🚀 ory/hydra - Release Notes

We’re thrilled to announce the release of **Ory Hydra 2.3.0**! This version comes packed with **graceful token refresh**, performance improvements, and fixes that enhance stability, reduce database load, and streamline the developer experience. We strongly recommend upgrading to take advantage of these enhancements and ensure the best possible OAuth2 and OpenID Connect experience with Ory Hydra. Thank you to everyone who contributed!

Ory Hydra now supports graceful refresh token rotation, making OAuth2 and OpenID Connect refresh flows significantly more resilient in scenarios such as Single Page Apps and IoT. Even in highly distributed or concurrent environments, Hydra gracefully handles token refreshes reliably, ensuring tokens are not dropped or double-used.

PRs: [#3860](https://github.com/ory/hydra/pull/3860), [#3895](https://github.com/ory/hydra/pull/3895)

Previously, the `redirect_uri` was not required when performing flows with `scope=openid`. This release enforces the requirement to comply with the OpenID Connect standard.

PR: [#3900](https://github.com/ory/hydra/pull/3900)

Hydra now supports explicit SQL migration commands **`migrate sql up|down|status`** that streamline database schema management and help with zero-downtime upgrades.

PR: [#3894](https://github.com/ory/hydra/pull/3894)

- **Access token strategy & advanced CLI improvements**
  The CLI introduces new parameters and an option to specify a custom client ID on creation, making it easier to manage and script Hydra deployments.
  PRs: [#3718](https://github.com/ory/hydra/pull/3718), [#3725](https://github.com/ory/hydra/pull/3725), [#3874](https://github.com/ory/hydra/pull/3874)
- **Built-in login & consent UI for `hydra perform authorization-code`**
  A minimal built-in UI for login and consent can be enabled when testing with the CLI, removing the need to spin up a separate service.
  PR: [#3845](https://github.com/ory/hydra/pull/3845)

Unused indices have been removed, down migration scripts renamed for consistency, and all migrations are more efficient overall.

PRs: [#3859](https://github.com/ory/hydra/pull/3859), [#3911](https://github.com/ory/hydra/pull/3911)

- **Improve persistence logic** – Database transactions and concurrency have been improved across the authorization and token handlers.
  PRs: [#3756](https://github.com/ory/hydra/pull/3756), [#3763](https://github.com/ory/hydra/pull/3763), [#3886](https://github.com/ory/hydra/pull/3886)
- **Support for more claims in password grant** – You can now include additional claims in the password grant flow, providing extra flexibility in advanced scenarios. Only available with an Ory Enterprise License.
  PR: [#3864](https://github.com/ory/hydra/pull/3864)

- **Transaction Wrappers**
  Authorization and token issuance are now wrapped more consistently to prevent partial writes and race conditions.
  PRs: [#3730](https://github.com/ory/hydra/pull/3730), [#3763](https://github.com/ory/hydra/pull/3763)
- **Improved Docker setup**
  Docker configurations have been refined, removing inconsistencies in the Compose setup and enabling a fully static binary build.
  PRs: [#3826](https://github.com/ory/hydra/pull/3826), [#3924](https://github.com/ory/hydra/pull/3924)
- **Proper JSON round-tripping**
  Fixed an issue causing custom claims to break if they were nested or unexpectedly typed. JSON round-trips are now correct.
  PR: [#3819](https://github.com/ory/hydra/pull/3819)
- **Speed up public key retrieval**
  Reduced overhead for the JWK public endpoint, solving CPU contention issues in large-scale deployments.
  PRs: [#3787](https://github.com/ory/hydra/pull/3787), [#3870](https://github.com/ory/hydra/pull/3870)
- **Fix Docker Compose references**
  The CLI now properly references `docker compose` instead of `docker-compose`, ensuring compatibility with modern Docker setups.
  PR: [#3815](https://github.com/ory/hydra/pull/3815)

- **Dependency upgrades**
  Bumped `fosite`, `ory/x`, `pgx/v5`, and various third-party libraries for improved stability and performance.
- **Updated docs**
  Updated examples, improved JWK documentation, added notes on Docker Compose usage, and refined OpenID Connect discovery docs.
- **More tracing context**
  Tracing calls have been consistently standardized with `otelx.End()`, and additional context ensures better observability.
- **Code generation & housekeeping**
  Various housekeeping tasks: pinned GHA versions, fixed minor comment typos, updated newsletters/links, and more.

To upgrade to 2.3.0, follow the usual steps:

1. **Back up your database** (always recommended).
2. **Update your Hydra version** in your Docker configuration, binary, or build to `v2.3.0`.
3. **Run `hydra migrate sql up`** (if using the new commands) or your usual migration procedure.
4. **Restart your services** and confirm that Hydra is up and running.

Check the [migration docs](https://www.ory.sh/docs/hydra/self-hosted/upgrade) for detailed information.

As always, we love hearing from our community. Here are some ways to get involved:

- **Join our Slack**: [Ory Community Slack](https://www.ory.sh/chat)
- **Ask questions on GitHub Discussions**: [Ory Hydra Discussions](https://github.com/ory/hydra/discussions)
- **Submit bugs and feature requests**: [GitHub Issues](https://github.com/ory/hydra/issues)

Thanks to all contributors for making Ory Hydra the best-in-class OAuth2 and OpenID Connect server.

For Ory Hydra v2.4.0 we are looking at another highly anticipated community-contributed feature, the OAuth 2.0 Device Authorization Grant!

**Full Changelog**: [v2.2.0...v2.3.0](https://github.com/ory/hydra/compare/v2.2.0...v2.3.0)

_Happy building with Ory Hydra!_

## Breaking Changes

Going forward, OAuth2 Clients requesting an OpenID Connect flow **must** include the `redirect_uri` parameter or the request will be rejected.

Deleting consents no longer returns 404 in certain edge cases but instead always 204.

### Bug Fixes

- Advertise support for response_mode=form_post in OIDC discovery document ([#3861](https://github.com/ory/hydra/issues/3861)) ([9cc5f28](https://github.com/ory/hydra/commit/9cc5f28825bb80398a9830d4fcb220147f74504c))
- Broken JSON round-tripping for custom claims ([b36b701](https://github.com/ory/hydra/commit/b36b701026d7d7324b0b04529f134d3ed1eb9eb7)):

  Adding custom claims with numerical types (think JavaScript Number) previously did not
  round-trip through Hydra correctly. For example, passing UNIX timestamps in custom claims
  would end up as floating points in exponential notation in the final token. That, in turn,
  confused or broke downstream consumers of the token, including Kratos.

  Ref https://github.com/go-jose/go-jose/issues/144

- Change comment on revokeOAuth2LoginSessions ([#3853](https://github.com/ory/hydra/issues/3853)) ([6d829dd](https://github.com/ory/hydra/commit/6d829ddb251f9e9f1a49a91438c1bd684e827021))
- Change index name in down migration ([#3911](https://github.com/ory/hydra/issues/3911)) ([3a09db2](https://github.com/ory/hydra/commit/3a09db2abb978df91d875333b1eca70014cdcd10))
- Correct span names ([554238b](https://github.com/ory/hydra/commit/554238b6da4e1d8ad690b1bf359e532382571884))
- Correctly pass multiple token audiences and prompt parameters when performing the authorization code flow from the CLI ([#3736](https://github.com/ory/hydra/issues/3736)) ([632faef](https://github.com/ory/hydra/commit/632faef15228c2d0a2caedfc3d7c6a3782c2e131))
- Cpu contention when reading JWKs and suppress generating duplicate JWKs ([#3870](https://github.com/ory/hydra/issues/3870)) ([d5f65c5](https://github.com/ory/hydra/commit/d5f65c570a02a999867f323630d2a5d099526054)):

  Previously each concurrent caller would need to lock a shared mutex when reading or writing a given JWK set.
  The read path now doesn't require locking a mutex at all and instead returns valid query results directly.

  The write path is now protected by a concurrency control mechanism (using x/sync/singleflight) to ensure only one JWK set is generated and persisted.

  Note: Duplicate JWK sets may still be improperly generated if running more than one Hydra instance in a high traffic environment.

- Do not iteratively delete records ([#3766](https://github.com/ory/hydra/issues/3766)) ([5ef20a2](https://github.com/ory/hydra/commit/5ef20a2a2bc91ccde79517667ae4bf4a36c833ba)):

  Resolves performance issues on some databases when deleting consent.

- Do not retry sending responses ([#3764](https://github.com/ory/hydra/issues/3764)) ([1bbfdb5](https://github.com/ory/hydra/commit/1bbfdb56e55525c5bc0526726fa901cf10af59e4))
- **docs:** Adjust note about SDK support on oauth2 flow endpoints ([#3812](https://github.com/ory/hydra/issues/3812)) ([d0e047c](https://github.com/ory/hydra/commit/d0e047ccc822972cf44ae6ec35c8f6e8507fe3ae))
- Error log when RP responds with status code 204 ([#3731](https://github.com/ory/hydra/issues/3731)) ([153e4b5](https://github.com/ory/hydra/commit/153e4b56e6de645ee44e4e7833c32a3890e43c54))
- Faster GetPublicKeys ([#3787](https://github.com/ory/hydra/issues/3787)) ([04c34aa](https://github.com/ory/hydra/commit/04c34aaf2e3c523f4658910d570de80de328d138)):

  GetPublicKeys used to fetch all keys in a set, even if they were actually not being used. This patch fixes that.

- Improve docker set up ([#3924](https://github.com/ory/hydra/issues/3924)) ([8ca6cbd](https://github.com/ory/hydra/commit/8ca6cbd1ab4fe659a0a9feff82766961de6c1d77)), closes [#3914](https://github.com/ory/hydra/issues/3914) [#3683](https://github.com/ory/hydra/issues/3683):

  Improves the docker set up and removes some unused files.

- Incorrect context passthru ([fa50e3e](https://github.com/ory/hydra/commit/fa50e3e999ef962fb522dfa2f9a1f6ffa20848bf))
- Incorrect indices ([#3778](https://github.com/ory/hydra/issues/3778)) ([cb0004b](https://github.com/ory/hydra/commit/cb0004b67b2818b3bca397e98c1bb5bcbb62296f))
- Limit HTTP response size ([2559819](https://github.com/ory/hydra/commit/25598191ee862b764ff160755b79fab0e95e5136))
- Omit explicit transaction in ConfirmLoginSession and add tracing ([#3886](https://github.com/ory/hydra/issues/3886)) ([a5b2d75](https://github.com/ory/hydra/commit/a5b2d75d4eeab6f26561f7a63cec24ccc7ed1127))
- Pass context to database ping ([fa21711](https://github.com/ory/hydra/commit/fa217119494e56b043810cd5ba8e8e230a24ea94))
- Require `redirect_uri` in openid requests ([#3900](https://github.com/ory/hydra/issues/3900)) ([5caa629](https://github.com/ory/hydra/commit/5caa6293b155a0ebe069d64d7db056ae8e5aa4b0)):

  Resolves a deviation from the OpenID Connect spec, where the `redirect_uri` was not required when performing flows with `scope=openid`.

- Untyped int build issues on 32bit architectures ([#3885](https://github.com/ory/hydra/issues/3885)) ([68aa167](https://github.com/ory/hydra/commit/68aa16725f529136d3f7d0282158ff8c9b11bd22))
- Upgrade fosite and improve webhook integration ([#3727](https://github.com/ory/hydra/issues/3727)) ([89323e2](https://github.com/ory/hydra/commit/89323e24de470c2b0f3037e0cf8f99bc4373d4fd))
- Use docker compose rather than docker-compose ([#3815](https://github.com/ory/hydra/issues/3815)) ([ffdfb73](https://github.com/ory/hydra/commit/ffdfb7362a8de6f6f0608879bf034602f01ea250))
- Wrap authorize response in transaction ([#3763](https://github.com/ory/hydra/issues/3763)) ([5b106aa](https://github.com/ory/hydra/commit/5b106aadb0e71add56e3cc68e5a9e33cdb81dd39))
- Wrap token handler in transaction ([#3730](https://github.com/ory/hydra/issues/3730)) ([67a85cc](https://github.com/ory/hydra/commit/67a85cc799b5c6ef278db93aba131e695fd761e9))

### Code Generation

- Pin v2.3.0 release commit ([ee8c339](https://github.com/ory/hydra/commit/ee8c339ddada3a42529c0416897abc32bad03bbb))

### Documentation

- Update clarification ([#3929](https://github.com/ory/hydra/issues/3929)) ([ce7616c](https://github.com/ory/hydra/commit/ce7616cf6c600dc4f2303167fbf6b2ed81105ba5))

### Features

- Add access token strategy parameter to cli ([#3718](https://github.com/ory/hydra/issues/3718)) ([7862dc3](https://github.com/ory/hydra/commit/7862dc337aba2899bdb945e94eb79d3ab3509202)), closes [#3717](https://github.com/ory/hydra/issues/3717)
- Add expiry and requested times to logout table ([#3837](https://github.com/ory/hydra/issues/3837)) ([f83193f](https://github.com/ory/hydra/commit/f83193f90814691d10d88493eb6357cf37565115))
- Add id parameter to create oauth2-client cli ([#3725](https://github.com/ory/hydra/issues/3725)) ([b372fd2](https://github.com/ory/hydra/commit/b372fd20169156efd7c34710f823e0c5b5dbf183)):

  Fixes https://github.com/ory/hydra/issues/3724

- Add Inspect option to registry ([2013450](https://github.com/ory/hydra/commit/2013450a9a55af26523554c3aa01fc5243573f2c))
- Add migrate sql up|down|status ([#3894](https://github.com/ory/hydra/issues/3894)) ([d27882f](https://github.com/ory/hydra/commit/d27882faf16cd8997c15d8facc1c190dff620a8e)):

  This patch adds the ability to execute down migrations using:

  ```
  hydra migrate sql down -e --steps {num_of_steps}
  ```

  Please read `hydra migrate sql down --help` carefully.

  Going forward, please use the following commands

  ```
  hydra migrate sql up ...
  hydra migrate sql status ...
  ```

  instead of the previous, now deprecated

  ```
  hydra migrate sql ...
  hydra migrate status ...
  ```

  commands.

  See https://github.com/ory-corp/cloud/issues/7350

- Built-in login/consent UI for `hydra perform authorization-code` ([#3845](https://github.com/ory/hydra/issues/3845)) ([7f8bd90](https://github.com/ory/hydra/commit/7f8bd90c2ccbf8be553d526890459f85940c8e99))
- Graceful refresh token rotation ([#3860](https://github.com/ory/hydra/issues/3860)) ([e278b40](https://github.com/ory/hydra/commit/e278b405e53f6e00f3012a49f14938443d6e7882)), closes [#1831](https://github.com/ory/hydra/issues/1831) [#3770](https://github.com/ory/hydra/issues/3770):

  This patch adds a configuration flag which enables graceful refresh token rotation. Previously, refresh tokens could only be used once. On reuse, all tokens of that chain would be revoked.

  This is particularly challenging in environments, where it's difficult to make guarantees on synchronization. This could lead to refresh tokens being sent twice due to some parallel execution.

  To resolve this, refresh tokens can now be graceful by changing `oauth2.grant.refresh_token.grace_period=10s` (example value). During this time, a refresh token can be used multiple times to generate new refresh, ID, and access tokens.

  All tokens will correctly be invalidated, when the refresh token is re-used after the grace period expires, or when the delete consent endpoint is used.

- Handle concurrent refreshes and improve graceful refreshing ([#3895](https://github.com/ory/hydra/issues/3895)) ([0a6c966](https://github.com/ory/hydra/commit/0a6c96620674e880cfbff2e077f7faf12ca0e446)):

  This patch improves Ory Hydra's ability to deal with refresh flows which, for example, concurrently refresh the same token. Furthermore, graceful token refresh has been improved to handle a variety of edge cases and scenarios.

  Additionally, serializability errors in CockroachDB are now correctly retried.

  See https://github.com/ory-corp/cloud/issues/7311
  Closes https://github.com/ory/hydra/pull/3895

- Improve persistence logic ([#3756](https://github.com/ory/hydra/issues/3756)) ([50301e0](https://github.com/ory/hydra/commit/50301e0022ca64c9d0823544c7b664309620c70e))
- Reduce size of verifiers ([#3857](https://github.com/ory/hydra/issues/3857)) ([0cd00dc](https://github.com/ory/hydra/commit/0cd00dcb0e1390165ae94631fef3980f5b8df40e))
- Remove unused indices ([#3859](https://github.com/ory/hydra/issues/3859)) ([56fc3da](https://github.com/ory/hydra/commit/56fc3da6297eab16e2aa65818dd149104557b332))
- Support more claims in password grant ([#3864](https://github.com/ory/hydra/issues/3864)) ([41476ec](https://github.com/ory/hydra/commit/41476ec06275bc348ed4117e9e0223d04bdebfa5)):

  For the resource owner password grant, the Kratos identity ID is now written to the sub claim, and the username is written to the ext.username claim. Further, token hooks are called for the initial token issuance as well as refresh flows for access tokens issued via the resource owner password grant, allowing users to customize the fields present in the access token (for the jwt strategy) as well as on introspection.

- Update clients from files through the CLI ([#3874](https://github.com/ory/hydra/issues/3874)) ([f777fd1](https://github.com/ory/hydra/commit/f777fd1ac1047575624924d9243f6e532af4f538))
- Upgrade to jackc/pgx/v5 ([#3798](https://github.com/ory/hydra/issues/3798)) ([cd7e7ef](https://github.com/ory/hydra/commit/cd7e7eff910441f40382f7b71b3fbfae26b6641a))

### Tests

- Patch oauth2 snapshot ([#3867](https://github.com/ory/hydra/issues/3867)) ([db095de](https://github.com/ory/hydra/commit/db095decd2168125c92fa7fb9d68cc276432e6e9))

### Unclassified

- Include Requested Scopes in Webhook Requests (#3891) ([c3ff306](https://github.com/ory/hydra/commit/c3ff3061318f34fe43d71235aff035346f2c51b3)), closes [#3891](https://github.com/ory/hydra/issues/3891)
- update doc example for get oauth2-client ([5e70cde](https://github.com/ory/hydra/commit/5e70cde872f74758e22e89466c5b41e54d475533))

Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

![Ory Hydra 2.2.0](http://ory.sh/images/newsletter/hydra-2.2.0/banner.png)

Ory Hydra, the OAuth2 and OpenID Connect server designed for web-scale deployments introduces over 6x higher OAuth2 throughput on a single PostgreSQL instance!

Want to check out Ory Hydra yourself? Try common OAuth2 flows in the [Ory OAuth2 Get Started guide](https://www.ory.sh/docs/getting-started/ory-network-oauth2)!

This version significantly enhances performance, processing over 6x more authorization flows than version 2.1, thanks to architectural improvements that minimize database interactions for login and consent processes.

Key improvements include:

- Enhanced integration with Ory Kratos, ensuring seamless synchronization of login and logout states across both services. Users logged out from Ory Hydra will automatically log out from Ory Kratos, enhancing security and user experience.
- The ability to bypass the logout consent screen for specific clients, streamlining the logout process.
- Simplified migration with the new feature to import OAuth2 Client IDs, making the transition to Ory Hydra smoother.
- Support for the OIDC Verifiable Credentials specification, expanding the server's capabilities in identity verification.

Thank all contributors who have made this release available!

### Bug Fixes

- Return empty slice if requested_scope or audience is null ([#3711](https://github.com/ory/hydra/issues/3711)) ([65165e7](https://github.com/ory/hydra/commit/65165e77718b37ee720a493f2fb6be20e6b04af6))
- Correct id token type in token exchange response ([#3625](https://github.com/ory/hydra/issues/3625)) ([d1f9ba8](https://github.com/ory/hydra/commit/d1f9ba8edee45323e1f13dcf9c67eefbd524dc81)):

  Closes https://github.com/ory/client-go/issues/2

- Dropped persistence/sql test errors ([#3670](https://github.com/ory/hydra/issues/3670)) ([22f0119](https://github.com/ory/hydra/commit/22f0119ad300c1e09c03e966a3d3411e57db444f))
- Handle logout double-submit gracefully ([#3675](https://github.com/ory/hydra/issues/3675)) ([5133cf9](https://github.com/ory/hydra/commit/5133cf972ecfca18d7799c00a7afeae6a4386fbf))
- Handle subject mismatch gracefully ([#3619](https://github.com/ory/hydra/issues/3619)) ([af0d477](https://github.com/ory/hydra/commit/af0d477e0eb1e336b01fa8d1321e9dce098c82a8)):

  We now redirect to the original request URL if the subjects between
  the remembered Hydra session and what was confirmed by the login
  screen does not match.

- Handle token hook auth config ([#3677](https://github.com/ory/hydra/issues/3677)) ([1a40833](https://github.com/ory/hydra/commit/1a40833e2c87c98541d053f7c54b38f791dbb448)):

  - fix: handle token hook auth config
  - fix: bump golangci-lint

- Improved SSRF protection ([#3669](https://github.com/ory/hydra/issues/3669)) ([24c3be5](https://github.com/ory/hydra/commit/24c3be574a11a76e69f09a24754f20cf644b624c))
- Incorrect down migration ([#3708](https://github.com/ory/hydra/issues/3708)) ([8812e0e](https://github.com/ory/hydra/commit/8812e0e67b1f192de4ab6819c8f2bb98e6a5b7a7)), closes [/github.com/ory/hydra/pull/3705#discussion_r1471514014](https://github.com//github.com/ory/hydra/pull/3705/issues/discussion_r1471514014)
- Remove required mark ([#3693](https://github.com/ory/hydra/issues/3693)) ([3a764a0](https://github.com/ory/hydra/commit/3a764a053a3d7eab698668cf63d387ea76c1db40))
- Timeout in jwt-bearer grants when too many grants are available ([#3692](https://github.com/ory/hydra/issues/3692)) ([a748797](https://github.com/ory/hydra/commit/a748797761f5503b048df1b57bcc406f16cd40a3))
- Verifiable credentials JWT format ([#3614](https://github.com/ory/hydra/issues/3614)) ([0176adc](https://github.com/ory/hydra/commit/0176adc17848ab1dd021910ea31202dbdcd51737))
- Add exceptions for internal IP addresses ([#3608](https://github.com/ory/hydra/issues/3608)) ([1f1121c](https://github.com/ory/hydra/commit/1f1121caef6dd2c99c2ab551bfeb82e3cd2d8cf2))
- Add kid to verifiable credential header ([#3606](https://github.com/ory/hydra/issues/3606)) ([9f1c8d1](https://github.com/ory/hydra/commit/9f1c8d192004e0e7d7f5c3383d4dd1df222dec81))
- Deflake ttl test ([6741a49](https://github.com/ory/hydra/commit/6741a49f7b4d55a270f3eb968921894b1e5f2989))
- Docker build ([#3609](https://github.com/ory/hydra/issues/3609)) ([01ff9da](https://github.com/ory/hydra/commit/01ff9da87e231a3cef8933c16a28ed425daa3355))
- Enable CORS with hot-reloaded origins ([#3601](https://github.com/ory/hydra/issues/3601)) ([6f592fc](https://github.com/ory/hydra/commit/6f592fc8425887fb403516cbb03838b63f85f87e))
- Only query access tokens by hashed signature ([a21e945](https://github.com/ory/hydra/commit/a21e94519416cc7801995b0804696348b18fa844))
- Racy random string generation ([#3555](https://github.com/ory/hydra/issues/3555)) ([1b26c4c](https://github.com/ory/hydra/commit/1b26c4cb96400b333fe214d2da892fc045bbc69f))
- Reject invalid JWKS in client configuration / dependency cleanup and bump ([#3603](https://github.com/ory/hydra/issues/3603)) ([1d73d83](https://github.com/ory/hydra/commit/1d73d83eb03e4ceef6edb4bd0738959007053118))
- Restore ability to override auth and token urls for exemplary app ([#3590](https://github.com/ory/hydra/issues/3590)) ([dfb129a](https://github.com/ory/hydra/commit/dfb129a5b7c8ae01e1c490fce1a127697abc7bee))
- Return proper error when the grant request cannot be parsed ([#3558](https://github.com/ory/hydra/issues/3558)) ([26f2d34](https://github.com/ory/hydra/commit/26f2d34459f55444e880e6e27e081c002d630246))
- Use correct tracer in middleware ([#3567](https://github.com/ory/hydra/issues/3567)) ([807cbd2](https://github.com/ory/hydra/commit/807cbd209af376b9b2d18c278cc927d1c43e6865))

### Documentation

- Fix typo ([#3649](https://github.com/ory/hydra/issues/3649)) ([f0501d2](https://github.com/ory/hydra/commit/f0501d2cd7f30c550cc07f6f583118efc9f12a5f))

### Features

- Add --skip-logout-consent flag to CLI ([#3709](https://github.com/ory/hydra/issues/3709)) ([f502d6e](https://github.com/ory/hydra/commit/f502d6e38747986cca2ce42b0854f194e85ed103))
- Add authentication options to hooks ([#3633](https://github.com/ory/hydra/issues/3633)) ([5c8e792](https://github.com/ory/hydra/commit/5c8e7923ed22f6d231ca748bb76e4261a87afb08))
- Add flag to export public keys ([#3684](https://github.com/ory/hydra/issues/3684)) ([62c006b](https://github.com/ory/hydra/commit/62c006b916351e7f74fb00e0006ea112801143d7))
- Add missing index for jwk table ([#3691](https://github.com/ory/hydra/issues/3691)) ([39ee5e1](https://github.com/ory/hydra/commit/39ee5e1f0cfa7fae5c4f9e1663a930cb5b8c2bc9))
- Add prompt=registration ([#3636](https://github.com/ory/hydra/issues/3636)) ([19857d2](https://github.com/ory/hydra/commit/19857d20b1d7d3b918de5388f17076de0660a6be)):

  Ory Hydra now supports a `registration` value for the `prompt` parameter of
  the authorization request. When specifying `prompt=registration`, Ory Hydra
  will redirect the user to the URL found under `urls.registration`
  (instead of `urls.login`).

- Add skip_logout_consent option to clients ([#3705](https://github.com/ory/hydra/issues/3705)) ([2a653e6](https://github.com/ory/hydra/commit/2a653e66803ddb03de02d981dbc8ea57b2ac0936)):

  Adds a special field which disables the logout consent screen when performing OIDC logout.

- Allow injecting extra fosite strategies ([#3646](https://github.com/ory/hydra/issues/3646)) ([88b0b7c](https://github.com/ory/hydra/commit/88b0b7cfdf1a1968bf3a720cb2e6640451e2956b))
- Re-enable legacy client IDs ([#3628](https://github.com/ory/hydra/issues/3628)) ([5dd7d30](https://github.com/ory/hydra/commit/5dd7d306ba8181b1fff1225d056a2ee69183392e)):

  This patch changes the primary key of the `hydra_client` table. We do not expect issues, as that table is probably not overly huge in any deployment. We do however highly recommend to test the migration performance on a staging environment with a similar database setup.

- Remove flow cookie ([#3639](https://github.com/ory/hydra/issues/3639)) ([cde3a30](https://github.com/ory/hydra/commit/cde3a30a92bc30cf072763503e9780a79ba44e43)):

  This patch removes the flow cookie. All information is already tracked in the request query parameters as part of the {login|consent}\_{challenge|verifier}.

- Remove login session cookie during consent flow ([#3667](https://github.com/ory/hydra/issues/3667)) ([5f41949](https://github.com/ory/hydra/commit/5f41949ad209c90d114dc427bd6ccde5e08f05da))
- Support multiple token URLs ([#3676](https://github.com/ory/hydra/issues/3676)) ([95cc273](https://github.com/ory/hydra/commit/95cc2735ed18374cc01d625c66417e42b600778d))

- Add `hydra migrate status` subcommand ([#3579](https://github.com/ory/hydra/issues/3579)) ([749eb8d](https://github.com/ory/hydra/commit/749eb8db40fb8b2d6333d917fac6c25b6e5574ef))
- Add more resolution to events and collect client metrics ([#3568](https://github.com/ory/hydra/issues/3568)) ([466e66b](https://github.com/ory/hydra/commit/466e66bd1df7bf589c5a74ad5be399b1eaa80d9b))
- Add state override ([b8b9154](https://github.com/ory/hydra/commit/b8b9154077963492dad3ed0350a4d93d09a95602))
- Add support for OIDC VC ([#3575](https://github.com/ory/hydra/issues/3575)) ([219a7c0](https://github.com/ory/hydra/commit/219a7c068fa0ec423923f157553f430c80934c45)):

  This adds initial support for issuing verifiable credentials
  as specified in https://openid.net/specs/openid-connect-userinfo-vc-1_0.html.

  Because the spec is still in draft, public identifiers are
  suffixed with `draft_00`.

- Allow additional SQL migrations ([#3587](https://github.com/ory/hydra/issues/3587)) ([8900cbb](https://github.com/ory/hydra/commit/8900cbb770d6f39a5c3322fce488675ca6d0138a))
- Allow Go migrations ([#3602](https://github.com/ory/hydra/issues/3602)) ([8eed306](https://github.com/ory/hydra/commit/8eed306800fa330a1cda752dbb11ddf09faf25ad))
- Allow to disable claim mirroring ([#3563](https://github.com/ory/hydra/issues/3563)) ([c72a316](https://github.com/ory/hydra/commit/c72a31641ee79f090a2ac1b64a276be58312b2ee)):

  This PR introduces another config option called `oauth2:mirror_top_level_claims` which may be used to disable the mirroring of custom claims into the `ext` claim of the jwt.
  This new config option is an opt-in. If unused the behavior remains as-is to ensure backwards compatibility.

  Example:

  ```yaml
  oauth2:
    allowed_top_level_claims:
      - test_claim
    mirror_top_level_claims: false # -> this will prevent test_claim to be mirrored within ext
  ```

  Closes https://github.com/ory/hydra/issues/3348

- Bump fosite and add some more tracing ([0b56f53](https://github.com/ory/hydra/commit/0b56f53a491e165f68a53f013989328ce86928ba))
- **cmd:** Add route that redirects to the auth code url ([4db6416](https://github.com/ory/hydra/commit/4db64161699e4301c003b2787baecae22c912c17))
- Parallel generation of JSON web key set ([#3561](https://github.com/ory/hydra/issues/3561)) ([5bd9002](https://github.com/ory/hydra/commit/5bd9002db7baa2fe2c2529fee38825d66a68991f))
- Propagate logout to identity provider ([#3596](https://github.com/ory/hydra/issues/3596)) ([c004fee](https://github.com/ory/hydra/commit/c004fee69497a5a0f8af5ccb6a2ab8d104fd9249)):

  - feat: propagate logout to identity provider

  This commit improves the integration between Hydra and Kratos when logging
  out the user.

  This adds a new configuration key for configuring a Kratos admin URL.
  Additionally, Kratos can send a session ID when accepting a login request.
  If a session ID was specified and a Kratos admin URL was configured,
  Hydra will disable the corresponding Kratos session through the admin API
  if a frontchannel or backchannel logout was triggered.

  - fix: add special case for MySQL
  - chore: update sdk
  - chore: consistent naming
  - fix: cleanup persister

- Support different jwt scope claim strategies ([#3531](https://github.com/ory/hydra/issues/3531)) ([45da11e](https://github.com/ory/hydra/commit/45da11e4fb4f0a2f939f11682c095b8dbfcddb78))



## Changelog
* b346f90e autogen(docs): generate and bump docs
* 01aeffc6 autogen(docs): regenerate and update changelog
* 3a65840d autogen(docs): regenerate and update changelog
* 2dc52b4d autogen(docs): regenerate and update changelog
* 74732591 autogen(docs): regenerate and update changelog
* 4b8c9715 autogen(docs): regenerate and update changelog
* d0dfc0f0 autogen(docs): regenerate and update changelog
* 9e9be2d2 autogen(docs): regenerate and update changelog
* ada59a5f autogen(docs): regenerate and update changelog
* cdd2647c autogen(docs): regenerate and update changelog
* e4c160f5 autogen(docs): regenerate and update changelog
* 5121dba3 autogen(docs): regenerate and update changelog
* 21e0a9bd autogen(docs): regenerate and update changelog
* 89b1b1bd autogen(docs): regenerate and update changelog
* 0a5e0439 autogen(docs): regenerate and update changelog
* 6cbe0893 autogen(docs): regenerate and update changelog
* 78617027 autogen(docs): regenerate and update changelog
* c9f4b5f3 autogen(docs): regenerate and update changelog
* fe260d10 autogen(docs): regenerate and update changelog
* fbf39dd3 autogen(docs): regenerate and update changelog
* 9b33fc55 autogen(docs): regenerate and update changelog
* f9cee328 autogen(docs): regenerate and update changelog
* 841d58b8 autogen(docs): regenerate and update changelog
* 4a8e9a4c autogen(docs): regenerate and update changelog
* cdc0bec3 autogen(openapi): regenerate swagger spec and internal client
* 4a00e3e0 autogen(openapi): regenerate swagger spec and internal client
* dedcf5b4 autogen(openapi): regenerate swagger spec and internal client
* 92eb03a0 autogen(openapi): regenerate swagger spec and internal client
* f9a87d35 autogen(openapi): regenerate swagger spec and internal client
* 1ff8f20a autogen(openapi): regenerate swagger spec and internal client
* 11bf9df8 autogen(openapi): regenerate swagger spec and internal client
* e7968931 autogen(openapi): regenerate swagger spec and internal client
* 27f2ef50 autogen(openapi): regenerate swagger spec and internal client
* 35d62950 autogen(openapi): regenerate swagger spec and internal client
* ce00a428 autogen(openapi): regenerate swagger spec and internal client
* db4fd7d1 autogen(openapi): regenerate swagger spec and internal client
* 146b1625 autogen(openapi): regenerate swagger spec and internal client
* e1636d1e autogen(openapi): regenerate swagger spec and internal client
* 9389773a autogen(openapi): regenerate swagger spec and internal client
* af859fe4 autogen(openapi): regenerate swagger spec and internal client
* f1708f2a autogen(openapi): regenerate swagger spec and internal client
* 3e8413e9 autogen(openapi): regenerate swagger spec and internal client
* 11c8c724 autogen(openapi): regenerate swagger spec and internal client
* 800ce0a1 autogen: add v2.2.0-rc.3 to version.schema.json
* 8168ee31 autogen: pin v2.2.0-pre.1 release commit
* 04872174 autogen: render config schema
* a0c06ecb chore(deps): bump @cypress/request and cypress (#3641)
* b177f81a chore(deps): bump axios and @openapitools/openapi-generator-cli (#3701)
* 23c81943 chore(deps): bump debug from 3.2.6 to 3.2.7 (#3640)
* 18d97936 chore(deps): bump follow-redirects in /test/e2e/oauth2-client (#3697)
* 4fa28890 chore(deps): bump github.com/docker/docker (#3707)
* 2ba35473 chore(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0 (#3680)
* efc00a8b chore(deps): bump golang.org/x/net from 0.14.0 to 0.17.0 (#3645)
* 083c90de chore: build tag (#3613)
* 3615e3df chore: bump docker base images (#3632)
* aa8a364e chore: bump openapi-generator (#3696)
* 2dc66061 chore: improve context (#3656)
* 8e949299 chore: update otel (#3686)
* f0501d2c docs: fix typo (#3649)
* f502d6e3 feat: add --skip-logout-consent flag to CLI (#3709)
* 5c8e7923 feat: add authentication options to hooks (#3633)
* 62c006b9 feat: add flag to export public keys (#3684)
* 39ee5e1f feat: add missing index for jwk table (#3691)
* 19857d20 feat: add prompt=registration (#3636)
* 2a653e66 feat: add skip_logout_consent option to clients (#3705)
* 88b0b7cf feat: allow injecting extra fosite strategies (#3646)
* 5dd7d306 feat: re-enable legacy client IDs (#3628)
* cde3a30a feat: remove flow cookie (#3639)
* 5f41949a feat: remove login session cookie during consent flow (#3667)
* 95cc2735 feat: support multiple token URLs (#3676)
* d1f9ba8e fix: correct id token type in token exchange response (#3625)
* 22f0119a fix: dropped persistence/sql test errors (#3670)
* 5133cf97 fix: handle logout double-submit gracefully (#3675)
* af0d477e fix: handle subject mismatch gracefully (#3619)
* 1a40833e fix: handle token hook auth config (#3677)
* 24c3be57 fix: improved SSRF protection (#3669)
* 8812e0e6 fix: incorrect down migration (#3708)
* 3a764a05 fix: remove required mark (#3693)
* a7487977 fix: timeout in jwt-bearer grants when too many grants are available (#3692)
* 0176adc1 fix: verifiable credentials JWT format (#3614)
* 8e6c4bfa autogen(docs): regenerate and update changelog
* 33950db8 autogen(docs): regenerate and update changelog
* 28e9e31b autogen(openapi): regenerate swagger spec and internal client
* 57096be9 autogen: pin v2.2.0 release commit
* bfc05d00 chore(deps): bump github.com/opencontainers/runc from 1.1.8 to 1.1.12 (#3710)
* 65165e77 fix: return empty slice if requested_scope or audience is null (#3711)


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

Introduces logout compatibility with Ory Kratos.

### Bug Fixes

- Add exceptions for internal IP addresses ([#3608](https://github.com/ory/hydra/issues/3608)) ([1f1121c](https://github.com/ory/hydra/commit/1f1121caef6dd2c99c2ab551bfeb82e3cd2d8cf2))
- Add kid to verifiable credential header ([#3606](https://github.com/ory/hydra/issues/3606)) ([9f1c8d1](https://github.com/ory/hydra/commit/9f1c8d192004e0e7d7f5c3383d4dd1df222dec81))
- Deflake ttl test ([6741a49](https://github.com/ory/hydra/commit/6741a49f7b4d55a270f3eb968921894b1e5f2989))
- Docker build ([#3609](https://github.com/ory/hydra/issues/3609)) ([01ff9da](https://github.com/ory/hydra/commit/01ff9da87e231a3cef8933c16a28ed425daa3355))
- Enable CORS with hot-reloaded origins ([#3601](https://github.com/ory/hydra/issues/3601)) ([6f592fc](https://github.com/ory/hydra/commit/6f592fc8425887fb403516cbb03838b63f85f87e))
- Only query access tokens by hashed signature ([a21e945](https://github.com/ory/hydra/commit/a21e94519416cc7801995b0804696348b18fa844))
- Racy random string generation ([#3555](https://github.com/ory/hydra/issues/3555)) ([1b26c4c](https://github.com/ory/hydra/commit/1b26c4cb96400b333fe214d2da892fc045bbc69f))
- Reject invalid JWKS in client configuration / dependency cleanup and bump ([#3603](https://github.com/ory/hydra/issues/3603)) ([1d73d83](https://github.com/ory/hydra/commit/1d73d83eb03e4ceef6edb4bd0738959007053118))
- Restore ability to override auth and token urls for exemplary app ([#3590](https://github.com/ory/hydra/issues/3590)) ([dfb129a](https://github.com/ory/hydra/commit/dfb129a5b7c8ae01e1c490fce1a127697abc7bee))
- Return proper error when the grant request cannot be parsed ([#3558](https://github.com/ory/hydra/issues/3558)) ([26f2d34](https://github.com/ory/hydra/commit/26f2d34459f55444e880e6e27e081c002d630246))
- Use correct tracer in middleware ([#3567](https://github.com/ory/hydra/issues/3567)) ([807cbd2](https://github.com/ory/hydra/commit/807cbd209af376b9b2d18c278cc927d1c43e6865))

### Code Generation

- Pin v2.2.0-rc.3 release commit ([ad8a4ba](https://github.com/ory/hydra/commit/ad8a4bab63b352c0b259a97d7b3f23247b0238b1))

### Features

- Add `hydra migrate status` subcommand ([#3579](https://github.com/ory/hydra/issues/3579)) ([749eb8d](https://github.com/ory/hydra/commit/749eb8db40fb8b2d6333d917fac6c25b6e5574ef))
- Add more resolution to events and collect client metrics ([#3568](https://github.com/ory/hydra/issues/3568)) ([466e66b](https://github.com/ory/hydra/commit/466e66bd1df7bf589c5a74ad5be399b1eaa80d9b))
- Add state override ([b8b9154](https://github.com/ory/hydra/commit/b8b9154077963492dad3ed0350a4d93d09a95602))
- Add support for OIDC VC ([#3575](https://github.com/ory/hydra/issues/3575)) ([219a7c0](https://github.com/ory/hydra/commit/219a7c068fa0ec423923f157553f430c80934c45)):

  This adds initial support for issuing verifiable credentials
  as specified in https://openid.net/specs/openid-connect-userinfo-vc-1_0.html.

  Because the spec is still in draft, public identifiers are
  suffixed with `draft_00`.

- Allow additional SQL migrations ([#3587](https://github.com/ory/hydra/issues/3587)) ([8900cbb](https://github.com/ory/hydra/commit/8900cbb770d6f39a5c3322fce488675ca6d0138a))
- Allow Go migrations ([#3602](https://github.com/ory/hydra/issues/3602)) ([8eed306](https://github.com/ory/hydra/commit/8eed306800fa330a1cda752dbb11ddf09faf25ad))
- Allow to disable claim mirroring ([#3563](https://github.com/ory/hydra/issues/3563)) ([c72a316](https://github.com/ory/hydra/commit/c72a31641ee79f090a2ac1b64a276be58312b2ee)):

  This PR introduces another config option called `oauth2:mirror_top_level_claims` which may be used to disable the mirroring of custom claims into the `ext` claim of the jwt.
  This new config option is an opt-in. If unused the behavior remains as-is to ensure backwards compatibility.

  Example:

  ```yaml
  oauth2:
    allowed_top_level_claims:
      - test_claim
    mirror_top_level_claims: false # -> this will prevent test_claim to be mirrored within ext
  ```

  Closes https://github.com/ory/hydra/issues/3348

- Bump fosite and add some more tracing ([0b56f53](https://github.com/ory/hydra/commit/0b56f53a491e165f68a53f013989328ce86928ba))
- **cmd:** Add route that redirects to the auth code url ([4db6416](https://github.com/ory/hydra/commit/4db64161699e4301c003b2787baecae22c912c17))
- Parallel generation of JSON web key set ([#3561](https://github.com/ory/hydra/issues/3561)) ([5bd9002](https://github.com/ory/hydra/commit/5bd9002db7baa2fe2c2529fee38825d66a68991f))
- Propagate logout to identity provider ([#3596](https://github.com/ory/hydra/issues/3596)) ([c004fee](https://github.com/ory/hydra/commit/c004fee69497a5a0f8af5ccb6a2ab8d104fd9249)):

  - feat: propagate logout to identity provider

  This commit improves the integration between Hydra and Kratos when logging
  out the user.

  This adds a new configuration key for configuring a Kratos admin URL.
  Additionally, Kratos can send a session ID when accepting a login request.
  If a session ID was specified and a Kratos admin URL was configured,
  Hydra will disable the corresponding Kratos session through the admin API
  if a frontchannel or backchannel logout was triggered.

  - fix: add special case for MySQL
  - chore: update sdk
  - chore: consistent naming
  - fix: cleanup persister

- Support different jwt scope claim strategies ([#3531](https://github.com/ory/hydra/issues/3531)) ([45da11e](https://github.com/ory/hydra/commit/45da11e4fb4f0a2f939f11682c095b8dbfcddb78))


## Changelog
* 2c452efd autogen(docs): regenerate and update changelog
* 551c359d autogen(docs): regenerate and update changelog
* 93ebaee6 autogen(docs): regenerate and update changelog
* 7cfba846 autogen(docs): regenerate and update changelog
* cb647702 autogen(docs): regenerate and update changelog
* 938d4bba autogen(docs): regenerate and update changelog
* 0072ddf7 autogen(docs): regenerate and update changelog
* c30de7f8 autogen(docs): regenerate and update changelog
* 6c298b2f autogen(docs): regenerate and update changelog
* a547a749 autogen(docs): regenerate and update changelog
* 5704640c autogen(docs): regenerate and update changelog
* e586cc2c autogen(docs): regenerate and update changelog
* 2bdad2c2 autogen(docs): regenerate and update changelog
* dc878b82 autogen(docs): regenerate and update changelog
* 425c977a autogen(docs): regenerate and update changelog
* 339bf40e autogen(docs): regenerate and update changelog
* ea40d443 autogen(docs): regenerate and update changelog
* 71d18536 autogen(docs): regenerate and update changelog
* be85c29a autogen(docs): regenerate and update changelog
* 598c21d7 autogen(docs): regenerate and update changelog
* 42a9615a autogen(docs): regenerate and update changelog
* 330530d7 autogen(openapi): regenerate swagger spec and internal client
* 254a21b2 autogen(openapi): regenerate swagger spec and internal client
* ad8a4bab autogen: pin v2.2.0-rc.3 release commit
* 6631c213 autogen: render config schema
* 59ec76ba chore(deps): bump semver from 5.7.0 to 5.7.2 (#3569)
* 9fd59e2b chore(deps): bump semver from 5.7.0 to 5.7.2 in /test/e2e/oauth2-client (#3570)
* 3c5c1265 chore(deps): bump tough-cookie, @cypress/request and wait-on (#3592)
* 48d5df43 chore: add hperl as codeowner (#3607)
* efd9ca7d chore: bump deps (#3560)
* d5099cbb chore: remove fosite branch override (#3599)
* 39145855 chore: replace fosite rewrite (#3564)
* 8ed2a2d3 chore: support in README (#3565)
* 1a1f5044 chore: update repository templates to https://github.com/ory/meta/commit/ac80097fa427e7ae39820c59cac62dc6e11b9aff
* eb89af7c chore: update repository templates to https://github.com/ory/meta/commit/af28aff50b62a9eeb69de4842e0e164f82c9e066
* 4db64161 feat(cmd): add route that redirects to the auth code url
* 749eb8db feat: add `hydra migrate status` subcommand (#3579)
* 466e66bd feat: add more resolution to events and collect client metrics (#3568)
* b8b91540 feat: add state override
* 219a7c06 feat: add support for OIDC VC (#3575)
* 8eed3068 feat: allow Go migrations (#3602)
* 8900cbb7 feat: allow additional SQL migrations (#3587)
* c72a3164 feat: allow to disable claim mirroring (#3563)
* 0b56f53a feat: bump fosite and add some more tracing
* 5bd9002d feat: parallel generation of JSON web key set (#3561)
* c004fee6 feat: propagate logout to identity provider (#3596)
* 45da11e4 feat: support different jwt scope claim strategies (#3531)
* 1f1121ca fix: add exceptions for internal IP addresses (#3608)
* 9f1c8d19 fix: add kid to verifiable credential header (#3606)
* 6741a49f fix: deflake ttl test
* 01ff9da8 fix: docker build (#3609)
* 6f592fc8 fix: enable CORS with hot-reloaded origins (#3601)
* a21e9451 fix: only query access tokens by hashed signature
* 1b26c4cb fix: racy random string generation (#3555)
* 1d73d83e fix: reject invalid JWKS in client configuration / dependency cleanup and bump (#3603)
* dfb129a5 fix: restore ability to override auth and token urls for exemplary app (#3590)
* 26f2d344 fix: return proper error when the grant request cannot be parsed (#3558)
* 807cbd20 fix: use correct tracer in middleware (#3567)


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

This release optimizes the performance of authorization code grant flows by minimizing the number of database queries. We acheive this by storing the flow in an AEAD-encoded cookie and AEAD-encoded request parameters for the authentication and consent screens.

BREAKING CHANGE:

- The client that is used as part of the authorization grant flow is stored in the AEAD-encoding. Therefore, running flows will not observe updates to the client after they were started.
- Because the login and consent challenge values now include the AEAD-encoded flow, their size increased to around 1kB for a flow without any metadata (and increases linearly with the amount of metadata). Please adjust your ingress / gateway accordingly.

### Bug Fixes

- Version clash in apk install ([24ebdd3](https://github.com/ory/hydra/commit/24ebdd3feb302f655000a243dad032b04cf25afc))

### Code Generation

- Pin v2.2.0-rc.2 release commit ([b183040](https://github.com/ory/hydra/commit/b183040a0d6c33abd4db01eb21a1bb0e141ea9ec))

### Features

- Hot-reload Oauth2 CORS settings ([#3537](https://github.com/ory/hydra/issues/3537)) ([a8ecf80](https://github.com/ory/hydra/commit/a8ecf807b2c6bfa6cc2d8b474f527a2fda12daef))
- Sqa metrics v2 ([#3533](https://github.com/ory/hydra/issues/3533)) ([3ec683d](https://github.com/ory/hydra/commit/3ec683d7cf582443f29bd93c4c88392b3ce692a4))


## Changelog
* 4194d750 autogen(docs): regenerate and update changelog
* 898aa001 autogen(docs): regenerate and update changelog
* b183040a autogen: pin v2.2.0-rc.2 release commit
* a8ecf807 feat: hot-reload Oauth2 CORS settings (#3537)
* 3ec683d7 feat: sqa metrics v2 (#3533)
* 24ebdd3f fix: version clash in apk install


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

We are excited to announce the next Ory Hydra release! This release includes the following important changes:

- Fixed a memory leak in the OpenTelemetry implementation, improving overall memory usage and stability.
- Added a missing index for faster janitor cleanup, resulting in quicker and more efficient cleanup operations.
- Fixed a bug related to SameSite in dev mode, ensuring proper functionality and consistency in handling SameSite attributes during development.

We appreciate your continuous support and feedback. Please feel free to reach out to us with any further suggestions or issues.

### Bug Fixes

- Add index on requested_at for refresh tokens and use it in janitor ([#3516](https://github.com/ory/hydra/issues/3516)) ([5b8e712](https://github.com/ory/hydra/commit/5b8e7121c49a0dfed6312b599a617e692f324fdb))
- Disable health check request logs ([#3496](https://github.com/ory/hydra/issues/3496)) ([eddf7f3](https://github.com/ory/hydra/commit/eddf7f3867e8977e58d09681c583e99bca503448))
- Do not use prepared SQL statements and bump deps ([#3506](https://github.com/ory/hydra/issues/3506)) ([31b9e66](https://github.com/ory/hydra/commit/31b9e663b183f8244d86ddd1ae9f55267e190a69))
- Proper SameSite=None in dev mode ([#3502](https://github.com/ory/hydra/issues/3502)) ([5751fae](https://github.com/ory/hydra/commit/5751fae7b37a2692ad484c785356e702928f1b9b))
- Sqa config values unified across projects ([#3490](https://github.com/ory/hydra/issues/3490)) ([1b1899e](https://github.com/ory/hydra/commit/1b1899e9472fecfbdeb07f5e99c27713b82478e5))
- **sql:** Incorrect JWK query ([#3499](https://github.com/ory/hydra/issues/3499)) ([13ce0d6](https://github.com/ory/hydra/commit/13ce0d6f39febed83c6b1e10b45b0be2ed75a415)):

  `persister_grant_jwk` had an OR statement without bracket leading to not using the last part of the query.

### Code Generation

- Pin v2.1.2 release commit ([d94ed6e](https://github.com/ory/hydra/commit/d94ed6e4486ee270d8903e6e9376134931a742d9))

### Documentation

- Incorrect json output format example ([#3497](https://github.com/ory/hydra/issues/3497)) ([b71a36b](https://github.com/ory/hydra/commit/b71a36bf5c063a719a9e31ff348af594d87dc794))

### Features

- Add --skip-consent flag to hydra cli ([#3492](https://github.com/ory/hydra/issues/3492)) ([083d518](https://github.com/ory/hydra/commit/083d518cf51240c8977f0d9226897a9886cfbb50))


## Changelog
* 0e84c241 autogen(docs): generate and bump docs
* 9f371723 autogen(docs): regenerate and update changelog
* 872720b3 autogen(docs): regenerate and update changelog
* 49072237 autogen(docs): regenerate and update changelog
* ba45af00 autogen(docs): regenerate and update changelog
* 3703e5a7 autogen(docs): regenerate and update changelog
* ca85a170 autogen(docs): regenerate and update changelog
* 0e7e95fc autogen(docs): regenerate and update changelog
* be8f7266 autogen: add v2.1.1 to version.schema.json
* d94ed6e4 autogen: pin v2.1.2 release commit
* 20c6fa76 autogen: render config schema
* 400b9af0 chore(deps): bump @nestjs/core and @openapitools/openapi-generator-cli (#3493)
* f2f007db chore(deps): bump github.com/docker/distribution (#3514)
* b69a332b chore: bump ory/x (#3518)
* cf20054f chore: remove unneeded dependency (#3494)
* e2b7665c chore: update nodemon version for oauth2 client (#3503)
* b71a36bf docs: incorrect json output format example (#3497)
* 083d518c feat: add --skip-consent flag to hydra cli (#3492)
* 13ce0d6f fix(sql): incorrect JWK query (#3499)
* 5b8e7121 fix: add index on requested_at for refresh tokens and use it in janitor (#3516)
* eddf7f38 fix: disable health check request logs (#3496)
* 31b9e663 fix: do not use prepared SQL statements and bump deps (#3506)
* 5751fae7 fix: proper SameSite=None in dev mode (#3502)
* 1b1899e9 fix: sqa config values unified across projects (#3490)


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

We are excited to share this year's Q1 release of Ory Hydra: v2.1!

Highlights:

- Support for Datadog tracing (#3431).
- Ability to skip consent for trusted clients (#3451).
- Setting access token type in the OAuth2 Client is now possible (#3446).
- Revoke login sessions by SessionID (#3450).
- Session lifespan extended on session refresh (#3464).
- Token request hooks added for all grant types (#3427).
- Reduced SQL tracing noise (#3481).

Don't want to run the upgrade yourself? Switch to [Ory Network](https://console.ory.sh/registration?flow=d1ae4761-3493-4dd9-b0ce-3200916b38aa)!

### Bug Fixes

- Double-hashed access token signatures ([#3486](https://github.com/ory/hydra/issues/3486)) ([8720b25](https://github.com/ory/hydra/commit/8720b250b92b49c651d87f6e727beda31c227dfe)), closes [#3485](https://github.com/ory/hydra/issues/3485)
- Reduce SQL tracing noise ([#3481](https://github.com/ory/hydra/issues/3481)) ([6e1f545](https://github.com/ory/hydra/commit/6e1f5454be3ff00b0016e3d72b121701ccd23625))

### Code Generation

- Pin v2.1.1 release commit ([6efae7c](https://github.com/ory/hydra/commit/6efae7cfa7430cecaa145e2e71958699a2394115))


## Changelog
* df16a26c autogen(docs): generate and bump docs
* ed2ac06b autogen(docs): regenerate and update changelog
* 6078f85a autogen(docs): regenerate and update changelog
* ddfbd659 autogen: add v2.1.0 to version.schema.json
* 6efae7cf autogen: pin v2.1.1 release commit
* ad549d61 autogen: pin v2.1.1 release commit
* 2f7cda5f autogen: render config schema
* 0448284f chore: update ory/x (#3480)
* 8720b250 fix: double-hashed access token signatures (#3486)
* 6e1f5454 fix: reduce SQL tracing noise (#3481)


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

We are excited to share this year's Q1 release of Ory Hydra: v2.1.0!

Highlights:

- Support for Datadog tracing (#3431).
- Ability to skip consent for trusted clients (#3451).
- Setting access token type in the OAuth2 Client is now possible (#3446).
- Revoke login sessions by SessionID (#3450).
- Session lifespan extended on session refresh (#3464).
- Token request hooks added for all grant types (#3427).
- Reduced SQL tracing noise (#3481).

Don't want to run the upgrade yourself? Switch to [Ory Network](https://console.ory.sh/registration?flow=d1ae4761-3493-4dd9-b0ce-3200916b38aa)!

### Bug Fixes

- Reduce SQL tracing noise ([#3481](https://github.com/ory/hydra/issues/3481)) ([6e1f545](https://github.com/ory/hydra/commit/6e1f5454be3ff00b0016e3d72b121701ccd23625))

### Code Generation

- Pin v2.1.0 release commit ([3649832](https://github.com/ory/hydra/commit/3649832421bff09b5e4c172b37dc61027dac0869))


## Changelog
* 5c2e2271 autogen(docs): regenerate and update changelog
* 36498324 autogen: pin v2.1.0 release commit
* 6e1f5454 fix: reduce SQL tracing noise (#3481)


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

autogen: pin v2.1.0-pre.2 release commit

### Code Generation

- Pin v2.1.0-pre.2 release commit ([3b1d87e](https://github.com/ory/hydra/commit/3b1d87e3a16dd4b4b55725c5c78eb062fefc8f2f))


## Changelog
* 3b1d87e3 autogen: pin v2.1.0-pre.2 release commit


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

autogen: pin v2.1.0-pre.1 release commit

### Code Generation

- Pin v2.1.0-pre.1 release commit ([2289e6b](https://github.com/ory/hydra/commit/2289e6b8159becde96b31fc99aa2a218631d70ea))


## Changelog
* 2289e6b8 autogen: pin v2.1.0-pre.1 release commit
* 0d740d9d chore(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 (#3476)
* c29b9680 chore: update alpine version


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

Bugfixes for migration and pagination regressions and a new endpoint.

### Bug Fixes

- Add `client_id` and `client_secret` to `revokeOAuth2Token` ([#3373](https://github.com/ory/hydra/issues/3373)) ([93bac07](https://github.com/ory/hydra/commit/93bac074b3f7bd347c329377bf8c14aed7f43c00))
- Docker build ([48217bd](https://github.com/ory/hydra/commit/48217bd203af9467eae570b2c47c777a6c1e929b))
- Introspect command CLI example ([#3353](https://github.com/ory/hydra/issues/3353)) ([4ee4456](https://github.com/ory/hydra/commit/4ee4456d884ef6925a74c26768537e9a1ca8a9a6))
- Invalidate tokens with inconsistent state ([#3385](https://github.com/ory/hydra/issues/3385)) ([542ea77](https://github.com/ory/hydra/commit/542ea771c9740a1ebf5bc0006cb59e9eaff688d2)), closes [#3346](https://github.com/ory/hydra/issues/3346):

  This patch includes SQL migrations targeting environments which have not yet migrated to Ory Hydra 2.0. It removes inconsistent records which resolves issues during the migrations process. Please be aware that some users might be affected by this change. They might need to re-authorize certain apps. However, most active records should not be affected by this.

  Installations already on Ory Hydra 2.0 will not be affected by this change.

- No longer auto-generate system secret ([c5fe043](https://github.com/ory/hydra/commit/c5fe0433be88dc3cbcd09b8c85c3a90819109681)):

  This patch changes Ory Hydra's behavior to no longer auto-generate a temporary secret when no global secret was set. The APIs now return an error instead.

  See https://github.com/ory/network/issues/185

- Prevent multiple redirections to post logout url ([#3366](https://github.com/ory/hydra/issues/3366)) ([50666b9](https://github.com/ory/hydra/commit/50666b96ef28a019f5dfd9758f50c0023ad4ae05)), closes [#3342](https://github.com/ory/hydra/issues/3342)
- Strip `public` from schema ([#3374](https://github.com/ory/hydra/issues/3374)) ([3831b44](https://github.com/ory/hydra/commit/3831b4482a525cf67b519064bfefd45fe9f3cbd3)), closes [#3367](https://github.com/ory/hydra/issues/3367)
- Token pagination ([#3384](https://github.com/ory/hydra/issues/3384)) ([e8d8de9](https://github.com/ory/hydra/commit/e8d8de9072fda61b6d651107005d12f7bac0cba7)), closes [#3362](https://github.com/ory/hydra/issues/3362)

### Code Generation

- Pin v2.0.3 release commit ([16831c5](https://github.com/ory/hydra/commit/16831c55c41e64dd73637e8e2ca8f22202fc7d87))

### Features

- List consent sessions by session id ([#2853](https://github.com/ory/hydra/issues/2853)) ([d275ad6](https://github.com/ory/hydra/commit/d275ad66a4e3cb9494eeae7756acf33a76c37892))


## Changelog
* 5d79e57a autogen(docs): generate and bump docs
* bd190868 autogen(docs): regenerate and update changelog
* 2720839b autogen(docs): regenerate and update changelog
* a400a354 autogen(docs): regenerate and update changelog
* 6710ddc4 autogen(docs): regenerate and update changelog
* d7a28e94 autogen(docs): regenerate and update changelog
* f2925ee4 autogen(docs): regenerate and update changelog
* 2986605e autogen(docs): regenerate and update changelog
* c586e035 autogen(openapi): regenerate swagger spec and internal client
* c65342e2 autogen: add v2.0.2 to version.schema.json
* 16831c55 autogen: pin v2.0.3 release commit
* b28bad38 chore(deps): bump decode-uri-component in /test/e2e/oauth2-client (#3377)
* cb23cca0 chore(deps): bump minimatch in /test/e2e/oauth2-client (#3381)
* 93fc0a1b chore(deps): bump qs from 6.5.2 to 6.5.3 (#3380)
* 316b5820 chore(deps): bump qs, body-parser and express in /test/e2e/oauth2-client (#3379)
* f9f0337f chore: list contributors in file (#3345)
* d275ad66 feat: list consent sessions by session id (#2853)
* 93bac074 fix: add `client_id` and `client_secret` to `revokeOAuth2Token` (#3373)
* 48217bd2 fix: docker build
* 4ee4456d fix: introspect command CLI example (#3353)
* 542ea771 fix: invalidate tokens with inconsistent state (#3385)
* c5fe0433 fix: no longer auto-generate system secret
* 50666b96 fix: prevent multiple redirections to post logout url (#3366)
* 3831b448 fix: strip `public` from schema (#3374)
* e8d8de90 fix: token pagination (#3384)


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

This release resolves bugs and SDK publishing issues.

### Bug Fixes

- Add v2 suffix ([#3340](https://github.com/ory/hydra/issues/3340)) ([c54b9db](https://github.com/ory/hydra/commit/c54b9dbf9acf0cd066969b6c729605f1e52e943a))
- Correct migration file name ([01f80a8](https://github.com/ory/hydra/commit/01f80a850112ca4a30330eeaa8eca35af4a91467))
- Incorrect consent removal on authentication revokation ([ccf2388](https://github.com/ory/hydra/commit/ccf238863d381227a04229f5f4eb8c11bb8153a9)):

  This patch resolves a regression where, in a certain condition, an accepted consent could be incorrectly deleted when the related authentication session was removed.

- Incorrect jwk import order ([#3344](https://github.com/ory/hydra/issues/3344)) ([729102f](https://github.com/ory/hydra/commit/729102ff0d87051f219cf88a1296ea3c8effc530)), closes [#3343](https://github.com/ory/hydra/issues/3343)
- Isolate transactions for crdb ([f22046f](https://github.com/ory/hydra/commit/f22046fcee445dbc0b8c8bc49a9eb053ed485dab))
- Scope type should be string instead of int ([#3337](https://github.com/ory/hydra/issues/3337)) ([f59f1c6](https://github.com/ory/hydra/commit/f59f1c68346f8083e3d4e1d47117e014e644c376)):

  Closes https://github.com/ory/sdk/pull/223

### Code Generation

- Pin v2.0.2 release commit ([ce96826](https://github.com/ory/hydra/commit/ce968261a2043469860c6238701631c456268aba))

### Documentation

- Add refresh token grant type ([c752125](https://github.com/ory/hydra/commit/c752125315e1450c10d7604610d974a60e7f556a))
- Fix typo ([dcfd11f](https://github.com/ory/hydra/commit/dcfd11f026469347a5ae941ebd1aa6f127e65143))
- Standardize license headers ([#3216](https://github.com/ory/hydra/issues/3216)) ([d768cf6](https://github.com/ory/hydra/commit/d768cf6580b3410f7d0b3b9420760ce0818a5fe2))
- Update README link ([6184b6a](https://github.com/ory/hydra/commit/6184b6a0ad028ecf90bb1212a7b1429fdc798a1b))

### Features

- Enable simultaneous auth flows by creating client related csrf co… ([#3059](https://github.com/ory/hydra/issues/3059)) ([16bd568](https://github.com/ory/hydra/commit/16bd568fa2ae99db87603e3808b82ca1051b1726)), closes [#3019](https://github.com/ory/hydra/issues/3019)

### Tests

- Fix flaky test ([c417be1](https://github.com/ory/hydra/commit/c417be1e181f602a69f611a68c331be56f88937c))
- Resolve time race ([643e88c](https://github.com/ory/hydra/commit/643e88c3673da923a2c49157c5513d78c19777e8))


## Changelog
* 94aadf83 autogen(docs): generate and bump docs
* 0eeea900 autogen(docs): regenerate and update changelog
* 8d92030a autogen(docs): regenerate and update changelog
* 48603bac autogen(docs): regenerate and update changelog
* bedaf486 autogen(docs): regenerate and update changelog
* 3749a736 autogen(docs): regenerate and update changelog
* cec489fe autogen(docs): regenerate and update changelog
* d37b3234 autogen(docs): regenerate and update changelog
* cdfcf451 autogen(docs): regenerate and update changelog
* 70e6fe9c autogen(docs): regenerate and update changelog
* 4fd6baaf autogen(docs): regenerate and update changelog
* fd020496 autogen(openapi): regenerate swagger spec and internal client
* 74d4569a autogen(openapi): regenerate swagger spec and internal client
* 164f4b5f autogen: add v2.0.1 to version.schema.json
* ce968261 autogen: pin v2.0.2 release commit
* 80a1335b chore: license checker (#3328)
* f8a7ced6 chore: remove obsolete header (#3334)
* 90152fab chore: update Ory CLI with breaking changes to the format task (#3338)
* 0b322806 chore: update repository templates to https://github.com/ory/meta/commit/852a1aece5fefac0a03f928672538c5d8c536ad8
* cda9fd42 chore: update repository templates to https://github.com/ory/meta/commit/a2fba7e968572391ac4a55ce362dca0c4800c97d
* 54184337 chore: update repository templates to https://github.com/ory/meta/commit/b41b1ee5ed62f47bac563014929c64bff0c14163
* 736aaefb chore: update repository templates to https://github.com/ory/meta/commit/d3f8710e356fb833d4bd71b4ba19d062df2ea89e
* c7521253 docs: add refresh token grant type
* dcfd11f0 docs: fix typo
* d768cf65 docs: standardize license headers (#3216)
* 6184b6a0 docs: update README link
* 16bd568f feat: enable simultaneous auth flows by creating client related csrf co… (#3059)
* c54b9dbf fix: add v2 suffix (#3340)
* 01f80a85 fix: correct migration file name
* ccf23886 fix: incorrect consent removal on authentication revokation
* 729102ff fix: incorrect jwk import order (#3344)
* f22046fc fix: isolate transactions for crdb
* f59f1c68 fix: scope type should be string instead of int (#3337)
* c417be1e test: fix flaky test
* 643e88c3 test: resolve time race


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

Resolves an issues with post-release steps and adds the introspect command to the Ory Hydra CLI.

### Bug Fixes

- Add missing introspect command ([c43aba3](https://github.com/ory/hydra/commit/c43aba3ea4394d51eef16cfdf3bc4ca848989f16))
- Bump quickstart images to 2.0.0 ([8c763ad](https://github.com/ory/hydra/commit/8c763ad8b170bca1a7ef29bfa3f09d88cbbdae4c))
- Post-release steps with yq ([b6300e3](https://github.com/ory/hydra/commit/b6300e34af208e49ad0a5a5a230c85b03a2cb58d))

### Code Generation

- Pin v2.0.1 release commit ([403223c](https://github.com/ory/hydra/commit/403223cc50bc0722102be96ff5631709f2b4e9f0))

### Documentation

- Update README ([#3323](https://github.com/ory/hydra/issues/3323)) ([c48e481](https://github.com/ory/hydra/commit/c48e4811c571feb33a0a524ef995bc3d24101b75))


## Changelog
* 8297cfc5 autogen(docs): regenerate and update changelog
* 403223cc autogen: pin v2.0.1 release commit
* c48e4811 docs: update README (#3323)
* c43aba3e fix: add missing introspect command
* 8c763ad8 fix: bump quickstart images to 2.0.0
* b6300e34 fix: post-release steps with yq


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

Ory Hydra 2.0 is available now! It ships major internal data restructuring and adds support for additional OAuth2 flows such as OAuth2 Token Exchange. Ory Hydra now natively integrates with [Ory Kratos](https://github.com/ory/kratos), an open source Identity Server.

Install the Ory CLI for the best developer experience to try out Ory Hydra 2.0 right away!

```shell
bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory
sudo mv ./ory /usr/local/bin/

brew install ory/tap/cli
```

create a new project (you may also use [Docker](https://www.ory.sh/docs/hydra/5min-tutorial))

```
ory create project --name "Ory Hydra 2.0 Example"
project_id="{set to the id from output}"
```

and follow the quick & easy steps below.

Create an OAuth 2.0 Client, and run the OAuth 2.0 Client Credentials flow:

```shell
ory create oauth2-client --project $project_id \
    --name "Client Credentials Demo" \
    --grant-type client_credentials
client_id="{set to client id from output}"
client_secret="{set to client secret from output}"

ory perform client-credentials --client-id=$client_id --client-secret=$client_secret --project $project_id
access_token="{set to access token from output}"

ory introspect token $access_token --project $project_id
```

Try out the OAuth 2.0 Authorize Code grant right away!

By accepting permissions `openid` and `offline_access` at the consent screen, Ory refreshes and OpenID Connect ID token,

```shell
ory create oauth2-client --project $project_id \
    --name "Authorize Code with OpenID Connect Demo" \
    --grant-type authorization_code \
    --response-type code \
    --redirect-uri ttp://127.0.0.1:4446/callback
code_client_id="{set to client id from output}"
code_client_secret="{set to client secret from output}"

ory perform authorization-code \
    --project $project_id \
    --client-id $code_client_id \
    --client-secret $code_client_secret
code_access_token="{set to access token from output}"

ory introspect token $code_access_token --project $project_id
```

### What's changed in Ory Hydra 2.0?

- Ory Identities is now compatible with the Ory OAuth2 Login and Consent Flow. This means, for example, that Ory Kratos can be the login provider for Ory Hydra with a bit of configuration.
- The Ory Network enables this integration as a default.
- Ory Hydra 2.0 now natively supports key types such as ES256 for signing ID Tokens and OAuth 2.0 Access Tokens in JWT format.
- Additionally, the key naming mechanism was updated to conform with industry best practices.
- Ory Hydra 2.0 ships a complete refactoring of the internal database structure, reducing database storage at scale and optimizing query performance.
- All primary keys are now UUIDs to avoid hotspots in distributed systems. Please note that as part of this change it is no longer possible to choose the OAuth 2.0 Client ID. Instead, Ory chooses the best-performing ID format for the petabyte scale.
- Ory chose to denormalize tables that had a negative performance impact due to excessive JOIN statements.
- Using BCrypt as the primary hashing algorithm for OAuth 2.0 Client Secrets creates excessive CPU consumption at scale. OAuth 2.0 Client Secrets are auto-generated in Ory Hydra 2.x, removing the need for excessive hashing costs.
- The new PKBDF2 hasher can be fine-tuned to support hashing at scale without a significant threat model impact.
- This section only applies in scenarios where Ory Hydra is working in a do-it-yourself fashion e.g. on Docker. An Ory Hydra 2.0 compatible service is already available on the [Ory Network](https://www.ory.sh).
- The database schema changed significantly from the previous structure. Please be aware that there might be a period where the database tables will be locked for writes while the upgrade runs. **A full backup of the database before upgrading is essential!** We recommend trying out the upgrade on a copy of a production database first.

### Detailed Overview

Find a list of detailed changes below!

#### SQL Migrations

To run the SQL migrations using:

```
hydra migrate sql $DSN
```

#### SDK changes

Ory Hydra 1.x is a crucial service at Ory. Version 2.0 streamlines the APIs and SDKs to follow Ory API’s semantics and specification.

To better support TB-scale environments, the OAuth2 Client HTTP API's query
parameters for pagination have changed from `limit` and `offset` to `page_token`
and `page_size`. The `page_token` is an opaque string contained in the HTTP
`Link` Header, which expresses the next, previous, first, and last page.

Administrative endpoints now have an `/admin` prefix (e.g. `POST /admin/keys` instead of `POST /keys`). Existing administrative endpoints will redirect to this new prefixed path for backward compatibility.

HTTP endpoint `/oauth2/flush`, used to flush inactive access tokens was deprecated and has been removed. Please use `hydra janitor` instead.

To conform with the Ory V1 SDK, several SDK methods and payloads were renamed. Please check the [CHANGELOG](https://github.com/ory/hydra/blob/master/CHANGELOG.md) for a complete list of changes.

#### Configuration changes

The `iss` (issuer) value no longer appends a trailing slash but instead uses the raw value set in the config.

Setting

```yaml
urls:
  self:
    issuer: https://auth.example.com
```

has changed

```patch
- "iss": "https://auth.example.com/"
+ "iss": "https://auth.example.com"
```

To set a trailing slash make sure to set it in the config value:

```yaml
urls:
  self:
    issuer: https://auth.example.com/
```

#### CLI Changes

Flags `--dangerous-allow-insecure-redirect-url` and `--dangerous-force-http` have been removed. Use the `--dev` flag instead to denote a development environment with reduced security restrictions.

We now recommend using the [Ory CLI](https://www.ory.sh/docs/guides/cli/installation) to manage OAuth2 resources. As part of this restructuring, some of the commands were renamed. Here are some examples:

```patch
- hydra client create
+ ory create oauth2-client

- hydra clients list
+ ory list oauth2-clients
```

Additionally, array arguments now use the singular form:

```patch
hydra create client \
- --redirect-uris foo --redirect-uris bar \
+ --redirect-uri foo --redirect-uri bar \
- --grant-types foo --grant-types bar \
+ --grant-type foo --grant-type bar \
- --response-types foo --response-types bar \
+ --response-type foo --response-type bar \
- --allowed-cors-origins foo --allowed-cors-origins bar \
+ --allowed-cors-origin foo --allowed-cors-origin bar \
- --post-logout-callbacks foo --post-logout-callbacks bar \
+ --post-logout-callback foo --post-logout-callback bar
```

To manage resources in a do-it-yourself installation, continue using the `hydra` CLI.

Please check the [CHANGELOG](https://github.com/ory/hydra/blob/master/CHANGELOG.md) for a complete list of changes.

Ory Hydra 2.0 ships with support for OpenTelemetry. The previous telemetry solution using OpenTracing format is deprecated with this release.

## Breaking Changes

SDK naming has changed for the following operations:

```patch
ory.
-   V0alpha2Api.AdminDeleteOAuth2Token(context.Background()).
+   OAuth2Api.DeleteOAuth2Token(context.Background()).
    ClientId("foobar").Execute()

ory.
-   V0alpha2Api.RevokeOAuth2Token(
+   OAuth2Api.RevokeOAuth2Token(
        context.WithValue(context.Background(), sdk.ContextBasicAuth, sdk.BasicAuth{
            UserName: clientID,
            Password: clientSecret,
        })).Token(token).Execute()

ory.
-   V0alpha2Api.AdminIntrospectOAuth2Token(context.Background()).
+   OAuth2Api.IntrospectOAuth2Token(context.Background()).
    Token(token).
    Scope("foo bar")).Execute()
```

SDK naming has changed for the following operations:

```patch
ory.
-   V0alpha2Api.DiscoverJsonWebKeys(context.Background()).
+   WellknownApi.DiscoverJsonWebKeys(context.Background()).
    Execute()

ory.
-   V0alpha2Api.AdminGetJsonWebKeySet(context.Background(), setID).
+	JwkApi.GetJsonWebKeySet(context.Background(), setID).
    Execute()

ory.
-   V0alpha2Api.AdminGetJsonWebKey(context.Background(), setID, keyID).
+   JwkApi.GetJsonWebKey(context.Background(), setID, keyID).
    Execute()

ory.
-   V0alpha2Api.AdminCreateJsonWebKeySet(context.Background(), setID).
-   AdminCreateJsonWebKeySetBody(hydra.AdminCreateJsonWebKeySetBody{
-       Alg: "RS256",
-       Use: "sig",
+   JwkApi.CreateJsonWebKeySet(context.Background(), setID).
+   CreateJsonWebKeySet(hydra.CreateJsonWebKeySet{
+       Alg: "RS256",
+       Use: "sig",
    }).Execute()

ory.
-   V0alpha2Api.AdminUpdateJsonWebKey(context.Background(), setID, keyID).
+   JwkApi.SetJsonWebKey(context.Background(), setID, keyID).
    JsonWebKey(jsonWebKey).Execute()
ory.
-   V0alpha2Api.AdminUpdateJsonWebKeySet(context.Background(), setID).
+   JwkApi.SetJsonWebKeySet(context.Background(), setID).
    JsonWebKeySet(jsonWebKeySet).Execute()

ory.
-   V0alpha2Api.AdminDeleteJsonWebKey(context.Background(), setID, keyID).
    JwkApi.DeleteJsonWebKey(context.Background(), setID, keyID).
    Execute()
ory.
-   V0alpha2Api.AdminDeleteJsonWebKeySet(context.Background(), setID).
    JwkApi.DeleteJsonWebKeySet(context.Background(), setID).
    Execute()
```

SDK naming has changed for the following operations:

```patch
ory.
-   V0alpha2Api.DiscoverJsonWebKeys(context.Background()).
+   WellknownApi.DiscoverJsonWebKeys(context.Background()).
    Execute()

ory.
-   V0alpha2Api.AdminGetJsonWebKeySet(context.Background(), setID).
+	JwkApi.GetJsonWebKeySet(context.Background(), setID).
    Execute()

ory.
-   V0alpha2Api.AdminGetJsonWebKey(context.Background(), setID, keyID).
+   JwkApi.GetJsonWebKey(context.Background(), setID, keyID).
    Execute()

ory.
-   V0alpha2Api.AdminCreateJsonWebKeySet(context.Background(), setID).
-   AdminCreateJsonWebKeySetBody(hydra.AdminCreateJsonWebKeySetBody{
-       Alg: "RS256",
-       Use: "sig",
+   JwkApi.CreateJsonWebKeySet(context.Background(), setID).
+   CreateJsonWebKeySet(hydra.CreateJsonWebKeySet{
+       Alg: "RS256",
+       Use: "sig",
    }).Execute()

ory.
-   V0alpha2Api.AdminUpdateJsonWebKey(context.Background(), setID, keyID).
+   JwkApi.SetJsonWebKey(context.Background(), setID, keyID).
    JsonWebKey(jsonWebKey).Execute()
ory.
-   V0alpha2Api.AdminUpdateJsonWebKeySet(context.Background(), setID).
+   JwkApi.SetJsonWebKeySet(context.Background(), setID).
    JsonWebKeySet(jsonWebKeySet).Execute()

ory.
-   V0alpha2Api.AdminDeleteJsonWebKey(context.Background(), setID, keyID).
    JwkApi.DeleteJsonWebKey(context.Background(), setID, keyID).
    Execute()
ory.
-   V0alpha2Api.AdminDeleteJsonWebKeySet(context.Background(), setID).
    JwkApi.DeleteJsonWebKeySet(context.Background(), setID).
    Execute()
```

SDK naming has changed for the following operations:

```patch
ory.
-   V0alpha2Api.AdminRevokeOAuth2ConsentSessions(cmd.Context()).
+   OAuth2Api.RevokeOAuth2ConsentSessions(context.Background()).
    Client(clientId).Execute()

ory.
-   V0alpha2Api.AdminListOAuth2SubjectConsentSessions(cmd.Context(), id).
+   OAuth2Api.RevokeOAuth2ConsentSessions(context.Background()).
    Client(clientId).Execute()

ory.
-   V0alpha2Api.AdminListOAuth2SubjectConsentSessions(context.Background()).
+   OAuth2Api.ListOAuth2ConsentSessions(context.Background()).
    Subject(subjectId).Execute()

ory.
-   V0alpha2Api.AdminRevokeOAuth2LoginSessions(context.Background()).
+   OAuth2Api.RevokeOAuth2LoginSessions(context.Background()).
    Subject(subjectId).Execute()

ory.
-   V0alpha2Api.AdminGetOAuth2LoginRequest(context.Background()).
+   OAuth2Api.GetOAuth2LoginRequest(context.Background()).
    LoginChallenge(challenge).Execute()

ory.
-   V0alpha2Api.AdminAcceptOAuth2LoginRequest(context.Background()).
+   OAuth2Api.AcceptOAuth2LoginRequest(context.Background()).
    AcceptOAuth2LoginRequest(body).
    LoginChallenge(challenge).Execute()

ory.
-   V0alpha2Api.AdminRejectOAuth2LoginRequest(context.Background()).
+   OAuth2Api.RejectOAuth2LoginRequest(context.Background()).
    RejectOAuth2Request(body).
    LoginChallenge(challenge).Execute()

ory.
-   V0alpha2Api.AdminGetOAuth2ConsentRequest(context.Background()).
+   OAuth2Api.GetOAuth2ConsentRequest(context.Background()).
    ConsentChallenge(challenge).Execute()

ory.
-   V0alpha2Api.AdminAcceptOAuth2ConsentRequest(context.Background()).
+   OAuth2Api.AcceptOAuth2ConsentRequest(context.Background()).
    AcceptOAuth2ConsentRequest(body).
    ConsentChallenge(challenge).Execute()

ory.
-   V0alpha2Api.AdminRejectOAuth2ConsentRequest(context.Background()).
+   OAuth2Api.RejectOAuth2ConsentRequest(context.Background()).
    RejectOAuth2Request().
    ConsentChallenge(challenge).Execute()

ory.
-   V0alpha2Api.AdminAcceptOAuth2LogoutRequest(context.Background()).
+   OAuth2Api.AcceptOAuth2LogoutRequest(context.Background()).
    LogoutChallenge(challenge).
    Execute()

ory.
-   V0alpha2Api.AdminRejectOAuth2LogoutRequest(context.Background()).
+   OAuth2Api.RejectOAuth2LogoutRequest(context.Background()).
    LogoutChallenge(challenge).
    Execute()

ory.
    V0alpha2Api.AdminGetOAuth2LogoutRequest(context.Background()).
+   OAuth2Api.GetOAuth2LogoutRequest(context.Background()).
    LogoutChallenge(challenge).
    Execute()

- var AlreadyHandledError HandledOAuth2LoginRequest
+ var AlreadyHandledError ErrorOAuth2LoginRequestAlreadyHandled

- var AlreadyHandledError HandledOAuth2LoginRequest
+ var AlreadyHandledError ErrorOAuth2ConsentRequestAlreadyHandled

- var OAuth2SuccessResponse SuccessfulOAuth2RequestResponse
+ var OAuth2SuccessResponse OAuth2RedirectTo
```

Error models in the generated SDK have been renamed:

```patch
- oAuth2ApiError
+ errorOAuth2
```

The SDK API for the following has changed:

```patch
// Go example
ory.
-   V0alpha2Api.AdminUpdateOAuth2Client(cmd.Context(), id)
+   Oauth2Api.SetOAuth2Client(cmd.Context(), id).
    OAuth2Client(client).Execute()

ory.
-   V0alpha2Api.AdminGetOAuth2Client(cmd.Context(), id).
+   Oauth2Api.GetOAuth2Client(cmd.Context(), id).
    Execute()

ory.
-   V0alpha2Api.AdminDeleteOAuth2Client(cmd.Context(), id).
+   Oauth2Api.DeleteOAuth2Client(cmd.Context(), id).
    Execute()

ory.
-   V0alpha2Api.AdminCreateOAuth2Client(cmd.Context()).
+   Oauth2Api.CreateOAuth2Client(cmd.Context()).
    OAuth2Client(client).Execute()

ory.
-   V0alpha2Api.DynamicClientRegistrationGetOAuth2Client(cmd.Context(), id).
+   OidcApi.GetOidcDynamicClient(cmd.Context(), id).
    Execute()

ory.
-   V0alpha2Api.DynamicClientRegistrationGetOAuth2Client(cmd.Context()).
+   OidcApi.CreateOidcDynamicClient(cmd.Context()).
    OAuth2Client(client).Execute()

ory.
-   V0alpha2Api.DynamicClientRegistrationDeleteOAuth2Client(cmd.Context()).
+   OidcApi.DeleteOidcDynamicClient(cmd.Context()).
    OAuth2Client(client).Execute()

ory.
-   V0alpha2Api.DynamicClientRegistrationUpdateOAuth2Client(cmd.Context(), id).
+   OidcApi.SetOidcDynamicClient(cmd.Context(), id).
    Execute()
```

We removed compatibility with unsupported database versions (e.g. MySQL 5.6). Ory Hydra v2.x is now compatible with MySQL 8.0.13+, PostgreSQL 11.8+, CockroachDB v22.1.2+.

Configuration keys have changed:

```patch
serve: {
  public: {
-    access_log: {
+    request_log: {
      disable_for_health: true
    },
  },
  admin: {
-    access_log: {
+    request_log: {
      disable_for_health: true
    },
  }
}
```

Rename SDK method from `deleteOAuth2Token` to `adminDeleteOAuth2Token`.

Rename SDK method from `oauth2Token` to `performOAuth2TokenFlow`.

Rename SDK method from `introspectOAuth2Token` to `adminIntrospectOAuth2Token`.

Rename SDK method from `userinfo` to `getOidcUserInfo`.

Rename SDK method from `discoverOpenIDConfiguration` to `discoverOidcConfiguration`.

Rename SDK method from `listTrustedJwtGrantIssuers` to `adminListTrustedOAuth2JwtGrantIssuers`.

Rename SDK method from `deleteTrustedJwtGrantIssuer` to `adminDeleteTrustedOAuth2JwtGrantIssuer`.

Rename SDK method from `getTrustedJwtGrantIssuer` to `adminGetTrustedOAuth2JwtGrantIssuer`.

Rename SDK method from `trustJwtGrantIssuer` to `adminTrustOAuth2JwtGrantIssuer`.

Rename SDK method from `rejectLogoutRequest` to `adminRejectOAuth2LogoutRequest`.

Rename SDK method from `rejectConsentRequest` to `rejectOAuth2ConsentRequest`.

Rename SDK method from `acceptConsentRequest` to `adminAcceptOAuth2ConsentRequest`.

Rename SDK method from `getOAuth2ConsentRequest` to `adminGetOAuth2ConsentRequest`.

Rename SDK method from `rejectLoginRequest` to `rejectOAuth2LoginRequest`.

Rename SDK method from `acceptLoginRequest` to `adminAcceptOAuth2LoginRequest`.

Rename SDK method from `getLoginRequest` to `adminGetOAuth2LoginRequest`.

Rename SDK method from `revokeAuthenticationSession` to `adminRevokeOAuth2LoginSessions`.

Rename SDK method from `adminListSubjectConsentSessions` to `adminListOAuth2SubjectConsentSessions`.

Rename SDK method from `revokeConsentSessions` to `adminRevokeOAuth2ConsentSessions`

This release updates SDK services from `public` and `admin` to `v2`. Methods exposed at the admin interface are now prefixed with `admin` (e.g. `adminCreateJsonWebKeySet`). Administrative endpoints now have an `/admin` prefix (e.g. `POST /admin/keys`). Existing administrative endpoints will redirect to this new prefixed path for backwards compatibility.

This release updates SDK services from `public` and `admin` to `v2`. Methods exposed at the admin interface are now prefixed with `admin` (e.g. `adminCreateOAuth2Client`). Administrative endpoints now have an `/admin` prefix (e.g. `POST /admin/clients`). Existing administrative endpoints will redirect to this new prefixed path for backwards compatibility.

The default names of cookies have changed:

```patch
- oauth2_authentication_csrf
+ ory_hydra_login_csrf
- oauth2_consent_csrf
+ ory_hydra_consent_csrf
- oauth2_authentication_session
+ ory_hydra_session
```

Use the new configuration option to change the cookie names back to v1.x if required.

CLI flag `--dangerous-force-http` has been removed. Please use the `--dev` flag instead!

CLI flag `--dangerous-allow-insecure-redirect-url` has been removed. Please use the `--dev` flag instead!

The `hydra token revoke` command has been renamed to `hydra revoke token` and now supports structured output (JSON, tables, ...).

The `hydra token introspect` command has been renamed to `hydra introspect token` and now supports structured output (JSON, tables, ...).

The `hydra token delete` command has been renamed to `hydra delete access-tokens` and now supports structured output (JSON, tables, ...).

The `hydra token client` command has been renamed to `hydra perform client-credentials` and now supports structured output (JSON, tables, ...).

The `hydra keys create|delete|get|import` commands have changed to follow other Ory project's guidelines, including structured output and improved handling. They are now:

```
hydra create jwks
hydra get jwks
hydra delete jwks
hydra import jwk
```

Please head over to the documentation for more information or use the `--help` CLI flag for each command.

HTTP endpoint `/oauth2/flush`, used to flush inactive access token was deprecated and has been removed. Please use `hydra janitor` instead.

Command `hydra clients import` is now `hydra import client`.

Command `hydra clients update` is now `hydra update client`. Additionally, all flags are now singular:

```patch
hydra update client [client-id] \
- --redirect-uris foo --redirect-uris bar \
+ --redirect-uri foo --redirect-uri bar \
- --grant-types foo --grant-types bar \
+ --grant-type foo --grant-type bar \
- --response-types foo --response-types bar \
+ --response-type foo --response-type bar \
- --allowed-cors-origins foo --allowed-cors-origins bar \
+ --allowed-cors-origin foo --allowed-cors-origin bar \
- --post-logout-callbacks foo --post-logout-callbacks bar \
+ --post-logout-callback foo --post-logout-callback bar
```

To better support TB-scale environments, the OAuth2 Client HTTP API's query parameters for pagination have changed from `limit` and `offset` to `page_token` and `page_size`. The `page_token` is an opaque string contained in the HTTP `Link` Header, which expresses the next, previous, first, and last page.

Command `hydra clients list` is now `hydra list client`. Please notice that the pagination flags have changed to `--page-token` and `page-size`!

Command `hydra clients delete` is now `hydra delete client`.

Command `hydra clients get` is now `hydra get client`.

Command `hydra clients create` is now `hydra create client`. Additionally, all flags are now singular:

```patch
hydra create client \
- --redirect-uris foo --redirect-uris bar \
+ --redirect-uri foo --redirect-uri bar \
- --grant-types foo --grant-types bar \
+ --grant-type foo --grant-type bar \
- --response-types foo --response-types bar \
+ --response-type foo --response-type bar \
- --allowed-cors-origins foo --allowed-cors-origins bar \
+ --allowed-cors-origin foo --allowed-cors-origin bar \
- --post-logout-callbacks foo --post-logout-callbacks bar \
+ --post-logout-callback foo --post-logout-callback bar
```

This change is backwards compatible, but changes the default hashing algorithm to PBKDF2. To keep using BCrypt for hashing new OAuth2 Client Secrets set the following configuration option in your configuration file:

```
oauth2:
  hashers:
    algorithm: bcrypt
```

To improve security and scalability (in particular sharding), OAuth 2.0 Client IDs can no longer be chosen but are always assigned a random generated UUID V4. OAuth 2.0 Clients created with custom IDs before the v2.0 release will continue working with their legacy Client ID in Ory Hydra v2.x.

Additionally, the `hydra create client` command no longer supports flag `--id` and flag `--callbacks` has been renamed to `--redirect-uris`.

The `iss` (issuer) value no longer appends a trailing slash but instead uses the raw value set in the config.

Setting

```yaml
urls:
  self:
    issuer: https://auth.example.com
```

has changed

```patch
-  "iss": "https://auth.example.com/"
+  "iss": "https://auth.example.com"
```

To set a trailing slash make sure to set it in the config value:

```yaml
urls:
  self:
    issuer: https://auth.example.com/
```

SDK object `PatchDocument` was renamed to `JsonPatchDocument`.

TLS is no longer enabled by default. We want to make deployments behind TLS termination easier. To expose Ory Hydra directly to the public internet, configure keys `serve..tls`.

JSON Web Keys are no longer prefixed with `public` or `private`. This affects keys generated in Ory Hydra after upgrading to this patch. Existing keys are unaffected by this.

OAuth2 errors can no longer be returned in the legacy error format. Essentially, fields `error_hint`, `error_debug` have been removed. Option `oauth2.include_legacy_error_fields` has been removed.

The HS512 and HS256 JSON Web Key generators has been removed. It is now only possible to generate asymmetric keys in Ory Hydra. It will still be possible to save HS512 or HS256 keys.

if using MySQL, hydra_jwk/kid and hydra_oauth2_trusted_jwt_bearer_issuer/key_id may only contain ascii/utf-8 symbols 0-127

Encode MySQL columns hydra_oauth2_trusted_jwt_bearer_issuer/key_id and hydra_jwk/kid in ascii as
a workaround for the 3072-byte index entry size limit[1].

[1]: https://dev.mysql.com/doc/refman/8.0/en/innodb-limits.html

Signed-off-by: Grant Zvolsky 

This patch merges four SQL Tables into a new table, deleting the old tables in the process. The migrations in this patch are expected to be applied offline. Please be aware that _there are no down migrations_, and if something goes wrong, data loss is possible. Always back up your database before applying migrations. For more information, see [Hydra 2.x Migration Guide](https://www.ory.sh/hydra/docs/guides/migrate-v2).

Rows with NULL login_challenge in `hydra_oauth2_consent_request` and corresponding `hydra_oauth2_consent_request_handled` are deleted as a side effect of the merge migration. This is done with the assumption that only a very small number of sessions, issued by pre-1.0 Hydra, will be affected. Please contact us if this assumption doesn't apply or if the deletion adversely affects your deployment.

Signed-off-by: Grant Zvolsky 

### Bug Fixes

- `allowed_top_level_claims` set to nil ([#3245](https://github.com/ory/hydra/issues/3245)) ([cd2c252](https://github.com/ory/hydra/commit/cd2c252b4bb737bdcf7db95ccd181b35337d31c7))
- `max_age=0` forces authentication ([2597f19](https://github.com/ory/hydra/commit/2597f190e83b2fdc98818892b89da3ecab644303)), closes [#3034](https://github.com/ory/hydra/issues/3034)
- Add CORS to public health handler ([#3114](https://github.com/ory/hydra/issues/3114)) ([02c6d5d](https://github.com/ory/hydra/commit/02c6d5d4ea7e45f1ca89ab211f858b9552f20842)):

  Co-authored-by: Reaper 

  Co-authored-by: Patrik 
  Co-authored-by: Alano Terblanche 
  Co-authored-by: Reaper 

- Add json1 tag everywhere ([dd1d733](https://github.com/ory/hydra/commit/dd1d733b0a162b45c2d11ab7f8cd7ec9f8e5e73b))
- Add missing down migrations ([a98c067](https://github.com/ory/hydra/commit/a98c06714b0b55cb08a987685786cdbfe45961ee))
- Allow retries of unused login & consent requests ([51a586b](https://github.com/ory/hydra/commit/51a586b0b2d8882e515d3e37ad4c8d39d27c22b2)), closes [#2914](https://github.com/ory/hydra/issues/2914) [#3085](https://github.com/ory/hydra/issues/3085) [#2824](https://github.com/ory/hydra/issues/2824)
- Cache migration status ([7e25fdb](https://github.com/ory/hydra/commit/7e25fdbdeafa551430eb997d931f7e48573f0675))
- Client specific CORS ([9a4f9e9](https://github.com/ory/hydra/commit/9a4f9e9993ff78d317a8b3f979ddee408e982eef)), closes [#1754](https://github.com/ory/hydra/issues/1754)
- **cli:** Output format issues ([fe3c899](https://github.com/ory/hydra/commit/fe3c89900d416069d879e4647c6221153c8444b2))
- Cockroach migration fixes ([7bed244](https://github.com/ory/hydra/commit/7bed24454c83a3b8e2613aa4acf14a36b21116cb))
- Compile errors ([d1f5a0e](https://github.com/ory/hydra/commit/d1f5a0efbd7f245a0adca3e9d69907254f051700))
- Compile issue ([83983c2](https://github.com/ory/hydra/commit/83983c2bbccaad9117640db22c5322e37cfcf7bc))
- Compile issues ([68cb7d5](https://github.com/ory/hydra/commit/68cb7d511f60fd4693c16b8847ec9ded71eb4352))
- Conditionals in db-diff ([a006b04](https://github.com/ory/hydra/commit/a006b0488272b45fe98a332521a21984424a9787))
- **config:** Add default to supported types. ([f4812c8](https://github.com/ory/hydra/commit/f4812c85872e852219c0baffab7a845c64c5795b))
- **config:** Correct salt detection ([2b6350c](https://github.com/ory/hydra/commit/2b6350c0e6be0317a47896cda7102e6a6c22199c))
- **config:** Disallow additional properties ([9022769](https://github.com/ory/hydra/commit/902276991df4ff3d303d11c262fcbfc896b464b4))
- **config:** Support number ([ab6a9ee](https://github.com/ory/hydra/commit/ab6a9ee23dc4f05b3e8a8d8daff16be65a42b354))
- ConfirmLoginSession, missing FKs; add tests ([1f7bf40](https://github.com/ory/hydra/commit/1f7bf40e4f76c9864d92f4cb3f4f408f7b13c88d))
- Conformity health check ([e163c80](https://github.com/ory/hydra/commit/e163c803b33a9c643e3286cbf7e31b51693f779a))
- Consistently use RS256 in hot reloading ([6376135](https://github.com/ory/hydra/commit/63761357c2b186397c9023ff36ed9c9f1ce772d6))
- Default back to RS256 keys ([891fb55](https://github.com/ory/hydra/commit/891fb551ad24fa9f949bb3860cb8b79603781d81))
- Disable NID tests with HSM enabled ([142cd13](https://github.com/ory/hydra/commit/142cd13382200aad186f11c3b9269ff8e129b3e2)):

  We currently don't support NID isolation in combination with HSM.

- Docker image build ([1d8a8ff](https://github.com/ory/hydra/commit/1d8a8fff8c41eece869c0fcc2c40d219ee2d0ff9))
- Docker image build ([#3247](https://github.com/ory/hydra/issues/3247)) ([05bda6b](https://github.com/ory/hydra/commit/05bda6bfcc8f3b19830ccdf4df15d921e48ff3b8))
- Docker instructions ([063f61b](https://github.com/ory/hydra/commit/063f61beb2e931844a9eb6e7cd6e8776182e46df))
- Dont close crdb for reuse purposes ([11587ae](https://github.com/ory/hydra/commit/11587aed8484fdf42b10420fc77d0df0346c23e7))
- Fix hydra_client pk change mysql down migration ([#2791](https://github.com/ory/hydra/issues/2791)) ([560acce](https://github.com/ory/hydra/commit/560accee306a6f3b599798561230152579981085))
- Fix unbatched select in flushInactiveTokens ([a5cc6ea](https://github.com/ory/hydra/commit/a5cc6eaea9be1369557a1164e7d01fb179c92959)):

  chore: code review

  chore: format

  don't delete more tokens than expected.

  correct test.

  add nid in flush tokens.

- Handle server error when refresh token requests come same time ([#3207](https://github.com/ory/hydra/issues/3207)) ([b0196c0](https://github.com/ory/hydra/commit/b0196c046b09fa80dfa15a14f343c407ef3500b2))
- High db cpu utilisation on query ([#3260](https://github.com/ory/hydra/issues/3260)) ([4bf995d](https://github.com/ory/hydra/commit/4bf995d2610414abc69380885afdf6dce46e4042))
- Hsm compile issues ([8571a67](https://github.com/ory/hydra/commit/8571a6712f18567b72c2cac3c3755eefa5b9a9d7))
- HSM test ([ca748a1](https://github.com/ory/hydra/commit/ca748a1d54c56a6dea48e2e7aa4a7fc35efeb518))
- **hsm:** Public key extraction ([57cf46c](https://github.com/ory/hydra/commit/57cf46c4ff3f00d37a11133a3e9fbc989d86039a))
- **hsm:** Public key extraction everywhere ([c9c2e01](https://github.com/ory/hydra/commit/c9c2e0163b353419564e10ec142b782fa94e52a4))
- Ignore cypress screenshots in git ([668a319](https://github.com/ory/hydra/commit/668a31924a2211712fa499b7fcc6ce6641fc2885))
- Improve duration pattern ([6c8dda8](https://github.com/ory/hydra/commit/6c8dda8667efdd528df3184a1e9384c0213a8b91))
- Improve health check reporting ([1bd0c52](https://github.com/ory/hydra/commit/1bd0c52302ce0c14a901e4120cbef558dab54962))
- Improve jwk generator defaults ([ece5ca6](https://github.com/ory/hydra/commit/ece5ca6a5733170ab68db1940c5d8e45f6fb1dbb))
- Improve lazy initialization of JWKs ([8cffc5b](https://github.com/ory/hydra/commit/8cffc5b1241d1478ea693a013d91e05aa0e5928f))
- Improve migration status speed ([1a4abd6](https://github.com/ory/hydra/commit/1a4abd6da98874360ba18d0cdff26980a1dad461))
- Improve time validation ([b32ff33](https://github.com/ory/hydra/commit/b32ff33f586c97c8a4c8083378deb898ba11bcbd))
- Incorrect queries ([255b4e2](https://github.com/ory/hydra/commit/255b4e225bfaa7b6b9b61354d708be919527ee82))
- **jwk:** Expose correct metadata algorithms ([0a786b7](https://github.com/ory/hydra/commit/0a786b7cd35f4311f85b3b6b9cb3af0444e4ad53))
- Lazy load PKI ([d65aa3a](https://github.com/ory/hydra/commit/d65aa3a9b676deace57744dfb3632392eec90781))
- Lint issues ([72a5cd8](https://github.com/ory/hydra/commit/72a5cd8cf4b2e980e378d183760837fbf7c7fd21))
- Make servicelocator explicit ([3a26385](https://github.com/ory/hydra/commit/3a263854d86e63a75b5e6a73cab81ba7a60ccfe9))
- Missing data in JWT grant ([#3143](https://github.com/ory/hydra/issues/3143)) ([c51b21b](https://github.com/ory/hydra/commit/c51b21bb2334a0a5413a0d25ea54478696808444))
- Move to v0alpha2 api spec ([a364db4](https://github.com/ory/hydra/commit/a364db4ff2cbd65116358929f9e5bb37fde0cc88))
- Mysql slice delete ([c56b958](https://github.com/ory/hydra/commit/c56b9585ecd8201b710805812f7abbb6a475bfc8)):

  - Add a workaround for [mysql slice delete](https://github.com/gobuffalo/pop/issues/699)
  - Optimize logout verification (save 1 db rountrip)
  - Update a test to use StaticContextualizer & revert CleanAndMigrate workaround
  - Ensure a Client generated with faker satisfies the DB schema
  - Remove unused argument from HandleConsentRequest

- **mysql:** Fix mysql key too long error ([ba16958](https://github.com/ory/hydra/commit/ba16958cdfcee071ae3c67bf6f24dfd963a29ae9))
- **oauth2:** Incorrect TTL override ([7893a98](https://github.com/ory/hydra/commit/7893a980387e3d29978e535e81331014ac41820a))
- Optimise sql update to avoid redundant writes ([#3289](https://github.com/ory/hydra/issues/3289)) ([1aa6cc4](https://github.com/ory/hydra/commit/1aa6cc43f2a270f1853b6634f5af26344d077a97)), closes [#3137](https://github.com/ory/hydra/issues/3137):

  The SQL update here would potentially update a lot of rows, which did not need updating. In some DB engines, this would not be an issue, because the redundant writes are ignored. But on PostgreSQL engines, it is another story; here it would actually carry out the writes, leading to a potentially high number of redundant iops when the engine is vaccuming outdated records. With this change, the SQL update will only affect the rows which is not in the desired state already.

- Pop compile issue ([3e7b6b4](https://github.com/ory/hydra/commit/3e7b6b412ea524529cad8d716a23c785f7c3e466))
- Postgres migration script ([#3249](https://github.com/ory/hydra/issues/3249)) ([d6e7f94](https://github.com/ory/hydra/commit/d6e7f94f5eb678c43d43af8054b6707ea545c9b1))
- Prefix paths correctly with /admin ([e130dfa](https://github.com/ory/hydra/commit/e130dfa93c596f86b057dfb35bcea6e58874f76c))
- Proper introspection output format ([#3312](https://github.com/ory/hydra/issues/3312)) ([8b77f5a](https://github.com/ory/hydra/commit/8b77f5ada22261fdcf87fc1a3b362a023a565abc))
- Quickstart with SQLite ([e58d3d1](https://github.com/ory/hydra/commit/e58d3d15eb835f94757fb39868d4570265772a9b)), closes [#3050](https://github.com/ory/hydra/issues/3050)
- Regression in database layer ([1d78e79](https://github.com/ory/hydra/commit/1d78e79623af7bf7d59dd2e7d1ab741e838de95e))
- Remove deprecated config value ([8994190](https://github.com/ory/hydra/commit/8994190033ced6fac0a9e5aaffccd2d5e9428ac1))
- Remove goswagger generated client ([e2c8809](https://github.com/ory/hydra/commit/e2c8809bedf1cf78ce163f58232c23aaedd11593))
- Remove incorrect aliases ([2a20080](https://github.com/ory/hydra/commit/2a20080d1d1caa92d0483ec8fec5a5bf1e9d2267))
- Remove obsolete type patches ([e670d68](https://github.com/ory/hydra/commit/e670d68dad332824a49875e014d6957653eef4a2))
- Remove unnecessary load of TLS certificates at boot ([13691d3](https://github.com/ory/hydra/commit/13691d3995f4418c8a83caf3d22f5ca98152187a))
- Remove unused swagger struct ([4ff0690](https://github.com/ory/hydra/commit/4ff0690d895280b15b1a2f88540766b2adfe6f04))
- Replace of consent session expires values ([e1731ba](https://github.com/ory/hydra/commit/e1731baf51676d70cf04e6e674df697d4af3298c))
- Resolve a merge conflict in migration_test ([#2811](https://github.com/ory/hydra/issues/2811)) ([acb16c1](https://github.com/ory/hydra/commit/acb16c1c273e023c8c3854f7fc36ba653085c828))
- Resolve conformance build issues ([f6ee1d3](https://github.com/ory/hydra/commit/f6ee1d3bda00a3105815c12a7fa1f6fbc38a72a6))
- Resolve internal SDK regressions ([937e6ba](https://github.com/ory/hydra/commit/937e6baabf2df183ec6f5679b1507319a9988afa))
- Resolve merge conflicts ([6eee09c](https://github.com/ory/hydra/commit/6eee09cc72618121588d40877e0ee7bff3d5623c))
- Resolve migration regressions ([5552e4d](https://github.com/ory/hydra/commit/5552e4df97bb5990e05f19d38aca98b614b4f48a))
- Resolve test issues and regressions introduced by the new JWK generator ([77b1ac7](https://github.com/ory/hydra/commit/77b1ac749656e855092513fac3c459f439eefe54))
- Resolve token prefix regression ([1fd6ea3](https://github.com/ory/hydra/commit/1fd6ea3df64598095ba119350ec1cca3e2a44e72))
- Retry transient crdb transaction failures ([f0f3139](https://github.com/ory/hydra/commit/f0f3139efeb4b5ec74c875e350838aaf20045779))
- Revert latest docker image changes ([#3286](https://github.com/ory/hydra/issues/3286)) ([f2daa7d](https://github.com/ory/hydra/commit/f2daa7d6456e4bd27cb9e4b3aa89e2790e59f2b3)):

  Closes https://github.com/ory/hydra/issues/3285

- Revert to normal crdb ([c9a248d](https://github.com/ory/hydra/commit/c9a248dd7cebe20009559e5625ab195a288eb656))
- **sdk:** GenericError type ([21c579a](https://github.com/ory/hydra/commit/21c579ad40d2802e91c3fcc6ee910e44499b07cb))
- **sdk:** Handle all error codes ([#3153](https://github.com/ory/hydra/issues/3153)) ([1ab345b](https://github.com/ory/hydra/commit/1ab345b9ee3e24231fe05d8a88f12f0698721f32)), closes [#2350](https://github.com/ory/hydra/issues/2350)
- **sdk:** Make session uniquely named ([468e27d](https://github.com/ory/hydra/commit/468e27d0ddd206839f24166b85989dbcebcc215d))
- **sdk:** Omit DefaultSession ([954aa5f](https://github.com/ory/hydra/commit/954aa5f3a142e70e2c98f5917b9170bb57df91fc))
- **sdk:** Remove pattern from scope parameter ([1332fe6](https://github.com/ory/hydra/commit/1332fe6c4dd8fcdef5861ebb451f36b0c388aafe)), closes [#3142](https://github.com/ory/hydra/issues/3142)
- **sdk:** Resolve type issues and regenerate SDK ([6880fea](https://github.com/ory/hydra/commit/6880feafb060d8df299aa75664aa4950dcad53c6))
- **sdk:** Use correct struct for response ([04b308f](https://github.com/ory/hydra/commit/04b308f35a389b8cb96341f8c431e2c0b521cb3f))
- Speed up health checks ([eafa2bb](https://github.com/ory/hydra/commit/eafa2bb488bf55e035d55f3974c0766e4ede123e))
- Support issuer with and without trailing slash ([d746fa4](https://github.com/ory/hydra/commit/d746fa499a73df617741e0a792f254970e1b504a)), closes [#1482](https://github.com/ory/hydra/issues/1482)
- Update benchmark script ([63a84de](https://github.com/ory/hydra/commit/63a84de3f51c1ffd06729f78ced488ba72acb0c5))
- Use --yes flag in db-diff ([36ddb61](https://github.com/ory/hydra/commit/36ddb6155786c5b5ac6d83a3e3761a4768bded82))
- Use config func everywhere ([d1af32d](https://github.com/ory/hydra/commit/d1af32dc9e72f26e4e758ff2f2fc8c9071a4dc4e))
- Use correct context ([3ceefd7](https://github.com/ory/hydra/commit/3ceefd738d363c910e47a456a353603612d5674a))
- Use correct sdk tag ([#3318](https://github.com/ory/hydra/issues/3318)) ([aea37d6](https://github.com/ory/hydra/commit/aea37d6a358f8c440ac2a3a138adec77d7544aab))
- Use CreateWith ([9fbbbdf](https://github.com/ory/hydra/commit/9fbbbdf425fea6f2a1218c489d4d9f65c03daf75))
- Use StringSliceJSONFormat instead of StringSlicePipeDelimiter ([#3112](https://github.com/ory/hydra/issues/3112)) ([1d9891d](https://github.com/ory/hydra/commit/1d9891dcf14cdb0e18aa071e053675475f5d787b)):

  Closes https://github.com/ory/hydra/issues/2859

### Code Generation

- Pin v2.0.0 release commit ([4d83a28](https://github.com/ory/hydra/commit/4d83a289ac590fbdefca5ed933327b46c4abf65f))

### Code Refactoring

- `hydra keys` command ([e466d7c](https://github.com/ory/hydra/commit/e466d7c9d284da22742ad0769153f95e12daa9e8))
- `hydra token client` command ([81e79f2](https://github.com/ory/hydra/commit/81e79f2a34024c2c60b52bfd6f76518f0a179166))
- `hydra token delete` command ([aa338e1](https://github.com/ory/hydra/commit/aa338e1789e0d9946fe241d4dc2168f6dd17ca51))
- `hydra token introspect` command ([da3e2b4](https://github.com/ory/hydra/commit/da3e2b44382199dc601e8d01d9a3f4757a7c59a6))
- `hydra token revoke` command ([42e75c3](https://github.com/ory/hydra/commit/42e75c32c63cf029f4088bc277d4039059017771))
- CLI environment variables `HYDRA_URL` has been renamed to `ORY_SDK_URL` ([08bbbab](https://github.com/ory/hydra/commit/08bbbab1a9beb030cbea1487fd3d32e360a44c37)):

  BREKAING CHANGE: To follow ecosystem convention, environment variables `HYDRA_URL`, `HYDRA_ADMIN_URL` have been renamed to `ORY_SDK_URL`.

- **client:** Make OAuth2 Client IDs system-chosen and immutable ([4002224](https://github.com/ory/hydra/commit/4002224439c681f9bc4aaa8af2793615fe5c0d95)), closes [#2911](https://github.com/ory/hydra/issues/2911)
- **client:** Rename SDK methods and introduce `/admin` prefix ([0752721](https://github.com/ory/hydra/commit/0752721dd87f8d5b447e8ba3fa413cf2fd5608ba))
- **client:** Replace limit and offset parameters with page_token and page_size ([23585b5](https://github.com/ory/hydra/commit/23585b579776f5fe058a95b06556c27a8d1da0c4))
- **consent:** Rename SDK method from `acceptConsentRequest` to `adminAcceptOAuth2ConsentRequest` ([5885ab3](https://github.com/ory/hydra/commit/5885ab31d91eebb70f1b701baf4df9ee6dab75e2))
- **consent:** Rename SDK method from `acceptLoginRequest` to `adminAcceptOAuth2LoginRequest` ([fa27d0c](https://github.com/ory/hydra/commit/fa27d0cfcc97bbfdaaf7a696e0d82872c6859ccf))
- **consent:** Rename SDK method from `adminListSubjectConsentSessions` to `adminListOAuth2SubjectConsentSessions` ([bb51ba0](https://github.com/ory/hydra/commit/bb51ba0c40ba59839a7ea383170cdd559b22a8be))
- **consent:** Rename SDK method from `getLoginRequest` to `adminGetOAuth2LoginRequest` ([9053040](https://github.com/ory/hydra/commit/9053040fe47164e4167f0f15270b9e6ade81604f))
- **consent:** Rename SDK method from `getOAuth2ConsentRequest` to `adminGetOAuth2ConsentRequest` ([475efbc](https://github.com/ory/hydra/commit/475efbcf8e49ea105653a914aecf8a622e3ae5c1))
- **consent:** Rename SDK method from `rejectConsentRequest` to `rejectOAuth2ConsentRequest` ([e0e3da9](https://github.com/ory/hydra/commit/e0e3da9e627f931495ab459462abf000446e9785))
- **consent:** Rename SDK method from `rejectLoginRequest` to `rejectOAuth2LoginRequest` ([37a8839](https://github.com/ory/hydra/commit/37a8839fb1f0b1226504b49bff179328c7010226))
- **consent:** Rename SDK method from `rejectLogoutRequest` to `adminRejectOAuth2LogoutRequest` ([cdffa1e](https://github.com/ory/hydra/commit/cdffa1e053d67190c59b927b966eddb0aba6ba64))
- **consent:** Rename SDK method from `revokeAuthenticationSession` to `adminRevokeOAuth2LoginSessions` ([0a5ebe8](https://github.com/ory/hydra/commit/0a5ebe8fa1eadd00756eb084a2bc654b349ed071))
- **consent:** Rename SDK method from `revokeConsentSessions` to `adminRevokeOAuth2ConsentSessions` ([1108409](https://github.com/ory/hydra/commit/1108409abd1c7e6fdefcf95d376a0c7e33e85cde))
- Deprecate `--dangerous-allow-insecure-redirect-url` flag ([46b5887](https://github.com/ory/hydra/commit/46b58874643b91073caae79668feae6aab5b08d5))
- Deprecate `--dangerous-force-http` flag ([062734e](https://github.com/ory/hydra/commit/062734e16aef0c0d1425ce51ead7c3abeca71ba0))
- Drop TLS by default ([edb042e](https://github.com/ory/hydra/commit/edb042e12fb87cb448dd1b6c2dfa6fee104704c1))
- Environment variable `DATABASE_URL` has been deprecated ([8023d2a](https://github.com/ory/hydra/commit/8023d2a75be4466a0112d747c4b327969879a636))
- Finalize consent SDK methods ([53d225a](https://github.com/ory/hydra/commit/53d225a9806a73a9b2c9fef585ebd63301272f34))
- Generated UUID variant & version test ([#2793](https://github.com/ory/hydra/issues/2793)) ([697813e](https://github.com/ory/hydra/commit/697813e185045cabe997bf3a95de02089eea1a0f)), closes [#2792](https://github.com/ory/hydra/issues/2792)
- Improve performance and reduce data use of consent persistence layer ([#2836](https://github.com/ory/hydra/issues/2836)) ([53862f2](https://github.com/ory/hydra/commit/53862f290c21e599822e11d7554d6437419ee502)):

  This patch changes the internal data structure and reduces four (sort of redundant) tables into one. As part of this change, a few new tools have been added:

  - Introduce the `hydra sql gen` command and a convenience Make target with autocompletion. The command reads migration templates from a source directory and produces migration files in a target directory. Its main function is to split a single source file into multiple files using split marks.

  - Introduce the `hack/db-diff.sh` command to generate database schema diffs at different commits. This script is used to view and review the impact of migrations on the database schema.

- **jwk:** No longer prefix keys with `public` or `private` ([5e2ea0b](https://github.com/ory/hydra/commit/5e2ea0b6c65441983a7e85f9e8434f6068f4fcba))
- **jwk:** Rename SDK methods and introduce `/admin` prefix ([cd007bb](https://github.com/ory/hydra/commit/cd007bbb49bc8d544b5dcfa77088e76cf1ee0b2f))
- Make commands easier to consume ([cc9d9e5](https://github.com/ory/hydra/commit/cc9d9e5b5de070e6521f603ceef806c8284b849b))
- **oauth2:** Clean up changes ([c12b45c](https://github.com/ory/hydra/commit/c12b45cc446991e80acf5d5d0be4131c168fbeb7))
- **oauth2:** Rename SDK method from `deleteOAuth2Token` to `adminDeleteOAuth2Token` ([ea4caf7](https://github.com/ory/hydra/commit/ea4caf73415f131f3df9bf8e41961eac1af7d835))
- **oauth2:** Rename SDK method from `discoverOpenIDConfiguration` to `discoverOidcConfiguration` ([df467a0](https://github.com/ory/hydra/commit/df467a0605a941c4c60968b82b0380932b5e06b8))
- **oauth2:** Rename SDK method from `introspectOAuth2Token` to `adminIntrospectOAuth2Token` ([f2bd9a3](https://github.com/ory/hydra/commit/f2bd9a30a93c35ceb062be4d3c1178bc93e4b387))
- **oauth2:** Rename SDK method from `oauth2Token` to `performOAuth2TokenFlow` ([51b58e7](https://github.com/ory/hydra/commit/51b58e7eadf1b9686903e9c7e454754f02c29956))
- **oauth2:** Rename SDK method from `userinfo` to `getOidcUserInfo` ([4e554e7](https://github.com/ory/hydra/commit/4e554e7a938911f2a9a2a6b6ad2da602f0642095))
- Remove `/oauth2/flush` endpoint ([17c226c](https://github.com/ory/hydra/commit/17c226cc2ad54ed7afc7f7279646cbfabe9363ca))
- Remove `oauth2.include_legacy_error_fields` config ([148cadb](https://github.com/ory/hydra/commit/148cadb2009aabb9c5301bb3f4321e370259adcf))
- Remove HS512 and HS256 jwk key generator ([5fb3049](https://github.com/ory/hydra/commit/5fb3049ee8f04dc03b6365e52486d0fdae9ae0f6))
- Rename `access_log` to `request_log` ([223c8bc](https://github.com/ory/hydra/commit/223c8bc2b1ec002725f834e316735f2d9a34fe5b))
- Rename `hydra clients create` command ([76eb93c](https://github.com/ory/hydra/commit/76eb93c352d5f51bb6f76be82d6ac5fe3a7264be)):

  Renames the command to `hydra create client` and changes CLI flags.

- Rename `hydra clients delete` command ([dea2fdd](https://github.com/ory/hydra/commit/dea2fdd0056770173aabad1c4a1497e8f5a8f38a)):

  Renames the command to `hydra delete client` and changes CLI flags.

- Rename `hydra clients get` command ([edd4b43](https://github.com/ory/hydra/commit/edd4b43d279040534046f903cdd0f407322a7cf0)):

  Renames the command to `hydra get client` and changes CLI flags.

- Rename `hydra clients import` command ([7de7841](https://github.com/ory/hydra/commit/7de78410fc90f8c1ce5b961e92ddb93be66353ba)):

  The `hydra clients import` command now supports reading from STDIN as well as the file system, and ships with output formats such as `json` and `json-pretty`.

- Rename `hydra clients list` command ([1c0f971](https://github.com/ory/hydra/commit/1c0f971e8be56697d0f15f1cc59e6d68744f77ad)):

  Renames the command to `hydra list client` and changes CLI flags.

- Rename `hydra clients update` command ([7482b77](https://github.com/ory/hydra/commit/7482b77c7124718da696564635094ba57d905922))
- Replace custom key generator with jose key generator ([d2d5512](https://github.com/ory/hydra/commit/d2d551230ede27296cb3b488dd23b00b19b65d1a)):

  Closes https://github.com/ory/hydra/issues/1825

- **sdk:** Consent SDK ([e800002](https://github.com/ory/hydra/commit/e800002d09a01cee8f3331541ae6734c499315ac))
- **sdk:** JSON Web Key SDK API ([06d565e](https://github.com/ory/hydra/commit/06d565ebb7771c266d33d9b74cf3eeb500ac9896))
- **sdk:** OAuth 2.0 Trust Relationship SDK ([b0a2b05](https://github.com/ory/hydra/commit/b0a2b0533941e9a784f5925d60653e520269c126))
- **sdk:** OAuth2 SDK API ([142b55f](https://github.com/ory/hydra/commit/142b55f295f811d963cf32c3e7946b9ccd542489))
- **sdk:** Rename errors ([6b60156](https://github.com/ory/hydra/commit/6b601564c1a5c4e29a40d21dc216663c8d7a6fe9))
- **sdk:** Rename oauth2 client operations and payloads ([cb742ad](https://github.com/ory/hydra/commit/cb742ad0d61844aa7bdff2bd8e455c5e7ad49b21))
- **sdk:** Rename PatchDocument to JsonPatchDocument ([a54ea69](https://github.com/ory/hydra/commit/a54ea697412186981d6eb999d121f43ed92cd0ca))
- **trust:** Rename SDK method from `deleteTrustedJwtGrantIssuer` to `adminDeleteTrustedOAuth2JwtGrantIssuer` ([e0be7cf](https://github.com/ory/hydra/commit/e0be7cfe16bf30efa0ebb9f52b5bd8f2fe19e53f))
- **trust:** Rename SDK method from `getTrustedJwtGrantIssuer` to `adminGetTrustedOAuth2JwtGrantIssuer` ([210116e](https://github.com/ory/hydra/commit/210116e32af61cc4720f8bc8da5348bb076e0a1a))
- **trust:** Rename SDK method from `listTrustedJwtGrantIssuers` to `adminListTrustedOAuth2JwtGrantIssuers` ([cb7b9e0](https://github.com/ory/hydra/commit/cb7b9e00dd07ec2d7abbd6357b1cd334b2cb20fe))
- **trust:** Rename SDK method from `trustJwtGrantIssuer` to `adminTrustOAuth2JwtGrantIssuer` ([7edf8df](https://github.com/ory/hydra/commit/7edf8df16ac0c9bb6c6f365c147e16240f210a1e))

### Documentation

- Add required key to all versions in the version schema ([#3233](https://github.com/ory/hydra/issues/3233)) ([ac61740](https://github.com/ory/hydra/commit/ac617401718f11a09f77e41592166ec45a9b23cb))
- Clarify command usage strings ([34cde51](https://github.com/ory/hydra/commit/34cde517e36d88f3e5bde2f7f440d6dd51fd6699))
- Remove mention of CircleCI ([#3240](https://github.com/ory/hydra/issues/3240)) ([75f7b50](https://github.com/ory/hydra/commit/75f7b500394d6322f03d61678fb86d70a97eaab3))
- Update config key descriptions ([919170f](https://github.com/ory/hydra/commit/919170ffd689cd8eddd44f3eb47d9fb498adf922))

### Features

- Add `db.ignore_unknown_table_columns` configuration property ([#3192](https://github.com/ory/hydra/issues/3192)) ([#3193](https://github.com/ory/hydra/issues/3193)) ([5842946](https://github.com/ory/hydra/commit/5842946d156ec1f66c13585da7cfc2be4f6ebb68)):

  The property allows to ignore scan errors when columns in the SQL result have no fields in the destination struct.

- Add ability to allow token refresh from hook without overriding the session claims ([#3146](https://github.com/ory/hydra/issues/3146)) ([afa2ea0](https://github.com/ory/hydra/commit/afa2ea030363a1fed82863cfa6c94e4379c9d062)), closes [#3082](https://github.com/ory/hydra/issues/3082)
- Add embedx helpers ([#3189](https://github.com/ory/hydra/issues/3189)) ([ee9032c](https://github.com/ory/hydra/commit/ee9032ce1005f930cd100bf52a170a5483fb3f79))
- Add new key `serve.public.tls.enabled` ([ecacc6d](https://github.com/ory/hydra/commit/ecacc6de1a206a93d700d1a38150bb83468d34a5))
- Add nid tests and resolve issues ([#3102](https://github.com/ory/hydra/issues/3102)) ([a84c5f5](https://github.com/ory/hydra/commit/a84c5f5064a935a745a52a42575fd57bc3dee94f))
- Add SQLite dependency to SQLite Dockerfile ([#3282](https://github.com/ory/hydra/issues/3282)) ([841a153](https://github.com/ory/hydra/commit/841a1535969e86ee6d2dc17c767c656f1908baae))
- Add tag descriptions ([c111a4c](https://github.com/ory/hydra/commit/c111a4ce2ccd33be592340d6cc28d85afa2f82dc))
- Add token prefixes ([60bab08](https://github.com/ory/hydra/commit/60bab0830591560900264d4bc8da3bf5b898cbf7)), closes [#2845](https://github.com/ory/hydra/issues/2845):

  This patch adds token prefixes to access tokens (`ory_at_`), refresh tokens (`ory_rt_`), and authorize codes (`ory_ac_`). Token prefixes are useful when scanning for secrets in e.g. git repositories. Token prefixes are only issued for non-JWTs.

- Allow config context ([d894c97](https://github.com/ory/hydra/commit/d894c974d0dbb166ebb93478055cab5de18a5d11))
- Better control for cookie secure flag ([90d539f](https://github.com/ory/hydra/commit/90d539f53dd5d9bacf9dac5a20901990486799f1))
- **client:** Respect ip restrictions in client validation ([cafe89a](https://github.com/ory/hydra/commit/cafe89ad2285a141c642b26d079c2b865db60935))
- **cli:** Improve migrate command handling ([e252654](https://github.com/ory/hydra/commit/e2526547b1c1a7ed69543c2f2d4e005b17e6a016))
- **cli:** Significantly improved `create client` ([bb9c8ba](https://github.com/ory/hydra/commit/bb9c8ba4f7736b6e737528604445dbed05f1b997)), closes [#3091](https://github.com/ory/hydra/issues/3091):

  This patch adds output formats to `hydra create client` and makes all client fields configurable as flags.

- Config hot reloading architecture ([bbe0406](https://github.com/ory/hydra/commit/bbe0406df63257a63ecc203bc9ff93417d9c6024))
- Custom client token ttl ([#3206](https://github.com/ory/hydra/issues/3206)) ([9ef671f](https://github.com/ory/hydra/commit/9ef671f284a95e69b60d032acd6da1a6a06219b5)), closes [#3157](https://github.com/ory/hydra/issues/3157):

  This change introduces a new endpoint that allows you to control how long client tokens last. Now you can configure the lifespan for each valid combination of Client, GrantType, and TokenType.

- Deprecate autoincrement primary key in hydra_client ([#2784](https://github.com/ory/hydra/issues/2784)) ([6d01e2e](https://github.com/ory/hydra/commit/6d01e2e79b4925c84514d9d47dcd945aee2fafbf)), closes [#2781](https://github.com/ory/hydra/issues/2781)
- Deprecate autoincrement primary key in hydra_jwk ([#2789](https://github.com/ory/hydra/issues/2789)) ([b76a151](https://github.com/ory/hydra/commit/b76a1514b79a3e5ff178057b762b01053854e976)), closes [#2788](https://github.com/ory/hydra/issues/2788)
- Hot-reload TLS certificate ([#3265](https://github.com/ory/hydra/issues/3265)) ([1d13be6](https://github.com/ory/hydra/commit/1d13be6d3b2f03e45cb3f91e9a079e53861edc85))
- Implement NID ([b7fc2bf](https://github.com/ory/hydra/commit/b7fc2bff532aed6b87793d9f3236a69d1be322a1))
- Improve CLI messages ([e934c4f](https://github.com/ory/hydra/commit/e934c4f7769065d964ac9a441d901af8baac728a))
- Improve cloud cli compatibility ([93a626d](https://github.com/ory/hydra/commit/93a626d18a3132f3359e5223704b970a08cfb405))
- Improve cookie settings ([9717cad](https://github.com/ory/hydra/commit/9717cad6141a6c79f13170e7fcf15810fba39072))
- Improve refresh token error messages ([2769c9b](https://github.com/ory/hydra/commit/2769c9b369d133f1766912cdf07c4c0cf214d133))
- Improved cookie controls ([e7834ec](https://github.com/ory/hydra/commit/e7834ecb19e7c9dcb5fe591d991e3c8286f1b0ca)):

  New cookie configuration options have been introduced, allowing a higher degree of control:

  ```yaml
  serve:
    cookies:
      same_site_mode: Lax
      same_site_legacy_workaround: false
      domain: example.com
      names:
        login_csrf: ory_hydra_login_csrf
        consent_csrf: ory_hydra_consent_csrf
        session: ory_hydra_session
  ```

- Make all ui urls relative ([370a487](https://github.com/ory/hydra/commit/370a48747aea3e311d4ea87887533e9ed6d83b52))
- Make CORS config hot reloadable ([2d5c893](https://github.com/ory/hydra/commit/2d5c8930de693bbed56c9c9c890b744ef199df31))
- Make perform commands ory cloud-able ([954693f](https://github.com/ory/hydra/commit/954693feffbb619d65ac50ebccb8d7adb72c3ecf))
- Pass options from root ([2f91ef4](https://github.com/ory/hydra/commit/2f91ef471c53a6cc444331fbc840ec136e8a3fb7))
- Rebuild containers on start ([5b616d8](https://github.com/ory/hydra/commit/5b616d8ae6eb53071ccf73410c8509d85d415a23))
- Renaming to Ory Network ([#3298](https://github.com/ory/hydra/issues/3298)) ([fbcaaad](https://github.com/ory/hydra/commit/fbcaaade18f961c011e32ea713fb1f1fe0a1bb36))
- Replace hydra's transaction impl with ory/popx/transaction ([77d8dac](https://github.com/ory/hydra/commit/77d8dacb3007838407010c9998e31b62d452ade7))
- Respect local DNS restrictions ([7eb1d1c](https://github.com/ory/hydra/commit/7eb1d1c0ff7189bcd76792ac38e7425e9b7c6f86))
- **sdk:** Add missing bearer security definition ([a85bc7a](https://github.com/ory/hydra/commit/a85bc7ab52aa6bce20eec52985a465fc31544b57))
- **sdk:** Type nulls ([fe70395](https://github.com/ory/hydra/commit/fe70395ae58e52a573bfac7385941d4504a1e403))
- Support alternate hashing algorithms for client secrets ([ddba42f](https://github.com/ory/hydra/commit/ddba42f49837c48d4ee9bf9203ffa81f3b31757c)), closes [rfc6819#section-5](https://github.com/rfc6819/issues/section-5) [/datatracker.ietf.org/doc/html/rfc6819#section-5](https://github.com//datatracker.ietf.org/doc/html/rfc6819/issues/section-5):

  This patch adds support for hashing client secrets using pbkdf2 instead of bcrypt, which might be a more appropriate algorithm in certain settings. As we assume that most environments fall in this category, we also changed the default to pbkdf2 with 25.000 rounds (roughly 1-3ms per hash on an Apple M1 Max core).

  High hash costs are needed when hashing user-chosen passwords, as users often reuse passwords across sites. A high hash cost will make it much harder for the attacker to guess the user-chosen password and try using it on other sites (e.g. Google).

  As most client secrets are auto-generated, using high hash costs is not useful. The password (OAuth2 Client Secret) is not user chosen and unlikely to be reused. As such, there is little point in using excessive hash costs to protect users. High hash costs in a system like Ory Hydra will cause high CPU costs from mostly automated traffic (OAuth2 Client interactions). It has also been a point of critizism from some who wish for better RPS on specific endpoints.

  Other systems like Keycloak do not [hash client secrets at all](https://groups.google.com/g/keycloak-dev/c/TmsNfnol0_g), referencing more secure authentication mechanisms such as assertion-based client authentication.

- Support ES256 for generating JWTs ([9a080ad](https://github.com/ory/hydra/commit/9a080ad2fa75c932da6ec0a40602cbfdeee8fd94))
- Switch to otelx ([#3108](https://github.com/ory/hydra/issues/3108)) ([05eaf6d](https://github.com/ory/hydra/commit/05eaf6d3be68f52cbed4de2a8586bfa777d1187f))
- Switch to otelx ([#3108](https://github.com/ory/hydra/issues/3108)) ([47d0518](https://github.com/ory/hydra/commit/47d0518efe71fbb57d6c2e494e33c73ba652089f))
- Tls on public port can now be configured without restrictions ([73d9517](https://github.com/ory/hydra/commit/73d9517572e665ae5b6bcdb53c3666d18a6137c3))
- **tracing:** Add lots of tracing spans ([#3125](https://github.com/ory/hydra/issues/3125)) ([2ee9229](https://github.com/ory/hydra/commit/2ee922938b435fdb58ca804cb29c3136347d8930))
- Upgrade go-swagger ([cce8d60](https://github.com/ory/hydra/commit/cce8d60969a33d28227e59c39b598105d5544bf4))

### Tests

- Add test for access token strategy ([b4865dd](https://github.com/ory/hydra/commit/b4865dd1b7515c7a05a4c198dad7bc6b83ad08b2))
- **conformance:** Add directory ([f5d0885](https://github.com/ory/hydra/commit/f5d088538190e4032cf7705a529eb33272bcac3a))
- **conformity:** Revert admin prefix ([580f33b](https://github.com/ory/hydra/commit/580f33b1fffab2efbf37281a7fd96a2293f35fb3))
- **conformity:** Sdk regression ([15f3cfc](https://github.com/ory/hydra/commit/15f3cfcb56dcc1891f521c4c10ee47c46c73a2ce))
- **e2e:** Add trailing slash to issuer ([fa23960](https://github.com/ory/hydra/commit/fa23960730ce253ef4daf283a183ca84fa1dcdc4))
- **e2e:** Fix build instructions ([415658d](https://github.com/ory/hydra/commit/415658d88d50e291a74ebc3df397781f1a1c521c))
- **e2e:** Fix issuer URL ([03b2340](https://github.com/ory/hydra/commit/03b2340837724e3482bbecba4677152d7c1d8615))
- **e2e:** Fix jwt regression ([647822d](https://github.com/ory/hydra/commit/647822d7a6a032472dfc6ab2eba1e3f5902db655))
- **e2e:** Resolve test regressions ([30855d9](https://github.com/ory/hydra/commit/30855d9e491a7125d2d1cd5c5d1bc3358138f7be))
- **e2e:** Respect metadata ([7bea2e8](https://github.com/ory/hydra/commit/7bea2e8f8f903fcc5468410daf3558bc83dbc14e))
- **e2e:** Upgrade cypress ([40be7bb](https://github.com/ory/hydra/commit/40be7bb5d4a7438dfb073cb5b161e0cabb5d51b5))
- **e2e:** Upgrade jwks-rsa ([8ddf880](https://github.com/ory/hydra/commit/8ddf880c351ab772c156933cdd685da5017e373f))
- Fix a flaky test ([51600f4](https://github.com/ory/hydra/commit/51600f499d9e9ebc18ca6293230b94034b498798))
- Fix assertions on nil pointers ([8710590](https://github.com/ory/hydra/commit/87105903a7e0ceb3192ab13530c838b407abf3a4))
- Fix conformity issues ([2875c19](https://github.com/ory/hydra/commit/2875c190c42416d308483b1b5b7567e53e27a5d8))
- Fix failing master pipeline ([#3283](https://github.com/ory/hydra/issues/3283)) ([f979adb](https://github.com/ory/hydra/commit/f979adb447ded4cefda2f7914544167474d60491))
- Fix flaky equal check ([1100aba](https://github.com/ory/hydra/commit/1100aba1e1c5b9617a2560e42c45c43d6636835b))
- Fix flaky equal check ([2c4615c](https://github.com/ory/hydra/commit/2c4615cea945e1243f3231680f11f609650e5524))
- Fix resp.bodyclose lint error ([f0f5223](https://github.com/ory/hydra/commit/f0f5223a7c84c1599658d2e33eeae6e83dd5f734))
- **hsm:** Do not evaluate HSM private key ([3420026](https://github.com/ory/hydra/commit/3420026a40532074a6787383e33912e7371cd1ae))
- **hsm:** Resolve test issues ([8db9e5b](https://github.com/ory/hydra/commit/8db9e5bb239abf569fbdf1613c3871c560981113))
- Implement network test structure for clients ([8a09175](https://github.com/ory/hydra/commit/8a091750bf4cfc757b1019b0f90b87b1c87f81b9))
- Improve jwk test layout ([3b7a1a7](https://github.com/ory/hydra/commit/3b7a1a754a625c627c754858533a52e4a1b61d5d))
- **migratest:** Add missing cockroach migrations and debug test failures ([5e6c099](https://github.com/ory/hydra/commit/5e6c09952447093add986a2b367cb2089c550d24))
- Refactor migration tests to use fixtures ([#2936](https://github.com/ory/hydra/issues/2936)) ([7b96651](https://github.com/ory/hydra/commit/7b966515fd712ac7ed0416b5c806b2c7cc245a2f)), closes [#2901](https://github.com/ory/hydra/issues/2901)
- Remove unused fixture ([1cf5bd0](https://github.com/ory/hydra/commit/1cf5bd0fc9bbb1724410d97dee8e45e6a8d54c2b))
- Resolve test migration issues ([63b7303](https://github.com/ory/hydra/commit/63b7303d448ad2493e838fdc755349b1f53f6664))
- Test client update and double delete ([3a50926](https://github.com/ory/hydra/commit/3a50926a6996b88216cac3dbbedf8c6d394d89ee))
- Update fixtures ([e77c0d3](https://github.com/ory/hydra/commit/e77c0d35caab9cacc313fe217a4acd616689faa5))
- Update paths to reflect new admin api ([549deda](https://github.com/ory/hydra/commit/549deda85231b04d031f56ecd116e959c72d767d))
- Update resource limits ([9e9ea94](https://github.com/ory/hydra/commit/9e9ea94607c4d9b45e2951adc852d6cb7ffc2d96))
- Update snapshot ([1c9a0d2](https://github.com/ory/hydra/commit/1c9a0d2db34b4792ca4deebbb69ac90fc7af10f0))
- Update snapshots ([5f5c81e](https://github.com/ory/hydra/commit/5f5c81ea0883d83d5d1f6a52cca9c3a7148adfd8))
- Update snapshots ([01dbc0e](https://github.com/ory/hydra/commit/01dbc0eb54f92ecc8595a867bf03c3b6cfc382ce))
- Update snapshots ([34bc743](https://github.com/ory/hydra/commit/34bc743e4b6f3f7b3357237f9e43587a7195664c))
- Update snapshots ([c66a536](https://github.com/ory/hydra/commit/c66a536a08c8f4371df71fcec0a3db5db665c080))
- Use fixed time.Now function in pop ([08968aa](https://github.com/ory/hydra/commit/08968aa9b05bdac8c5dceeda6af837da582272b9))

### Unclassified

- unstaged - refactor sdk use across the board ([34dfc0f](https://github.com/ory/hydra/commit/34dfc0fe576c89514594df5d05e7dee7dc3fc198))
- code review: add missing nid ([2592451](https://github.com/ory/hydra/commit/2592451bbb9e2201a39299cf338563231adf73e8))
- code review ([8e961d0](https://github.com/ory/hydra/commit/8e961d0eb32fa5ca0d8d9dbb32d73231e9f5d80f))
- code review: contextualize config ([10c146b](https://github.com/ory/hydra/commit/10c146b49cb06f6498ec13c724d6be4fc3b35260))
- code review: make sure CreateClient doesn't use provided ID ([8eec85d](https://github.com/ory/hydra/commit/8eec85d35cf514ba59de29efa92226337b8015c5))
- code review: generate first NID randomly; add/update tests; fix db-diff ([00490cb](https://github.com/ory/hydra/commit/00490cbbc5111c07071eb118e3dac813825e2aa5))
- Create networks table ([a2c5e14](https://github.com/ory/hydra/commit/a2c5e142040c25e68668d881f7cfda8e360e4d8a))


## Changelog
* 52154bc1 autogen(docs): generate and bump docs
* 9d01e248 autogen(docs): generate cli docs
* 3895d8a4 autogen(docs): regenerate and update changelog
* c16ffb46 autogen(docs): regenerate and update changelog
* 984185fb autogen(docs): regenerate and update changelog
* 181dda57 autogen(docs): regenerate and update changelog
* e70a6ce0 autogen(docs): regenerate and update changelog
* 07e02124 autogen(docs): regenerate and update changelog
* 1cab9408 autogen(docs): regenerate and update changelog
* 200dc9a4 autogen(docs): regenerate and update changelog
* 60b93459 autogen(docs): regenerate and update changelog
* 09b9318f autogen(docs): regenerate and update changelog
* e4d17df7 autogen(openapi): Regenerate swagger spec and internal client
* 20f2bcda autogen(openapi): Regenerate swagger spec and internal client (#2812)
* 8b12c914 autogen(openapi): regenerate swagger spec and internal client
* f9e71cfe autogen(openapi): regenerate swagger spec and internal client
* f148145a autogen(openapi): regenerate swagger spec and internal client
* 8db8cd7a autogen: pin v2.0.0 release commit
* 4d83a289 autogen: pin v2.0.0 release commit
* c68e1303 autogen: pin v2.0.0-alpha.0.pre.0 release commit
* 71226bc9 autogen: pin v2.0.0-alpha.0.pre.1 release commit
* 0cafe8fb autogen: pin v2.0.0-alpha.0.pre.2 release commit
* e27e2901 chore(deps): bump minimist and minimist in /test/e2e/oauth2-client (#3246)
* 8e351373 chore(sdk): remove obsolete template
* c38e700f chore: add json1 tag to db-diff
* 22d4a924 chore: address merge conflicts
* 3ba28f2b chore: backport migration fix to migration source (#3267)
* f4676194 chore: bump go to 1.19
* ac279c38 chore: change metric name and make Go 1.19 compatible (#3223)
* dc119136 chore: code review
* 96adcb84 chore: delete unused code
* 9fd2a473 chore: fix CLI command description (#3248)
* 81503e03 chore: fix compile and lint issues
* 922b43aa chore: fix formatting (#3269)
* 3632a6cf chore: fix lint issues
* 046b1ebe chore: fix typo (#3236)
* da0feb75 chore: format
* 56d1286b chore: format
* 6e593025 chore: format
* 2ef71d97 chore: format
* 655f8aa5 chore: format
* a76cda3e chore: format
* 15cdb885 chore: format using Make (#3257)
* b849d3d8 chore: go mod tidy
* 2adb928c chore: regenerate SDKs
* f5d89636 chore: regenerate SDKs
* 336ccaf8 chore: regenerate values
* 019f6bf3 chore: remove cypress screenshots
* 0b643a36 chore: remove double tabs from Makefile (#3273)
* abca5edb chore: remove fosite replace
* cc5d7701 chore: remove mod rewrites
* bbd48047 chore: remove stray console.log's
* 925013e3 chore: remove unused OpenAPI specifications and update snapshots
* 47daf0a1 chore: remove unused code
* 098a9831 chore: reorganize definition
* a28bcf1f chore: styles
* 49d48477 chore: update Prettier and ory-prettier-style and format everything (#3242)
* 82ba4467 chore: update formatter and formatting
* 5835ede1 chore: update fosite dependency
* aa7d0592 chore: update go mod
* b067680c chore: update golang and alpine
* f1b0603a chore: update openapi-generator to 6.0.1
* 8cea91d4 chore: update ory/x
* 686d59cb chore: update package locks
* e07e578b chore: update prettierignore
* 216352e3 chore: update repository templates
* a9c8da01 chore: update repository templates to https://github.com/ory/meta/commit/19eed817e5d5b64509887ef5f1e3eff3e3ce03a1
* 8b8e73d5 chore: update repository templates to https://github.com/ory/meta/commit/23d918a32533554c30d720dc44e821de3cda18f8
* 1c9f3e0c chore: update repository templates to https://github.com/ory/meta/commit/4a68ca0e3b70305c4a49a65777cb7f83a5eb9d89
* a73301c1 chore: update repository templates to https://github.com/ory/meta/commit/4ef13422e91f15b9f70014a0d67b92498ab728d1
* 8177cb5e chore: update repository templates to https://github.com/ory/meta/commit/6ab5ce6da0cc57d4492e932602bbfd4a76547795
* be24b804 chore: update repository templates to https://github.com/ory/meta/commit/935cc0443464fd76fbf41dff1081b368080c9353
* 791f5d12 chore: upgrade crdb to v22.x
* c8c3dbce chore: upgrade golangci-lint
* 55948d86 ci: add missing npm dependencies for changelog generation
* b4931a3c ci: do not use --verbose flag
* f040caf0 ci: install changelog-generator-cli
* 1cb56dfe ci: update crdb
* 8e961d0e code review
* 2592451b code review: add missing nid
* 10c146b4 code review: contextualize config
* 00490cbb code review: generate first NID randomly; add/update tests; fix db-diff
* 8eec85d3 code review: make sure CreateClient doesn't use provided ID
* ac617401 docs: add required key to all versions in the version schema (#3233)
* 34cde517 docs: clarify command usage strings
* 75f7b500 docs: remove mention of CircleCI (#3240)
* 919170ff docs: update config key descriptions
* e2526547 feat(cli): improve migrate command handling
* bb9c8ba4 feat(cli): significantly improved `create client`
* cafe89ad feat(client): respect ip restrictions in client validation
* a85bc7ab feat(sdk): add missing bearer security definition
* fe70395a feat(sdk): type nulls
* 2ee92293 feat(tracing): add lots of tracing spans (#3125)
* 841a1535 feat: add SQLite dependency to SQLite Dockerfile (#3282)
* 5842946d feat: add `db.ignore_unknown_table_columns` configuration property (#3192) (#3193)
* afa2ea03 feat: add ability to allow token refresh from hook without overriding the session claims (#3146)
* ee9032ce feat: add embedx helpers (#3189)
* ecacc6de feat: add new key `serve.public.tls.enabled`
* a84c5f50 feat: add nid tests and resolve issues (#3102)
* c111a4ce feat: add tag descriptions
* 60bab083 feat: add token prefixes
* d894c974 feat: allow config context
* 90d539f5 feat: better control for cookie secure flag
* bbe0406d feat: config hot reloading architecture
* 9ef671f2 feat: custom client token ttl (#3206)
* 6d01e2e7 feat: deprecate autoincrement primary key in hydra_client (#2784)
* b76a1514 feat: deprecate autoincrement primary key in hydra_jwk (#2789)
* 1d13be6d feat: hot-reload TLS certificate (#3265)
* b7fc2bff feat: implement NID
* e934c4f7 feat: improve CLI messages
* 93a626d1 feat: improve cloud cli compatibility
* 9717cad6 feat: improve cookie settings
* 2769c9b3 feat: improve refresh token error messages
* e7834ecb feat: improved cookie controls
* 2d5c8930 feat: make CORS config hot reloadable
* 370a4874 feat: make all ui urls relative
* 954693fe feat: make perform commands ory cloud-able
* 2f91ef47 feat: pass options from root
* 5b616d8a feat: rebuild containers on start
* fbcaaade feat: renaming to Ory Network (#3298)
* 77d8dacb feat: replace hydra's transaction impl with ory/popx/transaction
* 7eb1d1c0 feat: respect local DNS restrictions
* 9a080ad2 feat: support ES256 for generating JWTs
* ddba42f4 feat: support alternate hashing algorithms for client secrets
* 05eaf6d3 feat: switch to otelx (#3108)
* 47d0518e feat: switch to otelx (#3108)
* 73d95175 feat: tls on public port can now be configured without restrictions
* cce8d609 feat: upgrade go-swagger
* a2c5e142 feature: create networks table
* fe3c8990 fix(cli): output format issues
* f4812c85 fix(config): add default to supported types.
* 2b6350c0 fix(config): correct salt detection
* 90227699 fix(config): disallow additional properties
* ab6a9ee2 fix(config): support number
* 57cf46c4 fix(hsm): public key extraction
* c9c2e016 fix(hsm): public key extraction everywhere
* 0a786b7c fix(jwk): expose correct metadata algorithms
* ba16958c fix(mysql): fix mysql key too long error
* 7893a980 fix(oauth2): incorrect TTL override
* 21c579ad fix(sdk): genericError type
* 1ab345b9 fix(sdk): handle all error codes (#3153)
* 468e27d0 fix(sdk): make session uniquely named
* 954aa5f3 fix(sdk): omit DefaultSession
* 1332fe6c fix(sdk): remove pattern from scope parameter
* 6880feaf fix(sdk): resolve type issues and regenerate SDK
* 04b308f3 fix(sdk): use correct struct for response
* 1f7bf40e fix: ConfirmLoginSession, missing FKs; add tests
* ca748a1d fix: HSM test
* cd2c252b fix: `allowed_top_level_claims` set to nil (#3245)
* 2597f190 fix: `max_age=0` forces authentication
* 02c6d5d4 fix: add CORS to public health handler (#3114)
* dd1d733b fix: add json1 tag everywhere
* a98c0671 fix: add missing down migrations
* 51a586b0 fix: allow retries of unused login & consent requests
* 7e25fdbd fix: cache migration status
* 9a4f9e99 fix: client specific CORS
* 7bed2445 fix: cockroach migration fixes
* d1f5a0ef fix: compile errors
* 83983c2b fix: compile issue
* 68cb7d51 fix: compile issues
* a006b048 fix: conditionals in db-diff
* e163c803 fix: conformity health check
* 63761357 fix: consistently use RS256 in hot reloading
* 891fb551 fix: default back to RS256 keys
* 142cd133 fix: disable NID tests with HSM enabled
* 1d8a8fff fix: docker image build
* 05bda6bf fix: docker image build (#3247)
* 063f61be fix: docker instructions
* 11587aed fix: dont close crdb for reuse purposes
* 560accee fix: fix hydra_client pk change mysql down migration (#2791)
* a5cc6eae fix: fix unbatched select in flushInactiveTokens
* b0196c04 fix: handle server error when refresh token requests come same time (#3207)
* 4bf995d2 fix: high db cpu utilisation on query (#3260)
* 8571a671 fix: hsm compile issues
* 668a3192 fix: ignore cypress screenshots in git
* 6c8dda86 fix: improve duration pattern
* 1bd0c523 fix: improve health check reporting
* ece5ca6a fix: improve jwk generator defaults
* 8cffc5b1 fix: improve lazy initialization of JWKs
* 1a4abd6d fix: improve migration status speed
* b32ff33f fix: improve time validation
* 255b4e22 fix: incorrect queries
* d65aa3a9 fix: lazy load PKI
* 72a5cd8c fix: lint issues
* 3a263854 fix: make servicelocator explicit
* c51b21bb fix: missing data in JWT grant (#3143)
* a364db4f fix: move to v0alpha2 api spec
* c56b9585 fix: mysql slice delete
* 1aa6cc43 fix: optimise sql update to avoid redundant writes (#3289)
* 3e7b6b41 fix: pop compile issue
* d6e7f94f fix: postgres migration script (#3249)
* e130dfa9 fix: prefix paths correctly with /admin
* 8b77f5ad fix: proper introspection output format (#3312)
* e58d3d15 fix: quickstart with SQLite
* 1d78e796 fix: regression in database layer
* 89941900 fix: remove deprecated config value
* e2c8809b fix: remove goswagger generated client
* 2a20080d fix: remove incorrect aliases
* e670d68d fix: remove obsolete type patches
* 13691d39 fix: remove unnecessary load of TLS certificates at boot
* 4ff0690d fix: remove unused swagger struct
* e1731baf fix: replace of consent session expires values
* acb16c1c fix: resolve a merge conflict in migration_test (#2811)
* f6ee1d3b fix: resolve conformance build issues
* 937e6baa fix: resolve internal SDK regressions
* 6eee09cc fix: resolve merge conflicts
* 5552e4df fix: resolve migration regressions
* 77b1ac74 fix: resolve test issues and regressions introduced by the new JWK generator
* 1fd6ea3d fix: resolve token prefix regression
* f0f3139e fix: retry transient crdb transaction failures
* f2daa7d6 fix: revert latest docker image changes (#3286)
* c9a248dd fix: revert to normal crdb
* eafa2bb4 fix: speed up health checks
* d746fa49 fix: support issuer with and without trailing slash
* 63a84de3 fix: update benchmark script
* 36ddb615 fix: use --yes flag in db-diff
* 9fbbbdf4 fix: use CreateWith
* 1d9891dc fix: use StringSliceJSONFormat instead of StringSlicePipeDelimiter (#3112)
* d1af32dc fix: use config func everywhere
* 3ceefd73 fix: use correct context
* aea37d6a fix: use correct sdk tag (#3318)
* 40022244 refactor(client): make OAuth2 Client IDs system-chosen and immutable
* 0752721d refactor(client): rename SDK methods and introduce `/admin` prefix
* 23585b57 refactor(client): replace limit and offset parameters with page_token and page_size
* 5885ab31 refactor(consent): rename SDK method from `acceptConsentRequest` to `adminAcceptOAuth2ConsentRequest`
* fa27d0cf refactor(consent): rename SDK method from `acceptLoginRequest` to `adminAcceptOAuth2LoginRequest`
* bb51ba0c refactor(consent): rename SDK method from `adminListSubjectConsentSessions` to `adminListOAuth2SubjectConsentSessions`
* 9053040f refactor(consent): rename SDK method from `getLoginRequest` to `adminGetOAuth2LoginRequest`
* 475efbcf refactor(consent): rename SDK method from `getOAuth2ConsentRequest` to `adminGetOAuth2ConsentRequest`
* e0e3da9e refactor(consent): rename SDK method from `rejectConsentRequest` to `rejectOAuth2ConsentRequest`
* 37a8839f refactor(consent): rename SDK method from `rejectLoginRequest` to `rejectOAuth2LoginRequest`
* cdffa1e0 refactor(consent): rename SDK method from `rejectLogoutRequest` to `adminRejectOAuth2LogoutRequest`
* 0a5ebe8f refactor(consent): rename SDK method from `revokeAuthenticationSession` to `adminRevokeOAuth2LoginSessions`
* 1108409a refactor(consent): rename SDK method from `revokeConsentSessions` to `adminRevokeOAuth2ConsentSessions`
* 5e2ea0b6 refactor(jwk): no longer prefix keys with `public` or `private`
* cd007bbb refactor(jwk): rename SDK methods and introduce `/admin` prefix
* c12b45cc refactor(oauth2): clean up changes
* ea4caf73 refactor(oauth2): rename SDK method from `deleteOAuth2Token` to `adminDeleteOAuth2Token`
* df467a06 refactor(oauth2): rename SDK method from `discoverOpenIDConfiguration` to `discoverOidcConfiguration`
* f2bd9a30 refactor(oauth2): rename SDK method from `introspectOAuth2Token` to `adminIntrospectOAuth2Token`
* 51b58e7e refactor(oauth2): rename SDK method from `oauth2Token` to `performOAuth2TokenFlow`
* 4e554e7a refactor(oauth2): rename SDK method from `userinfo` to `getOidcUserInfo`
* 06d565eb refactor(sdk): JSON Web Key SDK API
* b0a2b053 refactor(sdk): OAuth 2.0 Trust Relationship SDK
* 142b55f2 refactor(sdk): OAuth2 SDK API
* e800002d refactor(sdk): consent SDK
* a54ea697 refactor(sdk): rename PatchDocument to JsonPatchDocument
* 6b601564 refactor(sdk): rename errors
* cb742ad0 refactor(sdk): rename oauth2 client operations and payloads
* e0be7cfe refactor(trust): rename SDK method from `deleteTrustedJwtGrantIssuer` to `adminDeleteTrustedOAuth2JwtGrantIssuer`
* 210116e3 refactor(trust): rename SDK method from `getTrustedJwtGrantIssuer` to `adminGetTrustedOAuth2JwtGrantIssuer`
* cb7b9e00 refactor(trust): rename SDK method from `listTrustedJwtGrantIssuers` to `adminListTrustedOAuth2JwtGrantIssuers`
* 7edf8df1 refactor(trust): rename SDK method from `trustJwtGrantIssuer` to `adminTrustOAuth2JwtGrantIssuer`
* 08bbbab1 refactor: CLI environment variables `HYDRA_URL` has been renamed to `ORY_SDK_URL`
* e466d7c9 refactor: `hydra keys` command
* 81e79f2a refactor: `hydra token client` command
* aa338e17 refactor: `hydra token delete` command
* da3e2b44 refactor: `hydra token introspect` command
* 42e75c32 refactor: `hydra token revoke` command
* 46b58874 refactor: deprecate `--dangerous-allow-insecure-redirect-url` flag
* 062734e1 refactor: deprecate `--dangerous-force-http` flag
* edb042e1 refactor: drop TLS by default
* 8023d2a7 refactor: environment variable `DATABASE_URL` has been deprecated
* 53d225a9 refactor: finalize consent SDK methods
* 697813e1 refactor: generated UUID variant & version test (#2793)
* 53862f29 refactor: improve performance and reduce data use of consent persistence layer (#2836)
* cc9d9e5b refactor: make commands easier to consume
* 5fb3049e refactor: remove HS512 and HS256 jwk key generator
* 17c226cc refactor: remove `/oauth2/flush` endpoint
* 148cadb2 refactor: remove `oauth2.include_legacy_error_fields` config
* 223c8bc2 refactor: rename `access_log` to `request_log`
* 76eb93c3 refactor: rename `hydra clients create` command
* dea2fdd0 refactor: rename `hydra clients delete` command
* edd4b43d refactor: rename `hydra clients get` command
* 7de78410 refactor: rename `hydra clients import` command
* 1c0f971e refactor: rename `hydra clients list` command
* 7482b77c refactor: rename `hydra clients update` command
* d2d55123 refactor: replace custom key generator with jose key generator
* f5d08853 test(conformance): add directory
* 580f33b1 test(conformity): revert admin prefix
* 15f3cfcb test(conformity): sdk regression
* fa239607 test(e2e): add trailing slash to issuer
* 415658d8 test(e2e): fix build instructions
* 03b23408 test(e2e): fix issuer URL
* 647822d7 test(e2e): fix jwt regression
* 30855d9e test(e2e): resolve test regressions
* 7bea2e8f test(e2e): respect metadata
* 40be7bb5 test(e2e): upgrade cypress
* 8ddf880c test(e2e): upgrade jwks-rsa
* 3420026a test(hsm): do not evaluate HSM private key
* 8db9e5bb test(hsm): resolve test issues
* 5e6c0995 test(migratest): add missing cockroach migrations and debug test failures
* b4865dd1 test: add test for access token strategy
* 51600f49 test: fix a flaky test
* 87105903 test: fix assertions on nil pointers
* 2875c190 test: fix conformity issues
* f979adb4 test: fix failing master pipeline (#3283)
* 2c4615ce test: fix flaky equal check
* 1100aba1 test: fix flaky equal check
* f0f5223a test: fix resp.bodyclose lint error
* 8a091750 test: implement network test structure for clients
* 3b7a1a75 test: improve jwk test layout
* 7b966515 test: refactor migration tests to use fixtures (#2936)
* 1cf5bd0f test: remove unused fixture
* 63b7303d test: resolve test migration issues
* 3a50926a test: test client update and double delete
* e77c0d35 test: update fixtures
* 549deda8 test: update paths to reflect new admin api
* 9e9ea946 test: update resource limits
* 1c9a0d2d test: update snapshot
* 5f5c81ea test: update snapshots
* 34bc743e test: update snapshots
* 01dbc0eb test: update snapshots
* c66a536a test: update snapshots
* 08968aa9 test: use fixed time.Now function in pop
* 34dfc0fe unstaged - refactor sdk use across the board


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

This release resolves a critical regression introduced in Ory Hydra v1.11.9. Upgrade to this version and skip Ory Hydra v1.11.9 if you have an existing system. The bug can break existing refresh tokens from working.

It includes no other significant changes.

### Bug Fixes

- Improve refresh webhook getter ([d40b1da](https://github.com/ory/hydra/commit/d40b1daf2b62cd9868032fa1c376e1301936c0e1))
- Omit null lifespans ([#3212](https://github.com/ory/hydra/issues/3212)) ([2d080a0](https://github.com/ory/hydra/commit/2d080a01dc39a3f7155cf05938501d59bc5f21bb))
- Regression in session store ([5c4321d](https://github.com/ory/hydra/commit/5c4321d8d605c5c09537e345f56b447ac5856f95))
- Remove special char from snapshot symbols ([7128ad2](https://github.com/ory/hydra/commit/7128ad2a066674c4c1252f2cb1619055e5fbbbd9))
- Revert config changes ([4da64de](https://github.com/ory/hydra/commit/4da64de7502a4de8cca4db6cfa35bdcf485ba7ef))
- Session unmarshalling ([3bb943a](https://github.com/ory/hydra/commit/3bb943a9ac2d4309b43d1cb9bf27bac7cabb86f9))

### Code Generation

- Pin v1.11.10 release commit ([1a6c220](https://github.com/ory/hydra/commit/1a6c22070fc9550796c14b271e816be1dd1b8d78))


## Changelog
* 75bdfc04 autogen(docs): generate and bump docs
* 40c8c2de autogen(docs): regenerate and update changelog
* e7faec91 autogen(docs): regenerate and update changelog
* 958895b8 autogen(docs): regenerate and update changelog
* 4b5cc903 autogen(docs): regenerate and update changelog
* e1bb9361 autogen(docs): regenerate and update changelog
* 1a6c2207 autogen: pin v1.11.10 release commit
* b3abc58d chore: update repository templates
* 3c0a6ec4 chore: update repository templates
* 2cee9e1a chore: update version schema to be compatible with current ory/cli (#3211)
* 5205a36b ci: pin go to 1.18
* 1d94bfda ci: workaround for linter issue
* d40b1daf fix: improve refresh webhook getter
* 2d080a01 fix: omit null lifespans (#3212)
* 5c4321d8 fix: regression in session store
* 7128ad2a fix: remove special char from snapshot symbols
* 4da64de7 fix: revert config changes
* 3bb943a9 fix: session unmarshalling


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

☠️ WARNING ☠️

This version contains a regression which can cause the refresh flow to fail for existing consent sessions. Please do not upgrade to this version. For new systems, you can still use this version.

---

This release introduces two new features:

- The ability to specify token lifespans on a per-client basis using a new HTTP endpoint;
- The additional context in the refresh token hook.

### Bug Fixes

- Backport fix for client specific CORS ([#1754](https://github.com/ory/hydra/issues/1754)) ([#3163](https://github.com/ory/hydra/issues/3163)) ([996258d](https://github.com/ory/hydra/commit/996258d50ec620c89a8f55a98436320ab99db62b))
- **docs:** Correct the tracing service name environment variable ([6e2343c](https://github.com/ory/hydra/commit/6e2343c68fb662b4af3839f56acff4f85c428f79)):

  While I believe this used to be specific to OTEL, it now appears to be
  configurable "globally", according to `spec/config.json`.

- Fixed configuration editor for the documentation page ([#3105](https://github.com/ory/hydra/issues/3105)) ([0a77a06](https://github.com/ory/hydra/commit/0a77a069a9d3c7bea425694da44ac1cfbc37923a)):

  Closes https://github.com/ory/docs/issues/722

- Handle server error when refresh token requests come same time ([#3207](https://github.com/ory/hydra/issues/3207)) ([e66ba3c](https://github.com/ory/hydra/commit/e66ba3c6b3277e5be772f786df26509f939840e7))
- Link OIDC Certification image ([#3124](https://github.com/ory/hydra/issues/3124)) ([17b517f](https://github.com/ory/hydra/commit/17b517f355f63788b237b2964984df02b56b8c63))
- Ping logic for SQL Registry ([#3095](https://github.com/ory/hydra/issues/3095)) ([a383b5a](https://github.com/ory/hydra/commit/a383b5a655688b203aba49c35c0f9c3cda84483d)), closes [#2734](https://github.com/ory/hydra/issues/2734)
- Swagger for dynamic client registration ([#3141](https://github.com/ory/hydra/issues/3141)) ([9902ec7](https://github.com/ory/hydra/commit/9902ec7333c6e2d271f47f8fc93c43176282d180))
- Updated process ending instructions ([#3176](https://github.com/ory/hydra/issues/3176)) ([b72491e](https://github.com/ory/hydra/commit/b72491ec81dc61ebf5d52ec0f30ae4561f37f9df)):

  cmd + c doesn't end the process on macOS but ctrl + c does.

### Code Generation

- Pin v1.11.9 release commit ([8814e79](https://github.com/ory/hydra/commit/8814e7979cad87e454c1d68bb0eb758e28ab9473))

### Documentation

- Fix missing image ([7925597](https://github.com/ory/hydra/commit/79255970787c4793a57fe79d756aa0364b4a9490))

### Features

- Add session and requester to refresh token webhook data ([#3204](https://github.com/ory/hydra/issues/3204)) ([6d23859](https://github.com/ory/hydra/commit/6d23859009dafc8b8f51d0feec04b850c137e19a)), closes [#3203](https://github.com/ory/hydra/issues/3203)
- Add token_endpoint_auth_signing_alg to cli ([#3148](https://github.com/ory/hydra/issues/3148)) ([ed6eb30](https://github.com/ory/hydra/commit/ed6eb3017dfb82f1c1fa97f1d88d023211f1e034))
- Custom client token ttl ([#3206](https://github.com/ory/hydra/issues/3206)) ([9544c03](https://github.com/ory/hydra/commit/9544c03a3bc62de88f5348db30db2f6651c69597)), closes [#3157](https://github.com/ory/hydra/issues/3157):

  This change introduces a new endpoint that allows you to control how long client tokens last. Now you can configure the lifespan for each valid combination of Client, GrantType, and TokenType.


## Changelog
* b0d672d1 autogen(docs): generate and bump docs
* 44b2c441 autogen(docs): regenerate and update changelog
* b62b21b4 autogen(docs): regenerate and update changelog
* b5af690a autogen(docs): regenerate and update changelog
* e586fd72 autogen(docs): regenerate and update changelog
* 3f962767 autogen(docs): regenerate and update changelog
* 9bc59be9 autogen(docs): regenerate and update changelog
* d0533c49 autogen(docs): regenerate and update changelog
* dd63a187 autogen(docs): regenerate and update changelog
* f0cb5390 autogen(openapi): regenerate swagger spec and internal client
* dbf1056c autogen(openapi): regenerate swagger spec and internal client
* 5c8350e4 autogen(openapi): regenerate swagger spec and internal client
* 8814e797 autogen: pin v1.11.9 release commit
* 5127bb77 autogen: pin v1.11.9-pre.0 release commit
* 540d9329 chore: delete semantic.yml
* ceada196 chore: deprecate coupon
* 1faa00b6 chore: display GitHub Action badge
* 87b20be6 chore: replace x/json.go with ory/x's jsonx patch (#3183)
* c9be891f chore: update repository templates
* fa87290a chore: update repository templates
* 88992d3a chore: update repository templates
* 6b954c22 chore: update repository templates
* 5a753234 chore: update repository templates
* 3fa88fcb chore: update repository templates
* f2f13470 chore: update repository templates
* 2a4ad740 chore: update repository templates
* fbde5001 chore: update repository templates
* 79255970 docs: fix missing image
* 6d238590 feat: add session and requester to refresh token webhook data (#3204)
* ed6eb301 feat: add token_endpoint_auth_signing_alg to cli (#3148)
* 9544c03a feat: custom client token ttl (#3206)
* 6e2343c6 fix(docs): correct the tracing service name environment variable
* 996258d5 fix: backport fix for client specific CORS (#1754) (#3163)
* 0a77a069 fix: fixed configuration editor for the documentation page (#3105)
* e66ba3c6 fix: handle server error when refresh token requests come same time (#3207)
* 17b517f3 fix: link OIDC Certification image (#3124)
* a383b5a6 fix: ping logic for SQL Registry (#3095)
* 9902ec73 fix: swagger for dynamic client registration (#3141)
* b72491ec fix: updated process ending instructions (#3176)


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

This release resolves issues in the log module, improves the SDK type definitions, and introduces new configuration options to HSM.

### Bug Fixes

- Add limit and offset to pagination ([#3062](https://github.com/ory/hydra/issues/3062)) ([51f6c5d](https://github.com/ory/hydra/commit/51f6c5d12e38ac82f80d6db34d9d0d788af2d985)), closes [#3033](https://github.com/ory/hydra/issues/3033)
- Add missing flags to config schema ([00100a1](https://github.com/ory/hydra/commit/00100a1bcb60d1836a2c3d6c6a4212e3161b1bda)), closes [#653](https://github.com/ory/hydra/issues/653)
- Configure audit logger ([#3022](https://github.com/ory/hydra/issues/3022)) ([3115dde](https://github.com/ory/hydra/commit/3115dde229a6be936ad4d844d778d6ee82279643))
- Do not use cached version ([422d422](https://github.com/ory/hydra/commit/422d4227e8b599a6eb32b60d432fd0cad95a717a))
- Generated consent model ([#3076](https://github.com/ory/hydra/issues/3076)) ([270dbe0](https://github.com/ory/hydra/commit/270dbe0842827b3ec362a7ec35a56acd33275603))
- Proper response types for 404 errors ([#3072](https://github.com/ory/hydra/issues/3072)) ([e711273](https://github.com/ory/hydra/commit/e711273e935d693d726dde2d97c296bd523f3a1e)), closes [#3064](https://github.com/ory/hydra/issues/3064)
- Remove extraneous call to driver.init() ([#3093](https://github.com/ory/hydra/issues/3093)) ([1590542](https://github.com/ory/hydra/commit/1590542c70f98955aed591e3d929309e2b3b7396))
- Remove unnecessary transaction ([#3029](https://github.com/ory/hydra/issues/3029)) ([d4b2696](https://github.com/ory/hydra/commit/d4b2696bd72b9fc98f3959b13be2fc28aa2263bc))
- **sdk:** Correct polymorph type for consent session ([#3074](https://github.com/ory/hydra/issues/3074)) ([646459a](https://github.com/ory/hydra/commit/646459a55528e7f0805934d34493d78b92476904)), closes [#3058](https://github.com/ory/hydra/issues/3058)
- **sdk:** Incorrect title ([#3014](https://github.com/ory/hydra/issues/3014)) ([d654911](https://github.com/ory/hydra/commit/d654911c0da2e2f9513e62916daf2284186d19de)):

  Closes https://github.com/ory/sdk/issues/153

- Sync ports between Dockerfiles and comments ([#3027](https://github.com/ory/hydra/issues/3027)) ([ebd1694](https://github.com/ory/hydra/commit/ebd16940e270561c13aab60a969a4969391d5d80))
- Typo README ([#3078](https://github.com/ory/hydra/issues/3078)) ([7d378f1](https://github.com/ory/hydra/commit/7d378f186cfc140cbb0649557bfd0e2fadd96fff))
- Use default for env var ([2b024b4](https://github.com/ory/hydra/commit/2b024b4f8e98f3efe73018bd57e1d16738d50eeb))

### Code Generation

- Pin v1.11.8 release commit ([337ab3e](https://github.com/ory/hydra/commit/337ab3ec2e363292ff93d5e5641a9b0bb87dba0c))

### Documentation

- Update pricing ([c46f780](https://github.com/ory/hydra/commit/c46f780f4d736a325e63d4542ed3dfbe83431ae6))
- Update README ([#3032](https://github.com/ory/hydra/issues/3032)) ([980c2d8](https://github.com/ory/hydra/commit/980c2d843acc70a23a71dc9b4347d13d70dbc399))

### Features

- Add hsm key set prefix to support multiple hydra instances on the same hsm partition ([#3066](https://github.com/ory/hydra/issues/3066)) ([90523fd](https://github.com/ory/hydra/commit/90523fd0d31930666bd091efeb9346498d92978e)):

  This pull request adds configuration option `hsm.key_set_prefix` to support multiple Ory Hydra instances to store keys on the same HSM partition. For example if `hsm.key_set_prefix=app1.` then key set `hydra.openid.id-token` would be generated/requested/deleted on HSM with `CKA_LABEL=app1.hydra.openid.id-token`

  This will not affect Hydra API in any way. `GET /keys/hydra.openid.id-token` will return key set from HSM with label `app1.hydra.openid.id-token`.

- Add support for trust grants that can issue tokens for any subject ([#3012](https://github.com/ory/hydra/issues/3012)) ([a3c4304](https://github.com/ory/hydra/commit/a3c4304be2d3988843084d871aa5066d36803219)), closes [#2930](https://github.com/ory/hydra/issues/2930):

  Previously, a trust relationship had to be setup for every subject
  before the issuer could sign a JWT token for it. This change will allow
  setting up token services that can issue tokens with any value in the
  subject field.

- Async backchannel logout ([#2849](https://github.com/ory/hydra/issues/2849)) ([22e1ebb](https://github.com/ory/hydra/commit/22e1ebb5742477e924ebac83c711bec08bffd7ba))
- Backchannel request logging ([#3067](https://github.com/ory/hydra/issues/3067)) ([6dda48d](https://github.com/ory/hydra/commit/6dda48dc3e2eb6d4f57e41abcc8b49e71c38e80d))
- Make sensitive log value redaction text configurable ([#3040](https://github.com/ory/hydra/issues/3040)) ([536352c](https://github.com/ory/hydra/commit/536352c15bb054f123e9d62944690a06cff86ba0))

### Tests

- Ensure generator checks are executed ([#3061](https://github.com/ory/hydra/issues/3061)) ([d38f6e6](https://github.com/ory/hydra/commit/d38f6e626baef00cb4cf57cbe59c7b15bea76e06))


## Changelog
* e06dd6ae autogen(docs): generate and bump docs
* b548c5ad autogen(docs): regenerate and update changelog
* 77394397 autogen(docs): regenerate and update changelog
* 152bdddd autogen(docs): regenerate and update changelog
* b00d2b9b autogen(docs): regenerate and update changelog
* f2bef45b autogen(docs): regenerate and update changelog
* 1f0e79ca autogen(docs): regenerate and update changelog
* fff64918 autogen(docs): regenerate and update changelog
* 8adbfb00 autogen(docs): regenerate and update changelog
* 48449f63 autogen(docs): regenerate and update changelog
* 924be24b autogen(docs): regenerate and update changelog
* f9338e4f autogen(docs): regenerate and update changelog
* a2afc759 autogen(docs): regenerate and update changelog
* 7d899635 autogen(docs): regenerate and update changelog
* e3236dd9 autogen(docs): regenerate and update changelog
* 05286df2 autogen(docs): regenerate and update changelog
* 835cb787 autogen(docs): regenerate and update changelog
* 1e4e3280 autogen(docs): regenerate and update changelog
* 1056795b autogen(docs): regenerate and update changelog
* 7602b4cc autogen(openapi): regenerate swagger spec and internal client
* b17b4743 autogen(openapi): regenerate swagger spec and internal client
* 22176486 autogen(openapi): regenerate swagger spec and internal client
* 23bc3e93 autogen(openapi): regenerate swagger spec and internal client
* 83c918a4 autogen: add v1.11.7 to version.schema.json
* 337ab3ec autogen: pin v1.11.8 release commit
* f06505f4 chore(deps): bump async from 2.6.2 to 2.6.4 in /test/e2e/oauth2-client (#3073)
* 57693f69 chore(deps): bump async from 3.2.0 to 3.2.3 (#3069)
* ff10e176 chore(deps): bump minimist from 1.2.5 to 1.2.6 (#3045)
* 57686719 chore(deps): bump minimist in /test/e2e/oauth2-client (#3047)
* 9eabc7dd chore(deps): update alpine version (#3036)
* 222a01ba chore: bump ory/fosite to v0.42.2 (#3077)
* 184d3222 chore: improve Dockerfiles (#3052)
* f3206734 chore: update repository templates
* 849af9f2 chore: update repository templates
* 980c2d84 docs: update README (#3032)
* c46f780f docs: update pricing
* 90523fd0 feat: add hsm key set prefix to support multiple hydra instances on the same hsm partition (#3066)
* a3c4304b feat: add support for trust grants that can issue tokens for any subject (#3012)
* 22e1ebb5 feat: async backchannel logout (#2849)
* 6dda48dc feat: backchannel request logging (#3067)
* 536352c1 feat: make sensitive log value redaction text configurable (#3040)
* 646459a5 fix(sdk): correct polymorph type for consent session (#3074)
* d654911c fix(sdk): incorrect title (#3014)
* 51f6c5d1 fix: add limit and offset to pagination (#3062)
* 00100a1b fix: add missing flags to config schema
* 3115dde2 fix: configure audit logger (#3022)
* 422d4227 fix: do not use cached version
* 270dbe08 fix: generated consent model (#3076)
* e711273e fix: proper response types for 404 errors (#3072)
* 1590542c fix: remove extraneous call to driver.init() (#3093)
* d4b2696b fix: remove unnecessary transaction (#3029)
* ebd16940 fix: sync ports between Dockerfiles and comments (#3027)
* 7d378f18 fix: typo README (#3078)
* 2b024b4f fix: use default for env var
* d38f6e62 test: ensure generator checks are executed (#3061)


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

Ory Hydra has a new place for documentation at [github.com/ory/docs](https://github.com/ory/docs) and [www.ory.sh/docs/hydra](https://www.ory.sh/docs/hydra)! Additionally, the CI/CD infrastructure was moved to GitHub actions.

### Code Generation

- Pin v1.11.7 release commit ([510615b](https://github.com/ory/hydra/commit/510615bcc66231f90c29c1186c28f61366da7e52))


## Changelog
* 510615bc autogen: pin v1.11.7 release commit


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

Ory Hydra has a new place for documentation at [github.com/ory/docs](https://github.com/ory/docs) and [www.ory.sh/docs/hydra](https://www.ory.sh/docs/hydra)! Additionally, the CI/CD infrastructure was moved to GitHub actions.

### Code Generation

- Pin v1.11.6 release commit ([49d0d75](https://github.com/ory/hydra/commit/49d0d754c9432b27c7282d39d9b3533f359bc08f))


## Changelog
* 49d0d754 autogen: pin v1.11.6 release commit


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

Ory Hydra has a new place for documentation at [github.com/ory/docs](https://github.com/ory/docs) and [www.ory.sh/docs/hydra](https://www.ory.sh/docs/hydra)! Additionally, the CI/CD infrastructure was moved to GitHub actions.

### Code Generation

- Pin v1.11.5 release commit ([743468e](https://github.com/ory/hydra/commit/743468eced1c8329d9b11b7a4cd5410e101bb05b))


## Changelog
* 743468ec autogen: pin v1.11.5 release commit


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

autogen: pin v1.11.4 release commit

### Bug Fixes

- Pass swag-spec-location to sdk-release ([#2994](https://github.com/ory/hydra/issues/2994)) ([b768bb5](https://github.com/ory/hydra/commit/b768bb5afd452d3eb59faf7b0066e146163cb88b))

### Code Generation

- Pin v1.11.4 release commit ([9e731b6](https://github.com/ory/hydra/commit/9e731b6e30b5aadd30fe3d7d8541db2331b11df2))


## Changelog
* 3536a989 autogen(docs): regenerate and update changelog
* 0fa1a539 autogen(docs): regenerate and update changelog
* 39c82fc4 autogen(docs): regenerate and update changelog
* 950f25a5 autogen(docs): regenerate and update changelog
* 3659006e autogen(openapi): regenerate swagger spec and internal client
* 2c80bc64 autogen(openapi): regenerate swagger spec and internal client
* bad5b045 autogen(openapi): regenerate swagger spec and internal client
* 89a6a91a autogen(openapi): regenerate swagger spec and internal client
* 9e731b6e autogen: pin v1.11.4 release commit
* b00f5ec3 autogen: pin v1.11.4-pre.0 release commit
* 96798db8 autogen: pin v1.11.4-pre.1 release commit
* 8b1c967c autogen: pin v1.11.4-pre.2 release commit
* b768bb5a fix: pass swag-spec-location to sdk-release (#2994)


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

autogen: pin v1.11.3 release commit

### Bug Fixes

- Comply with new fosite persister interface ([#2990](https://github.com/ory/hydra/issues/2990)) ([4c91a39](https://github.com/ory/hydra/commit/4c91a393c9c8bee50557a21b12b01923c874ff14))

### Code Generation

- Pin v1.11.3 release commit ([a3dd4ee](https://github.com/ory/hydra/commit/a3dd4ee051314730f14aa6b7731397fb6e9b90db))


## Changelog
* 52ebedb9 autogen(docs): regenerate and update changelog
* 8a966e88 autogen(docs): regenerate and update changelog
* dec52a19 autogen(docs): regenerate and update changelog
* e6ec7f39 autogen(openapi): regenerate swagger spec and internal client
* ce6c4f8a autogen(openapi): regenerate swagger spec and internal client
* dec56ed6 autogen(openapi): regenerate swagger spec and internal client
* a3dd4ee0 autogen: pin v1.11.3 release commit
* 067438f3 ci: use ory/ci/checkout (#2991)
* 4c91a393 fix: comply with new fosite persister interface (#2990)


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

autogen: pin v1.11.2 release commit

### Code Generation

- Pin v1.11.2 release commit ([7c099f8](https://github.com/ory/hydra/commit/7c099f8b4479a63a1dd582b3c09ff65a7a1008fe))


## Changelog
* 7c099f8b autogen: pin v1.11.2 release commit


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

Happy new year! We are excited to announce to you the next iteration of Ory Hydra: Version 1.11.0!

This version has significant new features contributed by the awesome Open Source Community - you! But not only that:

**Ory Hydra 2.0 is coming!**

While a major version, we intend to keep all APIs with as few breaking changes as possible. The efforts focus on some long-standing issues in the persistence layer. In particular, data growth rate and performance improvements are the focus areas! If you are interested to see what is going on, check out PR [#2796](https://github.com/ory/hydra/pull/2796)

And Ory Hydra 2.0 will be available as an API in Ory Cloud! If you are interested in Ory Cloud, apply to [Ory Acceleration Program](https://share-eu1.hsforms.com/1KWJxgKzNQWOjR9r5blC41wextgn) and receive a **one-year free subscription for Ory Cloud's Start-Up plan**. The Start-Up plan comes with convenient features such as custom domains and unlimited identities/tokens!

More on timelines and Ory Hydra 2.0 plans will follow later this year.

If these changes are not exciting enough already, Ory Hydra now supports loading Private and Public Keys from Hardware Security Modules, a physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication, and other cryptographic functions. Thank you [@aarmam](https://github.com/aarmam) for this amazing work! For more information, please [read the guide](https://www.ory.sh/hydra/docs/next/guides/hsm-support).

Next up, Ory Hydra now natively supports the OpenID Connect Dynamic Client Registration and OAuth2 Dynamic Client Registration Protocol which can be enabled (optionally) in the configuration! Thank you [@fjvierap](https://github.com/fjvierap) for your hard work!

We do not stop there, [@Xopek](https://github.com/Xopek) and [@jagobagascon](https://github.com/jagobagascon) added the Support for JSON Web Token (JWT) Profile for OAuth 2.0 Authorization Grants (RFC7523) to Ory Hydra! This major improvement allows Ory Hydra to have an even better integration API than before!

For our Apple users and everyone eyeballing ARM64, we now distributed binaries and Docker Images for all platforms and CPU architectures, including Apple M1, Linux ARM (v6, v7, v8, ARM64), and - this is new - FreeBSD!

Lastly, we resolved a bug in the configuration loading which now allows loading complex configuration keys from environment variables without hassle!

**Please notice that this release requires SQL migrations to be applied! As always, please make a backup before applying them!**

## Breaking Changes

To celebrate this change, we cleaned up the ways you install Ory software. There is now one central brew / bash curl repository:

```patch
-brew install ory/hydra/hydra
+brew install ory/tap/hydra

-bash <(curl https://raw.githubusercontent.com/ory/kratos/master/install.sh)
+bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) hydra
```

Endpoint `PUT /clients` now returns a 404 error when the OAuth2 Client to be updated does not exist. It returned 401 previously. This change requires you to run SQL migrations!

Co-authored-by: fjviera 

Please notice that this change requires SQL migrations to be applied! As always, please make a backup before applying them!

Co-authored-by: aeneasr <3372410+aeneasr@users.noreply.github.com>
Co-authored-by: Jagoba Gascón 
Co-authored-by: Gajewski Dmitriy 

### Bug Fixes

- Add hiring notice to README ([#2893](https://github.com/ory/hydra/issues/2893)) ([0a73d8b](https://github.com/ory/hydra/commit/0a73d8be3639372fe9830a65df1334842888814b))
- Bump deps ([#2868](https://github.com/ory/hydra/issues/2868)) ([b287287](https://github.com/ory/hydra/commit/b2872876ac97d8f2066e2044845f428adc0510dd))
- Contributors is upper case ([5bad542](https://github.com/ory/hydra/commit/5bad542ac7c34e564ae7d71832fc2afca47b14dd))
- Error handling in persister ([#2860](https://github.com/ory/hydra/issues/2860)) ([33d75d7](https://github.com/ory/hydra/commit/33d75d791d801b5bbb2ece442c7e2836fce3a657))
- FreeBSD build issue, env loading, add OTEL tracing ([5158faa](https://github.com/ory/hydra/commit/5158faae10e8f55f7134deefcc084d929480e6f1)), closes [#2597](https://github.com/ory/hydra/issues/2597) [#2912](https://github.com/ory/hydra/issues/2912):

  This fix addresses an issue where configuration values in arrays could not be loaded from environment variables, which is now possible. For more information on how Ory Hydra parses configuration, [head over to the documentation](https://www.ory.sh/docs/ecosystem/configuring/)!

  Additionally, this PR resolves a build issue on FreeBSD - making it now possible to compile Ory Hydra with the FreeBSD target.

  Lastly, this change adds OpenTelemetry support!

- Missing imports ([42fec62](https://github.com/ory/hydra/commit/42fec62c074f79a88ac928e86902adc8afc1afd6))
- Missing stack traces ([#2858](https://github.com/ory/hydra/issues/2858)) ([1441658](https://github.com/ory/hydra/commit/144165845aac85f6b91e426872ea02daac541387))
- Patch should not reset client secret ([#2872](https://github.com/ory/hydra/issues/2872)) ([895de01](https://github.com/ory/hydra/commit/895de0120f27a903d97347a012961181bdb5f71f)), closes [#2869](https://github.com/ory/hydra/issues/2869)
- Remove codecov report for internal testhelpers ([52a77a3](https://github.com/ory/hydra/commit/52a77a3e563397c603aa7462899a2e1890c44386)), closes [#2871](https://github.com/ory/hydra/issues/2871)
- Remove contributors file ([565aa2d](https://github.com/ory/hydra/commit/565aa2d46ff12064d8cbef3d874e6e6216ea97f3))
- Update v1.10 installation instructions for linux ([#2799](https://github.com/ory/hydra/issues/2799)) ([45afd0d](https://github.com/ory/hydra/commit/45afd0d836adad948c13f3be6cf06b33deaceddb)):

  The documentation for how to install hydra on linux is still using the old version tags

- Use pop/v6 ([b284353](https://github.com/ory/hydra/commit/b284353de64675337a857306610041d16266f63e))
- Version info nil on version api endpoint ([#2894](https://github.com/ory/hydra/issues/2894)) ([440e0b8](https://github.com/ory/hydra/commit/440e0b824289b821d82ac0add18a80a94c848323))

### Code Generation

- Pin v1.11.0 release commit ([5355a1a](https://github.com/ory/hydra/commit/5355a1abe709c92cf0bdb838395fd1933cd5e9c9))

### Documentation

- Fix grammar issues and typos ([#2830](https://github.com/ory/hydra/issues/2830)) ([49b582c](https://github.com/ory/hydra/commit/49b582c5b3b6df4c11845986f87693ce2df0c64b))
- ORY -> Ory to follow styleguides ([#2941](https://github.com/ory/hydra/issues/2941)) ([5895d03](https://github.com/ory/hydra/commit/5895d03a37ae8b1fd34db9dafdfbcfef449b4b3c))
- Update bash install ([5ca99e5](https://github.com/ory/hydra/commit/5ca99e5988c6e9262e341c2d5376c3b419909d5c))
- Update coverage badge ([1f89973](https://github.com/ory/hydra/commit/1f899732da3751c89d3b2d3ec298cc8159a4f5f5)), closes [#2871](https://github.com/ory/hydra/issues/2871)
- Use Ory instead of ORY in the documentation ([#2939](https://github.com/ory/hydra/issues/2939)) ([1b2f6a6](https://github.com/ory/hydra/commit/1b2f6a675e40bcb5bddbc1b8602e6f698cb40642))

### Features

- Add list of authors ([#2831](https://github.com/ory/hydra/issues/2831)) ([511a668](https://github.com/ory/hydra/commit/511a66898aae7191db922a25957fb84245cd7d26)), closes [#2829](https://github.com/ory/hydra/issues/2829)
- Add shellcheck to circleci ([#2835](https://github.com/ory/hydra/issues/2835)) ([38cbcc0](https://github.com/ory/hydra/commit/38cbcc02a0689fa28c1ccd892e7069d1b34516a6)), closes [#2832](https://github.com/ory/hydra/issues/2832)
- **docs:** Opentelemetry tracing ([74da7b6](https://github.com/ory/hydra/commit/74da7b6b0a0e92ec4162141b10de2df3c9fed587))
- ES256 for JWK generation ([#2828](https://github.com/ory/hydra/issues/2828)) ([5795bc3](https://github.com/ory/hydra/commit/5795bc3e650815a69c89e591925621eff4b63a11)), closes [#2453](https://github.com/ory/hydra/issues/2453)
- Hardware Security Module support ([#2625](https://github.com/ory/hydra/issues/2625)) ([7578aa9](https://github.com/ory/hydra/commit/7578aa9f3ad16beff669d6749e248d44b61359ae)):

  This change introduces support for Hardware Security Modules, a physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication, and other cryptographic functions.

  If enabled, the Hardware Security Module is used to look up any keys. If no key is found, the software module is used as a fallback for lookup. This allows you to use the HSM for privileged keys, and the software module to manage lifecycle keys (e.g. for Token Exchange).

  For more information, please [read the guide](https://www.ory.sh/hydra/docs/next/guides/hsm-support).

  Thank you to [aarmam](https://github.com/aarmam) for this great contribution!

- Native ARM64 support in Docker and Binaries ([abffb09](https://github.com/ory/hydra/commit/abffb098cfc51ee4a045f833cc79b23ec4bacb31)):

  This release adds important security updates for the base Docker Images (e.g. Alpine). Additionally, Ory Hydra now has full ARM support have been resolved and the binaries are now downloadable for all major platforms.

- OpenID Connect Dynamic Client Registration and OAuth2 Dynamic Client Registration Protocol ([#2909](https://github.com/ory/hydra/issues/2909)) ([6a18f62](https://github.com/ory/hydra/commit/6a18f62935bccaed85acadf6010e0e3a395ea538)), closes [#2568](https://github.com/ory/hydra/issues/2568) [#2549](https://github.com/ory/hydra/issues/2549):

  This feature adds first-class support for two IETF RFCs and one OpenID Spec:

  - [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html)
  - [OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/rfc7591)
  - [OAuth 2.0 Dynamic Client Registration Management Protocol](https://tools.ietf.org/html/rfc7592)

  To enable this feature, which is disabled by default, set

  ```yaml
  oidc:
    dynamic_client_registration:
      enabled: true
  ```

  in your Ory Hydra configuration. Once enabled, endpoints `POST`, `GET`, `PUT`, and `DELETE` for `/connect/register` will be available at the public port!

- Support for urn:ietf:params:oauth:grant-type:jwt-bearer grant type RFC 7523 ([#2384](https://github.com/ory/hydra/issues/2384)) ([858f2cf](https://github.com/ory/hydra/commit/858f2cf362996f46a8f86841e359336e877436c5)), closes [#2229](https://github.com/ory/hydra/issues/2229):

  This change adds support for JSON Web Token (JWT) Profile for OAuth 2.0 Authorization Grants (RFC7523).
  Users of Ory Hydra will be able to grant permission for OAuth 2.0 Client to act on behalf of some Resource Owner using JWT Bearer Assertions.

  For more information about this feature, please head over to the documentation: https://www.ory.sh/hydra/docs/next/guides/oauth2-grant-type-jwt-bearer


## Changelog
* b052084e autogen(docs): generate and format documentation
* 61cef960 autogen(docs): generate and format documentation
* 04a25b1d autogen(docs): generate and format documentation
* bdc365d2 autogen(docs): generate and format documentation
* 5a4e11c9 autogen(docs): generate and format documentation
* 7dd428e8 autogen(docs): generate and format documentation
* 844a5950 autogen(docs): generate and format documentation
* 31af257a autogen(docs): generate and format documentation
* 6cb74cbd autogen(docs): generate and format documentation
* e8eeb8ea autogen(docs): generate and format documentation
* f15f3398 autogen(docs): generate cli docs
* 9a4d04e3 autogen(docs): generate cli docs
* 72837a10 autogen(docs): update milestone document
* e91e2d1c autogen(docs): update milestone document
* ecb841c3 autogen(docs): update milestone document
* 91b0870e autogen(docs): update milestone document
* e03a1fed autogen(docs): update milestone document
* 3236e31d autogen(docs): update milestone document
* e10309c3 autogen(docs): update milestone document
* 745619f1 autogen(openapi): Regenerate swagger spec and internal client
* 2d544901 autogen(openapi): Regenerate swagger spec and internal client
* 41f61871 autogen(openapi): Regenerate swagger spec and internal client
* 4250f03c autogen(openapi): Regenerate swagger spec and internal client
* 7da8adf8 autogen: add v1.10.7 to version.schema.json
* 5355a1ab autogen: pin v1.11.0 release commit
* e770afa6 autogen: pin v1.11.0-pre.0 release commit
* ef11adf2 chore: bump aline to 3.14.3 (#2856)
* 50f9dc86 chore: document consent requirement for non-https redirect schemes (#2826)
* 7a71b2da chore: new goreleaser config
* 54eb3c8c chore: update docusaurus template
* e2915351 chore: update docusaurus template
* b75b20ab chore: update docusaurus template
* b7ecf2c1 chore: update docusaurus template
* d6873662 chore: update docusaurus template (#2838)
* ebe46983 chore: update docusaurus template (#2846)
* c0942885 chore: update docusaurus template (#2922)
* 21b470dc chore: update repository templates
* 4a734a24 chore: update repository templates
* c8eb2e26 chore: update repository templates
* 47ff2b9e ci: bump groreleaser
* 5895d03a docs: ORY -> Ory to follow styleguides (#2941)
* 49b582c5 docs: fix grammar issues and typos (#2830)
* 5ca99e59 docs: update bash install
* 1f899732 docs: update coverage badge
* 1b2f6a67 docs: use Ory instead of ORY in the documentation (#2939)
* 74da7b6b feat(docs): opentelemetry tracing
* 5795bc3e feat: ES256 for JWK generation (#2828)
* 7578aa9f feat: Hardware Security Module support (#2625)
* 6a18f629 feat: OpenID Connect Dynamic Client Registration and OAuth2 Dynamic Client Registration Protocol (#2909)
* 511a6689 feat: add list of authors (#2831)
* 38cbcc02 feat: add shellcheck to circleci (#2835)
* abffb098 feat: native ARM64 support in Docker and Binaries
* 858f2cf3 feat: support for urn:ietf:params:oauth:grant-type:jwt-bearer grant type RFC 7523 (#2384)
* 5158faae fix: FreeBSD build issue, env loading, add OTEL tracing
* 0a73d8be fix: add hiring notice to README (#2893)
* b2872876 fix: bump deps (#2868)
* 5bad542a fix: contributors is upper case
* 33d75d79 fix: error handling in persister (#2860)
* 42fec62c fix: missing imports
* 14416584 fix: missing stack traces (#2858)
* 895de012 fix: patch should not reset client secret (#2872)
* 52a77a3e fix: remove codecov report for internal testhelpers
* 565aa2d4 fix: remove contributors file
* 45afd0d8 fix: update v1.10 installation instructions for linux (#2799)
* b284353d fix: use pop/v6
* 440e0b82 fix: version info nil on version api endpoint (#2894)


Artifacts can be verified with [cosign](https://github.com/sigstore/cosign) using [this public key](https://raw.githubusercontent.com/ory/xgoreleaser/master/cosign.pub).

## Changelog

2f01882f autogen(docs): generate and format documentation
ba9501c8 autogen(docs): generate and format documentation
88890482 autogen(docs): generate and format documentation
3d08e960 autogen(docs): regenerate and update changelog
699c022e autogen(docs): update milestone document
10944a79 autogen: add v1.10.5 to version.schema.json
f1771f13 autogen: pin v1.10.6 release commit
57b41e93 chore: update x/sys to support go 1.17 (#2687)
87f4a58c docs: section for debugging jwks based client errors (#2680)
184a3c45 fix: documentation SYSTEM_SECRET -> SECRETS_SYSTEM (#2686)
df08c7fc fix: typo in errors.go (#2699)


## Docker images

- `docker pull oryd/hydra:v1-sqlite`
- `docker pull oryd/hydra:v1.10-sqlite`
- `docker pull oryd/hydra:v1.10.6-sqlite`
- `docker pull oryd/hydra:v1.10.6-sqlite`
- `docker pull oryd/hydra:latest-sqlite`
- `docker pull oryd/hydra:v1`
- `docker pull oryd/hydra:v1.10`
- `docker pull oryd/hydra:v1.10.6`
- `docker pull oryd/hydra:v1.10.6`
- `docker pull oryd/hydra:latest`
- `docker pull oryd/hydra:v1-alpine`
- `docker pull oryd/hydra:v1.10-alpine`
- `docker pull oryd/hydra:v1.10.6-alpine`
- `docker pull oryd/hydra:v1.10.6-alpine`
- `docker pull oryd/hydra:latest-alpine`

This patch introduces a faster and better janitor (database clean up routine), the ability to filter OAuth2 Clients by owner and name, and resolves a regression when parsing config environment variables.

## Changelog

73744313 autogen(docs): generate and format documentation
447451ff autogen(docs): generate and format documentation
6f5c01a7 autogen(docs): generate cli docs
3a48df6d autogen(docs): update milestone document
a8675dd9 autogen(docs): update milestone document
b8085018 autogen(docs): update milestone document
cbf1c976 autogen(openapi): Regenerate swagger spec and internal client
4a66d0c5 autogen: add v1.10.3 to version.schema.json
16381f44 autogen: add v1.10.5-pre.1 to version.schema.json
a5d30aa0 autogen: pin v1.10.4 release commit
0456f54d autogen: pin v1.10.5 release commit
94cda7ac autogen: pin v1.10.5-pre.0 release commit
ba5547a9 autogen: pin v1.10.5-pre.1 release commit
4f74591b chore: adjust CODEOWNERS (#2659)
23bd2f79 chore: update docusaurus template
8d368178 chore: update docusaurus template (#2647)
575dc3fd chore: update docusaurus template (#2655)
a4e94615 chore: update docusaurus template (#2658)
5a811305 chore: update repository templates
a30f9d09 chore: update repository templates (#2656)
7ec39198 chore: update x library (#2674)
4083684b docs: add long flag --grant-types in 5min tutorial (#2650)
ea6fdfd6 feat: add owner/name filter to list clients (#2637)
6ea0bf8f feat: improve delete queries for janitor command (#2540)
564d18b3 fix: docs generator
81ab0af7 style: format


## Docker images

- `docker pull oryd/hydra:v1-sqlite`
- `docker pull oryd/hydra:v1.10-sqlite`
- `docker pull oryd/hydra:v1.10.5-sqlite`
- `docker pull oryd/hydra:v1.10.5-sqlite`
- `docker pull oryd/hydra:latest-sqlite`
- `docker pull oryd/hydra:v1`
- `docker pull oryd/hydra:v1.10`
- `docker pull oryd/hydra:v1.10.5`
- `docker pull oryd/hydra:v1.10.5`
- `docker pull oryd/hydra:latest`
- `docker pull oryd/hydra:v1-alpine`
- `docker pull oryd/hydra:v1.10-alpine`
- `docker pull oryd/hydra:v1.10.5-alpine`
- `docker pull oryd/hydra:v1.10.5-alpine`
- `docker pull oryd/hydra:latest-alpine`

Ory Hydra v0.10.3 brings several bug fixes and configuration features, in particular:

1. Adding the `hydra keys import` command;
2. Passing the `client_id` in the logout request;
3. Resolving prometheus cardinality issues;
4. Moving to `go-jose` for JSON Web Keys and JSON Web Tokens;
5. Supporting PKCE discovery in `/.well-known/`;
6. Support for Instana tracing.

For a full list of changes, please check below!

### Bug Fixes

- Add RFC 8414 pkce info to OpenID Connect Discovery ([#2547](https://github.com/ory/hydra/issues/2547)) ([9693168](https://github.com/ory/hydra/commit/96931685da3b01b1b43c5286c6b5025ff505e50a)), closes [#2311](https://github.com/ory/hydra/issues/2311)
- Add the missing keys import command ([#2521](https://github.com/ory/hydra/issues/2521)) ([c4bc248](https://github.com/ory/hydra/commit/c4bc248b3fc6bc147b0d703e7bcba3ae7ddc399e)), closes [#2520](https://github.com/ory/hydra/issues/2520)
- Audience should include client ID ([#2455](https://github.com/ory/hydra/issues/2455)) ([8c70394](https://github.com/ory/hydra/commit/8c703945e91fed257432d63a1c1340a5af021e8a))
- Build issues ([5de255b](https://github.com/ory/hydra/commit/5de255b09ea308a10d004055f5145a80430ee4b4))
- Correct CodeFromRemote syntax ([#2626](https://github.com/ory/hydra/issues/2626)) ([d3ee859](https://github.com/ory/hydra/commit/d3ee8598316f5b71f6c3dff021d57026f700b538))
- Intro docs ([#2602](https://github.com/ory/hydra/issues/2602)) ([bc87822](https://github.com/ory/hydra/commit/bc8782247314835653303d147ad74a416507006e))
- No more windows workaround ([#2632](https://github.com/ory/hydra/issues/2632)) ([db73b44](https://github.com/ory/hydra/commit/db73b441916ea11713b5ebde9aafb60f7a9e426d)), closes [#2160](https://github.com/ory/hydra/issues/2160)
- **oauth2:** Enforce assertion check on userinfo aud field ([#2524](https://github.com/ory/hydra/issues/2524)) ([c463d9f](https://github.com/ory/hydra/commit/c463d9f8932f36857fd539b1221868ebaee0e736)):

  This is so the check on the `ok` variable is effectual. Prior to this patch the type assertion on the *client.Client was setting the value of `ok`. Due to the fact the type assertion on *client.Client is already checked and on a false value it exits the func, this value will _always_ be true.

- Prometheus URL label ([#2503](https://github.com/ory/hydra/issues/2503)) ([f588ec6](https://github.com/ory/hydra/commit/f588ec69d4fa03f602d3cbb20abd4188195a7375)), closes [#2502](https://github.com/ory/hydra/issues/2502)
- README exemplary apps ([#2579](https://github.com/ory/hydra/issues/2579)) ([60e7042](https://github.com/ory/hydra/commit/60e70426583c0bdd879ff498b19d84fc4fc095e7))
- Resolve config parsing regression ([58deacf](https://github.com/ory/hydra/commit/58deacf5b2e860e027d1cbf0f0220b92177d9a3d)), closes [#2518](https://github.com/ory/hydra/issues/2518)
- Resolve sdk build issues ([68976f8](https://github.com/ory/hydra/commit/68976f8f6fa3b465dd5b13272e989050e472714c))
- Resolve sdk build issues ([1807e89](https://github.com/ory/hydra/commit/1807e893fd3f94c2a840a353b542f29962f57b05))
- Resolve swagger generation issues ([#2610](https://github.com/ory/hydra/issues/2610)) ([53a50dd](https://github.com/ory/hydra/commit/53a50ddfb520939dd4fce76d9812398809dc300e))
- Use prebuilt ory cli and bump ory/x ([#2605](https://github.com/ory/hydra/issues/2605)) ([0f95e01](https://github.com/ory/hydra/commit/0f95e017056ca20eff641c862c668fe5f44b7769)), closes [#2596](https://github.com/ory/hydra/issues/2596)
- Wrong description ([#2589](https://github.com/ory/hydra/issues/2589)) ([5553a6f](https://github.com/ory/hydra/commit/5553a6f29d1f2c78da2adec3ea6d514acfda6100)), closes [#2587](https://github.com/ory/hydra/issues/2587)
- WWW-Authenticate header in userinfo handler ([#2454](https://github.com/ory/hydra/issues/2454)) ([f701b28](https://github.com/ory/hydra/commit/f701b28eaabe81df6834ee9a9d32beda5c2d2b33))

### Code Generation

- Pin v1.10.3 release commit ([ea93158](https://github.com/ory/hydra/commit/ea931581eb54ab5dc142ea1f81357f25b8e4156a))

### Code Refactoring

- Integrate with fosite `v0.40` (go-jose migration) ([#2526](https://github.com/ory/hydra/issues/2526)) ([5bdc4bc](https://github.com/ory/hydra/commit/5bdc4bc1561b8da28edc82afda027482e54e41f3))

### Documentation

- Clearer wording in SPA notice for HTML forms ([#2565](https://github.com/ory/hydra/issues/2565)) ([64a332a](https://github.com/ory/hydra/commit/64a332a98fc1c3a73e4b39b58b21b4cd61f5b240)):

  See https://ory-community.slack.com/archives/C012RBW0F18/p1621977892051700

- Fix erroneous sidebar commit ([94ded27](https://github.com/ory/hydra/commit/94ded27cb85db9958491ca9f3960462446d8165a))
- Fix typo ('ROCP' to 'ROPC') ([#2633](https://github.com/ory/hydra/issues/2633)) ([00e15aa](https://github.com/ory/hydra/commit/00e15aa001e68698afb440097baf19e5423bfb15))
- Link to correct doc in help command ([#2631](https://github.com/ory/hydra/issues/2631)) ([3e5760f](https://github.com/ory/hydra/commit/3e5760f56d93b7797fb97a348624e2778ab864f4)), closes [#2366](https://github.com/ory/hydra/issues/2366)
- Move api docs to top level ([243a617](https://github.com/ory/hydra/commit/243a617343c01565aca2f412f16e63a36dfef997))
- New redoc api docs ([9fb505f](https://github.com/ory/hydra/commit/9fb505f25c57fff6316405cec41393b82caa3d3b))
- Rename sidebar api ([f14d2e7](https://github.com/ory/hydra/commit/f14d2e71a32f8a05220557c888ee6d4d604c432e))
- Replace `oryd` in examples with `ory` ([#2600](https://github.com/ory/hydra/issues/2600)) ([5796994](https://github.com/ory/hydra/commit/579699427c59fab84de65a28230dba4d1f4104e0))

### Features

- Add custom claims to top-level JWT payload ([#2545](https://github.com/ory/hydra/issues/2545)) ([63402de](https://github.com/ory/hydra/commit/63402dee7604141118fead91491abe6763150f1c)), closes [#1974](https://github.com/ory/hydra/issues/1974)
- Add instana as possible tracing provider ([#2548](https://github.com/ory/hydra/issues/2548)) ([f74fe90](https://github.com/ory/hydra/commit/f74fe90d585146984919d12e180b3ab5da702cdc))
- Add max_conn_idle_time flag ([#2551](https://github.com/ory/hydra/issues/2551)) ([81e0784](https://github.com/ory/hydra/commit/81e0784b7615da0ce5d56df50232cc7ccaf0096c))
- Import keys with a default key id ([#2563](https://github.com/ory/hydra/issues/2563)) ([cd3014c](https://github.com/ory/hydra/commit/cd3014cdf316c8c1256315d6460cd25a52a0df3a))
- Pass client in logout request ([#2483](https://github.com/ory/hydra/issues/2483)) ([43b391d](https://github.com/ory/hydra/commit/43b391d95f17cfd7414786cec0c602c15e29e956)), closes [#2468](https://github.com/ory/hydra/issues/2468)


## Changelog

77d10004 autogen(docs): generate and format documentation
dbdc00cf autogen(docs): generate and format documentation
379f34a5 autogen(docs): generate and format documentation
a27b0575 autogen(docs): generate and format documentation
eddfa2d6 autogen(docs): generate and format documentation
754bb413 autogen(docs): generate and format documentation
64022e88 autogen(docs): generate and format documentation
cc1d698f autogen(docs): generate and format documentation
15581747 autogen(docs): generate and format documentation
2839bc8f autogen(docs): generate cli docs
fdfe7eb5 autogen(docs): generate cli docs
fe63f3fd autogen(docs): regenerate and update changelog
371a9aee autogen(docs): regenerate and update changelog
b98676e1 autogen(docs): update milestone document
6b29f75e autogen(docs): update milestone document
03247394 autogen(docs): update milestone document
8debee76 autogen(openapi): Regenerate swagger spec and internal client
9702d386 autogen(openapi): Regenerate swagger spec and internal client
70cd4a22 autogen(openapi): Regenerate swagger spec and internal client
b597c88e autogen(openapi): Regenerate swagger spec and internal client
02f766c5 autogen(openapi): Regenerate swagger spec and internal client
bdbb775b autogen(openapi): Regenerate swagger spec and internal client
be8de37c autogen(openapi): Regenerate swagger spec and internal client
737685ec autogen(openapi): Regenerate swagger spec and internal client
c07adb6f autogen(openapi): Regenerate swagger spec and internal client
0e9778a1 autogen: add v1.10.2 to version.schema.json
46b438ed autogen: add v1.10.3-pre.1 to version.schema.json
ea931581 autogen: pin v1.10.3 release commit
30b77e69 autogen: pin v1.10.3-pre.1 release commit
2579fe09 autogen: pin v1.10.3-pre.1 release commit
38ba27b4 chore(deps): bump color-string in /test/e2e/oauth2-client (#2592)
f85f5bec chore: bump ory/x and cleanup go.mod Closes #2609 by pulling in upstream fix https://github.com/ory/x/pull/373
e739e63a chore: coc shield
5730436f chore: docs sidebar uniform (#2591)
089fdc1b chore: format
19482e8c chore: update docusaurus template
110f7488 chore: update docusaurus template
52a1a252 chore: update docusaurus template
b48e54d7 chore: update docusaurus template
ef59ab27 chore: update docusaurus template (#2569)
9d5fc15a chore: update docusaurus template (#2590)
a303e9ec chore: update docusaurus template (#2595)
0d9a250e chore: update docusaurus template (#2611)
fc41dbe1 chore: update docusaurus template (#2613)
cb981ecf chore: update docusaurus template (#2615)
e06b8a51 chore: update docusaurus template (#2616)
510456d8 chore: update docusaurus template (#2617)
9cfec9d1 chore: update docusaurus template (#2619)
2ca6de61 chore: update docusaurus template (#2620)
60a14a34 chore: update repository templates
2fca5a4b chore: update repository templates
a347d7b1 chore: update repository templates
8a2b9aaa chore: update repository templates
64f0018c chore: update repository templates
3f88ca3e chore: update repository templates (#2550)
3f059264 chore: update repository templates (#2554)
5ae6fe60 chore: update repository templates (#2601)
06c34823 chore: update repository templates (#2630)
4f8d0bce ci: add codecov reporting
e6ee5b9d ci: explicit go mod cache keys (#2566)
64a332a9 docs: clearer wording in SPA notice for HTML forms (#2565)
94ded27c docs: fix erroneous sidebar commit
00e15aa0 docs: fix typo ('ROCP' to 'ROPC') (#2633)
3e5760f5 docs: link to correct doc in help command (#2631)
243a6173 docs: move api docs to top level
9fb505f2 docs: new redoc api docs
f14d2e71 docs: rename sidebar api
57969942 docs: replace `oryd` in examples with `ory` (#2600)
63402dee feat: add custom claims to top-level JWT payload (#2545)
f74fe90d feat: add instana as possible tracing provider (#2548)
81e0784b feat: add max_conn_idle_time flag (#2551)
cd3014cd feat: import keys with a default key id (#2563)
43b391d9 feat: pass client in logout request (#2483)
c463d9f8 fix(oauth2): enforce assertion check on userinfo aud field (#2524)
60e70426 fix: README exemplary apps (#2579)
f701b28e fix: WWW-Authenticate header in userinfo handler (#2454)
96931685 fix: add RFC 8414 pkce info to OpenID Connect Discovery (#2547)
c4bc248b fix: add the missing keys import command (#2521)
8c703945 fix: audience should include client ID (#2455)
5de255b0 fix: build issues
d3ee8598 fix: correct CodeFromRemote syntax (#2626)
bc878224 fix: intro docs (#2602)
db73b441 fix: no more windows workaround (#2632)
f588ec69 fix: prometheus URL label (#2503)
58deacf5 fix: resolve config parsing regression
1807e893 fix: resolve sdk build issues
68976f8f fix: resolve sdk build issues
53a50ddf fix: resolve swagger generation issues (#2610)
0f95e017 fix: use prebuilt ory cli and bump ory/x (#2605)
5553a6f2 fix: wrong description (#2589)
5bdc4bc1 refactor: integrate with fosite `v0.40` (go-jose migration) (#2526)


## Docker images

- `docker pull oryd/hydra:v1-sqlite`
- `docker pull oryd/hydra:v1.10-sqlite`
- `docker pull oryd/hydra:v1.10.3-sqlite`
- `docker pull oryd/hydra:v1.10.3-sqlite`
- `docker pull oryd/hydra:latest-sqlite`
- `docker pull oryd/hydra:v1`
- `docker pull oryd/hydra:v1.10`
- `docker pull oryd/hydra:v1.10.3`
- `docker pull oryd/hydra:v1.10.3`
- `docker pull oryd/hydra:latest`
- `docker pull oryd/hydra:v1-alpine`
- `docker pull oryd/hydra:v1.10-alpine`
- `docker pull oryd/hydra:v1.10.3-alpine`
- `docker pull oryd/hydra:v1.10.3-alpine`
- `docker pull oryd/hydra:latest-alpine`

This maintenance release resolves regressions introduced in Ory Hydra v1.10.1. A big change is that Ory Hydra now supports PATCH operations for OAuth2 Clients and is able to handle TLS for admin and public endpoints individually. The breaking changes included in this release address two bugs which are marked as a BREAKING CHANGE. We believe however that these changes do not affect running systems and given the major improvements introduced by the fixes, we decided to mark this as a patch release.

## [1.10.2](https://github.com/ory/hydra/compare/v1.10.1...v1.10.2) (2021-05-04)


### Bug Fixes

* CookieStore MaxAge value ([#2485](https://github.com/ory/hydra/issues/2485)) ([#2488](https://github.com/ory/hydra/issues/2488)) ([aafc901](https://github.com/ory/hydra/commit/aafc901eb09cd26e1c11f2204f46fc1d67517b92)):

    > CookieStore MaxAge is set to 86400 * 30 by default. This prevents secure cookies retrieval with expiration > 30 days. MaxAge: 0 disables MaxAge check by SecureCookie, thus allowing sessions lasting > 30 days.
* Do not use error_hint anymore ([#2450](https://github.com/ory/hydra/issues/2450)) ([ff90c47](https://github.com/ory/hydra/commit/ff90c47ff52c30ffeb0f9740b870be0f5313fd04))
* Handled requests respond with 410 Gone and include redirect URL ([#2473](https://github.com/ory/hydra/issues/2473)) ([e3d9158](https://github.com/ory/hydra/commit/e3d9158aebb750386c4dd2ebed0dfdaf5b374805)), closes [#1569](https://github.com/ory/hydra/issues/1569)
* Link in documentation ([#2478](https://github.com/ory/hydra/issues/2478)) ([5fdd913](https://github.com/ory/hydra/commit/5fdd91302a8068956515c750a7d160dfa10057a6))
* Login and consent redirect behavior change since 1.9.x ([#2457](https://github.com/ory/hydra/issues/2457)) ([2f3a1af](https://github.com/ory/hydra/commit/2f3a1afb09c96400484f0e4b397c6b811fe72fe4)), closes [#2363](https://github.com/ory/hydra/issues/2363):

    > Allow #fragment in configured url to keep backwards compatibility.
* Make token user command work with public clients ([#2479](https://github.com/ory/hydra/issues/2479)) ([a033d6a](https://github.com/ory/hydra/commit/a033d6a732c13b2d15ba073f582a994d174e299c))
* Resolve clidoc issues ([f6e5958](https://github.com/ory/hydra/commit/f6e59589eba86f179ac4462f1b00fc1d2066d4b5))
* Resolve specignore issues ([1431167](https://github.com/ory/hydra/commit/143116732bdf86ba92a1e42928519edb23ed53b7))
* Use PublicURL where given ([#2441](https://github.com/ory/hydra/issues/2441)) ([eefefd5](https://github.com/ory/hydra/commit/eefefd514f691bbf0a7e59e395be1b9341668e90)), closes [#2422](https://github.com/ory/hydra/issues/2422)
* Valid JSON response for already handled requests ([#2517](https://github.com/ory/hydra/issues/2517)) ([ac61616](https://github.com/ory/hydra/commit/ac61616322e3f58319b5fd778441f442a6a9f156)), closes [#2515](https://github.com/ory/hydra/issues/2515)
* Version schema ([#2427](https://github.com/ory/hydra/issues/2427)) ([7781215](https://github.com/ory/hydra/commit/77812158ec414bc1529a7503bcd8d1fe84dfff4d))


### Code Refactoring

* Move unix socket support helpers into ory/x ([#2486](https://github.com/ory/hydra/issues/2486)) ([44fd4e4](https://github.com/ory/hydra/commit/44fd4e42f09ac2bccb4beb51f1646e11e85eca2b))


### Documentation

* Add dotnet sdk ([#2431](https://github.com/ory/hydra/issues/2431)) ([014c773](https://github.com/ory/hydra/commit/014c773d70e6fac0e856f5d78b5fe2feafd73e5a))
* Add php link sdk page & fix links ([#2469](https://github.com/ory/hydra/issues/2469)) ([47cf3c7](https://github.com/ory/hydra/commit/47cf3c76c3e9566763297fbd33a7f59af00cd74f))
* Change forum to discussions readme ([#2451](https://github.com/ory/hydra/issues/2451)) ([aa2919d](https://github.com/ory/hydra/commit/aa2919dc14fbfb2185638dd4de73401fc1b5e594)):

    > same as https://github.com/ory/kratos/pull/1220
* Fix uppercase id ([8ac186c](https://github.com/ory/hydra/commit/8ac186c207a4f50aaf929ddaf6349c5055cac92e))
* Guide for merging system.secrets ([#2448](https://github.com/ory/hydra/issues/2448)) ([5466d4e](https://github.com/ory/hydra/commit/5466d4e3e834b7c5114e074b8e7fb07e37c967f6))


### Features

* Add the MaxTagValueLength config for jaeger of tracing ([#2482](https://github.com/ory/hydra/issues/2482)) ([03c96ee](https://github.com/ory/hydra/commit/03c96ee22d781939a3fe9cf01763da44242a2308)), closes [#2447](https://github.com/ory/hydra/issues/2447)
* Enable "nbf" (not before) claim to be optional for Access Token ([#2437](https://github.com/ory/hydra/issues/2437)) ([666cd25](https://github.com/ory/hydra/commit/666cd2580def07735c6fdaca346dd194ea2edff5)), closes [#1542](https://github.com/ory/hydra/issues/1542)
* Global docs sidebar and added cloud pages ([#2495](https://github.com/ory/hydra/issues/2495)) ([7f7362b](https://github.com/ory/hydra/commit/7f7362b437fe073a022fd811635b14851c61bfb4))
* Implement partial client updates (PATCH) with JSON Patch syntax ([#2411](https://github.com/ory/hydra/issues/2411)) ([540c89d](https://github.com/ory/hydra/commit/540c89d68e7efbd9043cb0147e10781cd61021a6)):

    > Implements a new endpoint `PATCH /clients/{id}` which uses JSON Patch syntax to update an OAuth2 client partially. This removes the need to do `PUT /clients/{id}` with the full OAuth2 Client in the payload.
    > 
    > 
* Split TLS config into admin and public interfaces ([#2476](https://github.com/ory/hydra/issues/2476)) ([60704d4](https://github.com/ory/hydra/commit/60704d490c46840ccad966b3d0ef074913285fab)), closes [#1231](https://github.com/ory/hydra/issues/1231) [#1962](https://github.com/ory/hydra/issues/1962):

    > Adds the possibility to specify TLS certificates for admin and public endpoints individually. Also improves compatibility for internal networks (e.g. Kubernetes) by removing the need for having TLS termination on admin endpoints. This can be enabled by setting `serve.admin.tls.enabled` to false.


### BREAKING CHANGES

* This patch makes it so that already handled consent/login/logout requests respond with 410 Gone instead of 409 Conflict. Additionally, a URL is included that the user should be redirected to!

Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>
* This patch changes how issuer and public URLs are used. Please be aware that going forward, the public URL is used for redirects. Previously, the issuer URL was used. If no public URL is set, the issuer URL will be used as before.





## Changelog

5c611f0c autogen(docs): generate and format documentation
09dc7743 autogen(docs): generate and format documentation
4d58f1fa autogen(docs): generate and format documentation
a02ffe9b autogen(docs): generate and format documentation
d8682a99 autogen(docs): generate and format documentation
24f91ab7 autogen(docs): generate and format documentation
2666562a autogen(docs): generate and format documentation
3151706d autogen(docs): generate and format documentation
1c0e8117 autogen(docs): generate and format documentation
7ba4b470 autogen(docs): generate and format documentation
79f3b900 autogen(docs): generate and format documentation
0c7a2add autogen(docs): generate and format documentation
af6beb81 autogen(docs): generate and format documentation
c9b99be2 autogen(docs): generate and format documentation
b6c34e0e autogen(docs): generate and format documentation
c1cc9476 autogen(docs): generate and format documentation
e0ccaf3c autogen(docs): generate and format documentation
40b09cdf autogen(docs): generate cli docs
bfa14a53 autogen(docs): regenerate and update changelog
3dbcf87b autogen(docs): update milestone document
db4eb720 autogen(docs): update milestone document
5d0d69e0 autogen(docs): update milestone document
598de159 autogen(docs): update milestone document
00a57bd0 autogen(docs): update milestone document
d33a4904 autogen(openapi): Regenerate swagger spec and internal client
3e37546a autogen(openapi): Regenerate swagger spec and internal client
fcc0dd20 autogen(openapi): Regenerate swagger spec and internal client
17cfc781 autogen(openapi): Regenerate swagger spec and internal client
4e6aebe8 autogen: add v1.10.1 to version.schema.json
1da2f24c autogen: pin v1.10.2 release commit
e8c3a06e autogen: pin v1.10.2 release commit
3bb0bb9a chore: bump base alpine images (#2439)
b8bac7f8 chore: bump ory/x
638562c7 chore: bump ory/x and gogo/protobuf (#2434)
73c99317 chore: fix links (#2481)
bd90f3e8 chore: fix sdk links (#2433)
380fc94d chore: format and cleanup
ddb34c1f chore: update docusaurus template
d99f2136 chore: update docusaurus template
6b01fa9d chore: update docusaurus template
cf2fe0c9 chore: update docusaurus template
eaa3f870 chore: update docusaurus template
c3d705d4 chore: update docusaurus template (#2493)
69a87a55 chore: update docusaurus template (#2494)
a76bf401 chore: update repository templates (#2443)
9a484fc0 chore: update vulnerable jwt-go
3d48259a ci: run conformity on PRs
014c773d docs: add dotnet sdk (#2431)
47cf3c76 docs: add php link sdk page & fix links (#2469)
aa2919dc docs: change forum to discussions readme (#2451)
8ac186c2 docs: fix uppercase id
5466d4e3 docs: guide for merging system.secrets (#2448)
03c96ee2 feat: add the MaxTagValueLength config for jaeger of tracing (#2482)
666cd258 feat: enable "nbf" (not before) claim to be optional for Access Token (#2437)
7f7362b4 feat: global docs sidebar and added cloud pages (#2495)
540c89d6 feat: implement partial client updates (PATCH) with JSON Patch syntax (#2411)
60704d49 feat: split TLS config into admin and public interfaces (#2476)
aafc901e fix: CookieStore MaxAge value (#2485) (#2488)
ff90c47f fix: do not use error_hint anymore (#2450)
e3d9158a fix: handled requests respond with 410 Gone and include redirect URL (#2473)
5fdd9130 fix: link in documentation (#2478)
2f3a1afb fix: login and consent redirect behavior change since 1.9.x (#2457)
a033d6a7 fix: make token user command work with public clients (#2479)
f6e59589 fix: resolve clidoc issues
14311673 fix: resolve specignore issues
eefefd51 fix: use PublicURL where given (#2441)
ac616163 fix: valid JSON response for already handled requests (#2517)
77812158 fix: version schema (#2427)
44fd4e42 refactor: move unix socket support helpers into ory/x (#2486)


## Docker images

- `docker pull oryd/hydra:v1-sqlite`
- `docker pull oryd/hydra:v1.10-sqlite`
- `docker pull oryd/hydra:v1.10.2-sqlite`
- `docker pull oryd/hydra:v1.10.2-sqlite`
- `docker pull oryd/hydra:latest-sqlite`
- `docker pull oryd/hydra:v1`
- `docker pull oryd/hydra:v1.10`
- `docker pull oryd/hydra:v1.10.2`
- `docker pull oryd/hydra:v1.10.2`
- `docker pull oryd/hydra:latest`
- `docker pull oryd/hydra:v1-alpine`
- `docker pull oryd/hydra:v1.10-alpine`
- `docker pull oryd/hydra:v1.10.2-alpine`
- `docker pull oryd/hydra:v1.10.2-alpine`
- `docker pull oryd/hydra:latest-alpine`

We are excited to announce Ory Hydra v1.10.0!

This release adds significant data management improvements. As such, we introduce the new "hydra janitor" command which cleans up stale data and can be run, for example, as a (Kubernetes) CronJob.

The new janitor command is able to clean up invalid and expired access and refresh tokens as well as login and consent requests. This solves issues observed in installations with lots of traffic.

This patch refactors the internal file embed system by migrating to Go 1.16, simplifying and speeding up the build process.

To follow OAuth2 best-practice, refresh tokens will now invalidate the whole access and refresh token chain if reused.



## [1.10.1](https://github.com/ory/hydra/compare/v1.9.2...v1.10.1) (2021-03-25)


### Bug Fixes

* Add docs/node_modules make target ([b302501](https://github.com/ory/hydra/commit/b302501b60da8263617966201eab5e99c733481e))
* Add network specific error message to avoid confusion ([#2367](https://github.com/ory/hydra/issues/2367)) ([56d71e6](https://github.com/ory/hydra/commit/56d71e67c4b985f03bc374faf998543b5bb21221)), closes [#2338](https://github.com/ory/hydra/issues/2338)
* Adds sqa section to config.schema.json ([#2360](https://github.com/ory/hydra/issues/2360)) ([89df8d7](https://github.com/ory/hydra/commit/89df8d7b3e295115fc930b6aabe4ec4148dd42f2)), closes [#2358](https://github.com/ory/hydra/issues/2358):

    > Move from viper to koanf caused env vars without corresponding
    > paths in config.schema.json to be ignored. This commit adds
    > missing sqa section, so the SQA_OPT_OUT env var has effect again.
* Adopt new cli renderer pipeline ([02483ce](https://github.com/ory/hydra/commit/02483ce4c00d53d897830a2aaa7ff0a6d540dc3a))
* Better http resiliency and sqlite updates ([883a84f](https://github.com/ory/hydra/commit/883a84f88721b75ff56c28796d00ab7e748e467b))
* Improve cache and update CI images to go 1.16 ([#2388](https://github.com/ory/hydra/issues/2388)) ([7803202](https://github.com/ory/hydra/commit/78032026e940ad10ac9df20eb42dff5cc2bd0be4))
* Increase conformance test timeout ([e9bd064](https://github.com/ory/hydra/commit/e9bd06421a8b3843280c6ef5aa41ba34eaab7d1d))
* Record cypress videos ([c9d0a26](https://github.com/ory/hydra/commit/c9d0a262c13087348454747b260e9b5d1b743384))
* Resolve clidoc issues ([8257cb2](https://github.com/ory/hydra/commit/8257cb29c896467324b362662de55ca811bfb181))
* Resolve docs build issues ([6612099](https://github.com/ory/hydra/commit/6612099b49c3f7e4f6aebe0dfbec7e74f696e0b9))
* Resolve e2e test issues ([4812f54](https://github.com/ory/hydra/commit/4812f5492fdc7ae97f4e7a1b11f46ab55ca10521))
* Resolve migrator duplicate files ([b1f63ff](https://github.com/ory/hydra/commit/b1f63fffe1cc5539f774aef5e82e6f872eee5474))
* Resolve migrator regression issues ([cdfc03d](https://github.com/ory/hydra/commit/cdfc03d800a1968b9a090a03f829c7b7208277d6))
* Revert mode default and maximum values ([#2349](https://github.com/ory/hydra/issues/2349)) ([b20fc48](https://github.com/ory/hydra/commit/b20fc48db6b494b1fb20d1745b748ae90aa325ba)):

    > I made a mistake in previous pull request, these socket mode values are in decimal, not octal format. Sorry.
* Update janitor help ([b7965c6](https://github.com/ory/hydra/commit/b7965c6fb4efb5c376417d77da8b7b9742da3ffd))
* Use appropriate migrations with precedence ([b61d05c](https://github.com/ory/hydra/commit/b61d05cebe14f99519ad38cca7ccb9ca0e0fb57b))
* Use gelf windows hotfix ([0cac0f1](https://github.com/ory/hydra/commit/0cac0f1e5ef098a6058bcc352d585b1a8e024eb3))
* Use go 1.16 in conformity suite ([3fbda05](https://github.com/ory/hydra/commit/3fbda05ab2bca1ecadedf2f5408687c8f6e03f1e))


### Documentation

* Faq custom data ([#2334](https://github.com/ory/hydra/issues/2334)) ([471e85d](https://github.com/ory/hydra/commit/471e85d282e1a8fc731bdaaa1c9375d2fb964b87))
* Fix basic examples for the golang SDK ([#2399](https://github.com/ory/hydra/issues/2399)) ([6806865](https://github.com/ory/hydra/commit/680686512bc1a5261bc5a9034d88a7bef6a4922d))
* Fix subject identifier algorithms to match configuration ([#2400](https://github.com/ory/hydra/issues/2400)) ([dd19b86](https://github.com/ory/hydra/commit/dd19b86b015decdfda456289cd970c70f45f3270)):

    > On https://www.ory.sh/hydra/docs/reference/configuration/ under 'subject identifiers' the name for defining which subject identifier algorithms are supported it is called "supported_types", not "enabled" as in these pages.
* Improve readme tests section ([#2380](https://github.com/ory/hydra/issues/2380)) ([277afe9](https://github.com/ory/hydra/commit/277afe9d1a191ad3b2ec21e5197ecc09146def61))
* Quickstart config ([#2328](https://github.com/ory/hydra/issues/2328)) ([f20f645](https://github.com/ory/hydra/commit/f20f645998cadd066a3d027ceb78002b340442b9))
* Update config.schema.json default values ([#2348](https://github.com/ory/hydra/issues/2348)) ([8494822](https://github.com/ory/hydra/commit/849482209b6f270dfd7965a1f3d6de39feb3cd58)):

    > Updated wrong config schema values
* Update examples to new helm install command format ([#2369](https://github.com/ory/hydra/issues/2369)) ([f006556](https://github.com/ory/hydra/commit/f006556f584a63009af5117c449a52d11aa72a14)):

    > Tried example with helm 3.5.2 and it does not support `--name` flag. So I moved name and repository to first line of commands.


### Features

* Add --no-shutdown flag to "hydra token user" to prevent auto-termination ([#2382](https://github.com/ory/hydra/issues/2382)) ([#2386](https://github.com/ory/hydra/issues/2386)) ([a17d10e](https://github.com/ory/hydra/commit/a17d10e7c273069e9cac18a9ea0326200bc2b569))
* Add front/backchannel logout params to client cli ([#2387](https://github.com/ory/hydra/issues/2387)) ([055f801](https://github.com/ory/hydra/commit/055f801eb76e187b3fa70e6a474d68a0d56f766b)), closes [#1487](https://github.com/ory/hydra/issues/1487)
* Flush inactive/expired login and consent requests ([#2381](https://github.com/ory/hydra/issues/2381)) ([f039ebb](https://github.com/ory/hydra/commit/f039ebbdf315715deb44fc20fb3fdef3f4fa7b51)), closes [#1574](https://github.com/ory/hydra/issues/1574):

    > This patch resolves various table growth issues caused by expired/inactive login and consent flows never being purged from the database.
    > 
    > You may now use the new `hydra janitor` command to remove access & refresh tokens and login & consent requests which are no longer valid or used. The command follows the `notAfter` safe-guard approach to ensure records needed to be kept are not deleted.
    > 
    > To learn more, please use `hydra help janitor`.
    > 
    > This patch phases out the `/oauth2/flush` endpoint as the janitor is better suited for background tasks, is easier to run in a targeted fashion (e.g. as a singleton job), and does not cause HTTP timeouts.
* Flush refresh tokens for service oauth2/flush ([#2373](https://github.com/ory/hydra/issues/2373)) ([b46a14c](https://github.com/ory/hydra/commit/b46a14cd6d260a7dee748de34abfea54908f1a0b)), closes [/github.com/ory/hydra/issues/1574#issuecomment-736684327](https://github.com//github.com/ory/hydra/issues/1574/issues/issuecomment-736684327)
* Move to go 1.16 and static embed files ([6fa591c](https://github.com/ory/hydra/commit/6fa591c849c3d63b036d7a4001496f42f02b821b))
* Refresh token reuse detection ([#2383](https://github.com/ory/hydra/issues/2383)) ([bc349f1](https://github.com/ory/hydra/commit/bc349f1fbaf19340081d9a6c097de2b76e848e46)), closes [#2022](https://github.com/ory/hydra/issues/2022):

    > This patch adds support for Refresh Token reuse Detection introduced by https://github.com/ory/fosite/pull/567. Ory Hydra's persister no longer deletes refresh tokens when using them, but instead deactivates them - similar to how authorization codes work.


### Tests

* Bump cypress to newer version and add resilience ([c76309c](https://github.com/ory/hydra/commit/c76309cf9faba46162af7dc856a99cbccf6403a9))
* Bump ory/x and resolve regressions ([1a03c07](https://github.com/ory/hydra/commit/1a03c0778bc088bb7a7932fb6794fe3707bea4c2))
* Fix record arg ([b248406](https://github.com/ory/hydra/commit/b248406d44bd580b795d8e15f6e0f57eeb4f173b))
* Improve e2e script and add record option ([9d4764d](https://github.com/ory/hydra/commit/9d4764d80706941185ffb56fb0fff067f07ddd08))
* Resolve flaky cypress tests ([356b05f](https://github.com/ory/hydra/commit/356b05f600ca58029b22ed11af850b3ba369ae62))
* Resolve migration regression ([e59e2bc](https://github.com/ory/hydra/commit/e59e2bc9eb58b9bbf14d5e591ebaf04b7de19c6d))
* Use cypress fetchers ([2aa0980](https://github.com/ory/hydra/commit/2aa09804f670e4f24d8ee7df7feae94b12394ee3))
* Use go 1.16 in conformity ([ccd983d](https://github.com/ory/hydra/commit/ccd983d707fd6b98f848f1206e151a44fcfc3b51))


### Unclassified

* Do not send 404 on revoke consent / delete login ([#2397](https://github.com/ory/hydra/issues/2397)) ([854b9ee](https://github.com/ory/hydra/commit/854b9eed7916b098c35ddc466d01788d101491f3))
* Resolve oidc conformity regression ([1049602](https://github.com/ory/hydra/commit/10496024e5edbd96d6bdbb8342bb1724a2dd0a52))





## Changelog

ce7ee75c autogen(docs): generate and format documentation
74bfe9ce autogen(docs): generate and format documentation
ec93526e autogen(docs): generate and format documentation
4cc80123 autogen(docs): generate and format documentation
21c62857 autogen(docs): generate and format documentation
67d9b387 autogen(docs): generate and format documentation
dc97559d autogen(docs): generate and format documentation
a11527f1 autogen(docs): generate and format documentation
e18e9669 autogen(docs): generate and format documentation
9ad9c1d3 autogen(docs): generate and format documentation
d3697cd9 autogen(docs): generate cli docs
83f8ebd0 autogen(docs): generate cli docs
7731121d autogen(docs): generate cli docs
d6c82091 autogen(docs): generate cli docs
8f939da6 autogen(docs): generate cli docs
5005c9a7 autogen(docs): regenerate and update changelog
48b75ab7 autogen(docs): regenerate and update changelog
97e3f80f autogen(docs): regenerate and update changelog
69e7bef3 autogen(docs): regenerate and update changelog
003a6820 autogen(docs): regenerate and update changelog
c1e9b38a autogen(docs): regenerate and update changelog
eb5c5305 autogen(docs): regenerate and update changelog
5210a0fd autogen(docs): regenerate and update changelog
4eafcfe1 autogen(docs): regenerate and update changelog
c84fcdf4 autogen(docs): update milestone document
d4d243ff autogen(docs): update milestone document
1cce525e autogen(docs): update milestone document
ac95a335 autogen(openapi): Regenerate swagger spec and internal client
f6ef7514 autogen(openapi): Regenerate swagger spec and internal client
cc7a8e46 autogen(openapi): Regenerate swagger spec and internal client
b660fa39 autogen(openapi): Regenerate swagger spec and internal client
72a2e2f3 autogen(openapi): Regenerate swagger spec and internal client
756f19fc autogen(openapi): Regenerate swagger spec and internal client
f5b993a2 autogen(openapi): Regenerate swagger spec and internal client
577ad1bc autogen(openapi): Regenerate swagger spec and internal client
582aca38 autogen(openapi): Regenerate swagger spec and internal client
27dc147a autogen: add v1.9.2 to version.schema.json
ed096e92 autogen: add v1.9.3-pre.5 to version.schema.json
bf8f805f autogen: pin v1.10.0 release commit
60b2434e autogen: pin v1.10.0 release commit
2287ac59 autogen: pin v1.10.1 release commit
c3833af2 autogen: pin v1.10.1-pre.1 release commit
01af32f3 autogen: pin v1.10.1-pre.2 release commit
440d171d autogen: pin v1.9.3-pre.0 release commit
38b6317a autogen: pin v1.9.3-pre.1 release commit
149db769 autogen: pin v1.9.3-pre.2 release commit
26615cbb autogen: pin v1.9.3-pre.3 release commit
bf652999 autogen: pin v1.9.3-pre.4 release commit
be012b6d autogen: pin v1.9.3-pre.5 release commit
d2aecf88 chore(deps): bump pug-code-gen in /test/e2e/oauth2-client (#2376)
d0ef3e37 chore: fix go mod
ab06db3e chore: fix link (#2359)
4b595e87 chore: update docusaurus template
15653367 chore: update docusaurus template (#2424)
785e743e chore: update package lock
f4ed887a chore: update repository templates
96627651 chore: update repository templates
cb64d68d chore: update repository templates
1d314105 chore: update repository templates (#2362)
a3295561 chore: update repository templates (#2378)
e3d60323 ci: add trailing slash to prettier check (#2389)
e819e7b5 ci: adopt new swagger ignorepkgs
0afd9fc0 ci: bump orbs
7f806e55 ci: fix yaml syntax error
0326699f ci: link to cypress project
d8ad323f ci: reorder e2e execution
94593db5 ci: run e2e tests in one container (#2391)
d17f5050 ci: use nancy command instead of job (#2390)
854b9eed consent: do not send 404 on revoke consent / delete login (#2397)
471e85d2 docs: faq custom data (#2334)
68068651 docs: fix basic examples for the golang SDK (#2399)
dd19b86b docs: fix subject identifier algorithms to match configuration (#2400)
277afe9d docs: improve readme tests section (#2380)
f20f6459 docs: quickstart config (#2328)
84948220 docs: update config.schema.json default values (#2348)
f006556f docs: update examples to new helm install command format (#2369)
a17d10e7 feat: add --no-shutdown flag to "hydra token user" to prevent auto-termination (#2382) (#2386)
055f801e feat: add front/backchannel logout params to client cli (#2387)
f039ebbd feat: flush inactive/expired login and consent requests (#2381)
b46a14cd feat: flush refresh tokens for service oauth2/flush (#2373)
6fa591c8 feat: move to go 1.16 and static embed files
bc349f1f feat: refresh token reuse detection (#2383)
b302501b fix: add docs/node_modules make target
56d71e67 fix: add network specific error message to avoid confusion (#2367)
89df8d7b fix: adds sqa section to config.schema.json (#2360)
02483ce4 fix: adopt new cli renderer pipeline
883a84f8 fix: better http resiliency and sqlite updates
78032026 fix: improve cache and update CI images to go 1.16 (#2388)
e9bd0642 fix: increase conformance test timeout
c9d0a262 fix: record cypress videos
8257cb29 fix: resolve clidoc issues
6612099b fix: resolve docs build issues
4812f549 fix: resolve e2e test issues
b1f63fff fix: resolve migrator duplicate files
cdfc03d8 fix: resolve migrator regression issues
b20fc48d fix: revert mode default and maximum values (#2349)
b7965c6f fix: update janitor help
b61d05ce fix: use appropriate migrations with precedence
0cac0f1e fix: use gelf windows hotfix
3fbda05a fix: use go 1.16 in conformity suite
c76309cf test: bump cypress to newer version and add resilience
1a03c077 test: bump ory/x and resolve regressions
b248406d test: fix record arg
9d4764d8 test: improve e2e script and add record option
356b05f6 test: resolve flaky cypress tests
e59e2bc9 test: resolve migration regression
2aa09804 test: use cypress fetchers
ccd983d7 test: use go 1.16 in conformity
10496024 tests: resolve oidc conformity regression


## Docker images

- `docker pull oryd/hydra:v1-sqlite`
- `docker pull oryd/hydra:v1.10-sqlite`
- `docker pull oryd/hydra:v1.10.1-sqlite`
- `docker pull oryd/hydra:v1.10.1-sqlite`
- `docker pull oryd/hydra:latest-sqlite`
- `docker pull oryd/hydra:v1`
- `docker pull oryd/hydra:v1.10`
- `docker pull oryd/hydra:v1.10.1`
- `docker pull oryd/hydra:v1.10.1`
- `docker pull oryd/hydra:latest`
- `docker pull oryd/hydra:v1-alpine`
- `docker pull oryd/hydra:v1.10-alpine`
- `docker pull oryd/hydra:v1.10.1-alpine`
- `docker pull oryd/hydra:v1.10.1-alpine`
- `docker pull oryd/hydra:latest-alpine`

This release adds more telemetry data to the prometheus exporter.



## [1.9.2](https://github.com/ory/hydra/compare/v1.9.1...v1.9.2) (2021-01-29)


### Features

* Enable emittance of response time metrics ([#2323](https://github.com/ory/hydra/issues/2323)) ([c1f1ba5](https://github.com/ory/hydra/commit/c1f1ba5c9ed80fc27b1d4cad60dc843827587572))





## Changelog

8a415d92 autogen(docs): generate and format documentation
eb6f682f autogen(docs): regenerate and update changelog
fcd80d16 autogen(docs): regenerate and update changelog
0b4673ec autogen: add v1.9.1 to version.schema.json
f0580e25 autogen: pin v1.9.2 release commit
c1f1ba5c feat: enable emittance of response time metrics (#2323)



## Docker images

- `docker pull oryd/hydra:v1`
- `docker pull oryd/hydra:v1.9`
- `docker pull oryd/hydra:v1.9.2`
- `docker pull oryd/hydra:v1.9.2`
- `docker pull oryd/hydra:latest`
- `docker pull oryd/hydra:v1-alpine`
- `docker pull oryd/hydra:v1.9-alpine`
- `docker pull oryd/hydra:v1.9.2-alpine`
- `docker pull oryd/hydra:v1.9.2-alpine`
- `docker pull oryd/hydra:latest-alpine`
- `docker pull oryd/hydra:v1-sqlite`
- `docker pull oryd/hydra:v1.9-sqlite`
- `docker pull oryd/hydra:v1.9.2-sqlite`
- `docker pull oryd/hydra:v1.9.2-sqlite`
- `docker pull oryd/hydra:latest-sqlite`

This release makes [Dart](https://pub.dev/packages/ory_hydra_client) and [Rust](https://crates.io/crates/ory-hydra-client) SDKs available for Ory Hydra!



## [1.9.1](https://github.com/ory/hydra/compare/v1.9.0...v1.9.1) (2021-01-27)


### Documentation

* Add faq items ([8d31cb3](https://github.com/ory/hydra/commit/8d31cb34a23b2224cd8858ba51089ba5f3b155c5)):

    > Added two items to the FAQ that were sitting in meta/tmp.
* Add link endings. ([#2313](https://github.com/ory/hydra/issues/2313)) ([1316cc0](https://github.com/ory/hydra/commit/1316cc00439c1b256b780f7de6878a7dc6cda19a)), closes [#38](https://github.com/ory/hydra/issues/38)
* Add Rust and Dart SDKs ([c4b4f73](https://github.com/ory/hydra/commit/c4b4f73eb250db364eefe3d83fdf3780c7834f6f)):

    > We now support for Rust and Dart SDKs!
* Fix npm links ([#2303](https://github.com/ory/hydra/issues/2303)) ([341f3ed](https://github.com/ory/hydra/commit/341f3ede500bff4b0d07e7e8b8d264f2291f2baa))
* Quickstart cleanup ([#2324](https://github.com/ory/hydra/issues/2324)) ([a8ad705](https://github.com/ory/hydra/commit/a8ad70524c58d73e45fa690fe4b9f848013183ce))
* Reorg faq sidebar ([#2318](https://github.com/ory/hydra/issues/2318)) ([4fdb7f1](https://github.com/ory/hydra/commit/4fdb7f1c8e31fe5c024e1c562077d4516f934f52))
* Update before oauth2.mdx ([#2299](https://github.com/ory/hydra/issues/2299)) ([d2ee4f6](https://github.com/ory/hydra/commit/d2ee4f6cd308a2b61fd4ef7f8fcebb2901190a58)), closes [#2295](https://github.com/ory/hydra/issues/2295)
* Update javascript documentation ([a2b3a49](https://github.com/ory/hydra/commit/a2b3a49e56afa5ae18a522198f1744e43b4f779f)):

    > Closes https://github.com/ory/sdk/issues/22
* Update npm package name ([#2302](https://github.com/ory/hydra/issues/2302)) ([d05d82e](https://github.com/ory/hydra/commit/d05d82e926a726fd4fe0179363a140ca59e40c10)):

    > Changed npm client package from @oryd/hydra-client to @ory/hydra-client





## Changelog

efa4c4ce autogen(docs): generate and format documentation
ea5edb39 autogen(docs): generate cli docs
7e162f65 autogen(docs): generate cli docs
10b5d594 autogen(docs): generate cli docs
994d4d4d autogen(docs): regenerate and update changelog
97c664bd autogen(docs): regenerate and update changelog
2a0c1d06 autogen(docs): regenerate and update changelog
8d5c8b18 autogen(docs): regenerate and update changelog
7e546aa0 autogen(docs): regenerate and update changelog
3027833e autogen(docs): regenerate and update changelog
bdf79911 autogen(docs): update milestone document
1921e54c autogen: add v1.9.0 to version.schema.json
5cedc9e2 autogen: pin v1.9.1 release commit
68cb6670 chore: bump gjson (#2298)
183d421a chore: update repository templates (#2301)
c4b4f73e docs: add Rust and Dart SDKs
8d31cb34 docs: add faq items
1316cc00 docs: add link endings. (#2313)
341f3ede docs: fix npm links (#2303)
a8ad7052 docs: quickstart cleanup (#2324)
4fdb7f1c docs: reorg faq sidebar (#2318)
d2ee4f6c docs: update before oauth2.mdx (#2299)
a2b3a49e docs: update javascript documentation
d05d82e9 docs: update npm package name (#2302)



## Docker images

- `docker pull oryd/hydra:v1`
- `docker pull oryd/hydra:v1.9`
- `docker pull oryd/hydra:v1.9.1`
- `docker pull oryd/hydra:v1.9.1`
- `docker pull oryd/hydra:latest`
- `docker pull oryd/hydra:v1-alpine`
- `docker pull oryd/hydra:v1.9-alpine`
- `docker pull oryd/hydra:v1.9.1-alpine`
- `docker pull oryd/hydra:v1.9.1-alpine`
- `docker pull oryd/hydra:latest-alpine`
- `docker pull oryd/hydra:v1-sqlite`
- `docker pull oryd/hydra:v1.9-sqlite`
- `docker pull oryd/hydra:v1.9.1-sqlite`
- `docker pull oryd/hydra:v1.9.1-sqlite`
- `docker pull oryd/hydra:latest-sqlite`