0.7.0: SQL Migrate, Groups, Hardening #329
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR bumps Hydra to version 0.7.0. We expect this release to be the forelast release before the stable 1.0.0. Version 0.8.0 is anticipated to include #297 .
This PR includes the following changes:
hydra token user
cmd: add configuration options forhydra token user
#327This PR includes the follwoing breaking changes:
sql: deleting policies does not delete associated records with mysql driver #326
MySQL has a 12 year old bug that ignores shorthand foreign key constraints in
CREATE TABLE
statements. Those were used in ladon, the library responsible for access control policies. This patch resolves this issue by replacing shorthand constraints with explicit indices. You will be able to run your existing database with this patch, but it will not resolve the bug described in #326. However, you can easily update the foreign key constraints manually in your database, the schema is here.Postgres is not affected.
oauth2/consent: force jti echo in consent response #322
Previously, Hydra accepted signed consent tokens without requiring a special JSON Token ID in the JWT payload. This was deemed secure enough, as expiry times are usually short and OAuth2 clients use random states. However, to make things more secure, the consent app has to include the
jti
value from the consent challenge in the payload of the consent response. Hydra sets a cookie when redirecting to the consent app with the JTI value for validation of the consent response. The cookie is encrypted with a secret passphrase given byCOOKIE_SECRET
and if none is given, falls back toSYSTEM_SECRET
. We recommend using a dedicatedCOOKIE_SECRET
in production.Read more here.