Pass OIDC claims into post-login flow to include in web hook context

The login flow doesn't trigger a refresh of the identity when the OIDC claims have changed. By passing the claims through to the web hook context, this means that an external handler can be configured to update the identity as appropriate, when there are changes.
ory · Jun 4, 2024 · 90747f5 · 90747f5
1 parent 3c06689
commit 90747f5
Show file tree

Hide file tree

Showing 49 changed files with 290 additions and 210 deletions.
diff --git a/selfservice/flow/login/handler.go b/selfservice/flow/login/handler.go
@@ -822,7 +822,7 @@ continueLogin:
  return
  }
 
- if err := h.d.LoginHookExecutor().PostLoginHook(w, r, group, f, i, sess, ""); err != nil {
+ if err := h.d.LoginHookExecutor().PostLoginHook(w, r, group, f, i, sess, nil, ""); err != nil {
  if errors.Is(err, ErrAddressNotVerified) {
  h.d.LoginFlowErrorHandler().WriteFlowError(w, r, f, node.DefaultGroup, errors.WithStack(schema.NewAddressNotVerifiedError()))
  return

diff --git a/selfservice/flow/login/hook.go b/selfservice/flow/login/hook.go
@@ -20,6 +20,7 @@ import (
  "github.com/ory/kratos/schema"
  "github.com/ory/kratos/selfservice/flow"
  "github.com/ory/kratos/selfservice/sessiontokenexchange"
+ "github.com/ory/kratos/selfservice/strategy/oidc/claims"
  "github.com/ory/kratos/session"
  "github.com/ory/kratos/ui/container"
  "github.com/ory/kratos/ui/node"
@@ -34,7 +35,7 @@ type (
  }
 
  PostHookExecutor interface {
- ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, a *Flow, s *session.Session) error
+ ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, a *Flow, s *session.Session, c *claims.Claims) error
  }
 
  HooksProvider interface {
@@ -125,6 +126,7 @@ func (e *HookExecutor) PostLoginHook(
  f *Flow,
  i *identity.Identity,
  s *session.Session,
+ c *claims.Claims,
  provider string,
 ) (err error) {
  ctx := r.Context()
@@ -140,15 +142,15 @@ func (e *HookExecutor) PostLoginHook(
  return err
  }
 
- c := e.d.Config()
+ cfg := e.d.Config()
  // Verify the redirect URL before we do any other processing.
  returnTo, err := x.SecureRedirectTo(r,
- c.SelfServiceBrowserDefaultReturnTo(r.Context()),
+ cfg.SelfServiceBrowserDefaultReturnTo(r.Context()),
  x.SecureRedirectReturnTo(f.ReturnTo),
  x.SecureRedirectUseSourceURL(f.RequestURL),
- x.SecureRedirectAllowURLs(c.SelfServiceBrowserAllowedReturnToDomains(r.Context())),
- x.SecureRedirectAllowSelfServiceURLs(c.SelfPublicURL(r.Context())),
- x.SecureRedirectOverrideDefaultReturnTo(c.SelfServiceFlowLoginReturnTo(r.Context(), f.Active.String())),
+ x.SecureRedirectAllowURLs(cfg.SelfServiceBrowserAllowedReturnToDomains(r.Context())),
+ x.SecureRedirectAllowSelfServiceURLs(cfg.SelfPublicURL(r.Context())),
+ x.SecureRedirectOverrideDefaultReturnTo(cfg.SelfServiceFlowLoginReturnTo(r.Context(), f.Active.String())),
  )
  if err != nil {
  return err
@@ -168,7 +170,7 @@ func (e *HookExecutor) PostLoginHook(
  WithField("flow_method", f.Active).
  Debug("Running ExecuteLoginPostHook.")
  for k, executor := range e.d.PostLoginHooks(r.Context(), f.Active) {
- if err := executor.ExecuteLoginPostHook(w, r, g, f, s); err != nil {
+ if err := executor.ExecuteLoginPostHook(w, r, g, f, s, c); err != nil {
  if errors.Is(err, ErrHookAbortFlow) {
  e.d.Logger().
  WithRequest(r).

diff --git a/selfservice/flow/login/hook_test.go b/selfservice/flow/login/hook_test.go
@@ -72,7 +72,7 @@ func TestLoginExecutor(t *testing.T) {
  }
 
  testhelpers.SelfServiceHookLoginErrorHandler(t, w, r,
- reg.LoginHookExecutor().PostLoginHook(w, r, strategy.ToUiNodeGroup(), loginFlow, useIdentity, sess, ""))
+ reg.LoginHookExecutor().PostLoginHook(w, r, strategy.ToUiNodeGroup(), loginFlow, useIdentity, sess, nil, ""))
  })
 
  ts := httptest.NewServer(router)

diff --git a/selfservice/hook/address_verifier.go b/selfservice/hook/address_verifier.go
@@ -14,6 +14,7 @@ import (
 
  "github.com/ory/kratos/identity"
  "github.com/ory/kratos/selfservice/flow/login"
+ "github.com/ory/kratos/selfservice/strategy/oidc/claims"
  "github.com/ory/kratos/session"
 )
 
@@ -25,7 +26,7 @@ func NewAddressVerifier() *AddressVerifier {
  return &AddressVerifier{}
 }
 
-func (e *AddressVerifier) ExecuteLoginPostHook(_ http.ResponseWriter, _ *http.Request, _ node.UiNodeGroup, f *login.Flow, s *session.Session) error {
+func (e *AddressVerifier) ExecuteLoginPostHook(_ http.ResponseWriter, _ *http.Request, _ node.UiNodeGroup, f *login.Flow, s *session.Session, _ *claims.Claims) error {
  // if the login happens using the password method, there must be at least one verified address
  if f.Active != identity.CredentialsTypePassword {
  return nil

diff --git a/selfservice/hook/address_verifier_test.go b/selfservice/hook/address_verifier_test.go
@@ -82,7 +82,7 @@ func TestAddressVerifier(t *testing.T) {
  Identity: &identity.Identity{ID: x.NewUUID(), VerifiableAddresses: uc.verifiableAddresses},
  }
 
- err := verifier.ExecuteLoginPostHook(nil, nil, node.DefaultGroup, tc.flow, sessions)
+ err := verifier.ExecuteLoginPostHook(nil, nil, node.DefaultGroup, tc.flow, sessions, nil)
 
  if tc.neverError || uc.expectedError == nil {
  assert.NoError(t, err)

diff --git a/selfservice/hook/error.go b/selfservice/hook/error.go
@@ -12,6 +12,7 @@ import (
 
  "github.com/ory/kratos/selfservice/flow/recovery"
  "github.com/ory/kratos/selfservice/flow/verification"
+ "github.com/ory/kratos/selfservice/strategy/oidc/claims"
  "github.com/ory/kratos/ui/node"
 
  "github.com/ory/kratos/identity"
@@ -64,7 +65,7 @@ func (e Error) ExecuteSettingsPostPersistHook(w http.ResponseWriter, r *http.Req
  return e.err("ExecuteSettingsPostPersistHook", settings.ErrHookAbortFlow)
 }
 
-func (e Error) ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, a *login.Flow, s *session.Session) error {
+func (e Error) ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, a *login.Flow, s *session.Session, c *claims.Claims) error {
  return e.err("ExecuteLoginPostHook", login.ErrHookAbortFlow)
 }
 

diff --git a/selfservice/hook/session_destroyer.go b/selfservice/hook/session_destroyer.go
@@ -11,14 +11,17 @@ import (
  "github.com/ory/kratos/selfservice/flow/login"
  "github.com/ory/kratos/selfservice/flow/recovery"
  "github.com/ory/kratos/selfservice/flow/settings"
+ "github.com/ory/kratos/selfservice/strategy/oidc/claims"
  "github.com/ory/kratos/session"
  "github.com/ory/kratos/ui/node"
  "github.com/ory/x/otelx"
 )
 
-var _ login.PostHookExecutor = new(SessionDestroyer)
-var _ recovery.PostHookExecutor = new(SessionDestroyer)
-var _ settings.PostHookPostPersistExecutor = new(SessionDestroyer)
+var (
+ _ login.PostHookExecutor = new(SessionDestroyer)
+ _ recovery.PostHookExecutor = new(SessionDestroyer)
+ _ settings.PostHookPostPersistExecutor = new(SessionDestroyer)
+)
 
 type (
  sessionDestroyerDependencies interface {
@@ -34,7 +37,7 @@ func NewSessionDestroyer(r sessionDestroyerDependencies) *SessionDestroyer {
  return &SessionDestroyer{r: r}
 }
 
-func (e *SessionDestroyer) ExecuteLoginPostHook(_ http.ResponseWriter, r *http.Request, _ node.UiNodeGroup, _ *login.Flow, s *session.Session) error {
+func (e *SessionDestroyer) ExecuteLoginPostHook(_ http.ResponseWriter, r *http.Request, _ node.UiNodeGroup, _ *login.Flow, s *session.Session, _ *claims.Claims) error {
  return otelx.WithSpan(r.Context(), "selfservice.hook.SessionDestroyer.ExecuteLoginPostHook", func(ctx context.Context) error {
  if _, err := e.r.SessionPersister().RevokeSessionsIdentityExcept(ctx, s.Identity.ID, s.ID); err != nil {
  return err

diff --git a/selfservice/hook/session_destroyer_test.go b/selfservice/hook/session_destroyer_test.go
@@ -52,6 +52,7 @@ func TestSessionDestroyer(t *testing.T) {
  node.DefaultGroup,
  nil,
  &session.Session{Identity: i},
+ nil,
  )
  },
  },

diff --git a/selfservice/hook/show_verification_ui.go b/selfservice/hook/show_verification_ui.go
@@ -11,6 +11,7 @@ import (
  "github.com/ory/kratos/selfservice/flow"
  "github.com/ory/kratos/selfservice/flow/login"
  "github.com/ory/kratos/selfservice/flow/registration"
+ "github.com/ory/kratos/selfservice/strategy/oidc/claims"
  "github.com/ory/kratos/session"
  "github.com/ory/kratos/ui/node"
  "github.com/ory/kratos/x"
@@ -52,7 +53,7 @@ func (e *ShowVerificationUIHook) ExecutePostRegistrationPostPersistHook(_ http.R
 
 // ExecuteLoginPostHook adds redirect headers and status code if the request is a browser request.
 // If the request is not a browser request, this hook does nothing.
-func (e *ShowVerificationUIHook) ExecuteLoginPostHook(_ http.ResponseWriter, r *http.Request, _ node.UiNodeGroup, f *login.Flow, _ *session.Session) error {
+func (e *ShowVerificationUIHook) ExecuteLoginPostHook(_ http.ResponseWriter, r *http.Request, _ node.UiNodeGroup, f *login.Flow, _ *session.Session, _ *claims.Claims) error {
  return otelx.WithSpan(r.Context(), "selfservice.hook.ShowVerificationUIHook.ExecutePostRegistrationPostPersistHook", func(ctx context.Context) error {
  return e.execute(r.WithContext(ctx), f)
  })

diff --git a/selfservice/hook/show_verification_ui_test.go b/selfservice/hook/show_verification_ui_test.go
@@ -84,7 +84,7 @@ func TestExecutePostRegistrationPostPersistHook(t *testing.T) {
  browserRequest := httptest.NewRequest("GET", "/", nil)
  f := &login.Flow{}
  rec := httptest.NewRecorder()
- require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", f, nil))
+ require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", f, nil, nil))
  require.Equal(t, 200, rec.Code)
  })
 
@@ -95,7 +95,7 @@ func TestExecutePostRegistrationPostPersistHook(t *testing.T) {
  browserRequest.Header.Add("Accept", "application/json")
  f := &login.Flow{}
  rec := httptest.NewRecorder()
- require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", f, nil))
+ require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", f, nil, nil))
  require.Equal(t, 200, rec.Code)
  })
 
@@ -112,7 +112,7 @@ func TestExecutePostRegistrationPostPersistHook(t *testing.T) {
  flow.NewContinueWithVerificationUI(vf, "[email protected]", ""),
  }
  rec := httptest.NewRecorder()
- require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", rf, nil))
+ require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", rf, nil, nil))
  assert.Equal(t, 200, rec.Code)
  assert.Equal(t, "/verification?flow="+vf.ID.String(), rf.ReturnToVerification)
  })
@@ -127,7 +127,7 @@ func TestExecutePostRegistrationPostPersistHook(t *testing.T) {
  flow.NewContinueWithSetToken("token"),
  }
  rec := httptest.NewRecorder()
- require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", rf, nil))
+ require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", rf, nil, nil))
  assert.Equal(t, 200, rec.Code)
  })
  })

diff --git a/selfservice/hook/stub/test_body.jsonnet b/selfservice/hook/stub/test_body.jsonnet
@@ -1,10 +1,14 @@
 function(ctx) std.prune({
  flow_id: ctx.flow.id,
- identity_id: if std.objectHas(ctx, "identity") then ctx.identity.id,
- session_id: if std.objectHas(ctx, "session") then ctx.session.id,
+ identity_id: if std.objectHas(ctx, 'identity') then ctx.identity.id,
+ session_id: if std.objectHas(ctx, 'session') then ctx.session.id,
  headers: ctx.request_headers,
  url: ctx.request_url,
  method: ctx.request_method,
  cookies: ctx.request_cookies,
- transient_payload: if std.objectHas(ctx.flow, "transient_payload") then ctx.flow.transient_payload,
+ transient_payload: if std.objectHas(ctx.flow, 'transient_payload') then ctx.flow.transient_payload,
+ nickname: if std.objectHas(ctx, 'claims') then ctx.claims.nickname,
+ groups: if std.objectHas(ctx, 'claims') &&
+ std.objectHas(ctx.claims, 'raw_claims') &&
+ std.objectHas(ctx.claims.raw_claims, 'groups') then ctx.claims.raw_claims.groups,
 })
diff --git a/selfservice/hook/verification.go b/selfservice/hook/verification.go
@@ -16,6 +16,7 @@ import (
  "github.com/ory/kratos/selfservice/flow/registration"
  "github.com/ory/kratos/selfservice/flow/settings"
  "github.com/ory/kratos/selfservice/flow/verification"
+ "github.com/ory/kratos/selfservice/strategy/oidc/claims"
  "github.com/ory/kratos/session"
  "github.com/ory/kratos/ui/node"
  "github.com/ory/kratos/x"
@@ -65,7 +66,7 @@ func (e *Verifier) ExecuteSettingsPostPersistHook(w http.ResponseWriter, r *http
  })
 }
 
-func (e *Verifier) ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, f *login.Flow, s *session.Session) (err error) {
+func (e *Verifier) ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, f *login.Flow, s *session.Session, c *claims.Claims) (err error) {
  ctx, span := e.r.Tracer(r.Context()).Tracer().Start(r.Context(), "selfservice.hook.Verifier.ExecuteLoginPostHook")
  r = r.WithContext(ctx)
  defer otelx.End(span, &err)

diff --git a/selfservice/hook/verification_test.go b/selfservice/hook/verification_test.go
@@ -45,7 +45,7 @@ func TestVerifier(t *testing.T) {
  name: "login",
  execHook: func(h *hook.Verifier, i *identity.Identity, f flow.Flow) error {
  return h.ExecuteLoginPostHook(
- httptest.NewRecorder(), u, node.CodeGroup, f.(*login.Flow), &session.Session{ID: x.NewUUID(), Identity: i})
+ httptest.NewRecorder(), u, node.CodeGroup, f.(*login.Flow), &session.Session{ID: x.NewUUID(), Identity: i}, nil)
  },
  originalFlow: func() flow.FlowWithContinueWith {
  return &login.Flow{RequestURL: "http://foo.com/login", RequestedAAL: "aal1"}
@@ -126,7 +126,7 @@ func TestVerifier(t *testing.T) {
  h := hook.NewVerifier(reg)
  i := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID)
  f := &login.Flow{RequestedAAL: "aal2"}
- require.NoError(t, h.ExecuteLoginPostHook(httptest.NewRecorder(), u, node.CodeGroup, f, &session.Session{ID: x.NewUUID(), Identity: i}))
+ require.NoError(t, h.ExecuteLoginPostHook(httptest.NewRecorder(), u, node.CodeGroup, f, &session.Session{ID: x.NewUUID(), Identity: i}, nil))
 
  messages, err := reg.CourierPersister().NextMessages(context.Background(), 12)
  require.EqualError(t, err, "queue is empty")

diff --git a/selfservice/hook/web_hook.go b/selfservice/hook/web_hook.go
@@ -32,6 +32,7 @@ import (
  "github.com/ory/kratos/selfservice/flow/registration"
  "github.com/ory/kratos/selfservice/flow/settings"
  "github.com/ory/kratos/selfservice/flow/verification"
+ "github.com/ory/kratos/selfservice/strategy/oidc/claims"
  "github.com/ory/kratos/session"
  "github.com/ory/kratos/text"
  "github.com/ory/kratos/ui/node"
@@ -82,6 +83,7 @@ type (
  RequestCookies map[string]string `json:"request_cookies"`
  Identity *identity.Identity `json:"identity,omitempty"`
  Session *session.Session `json:"session,omitempty"`
+ Claims *claims.Claims `json:"claims,omitempty"`
  }
 
  WebHook struct {
@@ -132,7 +134,7 @@ func (e *WebHook) ExecuteLoginPreHook(_ http.ResponseWriter, req *http.Request,
  })
 }
 
-func (e *WebHook) ExecuteLoginPostHook(_ http.ResponseWriter, req *http.Request, _ node.UiNodeGroup, flow *login.Flow, session *session.Session) error {
+func (e *WebHook) ExecuteLoginPostHook(_ http.ResponseWriter, req *http.Request, _ node.UiNodeGroup, flow *login.Flow, session *session.Session, claims *claims.Claims) error {
  return otelx.WithSpan(req.Context(), "selfservice.hook.WebHook.ExecuteLoginPostHook", func(ctx context.Context) error {
  return e.execute(ctx, &templateContext{
  Flow: flow,
@@ -142,6 +144,7 @@ func (e *WebHook) ExecuteLoginPostHook(_ http.ResponseWriter, req *http.Request,
  RequestCookies: cookies(req),
  Identity: session.Identity,
  Session: session,
+ Claims: claims,
  })
  })
 }