OpenID Certified™ OpenID Connect and OAuth Provider written in Go - cloud native, security-first, open source API security for your infrastructure. SDKs for any language. Works with Hardware Security Modules. Compatible with MITREid.
Ory Hydra, the OAuth2 and OpenID Connect server designed for web-scale deployments introduces over 6x higher OAuth2 throughput on a single PostgreSQL instance!
Want to check out Ory Hydra yourself? Try common OAuth2 flows in the Ory OAuth2 Get Started guide!
This version significantly enhances performance, processing over 6x more authorization flows than version 2.1, thanks to architectural improvements that minimize database interactions for login and consent processes.
Key improvements include:
Thank you to all contributors who have made this release possible!
Return empty slice if requested_scope or audience is null (#3711) (65165e7)
Correct id token type in token exchange response (#3625) (d1f9ba8):
Handle subject mismatch gracefully (#3619) (af0d477):
We now redirect to the original request URL if the subjects between the remembered Hydra session and what was confirmed by the login screen do not match.
Handle token hook auth config (#3677) (1a40833):
Incorrect down migration (#3708) (8812e0e), closes /github.com/ory/hydra/pull/3705#discussion_r1471514014
Timeout in jwt-bearer grants when too many grants are available (#3692) (a748797)
Deflake ttl test (6741a49)
Only query access tokens by hashed signature (a21e945)
Reject invalid JWKS in client configuration / dependency cleanup and bump (#3603) (1d73d83)
Restore ability to override auth and token urls for exemplary app (#3590) (dfb129a)
Return proper error when the grant request cannot be parsed (#3558) (26f2d34)
Add prompt=registration (#3636) (19857d2):
Ory Hydra now supports a registration value for the prompt parameter of the authorization request. When specifying prompt=registration, Ory Hydra will redirect the user to the URL found under urls.registration (instead of urls.login).
Add skip_logout_consent option to clients (#3705) (2a653e6):
Adds a special field which disables the logout consent screen when performing OIDC logout.
Re-enable legacy client IDs (#3628) (5dd7d30):
This patch changes the primary key of the hydra_client table. We do not expect issues, as that table is probably not overly huge in any deployment. We do, however, highly recommend testing the migration performance on a staging environment with a similar database setup.
Remove flow cookie (#3639) (cde3a30):
This patch removes the flow cookie. All information is already tracked in the request query parameters as part of the {login|consent}_{challenge|verifier}.
Remove login session cookie during consent flow (#3667) (5f41949)
Add more resolution to events and collect client metrics (#3568) (466e66b)
Add state override (b8b9154)
Add support for OIDC VC (#3575) (219a7c0):
This adds initial support for issuing verifiable credentials as specified in https://openid.net/specs/openid-connect-userinfo-vc-1_0.html. Because the spec is still in draft, public identifiers are suffixed with draft_00.
Allow to disable claim mirroring (#3563) (c72a316):
This PR introduces another config option called oauth2:mirror_top_level_claims which may be used to disable the mirroring of custom claims into the ext claim of the JWT.
This new config option is opt-in. If unused, the behavior remains as-is to ensure backwards compatibility.
Example:
oauth2:
  allowed_top_level_claims:
    - test_claim
  mirror_top_level_claims: false # -> this will prevent test_claim from being mirrored within ext
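To make the effect of the two settings concrete, here is an added model of the claim layout described above: which custom claims end up at the top level of the JWT, which end up under ext, and how mirror_top_level_claims changes that. This is illustration code written for this page, not Hydra's implementation; the names ClaimPolicy and build_jwt_claims, the sample claims, and the collision check are assumptions of the model.

```python
from dataclasses import dataclass, field

# Registered JWT claims that a custom claim must never overwrite (model's own
# defensive choice; the release note does not describe Hydra's handling).
REGISTERED_CLAIMS = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti"}


@dataclass
class ClaimPolicy:
    """Model of the two oauth2 config keys from the release note."""
    # oauth2.allowed_top_level_claims: custom claims allowed at the top level
    allowed_top_level_claims: set = field(default_factory=set)
    # oauth2.mirror_top_level_claims: True keeps the pre-existing behaviour
    # (top-level claims are also copied into ext); False turns the copy off
    mirror_top_level_claims: bool = True


def build_jwt_claims(standard: dict, custom: dict, policy: ClaimPolicy) -> dict:
    """Return the claim set for a token given standard claims, custom claims
    and the policy. Custom claims not on the allow list live only under ext."""
    claims = dict(standard)
    # Custom claims that are not allowed at the top level always stay in ext.
    ext = {k: v for k, v in custom.items()
           if k not in policy.allowed_top_level_claims}
    for name, value in custom.items():
        if name not in policy.allowed_top_level_claims:
            continue
        if name in REGISTERED_CLAIMS or name in standard:
            # A custom claim must not shadow a registered claim such as sub.
            raise ValueError(f"custom claim {name!r} collides with a registered claim")
        claims[name] = value
        if policy.mirror_top_level_claims:
            # Legacy behaviour: the top-level claim is mirrored into ext too.
            ext[name] = value
    if ext:
        claims["ext"] = ext
    return claims


def demo() -> tuple:
    """Constructed sample: the same custom claims under both policies."""
    standard = {"iss": "https://hydra.example.test", "sub": "user-1"}  # constructed
    custom = {"test_claim": "value", "department": "sre"}              # constructed
    mirrored = build_jwt_claims(standard, custom,
                                ClaimPolicy({"test_claim"}, mirror_top_level_claims=True))
    unmirrored = build_jwt_claims(standard, custom,
                                  ClaimPolicy({"test_claim"}, mirror_top_level_claims=False))
    return mirrored, unmirrored


if __name__ == "__main__":
    for label, claims in zip(("mirrored", "not mirrored"), demo()):
        print(label, claims)
```

With mirroring off, test_claim appears once, at the top level, while department (not on the allow list) still lives only under ext; a consumer that reads ext for all custom claims therefore needs updating before the option is switched off, which is why the note calls it opt-in.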
Bump fosite and add some more tracing (0b56f53)
cmd: Add route that redirects to the auth code url (4db6416)
Propagate logout to identity provider (#3596) (c004fee):
This commit improves the integration between Hydra and Kratos when logging out the user.
This adds a new configuration key for configuring a Kratos admin URL. Additionally, Kratos can send a session ID when accepting a login request. If a session ID was specified and a Kratos admin URL was configured, Hydra will disable the corresponding Kratos session through the admin API if a frontchannel or backchannel logout was triggered.
Support different jwt scope claim strategies (#3531) (45da11e)
Artifacts can be verified with cosign using this public key.
Introduces logout compatibility with Ory Kratos.
hydra migrate status subcommand (#3579)
Test release
This release optimizes the performance of authorization code grant flows by minimizing the number of database queries. We achieve this by storing the flow in an AEAD-encoded cookie and AEAD-encoded request parameters for the authentication and consent screens.
BREAKING CHANGE:
We are excited to announce the next Ory Hydra release! This release includes the following important changes:
We appreciate your continuous support and feedback. Please feel free to reach out to us with any further suggestions or issues.
Add index on requested_at for refresh tokens and use it in janitor (#3516) (5b8e712)
Do not use prepared SQL statements and bump deps (#3506) (31b9e66)
sql: Incorrect JWK query (#3499) (13ce0d6):
persister_grant_jwk had an OR statement without brackets, leading to the last part of the query not being used.
We are excited to share this year's Q1 release of Ory Hydra: v2.1!
Highlights:
Don't want to run the upgrade yourself? Switch to Ory Network!
We are excited to share this year's Q1 release of Ory Hydra: v2.1.0!
Highlights:
Don't want to run the upgrade yourself? Switch to Ory Network!
autogen: pin v2.1.0-pre.2 release commit
autogen: pin v2.1.0-pre.1 release commit
Bugfixes for migration and pagination regressions and a new endpoint.
Add client_id and client_secret to revokeOAuth2Token (#3373) (93bac07)
Docker build (48217bd)
Invalidate tokens with inconsistent state (#3385) (542ea77), closes #3346:
This patch includes SQL migrations targeting environments which have not yet migrated to Ory Hydra 2.0. It removes inconsistent records, which resolves issues during the migration process. Please be aware that some users might be affected by this change. They might need to re-authorize certain apps. However, most active records should not be affected by this.
Installations already on Ory Hydra 2.0 will not be affected by this change.
No longer auto-generate system secret (c5fe043):
This patch changes Ory Hydra's behavior to no longer auto-generate a temporary secret when no global secret was set. The APIs now return an error instead.
Prevent multiple redirections to post logout url (#3366) (50666b9), closes #3342
client_id and client_secret to revokeOAuth2Token (#3373)
public from schema (#3374)