This patch resolves various table growth issues caused by expired/inactive login and consent flows never being purged from the database.
You may now use the new `hydra janitor` command to remove access & refresh tokens and login & consent requests which are no longer valid or used. The command follows the `notAfter` safe-guard approach to ensure records needed to be kept are not deleted.
To learn more, please use `hydra help janitor`.
This patch phases out the `/oauth2/flush` endpoint as the janitor is better suited for background tasks, is easier to run in a targeted fashion (e.g. as a singleton job), and does not cause HTTP timeouts.
Closes#1574
BREAKING CHANGES: After battling with [spf13/viper](https://github.com/spf13/viper) for several years we finally found a viable alternative with [knadh/koanf](https://github.com/knadh/koanf). The complete internal configuration infrastructure has changed, with several highlights:
1. Configuration sourcing works from all sources (file, env, cli flags) with validation against the configuration schema, greatly improving developer experience when changing or updating configuration.
2. Configuration reloading has improved significantly and works flawlessly on Kubernetes.
3. Performance increased dramatically, completely removing the need for a cache layer between the configuration system and ORY Hydra.
4. It is now possible to load several config files using the `--config` flag.
5. Configuration values are now sent to the tracer (e.g. Jaeger) if tracing is enabled.
Please be aware that deprecated configuration flags have finally been removed with this change. It is also possible that ORY Hydra might complain about an invalid configuration, because the validation process has improved significantly.
This patch enables developers to whitelist insecure redirect URLs while using flag `--dangerous-force-http`.
Closes#1021
Signed-off-by: aeneasr <aeneas@ory.sh>
This patch significantly refactors internal configuration and service management with the goal of making configuration changes possible without service restarts. This patch prepares the possibility to configure ORY Hydra from a remote source (etcd, consul) and watch for changes. This patch also introduces the possibility to configure ORY Hydra from a configuration file on top of environment variables.
The following issues have been fixed as well:
- Key rotation of the system secret is now much simpler (closes#1316)
- Database connectivity parameters such as max_conns no longer cause issues with older postgres versions (closes#1327)
- Non-existing routes now return a JSON error instead of `text/plain` when `application/json` was requested (clsoes #1244)
- We now push tags latest, X, X.Y, X.Y.Z to docker hub (closes#1289)
- The quickstart guide no longer builds the source code but instead pulls latest tag (closes#1309)
- We moved to goreleaser and godownloader for release management (closes#1107)
- The quickstart Docker Compose files are now reusable (closes#1196)
The following issues are also resolved:
- Closes#1121
Signed-off-by: aeneasr <aeneas@ory.sh>
This allows the use of strings like "unix:/path/to/socket" as PUBLIC_HOST and/or PRIVATE_HOST.
Signed-off-by: Janis Meybohm <meybohm@traum-ferienwohnungen.de>
This patch adds the ability to whitelist and request an audience
when performing any OAuth 2.0 Flow. The audience is useful in multi-
tenant environments where access tokens should be restricted to certain
resources.
Closes#883Closes#1144
Signed-off-by: arekkas <aeneas@ory.am>
* tracing: add support for tracing interactions with the database
* tracing: add tests for new BackendConnector options
* tracing:
• export connector options and hide hydra specific connector options
• remove config for allowing SQL query args to be included in spans
* tracing: use keyed fields when instantiating TracedBCrypt + helper to determine if Tracing has been configured to DRY up code
* tracing: document the TRACE_ environment variables
* tracing: fixes bug in WithTracing() and adds test coverage
* tracing: add sample tracing configuration in docker-compose
Signed-off-by: Amir Aslaminejad <aslaminejad@gmail.com>
This patch introduces two ports, public and administrative. The public
port is responsible for handling API requests to public endpoints such
as /oauth2/auth, while the administrative port handles requests to
JWK, OAuth 2.0 Client, and Login & Consent endpoints.
Closes#904
Signed-off-by: arekkas <aeneas@ory.am>
This patch adds the (experimental) ability to issue JSON Web Tokens instead of ORY Hydra's opaque access tokens. Please be aware that this feature has had little real-world and unit testing and may not be suitable for production.
Simple integration tests using the JWT strategy have been added to ensure functionality.
To use the new JWT strategy, set environment variable `OAUTH2_ACCESS_TOKEN_STRATEGY` to `jwt`. For example: `export OAUTH2_ACCESS_TOKEN_STRATEGY=jwt`.
Please be aware that we (ORY) do not recommend using the JWT strategy for various reasons. If you can, use the default and recommended "opaque" strategy instead.
Closes#248
Signed-off-by: arekkas <aeneas@ory.am>
Environment variable `OIDC_DYNAMIC_CLIENT_REGISTRATION_DEFAULT_SCOPE` was added in order to better implement the OpenID Connect Dynamic Client Registration protocol. The mentioned protocol does not support the concept of whitelisting OAuth 2.0 Scope on a per-client basis. Therefore, the functionality to define the default OAuth 2.0 Scope has been defined.
Keep in mind that exposing the OpenID Connect Dynamic Client Registration functionality to the public effectively disables the OAuth 2.0 Scope whitelisting functionality, as each caller of that API can define which OAuth 2.0 Scope a client may request.
If you decide to expose that functionality, you should NEVER assume that the granted OAuth 2.0 Scope has any meaning when handling requests at your consent endpoint, or when validating requests with tokens issued by the client_credentials flow.
This patch deprecates the `hydra connect` command as internal
access control has been removed from ORY Hydra and this command
no longer serves any purpose.
Instead, all commands are supplied with environment variables `HYDRA_URL`,
`OAUTH2_CLIENT_ID`, `OAUTH2_CLIENT_SECRET`, `OAUTH2_ACCESS_TOKEN`.
Please check out `hydra help <command>` for usage instructions. You
should also check out the upgrade guide for more detailed upgrade instructions.
This patch also renames some flags and command names which have been
documented in the upgrade guide.
Closes#841Closes#840
Kevin Goslar
aeneasr
Andrew Minkin
Alano Terblanche
nessita
aeneasr
Shankar Dhanasekaran
jayme-github
Amir Aslaminejad
hackerman
arekkas