OpenID Certified™ OpenID Connect and OAuth Provider written in Go - cloud native, security-first, open source API security for your infrastructure. SDKs for any language. Works with Hardware Security Modules. Compatible with MITREid.
APACHE-2.0 License
Ory Hydra, the OAuth2 and OpenID Connect server designed for web-scale deployments introduces over 6x higher OAuth2 throughput on a single PostgreSQL instance!
Want to check out Ory Hydra yourself? Try common OAuth2 flows in the Ory OAuth2 Get Started guide!
This version significantly enhances performance, processing over 6x more authorization flows than version 2.1, thanks to architectural improvements that minimize database interactions for login and consent processes.
Key improvements include:
Thank all contributors who have made this release available!
Return empty slice if requested_scope or audience is null (#3711) (65165e7)
Correct id token type in token exchange response (#3625) (d1f9ba8):
Handle subject mismatch gracefully (#3619) (af0d477):
We now redirect to the original request URL if the subjects between
the remembered Hydra session and what was confirmed by the login
screen do not match.
Handle token hook auth config (#3677) (1a40833):
Incorrect down migration (#3708) (8812e0e), closes /github.com/ory/hydra/pull/3705#discussion_r1471514014
Timeout in jwt-bearer grants when too many grants are available (#3692) (a748797)
Deflake ttl test (6741a49)
Only query access tokens by hashed signature (a21e945)
Reject invalid JWKS in client configuration / dependency cleanup and bump (#3603) (1d73d83)
Restore ability to override auth and token urls for exemplary app (#3590) (dfb129a)
Return proper error when the grant request cannot be parsed (#3558) (26f2d34)
Add prompt=registration (#3636) (19857d2):
Ory Hydra now supports a registration value for the prompt parameter of the authorization request. When specifying prompt=registration, Ory Hydra will redirect the user to the URL found under urls.registration (instead of urls.login).
Add skip_logout_consent option to clients (#3705) (2a653e6):
Adds a special field which disables the logout consent screen when performing OIDC logout.
Re-enable legacy client IDs (#3628) (5dd7d30):
This patch changes the primary key of the hydra_client table. We do not expect issues, as that table is probably not overly huge in any deployment. We do however highly recommend to test the migration performance on a staging environment with a similar database setup.
Remove flow cookie (#3639) (cde3a30):
This patch removes the flow cookie. All information is already tracked in the request query parameters as part of the {login|consent}_{challenge|verifier}.
Remove login session cookie during consent flow (#3667) (5f41949)
Add more resolution to events and collect client metrics (#3568) (466e66b)
Add state override (b8b9154)
Add support for OIDC VC (#3575) (219a7c0):
This adds initial support for issuing verifiable credentials
as specified in https://openid.net/specs/openid-connect-userinfo-vc-1_0.html.
Because the spec is still in draft, public identifiers are
suffixed with draft_00.
Allow to disable claim mirroring (#3563) (c72a316):
This PR introduces another config option called oauth2:mirror_top_level_claims
which may be used to disable the mirroring of custom claims into the ext
claim of the jwt.
This new config option is an opt-in. If unused the behavior remains as-is to ensure backwards compatibility.
Example:
oauth2:
  allowed_top_level_claims:
    - test_claim
  mirror_top_level_claims: false # -> this will prevent test_claim to be mirrored within ext
Bump fosite and add some more tracing (0b56f53)
cmd: Add route that redirects to the auth code url (4db6416)
Propagate logout to identity provider (#3596) (c004fee):
This commit improves the integration between Hydra and Kratos when logging
out the user.
This adds a new configuration key for configuring a Kratos admin URL.
Additionally, Kratos can send a session ID when accepting a login request.
If a session ID was specified and a Kratos admin URL was configured,
Hydra will disable the corresponding Kratos session through the admin API
if a frontchannel or backchannel logout was triggered.
Support different jwt scope claim strategies (#3531) (45da11e)
Artifacts can be verified with cosign using this public key.
Published by ory-bot about 1 year ago
Introduces logout compatibility with Ory Kratos.
Add more resolution to events and collect client metrics (#3568) (466e66b)
Add state override (b8b9154)
Add support for OIDC VC (#3575) (219a7c0):
This adds initial support for issuing verifiable credentials
as specified in https://openid.net/specs/openid-connect-userinfo-vc-1_0.html.
Because the spec is still in draft, public identifiers are
suffixed with draft_00.
Allow to disable claim mirroring (#3563) (c72a316):
This PR introduces another config option called oauth2:mirror_top_level_claims
which may be used to disable the mirroring of custom claims into the ext
claim of the jwt.
This new config option is an opt-in. If unused the behavior remains as-is to ensure backwards compatibility.
Example:
oauth2:
  allowed_top_level_claims:
    - test_claim
  mirror_top_level_claims: false # -> this will prevent test_claim to be mirrored within ext
Bump fosite and add some more tracing (0b56f53)
cmd: Add route that redirects to the auth code url (4db6416)
Propagate logout to identity provider (#3596) (c004fee):
This commit improves the integration between Hydra and Kratos when logging
out the user.
This adds a new configuration key for configuring a Kratos admin URL.
Additionally, Kratos can send a session ID when accepting a login request.
If a session ID was specified and a Kratos admin URL was configured,
Hydra will disable the corresponding Kratos session through the admin API
if a frontchannel or backchannel logout was triggered.
Support different jwt scope claim strategies (#3531) (45da11e)
hydra migrate status subcommand (#3579)
Published by ory-bot over 1 year ago
Test release
Published by ory-bot over 1 year ago
This release optimizes the performance of authorization code grant flows by minimizing the number of database queries. We achieve this by storing the flow in an AEAD-encoded cookie and AEAD-encoded request parameters for the authentication and consent screens.
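An added illustration of an AEAD-encoded request parameter as described above; it is not Ory Hydra's code. It assumes AES-256-GCM from the Go standard library as the AEAD (the page does not name the cipher), and the Flow fields, function names and purpose labels are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Flow is a hypothetical subset of the state a login/consent flow carries.
type Flow struct {
	ID             string   `json:"id"`
	Subject        string   `json:"sub"`
	RequestedScope []string `json:"scope"`
	ExpiresAt      int64    `json:"exp"` // Unix seconds
}

// NewFlowAEAD builds AES-256-GCM from a 32-byte secret (assumed cipher choice).
func NewFlowAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncodeFlow seals the flow into a URL-safe string. The purpose label is
// authenticated as additional data, so a value minted as a login challenge
// is rejected when presented as a consent verifier.
func EncodeFlow(aead cipher.AEAD, f Flow, purpose string) (string, error) {
	plaintext, err := json.Marshal(f)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Output layout: nonce || ciphertext || tag.
	sealed := aead.Seal(nonce, nonce, plaintext, []byte(purpose))
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// DecodeFlow authenticates, decrypts and expiry-checks a value produced by
// EncodeFlow. Any modification of the value or a different purpose label
// makes Open fail, so no database lookup is needed to detect tampering.
func DecodeFlow(aead cipher.AEAD, encoded, purpose string, now time.Time) (Flow, error) {
	raw, err := base64.RawURLEncoding.DecodeString(encoded)
	if err != nil {
		return Flow{}, fmt.Errorf("decode: %w", err)
	}
	if len(raw) < aead.NonceSize()+aead.Overhead() {
		return Flow{}, errors.New("value too short")
	}
	nonce, ciphertext := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, ciphertext, []byte(purpose))
	if err != nil {
		return Flow{}, errors.New("authentication failed")
	}
	var f Flow
	if err := json.Unmarshal(plaintext, &f); err != nil {
		return Flow{}, err
	}
	if now.Unix() >= f.ExpiresAt {
		return Flow{}, errors.New("flow expired")
	}
	return f, nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	aead, err := NewFlowAEAD(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample flow.
	flow := Flow{ID: "flow-1", Subject: "alice", RequestedScope: []string{"openid"},
		ExpiresAt: time.Now().Add(10 * time.Minute).Unix()}
	challenge, err := EncodeFlow(aead, flow, "login_challenge")
	if err != nil {
		panic(err)
	}
	_, err = DecodeFlow(aead, challenge, "consent_verifier", time.Now())
	fmt.Println("replayed under another purpose:", err)
}
```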
BREAKING CHANGE:
Published by ory-bot over 1 year ago
We are excited to announce the next Ory Hydra release! This release includes the following important changes:
We appreciate your continuous support and feedback. Please feel free to reach out to us with any further suggestions or issues.
Add index on requested_at for refresh tokens and use it in janitor (#3516) (5b8e712)
Do not use prepared SQL statements and bump deps (#3506) (31b9e66)
sql: Incorrect JWK query (#3499) (13ce0d6):
persister_grant_jwk had an OR statement without bracket leading to not using the last part of the query.
Published by ory-bot over 1 year ago
We are excited to share this year's Q1 release of Ory Hydra: v2.1!
Highlights:
Don't want to run the upgrade yourself? Switch to Ory Network!
Published by ory-bot over 1 year ago
We are excited to share this year's Q1 release of Ory Hydra: v2.1.0!
Highlights:
Don't want to run the upgrade yourself? Switch to Ory Network!
Published by ory-bot over 1 year ago
autogen: pin v2.1.0-pre.2 release commit
Published by ory-bot over 1 year ago
autogen: pin v2.1.0-pre.1 release commit
Published by ory-bot almost 2 years ago
Bugfixes for migration and pagination regressions and a new endpoint.
Add client_id and client_secret to revokeOAuth2Token (#3373) (93bac07)
Docker build (48217bd)
Invalidate tokens with inconsistent state (#3385) (542ea77), closes #3346:
This patch includes SQL migrations targeting environments which have not yet migrated to Ory Hydra 2.0. It removes inconsistent records which resolves issues during the migrations process. Please be aware that some users might be affected by this change. They might need to re-authorize certain apps. However, most active records should not be affected by this.
Installations already on Ory Hydra 2.0 will not be affected by this change.
No longer auto-generate system secret (c5fe043):
This patch changes Ory Hydra's behavior to no longer auto-generate a temporary secret when no global secret was set. The APIs now return an error instead.
Prevent multiple redirections to post logout url (#3366) (50666b9), closes #3342
client_id and client_secret to revokeOAuth2Token (#3373)
public from schema (#3374)
Published by ory-bot almost 2 years ago
This release resolves bugs and SDK publishing issues.
Correct migration file name (01f80a8)
Incorrect consent removal on authentication revocation (ccf2388):
This patch resolves a regression where, in a certain condition, an accepted consent could be incorrectly deleted when the related authentication session was removed.
Isolate transactions for crdb (f22046f)
Scope type should be string instead of int (#3337) (f59f1c6):
Published by ory-bot almost 2 years ago
Resolves an issue with post-release steps and adds the introspect command to the Ory Hydra CLI.
Published by ory-bot almost 2 years ago
Ory Hydra 2.0 is available now! It ships major internal data restructuring and adds support for additional OAuth2 flows such as OAuth2 Token Exchange. Ory Hydra now natively integrates with Ory Kratos, an open source Identity Server.
Install the Ory CLI for the best developer experience to try out Ory Hydra 2.0 right away!
bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory
sudo mv ./ory /usr/local/bin/
brew install ory/tap/cli
create a new project (you may also use Docker)
ory create project --name "Ory Hydra 2.0 Example"
project_id="{set to the id from output}"
and follow the quick & easy steps below.
Create an OAuth 2.0 Client, and run the OAuth 2.0 Client Credentials flow:
ory create oauth2-client --project $project_id \
--name "Client Credentials Demo" \
--grant-type client_credentials
client_id="{set to client id from output}"
client_secret="{set to client secret from output}"
ory perform client-credentials --client-id=$client_id --client-secret=$client_secret --project $project_id
access_token="{set to access token from output}"
ory introspect token $access_token --project $project_id
Try out the OAuth 2.0 Authorize Code grant right away!
By accepting permissions openid and offline_access at the consent screen, Ory refreshes and OpenID Connect ID token,
ory create oauth2-client --project $project_id \
--name "Authorize Code with OpenID Connect Demo" \
--grant-type authorization_code \
--response-type code \
--redirect-uri http://127.0.0.1:4446/callback
code_client_id="{set to client id from output}"
code_client_secret="{set to client secret from output}"
ory perform authorization-code \
--project $project_id \
--client-id $code_client_id \
--client-secret $code_client_secret
code_access_token="{set to access token from output}"
ory introspect token $code_access_token --project $project_id
Find a list of detailed changes below!
Run the SQL migrations using:
hydra migrate sql $DSN
Ory Hydra 1.x is a crucial service at Ory. Version 2.0 streamlines the APIs and SDKs to follow Ory API’s semantics and specification.
To better support TB-scale environments, the OAuth2 Client HTTP API's query parameters for pagination have changed from limit and offset to page_token and page_size. The page_token is an opaque string contained in the HTTP Link Header, which expresses the next, previous, first, and last page.
Administrative endpoints now have an /admin prefix (e.g. POST /admin/keys instead of POST /keys). Existing administrative endpoints will redirect to this new prefixed path for backward compatibility.
HTTP endpoint /oauth2/flush, used to flush inactive access tokens was deprecated and has been removed. Please use hydra janitor instead.
To conform with the Ory V1 SDK, several SDK methods and payloads were renamed. Please check the CHANGELOG for a complete list of changes.
The iss (issuer) value no longer appends a trailing slash but instead uses the raw value set in the config.
Setting
urls:
  self:
    issuer: https://auth.example.com
has changed
- "iss": "https://auth.example.com/"
+ "iss": "https://auth.example.com"
To set a trailing slash make sure to set it in the config value:
urls:
  self:
    issuer: https://auth.example.com/
Flags --dangerous-allow-insecure-redirect-url and --dangerous-force-http have been removed. Use the --dev flag instead to denote a development environment with reduced security restrictions.
We now recommend using the Ory CLI to manage OAuth2 resources. As part of this restructuring, some of the commands were renamed. Here are some examples:
- hydra client create
+ ory create oauth2-client
- hydra clients list
+ ory list oauth2-clients
Additionally, array arguments now use the singular form:
hydra create client \
- --redirect-uris foo --redirect-uris bar \
+ --redirect-uri foo --redirect-uri bar \
- --grant-types foo --grant-types bar \
+ --grant-type foo --grant-type bar \
- --response-types foo --response-types bar \
+ --response-type foo --response-type bar \
- --allowed-cors-origins foo --allowed-cors-origins bar \
+ --allowed-cors-origin foo --allowed-cors-origin bar \
- --post-logout-callbacks foo --post-logout-callbacks bar \
+ --post-logout-callback foo --post-logout-callback bar
To manage resources in a do-it-yourself installation, continue using the hydra CLI.
Please check the CHANGELOG for a complete list of changes.
Ory Hydra 2.0 ships with support for OpenTelemetry. The previous telemetry solution using OpenTracing format is deprecated with this release.
SDK naming has changed for the following operations:
ory.
- V0alpha2Api.AdminDeleteOAuth2Token(context.Background()).
+ OAuth2Api.DeleteOAuth2Token(context.Background()).
ClientId("foobar").Execute()
ory.
- V0alpha2Api.RevokeOAuth2Token(
+ OAuth2Api.RevokeOAuth2Token(
context.WithValue(context.Background(), sdk.ContextBasicAuth, sdk.BasicAuth{
UserName: clientID,
Password: clientSecret,
})).Token(token).Execute()
ory.
- V0alpha2Api.AdminIntrospectOAuth2Token(context.Background()).
+ OAuth2Api.IntrospectOAuth2Token(context.Background()).
Token(token).
Scope("foo bar")).Execute()
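Review bot: in the IntrospectOAuth2Token entry, the unchanged line Scope("foo bar")).Execute() closes one more parenthesis than the call chain opens, so the snippet does not compile as shown. It should read Scope("foo bar").Execute().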
SDK naming has changed for the following operations:
ory.
- V0alpha2Api.DiscoverJsonWebKeys(context.Background()).
+ WellknownApi.DiscoverJsonWebKeys(context.Background()).
Execute()
ory.
- V0alpha2Api.AdminGetJsonWebKeySet(context.Background(), setID).
+ JwkApi.GetJsonWebKeySet(context.Background(), setID).
Execute()
ory.
- V0alpha2Api.AdminGetJsonWebKey(context.Background(), setID, keyID).
+ JwkApi.GetJsonWebKey(context.Background(), setID, keyID).
Execute()
ory.
- V0alpha2Api.AdminCreateJsonWebKeySet(context.Background(), setID).
- AdminCreateJsonWebKeySetBody(hydra.AdminCreateJsonWebKeySetBody{
- Alg: "RS256",
- Use: "sig",
+ JwkApi.CreateJsonWebKeySet(context.Background(), setID).
+ CreateJsonWebKeySet(hydra.CreateJsonWebKeySet{
+ Alg: "RS256",
+ Use: "sig",
}).Execute()
ory.
- V0alpha2Api.AdminUpdateJsonWebKey(context.Background(), setID, keyID).
+ JwkApi.SetJsonWebKey(context.Background(), setID, keyID).
JsonWebKey(jsonWebKey).Execute()
ory.
- V0alpha2Api.AdminUpdateJsonWebKeySet(context.Background(), setID).
+ JwkApi.SetJsonWebKeySet(context.Background(), setID).
JsonWebKeySet(jsonWebKeySet).Execute()
ory.
- V0alpha2Api.AdminDeleteJsonWebKey(context.Background(), setID, keyID).
JwkApi.DeleteJsonWebKey(context.Background(), setID, keyID).
Execute()
ory.
- V0alpha2Api.AdminDeleteJsonWebKeySet(context.Background(), setID).
JwkApi.DeleteJsonWebKeySet(context.Background(), setID).
Execute()
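Review bot: the replacement lines in the last two entries, JwkApi.DeleteJsonWebKey(...) and JwkApi.DeleteJsonWebKeySet(...), have no leading +, so they read as unchanged context under a removed line. Mark both as added so they match the other entries in this block.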
SDK naming has changed for the following operations:
ory.
- V0alpha2Api.AdminRevokeOAuth2ConsentSessions(cmd.Context()).
+ OAuth2Api.RevokeOAuth2ConsentSessions(context.Background()).
Client(clientId).Execute()
ory.
- V0alpha2Api.AdminListOAuth2SubjectConsentSessions(cmd.Context(), id).
+ OAuth2Api.RevokeOAuth2ConsentSessions(context.Background()).
Client(clientId).Execute()
ory.
- V0alpha2Api.AdminListOAuth2SubjectConsentSessions(context.Background()).
+ OAuth2Api.ListOAuth2ConsentSessions(context.Background()).
Subject(subjectId).Execute()
ory.
- V0alpha2Api.AdminRevokeOAuth2LoginSessions(context.Background()).
+ OAuth2Api.RevokeOAuth2LoginSessions(context.Background()).
Subject(subjectId).Execute()
ory.
- V0alpha2Api.AdminGetOAuth2LoginRequest(context.Background()).
+ OAuth2Api.GetOAuth2LoginRequest(context.Background()).
LoginChallenge(challenge).Execute()
ory.
- V0alpha2Api.AdminAcceptOAuth2LoginRequest(context.Background()).
+ OAuth2Api.AcceptOAuth2LoginRequest(context.Background()).
AcceptOAuth2LoginRequest(body).
LoginChallenge(challenge).Execute()
ory.
- V0alpha2Api.AdminRejectOAuth2LoginRequest(context.Background()).
+ OAuth2Api.RejectOAuth2LoginRequest(context.Background()).
RejectOAuth2Request(body).
LoginChallenge(challenge).Execute()
ory.
- V0alpha2Api.AdminGetOAuth2ConsentRequest(context.Background()).
+ OAuth2Api.GetOAuth2ConsentRequest(context.Background()).
ConsentChallenge(challenge).Execute()
ory.
- V0alpha2Api.AdminAcceptOAuth2ConsentRequest(context.Background()).
+ OAuth2Api.AcceptOAuth2ConsentRequest(context.Background()).
AcceptOAuth2ConsentRequest(body).
ConsentChallenge(challenge).Execute()
ory.
- V0alpha2Api.AdminRejectOAuth2ConsentRequest(context.Background()).
+ OAuth2Api.RejectOAuth2ConsentRequest(context.Background()).
RejectOAuth2Request().
ConsentChallenge(challenge).Execute()
ory.
- V0alpha2Api.AdminAcceptOAuth2LogoutRequest(context.Background()).
+ OAuth2Api.AcceptOAuth2LogoutRequest(context.Background()).
LogoutChallenge(challenge).
Execute()
ory.
- V0alpha2Api.AdminRejectOAuth2LogoutRequest(context.Background()).
+ OAuth2Api.RejectOAuth2LogoutRequest(context.Background()).
LogoutChallenge(challenge).
Execute()
ory.
V0alpha2Api.AdminGetOAuth2LogoutRequest(context.Background()).
+ OAuth2Api.GetOAuth2LogoutRequest(context.Background()).
LogoutChallenge(challenge).
Execute()
- var AlreadyHandledError HandledOAuth2LoginRequest
+ var AlreadyHandledError ErrorOAuth2LoginRequestAlreadyHandled
- var AlreadyHandledError HandledOAuth2LoginRequest
+ var AlreadyHandledError ErrorOAuth2ConsentRequestAlreadyHandled
- var OAuth2SuccessResponse SuccessfulOAuth2RequestResponse
+ var OAuth2SuccessResponse OAuth2RedirectTo
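Review bot: the second entry pairs the removed AdminListOAuth2SubjectConsentSessions(cmd.Context(), id) with RevokeOAuth2ConsentSessions, repeating the first entry's replacement, while the third entry already maps the list call to ListOAuth2ConsentSessions; one of the two looks like a copy-paste slip and should be checked against the SDK. The GetOAuth2LogoutRequest entry also shows its old V0alpha2Api.AdminGetOAuth2LogoutRequest line without a leading -, and both AlreadyHandledError renames start from HandledOAuth2LoginRequest although the second targets the consent error type.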
Error models in the generated SDK have been renamed:
- oAuth2ApiError
+ errorOAuth2
The SDK API for the following has changed:
// Go example
ory.
- V0alpha2Api.AdminUpdateOAuth2Client(cmd.Context(), id)
+ Oauth2Api.SetOAuth2Client(cmd.Context(), id).
OAuth2Client(client).Execute()
ory.
- V0alpha2Api.AdminGetOAuth2Client(cmd.Context(), id).
+ Oauth2Api.GetOAuth2Client(cmd.Context(), id).
Execute()
ory.
- V0alpha2Api.AdminDeleteOAuth2Client(cmd.Context(), id).
+ Oauth2Api.DeleteOAuth2Client(cmd.Context(), id).
Execute()
ory.
- V0alpha2Api.AdminCreateOAuth2Client(cmd.Context()).
+ Oauth2Api.CreateOAuth2Client(cmd.Context()).
OAuth2Client(client).Execute()
ory.
- V0alpha2Api.DynamicClientRegistrationGetOAuth2Client(cmd.Context(), id).
+ OidcApi.GetOidcDynamicClient(cmd.Context(), id).
Execute()
ory.
- V0alpha2Api.DynamicClientRegistrationGetOAuth2Client(cmd.Context()).
+ OidcApi.CreateOidcDynamicClient(cmd.Context()).
OAuth2Client(client).Execute()
ory.
- V0alpha2Api.DynamicClientRegistrationDeleteOAuth2Client(cmd.Context()).
+ OidcApi.DeleteOidcDynamicClient(cmd.Context()).
OAuth2Client(client).Execute()
ory.
- V0alpha2Api.DynamicClientRegistrationUpdateOAuth2Client(cmd.Context(), id).
+ OidcApi.SetOidcDynamicClient(cmd.Context(), id).
Execute()
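Review bot: the client entries spell the service Oauth2Api, while the token and consent entries on this page use OAuth2Api; confirm which casing the generated Go SDK exports and use it consistently. DynamicClientRegistrationGetOAuth2Client also appears twice as the removed name, once as the predecessor of CreateOidcDynamicClient, and the Delete entry chains OAuth2Client(client) while the Update entry does not, which looks swapped.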
We removed compatibility with unsupported database versions (e.g. MySQL 5.6). Ory Hydra v2.x is now compatible with MySQL 8.0.13+, PostgreSQL 11.8+, CockroachDB v22.1.2+.
Configuration keys have changed:
serve: {
public: {
- access_log: {
+ request_log: {
disable_for_health: true
},
},
admin: {
- access_log: {
+ request_log: {
disable_for_health: true
},
}
}
Rename SDK method from deleteOAuth2Token to adminDeleteOAuth2Token.
Rename SDK method from oauth2Token to performOAuth2TokenFlow.
Rename SDK method from introspectOAuth2Token to adminIntrospectOAuth2Token.
Rename SDK method from userinfo to getOidcUserInfo.
Rename SDK method from discoverOpenIDConfiguration to discoverOidcConfiguration.
Rename SDK method from listTrustedJwtGrantIssuers to adminListTrustedOAuth2JwtGrantIssuers.
Rename SDK method from deleteTrustedJwtGrantIssuer to adminDeleteTrustedOAuth2JwtGrantIssuer.
Rename SDK method from getTrustedJwtGrantIssuer to adminGetTrustedOAuth2JwtGrantIssuer.
Rename SDK method from trustJwtGrantIssuer to adminTrustOAuth2JwtGrantIssuer.
Rename SDK method from rejectLogoutRequest to adminRejectOAuth2LogoutRequest.
Rename SDK method from rejectConsentRequest to rejectOAuth2ConsentRequest.
Rename SDK method from acceptConsentRequest to adminAcceptOAuth2ConsentRequest.
Rename SDK method from getOAuth2ConsentRequest to adminGetOAuth2ConsentRequest.
Rename SDK method from rejectLoginRequest to rejectOAuth2LoginRequest.
Rename SDK method from acceptLoginRequest to adminAcceptOAuth2LoginRequest.
Rename SDK method from getLoginRequest to adminGetOAuth2LoginRequest.
Rename SDK method from revokeAuthenticationSession to adminRevokeOAuth2LoginSessions.
Rename SDK method from adminListSubjectConsentSessions to adminListOAuth2SubjectConsentSessions.
Rename SDK method from revokeConsentSessions to adminRevokeOAuth2ConsentSessions.
This release updates SDK services from public and admin to v2. Methods exposed at the admin interface are now prefixed with admin (e.g. adminCreateJsonWebKeySet). Administrative endpoints now have an /admin prefix (e.g. POST /admin/keys). Existing administrative endpoints will redirect to this new prefixed path for backwards compatibility.
This release updates SDK services from public and admin to v2. Methods exposed at the admin interface are now prefixed with admin (e.g. adminCreateOAuth2Client). Administrative endpoints now have an /admin prefix (e.g. POST /admin/clients). Existing administrative endpoints will redirect to this new prefixed path for backwards compatibility.
The default names of cookies have changed:
- oauth2_authentication_csrf
+ ory_hydra_login_csrf
- oauth2_consent_csrf
+ ory_hydra_consent_csrf
- oauth2_authentication_session
+ ory_hydra_session
Use the new configuration option to change the cookie names back to v1.x if required.
CLI flag --dangerous-force-http has been removed. Please use the --dev flag instead!
CLI flag --dangerous-allow-insecure-redirect-url has been removed. Please use the --dev flag instead!
The hydra token revoke command has been renamed to hydra revoke token and now supports structured output (JSON, tables, ...).
The hydra token introspect command has been renamed to hydra introspect token and now supports structured output (JSON, tables, ...).
The hydra token delete command has been renamed to hydra delete access-tokens and now supports structured output (JSON, tables, ...).
The hydra token client command has been renamed to hydra perform client-credentials and now supports structured output (JSON, tables, ...).
The hydra keys create|delete|get|import commands have changed to follow other Ory project's guidelines, including structured output and improved handling. They are now:
hydra create jwks
hydra get jwks
hydra delete jwks
hydra import jwk
Please head over to the documentation for more information or use the --help CLI flag for each command.
HTTP endpoint /oauth2/flush, used to flush inactive access token was deprecated and has been removed. Please use hydra janitor instead.
Command hydra clients import is now hydra import client.
Command hydra clients update is now hydra update client. Additionally, all flags are now singular:
hydra update client [client-id] \
- --redirect-uris foo --redirect-uris bar \
+ --redirect-uri foo --redirect-uri bar \
- --grant-types foo --grant-types bar \
+ --grant-type foo --grant-type bar \
- --response-types foo --response-types bar \
+ --response-type foo --response-type bar \
- --allowed-cors-origins foo --allowed-cors-origins bar \
+ --allowed-cors-origin foo --allowed-cors-origin bar \
- --post-logout-callbacks foo --post-logout-callbacks bar \
+ --post-logout-callback foo --post-logout-callback bar
To better support TB-scale environments, the OAuth2 Client HTTP API's query parameters for pagination have changed from limit and offset to page_token and page_size. The page_token is an opaque string contained in the HTTP Link Header, which expresses the next, previous, first, and last page.
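An added example for the page_token pagination described here and in the summary earlier on this page; it is not code from the Ory SDK. The sample Link header is constructed, and the function names, the admin base URL (http://127.0.0.1:4445) and the /admin/clients listing path are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// ParseLinkTokens returns rel -> page_token for every link-value in an
// RFC 8288 Link header. Only the opaque token is extracted; the link target
// itself is never followed, so a response cannot steer the client to another
// host or path.
func ParseLinkTokens(header string) (map[string]string, error) {
	tokens := map[string]string{}
	rest := strings.TrimSpace(header)
	for rest != "" {
		if rest[0] != '<' {
			return nil, fmt.Errorf("link-value must start with '<': %q", rest)
		}
		end := strings.IndexByte(rest, '>')
		if end < 0 {
			return nil, errors.New("unterminated link target")
		}
		target := rest[1:end]
		rest = rest[end+1:]

		// Parameters run up to the next '<' (assumption: parameter values
		// contain no '<', which holds for rel="next"-style values).
		params := rest
		if i := strings.IndexByte(rest, '<'); i >= 0 {
			params, rest = rest[:i], rest[i:]
		} else {
			rest = ""
		}

		u, err := url.Parse(target)
		if err != nil {
			return nil, fmt.Errorf("bad link target %q: %w", target, err)
		}
		token := u.Query().Get("page_token")
		if token == "" {
			continue // relation without a token, nothing to record
		}
		for _, p := range strings.Split(params, ";") {
			k, v, ok := strings.Cut(strings.Trim(p, " ,\t"), "=")
			if !ok || !strings.EqualFold(strings.TrimSpace(k), "rel") {
				continue
			}
			// A rel parameter may list several space-separated relations.
			for _, rel := range strings.Fields(strings.Trim(v, `"`)) {
				tokens[rel] = token
			}
		}
	}
	return tokens, nil
}

// NextRequestURL rebuilds the follow-up request against the configured admin
// endpoint, passing the token through unchanged as an opaque value.
func NextRequestURL(adminBase, path, token string, pageSize int) (string, error) {
	u, err := url.Parse(adminBase)
	if err != nil {
		return "", err
	}
	u.Path = path
	q := url.Values{}
	q.Set("page_size", strconv.Itoa(pageSize))
	q.Set("page_token", token)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed sample header, not captured from a real server.
	header := `</admin/clients?page_size=2&page_token=tok-first>; rel="first",` +
		`</admin/clients?page_size=2&page_token=tok-next>; rel="next"`
	tokens, err := ParseLinkTokens(header)
	if err != nil {
		panic(err)
	}
	next, ok := tokens["next"]
	if !ok {
		fmt.Println("last page reached")
		return
	}
	nextURL, err := NextRequestURL("http://127.0.0.1:4445", "/admin/clients", next, 2)
	if err != nil {
		panic(err)
	}
	fmt.Println(nextURL)
}
```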
Command hydra clients list is now hydra list client. Please notice that the pagination flags have changed to --page-token and --page-size!
Command hydra clients delete is now hydra delete client.
Command hydra clients get is now hydra get client.
Command hydra clients create is now hydra create client. Additionally, all flags are now singular:
hydra create client \
- --redirect-uris foo --redirect-uris bar \
+ --redirect-uri foo --redirect-uri bar \
- --grant-types foo --grant-types bar \
+ --grant-type foo --grant-type bar \
- --response-types foo --response-types bar \
+ --response-type foo --response-type bar \
- --allowed-cors-origins foo --allowed-cors-origins bar \
+ --allowed-cors-origin foo --allowed-cors-origin bar \
- --post-logout-callbacks foo --post-logout-callbacks bar \
+ --post-logout-callback foo --post-logout-callback bar
This change is backwards compatible, but changes the default hashing algorithm to PBKDF2. To keep using BCrypt for hashing new OAuth2 Client Secrets set the following configuration option in your configuration file:
oauth2:
  hashers:
    algorithm: bcrypt
To improve security and scalability (in particular sharding), OAuth 2.0 Client IDs can no longer be chosen but are always assigned a random generated UUID V4. OAuth 2.0 Clients created with custom IDs before the v2.0 release will continue working with their legacy Client ID in Ory Hydra v2.x.
Additionally, the hydra create client command no longer supports flag --id and flag --callbacks has been renamed to --redirect-uris.
The iss (issuer) value no longer appends a trailing slash but instead uses the raw value set in the config.
Setting
urls:
  self:
    issuer: https://auth.example.com
has changed
- "iss": "https://auth.example.com/"
+ "iss": "https://auth.example.com"
To set a trailing slash make sure to set it in the config value:
urls:
  self:
    issuer: https://auth.example.com/
SDK object PatchDocument was renamed to JsonPatchDocument.
TLS is no longer enabled by default. We want to make deployments behind TLS termination easier. To expose Ory Hydra directly to the public internet, configure keys serve.<public|admin>.tls.
JSON Web Keys are no longer prefixed with public or private. This affects keys generated in Ory Hydra after upgrading to this patch. Existing keys are unaffected by this.
OAuth2 errors can no longer be returned in the legacy error format. Essentially, fields error_hint, error_debug have been removed. Option oauth2.include_legacy_error_fields has been removed.
The HS512 and HS256 JSON Web Key generators have been removed. It is now only possible to generate asymmetric keys in Ory Hydra. It will still be possible to save HS512 or HS256 keys.
If using MySQL, hydra_jwk/kid and hydra_oauth2_trusted_jwt_bearer_issuer/key_id may only contain ascii/utf-8 symbols 0-127
Encode MySQL columns hydra_oauth2_trusted_jwt_bearer_issuer/key_id and hydra_jwk/kid in ascii as
a workaround for the 3072-byte index entry size limit.
Signed-off-by: Grant Zvolsky [email protected]
This patch merges four SQL Tables into a new table, deleting the old tables in the process. The migrations in this patch are expected to be applied offline. Please be aware that there are no down migrations, and if something goes wrong, data loss is possible. Always back up your database before applying migrations. For more information, see Hydra 2.x Migration Guide.
Rows with NULL login_challenge in hydra_oauth2_consent_request and corresponding hydra_oauth2_consent_request_handled are deleted as a side effect of the merge migration. This is done with the assumption that only a very small number of sessions, issued by pre-1.0 Hydra, will be affected. Please contact us if this assumption doesn't apply or if the deletion adversely affects your deployment.
Signed-off-by: Grant Zvolsky [email protected]
Add CORS to public health handler (#3114) (02c6d5d):
Co-authored-by: Reaper [email protected]
Co-authored-by: Patrik [email protected]
Co-authored-by: Alano Terblanche [email protected]
Co-authored-by: Reaper [email protected]
Add json1 tag everywhere (dd1d733)
Add missing down migrations (a98c067)
Allow retries of unused login & consent requests (51a586b), closes #2914 #3085 #2824
Cache migration status (7e25fdb)
cli: Output format issues (fe3c899)
Cockroach migration fixes (7bed244)
Compile errors (d1f5a0e)
Compile issue (83983c2)
Compile issues (68cb7d5)
Conditionals in db-diff (a006b04)
config: Add default to supported types. (f4812c8)
config: Correct salt detection (2b6350c)
config: Disallow additional properties (9022769)
config: Support number (ab6a9ee)
ConfirmLoginSession, missing FKs; add tests (1f7bf40)
Conformity health check (e163c80)
Consistently use RS256 in hot reloading (6376135)
Default back to RS256 keys (891fb55)
Disable NID tests with HSM enabled (142cd13):
We currently don't support NID isolation in combination with HSM.
Docker image build (1d8a8ff)
Docker instructions (063f61b)
Dont close crdb for reuse purposes (11587ae)
Fix hydra_client pk change mysql down migration (#2791) (560acce)
Fix unbatched select in flushInactiveTokens (a5cc6ea):
chore: code review
chore: format
don't delete more tokens than expected.
correct test.
add nid in flush tokens.
Handle server error when refresh token requests come same time (#3207) (b0196c0)
Hsm compile issues (8571a67)
HSM test (ca748a1)
hsm: Public key extraction (57cf46c)
hsm: Public key extraction everywhere (c9c2e01)
Ignore cypress screenshots in git (668a319)
Improve duration pattern (6c8dda8)
Improve health check reporting (1bd0c52)
Improve jwk generator defaults (ece5ca6)
Improve lazy initialization of JWKs (8cffc5b)
Improve migration status speed (1a4abd6)
Improve time validation (b32ff33)
Incorrect queries (255b4e2)
jwk: Expose correct metadata algorithms (0a786b7)
Lazy load PKI (d65aa3a)
Lint issues (72a5cd8)
Make servicelocator explicit (3a26385)
Move to v0alpha2 api spec (a364db4)
Mysql slice delete (c56b958):
mysql: Fix mysql key too long error (ba16958)
oauth2: Incorrect TTL override (7893a98)
Optimise sql update to avoid redundant writes (#3289) (1aa6cc4), closes #3137:
The SQL update here would potentially update a lot of rows, which did not need updating. In some DB engines, this would not be an issue, because the redundant writes are ignored. But on PostgreSQL engines, it is another story; here it would actually carry out the writes, leading to a potentially high number of redundant iops when the engine is vacuuming outdated records. With this change, the SQL update will only affect the rows which are not in the desired state already.
Pop compile issue (3e7b6b4)
Prefix paths correctly with /admin (e130dfa)
Regression in database layer (1d78e79)
Remove deprecated config value (8994190)
Remove goswagger generated client (e2c8809)
Remove incorrect aliases (2a20080)
Remove obsolete type patches (e670d68)
Remove unnecessary load of TLS certificates at boot (13691d3)
Remove unused swagger struct (4ff0690)
Replace of consent session expires values (e1731ba)
Resolve a merge conflict in migration_test (#2811) (acb16c1)
Resolve conformance build issues (f6ee1d3)
Resolve internal SDK regressions (937e6ba)
Resolve merge conflicts (6eee09c)
Resolve migration regressions (5552e4d)
Resolve test issues and regressions introduced by the new JWK generator (77b1ac7)
Resolve token prefix regression (1fd6ea3)
Retry transient crdb transaction failures (f0f3139)
Revert to normal crdb (c9a248d)
sdk: GenericError type (21c579a)
sdk: Make session uniquely named (468e27d)
sdk: Omit DefaultSession (954aa5f)
sdk: Remove pattern from scope parameter (1332fe6), closes #3142
sdk: Resolve type issues and regenerate SDK (6880fea)
sdk: Use correct struct for response (04b308f)
Speed up health checks (eafa2bb)
Support issuer with and without trailing slash (d746fa4), closes #1482
Update benchmark script (63a84de)
Use --yes flag in db-diff (36ddb61)
Use config func everywhere (d1af32d)
Use correct context (3ceefd7)
Use CreateWith (9fbbbdf)
Use StringSliceJSONFormat instead of StringSlicePipeDelimiter (#3112) (1d9891d):
hydra keys command (e466d7c)
hydra token client command (81e79f2)
hydra token delete command (aa338e1)
hydra token introspect command (da3e2b4)
hydra token revoke command (42e75c3)
CLI environment variables HYDRA_URL has been renamed to ORY_SDK_URL (08bbbab):
BREAKING CHANGE: To follow ecosystem convention, environment variables HYDRA_URL, HYDRA_ADMIN_URL have been renamed to ORY_SDK_URL.
client: Make OAuth2 Client IDs system-chosen and immutable (4002224), closes #2911
client: Rename SDK methods and introduce /admin prefix (0752721)
client: Replace limit and offset parameters with page_token and page_size (23585b5)
consent: Rename SDK method from acceptConsentRequest to adminAcceptOAuth2ConsentRequest (5885ab3)
consent: Rename SDK method from acceptLoginRequest to adminAcceptOAuth2LoginRequest (fa27d0c)
consent: Rename SDK method from adminListSubjectConsentSessions to adminListOAuth2SubjectConsentSessions (bb51ba0)
consent: Rename SDK method from getLoginRequest to adminGetOAuth2LoginRequest (9053040)
consent: Rename SDK method from getOAuth2ConsentRequest to adminGetOAuth2ConsentRequest (475efbc)
consent: Rename SDK method from rejectConsentRequest to rejectOAuth2ConsentRequest (e0e3da9)
consent: Rename SDK method from rejectLoginRequest to rejectOAuth2LoginRequest (37a8839)
consent: Rename SDK method from rejectLogoutRequest to adminRejectOAuth2LogoutRequest (cdffa1e)
consent: Rename SDK method from revokeAuthenticationSession to adminRevokeOAuth2LoginSessions (0a5ebe8)
consent: Rename SDK method from revokeConsentSessions to adminRevokeOAuth2ConsentSessions (1108409)
Deprecate --dangerous-allow-insecure-redirect-url flag (46b5887)
Deprecate --dangerous-force-http flag (062734e)
Drop TLS by default (edb042e)
Environment variable DATABASE_URL has been deprecated (8023d2a)
Finalize consent SDK methods (53d225a)
Generated UUID variant & version test (#2793) (697813e), closes #2792
Improve performance and reduce data use of consent persistence layer (#2836) (53862f2):
This patch changes the internal data structure and reduces four (sort of redundant) tables into one. As part of this change, a few new tools have been added:
Introduce the hydra sql gen command and a convenience Make target with autocompletion. The command reads migration templates from a source directory and produces migration files in a target directory. Its main function is to split a single source file into multiple files using split marks.
Introduce the hack/db-diff.sh command to generate database schema diffs at different commits. This script is used to view and review the impact of migrations on the database schema.
jwk: No longer prefix keys with public or private (5e2ea0b)
jwk: Rename SDK methods and introduce /admin prefix (cd007bb)
Make commands easier to consume (cc9d9e5)
oauth2: Clean up changes (c12b45c)
oauth2: Rename SDK method from deleteOAuth2Token to adminDeleteOAuth2Token (ea4caf7)
oauth2: Rename SDK method from discoverOpenIDConfiguration to discoverOidcConfiguration (df467a0)
oauth2: Rename SDK method from introspectOAuth2Token to adminIntrospectOAuth2Token (f2bd9a3)
oauth2: Rename SDK method from oauth2Token to performOAuth2TokenFlow (51b58e7)
oauth2: Rename SDK method from userinfo to getOidcUserInfo (4e554e7)
Remove /oauth2/flush endpoint (17c226c)
Remove oauth2.include_legacy_error_fields config (148cadb)
Remove HS512 and HS256 jwk key generator (5fb3049)
Rename access_log to request_log (223c8bc)
Rename hydra clients create command (76eb93c):
Renames the command to hydra create client and changes CLI flags.
Rename hydra clients delete command (dea2fdd):
Renames the command to hydra delete client and changes CLI flags.
Rename hydra clients get command (edd4b43):
Renames the command to hydra get client and changes CLI flags.
Rename hydra clients import command (7de7841):
The hydra clients import command now supports reading from STDIN as well as the file system, and ships with output formats such as json and json-pretty.
Rename hydra clients list command (1c0f971):
Renames the command to hydra list client and changes CLI flags.
Rename hydra clients update command (7482b77)
Replace custom key generator with jose key generator (d2d5512):
sdk: Consent SDK (e800002)
sdk: JSON Web Key SDK API (06d565e)
sdk: OAuth 2.0 Trust Relationship SDK (b0a2b05)
sdk: OAuth2 SDK API (142b55f)
sdk: Rename errors (6b60156)
sdk: Rename oauth2 client operations and payloads (cb742ad)
sdk: Rename PatchDocument to JsonPatchDocument (a54ea69)
trust: Rename SDK method from deleteTrustedJwtGrantIssuer to adminDeleteTrustedOAuth2JwtGrantIssuer (e0be7cf)
trust: Rename SDK method from getTrustedJwtGrantIssuer to adminGetTrustedOAuth2JwtGrantIssuer (210116e)
trust: Rename SDK method from listTrustedJwtGrantIssuers to adminListTrustedOAuth2JwtGrantIssuers (cb7b9e0)
trust: Rename SDK method from trustJwtGrantIssuer to adminTrustOAuth2JwtGrantIssuer (7edf8df)
Add db.ignore_unknown_table_columns configuration property (#3192) (#3193) (5842946):
The property allows to ignore scan errors when columns in the SQL result have no fields in the destination struct.
Add ability to allow token refresh from hook without overriding the session claims (#3146) (afa2ea0), closes #3082
Add new key serve.public.tls.enabled (ecacc6d)
Add SQLite dependency to SQLite Dockerfile (#3282) (841a153)
Add tag descriptions (c111a4c)
Add token prefixes (60bab08), closes #2845:
This patch adds token prefixes to access tokens (ory_at_), refresh tokens (ory_rt_), and authorize codes (ory_ac_). Token prefixes are useful when scanning for secrets in e.g. git repositories. Token prefixes are only issued for non-JWTs.
Allow config context (d894c97)
Better control for cookie secure flag (90d539f)
client: Respect ip restrictions in client validation (cafe89a)
cli: Improve migrate command handling (e252654)
cli: Significantly improved create client (bb9c8ba), closes #3091:
This patch adds output formats to hydra create client and makes all client fields configurable as flags.
Config hot reloading architecture (bbe0406)
Custom client token ttl (#3206) (9ef671f), closes #3157:
This change introduces a new endpoint that allows you to control how long client tokens last. Now you can configure the lifespan for each valid combination of Client, GrantType, and TokenType.
Deprecate autoincrement primary key in hydra_client (#2784) (6d01e2e), closes #2781
Deprecate autoincrement primary key in hydra_jwk (#2789) (b76a151), closes #2788
Implement NID (b7fc2bf)
Improve CLI messages (e934c4f)
Improve cloud cli compatibility (93a626d)
Improve cookie settings (9717cad)
Improve refresh token error messages (2769c9b)
Improved cookie controls (e7834ec):
New cookie configuration options have been introduced, allowing a higher degree of control:
serve:
  cookies:
    same_site_mode: Lax
    same_site_legacy_workaround: false
    domain: example.com
    names:
      login_csrf: ory_hydra_login_csrf
      consent_csrf: ory_hydra_consent_csrf
      session: ory_hydra_session
Make all ui urls relative (370a487)
Make CORS config hot reloadable (2d5c893)
Make perform commands ory cloud-able (954693f)
Pass options from root (2f91ef4)
Rebuild containers on start (5b616d8)
Replace hydra's transaction impl with ory/popx/transaction (77d8dac)
Respect local DNS restrictions (7eb1d1c)
sdk: Add missing bearer security definition (a85bc7a)
sdk: Type nulls (fe70395)
Support alternate hashing algorithms for client secrets (ddba42f), closes rfc6819#section-5 (https://datatracker.ietf.org/doc/html/rfc6819#section-5):
This patch adds support for hashing client secrets using pbkdf2 instead of bcrypt, which might be a more appropriate algorithm in certain settings. As we assume that most environments fall in this category, we also changed the default to pbkdf2 with 25.000 rounds (roughly 1-3ms per hash on an Apple M1 Max core).
High hash costs are needed when hashing user-chosen passwords, as users often reuse passwords across sites. A high hash cost will make it much harder for the attacker to guess the user-chosen password and try using it on other sites (e.g. Google).
As most client secrets are auto-generated, using high hash costs is not useful. The password (OAuth2 Client Secret) is not user chosen and unlikely to be reused. As such, there is little point in using excessive hash costs to protect users. High hash costs in a system like Ory Hydra will cause high CPU costs from mostly automated traffic (OAuth2 Client interactions). It has also been a point of criticism from some who wish for better RPS on specific endpoints.
Other systems like Keycloak do not hash client secrets at all, referencing more secure authentication mechanisms such as assertion-based client authentication.
Support ES256 for generating JWTs (9a080ad)
Tls on public port can now be configured without restrictions (73d9517)
Upgrade go-swagger (cce8d60)
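Added example (not from the Ory Hydra code base): a small Go scanner that uses the ory_at_, ory_rt_ and ory_ac_ prefixes from the "Add token prefixes" change above to find leaked tokens in text such as a repository file, reporting only a redacted form. The token body pattern (base64url text with an optional dot-separated signature, at least 20 characters) and the sample input are assumptions constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Prefixes from the release note; JWT access tokens carry no prefix.
var tokenKinds = map[string]string{
	"ory_at_": "access token",
	"ory_rt_": "refresh token",
	"ory_ac_": "authorize code",
}

// Assumption: the body is base64url text, optionally "<key>.<signature>".
// The 20-character minimum keeps prose mentions of a bare prefix out.
var tokenRe = regexp.MustCompile(
	`\bory_(?:at|rt|ac)_[A-Za-z0-9_-]{20,}(?:\.[A-Za-z0-9_-]{20,})?`)

// Finding records where a token was seen without storing the secret itself.
type Finding struct {
	Line     int
	Kind     string
	Redacted string
}

// ScanText reports every prefixed token in text, one Finding per match.
func ScanText(text string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(text))
	sc.Buffer(make([]byte, 0, 64*1024), 1024*1024) // tolerate long lines
	for n := 1; sc.Scan(); n++ {
		for _, tok := range tokenRe.FindAllString(sc.Text(), -1) {
			// Keep the 7-byte prefix plus 4 body bytes for triage.
			out = append(out, Finding{n, tokenKinds[tok[:7]], tok[:11] + "..."})
		}
	}
	return out
}

// Constructed sample input; none of these values are real credentials.
const sample = `# deploy.env
export API_TOKEN=ory_at_AAAAbbbbCCCCddddEEEEffffGGGG.hhhhIIIIjjjjKKKKllllMMMM
refresh: "ory_rt_0123456789abcdefghijKLMNOP.qrstuvwxyz0123456789ABCD"
callback?code=ory_ac_zzzzYYYYxxxxWWWWvvvvUUUUtttt.ssssRRRRqqqqPPPPoooo&state=1
jwt_access_token=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ4In0.c2lnbmF0dXJl
note: opaque access tokens start with ory_at_ (no token body here)
`

func main() {
	for _, f := range ScanText(sample) {
		fmt.Printf("line %d: %s %s\n", f.Line, f.Kind, f.Redacted)
	}
}
```

The JWT on line 5 of the sample is not reported, which matches the note that prefixes are only issued for non-JWTs; JWT-format tokens need a separate detection rule.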
Artifacts can be verified with cosign using this public key.
Published by ory-bot about 2 years ago
This release resolves a critical regression introduced in Ory Hydra v1.11.9. Upgrade to this version and skip Ory Hydra v1.11.9 if you have an existing system. The bug can stop existing refresh tokens from working.
It includes no other significant changes.
Artifacts can be verified with cosign using this public key.
Published by ory-bot about 2 years ago
☠️ WARNING ☠️
This version contains a regression which can cause the refresh flow to fail for existing consent sessions. Please do not upgrade to this version. For new systems, you can still use this version.
This release introduces two new features:
Backport fix for client specific CORS (#1754) (#3163) (996258d)
docs: Correct the tracing service name environment variable (6e2343c):
While I believe this used to be specific to OTEL, it now appears to be configurable "globally", according to spec/config.json.
Fixed configuration editor for the documentation page (#3105) (0a77a06):
Handle server error when refresh token requests come same time (#3207) (e66ba3c)
Updated process ending instructions (#3176) (b72491e):
cmd + c doesn't end the process on macOS but ctrl + c does.
Add session and requester to refresh token webhook data (#3204) (6d23859), closes #3203
Add token_endpoint_auth_signing_alg to cli (#3148) (ed6eb30)
Custom client token ttl (#3206) (9544c03), closes #3157:
This change introduces a new endpoint that allows you to control how long client tokens last. Now you can configure the lifespan for each valid combination of Client, GrantType, and TokenType.
Artifacts can be verified with cosign using this public key.
Published by ory-bot over 2 years ago
This release resolves issues in the log module, improves the SDK type definitions, and introduces new configuration options to HSM.
Add limit and offset to pagination (#3062) (51f6c5d), closes #3033
Do not use cached version (422d422)
Proper response types for 404 errors (#3072) (e711273), closes #3064
sdk: Correct polymorph type for consent session (#3074) (646459a), closes #3058
Sync ports between Dockerfiles and comments (#3027) (ebd1694)
Use default for env var (2b024b4)
Add hsm key set prefix to support multiple hydra instances on the same hsm partition (#3066) (90523fd):
This pull request adds configuration option hsm.key_set_prefix to support multiple Ory Hydra instances to store keys on the same HSM partition. For example if hsm.key_set_prefix=app1. then key set hydra.openid.id-token would be generated/requested/deleted on HSM with CKA_LABEL=app1.hydra.openid.id-token.
This will not affect Hydra API in any way. GET /keys/hydra.openid.id-token will return key set from HSM with label app1.hydra.openid.id-token.
Add support for trust grants that can issue tokens for any subject (#3012) (a3c4304), closes #2930:
Previously, a trust relationship had to be setup for every subject
before the issuer could sign a JWT token for it. This change will allow
setting up token services that can issue tokens with any value in the
subject field.
Make sensitive log value redaction text configurable (#3040) (536352c)
Artifacts can be verified with cosign using this public key.
Published by ory-bot over 2 years ago
Ory Hydra has a new place for documentation at github.com/ory/docs and www.ory.sh/docs/hydra! Additionally, the CI/CD infrastructure was moved to GitHub actions.
Artifacts can be verified with cosign using this public key.
Published by ory-bot over 2 years ago
Ory Hydra has a new place for documentation at github.com/ory/docs and www.ory.sh/docs/hydra! Additionally, the CI/CD infrastructure was moved to GitHub actions.
Artifacts can be verified with cosign using this public key.
Published by ory-bot over 2 years ago
Ory Hydra has a new place for documentation at github.com/ory/docs and www.ory.sh/docs/hydra! Additionally, the CI/CD infrastructure was moved to GitHub actions.
Artifacts can be verified with cosign using this public key.
Published by ory-bot over 2 years ago
autogen: pin v1.11.4 release commit
Artifacts can be verified with cosign using this public key.