For the resource owner password grant, the Kratos identity ID is now written to the sub claim, and the username is written to the ext.username claim. Further, token hooks are called for the initial token issuance as well as refresh flows for access tokens issued via the resource owner password grant, allowing users to customize the fields present in the access token (for the jwt strategy) as well as on introspection.
---------
Co-authored-by: Arne Luenser <arne.luenser@ory.sh>
Adding custom claims with numerical types (think JavaScript Number) previously did not
round-trip through Hydra correctly. For example, passing UNIX timestamps in custom claims
would end up as floating points in exponential notation in the final token. That, in turn,
confused or broke downstream consumers of the token, including Kratos.
Ref https://github.com/go-jose/go-jose/issues/144
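The round-trip problem above comes from decoding JSON numbers into a generic `map[string]interface{}`, where Go's `encoding/json` turns every number into a `float64` and re-encodes from that. The example below is added here to show the defect and the usual remedy; it is not Hydra's or go-jose's code. It uses only the standard library and a constructed claim set whose `iat` value exceeds 2^53 so that the precision loss is visible (ordinary second-resolution UNIX timestamps survive `float64`, so the constructed value is deliberately large). `integerClaim` is a hypothetical consumer-side accessor that tolerates both representations.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"math"
)

// Constructed sample claims: the value is 2^53 + 1, which float64 cannot
// represent exactly.
const sampleClaims = `{"iat":9007199254740993}`

// roundTripDefault decodes into map[string]interface{}, where encoding/json
// represents every JSON number as float64, then re-encodes the map.
func roundTripDefault(raw []byte) (string, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return "", err
	}
	out, err := json.Marshal(claims)
	return string(out), err
}

// roundTripUseNumber decodes with Decoder.UseNumber, so numbers are kept as
// json.Number (the original literal text) and re-encode unchanged.
func roundTripUseNumber(raw []byte) (string, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber()
	var claims map[string]interface{}
	if err := dec.Decode(&claims); err != nil {
		return "", err
	}
	out, err := json.Marshal(claims)
	return string(out), err
}

// integerClaim is a defensive accessor for a token consumer (hypothetical
// helper): it accepts both representations a decoder may produce and
// rejects values that are not whole numbers in int64 range.
func integerClaim(claims map[string]interface{}, name string) (int64, bool) {
	switch v := claims[name].(type) {
	case json.Number:
		n, err := v.Int64()
		return n, err == nil
	case float64:
		if v != math.Trunc(v) || math.Abs(v) > math.MaxInt64 {
			return 0, false
		}
		return int64(v), true
	}
	return 0, false
}

func main() {
	d, _ := roundTripDefault([]byte(sampleClaims))
	n, _ := roundTripUseNumber([]byte(sampleClaims))
	fmt.Println("default:   ", d) // value silently changed to 9007199254740992
	fmt.Println("UseNumber: ", n) // value preserved
}
```

Any component that re-encodes a token payload it did not produce (token hooks, introspection responses, proxies) should decode with `UseNumber` or into typed structs; the default path changes the value without returning an error.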
This PR introduces another config option called `oauth2:mirror_top_level_claims` which may be used to disable the mirroring of custom claims into the `ext` claim of the jwt.
This new config option is an opt-in. If unused, the behavior remains as-is to ensure backwards compatibility.
Example:
```yaml
oauth2:
  allowed_top_level_claims:
    - test_claim
  mirror_top_level_claims: false # -> prevents test_claim from being mirrored into ext
```
Closes https://github.com/ory/hydra/issues/3348
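To make the effect of the two settings concrete, here is an added example (not Hydra's implementation) that assembles a token payload from base claims and custom session data under a hypothetical `TopLevelClaimsConfig` carrying the same two options as the yaml above. It also shows a check a practitioner would want in any such code: a custom claim may never be promoted over a registered JWT claim (RFC 7519 section 4.1) or over a claim the issuer already set, since that would let session data forge `sub`, `aud` or `exp`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// reservedClaims are the registered claim names from RFC 7519 section 4.1.
var reservedClaims = map[string]bool{
	"iss": true, "sub": true, "aud": true, "exp": true,
	"nbf": true, "iat": true, "jti": true,
}

// TopLevelClaimsConfig is a hypothetical struct carrying the two settings
// from the yaml snippet.
type TopLevelClaimsConfig struct {
	AllowedTopLevelClaims []string
	MirrorTopLevelClaims  bool
}

// assembleClaims builds the payload. Custom session data always goes under
// "ext"; names listed in AllowedTopLevelClaims are also promoted to top
// level, and with MirrorTopLevelClaims=false the promoted names are removed
// from "ext" again.
func assembleClaims(base, ext map[string]interface{}, cfg TopLevelClaimsConfig) (map[string]interface{}, error) {
	out := make(map[string]interface{}, len(base)+len(ext)+1)
	for k, v := range base {
		out[k] = v
	}
	extOut := make(map[string]interface{}, len(ext))
	for k, v := range ext {
		extOut[k] = v
	}
	for _, name := range cfg.AllowedTopLevelClaims {
		if reservedClaims[name] {
			return nil, fmt.Errorf("claim %q is a registered JWT claim and cannot be promoted", name)
		}
		if _, exists := base[name]; exists {
			return nil, fmt.Errorf("claim %q is already set by the issuer and cannot be promoted", name)
		}
		v, ok := ext[name]
		if !ok {
			continue // allowed but not present in this session
		}
		out[name] = v
		if !cfg.MirrorTopLevelClaims {
			delete(extOut, name)
		}
	}
	out["ext"] = extOut
	return out, nil
}

func main() {
	// Constructed sample data.
	base := map[string]interface{}{"iss": "https://issuer.example", "sub": "user-1", "exp": 1700000000}
	ext := map[string]interface{}{"test_claim": "value", "other": 42}
	for _, mirror := range []bool{true, false} {
		cfg := TopLevelClaimsConfig{AllowedTopLevelClaims: []string{"test_claim"}, MirrorTopLevelClaims: mirror}
		claims, err := assembleClaims(base, ext, cfg)
		if err != nil {
			panic(err)
		}
		js, _ := json.Marshal(claims)
		fmt.Printf("mirror=%v: %s\n", mirror, js)
	}
}
```

With `mirror_top_level_claims: false`, consumers that read `ext.test_claim` stop seeing the value, which is why the option is opt-in; switching it requires updating every relying party first.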
This patch optimizes the performance of authorization code grant flows by minimizing the number of database queries. We achieve this by storing the flow in an AEAD-encoded cookie and AEAD-encoded request parameters for the authentication and consent screens.
BREAKING CHANGE:
* The client that is used as part of the authorization grant flow is stored in the AEAD-encoding. Therefore, running flows will not observe updates to the client after they were started.
* Because the login and consent challenge values now include the AEAD-encoded flow, their size increased to around 1kB for a flow without any metadata (and increases linearly with the amount of metadata). Please adjust your ingress / gateway accordingly.
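The two breaking changes follow directly from what an AEAD-sealed flow is: an encrypted, integrity-protected snapshot that the server hands to the browser and later reads back. The example below is an added illustration of that pattern with AES-256-GCM from the Go standard library; it is not Hydra's format, key handling or serialization, and `Flow`, `Sealer`, the field names and the `purpose` associated-data binding are all constructed for this example. It shows why a client update is invisible to a flow already started (the client data is inside the sealed blob) and why the challenge size scales with the flow contents.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Flow is a constructed stand-in for per-login state that would otherwise
// live in the database. ClientID is a snapshot taken when the flow started.
type Flow struct {
	ClientID    string   `json:"client_id"`
	RedirectURI string   `json:"redirect_uri"`
	Scopes      []string `json:"scopes"`
	SessionID   string   `json:"sid"`
}

// Sealer holds an AES-GCM instance over a 32-byte key.
type Sealer struct{ aead cipher.AEAD }

func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key) // 32 bytes selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead}, nil
}

// Seal serialises the flow and encrypts it with a fresh random nonce. The
// purpose string ("login" or "consent") is bound as associated data, so a
// challenge minted for one step does not open as the other.
func (s *Sealer) Seal(f Flow, purpose string) (string, error) {
	plain, err := json.Marshal(f)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Output layout: nonce || ciphertext || GCM tag, then URL-safe base64
	// so it can travel in a query parameter or cookie.
	sealed := s.aead.Seal(nonce, nonce, plain, []byte(purpose))
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Open verifies and decrypts a challenge; any bit flip, truncation or wrong
// purpose fails authentication before the JSON is ever parsed.
func (s *Sealer) Open(challenge, purpose string) (Flow, error) {
	var f Flow
	raw, err := base64.RawURLEncoding.DecodeString(challenge)
	if err != nil {
		return f, err
	}
	ns := s.aead.NonceSize()
	if len(raw) < ns+s.aead.Overhead() {
		return f, errors.New("challenge too short")
	}
	plain, err := s.aead.Open(nil, raw[:ns], raw[ns:], []byte(purpose))
	if err != nil {
		return f, fmt.Errorf("challenge rejected: %w", err)
	}
	err = json.Unmarshal(plain, &f)
	return f, err
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	s, _ := NewSealer(key)
	flow := Flow{ClientID: "client-a", RedirectURI: "https://app.example/cb", Scopes: []string{"openid"}, SessionID: "sess-1"}
	challenge, _ := s.Seal(flow, "login")
	fmt.Printf("login_challenge (%d bytes): %s\n", len(challenge), challenge)
	back, err := s.Open(challenge, "login")
	fmt.Println(back.ClientID, err)
}
```

Because the snapshot is authenticated, the server needs no database lookup to trust it, which is the performance gain; the trade-off is that nothing written to the client record after `Seal` is reflected until a new flow is started, and every byte of metadata in `Flow` lands in the URL or cookie, hence the ingress size caveat.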
This patch adds the ability to whitelist and request an audience when performing any OAuth 2.0 Flow. The audience is useful in multi-tenant environments where access tokens should be restricted to certain resources.
Closes #883, closes #1144
Signed-off-by: arekkas <aeneas@ory.am>
This patch fixes missing session data in OAuth2 Access Tokens formatted as JSON Web Tokens. It also improves e2e tests which now test if claims and data are set correctly, including after refreshes.
Related #1106
Signed-off-by: aeneasr <aeneas@ory.sh>
This patch adds the (experimental) ability to issue JSON Web Tokens instead of ORY Hydra's opaque access tokens. Please be aware that this feature has had little real-world and unit testing and may not be suitable for production.
Simple integration tests using the JWT strategy have been added to ensure functionality.
To use the new JWT strategy, set environment variable `OAUTH2_ACCESS_TOKEN_STRATEGY` to `jwt`. For example: `export OAUTH2_ACCESS_TOKEN_STRATEGY=jwt`.
Please be aware that we (ORY) do not recommend using the JWT strategy for various reasons. If you can, use the default and recommended "opaque" strategy instead.
Closes #248
Signed-off-by: arekkas <aeneas@ory.am>
This patch makes significant changes to the consent flow. First,
the consent flow is being renamed to "User Login and Consent Flow"
and is split into two redirection flows, the "User Login Redirection Flow"
and the "User Consent Flow".
Conceptually, not a lot has changed but the APIs have been cleaned up
and the new flow is a huge step towards OpenID Connect Certification.
Besides easier implementation on the (previously known as) consent app,
this patch introduces a new set of features which lets ORY Hydra
detect previous logins and previously accepted consent requests. In turn,
the user does not need to login or consent on every OAuth2 Authorize Code
Flow.
This patch additionally lays the foundation for revoking tokens per
user or per user and client.
Awesome.
Closes #771, closes #772
* oauth2: scopes should be separated by %20 and not +, to ensure javascript compatibility - closes #277
* oauth2/introspect: make endpoint rfc7662 compatible - closes #289
* warden: make it clear that ladon.Request.Subject is not required or break bc and remove it - closes #270
* travis: execute gox build only when new commit is a new tag - closes #285
* docs: improve introduction (#267)
* core: (health) monitoring endpoint - closes #216
* connections: remove connections API - closes #265
* oauth2: token revocation endpoint - closes #233
* vendor: update to fosite 0.5.0
* core: add sql support #292
* all: coverage report is missing covered lines of nested packages - closes #296
* cmd: prettify the `hydra token user` output - closes #281
* travis: make it possible for travis-ci to build forked repos - closes #295