feat: add skip_logout_consent option to clients

client/.snapshots/TestHandler-common-case=create_clients-case=0-description=basic_dynamic_client_registration.json

@@ -21,6 +21,7 @@
  "userinfo_signed_response_alg": "none",
  "metadata": {},
  "skip_consent": false,
+ "skip_logout_consent": null,
  "authorization_code_grant_access_token_lifespan": null,
  "authorization_code_grant_id_token_lifespan": null,
  "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=create_clients-case=1-description=basic_admin_registration.json

@@ -24,6 +24,7 @@
  "foo": "bar"
  },
  "skip_consent": false,
+ "skip_logout_consent": null,
  "authorization_code_grant_access_token_lifespan": null,
  "authorization_code_grant_id_token_lifespan": null,
  "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=create_clients-case=10-description=setting_skip_logout_consent_succeeds_for_admin_registration.json

@@ -0,0 +1,36 @@
+{
+ "client_name": "",
+ "client_secret": "2SKZkBf2P5g4toAXXnCrr~_sDM",
+ "redirect_uris": [
+ "http://localhost:3000/cb"
+ ],
+ "grant_types": null,
+ "response_types": null,
+ "scope": "offline_access offline openid",
+ "audience": [],
+ "owner": "",
+ "policy_uri": "",
+ "allowed_cors_origins": [],
+ "tos_uri": "",
+ "client_uri": "",
+ "logo_uri": "",
+ "contacts": null,
+ "client_secret_expires_at": 0,
+ "subject_type": "public",
+ "jwks": {},
+ "token_endpoint_auth_method": "client_secret_basic",
+ "userinfo_signed_response_alg": "none",
+ "metadata": {},
+ "skip_consent": false,
+ "skip_logout_consent": true,
+ "authorization_code_grant_access_token_lifespan": null,
+ "authorization_code_grant_id_token_lifespan": null,
+ "authorization_code_grant_refresh_token_lifespan": null,
+ "client_credentials_grant_access_token_lifespan": null,
+ "implicit_grant_access_token_lifespan": null,
+ "implicit_grant_id_token_lifespan": null,
+ "jwt_bearer_grant_access_token_lifespan": null,
+ "refresh_token_grant_id_token_lifespan": null,
+ "refresh_token_grant_access_token_lifespan": null,
+ "refresh_token_grant_refresh_token_lifespan": null
+}

client/.snapshots/TestHandler-common-case=create_clients-case=11-description=basic_dynamic_client_registration.json

@@ -0,0 +1,4 @@
+{
+ "error": "The request was malformed or contained invalid parameters",
+ "error_description": "It is not allowed to choose your own OAuth2 Client secret."
+}

client/.snapshots/TestHandler-common-case=create_clients-case=12-description=empty_ID_succeeds.json

@@ -0,0 +1,36 @@
+{
+ "client_name": "",
+ "client_secret": "averylongsecret",
+ "redirect_uris": [
+ "http://localhost:3000/cb"
+ ],
+ "grant_types": null,
+ "response_types": null,
+ "scope": "offline_access offline openid",
+ "audience": [],
+ "owner": "",
+ "policy_uri": "",
+ "allowed_cors_origins": [],
+ "tos_uri": "",
+ "client_uri": "",
+ "logo_uri": "",
+ "contacts": null,
+ "client_secret_expires_at": 0,
+ "subject_type": "public",
+ "jwks": {},
+ "token_endpoint_auth_method": "client_secret_basic",
+ "userinfo_signed_response_alg": "none",
+ "metadata": {},
+ "skip_consent": false,
+ "skip_logout_consent": null,
+ "authorization_code_grant_access_token_lifespan": null,
+ "authorization_code_grant_id_token_lifespan": null,
+ "authorization_code_grant_refresh_token_lifespan": null,
+ "client_credentials_grant_access_token_lifespan": null,
+ "implicit_grant_access_token_lifespan": null,
+ "implicit_grant_id_token_lifespan": null,
+ "jwt_bearer_grant_access_token_lifespan": null,
+ "refresh_token_grant_id_token_lifespan": null,
+ "refresh_token_grant_access_token_lifespan": null,
+ "refresh_token_grant_refresh_token_lifespan": null
+}

client/.snapshots/TestHandler-common-case=create_clients-case=4-description=non-uuid_works.json

@@ -24,6 +24,7 @@
  "metadata": {},
  "registration_client_uri": "http://localhost:4444/oauth2/register/not-a-uuid",
  "skip_consent": false,
+ "skip_logout_consent": null,
  "authorization_code_grant_access_token_lifespan": null,
  "authorization_code_grant_id_token_lifespan": null,
  "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=create_clients-case=5-description=setting_client_id_as_uuid_works.json

@@ -24,6 +24,7 @@
  "metadata": {},
  "registration_client_uri": "http://localhost:4444/oauth2/register/98941dac-f963-4468-8a23-9483b1e04e3c",
  "skip_consent": false,
+ "skip_logout_consent": null,
  "authorization_code_grant_access_token_lifespan": null,
  "authorization_code_grant_id_token_lifespan": null,
  "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=create_clients-case=8-description=setting_skip_consent_succeeds_for_admin_registration.json

@@ -0,0 +1,36 @@
+{
+ "client_name": "",
+ "client_secret": "2SKZkBf2P5g4toAXXnCrr~_sDM",
+ "redirect_uris": [
+ "http://localhost:3000/cb"
+ ],
+ "grant_types": null,
+ "response_types": null,
+ "scope": "offline_access offline openid",
+ "audience": [],
+ "owner": "",
+ "policy_uri": "",
+ "allowed_cors_origins": [],
+ "tos_uri": "",
+ "client_uri": "",
+ "logo_uri": "",
+ "contacts": null,
+ "client_secret_expires_at": 0,
+ "subject_type": "public",
+ "jwks": {},
+ "token_endpoint_auth_method": "client_secret_basic",
+ "userinfo_signed_response_alg": "none",
+ "metadata": {},
+ "skip_consent": true,
+ "skip_logout_consent": null,
+ "authorization_code_grant_access_token_lifespan": null,
+ "authorization_code_grant_id_token_lifespan": null,
+ "authorization_code_grant_refresh_token_lifespan": null,
+ "client_credentials_grant_access_token_lifespan": null,
+ "implicit_grant_access_token_lifespan": null,
+ "implicit_grant_id_token_lifespan": null,
+ "jwt_bearer_grant_access_token_lifespan": null,
+ "refresh_token_grant_id_token_lifespan": null,
+ "refresh_token_grant_access_token_lifespan": null,
+ "refresh_token_grant_refresh_token_lifespan": null
+}

client/.snapshots/TestHandler-common-case=create_clients-case=9-description=setting_skip_logout_consent_fails_for_dynamic_registration.json

@@ -0,0 +1,4 @@
+{
+ "error": "invalid_request",
+ "error_description": "'skip_logout_consent' cannot be set for dynamic client registration"
+}

client/.snapshots/TestHandler-common-case=fetching_existing_client-endpoint=admin.json

@@ -22,6 +22,7 @@
  "userinfo_signed_response_alg": "none",
  "metadata": {},
  "skip_consent": false,
+ "skip_logout_consent": null,
  "authorization_code_grant_access_token_lifespan": null,
  "authorization_code_grant_id_token_lifespan": null,
  "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=fetching_existing_client-endpoint=selfservice.json

@@ -21,6 +21,7 @@
  "token_endpoint_auth_method": "client_secret_basic",
  "userinfo_signed_response_alg": "none",
  "skip_consent": false,
+ "skip_logout_consent": null,
  "authorization_code_grant_access_token_lifespan": null,
  "authorization_code_grant_id_token_lifespan": null,
  "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=update_the_lifespans_of_an_OAuth2_client.json

@@ -22,6 +22,7 @@
  "userinfo_signed_response_alg": "none",
  "metadata": {},
  "skip_consent": false,
+ "skip_logout_consent": null,
  "authorization_code_grant_access_token_lifespan": "31h0m0s",
  "authorization_code_grant_id_token_lifespan": "32h0m0s",
  "authorization_code_grant_refresh_token_lifespan": "33h0m0s",

client/.snapshots/TestHandler-common-case=updating_existing_client-endpoint=admin.json

@@ -24,6 +24,7 @@
  "userinfo_signed_response_alg": "none",
  "metadata": {},
  "skip_consent": false,
+ "skip_logout_consent": null,
  "authorization_code_grant_access_token_lifespan": null,
  "authorization_code_grant_id_token_lifespan": null,
  "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=updating_existing_client-endpoint=dynamic_client_registration.json

@@ -23,6 +23,7 @@
  "userinfo_signed_response_alg": "none",
  "metadata": {},
  "skip_consent": false,
+ "skip_logout_consent": null,
  "authorization_code_grant_access_token_lifespan": null,
  "authorization_code_grant_id_token_lifespan": null,
  "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-create_client_registration_tokens-case=0-dynamic=true.json

@@ -17,6 +17,7 @@
  "jwks": {},
  "metadata": {},
  "skip_consent": false,
+ "skip_logout_consent": null,
  "authorization_code_grant_access_token_lifespan": null,
  "authorization_code_grant_id_token_lifespan": null,
  "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-create_client_registration_tokens-case=1-dynamic=false.json

@@ -17,6 +17,7 @@
  "jwks": {},
  "metadata": {},
  "skip_consent": false,
+ "skip_logout_consent": null,
  "authorization_code_grant_access_token_lifespan": null,
  "authorization_code_grant_id_token_lifespan": null,
  "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-create_client_registration_tokens-case=2-dynamic=false.json

@@ -18,6 +18,7 @@
  "jwks": {},
  "metadata": {},
  "skip_consent": false,
+ "skip_logout_consent": null,
  "authorization_code_grant_access_token_lifespan": null,
  "authorization_code_grant_id_token_lifespan": null,
  "authorization_code_grant_refresh_token_lifespan": null,

client/client.go

@@ -311,6 +311,10 @@ type Client struct {
  // be set from the admin API.
  SkipConsent bool `json:"skip_consent" db:"skip_consent" faker:"-"`
 
+ // SkipLogoutConsent skips the logout consent screen for this client. This field can only
+ // be set from the admin API.
+ SkipLogoutConsent sqlxx.NullBool `json:"skip_logout_consent" db:"skip_logout_consent" faker:"-"`
+
  Lifespans
 }
 

client/handler_test.go

@@ -13,6 +13,8 @@ import (
  "net/http/httptest"
  "testing"
 
+ "github.com/ory/x/sqlxx"
+
  "github.com/ory/x/httprouterx"
 
  "github.com/tidwall/sjson"
@@ -347,11 +349,30 @@ func TestHandler(t *testing.T) {
  statusCode: http.StatusBadRequest,
  },
  {
- d: "setting skip_consent suceeds for admin registration",
+ d: "setting skip_consent succeeds for admin registration",
  payload: &client.Client{
  RedirectURIs: []string{"http://localhost:3000/cb"},
- SkipConsent: true,
  Secret: "2SKZkBf2P5g4toAXXnCrr~_sDM",
+ SkipConsent: true,
+ },
+ path: client.ClientsHandlerPath,
+ statusCode: http.StatusCreated,
+ },
+ {
+ d: "setting skip_logout_consent fails for dynamic registration",
+ payload: &client.Client{
+ RedirectURIs: []string{"http://localhost:3000/cb"},
+ SkipLogoutConsent: sqlxx.NullBool{Bool: true, Valid: true},
+ },
+ path: client.DynClientsHandlerPath,
+ statusCode: http.StatusBadRequest,
+ },
+ {
+ d: "setting skip_logout_consent succeeds for admin registration",
+ payload: &client.Client{
+ RedirectURIs: []string{"http://localhost:3000/cb"},
+ SkipLogoutConsent: sqlxx.NullBool{Bool: true, Valid: true},
+ Secret: "2SKZkBf2P5g4toAXXnCrr~_sDM",
  },
  path: client.ClientsHandlerPath,
  statusCode: http.StatusCreated,

client/validator.go

@@ -207,6 +207,9 @@ func (v *Validator) ValidateDynamicRegistration(ctx context.Context, c *Client)
  if c.SkipConsent {
  return errorsx.WithStack(ErrInvalidRequest.WithDescription(`"skip_consent" cannot be set for dynamic client registration`))
  }
+ if c.SkipLogoutConsent.Bool {
+ return errorsx.WithStack(ErrInvalidRequest.WithDescription(`"skip_logout_consent" cannot be set for dynamic client registration`))
+ }
 
  return v.Validate(ctx, c)
 }

go.mod

@@ -44,7 +44,7 @@ require (
  github.com/ory/hydra-client-go/v2 v2.1.1
  github.com/ory/jsonschema/v3 v3.0.8
  github.com/ory/kratos-client-go v0.13.1
- github.com/ory/x v0.0.607
+ github.com/ory/x v0.0.612-0.20240130132700-6275e3f1ad0d
  github.com/pborman/uuid v1.2.1
  github.com/pkg/errors v0.9.1
  github.com/prometheus/client_golang v1.16.0
@@ -225,8 +225,8 @@ require (
  github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c // indirect
  go.mongodb.org/mongo-driver v1.12.1 // indirect
  go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1 // indirect
- go.opentelemetry.io/contrib/propagators/b3 v1.20.0 // indirect
- go.opentelemetry.io/contrib/propagators/jaeger v1.20.0 // indirect
+ go.opentelemetry.io/contrib/propagators/b3 v1.21.0 // indirect
+ go.opentelemetry.io/contrib/propagators/jaeger v1.21.1 // indirect
  go.opentelemetry.io/contrib/samplers/jaegerremote v0.15.1 // indirect
  go.opentelemetry.io/otel/exporters/jaeger v1.17.0 // indirect
  go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 // indirect

go.sum

@@ -601,8 +601,8 @@ github.com/ory/jsonschema/v3 v3.0.8 h1:Ssdb3eJ4lDZ/+XnGkvQS/te0p+EkolqwTsDOCxr/F
 github.com/ory/jsonschema/v3 v3.0.8/go.mod h1:ZPzqjDkwd3QTnb2Z6PAS+OTvBE2x5i6m25wCGx54W/0=
 github.com/ory/kratos-client-go v0.13.1 h1:o+pFV9ZRMFSBa4QeNJYbJeLz036UWU4p+7yfKghK+0E=
 github.com/ory/kratos-client-go v0.13.1/go.mod h1:hkrFJuHSBQw+qN6Ks0faOAYhAKwtpjvhCZzsQ7g/Ufc=
-github.com/ory/x v0.0.607 h1:qNP1gU6RWVtsEB04rPht+1rV2DqQhvOAN2sF+4eqVWo=
-github.com/ory/x v0.0.607/go.mod h1:fCYvVVHo8wYrCwLyU8+9hFY3IRo4EZM3KI30ysDsDYY=
+github.com/ory/x v0.0.612-0.20240130132700-6275e3f1ad0d h1:Kbt7Wj0vLSDSUcwGRvoqJVRtae8g4NCBe54t9XjOODc=
+github.com/ory/x v0.0.612-0.20240130132700-6275e3f1ad0d/go.mod h1:uH065puz8neija0neqwIN3PmXXfDsB9VbZTZ20Znoos=
 github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw=
 github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE=
@@ -767,10 +767,10 @@ go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.
 go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1/go.mod h1:GnOaBaFQ2we3b9AGWJpsBa7v1S5RlQzlC3O7dRMxZhM=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 h1:aFJWCqJMNjENlcleuuOkGAPH82y0yULBScfXcIEdS24=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1/go.mod h1:sEGXWArGqc3tVa+ekntsN65DmVbVeW+7lTKTjZF3/Fo=
-go.opentelemetry.io/contrib/propagators/b3 v1.20.0 h1:Yty9Vs4F3D6/liF1o6FNt0PvN85h/BJJ6DQKJ3nrcM0=
-go.opentelemetry.io/contrib/propagators/b3 v1.20.0/go.mod h1:On4VgbkqYL18kbJlWsa18+cMNe6rYpBnPi1ARI/BrsU=
-go.opentelemetry.io/contrib/propagators/jaeger v1.20.0 h1:iVhNKkMIpzyZqxk8jkDU2n4DFTD+FbpGacvooxEvyyc=
-go.opentelemetry.io/contrib/propagators/jaeger v1.20.0/go.mod h1:cpSABr0cm/AH/HhbJjn+AudBVUMgZWdfN3Gb+ZqxSZc=
+go.opentelemetry.io/contrib/propagators/b3 v1.21.0 h1:uGdgDPNzwQWRwCXJgw/7h29JaRqcq9B87Iv4hJDKAZw=
+go.opentelemetry.io/contrib/propagators/b3 v1.21.0/go.mod h1:D9GQXvVGT2pzyTfp1QBOnD1rzKEWzKjjwu5q2mslCUI=
+go.opentelemetry.io/contrib/propagators/jaeger v1.21.1 h1:f4beMGDKiVzg9IcX7/VuWVy+oGdjx3dNJ72YehmtY5k=
+go.opentelemetry.io/contrib/propagators/jaeger v1.21.1/go.mod h1:U9jhkEl8d1LL+QXY7q3kneJWJugiN3kZJV2OWz3hkBY=
 go.opentelemetry.io/contrib/samplers/jaegerremote v0.15.1 h1:Qb+5A+JbIjXwO7l4HkRUhgIn4Bzz0GNS2q+qdmSx+0c=
 go.opentelemetry.io/contrib/samplers/jaegerremote v0.15.1/go.mod h1:G4vNCm7fRk0kjZ6pGNLo5SpLxAUvOfSrcaegnT8TPck=
 go.opentelemetry.io/otel v1.21.0 h1:hzLeKBZEL7Okw2mGzZ0cc4k/A7Fta0uoPgaJCr8fsFc=
@@ -912,7 +912,6 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.14.0 h1:P0Vrf/2538nmC0H+pEQ3MNFRRnVR7RlqyVw+bvm26z0=
 golang.org/x/oauth2 v0.14.0/go.mod h1:lAtNWgaWfL4cm7j2OV8TxGi9Qb7ECORx8DktCY74OwM=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

internal/httpclient/api/openapi.yaml

@@ -2593,6 +2593,7 @@ components:
  sector_identifier_uri: sector_identifier_uri
  frontchannel_logout_session_required: true
  frontchannel_logout_uri: frontchannel_logout_uri
+ skip_logout_consent: true
  refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
  implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
  client_secret_expires_at: 0
@@ -2885,6 +2886,11 @@ components:
  SkipConsent skips the consent screen for this client. This field can only
  be set from the admin API.
  type: boolean
+ skip_logout_consent:
+ description: |-
+ SkipLogoutConsent skips the logout consent screen for this client. This field can only
+ be set from the admin API.
+ type: boolean
  subject_type:
  description: |-
  OpenID Connect Subject Type
@@ -3077,6 +3083,7 @@ components:
  sector_identifier_uri: sector_identifier_uri
  frontchannel_logout_session_required: true
  frontchannel_logout_uri: frontchannel_logout_uri
+ skip_logout_consent: true
  refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
  implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
  client_secret_expires_at: 0
@@ -3306,6 +3313,7 @@ components:
  sector_identifier_uri: sector_identifier_uri
  frontchannel_logout_session_required: true
  frontchannel_logout_uri: frontchannel_logout_uri
+ skip_logout_consent: true
  refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
  implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
  client_secret_expires_at: 0
@@ -3454,6 +3462,7 @@ components:
  sector_identifier_uri: sector_identifier_uri
  frontchannel_logout_session_required: true
  frontchannel_logout_uri: frontchannel_logout_uri
+ skip_logout_consent: true
  refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
  implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
  client_secret_expires_at: 0
@@ -3584,6 +3593,7 @@ components:
  sector_identifier_uri: sector_identifier_uri
  frontchannel_logout_session_required: true
  frontchannel_logout_uri: frontchannel_logout_uri
+ skip_logout_consent: true
  refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
  implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
  client_secret_expires_at: 0