Merge branch 'master' into fix-concurrent-retry

SECURITY.md

@@ -3,51 +3,54 @@
 
 # Ory Security Policy
 
-## Overview
+This policy outlines Ory's security commitments and practices for users across
+different licensing and deployment models.
 
-This security policy outlines the security support commitments for different
-types of Ory users.
+To learn more about Ory's security service level agreements (SLAs) and
+processes, please [contact us](https://www.ory.sh/contact/).
 
-[Get in touch](https://www.ory.sh/contact/) to learn more about Ory's security
-SLAs and process.
-
-## Apache 2.0 License Users
+## Ory Network Users
 
-- **Security SLA:** No security Service Level Agreement (SLA) is provided.
-- **Release Schedule:** Releases are planned every 3 to 6 months. These releases
-  will contain all security fixes implemented up to that point.
-- **Version Support:** Security patches are only provided for the current
-  release version.
+- **Security SLA:** Ory addresses vulnerabilities in the Ory Network according
+  to the following guidelines:
+  - Critical: Typically addressed within 14 days.
+  - High: Typically addressed within 30 days.
+  - Medium: Typically addressed within 90 days.
+  - Low: Typically addressed within 180 days.
+  - Informational: Addressed as necessary.  
+    These timelines are targets and may vary based on specific circumstances.
+- **Release Schedule:** Updates are deployed to the Ory Network as
+  vulnerabilities are resolved.
+- **Version Support:** The Ory Network always runs the latest version, ensuring
+  up-to-date security fixes.
 
 ## Ory Enterprise License Customers
 
-- **Security SLA:** The following timelines apply for security vulnerabilities
-  based on their severity:
-  - Critical: Resolved within 14 days.
-  - High: Resolved within 30 days.
-  - Medium: Resolved within 90 days.
-  - Low: Resolved within 180 days.
-  - Informational: Addressed as needed.
-- **Release Schedule:** Updates are provided as soon as vulnerabilities are
-  resolved, adhering to the above SLA.
-- **Version Support:** Depending on the Ory Enterprise License agreement
-  multiple versions can be supported.
+- **Security SLA:** Ory addresses vulnerabilities based on their severity:
+  - Critical: Typically addressed within 14 days.
+  - High: Typically addressed within 30 days.
+  - Medium: Typically addressed within 90 days.
+  - Low: Typically addressed within 180 days.
+  - Informational: Addressed as necessary.  
+    These timelines are targets and may vary based on specific circumstances.
+- **Release Schedule:** Updates are made available as vulnerabilities are
+  resolved. Ory works closely with enterprise customers to ensure timely updates
+  that align with their operational needs.
+- **Version Support:** Ory may provide security support for multiple versions,
+  depending on the terms of the enterprise agreement.
 
-## Ory Network Users
+## Apache 2.0 License Users
 
-- **Security SLA:** The following timelines apply for security vulnerabilities
-  based on their severity:
-  - Critical: Resolved within 14 days.
-  - High: Resolved within 30 days.
-  - Medium: Resolved within 90 days.
-  - Low: Resolved within 180 days.
-  - Informational: Addressed as needed.
-- **Release Schedule:** Updates are automatically deployed to Ory Network as
-  soon as vulnerabilities are resolved, adhering to the above SLA.
-- **Version Support:** Ory Network always runs the most current version.
+- **Security SLA:** Ory does not provide a formal SLA for security issues under
+  the Apache 2.0 License.
+- **Release Schedule:** Releases prioritize new functionality and include fixes
+  for known security vulnerabilities at the time of release. While major
+  releases typically occur one to two times per year, Ory does not guarantee a
+  fixed release schedule.
+- **Version Support:** Security patches are only provided for the latest release
+  version.
 
 ## Reporting a Vulnerability
 
-Please head over to our
-[security policy](https://www.ory.sh/docs/ecosystem/security) to learn more
-about reporting security vulnerabilities.
+For details on how to report security vulnerabilities, visit our
+[security policy documentation](https://www.ory.sh/docs/ecosystem/security).

persistence/sql/persister_client.go

@@ -6,6 +6,8 @@ package sql
 import (
 	"context"
 
+	"go.opentelemetry.io/otel/trace"
+
 	"github.com/ory/hydra/v2/x/events"
 
 	"github.com/gobuffalo/pop/v6"
@@ -20,7 +22,9 @@ import (
 )
 
 func (p *Persister) GetConcreteClient(ctx context.Context, id string) (c *client.Client, err error) {
-	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GetConcreteClient")
+	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GetConcreteClient",
+		trace.WithAttributes(events.ClientID(id)),
+	)
 	defer otelx.End(span, &err)
 
 	var cl client.Client
@@ -35,7 +39,9 @@ func (p *Persister) GetClient(ctx context.Context, id string) (fosite.Client, er
 }
 
 func (p *Persister) UpdateClient(ctx context.Context, cl *client.Client) (err error) {
-	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.UpdateClient")
+	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.UpdateClient",
+		trace.WithAttributes(events.ClientID(cl.ID)),
+	)
 	defer otelx.End(span, &err)
 
 	return p.Transaction(ctx, func(ctx context.Context, c *pop.Connection) error {
@@ -77,7 +83,9 @@ func (p *Persister) UpdateClient(ctx context.Context, cl *client.Client) (err er
 }
 
 func (p *Persister) AuthenticateClient(ctx context.Context, id string, secret []byte) (_ *client.Client, err error) {
-	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.AuthenticateClient")
+	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.AuthenticateClient",
+		trace.WithAttributes(events.ClientID(id)),
+	)
 	defer otelx.End(span, &err)
 
 	c, err := p.GetConcreteClient(ctx, id)
@@ -117,7 +125,9 @@ func (p *Persister) CreateClient(ctx context.Context, c *client.Client) (err err
 }
 
 func (p *Persister) DeleteClient(ctx context.Context, id string) (err error) {
-	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.DeleteClient")
+	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.DeleteClient",
+		trace.WithAttributes(events.ClientID(id)),
+	)
 	defer otelx.End(span, &err)
 
 	c, err := p.GetConcreteClient(ctx, id)

persistence/sql/persister_oauth2.go

@@ -366,7 +366,9 @@ func (p *Persister) InvalidateAuthorizeCodeSession(ctx context.Context, signatur
 }
 
 func (p *Persister) CreateAccessTokenSession(ctx context.Context, signature string, requester fosite.Requester) (err error) {
-	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.CreateAccessTokenSession")
+	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.CreateAccessTokenSession",
+		trace.WithAttributes(events.AccessTokenSignature(signature)),
+	)
 	defer otelx.End(span, &err)
 
 	events.Trace(ctx, events.AccessTokenIssued,
@@ -377,7 +379,9 @@ func (p *Persister) CreateAccessTokenSession(ctx context.Context, signature stri
 }
 
 func (p *Persister) GetAccessTokenSession(ctx context.Context, signature string, session fosite.Session) (request fosite.Requester, err error) {
-	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GetAccessTokenSession")
+	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GetAccessTokenSession",
+		trace.WithAttributes(events.AccessTokenSignature(signature)),
+	)
 	defer otelx.End(span, &err)
 
 	r := OAuth2RequestSQL{Table: sqlTableAccess}
@@ -406,7 +410,9 @@ func (p *Persister) GetAccessTokenSession(ctx context.Context, signature string,
 }
 
 func (p *Persister) DeleteAccessTokenSession(ctx context.Context, signature string) (err error) {
-	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.DeleteAccessTokenSession")
+	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.DeleteAccessTokenSession",
+		trace.WithAttributes(events.AccessTokenSignature(signature)),
+	)
 	defer otelx.End(span, &err)
 
 	err = sqlcon.HandleError(
@@ -446,7 +452,9 @@ func toEventOptions(requester fosite.Requester) []trace.EventOption {
 }
 
 func (p *Persister) CreateRefreshTokenSession(ctx context.Context, signature string, accessTokenSignature string, requester fosite.Requester) (err error) {
-	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.CreateRefreshTokenSession")
+	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.CreateRefreshTokenSession",
+		trace.WithAttributes(events.RefreshTokenSignature(signature)),
+	)
 	defer otelx.End(span, &err)
 	events.Trace(ctx, events.RefreshTokenIssued, toEventOptions(requester)...)
 
@@ -476,7 +484,9 @@ func (p *Persister) CreateRefreshTokenSession(ctx context.Context, signature str
 }
 
 func (p *Persister) GetRefreshTokenSession(ctx context.Context, signature string, session fosite.Session) (request fosite.Requester, err error) {
-	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GetRefreshTokenSession")
+	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GetRefreshTokenSession",
+		trace.WithAttributes(events.RefreshTokenSignature(signature)),
+	)
 	defer otelx.End(span, &err)
 
 	var row OAuth2RefreshTable
@@ -506,7 +516,9 @@ func (p *Persister) GetRefreshTokenSession(ctx context.Context, signature string
 }
 
 func (p *Persister) DeleteRefreshTokenSession(ctx context.Context, signature string) (err error) {
-	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.DeleteRefreshTokenSession")
+	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.DeleteRefreshTokenSession",
+		trace.WithAttributes(events.RefreshTokenSignature(signature)),
+	)
 	defer otelx.End(span, &err)
 	return p.deleteSessionBySignature(ctx, signature, sqlTableRefresh)
 }
@@ -551,13 +563,17 @@ func (p *Persister) DeletePKCERequestSession(ctx context.Context, signature stri
 }
 
 func (p *Persister) RevokeRefreshToken(ctx context.Context, id string) (err error) {
-	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.RevokeRefreshToken")
+	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.RevokeRefreshToken",
+		trace.WithAttributes(events.ConsentRequestID(id)),
+	)
 	defer otelx.End(span, &err)
 	return p.deleteSessionByRequestID(ctx, id, sqlTableRefresh)
 }
 
 func (p *Persister) RevokeAccessToken(ctx context.Context, id string) (err error) {
-	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.RevokeAccessToken")
+	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.RevokeAccessToken",
+		trace.WithAttributes(events.ConsentRequestID(id)),
+	)
 	defer otelx.End(span, &err)
 	return p.deleteSessionByRequestID(ctx, id, sqlTableAccess)
 }
@@ -609,7 +625,9 @@ func (p *Persister) FlushInactiveRefreshTokens(ctx context.Context, notAfter tim
 }
 
 func (p *Persister) DeleteAccessTokens(ctx context.Context, clientID string) (err error) {
-	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.DeleteAccessTokens")
+	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.DeleteAccessTokens",
+		trace.WithAttributes(events.ClientID(clientID)),
+	)
 	defer otelx.End(span, &err)
 	/* #nosec G201 table is static */
 	return sqlcon.HandleError(

test/e2e/oauth2-client/package.json

@@ -11,7 +11,7 @@
   "dependencies": {
     "body-parser": "^1.20.1",
     "dotenv": "^7.0.0",
-    "express": "^4.21.0",
+    "express": "^4.21.2",
     "express-session": "^1.17.0",
     "express-winston": "^3.4.0",
     "hydra-login-consent-logout": "2.0.4-pre.2",