autogen: prepare for OSS release - v25.4.0

GitOrigin-RevId: 8a80ff652290d5faf26d05286b077325672b6fc5
github-actions[bot] 2025-11-07 13:15:34 +01:00 committed by ory-bot
parent ab35ad473a
commit de9baaa9bc
3 changed files with 1256 additions and 350 deletions


@ -18,196 +18,6 @@
"TRACE"
]
},
"portNumber": {
"description": "The port to listen on.",
"minimum": 1,
"maximum": 65535
},
"socket": {
"type": "object",
"additionalProperties": false,
"description": "Sets the permissions of the unix socket",
"properties": {
"owner": {
"type": "string",
"description": "Owner of unix socket. If empty, the owner will be the user running hydra.",
"default": ""
},
"group": {
"type": "string",
"description": "Group of unix socket. If empty, the group will be the primary group of the user running hydra.",
"default": ""
},
"mode": {
"type": "integer",
"description": "Mode of unix socket in numeric form, base 10.",
"default": 493,
"minimum": 0,
"maximum": 511
}
}
},
"cors": {
"type": "object",
"additionalProperties": false,
"description": "Configures Cross Origin Resource Sharing for public endpoints.",
"properties": {
"enabled": {
"type": "boolean",
"description": "Sets whether CORS is enabled.",
"default": false
},
"allowed_origins": {
"type": "array",
"description": "A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (i.e.: http://*.domain.com). Only one wildcard can be used per origin.",
"items": {
"type": "string",
"minLength": 1,
"not": {
"type": "string",
"description": "does match all strings that contain two or more (*)",
"pattern": ".*\\*.*\\*.*"
},
"anyOf": [
{
"format": "uri"
},
{
"const": "*"
}
]
},
"uniqueItems": true,
"default": [],
"examples": [
[
"*",
"https://example.com",
"https://*.example.com",
"https://*.foo.example.com"
]
]
},
"allowed_methods": {
"type": "array",
"description": "A list of HTTP methods the user agent is allowed to use with cross-domain requests.",
"default": [
"POST",
"GET",
"PUT",
"PATCH",
"DELETE",
"CONNECT",
"HEAD",
"OPTIONS",
"TRACE"
],
"items": {
"type": "string",
"enum": [
"POST",
"GET",
"PUT",
"PATCH",
"DELETE",
"CONNECT",
"HEAD",
"OPTIONS",
"TRACE"
]
}
},
"allowed_headers": {
"type": "array",
"description": "A list of non simple headers the client is allowed to use with cross-domain requests.",
"default": [
"Accept",
"Content-Type",
"Content-Length",
"Accept-Language",
"Content-Language",
"Authorization"
],
"items": {
"type": "string"
}
},
"exposed_headers": {
"type": "array",
"description": "Sets which headers are safe to expose to the API of a CORS API specification.",
"default": [
"Cache-Control",
"Expires",
"Last-Modified",
"Pragma",
"Content-Length",
"Content-Language",
"Content-Type"
],
"items": {
"type": "string"
}
},
"allow_credentials": {
"type": "boolean",
"description": "Sets whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates.",
"default": true
},
"max_age": {
"type": "integer",
"description": "Sets how long (in seconds) the results of a preflight request can be cached. If set to 0, every request is preceded by a preflight request.",
"default": 0,
"minimum": 0
},
"debug": {
"type": "boolean",
"description": "Adds additional log output to debug server side CORS issues.",
"default": false
}
}
},
"cidr": {
"description": "CIDR address range.",
"type": "string",
"oneOf": [
{
"pattern": "^(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$"
},
{
"pattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
}
],
"examples": ["127.0.0.1/32"]
},
"pem_file": {
"type": "object",
"oneOf": [
{
"properties": {
"path": {
"type": "string",
"description": "The path to the pem file.",
"examples": ["/path/to/file.pem"]
}
},
"additionalProperties": false,
"required": ["path"]
},
{
"properties": {
"base64": {
"type": "string",
"description": "The base64 encoded string (without padding).",
"contentEncoding": "base64",
"contentMediaType": "application/x-pem-file",
"examples": ["b3J5IGh5ZHJhIGlzIGF3ZXNvbWUK"]
}
},
"additionalProperties": false,
"required": ["base64"]
}
]
},
"duration": {
"type": "string",
"pattern": "^(\\d+(ns|us|ms|s|m|h))+$",
@ -216,39 +26,6 @@
"1h5m1s"
]
},
"tls_config": {
"type": "object",
"description": "Configures HTTPS (HTTP over TLS). If configured, the server automatically supports HTTP/2.",
"properties": {
"enabled": {
"type": "boolean",
"description": "Setting enabled to false drops the TLS requirement for the admin endpoint, even if TLS is enabled on the public endpoint."
},
"key": {
"description": "Configures the private key (pem encoded).",
"allOf": [
{
"$ref": "#/definitions/pem_file"
}
]
},
"cert": {
"description": "Configures the public certificate (pem encoded).",
"allOf": [
{
"$ref": "#/definitions/pem_file"
}
]
},
"allow_termination_from": {
"type": "array",
"description": "Whitelist one or multiple CIDR address ranges and allow them to terminate TLS connections. Be aware that the X-Forwarded-Proto header must be set and must never be modifiable by anyone but your proxy / gateway / load balancer. Supports ipv4 and ipv6. Hydra serves http instead of https when this option is set.",
"items": {
"$ref": "#/definitions/cidr"
}
}
}
},
"webhook_config": {
"type": "object",
"additionalProperties": false,
@ -266,6 +43,7 @@
"required": ["type", "config"],
"properties": {
"type": {
"type": "string",
"const": "api_key"
},
"config": {
@ -274,6 +52,7 @@
"required": ["name", "value"],
"properties": {
"in": {
"type": "string",
"enum": ["header", "cookie"]
},
"name": {
@ -339,96 +118,35 @@
"description": "Controls the configuration for the http(s) daemon(s).",
"properties": {
"public": {
"type": "object",
"additionalProperties": false,
"description": "Controls the public daemon serving public API endpoints like /oauth2/auth, /oauth2/token, /.well-known/jwks.json",
"properties": {
"port": {
"default": 4444,
"type": "integer",
"allOf": [
{
"$ref": "#/definitions/portNumber"
}
]
"allOf": [
{
"$ref": "ory://serve-config"
},
"host": {
"type": "string",
"description": "The interface or unix socket Ory Hydra should listen and handle public API requests on. Use the prefix `unix:` to specify a path to a unix socket. Leave empty to listen on all interfaces.",
"default": "",
"examples": ["localhost"]
},
"cors": {
"$ref": "#/definitions/cors"
},
"socket": {
"$ref": "#/definitions/socket"
},
"request_log": {
"type": "object",
"additionalProperties": false,
"description": "Access Log configuration for public server.",
{
"properties": {
"disable_for_health": {
"type": "boolean",
"description": "Disable access log for health endpoints.",
"default": false
"cors": {
"$ref": "ory://cors-config"
}
}
},
"tls": {
"$ref": "#/definitions/tls_config"
}
}
]
},
"admin": {
"type": "object",
"additionalProperties": false,
"properties": {
"port": {
"default": 4445,
"type": "integer",
"allOf": [
{
"$ref": "#/definitions/portNumber"
}
]
"allOf": [
{
"$ref": "ory://serve-config"
},
"host": {
"type": "string",
"description": "The interface or unix socket Ory Hydra should listen and handle administrative API requests on. Use the prefix `unix:` to specify a path to a unix socket. Leave empty to listen on all interfaces.",
"default": "",
"examples": ["localhost"]
},
"cors": {
"$ref": "#/definitions/cors"
},
"socket": {
"$ref": "#/definitions/socket"
},
"request_log": {
"type": "object",
"additionalProperties": false,
"description": "Access Log configuration for admin server.",
{
"properties": {
"disable_for_health": {
"type": "boolean",
"description": "Disable access log for health endpoints.",
"default": false
"cors": {
"$ref": "ory://cors-config"
}
}
},
"tls": {
"allOf": [
{
"$ref": "#/definitions/tls_config"
}
]
}
}
]
},
"tls": {
"$ref": "#/definitions/tls_config"
"$ref": "ory://tls-config"
},
"cookies": {
"type": "object",
@ -700,6 +418,7 @@
"properties": {
"supported_types": {
"contains": {
"type": "string",
"const": "pairwise"
}
}
@ -937,6 +656,17 @@
"login_consent_request": {
"description": "Configures how long a user login and consent flow may take.",
"default": "30m",
"type": "string",
"allOf": [
{
"$ref": "#/definitions/duration"
}
]
},
"authentication_session": {
"description": "Configures how long the authentication session cookie will be valid after login has been remembered. The larger this value is, the more database storage is needed. Defaults to 30 days.",
"default": "720h",
"type": "string",
"allOf": [
{
"$ref": "#/definitions/duration"
@ -944,8 +674,9 @@
]
},
"access_token": {
"description": "Configures how long access tokens are valid.",
"description": "Configures how long access tokens are valid. The larger this value is, the more database storage is needed.",
"default": "1h",
"type": "string",
"allOf": [
{
"$ref": "#/definitions/duration"
@ -953,7 +684,7 @@
]
},
"refresh_token": {
"description": "Configures how long refresh tokens are valid. Set to -1 for refresh tokens to never expire.",
"description": "Configures how long refresh tokens are valid. The larger this value is, the more database storage is needed. Set to -1 for refresh tokens to never expire, which is not recommended as the database can not be cleaned from stale tokens.",
"default": "720h",
"oneOf": [
{
@ -970,6 +701,7 @@
"id_token": {
"description": "Configures how long id tokens are valid.",
"default": "1h",
"type": "string",
"allOf": [
{
"$ref": "#/definitions/duration"
@ -977,8 +709,9 @@
]
},
"auth_code": {
"description": "Configures how long auth codes are valid.",
"description": "Configures how long auth codes are valid. The larger this value is, the more database storage is needed.",
"default": "10m",
"type": "string",
"allOf": [
{
"$ref": "#/definitions/duration"
@ -986,7 +719,7 @@
]
},
"device_user_code": {
"description": "Configures how long device & user codes are valid.",
"description": "Configures how long device & user codes are valid. The larger this value is, the more database storage is needed.",
"default": "10m",
"allOf": [
{
@ -1119,13 +852,21 @@
"properties": {
"rotation_grace_period": {
"title": "Refresh Token Rotation Grace Period",
"description": "Configures how long a Refresh Token remains valid after it has been used. The maximum value is 5 minutes.",
"description": "Configures how long a Refresh Token remains valid after it has been used. The maximum value is 5 minutes, unless also a reuse count is configured, in which case the maximum is 180 days.",
"default": "0s",
"type": "string",
"allOf": [
{
"$ref": "#/definitions/duration"
}
]
},
"rotation_grace_reuse_count": {
"title": "Refresh Token Rotation Grace Period Reuse Count",
"description": "Configures how many times a Refresh Token can be reused during the grace period. This is only effective if combined with a rotation grace period.",
"default": 0,
"type": "integer",
"minimum": 0
}
}
},
@ -1147,6 +888,7 @@
"max_ttl": {
"description": "Configures what the maximum age of a JWT assertion used in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC7523) can be. This feature uses the `exp` claim and `iat` claim to calculate assertion age. Assertions exceeding the max age will be denied. Useful as a safety measure and recommended to keep below 720h. This governs the `grant.jwt.max_ttl` setting.",
"default": "720h",
"type": "string",
"allOf": [
{
"$ref": "#/definitions/duration"
@ -1184,11 +926,39 @@
"description": "Configures how often a non-interactive device should poll the device token endpoint, this is a purely informational configuration and does not enforce rate-limiting.",
"examples": ["5s", "15s", "1m"]
},
"user_code_entropy": {
"type": "string",
"description": "Sets the entropy for the user codes.",
"default": "medium",
"enum": ["high", "medium", "low"]
"user_code": {
"type": "object",
"description": "Configures the user code settings.",
"oneOf": [
{
"properties": {
"entropy_preset": {
"type": "string",
"description": "Presets for the user-code length and character set.",
"enum": ["high", "medium", "low"]
}
},
"required": ["entropy_preset"],
"additionalProperties": false
},
{
"properties": {
"length": {
"type": "integer",
"description": "The length of the user code.",
"minimum": 6
},
"character_set": {
"type": "string",
"description": "The character set to use for the user code. Provide the raw characters that should be used.",
"examples": ["ABCDEFGHJKLMNPQRSTUVWXYZ23456789"],
"minLength": 8
}
},
"required": ["length", "character_set"],
"additionalProperties": false
}
]
}
}
},
@ -1205,8 +975,8 @@
}
]
}
}
},
}
},
"secrets": {
"type": "object",
"additionalProperties": false,
@ -1229,7 +999,22 @@
},
"cookie": {
"type": "array",
"description": "A secret that is used to encrypt cookie sessions. Defaults to secrets.system. It is recommended to use a separate secret in production. The first item in the list is used for signing and encryption. The whole list is used for verifying signatures and decryption.",
"description": "Secrets that are used for cookie session encryption. Defaults to secrets.system. It is recommended to use a separate secret in production. The first item in the list is used for signing and encryption. The whole list is used for verifying signatures and decryption.",
"items": {
"type": "string",
"minLength": 16
},
"examples": [
[
"this-is-the-primary-secret",
"this-is-an-old-secret",
"this-is-another-old-secret"
]
]
},
"pagination": {
"type": "array",
"description": "Secrets that are used for pagination token encryption. Defaults to secrets.system. It is recommended to use a separate secret in production. The first item in the list is used for signing and encryption. The whole list is used for verifying signatures and decryption.",
"items": {
"type": "string",
"minLength": 16
@ -1251,7 +1036,7 @@
"examples": ["cpu"]
},
"tracing": {
"$ref": "ory://tracing-config"
"$ref": "https://raw.githubusercontent.com/ory/hydra/ab35ad47/oryx/otelx/config.schema.json"
},
"sqa": {
"type": "object",



@ -16,7 +16,7 @@ services:
- hydra-sqlite:/mnt/sqlite
command: "chmod -R 777 /mnt/sqlite"
hydra:
image: oryd/hydra:v2.3.0
image: oryd/hydra:v25.4.0
build:
context: .
dockerfile: .docker/Dockerfile-local-build
@ -40,7 +40,7 @@ services:
networks:
- intranet
hydra-migrate:
image: oryd/hydra:v2.3.0
image: oryd/hydra:v25.4.0
build:
context: .
dockerfile: .docker/Dockerfile-local-build
@ -61,7 +61,7 @@ services:
consent:
environment:
- HYDRA_ADMIN_URL=http://hydra:4445
image: oryd/hydra-login-consent-node:v2.3.0
image: oryd/hydra-login-consent-node:v25.4.0
ports:
- "3000:3000"
restart: unless-stopped