<!--
Describe the big picture of your changes here to communicate to the
maintainers why we should accept this pull request.
This text will be included in the changelog. If applicable, include
links to documentation or pieces of code.
If your change includes breaking changes please add a code block
documenting the breaking change:
```
BREAKING CHANGES: This patch changes the behavior of configuration item `foo` to do bar. To keep the existing
behavior please do baz.
```
-->
## Related issue(s)
<!--
If this pull request
1. is a fix for a known bug, link the issue where the bug was reported
in the format of `#1234`;
2. is a fix for a previously unknown bug, explain the bug and how to
reproduce it in this pull request;
3. implements a new feature, link the issue containing the design
document in the format of `#1234`;
4. improves the documentation, no issue reference is required.
Pull requests introducing new features, which do not have a design
document linked are more likely to be rejected and take on average 2-8
weeks longer to
get merged.
You can discuss changes with maintainers either in the Github
Discussions in this repository or
join the [Ory Chat](https://www.ory.sh/chat).
-->
## Checklist
<!--
Put an `x` in the boxes that apply. You can also fill these out after
creating the PR.
Please be aware that pull requests must have all boxes ticked in order
to be merged.
If you're unsure about any of them, don't hesitate to ask. We're here to
help!
-->
- [ ] I have read the [contributing
guidelines](../blob/master/CONTRIBUTING.md).
- [ ] I have referenced an issue containing the design document if my
change
introduces a new feature.
- [ ] I am following the
[contributing code
guidelines](../blob/master/CONTRIBUTING.md#contributing-code).
- [ ] I have read the [security policy](../security/policy).
- [ ] I confirm that this pull request does not address a security
vulnerability. If this pull request addresses a security vulnerability,
I
confirm that I got the approval (please contact
[security@ory.sh](mailto:security@ory.sh)) from the maintainers to push
the changes.
- [ ] I have added tests that prove my fix is effective or that my
feature
works.
- [ ] I have added or changed [the
documentation](https://github.com/ory/docs).
## Further Comments
<!--
If this is a relatively large or complex change, kick off the discussion
by explaining why you chose the solution
you did and what alternatives you considered, etc...
-->
This patch improves Ory Hydra's ability to deal with refresh flows which, for example, concurrently refresh the same token. Furthermore, graceful token refresh has been improved to handle a variety of edge cases and scenarios.
Additionally, serializability errors in CockroachDB are now correctly retried.
See https://github.com/ory-corp/cloud/issues/7311
Closes https://github.com/ory/hydra/pull/3895
This patch changes the primary key of the `hydra_client` table. We do not expect issues, as that table is probably not overly huge in any deployment. We do however highly recommend to test the migration performance on a staging environment with a similar database setup.
This adds a new boolean parameter `skip_consent` to the admin APIs of
the OAuth clients. This parameter will be forwarded to the consent app
as `client.skip_consent`.
It is up to the consent app to act on this parameter, but the canonical
implementation accepts the consent on the user's behalf, similar to
when `skip` is set.
BREAKING CHANGE: This release updates SDK services from `public` and `admin` to `v2`. Methods exposed at the admin interface are now prefixed with `admin` (e.g. `adminCreateOAuth2Client`). Administrative endpoints now have an `/admin` prefix (e.g. `POST /admin/clients`). Existing administrative endpoints will redirect to this new prefixed path for backwards compatibility.
BREAKING CHANGE: To improve security and scalability (in particular sharding), OAuth 2.0 Client IDs can no longer be chosen but are always assigned a random generated UUID V4. OAuth 2.0 Clients created with custom IDs before the v2.0 release will continue working with their legacy Client ID in Ory Hydra v2.x.
Additionally, the `hydra create client` command no longer supports flag `--id` and flag `--callbacks` has been renamed to `--redirect-uris`.
Closes#2911
This feature adds first-class support for two IETF RFCs and one OpenID Spec:
- [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html)
- [OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/rfc7591)
- [OAuth 2.0 Dynamic Client Registration Management Protocol](https://tools.ietf.org/html/rfc7592)
To enable this feature, which is disabled by default, set
```yaml
oidc:
dynamic_client_registration:
enabled: true
```
in your Ory Hydra configuration. Once enabled, endpoints `POST`, `GET`, `PUT`, and `DELETE` for `/connect/register` will be available at the public port!
Closes#2568Closes#2549
BREAKING CHANGES: Endpoint `PUT /clients` now returns a 404 error when the OAuth2 Client to be updated does not exist. It returned 401 previously. This change requires you to run SQL migrations!
Co-authored-by: fjviera <javier.viera@mindcurv.com>
Implements a new endpoint `PATCH /clients/{id}` which uses JSON Patch syntax to update an OAuth2 client partially. This removes the need to do `PUT /clients/{id}` with the full OAuth2 Client in the payload.
Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>
BREAKING CHANGES: After battling with [spf13/viper](https://github.com/spf13/viper) for several years we finally found a viable alternative with [knadh/koanf](https://github.com/knadh/koanf). The complete internal configuration infrastructure has changed, with several highlights:
1. Configuration sourcing works from all sources (file, env, cli flags) with validation against the configuration schema, greatly improving developer experience when changing or updating configuration.
2. Configuration reloading has improved significantly and works flawlessly on Kubernetes.
3. Performance increased dramatically, completely removing the need for a cache layer between the configuration system and ORY Hydra.
4. It is now possible to load several config files using the `--config` flag.
5. Configuration values are now sent to the tracer (e.g. Jaeger) if tracing is enabled.
Please be aware that deprecated configuration flags have finally been removed with this change. It is also possible that ORY Hydra might complain about an invalid configuration, because the validation process has improved significantly.
This patch replaces the existing SQL and memory managers with a pop based persister. Existing SQL migrations are compatible as they have been migrated to the new SQL abstraction in version 1.7.x. As a goodie, ORY Hydra now supports SQLite for both in-memory as well as on-disk (useful for development and very small deployments) databases!
Closes#1730
Co-authored-by: aeneasr <aeneas@ory.sh>
Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>
This patch deprecates the previous migration system (sql-migrate) in favor of gobuffalo/fizz. No functional changes have been made.
BREAKING CHANGES: Please run `hydra migrate sql` before applying this release.
This patch significantly refactors internal configuration and service management with the goal of making configuration changes possible without service restarts. This patch prepares the possibility to configure ORY Hydra from a remote source (etcd, consul) and watch for changes. This patch also introduces the possibility to configure ORY Hydra from a configuration file on top of environment variables.
The following issues have been fixed as well:
- Key rotation of the system secret is now much simpler (closes#1316)
- Database connectivity parameters such as max_conns no longer cause issues with older postgres versions (closes#1327)
- Non-existing routes now return a JSON error instead of `text/plain` when `application/json` was requested (clsoes #1244)
- We now push tags latest, X, X.Y, X.Y.Z to docker hub (closes#1289)
- The quickstart guide no longer builds the source code but instead pulls latest tag (closes#1309)
- We moved to goreleaser and godownloader for release management (closes#1107)
- The quickstart Docker Compose files are now reusable (closes#1196)
The following issues are also resolved:
- Closes#1121
Signed-off-by: aeneasr <aeneas@ory.sh>
hackerman
Paul
Henning Perl
Patrik
Henning Perl
Arne Luenser
Kevin Goslar
Ferdynand Naczynski
Grant Zvolsky
Luis Pedrosa
Matt Bonnell
Joshua Obasaju
aeneasr
pike1212
arekkas