Merge 2ec7a94 into f8d6542

.gitignore

@@ -1,5 +1,6 @@
 .bin/
 .idea/
+.vscode/
 node_modules/
 *.iml
 *.exe

Makefile

@@ -94,6 +94,10 @@ quicktest:
 quicktest-hsm:
  docker build --progress=plain -f .docker/Dockerfile-hsm --target test-hsm .
 
+.PHONY: refresh
+refresh:
+ UPDATE_SNAPSHOTS=true go test -failfast -short -tags sqlite,json1 ./...
+
 authors: # updates the AUTHORS file
  curl https://raw.githubusercontent.com/ory/ci/master/authors/authors.sh | env PRODUCT="Ory Hydra" bash
 

client/.snapshots/TestHandler-common-case=create_clients-case=1-description=basic_dynamic_client_registration.json

@@ -0,0 +1,4 @@
+{
+ "error": "The request was malformed or contained invalid parameters",
+ "error_description": "It is not allowed to choose your own OAuth2 Client secret."
+}

client/.snapshots/TestHandler-common-case=create_clients-case=10-description=empty_ID_succeeds.json

@@ -0,0 +1,35 @@
+{
+ "client_name": "",
+ "client_secret": "averylongsecret",
+ "redirect_uris": [
+ "http://localhost:3000/cb"
+ ],
+ "grant_types": null,
+ "response_types": null,
+ "scope": "offline_access offline openid",
+ "audience": [],
+ "owner": "",
+ "policy_uri": "",
+ "allowed_cors_origins": [],
+ "tos_uri": "",
+ "client_uri": "",
+ "logo_uri": "",
+ "contacts": null,
+ "client_secret_expires_at": 0,
+ "subject_type": "public",
+ "jwks": {},
+ "token_endpoint_auth_method": "client_secret_basic",
+ "userinfo_signed_response_alg": "none",
+ "metadata": {},
+ "skip_consent": false,
+ "authorization_code_grant_access_token_lifespan": null,
+ "authorization_code_grant_id_token_lifespan": null,
+ "authorization_code_grant_refresh_token_lifespan": null,
+ "client_credentials_grant_access_token_lifespan": null,
+ "implicit_grant_access_token_lifespan": null,
+ "implicit_grant_id_token_lifespan": null,
+ "jwt_bearer_grant_access_token_lifespan": null,
+ "refresh_token_grant_id_token_lifespan": null,
+ "refresh_token_grant_access_token_lifespan": null,
+ "refresh_token_grant_refresh_token_lifespan": null
+}

client/.snapshots/TestHandler-common-case=create_clients-case=2-description=empty_ID_succeeds.json

@@ -0,0 +1,34 @@
+{
+ "client_name": "",
+ "client_secret": "averylongsecret",
+ "redirect_uris": [
+ "http://localhost:3000/cb"
+ ],
+ "grant_types": null,
+ "response_types": null,
+ "scope": "offline_access offline openid",
+ "audience": [],
+ "owner": "",
+ "policy_uri": "",
+ "allowed_cors_origins": [],
+ "tos_uri": "",
+ "client_uri": "",
+ "logo_uri": "",
+ "contacts": null,
+ "client_secret_expires_at": 0,
+ "subject_type": "public",
+ "jwks": {},
+ "token_endpoint_auth_method": "client_secret_basic",
+ "userinfo_signed_response_alg": "none",
+ "metadata": {},
+ "authorization_code_grant_access_token_lifespan": null,
+ "authorization_code_grant_id_token_lifespan": null,
+ "authorization_code_grant_refresh_token_lifespan": null,
+ "client_credentials_grant_access_token_lifespan": null,
+ "implicit_grant_access_token_lifespan": null,
+ "implicit_grant_id_token_lifespan": null,
+ "jwt_bearer_grant_access_token_lifespan": null,
+ "refresh_token_grant_id_token_lifespan": null,
+ "refresh_token_grant_access_token_lifespan": null,
+ "refresh_token_grant_refresh_token_lifespan": null
+}

client/.snapshots/TestHandler-common-case=create_clients-case=6-description=setting_access_token_strategy_fails.json

@@ -0,0 +1,4 @@
+{
+ "error": "The request was malformed or contained invalid parameters",
+ "error_description": "It is not allowed to choose your own access token strategy."
+}

client/.snapshots/TestHandler-common-case=create_clients-case=7-description=basic_dynamic_client_registration.json

@@ -0,0 +1,4 @@
+{
+ "error": "The request was malformed or contained invalid parameters",
+ "error_description": "It is not allowed to choose your own OAuth2 Client secret."
+}

client/.snapshots/TestHandler-common-case=create_clients-case=7-description=setting_skip_consent_fails_for_dynamic_registration.json

@@ -0,0 +1,4 @@
+{
+ "error": "invalid_request",
+ "error_description": "'skip_consent' cannot be set for dynamic client registration"
+}

client/.snapshots/TestHandler-common-case=create_clients-case=8-description=empty_ID_succeeds.json

@@ -0,0 +1,34 @@
+{
+ "client_name": "",
+ "client_secret": "averylongsecret",
+ "redirect_uris": [
+ "http://localhost:3000/cb"
+ ],
+ "grant_types": null,
+ "response_types": null,
+ "scope": "offline_access offline openid",
+ "audience": [],
+ "owner": "",
+ "policy_uri": "",
+ "allowed_cors_origins": [],
+ "tos_uri": "",
+ "client_uri": "",
+ "logo_uri": "",
+ "contacts": null,
+ "client_secret_expires_at": 0,
+ "subject_type": "public",
+ "jwks": {},
+ "token_endpoint_auth_method": "client_secret_basic",
+ "userinfo_signed_response_alg": "none",
+ "metadata": {},
+ "authorization_code_grant_access_token_lifespan": null,
+ "authorization_code_grant_id_token_lifespan": null,
+ "authorization_code_grant_refresh_token_lifespan": null,
+ "client_credentials_grant_access_token_lifespan": null,
+ "implicit_grant_access_token_lifespan": null,
+ "implicit_grant_id_token_lifespan": null,
+ "jwt_bearer_grant_access_token_lifespan": null,
+ "refresh_token_grant_id_token_lifespan": null,
+ "refresh_token_grant_access_token_lifespan": null,
+ "refresh_token_grant_refresh_token_lifespan": null
+}

client/.snapshots/TestHandler-common-case=create_clients-case=8-description=setting_skip_consent_suceeds_for_admin_registration.json

@@ -0,0 +1,35 @@
+{
+ "client_name": "",
+ "client_secret": "2SKZkBf2P5g4toAXXnCrr~_sDM",
+ "redirect_uris": [
+ "http://localhost:3000/cb"
+ ],
+ "grant_types": null,
+ "response_types": null,
+ "scope": "offline_access offline openid",
+ "audience": [],
+ "owner": "",
+ "policy_uri": "",
+ "allowed_cors_origins": [],
+ "tos_uri": "",
+ "client_uri": "",
+ "logo_uri": "",
+ "contacts": null,
+ "client_secret_expires_at": 0,
+ "subject_type": "public",
+ "jwks": {},
+ "token_endpoint_auth_method": "client_secret_basic",
+ "userinfo_signed_response_alg": "none",
+ "metadata": {},
+ "skip_consent": true,
+ "authorization_code_grant_access_token_lifespan": null,
+ "authorization_code_grant_id_token_lifespan": null,
+ "authorization_code_grant_refresh_token_lifespan": null,
+ "client_credentials_grant_access_token_lifespan": null,
+ "implicit_grant_access_token_lifespan": null,
+ "implicit_grant_id_token_lifespan": null,
+ "jwt_bearer_grant_access_token_lifespan": null,
+ "refresh_token_grant_id_token_lifespan": null,
+ "refresh_token_grant_access_token_lifespan": null,
+ "refresh_token_grant_refresh_token_lifespan": null
+}

client/.snapshots/TestHandler-common-case=create_clients-case=9-description=basic_dynamic_client_registration.json

@@ -0,0 +1,4 @@
+{
+ "error": "The request was malformed or contained invalid parameters",
+ "error_description": "It is not allowed to choose your own OAuth2 Client secret."
+}

client/client.go

@@ -7,12 +7,13 @@ import (
  "strings"
  "time"
 
+ "github.com/ory/hydra/v2/driver/config"
  "github.com/ory/x/stringsx"
 
  "github.com/gobuffalo/pop/v6"
  "github.com/gofrs/uuid"
 
- "gopkg.in/square/go-jose.v2" // Naming the dependency jose is important for go-swagger to work, see https://github.com/go-swagger/go-swagger/issues/1587
+ "gopkg.in/square/go-jose.v2"
 
  "github.com/ory/fosite"
  "github.com/ory/hydra/v2/x"
@@ -291,6 +292,13 @@ type Client struct {
  // RegistrationClientURI is the URL used to update, get, or delete the OAuth2 Client.
  RegistrationClientURI string `json:"registration_client_uri,omitempty" db:"-"`
 
+ // OAuth 2.0 Access Token Strategy
+ //
+ // AccessTokenStrategy is the strategy used to generate access tokens.
+ // Valid options are `jwt` and `opaque`. `jwt` is a bad idea, see https://www.ory.sh/docs/hydra/advanced#json-web-tokens
+ // Setting the stragegy here overrides the global setting in `strategies.access_token`.
+ AccessTokenStrategy string `json:"access_token_strategy,omitempty" db:"access_token_strategy" faker:"-"`
+
  // SkipConsent skips the consent screen for this client. This field can only
  // be set from the admin API.
  SkipConsent bool `json:"skip_consent" db:"skip_consent" faker:"-"`
@@ -536,3 +544,17 @@ func (c *Client) GetEffectiveLifespan(gt fosite.GrantType, tt fosite.TokenType,
  }
  return *cl
 }
+
+func (c *Client) GetAccessTokenStrategy() config.AccessTokenStrategyType {
+ // We ignore the error here, because the empty string will default to
+ // the global access token strategy.
+ s, _ := config.ToAccessTokenStrategyType(c.AccessTokenStrategy)
+ return s
+}
+
+func AccessTokenStrategySource(client fosite.Client) config.AccessTokenStrategySource {
+ if source, ok := client.(config.AccessTokenStrategySource); ok {
+ return source
+ }
+ return nil
+}

client/handler_test.go

@@ -109,22 +109,22 @@ func TestHandler(t *testing.T) {
 
  t.Run("valid auth", func(t *testing.T) {
  actual, err := h.ValidDynamicAuth(&http.Request{Header: http.Header{"Authorization": {"Bearer " + expected.RegistrationAccessToken}}}, httprouter.Params{
- httprouter.Param{Key: "id", Value: expected.GetID()},
+ {Key: "id", Value: expected.GetID()},
  })
  require.NoError(t, err, "authentication with registration access token works")
  assert.EqualValues(t, expected.GetID(), actual.GetID())
  })
 
  t.Run("missing auth", func(t *testing.T) {
  _, err := h.ValidDynamicAuth(&http.Request{}, httprouter.Params{
- httprouter.Param{Key: "id", Value: expected.GetID()},
+ {Key: "id", Value: expected.GetID()},
  })
  require.Error(t, err, "authentication without registration access token fails")
  })
 
  t.Run("incorrect auth", func(t *testing.T) {
  _, err := h.ValidDynamicAuth(&http.Request{Header: http.Header{"Authorization": {"Bearer invalid"}}}, httprouter.Params{
- httprouter.Param{Key: "id", Value: expected.GetID()},
+ {Key: "id", Value: expected.GetID()},
  })
  require.Error(t, err, "authentication with invalid registration access token fails")
  })
@@ -328,6 +328,15 @@ func TestHandler(t *testing.T) {
  path: client.ClientsHandlerPath,
  statusCode: http.StatusBadRequest,
  },
+ {
+ d: "setting access token strategy fails",
+ payload: &client.Client{
+ RedirectURIs: []string{"http://localhost:3000/cb"},
+ AccessTokenStrategy: "jwt",
+ },
+ path: client.DynClientsHandlerPath,
+ statusCode: http.StatusBadRequest,
+ },
  {
  d: "setting skip_consent fails for dynamic registration",
  payload: &client.Client{
@@ -383,7 +392,7 @@ func TestHandler(t *testing.T) {
  assert.NotEmpty(t, gjson.Get(body, key).String(), "%s in %s", key, body)
  }
  }
- snapshotx.SnapshotTExcept(t, json.RawMessage(body), exclude)
+ snapshotx.SnapshotT(t, json.RawMessage(body), snapshotx.ExceptPaths(exclude...))
  })
  }
  })

client/validator.go

@@ -10,6 +10,7 @@ import (
  "net/url"
  "strings"
 
+ "github.com/ory/herodot"
  "github.com/ory/hydra/v2/driver/config"
  "github.com/ory/hydra/v2/x"
  "github.com/ory/x/ipx"
@@ -140,14 +141,14 @@ func (v *Validator) Validate(ctx context.Context, c *Client) error {
  }
 
  if c.SubjectType != "" {
- if !stringslice.Has(v.r.Config().SubjectTypesSupported(ctx), c.SubjectType) {
- return errorsx.WithStack(ErrInvalidClientMetadata.WithHintf("Subject type %s is not supported by server, only %v are allowed.", c.SubjectType, v.r.Config().SubjectTypesSupported(ctx)))
+ if !stringslice.Has(v.r.Config().SubjectTypesSupported(ctx, c), c.SubjectType) {
+ return errorsx.WithStack(ErrInvalidClientMetadata.WithHintf("Subject type %s is not supported by server, only %v are allowed.", c.SubjectType, v.r.Config().SubjectTypesSupported(ctx, c)))
  }
  } else {
- if stringslice.Has(v.r.Config().SubjectTypesSupported(ctx), "public") {
+ if stringslice.Has(v.r.Config().SubjectTypesSupported(ctx, c), "public") {
  c.SubjectType = "public"
  } else {
- c.SubjectType = v.r.Config().SubjectTypesSupported(ctx)[0]
+ c.SubjectType = v.r.Config().SubjectTypesSupported(ctx, c)[0]
  }
  }
 
@@ -173,6 +174,16 @@ func (v *Validator) Validate(ctx context.Context, c *Client) error {
  }
  }
 
+ if c.AccessTokenStrategy != "" {
+ s, err := config.ToAccessTokenStrategyType(c.AccessTokenStrategy)
+ if err != nil {
+ return errorsx.WithStack(ErrInvalidClientMetadata.
+ WithHintf("invalid access token strategy: %v", err))
+ }
+ // Canonicalize, just in case.
+ c.AccessTokenStrategy = string(s)
+ }
+
  return nil
 }
 
@@ -182,6 +193,9 @@ func (v *Validator) ValidateDynamicRegistration(ctx context.Context, c *Client)
  WithHint(`"metadata" cannot be set for dynamic client registration`),
  )
  }
+ if c.AccessTokenStrategy != "" {
+ return errorsx.WithStack(herodot.ErrBadRequest.WithReasonf("It is not allowed to choose your own access token strategy."))
+ }
  if c.SkipConsent {
  return errorsx.WithStack(ErrInvalidRequest.WithDescription(`"skip_consent" cannot be set for dynamic client registration`))
  }