feat: support OIDC on API flows

[jonas-jonas]

Based on changes in #2346

Related issue(s)

Related to https://github.com/ory-corp/cloud/issues/3496

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got the approval (please contact
  [email protected]) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Further Comments

The id_token flow looks as follows

sequenceDiagram
    participant Phone
    participant Kratos
    participant OIDC as OIDC Provider
    Phone->>+Kratos: Initialize API registration flow
    Kratos-->>-Phone: Return flow incl. UI/OIDC Nodes
    Phone->>+OIDC: Request id_token
    OIDC-->>Phone: Obtains consent from user
    OIDC-->>-Phone: Returns id_token
    Phone->>+Kratos: updateRegistrationFlow w/ id_token
    Kratos->>Kratos: Creates identity from data in id_token using JSONNet mapper from config
    Kratos-->>-Phone: Returns session (if session hook is set)

Loading

[codecov]

Codecov Report

Merging #3176 (57849f7) into master (1180c05) will decrease coverage by 0.43%.
The diff coverage is 63.60%.

❗ Current head 57849f7 differs from pull request most recent head d51ba70. Consider uploading reports for the commit d51ba70 to get more accurate results

@@            Coverage Diff             @@
##           master    #3176      +/-   ##
==========================================
- Coverage   77.95%   77.52%   -0.43%     
==========================================
  Files         320      319       -1     
  Lines       20428    20336      -92     
==========================================
- Hits        15924    15766     -158     
- Misses       3301     3354      +53     
- Partials     1203     1216      +13     

Impacted Files	Coverage Δ
selfservice/strategy/oidc/provider.go	100.00% <ø> (ø)
selfservice/strategy/oidc/provider_config.go	31.37% <ø> (ø)
selfservice/strategy/oidc/provider_google.go	93.33% <ø> (ø)
selfservice/strategy/oidc/provider_netid.go	75.00% <ø> (ø)
selfservice/strategy/oidc/strategy.go	67.09% <ø> (+3.38%)	⬆️
selfservice/flow/registration/error.go	55.55% <19.23%> (-15.22%)	⬇️
selfservice/strategy/oidc/strategy_settings.go	62.45% <50.00%> (-0.65%)	⬇️
selfservice/flow/flow.go	76.47% <60.00%> (-23.53%)	⬇️
selfservice/strategy/oidc/strategy_registration.go	62.28% <60.00%> (-2.81%)	⬇️
selfservice/flow/login/hook.go	85.71% <66.66%> (-2.53%)	⬇️
... and 8 more

... and 18 files with indirect coverage changes

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[hperl]

From a security perspective, any client can become a WebView by adding the correct return_to parameter, even a malicious JS script.

[hperl]

Sending the session token in the clear degrades security, especially when the IsWebViewFlow can be faked by using the webview return_to parameter when creating the flow.

[hperl]

What are the security implications when we get the ID token from the user instead of the OIDC provider?

[aeneasr]

If I recall correctly, that should be fine. The ID token will be validated on our end and we will check both issuer and, more importantly, audience. By checking audience, we ensure that the ID token was issued on our behalf, and not someone elses behalf. That way we avoid the vulnerability that could be caused by instead accepting access tokens as proof of authentication, as access tokens don't have an audience and they could have been issued for any app.

Still, this allows a eve to trick adam into using eve's ID token. Would be good to know how others deal with that?

[jonas-jonas]

Superseded by #3216