mirror
/
hydra
mirror of https://github.com/ory/hydra
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,044 Commits 131 Branches 234 Tags 228 MiB
Commit Graph

14 Commits

Author SHA1 Message Date
Patrik cc92fea45f
chore: bump dependencies and move tools (#3968) 2025-03-28 12:42:50 +01:00
Nikos Sklikas 5215d2482a
feat: implement RFC 8628 (#3912) 
This patch introduces the OAuth 2.0 Device Authorization Grant to Ory
Hydra. The OAuth 2.0 device authorization grant is designed for
Internet-connected devices that either lack a browser to perform a
user-agent-based authorization or are input constrained to the extent
that requiring the user to input text in order to authenticate during
the authorization flow is impractical. It enables OAuth clients on such
devices (like smart TVs, media consoles, digital picture frames, and
printers) to obtain user authorization to access protected resources by
using a user agent on a separate device.

The OAuth 2.0 Device Authorization Grant may also become relevant for AI
Agent authentication flows and is generally an amazing step and
innovation for this project.

A very special thanks goes to @nsklikas from
[Canonical](https://canonical.com), @supercairos from
[shadow.tech](https://shadow.tech) and @BuzzBumbleBee.

For more details, please check out the documentation
(https://github.com/ory/docs/pull/2026)

To implement this feature, you will need to implement two additional
screens in your login and consent application. A reference
implementation can be found
[here](99ca6ad544/src/routes/device.ts).

Closes #3851
Closes #3252
Closes #3230
Closes #2416
 2025-02-26 13:41:41 +01:00
Arne Luenser a21e945194 fix: only query access tokens by hashed signature 2023-08-08 16:09:06 +02:00
Kevin Goslar d768cf6580
docs: standardize license headers (#3216) 2022-11-03 10:10:12 -05:00
Grant Zvolsky 1f7bf40e4f fix: ConfirmLoginSession, missing FKs; add tests 2022-09-07 08:10:31 +02:00
Grant Zvolsky a2c5e14204 feature: create networks table 2022-09-07 08:10:31 +02:00
Grant Zvolsky 53862f290c refactor: improve performance and reduce data use of consent persistence layer (#2836) 
This patch changes the internal data structure and reduces four (sort of redundant) tables into one. As part of this change, a few new tools have been added:

* Introduce the `hydra sql gen` command and a convenience Make target with autocompletion. The command reads migration templates from a source directory and produces migration files in a target directory. Its main function is to split a single source file into multiple files using split marks.

* Introduce the `hack/db-diff.sh` command to generate database schema diffs at different commits. This script is used to view and review the impact of migrations on the database schema.

BREAKING CHANGES: This patch merges four SQL Tables into a new table, deleting the old tables in the process. The migrations in this patch are expected to be applied offline. Please be aware that *there are no down migrations*, and if something goes wrong, data loss is possible. Always back up your database before applying migrations. For more information, see [Hydra 2.x Migration Guide](https://www.ory.sh/hydra/docs/guides/migrate-v2).

Rows with NULL login_challenge in `hydra_oauth2_consent_request` and corresponding `hydra_oauth2_consent_request_handled` are deleted as a side effect of the merge migration. This is done with the assumption that only a very small number of sessions, issued by pre-1.0 Hydra, will be affected. Please contact us if this assumption doesn't apply or if the deletion adversely affects your deployment.

Signed-off-by: Grant Zvolsky <grant@zvolsky.org>
 2022-09-07 08:10:31 +02:00
aeneasr 42fec62c07 fix: missing imports 2022-01-06 12:36:15 +01:00
aeneasr b284353de6 fix: use pop/v6 2022-01-06 12:36:15 +01:00
Vladimir Kalugin 858f2cf362
feat: support for urn:ietf:params:oauth:grant-type:jwt-bearer grant type RFC 7523 (#2384) 
This change adds support for JSON Web Token (JWT) Profile for OAuth 2.0 Authorization Grants (RFC7523).
Users of Ory Hydra will be able to grant permission for OAuth 2.0 Client to act on behalf of some Resource Owner using JWT Bearer Assertions.

For more information about this feature, please head over to the documentation: https://www.ory.sh/hydra/docs/next/guides/oauth2-grant-type-jwt-bearer

Closes #2229

BREAKING CHANGES: Please notice that this change requires SQL migrations to be applied! As always, please make a backup before applying them!

Co-authored-by: aeneasr <3372410+aeneasr@users.noreply.github.com>
Co-authored-by: Jagoba Gascón <jagoba@arima.eu>
Co-authored-by: Gajewski Dmitriy <dmit8815@gmail.com>
 2021-12-26 20:15:53 +02:00
hackerman 94057d9400
refactor: move migrations to gobuffalo/fizz (#1775) 
This patch deprecates the previous migration system (sql-migrate) in favor of gobuffalo/fizz. No functional changes have been made.

BREAKING CHANGES: Please run `hydra migrate sql` before applying this release.
 2020-04-30 10:58:57 +02:00
Patrik 700d17d3b7
Merge pull request from GHSA-3p3g-vpw6-4w66 
BREAKING CHANGE: This patch requires a new SQL Table which needs to be created using `hydra migrate sql`. No other breaking changes have been introduced by this patch.

This patch introduces a blacklist for JTIs which prevents a potential replay of `private_key_jwt` JWTs when performing client authorization.

## GHSA-3p3g-vpw6-4w66

### Impact

When using client authentication method "private_key_jwt" [1], OpenId specification says the following about assertion `jti`:

> A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties

Hydra does not seem to check the uniqueness of this `jti` value. Here is me sending the same token request twice, hence with the same `jti` assertion, and getting two access tokens:

```
$ curl --insecure --location --request POST 'https://localhost/_/oauth2/token' \
   --header 'Content-Type: application/x-www-form-urlencoded' \
   --data-urlencode 'grant_type=client_credentials' \
   --data-urlencode 'client_id=c001d00d-5ecc-beef-ca4e-b00b1e54a111' \
   --data-urlencode 'scope=application openid' \
   --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
   --data-urlencode 'client_assertion=eyJhb [...] jTw'
{"access_token":"zeG0NoqOtlACl8q5J6A-TIsNegQRRUzqLZaYrQtoBZQ.VR6iUcJQYp3u_j7pwvL7YtPqGhtyQe5OhnBE2KCp5pM","expires_in":3599,"scope":"application openid","token_type":"bearer"}⏎            ~$ curl --insecure --location --request POST 'https://localhost/_/oauth2/token' \
   --header 'Content-Type: application/x-www-form-urlencoded' \
   --data-urlencode 'grant_type=client_credentials' \
   --data-urlencode 'client_id=c001d00d-5ecc-beef-ca4e-b00b1e54a111' \
   --data-urlencode 'scope=application openid' \
   --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
   --data-urlencode 'client_assertion=eyJhb [...] jTw'
{"access_token":"wOYtgCLxLXlELORrwZlmeiqqMQ4kRzV-STU2_Sollas.mwlQGCZWXN7G2IoegUe1P0Vw5iGoKrkOzOaplhMSjm4","expires_in":3599,"scope":"application openid","token_type":"bearer"}
```

### Severity

We rate the severity as medium because the following reasons make it hard to replay tokens without the patch:

- TLS protects against MITM which makes it difficult to intercept valid tokens for replay attacks
- The expiry time of the JWT gives only a short window of opportunity where it could be replayed

### Patches

This will be patched with v1.4.0+oryOS.17

### Workarounds

Two workarounds have been identified:

- Do not allow clients to use `private_key_jwt`
- Use short expiry times for the JWTs

### References

https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

### Upstream

This issue will be resolved in the upstream repository https://github.com/ory/fosite
 2020-04-02 11:35:32 +02:00
hackerman bbeee653de
Implement OpenID Connect Front-/Backchannel logout (#1376) 
Closes #1368 
Closes #1004 
Closes #834

Signed-off-by: aeneasr <aeneas@ory.sh>
 2019-04-25 23:17:57 +02:00
hackerman 95a51deb31
Improve configuration and service management (#1314) 
This patch significantly refactors internal configuration and service management with the goal of making configuration changes possible without service restarts. This patch prepares the possibility to configure ORY Hydra from a remote source (etcd, consul) and watch for changes. This patch also introduces the possibility to configure ORY Hydra from a configuration file on top of environment variables.

The following issues have been fixed as well:

- Key rotation of the system secret is now much simpler (closes #1316)
- Database connectivity parameters such as max_conns no longer cause issues with older postgres versions (closes #1327)
- Non-existing routes now return a JSON error instead of `text/plain` when `application/json` was requested (clsoes #1244)
- We now push tags latest, X, X.Y, X.Y.Z to docker hub (closes #1289)
- The quickstart guide no longer builds the source code but instead pulls latest tag (closes #1309)
- We moved to goreleaser and godownloader for release management (closes #1107)
- The quickstart Docker Compose files are now reusable (closes #1196)

The following issues are also resolved:

- Closes #1121 

Signed-off-by: aeneasr <aeneas@ory.sh>
 2019-04-02 11:52:21 +02:00