feat: oidc provider claims config option

[NickUfer]

Related issue

#735
@aeneasr

Proposed changes

Adds an option to oidc providers to request specific openid claims on an authorization request

Checklist

• I have read the contributing guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security. vulnerability, I
  confirm that I got green light (please contact
  security@ory.sh) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

[zepatrik]

Thanks for your contribution 😉
I think it would be better to have the requested_claims as a JSON object. Is there some way to validate them further or are they proprietary?

[NickUfer]

Thanks for your contribution
I think it would be better to have the requested_claims as a JSON object. Is there some way to validate them further or are they proprietary?

The spec defines that on the top level can only be a userinfo and / or id_token JSON object. Once inside userinfo or id_token the keys are pretty much proprietary but the values are constrained. The values could be:

• null
• another JSON object with the keys:
  • essential which indicates if this claim is, well, essential to the requester. Value can only be a boolean.
  • value which indicates that the value in the id_token or the userinfo endpoint for this field must have that exact value
  • or values which is the same as value but only with multiple values

Example claims request:

  {
   "userinfo":
    {
     "given_name": {"essential": true},
     "nickname": null,
     "email": {"essential": true},
     "email_verified": {"essential": true},
     "picture": null,
     "http://example.info/claims/groups": null
    },
   "id_token":
    {
     "auth_time": {"essential": true},
     "acr": {"values": ["urn:mace:incommon:iap:silver"] }
    }
  }

If it is possible to define this in the schema without concrete key names then this should be possible.

[zepatrik]

Right, JSON schema can get a bit complicated. Here is my take:

{
      "additionalProperties": false,
      "patternProperties": {
        "^userinfo$|^id_token$": {
          "type": "object",
          "additionalProperties": false,
          "patternProperties": {
            ".*": {
              "oneOf": [
                {
                  "const": null,
                  "description": "Indicates that this Claim is being requested in the default manner"
                },
                {
                  "allOf": [
                    {
                      "propertyNames": {
                        "$comment": "This is to implement 'additionalProperties: false'",
                        "enum": [
                          "essential",
                          "value",
                          "values"
                        ]
                      }
                    },
                    {
                      "properties": {
                        "essential": {
                          "description": "Indicates whether the Claim being requested is an Essential Claim",
                          "type": "boolean"
                        }
                      }
                    },
                    {
                      "$comment": "Although not required by the spec, it makes no sense to allow both at the same time",
                      "oneOf": [
                        {
                          "properties": {
                            "value": {
                              "description": "Requests that the Claim be returned with a particular value",
                              "$comment": "There seem to be no constrains on value"
                            }
                          }
                        },
                        {
                          "properties": {
                            "values": {
                              "description": "Requests that the Claim be returned with one of a set of values, with the values appearing in order of preference",
                              "type": "array",
                              "items": {
                                "$comment": "There seem to be no constrains on individual items"
                              }
                            }
                          }
                        }
                      ]
                    }
                  ]
                }
              ]
            }
          }
        }
      }
    }

Maybe you can check if it works as expected by adding schema tests for it 😉
Have a look in test/schema and define above schema under the definition key. If you need help with that, let me know.
And maybe you can also improve the descriptions/add titles? I just copied the spec which is not super understandable.
Thanks a lot 😉

[zepatrik]

When #757 is merged and you rebase, there should also be no timeout any more in the CI

[zepatrik]

When everything passes, this looks good to me 👍

[NickUfer]

I will quickly merge this PR from @zepatrik then I would be ready to merge too

[aeneasr]

Awesome 🎉

Thank you for your contribution!