
Releases: ory/hydra

v1.11.2

11 Feb 14:50
7c099f8

autogen: pin v1.11.2 release commit

Code Generation

  • Pin v1.11.2 release commit (7c099f8)

Changelog

  • 7c099f8 autogen: pin v1.11.2 release commit

Artifacts can be verified with cosign using this public key.

v1.11.0

21 Jan 11:15
5355a1a

Happy new year! We are excited to announce to you the next iteration of Ory Hydra: Version 1.11.0!

This version has significant new features contributed by the awesome Open Source Community - you! But not only that:

Ory Hydra 2.0 is coming!

While a major version, we intend to keep all APIs with as few breaking changes as possible. The efforts focus on some long-standing issues in the persistence layer. In particular, data growth rate and performance improvements are the focus areas! If you are interested to see what is going on, check out PR #2796

And Ory Hydra 2.0 will be available as an API in Ory Cloud! If you are interested in Ory Cloud, apply to Ory Acceleration Program and receive a one-year free subscription for Ory Cloud's Start-Up plan. The Start-Up plan comes with convenient features such as custom domains and unlimited identities/tokens!

More on timelines and Ory Hydra 2.0 plans will follow later this year.

If these changes are not exciting enough already, Ory Hydra now supports loading Private and Public Keys from Hardware Security Modules, a physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication, and other cryptographic functions. Thank you @aarmam for this amazing work! For more information, please read the guide.

Next up, Ory Hydra now natively supports the OpenID Connect Dynamic Client Registration and OAuth2 Dynamic Client Registration Protocol which can be enabled (optionally) in the configuration! Thank you @fjvierap for your hard work!

We do not stop there: @Xopek and @jagobagascon added support for the JSON Web Token (JWT) Profile for OAuth 2.0 Authorization Grants (RFC7523) to Ory Hydra! This major improvement allows Ory Hydra to have an even better integration API than before!

For our Apple users and everyone eyeballing ARM64, we now distribute binaries and Docker Images for all platforms and CPU architectures, including Apple M1, Linux ARM (v6, v7, v8, ARM64), and - this is new - FreeBSD!

Lastly, we resolved a bug in the configuration loading which now allows loading complex configuration keys from environment variables without hassle!

Please notice that this release requires SQL migrations to be applied! As always, please make a backup before applying them!

Breaking Changes

To celebrate this change, we cleaned up the ways you install Ory software. There is now one central brew / bash curl repository:

-brew install ory/hydra/hydra
+brew install ory/tap/hydra

-bash <(curl https://raw.githubusercontent.com/ory/kratos/master/install.sh)
+bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) hydra

Endpoint PUT /clients now returns a 404 error when the OAuth2 Client to be updated does not exist. It returned 401 previously. This change requires you to run SQL migrations!

Co-authored-by: fjviera javier.viera@mindcurv.com

Please notice that this change requires SQL migrations to be applied! As always, please make a backup before applying them!

Co-authored-by: aeneasr 3372410+aeneasr@users.noreply.github.com
Co-authored-by: Jagoba Gascón jagoba@arima.eu
Co-authored-by: Gajewski Dmitriy dmit8815@gmail.com

Bug Fixes

  • Add hiring notice to README (#2893) (0a73d8b)

  • Bump deps (#2868) (b287287)

  • Contributors is upper case (5bad542)

  • Error handling in persister (#2860) (33d75d7)

  • FreeBSD build issue, env loading, add OTEL tracing (5158faa), closes #2597 #2912:

    This fix addresses an issue where configuration values in arrays could not be loaded from environment variables, which is now possible. For more information on how Ory Hydra parses configuration, head over to the documentation!

    Additionally, this PR resolves a build issue on FreeBSD - making it now possible to compile Ory Hydra with the FreeBSD target.

    Lastly, this change adds OpenTelemetry support!

  • Missing imports (42fec62)

  • Missing stack traces (#2858) (1441658)

  • Patch should not reset client secret (#2872) (895de01), closes #2869

  • Remove codecov report for internal testhelpers (52a77a3), closes #2871

  • Remove contributors file (565aa2d)

  • Update v1.10 installation instructions for linux (#2799) (45afd0d):

    The documentation for how to install hydra on linux is still using the old version tags

  • Use pop/v6 (b284353)

  • Version info nil on version api endpoint (#2894) (440e0b8)

Code Generation

  • Pin v1.11.0 release commit (5355a1a)

Documentation

Features

  • Add list of authors (#2831) (511a668), closes #2829

  • Add shellcheck to circleci (#2835) (38cbcc0), closes #2832

  • docs: Opentelemetry tracing (74da7b6)

  • ES256 for JWK generation (#2828) (5795bc3), closes #2453

  • Hardware Security Module support (#2625) (7578aa9):

    This change introduces support for Hardware Security Modules, a physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication, and other cryptographic functions.

    If enabled, the Hardware Security Module is used to look up any keys. If no key is found, the software module is used as a fallback for lookup. This allows you to use the HSM for privileged keys, and the software module to manage lifecycle keys (e.g. for Token Exchange).

    For more information, please read the guide.

    Thank you to aarmam for this great contribution!

  • Native ARM64 support in Docker and Binaries (abffb09):

    This release adds important security updates for the base Docker Images (e.g. Alpine). Additionally, Ory Hydra now has full ARM support, and the binaries are now downloadable for all major platforms.

  • OpenID Connect Dynamic Client Registration and OAuth2 Dynamic Client Registration Protocol (#2909) (6a18f62), closes #2568 #2549:

    This feature adds first-class support for two IETF RFCs and one OpenID Spec:


v1.10.6

28 Aug 19:06
f1771f1

Changelog

2f01882 autogen(docs): generate and format documentation
ba9501c autogen(docs): generate and format documentation
8889048 autogen(docs): generate and format documentation
3d08e96 autogen(docs): regenerate and update changelog
699c022 autogen(docs): update milestone document
10944a7 autogen: add v1.10.5 to version.schema.json
f1771f1 autogen: pin v1.10.6 release commit
57b41e9 chore: update x/sys to support go 1.17 (#2687)
87f4a58 docs: section for debugging jwks based client errors (#2680)
184a3c4 fix: documentation SYSTEM_SECRET -> SECRETS_SYSTEM (#2686)
df08c7f fix: typo in errors.go (#2699)

Docker images

  • docker pull oryd/hydra:v1-sqlite
  • docker pull oryd/hydra:v1.10-sqlite
  • docker pull oryd/hydra:v1.10.6-sqlite
  • docker pull oryd/hydra:latest-sqlite
  • docker pull oryd/hydra:v1
  • docker pull oryd/hydra:v1.10
  • docker pull oryd/hydra:v1.10.6
  • docker pull oryd/hydra:latest
  • docker pull oryd/hydra:v1-alpine
  • docker pull oryd/hydra:v1.10-alpine
  • docker pull oryd/hydra:v1.10.6-alpine
  • docker pull oryd/hydra:latest-alpine

v1.10.5

17 Aug 08:58
0456f54

This patch introduces a faster and better janitor (database clean up routine), the ability to filter OAuth2 Clients by owner and name, and resolves a regression when parsing config environment variables.

Changelog

7374431 autogen(docs): generate and format documentation
447451f autogen(docs): generate and format documentation
6f5c01a autogen(docs): generate cli docs
3a48df6 autogen(docs): update milestone document
a8675dd autogen(docs): update milestone document
b808501 autogen(docs): update milestone document
cbf1c97 autogen(openapi): Regenerate swagger spec and internal client
4a66d0c autogen: add v1.10.3 to version.schema.json
16381f4 autogen: add v1.10.5-pre.1 to version.schema.json
a5d30aa autogen: pin v1.10.4 release commit
0456f54 autogen: pin v1.10.5 release commit
94cda7a autogen: pin v1.10.5-pre.0 release commit
ba5547a autogen: pin v1.10.5-pre.1 release commit
4f74591 chore: adjust CODEOWNERS (#2659)
23bd2f7 chore: update docusaurus template
8d36817 chore: update docusaurus template (#2647)
575dc3f chore: update docusaurus template (#2655)
a4e9461 chore: update docusaurus template (#2658)
5a81130 chore: update repository templates
a30f9d0 chore: update repository templates (#2656)
7ec3919 chore: update x library (#2674)
4083684 docs: add long flag --grant-types in 5min tutorial (#2650)
ea6fdfd feat: add owner/name filter to list clients (#2637)
6ea0bf8 feat: improve delete queries for janitor command (#2540)
564d18b fix: docs generator
81ab0af style: format

Docker images

  • docker pull oryd/hydra:v1-sqlite
  • docker pull oryd/hydra:v1.10-sqlite
  • docker pull oryd/hydra:v1.10.5-sqlite
  • docker pull oryd/hydra:latest-sqlite
  • docker pull oryd/hydra:v1
  • docker pull oryd/hydra:v1.10
  • docker pull oryd/hydra:v1.10.5
  • docker pull oryd/hydra:latest
  • docker pull oryd/hydra:v1-alpine
  • docker pull oryd/hydra:v1.10-alpine
  • docker pull oryd/hydra:v1.10.5-alpine
  • docker pull oryd/hydra:latest-alpine

v1.10.3

14 Jul 15:22
ea93158

Ory Hydra v0.10.3 brings several bug fixes and configuration features, in particular:

  1. Adding the hydra keys import command;
  2. Passing the client_id in the logout request;
  3. Resolving prometheus cardinality issues;
  4. Moving to go-jose for JSON Web Keys and JSON Web Tokens;
  5. Supporting PKCE discovery in /.well-known/;
  6. Support for Instana tracing.

For a full list of changes, please check below!

Bug Fixes

  • Add RFC 8414 pkce info to OpenID Connect Discovery (#2547) (9693168), closes #2311

  • Add the missing keys import command (#2521) (c4bc248), closes #2520

  • Audience should include client ID (#2455) (8c70394)

  • Build issues (5de255b)

  • Correct CodeFromRemote syntax (#2626) (d3ee859)

  • Intro docs (#2602) (bc87822)

  • No more windows workaround (#2632) (db73b44), closes #2160

  • oauth2: Enforce assertion check on userinfo aud field (#2524) (c463d9f):

    This is so the check on the ok variable is effectual. Prior to this patch the type assertion on the *client.Client was setting the value of ok. Due to the fact the type assertion on *client.Client is already checked and on a false value it exits the func, this value will always be true.

  • Prometheus URL label (#2503) (f588ec6), closes #2502

  • README exemplary apps (#2579) (60e7042)

  • Resolve config parsing regression (58deacf), closes #2518

  • Resolve sdk build issues (68976f8)

  • Resolve sdk build issues (1807e89)

  • Resolve swagger generation issues (#2610) (53a50dd)

  • Use prebuilt ory cli and bump ory/x (#2605) (0f95e01), closes #2596

  • Wrong description (#2589) (5553a6f), closes #2587

  • WWW-Authenticate header in userinfo handler (#2454) (f701b28)

Code Generation

  • Pin v1.10.3 release commit (ea93158)

Code Refactoring

  • Integrate with fosite v0.40 (go-jose migration) (#2526) (5bdc4bc)

Documentation

Features

Changelog

77d1000 autogen(docs): generate and format documentation
dbdc00c autogen(docs): generate and format documentation
379f34a autogen(docs): generate and format documentation
a27b057 autogen(docs): generate and format documentation
eddfa2d autogen(docs): generate and format documentation
754bb41 autogen(docs): generate and format documentation
64022e8 autogen(docs): generate and format documentation
cc1d698 autogen(docs): generate and format documentation
1558174 autogen(docs): generate and format documentation
2839bc8 autogen(docs): generate cli docs
fdfe7eb autogen(docs): generate cli docs
fe63f3f autogen(docs): regenerate and update changelog
371a9ae autogen(docs): regenerate and update changelog
b98676e autogen(docs): update milestone document
6b29f75 autogen(docs): update milestone document
0324739 autogen(docs): update milestone document
8debee7 autogen(openapi): Regenerate swagger spec and internal client
9702d38 autogen(openapi): Regenerate swagger spec and internal client
70cd4a2 autogen(openapi): Regenerate swagger spec and internal client
b597c88 autogen(openapi): Regenerate swagger spec and internal client
02f766c autogen(openapi): Regenerate swagger spec and internal client
bdbb775 autogen(openapi): Regenerate swagger spec and internal client
be8de37 autogen(openapi): Regenerate swagger spec and internal client
737685e autogen(openapi): Regenerate swagger spec and internal client
c07adb6 autogen(openapi): Regenerate swagger spec and internal client
0e9778a autogen: add v1.10.2 to version.schema.json
46b438e autogen: add v1.10.3-pre.1 to version.schema.json
ea93158 autogen: pin v1.10.3 release commit
30b77e6 autogen: pin v1.10.3-pre.1 release commit
2579fe0 autogen: pin v1.10.3-pre.1 release commit
38ba27b chore(deps): bump color-string in /test/e2e/oauth2-client (#2592)
f85f5be chore: bump ory/x and cleanup go.mod Closes #2609 by pulling in upstream fix ory/x#373
e739e63 chore: coc shield
5730436 chore: docs sidebar uniform (#2591)
089fdc1 chore: format
19482e8 chore: update docusaurus template
110f748 chore: update docusaurus template
52a1a25 chore: update docusaurus template
b48e54d chore: update docusaurus template
ef59ab2 chore: update docusaurus template (#2569)
9d5fc15 chore: update docusaurus template (#2590)
a303e9e chore: update docusaurus template (#2595)
0d9a250 chore: update docusaurus template (#2611)
fc41dbe chore: update docusaurus template (#2613)
cb981ec chore: update docusaurus template (#2615)
e06b8a5 chore: update docusaurus template (#2616)
510456d chore: update docusaurus template (#2617)
9cfec9d chore: update docusaurus template (#2619)
2ca6de6 chore: update docusaurus template (#2620)
60a14a3 chore: update repository templates
2fca5a4 chore: update repository templates
a347d7b chore: update repository templates
8a2b9aa chore: update repository templates
64f0018 chore: update repository templates
3f88ca3 chore: update repository templates (#2550)
3f05926 chore: update repository templates (#2554)
5ae6fe6 chore: update repository templates (#2601)
06c3482 chore: update repository templates (#2630)
4f8d0bc ci: add codecov reporting
e6ee5b9 ci: explicit go mod cache keys (#2566)
64a332a docs: clearer wording in SPA notice for HTML forms (#2565)
94ded27 docs: fix erroneous sidebar com...


v1.10.2

04 May 15:54
e8c3a06

This maintenance release resolves regressions introduced in Ory Hydra v1.10.1. A big change is that Ory Hydra now supports PATCH operations for OAuth2 Clients and is able to handle TLS for admin and public endpoints individually. The breaking changes included in this release address two bugs which are marked as a BREAKING CHANGE. We believe however that these changes do not affect running systems and given the major improvements introduced by the fixes, we decided to mark this as a patch release.

1.10.2 (2021-05-04)

Bug Fixes

  • CookieStore MaxAge value (#2485) (#2488) (aafc901):

    CookieStore MaxAge is set to 86400 * 30 by default. This prevents secure cookies retrieval with expiration > 30 days. MaxAge: 0 disables MaxAge check by SecureCookie, thus allowing sessions lasting > 30 days.

  • Do not use error_hint anymore (#2450) (ff90c47)

  • Handled requests respond with 410 Gone and include redirect URL (#2473) (e3d9158), closes #1569

  • Link in documentation (#2478) (5fdd913)

  • Login and consent redirect behavior change since 1.9.x (#2457) (2f3a1af), closes #2363:

    Allow #fragment in configured url to keep backwards compatibility.

  • Make token user command work with public clients (#2479) (a033d6a)

  • Resolve clidoc issues (f6e5958)

  • Resolve specignore issues (1431167)

  • Use PublicURL where given (#2441) (eefefd5), closes #2422

  • Valid JSON response for already handled requests (#2517) (ac61616), closes #2515

  • Version schema (#2427) (7781215)

Code Refactoring

  • Move unix socket support helpers into ory/x (#2486) (44fd4e4)

Documentation

Features

  • Add the MaxTagValueLength config for jaeger of tracing (#2482) (03c96ee), closes #2447

  • Enable "nbf" (not before) claim to be optional for Access Token (#2437) (666cd25), closes #1542

  • Global docs sidebar and added cloud pages (#2495) (7f7362b)

  • Implement partial client updates (PATCH) with JSON Patch syntax (#2411) (540c89d):

    Implements a new endpoint PATCH /clients/{id} which uses JSON Patch syntax to update an OAuth2 client partially. This removes the need to do PUT /clients/{id} with the full OAuth2 Client in the payload.

  • Split TLS config into admin and public interfaces (#2476) (60704d4), closes #1231 #1962:

    Adds the possibility to specify TLS certificates for admin and public endpoints individually. Also improves compatibility for internal networks (e.g. Kubernetes) by removing the need for having TLS termination on admin endpoints. This can be enabled by setting serve.admin.tls.enabled to false.

BREAKING CHANGES

  • This patch makes it so that already handled consent/login/logout requests respond with 410 Gone instead of 409 Conflict. Additionally, a URL is included that the user should be redirected to!

Co-authored-by: hackerman 3372410+aeneasr@users.noreply.github.com

  • This patch changes how issuer and public URLs are used. Please be aware that going forward, the public URL is used for redirects. Previously, the issuer URL was used. If no public URL is set, the issuer URL will be used as before.

Changelog

5c611f0 autogen(docs): generate and format documentation
09dc774 autogen(docs): generate and format documentation
4d58f1f autogen(docs): generate and format documentation
a02ffe9 autogen(docs): generate and format documentation
d8682a9 autogen(docs): generate and format documentation
24f91ab autogen(docs): generate and format documentation
2666562 autogen(docs): generate and format documentation
3151706 autogen(docs): generate and format documentation
1c0e811 autogen(docs): generate and format documentation
7ba4b47 autogen(docs): generate and format documentation
79f3b90 autogen(docs): generate and format documentation
0c7a2ad autogen(docs): generate and format documentation
af6beb8 autogen(docs): generate and format documentation
c9b99be autogen(docs): generate and format documentation
b6c34e0 autogen(docs): generate and format documentation
c1cc947 autogen(docs): generate and format documentation
e0ccaf3 autogen(docs): generate and format documentation
40b09cd autogen(docs): generate cli docs
bfa14a5 autogen(docs): regenerate and update changelog
3dbcf87 autogen(docs): update milestone document
db4eb72 autogen(docs): update milestone document
5d0d69e autogen(docs): update milestone document
598de15 autogen(docs): update milestone document
00a57bd autogen(docs): update milestone document
d33a490 autogen(openapi): Regenerate swagger spec and internal client
3e37546 autogen(openapi): Regenerate swagger spec and internal client
fcc0dd2 autogen(openapi): Regenerate swagger spec and internal client
17cfc78 autogen(openapi): Regenerate swagger spec and internal client
4e6aebe autogen: add v1.10.1 to version.schema.json
1da2f24 autogen: pin v1.10.2 release commit
e8c3a06 autogen: pin v1.10.2 release commit
3bb0bb9 chore: bump base alpine images (#2439)
b8bac7f chore: bump ory/x
638562c chore: bump ory/x and gogo/protobuf (#2434)
73c9931 chore: fix links (#2481)
bd90f3e chore: fix sdk links (#2433)
380fc94 chore: format and cleanup
ddb34c1 chore: update docusaurus template
d99f213 chore: update docusaurus template
6b01fa9 chore: update docusaurus template
cf2fe0c chore: update docusaurus template
eaa3f87 chore: update docusaurus template
c3d705d chore: update docusaurus template (#2493)
69a87a5 chore: update docusaurus template (#2494)
a76bf40 chore: update repository templates (#2443)
9a484fc chore: update vulnerable jwt-go
3d48259 ci: run conformity on PRs
014c773 docs: add dotnet sdk (#2431)
47cf3c7 docs: add php link sdk page & fix links (#2469)
aa2919d docs: change forum to discussions readme (#2451)
8ac186c docs: fix uppercase id
5466d4e docs: guide for merging system.secrets (#2448)
03c96ee feat: add the MaxTagValueLength config for jaeger of tracing (#2482)
666cd25 feat: enable "nbf" (not before) claim to be optional for Access Token (#2437)
7f7362b feat: global docs sidebar and added cloud pages (#2495)
540c89d feat: implement partial client updates (PATCH) with JSON Patch syntax (#2411)
60704d4 feat: split TLS config into admin and public interfaces (#2476)
aafc901 fix: CookieStore MaxAge value (#2485) (#2488)
ff90c47 fix: do not use error_hint anymore (#2450)
e3d9158 fix: handled requests respond with 410 Gone and include redirect URL (#2473)
5fdd913 fix: link in documentation (#2478)
2f3a1af fix: login and consent redirect behavior change since 1.9.x (#2457)
a033d6a fix: make token user command wor...


v1.10.1

25 Mar 13:36
2287ac5

We are excited to announce Ory Hydra v1.10.0!

This release adds significant data management improvements. As such, we introduce the new "hydra janitor" command which cleans up stale data and can be run, for example, as a (Kubernetes) CronJob.

The new janitor command is able to clean up invalid and expired access and refresh tokens as well as login and consent requests. This solves issues observed in installations with lots of traffic.

This patch refactors the internal file embed system by migrating to Go 1.16, simplifying and speeding up the build process.

To follow OAuth2 best-practice, refresh tokens will now invalidate the whole access and refresh token chain if reused.

1.10.1 (2021-03-25)

Bug Fixes

  • Add docs/node_modules make target (b302501)

  • Add network specific error message to avoid confusion (#2367) (56d71e6), closes #2338

  • Adds sqa section to config.schema.json (#2360) (89df8d7), closes #2358:

    Move from viper to koanf caused env vars without corresponding
    paths in config.schema.json to be ignored. This commit adds
    missing sqa section, so the SQA_OPT_OUT env var has effect again.

  • Adopt new cli renderer pipeline (02483ce)

  • Better http resiliency and sqlite updates (883a84f)

  • Improve cache and update CI images to go 1.16 (#2388) (7803202)

  • Increase conformance test timeout (e9bd064)

  • Record cypress videos (c9d0a26)

  • Resolve clidoc issues (8257cb2)

  • Resolve docs build issues (6612099)

  • Resolve e2e test issues (4812f54)

  • Resolve migrator duplicate files (b1f63ff)

  • Resolve migrator regression issues (cdfc03d)

  • Revert mode default and maximum values (#2349) (b20fc48):

    I made a mistake in previous pull request, these socket mode values are in decimal, not octal format. Sorry.

  • Update janitor help (b7965c6)

  • Use appropriate migrations with precedence (b61d05c)

  • Use gelf windows hotfix (0cac0f1)

  • Use go 1.16 in conformity suite (3fbda05)

Documentation

  • Faq custom data (#2334) (471e85d)

  • Fix basic examples for the golang SDK (#2399) (6806865)

  • Fix subject identifier algorithms to match configuration (#2400) (dd19b86):

    On https://www.ory.sh/hydra/docs/reference/configuration/ under 'subject identifiers' the name for defining which subject identifier algorithms are supported it is called "supported_types", not "enabled" as in these pages.

  • Improve readme tests section (#2380) (277afe9)

  • Quickstart config (#2328) (f20f645)

  • Update config.schema.json default values (#2348) (8494822):

    Updated wrong config schema values

  • Update examples to new helm install command format (#2369) (f006556):

    Tried example with helm 3.5.2 and it does not support --name flag. So I moved name and repository to first line of commands.

Features

  • Add --no-shutdown flag to "hydra token user" to prevent auto-termination (#2382) (#2386) (a17d10e)

  • Add front/backchannel logout params to client cli (#2387) (055f801), closes #1487

  • Flush inactive/expired login and consent requests (#2381) (f039ebb), closes #1574:

    This patch resolves various table growth issues caused by expired/inactive login and consent flows never being purged from the database.

    You may now use the new hydra janitor command to remove access & refresh tokens and login & consent requests which are no longer valid or used. The command follows the notAfter safe-guard approach to ensure records needed to be kept are not deleted.

    To learn more, please use hydra help janitor.

    This patch phases out the /oauth2/flush endpoint as the janitor is better suited for background tasks, is easier to run in a targeted fashion (e.g. as a singleton job), and does not cause HTTP timeouts.

  • Flush refresh tokens for service oauth2/flush (#2373) (b46a14c), closes /github.com/ory/hydra/issues/1574#issuecomment-736684327

  • Move to go 1.16 and static embed files (6fa591c)

  • Refresh token reuse detection (#2383) (bc349f1), closes #2022:

    This patch adds support for Refresh Token reuse Detection introduced by ory/fosite#567. Ory Hydra's persister no longer deletes refresh tokens when using them, but instead deactivates them - similar to how authorization codes work.
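
The refresh token reuse detection described above, as an added Go example (not code from Ory Hydra or fosite): an in-memory store that either deletes a refresh token on use or deactivates it, and revokes the whole chain when a deactivated token is presented again. `Store`, `grantID`, `Replay` and the sequential token values are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

var (
	ErrUnknownToken = errors.New("refresh token not found")
	ErrTokenReused  = errors.New("refresh token reused: token chain revoked")
)

// refreshRow is one refresh token record. grantID is a hypothetical name for
// the identifier shared by every token descending from one authorization.
type refreshRow struct {
	grantID string
	active  bool
}

// Store is a constructed in-memory stand-in for the token tables.
type Store struct {
	DeleteOnUse bool                   // true models the older delete-on-use behaviour
	refresh     map[string]*refreshRow // refresh token -> record
	access      map[string]string      // access token -> grantID
	n           int                    // counter for sample token values (real tokens are random)
}

func NewStore(deleteOnUse bool) *Store {
	return &Store{DeleteOnUse: deleteOnUse, refresh: map[string]*refreshRow{}, access: map[string]string{}}
}

// Issue mints an access/refresh pair that belongs to grantID.
func (s *Store) Issue(grantID string) (access, refresh string) {
	s.n++
	access, refresh = fmt.Sprintf("at_%d", s.n), fmt.Sprintf("rt_%d", s.n)
	s.access[access] = grantID
	s.refresh[refresh] = &refreshRow{grantID: grantID, active: true}
	return access, refresh
}

// Rotate exchanges a refresh token for a new pair. A token that is still
// stored but inactive has been used before: that is the reuse signal, and
// every token of the same grant is revoked.
func (s *Store) Rotate(presented string) (access, refresh string, err error) {
	row, found := s.refresh[presented]
	if !found {
		return "", "", ErrUnknownToken
	}
	if !row.active {
		s.revokeChain(row.grantID)
		return "", "", ErrTokenReused
	}
	if s.DeleteOnUse {
		delete(s.refresh, presented) // the record is gone, so a replay looks like any unknown token
	} else {
		row.active = false // keep the record so a replay can be recognised
	}
	access, refresh = s.Issue(row.grantID)
	return access, refresh, nil
}

// revokeChain deactivates all refresh tokens and drops all access tokens of a grant.
func (s *Store) revokeChain(grantID string) {
	for _, row := range s.refresh {
		if row.grantID == grantID {
			row.active = false
		}
	}
	for tok, id := range s.access {
		if id == grantID {
			delete(s.access, tok)
		}
	}
}

// Usable reports whether both tokens of a pair are still accepted.
func (s *Store) Usable(access, refresh string) bool {
	_, okAccess := s.access[access]
	row, okRefresh := s.refresh[refresh]
	return okAccess && okRefresh && row.active
}

// Replay rotates rt_1 once, presents the same rt_1 a second time, and reports
// the error of the second attempt and whether the pair minted by the first
// rotation is still usable afterwards.
func Replay(deleteOnUse bool) (secondPairUsable bool, err error) {
	s := NewStore(deleteOnUse)
	_, rt1 := s.Issue("grant-1")
	at2, rt2, err := s.Rotate(rt1)
	if err != nil {
		return false, err
	}
	_, _, err = s.Rotate(rt1)
	return s.Usable(at2, rt2), err
}

func main() {
	for _, deleteOnUse := range []bool{true, false} {
		usable, err := Replay(deleteOnUse)
		fmt.Printf("deleteOnUse=%v replay error=%q second pair usable=%v\n", deleteOnUse, err, usable)
	}
}
```

The server cannot tell which holder of the copied token rotated first, which is why the whole chain is revoked rather than only the replayed token.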

Tests

  • Bump cypress to newer version and add resilience (c76309c)
  • Bump ory/x and resolve regressions (1a03c07)
  • Fix record arg (b248406)
  • Improve e2e script and add record option (9d4764d)
  • Resolve flaky cypress tests (356b05f)
  • Resolve migration regression (e59e2bc)
  • Use cypress fetchers (2aa0980)
  • Use go 1.16 in conformity (ccd983d)

Unclassified

  • Do not send 404 on revoke consent / delete login (#2397) (854b9ee)
  • Resolve oidc conformity regression (1049602)

Changelog

ce7ee75 autogen(docs): generate and format documentation
74bfe9c autogen(docs): generate and format documentation
ec93526 autogen(docs): generate and format documentation
4cc8012 autogen(docs): generate and format documentation
21c6285 autogen(docs): generate and format documentation
67d9b38 autogen(docs): generate and format documentation
dc97559 autogen(docs): generate and format documentation
a11527f autogen(docs): generate and format documentation
e18e966 autogen(docs): generate and format documentation
9ad9c1d autogen(docs): generate and format documentation
d3697cd autogen(docs): generate cli docs
83f8ebd autogen(docs): generate cli docs
7731121 autogen(docs): generate cli docs
d6c8209 autogen(docs): generate cli docs
8f939da autogen(docs): generate cli docs
5005c9a autogen(docs): re...


v1.9.2

29 Jan 15:10
f0580e2

This release adds more telemetry data to the prometheus exporter.

1.9.2 (2021-01-29)

Features

  • Enable emittance of response time metrics (#2323) (c1f1ba5)

Changelog

8a415d9 autogen(docs): generate and format documentation
eb6f682 autogen(docs): regenerate and update changelog
fcd80d1 autogen(docs): regenerate and update changelog
0b4673e autogen: add v1.9.1 to version.schema.json
f0580e2 autogen: pin v1.9.2 release commit
c1f1ba5 feat: enable emittance of response time metrics (#2323)

Docker images

  • docker pull oryd/hydra:v1
  • docker pull oryd/hydra:v1.9
  • docker pull oryd/hydra:v1.9.2
  • docker pull oryd/hydra:latest
  • docker pull oryd/hydra:v1-alpine
  • docker pull oryd/hydra:v1.9-alpine
  • docker pull oryd/hydra:v1.9.2-alpine
  • docker pull oryd/hydra:latest-alpine
  • docker pull oryd/hydra:v1-sqlite
  • docker pull oryd/hydra:v1.9-sqlite
  • docker pull oryd/hydra:v1.9.2-sqlite
  • docker pull oryd/hydra:latest-sqlite

v1.9.1

27 Jan 09:52
5cedc9e

This release makes Dart and Rust SDKs available for Ory Hydra!

1.9.1 (2021-01-27)

Documentation

Changelog

efa4c4c autogen(docs): generate and format documentation
ea5edb3 autogen(docs): generate cli docs
7e162f6 autogen(docs): generate cli docs
10b5d59 autogen(docs): generate cli docs
994d4d4 autogen(docs): regenerate and update changelog
97c664b autogen(docs): regenerate and update changelog
2a0c1d0 autogen(docs): regenerate and update changelog
8d5c8b1 autogen(docs): regenerate and update changelog
7e546aa autogen(docs): regenerate and update changelog
3027833 autogen(docs): regenerate and update changelog
bdf7991 autogen(docs): update milestone document
1921e54 autogen: add v1.9.0 to version.schema.json
5cedc9e autogen: pin v1.9.1 release commit
68cb667 chore: bump gjson (#2298)
183d421 chore: update repository templates (#2301)
c4b4f73 docs: add Rust and Dart SDKs
8d31cb3 docs: add faq items
1316cc0 docs: add link endings. (#2313)
341f3ed docs: fix npm links (#2303)
a8ad705 docs: quickstart cleanup (#2324)
4fdb7f1 docs: reorg faq sidebar (#2318)
d2ee4f6 docs: update before oauth2.mdx (#2299)
a2b3a49 docs: update javascript documentation
d05d82e docs: update npm package name (#2302)

Docker images

  • docker pull oryd/hydra:v1
  • docker pull oryd/hydra:v1.9
  • docker pull oryd/hydra:v1.9.1
  • docker pull oryd/hydra:latest
  • docker pull oryd/hydra:v1-alpine
  • docker pull oryd/hydra:v1.9-alpine
  • docker pull oryd/hydra:v1.9.1-alpine
  • docker pull oryd/hydra:latest-alpine
  • docker pull oryd/hydra:v1-sqlite
  • docker pull oryd/hydra:v1.9-sqlite
  • docker pull oryd/hydra:v1.9.1-sqlite
  • docker pull oryd/hydra:latest-sqlite

v1.9.0

12 Jan 16:12
7120b4f

Today, we are very excited to announce the stable release of ORY Hydra 1.9! This release contains significant internal code refactoring, making ORY Hydra more reliable, lightweight, and even more scalable! Also, for the first time ever, ORY Hydra handled over 13.3 billion API requests in December 2020 in over 23.000 production environments around the globe.

Let's talk features - in a TL;DR overview:

  • Completely replacing the existing DBAL and switching to gobuffalo/pop.
  • Support for SQLite, an embedded database, which can be used for testing and tiny deployments.
  • Deprecating the existing configuration system spf13/viper and moving to knadh/koanf.
  • Adding OpenID Connect Conformity Test Suite to the CI, guaranteeing that every code change is fully OpenID Connect compliant.
  • Support for the OpenID Connect response_mode=form_post Response Mode.
  • Compatibility with MITREid, allowing easy migration from MITREid to ORY Hydra.
  • The TypeScript SDK moved from @oryd/hydra-client to @ory/hydra-client. Please update your dependencies!

If you wish to get into ORY Hydra, check out the new YouTube tutorial:

ORY Hydra YouTube Quickstart Tutorial

See you on slack, signed HACKERMAN.

ORY Kratos

We would like to take a bit of your time and introduce you to ORY Kratos. ORY Kratos implements all the hard things related to users: login, registration, customizable profile fields, multi-factor authentication scheduled for v0.6, secure account recovery, email and SMS verification, profile management, session and device management, user administration, social sign in and sign up, and much, much more! Everything works with proven and ORY-hardened protocols in the same lightweight fashion you are used to from our other products. And it natively targets mobile, desktop, web, and robots! ORY Kratos is essentially an open-source alternative to Auth0, Okta, and Google Firebase with the added benefit of avoiding the complexity of implementing OAuth2 and OpenID Connect for your first-party apps just to get login to work. So if you are wondering whether you really need OAuth2, this is worth your time!

To get a feeling for ORY Kratos, check out our exemplary React Native app (available on GitHub, Android and iOS) demonstrating user registration, login, and profile management. It uses APIs from ORY Cloud, which will be publicly announced this year. If you are interested in becoming an early adopter, get in touch now! We have more super exciting stuff planned!


Changes in-depth

Let's break down the most significant changes in more detail:

The configuration system has been reworked

  1. Configuration sourcing works from all sources (file, env, cli flags) with validation against the configuration schema. This makes changing or updating configuration much easier.
  2. Configuration reloading is improved and works on Kubernetes.
  3. Performance gains remove the need for a cache layer between the configuration system and ORY Hydra.
  4. Loading of several config files is now possible using the --config flag.
  5. Configuration values are now sent to the tracer (e.g. Jaeger) if tracing is enabled.

Please be aware that deprecated configuration flags have been removed with this change. It is also possible that ORY Hydra might complain about an invalid configuration due to a significantly improved validation process.

The OpenID Connect Conformity Test Suite is now part of the ORY Hydra CI pipeline.

This means every PR and change will be checked for OpenID Connect Compliance. As part of these tests, we uncovered some regression issues which have since been resolved. Please be aware that fields error_hint and error_debug will no longer be sent. You can re-enable those legacy fields by setting oauth2.include_legacy_error_fields to true.

Supporting response_mode=form_post

Support for OpenID Connect flows using response_mode=form_post was added and has been tested with the OpenID Connect Conformity Test Suite, making it ready for production.
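A relying-party callback for response_mode=form_post, as an added example in Go (not Ory Hydra's code); the function names, the /callback path and the oidc_state cookie are assumptions made for this example. It shows a point the note above does not spell out: the authorization response arrives as a cross-site POST, so the state cookie has to be SameSite=None and Secure to be sent back at all.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
)

// stateCookie is a hypothetical cookie name chosen for this example.
const stateCookie = "oidc_state"

// setStateCookie stores the anti-CSRF state before redirecting to the provider.
// Cross-site POSTs do not carry SameSite=Lax or Strict cookies, hence None + Secure.
func setStateCookie(w http.ResponseWriter, state string) {
	http.SetCookie(w, &http.Cookie{
		Name: stateCookie, Value: state, Path: "/callback", MaxAge: 300,
		HttpOnly: true, Secure: true, SameSite: http.SameSiteNoneMode,
	})
}

// formPostCallback handles the authorization response at the redirect URI.
func formPostCallback(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "form_post responses arrive as POST", http.StatusMethodNotAllowed)
		return
	}
	r.Body = http.MaxBytesReader(w, r.Body, 16<<10) // bound the form size
	if err := r.ParseForm(); err != nil {
		http.Error(w, "malformed form", http.StatusBadRequest)
		return
	}
	// Use r.PostForm only, so query-string parameters cannot stand in for the body.
	c, err := r.Cookie(stateCookie)
	got := r.PostForm.Get("state")
	if err != nil || got == "" || subtle.ConstantTimeCompare([]byte(c.Value), []byte(got)) != 1 {
		http.Error(w, "state mismatch", http.StatusForbidden)
		return
	}
	if r.PostForm.Get("error") != "" || r.PostForm.Get("code") == "" {
		http.Error(w, "authorization failed", http.StatusBadRequest) // provider text is not echoed
		return
	}
	// The code would be exchanged at the token endpoint here.
	fmt.Fprint(w, "ok")
}

func main() {
	http.HandleFunc("/callback", formPostCallback)
	_ = http.ListenAndServe("127.0.0.1:8080", nil) // terminate TLS in front of this in practice
}
```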

Compatibility with MITREid

Adds an option that allows granting the OAuth2 Client's authorized scope when performing a client_credentials flow without specifying a scope. This enables compatibility with MITREid and allows migrating from MITREid to ORY Hydra.

Refactoring the internal DBAL

We completely refactored the internal database abstraction layer (DBAL). We have been using gobuffalo/pop successfully in ORY Kratos and decided to move the ORY Hydra DBAL to gobuffalo/pop as well. As part of this refactoring, ORY Hydra now supports SQLite for both in-memory as well as on-disk databases, de-duplicating the codebase and allowing for quick and easy persistence in test environments.

Changelog 1.9.0 (2021-01-12)

Bug Fixes

  • Add 400 as possible reply to /oauth2/token (24daede), closes #2260

  • Bump ory/x and update config usage (#2248) (4937a00)

  • Do not require unset pairwise (4136aaf)

  • Improve version regex (17d9599), closes #2255

  • Update schema reference for subject_identifiers.supported_types (0e14a08), closes #2270

  • Add encrypt_at_rest option to config schema (3219c16)

  • Add required aud, jti claims to userinfo response (d0697fa)

  • Add standardized client registration errors (02a9137):

    Adds new errors to fully comply with the OpenID Connect Dynamic Client Registration specification.

  • Allow all request object signing algs per default (edc54c2):

    This patch resolves an issue where RS256 would be the only allowed request object signing algorithm. The spec however mandates that all algorithms are allowed if the client does not explicitly set the request object signing algorithm.

  • Allow lower bcrypt values and add tests (812a21c)

  • Document describe error (#2208) (b59bdf8)

  • Ensure consistent auth_time in session handling (e973ffe)

  • Increase parallelism to 4 (ae02706)

  • Mark false gosec positive (206d1ee)

  • Nonce is not required for hybrid flows (c708ada)

  • Quickstart yml (5ebd984)

  • Remove session from store on logout (4495f56):

    This patch reso...
