v1.18.0 patches two auth security bugs and fixes MySQL case-sensitivity. MySQL users must plan a maintenance window before upgrading — auto-migration will lock tuple/changelog tables.
securitySilent OIDC audience bypass — check your auth config before upgrading
If authn.oidc.audience was previously omitted, any validly-signed token from your trusted issuer was accepted regardless of intended audience. After upgrading, OpenFGA will refuse to start without both issuer and audience set. Verify your deployment config has authn.oidc.audience explicitly set, or the service will not come up.
securityPreshared key timing side-channel fixed — no action needed if you rotate keys
The prior map lookup for preshared key auth could reveal valid key bytes via timing differences. Now fixed with constant-time comparison. No immediate action required, but if this key has been exposed to untrusted network paths for a long time, rotating the preshared key is a reasonable precaution.
breakingMySQL users: do not auto-migrate on startup
Migration 008 acquires a shared lock on tuple and changelog tables. On large datasets this can block Write operations for an extended period. Read the operator runbook at the collation_migrations.md guide, schedule a maintenance window, and run the migration manually rather than letting OpenFGA auto-migrate on startup.
Key changes (4)
- MySQL schema migration 008 changes collation to enforce case-sensitive identifier comparison; acquires a shared lock on tuple and changelog tables during migration
- Preshared key auth now uses constant-time comparison, closing a timing side-channel that could leak information about valid key bytes
- OIDC config validation tightened: OpenFGA now refuses to start if authn.oidc.issuer or authn.oidc.audience is missing, preventing silent JWT audience bypass
- MySQL identifier comparison now matches Postgres and SQLite behavior (case-sensitive)