Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Tags: pippo/hydra

Tags

v1.8.5

Toggle v1.8.5's commit message
This is a security-focused release with fixes for [CVE-2020-15234](GH…

…SA-grfp-q2mm-hfp6), [CVE-2020-15223](GHSA-7mqr-2v3q-v2wm), [CVE-2020-15233](GHSA-rfq3-w54c-f9q5). Additionally, several system dependencies (e.g. Golang) have been upgraded.

A few things have changed as part of these patches:

- OAuth 2.0 Redirection URL error parameters `error_hint`, `error_debug` have been deprecated and are now part of `error_description`. The parameters are still included for compatibility reasons but will be removed in a future release.
- OAuth 2.0 Error `revocation_client_mismatch` was not standardized and has been removed. Instead, you will now receive `unauthorized_client` with a description explaining why the flow failed.

Additionally, the TypeScript SDK generator has changed from OpenAPI's `typescript-node` to `typescript-axios` making the SDK compatible with both browser as well as node environments, which was not the case previously. Please be aware that some of the SDK's API signatures - especially responses - have changed and check your TypeScript output for instructions on upgrading. You may still use an older version of the SDK as none of ORY Hydra's HTTP APIs have changed.

Due to several complex CI issues and regressions, build versions v1.8.0 - v1.8.4 failed. v1.8.5 the first and only stable release in the current 1.8.x branch.

New features have been added and bugs have been closed. No migrations are required when applying this release. Please check the list below for an in-depth overview.

v1.8.0-pre.1

Toggle v1.8.0-pre.1's commit message

Verified

This commit was signed with the committer’s verified signature.
aeneasr hackerman
autogen: pin v1.8.0-pre.1 release commit

v1.8.0-pre.0

Toggle v1.8.0-pre.0's commit message
This is a security-focused release with fixes for [CVE-2020-15234](GH…

…SA-grfp-q2mm-hfp6), [CVE-2020-15223](GHSA-7mqr-2v3q-v2wm), [CVE-2020-15233](GHSA-rfq3-w54c-f9q5). Upgrading is strongly advised!

A few things have changed as part of these patches:

- OAuth2 Redirection URL error parameters `error_hint`, `error_debug` have been deprecated and are now part of `error_description`. The parameters are still included for compatibility reasons but will be removed in a future release.
- OAuth2 Error `revocation_client_mismatch` was not standardized and has been removed. Instead, you will now receive `unauthorized_client` with a description explaning why the flow failed.

Additionally, the TypeScript SDK generator has changed from OpenAPI's `typescript-node` to `typescript-axios` making the SDK compatible with both browser as well as node environments, which was not the case previously. Please be aware that some of the SDK's API signatures - especially responses - have changed and check your TypeScript output for instructions on upgrading. You may still use an older version of the SDK as none of ORY Hydra's HTTP APIs have changed.

New features have been added and bugs have been closed. No migrations are required when applying this release. Please check the list below for an in-depth overview.

v1.7.4

Toggle v1.7.4's commit message
This release resolves several minor bugs and one slow query. Please b…

…e aware that applying this version requires running SQL migrations.

v1.7.3

Toggle v1.7.3's commit message
This release resolves several minor bugs and one slow query. Please b…

…e aware that applying this version requires running SQL migrations.

v1.7.1

Toggle v1.7.1's commit message
This release resolves several minor bugs and one slow query. Please b…

…e aware that applying this version requires running SQL migrations.

v1.7.0

Toggle v1.7.0's commit message
The new SameSite attribute is now enforced on Google Chrome and may c…

…ause issues with your current ORY Hydra deployment:

`SameSite=None` no longer works without `secure` flag cookies. If you are using the `--dangerous-force-http` flag and have not configured `SameSite=Lax` your users will no longer be able to perform OAuth2 flows.

The next FireFox release will follow this implementation as well. To prevent your users from experiencing issues:

- Remove `--dangerous-force-http` from your deployment. This flag should never be set outside of local development machines anyways!
- Set environment variable `SERVE_COOKIES_SAME_SITE_MODE=Lax` or configuration value `serve.cookies.same_site_mode = Lax`.

By applying this release, the above recommendations will be set per default, for example using `Lax` when `--dangerous-force-http` is set.

Many of you reached out in the past asking about managed / SaaS offerings from ORY, for more support, automated updates, and automated fixes for issues like the `SameSite` behavior above. We would like to invite those interested in that kind of an offering and service to engage in a dialogue to better help us understand how you are using ORY, what requirements your businesses have and how we can better help and service you. Together, we can shape some of this journey together. If you like to be part of this conversation please send an email to [email protected] so we can get in touch directly and begin talking about what an ideal and fully supported offering from ORY would look like for you.

This patch additionally includes a breaking API change for the "Revoke Consent Sessions API endpoint" - please check the breaking changes below. Bugfixes are included in this release as well - such as pretty JSON format logging, fixes to Jaeger configuration, and more!

v1.6.0

Toggle v1.6.0's commit message
We focused on reworking the ORY Hydra documentation in this release.

Even though no breaking changes were introduced with this release, we decided
to bump to the next minor (1.6) version to signal the significance of the
documentation changes.

We also refactored the NodeJS example implementation to use lightweight
TypeScript and the official TypeScript SDK.

v1.5.2

Toggle v1.5.2's commit message
This release contains mostly minor bug fixes and allows more granular…

… control

for listening on unix sockets.

v1.5.1

Toggle v1.5.1's commit message
The 1.5.1 release includes several big changes to the internal code b…

…ase and introduces exciting new features! It combines several beta releases that have been battle-tested by the community. Please use the 1.5.1 release instead of the 1.5.0 release which had issues with the CI pipeline! This release

* changes how migrations work internally. It does not contain breaking changes but please run `hydra migrate sql` **once you have backed up the database**;
* improves CockroachDB ZigZag query performance;
* OAuth2 clients are now able to use other token_endpoint_auth_signing_algorithms than RS256
* introduces Zipkin tracing support;
* improves the documentation in several locations;
* greatly improves structured logging output;
* supports unix sockets in the ORY Hydra CLI;
* uses the new ORY CLI as part of the toolchain;
* and resolves several other bugs and issues!

We would like to thank our amazing community and all contributors that have helped in making this release possible (in no particular order):

* https://github.com/rickwang7712
* https://github.com/bayansar
* https://github.com/sawadashota
* https://github.com/ka3de
* https://github.com/dalcde
* https://github.com/timsazon
* https://github.com/robhinds
* https://github.com/arkady-bagdasarov
* https://github.com/arapaho
* https://github.com/lopezator
* https://github.com/pjediny

If you haven't yet, consider joining our [Slack family](https://slack.ory.sh)!