
0.7.0: SQL Migrate, Groups, Hardening #329

Merged
merged 21 commits into from
Dec 30, 2016

Conversation

aeneasr
Member

@aeneasr aeneasr commented Dec 19, 2016

This PR bumps Hydra to version 0.7.0. We expect this release to be the penultimate release before the stable 1.0.0. Version 0.8.0 is anticipated to include #297.

This PR includes the following changes:

This PR includes the following breaking changes:

sql: deleting policies does not delete associated records with mysql driver #326

MySQL has a 12-year-old bug that ignores shorthand foreign key constraints in CREATE TABLE statements. Those were used in ladon, the library responsible for access control policies. This patch resolves this issue by replacing shorthand constraints with explicit indices. You will be able to run your existing database with this patch, but it will not resolve the bug described in #326. However, you can easily update the foreign key constraints manually in your database; the schema is here.

Postgres is not affected.

oauth2/consent: force jti echo in consent response #322

Previously, Hydra accepted signed consent tokens without requiring a special JSON Token ID in the JWT payload. This was deemed secure enough, as expiry times are usually short and OAuth2 clients use random states. However, to make things more secure, the consent app has to include the jti value from the consent challenge in the payload of the consent response. Hydra sets a cookie when redirecting to the consent app with the JTI value for validation of the consent response. The cookie is encrypted with a secret passphrase given by COOKIE_SECRET and if none is given, falls back to SYSTEM_SECRET. We recommend using a dedicated COOKIE_SECRET in production.

Read more here.
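The following is an added example, not code from the PR or from ladon's migrations, illustrating the MySQL point in the description above: a column-level `REFERENCES` shorthand is silently ignored by MySQL, while a table-level `FOREIGN KEY` constraint is enforced. The rewriter below turns the former into the latter for simple CREATE TABLE statements. The table and column names in `ConstructedDDL` are made up for the example; the real schema lives in the ladon repository, and for a production database you would apply the project's migration rather than a text rewrite like this one.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// inlineRef matches a column definition carrying a shorthand foreign key:
//   <column> <type and modifiers> REFERENCES <parent>(<column>) [referential actions]
var inlineRef = regexp.MustCompile(`(?is)^(\w+)\s+(.*?)\s+REFERENCES\s+(\w+)\s*\(\s*(\w+)\s*\)\s*(.*)$`)

// splitTopLevel splits the body of a CREATE TABLE on commas that are not
// nested inside parentheses, so "varchar(255)" stays intact.
func splitTopLevel(s string) []string {
	var parts []string
	depth, start := 0, 0
	for i, r := range s {
		switch r {
		case '(':
			depth++
		case ')':
			depth--
		case ',':
			if depth == 0 {
				parts = append(parts, strings.TrimSpace(s[start:i]))
				start = i + 1
			}
		}
	}
	return append(parts, strings.TrimSpace(s[start:]))
}

// ExplicitForeignKeys rewrites every shorthand REFERENCES clause into a
// table-level FOREIGN KEY constraint, which MySQL does enforce. The column
// keeps its type and modifiers; the referential actions move to the constraint.
func ExplicitForeignKeys(ddl string) string {
	open := strings.Index(ddl, "(")
	closeIdx := strings.LastIndex(ddl, ")")
	if open < 0 || closeIdx < open {
		return ddl // not a CREATE TABLE body this helper understands
	}
	var defs, constraints []string
	for _, d := range splitTopLevel(ddl[open+1 : closeIdx]) {
		m := inlineRef.FindStringSubmatch(d)
		if m == nil {
			defs = append(defs, d)
			continue
		}
		defs = append(defs, m[1]+" "+m[2])
		fk := fmt.Sprintf("FOREIGN KEY (%s) REFERENCES %s(%s)", m[1], m[3], m[4])
		if rest := strings.TrimSpace(m[5]); rest != "" {
			fk += " " + rest
		}
		constraints = append(constraints, fk)
	}
	all := append(defs, constraints...)
	return ddl[:open+1] + "\n  " + strings.Join(all, ",\n  ") + "\n" + ddl[closeIdx:]
}

// ConstructedDDL is a made-up table in the shape of the shorthand the PR replaces
// (hypothetical names, not ladon's real schema).
const ConstructedDDL = `CREATE TABLE example_policy_subject (
  id int NOT NULL AUTO_INCREMENT PRIMARY KEY,
  subject varchar(255) NOT NULL,
  policy varchar(255) NOT NULL REFERENCES example_policy(id) ON DELETE CASCADE
)`

func main() {
	fmt.Println(ExplicitForeignKeys(ConstructedDDL))
}
```

The security-relevant consequence of the original shorthand is the one #326 reports: without an enforced constraint, deleting a policy leaves its subject, resource and action rows behind, so a policy you believe is gone can still be partially present in the database.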

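As an added illustration of the jti echo described in the #322 section of this description (example code, not Hydra's own implementation), the block below models the server side of the check: Hydra generates a jti for the consent challenge, stores it in an encrypted cookie on its own domain, and later accepts a consent response only if the jti claim in that response matches the cookie. The challenge and response are reduced to their jti values; JWT signature verification, which happens separately, is out of scope here. The AES-GCM cookie encryption, the SHA-256 key derivation from COOKIE_SECRET / SYSTEM_SECRET and all function names are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// cookieKey derives a 32-byte AES key from the configured secret: COOKIE_SECRET
// if set, otherwise SYSTEM_SECRET (the fallback the PR describes). Hashing the
// secret with SHA-256 is this example's choice, not Hydra's.
func cookieKey(cookieSecret, systemSecret string) ([]byte, error) {
	secret := cookieSecret
	if secret == "" {
		secret = systemSecret
	}
	if secret == "" {
		return nil, errors.New("neither COOKIE_SECRET nor SYSTEM_SECRET is set")
	}
	sum := sha256.Sum256([]byte(secret))
	return sum[:], nil
}

// newJTI creates the random token ID placed in the consent challenge.
func newJTI() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// sealCookie encrypts the jti with AES-GCM. The cookie lives on Hydra's domain,
// so the consent app never handles the plaintext and cannot forge it.
func sealCookie(key []byte, jti string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// the nonce is prepended so openCookie can recover it
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(jti), nil)), nil
}

// openCookie reverses sealCookie and fails on any tampering.
func openCookie(key []byte, cookie string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("cookie too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// verifyConsentJTI is the check #322 introduces: the jti echoed in the consent
// response must equal the jti Hydra stored when it issued the challenge.
func verifyConsentJTI(key []byte, cookie, responseJTI string) error {
	expected, err := openCookie(key, cookie)
	if err != nil {
		return fmt.Errorf("consent cookie invalid: %w", err)
	}
	if responseJTI == "" {
		return errors.New("consent response carries no jti")
	}
	if subtle.ConstantTimeCompare([]byte(expected), []byte(responseJTI)) != 1 {
		return errors.New("consent response jti does not match the challenge")
	}
	return nil
}

func main() {
	key, _ := cookieKey("", "constructed-system-secret") // constructed secret
	jti, _ := newJTI()
	cookie, _ := sealCookie(key, jti)
	fmt.Println("echoed jti accepted:", verifyConsentJTI(key, cookie, jti) == nil)
	fmt.Println("foreign jti rejected:", verifyConsentJTI(key, cookie, "constructed-other-jti"))
}
```

The cookie binds a consent response to the browser session that started the challenge: a signed response captured from one session cannot be submitted from another, because the other session's cookie holds a different jti.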
@aeneasr aeneasr added bug Something is not working. feat New feature or request. labels Dec 19, 2016
@aeneasr aeneasr self-assigned this Dec 19, 2016
@aeneasr aeneasr changed the title 0.6.9 0.6.10 Dec 20, 2016
@aeneasr aeneasr changed the title 0.6.10 0.7.0 Dec 20, 2016
@aeneasr aeneasr added this to the 0.7.0: Stability improvements milestone Dec 20, 2016
@aeneasr aeneasr changed the title 0.7.0 0.7.0: SQL Migrate, Groups, Hardening Dec 23, 2016
@aeneasr aeneasr added the breaking change Changes behavior in a breaking manner. label Dec 26, 2016
@aeneasr
Member Author

aeneasr commented Dec 26, 2016

If you have open questions regarding this release, feel free to post them here.

@aeneasr
Member Author

aeneasr commented Dec 27, 2016

Currently, the group check ignores ladon.DenyAccess if one of the other groups has ladon.AllowAccess. Same goes for subjects. But the order should be deny > allow > none.

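To make the precedence in the comment above concrete, here is an added example (not ladon's or Hydra's code) that evaluates a subject together with its groups under both orderings: `decideAllowWins` reproduces the reported behaviour, where an allow from one group hides a deny from another, and `decideDenyOverrides` applies the intended deny > allow > none. The `Policy` type is a reduced stand-in for a ladon policy; only the `AllowAccess` and `DenyAccess` string values mirror ladon, and `NoMatch` is this example's own marker.

```go
package main

import "fmt"

// Effect is the outcome of a policy. AllowAccess and DenyAccess mirror ladon's
// values; NoMatch is this example's marker for "no policy applied".
type Effect string

const (
	AllowAccess Effect = "allow"
	DenyAccess  Effect = "deny"
	NoMatch     Effect = ""
)

// Policy is a reduced policy: the subjects or group names it applies to, and its effect.
type Policy struct {
	Subjects []string
	Effect   Effect
}

// matches reports whether the policy names the subject itself or any of its groups.
func matches(p Policy, subject string, groups []string) bool {
	for _, s := range p.Subjects {
		if s == subject {
			return true
		}
		for _, g := range groups {
			if s == g {
				return true
			}
		}
	}
	return false
}

// decideAllowWins reproduces the behaviour the comment reports as wrong:
// the first matching allow ends the evaluation, so a deny on another group
// or on the subject itself is never seen.
func decideAllowWins(policies []Policy, subject string, groups []string) Effect {
	result := NoMatch
	for _, p := range policies {
		if !matches(p, subject, groups) {
			continue
		}
		if p.Effect == AllowAccess {
			return AllowAccess
		}
		result = p.Effect
	}
	return result
}

// decideDenyOverrides applies the intended order deny > allow > none:
// a single matching deny settles the request; otherwise any allow allows;
// with no match the caller should treat the request as denied by default.
func decideDenyOverrides(policies []Policy, subject string, groups []string) Effect {
	result := NoMatch
	for _, p := range policies {
		if !matches(p, subject, groups) {
			continue
		}
		if p.Effect == DenyAccess {
			return DenyAccess
		}
		if p.Effect == AllowAccess {
			result = AllowAccess
		}
	}
	return result
}

// ConstructedPolicies is sample input made up for this example.
var ConstructedPolicies = []Policy{
	{Subjects: []string{"admins"}, Effect: AllowAccess},
	{Subjects: []string{"suspended"}, Effect: DenyAccess},
	{Subjects: []string{"dave"}, Effect: DenyAccess},
}

func main() {
	groups := []string{"admins", "suspended"}
	fmt.Println("allow-wins:    ", decideAllowWins(ConstructedPolicies, "alice", groups))
	fmt.Println("deny-overrides:", decideDenyOverrides(ConstructedPolicies, "alice", groups))
}
```

The difference matters because a deny policy is typically the emergency control (suspending a user or a group); under the allow-wins ordering, membership in any permissive group makes that control ineffective.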