Pass current session (access token extensions) to refresh token hook #3082
Comments
That makes total sense - PRs and contributions welcomed!
Hey @aeneasr, I can work on this and extend the payload of refresh token hook request.
Awesome! If you do, please make your changes against the v2.x branch :)
@aeneasr I wonder if such session data could be passed to login phase too? I want to build an OIDC broker and it would be handy to get the connector id to upstream IDP without
Hi all, I'm facing this after enabling the refresh hook. Hydra always throws to my users

I saw https://www.ory.sh/docs/hydra/cli/hydra-clients-create where it's specified:

but I'm not sure this is the right way of doing it since https://github.com/ory/hydra/blob/master/consent/strategy_default.go#L823-L826

I'm on

Thank you,
I investigated more about the refresh hook and I wanted to manually patch the sessionID into the refreshed tokens' claims... but there is no way since Hydra does not give me the initial loginChallenge ^^... Solutions from now:
cc @aeneasr
Hi, I'm just experiencing the same problem and I've decided to go with option

I've made a small change here: https://github.com/ory/hydra/blob/master/oauth2/hook.go#L122

Would be nice to have a proper solution as it seems like a bug - but I don't know which solution works best.
@kruczjak I saw yesterday it was fixed into
To avoid this, the workaround I made is to duplicate the structs properly:

```go
package hook

import (
	"time"

	"github.com/go-openapi/strfmt"
)

type IDTokenClaims struct {
	Acr      *string    `json:"acr,omitempty"`
	Amr      []string   `json:"amr,omitempty"`
	AtHash   *string    `json:"at_hash,omitempty"`
	Aud      []string   `json:"aud,omitempty"`
	AuthTime *time.Time `json:"auth_time,omitempty"`
	CHash    *string    `json:"c_hash,omitempty"`
	Exp      *time.Time `json:"exp,omitempty"`
	// Ext map[string]map[string]interface{} `json:"ext,omitempty"`
	Ext   map[string]interface{} `json:"ext,omitempty"`
	Iat   *time.Time             `json:"iat,omitempty"`
	Iss   *string                `json:"iss,omitempty"`
	Jti   *string                `json:"jti,omitempty"`
	Nonce *string                `json:"nonce,omitempty"`
	Rat   *time.Time             `json:"rat,omitempty"`
	Sub   *string                `json:"sub,omitempty"`
}

type Headers struct {
	// Extra map[string]map[string]interface{} `json:"extra,omitempty"`
	Extra map[string]interface{} `json:"extra,omitempty"`
}

type DefaultSession struct {
	ExpiresAt     map[string]strfmt.DateTime `json:"expires_at,omitempty"`
	Headers       *Headers                   `json:"headers,omitempty"`
	IDTokenClaims *IDTokenClaims             `json:"id_token_claims,omitempty"`
	Subject       string                     `json:"subject,omitempty"`
	Username      string                     `json:"username,omitempty"`
}

type Session struct {
	*DefaultSession       `json:"id_token"`
	Extra                 map[string]interface{} `json:"extra"`
	KID                   string                 `json:"kid"`
	ClientID              string                 `json:"client_id"`
	ConsentChallenge      string                 `json:"consent_challenge"`
	ExcludeNotBeforeClaim bool                   `json:"exclude_not_before_claim"`
	AllowedTopLevelClaims []string               `json:"allowed_top_level_claims"`
}

type Requester struct {
	ClientID        string   `json:"client_id"`
	GrantedScopes   []string `json:"granted_scopes"`
	GrantedAudience []string `json:"granted_audience"`
	GrantTypes      []string `json:"grant_types"`
}

type RefreshTokenHookRequest struct {
	Subject         string    `json:"subject"`
	Session         *Session  `json:"session"`
	Requester       Requester `json:"requester"`
	ClientID        string    `json:"client_id"`
	GrantedScopes   []string  `json:"granted_scopes"`
	GrantedAudience []string  `json:"granted_audience"`
}
```

In my hook I just added:

```go
// WORKAROUND: include `sid` manually because it is not passed otherwise
// Ref: https://github.com/ory/hydra/issues/3082#issuecomment-1190556162
// hookReq is the decoded hook.RefreshTokenHookRequest; claims is the id_token claims map being built.
// The nil checks guard the embedded *DefaultSession and IDTokenClaims, which may be absent.
if hookReq.Session != nil && hookReq.Session.DefaultSession != nil && hookReq.Session.IDTokenClaims != nil {
	previousClaims := hookReq.Session.IDTokenClaims
	if sid, ok := previousClaims.Ext["sid"]; ok {
		claims["sid"] = sid
	}
}
hookResp := hydra_oauth2.RefreshTokenHookResponse{
	Session: hydra_consent.ConsentRequestSessionData{
		IDToken: claims,
	},
}
```

Tested on my side and everything works then!
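The carry-over that the workaround above performs, written as a complete stand-alone hook endpoint so it can be run locally (added example, not code from the issue or from Ory Hydra). The request field names follow the structs posted above; the response shape `{"session":{"id_token":{...}}}` is assumed from the RefreshTokenHookResponse/ConsentRequestSessionData names the comment uses.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Request fields the hook needs; JSON path follows the structs posted above (session.id_token.id_token_claims.ext).
type hookRequest struct {
	Session *struct {
		IDToken *struct {
			IDTokenClaims *struct {
				Ext map[string]interface{} `json:"ext"`
			} `json:"id_token_claims"`
		} `json:"id_token"`
	} `json:"session"`
}

// carryOverSid copies the previous "sid" (if any) into the refreshed id_token claims; missing session data yields none.
func carryOverSid(req hookRequest) map[string]interface{} {
	claims := map[string]interface{}{}
	if s := req.Session; s != nil && s.IDToken != nil && s.IDToken.IDTokenClaims != nil {
		if sid, ok := s.IDToken.IDTokenClaims.Ext["sid"]; ok {
			claims["sid"] = sid
		}
	}
	return claims
}

// refreshHook decodes the payload and answers 200 with {"session":{"id_token":{...}}}; response shape assumed from the struct names above.
func refreshHook(w http.ResponseWriter, r *http.Request) {
	var req hookRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "bad payload", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(map[string]interface{}{"session": map[string]interface{}{"id_token": carryOverSid(req)}})
}

func main() {
	// Constructed payload for a local run; the sid is the value quoted in the issue.
	body := `{"session":{"id_token":{"id_token_claims":{"ext":{"sid":"14628d10-8c63-4c7f-8a9c-3e37318ce7d6"}}}}}`
	rec := httptest.NewRecorder()
	refreshHook(rec, httptest.NewRequest("POST", "/refresh-hook", strings.NewReader(body)))
	fmt.Println(rec.Code, rec.Body.String())
}
```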
Thank you for confirming the fix! Closing this :)
Preflight checklist
Describe your problem
I am adding custom session extensions to access token when accepting consent request:
And JWT token looks like this:
Normally when the token is refreshed, the "ext" field remains the same after each refresh, which is good: "sid" remains the same, which is what I want. However, when using the refresh token hook (a webhook which is called before token refresh to refresh claims, described here https://www.ory.sh/docs/hydra/guides/claims-at-refresh#webhook-configuration) there is no option to keep the "ext" field the same.
I could return extensions from refresh token webhook, but the problem is that previous extensions are not passed to the webhook payload which looks like this:
So it's not possible to set the same

{ "sid": "14628d10-8c63-4c7f-8a9c-3e37318ce7d6" }

extension.

Describe your ideal solution
Refresh token hook payload should contain previous session data / extensions:
This would allow returning exactly the same session data as in the "previous" access token (returned from the refresh token webhook).
Workarounds or alternatives
If the refresh token hook returned 204 No Content, Hydra would not override the session data (which is the default behaviour when the refresh token hook is not used at all).
Version
v1.10.7
Additional Context
No response