feat: add skip_logout_consent option to clients #3705

merged 3 commits into from
Jan 30, 2024
Expand Up @@ -21,6 +21,7 @@
"userinfo_signed_response_alg": "none",
"metadata": {},
"skip_consent": false,
"skip_logout_consent": null,
"authorization_code_grant_access_token_lifespan": null,
"authorization_code_grant_id_token_lifespan": null,
"authorization_code_grant_refresh_token_lifespan": null,
Expand Up @@ -24,6 +24,7 @@
"foo": "bar"
},
"skip_consent": false,
"skip_logout_consent": null,
"authorization_code_grant_access_token_lifespan": null,
"authorization_code_grant_id_token_lifespan": null,
"authorization_code_grant_refresh_token_lifespan": null,
@@ -0,0 +1,36 @@
{
"client_name": "",
"client_secret": "2SKZkBf2P5g4toAXXnCrr~_sDM",
"redirect_uris": [
"http://localhost:3000/cb"
],
"grant_types": null,
"response_types": null,
"scope": "offline_access offline openid",
"audience": [],
"owner": "",
"policy_uri": "",
"allowed_cors_origins": [],
"tos_uri": "",
"client_uri": "",
"logo_uri": "",
"contacts": null,
"client_secret_expires_at": 0,
"subject_type": "public",
"jwks": {},
"token_endpoint_auth_method": "client_secret_basic",
"userinfo_signed_response_alg": "none",
"metadata": {},
"skip_consent": false,
"skip_logout_consent": true,
"authorization_code_grant_access_token_lifespan": null,
"authorization_code_grant_id_token_lifespan": null,
"authorization_code_grant_refresh_token_lifespan": null,
"client_credentials_grant_access_token_lifespan": null,
"implicit_grant_access_token_lifespan": null,
"implicit_grant_id_token_lifespan": null,
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
}
@@ -0,0 +1,4 @@
{
"error": "The request was malformed or contained invalid parameters",
"error_description": "It is not allowed to choose your own OAuth2 Client secret."
}
@@ -0,0 +1,36 @@
{
"client_name": "",
"client_secret": "averylongsecret",
"redirect_uris": [
"http://localhost:3000/cb"
],
"grant_types": null,
"response_types": null,
"scope": "offline_access offline openid",
"audience": [],
"owner": "",
"policy_uri": "",
"allowed_cors_origins": [],
"tos_uri": "",
"client_uri": "",
"logo_uri": "",
"contacts": null,
"client_secret_expires_at": 0,
"subject_type": "public",
"jwks": {},
"token_endpoint_auth_method": "client_secret_basic",
"userinfo_signed_response_alg": "none",
"metadata": {},
"skip_consent": false,
"skip_logout_consent": null,
"authorization_code_grant_access_token_lifespan": null,
"authorization_code_grant_id_token_lifespan": null,
"authorization_code_grant_refresh_token_lifespan": null,
"client_credentials_grant_access_token_lifespan": null,
"implicit_grant_access_token_lifespan": null,
"implicit_grant_id_token_lifespan": null,
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
}
Expand Up @@ -24,6 +24,7 @@
"metadata": {},
"registration_client_uri": "http://localhost:4444/oauth2/register/not-a-uuid",
"skip_consent": false,
"skip_logout_consent": null,
"authorization_code_grant_access_token_lifespan": null,
"authorization_code_grant_id_token_lifespan": null,
"authorization_code_grant_refresh_token_lifespan": null,
Expand Up @@ -24,6 +24,7 @@
"metadata": {},
"registration_client_uri": "http://localhost:4444/oauth2/register/98941dac-f963-4468-8a23-9483b1e04e3c",
"skip_consent": false,
"skip_logout_consent": null,
"authorization_code_grant_access_token_lifespan": null,
"authorization_code_grant_id_token_lifespan": null,
"authorization_code_grant_refresh_token_lifespan": null,
@@ -0,0 +1,36 @@
{
"client_name": "",
"client_secret": "2SKZkBf2P5g4toAXXnCrr~_sDM",
"redirect_uris": [
"http://localhost:3000/cb"
],
"grant_types": null,
"response_types": null,
"scope": "offline_access offline openid",
"audience": [],
"owner": "",
"policy_uri": "",
"allowed_cors_origins": [],
"tos_uri": "",
"client_uri": "",
"logo_uri": "",
"contacts": null,
"client_secret_expires_at": 0,
"subject_type": "public",
"jwks": {},
"token_endpoint_auth_method": "client_secret_basic",
"userinfo_signed_response_alg": "none",
"metadata": {},
"skip_consent": true,
"skip_logout_consent": null,
"authorization_code_grant_access_token_lifespan": null,
"authorization_code_grant_id_token_lifespan": null,
"authorization_code_grant_refresh_token_lifespan": null,
"client_credentials_grant_access_token_lifespan": null,
"implicit_grant_access_token_lifespan": null,
"implicit_grant_id_token_lifespan": null,
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
}
@@ -0,0 +1,4 @@
{
"error": "invalid_request",
"error_description": "'skip_logout_consent' cannot be set for dynamic client registration"
}
Expand Up @@ -22,6 +22,7 @@
"userinfo_signed_response_alg": "none",
"metadata": {},
"skip_consent": false,
"skip_logout_consent": null,
"authorization_code_grant_access_token_lifespan": null,
"authorization_code_grant_id_token_lifespan": null,
"authorization_code_grant_refresh_token_lifespan": null,
Expand Up @@ -21,6 +21,7 @@
"token_endpoint_auth_method": "client_secret_basic",
"userinfo_signed_response_alg": "none",
"skip_consent": false,
"skip_logout_consent": null,
"authorization_code_grant_access_token_lifespan": null,
"authorization_code_grant_id_token_lifespan": null,
"authorization_code_grant_refresh_token_lifespan": null,
Expand Up @@ -22,6 +22,7 @@
"userinfo_signed_response_alg": "none",
"metadata": {},
"skip_consent": false,
"skip_logout_consent": null,
"authorization_code_grant_access_token_lifespan": "31h0m0s",
"authorization_code_grant_id_token_lifespan": "32h0m0s",
"authorization_code_grant_refresh_token_lifespan": "33h0m0s",
Expand Up @@ -24,6 +24,7 @@
"userinfo_signed_response_alg": "none",
"metadata": {},
"skip_consent": false,
"skip_logout_consent": null,
"authorization_code_grant_access_token_lifespan": null,
"authorization_code_grant_id_token_lifespan": null,
"authorization_code_grant_refresh_token_lifespan": null,
Expand Up @@ -23,6 +23,7 @@
"userinfo_signed_response_alg": "none",
"metadata": {},
"skip_consent": false,
"skip_logout_consent": null,
"authorization_code_grant_access_token_lifespan": null,
"authorization_code_grant_id_token_lifespan": null,
"authorization_code_grant_refresh_token_lifespan": null,
Expand Up @@ -17,6 +17,7 @@
"jwks": {},
"metadata": {},
"skip_consent": false,
"skip_logout_consent": null,
"authorization_code_grant_access_token_lifespan": null,
"authorization_code_grant_id_token_lifespan": null,
"authorization_code_grant_refresh_token_lifespan": null,
Expand Up @@ -17,6 +17,7 @@
"jwks": {},
"metadata": {},
"skip_consent": false,
"skip_logout_consent": null,
"authorization_code_grant_access_token_lifespan": null,
"authorization_code_grant_id_token_lifespan": null,
"authorization_code_grant_refresh_token_lifespan": null,
Expand Up @@ -18,6 +18,7 @@
"jwks": {},
"metadata": {},
"skip_consent": false,
"skip_logout_consent": null,
"authorization_code_grant_access_token_lifespan": null,
"authorization_code_grant_id_token_lifespan": null,
"authorization_code_grant_refresh_token_lifespan": null,
4 changes: 4 additions & 0 deletions client/client.go
Expand Up @@ -311,6 +311,10 @@ type Client struct {
// be set from the admin API.
SkipConsent bool `json:"skip_consent" db:"skip_consent" faker:"-"`

// SkipLogoutConsent skips the logout consent screen for this client. This field can only
// be set from the admin API.
SkipLogoutConsent sqlxx.NullBool `json:"skip_logout_consent" db:"skip_logout_consent" faker:"-"`

Lifespans
}

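Review bot: `SkipLogoutConsent` is declared as `sqlxx.NullBool` while the neighbouring `SkipConsent` it is modelled on is a plain `bool`, so the two admin-only flags now have different wire shapes: the snapshot fixtures in this PR render `"skip_logout_consent": null` right next to `"skip_consent": false`, and the generated `internal/httpclient/api/openapi.yaml` entry for it declares only `type: boolean` with no nullable marker, so strictly typed SDK clients may fail to decode the `null`. If the tri-state (unset / explicit false / true) is intentional, the doc comment should say what an unset value means and the OpenAPI field should be marked nullable; otherwise a plain `bool` defaulting to `false` keeps the two flags consistent. A suggested addition to the comment, hedged because only the validator's `.Bool` check implies it: `// Unset (null) behaves like false; only an explicit true skips the screen.` The `Client` struct starts outside the hunk.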
25 changes: 23 additions & 2 deletions client/handler_test.go
Expand Up @@ -13,6 +13,8 @@ import (
"net/http/httptest"
"testing"

"github.com/ory/x/sqlxx"

"github.com/ory/x/httprouterx"

"github.com/tidwall/sjson"
Expand Down Expand Up @@ -347,11 +349,30 @@ func TestHandler(t *testing.T) {
statusCode: http.StatusBadRequest,
},
{
d: "setting skip_consent suceeds for admin registration",
d: "setting skip_consent succeeds for admin registration",
payload: &client.Client{
RedirectURIs: []string{"http://localhost:3000/cb"},
SkipConsent: true,
Secret: "2SKZkBf2P5g4toAXXnCrr~_sDM",
SkipConsent: true,
},
path: client.ClientsHandlerPath,
statusCode: http.StatusCreated,
},
{
d: "setting skip_logout_consent fails for dynamic registration",
payload: &client.Client{
RedirectURIs: []string{"http://localhost:3000/cb"},
SkipLogoutConsent: sqlxx.NullBool{Bool: true, Valid: true},
},
path: client.DynClientsHandlerPath,
statusCode: http.StatusBadRequest,
},
{
d: "setting skip_logout_consent succeeds for admin registration",
payload: &client.Client{
RedirectURIs: []string{"http://localhost:3000/cb"},
SkipLogoutConsent: sqlxx.NullBool{Bool: true, Valid: true},
Secret: "2SKZkBf2P5g4toAXXnCrr~_sDM",
},
path: client.ClientsHandlerPath,
statusCode: http.StatusCreated,
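Review bot: The two new cases at `setting skip_logout_consent fails for dynamic registration` and the admin counterpart only send `true`; because the validator rejects on `.Bool` rather than `.Valid`, an explicitly supplied `"skip_logout_consent": false` on the dynamic path is never exercised, and a third case with `SkipLogoutConsent: sqlxx.NullBool{Bool: false, Valid: true}` against `client.DynClientsHandlerPath` expecting `http.StatusBadRequest` would pin the documented "cannot be set" contract. Correcting `suceeds` to `succeeds` in the existing case description also changes the name of the snapshot file that case writes; no deletion of the old snapshot is visible in this view, so check it is not left behind as an orphan. `TestHandler` begins before the hunk.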
3 changes: 3 additions & 0 deletions client/validator.go
Expand Up @@ -207,6 +207,9 @@ func (v *Validator) ValidateDynamicRegistration(ctx context.Context, c *Client)
if c.SkipConsent {
return errorsx.WithStack(ErrInvalidRequest.WithDescription(`"skip_consent" cannot be set for dynamic client registration`))
}
if c.SkipLogoutConsent.Bool {
return errorsx.WithStack(ErrInvalidRequest.WithDescription(`"skip_logout_consent" cannot be set for dynamic client registration`))
}

return v.Validate(ctx, c)
}
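Review bot: The guard `if c.SkipLogoutConsent.Bool` rejects only an explicit `true`, but the field is a `NullBool`, so a dynamic-registration payload carrying `"skip_logout_consent": false` arrives as `Valid: true, Bool: false` and is accepted even though the field is documented as settable only from the admin API and the error text says "cannot be set". Keying the check on presence instead of value closes that gap: `if c.SkipLogoutConsent.Valid {`. The plain-`bool` `SkipConsent` check above it does not have this distinction, which is presumably why the new line copied its shape. `ValidateDynamicRegistration` starts before the hunk.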
6 changes: 3 additions & 3 deletions go.mod
Expand Up @@ -44,7 +44,7 @@ require (
github.com/ory/hydra-client-go/v2 v2.1.1
github.com/ory/jsonschema/v3 v3.0.8
github.com/ory/kratos-client-go v0.13.1
github.com/ory/x v0.0.607
github.com/ory/x v0.0.612-0.20240130132700-6275e3f1ad0d
github.com/pborman/uuid v1.2.1
github.com/pkg/errors v0.9.1
github.com/prometheus/client_golang v1.16.0
Expand Down Expand Up @@ -225,8 +225,8 @@ require (
github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c // indirect
go.mongodb.org/mongo-driver v1.12.1 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1 // indirect
go.opentelemetry.io/contrib/propagators/b3 v1.20.0 // indirect
go.opentelemetry.io/contrib/propagators/jaeger v1.20.0 // indirect
go.opentelemetry.io/contrib/propagators/b3 v1.21.0 // indirect
go.opentelemetry.io/contrib/propagators/jaeger v1.21.1 // indirect
go.opentelemetry.io/contrib/samplers/jaegerremote v0.15.1 // indirect
go.opentelemetry.io/otel/exporters/jaeger v1.17.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 // indirect
13 changes: 6 additions & 7 deletions go.sum
Expand Up @@ -601,8 +601,8 @@ github.com/ory/jsonschema/v3 v3.0.8 h1:Ssdb3eJ4lDZ/+XnGkvQS/te0p+EkolqwTsDOCxr/F
github.com/ory/jsonschema/v3 v3.0.8/go.mod h1:ZPzqjDkwd3QTnb2Z6PAS+OTvBE2x5i6m25wCGx54W/0=
github.com/ory/kratos-client-go v0.13.1 h1:o+pFV9ZRMFSBa4QeNJYbJeLz036UWU4p+7yfKghK+0E=
github.com/ory/kratos-client-go v0.13.1/go.mod h1:hkrFJuHSBQw+qN6Ks0faOAYhAKwtpjvhCZzsQ7g/Ufc=
github.com/ory/x v0.0.607 h1:qNP1gU6RWVtsEB04rPht+1rV2DqQhvOAN2sF+4eqVWo=
github.com/ory/x v0.0.607/go.mod h1:fCYvVVHo8wYrCwLyU8+9hFY3IRo4EZM3KI30ysDsDYY=
github.com/ory/x v0.0.612-0.20240130132700-6275e3f1ad0d h1:Kbt7Wj0vLSDSUcwGRvoqJVRtae8g4NCBe54t9XjOODc=
github.com/ory/x v0.0.612-0.20240130132700-6275e3f1ad0d/go.mod h1:uH065puz8neija0neqwIN3PmXXfDsB9VbZTZ20Znoos=
github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw=
github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE=
Expand Down Expand Up @@ -767,10 +767,10 @@ go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.
go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1/go.mod h1:GnOaBaFQ2we3b9AGWJpsBa7v1S5RlQzlC3O7dRMxZhM=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 h1:aFJWCqJMNjENlcleuuOkGAPH82y0yULBScfXcIEdS24=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1/go.mod h1:sEGXWArGqc3tVa+ekntsN65DmVbVeW+7lTKTjZF3/Fo=
go.opentelemetry.io/contrib/propagators/b3 v1.20.0 h1:Yty9Vs4F3D6/liF1o6FNt0PvN85h/BJJ6DQKJ3nrcM0=
go.opentelemetry.io/contrib/propagators/b3 v1.20.0/go.mod h1:On4VgbkqYL18kbJlWsa18+cMNe6rYpBnPi1ARI/BrsU=
go.opentelemetry.io/contrib/propagators/jaeger v1.20.0 h1:iVhNKkMIpzyZqxk8jkDU2n4DFTD+FbpGacvooxEvyyc=
go.opentelemetry.io/contrib/propagators/jaeger v1.20.0/go.mod h1:cpSABr0cm/AH/HhbJjn+AudBVUMgZWdfN3Gb+ZqxSZc=
go.opentelemetry.io/contrib/propagators/b3 v1.21.0 h1:uGdgDPNzwQWRwCXJgw/7h29JaRqcq9B87Iv4hJDKAZw=
go.opentelemetry.io/contrib/propagators/b3 v1.21.0/go.mod h1:D9GQXvVGT2pzyTfp1QBOnD1rzKEWzKjjwu5q2mslCUI=
go.opentelemetry.io/contrib/propagators/jaeger v1.21.1 h1:f4beMGDKiVzg9IcX7/VuWVy+oGdjx3dNJ72YehmtY5k=
go.opentelemetry.io/contrib/propagators/jaeger v1.21.1/go.mod h1:U9jhkEl8d1LL+QXY7q3kneJWJugiN3kZJV2OWz3hkBY=
go.opentelemetry.io/contrib/samplers/jaegerremote v0.15.1 h1:Qb+5A+JbIjXwO7l4HkRUhgIn4Bzz0GNS2q+qdmSx+0c=
go.opentelemetry.io/contrib/samplers/jaegerremote v0.15.1/go.mod h1:G4vNCm7fRk0kjZ6pGNLo5SpLxAUvOfSrcaegnT8TPck=
go.opentelemetry.io/otel v1.21.0 h1:hzLeKBZEL7Okw2mGzZ0cc4k/A7Fta0uoPgaJCr8fsFc=
Expand Down Expand Up @@ -912,7 +912,6 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ
golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
golang.org/x/oauth2 v0.14.0 h1:P0Vrf/2538nmC0H+pEQ3MNFRRnVR7RlqyVw+bvm26z0=
golang.org/x/oauth2 v0.14.0/go.mod h1:lAtNWgaWfL4cm7j2OV8TxGi9Qb7ECORx8DktCY74OwM=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
10 changes: 10 additions & 0 deletions internal/httpclient/api/openapi.yaml
Expand Up @@ -2593,6 +2593,7 @@ components:
sector_identifier_uri: sector_identifier_uri
frontchannel_logout_session_required: true
frontchannel_logout_uri: frontchannel_logout_uri
skip_logout_consent: true
refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
client_secret_expires_at: 0
Expand Down Expand Up @@ -2885,6 +2886,11 @@ components:
SkipConsent skips the consent screen for this client. This field can only
be set from the admin API.
type: boolean
skip_logout_consent:
description: |-
SkipLogoutConsent skips the logout consent screen for this client. This field can only
be set from the admin API.
type: boolean
subject_type:
description: |-
OpenID Connect Subject Type
Expand Down Expand Up @@ -3077,6 +3083,7 @@ components:
sector_identifier_uri: sector_identifier_uri
frontchannel_logout_session_required: true
frontchannel_logout_uri: frontchannel_logout_uri
skip_logout_consent: true
refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
client_secret_expires_at: 0
Expand Down Expand Up @@ -3306,6 +3313,7 @@ components:
sector_identifier_uri: sector_identifier_uri
frontchannel_logout_session_required: true
frontchannel_logout_uri: frontchannel_logout_uri
skip_logout_consent: true
refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
client_secret_expires_at: 0
Expand Down Expand Up @@ -3454,6 +3462,7 @@ components:
sector_identifier_uri: sector_identifier_uri
frontchannel_logout_session_required: true
frontchannel_logout_uri: frontchannel_logout_uri
skip_logout_consent: true
refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
client_secret_expires_at: 0
Expand Down Expand Up @@ -3584,6 +3593,7 @@ components:
sector_identifier_uri: sector_identifier_uri
frontchannel_logout_session_required: true
frontchannel_logout_uri: frontchannel_logout_uri
skip_logout_consent: true
refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
client_secret_expires_at: 0