Commit Graph

885 Commits

Author SHA1 Message Date
Henning Perl f29fe3af97
feat: stateless authorization code flow (#3515)
This patch optimizes the performance of authorization code grant flows by minimizing the number of database queries. We achieve this by storing the flow in an AEAD-encoded cookie and AEAD-encoded request parameters for the authentication and consent screens.

BREAKING CHANGE:

* The client that is used as part of the authorization grant flow is stored in the AEAD-encoding. Therefore, running flows will not observe updates to the client after they were started.
* Because the login and consent challenge values now include the AEAD-encoded flow, their size increased to around 1kB for a flow without any metadata (and increases linearly with the amount of metadata). Please adjust your ingress / gateway accordingly.
2023-06-12 20:27:00 +02:00
Grant Zvolsky 8e961d0eb3 code review 2022-09-07 08:10:31 +02:00
Grant Zvolsky 9d01e24890 autogen(docs): generate cli docs 2022-09-07 08:10:31 +02:00
Grant Zvolsky 53862f290c refactor: improve performance and reduce data use of consent persistence layer (#2836)
This patch changes the internal data structure and reduces four (sort of redundant) tables into one. As part of this change, a few new tools have been added:

* Introduce the `hydra sql gen` command and a convenience Make target with autocompletion. The command reads migration templates from a source directory and produces migration files in a target directory. Its main function is to split a single source file into multiple files using split marks.

* Introduce the `hack/db-diff.sh` command to generate database schema diffs at different commits. This script is used to view and review the impact of migrations on the database schema.

BREAKING CHANGES: This patch merges four SQL Tables into a new table, deleting the old tables in the process. The migrations in this patch are expected to be applied offline. Please be aware that *there are no down migrations*, and if something goes wrong, data loss is possible. Always back up your database before applying migrations. For more information, see [Hydra 2.x Migration Guide](https://www.ory.sh/hydra/docs/guides/migrate-v2).

Rows with NULL login_challenge in `hydra_oauth2_consent_request` and corresponding `hydra_oauth2_consent_request_handled` are deleted as a side effect of the merge migration. This is done with the assumption that only a very small number of sessions, issued by pre-1.0 Hydra, will be affected. Please contact us if this assumption doesn't apply or if the deletion adversely affects your deployment.

Signed-off-by: Grant Zvolsky <grant@zvolsky.org>
2022-09-07 08:10:31 +02:00
Grant Zvolský 9544c03a3b
feat: custom client token ttl (#3206)
This change introduces a new endpoint that allows you to control how long client tokens last. Now you can configure the lifespan for each valid combination of Client, GrantType, and TokenType.

See #3157

Co-authored-by: aeneasr <3372410+aeneasr@users.noreply.github.com>
Co-authored-by: Andreas Bucksteeg <andreas@bucksteeg.de>
2022-07-28 21:12:09 +02:00
hackerman 159c788f58
refactor: migrate docs to ory/docs (#2982) 2022-02-11 13:43:16 +01:00
Maurice Freitag 05038deebc
docs: add options for using SQLite & Cockroach DB to 5min tutorial, fix typo in contribution guidelines (#2970) 2022-02-08 10:04:54 +01:00
Anirudh Oppiliappan 6191630b33
ci: add workflow for GitHub Actions CI (#2955)
Previously, end-to-end tests ran sequentially and took about ~30 mins to
complete. With this patch, they now run in parallel, bringing down the
total run-time to roughly about 5.5 mins. We further shave off a couple
of minutes by pre-building Hydra (setup-e2e job), and caching the built
binary. Before the start of every test run, we restore the binary at
test/e2e/hydra.

See ory-corp/cloud#1796

Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>
Co-authored-by: ory-bot <60093411+ory-bot@users.noreply.github.com>
2022-02-04 14:43:30 +01:00
aeneasr 41b2d856ee autogen(docs): generate and format documentation 2022-02-03 22:38:04 +00:00
aeneasr e91c761634 autogen(docs): generate and format documentation 2022-02-03 20:11:41 +00:00
aeneasr 20af96a17a autogen(docs): generate and format documentation 2022-02-03 18:02:49 +00:00
hackerman 7f574aa49b
ci: resolve prettier issues (#2965) 2022-02-03 15:34:47 +01:00
aeneasr 8cd888c1e0 chore: update repository templates
[skip ci] - updated repository templates to a4c405f4aa
2022-02-02 10:52:35 +00:00
Vincent 71c9ca4984
fix: remove outdated notice (#2961) 2022-02-02 11:47:06 +01:00
hackerman a36d623341
chore: update docusaurus template (#2956)
Signed-off-by: aeneasr <aeneasr@users.noreply.github.com>

Co-authored-by: aeneasr <aeneasr@users.noreply.github.com>
2022-01-27 14:44:12 +01:00
mig5 e257f3e6a4
docs: recommend to start with one container in prod to complete first-time setup. (#2945)
This is to ensure multiple concurrent workers don't both generate JWKs needlessly, for example.

See https://github.com/ory/hydra/discussions/2943#discussioncomment-1997531
2022-01-21 16:52:05 +01:00
aeneasr 61cef9600c autogen(docs): generate and format documentation 2022-01-20 18:40:04 +00:00
aeneasr 91b0870ee7 autogen(docs): update milestone document 2022-01-20 00:10:06 +00:00
aeneasr e29153515c chore: update docusaurus template
Signed-off-by: aeneasr <aeneasr@users.noreply.github.com>
2022-01-19 08:46:14 +01:00
Andrew Minkin 5895d03a37
docs: ORY -> Ory to follow styleguides (#2941) 2022-01-18 14:44:04 +01:00
aeneasr 844a595004 autogen(docs): generate and format documentation 2022-01-15 16:42:16 +00:00
Andrew Minkin 1b2f6a675e
docs: use Ory instead of ORY in the documentation (#2939) 2022-01-15 17:27:36 +01:00
aeneasr abffb098cf feat: native ARM64 support in Docker and Binaries
This release adds important security updates for the base Docker Images (e.g. Alpine). Additionally, Ory Hydra now has full ARM support and the binaries are now downloadable for all major platforms.

BREAKING CHANGE: To celebrate this change, we cleaned up the ways you install Ory software. There is now one central brew / bash curl repository:

```patch
-brew install ory/hydra/hydra
+brew install ory/tap/hydra

-bash <(curl https://raw.githubusercontent.com/ory/kratos/master/install.sh)
+bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) hydra
```
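Review bot: the added `bash <(curl` line fetches `install.sh` from the mutable `master` branch of `ory/meta` and pipes it straight into bash, so the documented command runs whatever that branch contains at install time. Suggest pointing the URL at a tagged release or commit, and stating in the message that the trailing `hydra` argument is what selects the product now that the script lives in the central repository.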
2022-01-12 08:40:33 +01:00
aeneasr 5ca99e5988 docs: update bash install 2022-01-12 08:40:33 +01:00
aeneasr 5a4e11c94d autogen(docs): generate and format documentation 2022-01-11 15:51:54 +00:00
Mart Aarma 7578aa9f3a
feat: Hardware Security Module support (#2625)
This change introduces support for Hardware Security Modules, a physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication, and other cryptographic functions.

If enabled, the Hardware Security Module is used to look up any keys. If no key is found, the software module is used as a fallback for lookup. This allows you to use the HSM for privileged keys, and the software module to manage lifecycle keys (e.g. for Token Exchange).

For more information, please [read the guide](https://www.ory.sh/hydra/docs/next/guides/hsm-support).

Thank you to [aarmam](https://github.com/aarmam) for this great contribution!

Co-authored-by: aeneasr <3372410+aeneasr@users.noreply.github.com>
2022-01-11 16:33:22 +01:00
Matouš Dzivjak 74da7b6b0a feat(docs): opentelemetry tracing 2022-01-11 14:22:11 +01:00
aeneasr b75b20ab4b chore: update docusaurus template
Signed-off-by: aeneasr <aeneasr@users.noreply.github.com>
2022-01-10 08:47:28 +01:00
hackerman c094288572
chore: update docusaurus template (#2922)
Signed-off-by: aeneasr <aeneasr@users.noreply.github.com>

Co-authored-by: aeneasr <aeneasr@users.noreply.github.com>
2022-01-07 15:08:50 +01:00
aeneasr 3236e31d81 autogen(docs): update milestone document 2022-01-07 00:09:50 +00:00
aeneasr b7ecf2c1c3 chore: update docusaurus template
Signed-off-by: aeneasr <aeneasr@users.noreply.github.com>
2022-01-06 11:47:17 +01:00
aeneasr e91e2d1c63 autogen(docs): update milestone document 2022-01-05 00:09:47 +00:00
aeneasr b052084e00 autogen(docs): generate and format documentation 2022-01-04 11:16:32 +00:00
hackerman 6a18f62935
feat: OpenID Connect Dynamic Client Registration and OAuth2 Dynamic Client Registration Protocol (#2909)
This feature adds first-class support for two IETF RFCs and one OpenID Spec:

- [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html)
- [OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/rfc7591)
- [OAuth 2.0 Dynamic Client Registration Management Protocol](https://tools.ietf.org/html/rfc7592)

To enable this feature, which is disabled by default, set

```yaml
oidc:
  dynamic_client_registration:
    enabled: true
```

in your Ory Hydra configuration. Once enabled, endpoints `POST`, `GET`, `PUT`, and `DELETE` for `/connect/register` will be available at the public port!

Closes #2568
Closes #2549

BREAKING CHANGES: Endpoint `PUT /clients` now returns a 404 error when the OAuth2 Client to be updated does not exist. It returned 401 previously. This change requires you to run SQL migrations!

Co-authored-by: fjviera <javier.viera@mindcurv.com>
2022-01-04 12:54:32 +02:00
aeneasr ecb841c301 autogen(docs): update milestone document 2022-01-04 00:09:24 +00:00
aeneasr e03a1fedcc autogen(docs): update milestone document 2022-01-03 00:09:47 +00:00
aeneasr e10309c3a3 autogen(docs): update milestone document 2021-12-30 00:09:25 +00:00
aeneasr 72837a10e5 autogen(docs): update milestone document 2021-12-27 00:10:29 +00:00
aeneasr 9a4d04e33b autogen(docs): generate cli docs 2021-12-26 18:28:11 +00:00
Vladimir Kalugin 858f2cf362
feat: support for urn:ietf:params:oauth:grant-type:jwt-bearer grant type RFC 7523 (#2384)
This change adds support for JSON Web Token (JWT) Profile for OAuth 2.0 Authorization Grants (RFC7523).
Users of Ory Hydra will be able to grant permission for OAuth 2.0 Client to act on behalf of some Resource Owner using JWT Bearer Assertions.

For more information about this feature, please head over to the documentation: https://www.ory.sh/hydra/docs/next/guides/oauth2-grant-type-jwt-bearer

Closes #2229

BREAKING CHANGES: Please notice that this change requires SQL migrations to be applied! As always, please make a backup before applying them!

Co-authored-by: aeneasr <3372410+aeneasr@users.noreply.github.com>
Co-authored-by: Jagoba Gascón <jagoba@arima.eu>
Co-authored-by: Gajewski Dmitriy <dmit8815@gmail.com>
2021-12-26 20:15:53 +02:00
aeneasr 21b470dce2 chore: update repository templates
[skip ci] - updated repository templates to efda325028
2021-12-06 16:46:44 +00:00
aeneasr c8eb2e265c chore: update repository templates
[skip ci] - updated repository templates to 57d31bfbd5
2021-11-26 08:23:41 +00:00
Mitar 33d75d791d
fix: error handling in persister (#2860)
Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>
2021-11-22 12:06:42 +01:00
hackerman ebe46983a5
chore: update docusaurus template (#2846)
Signed-off-by: aeneasr <aeneasr@users.noreply.github.com>

Co-authored-by: aeneasr <aeneasr@users.noreply.github.com>
2021-11-09 12:35:52 +01:00
Yuki Hirasawa 38cbcc02a0
feat: add shellcheck to circleci (#2835)
Closes #2832
2021-11-09 09:26:50 +01:00
wanderer163 49b582c5b3
docs: fix grammar issues and typos (#2830)
Co-authored-by: aeneasr <3372410+aeneasr@users.noreply.github.com>
2021-11-09 09:24:32 +01:00
hackerman d68736627e
chore: update docusaurus template (#2838)
Signed-off-by: aeneasr <aeneasr@users.noreply.github.com>

Co-authored-by: aeneasr <aeneasr@users.noreply.github.com>
2021-11-04 13:17:41 +01:00
Hendrik Heil 45afd0d836
fix: update v1.10 installation instructions for linux (#2799)
The documentation for how to install hydra on linux is still using the old version tags
2021-11-04 11:39:15 +01:00
Amaan Iqbal 50f9dc86fe
chore: document consent requirement for non-https redirect schemes (#2826)
Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>
2021-11-01 19:06:26 +01:00
aeneasr f15f3398bc autogen(docs): generate cli docs 2021-11-01 12:17:42 +00:00