feat: Token refresh hook #2649
Conversation
2325f95 to 653cead
This is looking great, I think a few more tests and a bit of config changes and we can merge this! Sorry for the late review :)
t.Skip()
}

hs := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
Could you please add tests:
- Where the server responds with a non-ok status code
- Where the server responds with malformed (e.g. empty / unset / incorrect) payloads
Thank you :)
Added more tests.
@aeneasr Thanks for the comments, I will update the PR this week.
653cead to 4a4779a
Updated PR. Some tests seem flaky.
Codecov Report

@@            Coverage Diff             @@
##           master    #2649      +/-   ##
==========================================
+ Coverage   52.68%   52.80%   +0.12%
==========================================
  Files         234      235       +1
  Lines       14040    14113      +73
==========================================
+ Hits         7397     7453      +56
- Misses       6016     6029      +13
- Partials      627      631       +4
@aeneasr Please review when you've got time, don't want to leave this hanging.
Awesome, thank you! 🎉
Apologies if this isn't the right place, but could this hook be extended to update consent/OIDC claims like ACR and AMR? This could support step-up or forced re-authn. For example, a user logs in with basic credentials and the identity provider's initial flow grants an If the RefreshHookResponse included these "non-Extra" fields, we could strengthen or modify the authenticator assurance level of the token's session. These fields are already delegated to the identity provider and taken at face value by Hydra.
@alee792 Yeah, makes sense to me, will figure out how to plug it in in spare time and see how it works. I am just not sure if it is not confusing to the consumer if the ID Token. I would probably allow setting ACR, but not AMR, as AMR actually tells you the original method of authentication used. We should either append new AMRs or pass original AMRs in hook request so you handle the merge. You will also probably need a Ideally your authentication always goes through identity provider through auth code grant or you use some custom grant for that instead of such adhoc scheme.
Good point on AMR. I'm skimming through RFC8176 and this seems to be their overarching guidance:
With this in mind, we may want to just keep it as malleable as possible. It's a bit contrived, but imagine there's a forced re-authn event where the user authenticates with an entirely different set of factors. The original factors lose significance and it could be unnecessary to keep them. As the RFC suggests, that meaning is up to the CSP and RP to decide.
Your last point makes sense as well. If the IDP is maintaining its own cookie-based session, the RP could just go through the auth code grant for step-up or reauthn. It's a bit more chatty going through the entire flow again, but there's less risk of skew.
@svrakitin I just noticed that this feature was released in v1.10.7. I'm trying to understand -- does this hook get called also on the initial flow, when the caller gets the access token for the first time? If not, is there already a way to customize access token claims with hooks during the initial flow?
@kszafran You pass initial claims when you accept consent request. Hook is only triggered on refresh. |
- oauth2.refresh_token_hook to configure an endpoint which will be called during refresh_token grant to retrieve updated token claims. Hook will be noop if not configured.
- AccessRequestHook interface and RefreshTokenHook implementation.

Related issue(s)
#2570
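The behaviour described in this PR (an endpoint called during the refresh_token grant to fetch updated claims, a no-op when not configured) together with the non-OK-status and malformed-payload tests requested in review, as an added example that is not the PR's or Hydra's code. The request/response field names, the 1 MiB response cap, the 5 s timeout and the fixed-response test server are assumptions made for this illustration; the sample claim values are constructed.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// Wire format assumed for this example (not Hydra's actual schema): the server posts the
// grant context, the hook answers with the claims to embed in the refreshed tokens.
type RefreshHookRequest struct {
	Subject       string   `json:"subject"`
	ClientID      string   `json:"client_id"`
	GrantedScopes []string `json:"granted_scopes"`
}

type RefreshHookResponse struct {
	Session struct {
		AccessToken map[string]interface{} `json:"access_token"`
		IDToken     map[string]interface{} `json:"id_token"`
	} `json:"session"`
}

var (
	ErrHookRejected  = errors.New("refresh hook: endpoint returned non-2xx status")
	ErrHookMalformed = errors.New("refresh hook: malformed response")
	hookClient       = &http.Client{Timeout: 5 * time.Second} // never block the token endpoint forever
)

// RefreshTokenHook calls the configured endpoint; an empty URL makes it a no-op.
type RefreshTokenHook struct{ URL string }

// Execute returns (nil, nil) when nothing is configured, the decoded claims on success, and
// an error (which must fail the grant) for any non-2xx, empty, unparsable or claim-less reply.
func (h *RefreshTokenHook) Execute(ctx context.Context, req RefreshHookRequest) (*RefreshHookResponse, error) {
	if h.URL == "" {
		return nil, nil
	}
	body, err := json.Marshal(req)
	if err != nil {
		return nil, err
	}
	httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, h.URL, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	httpReq.Header.Set("Content-Type", "application/json")
	resp, err := hookClient.Do(httpReq)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return nil, fmt.Errorf("%w: %d", ErrHookRejected, resp.StatusCode)
	}
	var out RefreshHookResponse
	// Cap the body so a misbehaving hook cannot make the token endpoint buffer unbounded data.
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&out); err != nil {
		return nil, fmt.Errorf("%w: %v", ErrHookMalformed, err)
	}
	if out.Session.AccessToken == nil && out.Session.IDToken == nil {
		return nil, fmt.Errorf("%w: no session claims", ErrHookMalformed)
	}
	return &out, nil
}

// NewFixedHookServer is the test double the review asks for: it always answers with the
// given status and body, so the non-OK and malformed cases are one call each.
func NewFixedHookServer(status int, body string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(status)
		_, _ = w.Write([]byte(body))
	}))
}

// CallHook runs one scenario against a fixed server (request values are constructed).
func CallHook(status int, body string) (*RefreshHookResponse, error) {
	srv := NewFixedHookServer(status, body)
	defer srv.Close()
	hook := &RefreshTokenHook{URL: srv.URL}
	return hook.Execute(context.Background(), RefreshHookRequest{
		Subject: "user-1", ClientID: "client-1", GrantedScopes: []string{"openid", "offline"},
	})
}

func main() {
	resp, err := CallHook(200, `{"session":{"access_token":{"role":"admin"}}}`)
	fmt.Println(resp.Session.AccessToken["role"], err) // admin <nil>
	_, err = CallHook(500, `{}`)
	fmt.Println(errors.Is(err, ErrHookRejected)) // true
	_, err = CallHook(200, ``)
	fmt.Println(errors.Is(err, ErrHookMalformed)) // true
}
```

The design point is that every failure path returns an error rather than falling back to the old claims: a hook that is configured but unreachable, rejecting, or returning garbage must fail the refresh, otherwise a broken or tampered hook silently reissues tokens with stale authorization data. Only the unconfigured case is a genuine no-op.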
Further Comments
I added github.com/hashicorp/go-cleanhttp as a dependency, but I can avoid it if necessary.