
Releases: ory/hydra

v2.0.1

27 Oct 11:54
403223c

Resolves an issue with the post-release steps and adds the introspect command to the Ory Hydra CLI.

Bug Fixes

  • Add missing introspect command (c43aba3)
  • Bump quickstart images to 2.0.0 (8c763ad)
  • Post-release steps with yq (b6300e3)

Code Generation

  • Pin v2.0.1 release commit (403223c)

Documentation

Changelog

  • 8297cfc autogen(docs): regenerate and update changelog
  • 403223c autogen: pin v2.0.1 release commit
  • c48e481 docs: update README (#3323)
  • c43aba3 fix: add missing introspect command
  • 8c763ad fix: bump quickstart images to 2.0.0
  • b6300e3 fix: post-release steps with yq

Artifacts can be verified with cosign using this public key.

v2.0.0

27 Oct 06:47
4d83a28

Ory Hydra 2.0 is available now! It ships major internal data restructuring and adds support for additional OAuth2 flows such as OAuth2 Token Exchange. Ory Hydra now natively integrates with Ory Kratos, an open source Identity Server.

Install the Ory CLI for the best developer experience to try out Ory Hydra 2.0 right away!

bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory
sudo mv ./ory /usr/local/bin/

brew install ory/tap/cli

Create a new project (you may also use Docker):

ory create project --name "Ory Hydra 2.0 Example"
project_id="{set to the id from output}"

and follow the quick & easy steps below.

Create an OAuth 2.0 Client, and run the OAuth 2.0 Client Credentials flow:

ory create oauth2-client --project $project_id \
    --name "Client Credentials Demo" \
    --grant-type client_credentials
client_id="{set to client id from output}"
client_secret="{set to client secret from output}"

ory perform client-credentials --client-id=$client_id --client-secret=$client_secret --project $project_id
access_token="{set to access token from output}"

ory introspect token $access_token --project $project_id

Try out the OAuth 2.0 Authorize Code grant right away!

If you accept the openid and offline_access permissions at the consent screen, Ory issues a refresh token and an OpenID Connect ID token:

ory create oauth2-client --project $project_id \
    --name "Authorize Code with OpenID Connect Demo" \
    --grant-type authorization_code \
    --response-type code \
    --redirect-uri http://127.0.0.1:4446/callback
code_client_id="{set to client id from output}"
code_client_secret="{set to client secret from output}"

ory perform authorization-code \
    --project $project_id \
    --client-id $code_client_id \
    --client-secret $code_client_secret
code_access_token="{set to access token from output}"

ory introspect token $code_access_token --project $project_id

What's changed in Ory Hydra 2.0?

  • Ory Identities is now compatible with the Ory OAuth2 Login and Consent Flow. This means, for example, that Ory Kratos can be the login provider for Ory Hydra with a bit of configuration.
  • The Ory Network enables this integration as a default.
  • Ory Hydra 2.0 now natively supports key types such as ES256 for signing ID Tokens and OAuth 2.0 Access Tokens in JWT format.
  • Additionally, the key naming mechanism was updated to conform with industry best practices.
  • Ory Hydra 2.0 ships a complete refactoring of the internal database structure, reducing database storage at scale and optimizing query performance.
  • All primary keys are now UUIDs to avoid hotspots in distributed systems. Please note that as part of this change it is no longer possible to choose the OAuth 2.0 Client ID. Instead, Ory chooses the best-performing ID format for the petabyte scale.
  • Ory chose to denormalize tables that had a negative performance impact due to excessive JOIN statements.
  • Using BCrypt as the primary hashing algorithm for OAuth 2.0 Client Secrets creates excessive CPU consumption at scale. OAuth 2.0 Client Secrets are auto-generated in Ory Hydra 2.x, removing the need for excessive hashing costs.
  • The new PBKDF2 hasher can be fine-tuned to support hashing at scale without a significant threat model impact.
  • This section only applies in scenarios where Ory Hydra is working in a do-it-yourself fashion e.g. on Docker. An Ory Hydra 2.0 compatible service is already available on the Ory Network.
  • The database schema changed significantly from the previous structure. Please be aware that there might be a period where the database tables will be locked for writes while the upgrade runs. A full backup of the database before upgrading is essential! We recommend trying out the upgrade on a copy of a production database first.
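The notes above describe why Ory Hydra 2.x generates OAuth 2.0 client secrets itself and hashes them with a tunable PBKDF2 hasher instead of bcrypt. The following Go program is an added illustration of that design, not Hydra's own hasher code: it generates a 256-bit secret, stores a PBKDF2-HMAC-SHA256 hash whose iteration count is recorded alongside the salt (so the cost can be raised later without invalidating existing records), and verifies in constant time. The "pbkdf2-sha256$iterations$salt$dk" storage format and the iteration counts are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// PBKDF2 is RFC 8018 PBKDF2 with HMAC-SHA256, written out so the example needs
// nothing outside the standard library. Assumption: this illustrates the
// algorithm only; it is not Hydra's implementation.
func PBKDF2(password, salt []byte, iterations, keyLen int) []byte {
	mac := hmac.New(sha256.New, password)
	hashLen := mac.Size()
	blocks := (keyLen + hashLen - 1) / hashLen
	dk := make([]byte, 0, blocks*hashLen)
	idx := make([]byte, 4)
	for b := 1; b <= blocks; b++ {
		// U1 = PRF(P, S || INT(b)); T_b = U1 xor U2 xor ... xor Uc
		binary.BigEndian.PutUint32(idx, uint32(b))
		mac.Reset()
		mac.Write(salt)
		mac.Write(idx)
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// NewClientSecret returns a random 256-bit secret, base64url encoded. Because
// the server generates it, there is no low-entropy user password to protect,
// which is what allows a cheaper hash than bcrypt at scale.
func NewClientSecret() (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// HashSecret stores "pbkdf2-sha256$iterations$salt$dk" (constructed format) so
// the iteration count can be tuned per record.
func HashSecret(secret string, iterations int) (string, error) {
	if iterations < 1 {
		return "", errors.New("iterations must be >= 1")
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := PBKDF2([]byte(secret), salt, iterations, 32)
	enc := base64.RawStdEncoding // alphabet has no '$', so splitting is safe
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iterations,
		enc.EncodeToString(salt), enc.EncodeToString(dk)), nil
}

// VerifySecret recomputes the hash with the stored parameters and compares in
// constant time so response timing does not reveal how many bytes matched.
func VerifySecret(secret, stored string) (bool, error) {
	parts := strings.Split(stored, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false, errors.New("unrecognised hash format")
	}
	iterations, err := strconv.Atoi(parts[1])
	if err != nil || iterations < 1 {
		return false, errors.New("bad iteration count")
	}
	enc := base64.RawStdEncoding
	salt, err := enc.DecodeString(parts[2])
	if err != nil {
		return false, err
	}
	want, err := enc.DecodeString(parts[3])
	if err != nil {
		return false, err
	}
	got := PBKDF2([]byte(secret), salt, iterations, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

func main() {
	secret, _ := NewClientSecret()
	stored, _ := HashSecret(secret, 25000) // iteration count is an example value
	ok, _ := VerifySecret(secret, stored)
	fmt.Println(stored, ok)
}
```

Raising the iteration count later only requires re-hashing on the next successful verification, since each record carries its own parameters; a record in an unknown format is rejected rather than guessed at.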

Detailed Overview

Find a list of detailed changes below!

SQL Migrations

Run the SQL migrations with:

hydra migrate sql $DSN

SDK changes

Ory Hydra 1.x is a crucial service at Ory. Version 2.0 streamlines the APIs and SDKs to follow Ory API’s semantics and specification.

To better support TB-scale environments, the OAuth2 Client HTTP API's query parameters for pagination have changed from limit and offset to page_token and page_size. The page_token is an opaque string contained in the HTTP Link Header, which expresses the next, previous, first, and last page.
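Because page_token is opaque, a client should never construct or decode it; it should only follow the URIs the server hands back in the Link header. The Go program below is an added example of that pattern and is not Ory's SDK code: it parses RFC 8288 Link entries, pulls page_token out of the rel="next" URI, and walks all pages with a bound and a seen-token check so a looping or misbehaving server cannot keep the client running forever. The /admin/clients URIs, the tokens and the page contents are constructed for the example; the real header's URI shape may differ.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// linkEntry matches one member of an RFC 8288 Link header, e.g.
// </admin/clients?page_size=2&page_token=abc>; rel="next"
var linkEntry = regexp.MustCompile(`<([^>]+)>\s*;\s*rel="([^"]+)"`)

// ParseLinkHeader maps each rel ("next", "prev", "first", "last") to its URI.
func ParseLinkHeader(header string) map[string]string {
	rels := make(map[string]string)
	for _, m := range linkEntry.FindAllStringSubmatch(header, -1) {
		rels[m[2]] = m[1]
	}
	return rels
}

// PageToken pulls the opaque page_token out of a link URI. The client only
// echoes back what the server sent; it never builds or interprets the token.
func PageToken(link string) (string, error) {
	u, err := url.Parse(link)
	if err != nil {
		return "", err
	}
	tok := u.Query().Get("page_token")
	if tok == "" {
		return "", fmt.Errorf("link %q carries no page_token", link)
	}
	return tok, nil
}

// Page is one response: the items plus the raw Link header that came with it.
type Page struct {
	Items []string
	Link  string
}

// CollectAll follows rel="next" until the Link header has none. maxPages and
// the seen-token set bound the walk so a token that loops back on itself is
// reported instead of followed forever.
func CollectAll(fetch func(pageToken string) (Page, error), maxPages int) ([]string, error) {
	var all []string
	token := "" // first request carries no page_token
	seen := map[string]bool{}
	for i := 0; i < maxPages; i++ {
		if seen[token] {
			return nil, fmt.Errorf("page_token %q repeated: pagination loop", token)
		}
		seen[token] = true
		p, err := fetch(token)
		if err != nil {
			return nil, err
		}
		all = append(all, p.Items...)
		next, ok := ParseLinkHeader(p.Link)["next"]
		if !ok {
			return all, nil
		}
		if token, err = PageToken(next); err != nil {
			return nil, err
		}
	}
	return nil, fmt.Errorf("stopped after %d pages", maxPages)
}

// ConstructedPages stands in for the HTTP API: three pages of client IDs with
// Link headers shaped like the ones the release notes describe (constructed).
var ConstructedPages = map[string]Page{
	"": {Items: []string{"client-a", "client-b"},
		Link: `</admin/clients?page_size=2&page_token=t1>; rel="next", </admin/clients?page_size=2&page_token=t2>; rel="last"`},
	"t1": {Items: []string{"client-c", "client-d"},
		Link: `</admin/clients?page_size=2&page_token=t2>; rel="next", </admin/clients?page_size=2&page_token=t0>; rel="prev"`},
	"t2": {Items: []string{"client-e"},
		Link: `</admin/clients?page_size=2&page_token=t1>; rel="prev"`},
}

// FetchConstructed serves ConstructedPages in place of a real HTTP round trip.
func FetchConstructed(pageToken string) (Page, error) {
	p, ok := ConstructedPages[pageToken]
	if !ok {
		return Page{}, fmt.Errorf("unknown page_token %q", pageToken)
	}
	return p, nil
}

func main() {
	ids, err := CollectAll(FetchConstructed, 100)
	fmt.Println(ids, err)
}
```

Swapping FetchConstructed for a function that issues the real request and returns the response body and its Link header is the only change needed to run this against an API.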

Administrative endpoints now have an /admin prefix (e.g. POST /admin/keys instead of POST /keys). Existing administrative endpoints will redirect to this new prefixed path for backward compatibility.

The HTTP endpoint /oauth2/flush, used to flush inactive access tokens, was deprecated and has been removed. Please use hydra janitor instead.

To conform with the Ory V1 SDK, several SDK methods and payloads were renamed. Please check the CHANGELOG for a complete list of changes.

Configuration changes

The iss (issuer) value no longer appends a trailing slash but instead uses the raw value set in the config.

Setting

urls:
  self:
    issuer: https://auth.example.com

has changed the resulting iss value from the old to the new form:

- "iss": "https://auth.example.com/"
+ "iss": "https://auth.example.com"

To set a trailing slash make sure to set it in the config value:

urls:
  self:
    issuer: https://auth.example.com/
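Relying parties that validate iss correctly compare it byte for byte, so a token minted after this change no longer matches a configuration that still expects the trailing slash (and vice versa). The Go program below is an added illustration, not Ory code: it reads iss from a token's payload without verifying the signature (for inspection during a migration only, never for authorisation) and classifies the result as exact, trailing-slash-only or mismatch, so an operator can tell an upgrade artefact apart from a token from an unrelated issuer. The unsigned tokens and the issuer URLs are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// IssuerResult classifies a token's iss claim against the configured issuer.
type IssuerResult int

const (
	IssuerExact     IssuerResult = iota // byte-for-byte equal: the only acceptable outcome
	IssuerSlashOnly                     // equal except for a trailing slash: strict validators reject it
	IssuerMismatch                      // a different issuer entirely
)

func (r IssuerResult) String() string {
	return [...]string{"exact", "trailing-slash-only", "mismatch"}[r]
}

// CompareIssuer never treats the slash variants as equal; it only reports that
// the difference is confined to the trailing slash.
func CompareIssuer(configured, claimed string) IssuerResult {
	if configured == claimed {
		return IssuerExact
	}
	if strings.TrimSuffix(configured, "/") == strings.TrimSuffix(claimed, "/") {
		return IssuerSlashOnly
	}
	return IssuerMismatch
}

// IssuerFromJWT reads iss from the payload of a compact JWS. It deliberately
// does not verify the signature: use it to inspect tokens, not to trust them.
func IssuerFromJWT(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("not a compact JWS (expected three segments)")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", fmt.Errorf("decoding payload: %w", err)
	}
	var claims struct {
		Iss string `json:"iss"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", fmt.Errorf("parsing claims: %w", err)
	}
	if claims.Iss == "" {
		return "", errors.New("iss claim missing")
	}
	return claims.Iss, nil
}

// ConstructedToken builds an unsigned token (alg "none", empty signature)
// carrying the given iss, purely so the example has something to parse offline.
func ConstructedToken(iss string) string {
	enc := base64.RawURLEncoding
	header := enc.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	payload, _ := json.Marshal(map[string]string{"iss": iss, "sub": "client-demo"})
	return header + "." + enc.EncodeToString(payload) + "."
}

// CheckToken combines extraction and comparison for a relying party whose
// configured issuer is `configured`.
func CheckToken(configured, token string) (IssuerResult, error) {
	iss, err := IssuerFromJWT(token)
	if err != nil {
		return IssuerMismatch, err
	}
	return CompareIssuer(configured, iss), nil
}

func main() {
	configured := "https://auth.example.com" // matches the new, slash-less behaviour
	for _, iss := range []string{
		"https://auth.example.com/", // token from before the upgrade
		"https://auth.example.com",  // token from after the upgrade
		"https://other.example.net", // unrelated issuer
	} {
		r, err := CheckToken(configured, ConstructedToken(iss))
		fmt.Printf("iss=%-28s -> %v %v\n", iss, r, err)
	}
}
```

A trailing-slash-only result points at a configuration to align on one side or the other; it is not a reason to loosen the comparison in the relying party.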

CLI Changes

Flags --dangerous-allow-insecure-redirect-url and --dangerous-force-http have been removed. Use the --dev flag instead to denote a development environment with reduced security restrictions.

We now recommend using the Ory CLI to manage OAuth2 resources. As part of this restructuring, some of the commands were renamed. Here are some examples:

- hydra client create
+ ory create oauth2-client

- hydra clients list
+ ory list oauth2-clients

Additionally, array arguments now use the singular form:

hydra create client \
- --redirect-uris foo --redirect-uris bar \
+ --redirect-uri foo --redirect-uri bar \
- --grant-types foo --grant-types bar \
+ --grant-type foo --grant-type bar \
- --response-types foo --response-types bar \
+ --response-type foo --response-type bar \
- --allowed-cors-origins foo --allowed-cors-origins bar \
+ --allowed-cors-origin foo --allowed-cors-origin bar \
- --post-logout-callbacks foo --post-logout-callbacks bar \
+ --post-logout-callback foo --post-logout-callback bar

To manage resources in a do-it-yourself installation, continue using the hydra CLI.

Please check the CHANGELOG for a complete list of changes.

Ory Hydra 2.0 ships with support for OpenTelemetry. The previous telemetry solution using OpenTracing format is deprecated with this release.

Breaking Changes

SDK naming has changed for the following operations:

ory.
-   V0alpha2Api.AdminDeleteOAuth2Token(context.Background()).
+   OAuth2Api.DeleteOAuth2Token(context.Background()).
    ClientId("foobar").Execute()

ory.
-   V0alpha2Api.RevokeOAuth2Token(
+   OAuth2Api.RevokeOAuth2Token(
        context.WithValue(context.Background(), sdk.ContextBasicAuth, sdk.BasicAuth{
            UserName: clientID,
            Password: clientSecret,
        })).Token(token).Execute()

ory.
-   V0alpha2Api.AdminIntrospectOAuth2Token(context.Background()).
+   OAuth2Api.IntrospectOAuth2Token(context.Background()).
    Token(token).
    Scope("foo bar").Execute()

SDK naming has changed for the following operations:

ory.
-   V0alpha2Api.DiscoverJsonWebKeys(context.Background()).
+   WellknownApi.DiscoverJsonWebKeys(context.Background()).
    Execute()

ory.
-   V0alpha2Api.AdminGetJsonWebKeySet(context.Background(), setID).
+   JwkApi.GetJsonWebKeySet(context.Background(), setID).
    Execute()

ory.
-   V0alpha2Api.AdminGetJsonWebKey(context.Background(), setID, keyID).
+   JwkApi.GetJsonWebKey(context.Background(), setID, keyID).
    Execute()

ory.
-   V0alpha2Api.AdminCreateJsonWebKeySet(context.Background(), setID).
-   AdminCreateJsonWebKeySetBody(hydra.AdminCreateJsonWebKeySetBody{
-       Alg: "RS256",
-       Use: "sig",
+   JwkApi.CreateJsonWebKeySet(context.Background(), setID).
+   CreateJsonWebKeySet(hydra.CreateJsonWebKeySet{
+       Alg: "RS256",
+       Use: "sig",
    }).Execute()

ory.
-   V0alpha2Api.AdminUpdateJsonWebKey(context.Background(), setID, keyID).
+   JwkApi.SetJsonWebKey(context.Background(), setID, keyID).
    JsonWebKey(jsonWebKey).Execute()

ory.
-   V0alpha2Api.AdminUpdateJsonWebKeySet(context.Background(), setID).
+   JwkApi.SetJsonWebKeySet(context.Background(), setID).
    JsonWebKeySet(jsonWebKeySet).Execute()

ory.
-   V0alpha2Api.AdminDeleteJsonWebKey(context.Background(), setID, keyID).
+   JwkApi.DeleteJsonWebKey(context.Background(), setID, keyID).
    Execute()

ory.
-   V0alpha2Api.AdminDeleteJsonWebKeySet(context.Background(), setID).
+   JwkApi.DeleteJsonWebKeySet(context.Background(), setID).
    Execute()

v1.11.10

25 Aug 17:41
1a6c220

This release resolves a critical regression introduced in Ory Hydra v1.11.9. Upgrade to this version and skip Ory Hydra v1.11.9 if you have an existing system. The bug can stop existing refresh tokens from working.

It includes no other significant changes.

Bug Fixes

Code Generation

  • Pin v1.11.10 release commit (1a6c220)

Changelog

  • 75bdfc0 autogen(docs): generate and bump docs
  • 40c8c2d autogen(docs): regenerate and update changelog
  • e7faec9 autogen(docs): regenerate and update changelog
  • 958895b autogen(docs): regenerate and update changelog
  • 4b5cc90 autogen(docs): regenerate and update changelog
  • e1bb936 autogen(docs): regenerate and update changelog
  • 1a6c220 autogen: pin v1.11.10 release commit
  • b3abc58 chore: update repository templates
  • 3c0a6ec chore: update repository templates
  • 2cee9e1 chore: update version schema to be compatible with current ory/cli (#3211)
  • 5205a36 ci: pin go to 1.18
  • 1d94bfd ci: workaround for linter issue
  • d40b1da fix: improve refresh webhook getter
  • 2d080a0 fix: omit null lifespans (#3212)
  • 5c4321d fix: regression in session store
  • 7128ad2 fix: remove special char from snapshot symbols
  • 4da64de fix: revert config changes
  • 3bb943a fix: session unmarshalling

Artifacts can be verified with cosign using this public key.

RETRACTED - v1.11.9

01 Aug 13:06
8814e79

☠️ WARNING ☠️

This version contains a regression which can cause the refresh flow to fail for existing consent sessions. Please do not upgrade to this version. For new systems, you can still use this version.
This release introduces two new features:

  • The ability to specify token lifespans on a per-client basis using a new HTTP endpoint;
  • The additional context in the refresh token hook.

Bug Fixes

  • Backport fix for client specific CORS (#1754) (#3163) (996258d)

  • docs: Correct the tracing service name environment variable (6e2343c):

    While I believe this used to be specific to OTEL, it now appears to be
    configurable "globally", according to spec/config.json.

  • Fixed configuration editor for the documentation page (#3105) (0a77a06):

    Closes ory/docs#722

  • Handle server error when refresh token requests come same time (#3207) (e66ba3c)

  • Link OIDC Certification image (#3124) (17b517f)

  • Ping logic for SQL Registry (#3095) (a383b5a), closes #2734

  • Swagger for dynamic client registration (#3141) (9902ec7)

  • Updated process ending instructions (#3176) (b72491e):

    cmd + c doesn't end the process on macOS but ctrl + c does.

Code Generation

  • Pin v1.11.9 release commit (8814e79)

Documentation

Features

  • Add session and requester to refresh token webhook data (#3204) (6d23859), closes #3203

  • Add token_endpoint_auth_signing_alg to cli (#3148) (ed6eb30)

  • Custom client token ttl (#3206) (9544c03), closes #3157:

    This change introduces a new endpoint that allows you to control how long client tokens last. Now you can configure the lifespan for each valid combination of Client, GrantType, and TokenType.

Changelog

  • b0d672d autogen(docs): generate and bump docs
  • 44b2c44 autogen(docs): regenerate and update changelog
  • b62b21b autogen(docs): regenerate and update changelog
  • b5af690 autogen(docs): regenerate and update changelog
  • e586fd7 autogen(docs): regenerate and update changelog
  • 3f96276 autogen(docs): regenerate and update changelog
  • 9bc59be autogen(docs): regenerate and update changelog
  • d0533c4 autogen(docs): regenerate and update changelog
  • dd63a18 autogen(docs): regenerate and update changelog
  • f0cb539 autogen(openapi): regenerate swagger spec and internal client
  • dbf1056 autogen(openapi): regenerate swagger spec and internal client
  • 5c8350e autogen(openapi): regenerate swagger spec and internal client
  • 8814e79 autogen: pin v1.11.9 release commit
  • 5127bb7 autogen: pin v1.11.9-pre.0 release commit
  • 540d932 chore: delete semantic.yml
  • ceada19 chore: deprecate coupon
  • 1faa00b chore: display GitHub Action badge
  • 87b20be chore: replace x/json.go with ory/x's jsonx patch (#3183)
  • c9be891 chore: update repository templates
  • fa87290 chore: update repository templates
  • 88992d3 chore: update repository templates
  • 6b954c2 chore: update repository templates
  • 5a75323 chore: update repository templates
  • 3fa88fc chore: update repository templates
  • f2f1347 chore: update repository templates
  • 2a4ad74 chore: update repository templates
  • fbde500 chore: update repository templates
  • 7925597 docs: fix missing image
  • 6d23859 feat: add session and requester to refresh token webhook data (#3204)
  • ed6eb30 feat: add token_endpoint_auth_signing_alg to cli (#3148)
  • 9544c03 feat: custom client token ttl (#3206)
  • 6e2343c fix(docs): correct the tracing service name environment variable
  • 996258d fix: backport fix for client specific CORS (#1754) (#3163)
  • 0a77a06 fix: fixed configuration editor for the documentation page (#3105)
  • e66ba3c fix: handle server error when refresh token requests come same time (#3207)
  • 17b517f fix: link OIDC Certification image (#3124)
  • a383b5a fix: ping logic for SQL Registry (#3095)
  • 9902ec7 fix: swagger for dynamic client registration (#3141)
  • b72491e fix: updated process ending instructions (#3176)

Artifacts can be verified with cosign using this public key.

v1.11.8

04 May 11:05
337ab3e

This release resolves issues in the log module, improves the SDK type definitions, and introduces new configuration options to HSM.

Bug Fixes

Code Generation

  • Pin v1.11.8 release commit (337ab3e)

Documentation

Features

  • Add hsm key set prefix to support multiple hydra instances on the same hsm partition (#3066) (90523fd):

    This pull request adds configuration option hsm.key_set_prefix to support multiple Ory Hydra instances to store keys on the same HSM partition. For example if hsm.key_set_prefix=app1. then key set hydra.openid.id-token would be generated/requested/deleted on HSM with CKA_LABEL=app1.hydra.openid.id-token

    This will not affect Hydra API in any way. GET /keys/hydra.openid.id-token will return key set from HSM with label app1.hydra.openid.id-token.

  • Add support for trust grants that can issue tokens for any subject (#3012) (a3c4304), closes #2930:

    Previously, a trust relationship had to be set up for every subject
    before the issuer could sign a JWT token for it. This change will allow
    setting up token services that can issue tokens with any value in the
    subject field.

  • Async backchannel logout (#2849) (22e1ebb)

  • Backchannel request logging (#3067) (6dda48d)

  • Make sensitive log value redaction text configurable (#3040) (536352c)

Tests

Changelog

  • e06dd6a autogen(docs): generate and bump docs
  • b548c5a autogen(docs): regenerate and update changelog
  • 7739439 autogen(docs): regenerate and update changelog
  • 152bddd autogen(docs): regenerate and update changelog
  • b00d2b9 autogen(docs): regenerate and update changelog
  • f2bef45 autogen(docs): regenerate and update changelog
  • 1f0e79c autogen(docs): regenerate and update changelog
  • fff6491 autogen(docs): regenerate and update changelog
  • 8adbfb0 autogen(docs): regenerate and update changelog
  • 48449f6 autogen(docs): regenerate and update changelog
  • 924be24 autogen(docs): regenerate and update changelog
  • f9338e4 autogen(docs): regenerate and update changelog
  • a2afc75 autogen(docs): regenerate and update changelog
  • 7d89963 autogen(docs): regenerate and update changelog
  • e3236dd autogen(docs): regenerate and update changelog
  • 05286df autogen(docs): regenerate and update changelog
  • 835cb78 autogen(docs): regenerate and update changelog
  • 1e4e328 autogen(docs): regenerate and update changelog
  • 1056795 autogen(docs): regenerate and update changelog
  • 7602b4c autogen(openapi): regenerate swagger spec and internal client
  • b17b474 autogen(openapi): regenerate swagger spec and internal client
  • 2217648 autogen(openapi): regenerate swagger spec and internal client
  • 23bc3e9 autogen(openapi): regenerate swagger spec and internal client
  • 83c918a autogen: add v1.11.7 to version.schema.json
  • 337ab3e autogen: pin v1.11.8 release commit
  • f06505f chore(deps): bump async from 2.6.2 to 2.6.4 in /test/e2e/oauth2-client (#3073)
  • 57693f6 chore(deps): bump async from 3.2.0 to 3.2.3 (#3069)
  • ff10e17 chore(deps): bump minimist from 1.2.5 to 1.2.6 (#3045)
  • 5768671 chore(deps): bump minimist in /test/e2e/oauth2-client (#3047)
  • 9eabc7d chore(deps): update alpine version (#3036)
  • 222a01b chore: bump ory/fosite to v0.42.2 (#3077)
  • 184d322 chore: improve Dockerfiles (#3052)
  • f320673 chore: update repository templates
  • 849af9f chore: update repository templates
  • 980c2d8 docs: update README (#3032)
  • c46f780 docs: update pricing
  • 90523fd feat: add hsm key set prefix to support multiple hydra instances on the same hsm partition (#3066)
  • a3c4304 feat: add support for trust grants that can issue tokens for any subject (#3012)
  • 22e1ebb feat: async backchannel logout (#2849)
  • 6dda48d feat: backchannel request logging (#3067)
  • 536352c feat: make sensitive log value redaction text configurable (#3040)
  • 646459a fix(sdk): correct polymorph type for consent session (#3074)
  • d654911 fix(sdk): incorrect title (#3014)
  • 51f6c5d fix: add limit and offset to pagination (#3062)
  • 00100a1 fix: add missing flags to config schema
  • 3115dde fix: configure audit logger (#3022)
  • 422d422 fix: do not use cached version
  • 270dbe0 fix: generated consent model (#3076)
  • e711273 fix: proper response types for 404 errors (#3072)
  • 1590542 fix: remove extraneous call to driver.init() (#3093)
  • d4b2696 fix: remove unnecessary transaction (#3029)
  • ebd1694 fix: sync ports between Dockerfiles and comments (#3027)
  • 7d378f1 fix: typo README (#3078)
  • 2b024b4 fix: use default for env var
  • d38f6e6 test: ensure generator checks are executed (#3061)

Artifacts can be verified with cosign using this public key.

v1.11.7

23 Feb 10:47
510615b

Ory Hydra has a new place for documentation at github.com/ory/docs and www.ory.sh/docs/hydra! Additionally, the CI/CD infrastructure was moved to GitHub actions.

Code Generation

  • Pin v1.11.7 release commit (510615b)

Changelog

  • 510615b autogen: pin v1.11.7 release commit

Artifacts can be verified with cosign using this public key.

v1.11.6

23 Feb 08:08
49d0d75

Ory Hydra has a new place for documentation at github.com/ory/docs and www.ory.sh/docs/hydra! Additionally, the CI/CD infrastructure was moved to GitHub actions.

Code Generation

  • Pin v1.11.6 release commit (49d0d75)

Changelog

  • 49d0d75 autogen: pin v1.11.6 release commit

Artifacts can be verified with cosign using this public key.

v1.11.5

21 Feb 12:20
743468e

Ory Hydra has a new place for documentation at github.com/ory/docs and www.ory.sh/docs/hydra! Additionally, the CI/CD infrastructure was moved to GitHub actions.

Code Generation

  • Pin v1.11.5 release commit (743468e)

Changelog

  • 743468e autogen: pin v1.11.5 release commit

Artifacts can be verified with cosign using this public key.

v1.11.4

16 Feb 11:59
9e731b6

autogen: pin v1.11.4 release commit

Bug Fixes

Code Generation

  • Pin v1.11.4 release commit (9e731b6)

Changelog

  • 3536a98 autogen(docs): regenerate and update changelog
  • 0fa1a53 autogen(docs): regenerate and update changelog
  • 39c82fc autogen(docs): regenerate and update changelog
  • 950f25a autogen(docs): regenerate and update changelog
  • 3659006 autogen(openapi): regenerate swagger spec and internal client
  • 2c80bc6 autogen(openapi): regenerate swagger spec and internal client
  • bad5b04 autogen(openapi): regenerate swagger spec and internal client
  • 89a6a91 autogen(openapi): regenerate swagger spec and internal client
  • 9e731b6 autogen: pin v1.11.4 release commit
  • b00f5ec autogen: pin v1.11.4-pre.0 release commit
  • 96798db autogen: pin v1.11.4-pre.1 release commit
  • 8b1c967 autogen: pin v1.11.4-pre.2 release commit
  • b768bb5 fix: pass swag-spec-location to sdk-release (#2994)

Artifacts can be verified with cosign using this public key.

v1.11.3

15 Feb 08:13
a3dd4ee

autogen: pin v1.11.3 release commit

Bug Fixes

  • Comply with new fosite persister interface (#2990) (4c91a39)

Code Generation

  • Pin v1.11.3 release commit (a3dd4ee)

Changelog

  • 52ebedb autogen(docs): regenerate and update changelog
  • 8a966e8 autogen(docs): regenerate and update changelog
  • dec52a1 autogen(docs): regenerate and update changelog
  • e6ec7f3 autogen(openapi): regenerate swagger spec and internal client
  • ce6c4f8 autogen(openapi): regenerate swagger spec and internal client
  • dec56ed autogen(openapi): regenerate swagger spec and internal client
  • a3dd4ee autogen: pin v1.11.3 release commit
  • 067438f ci: use ory/ci/checkout (#2991)
  • 4c91a39 fix: comply with new fosite persister interface (#2990)

Artifacts can be verified with cosign using this public key.