ProgrammingLab / prolab-accounts

Member introductions, authentication infrastructure
MIT License

Bump github.com/ory/hydra from 1.6.0 to 1.7.0 #254

Closed dependabot-preview[bot] closed 4 years ago

dependabot-preview[bot] commented 4 years ago

Bumps github.com/ory/hydra from 1.6.0 to 1.7.0.

Release notes

Sourced from github.com/ory/hydra's releases.

v1.7.0

The new SameSite attribute is now enforced on Google Chrome and may cause issues with your current ORY Hydra deployment:

SameSite=None no longer works without secure flag cookies. If you are using the --dangerous-force-http flag and have not configured SameSite=Lax your users will no longer be able to perform OAuth2 flows.

The next FireFox release will follow this implementation as well. To prevent your users from experiencing issues:

  • Remove --dangerous-force-http from your deployment. This flag should never be set outside of local development machines anyway!
  • Set environment variable SERVE_COOKIES_SAME_SITE_MODE=Lax or configuration value serve.cookies.same_site_mode = Lax.

By applying this release, the above recommendations will be set by default, for example using Lax when --dangerous-force-http is set.

Many of you reached out in the past asking about managed / SaaS offerings from ORY, for more support, automated updates, and automated fixes for issues like the SameSite behavior above. We would like to invite those interested in that kind of an offering and service to engage in a dialogue to better help us understand how you are using ORY, what requirements your businesses have and how we can better help and service you. Together, we can shape some of this journey. If you would like to be part of this conversation please send an email to jared@ory.sh so we can get in touch directly and begin talking about what an ideal and fully supported offering from ORY would look like for you.

This patch additionally includes a breaking API change for the "Revoke Consent Sessions API endpoint" - please check the breaking changes below. Bugfixes are included in this release as well - such as pretty JSON format logging, fixes to Jaeger configuration, and more!

1.7.0 (2020-08-14)

Bug Fixes

Code Refactoring

Documentation

  • Access token time config (#1966) (f066cc1):

    Adds a short guide how to configure access token expiration time.

  • Add expiry-time sidebar item (#1967) (5f8e58b):

    Adds token-expiration to sidebar.

  • Add sdk samples for tls termination and tls verify skip (#1968) (6619e59)

  • Add section on oauth2 limitations at beginning (4254363)

  • Adopt new sidebar.json (8faf070)

Changelog

Sourced from github.com/ory/hydra's changelog.


Commits
  • ff4b81e autogen: pin v1.7.0 release commit
  • 5cb4bb4 autogen(docs): generate and format documentation
  • 2d47224 ci: fix goreleaser config
  • 1f6d49a ci: bump ci versions
  • cd76524 Merge pull request #1990 from ory/fix-e2e-cookie
  • 69d4af7 Merge branch 'master' into fix-e2e-cookie
  • 08813b3 feat: add audit and debug logs for cookies
  • 6e75638 tests: whitelist new session cookies and set log level to trace
  • 53f3645 chore: add cypress screenshots to gitignore
  • cc96359 fix: add json_pretty to possible log.format values
  • Additional commits viewable in compare view



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

If all status checks pass Dependabot will automatically merge this pull request.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
  • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
  • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
  • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
  • `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)
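The SameSite behaviour the release notes describe above (Chrome rejects `SameSite=None` cookies that lack the `Secure` flag, a missing attribute is treated as `Lax`, and 1.7.0 falls back to `Lax` when `--dangerous-force-http` is set) can be checked before deploying. The Go program below is an added example written for this page, not code from ORY Hydra or from prolab-accounts: it models a deployment's cookie settings with the standard library `net/http` cookie type and applies those browser rules. The function names, the assumption that an explicitly configured `None` together with `--dangerous-force-http` should be reported as a misconfiguration rather than silently rewritten, and the cookie name `oauth2_authentication_session` are this example's own choices.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// sameSiteFromConfig maps the serve.cookies.same_site_mode value
// (Lax, Strict, None; empty means "not configured") to net/http's SameSite.
func sameSiteFromConfig(mode string) (http.SameSite, error) {
	switch strings.ToLower(strings.TrimSpace(mode)) {
	case "", "default":
		return http.SameSiteDefaultMode, nil // no SameSite attribute emitted
	case "lax":
		return http.SameSiteLaxMode, nil
	case "strict":
		return http.SameSiteStrictMode, nil
	case "none":
		return http.SameSiteNoneMode, nil
	}
	return 0, fmt.Errorf("unknown same_site_mode %q", mode)
}

// newSessionCookie builds the cookie a deployment would set. forceHTTP models
// --dangerous-force-http: over plain HTTP the Secure flag cannot be set.
func newSessionCookie(name, value string, forceHTTP bool, mode http.SameSite) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   !forceHTTP,
		SameSite: mode,
	}
}

// browserAccepts applies the Chrome rules quoted in the release notes:
// SameSite=None without Secure is rejected, and an absent attribute is
// treated as Lax. It returns whether the cookie is stored and the mode
// the browser will enforce for it.
func browserAccepts(c *http.Cookie) (accepted bool, effective http.SameSite) {
	switch c.SameSite {
	case http.SameSiteNoneMode:
		return c.Secure, http.SameSiteNoneMode
	case http.SameSiteDefaultMode:
		return true, http.SameSiteLaxMode
	default:
		return true, c.SameSite
	}
}

// effectiveMode mirrors the 1.7.0 default (assumption: exact logic is this
// example's, not Hydra's): with --dangerous-force-http and no configured mode,
// use Lax so the cookie is not dropped as an insecure SameSite=None cookie.
// An explicit None over plain HTTP can never work, so it is reported as an error.
func effectiveMode(forceHTTP bool, configured string) (http.SameSite, error) {
	mode, err := sameSiteFromConfig(configured)
	if err != nil {
		return 0, err
	}
	if forceHTTP {
		switch mode {
		case http.SameSiteDefaultMode:
			return http.SameSiteLaxMode, nil
		case http.SameSiteNoneMode:
			return 0, errors.New("same_site_mode=None requires Secure cookies; remove --dangerous-force-http or use Lax")
		}
	}
	return mode, nil
}

func main() {
	// Pre-1.7.0 style deployment: --dangerous-force-http with SameSite=None.
	old := newSessionCookie("oauth2_authentication_session", "example", true, http.SameSiteNoneMode)
	ok, _ := browserAccepts(old)
	fmt.Printf("%s\n  accepted by Chrome: %v\n", old.String(), ok)

	// 1.7.0 default with --dangerous-force-http and nothing configured: Lax.
	mode, _ := effectiveMode(true, "")
	fixed := newSessionCookie("oauth2_authentication_session", "example", true, mode)
	ok, eff := browserAccepts(fixed)
	fmt.Printf("%s\n  accepted by Chrome: %v (effective SameSite=%d)\n", fixed.String(), ok, eff)
}
```

Running the program prints the two `Set-Cookie` header values, showing that the pre-upgrade cookie is rejected while the `Lax` fallback is stored; the same `browserAccepts` check can be run over the headers an actual Hydra instance returns to confirm a deployment before rolling out the upgrade.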