CHANGELOG.md

File metadata and controls

2807 lines (2073 loc) · 185 KB

Table of Contents generated with DocToc

Change Log

Full Changelog

Closed issues:

  • Feature request: CockroachDB support #990

v1.0.0-rc.12 (2019-05-10)

Full Changelog

Implemented enhancements:

  • cmd: add the post logout redirect uris flag to the clients create command #1426
  • all: add cockroachdb support #1348 (lopezator)

Closed issues:

  • Invalid namespace on composer.json #1429
  • CORS No 'Access-Control-Allow-Origin' header is present #1421
  • client_secret_basic fails when client_secret is auto-generated #1419

Merged pull requests:

v1.0.0-rc.11 (2019-05-02)

Full Changelog

Fixed bugs:

  • consent: Regression causes login to skip remember on consecutive calls #1409
  • jwk: Remove duplicates from jwks list #1408
  • nil pointer panic on /oauth2/sessions/logout without id token hint #1403

Closed issues:

  • jwk: Remove duplicates from jwks list #1413
  • Help message for migrate sql is unclear regarding source of database URL. #1411
  • Documentation is incorrect for some admin URLs #1410
  • Accept login request 404s #1406
  • Audience is not set on access tokens #1405
  • cors: Apply sane defaults for cors #1400
  • sql: insert/update statements are slow on MySQL 8.0.x #1397

Merged pull requests:

  • consent: Resolve nil pointer panic in logout flow #1418 (aeneasr)
  • cors: Use sane default settings for CORS options #1417 (aeneasr)
  • config: Remove duplicates JWKS IDs from wellknown config #1416 (aeneasr)
  • consent: Do not confirmLoginSession when skip is true (#1414) #1415 (aeneasr)
  • Do not confirmLoginSession when skip is true to prevent remember reset to false #1414 (saadtazi)
  • Fix migrate SQL command message regarding config file. #1412 (dkushner)
  • ttl is a top-level config value #1407 (MDrollette)
  • fix fallback routes and templates #1402 (MDrollette)
  • docs: Add OIDC FC/BC changes to upgrade guide #1401 (aeneasr)

v1.0.0-rc.10 (2019-04-29)

Full Changelog

Implemented enhancements:

  • cmd: Add plans to migrations #1139
  • docker: Investigate adding entrypoint.sh #1108
  • client: Whitelist logout redirect URL per client #1004
  • cmd: Remove notice about BETA in OAUTH2_ACCESS_TOKEN_STRATEGY #946
  • oauth2: Consider implementing OIDC Session Management #834
  • consent: Move to query parameters #1375 (aeneasr)

Closed issues:

  • [Question] What is the correct way to run the hydra token client CLI command? #1396
  • /.well-known/jwks.json output wrong keys #1395
  • test: Add consent revocation to e2e testing #1389
  • go sdk is broken in rc9 #1388
  • CORS for public is disabled? #1387
  • Class naming inconsistent in swagger comment causes swagger-generated SDK to fail to build on a case-sensitive OS. #1384
  • Outdated hydra PHP composer package #1382
  • Add support for ACME TLS Certificates #1378
  • SDK documentation disappeared #1377
  • Access Tokens JWT signed with ID Token key when AccessTokenStrategy is JWT #1371
  • /.well-known/jwks.json only returns OpenIDConnect keys when strategy is JWT #1369
  • Introduce e2e testing using cypress #1368
  • how to get userinfo #1367
  • Unable to test silent refresh in local development #1364
  • Memory leak with jaeger tracing enabled #1363
  • docs: Are refresh tokens introspectable or not? #1250

Merged pull requests:

Full Changelog

Implemented enhancements:

  • consent: Login and consent request challenge should be sent as query parameter #1307
  • oauth2: Support OAuth2 discovery #1127
  • pagination: Add paging to output #1047
  • Allow for insecure redirect URI for development #1021
  • consent: Share session state between login and consent #1003
  • cli: Add retry for broken network #846
  • cmd: Add resilience to CLI REST commands #1359 (aeneasr)

Fixed bugs:

  • Missing /.well-known/jwks.json endpoint #1349

Closed issues:

  • Misuse of http.Header{}.Write(...) #1361
  • Hydra (Linux Container) on Windows docker cannot reach PostgreSQL #1360
  • Migrations have stopped working on tests locally #1357
  • Reenable Config Option #1344
  • OpenID Connect Discovery endpoint is missing revocation_endpoint #1268
  • Error: "Command failed because error occurred: invalid character 'p' after top-level value" on running hydra client create #1244
  • Problem with import path for go-resty and go1.11 modules #1063

Merged pull requests:

Full Changelog

Merged pull requests:

Full Changelog

Implemented enhancements:

  • cmd: Clients list command #1310
  • Empty subject not validated during login/consent #1254
  • consent: Remember logic confuses developers #1165

Fixed bugs:

  • Call to consent accept/reject for a second time gives error #1256
  • Profiling doesn't log any data #1061
  • oauth2: Fix swagger documentation for oauth2/token #1284 (aeneasr)

Closed issues:

  • Rest API Logs user out by deleting the session cookie is not working #1329
  • max_conns and max_idle_conns are not removed from DSN #1327
  • Update docker-compose to v3 #1321
  • Token user container exits after getting the access token for a single login. #1320
  • cmd: Support client secret encryption at stdout #1317
  • jwk: Improve key rotation #1316
  • docker-compose restart value is wrong #1312
  • docs: Improve Quickstart guide #1309
  • Terraform Provider #1304
  • ERROR: Service 'hydra-migrate' failed to build: The command '/bin/sh -c go mod download' returned a non-zero code: 1 #1298
  • Invalid expiration time during introspection the token refresh #1296
  • 504 Timeout when refreshing token #1295
  • Website displays 0 github stars #1292
  • Ambiguous Dockerfile versions #1289
  • flush endpoint throws an error #1288
  • Redirect url is not getting the access token and refresh token when changed. #1287
  • How to store my access token in the browser storage? #1286
  • Consent /reject without error data will always return an invalid_request error #1285
  • Support multi proxies between TLS termination proxy and hydra #1282
  • Is the hydra security console open source? #1281
  • CSRF value not present in session cookie in ory hydra login flow #1280
  • Log readiness and liveness routes in debug log level #1278
  • oAuth calls failing with 404 not found #1276
  • Not Generating other token #1275
  • Help needed for API endpoints #1274
  • CI: cannot install gometalinter at CircleCI #1272
  • CVE-2019-6486 - DoS vulnerability in the crypto/elliptic implementations #1270
  • Website caveat #1269
  • sql: Unable to connect to database URL with special chars in username/password #1266
  • localhost https bug x-forward-proto is back #1265
  • Granted audience not set in OIDC token #1264
  • CI: can't load package github.com/stretchr/testify v1.3.0 #1261
  • Revoking consent session breaks database #1255
  • Deployment on Heroku #1253
  • oauth2: token introspection does not work #1252
  • Support fosite delegated transactions in SQL storage #1247
  • Refresh token does not work properly #1246
  • Error: The "redirect_uri" parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls #1245
  • Feature request: Service account #1221
  • DX: Easily support different workflows by sharing compose configurations #1196
  • cmd: Replace checkDependency with privates & getter/setter #1121
  • Replace gox and ghr with goreleaser #1107

Merged pull requests:

Full Changelog

Fixed bugs:

  • Scope value double-escaping? #1201

Closed issues:

  • sql: Scan error on column index 13, name "login_challenge": unsupported Scan, storing driver.Value type <nil> into type *string #1240
  • Security: bump Golang version to 1.11.3 (CVE-2018-16875) #1238
  • Why is the Ory Hydra Docker image nearly 1GB in size? #1237
  • Feature request: Database migrations without downtime #1236
  • typo in "building from source" #1235

Merged pull requests:

Full Changelog

Implemented enhancements:

  • Keep tests exportable #1204

Closed issues:

  • Running the migrate database does not work properly #1227

Merged pull requests:

v1.0.0-rc.4+oryOS.9 (2018-12-12)

Full Changelog

Implemented enhancements:

  • client: Track when clients are created #1120
  • client: Add created/updated at fields #1207 (aeneasr)

Fixed bugs:

  • Unable to return consent sessions for a user #1203
  • consent: Show all granted consent requests #1206 (aeneasr)

Closed issues:

  • Unable to run migrate when coming from beta.7 (mysql) #1225
  • Migration from beta.9 fails on google cloudsql #1224
  • Service account #1220
  • service account #1219
  • Implement "on behalf of" flow / token exchange #1218
  • Bump github.com/ory/x to v0.0.33 #1213
  • OAuth2 Authorization Endpoint Doesn't Use CORS #1211
  • hydra migrate sql requires superuser privileges #1209
  • Accept consent flow causes a bug when id_token has a field with a UTF-8 value on MySQL 5.7+ #1205
  • Key rotation CLI message is unclear how to use ROTATED_SYSTEM_SECRET #1187

Merged pull requests:

v1.0.0-rc.3+oryOS.9 (2018-12-06)

Full Changelog

Closed issues:

  • PHP-SDK: Composer autoloading broken #1199
  • sql: Unable to run migrations when coming from beta.9 #1185

Merged pull requests:

v1.0.0-rc.2+oryOS.9 (2018-11-21)

Full Changelog

Merged pull requests:

  • sql: Resolve beta.9 -> rc.1 migration issue #1186 (aeneasr)

v1.0.0-rc.1+oryOS.9 (2018-11-21)

Full Changelog

Implemented enhancements:

  • cmd: token user should be able to set up ssl #1147
  • client: Deleting a client should delete all associated data too #1131
  • Use -mod=vendor when building binaries / docker #1112
  • Switch to go mod #1074
  • CORS_ALLOWED_ORIGINS doesn't respect wildcards #1073
  • consent: Add authorize code URL to consent and login response payloads #1046
  • [Feature Request] Update consent tests to match oauth2/client tests #1043
  • cmd/server: Export useful bootstrap function #973
  • sdk: C# language SDK #958
  • Opentracing tracing integration #931
  • consent: Add ability to specify Access Token Audience #883
  • Prepare v1.0.0-rc.1 release #1175 (aeneasr)
  • vendor: Update fosite to 0.27.3 #1164 (aeneasr)
  • sdk: Document userinfo as GET instead of POST #1161 (aeneasr)
  • oauth2: Add audience and improve refresh flow #1156 (aeneasr)
  • cmd: Improve issuer error message #1152 (aeneasr)
  • oauth2: Add OAuth2 audience claim and improve migrations #1145 (aeneasr)
  • Switch to go modules #1077 (aeneasr)
  • cmd: Fix flaky port finder #1076 (aeneasr)
  • rand: Fix flaky random test #1075 (aeneasr)

Fixed bugs:

  • tracing: sql args are added as tags when they should be omitted #1181
  • consent: Require proof of authentication before ending user session #1154
  • oauth2: Audience is potentially not being refreshed #1153
  • Hydra shut down after a race condition #1141
  • oauth2: Tables oidc, code, openid, refresh are missing indices #1140
  • consent: SQL field subject_obfuscated does not have an index #1138
  • Setting up a fresh hydra installation results in panic #1137
  • Copy-paste error in manager_0_sql_migrations_test.go #1135
  • cmd: Error message regarding IssuerURL should contain environment variable name #1133
  • client: Deleting a client should delete all associated data too #1131
  • CORS_ALLOWED_ORIGINS doesn't respect wildcards #1073
  • OpenID configuration endpoint returns wrong registration endpoint #1072
  • OAuth2 Token Revoke call results in 404 Not Found #1070
  • Missing database indices #1067
  • Use PKCE with hybrid flow #1060
  • cmd: Consent timeout is currently hardcoded but environment variable exists #1057
  • ACR claim not being set on id token when requested by login accept request #1032
  • List all consent sessions returns 404 #1031
  • Introspect endpoint reports expiration time for refresh tokens #1025
  • sql: Resolve index/fk regression issues #1178 (aeneasr)
  • Prepare v1.0.0-rc.1 release #1175 (aeneasr)
  • consent: Ignore row count in revoke #1173 (aeneasr)
  • vendor: Upgrade to fosite 0.27.4 #1171 (aeneasr)
  • vendor: Update fosite to 0.27.3 #1164 (aeneasr)
  • consent: Properly propagate acr value #1160 (aeneasr)
  • cmd: Resolve broken wildcard cors #1159 (aeneasr)
  • cmd: Resolve panic in migration handler #1151 (aeneasr)
  • consent: Only fetch latest consent state #1124 (aeneasr)
  • server: Instantiate PKCE after oidc #1123 (aeneasr)
  • cli: Improve migrate error messages #1080 (aeneasr)
  • cmd: Fix flaky port finder #1076 (aeneasr)

Closed issues:

  • Resolve regression issues related to foreign keys #1177
  • DELETE /oauth2/auth/sessions/login/{user} returns 404 #1168
  • How to authenticate with POST /clients endpoint #1148
  • Implementation of user idle timeout #1146
  • Move SQL migrations to files and improve test pipeline #1144
  • cmd: Show error hint in oauth2 error view #1143
  • Login time deteriorates over time #1119
  • Why doesn't hydra-login-consent-go work? Will there be a login provider and consent provider in Go? #1117
  • Intro Blog source code is unreadable #1111
  • consent: ignores extra claims for id and access token #1106
  • Invalid_request while generate the Access token in own OAuth 2.0 server #1104
  • Invalid_request while generate the Access token in own OAuth 2.0 server #1103
  • Document query parameters for /oauth2/auth #1100
  • PHP SDK is not PSR-4 compliant #1099
  • CHALLENGE_TOKEN_LIFESPAN unused #1097
  • Improve follow-up on numerous ORY repos #1093
  • Run your own OAuth 2.0 Server: "Client authentication failed" #1091
  • govet cmd/tooken_user.go: the cancel function returned by context.WithTimeout should be called #1090
  • Enhancement: specify lifespan for refresh_token #1088
  • Add at_hash claim to id_token in code flow. #1085
  • Disable https://api.segment.io POST request #1083
  • Move internal dependencies to ory/x #1081
  • Support Kubernetes Secrets #1079
  • Silent token refresh fails with "The Authorization Server requires End-User consent" #1068
  • Invalid login_challenge #1065
  • sql: Add auto-increment PKs #1059
  • Feature: admin endpoint for deleting expired tokens #1058
  • consent: Send error response if consent or login challenge is expired or invalid #1056
  • consent: Add original request URL to login and consent request payloads #1055
  • Fix flaky random-port generator #1054
  • Fix flaky pseudo-random test #1053
  • API doc: GET /userinfo works but not documented #1049
  • go SDK userInfo response does not support extra claims #1048
  • Issuer url is always followed by / even when defined without #1041
  • missing end_session_endpoint from .well-known doc #1040
  • oryd/hydra:v1.0.0-beta.9 clients api return 404 #1036
  • DELETE login/{user} and DELETE consent/{user} can not redirect to Login page #1035
  • remember in requests/login/{challenge}/accept api cause get same subject always #1034
  • Out of Band OAuth2 Authorization #1033
  • [Cleanup] CORS Settings #1028
  • Key rotation leads to "Could not fetch private signing key for OpenID Connect" #1026

Merged pull requests:

v1.0.0-beta.9 (2018-09-01)

Full Changelog

Implemented enhancements:

  • Duplicate entry error for second consent request #1007
  • cmd: Print version when booting up #987
  • client: client specific CORS settings #957
  • cmd: Add cli helper for importing and exporting environments (clients, policies, keys) #699
  • sql: jsonb support for postgres #516
  • client: filter oauth2 clients by field through REST API #505
  • cmd: Allow SYSTEM_SECRET key rotation #73
  • consent: Forward session and login information #1013 (aeneasr)
  • jwk: Add ability to rotate SYSTEM_SECRET #1012 (aeneasr)
  • vendor: Upgrade sqlcon to 0.0.6 #1008 (aeneasr)
  • cmd: Use viper for cors detection #998 (aeneasr)
  • cmd: Disable CORS by default #997 (aeneasr)
  • cmd: Add version to banner #995 (aeneasr)
  • sdk: Add new methods to SDK interface #994 (aeneasr)

Fixed bugs:

  • Client creation gives incorrect error message #1016
  • oauth2: id_token_hint should work with expired ID tokens #1014
  • cors: Don't automatically auto-allow CORS #996
  • Use ID_TOKEN_LIFESPAN when doing refresh #985
  • MySQL/MariaDB broken on default Debian installations #377
  • cmd: Clarify HYDRA_ADMIN_URL in missing endpoint message #1018 (aeneasr)
  • oauth2: Accept expired JWTs as id_token_hint #1017 (aeneasr)
  • cmd: Disable CORS by default #997 (aeneasr)
  • consent: Populate consent session with default values #989 (aeneasr)

Closed issues:

  • cmd: Replace cors fork with upstream #1010
  • Auth State mismatch. URL Double Encoding #1005
  • Can not remember consent because no user interaction was required with resp['skip'] false #999
  • invalid if condition about SubjectTypesSupport #992
  • sdk: add oauthapi functions to golang interface #991
  • After redirecting from consent -- runtime error: invalid memory address or nil pointer dereference #988

Merged pull requests:

v1.0.0-beta.8 (2018-08-10)

Full Changelog

Implemented enhancements:

  • Allow logging out and deleting a single session cookie #970
  • vendor: Upgrade to MySQL 1.4 driver #965
  • oauth2: abstract oauth2/handler JWT Strategies #960
  • consent: expose a list of all clients authorized by a user #953
  • oauth2: Support for Pairwise Subject Identifier Type #950
  • [Enhancement/Proposal] Update Plugin System #949
  • The JWK api should be able to export .pem #175
  • cmd: Add flags for new client fields in create #939
  • client: Deprecate the public flag #938
  • client: Clarify error message regarding client auth method #936
  • cmd: Add option to specify new oidc parameters in client #935
  • consent: Obtain previously selected scopes #902
  • oauth2: allow issuing of JWT access tokens #248
  • oauth2: Add scope to introspection test suite #941 (aeneasr)
  • consent: Add logout api endpoint #984 (aeneasr)
  • sdk: Upgrade superagent to 3.7.0 #983 (aeneasr)
  • vendor: Upgrade to latest sqlcon #975 (aeneasr)
  • oauth2: Refactor JWT strategy #972 (someone1)
  • oauth2: Removes authorization from introspection #969 (aeneasr)
  • oauth2: Support for Pairwise Subject Identifier Type #966 (aeneasr)
  • cmd: Introduce public and administrative ports #963 (aeneasr)
  • oauth2: Adds JWT Access Token strategy #947 (aeneasr)
  • oauth2: Improve token endpoint authentication error message #942 (aeneasr)

Fixed bugs:

  • client: Improve error messages from managers #976
  • consent: Duplicate row error should return a better error message #880
  • oauth2: error_hint, error_debug are not shared when redirect fails #974
  • oauth2: Introspect response is empty when active is false. #964
  • consent: MemoryManager should return errNoPreviousConsentFound when no previous consent was found #959
  • consent: Auth session should check for pkg.ErrNotFound, not sql.ErrNoRows #944
  • sdk: Add AdminURL and PublicURL to configuration #968 (aeneasr)
  • cmd: Introduce public and administrative ports #963 (aeneasr)
  • consent: Properly identify revoked login sessions #945 (aeneasr)

Closed issues:

  • Refresh token and access token share same lifetime #955
  • Id_token_hint doesn't work as expected #951
  • consent: Check if helper rejects unknown JSON fields #940
  • Unable to specify a custom claim to hydra #937
  • [HTTP API] get /version returns empty #934
  • docs: Add limitations section #839
  • Expose administrative APIs at a different port (e.g. 4445) #904

Merged pull requests:

  • client: Improve memory manager error messages #978 (aeneasr)
  • consent: Add ListUserConsentSessions to OAuth2API interface #977 (clausdenk)
  • docker: Update .dockerignore #967 (aeneasr)
  • cli: fix reporting of expected vs. received status codes #961 (rjw57)
  • all: Introduce database backend interface and update plugin system an… #956 (someone1)
  • Add api endpoint to list all authorized clients by user #954 (kingjan1999)
  • Use spdx expression for license in package.json #952 (kingjan1999)
  • Improve client API compatibility with oidc dynamic discovery #943 (aeneasr)
  • oauth2: Share error details with redirect fallback #982 (aeneasr)
  • cli: Print "active:false" when token is inactive #981 (aeneasr)
  • consent: Return proper error when no consent was found #980 (aeneasr)
  • vendor: Upgrade sqlcon to 0.0.5 #979 (aeneasr)

v1.0.0-beta.7 (2018-07-16)

Full Changelog

Implemented enhancements:

  • Panic when calling oauth2/auth/sessions/consent/{user} or oauth2/auth/sessions/consent/{user}/{client} #928
  • client: Improve handling of legacy id field #927 (aeneasr)

Fixed bugs:

  • Panic when calling oauth2/auth/sessions/consent/{user} or oauth2/auth/sessions/consent/{user}/{client} #928
  • jwk: Auto-remove old keys when upgrading from < beta.7 #925 (aeneasr)

Closed issues:

  • migration 0.11.10 > 1.0: "did you forget to run hydra migrate sql" or forget to set the SYSTEM_SECRET #926
  • ClientID property is ignored when creating a new OAuth2 Client #924
  • The CSRF value from the token does not match the CSRF value from the data store #923
  • Which version is stable? #922
  • JSON Web Key Store default keys broken after upgrading to beta.6 #921

Merged pull requests:

v1.0.0-beta.6 (2018-07-11)

Full Changelog

Implemented enhancements:

  • consent: Add endpoint to revoke authentication and consent sessions #856
  • jwk: improve JWK tests #588
  • cli/clients: allow to import multiple clients with one file #388
  • oauth2: allow token revocation without knowing the token (i.e. per user) #304
  • cmd: CLI should be able to import PEM keys to JWK store #98

Fixed bugs:

  • migration 0.9.x -> 1.0: sector_identifier_uri contains null values #918

Closed issues:

  • Hydra version 0.11.13-alpine breaks CLI #917
  • health: Check if and why the health endpoint returns a HTTPS response #879
  • docs: disallow secrets from docs/tutorials in production mode #573

Merged pull requests:

  • client: Fix sql migration step for oidc #919 (aeneasr)
  • cmd: Allows import of PEM/DER/JSON encoded keys #916 (aeneasr)

v1.0.0-beta.5 (2018-07-07)

Full Changelog

Implemented enhancements:

  • client: Improve and DRY validation in handler #909
  • cmd/server: Die when system secret is in wrong format #817
  • OpenID Connect Certification #689

Fixed bugs:

  • Public and private key pair fetched from store does not match #912
  • 500 error returned on GET /clients/{id} when client doesn't exist #903
  • metrics: Properly handle metrics log messages #833

Closed issues:

  • go get returns error #913
  • Can't create clients using the CLI #911
  • Can hydra be built on Windows? #910
  • Let's improve the docs! #385
  • Add benchmarks to documentation #161

Merged pull requests:

  • consent: Adds ability to revoke consent and login sessions #915 (aeneasr)
  • jwk: Tests for simple equality in JWT strategy #914 (aeneasr)
  • Adds OpenID Connect Dynamic Client Registration #908 (aeneasr)
  • docs: Adds link to examples repository #907 (aeneasr)
  • docs: Removes obsolete issue template #906 (aeneasr)

v0.11.14 (2018-06-15)

Full Changelog

Fixed bugs:

  • Missing commits between v0.11.10 and v0.11.12 #894

v1.0.0-beta.4 (2018-06-13)

Full Changelog

v1.0.0-beta.3 (2018-06-13)

Full Changelog

Implemented enhancements:

  • cmd: Allows reading database from env in migrate sql #898 (aeneasr)

Fixed bugs:

  • oidc_context empty #900
  • consent: Propagates oidc_context to consent request #901 (aeneasr)

Closed issues:

  • cmd: Add flag to allow reading database url in migration command from env #896

Merged pull requests:

v1.0.0-beta.2 (2018-05-29)

Full Changelog

Closed issues:

  • 1.0.0-alpha.1 Release Notes #885

Merged pull requests:

v1.0.0-beta.1 (2018-05-29)

Full Changelog

Implemented enhancements:

  • oauth2: Revoke tokens when performing refreshing grant #889
  • docs: Explicitly document in upgrade guide that hydra is no longer protected by default #888
  • Extend status page to check dependencies. #887
  • oauth2: Revoke previous and future access tokens when revoking a token #884
  • consent: Investigate if prompt=none should be allowed with implicit flows #866
  • consent: Implement login_hint capabilities #860
  • consent: Always remove session if rememberLogin=false #859
  • consent: Resolve broken time out #852
  • oauth2: Support max_age #851
  • consent: Include id_token_hint in oidc context #850
  • health: Document prometheus endpoint #844
  • config: Deprecate ClusterURL, ClientID, ClientSecret #841
  • oauth2: Return token type on token introspection #831
  • oauth2: Support id_token_hint at authorization endpoint #826
  • consent app: Restart consent flow #809
  • oauth2: Allow multiple audience claims on ID token #790
  • client: Add field client_secret_expires_at to create #778
  • all: All JSON output/input should be using _ instead of camelCase #777
  • oauth2: Reject authorization requests for invalid scopes before redirecting to consent endpoint #776
  • oauth2: Improving the consent flow design #772
  • oauth2: Expire consent request on successful consent interaction #771
  • health: Add ability to retrieve version (protected endpoint) #743
  • Deprecate hydra policies create -f #708
  • Disallow unknown JSON fields #707
  • oauth2: Remember authentication and application authorization #697
  • oauth2: Revoke access and refresh tokens when authorization code is used twice #693
  • oauth2: Require consent for OAuth 2.0 public clients #692
  • oauth2: Reintroduce audience claim #687
  • policy: evaluate wildcard matching strategy #580
  • installer: homebrew recipe for macOS users #572
  • Warden group metadata #387
  • policy: search policies by subject and resource #362
  • warden: check against multiple policies #264
  • core: add warden context everywhere #238
  • better and more e2e tests #192
  • Health and test improvements #891 (aeneasr)
  • Resolves various issues related to OAuth2 #890 (aeneasr)
  • Improve oidc conformity #876 (aeneasr)
  • Improves compatibility with OIDC Conformity Tests #873 (aeneasr)
  • sdk: Remove the need for OAuth2 credentials #869 (aeneasr)
  • Minor improvements #868 (aeneasr)
  • consent: Always bust auth session if remember is false #864 (aeneasr)
  • oauth2: Returns token type on introspection #832 (aeneasr)

Fixed bugs:

  • Incorrect CORS-related env vars parsing #886
  • consent: Remove the client secret from consent/login response #878
  • oauth2: ID Token must be returned in both authorize and token response in hybrid flows with response type code #875
  • consent: On first prompt=none after authentication, times mismatch #874
  • oauth2: Reject requests without nonce unless using the code flow #867
  • oauth2: max_age fails if max_age=1 #862
  • oauth2: Figure out why MySQL tests are flaky on CI #861
  • oauth2: Resolve broken prompt parameter #843
  • oauth2: Duplicate requests to /oauth2/token cause 500 #828
  • consent app: Restart consent flow #809
  • Hydra connect fails when the client secret contains "%" #631
  • Health and test improvements #891 (aeneasr)
  • Resolves various issues related to OAuth2 #890 (aeneasr)
  • Improves OpenID Connect Conformity #882 (aeneasr)
  • Improve oidc conformity #876 (aeneasr)
  • cmd: Adds jwt strategy and fixes nil pointer exception #865 (aeneasr)

Closed issues:

  • consent: Authentication session cookie invalidation scenarios #855
  • consent: Investigate if failure during consent should cause session to be revoked #854
  • Please support Type Definition (d.ts) for typescript. #848
  • security: add HttpOnly cookie flag #847
  • cmd: Deprecate hydra connect and replace with per-command flags and environment variables #840
  • REST API /clients limit & offset bug #838
  • Allow configuring consent URL per client #837
  • Duplicate client creation results in 500 #835
  • Error 1406: Data too long for column 'subject' at row 1 #829
  • Does warden groups work with internal Hydra APIs? #823
  • Hydra sdk error hydra.introspectOauth2Token is not a function #822
  • Improve the lint percentage #818
  • docs: Refactor examples / tutorials #810
  • Moving the access control engine to Oathkeeper #807
  • Can you build an identity provider with hydra or not? #789
  • docker: Add image capable of loading policies/clients/jwks from an init.d directory #760
  • Add PUT method for /warden/groups/:id #745
  • Document that the install guide is different from the 5 minute guide #718
  • Prometheus metrics #669
  • docs: Port numbers from docker compose and the lengthy tutorial do not match #653
  • docs: add subject + id mocks in the policy section of the swagger specs for each endpoint #614
  • docs: /warden/allowed do not fully specify security parameters #565
  • docs: explain oauth2 better #356
  • docs: have a "running hydra in production" section #354
  • docs: clarify that the consent app is responsible for implementing full OIDC #353
  • docs: add auth0 seminar to docs #347
  • docs: add bug bounty section to readme #84
  • docs: add passport.js real-world example #83

Merged pull requests:

v0.11.12 (2018-04-08)

Full Changelog

Fixed bugs:

  • sdk: PHP sdk missing from releases #781

Closed issues:

  • Special characters in redirect url #819
  • "Could not fetch signing key for OpenID Connect" #816

Merged pull requests:

v0.11.10 (2018-03-19)

Full Changelog

Closed issues:

  • docs: Link to php sdk README is wrong #811

Merged pull requests:

v0.11.9 (2018-03-10)

Full Changelog

Implemented enhancements:

  • telemetry: Add version and build info as custom dimensions #802
  • docs: Adds redirects for broken guide links #798 (aeneasr)

Fixed bugs:

  • id_token not returned after request at the /oauth2/token endpoint using the refresh_token #794
  • docker: Build time always return time.Now() #792
  • cmd: Resolves an issue with broken build time display #799 (aeneasr)
  • cmd: Adds OpenID Connect refresh handler #797 (aeneasr)

Closed issues:

  • docs: document difference between scopes and policies #590

Merged pull requests:

v0.11.7 (2018-03-03)

Full Changelog

Implemented enhancements:

  • make --skip-newsletter the default #779
  • group: Add pagination to group management #741
  • jwk: Add pagination to jwk lists #740
  • client: Add pagination to client list #739
  • ConsentRequest should use time.Now().UTC() for ExpiresAt. #679
  • sdk: add python sdk #639
  • Importing a client should fail when an unrecognized field is found #357
  • ci: Automatically pushes docs to website #784 (aeneasr)
  • oauth2: Forces UTC in consent strategy #775 (aeneasr)
  • client: Introduces pagination to client management #774 (aeneasr)

Fixed bugs:

  • oauth2: Remove exp and iat from ID token header #787
  • Don't push to coveralls in CI when PR comes from fork #782
  • policy: List tests do not care about offset/limit - fix that #746

Closed issues:

  • A way to skip the consent screen for certain clients (first party) #791
  • Where's the tutorial? #788
  • Feature Request: oauth2/token endpoint json payload option #786
  • docs: Deprecate recovering root access section #756
  • oauth2: Document how to make the well known endpoint public #688
  • oauth2: replace redirect uri exact match with protocol/host/path match #257

Merged pull requests:

v0.11.6 (2018-02-07)

Full Changelog

Implemented enhancements:

  • server: Add default policy for well-known/jwks.json #761
  • cmd: Add newsletter info and sign up #755
  • metrics: Improve metrics endpoint #742
  • oauth2: Add ability to purge old access tokens #738
  • jwk: refactor jwk id generation #589
  • oauth2: Adds support for PKCE (IETF RFC7636) #769 (aeneasr)
  • Forces unique JWK IDs and allows anonymous access to /.well-known/jwks.json #762 (aeneasr)

Fixed bugs:

  • Do not show client secret when client is public in CLI #737
  • oauth2: Client secret error message should be shown on creation #725
  • sdk: Resolves composer license complaint #763 (aeneasr)

Closed issues:

  • docker-compose encountered errors #758
  • AWS Lambda Support? #749
  • cmd/client: Ask for security newsletter sign up when using client side CLI #747
  • oauth2: Add PKCE support #744

Merged pull requests:

v0.11.4 (2018-01-23)

Full Changelog

v0.11.3 (2018-01-23)

Full Changelog

Implemented enhancements:

Closed issues:

  • possible consent session id attack? #753

v0.11.2 (2018-01-22)

Full Changelog

Fixed bugs:

  • client: Returns 404 only when policy allows getting a client #751 (aeneasr)

Merged pull requests:

  • oauth2: Protects consent flow against session fixation #754 (aeneasr)

v0.11.1 (2018-01-18)

Full Changelog

Implemented enhancements:

  • groups: Add ability to list all groups, not just by member #729

Fixed bugs:

Closed issues:

  • Timezone Issue with new consent flow in 0.10? #735
  • policies: change effect type from string to boolean #666
  • cmd: hydra connect --url should work with and without trailing slash #650

Merged pull requests:

  • add a save way to get the ClusterURL and append to it #748 (zepatrik)

v0.11.0 (2018-01-08)

Full Changelog

Implemented enhancements:

  • group: List groups without owner #732
  • Add an alias for offline scope called offline_access #722
  • oauth2: Print debug message to logs and evaluate transmitting it to clients too #715
  • groups: Add ability to list all groups, not just by member #734 (aeneasr)
  • sdk: Adds php registry dummy #733 (aeneasr)
  • oauth2: Prints debug message to logs and evaluate transmitting it to clients too #727 (aeneasr)
  • vendor: Adds offline_access scope alias #724 (aeneasr)

Fixed bugs:

  • health: Should not require x-forwarded-proto #726
  • health: Stop requiring x-forwarded-proto #731 (aeneasr)

Closed issues:

  • variable part in the subject and resource in ladon policy to be filled by request #730
  • Trailing slash redirect strips directories from path #723
  • Resolve broken docker-compose tutorial guide #717
  • Document external dependencies #716

Merged pull requests:

  • docs: Adds documentation on third-party deps #728 (aeneasr)

v0.10.10 (2017-12-16)

Full Changelog

Implemented enhancements:

  • Make scopes in hydra token client command configurable #711
  • cmd: Makes scopes in token command configurable #712 (aeneasr)
  • cmd: Adds a dedicated command for importing policies #709 (aeneasr)

Fixed bugs:

  • Misleading error message when using the SDK #686
  • sdk/go: Resolves incorrect error message #713 (aeneasr)

Closed issues:

  • Docker readme, in case it is lost #719
  • Keep track of version and build hash #706
  • Scope is documented as hydra.groups but should be hydra.warden.groups #702
  • Rename hydra policies create -f to hydra policies import #701

Merged pull requests:

  • docs: Resolves issue with broken 5-minute tutorial #721 (aeneasr)
  • Improves userinfo endpoint #714 (aeneasr)
  • groups: Corrects group scope documentation #710 (aeneasr)

v0.10.9 (2017-12-13)

Full Changelog

Implemented enhancements:

  • Reintroduce alpine based image with shell #703

Merged pull requests:

  • pkg: Fixes returning nil instead of empty array in split #705 (aeneasr)

v0.10.8 (2017-12-12)

Full Changelog

Implemented enhancements:

  • oauth2: Add token_endpoint_auth_methods_supported to openid-configuration #695

Closed issues:

  • docs: Add introspect bc to upgrade #698

Merged pull requests:

  • Reintroduces alpine based docker image #704 (aeneasr)

v0.10.7 (2017-12-09)

Full Changelog

v0.10.6 (2017-12-09)

Full Changelog

Closed issues:

  • oauth2: Write test for userinfo endpoint without token and test for 401 #691

Merged pull requests:

v0.10.5 (2017-12-09)

Full Changelog

Closed issues:

  • oauth2: Support userinfo endpoint #652

v0.10.4 (2017-12-09)

Full Changelog

Merged pull requests:

v0.10.3 (2017-12-08)

Full Changelog

v0.10.2 (2017-12-08)

Full Changelog

v0.10.1 (2017-12-08)

Full Changelog

Implemented enhancements:

  • Open source policy naming guidelines #680

Closed issues:

  • docs: docker --link should be replaced by networks #555

v0.10.0 (2017-12-08)

Full Changelog

Implemented enhancements:

  • docs: Improve release and breaking changes management #675
  • oauth2: Make sub explicit in the database #658
  • oauth2: Add access control to token introspection endpoint #655
  • all: make policy resource and action names configurable #640
  • Subject field #674 (aeneasr)
  • Add changelog #673 (aeneasr)

Fixed bugs:

  • oauth2: Token revocation should check client id before revoking tokens #676
  • cli/policies: removing a policy subject adds the subject Instead #662
  • jwk: Rename ES521 key generation algorithm to ES512 #651
  • oauth2: Fixes clients being able to revoke any token #677 (aeneasr)

Closed issues:

  • Json logging #670
  • swagger: scope pattern requires a space #661
  • docs: Add list of undisclosed adopters with requests ranges to readme #659

Merged pull requests:

v0.10.0-alpha.21 (2017-11-27)

Full Changelog

Closed issues:

  • Add support for CORS #506

Merged pull requests:

  • cli: Fix hydra cli adding policy subjects on subject remove #665 (jamesnicolas)

v0.10.0-alpha.20 (2017-11-26)

Full Changelog

Merged pull requests:

  • cmd: Added cors support to host process #664 (aeneasr)

v0.10.0-alpha.19 (2017-11-26)

Full Changelog

Closed issues:

  • Working with flask-oidc #660
  • Multi stage build process removes the ability to shell into hydra container #657
  • Support ES256 JWK Algo #627
  • oauth2/introspect: skip omitempty in active flag #607
  • oauth2: provide CWT token generation #577

Merged pull requests:

  • vendor: Upgraded ladon and dockertest versions #663 (aeneasr)
  • pkg: Make low entropy RSA key generation explicit in function name #656 (aeneasr)
  • docs: Update hydra versions #649 (aeneasr)

v0.10.0-alpha.18 (2017-11-06)

Full Changelog

v0.10.0-alpha.17 (2017-11-06)

Full Changelog

v0.10.0-alpha.16 (2017-11-06)

Full Changelog

Merged pull requests:

v0.10.0-alpha.15 (2017-11-06)

Full Changelog

Merged pull requests:

v0.10.0-alpha.14 (2017-11-06)

Full Changelog

Fixed bugs:

  • sql/postgres: wherever limit/offset is used, include ORDER BY clause #619
  • oauth2: fix racy memory consent manager with RW mutex #600

Merged pull requests:

  • Fix racy behaviour in oauth2 memory managers #646 (aeneasr)

v0.10.0-alpha.13 (2017-11-06)

Full Changelog

Implemented enhancements:

  • Would it make sense to build hydra statically #374

Merged pull requests:

  • docker: Stop building from source in docker image #645 (aeneasr)

v0.10.0-alpha.11 (2017-11-06)

Full Changelog

v0.10.0-alpha.12 (2017-11-06)

Full Changelog

Closed issues:

  • Add license header to all source files #643
  • warden: remove obsolete http manager #616

Merged pull requests:

v0.10.0-alpha.10 (2017-10-26)

Full Changelog

Implemented enhancements:

  • jwk: use cryptopasta library #629
  • Feature Request: ability to list all groups #594

Closed issues:

  • jwk: add es256 generator to jwk handler in master #634
  • groups: add ability to list all groups to master branch #633
  • travis: run genswag and gensdk before npm publish #610

v0.10.0-alpha.9 (2017-10-25)

Full Changelog

Closed issues:

  • docs: followed the installation guide and was unable to get a successful consent #623
  • tests: run manager tests in parallel #617

Merged pull requests:

v0.9.16 (2017-10-23)

Full Changelog

Closed issues:

  • docs: adding policy to consent app doesn't work as resource using <.*> #621
  • documentation vague regarding returned client_secret #620

Merged pull requests:

  • updated links to apiary as the old ones didn't work #626 (abusaidm)
  • docs: updated hydra version in the tutorial to v0.10.0-alpha.8 and consent app to v0.10.0-alpha.9 #625 (abusaidm)
  • docs: fixed spelling and wording #624 (abusaidm)
  • docs: fix bash command and version used in tutorial #622 (abusaidm)
  • add ability to list all groups #612 (joshuarubin)

v0.10.0-alpha.8 (2017-10-18)

Full Changelog

Closed issues:

  • docs: SDK for Go is actually for Node, fix this typo #615
  • server.injectConsentManager doesn't use ConsentRequestSQLManager even if *config.SQLConnection exists #613

Merged pull requests:

  • cmd/server: SQLConnection should load SQLRequestManager #618 (aeneasr)
  • Clean up helpers and increase test coverage #611 (aeneasr)
  • sdk: format js sdk and remove mock tests #609 (aeneasr)

v0.9.15 (2017-10-11)

Full Changelog

Merged pull requests:

v0.9.14 (2017-10-06)

Full Changelog

v0.10.0-alpha.7 (2017-10-06)

Full Changelog

v0.10.0-alpha.6 (2017-10-05)

Full Changelog

v0.10.0-alpha.5 (2017-10-05)

Full Changelog

v0.10.0-alpha.4 (2017-10-05)

Full Changelog

Merged pull requests:

  • travis: move deploy scripts to its own file #604 (aeneasr)
  • tests: skip cpu intense jwk generation in short mode #603 (aeneasr)

v0.10.0-alpha.3 (2017-10-05)

Full Changelog

v0.10.0-alpha.2 (2017-10-05)

Full Changelog

Implemented enhancements:

  • all: refactor http client endpoint logic #584
  • oauth2: refresh openid connect id token via refresh_token grant #556
  • oauth2: change scope semantics to wildcard #550
  • warden: need endpoint that just introspects tokens #539
  • sdk: client libraries for all languages #249
  • core: enable usage statistics reporting #230
  • core: introduce a way to test for bc breaks in datastore #193

Merged pull requests:

v0.10.0-alpha.1 (2017-10-05)

Full Changelog

Implemented enhancements:

  • oauth2: write test for handling consent deny #597
  • group: add warden tests #591
  • health: remove TLS restriction on health endpoint when termination is set #586

Fixed bugs:

  • cmd: policies delete says Connection <id> deleted instead of Policy <id> deleted #583

Closed issues:

  • oauth2: change meaning of audience claim #595
  • sdk/go: write interfaces for APIs & responses #593

Merged pull requests:

v0.9.13 (2017-09-26)

Full Changelog

Implemented enhancements:

  • RFC: Refactor consent flow #578
  • oauth2: remove scope parameter from introspection request #551
  • "Subject claim can not be empty" error when trying to retrieve ID Token #460

Fixed bugs:

  • cmd: token user no longer uses cluster url #581
  • warden: do not use refresh tokens as proof of authorization #549
  • Fix import path for logrus #477

Closed issues:

  • Support for RFC 7636 #576
  • authorization header in /oauth2/token endpoint is case sensitive #575
  • DATABASE_URL=memory go run main.go host Error #571
  • error on mismatch uris #569
  • Relation "hydra_jwk" does not exist #568
  • Freemium Crap #567
  • Warden API docs do not talk about access_token #564
  • When the client is run through a container, it should pick up configuration from environment #563
  • Docker hub documentation showing up as HTML #562
  • Allow people to configure the Hydra service using a config file. #561
  • Error on go get the project #560
  • Open a Patreon account #558
  • GET /client/:id broken on master #538

Merged pull requests:

v0.9.12 (2017-07-06)

Full Changelog

Implemented enhancements:

  • oauth2: use wildcards for scope strategy #552

Merged pull requests:

v0.9.11 (2017-06-30)

Full Changelog

Merged pull requests:

v0.9.10 (2017-06-29)

Full Changelog

Implemented enhancements:

  • cmd/host: move status info from health endpoint to another one and protect it #532

Fixed bugs:

  • Decode Basic Auth Credentials #536

Closed issues:

  • Cannot try tutorial install, not existing dependencies #541
  • [docker-compose] ERROR: for postgresd expected string or buffer #540

Merged pull requests:

  • vendor: update fosite to remove forced nonce #542 (aeneasr)
  • oauth2: form-urldecode authorization basic header #537 (aeneasr)
  • [DOC] Update "Build from source" section to actual state #534 (dolbik)
  • cmd/host: move status info to dedicated endpoint #533 (aeneasr)

v0.9.9 (2017-06-17)

Full Changelog

Fixed bugs:

  • cmd/policy/create: not exiting on error #527

Merged pull requests:

v0.9.8 (2017-06-17)

Full Changelog

Fixed bugs:

  • Updating policies may cause loss of policy data #503

Closed issues:

  • oauth2: investigate panic #512

Merged pull requests:

  • oauth2: resolve panic with nested at_ext and id_ext #529 (aeneasr)
  • vendor: update to ladon 0.8.0 - closes #503 #528 (aeneasr)

v0.9.7 (2017-06-16)

Full Changelog

Closed issues:

  • Fatal error when running docker container #525

Merged pull requests:

  • cmd/server: supply admin client policy with id #526 (aeneasr)

v0.9.6 (2017-06-15)

Full Changelog

Merged pull requests:

v0.9.5 (2017-06-15)

Full Changelog

Merged pull requests:

v0.9.4 (2017-06-14)

Full Changelog

Merged pull requests:

v0.9.3 (2017-06-14)

Full Changelog

Closed issues:

  • Generating Client ID/Secret in >= 0.8.0 #517
  • Could not gracefully run server #513
  • authorize_code without password #511

Merged pull requests:

v0.9.2 (2017-06-13)

Full Changelog

Merged pull requests:

  • cmd/server: print full error message on http startup #514 (aeneasr)

v0.9.1 (2017-06-12)

Full Changelog

Merged pull requests:

v0.9.0 (2017-06-07)

Full Changelog

Implemented enhancements:

  • cmd/cli: add flag for X-Forwarded-Proto for faking https termination #349
  • metrics: add metrics and telemetry package #500 (aeneasr)

Fixed bugs:

  • warden/group: investigate missing transaction rollback in group manager #462
  • policies: validate conditions and return error instead of silently dropping them #350

Closed issues:

  • Headers should be case-insensitive #496
  • docs: add FAQ on missing migrate in docker image #484
  • docs: include oauth2 example #358
  • warden: allow scopes in policies #330

Merged pull requests:

  • sdk: add simple example of hydra sdk #499 (aeneasr)
  • docs: add FAQ on missing migrate in docker image #498 (aeneasr)
  • vendor: upgrade to ladon 0.7.4 - closes #350 #497 (aeneasr)
  • docs: add scopes to oauth2 #495 (aeneasr)
  • warden/group: add rollback to transactions #494 (aeneasr)

v0.8.7 (2017-06-05)

Full Changelog

Implemented enhancements:

  • oauth2: add possibility for denying consent requests #400
  • oauth2: allow redirection to client if consent was denied #371

Fixed bugs:

  • Introspection endpoint responds with 401 on invalid payload token #457

Closed issues:

  • Allow configuration of DB_HOST, DB_PASS, DB_USER, DB_NAME separately. #480

Merged pull requests:

  • all: implement --fake-tls-termination flag #493 (aeneasr)
  • oauth2/introspect: resolve 401 on invalid token #492 (aeneasr)
  • client/manager_sql: return an empty slice if string is empty #491 (faxal)

v0.8.6 (2017-06-05)

Full Changelog

Implemented enhancements:

  • Assign clients different consent urls #378

Fixed bugs:

  • Creating policies via the CLI does not populate the 'description' field #472
  • Missing "iss" field from /oauth2/introspect response #399
  • client: getting a non-existing client raises 500 instead of 404 #348

Closed issues:

  • Libraries version problem, build break. #481
  • oauth2: update to latest fosite which removed implicit storage #468
  • Unable to set Public flag to false #463
  • oauth2: allow client specific token TTLs #428
  • docs: hint at health check #355
  • Hydra URLs mounted to a subpath #352
  • oidc: hydra as federated user auth for AWS Console/API #315
  • jwk: when retrieving a key, stray request missing a subject 403 #271

Merged pull requests:

  • oauth2/introspect: send issuer in introspection #490 (aeneasr)
  • oauth2: allow redirection to client if consent was denied #489 (aeneasr)
  • docs: add health check to swagger and resolve swagger issues #488 (aeneasr)
  • jwk/handler: nest ac check and resolve stray log message #487 (aeneasr)
  • pkg/errors: make ErrNotFound return a status code #486 (aeneasr)
  • cmd/policies: description is a string field, not slice #485 (aeneasr)
  • Vendor update #483 (aeneasr)
  • vendor: update to latest versions #482 (aeneasr)
  • client/manager: remove merging of stored and updated client #478 (faxal)
  • Fix Swagger for Warden Groups #476 (pbarker)

v0.8.5 (2017-06-01)

Full Changelog

Fixed bugs:

  • max_conns and max_conn_lifetime breaks db.Ping #464
  • cmd/server: resolve gorilla session mem leak - closes #461 #475 (aeneasr)

Closed issues:

  • Container is not Running #474
  • Random periodic crashes #461

Merged pull requests:

v0.8.4 (2017-05-24)

Full Changelog

Closed issues:

  • Kubernetes Helm chart #430

Merged pull requests:

v0.8.3 (2017-05-23)

Full Changelog

Implemented enhancements:

  • http: harden http server for public net #334

Fixed bugs:

  • config: remove sql control parameters from dsn before connecting #465 (aeneasr)

Closed issues:

  • Listing policies not working with database #458
  • go install github.com/ory/hydra Fails to compile #456
  • Challenge claims redirect http instead of https #455
  • core/store: document aes gcm nonce limitation #76

Merged pull requests:

v0.8.2 (2017-05-10)

Full Changelog

Implemented enhancements:

  • Missing kid parameter in ID token header #433
  • no /.well-known/openid-configuration endpoint implementation #379

Merged pull requests:

v0.8.1 (2017-05-08)

Full Changelog

Implemented enhancements:

  • cmd: database migrations should not be run automatically but have a cmd instead #444
  • all: move herodot to ory/herodot #436

Fixed bugs:

  • cmd: token client fails in ci sometimes #443

Closed issues:

  • all: deprecating rethinkdb and redis support #425
  • oauth2: consent anti-csrf token should be forcefully removed #367

v0.8.0 (2017-05-07)

Full Changelog

Closed issues:

  • Refresh token doesn't work #449

Merged pull requests:

v0.7.13 (2017-05-03)

Full Changelog

Implemented enhancements:

  • ui: implement a basic management interface with react for oauth2 client, jwk, social connections and others #215

Fixed bugs:

  • herodot: resolve issue with infinite loop caused by certain error chain #441
  • "Could not fetch signing key for OpenID Connect" #439
  • vendor: upgrade fosite to resolve regression issue #446 (aeneasr)

Closed issues:

  • Peculiar EOF instead of response from the introspect endpoint. #368

Merged pull requests:

v0.7.12 (2017-04-30)

Full Changelog

Fixed bugs:

  • herodot: resolve issue with infinite loop caused by certain error chain #442 (aeneasr)

Closed issues:

  • Freeze dependencies #437

v0.7.11 (2017-04-28)

Full Changelog

Closed issues:

  • Mismatch between library versions #434
  • Data Passthrough to IDP #431
  • Api protection #429
  • Gitter.im or irc channel #426
  • Outdated fosite #424
  • oauth2: resource owner password credentials proposal #214

Merged pull requests:

  • vendor: resolve issues with glide lock file #438 (aeneasr)

v0.7.10 (2017-04-14)

Full Changelog

Closed issues:

  • Build instructions from Readme fail #420
  • API error (500) during tests #419
  • Uname in session #418
  • Resource owner password credentials grant #417
  • ory vs ory-am #414
  • Cockroachdb support #413
  • Small doc error #411
  • Rest API documentation not working #410

Merged pull requests:

v0.7.9 (2017-04-02)

Full Changelog

Closed issues:

  • Flow Using Curl help (token auth) #405
  • Add support to mongodb #401

Merged pull requests:

v0.7.8 (2017-03-24)

Full Changelog

Implemented enhancements:

  • sdk: add consent helper #397
  • Transition Dockerfile to Alpine Linux #393
  • redirect_uri domains are case-sensitive #380
  • Per-client consent URLs #351
  • sdk: add consent helper - closes #397 #398 (aeneasr)
  • docs: add example policy for consent app signing #389 (aeneasr)

Fixed bugs:

  • cli handler_groups type error? #383

Closed issues:

  • oauth2: token introspection fails on HTTP without dangerous-force-http #395
  • Create User based on access token provided by Social Provider #394
  • investigate why import from json fails #390
  • gitter link doesn't work #386
  • Possible security bug in warden/group package #382
  • relation "hydra_client" does not exist (postgres) #381
  • Native login support #375
  • Request denied by default #373

Merged pull requests:

v0.7.7 (2017-02-11)

Full Changelog

v0.7.4 (2017-02-11)

Full Changelog

v0.7.5 (2017-02-11)

Full Changelog

v0.7.6 (2017-02-11)

Full Changelog

Implemented enhancements:

  • sql: limit maximum open connections, document timeout options through DSN #359

Fixed bugs:

  • oauth2: invalid consent response causes panic #369
  • oauth2: resolve issue with cookie store #376 (aeneasr)

Closed issues:

  • Can hydra be easily integrated (embedded) into any golang http application? #372

Merged pull requests:

  • oauth2: invalid consent response causes panic - closes #369 #370 (aeneasr)
  • Resolve issues with SQL maximum open connections #360 (aeneasr)

v0.7.3 (2017-01-22)

Full Changelog

Fixed bugs:

  • policy: investigate potential sql connection leak - closes #363 #365 (aeneasr)

Closed issues:

  • Have Hydra store usernames linked to tokens #364
  • policy: investigate potential sql connection leak #363
  • crypto/bcrypt: hashedPassword is not the hash of the given password #346

Merged pull requests:

v0.7.2 (2017-01-02)

Full Changelog

Fixed bugs:

  • Problems with the authorization code flow #342
  • sql: deleting policies does not delete associated records with mysql driver #326
  • vendor: update to fosite 0.6.11 - closes #338 #343 (aeneasr)

Closed issues:

  • oidc: at_hash / c_hash mismatch #338
  • oidc: SCIM compliance #320

Merged pull requests:

v0.7.1 (2016-12-30)

Full Changelog

v0.7.0 (2016-12-30)

Full Changelog

Implemented enhancements:

  • Implement RemoveSubjectFromPolicy and RemoveResourceFromPolicy #336
  • policy: provide rest endpoint for policy updates #305
  • 0.7.0: SQL Migrate, Groups, Hardening #329 (aeneasr)

Fixed bugs:

Closed issues:

  • Replace # with ? in authentication response #337

v0.6.10 (2016-12-26)

Full Changelog

Implemented enhancements:

  • oauth2/consent: force jti echo in consent response #322
  • include a migration routine for databases #194
  • warden: add group management and group based policy checks #68
  • Improve http-based warden/introspection error responses #335 (aeneasr)

v0.6.9 (2016-12-20)

Full Changelog

Implemented enhancements:

  • cmd: add configuration options for hydra token user #327
  • core: add api key flow #234

Fixed bugs:

  • openid: support response_type=code id_token - closes #332 #333 (aeneasr)

Closed issues:

  • openid: support response_type=code id_token #332
  • Apparent failure on load with ECDSA key #328
  • Why does the hydra GitHub homepage crash when I visit (while scrolling down)? #323
  • JsonWebTokenError: jwt must be provided #321
  • write tests for cmd helpers #186

Merged pull requests:

v0.6.8 (2016-12-06)

Full Changelog

Implemented enhancements:

  • oauth2: http introspector should return well known error #319 (aeneasr)

v0.6.7 (2016-12-04)

Full Changelog

Merged pull requests:

  • all: improve cli and oauth2 error reporting #318 (aeneasr)

v0.6.6 (2016-12-04)

Full Changelog

Implemented enhancements:

  • core: Redis backend #306

Closed issues:

  • oauth2: aud parameter does not allow arrays #314

Merged pull requests:

  • add missing work in docs/oauth2.md #317 (bbigras)
  • docker: --name should be before the image's name #316 (bbigras)

v0.6.5 (2016-11-28)

Full Changelog

Implemented enhancements:

  • store/redis: redis backend for hydra #313 (115100)

v0.6.4 (2016-11-22)

Full Changelog

Implemented enhancements:

  • oauth2/revocation: token revocation fails silently with sql store #312 (aeneasr)

Fixed bugs:

  • oauth2/revocation: token revocation fails silently with sql store #311
  • oauth2/revocation: token revocation fails silently with sql store #312 (aeneasr)

Closed issues:

  • docs: clean up TokenValid leftovers #310

v0.6.3 (2016-11-17)

Full Changelog

Implemented enhancements:

  • Rejection reason code to /warden/token/allowed #308

Fixed bugs:

  • oauth2: resolve issues with token introspection on user tokens #309 (aeneasr)

v0.6.2 (2016-11-05)

Full Changelog

Implemented enhancements:

  • github: comply with Go license terms #300

Merged pull requests:

v0.6.1 (2016-10-26)

Full Changelog

Fixed bugs:

  • MySQL DB not creating on start – JSON column types only supported from MySQL 5.7 and onwards #299
  • 0.6.1 #301 (aeneasr)

Merged pull requests:

v0.6.0 (2016-10-25)

Full Changelog

Implemented enhancements:

  • Make it possible for travis-ci to build forked repos #295
  • core: add sql support #292
  • travis: execute gox build only when new commit is a new tag #285
  • cmd: prettify the hydra token user output #281
  • warden: make it clear that ladon.Request.Subject is not required or break bc and remove it #270
  • connections: remove connections API #265
  • consider signing up for Core Infrastructure Initiative badge #246
  • oauth2: token revocation endpoint #233
  • oauth2/rethinkdb: clear expired access tokens from memory #228
  • 0.6.0 #293 (aeneasr)

Fixed bugs:

  • all: coverage report is missing covered lines of nested packages #296
  • oauth2/introspect: make endpoint rfc7662 compatible #289
  • rethink: figure out how to deal with unreliable changefeed #269
  • oauth2: requests waste a lot of time in fosite storer requestFromRDB() routine #260
  • 0.6.0 #293 (aeneasr)

Closed issues:

  • docs: fix typo in consent.md #294
  • docs/apiary: add at_ext note to warden endpoints #287
  • core/storage: with rethinkdb being closed, what is our path forward? #286
  • docs: warden resource names are wrong on apiary #268
  • Request for Comment: Fair Source License / Business Source License #227
  • core: (health) monitoring endpoint #216
  • add much simpler identity provider and oauth2 consumer example #172
  • 2fa: add two factor authentication helper API #69

Merged pull requests:

  • cmd: fix typo in host command help text #291 (faxal)
  • travis: Only gox build on tags and go1.7 #288 (emilva)
  • docs: improve introduction #267 (aeneasr)

v0.5.8 (2016-10-06)

Full Changelog

Fixed bugs:

  • oauth2: refresh token does not migrate session object to new token #283
  • oauth2: refresh token does not migrate session object to new token #284 (aeneasr)

v0.5.7 (2016-10-04)

Full Changelog

Implemented enhancements:

  • jwk: add use parameter to generated JWKs #279
  • jwk: add use parameter to generated JWKs - closes #279 #280 (aeneasr)

v0.5.6 (2016-10-03)

Full Changelog

Implemented enhancements:

  • oauth2: scopes should be separated by %20 and not +, to ensure javascript compatibility #278 (aeneasr)

Fixed bugs:

  • cmd: hydra help host profiling typo #274
  • cmd: hydra help host typos #272

Closed issues:

  • Scopes should be separated by %20 and not +, to ensure javascript compatibility #277

Merged pull requests:

  • cmd: fix #272 typos in the host command controls #276 (cixtor)
  • Fix #274 - replace HYDRA_PROFILING with PROFILING #275 (otremblay)

v0.5.5 (2016-09-29)

Full Changelog

v0.5.4 (2016-09-29)

Full Changelog

v0.5.3 (2016-09-29)

Full Changelog

Implemented enhancements:

  • docker: add http-only dockerfile and upgrade to go 1.7 base image #273 (aeneasr)

Fixed bugs:

  • investigate if and why slow rethinkdb connection causes client root to be recreated #191

Closed issues:

  • Consider extract Go SDK package into separate repository #266
  • Showcase: How and where are you using Hydra? #115

v0.5.2 (2016-09-23)

Full Changelog

v0.5.0 (2016-09-22)

Full Changelog

v0.5.1 (2016-09-22)

Full Changelog

Implemented enhancements:

  • oauth2: include original request query parameters in the consent challenge #256
  • Need a better health check for a load balancer #251
  • client: add ability to update client #250
  • oauth2: allow access token validation for public clients #245
  • all: improve error messages regarding token validation #244
  • all: resolve naming inconsistencies in jwk set names used in hydra #239
  • sdk: resolve naming inconsistencies #226
  • oidc: support kid hint in header #222
  • 0.5.0-errors #263 (aeneasr)
  • 0.5.0 #243 (aeneasr)

Fixed bugs:

  • When invalid/expired token is used for /warden/allowed endpoint, status 500 is returned #262
  • docs: fix images in readme #261
  • Bad HTML encoding of the scope parameter #259
  • docs: images are broken #258
  • oauth2: id token hashes are not base64 url encoded #255
  • oauth2: state parameter is missing when response_type=id_token #254
  • jwk: anonymous request can't read public keys #253
  • travis: ld flags are wrong #242
  • cmd: hydra token user should show id token in browser #224
  • oidc: hybrid flow using token+code+id_token returns multiple tokens of the same type #223
  • hydra clients import doesn't print client's secret #221
  • 0.5.0-errors #263 (aeneasr)
  • 0.5.0 #243 (aeneasr)

Closed issues:

  • core: document hard-wired JWK sets #247
  • managing client definitions #197

Merged pull requests:

v0.4.2-alpha.4 (2016-09-03)

Full Changelog

v0.4.2 (2016-09-03)

Full Changelog

v0.4.3 (2016-09-03)

Full Changelog

v0.4.2-alpha.3 (2016-09-02)

Full Changelog

v0.4.2-alpha.2 (2016-09-01)

Full Changelog

v0.4.2-alpha.1 (2016-09-01)

Full Changelog

0.4.2-alpha (2016-09-01)

Full Changelog

Implemented enhancements:

  • Add version option to Hydra's CLI #218
  • autobuild #240 (aeneasr)
  • Update jwt-go and resolve warden regression issue #232 (aeneasr)

Fixed bugs:

  • warden: firewall.Audience overridden with requesting clients subject #236 (faxal)
  • Update jwt-go and resolve warden regression issue #232 (aeneasr)

Closed issues:

  • how to use hydra without "--dangerous-auto-logon"? #241
  • warden: firewall.Audience overridden with requesting clients subject #237
  • Vendor: Upgrade to jwt-go 3.0.0 #229
  • docs: warden sdk example is misleading #225
  • Typo in the apiary documentation #220
  • Importing clients with the CLI doesn't work #219
  • doc: add "what is hydra not?" section to readme #217
  • figure out a process to autobuild releases #210

Merged pull requests:

v0.4.1 (2016-08-18)

Full Changelog

Fixed bugs:

  • error bad request when running tutorial #211
  • cmd: resolve issue with token user flow #212 (aeneasr)

v0.4.0 (2016-08-17)

Full Changelog

Implemented enhancements:

Fixed bugs:

Closed issues:

  • docs/guide: warden docs are outdated #206
  • fix sdk examples in readme #196
  • add tests for clients import #163
  • remove go get -t ./... from travis #71

v0.3.1 (2016-08-17)

Full Changelog

Implemented enhancements:

  • oauth2: introspection should return custom session values #205
  • warden: move IntrospectToken from warden sdk to oauth2 #201
  • warden: rename InspectToken to IntrospectToken #200

Fixed bugs:

  • AccessTokens get overridden during startup of hydra #207
  • warden: IntrospectToken always throws an error on Hydra logs #199
  • resolve issue with at extra data #198
  • Fix 207 #208 (aeneasr)

v0.3.0 (2016-08-09)

Full Changelog

Implemented enhancements:

Fixed bugs:

v0.2.0 (2016-08-09)

Full Changelog

Implemented enhancements:

  • warden sdk should not make distinction between token and request #190
  • core scope should not be mandatory #189
  • id token claims should be set by consent challenge id_token claim #188
  • provide default consent endpoint in hydra #185
  • make bcrypt cost configurable #184
  • make lifespans configurable #183
  • improve env to config #182
  • add memory profiling and cpu profiling #179
  • add basic http request logging #178
  • support edge tls termination #177
  • Make client HTTPManager not compatible with fosite.Storage #173
  • clean up stale branches #171
  • improve hydra connect dialogue #170
  • investigate if token creation can be sped up #168
  • consent: allow proxying of id token claims #167
  • warden: rename authorized / allowed endpoints to something more meaningful #162
  • warden: rename assertion to token #158
  • Implement strict mode for warden #156
  • Implement token introspection endpoint #155
  • Don't log database credentials #147
  • OpenID Connect Session Management #143
  • [Feature request] Import clients on startup #140
  • Warden for anonymous users #139
  • oauth2/consent: id token expiry should be configurable #127
  • warden: endpoint should only require valid client, not policy based access control #121
  • Improve error message of wrong system secret #104
  • warden: rename authorized / allowed endpoints to something more meaningful #187 (aeneasr)
  • 0.2.0 #165 (aeneasr)
  • all: add test cases for methods returning slices or maps of entities #152 (aeneasr)
  • Resolve rethinkdb connection when idle #148 (aeneasr)
  • all: resolve issues with the sdk and cli #142 (aeneasr)
  • cli: add token validation #134 (aeneasr)
  • Add wrapper library for HTTP Managers #130 (faxal)

Fixed bugs:

  • investigate runtime panic on warden allowed #181
  • oauth2 implicit flow should allow custom protocols #180
  • support edge tls termination #177
  • Token generation should be always consistent, not eventually consistent #176
  • consent: allow proxying of id token claims #167
  • config: do not store database config in hydra config #164
  • OAuth2 token endpoint does not allow GET method but reads query parameters #160
  • OAuth2 token endpoint should be able to handle simple form encoded requests #159
  • --dry option does not work correctly #157
  • client.GetClients() returns invalid information #150
  • RethinkDB connection dies after a certain amount of inactive time #146
  • Fails to startup when a SSO connection is added. #141
  • id_token: at_hash / c_hash is null #129
  • oauth2: some scopes are included twice #126
  • warden: iat / exp values are not being set #125
  • investigate missing scopes issue #124
  • rethinkdb: resolve an issue where missing refresh tokens cause duplicate key error #122
  • 0.2.0 #165 (aeneasr)
  • ensure client endpoint is initialised for CLI "clients import" command #149 (boyvinall)
  • Resolve rethinkdb connection when idle #148 (aeneasr)
  • all: resolve issues with the sdk and cli #142 (aeneasr)
  • Resolve warden issues #128 (aeneasr)
  • Various bugfixes #123 (aeneasr)

Closed issues:

  • Error trying to create a token via curl #174
  • gorethink: could not decode type []uint8 into Go value of type string #169
  • document warden interface sdk #166
  • Document what OpenID Connect is and how to use it #154
  • Warden endpoints #137
  • Environment variables naming scheme #136
  • Implicit Flow redirect_uri does not match #133
  • hydra 2FA on cloud providers #132
  • Document HTTP client libraries for go #101
  • Document error redirect to identity provider #96
  • use dropbox example to explain oauth2 #95

0.1-beta.4 (2016-06-26)

Full Changelog

Implemented enhancements:

  • Connect to rethinkdb over SSL with self-signed certificate #114

Fixed bugs:

  • clients endpoint returns client secret base64 encoded #119
  • firewall 403s on warden endpoints #118
  • Client secrets should not be hashed when POSTing #113
  • Resolve issues with warden and client api #120 (aeneasr)
  • client: return client secret on POST and remove it from GET #117 (aeneasr)

0.1-beta.3 (2016-06-20)

Full Changelog

Implemented enhancements:

  • docker: remove wait time on boot and use restart unless-stopped option #105 (aeneasr)

Fixed bugs:

  • Warden handlers are not mounted #109

Closed issues:

  • Installation fails #108
  • Exchange token from browser client #107
  • Temporary Client not working #106
  • Could not fetch initial state with docker-compose #103

Merged pull requests:

  • all: update jwt-go to versioned package and update dependencies #111 (aeneasr)
  • Mount warden handler #110 (faxal)

0.1-beta.2 (2016-06-14)

Full Changelog

Implemented enhancements:

  • CLI should have -dry option to show what the HTTP request looks like #99
  • Add offline scope for refresh tokens #97
  • extend jwk cert store #92
  • Creating clients with predefined credentials #91
  • Passing key and certificate to hydra #88
  • AES-GCM key should be sha256(secret)[:32] #86
  • Update GoRethink imports #78
  • link exemplary policies in the docs #75
  • support SAML in addition to OAuth2 #29
  • 0.1-beta2 #90 (aeneasr)
  • vendor: switch to versioned gorethink api #81 (aeneasr)

Fixed bugs:

  • fix issue where tls certificate is regenerated on boot #93
  • typo: singing instead of signing #89
  • 404 in the gitbook #85
  • Update GoRethink imports #78
  • client: resolved that secrets can not be set when using http or cli #102 (aeneasr)

Closed issues:

  • document security architecture #82
  • go install fails #77
  • Security audit based on rfc6819 #42

0.1-beta1 (2016-05-29)

Implemented enhancements:

  • client rest endpoint: rename name to client_name #72
  • allow using not self-signed TLS certificates #70
  • Implement OpenID Connect Dynamic Client Registration 1.0 #65
  • Implement default identity provider using postgres #63
  • Implement generic connectors #61
  • Replace osin with ory-am/fosite #46
  • Remove dockertest dependency from handlers #43
  • adding RethinkDB as a Store #39
  • Add more IdPs #33
  • Make JWT as access tokens optional and replace with a custom strategy #32
  • support for ldap for user storage #28
  • Migrate from mux to httprouter #14
  • Decompositioning, implement Fosite #62 (aeneasr)

Fixed bugs:

  • spec: /jwk/:set/:kid must return array #74
  • client rest endpoint: rename name to client_name #72
  • Too many open files probably caused by http client #47

Closed issues:

  • Add Dockerfile for autobuild #60
  • CLI refactor and initial account set up #59
  • ory-am ssl cert invalid #58
  • Granted Endpoint Proposal: Performant access decisions for resource providers using REST #48
  • Security "audit" pre-analysis (based on rfc6749) #41
  • wrong repo #40
  • Rename providers to connectors #38
  • Are there standards for connecting to third party providers #37
  • Add support for scopes #36
  • Readme: Accounts CLI Usage #31
  • Continue using JWT as access tokens? #22
  • remove refresh token claims #21
  • godeps should only be commited on release #19
  • refactor POST workflow #13
  • JWT assertions #5
  • Check JWT Algorithm #3

* This Change Log was automatically generated by github_changelog_generator