diff --git a/consent/manager_test.go b/consent/manager_test.go index 045bd458a52..592cb5c6ef9 100644 --- a/consent/manager_test.go +++ b/consent/manager_test.go @@ -65,6 +65,8 @@ func mockConsentRequest(key string, remember bool, rememberFor int, hasError boo CSRF: "csrf" + key, ForceSubjectIdentifier: "forced-subject", SubjectIdentifier: "forced-subject", + LoginSessionID: "login-session-id", + LoginChallenge: "login-challenge", } var err *RequestDeniedError @@ -112,6 +114,7 @@ func mockAuthRequest(key string, authAt bool) (c *AuthenticationRequest, h *Hand RequestedScope: []string{"scopea" + key, "scopeb" + key}, Verifier: "verifier" + key, CSRF: "csrf" + key, + SessionID: "login-session-id", } var err = &RequestDeniedError{ diff --git a/consent/sql_helper.go b/consent/sql_helper.go index dc04df2df09..db89e4ec34b 100644 --- a/consent/sql_helper.go +++ b/consent/sql_helper.go @@ -123,6 +123,19 @@ var migrations = &migrate.MemoryMigrationSource{ "DROP TABLE hydra_oauth2_obfuscated_authentication_session", }, }, + { + Id: "3", + Up: []string{ + `ALTER TABLE hydra_oauth2_consent_request ADD login_session_id VARCHAR(40) NULL DEFAULT ''`, + `ALTER TABLE hydra_oauth2_consent_request ADD login_challenge VARCHAR(40) NULL DEFAULT ''`, + `ALTER TABLE hydra_oauth2_authentication_request ADD login_session_id VARCHAR(40) NULL DEFAULT ''`, + }, + Down: []string{ + `ALTER TABLE hydra_oauth2_consent_request DROP COLUMN login_session_id`, + `ALTER TABLE hydra_oauth2_consent_request DROP COLUMN login_challenge`, + `ALTER TABLE hydra_oauth2_authentication_request DROP COLUMN login_session_id`, + }, + }, }, } 
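Review bot: The three columns added by migration "3" are declared `NULL DEFAULT ''` but are scanned into plain `string` fields (`sqlAuthenticationRequest.SessionID`, `sqlConsentRequest.LoginChallenge`/`LoginSessionID` in the later sql_helper.go hunks), and a NULL value in any of them would make the row unreadable rather than come back as an empty string. Every write path in this diff sets an explicit value, so the nullable declaration buys nothing; `ALTER TABLE hydra_oauth2_consent_request ADD login_session_id VARCHAR(40) NOT NULL DEFAULT ''` (and likewise for the other two statements) would make the schema match the struct contract. The `VARCHAR(40)` width should be checked against whatever length the existing `challenge` column and the authentication session ID use, since neither is visible in this diff; a silently truncated challenge or session ID would break the association this change introduces.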
@@ -151,9 +164,10 @@ var sqlParamsAuthenticationRequest = []string{ "requested_at", "csrf", "oidc_context", + "login_session_id", } -var sqlParamsConsentRequest = append(sqlParamsAuthenticationRequest, "forced_subject_identifier") +var sqlParamsConsentRequest = append(sqlParamsAuthenticationRequest, "forced_subject_identifier", "login_challenge") var sqlParamsConsentRequestHandled = []string{ "challenge", @@ -186,10 +200,13 @@ type sqlAuthenticationRequest struct { CSRF string `db:"csrf"` AuthenticatedAt *time.Time `db:"authenticated_at"` RequestedAt time.Time `db:"requested_at"` + SessionID string `db:"login_session_id"` } type sqlConsentRequest struct { sqlAuthenticationRequest + LoginChallenge string `db:"login_challenge"` + LoginSessionID string `db:"login_session_id"` ForcedSubjectIdentifier string `db:"forced_subject_identifier"` } @@ -226,7 +243,10 @@ func newSQLConsentRequest(c *ConsentRequest) (*sqlConsentRequest, error) { CSRF: c.CSRF, AuthenticatedAt: toMySQLDateHack(c.AuthenticatedAt), RequestedAt: c.RequestedAt, + SessionID: c.LoginSessionID, }, + LoginSessionID: c.LoginSessionID, + LoginChallenge: c.LoginChallenge, ForcedSubjectIdentifier: c.ForceSubjectIdentifier, }, nil } @@ -249,6 +269,7 @@ func newSQLAuthenticationRequest(c *AuthenticationRequest) (*sqlAuthenticationRe CSRF: c.CSRF, AuthenticatedAt: toMySQLDateHack(c.AuthenticatedAt), RequestedAt: c.RequestedAt, + SessionID: c.SessionID, }, nil } diff --git a/consent/strategy_default.go b/consent/strategy_default.go index 7ff2cfb1d43..2d10bf40a5e 100644 --- a/consent/strategy_default.go +++ b/consent/strategy_default.go 
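Review bot: In the @@ -186 hunk `sqlConsentRequest` now maps two fields to the same column: the embedded `sqlAuthenticationRequest.SessionID` and its own `LoginSessionID`, both tagged `db:"login_session_id"`, and `newSQLConsentRequest` (@@ -226) fills both from `c.LoginSessionID`. Which of the two sqlx binds for `:login_session_id` is a reflectx resolution detail (I believe the shallower field wins), so the duplicate works only as long as both are kept in sync by hand. Drop `LoginSessionID string \`db:"login_session_id"\`` from `sqlConsentRequest` and set only the embedded `SessionID: c.LoginSessionID`, or the reverse, so one column has exactly one Go field. The read-side conversion back to `ConsentRequest` is outside this diff and should be checked for the same duplication.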
@@ -102,24 +102,24 @@ var ErrNoPreviousConsentFound = errors.New("No previous OAuth 2.0 Consent could func (s *DefaultStrategy) requestAuthentication(w http.ResponseWriter, r *http.Request, ar fosite.AuthorizeRequester) error { prompt := stringsx.Splitx(ar.GetRequestForm().Get("prompt"), " ") if stringslice.Has(prompt, "login") { - return s.forwardAuthenticationRequest(w, r, ar, "", time.Time{}) + return s.forwardAuthenticationRequest(w, r, ar, "", time.Time{}, nil) } // We try to open the session cookie. If it does not exist (indicated by the error), we must authenticate the user. cookie, err := s.CookieStore.Get(r, cookieAuthenticationName) if err != nil { //id.L.WithError(err).Debug("No OAuth2 authentication session was found, performing consent authentication flow") - return s.forwardAuthenticationRequest(w, r, ar, "", time.Time{}) + return s.forwardAuthenticationRequest(w, r, ar, "", time.Time{}, nil) } sessionID := mapx.GetStringDefault(cookie.Values, cookieAuthenticationSIDName, "") if sessionID == "" { - return s.forwardAuthenticationRequest(w, r, ar, "", time.Time{}) + return s.forwardAuthenticationRequest(w, r, ar, "", time.Time{}, nil) } session, err := s.M.GetAuthenticationSession(sessionID) if errors.Cause(err) == pkg.ErrNotFound { - return s.forwardAuthenticationRequest(w, r, ar, "", time.Time{}) + return s.forwardAuthenticationRequest(w, r, ar, "", time.Time{}, nil) } else if err != nil { return err } 
@@ -137,12 +137,12 @@ func (s *DefaultStrategy) requestAuthentication(w http.ResponseWriter, r *http.R if stringslice.Has(prompt, "none") { return errors.WithStack(fosite.ErrLoginRequired.WithDebug("Request failed because prompt is set to \"none\" and authentication time reached max_age")) } - return s.forwardAuthenticationRequest(w, r, ar, "", time.Time{}) + return s.forwardAuthenticationRequest(w, r, ar, "", time.Time{}, nil) } idTokenHint := ar.GetRequestForm().Get("id_token_hint") if idTokenHint == "" { - return s.forwardAuthenticationRequest(w, r, ar, session.Subject, session.AuthenticatedAt) + return s.forwardAuthenticationRequest(w, r, ar, session.Subject, session.AuthenticatedAt, session) } token, err := s.JWTStrategy.Decode(idTokenHint) @@ -170,11 +170,11 @@ func (s *DefaultStrategy) requestAuthentication(w http.ResponseWriter, r *http.R if hintSub != session.Subject && hintSub != obfuscatedUserID && hintSub != forcedObfuscatedUserID { return errors.WithStack(fosite.ErrLoginRequired.WithDebug("Request failed because subject claim from id_token_hint does not match subject from authentication session")) } else { - return s.forwardAuthenticationRequest(w, r, ar, session.Subject, session.AuthenticatedAt) + return s.forwardAuthenticationRequest(w, r, ar, session.Subject, session.AuthenticatedAt, session) } } -func (s *DefaultStrategy) forwardAuthenticationRequest(w http.ResponseWriter, r *http.Request, ar fosite.AuthorizeRequester, subject string, authenticatedAt time.Time) error { +func (s *DefaultStrategy) forwardAuthenticationRequest(w http.ResponseWriter, r *http.Request, ar fosite.AuthorizeRequester, subject string, authenticatedAt time.Time, session *AuthenticationSession) error { if (subject != "" && authenticatedAt.IsZero()) || (subject == "" && !authenticatedAt.IsZero()) { return errors.WithStack(fosite.ErrServerError.WithDebug("Consent strategy returned a non-empty subject with an empty auth date, or an empty subject with a non-empty auth date")) } 
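Review bot: The new `session *AuthenticationSession` parameter on `forwardAuthenticationRequest` (@@ -170) is redundant with `subject`/`authenticatedAt`: at every call site in this diff the three are either `"", time.Time{}, nil` or `session.Subject, session.AuthenticatedAt, session`, yet the existing consistency guard at the top of the function only cross-checks subject against authenticatedAt. A caller passing a non-nil session with an empty subject (or the reverse) passes the guard and produces a login request with `session_id` set but no authenticated subject, which is presumably not intended. Either derive the pair from `session` inside the function and remove the two parameters, or extend the guard: `if (session == nil) != (subject == "") { return errors.WithStack(fosite.ErrServerError.WithDebug("Consent strategy returned an authentication session that does not match the subject")) }`. The function body continues beyond this hunk.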
@@ -212,6 +212,11 @@ func (s *DefaultStrategy) forwardAuthenticationRequest(w http.ResponseWriter, r } } + sessionID := "" + if session != nil { + sessionID = session.ID + } + // Set the session if err := s.M.CreateAuthenticationRequest( &AuthenticationRequest{ @@ -225,6 +230,7 @@ func (s *DefaultStrategy) forwardAuthenticationRequest(w http.ResponseWriter, r RequestURL: iu.String(), AuthenticatedAt: authenticatedAt, RequestedAt: time.Now().UTC(), + SessionID: sessionID, OpenIDConnectContext: &OpenIDConnectContext{ IDTokenHintClaims: idTokenHintClaims, ACRValues: stringsx.Splitx(ar.GetRequestForm().Get("acr_values"), " "), @@ -505,6 +511,8 @@ func (s *DefaultStrategy) forwardConsentRequest(w http.ResponseWriter, r *http.R RequestedAt: as.RequestedAt, ForceSubjectIdentifier: as.ForceSubjectIdentifier, OpenIDConnectContext: as.AuthenticationRequest.OpenIDConnectContext, + LoginSessionID: as.AuthenticationRequest.SessionID, + LoginChallenge: as.AuthenticationRequest.Challenge, }, ); err != nil { return errors.WithStack(err) diff --git a/consent/strategy_default_test.go b/consent/strategy_default_test.go index 3c9c8272a4c..27f7afa3f78 100644 --- a/consent/strategy_default_test.go +++ b/consent/strategy_default_test.go @@ -265,6 +265,8 @@ func TestStrategy(t *testing.T) { assert.Contains(t, lr.RequestUrl, "/oauth2/auth?login_verifier=&consent_verifier=&") assert.EqualValues(t, false, lr.Skip) assert.EqualValues(t, "user", lr.Subject) + assert.NotEmpty(t, lr.LoginChallenge) + assert.Empty(t, lr.LoginSessionId) assert.EqualValues(t, swagger.OpenIdConnectContext{AcrValues: []string{"1", "2"}, Display: "page", UiLocales: []string{"de", "en"}}, lr.OidcContext) w.WriteHeader(http.StatusNoContent) } 
@@ -346,6 +348,66 @@ func TestStrategy(t *testing.T) { }, }, }, + { + d: "This should pass because login was remembered and session id should be set", + req: fosite.AuthorizeRequest{Request: fosite.Request{Client: &client.Client{ClientID: "client-id"}, Scopes: []string{"scope-a"}}}, + jar: persistentCJ, + lph: func(t *testing.T) func(w http.ResponseWriter, r *http.Request) { + return func(w http.ResponseWriter, r *http.Request) { + lr, res, err := apiClient.GetLoginRequest(r.URL.Query().Get("login_challenge")) + require.NoError(t, err) + require.EqualValues(t, http.StatusOK, res.StatusCode) + assert.True(t, lr.Skip) + assert.NotEmpty(t, lr.SessionId) + v, res, err := apiClient.AcceptLoginRequest(r.URL.Query().Get("login_challenge"), swagger.AcceptLoginRequest{ + Subject: "user", + Remember: false, + RememberFor: 0, + Acr: "1", + }) + require.NoError(t, err) + require.EqualValues(t, http.StatusOK, res.StatusCode) + require.NotEmpty(t, v.RedirectTo) + http.Redirect(w, r, v.RedirectTo, http.StatusFound) + } + }, + cph: func(t *testing.T) func(w http.ResponseWriter, r *http.Request) { + return func(w http.ResponseWriter, r *http.Request) { + cr, res, err := apiClient.GetConsentRequest(r.URL.Query().Get("consent_challenge")) + require.NoError(t, err) + require.EqualValues(t, http.StatusOK, res.StatusCode) + assert.True(t, cr.Skip) + assert.NotEmpty(t, cr.LoginSessionId) + assert.NotEmpty(t, cr.LoginChallenge) + v, res, err := apiClient.AcceptConsentRequest(r.URL.Query().Get("consent_challenge"), swagger.AcceptConsentRequest{ + GrantScope: []string{"scope-a"}, + Remember: false, + RememberFor: 0, + Session: swagger.ConsentRequestSession{ + AccessToken: map[string]interface{}{"foo": "bar"}, + IdToken: map[string]interface{}{"bar": "baz"}, + }, + }) + require.NoError(t, err) + require.EqualValues(t, http.StatusOK, res.StatusCode) + require.NotEmpty(t, v.RedirectTo) + http.Redirect(w, r, v.RedirectTo, http.StatusFound) + } + }, + expectFinalStatusCode: http.StatusOK, + 
expectErrType: []error{ErrAbortOAuth2Request, ErrAbortOAuth2Request, nil}, + expectErr: []bool{true, true, false}, + expectSession: &HandledConsentRequest{ + ConsentRequest: &ConsentRequest{Subject: "user", SubjectIdentifier: "user"}, + GrantedScope: []string{"scope-a"}, + Remember: false, + RememberFor: 0, + Session: &ConsentRequestSessionData{ + AccessToken: map[string]interface{}{"foo": "bar"}, + IDToken: map[string]interface{}{"bar": "baz"}, + }, + }, + }, { d: "This should fail because prompt=none, client is public, and redirection scheme is not HTTPS but a custom scheme", req: fosite.AuthorizeRequest{RedirectURI: mustParseURL(t, "custom://redirection-scheme/path"), Request: fosite.Request{Client: &client.Client{TokenEndpointAuthMethod: "none", ClientID: "client-id"}, Scopes: []string{"scope-a"}}}, diff --git a/consent/types.go b/consent/types.go index 98d85f08664..311299b8cac 100644 --- a/consent/types.go +++ b/consent/types.go @@ -253,6 +253,10 @@ type AuthenticationRequest struct { // might come in handy if you want to deal with additional request parameters. RequestURL string `json:"request_url"` + // SessionID is the authentication session ID. It is set if the browser had a valid authentication session at + // ORY Hydra during the login flow. It can be used to associate consecutive login requests by a certain user. + SessionID string `json:"session_id"` + ForceSubjectIdentifier string `json:"-"` // this is here but has no meaning apart from sql_helper working properly. Verifier string `json:"-"` CSRF string `json:"-"` 
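Review bot: The new "login was remembered" case only asserts that `lr.SessionId`, `cr.LoginSessionId` and `cr.LoginChallenge` are non-empty, so it would still pass if the consent request carried a different session ID or a stale login challenge — the login↔consent association this change introduces is never actually checked. Capture `lr.SessionId` and `r.URL.Query().Get("login_challenge")` in the lph handler into variables declared before the table, then compare in cph: `assert.EqualValues(t, seenSessionID, cr.LoginSessionId)` and `assert.EqualValues(t, seenLoginChallenge, cr.LoginChallenge)`. The test table this case belongs to starts and ends outside the hunk.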
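Review bot: The new `SessionID` doc comment on `AuthenticationRequest` says what the value is but not how it should be handled: per the strategy_default.go hunks in this same diff it is the identifier read from the authentication cookie (`cookieAuthenticationSIDName`), and it is now both persisted in `hydra_oauth2_authentication_request` and returned to the login & consent app. Assuming the cookie store signs its payload, the bare ID should not be enough to forge a session, but it still names a live browser session, so I would add `// Treat this value as opaque and sensitive: do not log it or expose it to the end-user's browser.` The same applies to `LoginSessionID` in the `ConsentRequest` hunk at @@ -292, whose comment was copied verbatim from `SessionID` and still speaks of "consecutive login requests" although it sits on a consent request. The enclosing struct definition starts and ends outside the hunk.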
@@ -292,6 +296,14 @@ type ConsentRequest struct { // might come in handy if you want to deal with additional request parameters. RequestURL string `json:"request_url"` + // LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate + // a login and consent request in the login & consent app. + LoginChallenge string `json:"login_challenge"` + + // LoginSessionID is the authentication session ID. It is set if the browser had a valid authentication session at + // ORY Hydra during the login flow. It can be used to associate consecutive login requests by a certain user. + LoginSessionID string `json:"login_session_id"` + // ForceSubjectIdentifier is the value from authentication (if set). ForceSubjectIdentifier string `json:"-"` SubjectIdentifier string `json:"-"` diff --git a/docs/api.swagger.json b/docs/api.swagger.json index a3d922b6ae3..695a2be8246 100644 --- a/docs/api.swagger.json +++ b/docs/api.swagger.json @@ -2111,6 +2111,16 @@ "client": { "$ref": "#/definitions/oAuth2Client" }, + "login_challenge": { + "description": "LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate\na login and consent request in the login \u0026 consent app.", + "type": "string", + "x-go-name": "LoginChallenge" + }, + "login_session_id": { + "description": "LoginSessionID is the authentication session ID. It is set if the browser had a valid authentication session at\nORY Hydra during the login flow. It can be used to associate consecutive login requests by a certain user.", + "type": "string", + "x-go-name": "LoginSessionID" + }, "oidc_context": { "$ref": "#/definitions/openIDConnectContext" }, 
@@ -2371,6 +2381,11 @@ }, "x-go-name": "RequestedScope" }, + "session_id": { + "description": "SessionID is the authentication session ID. It is set if the browser had a valid authentication session at\nORY Hydra during the login flow. It can be used to associate consecutive login requests by a certain user.", + "type": "string", + "x-go-name": "SessionID" + }, "skip": { "description": "Skip, if true, implies that the client has requested the same scopes from the same user previously.\nIf true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL.\n\nThis feature allows you to update / set session information.", "type": "boolean", @@ -2389,6 +2404,14 @@ "type": "object", "title": "Client represents an OAuth 2.0 Client.", "properties": { + "allowed_cors_origins": { + "description": "AllowedCORSOrigins are one or more URLs (scheme://host[:port]) which are allowed to make CORS requests\nto the /oauth/token endpoint. If this array is empty, the sever's CORS origin configuration (`CORS_ALLOWED_ORIGINS`)\nwill be used instead. If this array is set, the allowed origins are appended to the server's CORS origin configuration.\nBe aware that environment variable `CORS_ENABLED` MUST be set to `true` for this to work.", + "type": "array", + "items": { + "type": "string" + }, + "x-go-name": "AllowedCORSOrigins" + }, "client_id": { "description": "ClientID is the id for this client.", "type": "string", diff --git a/sdk/go/hydra/swagger/consent_request.go b/sdk/go/hydra/swagger/consent_request.go index 7e6e295765a..275493ae2b7 100644 --- a/sdk/go/hydra/swagger/consent_request.go +++ b/sdk/go/hydra/swagger/consent_request.go 
@@ -17,6 +17,12 @@ type ConsentRequest struct { Client OAuth2Client `json:"client,omitempty"` + // LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate a login and consent request in the login & consent app. + LoginChallenge string `json:"login_challenge,omitempty"` + + // LoginSessionID is the authentication session ID. It is set if the browser had a valid authentication session at ORY Hydra during the login flow. It can be used to associate consecutive login requests by a certain user. + LoginSessionId string `json:"login_session_id,omitempty"` + OidcContext OpenIdConnectContext `json:"oidc_context,omitempty"` // RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters. diff --git a/sdk/go/hydra/swagger/docs/ConsentRequest.md b/sdk/go/hydra/swagger/docs/ConsentRequest.md index 2c02bd4709b..16de3751faf 100644 --- a/sdk/go/hydra/swagger/docs/ConsentRequest.md +++ b/sdk/go/hydra/swagger/docs/ConsentRequest.md 
@@ -5,6 +5,8 @@ Name | Type | Description | Notes ------------ | ------------- | ------------- | ------------- **Challenge** | **string** | Challenge is the identifier (\"authorization challenge\") of the consent authorization request. It is used to identify the session. | [optional] [default to null] **Client** | [**OAuth2Client**](oAuth2Client.md) | | [optional] [default to null] +**LoginChallenge** | **string** | LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate a login and consent request in the login & consent app. | [optional] [default to null] +**LoginSessionId** | **string** | LoginSessionID is the authentication session ID. It is set if the browser had a valid authentication session at ORY Hydra during the login flow. It can be used to associate consecutive login requests by a certain user. | [optional] [default to null] **OidcContext** | [**OpenIdConnectContext**](openIDConnectContext.md) | | [optional] [default to null] **RequestUrl** | **string** | RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters. | [optional] [default to null] **RequestedScope** | **[]string** | RequestedScope contains all scopes requested by the OAuth 2.0 client. | [optional] [default to null] diff --git a/sdk/go/hydra/swagger/docs/LoginRequest.md b/sdk/go/hydra/swagger/docs/LoginRequest.md index d774bd21f3a..4bfb6762822 100644 --- a/sdk/go/hydra/swagger/docs/LoginRequest.md +++ b/sdk/go/hydra/swagger/docs/LoginRequest.md 
@@ -8,6 +8,7 @@ Name | Type | Description | Notes **OidcContext** | [**OpenIdConnectContext**](openIDConnectContext.md) | | [optional] [default to null] **RequestUrl** | **string** | RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters. | [optional] [default to null] **RequestedScope** | **[]string** | RequestedScope contains all scopes requested by the OAuth 2.0 client. | [optional] [default to null] +**SessionId** | **string** | SessionID is the authentication session ID. It is set if the browser had a valid authentication session at ORY Hydra during the login flow. It can be used to associate consecutive login requests by a certain user. | [optional] [default to null] **Skip** | **bool** | Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL. This feature allows you to update / set session information. | [optional] [default to null] **Subject** | **string** | Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope requested by the OAuth 2.0 client. If this value is set and `skip` is true, you MUST include this subject type when accepting the login request, or the request will fail. | [optional] [default to null] diff --git a/sdk/go/hydra/swagger/docs/OAuth2Client.md b/sdk/go/hydra/swagger/docs/OAuth2Client.md index 0f7b799389a..202de75323e 100644 --- a/sdk/go/hydra/swagger/docs/OAuth2Client.md +++ b/sdk/go/hydra/swagger/docs/OAuth2Client.md 
@@ -3,6 +3,7 @@ ## Properties Name | Type | Description | Notes ------------ | ------------- | ------------- | ------------- +**AllowedCorsOrigins** | **[]string** | AllowedCORSOrigins are one or more URLs (scheme://host[:port]) which are allowed to make CORS requests to the /oauth/token endpoint. If this array is empty, the sever's CORS origin configuration (`CORS_ALLOWED_ORIGINS`) will be used instead. If this array is set, the allowed origins are appended to the server's CORS origin configuration. Be aware that environment variable `CORS_ENABLED` MUST be set to `true` for this to work. | [optional] [default to null] **ClientId** | **string** | ClientID is the id for this client. | [optional] [default to null] **ClientName** | **string** | Name is the human-readable string name of the client to be presented to the end-user during authorization. | [optional] [default to null] **ClientSecret** | **string** | Secret is the client's secret. The secret will be included in the create request as cleartext, and then never again. The secret is stored using BCrypt so it is impossible to recover it. Tell your users that they need to write the secret down as it will not be made available again. | [optional] [default to null] diff --git a/sdk/go/hydra/swagger/login_request.go b/sdk/go/hydra/swagger/login_request.go index 3043bc08e3e..b41913323dc 100644 --- a/sdk/go/hydra/swagger/login_request.go +++ b/sdk/go/hydra/swagger/login_request.go 
@@ -25,6 +25,9 @@ type LoginRequest struct { // RequestedScope contains all scopes requested by the OAuth 2.0 client. RequestedScope []string `json:"requested_scope,omitempty"` + // SessionID is the authentication session ID. It is set if the browser had a valid authentication session at ORY Hydra during the login flow. It can be used to associate consecutive login requests by a certain user. + SessionId string `json:"session_id,omitempty"` + // Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL. This feature allows you to update / set session information. Skip bool `json:"skip,omitempty"` diff --git a/sdk/go/hydra/swagger/o_auth2_client.go b/sdk/go/hydra/swagger/o_auth2_client.go index 889aba7a637..3faf1e00c10 100644 --- a/sdk/go/hydra/swagger/o_auth2_client.go +++ b/sdk/go/hydra/swagger/o_auth2_client.go @@ -12,6 +12,9 @@ package swagger type OAuth2Client struct { + // AllowedCORSOrigins are one or more URLs (scheme://host[:port]) which are allowed to make CORS requests to the /oauth/token endpoint. If this array is empty, the sever's CORS origin configuration (`CORS_ALLOWED_ORIGINS`) will be used instead. If this array is set, the allowed origins are appended to the server's CORS origin configuration. Be aware that environment variable `CORS_ENABLED` MUST be set to `true` for this to work. + AllowedCorsOrigins []string `json:"allowed_cors_origins,omitempty"` + // ClientID is the id for this client. ClientId string `json:"client_id,omitempty"` diff --git a/sdk/js/swagger/docs/ConsentRequest.md b/sdk/js/swagger/docs/ConsentRequest.md index 51e023b5479..ce643cebae8 100644 --- a/sdk/js/swagger/docs/ConsentRequest.md +++ b/sdk/js/swagger/docs/ConsentRequest.md 
@@ -5,6 +5,8 @@ Name | Type | Description | Notes ------------ | ------------- | ------------- | ------------- **challenge** | **String** | Challenge is the identifier (\"authorization challenge\") of the consent authorization request. It is used to identify the session. | [optional] **client** | [**OAuth2Client**](OAuth2Client.md) | | [optional] +**loginChallenge** | **String** | LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate a login and consent request in the login & consent app. | [optional] +**loginSessionId** | **String** | LoginSessionID is the authentication session ID. It is set if the browser had a valid authentication session at ORY Hydra during the login flow. It can be used to associate consecutive login requests by a certain user. | [optional] **oidcContext** | [**OpenIDConnectContext**](OpenIDConnectContext.md) | | [optional] **requestUrl** | **String** | RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters. | [optional] **requestedScope** | **[String]** | RequestedScope contains all scopes requested by the OAuth 2.0 client. | [optional] diff --git a/sdk/js/swagger/docs/LoginRequest.md b/sdk/js/swagger/docs/LoginRequest.md index 40055a30a75..0d0d038ed14 100644 --- a/sdk/js/swagger/docs/LoginRequest.md +++ b/sdk/js/swagger/docs/LoginRequest.md 
@@ -8,6 +8,7 @@ Name | Type | Description | Notes **oidcContext** | [**OpenIDConnectContext**](OpenIDConnectContext.md) | | [optional] **requestUrl** | **String** | RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters. | [optional] **requestedScope** | **[String]** | RequestedScope contains all scopes requested by the OAuth 2.0 client. | [optional] +**sessionId** | **String** | SessionID is the authentication session ID. It is set if the browser had a valid authentication session at ORY Hydra during the login flow. It can be used to associate consecutive login requests by a certain user. | [optional] **skip** | **Boolean** | Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL. This feature allows you to update / set session information. | [optional] **subject** | **String** | Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope requested by the OAuth 2.0 client. If this value is set and `skip` is true, you MUST include this subject type when accepting the login request, or the request will fail. | [optional] diff --git a/sdk/js/swagger/docs/OAuth2Client.md b/sdk/js/swagger/docs/OAuth2Client.md index 7961e3f0b50..021dc7b5712 100644 --- a/sdk/js/swagger/docs/OAuth2Client.md +++ b/sdk/js/swagger/docs/OAuth2Client.md 
@@ -3,6 +3,7 @@ ## Properties Name | Type | Description | Notes ------------ | ------------- | ------------- | ------------- +**allowedCorsOrigins** | **[String]** | AllowedCORSOrigins are one or more URLs (scheme://host[:port]) which are allowed to make CORS requests to the /oauth/token endpoint. If this array is empty, the sever's CORS origin configuration (`CORS_ALLOWED_ORIGINS`) will be used instead. If this array is set, the allowed origins are appended to the server's CORS origin configuration. Be aware that environment variable `CORS_ENABLED` MUST be set to `true` for this to work. | [optional] **clientId** | **String** | ClientID is the id for this client. | [optional] **clientName** | **String** | Name is the human-readable string name of the client to be presented to the end-user during authorization. | [optional] **clientSecret** | **String** | Secret is the client's secret. The secret will be included in the create request as cleartext, and then never again. The secret is stored using BCrypt so it is impossible to recover it. Tell your users that they need to write the secret down as it will not be made available again. | [optional] diff --git a/sdk/js/swagger/src/model/ConsentRequest.js b/sdk/js/swagger/src/model/ConsentRequest.js index 79ef9cce148..5dfc3ed0da7 100644 --- a/sdk/js/swagger/src/model/ConsentRequest.js +++ b/sdk/js/swagger/src/model/ConsentRequest.js @@ -75,6 +75,18 @@ if (data.hasOwnProperty('client')) { obj['client'] = OAuth2Client.constructFromObject(data['client']) } + if (data.hasOwnProperty('login_challenge')) { + obj['login_challenge'] = ApiClient.convertToType( + data['login_challenge'], + 'String' + ) + } + if (data.hasOwnProperty('login_session_id')) { + obj['login_session_id'] = ApiClient.convertToType( + data['login_session_id'], + 'String' + ) + } if (data.hasOwnProperty('oidc_context')) { obj['oidc_context'] = OpenIDConnectContext.constructFromObject( data['oidc_context'] 
@@ -111,6 +123,16 @@ * @member {module:model/OAuth2Client} client */ exports.prototype['client'] = undefined + /** + * LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate a login and consent request in the login & consent app. + * @member {String} login_challenge + */ + exports.prototype['login_challenge'] = undefined + /** + * LoginSessionID is the authentication session ID. It is set if the browser had a valid authentication session at ORY Hydra during the login flow. It can be used to associate consecutive login requests by a certain user. + * @member {String} login_session_id + */ + exports.prototype['login_session_id'] = undefined /** * @member {module:model/OpenIDConnectContext} oidc_context */ diff --git a/sdk/js/swagger/src/model/LoginRequest.js b/sdk/js/swagger/src/model/LoginRequest.js index da7aa19491e..80280a83b95 100644 --- a/sdk/js/swagger/src/model/LoginRequest.js +++ b/sdk/js/swagger/src/model/LoginRequest.js @@ -92,6 +92,12 @@ ['String'] ) } + if (data.hasOwnProperty('session_id')) { + obj['session_id'] = ApiClient.convertToType( + data['session_id'], + 'String' + ) + } if (data.hasOwnProperty('skip')) { obj['skip'] = ApiClient.convertToType(data['skip'], 'Boolean') } @@ -125,6 +131,11 @@ * @member {Array.} requested_scope */ exports.prototype['requested_scope'] = undefined + /** + * SessionID is the authentication session ID. It is set if the browser had a valid authentication session at ORY Hydra during the login flow. It can be used to associate consecutive login requests by a certain user. + * @member {String} session_id + */ + exports.prototype['session_id'] = undefined /** * Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL. This feature allows you to update / set session information. * @member {Boolean} skip 
diff --git a/sdk/js/swagger/src/model/OAuth2Client.js b/sdk/js/swagger/src/model/OAuth2Client.js index 53c14b679d7..7e07851b0ec 100644 --- a/sdk/js/swagger/src/model/OAuth2Client.js +++ b/sdk/js/swagger/src/model/OAuth2Client.js @@ -63,6 +63,12 @@ if (data) { obj = obj || new exports() + if (data.hasOwnProperty('allowed_cors_origins')) { + obj['allowed_cors_origins'] = ApiClient.convertToType( + data['allowed_cors_origins'], + ['String'] + ) + } if (data.hasOwnProperty('client_id')) { obj['client_id'] = ApiClient.convertToType(data['client_id'], 'String') } @@ -172,6 +178,11 @@ return obj } + /** + * AllowedCORSOrigins are one or more URLs (scheme://host[:port]) which are allowed to make CORS requests to the /oauth/token endpoint. If this array is empty, the sever's CORS origin configuration (`CORS_ALLOWED_ORIGINS`) will be used instead. If this array is set, the allowed origins are appended to the server's CORS origin configuration. Be aware that environment variable `CORS_ENABLED` MUST be set to `true` for this to work. + * @member {Array.} allowed_cors_origins + */ + exports.prototype['allowed_cors_origins'] = undefined /** * ClientID is the id for this client. * @member {String} client_id diff --git a/sdk/php/swagger/docs/Model/ConsentRequest.md b/sdk/php/swagger/docs/Model/ConsentRequest.md index bd784f2a898..56d46f78cfb 100644 --- a/sdk/php/swagger/docs/Model/ConsentRequest.md +++ b/sdk/php/swagger/docs/Model/ConsentRequest.md 
@@ -5,6 +5,8 @@ Name | Type | Description | Notes ------------ | ------------- | ------------- | ------------- **challenge** | **string** | Challenge is the identifier (\"authorization challenge\") of the consent authorization request. It is used to identify the session. | [optional] **client** | [**\Hydra\SDK\Model\OAuth2Client**](OAuth2Client.md) | | [optional] +**login_challenge** | **string** | LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate a login and consent request in the login & consent app. | [optional] +**login_session_id** | **string** | LoginSessionID is the authentication session ID. It is set if the browser had a valid authentication session at ORY Hydra during the login flow. It can be used to associate consecutive login requests by a certain user. | [optional] **oidc_context** | [**\Hydra\SDK\Model\OpenIDConnectContext**](OpenIDConnectContext.md) | | [optional] **request_url** | **string** | RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters. | [optional] **requested_scope** | **string[]** | RequestedScope contains all scopes requested by the OAuth 2.0 client. | [optional] diff --git a/sdk/php/swagger/docs/Model/LoginRequest.md b/sdk/php/swagger/docs/Model/LoginRequest.md index 309a44bd926..a28736e3b90 100644 --- a/sdk/php/swagger/docs/Model/LoginRequest.md +++ b/sdk/php/swagger/docs/Model/LoginRequest.md 
@@ -8,6 +8,7 @@ Name | Type | Description | Notes **oidc_context** | [**\Hydra\SDK\Model\OpenIDConnectContext**](OpenIDConnectContext.md) | | [optional] **request_url** | **string** | RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters. | [optional] **requested_scope** | **string[]** | RequestedScope contains all scopes requested by the OAuth 2.0 client. | [optional] +**session_id** | **string** | SessionID is the authentication session ID. It is set if the browser had a valid authentication session at ORY Hydra during the login flow. It can be used to associate consecutive login requests by a certain user. | [optional] **skip** | **bool** | Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL. This feature allows you to update / set session information. | [optional] **subject** | **string** | Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope requested by the OAuth 2.0 client. If this value is set and `skip` is true, you MUST include this subject type when accepting the login request, or the request will fail. | [optional] diff --git a/sdk/php/swagger/docs/Model/OAuth2Client.md b/sdk/php/swagger/docs/Model/OAuth2Client.md index 564841cba49..0d55d4c7a64 100644 --- a/sdk/php/swagger/docs/Model/OAuth2Client.md +++ b/sdk/php/swagger/docs/Model/OAuth2Client.md 
@@ -3,6 +3,7 @@ ## Properties Name | Type | Description | Notes ------------ | ------------- | ------------- | ------------- +**allowed_cors_origins** | **string[]** | AllowedCORSOrigins are one or more URLs (scheme://host[:port]) which are allowed to make CORS requests to the /oauth/token endpoint. If this array is empty, the sever's CORS origin configuration (`CORS_ALLOWED_ORIGINS`) will be used instead. If this array is set, the allowed origins are appended to the server's CORS origin configuration. Be aware that environment variable `CORS_ENABLED` MUST be set to `true` for this to work. | [optional] **client_id** | **string** | ClientID is the id for this client. | [optional] **client_name** | **string** | Name is the human-readable string name of the client to be presented to the end-user during authorization. | [optional] **client_secret** | **string** | Secret is the client's secret. The secret will be included in the create request as cleartext, and then never again. The secret is stored using BCrypt so it is impossible to recover it. Tell your users that they need to write the secret down as it will not be made available again. | [optional] diff --git a/sdk/php/swagger/lib/Model/ConsentRequest.php b/sdk/php/swagger/lib/Model/ConsentRequest.php index 134e4df14a0..1033ce4f4df 100644 --- a/sdk/php/swagger/lib/Model/ConsentRequest.php +++ b/sdk/php/swagger/lib/Model/ConsentRequest.php @@ -56,6 +56,8 @@ class ConsentRequest implements ArrayAccess protected static $swaggerTypes = [ 'challenge' => 'string', 'client' => '\Hydra\SDK\Model\OAuth2Client', + 'login_challenge' => 'string', + 'login_session_id' => 'string', 'oidc_context' => '\Hydra\SDK\Model\OpenIDConnectContext', 'request_url' => 'string', 'requested_scope' => 'string[]', 
@@ -70,6 +72,8 @@ class ConsentRequest implements ArrayAccess protected static $swaggerFormats = [ 'challenge' => null, 'client' => null, + 'login_challenge' => null, + 'login_session_id' => null, 'oidc_context' => null, 'request_url' => null, 'requested_scope' => null, @@ -94,6 +98,8 @@ public static function swaggerFormats() protected static $attributeMap = [ 'challenge' => 'challenge', 'client' => 'client', + 'login_challenge' => 'login_challenge', + 'login_session_id' => 'login_session_id', 'oidc_context' => 'oidc_context', 'request_url' => 'request_url', 'requested_scope' => 'requested_scope', @@ -109,6 +115,8 @@ public static function swaggerFormats() protected static $setters = [ 'challenge' => 'setChallenge', 'client' => 'setClient', + 'login_challenge' => 'setLoginChallenge', + 'login_session_id' => 'setLoginSessionId', 'oidc_context' => 'setOidcContext', 'request_url' => 'setRequestUrl', 'requested_scope' => 'setRequestedScope', @@ -124,6 +132,8 @@ public static function swaggerFormats() protected static $getters = [ 'challenge' => 'getChallenge', 'client' => 'getClient', + 'login_challenge' => 'getLoginChallenge', + 'login_session_id' => 'getLoginSessionId', 'oidc_context' => 'getOidcContext', 'request_url' => 'getRequestUrl', 'requested_scope' => 'getRequestedScope', 
@@ -164,6 +174,8 @@ public function __construct(array $data = null) { $this->container['challenge'] = isset($data['challenge']) ? $data['challenge'] : null; $this->container['client'] = isset($data['client']) ? $data['client'] : null; + $this->container['login_challenge'] = isset($data['login_challenge']) ? $data['login_challenge'] : null; + $this->container['login_session_id'] = isset($data['login_session_id']) ? $data['login_session_id'] : null; $this->container['oidc_context'] = isset($data['oidc_context']) ? $data['oidc_context'] : null; $this->container['request_url'] = isset($data['request_url']) ? $data['request_url'] : null; $this->container['requested_scope'] = isset($data['requested_scope']) ? $data['requested_scope'] : null; 
@@ -238,6 +250,48 @@ public function setClient($client) return $this; } + /** + * Gets login_challenge + * @return string + */ + public function getLoginChallenge() + { + return $this->container['login_challenge']; + } + + /** + * Sets login_challenge + * @param string $login_challenge LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate a login and consent request in the login & consent app. + * @return $this + */ + public function setLoginChallenge($login_challenge) + { + $this->container['login_challenge'] = $login_challenge; + + return $this; + } + + /** + * Gets login_session_id + * @return string + */ + public function getLoginSessionId() + { + return $this->container['login_session_id']; + } + + /** + * Sets login_session_id + * @param string $login_session_id LoginSessionID is the authentication session ID. It is set if the browser had a valid authentication session at ORY Hydra during the login flow. It can be used to associate consecutive login requests by a certain user. + * @return $this + */ + public function setLoginSessionId($login_session_id) + { + $this->container['login_session_id'] = $login_session_id; + + return $this; + } + /** * Gets oidc_context * @return \Hydra\SDK\Model\OpenIDConnectContext diff --git a/sdk/php/swagger/lib/Model/LoginRequest.php b/sdk/php/swagger/lib/Model/LoginRequest.php index 2698fc78690..8ef5991a317 100644 --- a/sdk/php/swagger/lib/Model/LoginRequest.php +++ b/sdk/php/swagger/lib/Model/LoginRequest.php @@ -59,6 +59,7 @@ class LoginRequest implements ArrayAccess 'oidc_context' => '\Hydra\SDK\Model\OpenIDConnectContext', 'request_url' => 'string', 'requested_scope' => 'string[]', + 'session_id' => 'string', 'skip' => 'bool', 'subject' => 'string' ]; @@ -73,6 +74,7 @@ class LoginRequest implements ArrayAccess 'oidc_context' => null, 'request_url' => null, 'requested_scope' => null, + 'session_id' => null, 'skip' => null, 'subject' => null ]; 
@@ -97,6 +99,7 @@ public static function swaggerFormats() 'oidc_context' => 'oidc_context', 'request_url' => 'request_url', 'requested_scope' => 'requested_scope', + 'session_id' => 'session_id', 'skip' => 'skip', 'subject' => 'subject' ]; @@ -112,6 +115,7 @@ public static function swaggerFormats() 'oidc_context' => 'setOidcContext', 'request_url' => 'setRequestUrl', 'requested_scope' => 'setRequestedScope', + 'session_id' => 'setSessionId', 'skip' => 'setSkip', 'subject' => 'setSubject' ]; @@ -127,6 +131,7 @@ public static function swaggerFormats() 'oidc_context' => 'getOidcContext', 'request_url' => 'getRequestUrl', 'requested_scope' => 'getRequestedScope', + 'session_id' => 'getSessionId', 'skip' => 'getSkip', 'subject' => 'getSubject' ]; @@ -167,6 +172,7 @@ public function __construct(array $data = null) $this->container['oidc_context'] = isset($data['oidc_context']) ? $data['oidc_context'] : null; $this->container['request_url'] = isset($data['request_url']) ? $data['request_url'] : null; $this->container['requested_scope'] = isset($data['requested_scope']) ? $data['requested_scope'] : null; + $this->container['session_id'] = isset($data['session_id']) ? $data['session_id'] : null; $this->container['skip'] = isset($data['skip']) ? $data['skip'] : null; $this->container['subject'] = isset($data['subject']) ? $data['subject'] : null; } 
@@ -301,6 +307,27 @@ public function setRequestedScope($requested_scope) return $this; } + /** + * Gets session_id + * @return string + */ + public function getSessionId() + { + return $this->container['session_id']; + } + + /** + * Sets session_id + * @param string $session_id SessionID is the authentication session ID. It is set if the browser had a valid authentication session at ORY Hydra during the login flow. It can be used to associate consecutive login requests by a certain user. + * @return $this + */ + public function setSessionId($session_id) + { + $this->container['session_id'] = $session_id; + + return $this; + } + /** * Gets skip * @return bool diff --git a/sdk/php/swagger/lib/Model/OAuth2Client.php b/sdk/php/swagger/lib/Model/OAuth2Client.php index 43b99298abc..a1789640503 100644 --- a/sdk/php/swagger/lib/Model/OAuth2Client.php +++ b/sdk/php/swagger/lib/Model/OAuth2Client.php @@ -54,6 +54,7 @@ class OAuth2Client implements ArrayAccess * @var string[] */ protected static $swaggerTypes = [ + 'allowed_cors_origins' => 'string[]', 'client_id' => 'string', 'client_name' => 'string', 'client_secret' => 'string', @@ -83,6 +84,7 @@ class OAuth2Client implements ArrayAccess * @var string[] */ protected static $swaggerFormats = [ + 'allowed_cors_origins' => null, 'client_id' => null, 'client_name' => null, 'client_secret' => null, @@ -122,6 +124,7 @@ public static function swaggerFormats() * @var string[] */ protected static $attributeMap = [ + 'allowed_cors_origins' => 'allowed_cors_origins', 'client_id' => 'client_id', 'client_name' => 'client_name', 'client_secret' => 'client_secret', @@ -152,6 +155,7 @@ public static function swaggerFormats() * @var string[] */ protected static $setters = [ + 'allowed_cors_origins' => 'setAllowedCorsOrigins', 'client_id' => 'setClientId', 'client_name' => 'setClientName', 'client_secret' => 'setClientSecret', 
@@ -182,6 +186,7 @@ public static function swaggerFormats() * @var string[] */ protected static $getters = [ + 'allowed_cors_origins' => 'getAllowedCorsOrigins', 'client_id' => 'getClientId', 'client_name' => 'getClientName', 'client_secret' => 'getClientSecret', @@ -237,6 +242,7 @@ public static function getters() */ public function __construct(array $data = null) { + $this->container['allowed_cors_origins'] = isset($data['allowed_cors_origins']) ? $data['allowed_cors_origins'] : null; $this->container['client_id'] = isset($data['client_id']) ? $data['client_id'] : null; $this->container['client_name'] = isset($data['client_name']) ? $data['client_name'] : null; $this->container['client_secret'] = isset($data['client_secret']) ? $data['client_secret'] : null; @@ -293,6 +299,27 @@ public function valid() } + /** + * Gets allowed_cors_origins + * @return string[] + */ + public function getAllowedCorsOrigins() + { + return $this->container['allowed_cors_origins']; + } + + /** + * Sets allowed_cors_origins + * @param string[] $allowed_cors_origins AllowedCORSOrigins are one or more URLs (scheme://host[:port]) which are allowed to make CORS requests to the /oauth/token endpoint. If this array is empty, the sever's CORS origin configuration (`CORS_ALLOWED_ORIGINS`) will be used instead. If this array is set, the allowed origins are appended to the server's CORS origin configuration. Be aware that environment variable `CORS_ENABLED` MUST be set to `true` for this to work. + * @return $this + */ + public function setAllowedCorsOrigins($allowed_cors_origins) + { + $this->container['allowed_cors_origins'] = $allowed_cors_origins; + + return $this; + } + /** * Gets client_id * @return string