Changelog for Ory Hydra OEL
v25.3.5
Change of base image
The base image for OEL images is now set to "gcr.io/distroless/static-debian12:nonroot". Previously, it was "gcr.io/distroless/static-debian12:debug-nonroot", which included BusyBox (a minimal shell and basic debugging utilities). Debug images are still available using the "-debug" tag suffix.
JWK Cache
Ory Hydra OEL now supports in-memory caching of JWKs to improve performance and reduce latency. The cache is enabled by setting the db.jwk_cache.enabled configuration option to true. Other available configuration options are db.jwk_cache.size, which is the maximum number of keys to be cached, and db.jwk_cache.ttl, which is the time-to-live for cached keys. It is recommended to set a cache TTL to force regular refreshes of the keys. Updates to keys are not actively propagated to the cache, as clients are expected to accept old keys for a certain period of time.
v25.3.4
Increased Refresh Token Grace Period
The maximum duration for the Refresh Token Rotation Grace Period has been extended from 30 days to 180 days in Ory Hydra with the Ory Enterprise License (OEL). For Ory Network projects and non-OEL Hydra, the maximum grace period remains 5 minutes.
The extended 180-day period is only available when a reuse count (rotation_grace_reuse_count) is configured. Without a reuse count, the limit remains 5 minutes.
Important: The 180-day grace period is considered insecure for general use. It is offered exclusively to support legacy migration scenarios and is not recommended for production deployments.
v25.3.3
Improved tracing and metrics for the high-performance SQL connection pool
This change adds distributed tracing and advanced metrics for the high-performance SQL connection pool in all Ory OEL products.
2025-06-11
Tag: 290abca8469dc46c1ba07708849fed28fdbc1b69
Add hydra debug commands
Changes:
- the hydra debug challenge <challenge> command is available in the Ory Hydra Enterprise build and offers the ability to decode various consent challenges and verifiers. Use hydra debug challenge --help for detailed documentation.
- the hydra debug encrypted-session <session> command for Ory Hydra Enterprise offers the ability to decrypt encrypted session data which is kept in the database.
2025-05-09
Update OSS dependency of Hydra OEL
Changes:
- fix for sql migration for Azure Postgres Flexible Server - https://github.com/ory/hydra/pull/3958
- introduces implementation of OAuth 2.0 Device Authorization Grant - https://github.com/ory/hydra/pull/3912
- enables "high performance pooling" parameters in the DSN for PostgreSQL and CockroachDB
2025-03-19
Reduce memory usage of Ory Hydra OEL
This change addresses a high memory consumption issue by correctly initializing the sessionCheckCache.
2024-12-17
Handle concurrent refreshes and improve graceful refreshing
This patch improves Ory Hydra's ability to deal with refresh flows which, for example, concurrently refresh the same token. Furthermore, graceful token refresh has been improved to handle a variety of edge cases and scenarios.
This will remove/reduce serializable errors in CockroachDB during OAuth2 token exchanges.
https://www.ory.sh/docs/hydra/guides/graceful-token-refresh
2024-07-17
Disable pre-configured multi-region config in Ory Hydra
Disables the pre-configured multi-region configuration for self-hosting Ory Enterprise License customers.