This release bumps Hydra to version 0.7.0. We expect this release to be the second-to-last release before the stable 1.0.0. Version 0.8.0 is anticipated to include #297.
This release includes the following changes:
- cmd: add configuration options for `hydra token user` #327
- warden: add group management and group based policy checks #68
- docs: improve 5 min tutorial
- sql: include a migration routine for databases #194
- oidc: at_hash / c_hash mismatch - closes #338
- policy: provide rest endpoint for policy updates - closes #305
This release includes the following breaking changes:
sql: deleting policies does not delete associated records with mysql driver #326
MySQL has a 12-year-old bug that ignores shorthand foreign key constraints in CREATE TABLE statements. Those were used in ladon, the library responsible for access control policies. This patch resolves the issue by replacing shorthand constraints with explicit indices. You will be able to run your existing database with this patch, but doing so will not resolve the bug described in #326 for tables that were created with the old schema. However, you can easily update the foreign key constraints manually in your database; the schema is here.
Postgres is not affected.
oauth2/consent: force jti echo in consent response #322
Previously, Hydra accepted signed consent tokens without requiring a JWT ID (`jti`) claim in the JWT payload. This was deemed secure enough, as expiry times are usually short and OAuth2 clients use random states. However, to make things more secure, the consent app now has to include the `jti` value from the consent challenge in the payload of the consent response. Hydra sets a cookie containing the JTI value when redirecting to the consent app and uses it to validate the consent response. The cookie is encrypted with a secret passphrase given by `COOKIE_SECRET` and, if none is given, falls back to `SYSTEM_SECRET`. We recommend using a dedicated `COOKIE_SECRET` in production.
Read more here.
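The exchange described above, as an added example that is not Hydra's own code: Hydra issues a challenge JWT carrying a `jti` and sets a cookie with the same `jti`; the consent app must echo that `jti` into its signed response; Hydra accepts the response only if the echoed `jti` matches the cookie. The example simplifies two things and labels them as assumptions: all tokens are HS256 JWTs under a single shared key (`consentKey`), and the cookie is HMAC-signed under a stand-in for `COOKIE_SECRET` rather than encrypted, which is enough to stop a forged cookie but is not what Hydra does. All keys and `jti` values are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed stand-ins for Hydra's secrets (assumption, not Hydra's real keys):
// cookieSecret plays COOKIE_SECRET and protects the jti cookie; consentKey is a
// hypothetical HS256 key shared with the consent app.
var (
	cookieSecret = []byte("constructed-cookie-secret-do-not-reuse")
	consentKey   = []byte("constructed-consent-app-shared-secret")
	enc          = base64.RawURLEncoding
)

// consentClaims is the part of the JWT payload this example cares about.
type consentClaims struct {
	JTI string `json:"jti,omitempty"`
	Sub string `json:"sub,omitempty"`
}

// signJWT builds a minimal HS256 JWT: b64url(header).b64url(payload).b64url(mac).
func signJWT(key []byte, c consentClaims) string {
	header := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	input := header + "." + enc.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + enc.EncodeToString(mac.Sum(nil))
}

// parseJWT verifies the HS256 signature in constant time, then decodes the payload.
func parseJWT(key []byte, token string) (consentClaims, error) {
	var c consentClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, serr := enc.DecodeString(parts[2])
	body, berr := enc.DecodeString(parts[1])
	if serr != nil || berr != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return c, errors.New("bad signature")
	}
	return c, json.Unmarshal(body, &c)
}

// IssueChallenge (Hydra side): the challenge JWT carries the jti, and the same
// jti is bound to the browser session in a cookie signed under cookieSecret.
func IssueChallenge(jti string) (challenge, cookie string) {
	return signJWT(consentKey, consentClaims{JTI: jti}), signJWT(cookieSecret, consentClaims{JTI: jti})
}

// RespondToChallenge (consent app side): echo the challenge's jti into the response.
func RespondToChallenge(challenge, subject string) (string, error) {
	c, err := parseJWT(consentKey, challenge)
	if err != nil {
		return "", err
	}
	return signJWT(consentKey, consentClaims{JTI: c.JTI, Sub: subject}), nil
}

// VerifyConsent (Hydra side): the response is accepted only if both the cookie
// and the response carry valid signatures AND the response's jti equals the one
// stored in the cookie when the challenge was issued. A response without a jti,
// or one produced for a different challenge, is rejected.
func VerifyConsent(cookie, response string) (string, error) {
	expected, err := parseJWT(cookieSecret, cookie)
	if err != nil {
		return "", errors.New("cookie rejected: " + err.Error())
	}
	c, err := parseJWT(consentKey, response)
	if err != nil {
		return "", err
	}
	if c.JTI == "" || c.JTI != expected.JTI {
		return "", fmt.Errorf("jti %q does not match challenge %q", c.JTI, expected.JTI)
	}
	return c.Sub, nil
}

func main() {
	challenge, cookie := IssueChallenge("jti-constructed-1")
	response, _ := RespondToChallenge(challenge, "alice")
	fmt.Println(VerifyConsent(cookie, response)) // alice <nil>
	// The same response presented against another challenge's cookie is rejected.
	_, otherCookie := IssueChallenge("jti-constructed-2")
	fmt.Println(VerifyConsent(otherCookie, response)) // "" and a jti mismatch error
}
```

The check that matters is the last `if` in `VerifyConsent`: signature validity alone was the pre-0.7.0 behaviour, and the `jti` comparison is what ties a consent response to the specific challenge Hydra issued for that browser session.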
policy: provide rest endpoint for policy updates - closes #305
The policy management commands for the CLI have changed, as `hydra policy <action|resource|subject> delete` has been renamed to `hydra policy <action|resource|subject> remove`.