v1.9.0

Today, we are very excited to announce the stable release of ORY Hydra 1.9! This release contains significant internal code refactoring, making ORY Hydra more reliable, lightweight, and even more scalable! Also, for the first time ever, ORY Hydra handled over 13.3 billion API requests in December 2020 in over 23.000 production environments around the globe.

Let's talk features - in a TL;DR overview:

• Completely replacing the existing DBAL and switching to gobuffalo/pop.
• Support for SQLite, an embedded database, which can be used for testing and tiny deployments.
• Deprecating the existing configuration system spf13/viper and moving to knadh/koanf.
• Adding OpenID Connect Conformity Test Suite to the CI, guaranteeing that every code change is fully OpenID Connect compliant.
• Support for the OpenID Connect response_mode=form_post Response Mode.
• Compatibility with MITREid, allowing easy migration from MITREid to ORY Hydra.
• The TypeScript SDK moved from @oryd/hydra-client to @ory/hydra-client. Please update your dependencies!

If you wish to get into ORY Hydra, check out the new YouTube tutorial:

See you on slack, signed HACKERMAN.

ORY Kratos

We would like to take a bit of your time and introduce you to ORY Kratos. ORY Kratos implements all the hard things related to users: login, registration, customizable profile fields, multi-factor authentication scheduled for v0.6, secure account recovery, email and SMS verification, profile management, session and device management, user administration, social sign in and sign up, and much, much more! Everything works with proven and ORY-hardened protocols in the same lightweight fashion you are used to from our other products. And it natively targets mobile, desktop, web, and robots! ORY Kratos is essentially an open-source alternative to Auth0, Okta, and Google Firebase with the added benefit of avoiding the complexity of implementing OAuth2 and OpenID Connect for your first-party apps just to get login to work. So if you are wondering whether you really need OAuth2, this is worth your time!

To get a feeling for ORY Kratos, check out our exemplary React Native app (available on GitHub, Android and iOS) demonstrating user registration, login, and profile management. It uses APIs from ORY Cloud, which will be publicly announced this year. If you are interested in becoming an early adopter, get in touch now! We have more super exciting stuff planned!

Changes in-depth

Let's break down the most significant changes in more detail:

The configuration system has been reworked

1. Configuration sourcing works from all sources (file, env, cli flags) with validation against the configuration schema. This makes changing or updating configuration much easier.
2. Configuration reloading is improved and works on Kubernetes.
3. Performance gains remove the need for a cache layer between the configuration system and ORY Hydra.
4. Loading of several config files is now possible using the --config flag.
5. Configuration values are now sent to the tracer (e.g. Jaeger) if tracing is enabled.

Please be aware that deprecated configuration flags have been removed with this change. It is also possible that ORY Hydra might complain about an invalid configuration due to a significantly improved validation process.

The OpenID Connect Conformity Test Suite is now part of the ORY Hydra CI pipeline.

This means every PR and change will be checked for OpenID Connect Compliance. As part of these tests, we uncovered some regression issues which have since been resolved. Please be aware that fields error_hint and error_debug will no longer be sent. You can re-enable those legacy fields by setting oauth2.include_legacy_error_fields to true.

Supporting response_mode=form_post

Support OpenID Connect flows response_mode=form_post was added and has been tested with the OpenID Connect Conformity Test Suite, making it ready for production.

Compatibility with MITREid

Adds an option that allows granting the OAuth2 Client's authorized scope when performing a client_credentials flow without specifying a scope. This enables compatibility with MITREid and allows migrating from MITREid to ORY Hydra.

Refactoring the internal DBAL

We completely refactored the internal database abstraction layer (DBAL). We have been using gobuffalo/pop successfully in ORY Kratos and decided to move the ORY Hydra DBAL to gobuffalo/pop as well. As part of this refactoring, ORY Hydra now supports SQLite for both in-memory as well as on-disk databases, de-duplicating the codebase and allowing for quick and easy persistence in test environments.

Changelog 1.9.0 (2021-01-12)

Bug Fixes

• Add 400 as possible reply to /oauth2/token (24daede), closes #2260

• Bump ory/x and update config usage (#2248) (4937a00)

• Do not require unset pairwise (4136aaf)

• Improve version regex (17d9599), closes #2255

• Update schema reference for subject_identifiers.supported_types (0e14a08), closes #2270

• Add encrypt_at_rest option to config schema (3219c16)

• Add required aud, jti claims to userinfo response (d0697fa)

• Add standardized client registration errors (02a9137):

  Adds new errors to fully comply with the OpenID Connect Dynamic Client Registration specification.

• Allow all request object signing algs per default (edc54c2):

  This patch resolves an issue where RS256 would be the only allowed request object signing algorithm. The spec however mandates that all algorithms are allowed if the client does not explicitly set the request object signing algorithm.

• Allow lower bcrypt values and add tests (812a21c)

• Document describe error (#2208) (b59bdf8)

• Ensure consistent auth_time in session handling (e973ffe)

• Increase parallelism to 4 (ae02706)

• Mark false gosec positive (206d1ee)

• Nonce is not required for hybrid flows (c708ada)

• Quickstart yml (5ebd984)

• Remove session from store on logout (4495f56):

  This patch resolves an issue where the session would not be purged from the store when performing an RP-initiated logout request from a client, if said client does not purge the authentication session properly because the client does not have access to it or because the client misbehaves.

• Remove unrelated quickstart entry (#2214) (a583d78), closes #2213

• Request_id should not be unique (a8ca333):

  This patch resolves an issue where certain OpenID Connect Hybrid flows would error with a UNIQUE violation. The cause of this issue was an incorrect UNIQUE constraint on the request_id field of the access, refresh, pkce, and other, similar tables.

• Resolve broken quickstart (95a1dfb)

• Update deprecated config in quickstart (1c1433a)

• Update invalid quickstart config (8d076a5)

• Update package lock (18bfc96)

• Update schema to support new koanf (29763c8)

• Add support for tracing to SQL (b3dda7c)

• Address pop inconsistencies and update tests (8f3462f)

• CGO build issues on Windows and Go 1.15+ (1c1fe19)

• Do not require sqlite and CGO for other databases (8069205)

• Do not run migrations in background (308edb9)

• Explicitly set pwd in makefile (aeb1090)

• Goreleaser add docker images (7a81908)

• Improve cli flags and add -c config flag (bf3be84)

• Improve schema typing for tracing (4cc25c3)

• Improve tests and pop adapter (1354611)

• Remove explicit cve allowlist (90caeda), closes #2117

• Remove obsolete makefile targets (dc5d37f)

• Remove unnecessary transactions (1df50ec)

• Remove websocket direct dep (d525983), closes #2111

• Run tests only once (4e1d0f6)

• Set context in connection getter (644967a)

• Update docker and quickstart examples (b01c246)

• Update format to goimports (c4438b0)

• Use context in transaction creator (db0ac86)

• Use sqlite for standalone (e5b7147)

• Add docs format to make format (cfa50fe)

• Client update breaks primary key (#2150) (7662917), closes #2148

• Explicitly use no-CGO images for non-SQLite (1ec2d1d)

• Force brew install statement (0252b5a)

• Update install script (c614c0b)

Documentation

• Add note about mounting the config file when using docker (#2235) (766e8f1), closes #2231

• Change deprecated fallback url (#2275) (0bf61aa), closes #2254

• Client api upper bound on limit parameter (#2277) (bc2bbd2), closes #2267

• Corrected a link within the docs (#2257) (0dd4e64)

• Fix incorrect version replacements (70a6b8f)

• Fix typo (#2264) (82ba2df)

• OAUTH2_ERROR_URL -> URLS_ERROR (#2263) (f9b8205)

• Oidc.subject_identifiers config key change (#2232) (2172f25):

  oidc.subject_identifiers.enabled is now oidc.subject_identifiers.supported_types. Docs should get updated.

• Update install from source instructions (bcfd9b7)

• Add config debug section (c53f036)

• Add contributing to sidebar (#2209) (21f3b1f):

  Added Contributing Guidelines to the introduction menu point on the sidebar.
  I think it should be as obvious as possible.
  Another good solution would be to add them to the top bar?

  If this is merged, I will do the same changes for Kratos/Oathkeeper/Keto.

• Add newsletter banner (5b63aa4)

• Add quickstart video (#2220) (d4aa981)

• Bcrypt reference config (#2161) (e7eece2), closes #2077

• Deps are installed automagically and make deps was removed (#2157) (25e96e2), closes #2154

• Fix omissions in consent flow description (#2194) (d9d719a)

• Minor improvements to the concepts/consent page (#2168) (1128cfc)

• Update links and fix typos (#2169) (409f2f4)

• Update toc (#2158) (ee4a9ed), closes #2153

• Use codefromremote for consent samples (51c0874)

• Add hypnoglow terraform provider (7ed8870), closes #1304

• Correct port (#2101) (487e733), closes #2100

• Correct port (#2102) (7aca301), closes #2100

• Fix typo (71a4495)

• Remove obsolete doc section (443a225)

• Swagger route headline capitalization (4540ece), closes #2015

• Update code listings and image tags (3cd22c4)

• Update sql instructions (bfed7f2)

• Updates kubernetes helm chart url (6d63a73)

• Add missing trailing slash (97bc47d)

• Replace dex with keycloak (fa877d7), closes #2128

• Version bash-curl script (71b0592), closes #2145

Code Refactoring

• Deprecate driver semantics (8fc3e2e)

• Move oauth2 cors to own package (3beddbd)

• Rename token_type to token_use in introspection (152fd5d), closes #1762

• Replace viper with koanf config management (8c12b27)

• Move Dockerfiles to .docker directory (5508f2a)

• Use gobuffalo/pop for SQL abstraction (#2059) (56bce67), closes #1730:

  This patch replaces the existing SQL and memory managers with a pop based persister. Existing SQL migrations are compatible as they have been migrated to the new SQL abstraction in version 1.7.x. As a goodie, ORY Hydra now supports SQLite for both in-memory as well as on-disk (useful for development and very small deployments) databases!

Features

• Add ability to override oidc discovery urls (bb8b982):

  Added config options webfinger.oidc_discovery.token_url, webfinger.oidc_discovery.auth_url, webfinger.oidc_discovery.jwks_url.

• Add new request_object_signing_alg_values_supported to oidc discovery (4220959)

• Add oidc conformity tests (651f424)

• Add support for ElasticAPM tracing (#2155) (7792715)

• Improve and clean up error handling (b727367)

• Improve error responses for consent handler (44ab747)

• Improve error stack trace wrapping (fdf142c)

• Only set state-param if it was passed (#2183) (568434a):

  Using state in the logout flow is optional, so state can be empty. In order to avoid an ugly /post-logout-redirect-uri?state= URI, the state should only be appended if it is not empty.

• Remove legacy error fields unless configured to do so (e2a7135)

• Support OpenID Connect's response_mode=form_post (8ab9eff), closes #1621:

  This patch adds support for the response_mode parameter as defined in OAuth 2.0 Form Post Response Mode. Additionally, values fragment and query are supported as defined in OAuth 2.0 Multiple Response Type Encoding Practices.

• Support pkger (07a360e)

• Add configuration option to grant default client_credential scope when no scope is requested (#2144) (0b1de34), closes #2141:

  Adds an option which allows granting the OAuth2 Client's authorized scope when performing a client_credentials flow without specifying a scope. This enables compatibility with MITREid.

• Implement docker for quickstart (8e64202)

• Re-enable freebsd (2f19837), closes #2116 #2115

• Support sqlite in goreleaser (e946487)

Tests

• Add timeout to wait (90dfaf5)

• Completely refactor consent tests (defc063)

• Fix jwt e2e tests (1b480d8)

• Improve github action conformity tests (1015e49)

• Improve TestClientCredentialsGrantAllScopes (19409b4)

• Increase timeout for conformity (a65d289)

• Oidc conformity tests should run as workflow dispatch (5b8fa0a)

• Refactor client credential tests (b74cffa)

• Refactor consent logout tests and add failing case (ef12c06)

• Refactor oauth2 auth code tests (c376473)

• Resolve conformity test suite concurrency issues (ef312c3)

• Resolve e2e startup issues (5af4cef)

• Resolve e2e test failures (03f5e8e)

• Resolve failing rotation key tests (8e8b943)

• Resolve flaky test issue (e17a074)

• Resolve incorrect retry loop (ef141c2)

• Retry conformity failures (409ae42)

• Retry interrupted tests (c72367b)

• Skip preloading in migration tests (14272f2)

• Update config to pass validation (6931461)

• Use 16 workers for conformance (9cf0e65)

• Use correct test context (45bc907)

• Use prebuilt images for conformity testing (4dd7a62)

• Fix confusing expected/got (#2135) (14b6db2):

  And fixed assert.EqualError params in right order in TestStrategyLoginConsent

• Move tests to persistence (46d0571)

• Remove unused expectSession variable (#2134) (eda8532)

• Write migrate logs to file (9a1fbd8)

• Fix misused id field (#2152) (511e8d2)

Unclassified

• Format (5f08ff2)

BREAKING CHANGES

• After battling with spf13/viper for several years we finally found a viable alternative with knadh/koanf. The complete internal configuration infrastructure has changed, with several highlights:

1. Configuration sourcing works from all sources (file, env, cli flags) with validation against the configuration schema, greatly improving developer experience when changing or updating configuration.
2. Configuration reloading has improved significantly and works flawlessly on Kubernetes.
3. Performance increased dramatically, completely removing the need for a cache layer between the configuration system and ORY Hydra.
4. It is now possible to load several config files using the --config flag.
5. Configuration values are now sent to the tracer (e.g. Jaeger) if tracing is enabled.

Please be aware that deprecated configuration flags have finally been removed with this change. It is also possible that ORY Hydra might complain about an invalid configuration, because the validation process has improved significantly.

• This patch requires running SQL Migrations. Please be aware that a NOT NULL column is being dropped which could require a lot of time when the authentication_session table contains a lot of data.
• This patch removes error_hint and error_debug fields from OAuth2 responses. These are now all merged into error_description which is according to the OAuth2 and OpenID Connect specification. If you wish to keep the old behavior around, set oauth2.include_legacy_error_fields to true in your ORY Hydra configuration.
• Applying this patch requires running SQL migrations. The SQL migrations will remove a UNIQUE constraint and add new INDEX to several tables which should speed up certain operations. Please be aware that this might cause certain databases to lock which could be problematic if there are many rows affected.
• This changes the OAuth2 Token Introspection response to ensure compliance with the OAuth2 Token Introspection specification. Previously, token_type would return access_token or refresh_token. The specification however mandates that token_type is always Bearer. This patch resolves that issue. The previous behaviour of token_type has now been moved to token_use which can be access_token or refresh_token.

Docker images

• docker pull oryd/hydra:v1
• docker pull oryd/hydra:v1.9
• docker pull oryd/hydra:v1.9.0
• docker pull oryd/hydra:v1.9.0
• docker pull oryd/hydra:latest
• docker pull oryd/hydra:v1-alpine
• docker pull oryd/hydra:v1.9-alpine
• docker pull oryd/hydra:v1.9.0-alpine
• docker pull oryd/hydra:v1.9.0-alpine
• docker pull oryd/hydra:latest-alpine
• docker pull oryd/hydra:v1-sqlite
• docker pull oryd/hydra:v1.9-sqlite
• docker pull oryd/hydra:v1.9.0-sqlite
• docker pull oryd/hydra:v1.9.0-sqlite
• docker pull oryd/hydra:latest-sqlite