feat: add session and requester to refresh token webhook data

[sgal]

Related issue(s)

Feature: This patch adds session and requester data to the refresh webhook for session tracking by integrators. Fixes #3203.

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change introduces a new feature.
• I am following the contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security vulnerability.
  If this pull request addresses a security. vulnerability,
  I confirm that I got green light (please contact security@ory.sh) from the maintainers to push the changes.
• I have added tests that prove my fix is effective or that my feature works.
• I have added or changed the documentation. - see feat: add docs for session and requester fields in Hydra refresh webhook docs#932

Further Comments

Changes outside of hook.go are created by running make sdk.

[CLAassistant]

All committers have signed the CLA.

[aeneasr]

Epic :) I think we can send the whole session in the payload!

To ensure that the change has the desired effect, can you please add the appropriate assertions to the test case:

hydra/oauth2/oauth2_auth_code_test.go

Line 916 in ceada19

t.Run("should call refresh token hook if configured", func(t *testing.T) {

The documentation will also need to explain the new key, the appropriate document for that should be: https://github.com/ory/docs/blob/45a1f9268d693b164d169e16272a30327860c4e9/docs/hydra/guides/updating-claims-at-refresh.mdx

[sgal]

@aeneasr Is there a good approach to make Session into a JSON and Swagger-friendly representation? I tried to use it as is, but it generates a lot of new files for fosite.DefaultSession and IDTokenClaims to map them to Swagger. I feel like there should be a better way to do it, but not sure where to look for examples. Could you please point me in the right direction?
Same question for requester.

[aeneasr]

A common practice, if the types don't work in swagger, is to create a replacement / patch like here:

hydra/.schema/openapi/patches/oauth2.yaml

Lines 3 to 4 in c9be891

	- op: remove
	path: /components/schemas/consentRequestSession/properties/access_token/type

Basically, this will patch the given path in

https://github.com/ory/hydra/blob/master/spec/api.json

with the value you provide. This can be helpful in scenarios where go-swagger creates types that just aren't correct.

Regarding the files generated, that is fine and sometimes expected with OpenAPI generator - feel free to push your changes if you want me to take a look.

[codecov]

Codecov Report

Merging #3204 (0c50c15) into master (e66ba3c) will increase coverage by 0.04%.
The diff coverage is 100.00%.

❗ Current head 0c50c15 differs from pull request most recent head 6508ceb. Consider uploading reports for the commit 6508ceb to get more accurate results

@@            Coverage Diff             @@
##           master    #3204      +/-   ##
==========================================
+ Coverage   79.28%   79.32%   +0.04%     
==========================================
  Files         111      111              
  Lines        8077     8084       +7     
==========================================
+ Hits         6404     6413       +9     
+ Misses       1259     1258       -1     
+ Partials      414      413       -1     

Impacted Files	Coverage Δ
oauth2/session.go	89.74% <ø> (ø)
oauth2/hook.go	68.11% <100.00%> (+3.59%)	⬆️
persistence/sql/persister_oauth2.go	79.91% <0.00%> (+0.81%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us.

[aeneasr]

Great, this looks really good already! :)

Once finished, could you please also update the docs PR accordingly? Thank you!

[aeneasr]

If you use snapshotx. it will create a JSON file on the disk which makes the content a bit easier to read:

	snapshotx.SnapshotT(t, json.RawMessage("..."), snapshotx.ExceptPaths("...") )

To update snapshots set env var UPDATE_SNAPSHOTS=true

[sgal]

It looks like snapshotx.SnapshotT is not available in the version of snapshotx that hydra uses (0.0.368). Tried to bump to lastest - 0.0.450 - a lot of tests fail. So I used SnapshotTExcept.

Also, it generated 6 snapshots with the same content - probably because tests are run in parallel.

[sgal]

This is indeed tidier, thanks for pointing me into snapshotx!

[sgal]

Docs PR is also updated with the latest schema.

[vinckr]

Hello @sgal
Congrats on merging your first PR in Ory 🎉 !
Your contribution will soon be helping secure millions of identities around the globe 🌏.
As a small token of appreciation we send all our first time contributors a gift package to welcome them to the community.
Please drop me an email and I will forward you the form to claim your Ory swag!

[mih-kopylov]

Hey @aeneasr
I've reaslized that oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=2-description=should_pass_because_prompt=none_and_max_age_<_auth_time-should_call_refresh_token_hook_if_configured.json file, that is added in this pull request, breaks ability to checkout the repository on Windows OS.

Is there a chance to rename the files so that Windows contributors are not blocked?

[aeneasr]

Yes it’s already fixed on master!

[mih-kopylov]

Sorry @aeneasr, but these two files are still in master:

• https://github.com/ory/hydra/blob/master/oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy%3Djwt-case%3D2-description%3Dshould_pass_because_prompt%3Dnone_and_max_age_%3C_auth_time-should_call_refresh_token_hook_if_configured.json
• https://github.com/ory/hydra/blob/master/oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy%3Dopaque-case%3D2-description%3Dshould_pass_because_prompt%3Dnone_and_max_age_%3C_auth_time-should_call_refresh_token_hook_if_configured.json

Their names contain < symbol which is reserved in Windows

• TestAuthCodeWithMockStrategy-strategy=jwt-case=2-description=should_pass_because_prompt=none_and_max_age_<_auth_time-should_call_refresh_token_hook_if_configured.json
• TestAuthCodeWithMockStrategy-strategy=opaque-case=2-description=should_pass_because_prompt=none_and_max_age_<_auth_time-should_call_refresh_token_hook_if_configured.json

Am I missing anything?

[aeneasr]

Oh I see, then it's only fixed on the v2.x branch!

[mih-kopylov]

Is there a chance to get the changes backported to master?

[aeneasr]

Sure, can you maybe just cherry-pick the commit and make a PR?

[mih-kopylov]

Sure, will do.

[mih-kopylov]

@aeneasr #3229 here it is

[aeneasr]

👍