v2.2.0-rc.3
Pre-release
Introduces logout compatibility with Ory Kratos.
Bug Fixes
- Add exceptions for internal IP addresses (#3608) (1f1121c)
- Add kid to verifiable credential header (#3606) (9f1c8d1)
- Deflake ttl test (6741a49)
- Docker build (#3609) (01ff9da)
- Enable CORS with hot-reloaded origins (#3601) (6f592fc)
- Only query access tokens by hashed signature (a21e945)
- Racy random string generation (#3555) (1b26c4c)
- Reject invalid JWKS in client configuration / dependency cleanup and bump (#3603) (1d73d83)
- Restore ability to override auth and token urls for exemplary app (#3590) (dfb129a)
- Return proper error when the grant request cannot be parsed (#3558) (26f2d34)
- Use correct tracer in middleware (#3567) (807cbd2)
Code Generation
- Pin v2.2.0-rc.3 release commit (ad8a4ba)
Features
- Add more resolution to events and collect client metrics (#3568) (466e66b)
- Add state override (b8b9154)
- Add support for OIDC VC (#3575) (219a7c0):
  This adds initial support for issuing verifiable credentials
  as specified in https://openid.net/specs/openid-connect-userinfo-vc-1_0.html.

  Because the spec is still in draft, public identifiers are
  suffixed with draft_00.
- Allow to disable claim mirroring (#3563) (c72a316):
  This PR introduces another config option called oauth2:mirror_top_level_claims
  which may be used to disable the mirroring of custom claims into the ext
  claim of the jwt.
  This new config option is an opt-in. If unused the behavior remains as-is to ensure backwards compatibility.

  Example:

      oauth2:
        allowed_top_level_claims:
          - test_claim
        mirror_top_level_claims: false # -> this will prevent test_claim to be mirrored within ext

  Closes #3348
- Bump fosite and add some more tracing (0b56f53)
- cmd: Add route that redirects to the auth code url (4db6416)
- Propagate logout to identity provider (#3596) (c004fee):
  - feat: propagate logout to identity provider

    This commit improves the integration between Hydra and Kratos when logging
    out the user.

    This adds a new configuration key for configuring a Kratos admin URL.
    Additionally, Kratos can send a session ID when accepting a login request.
    If a session ID was specified and a Kratos admin URL was configured,
    Hydra will disable the corresponding Kratos session through the admin API
    if a frontchannel or backchannel logout was triggered.
  - fix: add special case for MySQL
  - chore: update sdk
  - chore: consistent naming
  - fix: cleanup persister
- Support different jwt scope claim strategies (#3531) (45da11e)
Changelog
- 2c452ef autogen(docs): regenerate and update changelog
- 551c359 autogen(docs): regenerate and update changelog
- 93ebaee autogen(docs): regenerate and update changelog
- 7cfba84 autogen(docs): regenerate and update changelog
- cb64770 autogen(docs): regenerate and update changelog
- 938d4bb autogen(docs): regenerate and update changelog
- 0072ddf autogen(docs): regenerate and update changelog
- c30de7f autogen(docs): regenerate and update changelog
- 6c298b2 autogen(docs): regenerate and update changelog
- a547a74 autogen(docs): regenerate and update changelog
- 5704640 autogen(docs): regenerate and update changelog
- e586cc2 autogen(docs): regenerate and update changelog
- 2bdad2c autogen(docs): regenerate and update changelog
- dc878b8 autogen(docs): regenerate and update changelog
- 425c977 autogen(docs): regenerate and update changelog
- 339bf40 autogen(docs): regenerate and update changelog
- ea40d44 autogen(docs): regenerate and update changelog
- 71d1853 autogen(docs): regenerate and update changelog
- be85c29 autogen(docs): regenerate and update changelog
- 598c21d autogen(docs): regenerate and update changelog
- 42a9615 autogen(docs): regenerate and update changelog
- 330530d autogen(openapi): regenerate swagger spec and internal client
- 254a21b autogen(openapi): regenerate swagger spec and internal client
- ad8a4ba autogen: pin v2.2.0-rc.3 release commit
- 6631c21 autogen: render config schema
- 59ec76b chore(deps): bump semver from 5.7.0 to 5.7.2 (#3569)
- 9fd59e2 chore(deps): bump semver from 5.7.0 to 5.7.2 in /test/e2e/oauth2-client (#3570)
- 3c5c126 chore(deps): bump tough-cookie, @cypress/request and wait-on (#3592)
- 48d5df4 chore: add hperl as codeowner (#3607)
- efd9ca7 chore: bump deps (#3560)
- d5099cb chore: remove fosite branch override (#3599)
- 3914585 chore: replace fosite rewrite (#3564)
- 8ed2a2d chore: support in README (#3565)
- 1a1f504 chore: update repository templates to ory/meta@ac80097
- eb89af7 chore: update repository templates to ory/meta@af28aff
- 4db6416 feat(cmd): add route that redirects to the auth code url
- 749eb8d feat: add hydra migrate status subcommand (#3579)
- 466e66b feat: add more resolution to events and collect client metrics (#3568)
- b8b9154 feat: add state override
- 219a7c0 feat: add support for OIDC VC (#3575)
- 8eed306 feat: allow Go migrations (#3602)
- 8900cbb feat: allow additional SQL migrations (#3587)
- c72a316 feat: allow to disable claim mirroring (#3563)
- 0b56f53 feat: bump fosite and add some more tracing
- 5bd9002 feat: parallel generation of JSON web key set (#3561)
- c004fee feat: propagate logout to identity provider (#3596)
- 45da11e feat: support different jwt scope claim strategies (#3531)
- 1f1121c fix: add exceptions for internal IP addresses (#3608)
- 9f1c8d1 fix: add kid to verifiable credential header (#3606)
- 6741a49 fix: deflake ttl test
- 01ff9da fix: docker build (#3609)
- 6f592fc fix: enable CORS with hot-reloaded origins (#3601)
- a21e945 fix: only query access tokens by hashed signature
- 1b26c4c fix: racy random string generation (#3555)
- 1d73d83 fix: reject invalid JWKS in client configuration / dependency cleanup and bump (#3603)
- dfb129a fix: restore ability to override auth and token urls for exemplary app (#3590)
- 26f2d34 fix: return proper error when the grant request cannot be parsed (#3558)
- 807cbd2 fix: use correct tracer in middleware (#3567)
Artifacts can be verified with cosign using this public key.