feat: allow skipping consent for trusted clients

This adds a new boolean parameter `skip_consent` to the admin APIs of
the OAuth clients. When set, the consent flow will instruct the
consent app to skip user consent. It is up to the consent app to
act on this parameter, but the canonical implementation accepts the
consent on the user's behalf.

client/.snapshots/TestHandler-common-case=create_clients-case=0-description=basic_dynamic_client_registration.json

@@ -20,6 +20,7 @@
   "token_endpoint_auth_method": "client_secret_basic",
   "userinfo_signed_response_alg": "none",
   "metadata": {},
+  "skip_consent": false,
   "authorization_code_grant_access_token_lifespan": null,
   "authorization_code_grant_id_token_lifespan": null,
   "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=create_clients-case=1-description=basic_admin_registration.json

@@ -23,6 +23,7 @@
   "metadata": {
     "foo": "bar"
   },
+  "skip_consent": false,
   "authorization_code_grant_access_token_lifespan": null,
   "authorization_code_grant_id_token_lifespan": null,
   "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=create_clients-case=2-description=metadata_fails_for_dynamic_client_registration.json

@@ -1,4 +1,4 @@
 {
   "error": "invalid_client_metadata",
-  "error_description": "The value of one of the Client Metadata fields is invalid and the server has rejected this request. Note that an Authorization Server MAY choose to substitute a valid value for any requested parameter of a Client's Metadata. metadata cannot be set for dynamic client registration'"
+  "error_description": "The value of one of the Client Metadata fields is invalid and the server has rejected this request. Note that an Authorization Server MAY choose to substitute a valid value for any requested parameter of a Client's Metadata. 'metadata' cannot be set for dynamic client registration"
 }

client/.snapshots/TestHandler-common-case=create_clients-case=6-description=setting_skip_consent_fails.json

@@ -0,0 +1,4 @@
+{
+  "error": "invalid_request",
+  "error_description": "'skip_consent' cannot be set for dynamic client registration"
+}

client/.snapshots/TestHandler-common-case=create_clients-case=7-description=basic_dynamic_client_registration.json

@@ -0,0 +1,4 @@
+{
+  "error": "The request was malformed or contained invalid parameters",
+  "error_description": "It is not allowed to choose your own OAuth2 Client secret."
+}

client/.snapshots/TestHandler-common-case=create_clients-case=8-description=empty_ID_succeeds.json

@@ -0,0 +1,35 @@
+{
+  "client_name": "",
+  "client_secret": "averylongsecret",
+  "redirect_uris": [
+    "http://localhost:3000/cb"
+  ],
+  "grant_types": null,
+  "response_types": null,
+  "scope": "offline_access offline openid",
+  "audience": [],
+  "owner": "",
+  "policy_uri": "",
+  "allowed_cors_origins": [],
+  "tos_uri": "",
+  "client_uri": "",
+  "logo_uri": "",
+  "contacts": null,
+  "client_secret_expires_at": 0,
+  "subject_type": "public",
+  "jwks": {},
+  "token_endpoint_auth_method": "client_secret_basic",
+  "userinfo_signed_response_alg": "none",
+  "metadata": {},
+  "skip_consent": false,
+  "authorization_code_grant_access_token_lifespan": null,
+  "authorization_code_grant_id_token_lifespan": null,
+  "authorization_code_grant_refresh_token_lifespan": null,
+  "client_credentials_grant_access_token_lifespan": null,
+  "implicit_grant_access_token_lifespan": null,
+  "implicit_grant_id_token_lifespan": null,
+  "jwt_bearer_grant_access_token_lifespan": null,
+  "refresh_token_grant_id_token_lifespan": null,
+  "refresh_token_grant_access_token_lifespan": null,
+  "refresh_token_grant_refresh_token_lifespan": null
+}

client/.snapshots/TestHandler-common-case=fetching_existing_client-endpoint=admin.json

@@ -21,6 +21,7 @@
     "token_endpoint_auth_method": "client_secret_basic",
     "userinfo_signed_response_alg": "none",
     "metadata": {},
+    "skip_consent": false,
     "authorization_code_grant_access_token_lifespan": null,
     "authorization_code_grant_id_token_lifespan": null,
     "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=fetching_existing_client-endpoint=selfservice.json

@@ -20,6 +20,7 @@
     "jwks": {},
     "token_endpoint_auth_method": "client_secret_basic",
     "userinfo_signed_response_alg": "none",
+    "skip_consent": false,
     "authorization_code_grant_access_token_lifespan": null,
     "authorization_code_grant_id_token_lifespan": null,
     "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=update_the_lifespans_of_an_OAuth2_client.json

@@ -21,6 +21,7 @@
     "token_endpoint_auth_method": "client_secret_basic",
     "userinfo_signed_response_alg": "none",
     "metadata": {},
+    "skip_consent": false,
     "authorization_code_grant_access_token_lifespan": "31h0m0s",
     "authorization_code_grant_id_token_lifespan": "32h0m0s",
     "authorization_code_grant_refresh_token_lifespan": "33h0m0s",

client/.snapshots/TestHandler-common-case=updating_existing_client-endpoint=admin.json

@@ -23,6 +23,7 @@
     "token_endpoint_auth_method": "client_secret_basic",
     "userinfo_signed_response_alg": "none",
     "metadata": {},
+    "skip_consent": false,
     "authorization_code_grant_access_token_lifespan": null,
     "authorization_code_grant_id_token_lifespan": null,
     "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=updating_existing_client-endpoint=dynamic_client_registration.json

@@ -22,6 +22,7 @@
     "token_endpoint_auth_method": "client_secret_basic",
     "userinfo_signed_response_alg": "none",
     "metadata": {},
+    "skip_consent": false,
     "authorization_code_grant_access_token_lifespan": null,
     "authorization_code_grant_id_token_lifespan": null,
     "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=updating_existing_client_fails_with_metadata_on_self_service.json

@@ -1,7 +1,7 @@
 {
   "body": {
     "error": "invalid_client_metadata",
-    "error_description": "The value of one of the Client Metadata fields is invalid and the server has rejected this request. Note that an Authorization Server MAY choose to substitute a valid value for any requested parameter of a Client's Metadata. metadata cannot be set for dynamic client registration'"
+    "error_description": "The value of one of the Client Metadata fields is invalid and the server has rejected this request. Note that an Authorization Server MAY choose to substitute a valid value for any requested parameter of a Client's Metadata. 'metadata' cannot be set for dynamic client registration"
   },
   "status": 400
 }

client/.snapshots/TestHandler-create_client_registration_tokens-case=0-dynamic=true.json

@@ -16,6 +16,7 @@
   "subject_type": "",
   "jwks": {},
   "metadata": {},
+  "skip_consent": false,
   "authorization_code_grant_access_token_lifespan": null,
   "authorization_code_grant_id_token_lifespan": null,
   "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-create_client_registration_tokens-case=1-dynamic=false.json

@@ -16,6 +16,7 @@
   "subject_type": "",
   "jwks": {},
   "metadata": {},
+  "skip_consent": false,
   "authorization_code_grant_access_token_lifespan": null,
   "authorization_code_grant_id_token_lifespan": null,
   "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-create_client_registration_tokens-case=2-dynamic=false.json

@@ -17,6 +17,7 @@
   "subject_type": "",
   "jwks": {},
   "metadata": {},
+  "skip_consent": false,
   "authorization_code_grant_access_token_lifespan": null,
   "authorization_code_grant_id_token_lifespan": null,
   "authorization_code_grant_refresh_token_lifespan": null,

client/client.go

@@ -12,7 +12,7 @@ import (
 	"github.com/gobuffalo/pop/v6"
 	"github.com/gofrs/uuid"
 
-	jose "gopkg.in/square/go-jose.v2" // Naming the dependency jose is important for go-swagger to work, see https://github.com/go-swagger/go-swagger/issues/1587
+	"gopkg.in/square/go-jose.v2" // Naming the dependency jose is important for go-swagger to work, see https://github.com/go-swagger/go-swagger/issues/1587
 
 	"github.com/ory/fosite"
 	"github.com/ory/hydra/v2/x"
@@ -291,6 +291,10 @@ type Client struct {
 	// RegistrationClientURI is the URL used to update, get, or delete the OAuth2 Client.
 	RegistrationClientURI string `json:"registration_client_uri,omitempty" db:"-"`
 
+	// SkipConsent skips the consent screen for this client. This field can only
+	// be set from the admin API.
+	SkipConsent bool `json:"skip_consent" db:"skip_consent" faker:"-"`
+
 	Lifespans
 }
 

client/error.go

@@ -20,3 +20,9 @@ var ErrInvalidRedirectURI = &fosite.RFC6749Error{
 	ErrorField:       "invalid_redirect_uri",
 	CodeField:        http.StatusBadRequest,
 }
+
+var ErrInvalidRequest = &fosite.RFC6749Error{
+	DescriptionField: "The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.",
+	ErrorField:       "invalid_request",
+	CodeField:        http.StatusBadRequest,
+}

client/handler_test.go

@@ -328,6 +328,15 @@ func TestHandler(t *testing.T) {
 					path:       client.ClientsHandlerPath,
 					statusCode: http.StatusBadRequest,
 				},
+				{
+					d: "setting skip_consent fails",
+					payload: &client.Client{
+						RedirectURIs: []string{"http://localhost:3000/cb"},
+						SkipConsent:  true,
+					},
+					path:       client.DynClientsHandlerPath,
+					statusCode: http.StatusBadRequest,
+				},
 				{
 					d: "basic dynamic client registration",
 					payload: &client.Client{

client/validator.go

@@ -179,9 +179,12 @@ func (v *Validator) Validate(ctx context.Context, c *Client) error {
 func (v *Validator) ValidateDynamicRegistration(ctx context.Context, c *Client) error {
 	if c.Metadata != nil {
 		return errorsx.WithStack(ErrInvalidClientMetadata.
-			WithHint(`metadata cannot be set for dynamic client registration'`),
+			WithHint(`"metadata" cannot be set for dynamic client registration`),
 		)
 	}
+	if c.SkipConsent {
+		return errorsx.WithStack(ErrInvalidRequest.WithDescription(`"skip_consent" cannot be set for dynamic client registration`))
+	}
 
 	return v.Validate(ctx, c)
 }

consent/handler.go

@@ -588,6 +588,10 @@ func (h *Handler) getOAuth2ConsentRequest(w http.ResponseWriter, r *http.Request
 		request.RequestedAudience = []string{}
 	}
 
+	if request.Client.SkipConsent {
+		request.Skip = true
+	}
+
 	request.Client = sanitizeClient(request.Client)
 	h.r.Writer().Write(w, r, request)
 }

cypress/integration/oauth2/authorize_code.js

@@ -1,19 +1,22 @@
 // Copyright © 2022 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
-import { prng } from "../../helpers"
+import {
+  prng,
+} from "../../helpers"
 
-describe("The OAuth 2.0 Authorization Code Grant", function () {
-  const nc = () => ({
+describe("The OAuth 2.0 Authorization Code Grant", function() {
+  const nc = (extradata) => ({
     client_secret: prng(),
     scope: "offline_access openid",
     subject_type: "public",
     token_endpoint_auth_method: "client_secret_basic",
     redirect_uris: [`${Cypress.env("client_url")}/oauth2/callback`],
     grant_types: ["authorization_code", "refresh_token"],
+    ...extradata,
   })
 
-  it("should return an Access, Refresh, and ID Token when scope offline_access and openid are granted", function () {
+  it("should return an Access, Refresh, and ID Token when scope offline_access and openid are granted", function() {
     const client = nc()
     cy.authCodeFlow(client, {
       consent: { scope: ["offline_access", "openid"] },
@@ -24,7 +27,11 @@ describe("The OAuth 2.0 Authorization Code Grant", function () {
       .then((content) => {
         const {
           result,
-          token: { access_token, id_token, refresh_token },
+          token: {
+            access_token,
+            id_token,
+            refresh_token,
+          },
         } = JSON.parse(content)
 
         expect(result).to.equal("success")
@@ -34,7 +41,7 @@ describe("The OAuth 2.0 Authorization Code Grant", function () {
       })
   })
 
-  it("should return an Access and Refresh Token when scope offline_access is granted", function () {
+  it("should return an Access and Refresh Token when scope offline_access is granted", function() {
     const client = nc()
     cy.authCodeFlow(client, { consent: { scope: ["offline_access"] } })
 
@@ -43,7 +50,11 @@ describe("The OAuth 2.0 Authorization Code Grant", function () {
       .then((content) => {
         const {
           result,
-          token: { access_token, id_token, refresh_token },
+          token: {
+            access_token,
+            id_token,
+            refresh_token,
+          },
         } = JSON.parse(content)
 
         expect(result).to.equal("success")
@@ -53,7 +64,7 @@ describe("The OAuth 2.0 Authorization Code Grant", function () {
       })
   })
 
-  it("should return an Access and ID Token when scope offline_access is granted", function () {
+  it("should return an Access and ID Token when scope offline_access is granted", function() {
     const client = nc()
     cy.authCodeFlow(client, { consent: { scope: ["openid"] } })
 
@@ -62,7 +73,11 @@ describe("The OAuth 2.0 Authorization Code Grant", function () {
       .then((content) => {
         const {
           result,
-          token: { access_token, id_token, refresh_token },
+          token: {
+            access_token,
+            id_token,
+            refresh_token,
+          },
         } = JSON.parse(content)
 
         expect(result).to.equal("success")
@@ -72,7 +87,7 @@ describe("The OAuth 2.0 Authorization Code Grant", function () {
       })
   })
 
-  it("should return an Access Token when no scope is granted", function () {
+  it("should return an Access Token when no scope is granted", function() {
     const client = nc()
     cy.authCodeFlow(client, { consent: { scope: [] } })
 
@@ -81,7 +96,11 @@ describe("The OAuth 2.0 Authorization Code Grant", function () {
       .then((content) => {
         const {
           result,
-          token: { access_token, id_token, refresh_token },
+          token: {
+            access_token,
+            id_token,
+            refresh_token,
+          },
         } = JSON.parse(content)
 
         expect(result).to.equal("success")
@@ -90,4 +109,29 @@ describe("The OAuth 2.0 Authorization Code Grant", function () {
         expect(refresh_token).to.be.undefined
       })
   })
+
+  it("should skip consent if the client is confgured thus", function() {
+    const client = nc({ skip_consent: true })
+    cy.authCodeFlow(client, {
+      consent: { scope: ["offline_access", "openid"], skip: true },
+    })
+
+    cy.get("body")
+      .invoke("text")
+      .then((content) => {
+        const {
+          result,
+          token: {
+            access_token,
+            id_token,
+            refresh_token,
+          },
+        } = JSON.parse(content)
+
+        expect(result).to.equal("success")
+        expect(access_token).to.not.be.empty
+        expect(id_token).to.not.be.empty
+        expect(refresh_token).to.not.be.empty
+      })
+  })
 })

package.json

@@ -5,7 +5,7 @@
   "scripts": {
     "lint": "standard --fix \"test/**/*.js\" \"cypress/**/*.js\"",
     "openapi-generator-cli": "openapi-generator-cli",
-    "test": "cypress run",
+    "test": "cypress run --spec \"cypress/integration/oauth2/authorize_code.js\"",
     "test:watch": "cypress open",
     "wait-on": "wait-on"
   },

persistence/sql/migratest/fixtures/hydra_client/client-0001.json

@@ -92,6 +92,7 @@
   "Secret": "secret-0001",
   "SecretExpiresAt": 0,
   "SectorIdentifierURI": "",
+  "SkipConsent": false,
   "SubjectType": "",
   "TermsOfServiceURI": "http://tos/0001",
   "TokenEndpointAuthMethod": "none",

persistence/sql/migratest/fixtures/hydra_client/client-0002.json

@@ -92,6 +92,7 @@
   "Secret": "secret-0002",
   "SecretExpiresAt": 0,
   "SectorIdentifierURI": "",
+  "SkipConsent": false,
   "SubjectType": "",
   "TermsOfServiceURI": "http://tos/0002",
   "TokenEndpointAuthMethod": "none",

persistence/sql/migratest/fixtures/hydra_client/client-0003.json

@@ -92,6 +92,7 @@
   "Secret": "secret-0003",
   "SecretExpiresAt": 0,
   "SectorIdentifierURI": "",
+  "SkipConsent": false,
   "SubjectType": "",
   "TermsOfServiceURI": "http://tos/0003",
   "TokenEndpointAuthMethod": "none",

persistence/sql/migratest/fixtures/hydra_client/client-0004.json

@@ -94,6 +94,7 @@
   "Secret": "secret-0004",
   "SecretExpiresAt": 0,
   "SectorIdentifierURI": "http://sector_id/0004",
+  "SkipConsent": false,
   "SubjectType": "",
   "TermsOfServiceURI": "http://tos/0004",
   "TokenEndpointAuthMethod": "none",

persistence/sql/migratest/fixtures/hydra_client/client-0005.json

@@ -94,6 +94,7 @@
   "Secret": "secret-0005",
   "SecretExpiresAt": 0,
   "SectorIdentifierURI": "http://sector_id/0005",
+  "SkipConsent": false,
   "SubjectType": "",
   "TermsOfServiceURI": "http://tos/0005",
   "TokenEndpointAuthMethod": "token_auth-0005",