In order to support OAuth2.1 and some specific integrations that
leverage the `/.well-known/oauth-authorization-server` endpoint, this PR
adds a handler for the specific endpoint. The
`/.well-known/openid-configuration` endpoint already supports all
configuration items that conform to this endpoint as seen here:
https://datatracker.ietf.org/doc/html/rfc8414
This patch introduces the OAuth 2.0 Device Authorization Grant to Ory
Hydra. The OAuth 2.0 device authorization grant is designed for
Internet-connected devices that either lack a browser to perform a
user-agent-based authorization or are input constrained to the extent
that requiring the user to input text in order to authenticate during
the authorization flow is impractical. It enables OAuth clients on such
devices (like smart TVs, media consoles, digital picture frames, and
printers) to obtain user authorization to access protected resources by
using a user agent on a separate device.
The OAuth 2.0 Device Authorization Grant may also become relevant for AI
Agent authentication flows and is generally an amazing step and
innovation for this project.
A very special thanks goes to @nsklikas from
[Canonical](https://canonical.com), @supercairos from
[shadow.tech](https://shadow.tech) and @BuzzBumbleBee.
For more details, please check out the documentation
(https://github.com/ory/docs/pull/2026)
To implement this feature, you will need to implement two additional
screens in your login and consent application. A reference
implementation can be found
[here](99ca6ad544/src/routes/device.ts).
Closes#3851Closes#3252Closes#3230Closes#2416
This is a follow-up to #3932.
This makes several improvements, chiefly restoring backwards
compatibility to Hydra before #3932. We now return both the `challenge`
as well as the `consent_request_id` from our APIs and distinguish
between them clearly.
Closes#3941
This patch improves Ory Hydra's ability to deal with refresh flows which, for example, concurrently refresh the same token. Furthermore, graceful token refresh has been improved to handle a variety of edge cases and scenarios.
Additionally, serializability errors in CockroachDB are now correctly retried.
See https://github.com/ory-corp/cloud/issues/7311
Closes https://github.com/ory/hydra/pull/3895
For the resource owner password grant, the Kratos identity ID is now written to the sub claim, and the username is written to the ext.username claim. Further, token hooks are called for the initial token issuance as well as refresh flows for access tokens issued via the resource owner password grant, allowing users to customize the fields present in the access token (for the jwt strategy) as well as on introspection.
---------
Co-authored-by: Arne Luenser <arne.luenser@ory.sh>
This PR introduces another config option called `oauth2:mirror_top_level_claims` which may be used to disable the mirroring of custom claims into the `ext` claim of the jwt.
This new config option is an opt-in. If unused the behavior remains as-is to ensure backwards compatibility.
Example:
```yaml
oauth2:
allowed_top_level_claims:
- test_claim
mirror_top_level_claims: false # -> this will prevent test_claim to be mirrored within ext
```
Closes https://github.com/ory/hydra/issues/3348
This patch optimizes the performance of authorization code grant flows by minimizing the number of database queries. We acheive this by storing the flow in an AEAD-encoded cookie and AEAD-encoded request parameters for the authentication and consent screens.
BREAKING CHANGE:
* The client that is used as part of the authorization grant flow is stored in the AEAD-encoding. Therefore, running flows will not observe updates to the client after they were started.
* Because the login and consent challenge values now include the AEAD-encoded flow, their size increased to around 1kB for a flow without any metadata (and increases linearly with the amount of metadata). Please adjust your ingress / gateway accordingly.
The access token type (`jwt` or `opaque`) can now be set in the client configuration. The value set here will overwrite the global value for all flows concerning that client.
Patrik
Henning Perl
Philippe Gaultier
hackerman
Jeff Hickman
Jonas Hungershausen
Arne Luenser
Nikos Sklikas
dastein1
Henning Perl
Loïc Mangeonjean
Kevin Goslar
Savvas Mantzouranidis