Overview

Major refactoring release: Standardizes authentication on Ory Hydra OAuth2, removes legacy providers (Auth0, Cognito, Kratos), implements hybrid OAuth2 + DID authentication, and pins all dependency versions for reproducible builds.

Version: 2026.6.6
Date: February 7, 2026
Author: Raahul Dutta

Breaking Changes

Auth0 and Cognito providers removed
  • Only Hydra is now supported as the authentication provider
  • Existing Auth0/Cognito configurations will need to migrate to Hydra
OAuth client authentication method changed
  • Changed from client_secret_basic to client_secret_post
  • DIDs containing colons are now properly supported as client_ids
Removed modules
  • bindu/utils/auth_utils.py (Auth0 JWT utilities)
  • bindu/server/middleware/auth/auth0.py
  • bindu/server/middleware/auth/cognito.py
  • Kratos, Vault, and user OAuth management modules
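
Why a client_id containing colons is fragile under client_secret_basic and unaffected under client_secret_post, shown as an added example (not Bindu's code). The DID, the secret and all function names are constructed for illustration.

```python
import base64
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode

DID = "did:example:agent-1"      # constructed sample client_id
SECRET = "s3cret:with/colon"     # constructed sample client_secret

def basic_header(client_id, secret, form_encode):
    """client_secret_basic. RFC 6749 section 2.3.1 requires form_encode=True."""
    if form_encode:
        client_id, secret = quote_plus(client_id), quote_plus(secret)
    token = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return f"Basic {token}"

def parse_basic(header, form_decode):
    """Server side: the first ':' separates user-id from password (RFC 7617)."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    client_id, _, secret = raw.partition(":")
    if form_decode:
        client_id, secret = unquote_plus(client_id), unquote_plus(secret)
    return client_id, secret

def post_body(client_id, secret):
    """client_secret_post: credentials are ordinary form fields in the body."""
    return urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": secret})

def parse_post(body):
    """Server side: standard form decoding recovers both values intact."""
    fields = parse_qs(body, strict_parsing=True)
    return fields["client_id"][0], fields["client_secret"][0]

def compare():
    """What the server recovers for each client/server combination."""
    return {
        "basic, neither side encodes": parse_basic(basic_header(DID, SECRET, False), False),
        "basic, only client encodes": parse_basic(basic_header(DID, SECRET, True), False),
        "basic, both follow RFC 6749": parse_basic(basic_header(DID, SECRET, True), True),
        "post": parse_post(post_body(DID, SECRET)),
    }

if __name__ == "__main__":
    for case, (cid, sec) in compare().items():
        print(f"{case:30} client_id={cid!r} secret={sec!r}")
```

Basic authentication only round-trips the DID when client and server both apply the form-encoding step; the POST variant relies on ordinary form parsing alone.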

New Features

Hybrid OAuth2 + DID Authentication

  • Combines OAuth2 tokens with DID-based signatures
  • DID used as stable key for credential storage
  • Automatic client registration in Hydra with DID as client_id
  • Public key metadata stored in Hydra client for verification

Improved Hydra Client Registration

  • Verifies client exists in Hydra before returning cached credentials
  • Automatically recreates client if local credentials are stale
  • Uses client_secret_post for token endpoint authentication
  • Proper URL encoding for DIDs with special characters
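
A sketch of the verify-before-reuse flow listed above, as an added example rather than the code in bindu/auth/hydra/registration.py. `ensure_client`, `FakeHydra`, the dict cache and the admin URL are hypothetical; the example assumes Hydra's admin endpoints `GET /admin/clients/{id}` (200 or 404) and `POST /admin/clients` (201).

```python
import secrets
from urllib.parse import quote, unquote

ADMIN = "https://hydra-admin.example"   # placeholder admin URL (assumption)
DID = "did:example:agent-1"             # constructed sample DID

def client_url(admin_url, did):
    # safe="" percent-encodes ':' and '/', so the DID stays one path segment
    return f"{admin_url}/admin/clients/{quote(did, safe='')}"

def ensure_client(did, cache, request, admin_url=ADMIN):
    """Return (credentials, how). `cache` is a dict keyed by DID; `request`
    (method, url, json_body) -> (status, json) stands in for an HTTP client."""
    creds = cache.get(did)
    if creds is not None:
        status, _ = request("GET", client_url(admin_url, did), None)
        if status == 200:
            return creds, "cached"
        if status != 404:
            # Fail closed: an outage or auth error is not proof the client is gone
            raise RuntimeError(f"Hydra admin lookup failed: HTTP {status}")
        del cache[did]  # Hydra no longer knows this client: local copy is stale
    body = {
        "client_id": did,
        "client_secret": secrets.token_urlsafe(32),
        "grant_types": ["client_credentials"],
        "token_endpoint_auth_method": "client_secret_post",
    }
    status, _ = request("POST", f"{admin_url}/admin/clients", body)
    if status != 201:
        raise RuntimeError(f"Hydra client registration failed: HTTP {status}")
    cache[did] = {"client_id": did, "client_secret": body["client_secret"]}
    return cache[did], "registered"

class FakeHydra:
    """In-memory stand-in for the admin API so the example runs offline."""
    def __init__(self):
        self.clients, self.urls = {}, []
    def __call__(self, method, url, body):
        self.urls.append(url)
        if method == "POST":
            self.clients[body["client_id"]] = body
            return 201, body
        client_id = unquote(url.rsplit("/", 1)[1])
        return (200, self.clients[client_id]) if client_id in self.clients else (404, {})
```

Only a 404 is treated as evidence of stale credentials; any other failure raises instead of silently rotating the secret.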

Pinned Dependency Versions

All dependencies now use exact versions (==) instead of minimum (>=):
| Category | Package Count |
|---|---|
| Core runtime | 15 packages |
| Telemetry | 7 packages |
| Payments/x402 | 5 packages |
| Storage | 4 packages |
| CLI tools | 2 packages |
| Security | 1 package |

New Web UI Infrastructure

  • Static file serving for agent web interface
  • Modular JavaScript architecture:
    • api/client.js - HTTP client utilities
    • state/store.js - State management
    • chat/chat.js - Chat functionality
    • core/ - Protocol, events, constants

Startup Display Improvements

  • OAuth token retrieval curl command shown at startup
  • Client secret path displayed (not exposed directly)
  • Clear instructions for obtaining access tokens

Improvements

Authentication Architecture

  • Single auth provider (Hydra) simplifies configuration
  • HydraMiddleware handles OAuth2 token introspection
  • DID signature verification for enhanced security
  • Cleaner separation between auth and middleware layers

Configuration Validation

  • Simplified config validator for Hydra-only setup
  • Removed Auth0/Cognito validation logic
  • Better error messages for invalid configurations

Test Simplification

  • Removed complex mocking in auth tests
  • Simplified hybrid auth client tests
  • Removed outdated registration tests
  • 565 tests passing with 68.59% coverage

Documentation Updates

  • examples/README.md updated for Hydra-only setup
  • Removed Auth0 token retrieval examples
  • Added Hydra token retrieval instructions

Technical Details

Files Changed: 60+ files
  • Added: 25+ files (Hydra client, registration, middleware, UI)
  • Modified: 20+ files (settings, config, applications)
  • Deleted: 15+ files (Auth0, Cognito, Kratos, Vault modules)

New Modules

| Module | Lines | Purpose |
|---|---|---|
| bindu/auth/hydra/client.py | 272 | Hydra Admin API client |
| bindu/auth/hydra/registration.py | 220 | Agent registration |
| bindu/server/middleware/auth/hydra.py | 397 | OAuth2 middleware |
| bindu/utils/agent_token_utils.py | 178 | Token utilities |
| bindu/utils/did_signature.py | 234 | DID signature utilities |
| bindu/ui/static/ | - | Web UI static files |

Removed Modules

  • bindu/utils/auth_utils.py - Auth0 JWT utilities
  • bindu/server/middleware/auth/auth0.py - Auth0 middleware
  • bindu/server/middleware/auth/cognito.py - Cognito middleware
  • Kratos configuration and migration scripts

Dependency Changes

Core Dependencies (pinned versions)

uvicorn==0.34.1
starlette==0.48.0
pydantic==2.11.3
loguru==0.7.3
rich==13.9.4
cryptography==44.0.2
httpx==0.28.1
pyjwt[crypto]==2.10.1

Removed Dependencies

  • openai, agno, ddgs (AI/search - not needed)
  • numpy (heavy - not needed)
  • ty (dev tool - moved to dev deps)

Testing

  • 565 tests passing
  • Coverage: 68.59%
  • All Hydra authentication flows tested
  • DID signature verification tested
  • Token introspection and refresh tested

Migration Guide

For existing Auth0 deployments

1. Set up Ory Hydra server

   Use https://hydra.getbindu.com or deploy your own

2. Update environment variables

    # Remove
    AUTH0_DOMAIN=...
    AUTH0_AUDIENCE=...
    AUTH0_CLIENT_ID=...
    AUTH0_CLIENT_SECRET=...

    # Add
    HYDRA__ADMIN_URL=https://hydra-admin.getbindu.com
    HYDRA__PUBLIC_URL=https://hydra.getbindu.com
    AUTH__ENABLED=true
    AUTH__PROVIDER=hydra

3. Update agent config

    auth:
      enabled: true
      provider: hydra  # Only option now

4. Agent auto-registration

   Agent will auto-register in Hydra on startup with DID as client_id

5. Get token

    curl 'https://hydra.getbindu.com/oauth2/token' \
      -d 'grant_type=client_credentials' \
      -d 'client_id=YOUR_DID' \
      -d 'client_secret=YOUR_SECRET'

For Cognito deployments

  • Full migration to Hydra required
  • No direct migration path available

Commit Details

Merge Commit: c80026cadef48ed3bee675fdf811619c7a8c99cd
PR: #135 (Feature/hydra migration v2)
Branch: feature/hydra-migration-v2
Commits: 36

Key Commits

| Commit | Description |
|---|---|
| add4d56 | Remove Auth0/Cognito, standardize on Hydra |
| 2108e97 | Pin all dependency versions |
| 4da6c58 | Improve Hydra registration, switch to client_secret_post |
| 979d836 | Implement hybrid OAuth2 + DID authentication |
| 31f4388 | Remove Kratos, OAuth, Vault modules |
| 93c92ec | Use DID as stable key for credential storage |