In order to support OAuth2.1 and some specific integrations that
leverage the `/.well-known/oauth-authorization-server` endpoint, this PR
adds a handler for the specific endpoint. The
`/.well-known/openid-configuration` endpoint already supports all
configuration items that conform to this endpoint as seen here:
https://datatracker.ietf.org/doc/html/rfc8414
This patch introduces the OAuth 2.0 Device Authorization Grant to Ory
Hydra. The OAuth 2.0 device authorization grant is designed for
Internet-connected devices that either lack a browser to perform a
user-agent-based authorization or are input constrained to the extent
that requiring the user to input text in order to authenticate during
the authorization flow is impractical. It enables OAuth clients on such
devices (like smart TVs, media consoles, digital picture frames, and
printers) to obtain user authorization to access protected resources by
using a user agent on a separate device.
The OAuth 2.0 Device Authorization Grant may also become relevant for AI
Agent authentication flows and is generally an amazing step and
innovation for this project.
A very special thanks goes to @nsklikas from
[Canonical](https://canonical.com), @supercairos from
[shadow.tech](https://shadow.tech) and @BuzzBumbleBee.
For more details, please check out the documentation
(https://github.com/ory/docs/pull/2026)
To implement this feature, you will need to implement two additional
screens in your login and consent application. A reference
implementation can be found
[here](99ca6ad544/src/routes/device.ts).
Closes#3851Closes#3252Closes#3230Closes#2416
This is a follow-up to #3932.
This makes several improvements, chiefly restoring backwards
compatibility to Hydra before #3932. We now return both the `challenge`
as well as the `consent_request_id` from our APIs and distinguish
between them clearly.
Closes#3941
This patch improves Ory Hydra's ability to deal with refresh flows which, for example, concurrently refresh the same token. Furthermore, graceful token refresh has been improved to handle a variety of edge cases and scenarios.
Additionally, serializability errors in CockroachDB are now correctly retried.
See https://github.com/ory-corp/cloud/issues/7311
Closes https://github.com/ory/hydra/pull/3895
For the resource owner password grant, the Kratos identity ID is now written to the sub claim, and the username is written to the ext.username claim. Further, token hooks are called for the initial token issuance as well as refresh flows for access tokens issued via the resource owner password grant, allowing users to customize the fields present in the access token (for the jwt strategy) as well as on introspection.
---------
Co-authored-by: Arne Luenser <arne.luenser@ory.sh>
This PR introduces another config option called `oauth2:mirror_top_level_claims` which may be used to disable the mirroring of custom claims into the `ext` claim of the jwt.
This new config option is an opt-in. If unused the behavior remains as-is to ensure backwards compatibility.
Example:
```yaml
oauth2:
allowed_top_level_claims:
- test_claim
mirror_top_level_claims: false # -> this will prevent test_claim to be mirrored within ext
```
Closes https://github.com/ory/hydra/issues/3348
This patch optimizes the performance of authorization code grant flows by minimizing the number of database queries. We acheive this by storing the flow in an AEAD-encoded cookie and AEAD-encoded request parameters for the authentication and consent screens.
BREAKING CHANGE:
* The client that is used as part of the authorization grant flow is stored in the AEAD-encoding. Therefore, running flows will not observe updates to the client after they were started.
* Because the login and consent challenge values now include the AEAD-encoded flow, their size increased to around 1kB for a flow without any metadata (and increases linearly with the amount of metadata). Please adjust your ingress / gateway accordingly.
The access token type (`jwt` or `opaque`) can now be set in the client configuration. The value set here will overwrite the global value for all flows concerning that client.
BREAKING CHANGE: This release updates SDK services from `public` and `admin` to `v2`. Methods exposed at the admin interface are now prefixed with `admin` (e.g. `adminCreateOAuth2Client`). Administrative endpoints now have an `/admin` prefix (e.g. `POST /admin/clients`). Existing administrative endpoints will redirect to this new prefixed path for backwards compatibility.
BREAKING CHANGE: The `hydra keys create|delete|get|import` commands have changed to follow other Ory project's guidelines, including structured output and improved handling. They are now:
```
hydra create jwks
hydra get jwks
hydra delete jwks
hydra import jwk
```
Please head over to the documentation for more information or use the `--help` CLI flag for each command.
BREAKING CHANGE: HTTP endpoint `/oauth2/flush`, used to flush inactive access token was deprecated and has been removed. Please use `hydra janitor` instead.
BREAKING CHANGE: To improve security and scalability (in particular sharding), OAuth 2.0 Client IDs can no longer be chosen but are always assigned a random generated UUID V4. OAuth 2.0 Clients created with custom IDs before the v2.0 release will continue working with their legacy Client ID in Ory Hydra v2.x.
Additionally, the `hydra create client` command no longer supports flag `--id` and flag `--callbacks` has been renamed to `--redirect-uris`.
Closes#2911
BREAKING CHANGE: The `iss` (issuer) value no longer appends a trailing slash but instead uses the raw value set in the config.
Setting
```yaml
urls:
self:
issuer: https://auth.example.com
```
has changed
```patch
- "iss": "https://auth.example.com/"
+ "iss": "https://auth.example.com"
```
To set a trailing slash make sure to set it in the config value:
```yaml
urls:
self:
issuer: https://auth.example.com/
```
Closes#1482
BREAKING CHANGE: OAuth2 errors can no longer be returned in the legacy error format. Essentially, fields `error_hint`, `error_debug` have been removed. Option `oauth2.include_legacy_error_fields` has been removed.
Jeff Hickman
Jonas Hungershausen
Arne Luenser
Nikos Sklikas
hackerman
Henning Perl
dastein1
Henning Perl
Loïc Mangeonjean
Kevin Goslar
Savvas Mantzouranidis
Grant Zvolsky