Commit Graph

174 Commits

Author SHA1 Message Date
ory-bot 106865db8b fix(deps): update dependency prettier to v3.7.4
GitOrigin-RevId: cb8a427821526c5a9a7e330a510072ba85f7c930
2025-12-05 09:28:37 +00:00
Henning Perl eaa9393868 chore: fix golangci-lint issues in Hydra
GitOrigin-RevId: 03eb601af45a17c6e7403f37a13cba79775b44ef
2025-12-04 17:20:45 +00:00
hackerman fbc982ac8a fix: implicit transactions for cockroach v23.5 and simplified migration logic
GitOrigin-RevId: 003ed88700d3eeb853132633d447dd223489e3be
2025-10-29 07:57:24 +00:00
hackerman 4999d20db2 chore: fix all hydra linter issues
GitOrigin-RevId: 75db758dab3afb34587dcfaf40935ee4ea69c7b6
2025-09-29 09:07:24 +00:00
Arne Luenser dde63d87ca fix: hydra CI
GitOrigin-RevId: 6dfadcf84bf4901b8867fd1f0bcfa685a0ac8290
2025-09-08 19:48:24 +00:00
Arne Luenser 061d3fbae4 fix: towards fixing fosite CI
GitOrigin-RevId: b2b15cb088b3cdcfa788920176e92e0e30cc05ba
2025-09-08 17:06:02 +00:00
Arne Luenser e55a1fab89 chore: bump Go everywhere
GitOrigin-RevId: e381f03d1eb905f631c633bfb78d9184435782c8
2025-09-08 14:21:58 +00:00
Henning Perl c9009858dc fix: failing CI in OSS repos
GitOrigin-RevId: 3d1f84b0f0d006971aea9489322b3e0f32a6a7e3
2025-08-22 11:17:04 +00:00
hackerman 6b496e21c3 chore: upgrade crdb to v25.2 everywhere & deflake CI!
GitOrigin-RevId: 5eb5923e0792eea31ddb8ef34d28292c2c9d54f7
2025-08-14 01:02:32 +00:00
Patrik 7840b0e0aa test(hydra): clean up some helpers
GitOrigin-RevId: 2b93dfbc4c27602a6ad053ccd0f25962f600419f
2025-08-08 08:43:37 +00:00
Henning Perl 6581e01679 feat: use vendored ory/x
GitOrigin-RevId: 994f3b754946ca5b2bd1bab0fe20532f5d5ab62f
2025-07-07 07:49:44 +00:00
Patrik cbf14c0b9c fix(changelog-oel): use keyset pagination instead of offset
GitOrigin-RevId: 61645585277edd95914705499afd7211a85983eb
2025-06-27 12:45:44 +00:00
hackerman 96aec6f351 chore: use dedicated ory fork of pop
GitOrigin-RevId: dab6bce5af05a882f8fc81d61c9879f350bf8c05
2025-06-20 11:11:49 +00:00
hackerman 35d5d586aa fix(changelog-oel): cap grace period for refresh token rotation at 30d
GitOrigin-RevId: a8785b2760897612d8b72d62b95622f35ee8ac36
2025-06-18 15:22:12 +00:00
hackerman 0b26e279d8 fix(changelog-oel): replace `returning *` with defined column names
GitOrigin-RevId: 8fa1912556293bba8f9c841ec316da18a52ea61e
2025-06-17 10:15:24 +00:00
Adam Wałach f6720c4e62 fix: update debian version in httpd test image
GitOrigin-RevId: 4251fd1bab4a548b0796790381f4c79930592bc8
2025-06-17 10:15:12 +00:00
hackerman 7f1b9221b7 ci: renew certificates and increase validity days
GitOrigin-RevId: 7ed0a28d04ff4bd531629e9fdd38b5cf74429add
2025-06-04 17:03:18 +00:00
Adam Wałach c6f6ae4258 chore: run oss cypress tests on custom runners
GitOrigin-RevId: 07c7f1e66333487a31d0f390bfa7cff064eeb9e6
2025-06-03 17:47:34 +00:00
Arne Luenser 38efece55b
fix: migrations on CockroachDB v25+ (#3994)
I've added some output to the generated migrations files to make them
easier to recreate, hence the big diff.

These are important:

```
persistence/sql/migrations/20211004110001000000_change_client_primary_key.cockroach.down.sql
persistence/sql/migrations/20211004110001000000_change_client_primary_key.cockroach.up.sql
persistence/sql/migrations/20211004110003000000_change_client_primary_key.cockroach.down.sql
persistence/sql/migrations/20211004110003000000_change_client_primary_key.cockroach.up.sql

persistence/sql/migrations/20211011000001000000_change_jwk_primary_key.cockroach.down.sql
persistence/sql/migrations/20211011000001000000_change_jwk_primary_key.cockroach.up.sql
persistence/sql/migrations/20211011000003000000_change_jwk_primary_key.cockroach.down.sql
persistence/sql/migrations/20211011000003000000_change_jwk_primary_key.cockroach.up.sql

persistence/sql/src/20220210000001_nid/20220210000001000000_nid.cockroach.up.sql
```

Closes #3964 
Supersedes #3993 (thanks @hperl)
2025-05-20 08:56:06 +02:00
Patrik 82ea6a2f9b
chore: replace ThalesIgnite/crypto11 with ThalesGroup/crypto11 (#3966) 2025-03-27 11:55:35 +01:00
Nikos Sklikas 5215d2482a
feat: implement RFC 8628 (#3912)
This patch introduces the OAuth 2.0 Device Authorization Grant to Ory
Hydra. The OAuth 2.0 device authorization grant is designed for
Internet-connected devices that either lack a browser to perform a
user-agent-based authorization or are input constrained to the extent
that requiring the user to input text in order to authenticate during
the authorization flow is impractical. It enables OAuth clients on such
devices (like smart TVs, media consoles, digital picture frames, and
printers) to obtain user authorization to access protected resources by
using a user agent on a separate device.

The OAuth 2.0 Device Authorization Grant may also become relevant for AI
Agent authentication flows and is generally an amazing step and
innovation for this project.

A very special thanks goes to @nsklikas from
[Canonical](https://canonical.com), @supercairos from
[shadow.tech](https://shadow.tech) and @BuzzBumbleBee.

For more details, please check out the documentation
(https://github.com/ory/docs/pull/2026)

To implement this feature, you will need to implement two additional
screens in your login and consent application. A reference
implementation can be found
[here](99ca6ad544/src/routes/device.ts).

Closes #3851
Closes #3252
Closes #3230
Closes #2416
2025-02-26 13:41:41 +01:00
hackerman 8ca6cbd1ab
fix: improve docker set up (#3924)
Improves the docker set up and removes some unused files.

Closes #3914
Closes https://github.com/ory/hydra/issues/3916
Closes https://github.com/ory/hydra/issues/3685
Closes #3683
2025-01-11 13:32:35 +01:00
hackerman 512ba18062 Revert "chore: synchronize workspaces"
This reverts commit 05b1495575.
2025-01-11 13:31:25 +01:00
aeneasr 05b1495575 chore: synchronize workspaces 2025-01-11 13:30:23 +01:00
dependabot[bot] 63736bab13
chore(deps): bump path-to-regexp and express in /test/e2e/oauth2-client (#3901)
Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) to 0.1.12 and updates ancestor dependency [express](https://github.com/expressjs/express). These dependencies need to be updated together.


Updates `path-to-regexp` from 0.1.10 to 0.1.12
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
- [Commits](https://github.com/pillarjs/path-to-regexp/compare/v0.1.10...v0.1.12)

Updates `express` from 4.21.0 to 4.21.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md)
- [Commits](https://github.com/expressjs/express/compare/4.21.0...4.21.2)

---
updated-dependencies:
- dependency-name: path-to-regexp
  dependency-type: indirect
- dependency-name: express
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-12-09 11:10:29 +01:00
hackerman d27882faf1
feat: add migrate sql up|down|status (#3894)
This patch adds the ability to execute down migrations using:

```
hydra migrate sql down -e --steps {num_of_steps}
```

Please read `hydra migrate sql down --help` carefully.

Going forward, please use the following commands

```
hydra migrate sql up ...
hydra migrate sql status ...
```

instead of the previous, now deprecated

```
hydra migrate sql ...
hydra migrate status ...
```

commands.

See https://github.com/ory-corp/cloud/issues/7350
2024-11-27 14:14:13 +01:00
dependabot[bot] fe48d49dd4
chore(deps): bump send and express in /test/e2e/oauth2-client (#3839)
Bumps [send](https://github.com/pillarjs/send) to 0.19.0 and updates ancestor dependency [express](https://github.com/expressjs/express). These dependencies need to be updated together.


Updates `send` from 0.18.0 to 0.19.0
- [Release notes](https://github.com/pillarjs/send/releases)
- [Changelog](https://github.com/pillarjs/send/blob/master/HISTORY.md)
- [Commits](https://github.com/pillarjs/send/compare/0.18.0...0.19.0)

Updates `express` from 4.19.2 to 4.21.0
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.21.0/History.md)
- [Commits](https://github.com/expressjs/express/compare/4.19.2...4.21.0)

---
updated-dependencies:
- dependency-name: send
  dependency-type: indirect
- dependency-name: express
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-16 13:12:33 +02:00
Arne Luenser 93edc9ad89 chore: remove json1 build tag everywhere
This is no longer necessary since SQLite 3.38, and was in fact removed completely in go-sqlite v1.14.13
2024-08-30 12:29:35 +02:00
Arne Luenser cd7e7eff91
feat: upgrade to jackc/pgx/v5 (#3798) 2024-08-29 13:53:03 +00:00
Arne Luenser ffdfb7362a
fix: use docker compose rather than docker-compose (#3815) 2024-08-06 14:57:49 +02:00
beforetech de3c018a18 chore: fix some comments
Signed-off-by: beforetech <mail@before.tech>
2024-08-05 13:23:29 +02:00
Patrik 477abaeb7d
chore: bump dependencies and generate internal SDK aligned with the published SDK (#3807) 2024-07-31 13:26:57 +02:00
dependabot[bot] 2bda9e6c79
chore(deps-dev): bump braces in /test/e2e/oauth2-client (#3788)
Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3.
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/braces/compare/3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: braces
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-10 16:15:17 +02:00
dependabot[bot] 17ec13773d
chore(deps): bump follow-redirects in /test/e2e/oauth2-client (#3739)
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.4 to 1.15.6.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](https://github.com/follow-redirects/follow-redirects/compare/v1.15.4...v1.15.6)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-04 17:48:37 +02:00
dependabot[bot] 4f786c6296
chore(deps): bump express in /test/e2e/oauth2-client (#3750)
Bumps [express](https://github.com/expressjs/express) from 4.18.2 to 4.19.2.
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](https://github.com/expressjs/express/compare/4.18.2...4.19.2)

---
updated-dependencies:
- dependency-name: express
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-27 16:40:00 +01:00
dependabot[bot] 8fff30d4f6
chore(deps): bump jose from 2.0.5 to 2.0.7 in /test/e2e/oauth2-client (#3732)
Bumps [jose](https://github.com/panva/jose) from 2.0.5 to 2.0.7.
- [Release notes](https://github.com/panva/jose/releases)
- [Changelog](https://github.com/panva/jose/blob/v2.0.7/CHANGELOG.md)
- [Commits](https://github.com/panva/jose/compare/v2.0.5...v2.0.7)

---
updated-dependencies:
- dependency-name: jose
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-13 13:23:21 +01:00
dependabot[bot] 18d97936aa
chore(deps): bump follow-redirects in /test/e2e/oauth2-client (#3697)
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.2 to 1.15.4.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](https://github.com/follow-redirects/follow-redirects/compare/v1.15.2...v1.15.4)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-01-30 16:19:17 +01:00
Arne Luenser 24c3be574a
fix: improved SSRF protection (#3669) 2023-11-22 17:32:03 +01:00
Henning Perl 5f41949ad2
feat: remove login session cookie during consent flow (#3667) 2023-11-15 10:05:49 +01:00
dependabot[bot] 9fd59e2b6e
chore(deps): bump semver from 5.7.0 to 5.7.2 in /test/e2e/oauth2-client (#3570)
Bumps [semver](https://github.com/npm/node-semver) from 5.7.0 to 5.7.2.
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/v5.7.2/CHANGELOG.md)
- [Commits](https://github.com/npm/node-semver/compare/v5.7.0...v5.7.2)

---
updated-dependencies:
- dependency-name: semver
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-12 11:06:49 +02:00
Henning Perl f29fe3af97
feat: stateless authorization code flow (#3515)
This patch optimizes the performance of authorization code grant flows by minimizing the number of database queries. We achieve this by storing the flow in an AEAD-encoded cookie and AEAD-encoded request parameters for the authentication and consent screens.

BREAKING CHANGE:

* The client that is used as part of the authorization grant flow is stored in the AEAD-encoding. Therefore, running flows will not observe updates to the client after they were started.
* Because the login and consent challenge values now include the AEAD-encoded flow, their size increased to around 1kB for a flow without any metadata (and increases linearly with the amount of metadata). Please adjust your ingress / gateway accordingly.
2023-06-12 20:27:00 +02:00
Mykhailo Kozii e2b7665c1a
chore: update nodemon version for oauth2 client (#3503) 2023-04-28 07:19:35 -07:00
Henning Perl 4f65365f14
feat: allow skipping consent for trusted clients (#3451)
This adds a new boolean parameter `skip_consent` to the admin APIs of
the OAuth clients. This parameter will be forwarded to the consent app
as `client.skip_consent`.

It is up to the consent app to act on this parameter, but the canonical
implementation accepts the consent on the user's behalf, similar to
when `skip` is set.
2023-03-02 12:47:30 +01:00
Henning Perl 023167d6f7
chore: update tls certs (#3455) 2023-03-01 15:21:49 +01:00
Henning Perl 50bc1b4267
fix: broken OIDC compliance images (#3454) 2023-03-01 11:28:49 +01:00
Arne Luenser f56e5fad74 fix: append /v2 to module path 2023-01-28 08:40:41 +01:00
dependabot[bot] b28bad38d7
chore(deps): bump decode-uri-component in /test/e2e/oauth2-client (#3377)
Bumps [decode-uri-component](https://github.com/SamVerschueren/decode-uri-component) from 0.2.0 to 0.2.2.
- [Release notes](https://github.com/SamVerschueren/decode-uri-component/releases)
- [Commits](https://github.com/SamVerschueren/decode-uri-component/compare/v0.2.0...v0.2.2)

---
updated-dependencies:
- dependency-name: decode-uri-component
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-12-07 14:10:10 +01:00
dependabot[bot] cb23cca04a
chore(deps): bump minimatch in /test/e2e/oauth2-client (#3381)
Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.0.4 to 3.1.2.
- [Release notes](https://github.com/isaacs/minimatch/releases)
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](https://github.com/isaacs/minimatch/compare/v3.0.4...v3.1.2)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-12-07 13:50:39 +01:00
dependabot[bot] 316b582030
chore(deps): bump qs, body-parser and express in /test/e2e/oauth2-client (#3379)
Bumps [qs](https://github.com/ljharb/qs) to 6.11.0 and updates ancestor dependencies [qs](https://github.com/ljharb/qs), [body-parser](https://github.com/expressjs/body-parser) and [express](https://github.com/expressjs/express). These dependencies need to be updated together.


Updates `qs` from 6.7.0 to 6.11.0
- [Release notes](https://github.com/ljharb/qs/releases)
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ljharb/qs/compare/v6.7.0...v6.11.0)

Updates `body-parser` from 1.19.0 to 1.20.1
- [Release notes](https://github.com/expressjs/body-parser/releases)
- [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md)
- [Commits](https://github.com/expressjs/body-parser/compare/1.19.0...1.20.1)

Updates `express` from 4.17.1 to 4.18.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](https://github.com/expressjs/express/compare/4.17.1...4.18.2)

---
updated-dependencies:
- dependency-name: qs
  dependency-type: indirect
- dependency-name: body-parser
  dependency-type: direct:production
- dependency-name: express
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-12-06 17:51:07 +01:00
aeneasr f22046fcee fix: isolate transactions for crdb 2022-11-10 17:15:57 +01:00