feat: add token hooks for all grants types#3254
Conversation
Codecov Report
@@ Coverage Diff @@
## master #3254 +/- ##
==========================================
+ Coverage 76.75% 76.77% +0.02%
==========================================
Files 123 123
Lines 9076 9111 +35
==========================================
+ Hits 6966 6995 +29
- Misses 1668 1674 +6
Partials 442 442
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
fehrnah
changed the title
aeneasr
left a comment
aeneasr
left a comment
There was a problem hiding this comment.
Great stuff! Could you please also add some tests for this?
| } | ||
|
|
||
| // AuthorizationCodeHook is an AccessRequestHook called for `authorization_code` grant type. | ||
| func AuthorizationCodeHook(reg interface { |
There was a problem hiding this comment.
Could you please DRY up the code a bit, it looks like we're re-using most of it across the functions!
There was a problem hiding this comment.
I am unsure about how this kind os factorisation should be done.
My first instinct is to abuse generics. Is that OK with you ?
There was a problem hiding this comment.
@fehrnah Every function here has 2 points that are different - get a hookURL and check the grant type from the requester. The rest of the function body is the same for all new functions. Basically lines 213 - 299 could be moved into a separate function and reused.
There was a problem hiding this comment.
With that approach you could also get rid of repeating struct definitions around *Request and *Response since they are the same (at least for now)
There was a problem hiding this comment.
Thank you for the input.
This has not been my priority for the las few moth, but I'm still interested in getting things through.
I made the changes you suggested and things are much better looking !
There was a problem hiding this comment.
@fehrnah Awesome work! Could please add a hook for https://www.ory.sh/docs/hydra/guides/jwt#exchanging-jwts-for-access-tokens?
There was a problem hiding this comment.
@fehrnah Awesome work! Could please add a hook for https://www.ory.sh/docs/hydra/guides/jwt#exchanging-jwts-for-access-tokens?
I think this is what I called JWTProfile.
I renamed it and related conf to JWTBearer to be consistant.
So after this, tthere are hooks for the following grant_types:
- refresh_token
- authorization_code
- client_credentials
- urn:ietf:params:oauth:grant-type:jwt-bearer
Are there more I should support ?
The only case not supported would be the implicit flow, but IIRC it is considered legacy
There was a problem hiding this comment.
No, I think it is fine to support the ones you added and skip the implicit flow. @aeneasr what do you think?
driver/config/provider.go
Outdated
| KeyOAuth2GrantJWTMaxDuration = "oauth2.grant.jwt.max_ttl" | ||
| KeyRefreshTokenHookURL = "oauth2.refresh_token_hook" // #nosec G101 | ||
| KeyRefreshTokenHookURL = "oauth2.refresh_token_hook" // #nosec G101 | ||
| KeyAuthorizationCodeTokenURL = "oauth2.authorization_code_hook" // #nosec G101 |
There was a problem hiding this comment.
| KeyAuthorizationCodeTokenURL = "oauth2.authorization_code_hook" // #nosec G101 | |
| KeyAuthorizationCodeHookURL = "oauth2.authorization_code_hook" // #nosec G101 |
There was a problem hiding this comment.
Not sure if it is a typo, but it should be consistent with other keys that represent hook URLs
There was a problem hiding this comment.
Was a typo, should be fixed.
fehrnah
force-pushed
the
dev/v2.x/token_hooks
branch
2 times, most recently
from
7da54c4 to
aa4a43e
Compare
fehrnah
force-pushed
the
dev/v2.x/token_hooks
branch
3 times, most recently
from
a2b248f to
606bea0
Compare
spec/config.json
Outdated
| "format": "uri", | ||
| "examples": ["https://my-example.app/token-client-credentials-hook"] | ||
| }, | ||
| "jwt_profile_hook": { |
There was a problem hiding this comment.
For consistency with other places
| "jwt_profile_hook": { | |
| "jwt_bearer_hook": { |
fehrnah
force-pushed
the
dev/v2.x/token_hooks
branch
from
606bea0 to
53f0588
Compare
spec/config.json
Outdated
| }, | ||
| "jwt_bearer_hook": { | ||
| "type": "string", | ||
| "description": "Sets the client credentials hook endpoint. If set it will be called during token refresh to receive updated token claims.", |
There was a problem hiding this comment.
This needs to be updated - seems like a copy-paste from client_credentials section
spec/config.json
Outdated
| "type": "string", | ||
| "description": "Sets the client credentials hook endpoint. If set it will be called during token refresh to receive updated token claims.", | ||
| "format": "uri", | ||
| "examples": ["https://my-example.app/token-jwt-profile-hook"] |
There was a problem hiding this comment.
| "examples": ["https://my-example.app/token-jwt-profile-hook"] | |
| "examples": ["https://my-example.app/token-jwt-bearer-hook"] |
fehrnah
force-pushed
the
dev/v2.x/token_hooks
branch
from
53f0588 to
f57f44c
Compare
add client_credentials token hook add authorization_code token hook add jwt_profile token hook add relevant configuration
fehrnah
force-pushed
the
dev/v2.x/token_hooks
branch
from
f57f44c to
fbc185c
Compare
|
@fehrnah Do you have anything else that you would like to add to this? |
No, this is all the functionality I wanted to add. |
|
@fehrnah Could you please add some tests to cover new cases? I think you can use |
Sure, I'll try to do it for the end of next week. |
|
@fehrnah In my company, we are currently relying on this change to be able to run the native factors login flow. With that, I took the liberty to complete your change (along with an extra thing) in a separate PR - #3427. I assumed that you are tied up with work on other things to focus on this, so I took over. I hope it's ok. I did keep all your changes intact and added tests to make sure they are working as expected. Would love to have your review in my PR! |
|
That's great ! I'll take a bit of time to have a look. |
|
The follow up was merged: #3427 |
3 participants
add client_credentials token hook
add authorization_code token hook
add jwt_profile token hook
add relevant configuration
Related issue(s)
#3244
Checklist
introduces a new feature.
contributing code guidelines.
vulnerability. If this pull request addresses a security. vulnerability, I
confirm that I got green light (please contact
[email protected]) from the maintainers to push
the changes.
works. => I am unsure how to test hooks, the refresh hook doesn't have tests I could look at