oauth2: Resolve refresh flow issues with audience, scope (ory#1156)
Closes ory#1153
aeneasr authored Nov 5, 2018
1 parent 4a8cf84 commit ccc34de
Showing 3 changed files with 31 additions and 16 deletions.
44 changes: 29 additions & 15 deletions UPGRADE.md
Expand Up @@ -105,11 +105,36 @@ before finalizing the upgrade process.

## 1.0.0-rc.1

### Customise login and consent flow timeout
### Non-breaking Changes

#### Access Token Audience

This patch adds the access token audience feature. For more information on this, head over to [the docs](https://www.ory.sh/docs/guides/master/hydra/6-how-to/3-advanced.html).

#### Refresh Grant

Previously, the refresh grant did not check whether a client's allowed scope or audience changed. This has now been added.
If an OAuth 2.0 Client performs the refresh flow but the requested token includes a scope which has not been whitelisted
at the client, the flow will fail and no refresh token will be granted.

#### Customise login and consent flow timeout

You can now set the login and consent flow timeout using environment variable `LOGIN_CONSENT_REQUEST_LIFESPAN`.

### JSON Web Token formatted Access Token data
#### Schema Changes

This patch introduces database schema changes. Before you apply it, you must run `hydra migrate sql` against
your database.

In order to [resolve table locking](https://github.com/ory/hydra/issues/1067) during the refresh token flow, the following indices were added:
- Unique index on the `request_id` column in the `hydra_oauth2_access` & `hydra_oauth2_refresh` tables

In order to [resolve table locking](https://github.com/ory/hydra/issues/1067) when flushing expired tokens, the following index was added:
- Index on the `requested_at` column in the `hydra_oauth2_access` table

### Breaking Changes

#### JSON Web Token formatted Access Token data

Previously, extra fields coming from `session.access_token` where directly embedded in the OAuth 2.0 Access Token when
the JSON Web Token strategy was used. However, the token introspection response returned the extra data as a field `ext: {...}`.
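Review bot: the Refresh Grant paragraph added under Non-breaking Changes spells out only the scope case ("a scope which has not been whitelisted at the client"), although the commit title and the paragraph's first sentence also cover audience; add the parallel statement that a refresh request whose token carries an audience no longer allowed for the client is rejected the same way, so operators know which failing refreshes to expect after upgrading. The Schema Changes subsection in the same hunk requires `hydra migrate sql` before the new version is started, which is an operational hard requirement rather than a non-breaking change; either keep it under Breaking Changes or call it out at the top of the 1.0.0-rc.1 entry. Minor: the unchanged context line `Previously, extra fields coming from \`session.access_token\` where directly embedded` should read `were`.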
Expand All @@ -119,26 +144,15 @@ Tokens formatted as JSON Web Tokens.

This change does not impact the opaque strategy, which is the default one.

### CLI Changes
#### CLI Changes

Flags `https-tls-key-path` and `https-tls-cert-path` have been removed from the `hydra serve *` commands.
Use environment variables `HTTPS_TLS_CERT_PATH` and `HTTPS_TLS_KEY_PATH` instead.

### API Changes
#### API Changes

Endpoint `/health/status`, which redirected to `/health/alive` and was deprecated has been removed.

### Schema Changes

This patch introduces database schema changes. Before you apply it, you must run `hydra migrate sql` against
your database.

In order to [resolve table locking](https://github.com/ory/hydra/issues/1067) during the refresh token flow, the following indices were added:
- Unique index on the `request_id` column in the `hydra_oauth2_access` & `hydra_oauth2_refresh` tables

In order to [resolve table locking](https://github.com/ory/hydra/issues/1067) when flushing expired tokens, the following index was added:
- Index on the `requested_at` column in the `hydra_oauth2_access` table

## 1.0.0-beta.9

### CORS is disabled by default
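Review bot: this hunk removes the Schema Changes block from Breaking Changes (it is re-added further up under Non-breaking Changes); since a mandatory migration step is exactly what operators look for under Breaking Changes, confirm the relocation is intended or leave a one-line pointer here. Style: `Endpoint \`/health/status\`, which redirected to \`/health/alive\` and was deprecated has been removed.` needs a comma after `deprecated` to close the relative clause.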
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -19,7 +19,7 @@ require (
github.com/oleiade/reflections v1.0.0
github.com/opentracing/opentracing-go v1.0.2
github.com/ory/dockertest v3.3.2+incompatible
github.com/ory/fosite v0.27.0
github.com/ory/fosite v0.27.1
github.com/ory/go-convenience v0.1.0
github.com/ory/graceful v0.1.0
github.com/ory/herodot v0.4.1
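Review bot: the bump from fosite v0.27.0 to v0.27.1 is the only functional change in this commit, so the refresh-grant scope/audience check described in UPGRADE.md must come from that upstream release; reference the fosite change (release or pull request) in the commit message or the UPGRADE.md entry so a reviewer can trace which upstream fix is being pulled in rather than inferring it from the version number.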
1 change: 1 addition & 0 deletions go.sum
Expand Up @@ -144,6 +144,7 @@ github.com/ory/fosite v0.26.2-0.20181031085642-e2441d231a19 h1:8jQrkb3nO4nG5Dzpb
github.com/ory/fosite v0.26.2-0.20181031085642-e2441d231a19/go.mod h1:uttCRNB0lM7+BJFX7CC8Bqo9gAPrcpmA9Ezc80Trwuw=
github.com/ory/fosite v0.27.0 h1:QYHW+asgRRIw5uk8a42/VpiwMQqQMPwZ4TP4xKNIMEA=
github.com/ory/fosite v0.27.0/go.mod h1:uttCRNB0lM7+BJFX7CC8Bqo9gAPrcpmA9Ezc80Trwuw=
github.com/ory/fosite v0.27.1/go.mod h1:uttCRNB0lM7+BJFX7CC8Bqo9gAPrcpmA9Ezc80Trwuw=
github.com/ory/go-convenience v0.1.0 h1:zouLKfF2GoSGnJwGq+PE/nJAE6dj2Zj5QlTgmMTsTS8=
github.com/ory/go-convenience v0.1.0/go.mod h1:uEY/a60PL5c12nYz4V5cHY03IBmwIAEm8TWB0yn9KNs=
github.com/ory/graceful v0.1.0 h1:zilpYtcR5vp4GubV4bN2GFJewHaSkMFnnRiJxyH8FAc=
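Review bot: only the `/go.mod` hash line is added for fosite v0.27.1; the module content line (`github.com/ory/fosite v0.27.1 h1:...`) is missing, whereas v0.27.0 directly above has both entries. Run `go mod tidy` (or a full `go build`) and commit the resulting pair so the content hash of the dependency that carries this security fix is pinned in go.sum; while at it, tidy can drop the now-unused v0.26.2 and v0.27.0 entries.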