feat: add support for trust grants that can issue tokens for any subject

[jagobagascon]

Previously, a trust relationship had to be setup for every subject
before the issuer could sign a JWT token for it. This change will allow
setting up token services that can issue tokens with any value in the
subject field.

Related issue(s)

#2930

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security. vulnerability, I
  confirm that I got green light (please contact
  [email protected]) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Implementation details

REST api

This PR adds a new field to the trust creation request called allow_any_subject, and as long as this flag is set to false (or unset), the trust relationship creation service will behave just like it did before this change: the subject field will be required.

{
  "issuer": "https://jwt-idp.example.com",
  "subject": "[email protected]",
  "...": "..."
}

When allow_any_subject is set to true, then the issuer will be allowed to sign tokens for any subject. Also, as a safety measure, the subject field MUST be empty (or unset), otherwise the validation will fail. This is done to avoid creating an issuer that can sign tokens for any subject by mistake.

{
  "issuer": "https://jwt-idp.example.com",
  "allow_any_subject": true,
  "...": "..."
}

Database

When allow_any_subject is set to true, then the subject field is stored with an empty string value in the database. This allows us to keep (and benefit from) the UNIQUE constraint that the hydra_oauth2_trusted_jwt_bearer_issuer table has, requires no changes to the database schema and makes the database query used to find an issuer's public key really simple: subject = ? or subject = ''.

[jagobagascon]

I've seen that the documentation is now in another repository, and I'm not sure if I should update the docs now or wait for this PR to be merged in case there's any changes.

[codecov]

Codecov Report

Merging #3012 (4257ff6) into master (00100a1) will increase coverage by 0.19%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #3012      +/-   ##
==========================================
+ Coverage   79.40%   79.60%   +0.19%     
==========================================
  Files         112      112              
  Lines        7890     7957      +67     
==========================================
+ Hits         6265     6334      +69     
+ Misses       1223     1222       -1     
+ Partials      402      401       -1     

Impacted Files	Coverage Δ
oauth2/trust/manager.go	100.00% <ø> (ø)
oauth2/fosite_store_helpers.go	100.00% <100.00%> (ø)
oauth2/trust/handler.go	76.27% <100.00%> (+0.40%)	⬆️
oauth2/trust/validator.go	100.00% <100.00%> (ø)
persistence/sql/persister_grant_jwk.go	81.41% <100.00%> (+0.33%)	⬆️
oauth2/handler.go	68.27% <0.00%> (-0.09%)	⬇️
persistence/sql/persister_oauth2.go	81.85% <0.00%> (+0.84%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 00100a1...4257ff6. Read the comment docs.

[jagobagascon]

Hi @aeneasr, I'm not sure why e2e tests are failing. I just ran them locally and everything seems to be working fine. The error it's throwing is

"error": "missing_required_parameter",
"error_description": "One of the required parameters is missing. Check your request parameters. Field 'subject' is required."

But that string has been deleted from the code, it's almost as if it was running on an older binary. Could it be related to the actions/cache@v2 GitHub action used in the end-to-end tests setup? I'm a bit confused right now.

[aeneasr]

Thank you! Sorry for the late review! This looks really good. The one thing I would like to change is that we store this "any" relationship explicitly in the database. An empty string could get into the DB with a number of things (e.g. broken migrations, rollbacks, ...) and we really need to prevent that this feature is enabled "on accident". Therefore, please add a SQL column to store this state :)

[glerchundi]

Thanks @jagobagascon for your time & effort 👏 👏

[aeneasr]

Thank you so much! This looks great!

[aeneasr]

@grantzvolsky please take note that this PR introduces a schema change. We'll squash merge it so that it's just one commit which hopefully will make it easier to rebase.

[jagobagascon]

I added the tests as requested.

[aeneasr]

Thank you so much for your great work @jagobagascon ! I added a small test, and now this is ready to be merged! But, one last ask - could you please update the document https://github.com/ory/docs/edit/master/docs/hydra/guides/oauth2-grant-type-jwt-bearer.mdx to include your changes so that others know about this feature? Thank you so much!

[jagobagascon]

Thank you @aeneasr! I updated the docs as requested: ory/docs#764

[aeneasr]

🥳

[vinckr]

Hello @jagobagascon
Congrats on merging your first PR in Ory 🎉 !
Your contribution will soon be helping secure millions of identities around the globe 🌏.
As a small token of appreciation we send all our first time contributors a gift package to welcome them to the community.
Please drop me an email and I will forward you the form to claim your Ory swag!

[jagobagascon]

Thank you @vinckr but I already received my gift for helping on a previous PR 😊.
Also thanks to @aeneasr for all the help and effort put on this. I can't wait to add this feature to our project!

If it's not too much to ask, are there any plans for the next Hydra release anytime soon?

[vinckr]

Oh thanks for being so honest @jagobagascon, for some reason this showed up as your first PR 😅.
hackerman is currently on vacation, but I am sure we will do a Ory Hydra release very soon / once he is back 🙏

[glerchundi]

Great job to all!! Cannot wait to see this working in prod! 🎉 🎉