consent: Add ability to share data from login to consent request (ory…

…#1353)

Closes ory#1003

Signed-off-by: aeneasr <[email protected]>

Makefile

@@ -64,11 +64,13 @@ sdk:
 		GO111MODULE=off swagger generate spec -m -o ./docs/api.swagger.json
 		GO111MODULE=off swagger validate ./docs/api.swagger.json
 
-		rm -rf ./sdk/go/hydra/*
+		rm -rf ./sdk/go/hydra
 		rm -rf ./sdk/js/swagger
 		rm -rf ./sdk/php/swagger
 		rm -rf ./sdk/java
 
+		mkdir ./sdk/go/hydra
+
 		GO111MODULE=off swagger generate client -f ./docs/api.swagger.json -t sdk/go/hydra -A Ory_Hydra
 		java -jar scripts/swagger-codegen-cli-2.2.3.jar generate -i ./docs/api.swagger.json -l javascript -o ./sdk/js/swagger
 		java -jar scripts/swagger-codegen-cli-2.2.3.jar generate -i ./docs/api.swagger.json -l php -o sdk/php/ \

consent/doc.go

@@ -66,7 +66,7 @@ type swaggerAcceptAuthenticationRequest struct {
 	Challenge string `json:"challenge"`
 
 	// in: body
-	Body HandledAuthenticationRequest
+	Body HandledLoginRequest
 }
 
 // swagger:parameters acceptConsentRequest

consent/handler.go

@@ -294,7 +294,7 @@ func (h *Handler) GetLoginRequest(w http.ResponseWriter, r *http.Request, ps htt
 func (h *Handler) AcceptLoginRequest(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	challenge := r.URL.Query().Get("challenge")
 
-	var p HandledAuthenticationRequest
+	var p HandledLoginRequest
 	d := json.NewDecoder(r.Body)
 	d.DisallowUnknownFields()
 	if err := d.Decode(&p); err != nil {
@@ -387,7 +387,7 @@ func (h *Handler) RejectLoginRequest(w http.ResponseWriter, r *http.Request, ps
 		return
 	}
 
-	request, err := h.r.ConsentManager().HandleAuthenticationRequest(r.Context(), challenge, &HandledAuthenticationRequest{
+	request, err := h.r.ConsentManager().HandleAuthenticationRequest(r.Context(), challenge, &HandledLoginRequest{
 		Error:       &p,
 		Challenge:   challenge,
 		RequestedAt: ar.RequestedAt,

consent/handler_test.go

@@ -115,7 +115,7 @@ func TestGetLoginRequest(t *testing.T) {
 			reg := internal.NewRegistry(conf)
 
 			if tc.exists {
-				require.NoError(t, reg.ConsentManager().CreateAuthenticationRequest(context.TODO(), &AuthenticationRequest{
+				require.NoError(t, reg.ConsentManager().CreateAuthenticationRequest(context.TODO(), &LoginRequest{
 					Client:     &client.Client{ClientID: "client" + key},
 					Challenge:  challenge,
 					WasHandled: tc.handled,

consent/manager.go

@@ -45,10 +45,10 @@ type Manager interface {
 	DeleteAuthenticationSession(ctx context.Context, id string) error
 	RevokeUserAuthenticationSession(ctx context.Context, user string) error
 
-	CreateAuthenticationRequest(ctx context.Context, req *AuthenticationRequest) error
-	GetAuthenticationRequest(ctx context.Context, challenge string) (*AuthenticationRequest, error)
-	HandleAuthenticationRequest(ctx context.Context, challenge string, r *HandledAuthenticationRequest) (*AuthenticationRequest, error)
-	VerifyAndInvalidateAuthenticationRequest(ctx context.Context, verifier string) (*HandledAuthenticationRequest, error)
+	CreateAuthenticationRequest(ctx context.Context, req *LoginRequest) error
+	GetAuthenticationRequest(ctx context.Context, challenge string) (*LoginRequest, error)
+	HandleAuthenticationRequest(ctx context.Context, challenge string, r *HandledLoginRequest) (*LoginRequest, error)
+	VerifyAndInvalidateAuthenticationRequest(ctx context.Context, verifier string) (*HandledLoginRequest, error)
 
 	CreateForcedObfuscatedAuthenticationSession(ctx context.Context, session *ForcedObfuscatedAuthenticationSession) error
 	GetForcedObfuscatedAuthenticationSession(ctx context.Context, client, obfuscated string) (*ForcedObfuscatedAuthenticationSession, error)

consent/manager_memory.go

@@ -35,8 +35,8 @@ import (
 type MemoryManager struct {
 	consentRequests        map[string]ConsentRequest
 	handledConsentRequests map[string]HandledConsentRequest
-	authRequests           map[string]AuthenticationRequest
-	handledAuthRequests    map[string]HandledAuthenticationRequest
+	authRequests           map[string]LoginRequest
+	handledAuthRequests    map[string]HandledLoginRequest
 	authSessions           map[string]AuthenticationSession
 	pairwise               []ForcedObfuscatedAuthenticationSession
 	m                      map[string]*sync.RWMutex
@@ -47,8 +47,8 @@ func NewMemoryManager(r InternalRegistry) *MemoryManager {
 	return &MemoryManager{
 		consentRequests:        map[string]ConsentRequest{},
 		handledConsentRequests: map[string]HandledConsentRequest{},
-		authRequests:           map[string]AuthenticationRequest{},
-		handledAuthRequests:    map[string]HandledAuthenticationRequest{},
+		authRequests:           map[string]LoginRequest{},
+		handledAuthRequests:    map[string]HandledLoginRequest{},
 		authSessions:           map[string]AuthenticationSession{},
 		pairwise:               []ForcedObfuscatedAuthenticationSession{},
 		r:                      r,
@@ -318,7 +318,7 @@ func (m *MemoryManager) DeleteAuthenticationSession(ctx context.Context, id stri
 	return nil
 }
 
-func (m *MemoryManager) CreateAuthenticationRequest(ctx context.Context, a *AuthenticationRequest) error {
+func (m *MemoryManager) CreateAuthenticationRequest(ctx context.Context, a *LoginRequest) error {
 	m.m["authRequests"].Lock()
 	defer m.m["authRequests"].Unlock()
 	if _, ok := m.authRequests[a.Challenge]; ok {
@@ -328,7 +328,7 @@ func (m *MemoryManager) CreateAuthenticationRequest(ctx context.Context, a *Auth
 	return nil
 }
 
-func (m *MemoryManager) GetAuthenticationRequest(ctx context.Context, challenge string) (*AuthenticationRequest, error) {
+func (m *MemoryManager) GetAuthenticationRequest(ctx context.Context, challenge string) (*LoginRequest, error) {
 	m.m["authRequests"].RLock()
 	defer m.m["authRequests"].RUnlock()
 
@@ -346,14 +346,14 @@ func (m *MemoryManager) GetAuthenticationRequest(ctx context.Context, challenge
 	return &c, nil
 }
 
-func (m *MemoryManager) HandleAuthenticationRequest(ctx context.Context, challenge string, r *HandledAuthenticationRequest) (*AuthenticationRequest, error) {
+func (m *MemoryManager) HandleAuthenticationRequest(ctx context.Context, challenge string, r *HandledLoginRequest) (*LoginRequest, error) {
 	m.m["handledAuthRequests"].Lock()
 	m.handledAuthRequests[r.Challenge] = *r
 	m.m["handledAuthRequests"].Unlock()
 	return m.GetAuthenticationRequest(ctx, challenge)
 }
 
-func (m *MemoryManager) VerifyAndInvalidateAuthenticationRequest(ctx context.Context, verifier string) (*HandledAuthenticationRequest, error) {
+func (m *MemoryManager) VerifyAndInvalidateAuthenticationRequest(ctx context.Context, verifier string) (*HandledLoginRequest, error) {
 	for _, c := range m.authRequests {
 		if c.Verifier == verifier {
 			for _, h := range m.handledAuthRequests {
@@ -368,7 +368,7 @@ func (m *MemoryManager) VerifyAndInvalidateAuthenticationRequest(ctx context.Con
 					}
 
 					c.Client.ClientID = c.Client.GetID()
-					h.AuthenticationRequest = &c
+					h.LoginRequest = &c
 					return &h, nil
 				}
 			}

consent/manager_sql.go

@@ -237,7 +237,7 @@ func (m *SQLManager) GetConsentRequest(ctx context.Context, challenge string) (*
 	return d.toConsentRequest(c)
 }
 
-func (m *SQLManager) CreateAuthenticationRequest(ctx context.Context, c *AuthenticationRequest) error {
+func (m *SQLManager) CreateAuthenticationRequest(ctx context.Context, c *LoginRequest) error {
 	d, err := newSQLAuthenticationRequest(c)
 	if err != nil {
 		return err
@@ -254,7 +254,7 @@ func (m *SQLManager) CreateAuthenticationRequest(ctx context.Context, c *Authent
 	return nil
 }
 
-func (m *SQLManager) GetAuthenticationRequest(ctx context.Context, challenge string) (*AuthenticationRequest, error) {
+func (m *SQLManager) GetAuthenticationRequest(ctx context.Context, challenge string) (*LoginRequest, error) {
 	var d sqlAuthenticationRequest
 	err := m.DB.GetContext(ctx, &d, m.DB.Rebind("SELECT r.*, COALESCE(hr.was_used, false) as was_handled FROM hydra_oauth2_authentication_request r "+
 		"LEFT JOIN hydra_oauth2_authentication_request_handled hr ON r.challenge = hr.challenge WHERE r.challenge=?"), challenge)
@@ -335,8 +335,8 @@ func (m *SQLManager) VerifyAndInvalidateConsentRequest(ctx context.Context, veri
 	return d.toHandledConsentRequest(r)
 }
 
-func (m *SQLManager) HandleAuthenticationRequest(ctx context.Context, challenge string, r *HandledAuthenticationRequest) (*AuthenticationRequest, error) {
-	d, err := newSQLHandledAuthenticationRequest(r)
+func (m *SQLManager) HandleAuthenticationRequest(ctx context.Context, challenge string, r *HandledLoginRequest) (*LoginRequest, error) {
+	d, err := newSQLHandledLoginRequest(r)
 	if err != nil {
 		return nil, err
 	}
@@ -352,8 +352,8 @@ func (m *SQLManager) HandleAuthenticationRequest(ctx context.Context, challenge
 	return m.GetAuthenticationRequest(ctx, challenge)
 }
 
-func (m *SQLManager) VerifyAndInvalidateAuthenticationRequest(ctx context.Context, verifier string) (*HandledAuthenticationRequest, error) {
-	var d sqlHandledAuthenticationRequest
+func (m *SQLManager) VerifyAndInvalidateAuthenticationRequest(ctx context.Context, verifier string) (*HandledLoginRequest, error) {
+	var d sqlHandledLoginRequest
 	var challenge string
 
 	// This can be solved more elegantly with a join statement, but it works for now
@@ -379,7 +379,7 @@ func (m *SQLManager) VerifyAndInvalidateAuthenticationRequest(ctx context.Contex
 		return nil, err
 	}
 
-	return d.toHandledAuthenticationRequest(r)
+	return d.toHandledLoginRequest(r)
 }
 
 func (m *SQLManager) GetAuthenticationSession(ctx context.Context, id string) (*AuthenticationSession, error) {

consent/manager_test_helpers.go

@@ -57,6 +57,7 @@ func MockConsentRequest(key string, remember bool, rememberFor int, hasError boo
 		ACR:                    "1",
 		AuthenticatedAt:        time.Now().UTC().Add(-time.Hour),
 		RequestedAt:            time.Now().UTC().Add(-time.Hour),
+		Context:                map[string]interface{}{"foo": "bar" + key},
 	}
 
 	var err *RequestDeniedError
@@ -91,8 +92,8 @@ func MockConsentRequest(key string, remember bool, rememberFor int, hasError boo
 	return c, h
 }
 
-func MockAuthRequest(key string, authAt bool) (c *AuthenticationRequest, h *HandledAuthenticationRequest) {
-	c = &AuthenticationRequest{
+func MockAuthRequest(key string, authAt bool) (c *LoginRequest, h *HandledLoginRequest) {
+	c = &LoginRequest{
 		OpenIDConnectContext: &OpenIDConnectContext{
 			ACRValues: []string{"1" + key, "2" + key},
 			UILocales: []string{"fr" + key, "de" + key},
@@ -123,8 +124,8 @@ func MockAuthRequest(key string, authAt bool) (c *AuthenticationRequest, h *Hand
 		time.Now().UTC().Add(-time.Minute)
 	}
 
-	h = &HandledAuthenticationRequest{
-		AuthenticationRequest:  c,
+	h = &HandledLoginRequest{
+		LoginRequest:           c,
 		RememberFor:            120,
 		Remember:               true,
 		Challenge:              "challenge" + key,
@@ -152,7 +153,7 @@ func ManagerTests(m Manager, clientManager client.Manager, fositeManager x.Fosit
 					Subject:         fmt.Sprintf("subject-%s", k),
 				}))
 
-				require.NoError(t, m.CreateAuthenticationRequest(context.TODO(), &AuthenticationRequest{
+				require.NoError(t, m.CreateAuthenticationRequest(context.TODO(), &LoginRequest{
 					Challenge:       fmt.Sprintf("fk-login-challenge-%s", k),
 					Verifier:        fmt.Sprintf("fk-login-verifier-%s", k),
 					Client:          &client.Client{ClientID: fmt.Sprintf("fk-client-%s", k)},
@@ -247,7 +248,7 @@ func ManagerTests(m Manager, clientManager client.Manager, fositeManager x.Fosit
 
 					got2, err := m.VerifyAndInvalidateAuthenticationRequest(context.TODO(), "verifier"+tc.key)
 					require.NoError(t, err)
-					compareAuthenticationRequest(t, c, got2.AuthenticationRequest)
+					compareAuthenticationRequest(t, c, got2.LoginRequest)
 					assert.Equal(t, c.Challenge, got2.Challenge)
 
 					_, err = m.VerifyAndInvalidateAuthenticationRequest(context.TODO(), "verifier"+tc.key)
@@ -533,7 +534,7 @@ func ManagerTests(m Manager, clientManager client.Manager, fositeManager x.Fosit
 	}
 }
 
-func compareAuthenticationRequest(t *testing.T, a, b *AuthenticationRequest) {
+func compareAuthenticationRequest(t *testing.T, a, b *LoginRequest) {
 	assert.EqualValues(t, a.Client.GetID(), b.Client.GetID())
 	assert.EqualValues(t, a.Challenge, b.Challenge)
 	assert.EqualValues(t, *a.OpenIDConnectContext, *b.OpenIDConnectContext)

consent/migrations/sql/mysql/8.sql

@@ -0,0 +1,13 @@
+-- +migrate Up
+ALTER TABLE hydra_oauth2_authentication_request_handled ADD context TEXT NULL;
+ALTER TABLE hydra_oauth2_consent_request ADD context TEXT NULL;
+
+UPDATE hydra_oauth2_authentication_request_handled SET context='{}';
+UPDATE hydra_oauth2_consent_request SET context='{}';
+
+ALTER TABLE hydra_oauth2_authentication_request_handled MODIFY context TEXT NOT NULL;
+ALTER TABLE hydra_oauth2_consent_request MODIFY context TEXT NOT NULL;
+
+-- +migrate Down
+ALTER TABLE hydra_oauth2_authentication_request_handled DROP COLUMN context;
+ALTER TABLE hydra_oauth2_consent_request DROP COLUMN context;

consent/migrations/sql/postgres/8.sql

@@ -0,0 +1,7 @@
+-- +migrate Up
+ALTER TABLE hydra_oauth2_authentication_request_handled ADD context TEXT NOT NULL DEFAULT '{}';
+ALTER TABLE hydra_oauth2_consent_request ADD context TEXT NOT NULL DEFAULT '{}';
+
+-- +migrate Down
+ALTER TABLE hydra_oauth2_authentication_request_handled DROP COLUMN context;
+ALTER TABLE hydra_oauth2_consent_request DROP COLUMN context;

consent/migrations/sql/tests/8_test.sql

@@ -0,0 +1,36 @@
+-- +migrate Up
+INSERT INTO hydra_client (id, allowed_cors_origins, client_name, client_secret, redirect_uris, grant_types, response_types, scope, owner, policy_uri, tos_uri, client_uri, logo_uri, contacts, client_secret_expires_at, sector_identifier_uri, jwks, jwks_uri, token_endpoint_auth_method, request_uris, request_object_signing_alg, userinfo_signed_response_alg, subject_type, audience)
+VALUES
+  ('8-client', 'http://localhost|http://google', 'some-client', 'abcdef', 'http://localhost|http://google', 'authorize_code|implicit', 'token|id_token', 'foo|bar', 'aeneas', 'http://policy', 'http://tos', 'http://client', 'http://logo', 'aeneas|foo', 0, 'http://sector', '{"keys": []}', 'http://jwks', 'none', 'http://uri1|http://uri2', 'rs256', 'rs526', 'public', 'https://www.ory.sh/api');
+
+INSERT INTO
+	hydra_oauth2_authentication_session (id, authenticated_at, subject)
+VALUES
+	('8-login-session-id', NOW(), '8-sub');
+
+INSERT INTO
+	hydra_oauth2_authentication_request (challenge, verifier, client_id, subject, request_url, skip, requested_scope, csrf, authenticated_at, requested_at, oidc_context, login_session_id, requested_at_audience)
+VALUES
+	('8-challenge', '8-verifier', '8-client', '8-subject', '8-redirect', false, '8-scope', '8-csrf', NOW(), NOW(), '{}', '8-login-session-id', '8-aud');
+
+INSERT INTO
+	hydra_oauth2_consent_request (challenge, verifier, client_id, subject, request_url, skip, requested_scope, csrf, authenticated_at, requested_at, oidc_context, forced_subject_identifier, login_session_id, login_challenge, requested_at_audience, acr, context)
+VALUES
+	('8-challenge', '8-verifier', '8-client', '8-subject', '8-redirect', false, '8-scope', '8-csrf', NOW(), NOW(), '{}', '8-forced-sub', '8-login-session-id', '8-challenge', '8-aud', '8-acr', '{"foo":"bar"}');
+
+INSERT INTO
+	hydra_oauth2_consent_request_handled (challenge, granted_scope, remember, remember_for, error, requested_at, session_access_token, session_id_token, authenticated_at, was_used, granted_at_audience)
+VALUES
+	('8-challenge', '8-scope', true, 3600, '{}', NOW(), '{}', '{}', NOW(), false, '8-aud');
+
+INSERT INTO
+	hydra_oauth2_authentication_request_handled (challenge, subject, remember, remember_for, error, acr, requested_at, authenticated_at, was_used, forced_subject_identifier, context)
+VALUES
+	('8-challenge', '8-sub', true, 3600, '{}', '1', NOW(), NOW(), false, '8-forced-sub', '{"foo":"bar"}');
+
+INSERT INTO
+	hydra_oauth2_obfuscated_authentication_session (subject, client_id, subject_obfuscated)
+VALUES
+	('8-sub', '8-client', '8-obfuscated');
+
+-- +migrate Down

consent/sdk_test.go

@@ -129,7 +129,7 @@ func TestSDK(t *testing.T) {
 	assert.Equal(t, 0, len(csGot.Payload))
 }
 
-func compareSDKLoginRequest(t *testing.T, expected *AuthenticationRequest, got models.AuthenticationRequest) {
+func compareSDKLoginRequest(t *testing.T, expected *LoginRequest, got models.LoginRequest) {
 	assert.EqualValues(t, expected.Challenge, got.Challenge)
 	assert.EqualValues(t, expected.Subject, got.Subject)
 	assert.EqualValues(t, expected.Skip, got.Skip)