Data Passthrough to IDP #431

Closed
caryfitzhugh opened this issue Apr 20, 2017 · 11 comments

@caryfitzhugh

I'm working on implementing an IDP which works with Hydra.
During login in the IDP we need to know a few pieces of information. And in many cases that information could be determined via a vanity URL.

An example would be an AWS login URL.
123123123123.login.amazonaws.com

The login page pre-fills the account-id in for you, based on the domain.

In the same vein, I would like to have vanity URLs pass extra information to the
/oauth2/auth endpoint, which then gets sent through to the IDP /consent call.

I thought a simple and flexible approach might be to add to the JWT token

token.Claims = jwt.MapClaims{

a field called auth_url which contains the /oauth2/auth path in its entirety (maybe this is a security hole?). The IDP could parse that out as it saw fit.

Another idea would be to pass along a special query parameter from /oauth2/auth. auth_extra or some such. One could put b64 data in there just as easily.

I'm more than happy to implement any of these solutions that would solve this problem.

Thoughts?

@aeneasr
Member

aeneasr commented Apr 21, 2017

https://ory.gitbooks.io/hydra/content/oauth2.html#consent-app-flow

There are fields at_ext and id_ext for this

@caryfitzhugh
Author

caryfitzhugh commented Apr 21, 2017

Hi @arekkas - thanks.

Pardon me if I am incorrect, but I believe that those fields (id_ext and at_ext) are added by the IDP when replying back to Hydra after consent is given by the user.

I am trying to get data passed through the /oauth2/auth call to the /consent call.

User --> hydra/oauth2/auth?extra_info=123
redirect to IDP/consent?challenge=XXX

The second call there is what I would like to receive that extra information. It may be in the challenge token, or maybe in the /consent query parameters.

@caryfitzhugh
Author

@arekkas any ideas?

Thanks

@aeneasr
Member

aeneasr commented Apr 27, 2017

Sorry for my unresponsiveness, it was a really stressful week. Ah I see, I misunderstood. Simply add the things you want in the IDP to the oauth2 URL hydra/oauth2/auth?extra_info=123 and extract it from the redir parameter in the consent challenge.

Hope that helps.

@caryfitzhugh
Author

I'm sorry your week has been tough. :( Here's to better days 🥂

Your solution fits things perfectly. Thank you very much!

@aeneasr
Member

aeneasr commented Apr 27, 2017

> I'm sorry your week has been tough. :( Here's to better days 🥂

That cheered me up! :) Glad to be of help!

@impactmass

I landed on this issue with the same need as the author, but the solution described here doesn't work as of v1.0.0-beta.9. Is this behavior now deprecated? The extra query fields I added to the auth URL to Hydra do not get passed to the /login IDP login redirect.

To achieve the same effect, I had to depend on the URL returned as part of getLoginReq call:

hydra.getLoginRequest(challenge)
  .then(async (getLoginRequestRes) => {
    // request_url carries the original auth URL, including the extra query fields
    console.log(getLoginRequestRes.request_url);
  });

Is this the new/correct approach? Happy to make a PR to the docs/guide if so.

@aeneasr
Member

aeneasr commented Sep 23, 2018

Yeah, this has actually come up in another question in the forum. I think we can add the original URL as part of the request payload, otherwise you'll have to first accept the login in order to get the URL. Please create a new issue to track this and feel free to create a PR!

@swdream

swdream commented Jun 26, 2020

Hi @aeneasr @impactmass
Thanks to you guys for the above comments and solutions.

> Yeah, this has actually come up in another question in the forum.

Could you please send me the link to this?

I am using hydra v1.5.0 and also got this:

User --> hydra/oauth2/auth?extra_info=123
redirect to IDP/login?challenge=XXX

Hydra does not pass the param extra_info=123 along in the redirect to IDP /login.
At the moment, does Hydra have any solution for that?
Thanks

@swdream

swdream commented Jun 26, 2020

Hello, I found the extra_info in the Referer header of the request that Hydra redirects to the IDP.
Thanks

@aeneasr
Member

aeneasr commented Jun 30, 2020

When you fetch e.g. the login challenge (challenge=xxx), you will get a payload. The payload contains a request_url which is the original URL. This URL contains extra_info=1234.
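
Added example (not part of the thread and not Ory's code): one way a login app could read pass-through data from the `request_url` field of the fetched login request while treating it as user-controlled input. The `extra_info` format rule, the `extractPassthrough` helper and the sample payload are assumptions made for illustration.

```javascript
// Allow-list of pass-through parameters and the format each must match.
// Hypothetical rule: extra_info is a short numeric id, like the AWS account-id case.
const ALLOWED = {
  extra_info: /^[0-9]{1,12}$/,
};

// Returns only allow-listed, well-formed parameters from the original auth URL.
function extractPassthrough(loginRequest, allowed = ALLOWED) {
  const raw = loginRequest ? loginRequest.request_url : undefined;
  if (typeof raw !== "string") return {}; // field missing: no hints
  let url;
  try {
    // A base is supplied so a relative request_url still parses.
    url = new URL(raw, "http://relative.invalid");
  } catch (err) {
    return {}; // malformed URL: no hints
  }
  const out = {};
  for (const [name, pattern] of Object.entries(allowed)) {
    const values = url.searchParams.getAll(name);
    // Ambiguous input: a repeated parameter is dropped rather than guessed at.
    if (values.length !== 1) continue;
    // The query string is whatever the browser sent, so validate before use.
    if (pattern.test(values[0])) out[name] = values[0];
  }
  return out;
}

// Constructed sample of the payload returned for challenge=xxx (other fields omitted).
const sampleLoginRequest = {
  challenge: "xxx",
  request_url:
    "https://hydra.example/oauth2/auth?client_id=app&response_type=code&extra_info=1234",
};

console.log(extractPassthrough(sampleLoginRequest)); // { extra_info: '1234' }
```

The result is suited to pre-filling or branding the login page; because the user controls the query string, it should not feed an authorization decision.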
