Merge branch 'master' into use-constructor

ory · Nov 23, 2020 · 07a90f1 · 07a90f1
2 parents d681bd9 + c4c1e6f
commit 07a90f1
Show file tree

Hide file tree

Showing 85 changed files with 3,788 additions and 1,006 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -13,14 +13,11 @@ jobs:
     steps:
       - checkout
       - setup_remote_docker
-      -
-        restore_cache:
+      - restore_cache:
           keys:
             - go-github-ory-fosite-v1-{{ checksum "go.sum" }}
-      -
-        run: go mod download
-      -
-        save_cache:
+      - run: go mod download
+      - save_cache:
           key: go-github-ory-fosite-v1-{{ checksum "go.sum" }}
           paths:
             - "/go/pkg/mod"

diff --git a/.github/semantic.yml b/.github/semantic.yml
@@ -1,5 +1,5 @@
-titleOnly: true
-commitsOnly: false
+titleOnly: false
+commitsOnly: true
 titleAndCommits: false
 
 types:

diff --git a/.github/workflows/oidc-conformity.yml b/.github/workflows/oidc-conformity.yml
@@ -0,0 +1,24 @@
+name: "OpenID Connect Conformity Tests"
+
+on:
+  push:
+
+jobs:
+  oidc-conformity:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 2
+          repository: ory/hydra
+          ref: master
+      - uses: actions/setup-go@v2
+        with:
+          go-version: '^1.15.0'
+      - name: Update fosite
+        run: go get github.com/ory/fosite@${{ github.sha }}
+      - name: Start service
+        run: ./test/conformance/start.sh
+      - name: Run tests
+        run: ./test/conformance/test.sh -v -short -parallel 16
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,34 +4,37 @@
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 **Table of Contents**
 
-- [Unreleased (2020-10-25)](#unreleased-2020-10-25)
+- [Unreleased (2020-11-18)](#unreleased-2020-11-18)
+- [0.36.0 (2020-11-16)](#0360-2020-11-16)
     - [Bug Fixes](#bug-fixes)
+    - [Code Refactoring](#code-refactoring)
     - [Documentation](#documentation)
     - [Features](#features)
+    - [BREAKING CHANGES](#breaking-changes)
   - [0.35.1 (2020-10-11)](#0351-2020-10-11)
     - [Bug Fixes](#bug-fixes-1)
     - [Documentation](#documentation-1)
     - [Features](#features-1)
 - [0.35.0 (2020-10-06)](#0350-2020-10-06)
     - [Bug Fixes](#bug-fixes-2)
-    - [BREAKING CHANGES](#breaking-changes)
+    - [BREAKING CHANGES](#breaking-changes-1)
   - [0.34.1 (2020-10-02)](#0341-2020-10-02)
     - [Bug Fixes](#bug-fixes-3)
     - [Documentation](#documentation-2)
 - [0.34.0 (2020-09-24)](#0340-2020-09-24)
     - [Bug Fixes](#bug-fixes-4)
     - [Features](#features-2)
     - [Unclassified](#unclassified)
-    - [BREAKING CHANGES](#breaking-changes-1)
+    - [BREAKING CHANGES](#breaking-changes-2)
 - [0.33.0 (2020-09-16)](#0330-2020-09-16)
     - [Features](#features-3)
-    - [BREAKING CHANGES](#breaking-changes-2)
+    - [BREAKING CHANGES](#breaking-changes-3)
   - [0.32.4 (2020-09-15)](#0324-2020-09-15)
-    - [Code Refactoring](#code-refactoring)
+    - [Code Refactoring](#code-refactoring-1)
     - [Documentation](#documentation-3)
   - [0.32.3 (2020-09-12)](#0323-2020-09-12)
     - [Bug Fixes](#bug-fixes-5)
-    - [Code Refactoring](#code-refactoring-1)
+    - [Code Refactoring](#code-refactoring-2)
     - [Documentation](#documentation-4)
     - [Features](#features-4)
   - [0.32.2 (2020-06-22)](#0322-2020-06-22)
@@ -316,28 +319,106 @@
 - [0.2.0 (2016-08-06)](#020-2016-08-06)
     - [Unclassified](#unclassified-118)
 - [0.1.0 (2016-08-01)](#010-2016-08-01)
-    - [Code Refactoring](#code-refactoring-2)
+    - [Code Refactoring](#code-refactoring-3)
     - [Documentation](#documentation-26)
     - [Unclassified](#unclassified-119)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
-# [Unreleased](https://github.com/ory/fosite/compare/v0.35.1...5f2cae3eabb83da898e1b5515176e65dda4da862) (2020-10-25)
+# Unreleased (2020-11-18)
+
+No significant changes have been made for this release.
+
+
+# [0.36.0](https://github.com/ory/fosite/compare/v0.35.1...v0.36.0) (2020-11-16)
 
 
 ### Bug Fixes
 
+* Allow all request object algs when client value is unset ([1d14636](https://github.com/ory/fosite/commit/1d14636e61b2047e5eee6d1d740249b819fc0794)):
+
+    > Allows all request object signing algorithms when the client has not explicitly allowed a certain algorithm. This follows the spec:
+    > 
+    > > *request_object_signing_alg - OPTIONAL. JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. Request Objects are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. This algorithm MUST be used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support RS256. The value none MAY be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.
 * Always return non-error response for inactive tokens ([#517](https://github.com/ory/fosite/issues/517)) ([5f2cae3](https://github.com/ory/fosite/commit/5f2cae3eabb83da898e1b5515176e65dda4da862))
+* Be more permissive in time checks ([839d000](https://github.com/ory/fosite/commit/839d00093a2ed8c590d910f113186cd96fad9185)):
+
+    > Time equality should not cause failures in OpenID Connect validation.
+* Do not accidentally leak jwks fetching errors ([6d2092d](https://github.com/ory/fosite/commit/6d2092da1e8699e43fd6dccb4c3a33b885cec7f8)), closes [/github.com/ory/fosite/pull/526#discussion_r517491738](https://github.com//github.com/ory/fosite/pull/526/issues/discussion_r517491738)
+* Do not require nonce for hybrid flows ([de5c8f9](https://github.com/ory/fosite/commit/de5c8f90e8ccae0849fa6426d53563ef7520880d)):
+
+    > This patch resolves an issue where nonce was required for hybrid flows, which does not comply with the OpenID Connect conformity test suite, specifically the `oidcc-ensure-request-without-nonce-succeeds-for-code-flow` test.
+* Guess default response mode in `NewAuthorizeRequest` ([a2952d7](https://github.com/ory/fosite/commit/a2952d7ad09fbd83a354b22dbcc0cef8a15f50f7))
+* Improve claims handling for jwts ([a72ca9a](https://github.com/ory/fosite/commit/a72ca9a978e60d7c4b000c41357719f0e2b61f8e))
+* Improve error stack wrapping ([620d4c1](https://github.com/ory/fosite/commit/620d4c148307f7be7b2674fe420141b33aef6075))
+* Kid header is not required for key lookup ([27cc5c0](https://github.com/ory/fosite/commit/27cc5c0e935ecb8bca23dd8c2670c8a93f7b829d))
+* Modernized JWT stateless introspection ([#519](https://github.com/ory/fosite/issues/519)) ([a6bfb92](https://github.com/ory/fosite/commit/a6bfb921ebc746ba7a1215e32fb42a2c0530a2bf))
+* Only use allowed characters in error_description ([431f9a5](https://github.com/ory/fosite/commit/431f9a56ed03648ea4ef637fe6c2b6d74e765dad)), closes [#525](https://github.com/ory/fosite/issues/525):
+
+    > Replace LF and quotes with `.` and `'` to match allowed and recommended character set defined in various RFCs.
+* Prevent debug details from leaking during key lookup ([c0598fb](https://github.com/ory/fosite/commit/c0598fb8d8ce75b7f0ad645420caea641e64a4d2)), closes [/github.com/ory/fosite/pull/526#discussion_r517490461](https://github.com//github.com/ory/fosite/pull/526/issues/discussion_r517490461)
+* Reset jti and hash ID token claims on refresh ([#523](https://github.com/ory/fosite/issues/523)) ([ce2de73](https://github.com/ory/fosite/commit/ce2de73ff979b02be32d850c1c695067a35576c7))
+* Use state from request object ([8cac1a0](https://github.com/ory/fosite/commit/8cac1a00a6f87523b88fea6962ab1194049cbacd)):
+
+    > Resolves failing OIDC conformity test "oidcc-request-uri-unsigned".
+
+
+### Code Refactoring
+
+* Use rfc compliant error formating ([edbbda3](https://github.com/ory/fosite/commit/edbbda3c4cf70a77cdcd1383c55762c73613f87e))
 
 
 ### Documentation
 
 * Document Session interface methods ([#512](https://github.com/ory/fosite/issues/512)) ([11a95ba](https://github.com/ory/fosite/commit/11a95ba00f562b3864fc0d6878c9d93943cc4273))
+* Updates banner in readme.md ([#529](https://github.com/ory/fosite/issues/529)) ([9718eb6](https://github.com/ory/fosite/commit/9718eb6ce63983ade0689908b5cce3e27c8838bc))
 
 
 ### Features
 
+* Add support for response_mode=form_post ([#509](https://github.com/ory/fosite/issues/509)) ([3e3290f](https://github.com/ory/fosite/commit/3e3290f811f849881f1c6bafabc1c765d9a42ac7)):
+
+    > This patch introduces support for `response_mode=form_post` as well as `response_mode` of `none` and `query` and `fragment`.
+    > 
+    >  To support this new feature your OAuth2 Client must implement the `fosite.ResponseModeClient` interface. We suggest to always return all response modes there unless you want to explicitly disable one of the response modes:
+    > 
+    > ```go
+    > func (c *Client) GetResponseModes() []fosite.ResponseModeType {
+    > 	return []fosite.ResponseModeType{
+    > 		fosite.ResponseModeDefault,
+    > 		fosite.ResponseModeFormPost,
+    > 		fosite.ResponseModeQuery,
+    > 		fosite.ResponseModeFragment,
+    > 	}
+    > }
+    > ```
 * Improve error messages ([#513](https://github.com/ory/fosite/issues/513)) ([fcac5a6](https://github.com/ory/fosite/commit/fcac5a6457c92d1eb1a389192cd0c7fb590ab8b3))
+* Introduce WithExposeDebug to error interface ([625a521](https://github.com/ory/fosite/commit/625a5214c4a002b4d0f86e49555edf8755703968))
+* Support passing repeated audience parameter in URL query ([#518](https://github.com/ory/fosite/issues/518)) ([47f2a31](https://github.com/ory/fosite/commit/47f2a31fbed137b58e4866f78ec8b9f591134f98)), closes [#504](https://github.com/ory/fosite/issues/504):
+
+    > Added `GetAudiences` helper function which tries to have current behavior and also support multiple/repeated audience parameters. If there are parameter is repeated, then it is not split by space. If there is only one then it is split by space. I think this is the best balance between standard/backwards behavior and allowing repeated parameter and allowing also URIs/audiences with spaces in them (which we probably all agree is probably not something anyone should be doing).
+    > 
+    > Also added `ExactAudienceMatchingStrategy` which is slightly more suitable to use for audiences which are not URIs. In [OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html) audience is described as:
+    > 
+    > > Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string. 
+    > 
+    > `client_id` is generally not an URI, but some UUID or some other random string.
+
+
+### BREAKING CHANGES
+
+* This patch removes fields `error_hint`, `error_debug` from error responses. To use the legacy error format where these fields are included, set `UseLegacyErrorFormat` to true in your compose config or directly on the `Fosite` struct. If `UseLegacyErrorFormat` is set, the `error_description` no longer merges `error_hint` nor `error_debug` messages which reverts a change introduced in `v0.33.0`. Instead, `error_hint` and `error_debug` are included and the merged message can be constructed from those fields.
+* As part of this change, the error interface and its fields have changed:
+
+- `RFC6749Error.Name` was renamed to `RFC6749Error.ErrorField`.
+- `RFC6749Error.Description` was renamed to `RFC6749Error.DescriptionField`.
+- `RFC6749Error.Hint` was renamed to `RFC6749Error.HintField`.
+- `RFC6749Error.Code` was renamed to `RFC6749Error.CodeField`.
+- `RFC6749Error.Hint` was renamed to `RFC6749Error.HintField`.
+- `RFC6749Error.WithCause()` was renamed to `RFC6749Error.WithWrap() *RFC6749Error` and alternatively to `RFC6749Error.Wrap()` (without return value) to standardize naming conventions around the new Go 1.14+ error interfaces.
+* As part of this change, methods `GetResponseMode`, `SetDefaultResponseMode`, `GetDefaultResponseMode ` where added to interface `AuthorizeRequester`. Also, methods `GetQuery`, `AddQuery`, and `GetFragment` were merged into one function `GetParameters` and `AddParameter` on the `AuthorizeResponder` interface. Methods on `AuthorizeRequest` and `AuthorizeResponse` changed accordingly and will need to be updated in your codebase. Additionally, the field `Debug` was renamed to `DebugField` and a new method `Debug() string` was added to `RFC6749Error`.
+
+Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>