Tags: bludash/hydra

v1.9.0-alpha.3

We are excited to present the next big step towards ORY Hydra 1.9! In this release we completely refactored the configuration internals and moved from [spf13/viper](https://github.com/spf13/viper) to [knadh/koanf](https://github.com/knadh/koanf):

1. Configuration sourcing works from all sources (file, env, cli flags) with validation against the configuration schema, greatly improving the developer experience when changing or updating configuration.
2. Configuration reloading has improved significantly and works excellently on Kubernetes.
3. Performance gains that remove the need for a cache layer between the configuration system and ORY Hydra.
4. Loading of several config files using the `--config` flag is now possible.
5. Configuration values are now sent to the tracer (e.g. Jaeger) if tracing is enabled.

Please be aware that deprecated configuration flags have finally been removed with this change. It is also possible that ORY Hydra might complain about an invalid configuration due to a significantly improved validation process.

In addition, this release includes the new OpenID Connect Conformity Test Suite as part of the ORY Hydra CI pipeline. This means every PR and change will be checked for OpenID Connect Compliance. As part of these tests, we uncovered some regression issues which have since been resolved. Please be aware that fields `error_hint` and `error_debug` will no longer be sent. You can re-enable those legacy fields by setting `oauth2.include_legacy_error_fields` to `true`.

Furthermore, support for OpenID Connect flows `response_mode=form_post` was added and has been tested with the OpenID Connect Conformity Test Suite, making it ready for production.

Several other bugs have been resolved and we have completely overhauled the tests, deprecating test tables in favor of test suites. This greatly improves the readability of our tests and allows new contributors to more easily understand what is going on!

If you wish to get into ORY Hydra, check out the newly published YouTube tutorial:

[![ORY Hydra YouTube Quickstart Tutorial](https://raw.githubusercontent.com/ory/web/master/static/images/newsletter/hydra-1.9.0/YouTube-tutorial-hydra-preview.png)](https://www.youtube.com/watch?v=tlO9p2E501A)

v1.9.0-alpha.2

This release addresses an issue in the update routine of OAuth2 Clients (see [kratos#2148](ory#2148)) and adds an option which makes ORY Hydra compatible with MITREid.

v1.9.0-alpha.1

This release focuses on a complete refactor of the internal database abstraction layer (DBAL). We have been using [gobuffalo/pop](https://github.com/gobuffalo/pop) successfully in [ORY Kratos](https://github.com/ory/kratos) and decided to move the ORY Hydra DBAL to [gobuffalo/pop](https://github.com/gobuffalo/pop) as well. As part of this refactoring, ORY Hydra now supports SQLite for both in-memory as well as on-disk databases, de-duplicating the codebase and allowing for quick and easy persistence in test environments.

This is an alpha release as we want to gather feedback from the community regarding performance and other potential issues before tagging the v1.9.0 version branch as stable.

v1.8.5

This is a security-focused release with fixes for [CVE-2020-15234](GHSA-grfp-q2mm-hfp6), [CVE-2020-15223](GHSA-7mqr-2v3q-v2wm), [CVE-2020-15233](GHSA-rfq3-w54c-f9q5). Additionally, several system dependencies (e.g. Golang) have been upgraded.

A few things have changed as part of these patches:

- OAuth 2.0 Redirection URL error parameters `error_hint`, `error_debug` have been deprecated and are now part of `error_description`. The parameters are still included for compatibility reasons but will be removed in a future release.
- OAuth 2.0 Error `revocation_client_mismatch` was not standardized and has been removed. Instead, you will now receive `unauthorized_client` with a description explaining why the flow failed.

Additionally, the TypeScript SDK generator has changed from OpenAPI's `typescript-node` to `typescript-axios` making the SDK compatible with both browser as well as node environments, which was not the case previously. Please be aware that some of the SDK's API signatures - especially responses - have changed and check your TypeScript output for instructions on upgrading. You may still use an older version of the SDK as none of ORY Hydra's HTTP APIs have changed.

Due to several complex CI issues and regressions, build versions v1.8.0 - v1.8.4 failed. v1.8.5 is the first and only stable release in the current 1.8.x branch.

New features have been added and bugs have been closed. No migrations are required when applying this release. Please check the list below for an in-depth overview.

v1.8.0-pre.1

Verified

This commit was signed with the committer’s verified signature.
aeneasr hackerman
autogen: pin v1.8.0-pre.1 release commit

v1.8.0-pre.0

This is a security-focused release with fixes for [CVE-2020-15234](GHSA-grfp-q2mm-hfp6), [CVE-2020-15223](GHSA-7mqr-2v3q-v2wm), [CVE-2020-15233](GHSA-rfq3-w54c-f9q5). Upgrading is strongly advised!

A few things have changed as part of these patches:

- OAuth2 Redirection URL error parameters `error_hint`, `error_debug` have been deprecated and are now part of `error_description`. The parameters are still included for compatibility reasons but will be removed in a future release.
- OAuth2 Error `revocation_client_mismatch` was not standardized and has been removed. Instead, you will now receive `unauthorized_client` with a description explaining why the flow failed.

Additionally, the TypeScript SDK generator has changed from OpenAPI's `typescript-node` to `typescript-axios` making the SDK compatible with both browser as well as node environments, which was not the case previously. Please be aware that some of the SDK's API signatures - especially responses - have changed and check your TypeScript output for instructions on upgrading. You may still use an older version of the SDK as none of ORY Hydra's HTTP APIs have changed.

New features have been added and bugs have been closed. No migrations are required when applying this release. Please check the list below for an in-depth overview.

v1.7.4

This release resolves several minor bugs and one slow query. Please be aware that applying this version requires running SQL migrations.

v1.7.3

This release resolves several minor bugs and one slow query. Please be aware that applying this version requires running SQL migrations.

v1.7.1

This release resolves several minor bugs and one slow query. Please be aware that applying this version requires running SQL migrations.

v1.7.0

The new SameSite attribute is now enforced on Google Chrome and may cause issues with your current ORY Hydra deployment:

`SameSite=None` no longer works without `secure` flag cookies. If you are using the `--dangerous-force-http` flag and have not configured `SameSite=Lax` your users will no longer be able to perform OAuth2 flows.

The next Firefox release will follow this implementation as well. To prevent your users from experiencing issues:

- Remove `--dangerous-force-http` from your deployment. This flag should never be set outside of local development machines anyways!
- Set environment variable `SERVE_COOKIES_SAME_SITE_MODE=Lax` or configuration value `serve.cookies.same_site_mode = Lax`.

By applying this release, the above recommendations will be set per default, for example using `Lax` when `--dangerous-force-http` is set.

Many of you reached out in the past asking about managed / SaaS offerings from ORY, for more support, automated updates, and automated fixes for issues like the `SameSite` behavior above. We would like to invite those interested in that kind of an offering and service to engage in a dialogue to better help us understand how you are using ORY, what requirements your businesses have and how we can better help and service you. Together, we can shape some of this journey together. If you would like to be part of this conversation please send an email to [email protected] so we can get in touch directly and begin talking about what an ideal and fully supported offering from ORY would look like for you.

This patch additionally includes a breaking API change for the "Revoke Consent Sessions API endpoint" - please check the breaking changes below. Bugfixes are included in this release as well - such as pretty JSON format logging, fixes to Jaeger configuration, and more!
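
The `SameSite` problem described in the v1.7.0 notes above can be checked from the outside by auditing the `Set-Cookie` headers a deployment returns. The following is an added example, not code from ORY Hydra or from this page; the cookie names and header values are constructed, and `EffectiveSameSite` is a hypothetical helper that only sketches the "use `Lax` when cookies cannot be `Secure`" default the notes mention.

```go
package main

import (
	"fmt"
	"net/http"
)

// SampleHeaders are constructed Set-Cookie values (cookie names are made up).
var SampleHeaders = []string{
	"session_a=abc; Path=/; HttpOnly; Secure; SameSite=None",
	"flow_b=def; Path=/; HttpOnly; SameSite=None", // as served over plain HTTP
	"csrf_c=ghi; Path=/; HttpOnly; SameSite=Lax",
}

// AuditSetCookie returns the names of cookies that declare SameSite=None
// without the Secure attribute, the combination the notes say no longer works.
func AuditSetCookie(headers []string) []string {
	resp := http.Response{Header: http.Header{"Set-Cookie": headers}}
	var rejected []string
	for _, c := range resp.Cookies() {
		if c.SameSite == http.SameSiteNoneMode && !c.Secure {
			rejected = append(rejected, c.Name)
		}
	}
	return rejected
}

// EffectiveSameSite is a hypothetical helper (an assumption, not Hydra's
// implementation): fall back to Lax when the cookie cannot be marked Secure.
func EffectiveSameSite(configured http.SameSite, secure bool) http.SameSite {
	if configured == http.SameSiteNoneMode && !secure {
		return http.SameSiteLaxMode
	}
	return configured
}

func main() {
	fmt.Println("cookies the browser will reject:", AuditSetCookie(SampleHeaders))
	mode := EffectiveSameSite(http.SameSiteNoneMode, false)
	fixed := http.Cookie{Name: "flow_b", Value: "def", Path: "/", HttpOnly: true, SameSite: mode}
	fmt.Println("corrected header:", fixed.String())
}
```
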