ory · aeneasr · Oct 5, 2017 · Jul 9, 2017 · Jul 9, 2017 · Jul 9, 2017
@@ -13,6 +13,5 @@ output/
 _book/
 dist/
 coverage.*
-docs/api.swagger.json
 Dockerfile-plugin-*
 plugin-*.so
@@ -0,0 +1,21 @@
+client/
+cmd/
+compose/
+config/
+docs/
+firewall/
+health/
+integration/
+jwk/
+metrics/
+oauth2/
+pkg/
+policy/
+rand/
+scripts/
+sdk/go/
+vendor/
+warden/
+*.yml
+*.go
+*.md
@@ -23,46 +23,45 @@ before_install:
   - sudo apt-get install curl
 
 install:
-  - go get github.com/mattn/goveralls golang.org/x/tools/cmd/cover github.com/Masterminds/glide github.com/mitchellh/gox
+  - go get -u github.com/go-swagger/go-swagger/cmd/swagger github.com/bradfitz/goimports github.com/mattn/goveralls golang.org/x/tools/cmd/cover github.com/Masterminds/glide github.com/mitchellh/gox github.com/ory/go-acc
   - git clone https://github.com/docker-library/official-images.git ~/official-images
   - glide install
   - go install github.com/ory/hydra
   - glide update
   - go install github.com/ory/hydra
 
 script:
-  - touch ./coverage.tmp
-  - |
-    echo 'mode: atomic' > coverage.txt
-  - |
-    go list ./... | grep -v /cmd | grep -v /vendor | xargs -n1 -I{} sh -c 'go test -race -covermode=atomic -coverprofile=coverage.tmp -coverpkg $(go list ./... | grep -v /vendor | tr "\n" ",") {} && tail -n +2 coverage.tmp >> coverage.txt || exit 255' && rm coverage.tmp
-  - touch ./coverage.tmp
-  - |
-    go list ./cmd/... | xargs -n1 -I{} sh -c 'go test -covermode=atomic -coverprofile=coverage.tmp -coverpkg $(go list ./... | grep -v /vendor | tr "\n" ",") {} && tail -n +2 coverage.tmp >> coverage.txt || exit 255' && rm coverage.tmp
-  - goveralls -coverprofile="coverage.txt"
+  - ./scripts/test-format.sh
+  - go-acc -o coverage.txt $(glide novendor)
+  - go test -race -short $(glide novendor | grep -v cmd)
   - docker build -t hydra-travis-ci -f Dockerfile-without-telemetry .
   - docker run -d hydra-travis-ci
   - DATABASE_URL=memory hydra host --dangerous-auto-logon --dangerous-force-http --disable-telemetry &
   - while ! echo exit | nc localhost 4444; do sleep 1; done
-# Test clients
-  - hydra clients create --id foobar
-  - hydra clients delete foobar
-# Test token on arbitrary endpoints
-  - |-
-    curl --header "Authorization: bearer $(hydra token client)" http://localhost:4444/clients
-# Test token validation
-  - hydra token validate $(hydra token client)
+  - ./scripts/test-e2e.sh
+  - ./scripts/run-genswag.sh
 
 after_success:
   - |-
     [ "${TRAVIS_TAG}" != "" ] && gox -ldflags "-X github.com/ory/hydra/cmd.Version=`git describe --tags` -X github.com/ory/hydra/cmd.BuildTime=`TZ=UTC date -u '+%Y-%m-%dT%H:%M:%SZ'` -X github.com/ory/hydra/cmd.GitHash=`git rev-parse HEAD`" -output "dist/{{.Dir}}-{{.OS}}-{{.Arch}}"
 
+
+
+before_deploy:
+  - npm version --no-git-tag-version $(git describe --tag)
+
 deploy:
-  provider: releases
-  file_glob: true
-  api_key: "$GITHUB_TOKEN"
-  file: "dist/*"
-  skip_cleanup: true
-  on:
-    tags: true
-    go: 1.8
+  - provider: npm
+    api_key: "$NPM_TOKEN"
+    email: "$NPM_EMAIL"
+    skip_cleanup: true
+    on:
+      tags: true
+  - provider: releases
+    file_glob: true
+    api_key: "$GITHUB_TOKEN"
+    file: "dist/*"
+    skip_cleanup: true
+    on:
+      tags: true
+      go: 1.9
@@ -1,4 +1,4 @@
-FROM golang:1.8-alpine
+FROM golang:1.9-alpine
 
 RUN apk add --no-cache git build-base
 RUN go get github.com/Masterminds/glide

@@ -1,4 +1,4 @@
-FROM golang:1.8-alpine
+FROM golang:1.9-alpine
 
 RUN apk add --no-cache git build-base
 RUN go get github.com/Masterminds/glide

@@ -1,4 +1,4 @@
-FROM golang:1.8-alpine
+FROM golang:1.9-alpine
 
 RUN apk add --no-cache git build-base
 RUN go get github.com/Masterminds/glide

@@ -1,4 +1,4 @@
-FROM golang:1.8-alpine
+FROM golang:1.9-alpine
 
 RUN apk add --no-cache git build-base
 RUN go get github.com/Masterminds/glide

@@ -1,4 +1,4 @@
-FROM golang:1.8-alpine
+FROM golang:1.9-alpine
 
 RUN apk add --no-cache git build-base
 RUN go get github.com/Masterminds/glide

@@ -2,6 +2,106 @@
 
 This list makes you aware of (breaking) changes. For patch notes, please check the [releases tab](https://github.com/ory/hydra/releases).
 
+## 0.10.0-alpha1
+
+**Warning: This version introduces breaking changes and is not suited for production use yet.**
+
+Version 0.10.0 is a preview tag of the 1.0.0 release. It contains multiple breaking changes.
+
+This release requires running `hydra migrate sql` before `hydra host`.
+
+Please also note that the new scope strategy might render your administrative client incapable of performing requests.
+Set the environment variable `SCOPE_STRATEGY=DEPRECATED_HIERARCHICAL_SCOPE_STRATEGY` to temporarily use the previous
+scope strategy and migrate the scopes manually. You may append `.*` to all scopes. For example, `hydra` is now `hydra hydra.*`
+
+## New consent flow
+
+Previously, the consent flow looked roughly like this:
+
+1. App asks user for Authorization by generating the authorization URL (http://hydra.mydomain.com/oauth2/auth?client_id=...).
+1. Hydra asks browser of user for authentication by redirecting to the Consent App with a *consent challenge* (http://login.mydomain.com/login?challenge=xYt...).
+  1. Retrieves a RSA 256 public key from Hydra.
+  2. Uses said public key to verify the consent challenge.
+3. User logs in and authorizes the requested scopes
+4. Consent app generates the consent response
+  1. Retrieves a private key from Hydra which is used to sign the consent response.
+  2. Creates a response message and sign with said private key.
+  3. Redirects the browser back to Hydra, appending the consent response (http://hydra.mydomain.com/oauth2/auth?client_id=...&consent=zxI...).
+6. Hydra validates consent response and generates access tokens, authorize codes, refresh tokens, and id tokens.
+
+This approach has several disadvantages:
+
+1. Validating and generating the JSON Web Tokens (JWTs) requires libraries for each language
+  1. Because libraries are required, auto generating SDKs from the swagger spec is impossible. Thus, every language
+  requires a maintained SDK which significantly increases our workload.
+  2. There have been at least two major bugs affecting almost all JWT libraries for any language. The spec has been criticised
+  for it's mushy language.
+  3. The private key used by the consent app for signing consent responses was originally thought to be stored at the consent
+  app, not in Hydra. However, since Hydra offers JWK storage, it was decided to use the Hydra JWK store per default for
+  retrieval of the private key to improve developer experience. However, to make really sense, the private key should have
+  been stored at the consent app, not in Hydra.
+2. Private/Public keypairs need to be fetched on every request or cached in a way that allows for key rotation, complicating
+the consent app.
+3. There is currently no good mechanism for rotating JWKs in Hydra's storage.
+4. The consent challenge / response has a limited length as it's transmitted via the URL query. The length of a URL
+is limited.
+
+Due to these reasons we decided to refactor the consent flow. Instead of relying on JWTs using RSA256, a simple HTTP call
+is now enough to confirm a consent request:
+
+1. App asks user for Authorization by generating the authorization URL (http://hydra.mydomain.com/oauth2/auth?client_id=...).
+1. Hydra asks browser of user for authentication by redirecting to the Consent App with a unique *consent request id* (http://login.mydomain.com/login?consent=fjad2312).
+  1. Consent app makes a HTTP REST request to `http://hydra.mydomain.com/oauth2/consent/requests/fjad2312` and retrieves information on the authorization request.
+3. User logs in and authorizes the requested scopes
+4. Consent app accepts or denies the consent request by making a HTTP REST request to `http://hydra.mydomain.com/oauth2/consent/requests/fjad2312/accept` or `http://hydra.mydomain.com/oauth2/consent/requests/fjad2312/reject`.
+5. Redirects the browser back to Hydra.
+6. Hydra validates consent request by checking if it was accepted and generates access tokens, authorize codes, refresh tokens, and id tokens.
+
+Learn more on how the new consent flow works in the guide: https://ory.gitbooks.io/hydra/content/oauth2.html#consent-flow
+
+## Audience
+
+Previously, the audience terminology was used as a synonym for OAuth2 client IDs. This is no longer the case. The audience
+is typically a URL identifying the endpoint(s) the token is intended for. For example, if a client requires access to
+endpoint `http://mydomain.com/users`, then the audience would be `http://mydomain.com/users`.
+
+The audience feature is currently not supported in Hydra, only the terminology changed. Fields named `audience` are thus
+renamed to `clientId` (where previously named `audience`) and `cid` (where previously named `aud`).
+
+**IMPORTANT NOTE:** This does **not** apply to OpenID Connect ID tokens. There, the `aud` claim **MUST** match the `client_id`.
+This discrepancy between OpenID Connect and OAuth 2.0 is what caused the confusion with the OAuth 2.0 audience terminology.
+
+## Response payload changes to `/warden/token/allowed`
+
+Previously, the response of the warden endpoint contained shorthands like `aud`, `iss`, and so on. Those have now been changed
+to their full names. For example, `iss` is now `issuer`. Additionally, `aud` is now named `clientId`.
+
+## Go SDK
+
+The Go SDK was completely replaced in favor of a SDK based on `swagger-codegen`. Read more on it here: https://ory.gitbooks.io/hydra/content/sdk/go.html
+
+## Health endpoints
+
+* `GET /health` is now `GET /health/status`
+* `GET /health/stats` is now `GET /health/metrics`
+
+## Group endpoints
+
+* `GET /warden/groups` now returns a list of groups, not just a group id
+
+## Refreshing OpenID Connect ID Token using `refresh_token` grant type
+
+1. It is now possible to refresh openid connect tokens using the refresh_token grant. An ID Token is issued if the scope
+`openid` was requested, and the client is allowed to receive an ID Token.
+
+## Replacing hierarchical scope strategy with wildcard scope strategy
+
+The previous scope matching strategy has been replaced in favor of a wildcard-based matching strategy. Read more
+on this strategy [here](https://ory.gitbooks.io/hydra/content/oauth2.html#oauth2-scopes).
+
+To fall back to hierarchical scope matching, set the environment variable `SCOPE_STRATEGY=DEPRECATED_HIERARCHICAL_SCOPE_STRATEGY`.
+This feature *might* be fully removed in the final 1.0.0 version.
+
 ## 0.9.0
 
 This version adds performance metrics to `/health` and sends anonymous usage statistics to our servers, [click here](https://ory.gitbooks.io/hydra/content/telemetry.html) for more

@@ -17,7 +17,7 @@ and low resource consumption. ORY Hydra *is not* an identity provider (user sign
 but connects to your existing identity provider through a [consent app](https://ory.gitbooks.io/hydra/content/oauth2.html#consent-app-flow).
 Implementing the consent app in a different language is easy, and exemplary consent apps
 ([Go](https://github.com/ory/hydra-consent-app-go), [Node](https://github.com/ory/hydra-consent-app-express)) and
-SDKs ([Go](https://github.com/ory/hydra/tree/update-docs/sdk), [Node](https://github.com/ory/hydra-js)) are provided.
+[SDKs](https://ory.gitbooks.io/hydra/content/sdk.html) are provided.
 
 Besides mitigating various attack vectors, such as database compromisation and OAuth 2.0 weaknesses, ORY Hydra is
 able to securely manage JSON Web Keys, and has a sophisticated policy-based access control you can use if you want to.
@@ -288,7 +288,6 @@ Fosite (which is what this is based on) is a very good implementation from a sec
 ## Libraries and third-party projects
 
 Official:
-* [Consent App SDK For NodeJS](https://github.com/ory/hydra-js)
 * [Consent App Example written in Go](https://github.com/ory/hydra-consent-app-go)
 * [Exemplary Consent App with Express and NodeJS](https://github.com/ory/hydra-consent-app-express)
 

@@ -8,7 +8,7 @@ import (
 
 // Client represents an OAuth 2.0 Client.
 //
-// swagger:model oauthClient
+// swagger:model oAuth2Client
 type Client struct {
 	// ID is the id for this client.
 	ID string `json:"id" gorethink:"id"`
@@ -40,7 +40,7 @@ type Client struct {
 	// described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client
 	// can use when requesting access tokens.
 	//
-	// Pattern: ([a-zA-Z0-9\.]+\s)+
+	// Pattern: ([a-zA-Z0-9\.\*]+\s)+
 	Scope string `json:"scope" gorethink:"scope"`
 
 	// Owner is a string identifying the owner of the OAuth 2.0 Client.
@@ -87,7 +87,7 @@ func (c *Client) GetHashedSecret() []byte {
 }
 
 func (c *Client) GetScopes() fosite.Arguments {
-	return fosite.Arguments(strings.Split(c.Scope, " "))
+	return fosite.Arguments(strings.Fields(c.Scope))
 }
 
 func (c *Client) GetGrantTypes() fosite.Arguments {

@@ -1,14 +1,21 @@
-// Package client implements the OAuth 2.0 Client functionality and provides http handlers, http clients and storage adapters.
+// Package client implements OAuth 2.0 client management capabilities
+//
+// OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are granted
+// to applications that want to use OAuth 2.0 access and refresh tokens.
+//
+//
+// In ORY Hydra, OAuth 2.0 clients are used to manage ORY Hydra itself. These clients may gain highly privileged access
+// if configured that way. This endpoint should be well protected and only called by code you trust.
 package client
 
-// swagger:parameters createOAuthClient
+// swagger:parameters createOAuth2Client
 type swaggerCreateClientPayload struct {
 	// in: body
 	// required: true
 	Body Client
 }
 
-// swagger:parameters updateOAuthClient
+// swagger:parameters updateOAuth2Client
 type swaggerUpdateClientPayload struct {
 	// in: path
 	// required: true
@@ -20,13 +27,14 @@ type swaggerUpdateClientPayload struct {
 }
 
 // A list of clients.
-// swagger:response clientsList
+// swagger:response oAuth2ClientList
 type swaggerListClientsResult struct {
 	// in: body
+	// type: array
 	Body []Client
 }
 
-// swagger:parameters getOAuthClient deleteOAuthClient
+// swagger:parameters getOAuth2Client deleteOAuth2Client
 type swaggerQueryClientPayload struct {
 	// The id of the OAuth 2.0 Client.
 	//