This is a list of breaking changes. As long as `1.0.0` is not released, breaking changes will be addressed as minor version bumps (`0.1.0` -> `0.2.0`).
- 0.15.0
- 0.14.0
- 0.13.0
- 0.12.0
- 0.11.0
  - Non-breaking changes
  - Breaking Changes
    - `fosite/handler/oauth2.AuthorizeCodeGrantStorage` was removed
    - `fosite/handler/oauth2.RefreshTokenGrantStorage` was removed
    - WildcardScopeStrategy
    - Refresh tokens and authorize codes are no longer JWTs
    - Delete access tokens when persisting refresh session
- 0.10.0
- 0.9.0
- 0.8.0
- 0.7.0
- 0.6.0
- 0.5.0
- 0.4.0
- 0.3.0
- 0.2.0
- 0.1.0
## 0.15.0

This patch introduces `SendDebugMessagesToClients` to the Fosite struct, which enables/disables sending debug information to clients. Debug information may contain sensitive information as it forwards error messages from, for example, storage implementations, and a raw database error string can reveal internal details such as table names or hostnames. For this reason, `RevealDebugPayloads` defaults to false. Keep in mind that the information may be very helpful when specific OAuth 2.0 requests fail and we generally recommend displaying debug information; treat the flag as a per-deployment decision and review what your storage backend puts into its error messages before enabling it in production.

Additionally, error keys for JSON changed, which caused a new minor version: specifically, `statusCode` was changed to `status_code`.
## 0.14.0

This release focuses on improving compatibility with OpenID Connect Certification and better error context.

- Error handling is improved by explicitly adding debug information (e.g. "Token invalid because it was not found in the database") to the error object. Previously, the original error was prepended, which caused weird formatting issues.
- Allows client credentials in the POST body at the `/oauth2/token` endpoint. Please note that this method is not recommended (RFC 6749, section 2.3.1) unless the client making the request is unable to use HTTP Basic authentication.
- Allows public clients (without secret) to access the `/oauth2/token` endpoint, which was previously only possible by adding an arbitrary secret.

This release has no breaking changes to the external API, but due to the nature of the changes it is released as a new minor version rather than a patch release.
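The two client-authentication points above (POST-body credentials as a fallback to HTTP Basic, and public clients authenticating with `client_id` alone instead of a made-up secret) as a worked example. This is added illustration code, not fosite's implementation: the `Client` record, the `registry` map, `extractClientCredentials`, `authenticateClient` and `newTokenRequest` are all hypothetical names, and secrets are kept in plaintext only to keep the example short.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Client is a hypothetical registered-client record, not fosite's Client type.
// Public clients have no secret; confidential clients must prove theirs.
type Client struct {
	ID     string
	Secret string // plaintext only to keep the example short; a real store keeps a hash
	Public bool
}

// ErrInvalidClient is returned for every failure so the response does not
// reveal whether the client_id exists or only the secret was wrong.
var ErrInvalidClient = errors.New("invalid_client")

// extractClientCredentials returns client_id, client_secret (empty if absent)
// and the method used. HTTP Basic wins; the POST body is consulted only when
// no Authorization header is present.
func extractClientCredentials(r *http.Request) (string, string, string, error) {
	if id, secret, ok := r.BasicAuth(); ok {
		// RFC 6749 section 2.3.1: both values are form-urlencoded before base64.
		uid, err := url.QueryUnescape(id)
		if err != nil {
			return "", "", "", ErrInvalidClient
		}
		usecret, err := url.QueryUnescape(secret)
		if err != nil {
			return "", "", "", ErrInvalidClient
		}
		return uid, usecret, "basic", nil
	}
	if err := r.ParseForm(); err != nil {
		return "", "", "", ErrInvalidClient
	}
	id := r.PostForm.Get("client_id")
	if id == "" {
		return "", "", "", ErrInvalidClient
	}
	return id, r.PostForm.Get("client_secret"), "post", nil
}

// authenticateClient applies the 0.14.0 rule: a confidential client must
// present its secret (via Basic or body); a public client authenticates with
// client_id alone instead of an arbitrary secret.
func authenticateClient(registry map[string]Client, r *http.Request) (Client, string, error) {
	id, secret, method, err := extractClientCredentials(r)
	if err != nil {
		return Client{}, "", err
	}
	c, ok := registry[id]
	if !ok {
		return Client{}, "", ErrInvalidClient
	}
	if c.Public {
		// Design choice for this example: a public client has nothing to verify a
		// secret against, so a presented secret is treated as a misconfiguration.
		if secret != "" {
			return Client{}, "", ErrInvalidClient
		}
		return c, method, nil
	}
	if subtle.ConstantTimeCompare([]byte(c.Secret), []byte(secret)) != 1 {
		return Client{}, "", ErrInvalidClient
	}
	return c, method, nil
}

// newTokenRequest builds a constructed POST /oauth2/token request for the demo.
func newTokenRequest(basicID, basicSecret string, form url.Values) *http.Request {
	req, _ := http.NewRequest(http.MethodPost, "/oauth2/token", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if basicID != "" {
		req.SetBasicAuth(url.QueryEscape(basicID), url.QueryEscape(basicSecret))
	}
	return req
}

func main() {
	registry := map[string]Client{
		"web-app":    {ID: "web-app", Secret: "s3cret"},
		"mobile-app": {ID: "mobile-app", Public: true},
	}
	for _, req := range []*http.Request{
		newTokenRequest("web-app", "s3cret", url.Values{"grant_type": {"client_credentials"}}),
		newTokenRequest("", "", url.Values{"client_id": {"web-app"}, "client_secret": {"s3cret"}}),
		newTokenRequest("", "", url.Values{"client_id": {"mobile-app"}}),
		newTokenRequest("", "", url.Values{"client_id": {"web-app"}}),
	} {
		c, method, err := authenticateClient(registry, req)
		fmt.Printf("client=%q method=%q public=%v err=%v\n", c.ID, method, c.Public, err)
	}
}
```

The single `invalid_client` error for every failure path is deliberate: distinguishing "unknown client" from "wrong secret" would let an attacker enumerate registered client IDs.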
## 0.13.0

Improves error contexts. A breaking code change to the public API was reverted with 0.14.1.
## 0.12.0

`glide` was replaced with `dep`.
## 0.11.0

### Non-breaking changes

- The minimum required secret length used to generate signatures of access tokens has increased from 16 to 32 bytes.
- The algorithm used to generate access tokens using the HMAC-SHA strategy has changed from HMAC-SHA256 to HMAC-SHA512.
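The two changes above in working form: an opaque-token strategy that refuses secrets shorter than 32 bytes and signs the random token part with HMAC-SHA512, verifying in constant time before any storage lookup. This is added example code modelled on the idea behind an HMAC token strategy, not fosite's `HMACSHAStrategy`; `HMACStrategy`, `NewHMACStrategy`, `Generate`, `Validate` and the 32-byte demo secret are all constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// MinSecretLen matches the new 0.11.0 minimum of 32 bytes.
const MinSecretLen = 32

var (
	ErrSecretTooShort = errors.New("hmac secret must be at least 32 bytes")
	ErrMalformedToken = errors.New("malformed token")
	ErrBadSignature   = errors.New("token signature mismatch")
)

// HMACStrategy issues opaque tokens "<random>.<signature>" where signature is
// HMAC-SHA512(secret, random). Example code, not fosite's implementation.
type HMACStrategy struct {
	secret  []byte
	entropy int // random bytes per token
}

func NewHMACStrategy(secret []byte, entropy int) (*HMACStrategy, error) {
	if len(secret) < MinSecretLen {
		return nil, ErrSecretTooShort
	}
	if entropy < 16 {
		return nil, errors.New("token entropy too low")
	}
	return &HMACStrategy{secret: secret, entropy: entropy}, nil
}

func (s *HMACStrategy) sign(key []byte) []byte {
	mac := hmac.New(sha512.New, s.secret)
	mac.Write(key)
	return mac.Sum(nil)
}

// Generate returns the full token for the client and the signature alone,
// which is the only part the server needs to persist and look up.
func (s *HMACStrategy) Generate() (string, string, error) {
	key := make([]byte, s.entropy)
	if _, err := rand.Read(key); err != nil {
		return "", "", err
	}
	enc := base64.RawURLEncoding
	sig := enc.EncodeToString(s.sign(key))
	return enc.EncodeToString(key) + "." + sig, sig, nil
}

// Validate recomputes the MAC and compares it in constant time before any
// storage lookup, so a forged token never reaches the database.
func (s *HMACStrategy) Validate(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return "", ErrMalformedToken
	}
	enc := base64.RawURLEncoding
	key, err := enc.DecodeString(parts[0])
	if err != nil {
		return "", ErrMalformedToken
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return "", ErrMalformedToken
	}
	if !hmac.Equal(s.sign(key), sig) {
		return "", ErrBadSignature
	}
	return parts[1], nil
}

func main() {
	secret := []byte("0123456789abcdef0123456789abcdef") // 32 bytes, constructed for the demo
	s, err := NewHMACStrategy(secret, 32)
	if err != nil {
		panic(err)
	}
	token, sig, _ := s.Generate()
	fmt.Println("token:    ", token)
	fmt.Println("signature:", sig)
	if _, err := s.Validate(token); err == nil {
		fmt.Println("valid")
	}
	_, err = NewHMACStrategy([]byte("only-sixteen-byt"), 32)
	fmt.Println("16-byte secret:", err)
}
```

Only the signature half is stored; a database dump therefore does not yield usable tokens, because the random half is never persisted and cannot be derived from the MAC.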
To simplify the storage adapter logic, and also reduce the likelihood of bugs within the storage adapter, the interface was greatly simplified. Specifically, these two methods have been removed:

```go
PersistRefreshTokenGrantSession(ctx context.Context, requestRefreshSignature, accessSignature, refreshSignature string, request fosite.Requester) error
PersistAuthorizeCodeGrantSession(ctx context.Context, authorizeCode, accessSignature, refreshSignature string, request fosite.Requester) error
```

For this change, you don't need to do anything. You can, however, simply delete those two methods from your store.

In the long term, fosite should remove all gomocks and instead test against the internal implementations. This will exercise more real code per test and reduce annoying mock updates.
### Breaking Changes

#### `fosite/handler/oauth2.AuthorizeCodeGrantStorage` was removed

`AuthorizeCodeGrantStorage` was used specifically in the composer. Refactor references to `AuthorizeCodeGrantStorage` with `CoreStorage`.

#### `fosite/handler/oauth2.RefreshTokenGrantStorage` was removed

`RefreshTokenGrantStorage` was used specifically in the composer. Refactor references to `RefreshTokenGrantStorage` with `CoreStorage`.
#### WildcardScopeStrategy

A new scope strategy was introduced called `WildcardScopeStrategy`. This strategy is now the default when using the composer. To set the `HierarchicScopeStrategy` strategy, do:

```go
import (
	"github.com/ory/fosite"
	"github.com/ory/fosite/compose"
)

var config = &compose.Config{
	ScopeStrategy: fosite.HierarchicScopeStrategy,
}
```
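Why the default matters in practice: the two strategies answer "does the client's registered scope list cover this requested scope?" differently, and that is exactly the check that decides whether a client registered for `photos` may ask for `photos.delete`. The block below is an added model of both strategies written for this page; it is not fosite's code and deliberately skips fosite's special cases. `HierarchicScopeStrategy`, `WildcardScopeStrategy`, `grantedScopes` and the sample scope lists are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// ScopeStrategy reports whether a requested scope (needle) is covered by the
// scopes registered for the client (haystack). Model code for this example.
type ScopeStrategy func(haystack []string, needle string) bool

// HierarchicScopeStrategy: a registered scope covers itself and everything
// beneath it, so "photos" covers "photos.delete" ("photos.read" does not cover "photos").
func HierarchicScopeStrategy(haystack []string, needle string) bool {
	needleParts := strings.Split(needle, ".")
	for _, have := range haystack {
		haveParts := strings.Split(have, ".")
		if len(haveParts) > len(needleParts) {
			continue
		}
		matched := true
		for i, p := range haveParts {
			if p != needleParts[i] {
				matched = false
				break
			}
		}
		if matched {
			return true
		}
	}
	return false
}

// WildcardScopeStrategy: a registered scope covers only itself unless it spells
// out a wildcard. "photos.*" covers "photos.delete" and "photos.a.b" but not
// "photos"; "*" covers everything.
func WildcardScopeStrategy(haystack []string, needle string) bool {
	needleParts := strings.Split(needle, ".")
	for _, have := range haystack {
		haveParts := strings.Split(have, ".")
		if len(haveParts) > len(needleParts) {
			continue
		}
		matched := true
		for i, p := range haveParts {
			last := i == len(haveParts)-1
			if p == "*" {
				continue // one segment, or the whole remainder when it is the last segment
			}
			if p != needleParts[i] || (last && len(haveParts) != len(needleParts)) {
				matched = false
				break
			}
		}
		if matched {
			return true
		}
	}
	return false
}

// grantedScopes splits a client's request into the scopes the strategy allows
// and those it rejects; the rejected list is what an invalid_scope error reports.
func grantedScopes(strategy ScopeStrategy, allowed, requested []string) (granted, rejected []string) {
	for _, scope := range requested {
		if strategy(allowed, scope) {
			granted = append(granted, scope)
		} else {
			rejected = append(rejected, scope)
		}
	}
	return granted, rejected
}

func main() {
	allowed := []string{"photos", "profile.read"} // constructed client registration
	requested := []string{"photos", "photos.delete", "profile", "profile.read"}
	for name, strategy := range map[string]ScopeStrategy{"hierarchic": HierarchicScopeStrategy, "wildcard": WildcardScopeStrategy} {
		g, r := grantedScopes(strategy, allowed, requested)
		fmt.Printf("%-10s granted=%v rejected=%v\n", name, g, r)
	}
}
```

With the wildcard default, an existing client registered as `photos` silently loses access to `photos.delete` after the upgrade; re-register it as `photos.*` if that was intended, or pin `HierarchicScopeStrategy` as shown above.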
#### Refresh tokens and authorize codes are no longer JWTs

Using JWTs for refresh tokens and authorize codes did not make sense:

- Refresh tokens are long-living credentials; JWTs require an expiry date.
- Refresh tokens are never validated client-side, only server-side. Thus access to the store is available.
- Authorize codes are never validated client-side, only server-side.

Also, one compose method changed due to this:

```diff
package compose

// ..
- func NewOAuth2JWTStrategy(key *rsa.PrivateKey) *oauth2.RS256JWTStrategy
+ func NewOAuth2JWTStrategy(key *rsa.PrivateKey, strategy *oauth2.HMACSHAStrategy) *oauth2.RS256JWTStrategy
```
#### Delete access tokens when persisting refresh session

Please delete access tokens in your store when you persist a refresh session. This increases security. Here is an example of how to do that using only existing methods:

```go
func (s *MemoryStore) PersistRefreshTokenGrantSession(ctx context.Context, originalRefreshSignature, accessSignature, refreshSignature string, request fosite.Requester) error {
	if ts, err := s.GetRefreshTokenSession(ctx, originalRefreshSignature, nil); err != nil {
		return err
	} else if err := s.RevokeAccessToken(ctx, ts.GetID()); err != nil {
		return err
	} else if err := s.RevokeRefreshToken(ctx, ts.GetID()); err != nil {
		return err
	} else if err := s.CreateAccessTokenSession(ctx, accessSignature, request); err != nil {
		return err
	} else if err := s.CreateRefreshTokenSession(ctx, refreshSignature, request); err != nil {
		return err
	}
	return nil
}
```
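The snippet above only works if the store's revoke methods really remove every token issued for the grant, and the security gain is that an already-leaked access token dies when the refresh token is rotated and the old refresh token cannot be replayed. The following added, self-contained model shows that behaviour end to end. It is example code, not fosite's `storage.MemoryStore`: the `Requester` interface is cut down to `GetID()`, and `MemoryStore`, `grant`, `HasAccessToken` and `HasRefreshToken` are assumptions made for the demonstration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
)

// Requester is the minimum this example needs from a request: the ID of the
// original grant, shared by every token issued for it.
type Requester interface{ GetID() string }

type grant struct{ id string }

func (g grant) GetID() string { return g.id }

var ErrNotFound = errors.New("token not found")

// MemoryStore is a hypothetical in-memory store keyed by token signature,
// which is what an HMAC strategy persists. Not fosite's MemoryStore.
type MemoryStore struct {
	mu            sync.Mutex
	accessTokens  map[string]Requester
	refreshTokens map[string]Requester
}

func NewMemoryStore() *MemoryStore {
	return &MemoryStore{accessTokens: map[string]Requester{}, refreshTokens: map[string]Requester{}}
}

func (s *MemoryStore) CreateAccessTokenSession(_ context.Context, sig string, r Requester) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.accessTokens[sig] = r
	return nil
}

func (s *MemoryStore) CreateRefreshTokenSession(_ context.Context, sig string, r Requester) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.refreshTokens[sig] = r
	return nil
}

func (s *MemoryStore) GetRefreshTokenSession(_ context.Context, sig string, _ interface{}) (Requester, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	r, ok := s.refreshTokens[sig]
	if !ok {
		return nil, ErrNotFound
	}
	return r, nil
}

// RevokeAccessToken drops every access token issued for the grant, not just one
// signature, so a leaked access token cannot outlive the refresh that replaced it.
func (s *MemoryStore) RevokeAccessToken(_ context.Context, requestID string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	for sig, r := range s.accessTokens {
		if r.GetID() == requestID {
			delete(s.accessTokens, sig)
		}
	}
	return nil
}

func (s *MemoryStore) RevokeRefreshToken(_ context.Context, requestID string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	for sig, r := range s.refreshTokens {
		if r.GetID() == requestID {
			delete(s.refreshTokens, sig)
		}
	}
	return nil
}

// PersistRefreshTokenGrantSession follows the changelog's sequence: look up the
// old refresh token, revoke everything issued for its grant, store the new pair.
func (s *MemoryStore) PersistRefreshTokenGrantSession(ctx context.Context, originalRefreshSignature, accessSignature, refreshSignature string, request Requester) error {
	ts, err := s.GetRefreshTokenSession(ctx, originalRefreshSignature, nil)
	if err != nil {
		return err // unknown or already-rotated refresh token: replay is refused here
	}
	if err := s.RevokeAccessToken(ctx, ts.GetID()); err != nil {
		return err
	}
	if err := s.RevokeRefreshToken(ctx, ts.GetID()); err != nil {
		return err
	}
	if err := s.CreateAccessTokenSession(ctx, accessSignature, request); err != nil {
		return err
	}
	return s.CreateRefreshTokenSession(ctx, refreshSignature, request)
}

func (s *MemoryStore) HasAccessToken(sig string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, ok := s.accessTokens[sig]
	return ok
}

func (s *MemoryStore) HasRefreshToken(sig string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, ok := s.refreshTokens[sig]
	return ok
}

func main() {
	ctx, s, g := context.Background(), NewMemoryStore(), grant{id: "req-1"}
	_ = s.CreateAccessTokenSession(ctx, "access-1", g)
	_ = s.CreateRefreshTokenSession(ctx, "refresh-1", g)
	fmt.Println("rotate:", s.PersistRefreshTokenGrantSession(ctx, "refresh-1", "access-2", "refresh-2", g))
	fmt.Println("old access token still valid:", s.HasAccessToken("access-1"))
	fmt.Println("replay of old refresh token:", s.PersistRefreshTokenGrantSession(ctx, "refresh-1", "access-3", "refresh-3", g))
}
```

In a SQL-backed store the same sequence should run inside one transaction: if the process dies between the revoke and the create, the user is logged out rather than left with two live refresh tokens.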
## 0.10.0

It is no longer possible to introspect authorize codes, and passing scopes to the introspector now also checks refresh token scopes.
## 0.9.0

This patch adds the ability to pass a custom hasher to `compose.Compose`, which is a breaking change. You can pass `nil` for the fosite default hasher:

```diff
package compose

-func Compose(config *Config, storage interface{}, strategy interface{}, factories ...Factory) fosite.OAuth2Provider {
+func Compose(config *Config, storage interface{}, strategy interface{}, hasher fosite.Hasher, factories ...Factory) fosite.OAuth2Provider {
```
## 0.8.0

This patch addresses some inconsistencies in the public interfaces. Also, remaining references to the old repository location at `ory-am/fosite` were updated to `ory/fosite`.

The `ClientManager` interface changed, as a context parameter was added:

```diff
type ClientManager interface {
	// GetClient loads the client by its ID or returns an error
	// if the client does not exist or another error occurred.
-	GetClient(id string) (Client, error)
+	GetClient(ctx context.Context, id string) (Client, error)
}
```

The `OAuth2Provider` interface changed, as the need for passing down `*http.Request` was removed. This is justifiable because `NewAuthorizeRequest` and `NewAccessRequest` already contain `*http.Request`.

The public API of those two methods changed:

```diff
- NewAuthorizeResponse(ctx context.Context, req *http.Request, requester AuthorizeRequester, session Session) (AuthorizeResponder, error)
+ NewAuthorizeResponse(ctx context.Context, requester AuthorizeRequester, session Session) (AuthorizeResponder, error)
- NewAccessResponse(ctx context.Context, req *http.Request, requester AccessRequester) (AccessResponder, error)
+ NewAccessResponse(ctx context.Context, requester AccessRequester) (AccessResponder, error)
```
## 0.7.0

Breaking changes:

- Replaced `"golang.org/x/net/context"` with `"context"`.
- Move the repo from `github.com/ory-am/fosite` to `github.com/ory/fosite`
## 0.6.0

A bug related to refresh tokens was found. To mitigate it, a `Clone()` method has been introduced to the `fosite.Session` interface.

If you use a custom session object, this will be a breaking change. Fosite's default sessions have been upgraded and no additional work should be required. If you use your own session struct, we encourage using package `encoding/gob` to deep-copy it in `Clone()`: a plain struct copy still shares its maps and slices with the original, so a mutation of one session shows up in the other.
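A `Clone()` built the way the paragraph suggests, next to the shallow copy it replaces. This is an added example with a hypothetical `MySession` struct and a cut-down `Session` interface; it is not fosite's `DefaultSession`, and the field names are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"encoding/gob"
	"fmt"
	"time"
)

// Session is only the part of the interface this example needs; fosite's
// fosite.Session has further methods.
type Session interface {
	Clone() Session
}

// MySession is a hypothetical custom session. Fields must be exported for
// encoding/gob to copy them; unexported fields are silently dropped.
type MySession struct {
	Subject   string
	ExpiresAt map[string]time.Time // token type -> expiry
	Extra     map[string]string
	Audience  []string
}

// Clone deep-copies the session by round-tripping it through encoding/gob, so
// the copy owns its own maps and slices. Everything stored in the session must
// be gob-encodable (register concrete types held behind interfaces with
// gob.Register), and gob omits empty maps and slices, which come back as nil.
func (s *MySession) Clone() Session {
	if s == nil {
		return nil
	}
	var buf bytes.Buffer
	if err := gob.NewEncoder(&buf).Encode(s); err != nil {
		panic(fmt.Sprintf("session is not gob-encodable: %v", err))
	}
	var out MySession
	if err := gob.NewDecoder(&buf).Decode(&out); err != nil {
		panic(err)
	}
	return &out
}

// ShallowClone is the bug the changelog guards against: the struct is copied,
// but the map and slice headers still point at the original's memory, so
// mutating one session also changes the other.
func (s *MySession) ShallowClone() *MySession {
	c := *s
	return &c
}

func main() {
	orig := &MySession{ // constructed sample session
		Subject:   "alice",
		ExpiresAt: map[string]time.Time{"access_token": time.Unix(1700000000, 0).UTC()},
		Extra:     map[string]string{"role": "user"},
		Audience:  []string{"api"},
	}
	deep := orig.Clone().(*MySession)
	deep.Extra["role"] = "admin"
	fmt.Println("after mutating the deep clone, original role:", orig.Extra["role"])
	shallow := orig.ShallowClone()
	shallow.Extra["role"] = "admin"
	fmt.Println("after mutating the shallow copy, original role:", orig.Extra["role"])
}
```

The gob round trip is slower than a hand-written copy, but it cannot go stale when a field is added to the struct, which is the failure mode a hand-written `Clone()` invites.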
## 0.5.0

Breaking changes:

- `compose.OpenIDConnectExplicit` is now `compose.OpenIDConnectExplicitFactory`
- `compose.OpenIDConnectImplicit` is now `compose.OpenIDConnectImplicitFactory`
- `compose.OpenIDConnectHybrid` is now `compose.OpenIDConnectHybridFactory`
- The token introspection handler is no longer added automatically by `compose.OAuth2*`. Add `compose.OAuth2TokenIntrospectionFactory` to your composer if you need token introspection.
- Session refactor:
  - The HMACSessionContainer was removed and replaced by `fosite.Session` / `fosite.DefaultSession`. All sessions must now implement this signature. The new session interface allows for better expiration time handling.
  - The OpenID `DefaultSession` signature changed as well; it now implements the `fosite.Session` interface.
## 0.4.0

Breaking changes:

- `./fosite-example` is now a separate repository: https://github.com/ory-am/fosite-example
- `github.com/ory-am/fosite/fosite-example/pkg.Store` is now `github.com/ory-am/fosite/storage.MemoryStore`
- `fosite.Client` has a new method called `IsPublic()` which can be used to identify public clients that do not have a client secret.
- All grant types except the client_credentials grant now allow public clients. Public clients are usually mobile apps and single page apps.
- `TokenValidator` is now `TokenIntrospector`, `TokenValidationHandlers` is now `TokenIntrospectionHandlers`.
- `TokenValidator.ValidateToken` is now `TokenIntrospector.IntrospectToken`
- `fosite.OAuth2Provider.NewIntrospectionRequest()` has been added
- `fosite.OAuth2Provider.WriteIntrospectionError()` has been added
- `fosite.OAuth2Provider.WriteIntrospectionResponse()` has been added
## 0.3.0

- Updated jwt-go from 2.7.0 to 3.0.0
## 0.2.0

Breaking changes:

- Token validation refactored: `ValidateRequestAuthorization` is now `Validate` and does not require an HTTP request but instead a token and a token hint. A token can be anything, including authorization codes, refresh tokens, ID tokens, ...
- Remove mandatory scope: The mandatory scope (`fosite`) has been removed as it has proven impractical.
- Allowed OAuth2 Client scopes are now being set with `scope` instead of `granted_scopes` when using the DefaultClient.
- There is now a scope matching strategy that can be replaced.
- OAuth2 Client scopes are now checked on every grant type.
- Handler subpackages such as `core/client` or `oidc/explicit` have been merged and moved one level up:
  - `handler/oidc` is now `handler/openid`
  - `handler/core` is now `handler/oauth2`
## 0.1.0

Initial release