This release improves production readiness by introducing better ways of dealing with secrets, certificates and debugging.
Feature spotlight
- System secrets must now be at least 16 bytes long (previously 32 bytes).
- Clients can be imported using the CLI command `hydra clients import`.
- The client secret can now be set using the CLI or the HTTP API. It must be at least 6 characters long.
- TLS over HTTP can now be configured to use a file or an environment variable instead of the internal key store. See `hydra help host` for more information.
Backwards Compatibility
This release contains a breaking change. The system secret is now generated using `sha256(secret)` instead of `secret`. This relaxes the length requirement on the secret: AES-GCM needs a 32-byte key, and a SHA-256 digest is always 32 bytes long.
Additionally, you must now provide the `offline` scope in order to receive OAuth2 refresh tokens.
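The keying change described above, as an added example that is not Hydra's own code: it derives the AES-GCM key as sha256(secret) and shows that data sealed with the raw secret as key no longer opens afterwards. The names `systemGCM`, `rawGCM`, `seal` and `open`, the sample secret, and the use of the raw 32-byte secret directly as the earlier AES key are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// systemGCM keys AES-GCM the way this release describes: key = sha256(secret).
func systemGCM(secret []byte) (cipher.AEAD, error) {
	if len(secret) < 16 { // minimum length from these release notes
		return nil, fmt.Errorf("system secret is %d bytes, need at least 16", len(secret))
	}
	key := sha256.Sum256(secret) // always 32 bytes; fixes the length, adds no entropy
	return rawGCM(key[:])
}

// rawGCM keys AES-GCM with the bytes as given (assumed keying before this release).
func rawGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts only 16, 24 or 32 byte keys
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce is prepended
}

func open(gcm cipher.AEAD, sealed []byte) ([]byte, error) {
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data shorter than the nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func main() {
	secret := []byte("constructed-sample-secret-32byte") // constructed, 32 bytes
	before, _ := rawGCM(secret)                          // keying before this release
	after, _ := systemGCM(secret)                        // keying from this release on
	sealed, _ := seal(before, []byte("stored before upgrade"))
	fmt.Println(open(after, sealed)) // authentication error: old data no longer opens
}
```

Because hashing does not add entropy, a 16-byte secret still gives at most 128 bits of key strength even though the derived key is 32 bytes long.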
List of changes
- cli: key is now sha256(secret) - closes #86
- client: creating clients with predefined credentials - closes #91
- client: always autogenerate secrets when using clients create
- cli: CLI should have `-dry` option to show what the HTTP request looks like - closes #99
- cli: fix issue where tls certificate is regenerated on boot - closes #93
- cli: allow passing of tls certificates via env vars or files - closes #88
- oauth2: add offline scope for refresh tokens - closes #97
- jwk: support for x5c certificate chains - closes #92
- all: minor changes - closes #89
- client: resolved that secrets can not be set when using http or cli #102