Update oryd/hydra Docker tag to v2

[renovate]

This PR contains the following updates:

Package	Update	Change
oryd/hydra (source)	major	v1.11.10 -> v2.3.0

---

Release Notes

ory/hydra (oryd/hydra)

v2.3.0

Compare Source

We’re thrilled to announce the release of Ory Hydra 2.3.0! This version comes packed with graceful token refresh, performance improvements, and fixes that enhance stability, reduce database load, and streamline the developer experience. We strongly recommend upgrading to take advantage of these enhancements and ensure the best possible OAuth2 and OpenID Connect experience with Ory Hydra. Thank you to everyone who contributed!

Ory Hydra now supports graceful refresh token rotation, making OAuth2 and OpenID Connect refresh flows significantly more resilient in scenarios such as Single Page Apps and IoT. Even in highly distributed or concurrent environments, Hydra gracefully handles token refreshes reliably, ensuring tokens are not dropped or double-used.

PRs: #​3860, #​3895

Previously, the redirect_uri was not required when performing flows with scope=openid. This release enforces the requirement to comply with the OpenID Connect standard.

PR: #​3900

Hydra now supports explicit SQL migration commands migrate sql up|down|status that streamline database schema management and help with zero-downtime upgrades.

PR: #​3894

• Access token strategy & advanced CLI improvements
  The CLI introduces new parameters and an option to specify a custom client ID on creation, making it easier to manage and script Hydra deployments.
  PRs: #​3718, #​3725, #​3874
• Built-in login & consent UI for hydra perform authorization-code
  A minimal built-in UI for login and consent can be enabled when testing with the CLI, removing the need to spin up a separate service.
  PR: #​3845

Unused indices have been removed, down migration scripts renamed for consistency, and all migrations are more efficient overall.

PRs: #​3859, #​3911

• Improve persistence logic – Database transactions and concurrency have been improved across the authorization and token handlers.
  PRs: #​3756, #​3763, #​3886

• Support for more claims in password grant – You can now include additional claims in the password grant flow, providing extra flexibility in advanced scenarios. Only available with an Ory Enterprise License.
  PR: #​3864

• Transaction Wrappers
  Authorization and token issuance are now wrapped more consistently to prevent partial writes and race conditions.
  PRs: #​3730, #​3763

• Improved Docker setup
  Docker configurations have been refined, removing inconsistencies in the Compose setup and enabling a fully static binary build.
  PRs: #​3826, #​3924

• Proper JSON round-tripping
  Fixed an issue causing custom claims to break if they were nested or unexpectedly typed. JSON round-trips are now correct.
  PR: #​3819

• Speed up public key retrieval
  Reduced overhead for the JWK public endpoint, solving CPU contention issues in large-scale deployments.
  PRs: #​3787, #​3870

• Fix Docker Compose references
  The CLI now properly references docker compose instead of docker-compose, ensuring compatibility with modern Docker setups.
  PR: #​3815

• Dependency upgrades
  Bumped fosite, ory/x, pgx/v5, and various third-party libraries for improved stability and performance.

• Updated docs
  Updated examples, improved JWK documentation, added notes on Docker Compose usage, and refined OpenID Connect discovery docs.

• More tracing context
  Tracing calls have been consistently standardized with otelx.End(), and additional context ensures better observability.

• Code generation & housekeeping
  Various housekeeping tasks: pinned GHA versions, fixed minor comment typos, updated newsletters/links, and more.

To upgrade to 2.3.0, follow the usual steps:

1. Back up your database (always recommended).
2. Update your Hydra version in your Docker configuration, binary, or build to v2.3.0.
3. Run hydra migrate sql up (if using the new commands) or your usual migration procedure.
4. Restart your services and confirm that Hydra is up and running.

Check the migration docs for detailed information.

As always, we love hearing from our community. Here are some ways to get involved:

• Join our Slack: Ory Community Slack
• Ask questions on GitHub Discussions: Ory Hydra Discussions
• Submit bugs and feature requests: GitHub Issues

Thanks to all contributors for making Ory Hydra the best-in-class OAuth2 and OpenID Connect server.

For Ory Hydra v2.4.0 we are looking at another highly anticipated community-contributed feature, the OAuth 2.0 Device Authorization Grant!

Full Changelog: v2.2.0...v2.3.0

Happy building with Ory Hydra!

Breaking Changes

Going forward, OAuth2 Clients requesting an OpenID Connect flow must include the redirect_uri parameter or the request will be rejected.

Deleting consents no longer returns 404 in certain edge cases but instead always 204.

Bug Fixes

• Advertise support for response_mode=form_post in OIDC discovery document (#​3861) (9cc5f28)

• Broken JSON round-tripping for custom claims (b36b701):

  Adding custom claims with numerical types (think JavaScript Number) previously did not
  round-trip through Hydra correctly. For example, passing UNIX timestamps in custom claims
  would end up as floating points in exponential notation in the final token. That, in turn,
  confused or broke downstream consumers of the token, including Kratos.

  Ref go-jose/go-jose#144

• Change comment on revokeOAuth2LoginSessions (#​3853) (6d829dd)

• Change index name in down migration (#​3911) (3a09db2)

• Correct span names (554238b)

• Correctly pass multiple token audiences and prompt parameters when performing the authorization code flow from the CLI (#​3736) (632faef)

• Cpu contention when reading JWKs and suppress generating duplicate JWKs (#​3870) (d5f65c5):

  Previously each concurrent caller would need to lock a shared mutex when reading or writing a given JWK set.
  The read path now doesn't require locking a mutex at all and instead returns valid query results directly.

  The write path is now protected by a concurrency control mechanism (using x/sync/singleflight) to ensure only one JWK set is generated and persisted.

  Note: Duplicate JWK sets may still be improperly generated if running more than one Hydra instance in a high traffic environment.

• Do not iteratively delete records (#​3766) (5ef20a2):

  Resolves performance issues on some databases when deleting consent.

• Do not retry sending responses (#​3764) (1bbfdb5)

• docs: Adjust note about SDK support on oauth2 flow endpoints (#​3812) (d0e047c)

• Error log when RP responds with status code 204 (#​3731) (153e4b5)

• Faster GetPublicKeys (#​3787) (04c34aa):

  GetPublicKeys used to fetch all keys in a set, even if they were actually not being used. This patch fixes that.

• Improve docker set up (#​3924) (8ca6cbd), closes #​3914 #​3683:

  Improves the docker set up and removes some unused files.

• Incorrect context passthru (fa50e3e)

• Incorrect indices (#​3778) (cb0004b)

• Limit HTTP response size (2559819)

• Omit explicit transaction in ConfirmLoginSession and add tracing (#​3886) (a5b2d75)

• Pass context to database ping (fa21711)

• Require redirect_uri in openid requests (#​3900) (5caa629):

  Resolves a deviation from the OpenID Connect spec, where the redirect_uri was not required when performing flows with scope=openid.

• Untyped int build issues on 32bit architectures (#​3885) (68aa167)

• Upgrade fosite and improve webhook integration (#​3727) (89323e2)

• Use docker compose rather than docker-compose (#​3815) (ffdfb73)

• Wrap authorize response in transaction (#​3763) (5b106aa)

• Wrap token handler in transaction (#​3730) (67a85cc)

Code Generation

• Pin v2.3.0 release commit (ee8c339)

Documentation

• Update clarification (#​3929) (ce7616c)

Features

• Add access token strategy parameter to cli (#​3718) (7862dc3), closes #​3717

• Add expiry and requested times to logout table (#​3837) (f83193f)

• Add id parameter to create oauth2-client cli (#​3725) (b372fd2):

  Fixes #​3724

• Add Inspect option to registry (2013450)

• Add migrate sql up|down|status (#​3894) (d27882f):

  This patch adds the ability to execute down migrations using:

  hydra migrate sql down -e --steps {num_of_steps}
  

  Please read hydra migrate sql down --help carefully.

  Going forward, please use the following commands

  hydra migrate sql up ...
  hydra migrate sql status ...
  

  instead of the previous, now deprecated

  hydra migrate sql ...
  hydra migrate status ...
  

  commands.

  See ory-corp/cloud#7350

• Built-in login/consent UI for hydra perform authorization-code (#​3845) (7f8bd90)

• Graceful refresh token rotation (#​3860) (e278b40), closes #​1831 #​3770:

  This patch adds a configuration flag which enables graceful refresh token rotation. Previously, refresh tokens could only be used once. On reuse, all tokens of that chain would be revoked.

  This is particularly challenging in environments, where it's difficult to make guarantees on synchronization. This could lead to refresh tokens being sent twice due to some parallel execution.

  To resolve this, refresh tokens can now be graceful by changing oauth2.grant.refresh_token.grace_period=10s (example value). During this time, a refresh token can be used multiple times to generate new refresh, ID, and access tokens.

  All tokens will correctly be invalidated, when the refresh token is re-used after the grace period expires, or when the delete consent endpoint is used.

• Handle concurrent refreshes and improve graceful refreshing (#​3895) (0a6c966):

  This patch improves Ory Hydra's ability to deal with refresh flows which, for example, concurrently refresh the same token. Furthermore, graceful token refresh has been improved to handle a variety of edge cases and scenarios.

  Additionally, serializability errors in CockroachDB are now correctly retried.

  See ory-corp/cloud#7311
  Closes #​3895

• Improve persistence logic (#​3756) (50301e0)

• Reduce size of verifiers (#​3857) (0cd00dc)

• Remove unused indices (#​3859) (56fc3da)

• Support more claims in password grant (#​3864) (41476ec):

  For the resource owner password grant, the Kratos identity ID is now written to the sub claim, and the username is written to the ext.username claim. Further, token hooks are called for the initial token issuance as well as refresh flows for access tokens issued via the resource owner password grant, allowing users to customize the fields present in the access token (for the jwt strategy) as well as on introspection.

• Update clients from files through the CLI (#​3874) (f777fd1)

• Upgrade to jackc/pgx/v5 (#​3798) (cd7e7ef)

Tests

• Patch oauth2 snapshot (#​3867) (db095de)

Unclassified

• Include Requested Scopes in Webhook Requests (#​3891) (c3ff306), closes #​3891
• update doc example for get oauth2-client (5e70cde)

Artifacts can be verified with cosign using this public key.

v2.2.0

Compare Source

Ory Hydra, the OAuth2 and OpenID Connect server designed for web-scale deployments introduces over 6x higher OAuth2 throughput on a single PostgreSQL instance!

Want to check out Ory Hydra yourself? Try common OAuth2 flows in the Ory OAuth2 Get Started guide!

This version significantly enhances performance, processing over 6x more authorization flows than version 2.1, thanks to architectural improvements that minimize database interactions for login and consent processes.

Key improvements include:

• Enhanced integration with Ory Kratos, ensuring seamless synchronization of login and logout states across both services. Users logged out from Ory Hydra will automatically log out from Ory Kratos, enhancing security and user experience.
• The ability to bypass the logout consent screen for specific clients, streamlining the logout process.
• Simplified migration with the new feature to import OAuth2 Client IDs, making the transition to Ory Hydra smoother.
• Support for the OIDC Verifiable Credentials specification, expanding the server's capabilities in identity verification.

Thank all contributors who have made this release available!

Bug Fixes

• Return empty slice if requested_scope or audience is null (#​3711) (65165e7)

• Correct id token type in token exchange response (#​3625) (d1f9ba8):

  Closes ory/client-go#2

• Dropped persistence/sql test errors (#​3670) (22f0119)

• Handle logout double-submit gracefully (#​3675) (5133cf9)

• Handle subject mismatch gracefully (#​3619) (af0d477):

  We now redirect to the original request URL if the subjects between
  the remembered Hydra session and what was confirmed by the login
  screen does not match.

• Handle token hook auth config (#​3677) (1a40833):

  • fix: handle token hook auth config
  • fix: bump golangci-lint

• Improved SSRF protection (#​3669) (24c3be5)

• Incorrect down migration (#​3708) (8812e0e), closes /github.com/ory/hydra/pull/3705#discussion_r1471514014

• Remove required mark (#​3693) (3a764a0)

• Timeout in jwt-bearer grants when too many grants are available (#​3692) (a748797)

• Verifiable credentials JWT format (#​3614) (0176adc)

• Add exceptions for internal IP addresses (#​3608) (1f1121c)

• Add kid to verifiable credential header (#​3606) (9f1c8d1)

• Deflake ttl test (6741a49)

• Docker build (#​3609) (01ff9da)

• Enable CORS with hot-reloaded origins (#​3601) (6f592fc)

• Only query access tokens by hashed signature (a21e945)

• Racy random string generation (#​3555) (1b26c4c)

• Reject invalid JWKS in client configuration / dependency cleanup and bump (#​3603) (1d73d83)

• Restore ability to override auth and token urls for exemplary app (#​3590) (dfb129a)

• Return proper error when the grant request cannot be parsed (#​3558) (26f2d34)

• Use correct tracer in middleware (#​3567) (807cbd2)

Documentation

• Fix typo (#​3649) (f0501d2)

Features

• Add --skip-logout-consent flag to CLI (#​3709) (f502d6e)

• Add authentication options to hooks (#​3633) (5c8e792)

• Add flag to export public keys (#​3684) (62c006b)

• Add missing index for jwk table (#​3691) (39ee5e1)

• Add prompt=registration (#​3636) (19857d2):

  Ory Hydra now supports a registration value for the prompt parameter of
  the authorization request. When specifying prompt=registration, Ory Hydra
  will redirect the user to the URL found under urls.registration
  (instead of urls.login).

• Add skip_logout_consent option to clients (#​3705) (2a653e6):

  Adds a special field which disables the logout consent screen when performing OIDC logout.

• Allow injecting extra fosite strategies (#​3646) (88b0b7c)

• Re-enable legacy client IDs (#​3628) (5dd7d30):

  This patch changes the primary key of the hydra_client table. We do not expect issues, as that table is probably not overly huge in any deployment. We do however highly recommend to test the migration performance on a staging environment with a similar database setup.

• Remove flow cookie (#​3639) (cde3a30):

  This patch removes the flow cookie. All information is already tracked in the request query parameters as part of the {login|consent}_{challenge|verifier}.

• Remove login session cookie during consent flow (#​3667) (5f41949)

• Support multiple token URLs (#​3676) (95cc273)

• Add hydra migrate status subcommand (#​3579) (749eb8d)

• Add more resolution to events and collect client metrics (#​3568) (466e66b)

• Add state override (b8b9154)

• Add support for OIDC VC (#​3575) (219a7c0):

  This adds initial support for issuing verifiable credentials
  as specified in https://openid.net/specs/openid-connect-userinfo-vc-1_0.html.

  Because the spec is still in draft, public identifiers are
  suffixed with draft_00.

• Allow additional SQL migrations (#​3587) (8900cbb)

• Allow Go migrations (#​3602) (8eed306)

• Allow to disable claim mirroring (#​3563) (c72a316):

  This PR introduces another config option called oauth2:mirror_top_level_claims which may be used to disable the mirroring of custom claims into the ext claim of the jwt.
  This new config option is an opt-in. If unused the behavior remains as-is to ensure backwards compatibility.

  Example:

  oauth2:
    allowed_top_level_claims:
      - test_claim
    mirror_top_level_claims: false # -> this will prevent test_claim to be mirrored within ext

  Closes #​3348

• Bump fosite and add some more tracing (0b56f53)

• cmd: Add route that redirects to the auth code url (4db6416)

• Parallel generation of JSON web key set (#​3561) (5bd9002)

• Propagate logout to identity provider (#​3596) (c004fee):

  • feat: propagate logout to identity provider

  This commit improves the integration between Hydra and Kratos when logging
  out the user.

  This adds a new configuration key for configuring a Kratos admin URL.
  Additionally, Kratos can send a session ID when accepting a login request.
  If a session ID was specified and a Kratos admin URL was configured,
  Hydra will disable the corresponding Kratos session through the admin API
  if a frontchannel or backchannel logout was triggered.

  • fix: add special case for MySQL
  • chore: update sdk
  • chore: consistent naming
  • fix: cleanup persister

• Support different jwt scope claim strategies (#​3531) (45da11e)

Changelog

• b346f90 autogen(docs): generate and bump docs
• 01aeffc autogen(docs): regenerate and update changelog
• 3a65840 autogen(docs): regenerate and update changelog
• 2dc52b4 autogen(docs): regenerate and update changelog
• 7473259 autogen(docs): regenerate and update changelog
• 4b8c971 autogen(docs): regenerate and update changelog
• d0dfc0f autogen(docs): regenerate and update changelog
• 9e9be2d autogen(docs): regenerate and update changelog
• ada59a5 autogen(docs): regenerate and update changelog
• cdd2647 autogen(docs): regenerate and update changelog
• e4c160f autogen(docs): regenerate and update changelog
• 5121dba autogen(docs): regenerate and update changelog
• 21e0a9b autogen(docs): regenerate and update changelog
• 89b1b1b autogen(docs): regenerate and update changelog
• 0a5e043 autogen(docs): regenerate and update changelog
• 6cbe089 autogen(docs): regenerate and update changelog
• 7861702 autogen(docs): regenerate and update changelog
• c9f4b5f autogen(docs): regenerate and update changelog
• fe260d1 autogen(docs): regenerate and update changelog
• fbf39dd autogen(docs): regenerate and update changelog
• 9b33fc5 autogen(docs): regenerate and update changelog
• f9cee32 autogen(docs): regenerate and update changelog
• 841d58b autogen(docs): regenerate and update changelog
• 4a8e9a4 autogen(docs): regenerate and update changelog
• cdc0bec autogen(openapi): regenerate swagger spec and internal client
• 4a00e3e autogen(openapi): regenerate swagger spec and internal client
• dedcf5b autogen(openapi): regenerate swagger spec and internal client
• 92eb03a autogen(openapi): regenerate swagger spec and internal client
• f9a87d3 autogen(openapi): regenerate swagger spec and internal client
• 1ff8f20 autogen(openapi): regenerate swagger spec and internal client
• 11bf9df autogen(openapi): regenerate swagger spec and internal client
• e796893 autogen(openapi): regenerate swagger spec and internal client
• 27f2ef5 autogen(openapi): regenerate swagger spec and internal client
• 35d6295 autogen(openapi): regenerate swagger spec and internal client
• ce00a42 autogen(openapi): regenerate swagger spec and internal client
• db4fd7d autogen(openapi): regenerate swagger spec and internal client
• 146b162 autogen(openapi): regenerate swagger spec and internal client
• e1636d1 autogen(openapi): regenerate swagger spec and internal client
• 9389773 autogen(openapi): regenerate swagger spec and internal client
• af859fe autogen(openapi): regenerate swagger spec and internal client
• f1708f2 autogen(openapi): regenerate swagger spec and internal client
• 3e8413e autogen(openapi): regenerate swagger spec and internal client
• 11c8c72 autogen(openapi): regenerate swagger spec and internal client
• 800ce0a autogen: add v2.2.0-rc.3 to version.schema.json
• 8168ee3 autogen: pin v2.2.0-pre.1 release commit
• 0487217 autogen: render config schema
• a0c06ec chore(deps): bump @​cypress/request and cypress (#​3641)
• b177f81 chore(deps): bump axios and @​openapitools/openapi-generator-cli (#​3701)
• 23c8194 chore(deps): bump debug from 3.2.6 to 3.2.7 (#​3640)
• 18d9793 chore(deps): bump follow-redirects in /test/e2e/oauth2-client (#​3697)
• 4fa2889 chore(deps): bump github.com/docker/docker (#​3707)
• 2ba3547 chore(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0 (#​3680)
• efc00a8 chore(deps): bump golang.org/x/net from 0.14.0 to 0.17.0 (#​3645)
• 083c90d chore: build tag (#​3613)
• 3615e3d chore: bump docker base images (#​3632)
• aa8a364 chore: bump openapi-generator (#​3696)
• 2dc6606 chore: improve context (#​3656)
• 8e94929 chore: update otel (#​3686)
• f0501d2 docs: fix typo (#​3649)
• f502d6e feat: add --skip-logout-consent flag to CLI (#​3709)
• 5c8e792 feat: add authentication options to hooks (#​3633)
• 62c006b feat: add flag to export public keys (#​3684)
• 39ee5e1 feat: add missing index for jwk table (#​3691)
• 19857d2 feat: add prompt=registration (#​3636)
• 2a653e6 feat: add skip_logout_consent option to clients (#​3705)
• 88b0b7c feat: allow injecting extra fosite strategies (#​3646)
• 5dd7d30 feat: re-enable legacy client IDs (#​3628)
• cde3a30 feat: remove flow cookie (#​3639)
• 5f41949 feat: remove login session cookie during consent flow (#​3667)
• 95cc273 feat: support multiple token URLs (#​3676)
• d1f9ba8 fix: correct id token type in token exchange response (#​3625)
• 22f0119 fix: dropped persistence/sql test errors (#​3670)
• 5133cf9 fix: handle logout double-submit gracefully (#​3675)
• af0d477 fix: handle subject mismatch gracefully (#​3619)
• 1a40833 fix: handle token hook auth config (#​3677)
• 24c3be5 fix: improved SSRF protection (#​3669)
• 8812e0e fix: incorrect down migration (#​3708)
• 3a764a0 fix: remove required mark (#​3693)
• a748797 fix: timeout in jwt-bearer grants when too many grants are available (#​3692)
• 0176adc fix: verifiable credentials JWT format (#​3614)
• 8e6c4bf autogen(docs): regenerate and update changelog
• 33950db autogen(docs): regenerate and update changelog
• 28e9e31 autogen(openapi): regenerate swagger spec and internal client
• 57096be autogen: pin v2.2.0 release commit
• bfc05d0 chore(deps): bump github.com/opencontainers/runc from 1.1.8 to 1.1.12 (#​3710)
• 65165e7 fix: return empty slice if requested_scope or audience is null (#​3711)

Artifacts can be verified with cosign using this public key.

v2.1.2

Compare Source

We are excited to announce the next Ory Hydra release! This release includes the following important changes:

• Fixed a memory leak in the OpenTelemetry implementation, improving overall memory usage and stability.
• Added a missing index for faster janitor cleanup, resulting in quicker and more efficient cleanup operations.
• Fixed a bug related to SameSite in dev mode, ensuring proper functionality and consistency in handling SameSite attributes during development.

We appreciate your continuous support and feedback. Please feel free to reach out to us with any further suggestions or issues.

Bug Fixes

• Add index on requested_at for refresh tokens and use it in janitor (#​3516) (5b8e712)

• Disable health check request logs (#​3496) (eddf7f3)

• Do not use prepared SQL statements and bump deps (#​3506) (31b9e66)

• Proper SameSite=None in dev mode (#​3502) (5751fae)

• Sqa config values unified across projects (#​3490) (1b1899e)

• sql: Incorrect JWK query (#​3499) (13ce0d6):

  persister_grant_jwk had an OR statement without bracket leading to not using the last part of the query.

Code Generation

• Pin v2.1.2 release commit (d94ed6e)

Documentation

• Incorrect json output format example (#​3497) (b71a36b)

Features

• Add --skip-consent flag to hydra cli (#​3492) (083d518)

Changelog

• 0e84c24 autogen(docs): generate and bump docs
• 9f37172 autogen(docs): regenerate and update changelog
• 872720b autogen(docs): regenerate and update changelog
• 4907223 autogen(docs): regenerate and update changelog
• ba45af0 autogen(docs): regenerate and update changelog
• 3703e5a autogen(docs): regenerate and update changelog
• ca85a17 autogen(docs): regenerate and update changelog
• 0e7e95f autogen(docs): regenerate and update changelog
• be8f726 autogen: add v2.1.1 to version.schema.json
• d94ed6e autogen: pin v2.1.2 release commit
• 20c6fa7 autogen: render config schema
• 400b9af chore(deps): bump @​nestjs/core and @​openapitools/openapi-generator-cli (#​3493)
• f2f007d chore(deps): bump github.com/docker/distribution (#​3514)
• b69a332 chore: bump ory/x (#​3518)
• cf20054 chore: remove unneeded dependency (#​3494)
• e2b7665 chore: update nodemon version for oauth2 client (#​3503)
• b71a36b docs: incorrect json output format example (#​3497)
• 083d518 feat: add --skip-consent flag to hydra cli (#​3492)
• 13ce0d6 fix(sql): incorrect JWK query (#​3499)
• 5b8e712 fix: add index on requested_at for refresh tokens and use it in janitor (#​3516)
• eddf7f3 fix: disable health check request logs (#​3496)
• 31b9e66 fix: do not use prepared SQL statements and bump deps (#​3506)
• 5751fae fix: proper SameSite=None in dev mode (#​3502)
• 1b1899e fix: sqa config values unified across projects (#​3490)

Artifacts can be verified with cosign using this public key.

v2.1.1

Compare Source

We are excited to share this year's Q1 release of Ory Hydra: v2.1!

Highlights:

• Support for Datadog tracing (#​3431).
• Ability to skip consent for trusted clients (#​3451).
• Setting access token type in the OAuth2 Client is now possible (#​3446).
• Revoke login sessions by SessionID (#​3450).
• Session lifespan extended on session refresh (#​3464).
• Token request hooks added for all grant types (#​3427).
• Reduced SQL tracing noise (#​3481).

Don't want to run the upgrade yourself? Switch to Ory Network!

Bug Fixes

• Double-hashed access token signatures (#​3486) (8720b25), closes #​3485
• Reduce SQL tracing noise (#​3481) (6e1f545)

Code Generation

• Pin v2.1.1 release commit (6efae7c)

Changelog

• df16a26 autogen(docs): generate and bump docs
• ed2ac06 autogen(docs): regenerate and update changelog
• 6078f85 autogen(docs): regenerate and update changelog
• ddfbd65 autogen: add v2.1.0 to version.schema.json
• 6efae7c autogen: pin v2.1.1 release commit
• ad549d6 autogen: pin v2.1.1 release commit
• 2f7cda5 autogen: render config schema
• 0448284 chore: update ory/x (#​3480)
• 8720b25 fix: double-hashed access token signatures (#​3486)
• 6e1f545 fix: reduce SQL tracing noise (#​3481)

Artifacts can be verified with cosign using this public key.

v2.1.0

Compare Source

We are excited to share this year's Q1 release of Ory Hydra: v2.1.0!

Highlights:

• Support for Datadog tracing (#​3431).
• Ability to skip consent for trusted clients (#​3451).
• Setting access token type in the OAuth2 Client is now possible (#​3446).
• Revoke login sessions by SessionID (#​3450).
• Session lifespan extended on session refresh (#​3464).
• Token request hooks added for all grant types (#​3427).
• Reduced SQL tracing noise (#​3481).

Don't want to run the upgrade yourself? Switch to Ory Network!

Bug Fixes

• Reduce SQL tracing noise (#​3481) (6e1f545)

Code Generation

• Pin v2.1.0 release commit ([3649832](https://redirect.github.com/ory/hydra/c

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}