Releases: ory/hydra
v1.9.0
Today, we are very excited to announce the stable release of ORY Hydra 1.9! This release contains significant internal code refactoring, making ORY Hydra more reliable, lightweight, and even more scalable! Also, for the first time ever, ORY Hydra handled over 13.3 billion API requests in December 2020 in over 23.000 production environments around the globe.
Let's talk features - in a TL;DR overview:
- Completely replacing the existing DBAL and switching to gobuffalo/pop.
- Support for SQLite, an embedded database, which can be used for testing and tiny deployments.
- Deprecating the existing configuration system spf13/viper and moving to knadh/koanf.
- Adding OpenID Connect Conformity Test Suite to the CI, guaranteeing that every code change is fully OpenID Connect compliant.
- Support for the OpenID Connect `response_mode=form_post` Response Mode.
- Compatibility with MITREid, allowing easy migration from MITREid to ORY Hydra.
- The TypeScript SDK moved from @oryd/hydra-client to @ory/hydra-client. Please update your dependencies!
If you wish to get into ORY Hydra, check out the new YouTube tutorial:
See you on slack, signed HACKERMAN.
ORY Kratos
We would like to take a bit of your time and introduce you to ORY Kratos. ORY Kratos implements all the hard things related to users: login, registration, customizable profile fields, multi-factor authentication scheduled for v0.6, secure account recovery, email and SMS verification, profile management, session and device management, user administration, social sign in and sign up, and much, much more! Everything works with proven and ORY-hardened protocols in the same lightweight fashion you are used to from our other products. And it natively targets mobile, desktop, web, and robots! ORY Kratos is essentially an open-source alternative to Auth0, Okta, and Google Firebase with the added benefit of avoiding the complexity of implementing OAuth2 and OpenID Connect for your first-party apps just to get login to work. So if you are wondering whether you really need OAuth2, this is worth your time!
To get a feeling for ORY Kratos, check out our exemplary React Native app (available on GitHub, Android and iOS) demonstrating user registration, login, and profile management. It uses APIs from ORY Cloud, which will be publicly announced this year. If you are interested in becoming an early adopter, get in touch now! We have more super exciting stuff planned!
Changes in-depth
Let's break down the most significant changes in more detail:
The configuration system has been reworked
- Configuration sourcing works from all sources (file, env, cli flags) with validation against the configuration schema. This makes changing or updating configuration much easier.
- Configuration reloading is improved and works on Kubernetes.
- Performance gains remove the need for a cache layer between the configuration system and ORY Hydra.
- Loading of several config files is now possible using the `--config` flag.
- Configuration values are now sent to the tracer (e.g. Jaeger) if tracing is enabled.
Please be aware that deprecated configuration flags have been removed with this change. It is also possible that ORY Hydra might complain about an invalid configuration due to a significantly improved validation process.
The OpenID Connect Conformity Test Suite is now part of the ORY Hydra CI pipeline.
This means every PR and change will be checked for OpenID Connect Compliance. As part of these tests, we uncovered some regression issues which have since been resolved. Please be aware that fields `error_hint` and `error_debug` will no longer be sent. You can re-enable those legacy fields by setting `oauth2.include_legacy_error_fields` to `true`.
Supporting response_mode=form_post
Support for OpenID Connect flows with `response_mode=form_post` was added and has been tested with the OpenID Connect Conformity Test Suite, making it ready for production.
Compatibility with MITREid
Adds an option that allows granting the OAuth2 Client's authorized scope when performing a `client_credentials` flow without specifying a scope. This enables compatibility with MITREid and allows migrating from MITREid to ORY Hydra.
Refactoring the internal DBAL
We completely refactored the internal database abstraction layer (DBAL). We have been using gobuffalo/pop successfully in ORY Kratos and decided to move the ORY Hydra DBAL to gobuffalo/pop as well. As part of this refactoring, ORY Hydra now supports SQLite for both in-memory as well as on-disk databases, de-duplicating the codebase and allowing for quick and easy persistence in test environments.
Changelog 1.9.0 (2021-01-12)
Bug Fixes
- Add 400 as possible reply to /oauth2/token (24daede), closes #2260
- Do not require unset pairwise (4136aaf)
- Update schema reference for subject_identifiers.supported_types (0e14a08), closes #2270
- Add encrypt_at_rest option to config schema (3219c16)
- Add required aud, jti claims to userinfo response (d0697fa)
- Add standardized client registration errors (02a9137):
  Adds new errors to fully comply with the OpenID Connect Dynamic Client Registration specification.
- Allow all request object signing algs per default (edc54c2):
  This patch resolves an issue where RS256 would be the only allowed request object signing algorithm. The spec however mandates that all algorithms are allowed if the client does not explicitly set the request object signing algorithm.
- Allow lower bcrypt values and add tests (812a21c)
- Ensure consistent auth_time in session handling (e973ffe)
- Increase parallelism to 4 (ae02706)
- Mark false gosec positive (206d1ee)
- Nonce is not required for hybrid flows (c708ada)
- Quickstart yml (5ebd984)
- Remove session from store on logout (4495f56):
  This patch reso...
v1.9.0-alpha.3
We are excited to present the next big step towards ORY Hydra 1.9! In this release we completely refactored the configuration internals and moved from spf13/viper to knadh/koanf:
- Configuration sourcing works from all sources (file, env, cli flags) with validation against the configuration schema, greatly improving the developer experience when changing or updating configuration.
- Configuration reloading has improved significantly and works excellently on Kubernetes.
- Performance gains that remove the need for a cache layer between the configuration system and ORY Hydra.
- Loading of several config files using the `--config` flag now possible.
- Configuration values are now sent to the tracer (e.g. Jaeger) if tracing is enabled.
Please be aware that deprecated configuration flags have finally been removed with this change. It is also possible that ORY Hydra might complain about an invalid configuration due to a significantly improved validation process.
In addition, this release includes the new OpenID Connect Conformity Test Suite as part of the ORY Hydra CI pipeline. This means every PR and change will be checked for OpenID Connect Compliance. As part of these tests, we uncovered some regression issues which have since been resolved. Please be aware that fields `error_hint` and `error_debug` will no longer be sent. You can re-enable those legacy fields by setting `oauth2.include_legacy_error_fields` to `true`.
Furthermore, support for OpenID Connect flows with `response_mode=form_post` was added and has been tested with the OpenID Connect Conformity Test Suite, making it ready for production.
Several other bugs have been resolved and we have completely overhauled the tests, deprecating test tables in favor of test suites. This greatly improves the readability of our tests and allows new contributors to more easily understand what is going on!
If you wish to get into ORY Hydra, check out the newly published YouTube tutorial:
1.9.0-alpha.3 (2020-12-08)
Bug Fixes
- Add encrypt_at_rest option to config schema (3219c16)
- Add required aud, jti claims to userinfo response (d0697fa)
- Add standardized client registration errors (02a9137):
  Adds new errors to fully comply with the OpenID Connect Dynamic Client Registration specification.
- Allow all request object signing algs per default (edc54c2):
  This patch resolves an issue where RS256 would be the only allowed request object signing algorithm. The spec however mandates that all algorithms are allowed if the client does not explicitly set the request object signing algorithm.
- Allow lower bcrypt values and add tests (812a21c)
- Ensure consistent auth_time in session handling (e973ffe)
- Increase parallelism to 4 (ae02706)
- Mark false gosec positive (206d1ee)
- Nonce is not required for hybrid flows (c708ada)
- Quickstart yml (5ebd984)
- Remove session from store on logout (4495f56):
  This patch resolves an issue where the session would not be purged from the store when performing an RP-initiated logout request from a client, if said client does not purge the authentication session properly because the client does not have access to it or because the client misbehaves.
- Remove unrelated quickstart entry (#2214) (a583d78), closes #2213
- Request_id should not be unique (a8ca333):
  This patch resolves an issue where certain OpenID Connect Hybrid flows would error with a UNIQUE violation. The cause of this issue was an incorrect UNIQUE constraint on the `request_id` field of the access, refresh, pkce, and other, similar tables.
- Resolve broken quickstart (95a1dfb)
- Update deprecated config in quickstart (1c1433a)
- Update invalid quickstart config (8d076a5)
- Update package lock (18bfc96)
- Update schema to support new koanf (29763c8)
Code Refactoring
- Deprecate driver semantics (8fc3e2e)
- Move oauth2 cors to own package (3beddbd)
- Rename `token_type` to `token_use` in introspection (152fd5d), closes #1762
- Replace viper with koanf config management (8c12b27)
Documentation
-
- Add config debug section (c53f036)
- Add contributing to sidebar (#2209) (21f3b1f):
  Added Contributing Guidelines to the introduction menu point on the sidebar.
  I think it should be as obvious as possible.
  Another good solution would be to add them to the top bar? If this is merged, I will do the same changes for Kratos/Oathkeeper/Keto.
- Add newsletter banner (5b63aa4)
- Deps are installed automagically and make deps was removed (#2157) (25e96e2), closes #2154
- Minor improvements to the concepts/consent page (#2168) (1128cfc)
- Use codefromremote for consent samples (51c0874)
Features
- Add ability to override oidc discovery urls (bb8b982):
  Added config options `webfinger.oidc_discovery.token_url`, `webfinger.oidc_discovery.auth_url`, `webfinger.oidc_discovery.jwks_url`.
- Add new `request_object_signing_alg_values_supported` to oidc discovery (4220959)
- Add oidc conformity tests (651f424)
- Improve and clean up error handling (b727367)
- Improve error responses for consent handler (44ab747)
- Improve error stack trace wrapping (fdf142c)
- Only set state-param if it was passed (#2183) ([568434a](5684...
v1.9.0-alpha.2
This release addresses an issue in the update routine of OAuth2 Clients (see kratos#2148) and adds an option which makes ORY Hydra compatible with MITREid.
1.9.0-alpha.2 (2020-10-29)
Bug Fixes
- Add docs format to make format (cfa50fe)
- Client update breaks primary key (#2150) (7662917), closes #2148
- Explicitly use no-CGO images for non-SQLite (1ec2d1d)
- Force brew install statement (0252b5a)
- Update install script (c614c0b)
Documentation
- Add missing trailing slash (97bc47d)
- Replace dex with keycloak (fa877d7), closes #2128
- Version bash-curl script (71b0592), closes #2145
Features
- Add configuration option to grant default client_credential scope when no scope is requested (#2144) (0b1de34), closes #2141:
  Adds an option which allows granting the OAuth2 Client's authorized scope when performing a `client_credentials` flow without specifying a scope. This enables compatibility with MITREid.
Tests
Changelog
0f0c509 autogen(docs): generate and format documentation
26ede91 autogen(docs): generate and format documentation
c188739 autogen(docs): generate and format documentation
92bc86c autogen(docs): regenerate and update changelog
f79ae29 autogen(docs): update milestone document
7df5ea3 autogen(docs): update milestone document
90d311b autogen(docs): update milestone document
c654010 autogen: add v1.9.0-alpha.1 to version.schema.json
1a7fe91 autogen: pin v1.9.0-alpha.2 release commit
702b0f5 chore: update docusaurus template
12d4eb3 ci: fix replacer script
97bc47d docs: add missing trailing slash
fa877d7 docs: replace dex with keycloak
71b0592 docs: version bash-curl script
0b1de34 feat: add configuration option to grant default client_credential scope when no scope is requested (#2144)
cfa50fe fix: add docs format to make format
7662917 fix: client update breaks primary key (#2150)
1ec2d1d fix: explicitly use no-CGO images for non-SQLite
0252b5a fix: force brew install statement
c614c0b fix: update install script
7289f30 style: format
511e8d2 test: fix misused id field (#2152)
Docker images
docker pull oryd/hydra:v1
docker pull oryd/hydra:v1.9
docker pull oryd/hydra:v1.9.0
docker pull oryd/hydra:v1.9.0-alpha.2
docker pull oryd/hydra:latest
docker pull oryd/hydra:v1-alpine
docker pull oryd/hydra:v1.9-alpine
docker pull oryd/hydra:v1.9.0-alpine
docker pull oryd/hydra:v1.9.0-alpha.2-alpine
docker pull oryd/hydra:latest-alpine
docker pull oryd/hydra:v1-sqlite
docker pull oryd/hydra:v1.9-sqlite
docker pull oryd/hydra:v1.9.0-sqlite
docker pull oryd/hydra:v1.9.0-alpha.2-sqlite
docker pull oryd/hydra:latest-sqlite
v1.9.0-alpha.1
This release focuses on a complete refactor of the internal database abstraction layer (DBAL). We have been using gobuffalo/pop successfully in ORY Kratos and decided to move the ORY Hydra DBAL to gobuffalo/pop as well. As part of this refactoring, ORY Hydra now supports SQLite for both in-memory as well as on-disk databases, de-duplicating the codebase and allowing for quick and easy persistence in test environments.
This is an alpha release as we want to gather feedback from the community regarding performance and other potential issues before tagging the v1.9.0 version branch as stable.
1.9.0-alpha.1 (2020-10-20)
Bug Fixes
- Add support for tracing to SQL (b3dda7c)
- Address pop inconsistencies and update tests (8f3462f)
- CGO build issues on Windows and Go 1.15+ (1c1fe19)
- Do not require sqlite and CGO for other databases (8069205)
- Do not run migrations in background (308edb9)
- Explicitly set pwd in makefile (aeb1090)
- Goreleaser add docker images (7a81908)
- Improve cli flags and add `-c` config flag (bf3be84)
- Improve schema typing for tracing (4cc25c3)
- Improve tests and pop adapter (1354611)
- Remove explicit cve allowlist (90caeda), closes #2117
- Remove obsolete makefile targets (dc5d37f)
- Remove unnecessary transactions (1df50ec)
- Remove websocket direct dep (d525983), closes #2111
- Run tests only once (4e1d0f6)
- Set context in connection getter (644967a)
- Update docker and quickstart examples (b01c246)
- Update format to goimports (c4438b0)
- Use context in transaction creator (db0ac86)
- Use sqlite for standalone (e5b7147)
Code Refactoring
- Move Dockerfiles to .docker directory (5508f2a)
- Use gobuffalo/pop for SQL abstraction (#2059) (56bce67), closes #1730:
  This patch replaces the existing SQL and memory managers with a pop based persister. Existing SQL migrations are compatible as they have been migrated to the new SQL abstraction in version 1.7.x. As a goodie, ORY Hydra now supports SQLite for both in-memory as well as on-disk (useful for development and very small deployments) databases!
Documentation
- Add hypnoglow terraform provider (7ed8870), closes #1304
- Correct port (#2101) (487e733), closes #2100
- Correct port (#2102) (7aca301), closes #2100
- Fix typo (71a4495)
- Remove obsolete doc section (443a225)
- Swagger route headline capitalization (4540ece), closes #2015
- Update code listings and image tags (3cd22c4)
- Update sql instructions (bfed7f2)
- Updates kubernetes helm chart url (6d63a73)
Features
- Implement docker for quickstart (8e64202)
- Re-enable freebsd (2f19837), closes #2116 #2115
- Support sqlite in goreleaser (e946487)
Tests
- Fix confusing expected/got (#2135) (14b6db2):
  And fixed assert.EqualError params in right order in TestStrategyLoginConsent
- Move tests to persistence (46d0571)
- Write migrate logs to file (9a1fbd8)
Changelog
f3056f6 autogen(docs): generate and format documentation
afde5c6 autogen(docs): generate and format documentation
6f51702 autogen(docs): generate and format documentation
c326ae8 autogen(docs): generate and format documentation
f5441d6 autogen(docs): generate and format documentation
8f87c1f autogen(docs): generate and format documentation
243adeb autogen(docs): generate and format documentation
d56bfb1 autogen(docs): generate and format documentation
8ff756c autogen(docs): generate and format documentation
849ead0 autogen(docs): generate and format documentation
049c415 autogen(docs): generate and format documentation
d560807 autogen(docs): generate cli docs
4734c88 autogen(docs): generate cli docs
ec71cd9 autogen(docs): generate cli docs
1dee4e3 autogen(docs): generate cli docs
878bd97 autogen(docs): generate cli docs
a8c33bc autogen(docs): regenerate and update changelog
3e011f6 autogen(docs): regenerate and update changelog
7b60472 autogen(docs): regenerate and update changelog
bb041f2 autogen(docs): update milestone document
1d45dec autogen(docs): update milestone document
e3f71d3 autogen(docs): update milestone document
434a3b1 autogen(docs): update milestone document
0ee3c10 autogen(openapi): Regenerate swagger spec and internal client
0eba003 autogen: add v1.8.5 to version.schema.json
0382fea autogen: add v1.9.0-alpha.0.pre.2 to version.schema.json
dc19f4a autogen: pin v1.9.0-alpha.0.pre.2 release commit
a270e4c autogen: pin v1.9.0-alpha.1 release commit
edb221c autogen: pin v1.9.0-pre.0 release commit
4fbf357 autogen: pin v1.9.0-pre.1 release commit
4062f77 chore(deps): bump cci orbs (#2132)
3e259c4 chore(docs): format
3f8f2d7 chore(docs): remove unneeded files (#2121)
1a23377 chore: add schema to gitignore
2fad604 chore: bump datadog dependency
75cc527 chore: bump gobuffalo/pop
eeb4576 chore: bump gobuffalo/pop
8ee0996 chore: bump gobuffalo/pop and integrate new tracing fixes
f83f662 chore: update Docker Images to golang 1.15.2, alpine 3.12 (#2127)
cf358c5 chore: update docusaurus template (#2104)
4e24824 chore: update docusaurus template (#2137)
92a207b chore: update repository templates
70c7998 ci: add docs format checking (#2099)
02edf37 ci: force changelog generation
fda87cf ci: remove mysql parameters which are set automatically
51d9390 ci: revert multiStatements removal
7ed8870 docs: add hypnoglow terraform provider
487e733 docs: correct port (#2101)
7aca301 docs: correct port (#2102)
71a4495 docs: fix typo
443a225 docs: remove obsolete doc section
4540ece docs: swagger route headline capitalization These should be the last places, therefore closes #2015
3cd22c4 docs: update code listings and image tags
bfed7f2 docs: update sql instructions
6d63a73 docs: updates kubernetes helm chart url
8e64202 feat: implement docker for quickstart
2f19837 feat: re-enable freebsd
e946487 feat: support sqlite in goreleaser
1c1fe19 fix: CGO build issues on Windows and Go 1.15+
b3dda7c fix: add support for tracing to SQL
8f3462f fix: address pop inconsistencies and update tests
8069205 fix: do not require sqlite and CGO for other databases
308edb9 fix: do not run migrations in background
aeb1090...
v1.8.5
This is a security-focused release with fixes for CVE-2020-15234, CVE-2020-15223, CVE-2020-15233. Additionally, several system dependencies (e.g. Golang) have been upgraded.
A few things have changed as part of these patches:
- OAuth 2.0 Redirection URL error parameters `error_hint`, `error_debug` have been deprecated and are now part of `error_description`. The parameters are still included for compatibility reasons but will be removed in a future release.
- OAuth 2.0 Error `revocation_client_mismatch` was not standardized and has been removed. Instead, you will now receive `unauthorized_client` with a description explaining why the flow failed.
Additionally, the TypeScript SDK generator has changed from OpenAPI's `typescript-node` to `typescript-axios` making the SDK compatible with both browser as well as node environments, which was not the case previously. Please be aware that some of the SDK's API signatures - especially responses - have changed and check your TypeScript output for instructions on upgrading. You may still use an older version of the SDK as none of ORY Hydra's HTTP APIs have changed.
Due to several complex CI issues and regressions, build versions v1.8.0 - v1.8.4 failed. v1.8.5 is the first and only stable release in the current 1.8.x branch.
Docker images
docker pull oryd/hydra:v1
docker pull oryd/hydra:v1.8
docker pull oryd/hydra:v1.8.5
docker pull oryd/hydra:v1.8.5
docker pull oryd/hydra:latest
docker pull oryd/hydra:v1-alpine
docker pull oryd/hydra:v1.8-alpine
docker pull oryd/hydra:v1.8.5-alpine
docker pull oryd/hydra:v1.8.5-alpine
docker pull oryd/hydra:latest-alpine
v1.8.0-pre.1
autogen: pin v1.8.0-pre.1 release commit
1.8.0-pre.1 (2020-10-03)
Bug Fixes
- Resolve gosec issues and false positives (0832138)
Features
- Bump golangci-lint and add lint job (5ea6fb6)
Changelog
fe8fdc5 autogen(docs): generate and format documentation
ed6360b autogen(docs): generate cli docs
0c9ef69 autogen(docs): update milestone document
861fdb7 autogen: pin v1.8.0-pre.1 release commit
bb39d28 chore: bump ory/cli
89abc15 chore: bump ory/x
3e60cbf ci: bump circleci orbs
24062c1 ci: remove freebsd build due to DataDog build error
5ea6fb6 feat: bump golangci-lint and add lint job
0832138 fix: resolve gosec issues and false positives
5b65100 style: make format
Docker images
docker pull oryd/hydra:v1
docker pull oryd/hydra:v1.8
docker pull oryd/hydra:v1.8.0
docker pull oryd/hydra:v1.8.0-pre.1
docker pull oryd/hydra:latest
docker pull oryd/hydra:v1-alpine
docker pull oryd/hydra:v1.8-alpine
docker pull oryd/hydra:v1.8.0-alpine
docker pull oryd/hydra:v1.8.0-pre.1-alpine
docker pull oryd/hydra:latest-alpine
v1.7.4
This release resolves several minor bugs and one slow query. Please be aware that applying this version requires running SQL migrations.
1.7.4 (2020-08-31)
Bug Fixes
- Update e2e docker image (2ce0f14)
Changelog
7e2b6cb autogen(docs): generate and format documentation
28b31a7 autogen(docs): regenerate and update changelog
ff980e6 autogen: pin v1.7.4 release commit
2ce0f14 fix: update e2e docker image
Docker images
docker pull oryd/hydra:v1
docker pull oryd/hydra:v1.7
docker pull oryd/hydra:v1.7.4
docker pull oryd/hydra:v1.7.4
docker pull oryd/hydra:latest
docker pull oryd/hydra:v1-alpine
docker pull oryd/hydra:v1.7-alpine
docker pull oryd/hydra:v1.7.4-alpine
docker pull oryd/hydra:v1.7.4-alpine
docker pull oryd/hydra:latest-alpine
v1.7.0
The new SameSite attribute is now enforced on Google Chrome and may cause issues with your current ORY Hydra deployment: `SameSite=None` no longer works for cookies without the `secure` flag. If you are using the `--dangerous-force-http` flag and have not configured `SameSite=Lax`, your users will no longer be able to perform OAuth2 flows.
The next Firefox release will follow this implementation as well. To prevent your users from experiencing issues:
- Remove `--dangerous-force-http` from your deployment. This flag should never be set outside of local development machines anyways!
- Set environment variable `SERVE_COOKIES_SAME_SITE_MODE=Lax` or configuration value `serve.cookies.same_site_mode = Lax`.
By applying this release, the above recommendations will be set per default, for example using `Lax` when `--dangerous-force-http` is set.
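The browser rule and the new default can be checked against raw `Set-Cookie` values. The following Go sketch is an added example, not ORY Hydra's code: `pickSameSite`, `newCookie`, `droppedByBrowser`, the cookie names and the `None` default for TLS deployments are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

// pickSameSite is a hypothetical helper (not Hydra's code). An explicitly
// configured mode wins; an unset mode becomes Lax when the server is forced
// onto plain HTTP, because a cookie sent over HTTP cannot carry Secure.
// Using None as the default for TLS deployments is an assumption of this sketch.
func pickSameSite(configured http.SameSite, forceHTTP bool) http.SameSite {
	if configured != http.SameSiteDefaultMode {
		return configured
	}
	if forceHTTP {
		return http.SameSiteLaxMode
	}
	return http.SameSiteNoneMode
}

// newCookie builds a cookie the way a server following that rule would.
// Secure is only set when the deployment actually serves TLS.
func newCookie(name string, configured http.SameSite, forceHTTP bool) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    "constructed-value",
		Path:     "/",
		HttpOnly: true,
		Secure:   !forceHTTP,
		SameSite: pickSameSite(configured, forceHTTP),
	}
}

// droppedByBrowser parses raw Set-Cookie header values and returns the names
// of cookies that carry SameSite=None without Secure, which is the
// combination the release notes say no longer works.
func droppedByBrowser(setCookie []string) []string {
	resp := http.Response{Header: http.Header{"Set-Cookie": setCookie}}
	var dropped []string
	for _, c := range resp.Cookies() {
		if c.SameSite == http.SameSiteNoneMode && !c.Secure {
			dropped = append(dropped, c.Name)
		}
	}
	return dropped
}

// sampleHeaders returns constructed Set-Cookie values for three deployments:
// None forced explicitly over HTTP, unset over HTTP, and unset over TLS.
func sampleHeaders() []string {
	return []string{
		newCookie("explicit_none_over_http", http.SameSiteNoneMode, true).String(),
		newCookie("default_over_http", http.SameSiteDefaultMode, true).String(),
		newCookie("default_over_tls", http.SameSiteDefaultMode, false).String(),
	}
}

func main() {
	for _, h := range sampleHeaders() {
		fmt.Println("Set-Cookie:", h)
	}
	fmt.Println("dropped by browser:", droppedByBrowser(sampleHeaders()))
}
```

The same `droppedByBrowser` check can be pointed at `Set-Cookie` values captured from a staging deployment to confirm that no cookie combines `SameSite=None` with a missing `Secure` attribute.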
Many of you reached out in the past asking about managed / SaaS offerings from ORY, for more support, automated updates, and automated fixes for issues like the `SameSite` behavior above. We would like to invite those interested in that kind of an offering and service to engage in a dialogue to better help us understand how you are using ORY, what requirements your businesses have and how we can better help and service you. We can shape some of this journey together. If you would like to be part of this conversation please send an email to jared@ory.sh so we can get in touch directly and begin talking about what an ideal and fully supported offering from ORY would look like for you.
This patch additionally includes a breaking API change for the "Revoke Consent Sessions API endpoint" - please check the breaking changes below. Bugfixes are included in this release as well - such as pretty JSON format logging, fixes to Jaeger configuration, and more!
1.7.0 (2020-08-14)
Bug Fixes
- Add json_pretty to possible log.format values (cc96359)
- Add uri to jaeger's local_agent_address (#1982) (4d5df3e), closes #1956
- Bump clidoc (7800049)
- Remove duplicate html tags (#1960) (819fe6c)
- Send total item count in X-Total-Count header (#1983) (5f9f294), closes #1666
- Use SameSite=Lax for dev environments per default (534203c)
- Use SameSite=Lax for quickstart (379f5f0), closes #1988 #1981
Code Refactoring
Documentation
- Access token time config (#1966) (f066cc1):
  Adds a short guide how to configure access token expiration time.
- Add expiry-time sidebar item (#1967) (5f8e58b):
  Adds token-expiration to sidebar.
- Add sdk samples for tls termination and tls verify skip (#1968) (6619e59)
- Add section on oauth2 limitations at beginning (4254363)
- Adopt new sidebar.json (8faf070)
- Clarify secure flag in chrome (f01ac17)
- Clarify when to use oauth2 (4c58601)
- Document SameSite woes on Chrome (921f8c2)
- Fix broken links (b3c6c5a)
- Fix invalid links (3838cdc)
- Update oauth2 limitation section (62e6fdf)
- Update TLS example to quote strings not spawn a subshell (#1961) (0e6ed29)
Features
- Add audit and debug logs for cookies (08813b3)
- Add clidoc task and program (e44d256)
- Revoke consent sessions of a subject only if explicitly requested (#1952) (fb925cf), closes #1951:
  This patch adds query parameter `all` to `/oauth2/auth/sessions/consent`. If `all=true`, then all consent sessions of a certain subject will be revoked.
Unclassified
- Whitelist new session cookies and set log level to trace (6e75638)
- Add 1.5 notes to UPGRADING.md (270b89a)
BREAKING CHANGES
- Previously, '/oauth2/auth/sessions/consent?subject=foo@bar.com' would revoke all consent sessions of that user. This may be problematic in cases where the caller forgot to specify the client ID as all tokens for that user are revoked. To prevent that, a "failsafe" `all=true` is now required to make this explicit: '/oauth2/auth/sessions/consent?subject=foo@bar.com&all=true'.
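The guard described in this breaking change, as an added Go example that is not ORY Hydra's handler: a subject-wide revocation is refused unless the caller names a client or passes `all=true`. The in-memory `consentStore`, the `client` query parameter name, the DELETE method and the status codes are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// consentStore is a constructed in-memory stand-in for persisted consent
// sessions: subject -> client ID -> active.
type consentStore map[string]map[string]bool

// revokeConsent is a hypothetical handler (not Hydra's code) that applies
// the failsafe: without a client ID, nothing is revoked unless all=true.
func (s consentStore) revokeConsent(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	subject, client := q.Get("subject"), q.Get("client")
	switch {
	case subject == "":
		http.Error(w, "subject is required", http.StatusBadRequest)
	case client != "":
		// Narrow request: only this client's consent for the subject.
		delete(s[subject], client)
		w.WriteHeader(http.StatusNoContent)
	case q.Get("all") == "true":
		// Explicit opt-in: every consent session of the subject.
		delete(s, subject)
		w.WriteHeader(http.StatusNoContent)
	default:
		// A forgotten client ID no longer wipes the whole subject.
		http.Error(w, "set client or all=true", http.StatusBadRequest)
	}
}

// revoke sends a DELETE for the given request target and returns the status.
func revoke(s consentStore, target string) int {
	rec := httptest.NewRecorder()
	s.revokeConsent(rec, httptest.NewRequest(http.MethodDelete, target, nil))
	return rec.Code
}

// sampleStore returns constructed data: one subject with two clients.
func sampleStore() consentStore {
	return consentStore{
		"foo@bar.com": {"app-a": true, "app-b": true},
	}
}

func main() {
	s := sampleStore()
	base := "/oauth2/auth/sessions/consent"
	for _, query := range []string{
		"?subject=foo@bar.com",              // refused, nothing revoked
		"?subject=foo@bar.com&client=app-a", // one client revoked
		"?subject=foo@bar.com&all=true",     // everything revoked
	} {
		code := revoke(s, base+query)
		fmt.Printf("%-36s -> %d, remaining clients: %d\n", query, code, len(s["foo@bar.com"]))
	}
}
```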
Changelog
270b89a Add 1.5 notes to UPGRADING.md
69d4af7 Merge branch 'master' into fix-e2e-cookie
cd76524 Merge pull request #1990 from ory/fix-e2e-cookie
5821d7e autogen(docs): generate and format documentation
38b8368 autogen(docs): generate and format documentation
e7f38eb autogen(docs): generate and format documentation
cf90919 autogen(docs): generate and format documentation
1208827 autogen(docs): generate and format documentation
8772df0 autogen(docs): generate and format documentation
109c2d8 autogen(docs): generate and format documentation
6aec75f autogen(docs): generate and format documentation
853fa94 autogen(docs): generate and format documentation
d91a0e8 autogen(docs): generate and format documentation
e5f7511 autogen(docs): generate and format documentation
a65919b autogen(docs): generate and format documentation
b81fd79 autogen(docs): generate and format documentation
5cb4bb4 autogen(docs): generate and format documentation
2fb6102 autogen(docs): generate and format documentation
2b44614 autogen(docs): generate cli docs
6811eec autogen(docs): generate cli docs
e3a3005 autogen(docs): generate cli docs
9e491fa autogen(docs): generate cli docs
11176dc autogen(docs): generate cli docs
1c8b31d autogen(docs): regenerate and update changelog
3927ca2 autogen(docs): regenerate and update changelog
6060cb0 autogen(openapi): Regenerate swagger spec and internal client
ff4b81e autogen: pin v1.7.0 release commit
53f3645 chore: add cypress screenshots to gitignore
dd48558 chore: bump ory/x
6ffa84a chore: clean up RootCmd
9dcaaf1 chore: fix editorconfig ident size
912eae7 chore: update .dockerignore
04fa732 chore: update docusaurus template
e681c8c chore: update docusaurus template
2bdc31b chore: update docusaurus template (#1972)
4b1be80 chore: update docusaurus template (#1985)
1ef032d ci: add docs/cli task
1f6d49a ci: bump ci versions
5494e41 ci: disable legacy migrations
2d47224 ci: fix goreleaser config
f066cc1 docs: access token time config (#1966)
5f8e58b docs: add expiry-time sidebar item (#1967)
6619e59 docs: add sdk samples for tls termination and tls verify skip (#1968)
4254363 docs: add section on oauth2 limitations at beginning
8faf070 docs: adopt new sidebar.json
f01ac17 docs: clarify secure flag in chrome
4c58601 docs: clarify when to use oauth2
921f8c2 docs: document SameSite woes on Chrome
b3c6c5a docs: fix broken links
3838cdc docs: fix invalid links
83ce657 docs: fix typos (#1964)
ba1f14b docs: fixed link (#1969)
0e6ed29 docs: update TLS example to quote strings not spawn a subshell (#1961)
62e6fdf docs: update oauth2 limitation section
08813b3 feat: add audit and debug logs for cookies
e44d256 feat: add clidoc task and program
fb925cf feat: revoke consent sessions of a subject only if explicitly requested (#1952)
cc96359 fix: add json_pretty to possible log.format values
4d5df3e fix: add uri to jaeger's local_agent_address (#1982)
7800049 fix: bump cli...
v1.6.0
We focused on reworking the ORY Hydra documentation in this release.
Even though no breaking changes were introduced with this release, we decided
to bump to the next minor (1.6) version to signal the significance of the
documentation changes.
We also refactored the NodeJS example implementation to use lightweight
TypeScript and the official TypeScript SDK.
1.6.0 (2020-07-20)
Bug Fixes
- Correct hydra-login-consent-node image (2bc777d), closes #1955
- Improve nancy pipeline with nancy-ignore and bump ci (aaabb6f)
- Improve structured logging (#1935) (82c5302), closes #1683
- Logout error hint (#1949) (2f1f832)
- SDK generation at Makefile (#1954) (e7a8322)
- Use correct assertion in test (9a5593b)
Documentation
- Add scaling hydra section (e812bfa)
- Annotate code samples (c6099ec)
- Clean up concept section (13c593c)
- Improve csrf debug help (48e50da)
- Move helm chart docs from ory/k8s (5185368)
- Refactor documentation (2b23437)
- Remove duplicate heading (74cb812)
- Update openid certification (5f8c0d4)
Unclassified
Changelog
793a9e2 autogen(docs): generate and format documentation
06fde37 autogen(docs): generate and format documentation
cdcaee6 autogen(docs): generate and format documentation
b1933d7 autogen(docs): generate and format documentation
fc6727e autogen(docs): generate and format documentation
ce1f99e autogen(docs): generate and format documentation
70f9fb4 autogen(docs): generate and format documentation
d95315c autogen(docs): generate and format documentation
5f556f0 autogen(docs): generate and format documentation
6c4bc77 autogen(docs): generate and format documentation
c2e7f2f autogen(docs): generate and format documentation
69ac6b9 autogen(docs): regenerate and update changelog
90faa60 autogen: pin v1.6.0 release commit
523307e chore: bump ci tools
4780c69 chore: bump fosite to 0.32.2 (#1936)
384f7ff chore: optimize CircleCI workflow (#1919)
519e07e chore: update docusaurus template
79c1442 chore: update docusaurus template
fcbbdf5 chore: update docusaurus template
f71d740 chore: update docusaurus template (#1945)
e812bfa docs: add scaling hydra section
c6099ec docs: annotate code samples
13c593c docs: clean up concept section
48e50da docs: improve csrf debug help
5185368 docs: move helm chart docs from ory/k8s
2b23437 docs: refactor documentation
74cb812 docs: remove duplicate heading
5f8c0d4 docs: update openid certification
e7a8322 fix: SDK generation at Makefile (#1954)
2bc777d fix: correct hydra-login-consent-node image
aaabb6f fix: improve nancy pipeline with nancy-ignore and bump ci
82c5302 fix: improve structured logging (#1935)
2f1f832 fix: logout error hint (#1949)
9a5593b fix: use correct assertion in test
7bf91c2 tracing: exclude health endpoints (#1932)
Docker images
docker pull oryd/hydra:v1
docker pull oryd/hydra:v1.6
docker pull oryd/hydra:v1.6.0
docker pull oryd/hydra:v1.6.0
docker pull oryd/hydra:latest
docker pull oryd/hydra:v1-alpine
docker pull oryd/hydra:v1.6-alpine
docker pull oryd/hydra:v1.6.0-alpine
docker pull oryd/hydra:v1.6.0-alpine
docker pull oryd/hydra:latest-alpine
v1.5.2
This release contains mostly minor bug fixes and allows more granular control
for listening on unix sockets.
1.5.2 (2020-06-23)
Bug Fixes
- Do not log error at login/consent cancelation (#1914) (379eed3), closes #1912
- Improve Makefile dependency management (#1918) (5359276), closes #1916:
  This installs dependencies only when you make a target that needs it.
  This also removes the check that certain system dependencies (e.g. go)
  are installed. Instead, we simply let the target fail. This ensures we
  only test for the desired dependencies.
Features
- Allow modifying unix socket permissions (#1915) (b19b7cf):
  This allows the reverse proxy to actually read the unix socket, since
  - The default permissions are 0755
  - Hydra is usually run as a user different than the reverse proxy
  - One needs read and write permissions to connect to the socket

  With the commit, one can set the group to be a group that contains the
  reverse proxy user and permissions to 0770
Changelog
dca89f9 autogen(docs): generate and format documentation
54d610d autogen(docs): generate and format documentation
f4f84fc autogen(docs): generate and format documentation
17c2fe0 autogen(docs): generate and format documentation
8d94004 autogen(docs): regenerate and update changelog
4d2cd48 autogen: pin v1.5.2 release commit
2bf781f chore: bump docker-compose hydra version
4603c5a chore: bump ory/x to v0.0.132 (#1923)
b19b7cf feat: allow modifying unix socket permissions (#1915)
5097805 fix: bump pop to v5.2 (#1922)
379eed3 fix: do not log error at login/consent cancelation (#1914)
5359276 fix: improve Makefile dependency management (#1918)
Docker images
docker pull oryd/hydra:v1
docker pull oryd/hydra:v1.5
docker pull oryd/hydra:v1.5.2
docker pull oryd/hydra:v1.5.2
docker pull oryd/hydra:latest
docker pull oryd/hydra:v1-alpine
docker pull oryd/hydra:v1.5-alpine
docker pull oryd/hydra:v1.5.2-alpine
docker pull oryd/hydra:v1.5.2-alpine
docker pull oryd/hydra:latest-alpine