RATATOSKRATATOSK
Sign in

OpenFGA

v1.17.0Security
Jun 3, 2026

v1.17.0 hardens cache key generation against hash-flooding attacks and adds configurable OpenTelemetry trace sampling, including parent-based propagation.

  • securityUpgrade to get hash-flooding protection in cache keys

    The old string-concatenation cache key approach was vulnerable to hash-flooding attacks and key collisions. The new TLV encoding with per-process hash seeding closes both issues. There are no config changes required — just upgrade. If you run OpenFGA in a multi-tenant or public-facing setup, this is a meaningful security improvement that warrants prioritizing the upgrade.

  • enhancementConfigure parent-based trace sampling if OpenFGA runs behind an API gateway or service mesh

    Previously, OpenFGA couldn't honor upstream sampling decisions, meaning traces could be captured inconsistently across your stack. Set `OPENFGA_TRACE_SAMPLER=parentbased_always_on` (or `parentbased_traceidratio`) so OpenFGA respects the sampling decision made by the calling service. This is especially useful when OpenFGA is a downstream dependency in a larger traced system — it reduces trace noise and aligns sampling with your existing observability strategy.

Key changes (5)

  • Cache key generation switched from string concatenation to TLV binary encoding, eliminating collision risk
  • Per-process hash seeding added to cache keys to prevent hash-flooding attacks
  • New configurable trace sampler via `trace.sampler` / `OPENFGA_TRACE_SAMPLER` / `OTEL_TRACES_SAMPLER`
  • Supports all standard OTel sampling strategies including parent-based variants
  • Default trace sampler is `traceidratio`, preserving previous behavior