v25.4.0

This release brings internal improvements to configuration handling, observability, and repo management. It also aligns Oathkeeper more closely with the rest of the Ory ecosystem by migrating to vendored libraries, modernizing infrastructure, and improving CI/CD pipelines.

Ory has moved to a new versioning scheme. Read about our new version scheme. Interested in self-hosting Ory with support, SLAs, and advanced features? Check out our offerings.

Features

• Monorepo migration: Oathkeeper has been consolidated into the Ory monorepo for better cross-project consistency and maintainability.
• Vendored Ory/x: Oathkeeper now uses vendored versions of ory/x to reduce dependency issues and simplify builds.
• Goreleaser integration: Release builds are now managed via goreleaser, improving reproducibility across platforms.
• Config helpers moved to ory/x: Shared configuration test helpers were migrated for reuse across the ecosystem.
• OTLP tracing improvements: Enhanced telemetry support with better defaults and sampling control.

Auto-generated release notes

Bug Fixes

• Add repo syncing for polis (d9d0564):

• Better tracing in proxy HTTP (154aa3a):

• Copybara script (e378207):

• Deduplicate down migrations (2a9de87):

• deps: Update go-x (596d47f):

• Escape IPv6 regex string (1c941f8):

• Failing CI in OSS repos (ef037fc):

• Force SQL operator precedence in pagination v2 to ensure nid isolation (352dc27):

• hydra: Instrument metrics also on public endpoints (9fb2738):

• hydra: Use prometheus metrics instead of SQA metrics (2e8a272):

• Ignore non SQL files when applying migrations (190f33f):

• Implicit transactions for cockroach v23.5 and simplified migration logic (f80141c):

• Include go.mod in vendored oryx (682fcc1):

• Jsonx.ApplyJSONPatch (7afa2f9):

• Lint (637e831):

• Otlp sampling rate default (eb7f97f):

• Print correct content of down migrations (d84193b):

• Reject invalid migration names (dfc957a):

• Return 404 on schema file not exists (62b1711):

• Revert "fix: otlp sampling rate default (#9055)" (2941afc):

• Simplify and fix Copybara sync job (1492be0):

• Use batch insert to speed up project changes (269a260):

• Use git hash to render ory x schema references (7f7962c):

• Use hard-coded fallback key instead of panic (70be40a):

• Use main branch for polis (bf316f3):

Code Generation

• Prepare for OSS release - v25.4.0 (2020997):

Code Refactoring

• Move database meta functions to root x folder for reusability (5dd0c61):

Features

• Add allowed domains configuration for captcha (1635888):

• Autoconfigure kratos-changefeed (cb91816):

• Bump CRDB, establish foreign key, (d525767):

• changelog-oel: Choose identity schema in self-service registration and login flows (afe66df):

• changelog-oel: Improved tracing and metrics for the high-performance SQL connection pool (e2e2c1b):

• changelog: Migrate http router to stdlib router (8350c72):

• Custom page token column extraction (d1cab42):

• Domain telemetry improvements (897ec02):

• Expose Ory-Error-Id HTTP header (4caf155):

• Extend Copybara pipelines to sync PRs from OSS repositories (da827d3):

• Goreleaser (009ad5c):

• hydra: Split up persister (51c7a2a):

• Improve domain telemetry for OSS (Hydra & Kratos) (54ce1f5):

• Improved events and identity recent activity (b11af64):

• Monorepo (809577e):

• Move config testhelpers to ory/x (933e770):

• Use stdlib HTTP router in Kratos (e2cc330):

• Use vendored ory/x (3c2c499):

Tests

• Add golangci-lint config and GHA (35de51f):

• hydra: Add snapshots for login & consent requests (c668a49):

• Resturcture and improve integration tests (df4e14b):

Changelog

• 996bcaf chore(deps): update actions/setup-node action to v6
• 95d5ec4 chore(deps): update actions/setup-node action to v6
• ff602dd chore(deps): update dependency node to v24
• f32259a chore(deps): update oathkeeper gha
• d20aefc chore(hydra): registry setup refactoring
• e59c492 chore(kratos): cleanup and improve some tests
• 71ed442 chore: add migration tests in kratos non-oss for crdb
• 9e30681 chore: add pagination secrets for Kratos
• d2d49b1 chore: add pre-release workflows for oss
• bef3eb9 chore: additional pop options
• 43aee43 chore: axios update
• 99d23a9 chore: bump Go everywhere
• 88dfaf2 chore: bump deps
• 52e01e7 chore: bump go deps
• 405e21b chore: bump go to 1.24.6
• 69d68e4 chore: bump sec deps
• f77f609 chore: cleanup oss workflows
• 0f29a1b chore: fix build for kratos-oss
• 971b1bc chore: fix vulnerable dependencies
• 083c2e4 chore: gh actions and node lib updates
• ea42f28 chore: go mod tidy to unblock CI
• b7cdaae chore: improve migration testdata and assertions
• 6ea1e01 chore: merge ory/x repo
• 6c5e2b2 chore: more gh actions and ...

v0.40.9

This is a maintanance release with small fixes and dependency updates.

Bug Fixes

• Memory leak in id_token mutator cache (#1209) (363ac04)

Code Generation

• Pin v0.40.9 release commit (05493f3)

Changelog

• 7e9e856 autogen(docs): regenerate and update changelog
• 517f326 autogen(docs): regenerate and update changelog
• 7027d73 autogen(docs): regenerate and update changelog
• 8330ab4 autogen(docs): regenerate and update changelog
• d043772 autogen(openapi): regenerate swagger spec and internal client
• 05493f3 autogen: pin v0.40.9 release commit
• 5aac663 autogen: update license overview
• 1c78491 autogen: update license overview
• cd58b5b autogen: update license overview
• b114c77 autogen: update license overview
• e3499c4 autogen: update license overview
• ff93a23 chore: bump packages with found cves (#1217)
• 862a101 chore: remove unused cached TTL value in id_token mutator (#1210)
• 479f6c0 chore: update codeowners (#1213)
• 09ce5cd chore: update repository templates to ory/meta@000f213
• 460d779 chore: update repository templates to ory/meta@44efd83
• 62bf0f4 chore: update repository templates to ory/meta@6dd5819
• ae75233 chore: update repository templates to ory/meta@7ba4064
• b9231ef chore: update repository templates to ory/meta@83e71e6
• 82b15de chore: update repository templates to ory/meta@b1eed88
• 967e922 chore: update repository templates to ory/meta@c091d79
• f22b3bc chore: update repository templates to ory/meta@cb2a20f
• 0ce3102 chore: update repository templates to ory/meta@cbb120b
• de75458 chore: update repository templates to ory/meta@e54ac5d
• 363ac04 fix: memory leak in id_token mutator cache (#1209)

Artifacts can be verified with cosign using this public key.

v0.40.8

This release consists of dependency updates and also includes some bug fixes.

Bug Fixes

• Config schema $id (889c9ec)
• Improve caching configuration (2373057)
• metrics: Remove query string from collapsed path segment (#1159) (15ee438)
• Remote authorizers with request body (#1185) (62ca1e8)
• Set correct max cost for oauth2 introspection authn handler (#1176) (368c28a)

Code Generation

• Pin v0.40.8 release commit (f14d6da)

Changelog

• 5f778cb autogen(docs): generate and bump docs
• 374b146 autogen(docs): regenerate and update changelog
• 9c27046 autogen(docs): regenerate and update changelog
• 6b5672b autogen(docs): regenerate and update changelog
• f6adf0b autogen(docs): regenerate and update changelog
• 817943a autogen: add v0.40.7 to version.schema.json
• f14d6da autogen: pin v0.40.8 release commit
• c815b8b autogen: render config schema
• addd40d autogen: render config schema
• 6d628fb chore: add kubescape image scanner (#1168)
• f0c8650 chore: adjust project automation (#1192)
• 9ba2a4b chore: bump go-jose (#1180)
• f561c5a chore: bump libcrypto and alpine (#1207)
• ba39541 chore: bump to go 1.22 and fix automations (#1183)
• 1950529 chore: pin GHA PM action version (#1199)
• e0b22cb chore: remove git unset release hooks
• 92ae88c chore: update dependencies (#1206)
• 361177a chore: update golang-jwt to v5 (#1171)
• a360da5 chore: update goreleaser to v2
• ea93326 chore: update newsletter link (#1174)
• 8a3961a chore: update newsletter link (#1175)
• 4c9f0f7 chore: update repository templates to ory/meta@1af2225
• a28a6d3 chore: update repository templates to ory/meta@297c8a5
• f46220e chore: update repository templates to ory/meta@3cf0f00
• 7acc639 chore: update repository templates to ory/meta@4132def
• 42934ea chore: update repository templates to ory/meta@43af518
• b142379 chore: update repository templates to ory/meta@939b80f
• 9add863 chore: update repository templates to ory/meta@e838bee
• 6fd2968 chore: update repository templates to ory/meta@fe4ffe0
• b9b9f87 chore: update security policy
• 72dde73 chore: upgrade deps with high cves (#1198)
• 98f8a00 chore: upgrade ristretto to use generics (#1195)
• acb2584 ci: update Code QL action to v2 (#1173)
• 15ee438 fix(metrics): remove query string from collapsed path segment (#1159)
• 889c9ec fix: config schema $id
• 2373057 fix: improve caching configuration
• 62ca1e8 fix: remote authorizers with request body (#1185)
• 368c28a fix: set correct max cost for oauth2 introspection authn handler (#1176)

Artifacts can be verified with cosign using this public key.

v0.40.7

This release includes new features and many improvements to the tracing instrumentations.

Code Generation

• Pin v0.40.7 release commit (8fc9b7a):

  Bumps from v0.40.7-pre.0

Changelog

• 8fc9b7a autogen: pin v0.40.7 release commit

Artifacts can be verified with cosign using this public key.

v0.40.7-pre.0

autogen: pin v0.40.7-pre.0 release commit

Bug Fixes

• Ignore version.schema.json (prettier) (58690ae)
• Update alpine version (#1128) (5bf9b70)

Code Generation

• Pin v0.40.7-pre.0 release commit (82282ce)

Features

• Add headers option for remote_json authorizer (#1140) (1ee445d)

• Preserve_host feature for oauth2_introspect, better tracing, introspection prefixes (#1131) (b5d4d88):

  This patch additionally allows selecting between the two authenticators based on a prefix to the token.

Changelog

• 25959b1 autogen(docs): generate and bump docs
• 4d61221 autogen(docs): regenerate and update changelog
• cae2824 autogen(docs): regenerate and update changelog
• 0260960 autogen(docs): regenerate and update changelog
• c064f20 autogen(docs): regenerate and update changelog
• 1329413 autogen(docs): regenerate and update changelog
• d1e74fa autogen(docs): regenerate and update changelog
• db2da0a autogen: add v0.40.6 to version.schema.json
• 82282ce autogen: pin v0.40.7-pre.0 release commit
• 93939a0 chore: bump golangci-lint (#1150)
• 98e8e5c chore: bump ory/herodot
• 461f088 chore: update repository templates to ory/meta@ac80097
• 557f512 chore: update repository templates to ory/meta@af28aff
• 1ee445d feat: add headers option for remote_json authorizer (#1140)
• b5d4d88 feat: preserve_host feature for oauth2_introspect, better tracing, introspection prefixes (#1131)
• 58690ae fix: ignore version.schema.json (prettier)
• 5bf9b70 fix: update alpine version (#1128)

Artifacts can be verified with cosign using this public key.

v0.40.6

Resolves an issue in how X-Forwarded headers were set.

Bug Fixes

• Properly copy x-forwarded headers from upstream (#1121) (7088682)

Code Generation

• Pin v0.40.6 release commit (75eb682)

Changelog

• ee605eb autogen(docs): generate and bump docs
• 8fc3473 autogen: add v0.40.5 to version.schema.json
• 75eb682 autogen: pin v0.40.6 release commit
• 7088682 fix: properly copy x-forwarded headers from upstream (#1121)

Artifacts can be verified with cosign using this public key.

v0.40.5

Ory Oathkeeper v0.44.4 uses the new Rewrite feature of Golang's reverse proxy. This will strip any X-Forwarded headers from upstream requests. This however is not always desirable which is why a new config flag serve.proxy.trust_forwarded_headers was introduced to optionally enable the forwarding of X-Forwarded headers.

Code Generation

• Pin v0.40.5 release commit (ba1f90a)

Features

• Flag to disable hop-by-hop defenses (#1120) (fffe8ef):

  Ory Oathkeeper v0.44.4 uses the new Rewrite feature of Golang's reverse proxy. This will strip any X-Forwarded headers from upstream requests. This however is not always desirable which is why a new config flag serve.proxy.trust_forwarded_headers was introduced to optionally enable the forwarding of X-Forwarded headers.

Changelog

• 7a94b54 autogen(docs): generate and bump docs
• 07c1e3c autogen: add v0.40.4 to version.schema.json
• ba1f90a autogen: pin v0.40.5 release commit
• fffe8ef feat: flag to disable hop-by-hop defenses (#1120)

Artifacts can be verified with cosign using this public key.

v0.40.4

Added distroless image, fixed some bugs, and added support for JWKs key rotation in the ID token mutator.

Bug Fixes

• Apk install issue (08b2bfb)
• Ensure logger uses config (#1104) (d9b0965)
• Noop mutator don't overwrite session headers (#1091) (3a716f2)
• Use Query.Get when fetching QueryParameter (#1106) (c520e50)

Code Generation

• Pin v0.40.4 release commit (70d63f3)

Features

• Add distroless images (#1114) (8ac1dac)

• Sqa metrics v2 (#1110) (baeecc6)

• Support token rotation in ID token mutator (#1119) (5dd4571):

  Previously, only one JWK may be returned by the JWKS URL. This made token rotation impossible. This patch allows for multiple keys to be returned by the JWKS URL and the first key found will be used for signing.

Tests

• Use reliable upstream server (#1099) (af5ce29)

Changelog

• 48c90c1 autogen(docs): generate and bump docs
• 47e3d19 autogen(docs): regenerate and update changelog
• b7c57ca autogen(docs): regenerate and update changelog
• 6761be1 autogen(docs): regenerate and update changelog
• 64aed38 autogen(docs): regenerate and update changelog
• ccdf1e4 autogen(docs): regenerate and update changelog
• 9275dcd autogen(docs): regenerate and update changelog
• 1c333b9 autogen(docs): regenerate and update changelog
• 4f08af7 autogen(docs): regenerate and update changelog
• 3276408 autogen(openapi): regenerate swagger spec and internal client
• 97e9660 autogen(openapi): regenerate swagger spec and internal client
• 12d0aea autogen: add v0.40.3 to version.schema.json
• 70d63f3 autogen: pin v0.40.4 release commit
• c85d0a9 autogen: pin v0.40.4 release commit
• 596ad11 chore(deps): bump github.com/knadh/koanf to v2.0.1 (#1111)
• 0a767e7 chore(deps): update ory/x to v0.0.565 (#1113)
• 56779c4 chore: support in README (#1117)
• 91ae714 chore: update gRPC to v1.56.1 (#1118)
• 1857ba3 chore: update security scanners (#1107)
• 8ac1dac feat: add distroless images (#1114)
• baeecc6 feat: sqa metrics v2 (#1110)
• 5dd4571 feat: support token rotation in ID token mutator (#1119)
• 08b2bfb fix: apk install issue
• d9b0965 fix: ensure logger uses config (#1104)
• 3a716f2 fix: noop mutator don't overwrite session headers (#1091)
• c520e50 fix: use Query.Get when fetching QueryParameter (#1106)
• af5ce29 test: use reliable upstream server (#1099)

Artifacts can be verified with cosign using this public key.

v0.40.3

This release fixes a low-severity security vulnerability.

Bug Fixes

• Report 499, 502, or 504 (#1090) (360a03e)
• Sqa config values unified across projects (#1094) (9374d2f)
• Switch to httputil.ReverseProxy.Rewrite (#1098) (c5cc7f7)

Code Generation

• Pin v0.40.3 release commit (2ab7687)

Features

• Tracing for gRPC middleware (#1086) (c60e4ac)

Changelog

• d15dfa2 autogen(docs): generate and bump docs
• 4768d05 autogen(docs): regenerate and update changelog
• 2fd6a84 autogen(docs): regenerate and update changelog
• 271a666 autogen(docs): regenerate and update changelog
• b8c6261 autogen(docs): regenerate and update changelog
• 629247b autogen(openapi): regenerate swagger spec and internal client
• f3ec24a autogen: add v0.40.2 to version.schema.json
• 2ab7687 autogen: pin v0.40.3 release commit
• 310aa5f chore(deps): bump @nestjs/core and @openapitools/openapi-generator-cli (#1097)
• a615f7b chore(deps): bump github.com/docker/docker
• 37e2df8 chore(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 (#1084)
• c60e4ac feat: tracing for gRPC middleware (#1086)
• 360a03e fix: report 499, 502, or 504 (#1090)
• 9374d2f fix: sqa config values unified across projects (#1094)
• c5cc7f7 fix: switch to httputil.ReverseProxy.Rewrite (#1098)

Artifacts can be verified with cosign using this public key.

v0.40.2

Resolves tracing and health monitoring issues.

Bug Fixes

• Add handlers in correct order to handle CORS requests properly (#1055) (0b5f6e6), closes ory/oathkeeper#1054

• Release pipeline (#1053) (878089d)

• Render complete config schema in CI and update tracing config (#1063) (e5e9d17)

• Rule readiness check should require at least one rule to be loaded (#1061) (daa2994):

  With this change, Oathkeeper now reports as "not ready" on the health check if not at least one valid rule is loaded.

Code Generation

• Pin v0.40.2 release commit (0f42d7c)

Documentation

• Update security email (#1077) (bba14ba)

Features

• Add cache to Koanf.validatePipelineConfig (#1042) (e7fb605)
• Expose health checks in middleware (#1058) (e1357f8)
• Forward config options in middleware (#1062) (f3c4386)
• Improved tracing for authorizers (#1079) (b3aa0c3)
• Tracing for authz remote (#1056) (7e7d45e)

Changelog

• 4e8f06e autogen(docs): generate and bump docs
• 9572b59 autogen(docs): regenerate and update changelog
• 46689fa autogen(docs): regenerate and update changelog
• f40b3f1 autogen(docs): regenerate and update changelog
• e29a26a autogen(docs): regenerate and update changelog
• 29c09de autogen(docs): regenerate and update changelog
• 12bdbe6 autogen(docs): regenerate and update changelog
• b342931 autogen(docs): regenerate and update changelog
• 34d1217 autogen(docs): regenerate and update changelog
• 5233025 autogen(docs): regenerate and update changelog
• 98da1a3 autogen(docs): regenerate and update changelog
• 3cd0550 autogen(docs): regenerate and update changelog
• 0f42d7c autogen: pin v0.40.2 release commit
• 2b13ac1 chore(deps): bump JWT deps (#1052)
• cd35bf8 chore(deps): bump golang.org/x/net from 0.5.0 to 0.7.0 (#1069)
• 0e3c249 chore: update alpine version (#1070)
• d305381 chore: use watcherx to watch access rule files (#1059)
• bba14ba docs: update security email (#1077)
• e7fb605 feat: add cache to Koanf.validatePipelineConfig (#1042)
• e1357f8 feat: expose health checks in middleware (#1058)
• f3c4386 feat: forward config options in middleware (#1062)
• b3aa0c3 feat: improved tracing for authorizers (#1079)
• 7e7d45e feat: tracing for authz remote (#1056)
• 0b5f6e6 fix: add handlers in correct order to handle CORS requests properly (#1055)
• 878089d fix: release pipeline (#1053)
• e5e9d17 fix: render complete config schema in CI and update tracing config (#1063)
• daa2994 fix: rule readiness check should require at least one rule to be loaded (#1061)

Artifacts can be verified with cosign using this public key.