CHANGELOG.md

Table of Contents generated with DocToc

• Change Log
  • Unreleased
  • v1.0.9 (2019-11-02)
  • v1.0.8 (2019-10-04)
  • v1.0.7 (2019-09-29)
  • v1.0.6 (2019-09-29)
  • v1.0.5 (2019-09-28)
  • v1.0.4 (2019-09-26)
  • v1.0.3 (2019-09-23)
  • v1.0.2 (2019-09-18)
  • v1.0.1 (2019-09-04)
  • v1.0.0 (2019-06-24)
  • v1.0.0-rc.16 (2019-06-13)
  • v1.0.0-rc.15 (2019-06-05)
  • v1.0.0-rc.14 (2019-05-18)
  • v1.0.0-rc.12 (2019-05-10)
  • v1.0.0-rc.11 (2019-05-02)
  • v1.0.0-rc.10 (2019-04-29)
  • v1.0.0-rc.9+oryOS.10 (2019-04-18)
  • v1.0.0-rc.8+oryOS.10 (2019-04-03)
  • v1.0.0-rc.7+oryOS.10 (2019-04-02)
  • v1.0.0-rc.6+oryOS.10 (2018-12-18)
  • v1.0.0-rc.5+oryOS.10 (2018-12-13)
  • v1.0.0-rc.4+oryOS.9 (2018-12-12)
  • v1.0.0-rc.3+oryOS.9 (2018-12-06)
  • v1.0.0-rc.2+oryOS.9 (2018-11-21)
  • v1.0.0-rc.1+oryOS.9 (2018-11-21)
  • v1.0.0-beta.9 (2018-09-01)
  • v1.0.0-beta.8 (2018-08-10)
  • v1.0.0-beta.7 (2018-07-16)
  • v1.0.0-beta.6 (2018-07-11)
  • v1.0.0-beta.5 (2018-07-07)
  • v0.11.14 (2018-06-15)
  • v1.0.0-beta.4 (2018-06-13)
  • v1.0.0-beta.3 (2018-06-13)
  • v1.0.0-beta.2 (2018-05-29)
  • v1.0.0-beta.1 (2018-05-29)
  • v0.11.12 (2018-04-08)
  • v0.11.10 (2018-03-19)
  • v0.11.9 (2018-03-10)
  • v0.11.7 (2018-03-03)
  • v0.11.6 (2018-02-07)
  • v0.11.4 (2018-01-23)
  • v0.11.3 (2018-01-23)
  • v0.11.2 (2018-01-22)
  • v0.11.1 (2018-01-18)
  • v0.11.0 (2018-01-08)
  • v0.10.10 (2017-12-16)
  • v0.10.9 (2017-12-13)
  • v0.10.8 (2017-12-12)
  • v0.10.7 (2017-12-09)
  • v0.10.6 (2017-12-09)
  • v0.10.5 (2017-12-09)
  • v0.10.4 (2017-12-09)
  • v0.10.3 (2017-12-08)
  • v0.10.2 (2017-12-08)
  • v0.10.1 (2017-12-08)
  • v0.10.0 (2017-12-08)
  • v0.10.0-alpha.21 (2017-11-27)
  • v0.10.0-alpha.20 (2017-11-26)
  • v0.10.0-alpha.19 (2017-11-26)
  • v0.10.0-alpha.18 (2017-11-06)
  • v0.10.0-alpha.17 (2017-11-06)
  • v0.10.0-alpha.16 (2017-11-06)
  • v0.10.0-alpha.15 (2017-11-06)
  • v0.10.0-alpha.14 (2017-11-06)
  • v0.10.0-alpha.13 (2017-11-06)
  • v0.10.0-alpha.11 (2017-11-06)
  • v0.10.0-alpha.12 (2017-11-06)
  • v0.10.0-alpha.10 (2017-10-26)
  • v0.10.0-alpha.9 (2017-10-25)
  • v0.9.16 (2017-10-23)
  • v0.10.0-alpha.8 (2017-10-18)
  • v0.9.15 (2017-10-11)
  • v0.9.14 (2017-10-06)
  • v0.10.0-alpha.7 (2017-10-06)
  • v0.10.0-alpha.6 (2017-10-05)
  • v0.10.0-alpha.5 (2017-10-05)
  • v0.10.0-alpha.4 (2017-10-05)
  • v0.10.0-alpha.3 (2017-10-05)
  • v0.10.0-alpha.2 (2017-10-05)
  • v0.10.0-alpha.1 (2017-10-05)
  • v0.9.13 (2017-09-26)
  • v0.9.12 (2017-07-06)
  • v0.9.11 (2017-06-30)
  • v0.9.10 (2017-06-29)
  • v0.9.9 (2017-06-17)
  • v0.9.8 (2017-06-17)
  • v0.9.7 (2017-06-16)
  • v0.9.6 (2017-06-15)
  • v0.9.5 (2017-06-15)
  • v0.9.4 (2017-06-14)
  • v0.9.3 (2017-06-14)
  • v0.9.2 (2017-06-13)
  • v0.9.1 (2017-06-12)
  • v0.9.0 (2017-06-07)
  • v0.8.7 (2017-06-05)
  • v0.8.6 (2017-06-05)
  • v0.8.5 (2017-06-01)
  • v0.8.4 (2017-05-24)
  • v0.8.3 (2017-05-23)
  • v0.8.2 (2017-05-10)
  • v0.8.1 (2017-05-08)
  • v0.8.0 (2017-05-07)
  • v0.7.13 (2017-05-03)
  • v0.7.12 (2017-04-30)
  • v0.7.11 (2017-04-28)
  • v0.7.10 (2017-04-14)
  • v0.7.9 (2017-04-02)
  • v0.7.8 (2017-03-24)
  • v0.7.7 (2017-02-11)
  • v0.7.4 (2017-02-11)
  • v0.7.5 (2017-02-11)
  • v0.7.6 (2017-02-11)
  • v0.7.3 (2017-01-22)
  • v0.7.2 (2017-01-02)
  • v0.7.1 (2016-12-30)
  • v0.7.0 (2016-12-30)
  • v0.6.10 (2016-12-26)
  • v0.6.9 (2016-12-20)
  • v0.6.8 (2016-12-06)
  • v0.6.7 (2016-12-04)
  • v0.6.6 (2016-12-04)
  • v0.6.5 (2016-11-28)
  • v0.6.4 (2016-11-22)
  • v0.6.3 (2016-11-17)
  • v0.6.2 (2016-11-05)
  • v0.6.1 (2016-10-26)
  • v0.6.0 (2016-10-25)
  • v0.5.8 (2016-10-06)
  • v0.5.7 (2016-10-04)
  • v0.5.6 (2016-10-03)
  • v0.5.5 (2016-09-29)
  • v0.5.4 (2016-09-29)
  • v0.5.3 (2016-09-29)
  • v0.5.2 (2016-09-23)
  • v0.5.0 (2016-09-22)
  • v0.5.1 (2016-09-22)
  • v0.4.2-alpha.4 (2016-09-03)
  • v0.4.2 (2016-09-03)
  • v0.4.3 (2016-09-03)
  • v0.4.2-alpha.3 (2016-09-02)
  • v0.4.2-alpha.2 (2016-09-01)
  • v0.4.2-alpha.1 (2016-09-01)
  • 0.4.2-alpha (2016-09-01)
  • v0.4.1 (2016-08-18)
  • v0.4.0 (2016-08-17)
  • v0.3.1 (2016-08-17)
  • v0.3.0 (2016-08-09)
  • v0.2.0 (2016-08-09)
  • 0.1-beta.4 (2016-06-26)
  • 0.1-beta.3 (2016-06-20)
  • 0.1-beta.2 (2016-06-14)
  • 0.1-beta1 (2016-05-29)

Change Log

Unreleased

Full Changelog

Closed issues:

• Handle 404 for GET /userinfo #1630
• Add support for MongoDB 4.0 [NEW][NOT DUPLICATED] #1629

v1.0.9 (2019-11-02)

Full Changelog

Fixed bugs:

• CORS allowed_origins not working as expected #1615
• ci: Resolve broken github_changelog_generator task #1609 (aeneasr)

Closed issues:

• Client authentication failed due to password contains character "+" #1622
• Using Discovery in combination with ory deploy documentation #1620
• Support for OAuth2 Dynamic Client Registration RFC (7591, 7592) #1616
• Examples of use with SPA #1614
• Does Hydra has metric or statistics interface? #1607
• Need return login_challenge with body instead of in Location header and redirect. #1604
• Remove OAuth 2.0 Dynamic Client Registration links from README #1601
• docs: Fix broken markdown links in README #1600
• Hydra write to database: broken pipe #1599
• sqlData struct PK field should be an int64 #1595
• Add ext properties on OAuth clients #1594
• The authorization server does not support obtaining a token using this method #1501

Merged pull requests:

• Using glob ** pattern in order to match partial wildcard with protoco… #1624 (Aterocana)
• Correct alias in OAuth2 scopes documentation #1613 (slashmo)
• Update README.md #1612 (TilmanTheile)
• Update README.md #1611 (TilmanTheile)
• Build(deps): Bump jackson-version from 2.8.9 to 2.10.0 in /sdk/java/hydra-client-resttemplate #1608 (dependabot[bot])
• Updated README.md file #1606 (nishanth2143)
• Remove unnecessary paragraph in Hydra API docs #1605 (slashmo)
• Feature/add client metadata #1602 (pike1212)
• client: change pk field to int64 #1597 (pike1212)

v1.0.8 (2019-10-04)

Full Changelog

Closed issues:

• form_post response_mode #1591
• Potential bug in remember logic for login when login is skipped #1557

Merged pull requests:

• driver: don't log DSN #1593 (MDrollette)
• Don't touch authentication cookie on skipped logins #1564 (doubliez)

v1.0.7 (2019-09-29)

Full Changelog

v1.0.6 (2019-09-29)

Full Changelog

Closed issues:

• Go SDK is not "go get"-able #1422

v1.0.5 (2019-09-28)

Full Changelog

Closed issues:

• DSN credential is shown in log #1585
• Create client command doesn't pass some arguments #1584

Merged pull requests:

• Update upgrade changelog #1632 (aeneasr)

v1.0.4 (2019-09-26)

Full Changelog

Fixed bugs:

• ci: Bump changelog ruby version #1586 (aeneasr)

Closed issues:

• ory hydra token handler is failing as the client_secret is compared to a hashed value in Fosite #1580
• Authorization Code + PKCE #1572
• Delegation / Impersonation by trusted clients #1527
• Fix homebrew release pipeline #1576

Merged pull requests:

• cmd: Remove stray log lines #1581 (aeneasr)
• Make EnforcePKCE confurable #1579 (damienbr)
• Build(deps): Bump jackson-version from 2.8.9 to 2.10.0.pr3 in /sdk/java/hydra-client-resttemplate #1578 (dependabot[bot])

v1.0.3 (2019-09-23)

Full Changelog

Closed issues:

• No existing login session was found #1573
• hydra migrate sql fails on 1.0.1, but works on 1.0.0 #1571
• Previous consent consistency #1559
• Add development docker image #1558

Merged pull requests:

• Fix broken release pipeline #1575 (aeneasr)

v1.0.2 (2019-09-18)

Full Changelog

Fixed bugs:

• Migrations not working in 1.0.1 with go1.13 #1563
• Admin list clients API returns results in non-deterministic order #1554
• cli: Resolve Go 1.12.7 regression in migrate sql #1565 (aeneasr)

Closed issues:

• hope support password grant #1561
• Add support of openid-connect-federation? #1560
• No way to revoke all refresh and access tokens for a subject #1550
• Experimental support for draft-ietf-oauth-jwt-introspection-response #1543
• AcceptLoginRequest results in EOF #1524
• pkce does not seem to work #1512
• Oauth2TokenResponse is parsing "response_uri", but not "expires_in" #1509

Merged pull requests:

• clients: Ensure order of paginated results #1568 (aeneasr)
• oauth2: Enable PKCE for private clients #1567 (aeneasr)
• docker: Add alpine image #1566 (aeneasr)
• Add quickstart for prometheus. #1562 (genchilu)
• chore: remove confusing dsn setting value #1556 (cpwc)
• develop: Makes init task in makefile and corrects readme #1555 (solodynamo)

v1.0.1 (2019-09-04)

Full Changelog

Implemented enhancements:

• Oauth2TokenResponse should have IdToken and Scope fields #1541
• pagination: Add paging to output #1047
• docs: fix /oauth2/token response #1538 (aeneasr)
• docs: Document prometheus API endpoint #1537 (aeneasr)
• vendor: Bump to fosite 0.29.7 #1517 (aeneasr)
• all: add cockroachdb support #1348 (lopezator)

Fixed bugs:

• Could not migrate from os10-os12 #1502
• RP-Initiated Logout doesn't work #1546
• No rule to make target 'init'. #1507
• sdk: Upgrade swagger and resolve PHP SDK issues #1535 (aeneasr)
• driver: Fix migration plan output #1504 (aeneasr)

Closed issues:

• Panic in Kubernetes when using DSN from Secret #1545
• git.apache.org/thrift.git is moved #1539
• Invalid namespace for PHP SDK #1532
• Suggestion: Continuous Fuzzing #1530
• Invalid request error following the tutorial #1515
• make sdk does not work #1508
• Desired documentation points to not found page #1498
• Go sdk as a separate go module #1497
• cmd: Difficult to understand Swagger Errors #1492
• Configuration docs link is incorrect in hydra serve --help #1486
• oauth2/token issue #1484
• jwk: Delete a JWK endpoint deletes a JWK set when dsn is memory #1473
• test: Add consent revokation to e2e testing #1389

Merged pull requests:

• driver: Fix RP-Initiated Logout trailing slash bug #1552 (solodynamo)
• SDK: enrich oauth2_token_response and params #1551 (tyaps)
• Update README.md #1549 (woojtek)
• Build(deps): Bump mixin-deep from 1.3.1 to 1.3.2 in /test/e2e/oauth2-client #1548 (dependabot[bot])
• Remove stray fmt.Printf #1547 (aeneasr)
• Build(deps): Bump eslint-utils from 1.3.1 to 1.4.2 #1544 (dependabot[bot])
• #1539 FIXED #1540 (GSokol)
• docs: Updates issue and pull request templates #1536 (aeneasr)
• vendor: Fix SQL-regression caused by go 1.12.7 #1534 (aeneasr)
• Consent: deduplicate user authenticated clients during logout. #1531 (genchilu)
• docs: Clean up readme #1526 (aeneasr)
• docs: Updates issue and pull request templates #1525 (aeneasr)
• docs: Updates issue and pull request templates #1523 (aeneasr)
• docs: Updates issue and pull request templates #1522 (aeneasr)
• doc: Add adopters placeholder #1521 (aeneasr)
• Update libraries and 3rd parties section #1518 (max-koehler)
• Build(deps): Bump extend from 3.0.1 to 3.0.2 #1514 (dependabot[bot])
• docs: Updates issue and pull request templates #1513 (aeneasr)
• Build(deps): Bump jackson-version from 2.8.9 to 2.10.0.pr1 in /sdk/java/hydra-client-resttemplate #1505 (dependabot[bot])
• docs: Updates issue and pull request templates #1500 (aeneasr)
• Improve OAuth2 API Docs #1499 (aeneasr)
• Fix wrong command name #1496 (shankardevy)
• cmd: Print meaningful error messages on network issues #1493 (aeneasr)
• Build(deps): Bump lodash from 4.17.11 to 4.17.14 in /test/e2e/oauth2-client #1491 (dependabot[bot])
• Fixed typoe. Not -c but --config #1489 (herrjemand)
• cmd: Use commit hash instead of version for link to config #1488 (aeneasr)

v1.0.0 (2019-06-24)

Full Changelog

Implemented enhancements:

• consent: Login and consent request challenge should be sent as query parameter #1307
• Empty subject not validated during login/consent #1254
• consent: Remember logic confuses developers #1165
• Allow for insecure redirect URI for development #1021
• consent: Share session state between login and consent #1003
• Allow logging out and deleting a single session cookie #970
• consent: expose a list of all clients authorized by a user #953
• client: Improve and DRY validation in handler #909
• Extend status page to check dependencies. #887
• oauth2: Revoke previous and future access tokens when revoking a token #884
• consent: Add endpoint to revoke authentication and consent sessions #856
• oauth2: Consider implementing OIDC Session Management #834
• oauth2: Allow multiple audience claims on ID token #790
• cmd: Add cli helper for importing and exporting environments (clients, policies, keys) #699
• oauth2: Revoke access and refresh tokens when authorization code is used twice #693
• OpenID Connect Certification #689
• oauth2: Reintroduce audience claim #687
• cli/clients: allow to import multiple clients with one file #388
• Importing a client should fail when an unrecognized field is found #357
• oauth2: allow token revocation without knowing the token (i.e. per user) #304
• consent: Move to query parameters #1375 (aeneasr)
• cmd: Add resilience to CLI REST commands #1359 (aeneasr)
• client: Improve handling of legacy id field #927 (aeneasr)
• ci: Automatically pushes docs to website #784 (aeneasr)

Fixed bugs:

• cmd: hydra token client no longer seems to be using basic auth #1439
• consent: Regression causes login to skip remember on consecutive calls #1409
• jwk: Remove duplicates from jwks list #1408
• nil pointer panic on /oauth2/sessions/logout without id token hint #1403
• Missing /.well-known/jwks.json endpoint #1349
• Call to consent accept/reject for a second time gives error #1256
• Scope value double-escaping? #1201
• client: Improve error messages from managers #976
• 500 error returned on GET /clients/{id} when client doesn't exist #903
• oidc_context empty #900
• consent: Duplicate row error should return a better error message #880
• metrics: Properly handle metrics log messages #833
• id_token not returned after request at the /oauth2/token endpoint using the refresh_token #794
• oauth2: Fix swagger documentation for oauth2/token #1284 (aeneasr)
• jwk: Auto-remove old keys when upgrading from < beta.7 #925 (aeneasr)
• consent: Propagates oidc_context to consent request #901 (aeneasr)

Closed issues:

• Why is my BCrypt benchmark slower than CircleCI's? #1478
• Low RPS on BCrypt-secured enpoints #1477
• Support different read/write database URLs #1475
• id\_token\_hint should be optional on end\_session\_endpoint #1472
• The Hydra can't recovery the readiness status in k8s #1471
• oauth2: BCrypt hashs inputs (passwords) of maximum of 72 bytes, limiting OAuth 2.0 Client Secret length #1438
• health: Check if and why the health endpoint returns a HTTPS response #879
• consent: Investigate if failure during consent should cause session to be revoked #854
• cmd: Deprecate hydra connect and replace with per-command flags and environment variables #840
• docs: Add limitations section #839
• Does warden groups work with internal Hydra APIs? #823

Merged pull requests:

• jwk: Fix memory mamager of JWK deletion #1474 (sawadashota)
• cmd: Add missing html closing tag to token user #1479 (aeneasr)
• sdk: Fix missing and broken swagger annotations #1440 (aeneasr)
• fix fallback routes and templates #1402 (MDrollette)
• oauth2: Allow whitelisting insecure redirect URLs #1354 (aeneasr)
• consent: Use query parameters for challenges #1351 (aeneasr)
• Resolve sql testing race issues #1332 (aeneasr)
• Remove opencollective from package.json #1324 (DASPRiD)
• docker: update docker-compose to v3 + docker-compose files refactor #1323 (lopezator)
• cmd: Add client secret encryption option #1322 (sawadashota)
• config: Improve configuration and service management #1314 (aeneasr)
• oauth2: Resolves client secrets from potentially leaking to the database in cleartext #820 (aeneasr)

v1.0.0-rc.16 (2019-06-13)

Full Changelog

Closed issues:

• Benchmark link is broken in README.md #1465
• hydra fails to connect mysql server #1463
• What's the deal with LICENSE.txt in the 64-bit linux tarball? is this open source or not? #1462
• The hydra can't handle the DB username with "@" character #1460
• pq: operator does not exist: character varying =? #1457
• Slow MySQL query #1454
• Support Jaeger Tracing with Istio and Kubernetes #1447
• Incorrect namespace for PHP SDK #1443

Merged pull requests:

• Remove binary license #1470 (aeneasr)
• docker: Run as non-root user #1469 (aeneasr)
• sdk: Update SDKs and fix PHP namespace #1468 (aeneasr)
• mod: Update ory/x to 0.0.63 #1467 (aeneasr)
• mod: Update to ory/x 0.0.61 #1466 (aeneasr)
• docs: Add a link to Identity Provider "Werther" to community projects #1464 (nikolaas)
• cmd: Add option to disable access log for health endpoints #1458 (hypnoglow)
• tracing: Add support for B3 headers via the JAEGER_PROPAGATION env var #1456 (ptescher)

v1.0.0-rc.15 (2019-06-05)

Full Changelog

Closed issues:

• level=fatal msg="Unable to instantiate service registry." error="no driver is capable of handling the given DSN" #1455
• Display / as RegistrationEndpoint in spite of undefined #1448

Merged pull requests:

• cli: Use go templates in token user #1461 (aeneasr)
• docs: Fix link to system secret rotation #1459 (sawadashota)
• Build(deps): Bump jackson-version from 2.8.9 to 2.9.9 in /sdk/java/hydra-client-resttemplate #1453 (dependabot[bot])
• docs: Updates issue and pull request templates #1452 (aeneasr)
• docs: Updates issue and pull request templates #1451 (aeneasr)
• docs: Updates issue and pull request templates #1450 (aeneasr)
• oauth2: Don't show registration_endpoint if config is undefined #1449 (sawadashota)
• feat: support default jaeger environment variables #1442 (shaxbee)

v1.0.0-rc.14 (2019-05-18)

Full Changelog

Closed issues:

• Logout REST API and documentation mismatch #1435
• client, consent: rethink pagination #1434
• Unix socket ignores first part of the uri #1433
• .well-known/openid-configuration endpoint swapped values #1420
• Feature request: CockroachDB support #990

Merged pull requests:

• ci: Resolve goreleaser issues #1445 (aeneasr)
• ci: Update release pipeline #1444 (aeneasr)
• mod: Update module definitions #1441 (aeneasr)

v1.0.0-rc.12 (2019-05-10)

Full Changelog

Implemented enhancements:

• cmd: add the post logout redirect uris flag to the clients create command #1426

Closed issues:

• Invalid namespace on composer.json #1429
• CORS No 'Access-Control-Allow-Origin' header is present #1421
• client_secret_basic fails when client_secret is auto-generated #1419

Merged pull requests:

• Fixed composer namespace #1431 (MASNathan)
• sdk: Remove go sdk submodule #1430 (aeneasr)
• Swapped handlers to match correct values #1428 (MASNathan)
• cmd: allow to set the client's post-logout URIs #1427 (aberasarte)
• sdk/go: Add go.mod definition in sdk directory #1425 (aeneasr)
• driver: Fix broken cors option test #1423 (aeneasr)

v1.0.0-rc.11 (2019-05-02)

Full Changelog

Closed issues:

• jwk: Remove duplicates from jwks list #1413
• Help message for migrate sql is unclear regarding source of database URL. #1411
• Documentation is incorrect for some admin URLs #1410
• Accept login request 404s #1406
• Audience is not set on access tokens #1405
• cors: Apply sane defaults for cors #1400
• sql: insert/update statements are slow on MySQL 8.0.x #1397

Merged pull requests:

• docs: Updates issue and pull request templates #1432 (aeneasr)
• consent: Resolve nil pointer panic in logout flow #1418 (aeneasr)
• cors: Use sane default settings for CORS options #1417 (aeneasr)
• config: Remove duplicates JWKS IDs from wellknown config #1416 (aeneasr)
• consent: Do not confirmLoginSession when skip is true (#1414) #1415 (aeneasr)
• Do not confirmLoginSession when skip is true to prevent remember reset to false #1414 (saadtazi)
• Fix migrate SQL command message regarding config file. #1412 (dkushner)
• ttl is a top-level config value #1407 (MDrollette)
• docs: Add OIDC FC/BC changes to upgrade guide #1401 (aeneasr)

v1.0.0-rc.10 (2019-04-29)

Full Changelog

Implemented enhancements:

• cmd: Add plans to migrations #1139
• docker: Investigate adding entrypoint.sh #1108
• client: Whitelist logout redirect URL per client #1004
• cmd: Remove notice about BETA in OAUTH2_ACCESS_TOKEN_STRATEGY #946

Closed issues:

• [Question] What is the correct way to run hydra token client CLI command ? #1396
• /.well-known/jwks.json output wrong keys #1395
• go sdk is broken in rc9 #1388
• CORS for public is disabled? #1387
• Class naming inconsistent in swagger comment to cause swagger generated sdk could not be built on case sensitive os. #1384
• Outdated hydra PHP composer package #1382
• Add support for ACME TLS Certificates #1378
• SDK documentation dissapeared #1377
• Access Tokens JWT signed with ID Token key when AcessTokenStrategy is JWT #1371
• /.well-known/jwks.json only returns OpenIDConnect keys when strategy is JWT #1369
• Introduce e2e testing using cypress #1368
• how to get userinfo #1367
• Unable to test silent refresh in local development #1364
• Memory leak with jaeger tracing enabled #1363
• docs: Are refresh tokens introspectable or not? #1250

Merged pull requests:

• docker: Remove full tag from build pipeline #1399 (aeneasr)
• docker: Update jaeger tracing docker compose file #1398 (aeneasr)
• sdk: Ignore sdk directory when generating OA spec #1394 (aeneasr)
• Resolve several minor issues #1393 (aeneasr)
• Improve e2e test performance #1392 (aeneasr)
• consent: Allow prompt=none for public clients #1391 (aeneasr)
• sdk: Make clear that refresh tokens are introspectable #1390 (aeneasr)
• README.md: Fix contributors link #1385 (mkontani)
• Implement OpenID Connect Front-/Backchannel logout #1376 (aeneasr)
• oauth2: Resolve memory leak in gorilla/sessions #1374 (aeneasr)
• driver: Use proper key name when JWT is enabled #1373 (aeneasr)
• cmd: fix help text on migrate cmd #1372 (MDrollette)

v1.0.0-rc.9+oryOS.10 (2019-04-18)

Full Changelog

Implemented enhancements:

• oauth2: Support OAuth2 discovery #1127
• cli: Add retry for broken network #846

Closed issues:

• Misuse of http.Header{}.Write\(...\) #1361
• Hydra (Linux Container) on Windows docker cannot reach PostgreSQL #1360
• Migrations have stopped working on tests locally #1357
• Reenable Config Option #1344
• OpenID Connect Discovery endpoint is missing revocation_endpoint #1268
• Error: "Command failed because error occurred: invalid character 'p' after top-level value" on running hydra client create #1244
• Problem with import path for go-resty and go1.11 modules #1063

Merged pull requests:

• Fix pagination headers #1362 (kminehart)
• Pagination headers #1358 (kminehart)
• oauth2: Expose revocation endpoint at OIDC Discover #1356 (aeneasr)
• oauth2: Expose revocation endpoint at OIDC Discovery #1355 (aeneasr)
• consent: Add ability to share data from login to consent request #1353 (aeneasr)
• Add package-lock.json #1352 (aeneasr)
• driver: Initialize everything on start up #1350 (aeneasr)
• sdk: Move to go-swagger code generator #1347 (aeneasr)
• make: Introduce install-stable and install tasks #1346 (aeneasr)
• cmd: Reenable -c cli flag #1345 (aeneasr)
• docs: Fix environment variable DATABASE_URL to DSN #1343 (sawadashota)

v1.0.0-rc.8+oryOS.10 (2019-04-03)

Full Changelog

Merged pull requests:

• ci: Fix broken version info in build #1342 (aeneasr)

v1.0.0-rc.7+oryOS.10 (2019-04-02)

Full Changelog

Implemented enhancements:

• cmd: Clients list command #1310

Fixed bugs:

• Profiling doesn't log any data #1061

Closed issues:

• Rest API Logs user out by deleting the session cookie is not working #1329
• max_conns and max_idle_conns are not removed from DSN #1327
• Update docker-compose to v3 #1321
• Token user container exit after getting the access token for a single login. #1320
• cmd: Support client secret encryption at stdout #1317
• jwk: Improve key rotation #1316
• docker-compose restart value is wrong #1312
• docs: Improve Quickstart guide #1309
• Terraform Provider #1304
• ERROR: Service 'hydra-migrate' failed to build: The command '/bin/sh -c go mod download' returned a non-zero code: 1 #1298
• Invalid expiration time during introspection the token refresh #1296
• 504 Timeout when refreshing token #1295
• Website displays 0 github stars #1292
• Ambiguous Dockerfile versions #1289
• flush endpoint throw error #1288
• Redirect url is not getting the access token and refresh token when changed. #1287
• How to store my access token in the browser storage? #1286
• Consent /reject without error data will always return an invalid_request error #1285
• Support multi proxies between TLS termination proxy and hydra #1282
• Is the hydra security console open source? #1281
• CSRF value not present in session cookie in ory hydra login flow #1280
• Log readiness and liveness routes in debug log level #1278
• oAuth calls failing with 404 not found #1276
• Not Generating other token #1275
• Help needed for API endpoints #1274
• CI: cannot install gometalinter at CircleCI #1272
• CVE-2019-6486 - DoS vulnerability in the crypto/elliptic implementations #1270
• Website caveat #1269
• sql: Unable to connect to database URL with special chars in username/password #1266
• localhost https bug x-forward-proto is back #1265
• Granted audience not set in OIDC token #1264
• CI: can't load package github.com/stretchr/testify v1.3.0 #1261
• Revoking consent session breaks database #1255
• Deployment on Heroku #1253
• oauth2: token introspection does not work #1252
• Support fosite delegated transactions in SQL storage #1247
• Refresh token not works properly #1246
• Error : The "redirect_uri" parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls #1245
• Feature request: Service account #1221
• DX: Easily support different workflows by sharing compose configurations #1196
• cmd: Replace checkDependency with privates & getter/setter #1121
• Replace gox and ghr with goreleaser #1107

Merged pull requests:

• Improve release pipeline and update changelog #1341 (aeneasr)
• ci: Improve release build pipeline #1340 (aeneasr)
• ci: Resolve dirty release issue #1339 (aeneasr)
• ci: Move scoop and homebrew to new repos #1338 (aeneasr)
• ci: Execute e2e tests immediately #1337 (aeneasr)
• ci: Improve cci workflow #1336 (aeneasr)
• ci: Remove pure git tag from docker release #1335 (aeneasr)
• ci: Use oryOS naming topology for docker release #1334 (aeneasr)
• consent: Login revokation is exposed at public not admin #1333 (aeneasr)
• ci: Fix broken configuration docs task #1331 (aeneasr)
• Add shell installer to repo for curl | bash #1330 (aeneasr)
• Default Remember to false in payloads with skip #1325 (kminehart)
• Prevent errors when calling HandleConsentRequest a second time #1318 (kminehart)
• docker: Bump Golang to 1.12.1 #1315 (sawadashota)
• 5min-tutorial: fix docker-compose wrong restart values #1313 (lopezator)
• cmd: Add clients list command #1311 (sawadashota)
• Add check for empty subject in AcceptLoginRequest #1308 (kminehart)
• cmd: Fix no-open inverted flag check #1306 (RomanMinkin)
• cmd: Fix description of clients create --subject-type option #1305 (sawadashota)
• circleci: disable modules support temporarily when fetching a tool #1302 (aaslamin)
• Return the expiration time of the token, depending on its type, on the endpoint of introspection. #1300 (pr0head)
• Fix 1285 #1297 (kminehart)
• docker: Bump golang to 1.12.0 #1293 (sawadashota)
• docker: Bump alpine version #1291 (sawadashota)
• cmd: Add --allowed-cors-origins to client create. #1290 (jgiles)
• config: Support multi proxies between TLS termination proxy and hydra #1283 (sawadashota)
• docs: Update docs how to serve with in memory database #1279 (sawadashota)
• addresses #1247 #1277 (michaelwagler)
• docker: Bump base docker image versions #1271 (sawadashota)
• vendor: Bump ory/x to 0.0.35 #1267 (aeneasr)
• Bump testify v1.3.0 #1262 (sawadashota)
• Disable RejectInsecureRequest middleware on unix sockets #1259 (jayme-github)
• Fix disable-telemetry check #1258 (jtescher)
• fix token flush CLI description #1251 (sawadashota)
• Enable to validate by old system secret #1249 (sawadashota)
• fix error message of too short NEW_SYSTEM_SECRET #1248 (sawadashota)

v1.0.0-rc.6+oryOS.10 (2018-12-18)

Full Changelog

Closed issues:

• sql: Scan error on column index 13, name "login_challenge": unsupported Scan, storing driver.Value type <nil> into type *string #1240
• Security: bump Golang version to 1.11.3 (CVE-2018-16875) #1238
• Why is the Ory Hydra Docker image nearly 1GB in size? #1237
• Feature request: Database migrations without downtime #1236
• typo in "building from source" #1235

Merged pull requests:

• docker: Bump base docker image versions #1243 (aeneasr)
• docs: Fix install guide typo GO111MOUDULE #1242 (aeneasr)
• consent: Properly declare SQL NullStrings #1241 (aeneasr)

v1.0.0-rc.5+oryOS.10 (2018-12-13)

Full Changelog

Implemented enhancements:

• Keep tests exportable #1204

Closed issues:

• Running the migrate database does not work properly #1227

Merged pull requests:

• ci: Resolve flaky test issues #1234 (aeneasr)
• README.md: Oktober typo #1233 (hisamura333)
• oauth2: Improve introspection debugability #1232 (aeneasr)
• Support binding frontend/backend to unix sockets #1230 (jayme-github)
• Fix help output of hydra serve #1229 (jayme-github)
• ci: Fix flaky sql migration tests #1228 (aeneasr)

v1.0.0-rc.4+oryOS.9 (2018-12-12)

Full Changelog

Implemented enhancements:

• client: Track when clients are created #1120
• client: Add created/updated at fields #1207 (aeneasr)

Fixed bugs:

• Unable to return consent sessions for a user #1203
• consent: Show all granted consent requests #1206 (aeneasr)

Closed issues:

• Unable to run migrate when comming from beta.7 (mysql) #1225
• Migration from beta.9 fails on google cloudsql #1224
• Service account #1220
• service account #1219
• Implement "on behalf of" flow / token exchange #1218
• Bump github.com/ory/x to v0.0.33 #1213
• OAuth2 Authorization Endpoint Doesn't Use CORS #1211
• hydra migrate sql requires superuser privileges #1209
• Accept consent flow cause bug with id_token have field in utf8 value for MySQL 5.7+ #1205
• Key rotation CLI message is unclear how to use ROTATED_SYSTEM_SECRET #1187

Merged pull requests:

• sql: Remove superuser requirements from postgres migrations #1226 (aeneasr)
• docker: Remove dep from build chain #1217 (aeneasr)
• docs: Fix broken links #1216 (aeneasr)
• ci: Use new document id in appendix #1215 (aeneasr)
• addresses #1213 by bumping github.com/ory/x to v0.0.33 #1214 (aaslamin)
• [oauth2] export tests again #1212 (someone1)
• docs: Adapt new docs id structure #1208 (aeneasr)
• Set ROTATED_SYSTEM_SECRET to old secret as speficied in docs. #1195 (prateek1192)

v1.0.0-rc.3+oryOS.9 (2018-12-06)

Full Changelog

Closed issues:

• PHP-SDK: Composer autoloading broken #1199
• sql: Unable to run migrations when coming from beta.9 #1185

Merged pull requests:

• oauth2: Use html templates in fallback endpoints #1202 (aeneasr)
• Fix #1199: Generated composer autoloader non-functional #1200 (Takuto88)
• Migrate links from old docs to new docs #1197 (techthumb)
• Fixed tutorial link in README.md #1193 (jimmystridh)
• setup: add instructions for updating the hydra-migrate service to use mysql instead of postgres #1192 (aaslamin)
• client: rename grant type authorize_code to authorization_code #1191 (sjkaliski)
• refactoring #1190 (RikiyaFujii)
• Remove duplicated refresh token section #1188 (condemil)

v1.0.0-rc.2+oryOS.9 (2018-11-21)

Full Changelog

Merged pull requests:

• sql: Resolve beta.9 -> rc.1 migration issue #1186 (aeneasr)

v1.0.0-rc.1+oryOS.9 (2018-11-21)

Full Changelog

Implemented enhancements:

• cmd: token user should be able to set up ssl #1147
• client: Deleting a client should delete all associated data too #1131
• Use -mod=vendor when building binaries / docker #1112
• Switch to go mod #1074
• CORS_ALLOWED_ORIGINS doesn't respect wildcards #1073
• consent: Add authorize code URL to consent and login response payloads #1046
• [Feature Request] Update consent tests to match oauth2/client tests #1043
• cmd/server: Export useful bootstrap function #973
• sdk: C# language SDK #958
• Opentracing tracing integration #931
• consent: Add ability to specify Access Token Audience #883
• Prepare v1.0.0-rc.1 release #1175 (aeneasr)
• vendor: Update fosite to 0.27.3 #1164 (aeneasr)
• sdk: Document userinfo as GET instead of POST #1161 (aeneasr)
• oauth2: Add audience and improve refresh flow #1156 (aeneasr)
• cmd: Improve issuer error message #1152 (aeneasr)
• oauth2: Add OAuth2 audience claim and improve migrations #1145 (aeneasr)
• Switch to go modules #1077 (aeneasr)
• cmd: Fix flaky port finder #1076 (aeneasr)
• rand: Fix flaky random test #1075 (aeneasr)

Fixed bugs:

• tracing: sql args are added as tags when they should be omitted #1181
• consent: Require proof of authentication before ending user session #1154
• oauth2: Audience is potentially not being refreshed #1153
• Hydra shut down after a race condition #1141
• oauth2: Tables oidc, code, openid, refresh are missing indices #1140
• consent: SQL field subject\_obfuscated does not have an index #1138
• Setting up a fresh hydra installation results in panic #1137
• Copy-paste error in manager_0_sql_migrations_test.go #1135
• cmd: Error message regarding IssuerURL should contain environment variable name #1133
• client: Deleting a client should delete all associated data too #1131
• CORS\_ALLOWED\_ORIGINS doesn't respect wildcards #1073
• OpenID configuration endpoint returns wrong registration endpoint #1072
• OAuth2 Token Revoke call results in 404 Not Found #1070
• Missing database indices #1067
• Use PKCE with hybrid flow #1060
• cmd: Consent timeout is currently hardcoded but environment variable exists #1057
• ACR claim not being set on id token when requested by login accept request #1032
• List all consent sessions returns 404 #1031
• Introspect endpoint reports expiration time for refresh tokens #1025
• sql: Resolve index/fk regression issues #1178 (aeneasr)
• Prepare v1.0.0-rc.1 release #1175 (aeneasr)
• consent: Ignore row count in revoke #1173 (aeneasr)
• vendor: Upgrade to fosite 0.27.4 #1171 (aeneasr)
• vendor: Update fosite to 0.27.3 #1164 (aeneasr)
• consent: Properly propagate acr value #1160 (aeneasr)
• cmd: Resolve broken wildcard cors #1159 (aeneasr)
• cmd: Resolve panic in migration handler #1151 (aeneasr)
• consent: Only fetch latest consent state #1124 (aeneasr)
• server: Instantiate PKCE after oidc #1123 (aeneasr)
• cli: Improve migrate error messages #1080 (aeneasr)
• cmd: Fix flaky port finder #1076 (aeneasr)
• cmd: Clarify HYDRA_ADMIN_URL in missing endpoint message #1018 (aeneasr)
• oauth2: Accept expired JWTs as id_token_hint #1017 (aeneasr)

Closed issues:

• Resolve regression issues related to foreign keys #1177
• DELETE /oauth2/auth/sessions/login/{user} returns 404 #1168
• How to authenticate with POST /clients endpoint #1148
• Implementation of user idel time sout #1146
• Move SQL migrations to files and improve test pipeline #1144
• cmd: Show error hint in oauth2 error view #1143
• Login time deteriorates over time #1119
• why hydra-login-consent-go didn't work, is there will have login provider and consent provider with golang? #1117
• Intro Blog source code is unreadable #1111
• consent: ignores extra claims for id and access token #1106
• Invalid_request while generate the Access token in own OAuth 2.0 server #1104
• Invalid_request while generate the Access token in own OAuth 2.0 server #1103
• Document query parameters for /oauth2/auth #1100
• PHP SDK is not PSR-4 compliant #1099
• CHALLENGE_TOKEN_LIFESPAN unused #1097
• Improve follow-up on numerous ORY repos #1093
• Run your own OAuth 2.0 Server : " Client authentication failed " #1091
• govet cmd/tooken_user.go: the cancel function returned by context.WithTimeout should be called #1090
• Enhancement: specify lifespan for refresh_token #1088
• Add at_hash claim to id_token in code flow. #1085
• Disable https://api.segment.io POST request #1083
• Move internal dependencies to ory/x #1081
• Support Kubernetes Secrets #1079
• Silent token refresh fails with "The Authorization Server requires End-User consent" #1068
• Invalid login_challenge #1065
• sql: Add auto-increment PKs #1059
• Feature: admin endpoint for deleting expired tokens #1058
• consent: Send error response if consent or login challenge is expired or invalid #1056
• consent: Add original request URL to login and consent request payloads #1055
• Fix flaky random-port generator #1054
• Fix flaky pseudo-random test #1053
• API doc: GET /userinfo works but not documented #1049
• go SDK userInfo response does not support extra claims #1048
• Issuer url is allways fallowed by / even when defined without #1041
• missing end_session_endpoint from .well-known doc #1040
• oryd/hydra:v1.0.0-beta.9 clients api return 404 #1036
• DELETE login/{user} and DELETE consent/{user} can not redirect to Login page #1035
• remember in requests/login/{challenge}/accept api cause get same subject always #1034
• Out of Band OAuth2 Authorization #1033
• [Cleanup] CORS Settings #1028
• Key rotation leads to "Could not fetch private signing key for OpenID Connect" #1026

Merged pull requests:

• More e2e tests #1184 (aeneasr)
• fix migrate sql command at upgrading guide #1183 (sawadashota)
• rc.1 release preparations #1182 (aeneasr)
• e2e: Improve e2e test pipeline #1180 (aeneasr)
• docs: Auto-generate appendix #1174 (aeneasr)
• vendor: Upgrade to fosite 0.28.0 #1172 (aeneasr)
• ci: Generate benchmarks in docus format #1170 (aeneasr)
• ci: Update release pipeline for new versioning #1169 (aeneasr)
• oauth2: Make client registration endpoint configurable #1167 (aeneasr)
• sdk: Update swagger endpoint definition #1166 (aeneasr)
• sql: Add missing indices #1157 (aeneasr)
• cmd: Add ability to specify consent and login lifespan #1155 (aeneasr)
• cmd: Add https option to token user command #1150 (aeneasr)
• cmd: Improve token user error handling #1149 (aeneasr)
• Minor bug fix in JWK sql migrations test case #1136 (jacor84)
• tracing: remove bad tracing config from docker-compose.yml #1132 (aaslamin)
• cmd: Resolve issues with secret migration #1129 (aeneasr)
• health: Register healthx.AliveCheckPath route for frontend #1128 (jayme-github)
• consent: Set fetch order to descending #1126 (aeneasr)
• cors: add options cors middleware handler #1125 (JiaLiPassion)
• ci: Check vet and fix vet errors #1122 (aeneasr)
• jwks: cors for wellknown endpoints #1118 (JiaLiPassion)
• oauth2: wellknown should use corsMiddleware #1116 (JiaLiPassion)
• tracing: add support for tracing db interactions #1115 (aaslamin)
• build: Improve build pipeline #1114 (aeneasr)
• e2e: Check for access/id token claims #1113 (aeneasr)
• sdk/js: Declare opencollective as devdep #1109 (aeneasr)
• Fix missing LoginChallenge and LoginSessionID from GetConsentRequest #1105 (jcxplorer)
• Update README - Benchmarks section #1102 (kishaningithub)
• docs: Updates issue and pull request templates #1101 (aeneasr)
• Add error response if consent or login challenge is expired #1098 (k-lepa)
• docs: Updates issue and pull request templates #1096 (aeneasr)
• Move dependencies to ory/x #1095 (aeneasr)
• docs: Updates issue and pull request templates #1094 (aeneasr)
• Add schema changes introduced to UPGRADE.md #1082 (aaslamin)
• sql: Add auto-increment PKs #1078 (aeneasr)
• tracing: use context aware database methods #1071 (aaslamin)
• Add missing indices to resolve #1067 #1069 (aaslamin)
• change go-resty import path for gopkg.in/resty.v1 #1064 (pierredavidbelanger)
• fosite: bump to version 0.24.0 with associated code changes #1062 (someone1)
• Bump fosite version to 0.23.0 + New tracing instrumented Hasher #1052 (aaslamin)
• Fix swagger #1045 (pierredavidbelanger)
• client: fix test to pass non-nil context #1044 (someone1)
• Bump fosite version and integrate breaking changes #1042 (aaslamin)
• two littles things that bugs me when I compile or run tests #1039 (pierredavidbelanger)
• cmd: Do not echo secrets if explicitly set #1038 (aeneasr)
• propagate context through to the sql store #1030 (aaslamin)
• consent: Add SessionsPath const #1027 (someone1)
• Use latest version of sqlcon #1024 (davidjwilkins)
• cmd/server: Export Handler bootstrap functions (#973) #1023 (someone1)
• Add support for distributed tracing #1019 (aaslamin)

v1.0.0-beta.9 (2018-09-01)

Full Changelog

Implemented enhancements:

• Duplicate entry error for second consent request #1007
• cmd: Print version when booting up #987
• client: client specific CORS settings #957
• sql: jsonb support for postgres #516
• client: filter oauth2 clients by field through REST API #505
• cmd: Allow SYSTEM_SECRET key rotation #73
• consent: Forward session and login information #1013 (aeneasr)
• jwk: Add ability to rotate SYSTEM_SECRET #1012 (aeneasr)
• vendor: Upgrade sqlcon to 0.0.6 #1008 (aeneasr)
• cmd: Use viper for cors detection #998 (aeneasr)
• cmd: Disable CORS by default #997 (aeneasr)
• cmd: Add version to banner #995 (aeneasr)
• sdk: Add new methods to SDK interface #994 (aeneasr)

Fixed bugs:

• Client creation gives incorrect error message #1016
• oauth2: id_token_hint should work with expired ID tokens #1014
• cors: Don't automatically auto-allow CORS #996
• Use ID_TOKEN_LIFESPAN when doing refresh #985
• MySQL/MariDB broken on default Debian installations #377
• cmd: Disable CORS by default #997 (aeneasr)
• consent: Populate consent session with default values #989 (aeneasr)

Closed issues:

• cmd: Replace cors fork with upstream #1010
• Auth State mismatch. URL Double Encoding #1005
• Can not remember consent because no user interaction was required with resp['skip'] false #999
• invalid if condition about SubjectTypesSupport #992
• sdk: add oauthapi functions to golang interface #991
• After redirecting from consent -- runtime error: invalid memory address or nil pointer dereference #988

Merged pull requests:

• consent: migrate to test helpers [closes #1043] #1051 (someone1)
• docker: Update compose definitions #1020 (aeneasr)
• config: Fix use of uninitialized logger #1015 (vHanda)
• cmd: Replace aeneasr/cors with rs/cors #1011 (aeneasr)
• oauth2: Enable client specific CORS settings #1009 (aeneasr)
• oauth2: Resolve broken expiry when refreshing id token #1002 (aeneasr)
• Delete Procfile #1001 (MOZGIII)
• Fix serve all cmd in docker files #1000 (condemil)
• cmd: Public subject type should cause public id alg #993 (aeneasr)
• config: disable plugin backend through 'noplugin' tag #986 (glerchundi)

v1.0.0-beta.8 (2018-08-10)

Full Changelog

Implemented enhancements:

• vendor: Upgrade to MySQL 1.4 driver #965
• oauth2: abstract oauth2/handler JWT Strategies #960
• oauth2: Support for Pairwise Subject Identifier Type #950
• [Enhancement/Proposal] Update Plugin System #949
• The JWK api should be able to export .pem #175
• cmd: Add flags for new client fields in create #939
• client: Deprecate the public flag #938
• client: Clarify error message regarding client auth method #936
• cmd: Add option to specify new oidc parameters in client #935
• consent: Obtain previously selected scopes #902
• oauth2: allow issuing of JWT access tokens #248
• oauth2: Add scope to introspection test suite #941 (aeneasr)
• consent: Add logout api endpoint #984 (aeneasr)
• sdk: Upgrade superagent to 3.7.0 #983 (aeneasr)
• vendor: Upgrade to latest sqlcon #975 (aeneasr)
• oauth2: Refactor JWT strategy #972 (someone1)
• oauth2: Removes authorization from introspection #969 (aeneasr)
• oauth2: Support for Pairwise Subject Identifier Type #966 (aeneasr)
• cmd: Introduce public and administrative ports #963 (aeneasr)
• oauth2: Adds JWT Access Token strategy #947 (aeneasr)
• oauth2: Improve token endpoint authentication error message #942 (aeneasr)

Fixed bugs:

• oauth2: error_hint, error_debug are not shared when redirect fails #974
• oauth2: Introspect response is empty when active is false. #964
• consent: MemoryManager should return errNoPreviousConsentFound when no previous consent was found #959
• consent: Auth session should check for pkg.ErrNotFound, not sql.ErrNoRows #944
• sdk: Add AdminURL and PublicURL to configuration #968 (aeneasr)
• cmd: Introduce public and administrative ports #963 (aeneasr)
• consent: Properly identify revoked login sessions #945 (aeneasr)

Closed issues:

• Refresh token and access token share same lifetime #955
• Id_token_hint doesn't work as expected #951
• consent: Check if helper rejects unknown JSON fields #940
• Unable to specify a custom claim to hydra #937
• [HTTP API] get /version returns empty #934
• Expose administrative APIs at a different port (e.g. 4445) #904

Merged pull requests:

• client: Improve memory manager error messages #978 (aeneasr)
• consent: Add ListUserConsentSessions to OAuth2API interface #977 (clausdenk)
• docker: Update .dockerignore #967 (aeneasr)
• cli: fix reporting of epected vs. received status codes #961 (rjw57)
• all: Introduce database backend interface and update plugin system an… #956 (someone1)
• Add api endpoint to list all authorized clients by user #954 (kingjan1999)
• Use spdx expression for license in package.json #952 (kingjan1999)
• Improve client API compatibility with oidc dynamic discovery #943 (aeneasr)
• oauth2: Share error details with redirect fallback #982 (aeneasr)
• cli: Print "active:false" when token is inactive #981 (aeneasr)
• consent: Return proper error when no consent was found #980 (aeneasr)
• vendor: Upgrade sqlcon to 0.0.5 #979 (aeneasr)

v1.0.0-beta.7 (2018-07-16)

Full Changelog

Implemented enhancements:

• Panic when calling oauth2/auth/sessions/consent/{user} or oauth2/auth/sessions/consent/{user}/{client} #928

Fixed bugs:

• Panic when calling oauth2/auth/sessions/consent/{user} or oauth2/auth/sessions/consent/{user}/{client} #928

Closed issues:

• migration 0.11.10 > 1.0 : did you forget to run hydra migrate sql" or forget to set the SYSTEM_SECRET #926
• ClientID property is ignored when creating a new OAuth2 Client #924
• The CSRF value from the token does not match the CSRF value from the data store #923
• Which version is stable? #922
• JSON Web Key Store default keys broken after upgrading to beta.6 #921

Merged pull requests:

• Document that ORY Hydra is OpenID Certified #933 (aeneasr)
• cmd: Show error when loading x509 cert fails #932 (aeneasr)
• Allow cookie without max age #930 (BastianHofmann)
• cmd: Check dependencies are defined before instantiation #929 (aeneasr)
• README: fix docker linux link #920 (philips)

v1.0.0-beta.6 (2018-07-11)

Full Changelog

Implemented enhancements:

• jwk: improve JWK tests #588
• warden: endpoint should only require valid client, not policy based access control #121
• cmd: CLI should be able to import PEM keys to JWK store #98

Fixed bugs:

• migration 0.9.x -> 1.0: sector_identifier_uri contains null values #918

Closed issues:

• Hydra version 0.11.13-alpine break cli #917
• docs: disallow secrets from docs/tutorials in production mode #573

Merged pull requests:

• client: Fix sql migration step for oidc #919 (aeneasr)
• cmd: Allows import of PEM/DER/JSON encoded keys #916 (aeneasr)

v1.0.0-beta.5 (2018-07-07)

Full Changelog

Implemented enhancements:

• cmd/server: Die when system secret is in wrong format #817

Fixed bugs:

• Public and private key pair fetched from store does not match #912

Closed issues:

• go get return error #913
• Can't create clients using the CLI #911
• is hydra can build on window ? #910
• Let's improve the docs! #385
• Add benchmarks to documentation #161

Merged pull requests:

• consent: Adds ability to revoke consent and login sessions #915 (aeneasr)
• jwk: Tests for simple equality in JWT strategy #914 (aeneasr)
• Adds OpenID Connect Dynamic Client Registration #908 (aeneasr)
• docs: Adds link to examples repository #907 (aeneasr)
• docs: Removes obsolete issue template #906 (aeneasr)

v0.11.14 (2018-06-15)

Full Changelog

Fixed bugs:

• Missing commits between v0.11.10 and v0.11.12 #894

v1.0.0-beta.4 (2018-06-13)

Full Changelog

v1.0.0-beta.3 (2018-06-13)

Full Changelog

Implemented enhancements:

• cmd: Allows reading database from env in migrate sql #898 (aeneasr)
• Improves compatibility with OIDC Conformity Tests #873 (aeneasr)

Closed issues:

• cmd: Add flag to allow reading database url in migration command from env #896

Merged pull requests:

• ci: Stops benchmark result commit & pushes #905 (aeneasr)
• docs: Adds CI benchmarks #897 (aeneasr)
• all: Moves to metrics-middleware #895 (aeneasr)

v1.0.0-beta.2 (2018-05-29)

Full Changelog

Closed issues:

• 1.0.0-alpha.1 Release Notes #885

Merged pull requests:

• ci: Improves build toolchain #893 (aeneasr)

v1.0.0-beta.1 (2018-05-29)

Full Changelog

Implemented enhancements:

• oauth2: Revoke tokens when performing refreshing grant #889
• docs: Explicitly document in upgrade guide that hydra is no longer protected by default #888
• consent: Investigate if prompt=none should be allowed with implicit flows #866
• consent: Implement login_hint capabilities #860
• consent: Always remove session if rememberLogin=false #859
• consent: Resolve broken time out #852
• oauth2: Support max_age #851
• consent: Include id_token_hint in oidc context #850
• health: Document prometheus endpoint #844
• config: Deprecate ClusterURL, ClientID, ClientSecret #841
• oauth2: Return token type on token introspection #831
• oauth2: Support id_token_hint at authorization endpoint #826
• consent app: Restart consent flow #809
• client: Add field client\_secret\_expires\_at to create #778
• all: All JSON output/input should be using \_ instead of camelCase #777
• oauth2: Reject authorization requests for invalid scopes before redirecting to consent endpoint #776
• oauth2: Improving the consent flow design #772
• oauth2: Expire consent request on successful consent interaction #771
• health: Add ability to retrieve version (protected endpoint) #743
• Deprecate hydra policies create -f #708
• Disallow unknown JSON fields #707
• oauth2: Remember authentication and application authorization #697
• oauth2: Require consent for OAuth 2.0 public clients #692
• policy: evaluate wildcard matching strategy #580
• installer: homebrew recipe for macOS users #572
• Warden group metadata #387
• policy: search policies by subject and resource #362
• warden: check against multiple policies #264
• core: add warden context everywhere #238
• better and more e2e tests #192
• Health and test improvements #891 (aeneasr)
• Resolves various issues related to OAuth2 #890 (aeneasr)
• Improve oidc conformity #876 (aeneasr)
• sdk: Remove the need for OAuth2 credentials #869 (aeneasr)
• Minor improvements #868 (aeneasr)
• consent: Always bust auth session if remember is false #864 (aeneasr)
• oauth2: Returns token type on introspection #832 (aeneasr)

Fixed bugs:

• Incorrect CORS-related env vars parsing #886
• consent: Remove the client secret from consent/login response #878
• oauth2: ID Token must be returned in both authorize and token response in hybrid flows with response type code #875
• consent: On first prompt=none after authentication, times mismatch #874
• oauth2: Reject requests without nonce unless using the code flow #867
• oauth2: max_age fails if max_age=1 #862
• oauth2: Figure out why MySQL tests are flaky on CI #861
• oauth2: Resolve broken prompt parameter #843
• oauth2: Duplicate requests to /oauth2/token cause 500 #828
• consent app: Restart consent flow #809
• Hydra connect fails when the client secret contains "%" #631
• Health and test improvements #891 (aeneasr)
• Resolves various issues related to OAuth2 #890 (aeneasr)
• Improves OpenID Connect Conformity #882 (aeneasr)
• Improve oidc conformity #876 (aeneasr)
• cmd: Adds jwt strategy and fixes nil pointer exception #865 (aeneasr)

Closed issues:

• consent: Authentication session cookie invalidation scenarios #855
• Please support Type Definition (d.ts) for typescript. #848
• security: add HttpOnly cookie flag #847
• REST API /clients limit & offset bug #838
• Allow configuring consent URL per client #837
• Duplicate client creation results in 500 #835
• Error 1406: Data too long for column 'subject' at row 1 #829
• Hydra sdk error hydra.introspectOauth2Token is not a function #822
• Improve the lint percentage #818
• docs: Refactor examples / tutorials #810
• Moving the access control engine to Oathkeeper #807
• Can you build an identity provider with hydra or not? #789
• docker: Add image capable of loading policies/clients/jwks from an init.d directory #760
• Add PUT method for /warden/groups/:id #745
• Document that the install guide is different from the 5 minute guide #718
• Prometheus metrics #669
• docs: Port numbers from docker compose and the lengthy tutorial do not match #653
• docs: add subject + id mocks in the policy section of the swagger specs for each endpoint #614
• docs: /warden/allowed do not fully specify security parameters #565
• docs: explain oauth2 better #356
• docs: have a "running hydra in production" section #354
• docs: clarify that the consent app is responsible for implementing full OIDC #353
• docs: add auth0 seminar to docs #347
• docs: add bug bounty section to readme #84
• docs: add passport.js real-world example #83

Merged pull requests:

• vendor: Upgrades fosite dependency #892 (aeneasr)
• Minor consent improvements #881 (aeneasr)
• oauth2: Ignores JTI in userinfo #877 (aeneasr)
• oauth2: Rejects requests without nonce in implicit/hybrid #872 (aeneasr)
• Improves health endpoints and cleans up code #871 (aeneasr)
• Client secret expires #870 (zepatrik)
• Fix mysql timing bug #863 (aeneasr)
• consent: Removes stray fmt.Print #858 (aeneasr)
• Improves consent flow #857 (aeneasr)
• Resolves issues with auth_time #853 (aeneasr)
• add /health/version endpoint #845 (zepatrik)
• Deprecate connect #842 (aeneasr)
• Move policy merged #830 (aeneasr)
• [Prometheus] Add new prometheus metrics and metrics endpoint #827 (dolbik)
• 1.0.x #825 (aeneasr)
• Merge from 0.11.x #824 (aeneasr)

v0.11.12 (2018-04-08)

Full Changelog

Fixed bugs:

• sdk: PHP sdk missing from releases #781

Closed issues:

• Special characters in redirect url #819
• "Could not fetch signing key for OpenID Connect" #816

Merged pull requests:

• Resolves dep and tests issues #821 (aeneasr)
• Activating Open Collective #805 (monkeywithacupcake)
• metrics: Improves naming of traits #804 (aeneasr)
• 0.11 #796 (aeneasr)

v0.11.10 (2018-03-19)

Full Changelog

Closed issues:

• docs: Link to php sdk README is wrong #811

Merged pull requests:

• Minor code cleanup #815 (euank)
• docs: Resolves broken swagger definitions #812 (aeneasr)
• docs: Updates banner in readme #808 (aeneasr)
• Update links to discord and readme #806 (aeneasr)

v0.11.9 (2018-03-10)

Full Changelog

Implemented enhancements:

• telemetry: Add version and build info as custom dimensions #802
• docs: Adds redirects for broken guide links #798 (aeneasr)

Fixed bugs:

• docker: Build time always return time.Now() #792
• cmd: Resolves an issue with broken build time display #799 (aeneasr)
• cmd: Adds OpenID Connect refresh handler #797 (aeneasr)

Closed issues:

• docs: document difference between scopes and policies #590

Merged pull requests:

• metrics: Improves naming of traits #803 (aeneasr)
• docs: Resolves broken images and build #801 (aeneasr)
• docs: Moves documentation to new repository. #800 (aeneasr)
• all: Updates license headers #793 (aeneasr)

v0.11.7 (2018-03-03)

Full Changelog

Implemented enhancements:

• make --skip-newsletter the default #779
• group: Add pagination to group management #741
• jwk: Add pagination to jwk lists #740
• client: Add pagination to client list #739
• ConsentRequest should use time.Now().UTC() for ExpiresAt. #679
• sdk: add python sdk #639
• oauth2: Forces UTC in consent strategy #775 (aeneasr)
• client: Introduces pagination to client management #774 (aeneasr)

Fixed bugs:

• oauth2: Remove exp and iat from ID token header #787
• Don't push to coveralls in CI when PR comes from fork #782
• policy: List tests do not care about offset/limit - fix that #746

Closed issues:

• A way to skip the consent screen for certain clients (first party) #791
• Where's the tutorial? #788
• Feature Request: oauth2/token endpoint json payload option #786
• docs: Deprecate recovering root access section #756
• oauth2: Document how to make the well known endpoint public #688
• oauth2: replace redirect uri exact match with protocol/host/path match #257

Merged pull requests:

• docs: Adds automatic summary and toc generation #785 (aeneasr)
• Remove coveralls token from circleci config #783 (zepatrik)
• Update newsletter text #780 (zepatrik)
• Minor improvements to the gitbook guide #773 (aeneasr)

v0.11.6 (2018-02-07)

Full Changelog

Implemented enhancements:

• server: Add default policy for well-known/jwks.json #761
• cmd: Add newsletter info and sign up #755
• metrics: Improve metrics endpoint #742
• oauth2: Add ability to purge old access tokens #738
• jwk: refactor jwk id generation #589
• oauth2: Adds support for PKCE (IETF RFC7636) #769 (aeneasr)
• Forces unique JWK IDs and allows anonymous access to ./well-known/jwks.json #762 (aeneasr)

Fixed bugs:

• Do not show client secret when client is public in CLI #737
• oauth2: Client secret error message should be shown on creation #725
• sdk: Resolves composer license complaint #763 (aeneasr)

Closed issues:

• docker-compose encountered errors #758
• AWS Lambda Support? #749
• cmd/client: Ask for security newsletter sign up when using client side CLI #747
• oauth2: Add PKCE support #744

Merged pull requests:

• Gen php sdk #814 (pnicolcev-tulipretail)
• oauth2: Resolves possible session fixation attack #770 (aeneasr)
• docs: Fix dead link to example policy #767 (gr-eg)
• Purge tokens #766 (aeneasr)
• client: do not show/send secret when client is public #765 (zepatrik)
• fix #725 #764 (zepatrik)
• Cmd newsletter signup #759 (aeneasr)
• sdk: Generate php sdk and point php autoloader to lib folder #736 (pnicolcev-tulipretail)

v0.11.4 (2018-01-23)

Full Changelog

v0.11.3 (2018-01-23)

Full Changelog

Implemented enhancements:

• Improve telemetry module #752 (aeneasr)

Closed issues:

• possible consent session id attack? #753

v0.11.2 (2018-01-22)

Full Changelog

Fixed bugs:

• client: Returns 404 only when policy allows getting a client #751 (aeneasr)

Merged pull requests:

• oauth2: Protects consent flow against session fixation #754 (aeneasr)

v0.11.1 (2018-01-18)

Full Changelog

Implemented enhancements:

• groups: Add ability to list all groups, not just by member #729

Fixed bugs:

• Resolves issues with pagination #750 (aeneasr)

Closed issues:

• Timezone Issue with new consent flow in 0.10? #735
• policies: change effect type from string to boolean #666
• cmd: hydra connect --url should work with and without trailing slash #650

Merged pull requests:

• add a save way to get the ClusterURL and append to it #748 (zepatrik)

v0.11.0 (2018-01-08)

Full Changelog

Implemented enhancements:

• group: List groups without owner #732
• Add an alias for offline scope called offline_access #722
• oauth2: Print debug message to logs and evaluate transmitting it to clients too #715
• groups: Add ability to list all groups, not just by member #734 (aeneasr)
• sdk: Adds php registry dummy #733 (aeneasr)
• oauth2: Prints debug message to logs and evaluate transmitting it to clients too #727 (aeneasr)
• vendor: Adds offline_access scope alias #724 (aeneasr)

Fixed bugs:

• health: Should not require x-forwarded-proto #726
• health: Stop requiring x-forwarded-proto #731 (aeneasr)

Closed issues:

• variable part in the subject and resource in ladon policy to be filled by request #730
• Trailing slash redirect strips directories from path #723
• Resolve broken docker-compose tutorial guide #717
• Document external dependencies #716

Merged pull requests:

• docs: Adds documentation on third-party deps #728 (aeneasr)

v0.10.10 (2017-12-16)

Full Changelog

Implemented enhancements:

• Make scopes in hydra token client command configurable #711
• cmd: Makes scopes in token command configurable #712 (aeneasr)
• cmd: Adds a dedicated command for importing policies #709 (aeneasr)

Fixed bugs:

• Misleading error message when using the SDK #686
• sdk/go: Resolves incorrect error message #713 (aeneasr)

Closed issues:

• Docker readme, in case it is lost #719
• Keep track of version and build hash #706
• Scope is documented as hydra.groups but should by hydra.warden.groups #702
• Rename hydra policies create -f to hydra policies import #701

Merged pull requests:

• docs: Resolves issue with broken 5-minute tutorial #721 (aeneasr)
• Improves userinfo endpoint #714 (aeneasr)
• groups: Corrects group scope documentation #710 (aeneasr)

v0.10.9 (2017-12-13)

Full Changelog

Implemented enhancements:

• Reintroduce alpine based image with shell #703

Merged pull requests:

• pkg: Fixes returning nil instead of empty array in split #705 (aeneasr)

v0.10.8 (2017-12-12)

Full Changelog

Implemented enhancements:

• oauth2: Add token_endpoint_auth_methods_supported to openid-configuration #695

Closed issues:

• docs: Add introspect bc to upgrade #698

Merged pull requests:

• Reintroduces alpine based docker image #704 (aeneasr)

v0.10.7 (2017-12-09)

Full Changelog

v0.10.6 (2017-12-09)

Full Changelog

Closed issues:

• oauth2: Write test for userinfo endpoint without token and test for 401 #691

Merged pull requests:

• Improves OpenID Connect conformity #694 (aeneasr)

v0.10.5 (2017-12-09)

Full Changelog

Closed issues:

• oauth2: Support userinfo endpoint #652

v0.10.4 (2017-12-09)

Full Changelog

Merged pull requests:

• oauth2: Adds basic userinfo endpoint #690 (aeneasr)

v0.10.3 (2017-12-08)

Full Changelog

v0.10.2 (2017-12-08)

Full Changelog

v0.10.1 (2017-12-08)

Full Changelog

Implemented enhancements:

• Open source policy naming guidelines #680

Closed issues:

• docs: docker --link should be replaced by networks #555

v0.10.0 (2017-12-08)

Full Changelog

Implemented enhancements:

• docs: Improve release and breaking changes management #675
• oauth2: Make sub explicit in the database #658
• oauth2: Add access control to token introspection endpoint #655
• all: make policy resource and action names configurable #640
• Subject field #674 (aeneasr)
• Add changelog #673 (aeneasr)

Fixed bugs:

• oauth2: Token revokation should check client id before revoking tokens #676
• cli/policies: removing a policy subject adds the subject Instead #662
• jwk: Rename ES521 key generation algorithm to ES512 #651
• oauth2: Fixes clients being able to revoke any token #677 (aeneasr)

Closed issues:

• Json logging #670
• swagger: scope pattern requires a space #661
• docs: Add list of undisclosed adopters with requests ranges to readme #659

Merged pull requests:

• Update release notes and prepare 0.10.0 #685 (aeneasr)
• docs: Adds multi-tenant best practices #684 (aeneasr)
• ci: Resolves code climate issues #683 (aeneasr)
• pkg: Adds test for LogError #682 (aeneasr)
• docs: Adds ACP best practices #681 (aeneasr)
• oauth2: Requires firewall check for introspecting access tokens #678 (aeneasr)
• Makes policy resource names prefixes configurable #672 (aeneasr)
• docs: Adds consent state machine #671 (aeneasr)
• docs: Make space optional in scope regex (#661) #668 (pnicolcev-tulipretail)
• Various minor fixes #667 (aeneasr)
• telemetry: Update telemetry identification #654 (aeneasr)

v0.10.0-alpha.21 (2017-11-27)

Full Changelog

Closed issues:

• Add support for CORS #506

Merged pull requests:

• cli: Fix hydra cli adding policy subjects on subject remove #665 (jamesnicolas)

v0.10.0-alpha.20 (2017-11-26)

Full Changelog

Merged pull requests:

• cmd: Added cors support to host process #664 (aeneasr)

v0.10.0-alpha.19 (2017-11-26)

Full Changelog

Closed issues:

• Working with flask-oidc #660
• Multi stage build process removes the ability to shell into hydra container #657
• Support ES256 JWK Algo #627
• oauth2/introspect: skip omitempty in active flag #607
• oauth2: provide CWT token generation #577

Merged pull requests:

• vendor: Upgraded ladon and dockertest versions #663 (aeneasr)
• pkg: Make low entropy RSA key generation explicit in function name #656 (aeneasr)
• docs: Update hydra versions #649 (aeneasr)

v0.10.0-alpha.18 (2017-11-06)

Full Changelog

v0.10.0-alpha.17 (2017-11-06)

Full Changelog

v0.10.0-alpha.16 (2017-11-06)

Full Changelog

Merged pull requests:

• Fix static build #648 (aeneasr)

v0.10.0-alpha.15 (2017-11-06)

Full Changelog

Merged pull requests:

• docker: Make hydra executable #647 (aeneasr)

v0.10.0-alpha.14 (2017-11-06)

Full Changelog

Fixed bugs:

• sql/postgres: wherever limit/offset is used, include ORDER BY clause #619
• oauth2: fix racy memory consent manager with RW mutex #600

Merged pull requests:

• Fix racy behaviour in oauth2 memory managers #646 (aeneasr)

v0.10.0-alpha.13 (2017-11-06)

Full Changelog

Implemented enhancements:

• Would it make sense to build hydra statically #374

Merged pull requests:

• docker: Stop building from source in docker image #645 (aeneasr)

v0.10.0-alpha.11 (2017-11-06)

Full Changelog

v0.10.0-alpha.12 (2017-11-06)

Full Changelog

Closed issues:

• Add license header to all source files #643
• warden: remove obsolete http manager #616

Merged pull requests:

• Add license header to all source files #644 (aeneasr)
• cmd: require url-encoding of root client id and secret #641 (aeneasr)
• fix health link in docs #637 (DallanQ)

v0.10.0-alpha.10 (2017-10-26)

Full Changelog

Implemented enhancements:

• jwk: use cryptopasta library #629
• Feature Request: ability to list all groups #594

Closed issues:

• jwk: add es256 generator to jwk handler in master #634
• groups: add ability to list all groups to master branch #633
• travis: run genswag and gensdk before npm publish #610

v0.10.0-alpha.9 (2017-10-25)

Full Changelog

Closed issues:

• docs: followed the installation guide and was unable to get a successful consent #623
• tests: run manager tests in parallel #617

Merged pull requests:

• Changes from zvelo #636 (aeneasr)
• Dep, JWK and groups #635 (aeneasr)
• tests: run database tests in parallel #632 (aeneasr)
• Use recommendations made from cryptopasta repository #630 (aeneasr)
• Support ES256 JWK Algo #628 (joshuarubin)

v0.9.16 (2017-10-23)

Full Changelog

Closed issues:

• docs: adding policy to consent app doesn't work as resource using <.*> #621
• documentation vague regarding returned client_secret #620

Merged pull requests:

• updated links to apiary as the old ones didn't work #626 (abusaidm)
• docs: updated hydra version in the tutorial to v0.10.0-alpha.8 and consent app to v0.10.0-alpha.9 #625 (abusaidm)
• docs: fixed spelling and wording #624 (abusaidm)
• docs: fix bash command and version used in tutorial #622 (abusaidm)
• add ability to list all groups #612 (joshuarubin)

v0.10.0-alpha.8 (2017-10-18)

Full Changelog

Closed issues:

• docs: SDK for Go is actually for Node, fix this typo #615
• server.injectConsentManager doesn't use ConsentRequestSQLManager even if *config.SQLConnection exists #613

Merged pull requests:

• cmd/server: SQLConnection should load SQLRequestManager #618 (aeneasr)
• Clean up helpers and increase test coverage #611 (aeneasr)
• sdk: format js sdk and remove mock tests #609 (aeneasr)

v0.9.15 (2017-10-11)

Full Changelog

Merged pull requests:

• Support dep #606 (joshuarubin)

v0.9.14 (2017-10-06)

Full Changelog

v0.10.0-alpha.7 (2017-10-06)

Full Changelog

v0.10.0-alpha.6 (2017-10-05)

Full Changelog

v0.10.0-alpha.5 (2017-10-05)

Full Changelog

v0.10.0-alpha.4 (2017-10-05)

Full Changelog

Merged pull requests:

• travis: move deploy scripts to its own file #604 (aeneasr)
• tests: skip cpu intense jwk generation in short mode #603 (aeneasr)

v0.10.0-alpha.3 (2017-10-05)

Full Changelog

v0.10.0-alpha.2 (2017-10-05)

Full Changelog

Implemented enhancements:

• all: refactor http client endpoint logic #584
• oauth2: refresh openid connect id token via refresh_token grant #556
• oauth2: change scope semantics to wildcard #550
• warden: need endpoint that just introspects tokens #539
• sdk: client libraries for all languages #249
• core: enable usage statistics reporting #230
• core: introduce a way to test for bc breaks in datastore #193

Merged pull requests:

• travis: resolve deployment issues #602 (aeneasr)
• warden: remove deprecated http manager #601 (aeneasr)
• docs: fix sdk links #599 (aeneasr)
• travis: re-add goveralls #598 (aeneasr)

v0.10.0-alpha.1 (2017-10-05)

Full Changelog

Implemented enhancements:

• oauth2: write test for handling consent deny #597
• group: add warden tests #591
• health: remove TLS restriction on health endpoint when termination is set #586

Fixed bugs:

• cmd: policies delete says Connection \<id\> deleted instead of Policy \<id\> deleted #583

Closed issues:

• oauth2: change meaning of audience claim #595
• sdk/go: write interfaces for APIs & responses #593

Merged pull requests:

• travis: fix binary building #596 (aeneasr)
• cmd/cli: typo Connection -> Policy #592 (ljagiello)
• sdk: switch to swagger codegen sdk #585 (aeneasr)
• 0.10.0 #557 (aeneasr)

v0.9.13 (2017-09-26)

Full Changelog

Implemented enhancements:

• RFC: Refactor consent flow #578
• oauth2: remove scope parameter from introspection request #551
• "Subject claim can not be empty" error when trying to retrieve ID Token #460

Fixed bugs:

• cmd: token user no longer uses cluster url #581
• warden: do not use refresh tokens as proof of authorization #549
• Fix import path for logrus #477

Closed issues:

• Support for RFC 7636 #576
• authorization header in /oauth2/token endpoint is case sensitive #575
• DATABASE_URL=memory go run main.go host Error #571
• error on mismatch uris #569
• Relation "hydra_jwk" does not exist #568
• Freemium Crap #567
• Warden API docs do not talk about access_token #564
• When the client is run through a container, it should pick up configuration from environment #563
• Docker hub documentation showing up as HTML #562
• Allow people to configure the Hydra service using a config file. #561
• Error on go get the project #560
• Open a Patreon account #558
• GET /client/:id broken on master #538

Merged pull requests:

• health: disable TLS restriction for health check #587 (aeneasr)
• cmd: token user should use clusterurl instead of empty string #582 (aeneasr)
• vendor: update various dependencies #579 (aeneasr)
• Update to ladon 0.8.2 #570 (olivierdeckers)
• install.md: port typo #566 (rnback)
• oauth2: give meaningful hint when subject claim is empty #554 (aeneasr)

v0.9.12 (2017-07-06)

Full Changelog

Implemented enhancements:

• oauth2: use wildcards for scope strategy #552

Merged pull requests:

• warden: refresh tokens are no longer proof of authZ #553 (aeneasr)
• README.md: hydra container doesn't include bash #548 (srenatus)
• docs: fix typo in tutorial #547 (aeneasr)
• cmd/token/user: fix auth and token-url mixup #546 (aeneasr)
• docs: update docs #545 (aeneasr)

v0.9.11 (2017-06-30)

Full Changelog

Merged pull requests:

• docs: add step-by-step installation guide #544 (aeneasr)
• docs: add product teasers #543 (aeneasr)

v0.9.10 (2017-06-29)

Full Changelog

Implemented enhancements:

• cmd/host: move status info from health endpoint to another one and protect it #532

Fixed bugs:

• Decode Basic Auth Credentials #536

Closed issues:

• Cannot try tutorial install, not existing dependencies #541
• [docker-compose] ERROR: for postgresd expected string or buffer #540

Merged pull requests:

• vendor: update fosite to remove forced nonce #542 (aeneasr)
• oauth2: form-urldecode authorization basic header #537 (aeneasr)
• [DOC] Update "Build from source" section to actual state #534 (dolbik)
• cmd/host: move status info to dedicated endpoint #533 (aeneasr)

v0.9.9 (2017-06-17)

Full Changelog

Fixed bugs:

• cmd/policy/create: not exiting on error #527

Merged pull requests:

• cmd: add test for get handler #531 (aeneasr)
• cmd/policy/create: exit on error - closes #527 #530 (aeneasr)

v0.9.8 (2017-06-17)

Full Changelog

Fixed bugs:

• Updating policies may cause loss of policy data #503

Closed issues:

• oauth2: investigate panic #512

Merged pull requests:

• oauth2: resolve panic with nested at_ext and id_ext #529 (aeneasr)
• vendor: update to ladon 0.8.0 - closes #503 #528 (aeneasr)

v0.9.7 (2017-06-16)

Full Changelog

Closed issues:

• Fatal error when running docker container #525

Merged pull requests:

• cmd/server: supply admin client policy with id #526 (aeneasr)

v0.9.6 (2017-06-15)

Full Changelog

Merged pull requests:

• Db plugin connector #524 (aeneasr)

v0.9.5 (2017-06-15)

Full Changelog

Merged pull requests:

• vendor: upgrade ladon to 0.7.7 #523 (aeneasr)

v0.9.4 (2017-06-14)

Full Changelog

Merged pull requests:

• cmd: resolve issuer test issue #522 (aeneasr)
• all: improve test exports #521 (aeneasr)
• docs: start writing faq from gitter #504 (aeneasr)

v0.9.3 (2017-06-14)

Full Changelog

Closed issues:

• Generating Client ID/Secret in >= 0.8.0 #517
• Could not gracefully run server #513
• authorize_code without password #511

Merged pull requests:

• metrics: resolve potential data race #520 (aeneasr)
• Fix warden docs #519 (aeneasr)
• all: export test helpers #518 (aeneasr)
• oauth2: add tests for refresh token grant #515 (aeneasr)
• oauth2: use issuer-prefixed auth URL in challenge redirect #509 (wyattanderson)
• cmd: resolve failing test #501 (aeneasr)

v0.9.2 (2017-06-13)

Full Changelog

Merged pull requests:

• cmd/server: print full error message on http startup #514 (aeneasr)

v0.9.1 (2017-06-12)

Full Changelog

Merged pull requests:

• client: export tests #510 (aeneasr)
• metrics: improve metrics #508 (aeneasr)
• cmd: add auto migration image #502 (aeneasr)

v0.9.0 (2017-06-07)

Full Changelog

Implemented enhancements:

• cmd/cli: add flag for X-Forwarded-Proto for faking https termination #349
• metrics: add metrics and telemetry package #500 (aeneasr)

Fixed bugs:

• warden/group: investigate missing transaction rollback in group manager #462
• policies: validate conditions and return error instead of silently dropping them #350

Closed issues:

• Headers should be case-insensitive #496
• docs: add FAQ on missing migrate in docker image #484
• docs: include oauth2 example #358
• warden: allow scopes in policies #330

Merged pull requests:

• sdk: add simple example of hydra sdk #499 (aeneasr)
• docs: add FAQ on missing migrate in docker image #498 (aeneasr)
• vendor: upgrade to ladon 0.7.4 - closes #350 #497 (aeneasr)
• docs: add scopes to oauth2 #495 (aeneasr)
• warden/group: add rollback to transactions #494 (aeneasr)

v0.8.7 (2017-06-05)

Full Changelog

Implemented enhancements:

• oauth2: add possibility for denying consent requests #400
• oauth2: allow redirection to client if consent was denied #371

Fixed bugs:

• Introspection endpoint responds with 401 on invalid payload token #457

Closed issues:

• Allow configuration of DB\_HOST, DB\_PASS, DB\_USER, DB\_NAME separately. #480

Merged pull requests:

• all: implement --fake-tls-termination flag #493 (aeneasr)
• oauth2/introspect>: resolve 401 on invalid token #492 (aeneasr)
• client/manager_sql: return an empty slice if string is empty #491 (faxal)

v0.8.6 (2017-06-05)

Full Changelog

Implemented enhancements:

• Assign clients different consent urls #378

Fixed bugs:

• Creating policies via the CLI does not populate the 'description' field #472
• Missing "iss" field from /oauth2/introspect response #399
• client: getting a non-existing client raises 500 instead of 404 #348

Closed issues:

• Libraries version problem, build break. #481
• oauth2: update to latest fosite which removed implicit storage #468
• Unable to set Public flag to false #463
• oauth2: allow client specific token TTLs #428
• docs: hint at health check #355
• Hydra URLs mounted to a subpath #352
• oidc: hydra as federated user auth for AWS Console/API #315
• jwk: when retrieving a key, stray request missing a subject 403 #271

Merged pull requests:

• oauth2/introspect: send issuer in introspection #490 (aeneasr)
• oauth2: allow redirection to client if consent was denied #489 (aeneasr)
• docs: add health check to swagger and resolve swagger issues #488 (aeneasr)
• jwk/handler: nest ac check and resolve stray log message #487 (aeneasr)
• pkg/errors: make ErrNotFound return a status code #486 (aeneasr)
• cmd/policies: description is a string field, not slice #485 (aeneasr)
• Vendor update #483 (aeneasr)
• vendor: update to latest versions #482 (aeneasr)
• client/manager: remove merging of stored and updated client #478 (faxal)
• Fix Swagger for Warden Groups #476 (pbarker)

v0.8.5 (2017-06-01)

Full Changelog

Fixed bugs:

• max_conns and max_conn_lifetime breaks db.Ping #464
• cmd/server: resolve gorilla session mem leak - closes #461 #475 (aeneasr)

Closed issues:

• Container is not Running #474
• Random periodic crashes #461

Merged pull requests:

• fix spelling of challenge #471 (sstarcher)
• oauth2: remove unused implicit grant storage #469 (aeneasr)

v0.8.4 (2017-05-24)

Full Changelog

Closed issues:

• Kubernetes Helm chart #430

Merged pull requests:

• config: connect to cleaned DSN #470 (aeneasr)
• docs: hint to kubernetes helm chart - see #430 #467 (aeneasr)
• Improve documentation #466 (aeneasr)

v0.8.3 (2017-05-23)

Full Changelog

Implemented enhancements:

• http: harden http server for public net #334

Fixed bugs:

• config: remove sql control parameters from dsn before connecting #465 (aeneasr)

Closed issues:

• Listing policies not working with database #458
• go install github.com/ory/hydra Fails to compile #456
• Challenge claims redirect http instead of https #455
• core/store: document aes gcm nonce limitation #76

Merged pull requests:

• Policy Fix #459 (pbarker)

v0.8.2 (2017-05-10)

Full Changelog

Implemented enhancements:

• Missing kid parameter in ID token header #433
• no /.well-known/openid-configuration endpoint implementation #379

Merged pull requests:

• Add Key Id to Header #454 (pbarker)
• cmd: improve error message for when database tables are missing #453 (aeneasr)
• Wellknown #427 (pbarker)

v0.8.1 (2017-05-08)

Full Changelog

Implemented enhancements:

• cmd: database migrations should not be run automatically but have a cmd instead #444
• all: move herodot to ory/herodot #436

Fixed bugs:

• cmd: token client fails in ci sometimes #443

Closed issues:

• all: deprecating rethinkdb and redis support #425
• oauth2: consent anti-csrf token should be forcefully removed #367

v0.8.0 (2017-05-07)

Full Changelog

Closed issues:

• Refresh token doesn't work #449

Merged pull requests:

• ✏️ minor grammar typo #452 (therebelrobot)
• Add example about securing the consent app #450 (matteosuppo)
• Allow setting SkipTLSVerify Option value #448 (faxal)
• 0.8.0: Towards production friendliness #445 (aeneasr)

v0.7.13 (2017-05-03)

Full Changelog

Implemented enhancements:

• ui: implement a basic management interface with react for oauth2 client, jwk, social connections and others #215

Fixed bugs:

• herodot: resolve issue with infinite loop caused by certain error chain #441
• "Could not fetch signing key for OpenID Connect" #439
• vendor: upgrade fosite to resolve regression issue #446 (aeneasr)

Closed issues:

• Peculiar EOF instead of response from the introspect endpoint. #368

Merged pull requests:

• Add Auth0 to sponsor section #435 (aeneasr)

v0.7.12 (2017-04-30)

Full Changelog

Fixed bugs:

• herodot: resolve issue with infinite loop caused by certain error chain #442 (aeneasr)

Closed issues:

• Freeze dependencies #437

v0.7.11 (2017-04-28)

Full Changelog

Closed issues:

• Mismatch between library versions #434
• Data Passthrough to IDP #431
• Api protection #429
• Gitter.im or irc channel #426
• Outdated fosite #424
• oauth2: resource owner password credentials proposal #214

Merged pull requests:

• vendor: resolve issues with glide lock file #438 (aeneasr)

v0.7.10 (2017-04-14)

Full Changelog

Closed issues:

• Build instructions from Readme fail #420
• API error (500) during tests #419
• Uname in session #418
• Resource owner password credentials grant #417
• ory vs ory-am #414
• Cockroachdb support #413
• Small doc error #411
• Rest API documentation not working #410

Merged pull requests:

• Remove uname references from docs #423 (matteosuppo)
• vendor: update common and ladon dependencies #422 (aeneasr)
• docs: resolve broken build instructions in readme - closes #420 #421 (aeneasr)
• Dropping brackets in Create Client example #415 (pbarker)
• Update bash command in tutorial #412 (pbarker)
• Update README.md #409 (joelpickup)
• docs: changes apiary url to current version #407 (aeneasr)

v0.7.9 (2017-04-02)

Full Changelog

Closed issues:

• Flow Using Curl help (token auth) #405
• Add support to mongodb #401

Merged pull requests:

• Updated ladon version in glide.lock #404 (ericalandouglas)
• oauth2: fix typo #403 (maximesong)

v0.7.8 (2017-03-24)

Full Changelog

Implemented enhancements:

• sdk: add consent helper #397
• Transition Dockerfile to Alpine Linux #393
• redirect_uri domains are case-sensitive #380
• Per-client consent URLs #351
• sdk: add consent helper - closes #397 #398 (aeneasr)
• docs: add example policy for consent app signing #389 (aeneasr)

Fixed bugs:

• cli handler_groups type error? #383

Closed issues:

• oauth2: token introspection fails on HTTP without dangerous-force-http #395
• Create User based on access token provided by Social Provider #394
• investigate why import from json fails #390
• gitter link doesn't work #386
• Possible security bug in warden/group package #382
• relation "hydra_client" does not exist (postgres) #381
• Native login support #375
• Request denied by default #373

Merged pull requests:

• docker: reduce docker image size #396 (aeneasr)
• Added information about auth code exchange to oauth2 docs #392 (therebelrobot)
• Small typo. #391 (darron)
• all: resolve ci issues and improve readme #384 (aeneasr)

v0.7.7 (2017-02-11)

Full Changelog

v0.7.4 (2017-02-11)

Full Changelog

v0.7.5 (2017-02-11)

Full Changelog

v0.7.6 (2017-02-11)

Full Changelog

Implemented enhancements:

• sql: limit maximum open connections, document timeout options through DSN #359

Fixed bugs:

• oauth2: invalid consent response causes panic #369
• oauth2: resolve issue with cookie store #376 (aeneasr)

Closed issues:

• Can hydra be easily integrated (embedded) into any golang http application? #372

Merged pull requests:

• oauth2: invalid consent response causes panic - closes #369 #370 (aeneasr)
• Resolve issues with SQL maximum open connections #360 (aeneasr)

v0.7.3 (2017-01-22)

Full Changelog

Closed issues:

• Have Hydra store usernames linked to tokens #364
• policy: investigate potential sql connection leak #363
• crypto/bcrypt: hashedPassword is not the hash of the given password #346

Merged pull requests:

• Update fosite_store_redis.go #361 (itsjamie)

v0.7.2 (2017-01-02)

Full Changelog

Fixed bugs:

• Problems with the authorization code flow #342
• sql: deleting policies does not delete associated records with mysql driver #326
• vendor: update to fosite 0.6.11 - closes #338 #343 (aeneasr)

Closed issues:

• oidc: at_hash / c_hash mismatch #338

Merged pull requests:

• vendor: update to fosite 0.6.12 #344 (aeneasr)

v0.7.1 (2016-12-30)

Full Changelog

v0.7.0 (2016-12-30)

Full Changelog

Implemented enhancements:

• Implement RemoveSubjectFromPolicy and RemoveResourceFromPolicy #336
• policy: provide rest endpoint for policy updates #305
• 0.7.0: SQL Migrate, Groups, Hardening #329 (aeneasr)

Fixed bugs:

• 0.7.0: SQL Migrate, Groups, Hardening #329 (aeneasr)

Closed issues:

• Replace # with ? in authentication response #337
• oidc: SCIM compliance #320

v0.6.10 (2016-12-26)

Full Changelog

Implemented enhancements:

• oauth2/consent: force jti echo in consent response #322
• include a migration routine for databases #194
• warden: add group management and group based policy checks #68
• Improve http-based warden/introspection error responses #335 (aeneasr)

v0.6.9 (2016-12-20)

Full Changelog

Implemented enhancements:

• cmd: add configuration options for hydra token user #327
• core: add api key flow #234

Fixed bugs:

• openid: support response_type=code id_token - closes #332 #333 (aeneasr)

Closed issues:

• openid: support response_type=code id_token #332
• Apparent failure on load with ECDSA key #328
• Why hydra github homepage crash when I visit ( while scrolling down) #323
• JsonWebTokenError: jwt must be provided #321
• write tests for cmd helpers #186

Merged pull requests:

• cmd: replace newline in HTTP_TLS #331 (ewilde)
• Log fixes #324 (johnwu96822)

v0.6.8 (2016-12-06)

Full Changelog

Implemented enhancements:

• oauth2: http introspector should return well known error #319 (aeneasr)

v0.6.7 (2016-12-04)

Full Changelog

Merged pull requests:

• all: improve cli and oauth2 error reporting #318 (aeneasr)

v0.6.6 (2016-12-04)

Full Changelog

Implemented enhancements:

• core: Redis backend #306

Closed issues:

• oauth2: aud parameter does not allow arrays #314

Merged pull requests:

• add missing work in docs/oauth2.md #317 (bbigras)
• docker: --name should be before the image's name #316 (bbigras)

v0.6.5 (2016-11-28)

Full Changelog

Implemented enhancements:

• store/redis: redis backend for hydra #313 (115100)

v0.6.4 (2016-11-22)

Full Changelog

Implemented enhancements:

• oauth2/revocation: token revocation fails silently with sql store #312 (aeneasr)

Fixed bugs:

• oauth2/revocation: token revocation fails silently with sql store #311
• oauth2/revocation: token revocation fails silently with sql store #312 (aeneasr)

Closed issues:

• docs: clean up TokenValid leftovers #310

v0.6.3 (2016-11-17)

Full Changelog

Implemented enhancements:

• Rejection reason code to /warden/token/allowed #308

Fixed bugs:

• oauth2: resolve issues with token introspection on user tokens #309 (aeneasr)

v0.6.2 (2016-11-05)

Full Changelog

Implemented enhancements:

• github: comply with Go license terms #300

Merged pull requests:

• Fix client SQL manager missing client_name #303 (johnwu96822)

v0.6.1 (2016-10-26)

Full Changelog

Fixed bugs:

• MySQL DB not creating on start – JSON column types only supported from MySQL 5.7 and onwards #299
• policy: investigate potential sql connection leak - closes #363 #365 (aeneasr)
• 0.6.1 #301 (aeneasr)

Merged pull requests:

• Fix some minor typos and the broken tutorial links #298 (justinclift)

v0.6.0 (2016-10-25)

Full Changelog

Implemented enhancements:

• Make it possible for travis-ci to build forked repos #295
• core: add sql support #292
• travis: execute gox build only when new commit is a new tag #285
• cmd: prettify the hydra token user output #281
• warden: make it clear that ladon.Request.Subject is not required or break bc and remove it #270
• connections: remove connections API #265
• consider signing up for Core Infrastructure Initiative badge #246
• oauth2: token revocation endpoint #233
• oauth2/rethinkdb: clear expired access tokens from memory #228
• 0.6.0 #293 (aeneasr)

Fixed bugs:

• all: coverage report is missing covered lines of nested packages #296
• oauth2/introspect: make endpoint rfc7662 compatible #289
• rethink: figure out how to deal with unreliable changefeed #269
• oauth2: requests waste a lot of time in fosite storer requestFromRDB\(\) routine #260
• 0.6.0 #293 (aeneasr)

Closed issues:

• docs: fix typo in consent.md #294
• docs/apiary: add at_ext note to warden endpoints #287
• core/storage: with rethinkdb being closed, what is our path forward? #286
• docs: warden resource names are wrong on apiary #268
• Request for Comment: Fair Source License / Business Source License #227
• core: (health) monitoring endpoint #216
• add much simpler identity provider and oauth2 consumer example #172
• 2fa: add two factor authentication helper API #69

Merged pull requests:

• cmd: fix typo in host command help text #291 (faxal)
• travis: Only gox build on tags and go1.7 #288 (emilva)
• docs: improve introduction #267 (aeneasr)

v0.5.8 (2016-10-06)

Full Changelog

Fixed bugs:

• oauth2: refresh token does not migrate session object to new token #283
• oauth2: refresh token does not migrate session object to new token #284 (aeneasr)

v0.5.7 (2016-10-04)

Full Changelog

Implemented enhancements:

• jwk: add use parameter to generated JWKs #279
• jwk: add use parameter to generated JWKs - closes #279 #280 (aeneasr)

v0.5.6 (2016-10-03)

Full Changelog

Implemented enhancements:

• oauth2: scopes should be separated by %20 and not +, to ensure javascript compatibility #278 (aeneasr)

Fixed bugs:

• cmd: hydra help host profiling typo #274
• cmd: hydra help host typos #272
• cmd: resolve issue with token user flow #212 (aeneasr)

Closed issues:

• Scopes should be separated by %20 and not +, to ensure javascript compatibility #277

Merged pull requests:

• cmd: fix #272 typos in the host command controls #276 (cixtor)
• Fix #274 - replace HYDRA_PROFILING with PROFILING #275 (otremblay)

v0.5.5 (2016-09-29)

Full Changelog

v0.5.4 (2016-09-29)

Full Changelog

v0.5.3 (2016-09-29)

Full Changelog

Implemented enhancements:

• docker: add http-only dockerfile and upgrade to go 1.7 base image #273 (aeneasr)

Fixed bugs:

• investigate if and why slow rethinkdb connection causes client root to be recreated #191

Closed issues:

• Consider extract Go SDK package into separate repository #266
• Showcase: How and where are you using Hydra? #115

v0.5.2 (2016-09-23)

Full Changelog

v0.5.0 (2016-09-22)

Full Changelog

v0.5.1 (2016-09-22)

Full Changelog

Implemented enhancements:

• oauth2: include original request query parameters in the consent challenge #256
• Need a better health check for a load balancer #251
• client: add ability to update client #250
• oauth2: allow access token validation for public clients #245
• all: improve error messages regarding token validation #244
• all: resolve naming inconsistencies in jwk set names used in hydra #239
• sdk: resolve naming inconsistencies #226
• oidc: support kid hint in header #222
• 0.5.0-errors #263 (aeneasr)
• 0.5.0 #243 (aeneasr)

Fixed bugs:

• When invalid/expired token is used for /warden/allowed endpoint, status 500 is returned #262
• docs: fix images in readme #261
• Bad HTML encoding of the scope parameter #259
• docs: images are broken #258
• oauth2: id token hashes are not base64 url encoded #255
• oauth2: state parameter is missing when response_type=id_token #254
• jwk: anonymous request can't read public keys #253
• travis: ld flags are wrong #242
• cmd: hydra token user should show id token in browser #224
• oidc: hybrid flow using token+code+id\_token returns multiple tokens of the same type #223
• hydra clients import doesn't print client's secret #221
• 0.5.0-errors #263 (aeneasr)
• 0.5.0 #243 (aeneasr)

Closed issues:

• core: document hard-wired JWK sets #247
• managing client definitions #197

Merged pull requests:

• docs: add notes on operational considerations #252 (boyvinall)

v0.4.2-alpha.4 (2016-09-03)

Full Changelog

v0.4.2 (2016-09-03)

Full Changelog

v0.4.3 (2016-09-03)

Full Changelog

v0.4.2-alpha.3 (2016-09-02)

Full Changelog

v0.4.2-alpha.2 (2016-09-01)

Full Changelog

v0.4.2-alpha.1 (2016-09-01)

Full Changelog

0.4.2-alpha (2016-09-01)

Full Changelog

Implemented enhancements:

• Add version option to Hydra's CLI #218
• autobuild #240 (aeneasr)
• Update jwt-go and resolve warden regression issue #232 (aeneasr)

Fixed bugs:

• warden: firewal.Audience overridden with requesting clients subject #236 (faxal)
• Update jwt-go and resolve warden regression issue #232 (aeneasr)

Closed issues:

• how to use hydra without "--dangerous-auto-logon"? #241
• warden: firewal.Audience overridden with requesting clients subject #237
• Vendor: Upgrade to jwt-go 3.0.0 #229
• docs: warden sdk example is misleading #225
• Typo in the apiary documentation #220
• Importing clients with the CLI doesn't work #219
• doc: add "what is hydra not?" section to readme #217
• figure out a process to autobuild releases #210

Merged pull requests:

• fix broken link for tutorial in README.md #213 (allan-simon)

v0.4.1 (2016-08-18)

Full Changelog

Fixed bugs:

• error bad request when running tutorial #211

v0.4.0 (2016-08-17)

Full Changelog

Implemented enhancements:

• all: move docs from gitbook to github #204
• 0.4.0 #203 (aeneasr)

Fixed bugs:

• 0.4.0-prefix #209 (aeneasr)
• 0.4.0 #203 (aeneasr)

Closed issues:

• docs/guide: warden docs are outdated #206
• fix sdk examples in readme #196
• add tests for clients import #163
• remove go get -t ./... from travis #71

v0.3.1 (2016-08-17)

Full Changelog

Implemented enhancements:

• oauth2: introspection should return custom session values #205
• warden: move IntrospectToken from warden sdk to oauth2 #201
• warden: rename InspectToken to IntrospectToken #200

Fixed bugs:

• AccessTokens get overridden during startup of hydra #207
• warden: IntrospectToken always throws an error on Hydra logs #199
• resolve issue with at extra data #198
• Fix 207 #208 (aeneasr)

v0.3.0 (2016-08-09)

Full Changelog

Implemented enhancements:

• 0.3.0 #195 (aeneasr)

Fixed bugs:

• 0.3.0 #195 (aeneasr)

v0.2.0 (2016-08-09)

Full Changelog

Implemented enhancements:

• warden sdk should not make distinction between token and request #190
• core scope should not be mandatory #189
• id token claims should be set by consent challenge id\_token claim #188
• provide default consent endpoint in hydra #185
• make bcrypt cost configurable #184
• make lifespans configurable #183
• improve env to config #182
• add memory profiling and cpu profiling #179
• add basic http request logging #178
• support edge tls termination #177
• Make client HTTPManager not compatible with fosite.Storage #173
• clean up stale branches #171
• improve hydra connect dialogue #170
• investigate if token creation can be speeded up #168
• consent: allow proxying of id token claims #167
• warden: rename authorized / allowed endpoints to something more meaningful #162
• warden: rename assertion to token #158
• Implement strict mode for warden #156
• Implement token introspection endpoint #155
• Don't log database credentials #147
• OpenID Connect Session Management #143
• [Feature request] Import clients on startup #140
• Warden for anonymous users #139
• oauth2/consent: id token expiry should be configurable #127
• Improve error message of wrong system secret #104
• warden: rename authorized / allowed endpoints to something more meaningful #187 (aeneasr)
• 0.2.0 #165 (aeneasr)
• all: add test cases for methods returning slices or maps of entities #152 (aeneasr)
• Resolve rethinkdb connection when idle #148 (aeneasr)
• all: resolve issues with the sdk and cli #142 (aeneasr)
• cli: add token validation #134 (aeneasr)
• Add wrapper library for HTTP Managers #130 (faxal)
• Decompositioning, implement Fosite #62 (aeneasr)

Fixed bugs:

• investigate runtime panic on warden allowed #181
• oauth2 implicit flow should allow custom protocols #180
• support edge tls termination #177
• Token generation should be always consistent, not eventually consistent #176
• consent: allow proxying of id token claims #167
• config: do not store database config in hydra config #164
• OAuth2 token endpoint does not allow GET method but reads query parameters #160
• OAuth2 token endpoint should be able to handle simple form encoded requests #159
• --dry option does not work correctly #157
• client.GetClients() returns invalid information #150
• RethinkDB connection dies after a certain amount of inactive time #146
• Fails to startup when a SSO connection is added. #141
• id_token: at_hash / c_hash is null #129
• oauth2: some scopes are included twice #126
• warden: iat / exp values are not being set #125
• investigate missing scopes issue #124
• rethinkdb: resolve an issue where missing refresh tokens cause duplicate key error #122
• 0.2.0 #165 (aeneasr)
• ensure client endpoint is initialised for CLI "clients import" command #149 (boyvinall)
• Resolve rethinkdb connection when idle #148 (aeneasr)
• all: resolve issues with the sdk and cli #142 (aeneasr)
• Resolve warden issues #128 (aeneasr)
• Various bugfixes #123 (aeneasr)

Closed issues:

• Error trying to create a token via curl #174
• gorethink: could not decode type []uint8 into Go value of type string #169
• document warden interface sdk #166
• Document what OpenID Connect is and how to use it #154
• Warden endpoints #137
• Environment variables naming scheme #136
• Implicit Flow redirect_uri does not match #133
• hydra 2FA on cloud providers #132
• Document HTTP client libraries for go #101
• Document error redirect to identity provider #96
• use dropbox example to explain oauth2 #95

Merged pull requests:

• client: fix client.GetClients() for multiple clients #151 (boyvinall)
• readme: Fix table of contents links #145 (smithrobs)
• doc: Minor grammar/spelling fixes for README #144 (smithrobs)
• Add some precisions to installation #131 (yageek)

0.1-beta.4 (2016-06-26)

Full Changelog

Implemented enhancements:

• Connect to rethinkdb over SSL with self-signed certificate #114

Fixed bugs:

• clients endpoint returns client secret base64 encoded #119
• firewall 403s on warden endpoints #118
• Client secrets should not be hashed when POSTing #113
• Resolve issues with warden and client api #120 (aeneasr)
• client: return client secret on POST and remove it from GET #117 (aeneasr)

Merged pull requests:

• Connect to rethinkdb with a custom certificate #116 (matteosuppo)

0.1-beta.3 (2016-06-20)

Full Changelog

Implemented enhancements:

• docker: remove wait time on boot and use restart unless-stopped option #105 (aeneasr)

Fixed bugs:

• Warden handlers are not mounted #109

Closed issues:

• Installation fails #108
• Exchange token from browser client #107
• Temporary Client not working #106
• Could not fetch initial state with docker-compose #103

Merged pull requests:

• all: update jwt-go to versioned package and update dependencies #111 (aeneasr)
• Mount warden handler #110 (faxal)

0.1-beta.2 (2016-06-14)

Full Changelog

Implemented enhancements:

• CLI should have -dry option to show what the HTTP request looks like #99
• Add offline scope for refresh tokens #97
• extend jwk cert store #92
• Creating clients with predefined credentials #91
• Passing key and certificate to hydra #88
• AES-GCM key should be sha256(secret)[:32] #86
• Update GoRethink imports #78
• link exemplary policies in the docs #75
• support SAML in addition to OAuth2 #29
• 0.1-beta2 #90 (aeneasr)
• vendor: switch to versioned gorethink api #81 (aeneasr)

Fixed bugs:

• fix issue where tls certificate is regenerated on boot #93
• typo: singing instead of signing #89
• 404 in the gitbook #85
• Update GoRethink imports #78
• client: resolved that secrets can not be set when using http or cli #102 (aeneasr)

Closed issues:

• document security architecture #82
• go install fails #77
• Security audit based on rfc6819 #42

Merged pull requests:

• Fix typo of weather #100 (smurfpandey)
• readme: add security section #87 (aeneasr)
• Fix idiom in README #79 (neuhaus)

0.1-beta1 (2016-05-29)

Implemented enhancements:

• client rest endpoint: rename name to client\_name #72
• allow using not self-signed TLS certificates #70
• Implement OpenID Connect Dynamic Client Registration 1.0 #65
• Implement default identity provider using postgres #63
• Implement generic connectors #61
• Replace osin with ory-am/fosite #46
• Remove dockertest dependency from handlers #43
• adding RethinkDB as a Store #39
• Add more IdPs #33
• Make JWT as access tokens optional and replace with a custom strategy #32
• support for ldap for user storage #28
• Migrate from mux to httprouter #14

Fixed bugs:

• spec: /jwk/:set/:kid must return array #74
• client rest endpoint: rename name to client\\_name #72
• Too many open files probably caused by http client #47

Closed issues:

• Add Dockerfile for autobuild #60
• CLI refactor and initial account set up #59
• ory-am ssl cert invalid #58
• Granted Endpoint Proposal: Performant access decisions for resource providers using REST #48
• Security "audit" pre-analysis (based on rfc6749) #41
• wrong repo #40
• Rename providers to connectors #38
• Are there standards for connecting to third party providers #37
• Add support for scopes #36
• Readme: Accounts CLI Usage #31
• Continue using JWT as access tokens? #22
• remove refresh token claims #21
• godeps should only be commited on release #19
• refactor POST workflow #13
• JWT assertions #5
• Check JWT Algorithm #3

Merged pull requests:

• dist: fix typos in exemplary policies #112 (aeneasr)
• Remove go get of govet in .travis.yml #67 (sbani)
• Hydra is now using Go 1.6 vendoring and is deployable to heroku #56 (aeneasr)
• Heroku #55 (aeneasr)
• Update README.md #54 (leetal)
• RethinkDB #53 (leetal)
• handler.go:300: no formatting directive in Sprintf call #52 (QuentinPerez)
• providers: added microsoft and improved existing providers #51 (aeneasr)
• oauth: added google provider #50 (aeneasr)
• handle multiple return values from gopass #49 (timothyknight)
• doc: create MAINTAINERS #45 (aeneasr)
• docs: create CONTRIBUTING.md #44 (aeneasr)
• update accounts CLI Usage #34 (akhedrane)
• Add a Gitter chat badge to README.md #30 (gitter-badger)
• Extra arguments #27 (QuentinPerez)
• all: oauth and guard endpoints now accept basic auth instead of token… #26 (aeneasr)
• account: refactor, more endpoints and tests #25 (aeneasr)
• all: username instead of email, token revocation, introspect spec ali… #24 (aeneasr)
• Tutorial #23 (aeneasr)
• Unstaged #20 (aeneasr)
• client: now tries to refresh when token is invalid #18 (aeneasr)
• client: added possibility to skip CA check #17 (aeneasr)
• cli: fixed default TLS and JWT filepaths #16 (aeneasr)
• Policy changes and more tests #15 (aeneasr)
• unstaged #12 (aeneasr)
• Ladon api update & policy http endpoint #11 (aeneasr)
• Improved CLI client create and provider workflow. #10 (aeneasr)
• cli #9 (aeneasr)
• all: increased test coverage #8 (aeneasr)
• Handlers and cleanup #7 (aeneasr)
• Single Sign On #6 (aeneasr)
• tests: increased coverage #4 (aeneasr)
• Implemented jwt, middleware, test coverage and handlers. #2 (aeneasr)
• Refactor #1 (aeneasr)

* This Change Log was automatically generated by github_changelog_generator