feat(token_hook): pass associated oauth client data to token hook

ory · Jul 25, 2024 · 72d8556 · 72d8556
1 parent 0b3ecfc
commit 72d8556
Show file tree

Hide file tree

Showing 12 changed files with 299 additions and 20 deletions.
diff --git a/client/client.go b/client/client.go
@@ -580,3 +580,11 @@ type IDer interface{ GetID() string }
 func CookieSuffix(client IDer) string {
 	return strconv.Itoa(int(murmur3.Sum32([]byte(client.GetID()))))
 }
+
+func GetSanitizedCopy(c *Client) *Client {
+	cc := new(Client)
+	// Remove the hashed secret here
+	*cc = *c
+	cc.Secret = ""
+	return cc
+}
diff --git a/consent/handler.go b/consent/handler.go
@@ -9,6 +9,8 @@ import (
 	"net/url"
 	"time"
 
+	"github.com/ory/hydra/v2/client"
+
 	"github.com/ory/hydra/v2/flow"
 	"github.com/ory/hydra/v2/oauth2/flowctx"
 	"github.com/ory/hydra/v2/x/events"
@@ -212,7 +214,7 @@ func (h *Handler) listOAuth2ConsentSessions(w http.ResponseWriter, r *http.Reque
 
 	var a []flow.OAuth2ConsentSession
 	for _, session := range s {
-		session.ConsentRequest.Client = sanitizeClient(session.ConsentRequest.Client)
+		session.ConsentRequest.Client = client.GetSanitizedCopy(session.ConsentRequest.Client)
 		a = append(a, flow.OAuth2ConsentSession(session))
 	}
 
@@ -372,7 +374,7 @@ func (h *Handler) getOAuth2LoginRequest(w http.ResponseWriter, r *http.Request,
 		request.RequestedAudience = []string{}
 	}
 
-	request.Client = sanitizeClient(request.Client)
+	request.Client = client.GetSanitizedCopy(request.Client)
 	h.r.Writer().Write(w, r, request)
 }
 
@@ -679,7 +681,7 @@ func (h *Handler) getOAuth2ConsentRequest(w http.ResponseWriter, r *http.Request
 		request.RequestedAudience = []string{}
 	}
 
-	request.Client = sanitizeClient(request.Client)
+	request.Client = client.GetSanitizedCopy(request.Client)
 	h.r.Writer().Write(w, r, request)
 }
 

diff --git a/consent/helper.go b/consent/helper.go
@@ -10,15 +10,7 @@ import (
 )
 
 func sanitizeClientFromRequest(ar fosite.AuthorizeRequester) *client.Client {
-	return sanitizeClient(ar.GetClient().(*client.Client))
-}
-
-func sanitizeClient(c *client.Client) *client.Client {
-	cc := new(client.Client)
-	// Remove the hashed secret here
-	*cc = *c
-	cc.Secret = ""
-	return cc
+	return client.GetSanitizedCopy(ar.GetClient().(*client.Client))
 }
 
 func matchScopes(scopeStrategy fosite.ScopeStrategy, previousConsent []flow.AcceptOAuth2ConsentRequest, requestedScope []string) *flow.AcceptOAuth2ConsentRequest {

diff --git a/contrib/quickstart/5-min/hydra.yml b/contrib/quickstart/5-min/hydra.yml
@@ -20,3 +20,5 @@ oidc:
       - public
     pairwise:
       salt: youReallyNeedToChangeThis
+oauth2:
+  token_hook: http://localhost:8080
diff --git a/...ass_request_if_strategy_passes-should_call_refresh_token_hook_if_configured-hook=new.json b/...ass_request_if_strategy_passes-should_call_refresh_token_hook_if_configured-hook=new.json
@@ -35,6 +35,49 @@
   },
   "request": {
     "client_id": "app-client",
+    "client": {
+      "client_id": "app-client",
+      "client_name": "",
+      "grant_types": [
+        "implicit",
+        "refresh_token",
+        "authorization_code",
+        "password",
+        "client_credentials"
+      ],
+      "response_types": [
+        "id_token",
+        "code",
+        "token"
+      ],
+      "scope": "hydra.* offline openid",
+      "audience": [],
+      "owner": "",
+      "policy_uri": "",
+      "allowed_cors_origins": [],
+      "tos_uri": "",
+      "client_uri": "",
+      "logo_uri": "",
+      "contacts": [],
+      "client_secret_expires_at": 0,
+      "subject_type": "",
+      "jwks": {},
+      "metadata": {
+        "some-meta-key": "some-meta-value"
+      },
+      "skip_consent": false,
+      "skip_logout_consent": false,
+      "authorization_code_grant_access_token_lifespan": null,
+      "authorization_code_grant_id_token_lifespan": null,
+      "authorization_code_grant_refresh_token_lifespan": null,
+      "client_credentials_grant_access_token_lifespan": null,
+      "implicit_grant_access_token_lifespan": null,
+      "implicit_grant_id_token_lifespan": null,
+      "jwt_bearer_grant_access_token_lifespan": null,
+      "refresh_token_grant_id_token_lifespan": null,
+      "refresh_token_grant_access_token_lifespan": null,
+      "refresh_token_grant_refresh_token_lifespan": null
+    },
     "granted_scopes": [
       "offline",
       "openid",

diff --git a/...max_age_is_less_than_auth_time-should_call_refresh_token_hook_if_configured-hook=new.json b/...max_age_is_less_than_auth_time-should_call_refresh_token_hook_if_configured-hook=new.json
@@ -35,6 +35,49 @@
   },
   "request": {
     "client_id": "app-client",
+    "client": {
+      "client_id": "app-client",
+      "client_name": "",
+      "grant_types": [
+        "implicit",
+        "refresh_token",
+        "authorization_code",
+        "password",
+        "client_credentials"
+      ],
+      "response_types": [
+        "id_token",
+        "code",
+        "token"
+      ],
+      "scope": "hydra.* offline openid",
+      "audience": [],
+      "owner": "",
+      "policy_uri": "",
+      "allowed_cors_origins": [],
+      "tos_uri": "",
+      "client_uri": "",
+      "logo_uri": "",
+      "contacts": [],
+      "client_secret_expires_at": 0,
+      "subject_type": "",
+      "jwks": {},
+      "metadata": {
+        "some-meta-key": "some-meta-value"
+      },
+      "skip_consent": false,
+      "skip_logout_consent": false,
+      "authorization_code_grant_access_token_lifespan": null,
+      "authorization_code_grant_id_token_lifespan": null,
+      "authorization_code_grant_refresh_token_lifespan": null,
+      "client_credentials_grant_access_token_lifespan": null,
+      "implicit_grant_access_token_lifespan": null,
+      "implicit_grant_id_token_lifespan": null,
+      "jwt_bearer_grant_access_token_lifespan": null,
+      "refresh_token_grant_id_token_lifespan": null,
+      "refresh_token_grant_access_token_lifespan": null,
+      "refresh_token_grant_refresh_token_lifespan": null
+    },
     "granted_scopes": [
       "offline",
       "openid",

diff --git a/..._authentication_time_is_recent-should_call_refresh_token_hook_if_configured-hook=new.json b/..._authentication_time_is_recent-should_call_refresh_token_hook_if_configured-hook=new.json
@@ -35,6 +35,49 @@
   },
   "request": {
     "client_id": "app-client",
+    "client": {
+      "client_id": "app-client",
+      "client_name": "",
+      "grant_types": [
+        "implicit",
+        "refresh_token",
+        "authorization_code",
+        "password",
+        "client_credentials"
+      ],
+      "response_types": [
+        "id_token",
+        "code",
+        "token"
+      ],
+      "scope": "hydra.* offline openid",
+      "audience": [],
+      "owner": "",
+      "policy_uri": "",
+      "allowed_cors_origins": [],
+      "tos_uri": "",
+      "client_uri": "",
+      "logo_uri": "",
+      "contacts": [],
+      "client_secret_expires_at": 0,
+      "subject_type": "",
+      "jwks": {},
+      "metadata": {
+        "some-meta-key": "some-meta-value"
+      },
+      "skip_consent": false,
+      "skip_logout_consent": false,
+      "authorization_code_grant_access_token_lifespan": null,
+      "authorization_code_grant_id_token_lifespan": null,
+      "authorization_code_grant_refresh_token_lifespan": null,
+      "client_credentials_grant_access_token_lifespan": null,
+      "implicit_grant_access_token_lifespan": null,
+      "implicit_grant_id_token_lifespan": null,
+      "jwt_bearer_grant_access_token_lifespan": null,
+      "refresh_token_grant_id_token_lifespan": null,
+      "refresh_token_grant_access_token_lifespan": null,
+      "refresh_token_grant_refresh_token_lifespan": null
+    },
     "granted_scopes": [
       "offline",
       "openid",

diff --git a/...ass_request_if_strategy_passes-should_call_refresh_token_hook_if_configured-hook=new.json b/...ass_request_if_strategy_passes-should_call_refresh_token_hook_if_configured-hook=new.json
@@ -35,6 +35,49 @@
   },
   "request": {
     "client_id": "app-client",
+    "client": {
+      "client_id": "app-client",
+      "client_name": "",
+      "grant_types": [
+        "implicit",
+        "refresh_token",
+        "authorization_code",
+        "password",
+        "client_credentials"
+      ],
+      "response_types": [
+        "id_token",
+        "code",
+        "token"
+      ],
+      "scope": "hydra.* offline openid",
+      "audience": [],
+      "owner": "",
+      "policy_uri": "",
+      "allowed_cors_origins": [],
+      "tos_uri": "",
+      "client_uri": "",
+      "logo_uri": "",
+      "contacts": [],
+      "client_secret_expires_at": 0,
+      "subject_type": "",
+      "jwks": {},
+      "metadata": {
+        "some-meta-key": "some-meta-value"
+      },
+      "skip_consent": false,
+      "skip_logout_consent": false,
+      "authorization_code_grant_access_token_lifespan": null,
+      "authorization_code_grant_id_token_lifespan": null,
+      "authorization_code_grant_refresh_token_lifespan": null,
+      "client_credentials_grant_access_token_lifespan": null,
+      "implicit_grant_access_token_lifespan": null,
+      "implicit_grant_id_token_lifespan": null,
+      "jwt_bearer_grant_access_token_lifespan": null,
+      "refresh_token_grant_id_token_lifespan": null,
+      "refresh_token_grant_access_token_lifespan": null,
+      "refresh_token_grant_refresh_token_lifespan": null
+    },
     "granted_scopes": [
       "offline",
       "openid",

diff --git a/...max_age_is_less_than_auth_time-should_call_refresh_token_hook_if_configured-hook=new.json b/...max_age_is_less_than_auth_time-should_call_refresh_token_hook_if_configured-hook=new.json
@@ -35,6 +35,49 @@
   },
   "request": {
     "client_id": "app-client",
+    "client": {
+      "client_id": "app-client",
+      "client_name": "",
+      "grant_types": [
+        "implicit",
+        "refresh_token",
+        "authorization_code",
+        "password",
+        "client_credentials"
+      ],
+      "response_types": [
+        "id_token",
+        "code",
+        "token"
+      ],
+      "scope": "hydra.* offline openid",
+      "audience": [],
+      "owner": "",
+      "policy_uri": "",
+      "allowed_cors_origins": [],
+      "tos_uri": "",
+      "client_uri": "",
+      "logo_uri": "",
+      "contacts": [],
+      "client_secret_expires_at": 0,
+      "subject_type": "",
+      "jwks": {},
+      "metadata": {
+        "some-meta-key": "some-meta-value"
+      },
+      "skip_consent": false,
+      "skip_logout_consent": false,
+      "authorization_code_grant_access_token_lifespan": null,
+      "authorization_code_grant_id_token_lifespan": null,
+      "authorization_code_grant_refresh_token_lifespan": null,
+      "client_credentials_grant_access_token_lifespan": null,
+      "implicit_grant_access_token_lifespan": null,
+      "implicit_grant_id_token_lifespan": null,
+      "jwt_bearer_grant_access_token_lifespan": null,
+      "refresh_token_grant_id_token_lifespan": null,
+      "refresh_token_grant_access_token_lifespan": null,
+      "refresh_token_grant_refresh_token_lifespan": null
+    },
     "granted_scopes": [
       "offline",
       "openid",

diff --git a/..._authentication_time_is_recent-should_call_refresh_token_hook_if_configured-hook=new.json b/..._authentication_time_is_recent-should_call_refresh_token_hook_if_configured-hook=new.json
@@ -35,6 +35,49 @@
   },
   "request": {
     "client_id": "app-client",
+    "client": {
+      "client_id": "app-client",
+      "client_name": "",
+      "grant_types": [
+        "implicit",
+        "refresh_token",
+        "authorization_code",
+        "password",
+        "client_credentials"
+      ],
+      "response_types": [
+        "id_token",
+        "code",
+        "token"
+      ],
+      "scope": "hydra.* offline openid",
+      "audience": [],
+      "owner": "",
+      "policy_uri": "",
+      "allowed_cors_origins": [],
+      "tos_uri": "",
+      "client_uri": "",
+      "logo_uri": "",
+      "contacts": [],
+      "client_secret_expires_at": 0,
+      "subject_type": "",
+      "jwks": {},
+      "metadata": {
+        "some-meta-key": "some-meta-value"
+      },
+      "skip_consent": false,
+      "skip_logout_consent": false,
+      "authorization_code_grant_access_token_lifespan": null,
+      "authorization_code_grant_id_token_lifespan": null,
+      "authorization_code_grant_refresh_token_lifespan": null,
+      "client_credentials_grant_access_token_lifespan": null,
+      "implicit_grant_access_token_lifespan": null,
+      "implicit_grant_id_token_lifespan": null,
+      "jwt_bearer_grant_access_token_lifespan": null,
+      "refresh_token_grant_id_token_lifespan": null,
+      "refresh_token_grant_access_token_lifespan": null,
+      "refresh_token_grant_refresh_token_lifespan": null
+    },
     "granted_scopes": [
       "offline",
       "openid",