Hydra Versions

OpenID Certified™ OpenID Connect and OAuth Provider written in Go - cloud native, security-first, open source API security for your infrastructure. SDKs for any language. Works with Hardware Security Modules. Compatible with MITREid.

v1.10.1

3 years ago

We are excited to announce Ory Hydra v1.10.0!

This release adds significant data management improvements. As such, we introduce the new "hydra janitor" command which cleans up stale data and can be run, for example, as a (Kubernetes) CronJob.

The new janitor command is able to clean up invalid and expired access and refresh tokens as well as login and consent requests. This solves issues observed in installations with lots of traffic.

This patch refactors the internal file embed system by migrating to Go 1.16, simplifying and speeding up the build process.

To follow OAuth2 best-practice, refresh tokens will now invalidate the whole access and refresh token chain if reused.

1.10.1 (2021-03-25)

Bug Fixes

  • Add docs/node_modules make target (b302501)

  • Add network specific error message to avoid confusion (#2367) (56d71e6), closes #2338

  • Adds sqa section to config.schema.json (#2360) (89df8d7), closes #2358:

    Move from viper to koanf caused env vars without corresponding paths in config.schema.json to be ignored. This commit adds missing sqa section, so the SQA_OPT_OUT env var has effect again.

  • Adopt new cli renderer pipeline (02483ce)

  • Better http resiliency and sqlite updates (883a84f)

  • Improve cache and update CI images to go 1.16 (#2388) (7803202)

  • Increase conformance test timeout (e9bd064)

  • Record cypress videos (c9d0a26)

  • Resolve clidoc issues (8257cb2)

  • Resolve docs build issues (6612099)

  • Resolve e2e test issues (4812f54)

  • Resolve migrator duplicate files (b1f63ff)

  • Resolve migrator regression issues (cdfc03d)

  • Revert mode default and maximum values (#2349) (b20fc48):

    I made a mistake in the previous pull request: these socket mode values are in decimal, not octal format. Sorry.

  • Update janitor help (b7965c6)

  • Use appropriate migrations with precedence (b61d05c)

  • Use gelf windows hotfix (0cac0f1)

  • Use go 1.16 in conformity suite (3fbda05)

Documentation

  • Faq custom data (#2334) (471e85d)

  • Fix basic examples for the golang SDK (#2399) (6806865)

  • Fix subject identifier algorithms to match configuration (#2400) (dd19b86):

    On https://www.ory.sh/hydra/docs/reference/configuration/ under 'subject identifiers', the name for defining which subject identifier algorithms are supported is "supported_types", not "enabled" as in these pages.

  • Improve readme tests section (#2380) (277afe9)

  • Quickstart config (#2328) (f20f645)

  • Update config.schema.json default values (#2348) (8494822):

    Updated wrong config schema values

  • Update examples to new helm install command format (#2369) (f006556):

    Tried example with helm 3.5.2 and it does not support --name flag. So I moved name and repository to first line of commands.

Features

  • Add --no-shutdown flag to "hydra token user" to prevent auto-termination (#2382) (#2386) (a17d10e)

  • Add front/backchannel logout params to client cli (#2387) (055f801), closes #1487

  • Flush inactive/expired login and consent requests (#2381) (f039ebb), closes #1574:

    This patch resolves various table growth issues caused by expired/inactive login and consent flows never being purged from the database.

    You may now use the new hydra janitor command to remove access & refresh tokens and login & consent requests which are no longer valid or used. The command follows the notAfter safe-guard approach to ensure records needed to be kept are not deleted.

    To learn more, please use hydra help janitor.

    This patch phases out the /oauth2/flush endpoint as the janitor is better suited for background tasks, is easier to run in a targeted fashion (e.g. as a singleton job), and does not cause HTTP timeouts.

  • Flush refresh tokens for service oauth2/flush (#2373) (b46a14c), closes https://github.com/ory/hydra/issues/1574#issuecomment-736684327

  • Move to go 1.16 and static embed files (6fa591c)

  • Refresh token reuse detection (#2383) (bc349f1), closes #2022:

    This patch adds support for Refresh Token reuse Detection introduced by https://github.com/ory/fosite/pull/567. Ory Hydra's persister no longer deletes refresh tokens when using them, but instead deactivates them - similar to how authorization codes work.
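
The reuse-detection behaviour described above (a used refresh token is deactivated rather than deleted, and presenting it a second time revokes the whole access and refresh token chain), as an added Go example that is not code from Ory Hydra or fosite. Store, Issue, Refresh, AccessValid and the grant IDs are hypothetical names for an in-memory model of the token tables.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Illustrative model only: all type and function names are hypothetical and
// are not taken from Ory Hydra or fosite.

var (
	ErrUnknownToken = errors.New("refresh token not found")
	ErrTokenReused  = errors.New("refresh token reused: token chain revoked")
)

// refreshRecord is kept after use so that a later replay can be recognised.
type refreshRecord struct {
	grantID string // shared by every token descended from one authorization
	active  bool   // false once rotated or revoked
}

// Store is an in-memory stand-in for the access and refresh token tables.
type Store struct {
	mu      sync.Mutex
	refresh map[string]*refreshRecord // refresh token -> record
	access  map[string]string         // access token -> grantID
}

func NewStore() *Store {
	return &Store{refresh: map[string]*refreshRecord{}, access: map[string]string{}}
}

func newToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no secure randomness available
	}
	return hex.EncodeToString(b)
}

// issueLocked mints an access/refresh pair for grantID. Caller holds s.mu.
func (s *Store) issueLocked(grantID string) (access, refresh string) {
	access, refresh = newToken(), newToken()
	s.access[access] = grantID
	s.refresh[refresh] = &refreshRecord{grantID: grantID, active: true}
	return access, refresh
}

// Issue starts a new chain, for example after an authorization code exchange.
func (s *Store) Issue(grantID string) (access, refresh string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.issueLocked(grantID)
}

// Refresh rotates a refresh token. A token that was already used is still in
// the store (inactive), so its second presentation is detected as reuse and
// every token of the same grant is revoked.
func (s *Store) Refresh(presented string) (access, refresh string, err error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.refresh[presented]
	if !ok {
		return "", "", ErrUnknownToken
	}
	if !rec.active {
		s.revokeChainLocked(rec.grantID)
		return "", "", ErrTokenReused
	}
	rec.active = false // deactivate instead of delete
	// The previous access token is left to expire on its own in this model.
	access, refresh = s.issueLocked(rec.grantID)
	return access, refresh, nil
}

// revokeChainLocked invalidates all tokens of one grant. Caller holds s.mu.
func (s *Store) revokeChainLocked(grantID string) {
	for _, r := range s.refresh {
		if r.grantID == grantID {
			r.active = false
		}
	}
	for tok, g := range s.access {
		if g == grantID {
			delete(s.access, tok)
		}
	}
}

// AccessValid reports whether an access token is still accepted.
func (s *Store) AccessValid(token string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, ok := s.access[token]
	return ok
}

func main() {
	s := NewStore()
	_, rt1 := s.Issue("grant-a")  // constructed grant ID
	at2, rt2, _ := s.Refresh(rt1) // first use: rotation succeeds
	_, _, err := s.Refresh(rt1)   // second use of rt1: chain is revoked
	fmt.Println(err, s.AccessValid(at2))
	_, _, err = s.Refresh(rt2) // the newest token was revoked with the chain
	fmt.Println(err)
}
```

Because the record of a used token survives, the store cannot tell which party presented it second; both the legitimate client and any other holder lose the chain and the user has to re-authorize.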

Tests

  • Bump cypress to newer version and add resilience (c76309c)
  • Bump ory/x and resolve regressions (1a03c07)
  • Fix record arg (b248406)
  • Improve e2e script and add record option (9d4764d)
  • Resolve flaky cypress tests (356b05f)
  • Resolve migration regression (e59e2bc)
  • Use cypress fetchers (2aa0980)
  • Use go 1.16 in conformity (ccd983d)

Unclassified

  • Do not send 404 on revoke consent / delete login (#2397) (854b9ee)
  • Resolve oidc conformity regression (1049602)

Changelog

  • ce7ee75c autogen(docs): generate and format documentation
  • 74bfe9ce autogen(docs): generate and format documentation
  • ec93526e autogen(docs): generate and format documentation
  • 4cc80123 autogen(docs): generate and format documentation
  • 21c62857 autogen(docs): generate and format documentation
  • 67d9b387 autogen(docs): generate and format documentation
  • dc97559d autogen(docs): generate and format documentation
  • a11527f1 autogen(docs): generate and format documentation
  • e18e9669 autogen(docs): generate and format documentation
  • 9ad9c1d3 autogen(docs): generate and format documentation
  • d3697cd9 autogen(docs): generate cli docs
  • 83f8ebd0 autogen(docs): generate cli docs
  • 7731121d autogen(docs): generate cli docs
  • d6c82091 autogen(docs): generate cli docs
  • 8f939da6 autogen(docs): generate cli docs
  • 5005c9a7 autogen(docs): regenerate and update changelog
  • 48b75ab7 autogen(docs): regenerate and update changelog
  • 97e3f80f autogen(docs): regenerate and update changelog
  • 69e7bef3 autogen(docs): regenerate and update changelog
  • 003a6820 autogen(docs): regenerate and update changelog
  • c1e9b38a autogen(docs): regenerate and update changelog
  • eb5c5305 autogen(docs): regenerate and update changelog
  • 5210a0fd autogen(docs): regenerate and update changelog
  • 4eafcfe1 autogen(docs): regenerate and update changelog
  • c84fcdf4 autogen(docs): update milestone document
  • d4d243ff autogen(docs): update milestone document
  • 1cce525e autogen(docs): update milestone document
  • ac95a335 autogen(openapi): Regenerate swagger spec and internal client
  • f6ef7514 autogen(openapi): Regenerate swagger spec and internal client
  • cc7a8e46 autogen(openapi): Regenerate swagger spec and internal client
  • b660fa39 autogen(openapi): Regenerate swagger spec and internal client
  • 72a2e2f3 autogen(openapi): Regenerate swagger spec and internal client
  • 756f19fc autogen(openapi): Regenerate swagger spec and internal client
  • f5b993a2 autogen(openapi): Regenerate swagger spec and internal client
  • 577ad1bc autogen(openapi): Regenerate swagger spec and internal client
  • 582aca38 autogen(openapi): Regenerate swagger spec and internal client
  • 27dc147a autogen: add v1.9.2 to version.schema.json
  • ed096e92 autogen: add v1.9.3-pre.5 to version.schema.json
  • bf8f805f autogen: pin v1.10.0 release commit
  • 60b2434e autogen: pin v1.10.0 release commit
  • 2287ac59 autogen: pin v1.10.1 release commit
  • c3833af2 autogen: pin v1.10.1-pre.1 release commit
  • 01af32f3 autogen: pin v1.10.1-pre.2 release commit
  • 440d171d autogen: pin v1.9.3-pre.0 release commit
  • 38b6317a autogen: pin v1.9.3-pre.1 release commit
  • 149db769 autogen: pin v1.9.3-pre.2 release commit
  • 26615cbb autogen: pin v1.9.3-pre.3 release commit
  • bf652999 autogen: pin v1.9.3-pre.4 release commit
  • be012b6d autogen: pin v1.9.3-pre.5 release commit
  • d2aecf88 chore(deps): bump pug-code-gen in /test/e2e/oauth2-client (#2376)
  • d0ef3e37 chore: fix go mod
  • ab06db3e chore: fix link (#2359)
  • 4b595e87 chore: update docusaurus template
  • 15653367 chore: update docusaurus template (#2424)
  • 785e743e chore: update package lock
  • f4ed887a chore: update repository templates
  • 96627651 chore: update repository templates
  • cb64d68d chore: update repository templates
  • 1d314105 chore: update repository templates (#2362)
  • a3295561 chore: update repository templates (#2378)
  • e3d60323 ci: add trailing slash to prettier check (#2389)
  • e819e7b5 ci: adopt new swagger ignorepkgs
  • 0afd9fc0 ci: bump orbs
  • 7f806e55 ci: fix yaml syntax error
  • 0326699f ci: link to cypress project
  • d8ad323f ci: reorder e2e execution
  • 94593db5 ci: run e2e tests in one container (#2391)
  • d17f5050 ci: use nancy command instead of job (#2390)
  • 854b9eed consent: do not send 404 on revoke consent / delete login (#2397)
  • 471e85d2 docs: faq custom data (#2334)
  • 68068651 docs: fix basic examples for the golang SDK (#2399)
  • dd19b86b docs: fix subject identifier algorithms to match configuration (#2400)
  • 277afe9d docs: improve readme tests section (#2380)
  • f20f6459 docs: quickstart config (#2328)
  • 84948220 docs: update config.schema.json default values (#2348)
  • f006556f docs: update examples to new helm install command format (#2369)
  • a17d10e7 feat: add --no-shutdown flag to "hydra token user" to prevent auto-termination (#2382) (#2386)
  • 055f801e feat: add front/backchannel logout params to client cli (#2387)
  • f039ebbd feat: flush inactive/expired login and consent requests (#2381)
  • b46a14cd feat: flush refresh tokens for service oauth2/flush (#2373)
  • 6fa591c8 feat: move to go 1.16 and static embed files
  • bc349f1f feat: refresh token reuse detection (#2383)
  • b302501b fix: add docs/node_modules make target
  • 56d71e67 fix: add network specific error message to avoid confusion (#2367)
  • 89df8d7b fix: adds sqa section to config.schema.json (#2360)
  • 02483ce4 fix: adopt new cli renderer pipeline
  • 883a84f8 fix: better http resiliency and sqlite updates
  • 78032026 fix: improve cache and update CI images to go 1.16 (#2388)
  • e9bd0642 fix: increase conformance test timeout
  • c9d0a262 fix: record cypress videos
  • 8257cb29 fix: resolve clidoc issues
  • 6612099b fix: resolve docs build issues
  • 4812f549 fix: resolve e2e test issues
  • b1f63fff fix: resolve migrator duplicate files
  • cdfc03d8 fix: resolve migrator regression issues
  • b20fc48d fix: revert mode default and maximum values (#2349)
  • b7965c6f fix: update janitor help
  • b61d05ce fix: use appropriate migrations with precedence
  • 0cac0f1e fix: use gelf windows hotfix
  • 3fbda05a fix: use go 1.16 in conformity suite
  • c76309cf test: bump cypress to newer version and add resilience
  • 1a03c077 test: bump ory/x and resolve regressions
  • b248406d test: fix record arg
  • 9d4764d8 test: improve e2e script and add record option
  • 356b05f6 test: resolve flaky cypress tests
  • e59e2bc9 test: resolve migration regression
  • 2aa09804 test: use cypress fetchers
  • ccd983d7 test: use go 1.16 in conformity
  • 10496024 tests: resolve oidc conformity regression

Docker images

  • docker pull oryd/hydra:v1-sqlite
  • docker pull oryd/hydra:v1.10-sqlite
  • docker pull oryd/hydra:v1.10.1-sqlite
  • docker pull oryd/hydra:latest-sqlite
  • docker pull oryd/hydra:v1
  • docker pull oryd/hydra:v1.10
  • docker pull oryd/hydra:v1.10.1
  • docker pull oryd/hydra:latest
  • docker pull oryd/hydra:v1-alpine
  • docker pull oryd/hydra:v1.10-alpine
  • docker pull oryd/hydra:v1.10.1-alpine
  • docker pull oryd/hydra:latest-alpine

v1.9.2

3 years ago

This release adds more telemetry data to the prometheus exporter.

1.9.2 (2021-01-29)

Features

  • Enable emittance of response time metrics (#2323) (c1f1ba5)

Changelog

  • 8a415d92 autogen(docs): generate and format documentation
  • eb6f682f autogen(docs): regenerate and update changelog
  • fcd80d16 autogen(docs): regenerate and update changelog
  • 0b4673ec autogen: add v1.9.1 to version.schema.json
  • f0580e25 autogen: pin v1.9.2 release commit
  • c1f1ba5c feat: enable emittance of response time metrics (#2323)

Docker images

  • docker pull oryd/hydra:v1
  • docker pull oryd/hydra:v1.9
  • docker pull oryd/hydra:v1.9.2
  • docker pull oryd/hydra:latest
  • docker pull oryd/hydra:v1-alpine
  • docker pull oryd/hydra:v1.9-alpine
  • docker pull oryd/hydra:v1.9.2-alpine
  • docker pull oryd/hydra:latest-alpine
  • docker pull oryd/hydra:v1-sqlite
  • docker pull oryd/hydra:v1.9-sqlite
  • docker pull oryd/hydra:v1.9.2-sqlite
  • docker pull oryd/hydra:latest-sqlite

v1.9.1

3 years ago

This release makes Dart and Rust SDKs available for Ory Hydra!

1.9.1 (2021-01-27)

Documentation

Changelog

  • efa4c4ce autogen(docs): generate and format documentation
  • ea5edb39 autogen(docs): generate cli docs
  • 7e162f65 autogen(docs): generate cli docs
  • 10b5d594 autogen(docs): generate cli docs
  • 994d4d4d autogen(docs): regenerate and update changelog
  • 97c664bd autogen(docs): regenerate and update changelog
  • 2a0c1d06 autogen(docs): regenerate and update changelog
  • 8d5c8b18 autogen(docs): regenerate and update changelog
  • 7e546aa0 autogen(docs): regenerate and update changelog
  • 3027833e autogen(docs): regenerate and update changelog
  • bdf79911 autogen(docs): update milestone document
  • 1921e54c autogen: add v1.9.0 to version.schema.json
  • 5cedc9e2 autogen: pin v1.9.1 release commit
  • 68cb6670 chore: bump gjson (#2298)
  • 183d421a chore: update repository templates (#2301)
  • c4b4f73e docs: add Rust and Dart SDKs
  • 8d31cb34 docs: add faq items
  • 1316cc00 docs: add link endings. (#2313)
  • 341f3ede docs: fix npm links (#2303)
  • a8ad7052 docs: quickstart cleanup (#2324)
  • 4fdb7f1c docs: reorg faq sidebar (#2318)
  • d2ee4f6c docs: update before oauth2.mdx (#2299)
  • a2b3a49e docs: update javascript documentation
  • d05d82e9 docs: update npm package name (#2302)

Docker images

  • docker pull oryd/hydra:v1
  • docker pull oryd/hydra:v1.9
  • docker pull oryd/hydra:v1.9.1
  • docker pull oryd/hydra:latest
  • docker pull oryd/hydra:v1-alpine
  • docker pull oryd/hydra:v1.9-alpine
  • docker pull oryd/hydra:v1.9.1-alpine
  • docker pull oryd/hydra:latest-alpine
  • docker pull oryd/hydra:v1-sqlite
  • docker pull oryd/hydra:v1.9-sqlite
  • docker pull oryd/hydra:v1.9.1-sqlite
  • docker pull oryd/hydra:latest-sqlite

v1.9.0

3 years ago

Today, we are very excited to announce the stable release of ORY Hydra 1.9! This release contains significant internal code refactoring, making ORY Hydra more reliable, lightweight, and even more scalable! Also, for the first time ever, ORY Hydra handled over 13.3 billion API requests in December 2020 in over 23.000 production environments around the globe.

Let's talk features - in a TL;DR overview:

  • Completely replacing the existing DBAL and switching to gobuffalo/pop.
  • Support for SQLite, an embedded database, which can be used for testing and tiny deployments.
  • Deprecating the existing configuration system spf13/viper and moving to knadh/koanf.
  • Adding OpenID Connect Conformity Test Suite to the CI, guaranteeing that every code change is fully OpenID Connect compliant.
  • Support for the OpenID Connect response_mode=form_post Response Mode.
  • Compatibility with MITREid, allowing easy migration from MITREid to ORY Hydra.
  • The TypeScript SDK moved from @oryd/hydra-client to @ory/hydra-client. Please update your dependencies!

If you wish to get into ORY Hydra, check out the new YouTube tutorial:

ORY Hydra YouTube Quickstart Tutorial

See you on slack, signed HACKERMAN.

ORY Kratos

We would like to take a bit of your time and introduce you to ORY Kratos. ORY Kratos implements all the hard things related to users: login, registration, customizable profile fields, multi-factor authentication scheduled for v0.6, secure account recovery, email and SMS verification, profile management, session and device management, user administration, social sign in and sign up, and much, much more! Everything works with proven and ORY-hardened protocols in the same lightweight fashion you are used to from our other products. And it natively targets mobile, desktop, web, and robots! ORY Kratos is essentially an open-source alternative to Auth0, Okta, and Google Firebase with the added benefit of avoiding the complexity of implementing OAuth2 and OpenID Connect for your first-party apps just to get login to work. So if you are wondering whether you really need OAuth2, this is worth your time!

To get a feeling for ORY Kratos, check out our exemplary React Native app (available on GitHub, Android and iOS) demonstrating user registration, login, and profile management. It uses APIs from ORY Cloud, which will be publicly announced this year. If you are interested in becoming an early adopter, get in touch now! We have more super exciting stuff planned!

[Screenshots: ORY Kratos user data, registration, and user settings screens for mobile applications]

Changes in-depth

Let's break down the most significant changes in more detail:

The configuration system has been reworked

  1. Configuration sourcing works from all sources (file, env, cli flags) with validation against the configuration schema. This makes changing or updating configuration much easier.
  2. Configuration reloading is improved and works on Kubernetes.
  3. Performance gains remove the need for a cache layer between the configuration system and ORY Hydra.
  4. Loading of several config files is now possible using the --config flag.
  5. Configuration values are now sent to the tracer (e.g. Jaeger) if tracing is enabled.

Please be aware that deprecated configuration flags have been removed with this change. It is also possible that ORY Hydra might complain about an invalid configuration due to a significantly improved validation process.

The OpenID Connect Conformity Test Suite is now part of the ORY Hydra CI pipeline.

This means every PR and change will be checked for OpenID Connect Compliance. As part of these tests, we uncovered some regression issues which have since been resolved. Please be aware that fields error_hint and error_debug will no longer be sent. You can re-enable those legacy fields by setting oauth2.include_legacy_error_fields to true.

Supporting response_mode=form_post

Support for OpenID Connect flows with response_mode=form_post was added and has been tested with the OpenID Connect Conformity Test Suite, making it ready for production.

Compatibility with MITREid

Adds an option that allows granting the OAuth2 Client's authorized scope when performing a client_credentials flow without specifying a scope. This enables compatibility with MITREid and allows migrating from MITREid to ORY Hydra.

Refactoring the internal DBAL

We completely refactored the internal database abstraction layer (DBAL). We have been using gobuffalo/pop successfully in ORY Kratos and decided to move the ORY Hydra DBAL to gobuffalo/pop as well. As part of this refactoring, ORY Hydra now supports SQLite for both in-memory as well as on-disk databases, de-duplicating the codebase and allowing for quick and easy persistence in test environments.

Changelog 1.9.0 (2021-01-12)

Bug Fixes

  • Add 400 as possible reply to /oauth2/token (24daede), closes #2260

  • Bump ory/x and update config usage (#2248) (4937a00)

  • Do not require unset pairwise (4136aaf)

  • Improve version regex (17d9599), closes #2255

  • Update schema reference for subject_identifiers.supported_types (0e14a08), closes #2270

  • Add encrypt_at_rest option to config schema (3219c16)

  • Add required aud, jti claims to userinfo response (d0697fa)

  • Add standardized client registration errors (02a9137):

    Adds new errors to fully comply with the OpenID Connect Dynamic Client Registration specification.

  • Allow all request object signing algs per default (edc54c2):

    This patch resolves an issue where RS256 would be the only allowed request object signing algorithm. The spec however mandates that all algorithms are allowed if the client does not explicitly set the request object signing algorithm.

  • Allow lower bcrypt values and add tests (812a21c)

  • Document describe error (#2208) (b59bdf8)

  • Ensure consistent auth_time in session handling (e973ffe)

  • Increase parallelism to 4 (ae02706)

  • Mark false gosec positive (206d1ee)

  • Nonce is not required for hybrid flows (c708ada)

  • Quickstart yml (5ebd984)

  • Remove session from store on logout (4495f56):

    This patch resolves an issue where the session would not be purged from the store when performing an RP-initiated logout request from a client, if said client does not purge the authentication session properly because the client does not have access to it or because the client misbehaves.

  • Remove unrelated quickstart entry (#2214) (a583d78), closes #2213

  • Request_id should not be unique (a8ca333):

    This patch resolves an issue where certain OpenID Connect Hybrid flows would error with a UNIQUE violation. The cause of this issue was an incorrect UNIQUE constraint on the request_id field of the access, refresh, pkce, and other, similar tables.

  • Resolve broken quickstart (95a1dfb)

  • Update deprecated config in quickstart (1c1433a)

  • Update invalid quickstart config (8d076a5)

  • Update package lock (18bfc96)

  • Update schema to support new koanf (29763c8)

  • Add support for tracing to SQL (b3dda7c)

  • Address pop inconsistencies and update tests (8f3462f)

  • CGO build issues on Windows and Go 1.15+ (1c1fe19)

  • Do not require sqlite and CGO for other databases (8069205)

  • Do not run migrations in background (308edb9)

  • Explicitly set pwd in makefile (aeb1090)

  • Goreleaser add docker images (7a81908)

  • Improve cli flags and add -c config flag (bf3be84)

  • Improve schema typing for tracing (4cc25c3)

  • Improve tests and pop adapter (1354611)

  • Remove explicit cve allowlist (90caeda), closes #2117

  • Remove obsolete makefile targets (dc5d37f)

  • Remove unnecessary transactions (1df50ec)

  • Remove websocket direct dep (d525983), closes #2111

  • Run tests only once (4e1d0f6)

  • Set context in connection getter (644967a)

  • Update docker and quickstart examples (b01c246)

  • Update format to goimports (c4438b0)

  • Use context in transaction creator (db0ac86)

  • Use sqlite for standalone (e5b7147)

  • Add docs format to make format (cfa50fe)

  • Client update breaks primary key (#2150) (7662917), closes #2148

  • Explicitly use no-CGO images for non-SQLite (1ec2d1d)

  • Force brew install statement (0252b5a)

  • Update install script (c614c0b)

Documentation

  • Add note about mounting the config file when using docker (#2235) (766e8f1), closes #2231

  • Change deprecated fallback url (#2275) (0bf61aa), closes #2254

  • Client api upper bound on limit parameter (#2277) (bc2bbd2), closes #2267

  • Corrected a link within the docs (#2257) (0dd4e64)

  • Fix incorrect version replacements (70a6b8f)

  • Fix typo (#2264) (82ba2df)

  • OAUTH2_ERROR_URL -> URLS_ERROR (#2263) (f9b8205)

  • Oidc.subject_identifiers config key change (#2232) (2172f25):

    oidc.subject_identifiers.enabled is now oidc.subject_identifiers.supported_types. Docs should get updated.

  • Update install from source instructions (bcfd9b7)

  • Add config debug section (c53f036)

  • Add contributing to sidebar (#2209) (21f3b1f):

    Added Contributing Guidelines to the introduction menu point on the sidebar. I think it should be as obvious as possible. Another good solution would be to add them to the top bar?

    If this is merged, I will do the same changes for Kratos/Oathkeeper/Keto.

  • Add newsletter banner (5b63aa4)

  • Add quickstart video (#2220) (d4aa981)

  • Bcrypt reference config (#2161) (e7eece2), closes #2077

  • Deps are installed automagically and make deps was removed (#2157) (25e96e2), closes #2154

  • Fix omissions in consent flow description (#2194) (d9d719a)

  • Minor improvements to the concepts/consent page (#2168) (1128cfc)

  • Update links and fix typos (#2169) (409f2f4)

  • Update toc (#2158) (ee4a9ed), closes #2153

  • Use codefromremote for consent samples (51c0874)

  • Add hypnoglow terraform provider (7ed8870), closes #1304

  • Correct port (#2101) (487e733), closes #2100

  • Correct port (#2102) (7aca301), closes #2100

  • Fix typo (71a4495)

  • Remove obsolete doc section (443a225)

  • Swagger route headline capitalization (4540ece), closes #2015

  • Update code listings and image tags (3cd22c4)

  • Update sql instructions (bfed7f2)

  • Updates kubernetes helm chart url (6d63a73)

  • Add missing trailing slash (97bc47d)

  • Replace dex with keycloak (fa877d7), closes #2128

  • Version bash-curl script (71b0592), closes #2145

Code Refactoring

  • Deprecate driver semantics (8fc3e2e)

  • Move oauth2 cors to own package (3beddbd)

  • Rename token_type to token_use in introspection (152fd5d), closes #1762

  • Replace viper with koanf config management (8c12b27)

  • Move Dockerfiles to .docker directory (5508f2a)

  • Use gobuffalo/pop for SQL abstraction (#2059) (56bce67), closes #1730:

    This patch replaces the existing SQL and memory managers with a pop based persister. Existing SQL migrations are compatible as they have been migrated to the new SQL abstraction in version 1.7.x. As a goodie, ORY Hydra now supports SQLite for both in-memory as well as on-disk (useful for development and very small deployments) databases!

Features

  • Add ability to override oidc discovery urls (bb8b982):

    Added config options webfinger.oidc_discovery.token_url, webfinger.oidc_discovery.auth_url, webfinger.oidc_discovery.jwks_url.

  • Add new request_object_signing_alg_values_supported to oidc discovery (4220959)

  • Add oidc conformity tests (651f424)

  • Add support for ElasticAPM tracing (#2155) (7792715)

  • Improve and clean up error handling (b727367)

  • Improve error responses for consent handler (44ab747)

  • Improve error stack trace wrapping (fdf142c)

  • Only set state-param if it was passed (#2183) (568434a):

    Using state in the logout flow is optional, so state can be empty. In order to avoid an ugly /post-logout-redirect-uri?state= URI, the state should only be appended if it is not empty.

  • Remove legacy error fields unless configured to do so (e2a7135)

  • Support OpenID Connect's response_mode=form_post (8ab9eff), closes #1621:

    This patch adds support for the response_mode parameter as defined in OAuth 2.0 Form Post Response Mode. Additionally, values fragment and query are supported as defined in OAuth 2.0 Multiple Response Type Encoding Practices.

  • Support pkger (07a360e)

  • Add configuration option to grant default client_credential scope when no scope is requested (#2144) (0b1de34), closes #2141:

    Adds an option which allows granting the OAuth2 Client's authorized scope when performing a client_credentials flow without specifying a scope. This enables compatibility with MITREid.

  • Implement docker for quickstart (8e64202)

  • Re-enable freebsd (2f19837), closes #2116 #2115

  • Support sqlite in goreleaser (e946487)

Tests

  • Add timeout to wait (90dfaf5)

  • Completely refactor consent tests (defc063)

  • Fix jwt e2e tests (1b480d8)

  • Improve github action conformity tests (1015e49)

  • Improve TestClientCredentialsGrantAllScopes (19409b4)

  • Increase timeout for conformity (a65d289)

  • Oidc conformity tests should run as workflow dispatch (5b8fa0a)

  • Refactor client credential tests (b74cffa)

  • Refactor consent logout tests and add failing case (ef12c06)

  • Refactor oauth2 auth code tests (c376473)

  • Resolve conformity test suite concurrency issues (ef312c3)

  • Resolve e2e startup issues (5af4cef)

  • Resolve e2e test failures (03f5e8e)

  • Resolve failing rotation key tests (8e8b943)

  • Resolve flaky test issue (e17a074)

  • Resolve incorrect retry loop (ef141c2)

  • Retry conformity failures (409ae42)

  • Retry interrupted tests (c72367b)

  • Skip preloading in migration tests (14272f2)

  • Update config to pass validation (6931461)

  • Use 16 workers for conformance (9cf0e65)

  • Use correct test context (45bc907)

  • Use prebuilt images for conformity testing (4dd7a62)

  • Fix confusing expected/got (#2135) (14b6db2):

    And fixed assert.EqualError params in right order in TestStrategyLoginConsent

  • Move tests to persistence (46d0571)

  • Remove unused expectSession variable (#2134) (eda8532)

  • Write migrate logs to file (9a1fbd8)

  • Fix misused id field (#2152) (511e8d2)

Unclassified

BREAKING CHANGES

  • After battling with spf13/viper for several years we finally found a viable alternative with knadh/koanf. The complete internal configuration infrastructure has changed, with several highlights:
  1. Configuration sourcing works from all sources (file, env, cli flags) with validation against the configuration schema, greatly improving developer experience when changing or updating configuration.
  2. Configuration reloading has improved significantly and works flawlessly on Kubernetes.
  3. Performance increased dramatically, completely removing the need for a cache layer between the configuration system and ORY Hydra.
  4. It is now possible to load several config files using the --config flag.
  5. Configuration values are now sent to the tracer (e.g. Jaeger) if tracing is enabled.

Please be aware that deprecated configuration flags have finally been removed with this change. It is also possible that ORY Hydra might complain about an invalid configuration, because the validation process has improved significantly.

  • This patch requires running SQL Migrations. Please be aware that a NOT NULL column is being dropped which could require a lot of time when the authentication_session table contains a lot of data.
  • This patch removes error_hint and error_debug fields from OAuth2 responses. These are now all merged into error_description which is according to the OAuth2 and OpenID Connect specification. If you wish to keep the old behavior around, set oauth2.include_legacy_error_fields to true in your ORY Hydra configuration.
  • Applying this patch requires running SQL migrations. The SQL migrations will remove a UNIQUE constraint and add new INDEX to several tables which should speed up certain operations. Please be aware that this might cause certain databases to lock which could be problematic if there are many rows affected.
  • This changes the OAuth2 Token Introspection response to ensure compliance with the OAuth2 Token Introspection specification. Previously, token_type would return access_token or refresh_token. The specification however mandates that token_type is always Bearer. This patch resolves that issue. The previous behaviour of token_type has now been moved to token_use which can be access_token or refresh_token.

Docker images

  • docker pull oryd/hydra:v1
  • docker pull oryd/hydra:v1.9
  • docker pull oryd/hydra:v1.9.0
  • docker pull oryd/hydra:latest
  • docker pull oryd/hydra:v1-alpine
  • docker pull oryd/hydra:v1.9-alpine
  • docker pull oryd/hydra:v1.9.0-alpine
  • docker pull oryd/hydra:latest-alpine
  • docker pull oryd/hydra:v1-sqlite
  • docker pull oryd/hydra:v1.9-sqlite
  • docker pull oryd/hydra:v1.9.0-sqlite
  • docker pull oryd/hydra:latest-sqlite

v1.9.0-alpha.3

3 years ago

We are excited to present the next big step towards ORY Hydra 1.9! In this release we completely refactored the configuration internals and moved from spf13/viper to knadh/koanf:

  1. Configuration sourcing works from all sources (file, env, cli flags) with validation against the configuration schema, greatly improving the developer experience when changing or updating configuration.
  2. Configuration reloading has improved significantly and works excellently on Kubernetes.
  3. Performance gains that remove the need for a cache layer between the configuration system and ORY Hydra.
  4. Loading of several config files using the --config flag is now possible.
  5. Configuration values are now sent to the tracer (e.g. Jaeger) if tracing is enabled.

Please be aware that deprecated configuration flags have finally been removed with this change. It is also possible that ORY Hydra might complain about an invalid configuration due to a significantly improved validation process.

In addition, this release includes the new OpenID Connect Conformity Test Suite as part of the ORY Hydra CI pipeline. This means every PR and change will be checked for OpenID Connect Compliance. As part of these tests, we uncovered some regression issues which have since been resolved. Please be aware that fields error_hint and error_debug will no longer be sent. You can re-enable those legacy fields by setting oauth2.include_legacy_error_fields to true.

Furthermore, support for OpenID Connect flows response_mode=form_post was added and has been tested with the OpenID Connect Conformity Test Suite, making it ready for production.

Several other bugs have been resolved and we have completely overhauled the tests, deprecating test tables in favor of test suites. This greatly improves the readability of our tests and allows new contributors to more easily understand what is going on!

If you wish to get into ORY Hydra, check out the newly published YouTube tutorial:

ORY Hydra YouTube Quickstart Tutorial

1.9.0-alpha.3 (2020-12-08)

Bug Fixes

  • Add encrypt_at_rest option to config schema (3219c16)

  • Add required aud, jti claims to userinfo response (d0697fa)

  • Add standardized client registration errors (02a9137):

    Adds new errors to fully comply with the OpenID Connect Dynamic Client Registration specification.

  • Allow all request object signing algs per default (edc54c2):

    This patch resolves an issue where RS256 would be the only allowed request object signing algorithm. The spec however mandates that all algorithms are allowed if the client does not explicitly set the request object signing algorithm.

  • Allow lower bcrypt values and add tests (812a21c)

  • Document describe error (#2208) (b59bdf8)

  • Ensure consistent auth_time in session handling (e973ffe)

  • Increase parallelism to 4 (ae02706)

  • Mark false gosec positive (206d1ee)

  • Nonce is not required for hybrid flows (c708ada)

  • Quickstart yml (5ebd984)

  • Remove session from store on logout (4495f56):

    This patch resolves an issue where the session would not be purged from the store when performing an RP-initiated logout request from a client, if said client does not purge the authentication session properly because the client does not have access to it or because the client misbehaves.

  • Remove unrelated quickstart entry (#2214) (a583d78), closes #2213

  • Request_id should not be unique (a8ca333):

    This patch resolves an issue where certain OpenID Connect Hybrid flows would error with a UNIQUE violation. The cause of this issue was an incorrect UNIQUE constraint on the request_id field of the access, refresh, pkce, and other, similar tables.

  • Resolve broken quickstart (95a1dfb)

  • Update deprecated config in quickstart (1c1433a)

  • Update invalid quickstart config (8d076a5)

  • Update package lock (18bfc96)

  • Update schema to support new koanf (29763c8)

Code Refactoring

  • Deprecate driver semantics (8fc3e2e)
  • Move oauth2 cors to own package (3beddbd)
  • Rename token_type to token_use in introspection (152fd5d), closes #1762
  • Replace viper with koanf config management (8c12b27)

Documentation

  • Add config debug section (c53f036)

  • Add contributing to sidebar (#2209) (21f3b1f):

    Added Contributing Guidelines to the introduction menu point on the sidebar. I think it should be as obvious as possible. Another good solution would be to add them to the top bar?

    If this is merged, I will do the same changes for Kratos/Oathkeeper/Keto.

  • Add newsletter banner (5b63aa4)

  • Add quickstart video (#2220) (d4aa981)

  • Bcrypt reference config (#2161) (e7eece2), closes #2077

  • Deps are installed automagically and make deps was removed (#2157) (25e96e2), closes #2154

  • Fix omissions in consent flow description (#2194) (d9d719a)

  • Minor improvements to the concepts/consent page (#2168) (1128cfc)

  • Update links and fix typos (#2169) (409f2f4)

  • Update toc (#2158) (ee4a9ed), closes #2153

  • Use codefromremote for consent samples (51c0874)

Features

  • Add ability to override oidc discovery urls (bb8b982):

    Added config options webfinger.oidc_discovery.token_url, webfinger.oidc_discovery.auth_url, webfinger.oidc_discovery.jwks_url.

  • Add new request_object_signing_alg_values_supported to oidc discovery (4220959)

  • Add oidc conformity tests (651f424)

  • Add support for ElasticAPM tracing (#2155) (7792715)

  • Improve and clean up error handling (b727367)

  • Improve error responses for consent handler (44ab747)

  • Improve error stack trace wrapping (fdf142c)

  • Only set state-param if it was passed (#2183) (568434a):

    Using state in the logout flow is optional, so state can be empty. In order to avoid an ugly /post-logout-redirect-uri?state= URI, the state should only be appended if it is not empty.

  • Remove legacy error fields unless configured to do so (e2a7135)

  • Support OpenID Connect's response_mode=form_post (8ab9eff), closes #1621:

    This patch adds support for the response_mode parameter as defined in OAuth 2.0 Form Post Response Mode. Additionally, values fragment and query are supported as defined in OAuth 2.0 Multiple Response Type Encoding Practices.

  • Support pkger (07a360e)

Tests

  • Add timeout to wait (90dfaf5)
  • Completely refactor consent tests (defc063)
  • Fix jwt e2e tests (1b480d8)
  • Improve github action conformity tests (1015e49)
  • Improve TestClientCredentialsGrantAllScopes (19409b4)
  • Increase timeout for conformity (a65d289)
  • Oidc conformity tests should run as workflow dispatch (5b8fa0a)
  • Refactor client credential tests (b74cffa)
  • Refactor consent logout tests and add failing case (ef12c06)
  • Refactor oauth2 auth code tests (c376473)
  • Resolve conformity test suite concurrency issues (ef312c3)
  • Resolve e2e startup issues (5af4cef)
  • Resolve e2e test failures (03f5e8e)
  • Resolve failing rotation key tests (8e8b943)
  • Resolve flaky test issue (e17a074)
  • Resolve incorrect retry loop (ef141c2)
  • Retry conformity failures (409ae42)
  • Retry interrupted tests (c72367b)
  • Skip preloading in migration tests (14272f2)
  • Update config to pass validation (6931461)
  • Use 16 workers for conformance (9cf0e65)
  • Use correct test context (45bc907)
  • Use prebuilt images for conformity testing (4dd7a62)

Unclassified

BREAKING CHANGES

  • After battling with spf13/viper for several years we finally found a viable alternative with knadh/koanf. The complete internal configuration infrastructure has changed, with several highlights:

    1. Configuration sourcing works from all sources (file, env, cli flags) with validation against the configuration schema, greatly improving developer experience when changing or updating configuration.
    2. Configuration reloading has improved significantly and works flawlessly on Kubernetes.
    3. Performance increased dramatically, completely removing the need for a cache layer between the configuration system and ORY Hydra.
    4. It is now possible to load several config files using the --config flag.
    5. Configuration values are now sent to the tracer (e.g. Jaeger) if tracing is enabled.

    Please be aware that deprecated configuration flags have finally been removed with this change. It is also possible that ORY Hydra might complain about an invalid configuration, because the validation process has improved significantly.

  • This patch requires running SQL Migrations. Please be aware that a NOT NULL column is being dropped which could require a lot of time when the authentication_session table contains a lot of data.
  • This patch removes the error_hint and error_debug fields from OAuth2 responses. Their content is now merged into error_description, in accordance with the OAuth2 and OpenID Connect specifications. If you wish to keep the old behavior, set oauth2.include_legacy_error_fields to true in your ORY Hydra configuration.
  • Applying this patch requires running SQL migrations. The SQL migrations will remove a UNIQUE constraint and add a new INDEX to several tables, which should speed up certain operations. Please be aware that this might cause certain databases to lock, which could be problematic if many rows are affected.
  • This changes the OAuth2 Token Introspection response to ensure compliance with the OAuth2 Token Introspection specification. Previously, token_type would return access_token or refresh_token. The specification however mandates that token_type is always Bearer. This patch resolves that issue. The previous behaviour of token_type has now been moved to token_use which can be access_token or refresh_token.
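
The token_type to token_use change matters to any resource server that decides "is this an access token?" from the introspection response. The following is an added example, not ORY Hydra code: the type and function names are hypothetical and the JSON bodies are constructed samples. It accepts responses in both the old and the new shape and rejects anything it cannot classify.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Introspection holds the response fields needed for the check.
// "token_use" is the field introduced by the change described above;
// "active" and "token_type" are defined by RFC 7662.
type Introspection struct {
	Active    bool   `json:"active"`
	TokenType string `json:"token_type"`
	TokenUse  string `json:"token_use"`
}

var (
	ErrInactive   = errors.New("token is not active")
	ErrUnknownUse = errors.New("cannot tell access token from refresh token")
)

// TokenUse normalizes old and new responses to "access_token" or
// "refresh_token".
//   - New shape: token_use carries the value, token_type is "Bearer".
//   - Old shape: token_use is absent, token_type carries the value.
//
// A response that fits neither shape is an error, so a caller never treats
// an unclassified token as an access token.
func TokenUse(in Introspection) (string, error) {
	if !in.Active {
		return "", ErrInactive
	}
	switch in.TokenUse {
	case "access_token", "refresh_token":
		return in.TokenUse, nil
	case "":
		// Field missing: fall through to the legacy interpretation below.
	default:
		return "", ErrUnknownUse
	}
	switch in.TokenType {
	case "access_token", "refresh_token":
		return in.TokenType, nil
	}
	// For example token_type "Bearer" without token_use.
	return "", ErrUnknownUse
}

// AcceptAsAccessToken decodes a raw introspection response and returns nil
// only if the token is active and is an access token.
func AcceptAsAccessToken(raw []byte) error {
	var in Introspection
	if err := json.Unmarshal(raw, &in); err != nil {
		return fmt.Errorf("decode introspection response: %w", err)
	}
	use, err := TokenUse(in)
	if err != nil {
		return err
	}
	if use != "access_token" {
		return fmt.Errorf("token_use %q is not accepted at a resource endpoint", use)
	}
	return nil
}

func main() {
	// Constructed sample responses, not captured from a real server.
	samples := []struct{ name, body string }{
		{"old shape, access token", `{"active":true,"token_type":"access_token"}`},
		{"new shape, access token", `{"active":true,"token_type":"Bearer","token_use":"access_token"}`},
		{"new shape, refresh token", `{"active":true,"token_type":"Bearer","token_use":"refresh_token"}`},
		{"Bearer without token_use", `{"active":true,"token_type":"Bearer"}`},
		{"inactive token", `{"active":false}`},
	}
	for _, s := range samples {
		if err := AcceptAsAccessToken([]byte(s.body)); err != nil {
			fmt.Printf("%-26s rejected: %v\n", s.name, err)
			continue
		}
		fmt.Printf("%-26s accepted\n", s.name)
	}
}
```

A check written against the old behaviour (token_type equal to access_token) rejects every token after the upgrade, while a check that ignores the field entirely lets refresh tokens through; the normalization above avoids both.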

Changelog

  • d849bd50 autogen(docs): generate and format documentation
  • eb0baa20 autogen(docs): generate and format documentation
  • 2d54c1e7 autogen(docs): generate and format documentation
  • 14577a0c autogen(docs): generate and format documentation
  • 450d69b8 autogen(docs): generate and format documentation
  • af4b0115 autogen(docs): generate and format documentation
  • a84a34cc autogen(docs): generate and format documentation
  • a45b64d2 autogen(docs): generate and format documentation
  • f7bed354 autogen(docs): generate and format documentation
  • 876cd963 autogen(docs): generate and format documentation
  • 6529d512 autogen(docs): generate and format documentation
  • b569aca2 autogen(docs): generate and format documentation
  • 7390886d autogen(docs): generate and format documentation
  • 23d6a028 autogen(docs): generate and format documentation
  • 2be52835 autogen(docs): generate and format documentation
  • f267f722 autogen(docs): generate and format documentation
  • c56ff713 autogen(docs): generate and format documentation
  • a0db388b autogen(docs): generate and format documentation
  • ddee4eab autogen(docs): generate and format documentation
  • 97b16632 autogen(docs): generate cli docs
  • 05be6b81 autogen(docs): regenerate and update changelog
  • 7a4d972f autogen(docs): regenerate and update changelog
  • 45674ca3 autogen(docs): regenerate and update changelog
  • c4591ca9 autogen(docs): regenerate and update changelog
  • e46b9d0a autogen(docs): regenerate and update changelog
  • fd5729da autogen(docs): regenerate and update changelog
  • 81076b9d autogen(docs): regenerate and update changelog
  • 84230bf5 autogen(docs): update milestone document
  • 1d7e7a2a autogen(docs): update milestone document
  • 6da7cf42 autogen(docs): update milestone document
  • 95e41ca5 autogen(docs): update milestone document
  • 3f8ea204 autogen(docs): update milestone document
  • ec237ab7 autogen(docs): update milestone document
  • de0db909 autogen(docs): update milestone document
  • c345b419 autogen(docs): update milestone document
  • 7b5d6132 autogen(docs): update milestone document
  • 6d0861c3 autogen(docs): update milestone document
  • c2e6251e autogen(docs): update milestone document
  • de5d09a2 autogen(docs): update milestone document
  • 906ad87a autogen(docs): update milestone document
  • 94c937cf autogen(openapi): Regenerate swagger spec and internal client
  • 91e0396f autogen: add v1.9.0-alpha.2 to version.schema.json
  • 05809d25 autogen: pin v1.9.0-alpha.3 release commit
  • e602dcf8 autogen: pin v1.9.0-alpha.3.pre.0 release commit
  • b6f49cd0 autogen: pin v1.9.0-alpha.3.pre.1 release commit
  • 959aa93c autogen: pin v1.9.0-alpha.3.pre.2 release commit
  • eff69fb4 autogen: pin v1.9.0-alpha.3.pre.3 release commit
  • ec7d9877 autogen: pin v1.9.0-alpha.3.pre.4 release commit
  • e972bcbc chore: apply ory-prettier-styles to cypress tests (#2179)
  • ee1f3cbe chore: clean up code base
  • 3e6c8d23 chore: clean up test code
  • 428df22c chore: clean up viper mentions
  • 755b12d0 chore: format docs according to upgraded prettier styles
  • 2c883f6f chore: style and install
  • 2dd80fe8 chore: update docusaurus template
  • f5291a8b chore: update docusaurus template
  • ddfcd27a chore: update docusaurus template (#2162)
  • caa11170 chore: update docusaurus template (#2174)
  • 775c8c71 chore: update docusaurus template (#2177)
  • 88ddd906 chore: update docusaurus template (#2178)
  • 71ca67be chore: update docusaurus template (#2185)
  • 1169bd52 chore: update docusaurus template (#2186)
  • 9f037ac8 chore: update docusaurus template (#2189)
  • 99ca5158 chore: update docusaurus template (#2196)
  • 1fc4f433 chore: update docusaurus template (#2198)
  • 781201f5 chore: update docusaurus template (#2201)
  • e28d99bc chore: update docusaurus template (#2202)
  • 697f4f8b chore: update docusaurus template (#2203)
  • 7f073239 chore: update docusaurus template (#2205)
  • d37c1edc chore: update docusaurus template (#2210)
  • cebdd4a4 chore: update docusaurus template (#2212)
  • 2ecb2d8b chore: update docusaurus template (#2219)
  • 415a2792 chore: update docusaurus template (#2221)
  • dee7fe43 chore: update docusaurus template (#2223)
  • 6f4b26e4 chore: update docusaurus template (#2225)
  • 396ca19c chore: update package locks
  • 8b4628e2 chore: update repository templates (#2176)
  • 2dc526d9 chore: update repository templates (#2190)
  • ccfbf965 chore: update repository templates (#2197)
  • f6d02228 chore: update repository templates (#2199)
  • 76e31f15 ci: do not require validation
  • c9cc7d4a ci: improve docs release config
  • 3c696c4d ci: increase parallelism
  • 98d1a8cd ci: pin exact prettier version
  • c53f0364 docs: add config debug section
  • 21f3b1f1 docs: add contributing to sidebar (#2209)
  • 5b63aa4b docs: add newsletter banner
  • d4aa9814 docs: add quickstart video (#2220)
  • e7eece2d docs: bcrypt reference config (#2161)
  • 25e96e27 docs: deps are installed automagically and make deps was removed (#2157)
  • d9d719af docs: fix omissions in consent flow description (#2194)
  • 1128cfc5 docs: minor improvements to the concepts/consent page (#2168)
  • 409f2f4b docs: update links and fix typos (#2169)
  • ee4a9edf docs: update toc (#2158)
  • 51c0874c docs: use codefromremote for consent samples
  • 568434ac feat: Only set state-param if it was passed (#2183)
  • bb8b9824 feat: add ability to override oidc discovery urls
  • 4220959c feat: add new request_object_signing_alg_values_supported to oidc discovery
  • 651f4244 feat: add oidc conformity tests
  • 77927158 feat: add support for ElasticAPM tracing (#2155)
  • b7273676 feat: improve and clean up error handling
  • 44ab7472 feat: improve error responses for consent handler
  • fdf142cc feat: improve error stack trace wrapping
  • e2a7135f feat: remove legacy error fields unless configured to do so
  • 8ab9eff6 feat: support OpenID Connect's response_mode=form_post
  • 07a360e3 feat: support pkger
  • 3219c16d fix: add encrypt_at_rest option to config schema
  • d0697fab fix: add required aud, jti claims to userinfo response
  • 02a91370 fix: add standardized client registration errors
  • edc54c25 fix: allow all request object signing algs per default
  • 812a21cf fix: allow lower bcrypt values and add tests
  • b59bdf85 fix: document describe error (#2208)
  • e973ffe0 fix: ensure consistent auth_time in session handling
  • ae027064 fix: increase parallelism to 4
  • 206d1eee fix: mark false gosec positive
  • c708adad fix: nonce is not required for hybrid flows
  • 5ebd984f fix: quickstart yml
  • 4495f56f fix: remove session from store on logout
  • a583d78d fix: remove unrelated quickstart entry (#2214)
  • a8ca333b fix: request_id should not be unique
  • 95a1dfb2 fix: resolve broken quickstart
  • 1c1433ab fix: update deprecated config in quickstart
  • 8d076a5e fix: update invalid quickstart config
  • 18bfc96f fix: update package lock
  • 29763c8f fix: update schema to support new koanf
  • 8fc3e2e3 refactor: deprecate driver semantics
  • 3beddbda refactor: move oauth2 cors to own package
  • 152fd5d4 refactor: rename token_type to token_use in introspection
  • 8c12b27a refactor: replace viper with koanf config management
  • 9ccf762f style: format
  • 0a801dcb style: format
  • 251f9dc9 style: format cypress files
  • 5f08ff2a styles: format
  • 90dfaf56 test: add timeout to wait
  • defc063e test: completely refactor consent tests
  • 1b480d82 test: fix jwt e2e tests
  • 19409b4d test: improve TestClientCredentialsGrantAllScopes
  • 1015e49e test: improve github action conformity tests
  • a65d2892 test: increase timeout for conformity
  • 5b8fa0ae test: oidc conformity tests should run as workflow dispatch
  • b74cffa8 test: refactor client credential tests
  • ef12c068 test: refactor consent logout tests and add failing case
  • c376473c test: refactor oauth2 auth code tests
  • ef312c39 test: resolve conformity test suite concurrency issues
  • 5af4cef9 test: resolve e2e startup issues
  • 03f5e8e5 test: resolve e2e test failures
  • 8e8b943c test: resolve failing rotation key tests
  • e17a0747 test: resolve flaky test issue
  • ef141c28 test: resolve incorrect retry loop
  • 409ae424 test: retry conformity failures
  • c72367b0 test: retry interrupted tests
  • 14272f2a test: skip preloading in migration tests
  • 69314615 test: update config to pass validation
  • 9cf0e653 test: use 16 workers for conformance
  • 45bc9072 test: use correct test context
  • 4dd7a621 test: use prebuilt images for conformity testing

Docker images

  • docker pull oryd/hydra:v1-alpine
  • docker pull oryd/hydra:v1.9-alpine
  • docker pull oryd/hydra:v1.9.0-alpine
  • docker pull oryd/hydra:v1.9.0-alpha.3-alpine
  • docker pull oryd/hydra:latest-alpine
  • docker pull oryd/hydra:v1
  • docker pull oryd/hydra:v1.9
  • docker pull oryd/hydra:v1.9.0
  • docker pull oryd/hydra:v1.9.0-alpha.3
  • docker pull oryd/hydra:latest
  • docker pull oryd/hydra:v1-sqlite
  • docker pull oryd/hydra:v1.9-sqlite
  • docker pull oryd/hydra:v1.9.0-sqlite
  • docker pull oryd/hydra:v1.9.0-alpha.3-sqlite
  • docker pull oryd/hydra:latest-sqlite

v1.9.0-alpha.2

3 years ago

This release addresses an issue in the update routine of OAuth2 Clients (see kratos#2148) and adds an option which makes ORY Hydra compatible with MITREid.

1.9.0-alpha.2 (2020-10-29)

Bug Fixes

  • Add docs format to make format (cfa50fe)
  • Client update breaks primary key (#2150) (7662917), closes #2148
  • Explicitly use no-CGO images for non-SQLite (1ec2d1d)
  • Force brew install statement (0252b5a)
  • Update install script (c614c0b)

Documentation

Features

  • Add configuration option to grant default client_credential scope when no scope is requested (#2144) (0b1de34), closes #2141:

    Adds an option which allows granting the OAuth2 Client's authorized scope when performing a client_credentials flow without specifying a scope. This enables compatibility with MITREid.

Tests

Changelog

  • 0f0c5095 autogen(docs): generate and format documentation
  • 26ede918 autogen(docs): generate and format documentation
  • c1887396 autogen(docs): generate and format documentation
  • 92bc86c2 autogen(docs): regenerate and update changelog
  • f79ae296 autogen(docs): update milestone document
  • 7df5ea35 autogen(docs): update milestone document
  • 90d311b0 autogen(docs): update milestone document
  • c654010f autogen: add v1.9.0-alpha.1 to version.schema.json
  • 1a7fe913 autogen: pin v1.9.0-alpha.2 release commit
  • 702b0f5d chore: update docusaurus template
  • 12d4eb3d ci: fix replacer script
  • 97bc47d6 docs: add missing trailing slash
  • fa877d76 docs: replace dex with keycloak
  • 71b05923 docs: version bash-curl script
  • 0b1de34a feat: add configuration option to grant default client_credential scope when no scope is requested (#2144)
  • cfa50fe0 fix: add docs format to make format
  • 76629170 fix: client update breaks primary key (#2150)
  • 1ec2d1df fix: explicitly use no-CGO images for non-SQLite
  • 0252b5a2 fix: force brew install statement
  • c614c0b9 fix: update install script
  • 7289f308 style: format
  • 511e8d27 test: fix misused id field (#2152)

Docker images

  • docker pull oryd/hydra:v1
  • docker pull oryd/hydra:v1.9
  • docker pull oryd/hydra:v1.9.0
  • docker pull oryd/hydra:v1.9.0-alpha.2
  • docker pull oryd/hydra:latest
  • docker pull oryd/hydra:v1-alpine
  • docker pull oryd/hydra:v1.9-alpine
  • docker pull oryd/hydra:v1.9.0-alpine
  • docker pull oryd/hydra:v1.9.0-alpha.2-alpine
  • docker pull oryd/hydra:latest-alpine
  • docker pull oryd/hydra:v1-sqlite
  • docker pull oryd/hydra:v1.9-sqlite
  • docker pull oryd/hydra:v1.9.0-sqlite
  • docker pull oryd/hydra:v1.9.0-alpha.2-sqlite
  • docker pull oryd/hydra:latest-sqlite

v1.9.0-alpha.1

3 years ago

This release focuses on a complete refactor of the internal database abstraction layer (DBAL). We have been using gobuffalo/pop successfully in ORY Kratos and decided to move the ORY Hydra DBAL to gobuffalo/pop as well. As part of this refactoring, ORY Hydra now supports SQLite for both in-memory as well as on-disk databases, de-duplicating the codebase and allowing for quick and easy persistence in test environments.

This is an alpha release as we want to gather feedback from the community regarding performance and other potential issues before tagging the v1.9.0 version branch as stable.

1.9.0-alpha.1 (2020-10-20)

Bug Fixes

  • Add support for tracing to SQL (b3dda7c)
  • Address pop inconsistencies and update tests (8f3462f)
  • CGO build issues on Windows and Go 1.15+ (1c1fe19)
  • Do not require sqlite and CGO for other databases (8069205)
  • Do not run migrations in background (308edb9)
  • Explicitly set pwd in makefile (aeb1090)
  • Goreleaser add docker images (7a81908)
  • Improve cli flags and add -c config flag (bf3be84)
  • Improve schema typing for tracing (4cc25c3)
  • Improve tests and pop adapter (1354611)
  • Remove explicit cve allowlist (90caeda), closes #2117
  • Remove obsolete makefile targets (dc5d37f)
  • Remove unnecessary transactions (1df50ec)
  • Remove websocket direct dep (d525983), closes #2111
  • Run tests only once (4e1d0f6)
  • Set context in connection getter (644967a)
  • Update docker and quickstart examples (b01c246)
  • Update format to goimports (c4438b0)
  • Use context in transaction creator (db0ac86)
  • Use sqlite for standalone (e5b7147)

Code Refactoring

  • Move Dockerfiles to .docker directory (5508f2a)

  • Use gobuffalo/pop for SQL abstraction (#2059) (56bce67), closes #1730:

    This patch replaces the existing SQL and memory managers with a pop based persister. Existing SQL migrations are compatible as they have been migrated to the new SQL abstraction in version 1.7.x. As a goodie, ORY Hydra now supports SQLite for both in-memory as well as on-disk (useful for development and very small deployments) databases!

Documentation

Features

Tests

  • Fix confusing expected/got (#2135) (14b6db2):

    And fixed assert.EqualError params in right order in TestStrategyLoginConsent

  • Move tests to persistence (46d0571)

  • Remove unused expectSession variable (#2134) (eda8532)

  • Write migrate logs to file (9a1fbd8)

Changelog

  • f3056f6c autogen(docs): generate and format documentation
  • afde5c63 autogen(docs): generate and format documentation
  • 6f517027 autogen(docs): generate and format documentation
  • c326ae8b autogen(docs): generate and format documentation
  • f5441d6d autogen(docs): generate and format documentation
  • 8f87c1f1 autogen(docs): generate and format documentation
  • 243adeba autogen(docs): generate and format documentation
  • d56bfb19 autogen(docs): generate and format documentation
  • 8ff756c6 autogen(docs): generate and format documentation
  • 849ead0c autogen(docs): generate and format documentation
  • 049c4157 autogen(docs): generate and format documentation
  • d560807b autogen(docs): generate cli docs
  • 4734c883 autogen(docs): generate cli docs
  • ec71cd9a autogen(docs): generate cli docs
  • 1dee4e35 autogen(docs): generate cli docs
  • 878bd97e autogen(docs): generate cli docs
  • a8c33bc2 autogen(docs): regenerate and update changelog
  • 3e011f63 autogen(docs): regenerate and update changelog
  • 7b604726 autogen(docs): regenerate and update changelog
  • bb041f2c autogen(docs): update milestone document
  • 1d45dec9 autogen(docs): update milestone document
  • e3f71d3f autogen(docs): update milestone document
  • 434a3b1b autogen(docs): update milestone document
  • 0ee3c10c autogen(openapi): Regenerate swagger spec and internal client
  • 0eba003c autogen: add v1.8.5 to version.schema.json
  • 0382fea6 autogen: add v1.9.0-alpha.0.pre.2 to version.schema.json
  • dc19f4a5 autogen: pin v1.9.0-alpha.0.pre.2 release commit
  • a270e4ca autogen: pin v1.9.0-alpha.1 release commit
  • edb221c6 autogen: pin v1.9.0-pre.0 release commit
  • 4fbf3575 autogen: pin v1.9.0-pre.1 release commit
  • 4062f77b chore(deps): bump cci orbs (#2132)
  • 3e259c43 chore(docs): format
  • 3f8f2d7d chore(docs): remove unneeded files (#2121)
  • 1a23377b chore: add schema to gitignore
  • 2fad6048 chore: bump datadog dependency
  • 75cc527f chore: bump gobuffalo/pop
  • eeb45763 chore: bump gobuffalo/pop
  • 8ee09966 chore: bump gobuffalo/pop and integrate new tracing fixes
  • f83f662e chore: update Docker Images to golang 1.15.2, alpine 3.12 (#2127)
  • cf358c55 chore: update docusaurus template (#2104)
  • 4e248246 chore: update docusaurus template (#2137)
  • 92a207b7 chore: update repository templates
  • 70c79980 ci: add docs format checking (#2099)
  • 02edf377 ci: force changelog generation
  • fda87cf3 ci: remove mysql parameters which are set automatically
  • 51d93902 ci: revert multiStatements removal
  • 7ed88703 docs: add hypnoglow terraform provider
  • 487e7335 docs: correct port (#2101)
  • 7aca301a docs: correct port (#2102)
  • 71a4495d docs: fix typo
  • 443a2257 docs: remove obsolete doc section
  • 4540ece1 docs: swagger route headline capitalization These should be the last places, therefore closes #2015
  • 3cd22c4d docs: update code listings and image tags
  • bfed7f22 docs: update sql instructions
  • 6d63a730 docs: updates kubernetes helm chart url
  • 8e64202f feat: implement docker for quickstart
  • 2f198370 feat: re-enable freebsd
  • e946487a feat: support sqlite in goreleaser
  • 1c1fe192 fix: CGO build issues on Windows and Go 1.15+
  • b3dda7c8 fix: add support for tracing to SQL
  • 8f3462ff fix: address pop inconsistencies and update tests
  • 80692052 fix: do not require sqlite and CGO for other databases
  • 308edb99 fix: do not run migrations in background
  • aeb10903 fix: explicitly set pwd in makefile
  • 7a81908a fix: goreleaser add docker images
  • bf3be849 fix: improve cli flags and add -c config flag
  • 4cc25c34 fix: improve schema typing for tracing
  • 13546110 fix: improve tests and pop adapter
  • 90caedae fix: remove explicit cve allowlist
  • dc5d37ff fix: remove obsolete makefile targets
  • 1df50ec0 fix: remove unnecessary transactions
  • d525983c fix: remove websocket direct dep
  • 4e1d0f6f fix: run tests only once
  • 644967a8 fix: set context in connection getter
  • b01c2467 fix: update docker and quickstart examples
  • c4438b0e fix: update format to goimports
  • db0ac861 fix: use context in transaction creator
  • e5b7147a fix: use sqlite for standalone
  • 5508f2ab refactor: move Dockerfiles to .docker directory
  • 56bce678 refactor: use gobuffalo/pop for SQL abstraction (#2059)
  • 6b2ad6b7 style: format and cleanup
  • 5257f73d style: update tracing docker-compose definition
  • 14b6db20 test: fix confusing expected/got (#2135)
  • 46d0571e test: move tests to persistence
  • eda8532e test: remove unused expectSession variable (#2134)
  • 9a1fbd80 test: write migrate logs to file

Docker images

  • docker pull oryd/hydra:v1
  • docker pull oryd/hydra:v1.9
  • docker pull oryd/hydra:v1.9.0
  • docker pull oryd/hydra:v1.9.0-alpha.1
  • docker pull oryd/hydra:latest
  • docker pull oryd/hydra:v1-alpine
  • docker pull oryd/hydra:v1.9-alpine
  • docker pull oryd/hydra:v1.9.0-alpine
  • docker pull oryd/hydra:v1.9.0-alpha.1-alpine
  • docker pull oryd/hydra:latest-alpine
  • docker pull oryd/hydra:v1-sqlite
  • docker pull oryd/hydra:v1.9-sqlite
  • docker pull oryd/hydra:v1.9.0-sqlite
  • docker pull oryd/hydra:v1.9.0-alpha.1-sqlite
  • docker pull oryd/hydra:latest-sqlite

v1.8.5

3 years ago

This is a security-focused release with fixes for CVE-2020-15234, CVE-2020-15223, CVE-2020-15233. Additionally, several system dependencies (e.g. Golang) have been upgraded.

A few things have changed as part of these patches:

  • OAuth 2.0 Redirection URL error parameters error_hint and error_debug have been deprecated and are now part of error_description. The parameters are still included for compatibility reasons but will be removed in a future release.
  • OAuth 2.0 Error revocation_client_mismatch was not standardized and has been removed. Instead, you will now receive unauthorized_client with a description explaining why the flow failed.

Additionally, the TypeScript SDK generator has changed from OpenAPI's typescript-node to typescript-axios making the SDK compatible with both browser as well as node environments, which was not the case previously. Please be aware that some of the SDK's API signatures - especially responses - have changed and check your TypeScript output for instructions on upgrading. You may still use an older version of the SDK as none of ORY Hydra's HTTP APIs have changed.

Due to several complex CI issues and regressions, build versions v1.8.0 - v1.8.4 failed. v1.8.5 is the first and only stable release in the current 1.8.x branch.

Docker images

  • docker pull oryd/hydra:v1
  • docker pull oryd/hydra:v1.8
  • docker pull oryd/hydra:v1.8.5
  • docker pull oryd/hydra:latest
  • docker pull oryd/hydra:v1-alpine
  • docker pull oryd/hydra:v1.8-alpine
  • docker pull oryd/hydra:v1.8.5-alpine
  • docker pull oryd/hydra:latest-alpine

v1.8.0-pre.1

3 years ago

autogen: pin v1.8.0-pre.1 release commit

1.8.0-pre.1 (2020-10-03)

Bug Fixes

  • Resolve gosec issues and false positives (0832138)

Features

  • Bump golangci-lint and add lint job (5ea6fb6)

Changelog

  • fe8fdc5f autogen(docs): generate and format documentation
  • ed6360b0 autogen(docs): generate cli docs
  • 0c9ef69d autogen(docs): update milestone document
  • 861fdb7d autogen: pin v1.8.0-pre.1 release commit
  • bb39d287 chore: bump ory/cli
  • 89abc15e chore: bump ory/x
  • 3e60cbfd ci: bump circleci orbs
  • 24062c12 ci: remove freebsd build due to DataDog build error
  • 5ea6fb65 feat: bump golangci-lint and add lint job
  • 08321381 fix: resolve gosec issues and false positives
  • 5b651002 style: make format

Docker images

  • docker pull oryd/hydra:v1
  • docker pull oryd/hydra:v1.8
  • docker pull oryd/hydra:v1.8.0
  • docker pull oryd/hydra:v1.8.0-pre.1
  • docker pull oryd/hydra:latest
  • docker pull oryd/hydra:v1-alpine
  • docker pull oryd/hydra:v1.8-alpine
  • docker pull oryd/hydra:v1.8.0-alpine
  • docker pull oryd/hydra:v1.8.0-pre.1-alpine
  • docker pull oryd/hydra:latest-alpine

v1.7.4

3 years ago

This release resolves several minor bugs and one slow query. Please be aware that applying this version requires running SQL migrations.

1.7.4 (2020-08-31)

Bug Fixes

  • Update e2e docker image (2ce0f14)

Changelog

  • 7e2b6cb9 autogen(docs): generate and format documentation
  • 28b31a7c autogen(docs): regenerate and update changelog
  • ff980e6d autogen: pin v1.7.4 release commit
  • 2ce0f14f fix: update e2e docker image

Docker images

  • docker pull oryd/hydra:v1
  • docker pull oryd/hydra:v1.7
  • docker pull oryd/hydra:v1.7.4
  • docker pull oryd/hydra:latest
  • docker pull oryd/hydra:v1-alpine
  • docker pull oryd/hydra:v1.7-alpine
  • docker pull oryd/hydra:v1.7.4-alpine
  • docker pull oryd/hydra:latest-alpine