0.8.0: Towards production friendliness

.travis.yml

@@ -1,27 +1,28 @@
 sudo: required
 
-go_import_path: github.com/ory-am/hydra
+go_import_path: github.com/ory/hydra
 
 services:
   - docker
 
 env:
-  - DOCKER_BIND_LOCALHOST=true GO15VENDOREXPERIMENT=1
+  - DOCKER_BIND_LOCALHOST=true DATABASE_URL=memory
 
 language: go
 
 go:
-  - 1.7
+  - 1.8
 
-go_import_path: github.com/ory-am/hydra
+before_install:
+  - sudo apt-get install curl
 
 install:
   - go get github.com/mattn/goveralls golang.org/x/tools/cmd/cover github.com/Masterminds/glide github.com/mitchellh/gox
   - git clone https://github.com/docker-library/official-images.git ~/official-images
   - glide install
-  - go install github.com/ory-am/hydra
+  - go install github.com/ory/hydra
   - glide update
-  - go install github.com/ory-am/hydra
+  - go install github.com/ory/hydra
 
 script:
   - |-
@@ -31,13 +32,20 @@ script:
   - go test -v -bench=.* -run=none $(glide novendor)
   - docker build -t hydra-travis-ci .
   - docker run -d hydra-travis-ci
-  - $GOPATH/bin/hydra host --dangerous-auto-logon &
+  - DATABASE_URL=memory hydra host --dangerous-auto-logon --dangerous-force-http &
   - while ! echo exit | nc localhost 4444; do sleep 1; done
-  - $GOPATH/bin/hydra token client --skip-tls-verify
+# Test clients
+  - hydra clients create --id foobar
+  - hydra clients delete foobar
+# Test token on arbitrary endpoints
+  - |-
+    curl --header "Authorization: bearer $(hydra token client)" http://localhost:4444/clients
+# Test token validation
+  - hydra token validate $(hydra token client)
 
 after_success:
   - |-
-    [ "${TRAVIS_TAG}" != "" ] && [ "${TRAVIS_GO_VERSION}" == "1.7" ] && gox -ldflags "-X github.com/ory-am/hydra/cmd.Version=`git describe --tags` -X github.com/ory-am/hydra/cmd.BuildTime=`TZ=UTC date -u '+%Y-%m-%dT%H:%M:%SZ'` -X github.com/ory-am/hydra/cmd.GitHash=`git rev-parse HEAD`" -output "dist/{{.Dir}}-{{.OS}}-{{.Arch}}"
+    [ "${TRAVIS_TAG}" != "" ] && [ "${TRAVIS_GO_VERSION}" == "1.7" ] && gox -ldflags "-X github.com/ory/hydra/cmd.Version=`git describe --tags` -X github.com/ory/hydra/cmd.BuildTime=`TZ=UTC date -u '+%Y-%m-%dT%H:%M:%SZ'` -X github.com/ory/hydra/cmd.GitHash=`git rev-parse HEAD`" -output "dist/{{.Dir}}-{{.OS}}-{{.Arch}}"
 
 deploy:
   provider: releases
@@ -47,4 +55,4 @@ deploy:
   skip_cleanup: true
   on:
     tags: true
-    go: 1.7
+    go: 1.8

Dockerfile

@@ -2,7 +2,7 @@ FROM golang:1.8-alpine
 
 RUN apk add --no-cache git
 RUN go get github.com/Masterminds/glide
-WORKDIR /go/src/github.com/ory-am/hydra
+WORKDIR /go/src/github.com/ory/hydra
 
 ADD ./glide.yaml ./glide.yaml
 ADD ./glide.lock ./glide.lock

Dockerfile-demo

@@ -1,7 +1,7 @@
 FROM golang:1.8-alpine
 
 RUN apk add --no-cache git && go get github.com/Masterminds/glide
-WORKDIR /go/src/github.com/ory-am/hydra
+WORKDIR /go/src/github.com/ory/hydra
 
 ADD ./glide.yaml ./glide.yaml
 ADD ./glide.lock ./glide.lock
@@ -10,6 +10,6 @@ RUN glide install --skip-test -v
 ADD . .
 RUN go install .
 
-ENTRYPOINT /go/bin/hydra host --dangerous-auto-logon --dangerous-force-http
+ENTRYPOINT /go/bin/hydra migrate sql $DATABASE_URL; /go/bin/hydra host --dangerous-auto-logon --dangerous-force-http
 
 EXPOSE 4444

Dockerfile-http

@@ -1,7 +1,7 @@
 FROM golang:1.8-alpine
 
 RUN apk add --no-cache git && go get github.com/Masterminds/glide
-WORKDIR /go/src/github.com/ory-am/hydra
+WORKDIR /go/src/github.com/ory/hydra
 
 ADD ./glide.yaml ./glide.yaml
 ADD ./glide.lock ./glide.lock

HISTORY.md

@@ -0,0 +1,87 @@
+# History
+
+This list makes you aware of (breaking) changes.
+
+## 0.8.0
+
+This PR improves some performance bottlenecks, offers more control over Hydra, moves to Go 1.8,
+and moves the REST documentation to swagger.
+
+**Before applying this update, please make a back up of your database. Do not upgrade directly from versions
+below 0.7.0**.
+
+To upgrade the database schemas, please run the following commands in exactly this order
+
+```sh
+$ hydra help migrate sql
+$ hydra help migrate ladon
+```
+
+```sh
+$ hydra migrate sql mysql://...
+$ hydra migrate ladon 0.6.0 mysql://...
+```
+
+### Breaking changes
+
+#### Ladon updated to 0.6.0
+
+Ladon was greatly improved with version 0.6.0, resolving various performance bottlenecks. Please read more on this
+release [here](https://github.com/ory/ladon/blob/master/HISTORY.md#060).
+
+#### Redis and RethinkDB deprecated
+
+Redis and RethinkDB are removed from the repository now and no longer supported, see
+[this issue](https://github.com/ory/hydra/issues/425).
+
+#### Moved to ory namespace
+
+To reflect the GitHub organization rename, Hydra was moved from `https://github.com/ory-am/hydra` to
+`https://github.com/ory/hydra`.
+
+#### SDK
+
+The method `FindPoliciesForSubject` of the policy SDK was removed. Instead, `List` was added. The HTTP endpoint `GET /policies`
+no longer allows to query by subject.
+
+#### JWK
+
+To generate JWKs previously the payload at `POST /keys` was `{ "alg": "...", "id": "some-id" }`. `id` was changed to
+`kid` so this is now `{ "alg": "...", "kid": "some-id" }`.
+
+#### Migrations are no longer automatically applied
+
+SQL Migrations are no longer automatically applied. Instead you need to run `hydra migrate sql` after upgrading
+to a Hydra version that includes a breaking schema change.
+
+### Changes
+
+#### Log format: json
+
+Set the log format to json using `export LOG_FORMAT=json`
+
+#### SQL Connection Control
+
+You can configure SQL connection limits by appending parameters `max_conns`, `max_idle_conns`, or `max_conn_lifetime`
+to the DSN: `postgres://foo:bar@host:port/database?max_conns=12`.
+
+#### REST API Docs are now generated from source code
+
+... and are swagger 2.0 spec.
+
+#### Documentation on scopes
+
+Documentation on scopes (e.g. offline) was added.
+
+#### New response writer library
+
+Hydra now uses `github.com/ory/herodot` for writing REST responses. This increases compatibility with other libraries
+and resolves a few other issues.
+
+#### Graceful http handling
+
+Hydra is now capable of gracefully handling SIGINT.
+
+#### Best practice HTTP server config
+
+Hydra now implements best practices for running HTTP servers that are exposed to the public internet.

README.md

@@ -26,7 +26,23 @@ you build a bridge between Hydra and your authentication infrastructure.
 Hydra is able to securely manage JSON Web Keys, and has a sophisticated policy-based access control you can use if you want to.
 
 Hydra is suitable for green- (new) and brownfield (existing) projects. If you are not familiar with OAuth 2.0 and are working
-on a greenfield project, we recommend evaluating if OAuth 2.0 really serves your purpose. **Knowledge of OAuth 2.0 is imperative in understanding what Hydra does and how it works.**
+on a greenfield project, we recommend evaluating if OAuth 2.0 really serves your purpose.
+**Knowledge of OAuth 2.0 is imperative in understanding what Hydra does and how it works.**
+
+Hydra implements Open Standards set by IETF:
+
+* [The OAuth 2.0 Authorization Framework](https://tools.ietf.org/html/rfc6749)
+* [OAuth 2.0 Threat Model and Security Considerations](https://tools.ietf.org/html/rfc6819)
+* [OAuth 2.0 Token Revocation](https://tools.ietf.org/html/rfc7009)
+* [OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662)
+* [OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/rfc7591)
+* [OAuth 2.0 Dynamic Client Registration Management Protocol](https://tools.ietf.org/html/rfc7592)
+* [OAuth 2.0 for Native Apps](https://tools.ietf.org/html/draft-ietf-oauth-native-apps-10)
+
+and the OpenID Foundation:
+
+* [OpenID Connect Core 1.0](http://openid.net/specs/openid-connect-core-1_0.html)
+* [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html)
 
 ---
 
@@ -42,6 +58,7 @@ the access control SDK [Ladon](https://github.com/ory/ladon).
 **Table of Contents**
 
 - [What is Hydra?](#what-is-hydra)
+- [Who is using it?](#who-is-using-it)
 - [Enterprise Edition](#enterprise-edition)
 - [Quickstart](#quickstart)
   - [5 minutes tutorial: Run your very own OAuth2 environment](#5-minutes-tutorial-run-your-very-own-oauth2-environment)
@@ -77,6 +94,16 @@ or some template engine or a predefined front-end. Instead it relies on HTTP red
 to verify user consent allowing you to use Hydra with any authentication endpoint, be it [authboss](https://github.com/go-authboss/authboss),
 [auth0.com](https://auth0.com/) or your proprietary PHP authentication.
 
+## Who is using it?
+
+This is a curated list of Hydra adopters.
+
+<img src="https://www.arduino.cc/en/uploads/Trademark/ArduinoCommunityLogo.png" align="left" width="30%" alt="arduino.cc"> 
+Arduino is an open-source electronics platform based on easy-to-use hardware and software. It's intended
+for anyone making interactive projects. Hydra secures Arduino's developer platform.
+
+<br>
+
 ## Enterprise Edition
 
 Hydra is available as an Apache 2.0-licensed Open Source technology. In enterprise environments however,
@@ -142,7 +169,7 @@ and execute the hydra command from there:
 $ docker exec -i -t <hydra-container-id> /bin/bash
 # e.g. docker exec -i -t ec91228 /bin/bash
 
-root@ec91228cb105:/go/src/github.com/ory-am/hydra# hydra
+root@ec91228cb105:/go/src/github.com/ory/hydra# hydra
 Hydra is a twelve factor OAuth2 and OpenID Connect provider
 
 [...]
@@ -154,11 +181,11 @@ If you wish to compile hydra yourself, you need to install and set up [Go 1.5+](
 to your `$PATH`. To do so, run the following commands in a shell (bash, sh, cmd.exe, ...):
 
 ```
-go get github.com/ory-am/hydra
+go get github.com/ory/hydra
 go get github.com/Masterminds/glide
-cd $GOPATH/src/github.com/ory-am/hydra
+cd $GOPATH/src/github.com/ory/hydra
 glide install
-go install github.com/ory-am/hydra
+go install github.com/ory/hydra
 hydra
 ```
 
@@ -169,11 +196,10 @@ rename Go packages.
 
 *Why should I use Hydra? It's not that hard to implement two OAuth2 endpoints and there are numerous SDKs out there!*
 
-OAuth2 and OAuth2 related specifications are over 200 written pages. Implementing OAuth2 is easy, getting it right is hard.
-Even if you use a secure SDK (there are numerous SDKs not secure by design in the wild), messing up the implementation
-is a real threat - no matter how good you or your team is. To err is human.
-
-An in-depth list of security features is listed [in the security guide](https://ory.gitbooks.io/hydra/content/faq/security.html).
+OAuth2 and OAuth2 related specifications are over 400 written pages. Implementing OAuth2 is easy, getting it right is hard.
+Hydra is trusted by companies all around the world, has a vibrant community and faces millions of requests in production
+each day. Of course, we also compiled a security guide with more details on cryptography and security concepts.
+Read [the security guide now](https://ory.gitbooks.io/hydra/content/security.html).
 
 ## Reception
 
@@ -211,24 +237,17 @@ Run `hydra -h` or `hydra help`.
 Developing with Hydra is as easy as:
 
 ```
-go get github.com/ory-am/hydra
+go get github.com/ory/hydra
 go get github.com/Masterminds/glide
-cd $GOPATH/src/github.com/ory-am/hydra
+cd $GOPATH/src/github.com/ory/hydra
 glide install
 go test $(glide novendor)
 ```
 
-If you want to run a Hydra instance, there are two possibilities:
+Then run it with in-memory database:
 
-Run without Database:
-```
-go run main.go host
-```
-
-Run against RethinkDB using Docker:
 ```
-docker run --name some-rethink -d -p 8080:8080 -p 28015:28015 rethinkdb
-DATABASE_URL=rethinkdb://localhost:28015/hydra go run main.go host
+DATABASE_URL=memory go run main.go host
 ```
 
 ## Sponsors