Ory Hydra, the OAuth2 and OpenID Connect server designed for web-scale deployments introduces over 6x higher OAuth2 throughput on a single PostgreSQL instance!

Want to check out Ory Hydra yourself? Try common OAuth2 flows in the Ory OAuth2 Get Started guide!

This version significantly enhances performance, processing over 6x more authorization flows than version 2.1, thanks to architectural improvements that minimize database interactions for login and consent processes.

Key improvements include:

• Enhanced integration with Ory Kratos, ensuring seamless synchronization of login and logout states across both services. Users logged out from Ory Hydra will automatically log out from Ory Kratos, enhancing security and user experience.
• The ability to bypass the logout consent screen for specific clients, streamlining the logout process.
• Simplified migration with the new feature to import OAuth2 Client IDs, making the transition to Ory Hydra smoother.
• Support for the OIDC Verifiable Credentials specification, expanding the server's capabilities in identity verification.

Thank all contributors who have made this release available!

Bug Fixes

• Return empty slice if requested_scope or audience is null (#3711) (65165e7)

• Correct id token type in token exchange response (#3625) (d1f9ba8):

  Closes https://github.com/ory/client-go/issues/2

• Dropped persistence/sql test errors (#3670) (22f0119)

• Handle logout double-submit gracefully (#3675) (5133cf9)

• Handle subject mismatch gracefully (#3619) (af0d477):

  We now redirect to the original request URL if the subjects between the remembered Hydra session and what was confirmed by the login screen does not match.

• Handle token hook auth config (#3677) (1a40833):

  • fix: handle token hook auth config
  • fix: bump golangci-lint

• Improved SSRF protection (#3669) (24c3be5)

• Incorrect down migration (#3708) (8812e0e), closes /github.com/ory/hydra/pull/3705#discussion_r1471514014

• Remove required mark (#3693) (3a764a0)

• Timeout in jwt-bearer grants when too many grants are available (#3692) (a748797)

• Verifiable credentials JWT format (#3614) (0176adc)

• Add exceptions for internal IP addresses (#3608) (1f1121c)

• Add kid to verifiable credential header (#3606) (9f1c8d1)

• Deflake ttl test (6741a49)

• Docker build (#3609) (01ff9da)

• Enable CORS with hot-reloaded origins (#3601) (6f592fc)

• Only query access tokens by hashed signature (a21e945)

• Racy random string generation (#3555) (1b26c4c)

• Reject invalid JWKS in client configuration / dependency cleanup and bump (#3603) (1d73d83)

• Restore ability to override auth and token urls for exemplary app (#3590) (dfb129a)

• Return proper error when the grant request cannot be parsed (#3558) (26f2d34)

• Use correct tracer in middleware (#3567) (807cbd2)

Documentation

• Fix typo (#3649) (f0501d2)

Features

• Add --skip-logout-consent flag to CLI (#3709) (f502d6e)

• Add authentication options to hooks (#3633) (5c8e792)

• Add flag to export public keys (#3684) (62c006b)

• Add missing index for jwk table (#3691) (39ee5e1)

• Add prompt=registration (#3636) (19857d2):

  Ory Hydra now supports a registration value for the prompt parameter of the authorization request. When specifying prompt=registration, Ory Hydra will redirect the user to the URL found under urls.registration (instead of urls.login).

• Add skip_logout_consent option to clients (#3705) (2a653e6):

  Adds a special field which disables the logout consent screen when performing OIDC logout.

• Allow injecting extra fosite strategies (#3646) (88b0b7c)

• Re-enable legacy client IDs (#3628) (5dd7d30):

  This patch changes the primary key of the hydra_client table. We do not expect issues, as that table is probably not overly huge in any deployment. We do however highly recommend to test the migration performance on a staging environment with a similar database setup.

• Remove flow cookie (#3639) (cde3a30):

  This patch removes the flow cookie. All information is already tracked in the request query parameters as part of the {login|consent}_{challenge|verifier}.

• Remove login session cookie during consent flow (#3667) (5f41949)

• Support multiple token URLs (#3676) (95cc273)

• Add hydra migrate status subcommand (#3579) (749eb8d)

• Add more resolution to events and collect client metrics (#3568) (466e66b)

• Add state override (b8b9154)

• Add support for OIDC VC (#3575) (219a7c0):

  This adds initial support for issuing verifiable credentials as specified in https://openid.net/specs/openid-connect-userinfo-vc-1_0.html.

  Because the spec is still in draft, public identifiers are suffixed with draft_00.

• Allow additional SQL migrations (#3587) (8900cbb)

• Allow Go migrations (#3602) (8eed306)

• Allow to disable claim mirroring (#3563) (c72a316):

  This PR introduces another config option called oauth2:mirror_top_level_claims which may be used to disable the mirroring of custom claims into the ext claim of the jwt. This new config option is an opt-in. If unused the behavior remains as-is to ensure backwards compatibility.

  Example:

  oauth2:
    allowed_top_level_claims:
      - test_claim
    mirror_top_level_claims: false # -> this will prevent test_claim to be mirrored within ext
  

  Closes https://github.com/ory/hydra/issues/3348

• Bump fosite and add some more tracing (0b56f53)

• cmd: Add route that redirects to the auth code url (4db6416)

• Parallel generation of JSON web key set (#3561) (5bd9002)

• Propagate logout to identity provider (#3596) (c004fee):

  • feat: propagate logout to identity provider

  This commit improves the integration between Hydra and Kratos when logging out the user.

  This adds a new configuration key for configuring a Kratos admin URL. Additionally, Kratos can send a session ID when accepting a login request. If a session ID was specified and a Kratos admin URL was configured, Hydra will disable the corresponding Kratos session through the admin API if a frontchannel or backchannel logout was triggered.

  • fix: add special case for MySQL
  • chore: update sdk
  • chore: consistent naming
  • fix: cleanup persister

• Support different jwt scope claim strategies (#3531) (45da11e)

Changelog

• b346f90e autogen(docs): generate and bump docs
• 01aeffc6 autogen(docs): regenerate and update changelog
• 3a65840d autogen(docs): regenerate and update changelog
• 2dc52b4d autogen(docs): regenerate and update changelog
• 74732591 autogen(docs): regenerate and update changelog
• 4b8c9715 autogen(docs): regenerate and update changelog
• d0dfc0f0 autogen(docs): regenerate and update changelog
• 9e9be2d2 autogen(docs): regenerate and update changelog
• ada59a5f autogen(docs): regenerate and update changelog
• cdd2647c autogen(docs): regenerate and update changelog
• e4c160f5 autogen(docs): regenerate and update changelog
• 5121dba3 autogen(docs): regenerate and update changelog
• 21e0a9bd autogen(docs): regenerate and update changelog
• 89b1b1bd autogen(docs): regenerate and update changelog
• 0a5e0439 autogen(docs): regenerate and update changelog
• 6cbe0893 autogen(docs): regenerate and update changelog
• 78617027 autogen(docs): regenerate and update changelog
• c9f4b5f3 autogen(docs): regenerate and update changelog
• fe260d10 autogen(docs): regenerate and update changelog
• fbf39dd3 autogen(docs): regenerate and update changelog
• 9b33fc55 autogen(docs): regenerate and update changelog
• f9cee328 autogen(docs): regenerate and update changelog
• 841d58b8 autogen(docs): regenerate and update changelog
• 4a8e9a4c autogen(docs): regenerate and update changelog
• cdc0bec3 autogen(openapi): regenerate swagger spec and internal client
• 4a00e3e0 autogen(openapi): regenerate swagger spec and internal client
• dedcf5b4 autogen(openapi): regenerate swagger spec and internal client
• 92eb03a0 autogen(openapi): regenerate swagger spec and internal client
• f9a87d35 autogen(openapi): regenerate swagger spec and internal client
• 1ff8f20a autogen(openapi): regenerate swagger spec and internal client
• 11bf9df8 autogen(openapi): regenerate swagger spec and internal client
• e7968931 autogen(openapi): regenerate swagger spec and internal client
• 27f2ef50 autogen(openapi): regenerate swagger spec and internal client
• 35d62950 autogen(openapi): regenerate swagger spec and internal client
• ce00a428 autogen(openapi): regenerate swagger spec and internal client
• db4fd7d1 autogen(openapi): regenerate swagger spec and internal client
• 146b1625 autogen(openapi): regenerate swagger spec and internal client
• e1636d1e autogen(openapi): regenerate swagger spec and internal client
• 9389773a autogen(openapi): regenerate swagger spec and internal client
• af859fe4 autogen(openapi): regenerate swagger spec and internal client
• f1708f2a autogen(openapi): regenerate swagger spec and internal client
• 3e8413e9 autogen(openapi): regenerate swagger spec and internal client
• 11c8c724 autogen(openapi): regenerate swagger spec and internal client
• 800ce0a1 autogen: add v2.2.0-rc.3 to version.schema.json
• 8168ee31 autogen: pin v2.2.0-pre.1 release commit
• 04872174 autogen: render config schema
• a0c06ecb chore(deps): bump @cypress/request and cypress (#3641)
• b177f81a chore(deps): bump axios and @openapitools/openapi-generator-cli (#3701)
• 23c81943 chore(deps): bump debug from 3.2.6 to 3.2.7 (#3640)
• 18d97936 chore(deps): bump follow-redirects in /test/e2e/oauth2-client (#3697)
• 4fa28890 chore(deps): bump github.com/docker/docker (#3707)
• 2ba35473 chore(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0 (#3680)
• efc00a8b chore(deps): bump golang.org/x/net from 0.14.0 to 0.17.0 (#3645)
• 083c90de chore: build tag (#3613)
• 3615e3df chore: bump docker base images (#3632)
• aa8a364e chore: bump openapi-generator (#3696)
• 2dc66061 chore: improve context (#3656)
• 8e949299 chore: update otel (#3686)
• f0501d2c docs: fix typo (#3649)
• f502d6e3 feat: add --skip-logout-consent flag to CLI (#3709)
• 5c8e7923 feat: add authentication options to hooks (#3633)
• 62c006b9 feat: add flag to export public keys (#3684)
• 39ee5e1f feat: add missing index for jwk table (#3691)
• 19857d20 feat: add prompt=registration (#3636)
• 2a653e66 feat: add skip_logout_consent option to clients (#3705)
• 88b0b7cf feat: allow injecting extra fosite strategies (#3646)
• 5dd7d306 feat: re-enable legacy client IDs (#3628)
• cde3a30a feat: remove flow cookie (#3639)
• 5f41949a feat: remove login session cookie during consent flow (#3667)
• 95cc2735 feat: support multiple token URLs (#3676)
• d1f9ba8e fix: correct id token type in token exchange response (#3625)
• 22f0119a fix: dropped persistence/sql test errors (#3670)
• 5133cf97 fix: handle logout double-submit gracefully (#3675)
• af0d477e fix: handle subject mismatch gracefully (#3619)
• 1a40833e fix: handle token hook auth config (#3677)
• 24c3be57 fix: improved SSRF protection (#3669)
• 8812e0e6 fix: incorrect down migration (#3708)
• 3a764a05 fix: remove required mark (#3693)
• a7487977 fix: timeout in jwt-bearer grants when too many grants are available (#3692)
• 0176adc1 fix: verifiable credentials JWT format (#3614)
• 8e6c4bfa autogen(docs): regenerate and update changelog
• 33950db8 autogen(docs): regenerate and update changelog
• 28e9e31b autogen(openapi): regenerate swagger spec and internal client
• 57096be9 autogen: pin v2.2.0 release commit
• bfc05d00 chore(deps): bump github.com/opencontainers/runc from 1.1.8 to 1.1.12 (#3710)
• 65165e77 fix: return empty slice if requested_scope or audience is null (#3711)

Artifacts can be verified with cosign using this public key.