oauth2: Add audience and improve refresh flow

Closes #1153

UPGRADE.md

@@ -105,11 +105,36 @@ before finalizing the upgrade process.
 
 ## 1.0.0-rc.1
 
-### Customise login and consent flow timeout
+### Non-breaking Changes
+
+#### Access Token Audience
+
+This patch adds the access token audience feature. For more information on this, head over to [the docs](https://www.ory.sh/docs/guides/master/hydra/6-how-to/3-advanced.html).
+
+#### Refresh Grant
+
+Previously, the refresh grant did not check whether a client's allowed scope or audience changed. This has now been added.
+If an OAuth 2.0 Client performs the refresh flow but the requested token includes a scope which has not been whitelisted
+at the client, the flow will fail and no refresh token will be granted.
+
+#### Customise login and consent flow timeout
 
 You can now set the login and consent flow timeout using environment variable `LOGIN_CONSENT_REQUEST_LIFESPAN`.
 
-### JSON Web Token formatted Access Token data
+#### Schema Changes
+
+This patch introduces database schema changes. Before you apply it, you must run `hydra migrate sql` against
+your database.
+
+In order to [resolve table locking](https://github.com/ory/hydra/issues/1067) during the refresh token flow, the following indices were added:
+- Unique index on the `request_id` column in the `hydra_oauth2_access` & `hydra_oauth2_refresh` tables
+
+In order to [resolve table locking](https://github.com/ory/hydra/issues/1067) when flushing expired tokens, the following index was added:
+- Index on the `requested_at` column in the `hydra_oauth2_access` table
+
+### Breaking Changes
+
+#### JSON Web Token formatted Access Token data
 
 Previously, extra fields coming from `session.access_token` where directly embedded in the OAuth 2.0 Access Token when
 the JSON Web Token strategy was used. However, the token introspection response returned the extra data as a field `ext: {...}`.
@@ -119,26 +144,15 @@ Tokens formatted as JSON Web Tokens.
 
 This change does not impact the opaque strategy, which is the default one.
 
-### CLI Changes
+#### CLI Changes
 
 Flags `https-tls-key-path` and `https-tls-cert-path` have been removed from the `hydra serve *` commands.
 Use environment variables `HTTPS_TLS_CERT_PATH` and `HTTPS_TLS_KEY_PATH` instead.
 
-### API Changes
+#### API Changes
 
 Endpoint `/health/status`, which redirected to `/health/alive` and was deprecated has been removed.
 
-### Schema Changes
-
-This patch introduces database schema changes. Before you apply it, you must run `hydra migrate sql` against
-your database.
-
-In order to [resolve table locking](https://github.com/ory/hydra/issues/1067) during the refresh token flow, the following indices were added:
-- Unique index on the `request_id` column in the `hydra_oauth2_access` & `hydra_oauth2_refresh` tables
-
-In order to [resolve table locking](https://github.com/ory/hydra/issues/1067) when flushing expired tokens, the following index was added:
-- Index on the `requested_at` column in the `hydra_oauth2_access` table
-
 ## 1.0.0-beta.9
 
 ### CORS is disabled by default

go.mod

@@ -19,7 +19,7 @@ require (
 	github.com/oleiade/reflections v1.0.0
 	github.com/opentracing/opentracing-go v1.0.2
 	github.com/ory/dockertest v3.3.2+incompatible
-	github.com/ory/fosite v0.27.0
+	github.com/ory/fosite v0.27.1
 	github.com/ory/go-convenience v0.1.0
 	github.com/ory/graceful v0.1.0
 	github.com/ory/herodot v0.4.1

go.sum

@@ -144,6 +144,7 @@ github.com/ory/fosite v0.26.2-0.20181031085642-e2441d231a19 h1:8jQrkb3nO4nG5Dzpb
 github.com/ory/fosite v0.26.2-0.20181031085642-e2441d231a19/go.mod h1:uttCRNB0lM7+BJFX7CC8Bqo9gAPrcpmA9Ezc80Trwuw=
 github.com/ory/fosite v0.27.0 h1:QYHW+asgRRIw5uk8a42/VpiwMQqQMPwZ4TP4xKNIMEA=
 github.com/ory/fosite v0.27.0/go.mod h1:uttCRNB0lM7+BJFX7CC8Bqo9gAPrcpmA9Ezc80Trwuw=
+github.com/ory/fosite v0.27.1/go.mod h1:uttCRNB0lM7+BJFX7CC8Bqo9gAPrcpmA9Ezc80Trwuw=
 github.com/ory/go-convenience v0.1.0 h1:zouLKfF2GoSGnJwGq+PE/nJAE6dj2Zj5QlTgmMTsTS8=
 github.com/ory/go-convenience v0.1.0/go.mod h1:uEY/a60PL5c12nYz4V5cHY03IBmwIAEm8TWB0yn9KNs=
 github.com/ory/graceful v0.1.0 h1:zilpYtcR5vp4GubV4bN2GFJewHaSkMFnnRiJxyH8FAc=