longer be sent. You can re-enable those legacy fields by setting `oauth2.include_legacy_error_fields` to `true`.

**Supporting `response_mode=form_post`**

Support for OpenID Connect flows `response_mode=form_post` was added and has been tested with the OpenID Connect Conformity Test Suite, making it ready for production.

**Compatibility with MITREid**

Adds an option that allows granting the OAuth2 Client's authorized scope when performing a `client_credentials` flow without specifying a scope. This enables compatibility with MITREid and allows [migrating from MITREid to ORY Hydra](https://www.ory.sh/hydra/docs/next/guides/migrating-from-MITREid).

**Refactoring the internal DBAL**

We completely refactored the internal database abstraction layer (DBAL). We have been using [gobuffalo/pop](https://github.com/gobuffalo/pop) successfully in [ORY Kratos](https://github.com/ory/kratos) and decided to move the ORY Hydra DBAL to [gobuffalo/pop](https://github.com/gobuffalo/pop) as well. As part of this refactoring, ORY Hydra now supports SQLite for both in-memory as well as on-disk databases, de-duplicating the codebase and allowing for quick and easy persistence in test environments.

v1.9.0-alpha.3 · 05809d25

We are excited to present the next big step towards ORY Hydra 1.9! In this release we completely refactored the configuration internals and moved from [spf13/viper](https://github.com/spf13/viper) to [knadh/koanf](https://github.com/knadh/koanf):

1. Configuration sourcing works from all sources (file, env, cli flags) with validation against the configuration schema, greatly improving the developer experience when changing or updating configuration.
2. Configuration reloading has improved significantly and works excellently on Kubernetes.
3. Performance gains that remove the need for a cache layer between the configuration system and ORY Hydra.
4. Loading of several config files using the `--config` flag is now possible.
5. Configuration values are now sent to the tracer (e.g. Jaeger) if tracing is enabled.

Please be aware that deprecated configuration flags have finally been removed with this change. It is also possible that ORY Hydra might complain about an invalid configuration due to a significantly improved validation process.

In addition, this release includes the new OpenID Connect Conformity Test Suite as part of the ORY Hydra CI pipeline. This means every PR and change will be checked for OpenID Connect Compliance. As part of these tests, we uncovered some regression issues which have since been resolved. Please be aware that fields `error_hint` and `error_debug` will no longer be sent. You can re-enable those legacy fields by setting `oauth2.include_legacy_error_fields` to `true`.

Furthermore, support for OpenID Connect flows `response_mode=form_post` was added and has been tested with the OpenID Connect Conformity Test Suite, making it ready for production.

Several other bugs have been resolved and we have completely overhauled the tests, deprecating test tables in favor of test suites. This greatly improves the readability of our tests and allows new contributors to more easily understand what is going on!

If you wish to get into ORY Hydra, check out the newly published YouTube tutorial:

[![ORY Hydra YouTube Quickstart Tutorial](https://raw.githubusercontent.com/ory/web/master/static/images/newsletter/hydra-1.9.0/YouTube-tutorial-hydra-preview.png)](https://www.youtube.com/watch?v=tlO9p2E501A)

v1.9.0-alpha.2 · 1a7fe913

This release addresses an issue in the update routine of OAuth2 Clients (see [kratos#2148](https://github.com/ory/hydra/issues/2148)) and adds an option which makes ORY Hydra compatible with MITREid.

v1.9.0-alpha.1 · a270e4ca

This release focuses on a complete refactor of the internal database abstraction layer (DBAL). We have been using [gobuffalo/pop](https://github.com/gobuffalo/pop) successfully in [ORY Kratos](https://github.com/ory/kratos) and decided to move the ORY Hydra DBAL to [gobuffalo/pop](https://github.com/gobuffalo/pop) as well. As part of this refactoring, ORY Hydra now supports SQLite for both in-memory as well as on-disk databases, de-duplicating the codebase and allowing for quick and easy persistence in test environments. This is an alpha release as we want to gather feedback from the community regarding performance and other potential issues before tagging the v1.9.0 version branch as stable.

v1.8.5 · 951870ed

This is a security-focused release with fixes for [CVE-2020-15234](https://github.com/ory/fosite/security/advisories/GHSA-grfp-q2mm-hfp6), [CVE-2020-15223](https://github.com/ory/fosite/security/advisories/GHSA-7mqr-2v3q-v2wm), [CVE-2020-15233](https://github.com/ory/fosite/security/advisories/GHSA-rfq3-w54c-f9q5). Additionally, several system dependencies (e.g. Golang) have been upgraded.

A few things have changed as part of these patches:

- OAuth 2.0 Redirection URL error parameters `error_hint`, `error_debug` have been deprecated and are now part of `error_description`. The parameters are still included for compatibility reasons but will be removed in a future release.
- OAuth 2.0 Error `revocation_client_mismatch` was not standardized and has been removed. Instead, you will now receive `unauthorized_client` with a description explaining why the flow failed.

Additionally, the TypeScript SDK generator has changed from OpenAPI's `typescript-node` to `typescript-axios` making the SDK compatible with both browser as well as node environments, which was not the case previously. Please be aware that some of the SDK's API signatures - especially responses - have changed and check your TypeScript output for instructions on upgrading. You may still use an older version of the SDK as none of ORY Hydra's HTTP APIs have changed.

Due to several complex CI issues and regressions, build versions v1.8.0 - v1.8.4 failed. v1.8.5 is the first and only stable release in the current 1.8.x branch.

New features have been added and bugs have been closed. No migrations are required when applying this release. Please check the list below for an in-depth overview.

v1.8.0-pre.1 · 861fdb7d

v1.8.0-pre.0 · 293c3ac7

This is a security-focused release with fixes for [CVE-2020-15234](https://github.com/ory/fosite/security/advisories/GHSA-grfp-q2mm-hfp6), [CVE-2020-15223](https://github.com/ory/fosite/security/advisories/GHSA-7mqr-2v3q-v2wm), [CVE-2020-15233](https://github.com/ory/fosite/security/advisories/GHSA-rfq3-w54c-f9q5). Upgrading is strongly advised!

A few things have changed as part of these patches:

- OAuth2 Redirection URL error parameters `error_hint`, `error_debug` have been deprecated and are now part of `error_description`. The parameters are still included for compatibility reasons but will be removed in a future release.
- OAuth2 Error `revocation_client_mismatch` was not standardized and has been removed. Instead, you will now receive `unauthorized_client` with a description explaining why the flow failed.

Additionally, the TypeScript SDK generator has changed from OpenAPI's `typescript-node` to `typescript-axios` making the SDK compatible with both browser as well as node environments, which was not the case previously. Please be aware that some of the SDK's API signatures - especially responses - have changed and check your TypeScript output for instructions on upgrading. You may still use an older version of the SDK as none of ORY Hydra's HTTP APIs have changed.

New features have been added and bugs have been closed. No migrations are required when applying this release. Please check the list below for an in-depth overview.