Update oryd/hydra Docker tag to v2 #6

Open
wants to merge 22 commits into
base: develop

@renovate renovate bot commented Nov 13, 2023

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| oryd/hydra (source) | major | v1.11.10 -> v2.2.0 |

Release Notes

ory/hydra (oryd/hydra)

v2.2.0

Compare Source

Ory Hydra 2.2.0

Ory Hydra, the OAuth2 and OpenID Connect server designed for web-scale deployments, introduces over 6x higher OAuth2 throughput on a single PostgreSQL instance!

Want to check out Ory Hydra yourself? Try common OAuth2 flows in the Ory OAuth2 Get Started guide!

This version significantly enhances performance, processing over 6x more authorization flows than version 2.1, thanks to architectural improvements that minimize database interactions for login and consent processes.

Key improvements include:

  • Enhanced integration with Ory Kratos, ensuring seamless synchronization of login and logout states across both services. Users logged out from Ory Hydra will automatically log out from Ory Kratos, enhancing security and user experience.
  • The ability to bypass the logout consent screen for specific clients, streamlining the logout process.
  • Simplified migration with the new feature to import OAuth2 Client IDs, making the transition to Ory Hydra smoother.
  • Support for the OIDC Verifiable Credentials specification, expanding the server's capabilities in identity verification.

Thanks to all contributors who have made this release available!

Bug Fixes
Documentation
Features
  • Add --skip-logout-consent flag to CLI (#​3709) (f502d6e)

  • Add authentication options to hooks (#​3633) (5c8e792)

  • Add flag to export public keys (#​3684) (62c006b)

  • Add missing index for jwk table (#​3691) (39ee5e1)

  • Add prompt=registration (#​3636) (19857d2):

    Ory Hydra now supports a registration value for the prompt parameter of
    the authorization request. When specifying prompt=registration, Ory Hydra
    will redirect the user to the URL found under urls.registration
    (instead of urls.login).

  • Add skip_logout_consent option to clients (#​3705) (2a653e6):

    Adds a special field which disables the logout consent screen when performing OIDC logout.

  • Allow injecting extra fosite strategies (#​3646) (88b0b7c)

  • Re-enable legacy client IDs (#​3628) (5dd7d30):

    This patch changes the primary key of the hydra_client table. We do not expect issues, as that table is probably not overly huge in any deployment. We do however highly recommend to test the migration performance on a staging environment with a similar database setup.

  • Remove flow cookie (#​3639) (cde3a30):

    This patch removes the flow cookie. All information is already tracked in the request query parameters as part of the {login|consent}_{challenge|verifier}.

  • Remove login session cookie during consent flow (#​3667) (5f41949)

  • Support multiple token URLs (#​3676) (95cc273)

  • Add hydra migrate status subcommand (#​3579) (749eb8d)

  • Add more resolution to events and collect client metrics (#​3568) (466e66b)

  • Add state override (b8b9154)

  • Add support for OIDC VC (#​3575) (219a7c0):

    This adds initial support for issuing verifiable credentials
    as specified in https://openid.net/specs/openid-connect-userinfo-vc-1_0.html.

    Because the spec is still in draft, public identifiers are
    suffixed with draft_00.

  • Allow additional SQL migrations (#​3587) (8900cbb)

  • Allow Go migrations (#​3602) (8eed306)

  • Allow to disable claim mirroring (#​3563) (c72a316):

    This PR introduces another config option called oauth2:mirror_top_level_claims which may be used to disable the mirroring of custom claims into the ext claim of the jwt.
    This new config option is an opt-in. If unused the behavior remains as-is to ensure backwards compatibility.

    Example:

    oauth2:
      allowed_top_level_claims:
        - test_claim
      mirror_top_level_claims: false # -> this will prevent test_claim to be mirrored within ext

    Closes https://github.com/ory/hydra/issues/3348

  • Bump fosite and add some more tracing (0b56f53)

  • cmd: Add route that redirects to the auth code url (4db6416)

  • Parallel generation of JSON web key set (#​3561) (5bd9002)

  • Propagate logout to identity provider (#​3596) (c004fee):

    • feat: propagate logout to identity provider

    This commit improves the integration between Hydra and Kratos when logging
    out the user.

    This adds a new configuration key for configuring a Kratos admin URL.
    Additionally, Kratos can send a session ID when accepting a login request.
    If a session ID was specified and a Kratos admin URL was configured,
    Hydra will disable the corresponding Kratos session through the admin API
    if a frontchannel or backchannel logout was triggered.

    • fix: add special case for MySQL
    • chore: update sdk
    • chore: consistent naming
    • fix: cleanup persister
  • Support different jwt scope claim strategies (#​3531) (45da11e)

Changelog
  • 800ce0a autogen: add v2.2.0-rc.3 to version.schema.json
  • 8168ee3 autogen: pin v2.2.0-pre.1 release commit
  • 0487217 autogen: render config schema
  • a0c06ec chore(deps): bump @​cypress/request and cypress (#​3641)
  • b177f81 chore(deps): bump axios and @​openapitools/openapi-generator-cli (#​3701)
  • 23c8194 chore(deps): bump debug from 3.2.6 to 3.2.7 (#​3640)
  • 18d9793 chore(deps): bump follow-redirects in /test/e2e/oauth2-client (#​3697)
  • 4fa2889 chore(deps): bump github.com/docker/docker (#​3707)
  • 2ba3547 chore(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0 (#​3680)
  • efc00a8 chore(deps): bump golang.org/x/net from 0.14.0 to 0.17.0 (#​3645)
  • 083c90d chore: build tag (#​3613)
  • 3615e3d chore: bump docker base images (#​3632)
  • aa8a364 chore: bump openapi-generator (#​3696)
  • 2dc6606 chore: improve context (#​3656)
  • 8e94929 chore: update otel (#​3686)
  • f0501d2 docs: fix typo (#​3649)
  • f502d6e feat: add --skip-logout-consent flag to CLI (#​3709)
  • 5c8e792 feat: add authentication options to hooks (#​3633)
  • 62c006b feat: add flag to export public keys (#​3684)
  • 39ee5e1 feat: add missing index for jwk table (#​3691)
  • 19857d2 feat: add prompt=registration (#​3636)
  • 2a653e6 feat: add skip_logout_consent option to clients (#​3705)
  • 88b0b7c feat: allow injecting extra fosite strategies (#​3646)
  • 5dd7d30 feat: re-enable legacy client IDs (#​3628)
  • cde3a30 feat: remove flow cookie (#​3639)
  • 5f41949 feat: remove login session cookie during consent flow (#​3667)
  • 95cc273 feat: support multiple token URLs (#​3676)
  • d1f9ba8 fix: correct id token type in token exchange response (#​3625)
  • 22f0119 fix: dropped persistence/sql test errors (#​3670)
  • 5133cf9 fix: handle logout double-submit gracefully (#​3675)
  • af0d477 fix: handle subject mismatch gracefully (#​3619)
  • 1a40833 fix: handle token hook auth config (#​3677)
  • 24c3be5 fix: improved SSRF protection (#​3669)
  • 8812e0e fix: incorrect down migration (#​3708)
  • 3a764a0 fix: remove required mark (#​3693)
  • a748797 fix: timeout in jwt-bearer grants when too many grants are available (#​3692)
  • 0176adc fix: verifiable credentials JWT format (#​3614)
  • 8e6c4bf autogen(docs): regenerate and update changelog
  • 33950db autogen(docs): regenerate and update changelog
  • 28e9e31 autogen(openapi): regenerate swagger spec and internal client
  • 57096be autogen: pin v2.2.0 release commit
  • bfc05d0 chore(deps): bump github.com/opencontainers/runc from 1.1.8 to 1.1.12 (#​3710)
  • 65165e7 fix: return empty slice if requested_scope or audience is null (#​3711)

Artifacts can be verified with cosign using this public key.

v2.1.2

Compare Source

We are excited to announce the next Ory Hydra release! This release includes the following important changes:

  • Fixed a memory leak in the OpenTelemetry implementation, improving overall memory usage and stability.
  • Added a missing index for faster janitor cleanup, resulting in quicker and more efficient cleanup operations.
  • Fixed a bug related to SameSite in dev mode, ensuring proper functionality and consistency in handling SameSite attributes during development.

We appreciate your continuous support and feedback. Please feel free to reach out to us with any further suggestions or issues.

Bug Fixes
  • Add index on requested_at for refresh tokens and use it in janitor (#​3516) (5b8e712)

  • Disable health check request logs (#​3496) (eddf7f3)

  • Do not use prepared SQL statements and bump deps (#​3506) (31b9e66)

  • Proper SameSite=None in dev mode (#​3502) (5751fae)

  • Sqa config values unified across projects (#​3490) (1b1899e)

  • sql: Incorrect JWK query (#​3499) (13ce0d6):

    persister_grant_jwk had an OR statement without bracket leading to not using the last part of the query.

Code Generation
  • Pin v2.1.2 release commit (d94ed6e)
Documentation
Features
Changelog

Artifacts can be verified with cosign using this public key.

v2.1.1

Compare Source

We are excited to share this year's Q1 release of Ory Hydra: v2.1!

Highlights:

  • Support for Datadog tracing (#​3431).
  • Ability to skip consent for trusted clients (#​3451).
  • Setting access token type in the OAuth2 Client is now possible (#​3446).
  • Revoke login sessions by SessionID (#​3450).
  • Session lifespan extended on session refresh (#​3464).
  • Token request hooks added for all grant types (#​3427).
  • Reduced SQL tracing noise (#​3481).

Don't want to run the upgrade yourself? Switch to Ory Network!

Bug Fixes
Code Generation
  • Pin v2.1.1 release commit (6efae7c)
Changelog
  • df16a26 autogen(docs): generate and bump docs
  • ed2ac06 autogen(docs): regenerate and update changelog
  • 6078f85 autogen(docs): regenerate and update changelog
  • ddfbd65 autogen: add v2.1.0 to version.schema.json
  • 6efae7c autogen: pin v2.1.1 release commit
  • ad549d6 autogen: pin v2.1.1 release commit
  • 2f7cda5 autogen: render config schema
  • 0448284 chore: update ory/x (#​3480)
  • 8720b25 fix: double-hashed access token signatures (#​3486)
  • 6e1f545 fix: reduce SQL tracing noise (#​3481)

Artifacts can be verified with cosign using this public key.

v2.1.0

Compare Source

We are excited to share this year's Q1 release of Ory Hydra: v2.1.0!

Highlights:

  • Support for Datadog tracing (#​3431).
  • Ability to skip consent for trusted clients (#​3451).
  • Setting access token type in the OAuth2 Client is now possible (#​3446).
  • Revoke login sessions by SessionID (#​3450).
  • Session lifespan extended on session refresh (#​3464).
  • Token request hooks added for all grant types (#​3427).
  • Reduced SQL tracing noise (#​3481).

Don't want to run the upgrade yourself? Switch to Ory Network!

Bug Fixes
Code Generation
  • Pin v2.1.0 release commit (3649832)

Changelog

  • 5c2e227 autogen(docs): regenerate and update changelog
  • 3649832 autogen: pin v2.1.0 release commit
  • 6e1f545 fix: reduce SQL tracing noise (#​3481)

Artifacts can be verified with cosign using this public key.

v2.0.3

Compare Source

Bugfixes for migration and pagination regressions and a new endpoint.

Bug Fixes
  • Add client_id and client_secret to revokeOAuth2Token (#​3373) (93bac07)

  • Docker build (48217bd)

  • Introspect command CLI example (#​3353) (4ee4456)

  • Invalidate tokens with inconsistent state (#​3385) (542ea77), closes #​3346:

    This patch includes SQL migrations targeting environments which have not yet migrated to Ory Hydra 2.0. It removes inconsistent records which resolves issues during the migrations process. Please be aware that some users might be affected by this change. They might need to re-authorize certain apps. However, most active records should not be affected by this.

    Installations already on Ory Hydra 2.0 will not be affected by this change.

  • No longer auto-generate system secret (c5fe043):

    This patch changes Ory Hydra's behavior to no longer auto-generate a temporary secret when no global secret was set. The APIs now return an error instead.

    See https://github.com/ory/network/issues/185

  • Prevent multiple redirections to post logout url (#​3366) (50666b9), closes #​3342

  • Strip public from schema (#​3374) (3831b44), closes #​3367

  • Token pagination (#​3384) (e8d8de9), closes #​3362

Code Generation
  • Pin v2.0.3 release commit (16831c5)
Features
Changelog
  • c65342e autogen: add v2.0.2 to version.schema.json
  • 16831c5 autogen: pin v2.0.3 release commit
  • b28bad3 chore(deps): bump decode-uri-component in /test/e2e/oauth2-client (#​3377)
  • cb23cca chore(deps): bump minimatch in /test/e2e/oauth2-client (#​3381)
  • 93fc0a1 chore(deps): bump qs from 6.5.2 to 6.5.3 (#​3380)
  • 316b582 chore(deps): bump qs, body-parser and express in /test/e2e/oauth2-client (#​3379)
  • f9f0337 chore: list contributors in file (#​3345)
  • d275ad6 feat: list consent sessions by session id (#​2853)
  • 93bac07 fix: add client_id and client_secret to revokeOAuth2Token (#​3373)
  • 48217bd fix: docker build
  • 4ee4456 fix: introspect command CLI example (#​3353)
  • 542ea77 fix: invalidate tokens with inconsistent state (#​3385)
  • c5fe043 fix: no longer auto-generate system secret
  • 50666b9 fix: prevent multiple redirections to post logout url (#​3366)
  • 3831b44 fix: strip public from schema (#​3374)
  • e8d8de9 fix: token pagination (#​3384)

Artifacts can be verified with cosign using this public key.

v2.0.2

Compare Source

This release resolves bugs and SDK publishing issues.

Bug Fixes
Code Generation
  • Pin v2.0.2 release commit (ce96826)
Documentation
Features
Tests
Changelog
  • 164f4b5 autogen: add v2.0.1 to version.schema.json
  • ce96826 autogen: pin v2.0.2 release commit
  • 80a1335 chore: license checker (#​3328)
  • f8a7ced chore: remove obsolete header (#​3334)
  • 90152fa chore: update Ory CLI with breaking changes to the format task (#​3338)
  • 0b32280 chore: update repository templates to ory/meta@852a1ae
  • cda9fd4 chore: update repository templates to ory/meta@a2fba7e
  • 5418433 chore: update repository templates to ory/meta@b41b1ee
  • 736aaef chore: update repository templates to ory/meta@d3f8710
  • c752125 docs: add refresh token grant type
  • dcfd11f docs: fix typo
  • d768cf6 docs: standardize license headers (#​3216)
  • 6184b6a docs: update README link
  • 16bd568 feat: enable simultaneous auth flows by creating client related csrf co… (#​3059)
  • c54b9db fix: add v2 suffix (#​3340)
  • 01f80a8 fix: correct migration file name
  • ccf2388 fix: incorrect consent removal on authentication revokation
  • 729102f fix: incorrect jwk import order (#​3344)
  • f22046f fix: isolate transactions for crdb
  • f59f1c6 fix: scope type should be string instead of int (#​3337)
  • c417be1 test: fix flaky test
  • 643e88c test: resolve time race

Artifacts can be verified with cosign using this public key.

v2.0.1

Compare Source

Resolves an issue with post-release steps and adds the introspect command to the Ory Hydra CLI.

Bug Fixes
  • Add missing introspect command (c43aba3)
  • Bump quickstart images to 2.0.0 (8c763ad)
  • Post-release steps with yq (b6300e3)
Code Generation
  • Pin v2.0.1 release commit (403223c)
Documentation

Changelog

  • 8297cfc autogen(docs): regenerate and update changelog
  • 403223c autogen: pin v2.0.1 release commit
  • c48e481 docs: update README (#​3323)
  • c43aba3 fix: add missing introspect command
  • 8c763ad fix: bump quickstart images to 2.0.0
  • b6300e3 fix: post-release steps with yq

Artifacts can be verified with cosign using this public key.

v2.0.0

Compare Source

Ory Hydra 2.0 is available now! It ships major internal data restructuring and adds support for additional OAuth2 flows such as OAuth2 Token Exchange. Ory Hydra now natively integrates with Ory Kratos, an open source Identity Server.

Install the Ory CLI for the best developer experience to try out Ory Hydra 2.0 right away!

bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory
sudo mv ./ory /usr/local/bin/

brew install ory/tap/cli

create a new project (you may also use Docker)

ory create project --name "Ory Hydra 2.0 Example"
project_id="{set to the id from output}"

and follow the quick & easy steps below.

Create an OAuth 2.0 Client, and run the OAuth 2.0 Client Credentials flow:

ory create oauth2-client --project $project_id \
    --name "Client Credentials Demo" \
    --grant-type client_credentials
client_id="{set to client id from output}"
client_secret="{set to client secret from output}"

ory perform client-credentials --client-id=$client_id --client-secret=$client_secret --project $project_id
access_token="{set to access token from output}"

ory introspect token $access_token --project $project_id

Try out the OAuth 2.0 Authorize Code grant right away!

By accepting permissions openid and offline_access at the consent screen, Ory refreshes and OpenID Connect ID token,

ory create oauth2-client --project $project_id \
    --name "Authorize Code with OpenID Connect Demo" \
    --grant-type authorization_code \
    --response-type code \
    --redirect-uri http://127.0.0.1:4446/callback
code_client_id="{set to client id from output}"
code_client_secret="{set to client secret from output}"

ory perform authorization-code \
    --project $project_id \
    --client-id $code_client_id \
    --client-secret $code_client_secret
code_access_token="{set to access token from output}"

ory introspect token $code_access_token --project $project_id

What's changed in Ory Hydra 2.0?

  • Ory Identities is now compatible with the Ory OAuth2 Login and Consent Flow. This means, for example, that Ory Kratos can be the login provider for Ory Hydra with a bit of configuration.
  • The Ory Network enables this integration as a default.
  • Ory Hydra 2.0 now natively supports key types such as ES256 for signing ID Tokens and OAuth 2.0 Access Tokens in JWT format.
  • Additionally, the key naming mechanism was updated to conform with industry best practices.
  • Ory Hydra 2.0 ships a complete refactoring of the internal database structure, reducing database storage at scale and optimizing query performance.
  • All primary keys are now UUIDs to avoid hotspots in distributed systems. Please note that as part of this change it is no longer possible to choose the OAuth 2.0 Client ID. Instead, Ory chooses the best-performing ID format for the petabyte scale.
  • Ory chose to denormalize tables that had a negative performance impact due to excessive JOIN statements.
  • Using BCrypt as the primary hashing algorithm for OAuth 2.0 Client Secrets creates excessive CPU consumption at scale. OAuth 2.0 Client Secrets are auto-generated in Ory Hydra 2.x, removing the need for excessive hashing costs.
  • The new PBKDF2 hasher can be fine-tuned to support hashing at scale without a significant threat model impact.
  • This section only applies in scenarios where Ory Hydra is working in a do-it-yourself fashion e.g. on Docker. An Ory Hydra 2.0 compatible service is already available on the Ory Network.
  • The database schema changed significantly from the previous structure. Please be aware that there might be a period where the database tables will be locked for writes while the upgrade runs. A full backup of the database before upgrading is essential! We recommend trying out the upgrade on a copy of a production database first.
Detailed Overview

Find a list of detailed changes below!

SQL Migrations

Run the SQL migrations using:

hydra migrate sql $DSN

SDK changes

Ory Hydra 1.x is a crucial service at Ory. Version 2.0 streamlines the APIs and SDKs to follow Ory API’s semantics and specification.

To better support TB-scale environments, the OAuth2 Client HTTP API's query
parameters for pagination have changed from limit and offset to page_token
and page_size. The page_token is an opaque string contained in the HTTP
Link Header, which expresses the next, previous, first, and last page.

Administrative endpoints now have an /admin prefix (e.g. POST /admin/keys instead of POST /keys). Existing administrative endpoints will redirect to this new prefixed path for backward compatibility.

HTTP endpoint /oauth2/flush, used to flush inactive access tokens, was deprecated and has been removed. Please use hydra janitor instead.

To conform with the Ory V1 SDK, several SDK methods and payloads were renamed. Please check the CHANGELOG for a complete list of changes.

Configuration changes

The iss (issuer) value no longer appends a trailing slash but instead uses the raw value set in the config.

Setting

urls:
  self:
    issuer: https://auth.example.com

has changed

- "iss": "https://auth.example.com/"
+ "iss": "https://auth.example.com"

To set a trailing slash make sure to set it in the config value:

urls:
  self:
    issuer: https://auth.example.com/

CLI Changes

Flags --dangerous-allow-insecure-redirect-url and --dangerous-force-http have been removed. Use the --dev flag instead to denote a development environment with reduced security restrictions.

We now recommend using the Ory CLI to manage OAuth2 resources. As part of this restructuring, some of the commands were renamed. Here are some examples:

- hydra client create
+ ory create oauth2-client

- hydra clients list
+ ory list oauth2-clients

Additionally, array arguments now use the singular form:

hydra create client \
- --redirect-uris foo --redirect-uris bar \
+ --redirect-uri foo --redirect-uri bar \
- --grant-types foo --grant-types bar \


</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/FAForever/gitops-stack).

@renovate renovate bot force-pushed the renovate/oryd-hydra-2.x branch from 60babf9 to 06cb538 Compare May 4, 2024 16:23
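
The 2.0 release notes above state that `iss` no longer gets a trailing slash appended. The following is an added example, not code from Ory or from this repository: a pre-merge audit that flags relying parties whose pinned issuer string will stop matching after the upgrade, since OpenID Connect requires an exact string match on `iss`. The relying-party names and pinned values are constructed, and the 1.x behaviour for a config value that already ends in a slash is an assumption.

```python
import base64
import json


def hydra_v1_iss(configured: str) -> str:
    # Assumption: 1.x emitted the configured value with exactly one trailing slash.
    return configured.rstrip("/") + "/"


def hydra_v2_iss(configured: str) -> str:
    # Per the release notes: 2.x uses the raw config value, nothing appended.
    return configured


def unverified_claims(jwt: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT checked."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_pinned_issuers(configured: str, pinned: dict) -> dict:
    """Classify each relying party by what its exact-match issuer check will do."""
    before, after = hydra_v1_iss(configured), hydra_v2_iss(configured)
    report = {}
    for rp, expected in pinned.items():
        if expected == after:
            report[rp] = "ok"
        elif expected == before:
            report[rp] = "breaks-after-upgrade"
        else:
            report[rp] = "mismatch-before-and-after"
    return report


def constructed_token(iss: str) -> str:
    """Unsigned, constructed sample token; only the payload matters here."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'iss': iss, 'sub': 'constructed-user'})}."


# urls.self.issuer as shown in the release notes.
CONFIGURED_ISSUER = "https://auth.example.com"

# Constructed inventory: the issuer string each relying party validates against.
PINNED = {
    "api-gateway": "https://auth.example.com/",
    "web-frontend": "https://auth.example.com",
    "legacy-batch": "https://login.example.com/",
}

if __name__ == "__main__":
    for rp, status in audit_pinned_issuers(CONFIGURED_ISSUER, PINNED).items():
        print(f"{rp:14} {status}")
    # What api-gateway would see in a token issued after the upgrade.
    token = constructed_token(hydra_v2_iss(CONFIGURED_ISSUER))
    print("api-gateway accepts:", unverified_claims(token)["iss"] == PINNED["api-gateway"])
```

For every `breaks-after-upgrade` entry, either update the relying party's pinned value or set the trailing slash in `urls.self.issuer`, as the release notes describe.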
@Brutus5000 Brutus5000 force-pushed the develop branch 20 times, most recently from f767303 to 9671fff Compare May 5, 2024 21:57
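
The SDK changes in the 2.0 notes replace `limit`/`offset` with `page_size` and an opaque `page_token` carried in the HTTP Link header. The following is an added example, not code from Ory or from this repository: a client-side loop that follows `rel="next"` until it disappears and stops if a token repeats. The `fetch` hook, the `/admin/clients` URLs in the sample headers, and the page contents are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Matches one `<url>; rel="name"` entry of a Link header value.
_LINK_RE = re.compile(r'<([^>]*)>\s*;\s*rel="?([^",;]+)"?')


def parse_link_header(value: str) -> dict:
    """Map rel -> URL for a Link header value."""
    return {rel: url for url, rel in _LINK_RE.findall(value)}


def next_page_token(link_header):
    """Return the page_token of the rel="next" link, or None on the last page."""
    url = parse_link_header(link_header or "").get("next")
    if not url:
        return None
    tokens = parse_qs(urlsplit(url).query).get("page_token")
    return tokens[0] if tokens else None


def list_all_clients(fetch, page_size=2, max_pages=1000):
    """Collect every item. `fetch(params) -> (items, link_header)` is a
    hypothetical transport hook standing in for the real HTTP call."""
    items, token, seen = [], None, set()
    for _ in range(max_pages):
        params = {"page_size": page_size}
        if token is not None:
            params["page_token"] = token  # opaque: pass back unchanged
        page, link = fetch(params)
        items.extend(page)
        token = next_page_token(link)
        if token is None:
            return items
        if token in seen:
            raise RuntimeError("pagination loop: page_token repeated")
        seen.add(token)
    raise RuntimeError("max_pages exceeded")


# Constructed server state: page_token -> (items on that page, next token).
PAGES = {
    None: (["client-1", "client-2"], "tok-b"),
    "tok-b": (["client-3", "client-4"], "tok-c"),
    "tok-c": (["client-5"], None),
}


def fake_fetch(params):
    """Constructed stand-in for the server; builds a Link header per page."""
    items, nxt = PAGES[params.get("page_token")]
    first = '</admin/clients?page_size=2>; rel="first"'
    if nxt is None:
        return items, first
    return items, f'</admin/clients?page_size=2&page_token={nxt}>; rel="next",{first}'


if __name__ == "__main__":
    print(list_all_clients(fake_fetch))
```

Scripts that still send `limit` and `offset` need this kind of rewrite before the image tag is bumped, because offsets cannot be computed from an opaque token.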