New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add ability to allow token refresh from hook without overriding the session claims #3146
feat: add ability to allow token refresh from hook without overriding the session claims #3146
Conversation
Codecov Report
@@ Coverage Diff @@
## v2.x #3146 +/- ##
=======================================
Coverage ? 78.86%
=======================================
Files ? 113
Lines ? 8489
Branches ? 0
=======================================
Hits ? 6695
Misses ? 1398
Partials ? 396 Continue to review full report at Codecov.
|
… the session claims
bc9d317
to
f8eacb8
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome, thank you for your contribution! This looks pretty good and I have some ideas how to improve it further :)
oauth2/oauth2_auth_code_test.go
Outdated
@@ -969,21 +969,40 @@ func TestAuthCodeWithMockStrategy(t *testing.T) { | |||
}) | |||
|
|||
t.Run("should not override session data if token refresh hook returns no content", func(t *testing.T) { | |||
if strat.d != "jwt" { | |||
t.Skip() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This test would work for both JWT and opaque if you use:
accessTokenClaims := testhelpers.IntrospectToken(t, oauthConfig, &refreshedToken, ts)
82a919e#diff-6d883efffdabd9715dc9872121018df30a5843c81e25dc6c4af2c3edc13fb21cR957
The problem is that the JWT strategy works a bit different so we need to ensure this works as intended for both strategies :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, that's what I was missing. Thanks! Should be updated now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome, thank you! 🎉 Your contribution makes Ory better :)
The refresh token hook currently requires a 200 response code with an updated session payload. There is no way to permit the token refresh without overriding the session data. It's useful, however, to be able to use the token refresh hook in order to accept/reject token refreshes without the need to update the session data.
This adds the ability for the token refresh hook to return a
204 No Content
response code to indicate that the token refresh is permitted, but not to update the session data.The documentation has also been updated with PR ory/docs#863
Related issue(s)
#3082
Checklist
vulnerability, I confirm that I got green light (please contact security@ory.sh) from the
maintainers to push the changes.
Further Comments
In the future, the token refresh hook request payload could be expanded to include the existing session data and allow for the
sid
to be set on the refreshed id token as described in #3082, but this is a quick workaround that'll continue to be useful even if that is implemented.