Commit Graph

24 Commits

Author SHA1 Message Date
Nikos Sklikas 5215d2482a
feat: implement RFC 8628 (#3912)
This patch introduces the OAuth 2.0 Device Authorization Grant to Ory
Hydra. The OAuth 2.0 device authorization grant is designed for
Internet-connected devices that either lack a browser to perform a
user-agent-based authorization or are input constrained to the extent
that requiring the user to input text in order to authenticate during
the authorization flow is impractical. It enables OAuth clients on such
devices (like smart TVs, media consoles, digital picture frames, and
printers) to obtain user authorization to access protected resources by
using a user agent on a separate device.

The OAuth 2.0 Device Authorization Grant may also become relevant for AI
Agent authentication flows and is generally an amazing step and
innovation for this project.

A very special thanks goes to @nsklikas from
[Canonical](https://canonical.com), @supercairos from
[shadow.tech](https://shadow.tech) and @BuzzBumbleBee.

For more details, please check out the documentation
(https://github.com/ory/docs/pull/2026)

To implement this feature, you will need to implement two additional
screens in your login and consent application. A reference
implementation can be found
[here](99ca6ad544/src/routes/device.ts).

Closes #3851
Closes #3252
Closes #3230
Closes #2416
2025-02-26 13:41:41 +01:00
Arne Luenser 5d8635c943
fix: revoke by consent request ID (#3947)
This is a follow-up to #3932.

This makes several improvements, chiefly restoring backwards
compatibility to Hydra before #3932. We now return both the `challenge`
as well as the `consent_request_id` from our APIs and distinguish
between them clearly.

Closes #3941
2025-02-20 19:41:41 +01:00
Arne Luenser 4a40193f24
feat: revoke token chain by consent challenge ID (#3932)
This change adds the ability to revoke token chains by "consent
challenge ID".

## "Consent sessions"

Each time the user goes through a `GET /oauth2/auth?response_type=code&...` auth code flow, we persist a new
"consent session" to the database.

This is independent of whether the user has previously logged in and/or
granted consent, or whether the user was actively asked to grant consent
by the consent app. A successful journey through the auth code flow
results in a new "consent session".

This consent session is uniquely identified by its "consent challenge
ID". This ID is obtained from the [`GET /admin/oauth2/auth/requests/consent?consent_challenge=...`](https://www.ory.sh/docs/reference/api#tag/oAuth2/operation/getOAuth2ConsentRequest)
API. Note that it is not the same as the `consent_challenge=...` query
parameter!

Any access and refresh tokens obtained from a token exchange following
that particular user journey are bound to that consent session.

We call the totality of all refresh+access tokens derived from a
particular consent session a "token chain".

## Token revocation

Revoking an access token (AT) is simple: send the AT to `/oauth2/revoke`
and it is revoked. If this AT was derived from a refresh token (RT), the
parent RT is not revoked.

Revoking a refresh token (RT) also revokes associated access tokens.

## Revocation by consent challenge ID

During an authorization code flow, save the consent challenge ID into
the access token session data:

```
GET /admin/oauth2/auth/requests/consent?consent_challenge=abcdef
```
Response:
```
{
  "acr": ...,
  "challenge": "G_TIM3XABG14UwIgDoT1DRfipjhC1uix" # <- this is the ID we need
  ...
}
```

Accept the consent request:
```
PUT /admin/oauth2/auth/requests/consent/accept?consent_challenge=abcdef
{
  "remember": true,
  "remember_for": 3600,
  "session": {
    "access_token": {
      "ccid": "G_TIM3XABG14UwIgDoT1DRfipjhC1uix"
    }
  },
  ...
}
```

To revoke the token chain associated with this consent challenge ID, use

```
POST admin/oauth2/auth/sessions/consent?consent_challenge_id=G_TIM3XABG14UwIgDoT1DRfipjhC1uix
```
2025-02-11 12:12:12 +01:00
hackerman 7b82361a20
revert: reduce size of verifiers (#3875)
feat: store client in challenge/verified and reduce DB load.
2024-11-05 12:38:22 +01:00
hackerman 0cd00dcb0e
feat: reduce size of verifiers (#3857) 2024-10-12 13:33:30 +02:00
hackerman f83193f908
feat: add expiry and requested times to logout table (#3837) 2024-09-16 16:09:33 +02:00
Jonas Hungershausen 65165e7771
fix: return empty slice if requested_scope or audience is null (#3711) 2024-02-12 11:10:18 +01:00
hackerman 2dc660611f
chore: improve context (#3656) 2024-01-31 09:35:17 +01:00
hackerman 3a764a053a
fix: remove required mark (#3693) 2024-01-05 10:51:16 +01:00
Henning Perl c004fee694
feat: propagate logout to identity provider (#3596)
* feat: propagate logout to identity provider

This commit improves the integration between Hydra and Kratos when logging
out the user.

This adds a new configuration key for configuring a Kratos admin URL.
Additionally, Kratos can send a session ID when accepting a login request.
If a session ID was specified and a Kratos admin URL was configured,
Hydra will disable the corresponding Kratos session through the admin API
if a frontchannel or backchannel logout was triggered.

* fix: add special case for MySQL

* chore: update sdk

* chore: consistent naming

* fix: cleanup persister
2023-08-14 12:39:45 +02:00
Henning Perl 219a7c068f
feat: add support for OIDC VC (#3575)
This adds initial support for issuing verifiable credentials
as specified in https://openid.net/specs/openid-connect-userinfo-vc-1_0.html.

Because the spec is still in draft, public identifiers are
suffixed with `draft_00`.
2023-08-04 10:57:36 +02:00
Henning Perl f29fe3af97
feat: stateless authorization code flow (#3515)
This patch optimizes the performance of authorization code grant flows by minimizing the number of database queries. We achieve this by storing the flow in an AEAD-encoded cookie and AEAD-encoded request parameters for the authentication and consent screens.

BREAKING CHANGE:

* The client that is used as part of the authorization grant flow is stored in the AEAD-encoding. Therefore, running flows will not observe updates to the client after they were started.
* Because the login and consent challenge values now include the AEAD-encoded flow, their size increased to around 1kB for a flow without any metadata (and increases linearly with the amount of metadata). Please adjust your ingress / gateway accordingly.
2023-06-12 20:27:00 +02:00
Serhii Halchenko 751143644d
feat: extend session lifespan on session refresh (#3464)
It is now possible to extend session lifespans when accepting login challenges.

Closes #1690
Closes #1557
Closes #2246
Closes #2848

Co-authored-by: Mart Aarma <mart.aarma@nortal.com>
Co-authored-by: Henning Perl <henning.perl@gmail.com>
Co-authored-by: ory-bot <60093411+ory-bot@users.noreply.github.com>
2023-03-16 11:56:14 +01:00
Arne Luenser f56e5fad74 fix: append /v2 to module path 2023-01-28 08:40:41 +01:00
Kevin Goslar d768cf6580
docs: standardize license headers (#3216) 2022-11-03 10:10:12 -05:00
Kevin Goslar 15cdb885b5
chore: format using Make (#3257) 2022-09-22 15:56:09 -04:00
Grant Zvolsky 53d225a980 refactor: finalize consent SDK methods 2022-09-07 08:10:31 +02:00
aeneasr 4002224439 refactor(client): make OAuth2 Client IDs system-chosen and immutable
BREAKING CHANGE: To improve security and scalability (in particular sharding), OAuth 2.0 Client IDs can no longer be chosen but are always assigned a random generated UUID V4. OAuth 2.0 Clients created with custom IDs before the v2.0 release will continue working with their legacy Client ID in Ory Hydra v2.x.

Additionally, the `hydra create client` command no longer supports flag `--id` and flag `--callbacks` has been renamed to `--redirect-uris`.

Closes #2911
2022-09-07 08:10:31 +02:00
Grant Zvolský 1d9891dcf1 fix: use StringSliceJSONFormat instead of StringSlicePipeDelimiter (#3112)
Closes https://github.com/ory/hydra/issues/2859
2022-09-07 08:10:31 +02:00
Grant Zvolsky 686d59cbca chore: update package locks 2022-09-07 08:10:31 +02:00
Jon Kjennbakken 51a586b0b2 fix: allow retries of unused login & consent requests
Closes #2914
Closes #3085
See #2824
2022-09-07 08:10:31 +02:00
Grant Zvolsky 8e961d0eb3 code review 2022-09-07 08:10:31 +02:00
Grant Zvolsky b7fc2bff53 feat: implement NID 2022-09-07 08:10:31 +02:00
Grant Zvolsky 53862f290c refactor: improve performance and reduce data use of consent persistence layer (#2836)
This patch changes the internal data structure and reduces four (sort of redundant) tables into one. As part of this change, a few new tools have been added:

* Introduce the `hydra sql gen` command and a convenience Make target with autocompletion. The command reads migration templates from a source directory and produces migration files in a target directory. Its main function is to split a single source file into multiple files using split marks.

* Introduce the `hack/db-diff.sh` command to generate database schema diffs at different commits. This script is used to view and review the impact of migrations on the database schema.

BREAKING CHANGES: This patch merges four SQL Tables into a new table, deleting the old tables in the process. The migrations in this patch are expected to be applied offline. Please be aware that *there are no down migrations*, and if something goes wrong, data loss is possible. Always back up your database before applying migrations. For more information, see [Hydra 2.x Migration Guide](https://www.ory.sh/hydra/docs/guides/migrate-v2).

Rows with NULL login_challenge in `hydra_oauth2_consent_request` and corresponding `hydra_oauth2_consent_request_handled` are deleted as a side effect of the merge migration. This is done with the assumption that only a very small number of sessions, issued by pre-1.0 Hydra, will be affected. Please contact us if this assumption doesn't apply or if the deletion adversely affects your deployment.

Signed-off-by: Grant Zvolsky <grant@zvolsky.org>
2022-09-07 08:10:31 +02:00