Merge remote-tracking branch 'origin/master' into hperl/improve-batch…

…-patch-identities-error-messages
ory · Sep 16, 2024 · afd8d6a · afd8d6a
2 parents 9484feb + 3215792
commit afd8d6a
Show file tree

Hide file tree

Showing 10 changed files with 521 additions and 200 deletions.
diff --git a/embedx/config.schema.json b/embedx/config.schema.json
@@ -567,6 +567,13 @@
           "enum": ["id_token", "userinfo"],
           "default": "id_token",
           "examples": ["id_token", "userinfo"]
+        },
+        "pkce": {
+          "title": "Proof Key for Code Exchange",
+          "description": "PKCE controls if the OpenID Connect OAuth2 flow should use PKCE (Proof Key for Code Exchange). IMPORTANT: If you set this to `force`, you must whitelist a different return URL for your OAuth2 client in the provider's configuration. Instead of <base-url>/self-service/methods/oidc/callback/<provider>, you must use <base-url>/self-service/methods/oidc/callback",
+          "type": "string",
+          "enum": ["auto", "never", "force"],
+          "default": "auto"
         }
       },
       "additionalProperties": false,

diff --git a/go.mod b/go.mod
@@ -256,7 +256,7 @@ require (
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
-	github.com/opencontainers/runc v1.1.13 // indirect
+	github.com/opencontainers/runc v1.1.14 // indirect
 	github.com/openzipkin/zipkin-go v0.4.2 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.2 // indirect

diff --git a/go.sum b/go.sum
@@ -618,8 +618,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
-github.com/opencontainers/runc v1.1.13 h1:98S2srgG9vw0zWcDpFMn5TRrh8kLxa/5OFUstuUhmRs=
-github.com/opencontainers/runc v1.1.13/go.mod h1:R016aXacfp/gwQBYw2FDGa9m+n6atbLWrYY8hNMT/sA=
+github.com/opencontainers/runc v1.1.14 h1:rgSuzbmgz5DUJjeSnw337TxDbRuqjs6iqQck/2weR6w=
+github.com/opencontainers/runc v1.1.14/go.mod h1:E4C2z+7BxR7GHXp0hAY53mek+x49X1LjPNeMTfRGvOA=
 github.com/openzipkin/zipkin-go v0.4.2 h1:zjqfqHjUpPmB3c1GlCvvgsM1G4LkvqQbBDueDOCg/jA=
 github.com/openzipkin/zipkin-go v0.4.2/go.mod h1:ZeVkFjuuBiSy13y8vpSDCjMi9GoI3hPpCJSBx/EYFhY=
 github.com/ory/analytics-go/v5 v5.0.1 h1:LX8T5B9FN8KZXOtxgN+R3I4THRRVB6+28IKgKBpXmAM=

diff --git a/identity/.snapshots/TestSchemaExtensionCredentials-case=12.json b/identity/.snapshots/TestSchemaExtensionCredentials-case=12.json
@@ -0,0 +1,22 @@
+{
+  "type": "code",
+  "config": {
+    "addresses": [
+      {
+        "channel": "sms",
+        "address": "+4917667111638"
+      },
+      {
+        "channel": "email",
+        "address": "[email protected]"
+      },
+      {
+        "channel": "email",
+        "address": "[email protected]"
+      }
+    ]
+  },
+  "version": 0,
+  "created_at": "0001-01-01T00:00:00Z",
+  "updated_at": "0001-01-01T00:00:00Z"
+}
diff --git a/identity/extension_credentials.go b/identity/extension_credentials.go
@@ -22,9 +22,10 @@ import (
 )
 
 type SchemaExtensionCredentials struct {
-	i *Identity
-	v map[CredentialsType][]string
-	l sync.Mutex
+	i         *Identity
+	v         map[CredentialsType][]string
+	addresses []CredentialsCodeAddress
+	l         sync.Mutex
 }
 
 func NewSchemaExtensionCredentials(i *Identity) *SchemaExtensionCredentials {
@@ -79,17 +80,7 @@ func (r *SchemaExtensionCredentials) Run(ctx jsonschema.ValidationContext, s sch
 		})
 
 		var conf CredentialsCode
-		if len(cred.Config) > 0 {
-			// Only decode the config if it is not empty.
-			if err := json.Unmarshal(cred.Config, &conf); err != nil {
-				return &jsonschema.ValidationError{Message: "unable to unmarshal identity credentials"}
-			}
-		}
-
-		if conf.Addresses == nil {
-			conf.Addresses = []CredentialsCodeAddress{}
-		}
-
+		conf.Addresses = r.addresses
 		value, err := x.NormalizeIdentifier(fmt.Sprintf("%s", value), string(via))
 		if err != nil {
 			return &jsonschema.ValidationError{Message: err.Error()}
@@ -120,6 +111,7 @@ func (r *SchemaExtensionCredentials) Run(ctx jsonschema.ValidationContext, s sch
 				return item.Address
 			})...,
 		))
+		r.addresses = conf.Addresses
 
 		cred.Identifiers = r.v[CredentialsTypeCodeAuth]
 		cred.Config, err = json.Marshal(conf)

diff --git a/identity/extension_credentials_test.go b/identity/extension_credentials_test.go
@@ -9,6 +9,8 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/ory/x/sqlxx"
+
 	"github.com/ory/x/snapshotx"
 
 	"github.com/ory/jsonschema/v3"
@@ -25,103 +27,117 @@ var ctx = context.Background()
 
 func TestSchemaExtensionCredentials(t *testing.T) {
 	for k, tc := range []struct {
-		expectErr error
-		schema    string
-		doc       string
-		expect    []string
-		existing  *identity.Credentials
-		ct        identity.CredentialsType
+		expectErr           error
+		schema              string
+		doc                 string
+		expectedIdentifiers []string
+		existing            *identity.Credentials
+		ct                  identity.CredentialsType
 	}{
 		{
-			doc:    `{"email":"[email protected]"}`,
-			schema: "file://./stub/extension/credentials/schema.json",
-			expect: []string{"[email protected]"},
-			ct:     identity.CredentialsTypePassword,
+			doc:                 `{"email":"[email protected]"}`,
+			schema:              "file://./stub/extension/credentials/schema.json",
+			expectedIdentifiers: []string{"[email protected]"},
+			ct:                  identity.CredentialsTypePassword,
 		},
 		{
-			doc:    `{"emails":["[email protected]","[email protected]","[email protected]"], "username": "foobar"}`,
-			schema: "file://./stub/extension/credentials/multi.schema.json",
-			expect: []string{"[email protected]", "[email protected]", "foobar"},
-			ct:     identity.CredentialsTypePassword,
+			doc:                 `{"emails":["[email protected]","[email protected]","[email protected]"], "username": "foobar"}`,
+			schema:              "file://./stub/extension/credentials/multi.schema.json",
+			expectedIdentifiers: []string{"[email protected]", "[email protected]", "foobar"},
+			ct:                  identity.CredentialsTypePassword,
 		},
 		{
-			doc:    `{"emails":["[email protected]","[email protected]","[email protected]"], "username": "foobar"}`,
-			schema: "file://./stub/extension/credentials/multi.schema.json",
-			expect: []string{"[email protected]", "[email protected]"},
-			ct:     identity.CredentialsTypeWebAuthn,
+			doc:                 `{"emails":["[email protected]","[email protected]","[email protected]"], "username": "foobar"}`,
+			schema:              "file://./stub/extension/credentials/multi.schema.json",
+			expectedIdentifiers: []string{"[email protected]", "[email protected]"},
+			ct:                  identity.CredentialsTypeWebAuthn,
 		},
 		{
-			doc:    `{"emails":["[email protected]","[email protected]"], "username": "foobar"}`,
-			schema: "file://./stub/extension/credentials/multi.schema.json",
-			expect: []string{"[email protected]", "[email protected]", "foobar"},
+			doc:                 `{"emails":["[email protected]","[email protected]"], "username": "foobar"}`,
+			schema:              "file://./stub/extension/credentials/multi.schema.json",
+			expectedIdentifiers: []string{"[email protected]", "[email protected]", "foobar"},
 			existing: &identity.Credentials{
 				Identifiers: []string{"[email protected]"},
 			},
 			ct: identity.CredentialsTypePassword,
 		},
 		{
-			doc:    `{"email":"[email protected]"}`,
-			schema: "file://./stub/extension/credentials/webauthn.schema.json",
-			expect: []string{"[email protected]"},
-			ct:     identity.CredentialsTypeWebAuthn,
+			doc:                 `{"email":"[email protected]"}`,
+			schema:              "file://./stub/extension/credentials/webauthn.schema.json",
+			expectedIdentifiers: []string{"[email protected]"},
+			ct:                  identity.CredentialsTypeWebAuthn,
 		},
 		{
-			doc:    `{"email":"[email protected]"}`,
-			schema: "file://./stub/extension/credentials/webauthn.schema.json",
-			expect: []string{"[email protected]"},
+			doc:                 `{"email":"[email protected]"}`,
+			schema:              "file://./stub/extension/credentials/webauthn.schema.json",
+			expectedIdentifiers: []string{"[email protected]"},
 			existing: &identity.Credentials{
 				Identifiers: []string{"[email protected]"},
 			},
 			ct: identity.CredentialsTypeWebAuthn,
 		},
 		{
-			doc:    `{"email":"[email protected]"}`,
-			schema: "file://./stub/extension/credentials/code.schema.json",
-			expect: []string{"[email protected]"},
-			ct:     identity.CredentialsTypeCodeAuth,
+			doc:                 `{"email":"[email protected]"}`,
+			schema:              "file://./stub/extension/credentials/code.schema.json",
+			expectedIdentifiers: []string{"[email protected]"},
+			ct:                  identity.CredentialsTypeCodeAuth,
 		},
 		{
-			doc:    `{"email":"[email protected]"}`,
-			schema: "file://./stub/extension/credentials/code.schema.json",
-			expect: []string{"[email protected]"},
+			doc:                 `{"email":"[email protected]"}`,
+			schema:              "file://./stub/extension/credentials/code.schema.json",
+			expectedIdentifiers: []string{"[email protected]"},
 			existing: &identity.Credentials{
 				Identifiers: []string{"[email protected]"},
 			},
 			ct: identity.CredentialsTypeCodeAuth,
 		},
 		{
-			doc:    `{"email":"[email protected]"}`,
-			schema: "file://./stub/extension/credentials/code.schema.json",
-			expect: []string{"[email protected]"},
+			doc:                 `{"email":"[email protected]"}`,
+			schema:              "file://./stub/extension/credentials/code.schema.json",
+			expectedIdentifiers: []string{"[email protected]"},
 			existing: &identity.Credentials{
 				Identifiers: []string{"[email protected]", "[email protected]"},
+				Config:      sqlxx.JSONRawMessage(`{"addresses":[{"channel":"email","address":"[email protected]"}]}`),
 			},
 			ct: identity.CredentialsTypeCodeAuth,
 		},
 		{
-			doc:    `{"email":"[email protected]","phone":"+49 176 671 11 638"}`,
-			schema: "file://./stub/extension/credentials/code-phone-email.schema.json",
-			expect: []string{"+4917667111638", "[email protected]"},
+			doc:                 `{"email":"[email protected]","phone":"+49 176 671 11 638"}`,
+			schema:              "file://./stub/extension/credentials/code-phone-email.schema.json",
+			expectedIdentifiers: []string{"+4917667111638", "[email protected]"},
 			existing: &identity.Credentials{
 				Identifiers: []string{"[email protected]", "[email protected]"},
+				Config:      sqlxx.JSONRawMessage(`{"addresses":[{"channel":"email","address":"[email protected]"}]}`),
 			},
 			ct: identity.CredentialsTypeCodeAuth,
 		},
 		{
-			doc:    `{"email":"[email protected]","phone":"+49 176 671 11 638"}`,
-			schema: "file://./stub/extension/credentials/code-phone-email.schema.json",
-			expect: []string{"+4917667111638", "[email protected]"},
+			doc:                 `{"email":"[email protected]","phone":"+49 176 671 11 638"}`,
+			schema:              "file://./stub/extension/credentials/code-phone-email.schema.json",
+			expectedIdentifiers: []string{"+4917667111638", "[email protected]"},
 			existing: &identity.Credentials{
 				Identifiers: []string{"[email protected]", "[email protected]"},
+				Config:      sqlxx.JSONRawMessage(`{"addresses":[{"channel":"email","address":"[email protected]"}]}`),
+			},
+			ct: identity.CredentialsTypeCodeAuth,
+		},
+		{
+			doc:                 `{"email":"[email protected]","email2":"[email protected]","phone":"+49 176 671 11 638"}`,
+			schema:              "file://./stub/extension/credentials/code-phone-email.schema.json",
+			expectedIdentifiers: []string{"+4917667111638", "[email protected]"},
+			existing: &identity.Credentials{
+				Identifiers: []string{"[email protected]", "[email protected]"},
+				Config:      sqlxx.JSONRawMessage(`{"addresses":[{"channel":"email","address":"[email protected]"}]}`),
 			},
 			ct: identity.CredentialsTypeCodeAuth,
 		},
 		{
-			doc:    `{"email":"[email protected]","email2":"[email protected]","phone":"+49 176 671 11 638"}`,
-			schema: "file://./stub/extension/credentials/code-phone-email.schema.json",
-			expect: []string{"+4917667111638", "[email protected]"},
+			doc:                 `{"email":"[email protected]","email2":"FOO@ory.sh","email3":"bar@ory.sh","phone":"+49 176 671 11 638"}`,
+			schema:              "file://./stub/extension/credentials/code-phone-email.schema.json",
+			expectedIdentifiers: []string{"+4917667111638", "foo@ory.sh", "bar@ory.sh"},
 			existing: &identity.Credentials{
 				Identifiers: []string{"[email protected]", "[email protected]"},
+				Config:      sqlxx.JSONRawMessage(`{"addresses":[{"channel":"email","address":"[email protected]"}]}`),
 			},
 			ct: identity.CredentialsTypeCodeAuth,
 		},
@@ -148,7 +164,7 @@ func TestSchemaExtensionCredentials(t *testing.T) {
 
 			credentials, ok := i.GetCredentials(tc.ct)
 			require.True(t, ok)
-			assert.ElementsMatch(t, tc.expect, credentials.Identifiers)
+			assert.ElementsMatch(t, tc.expectedIdentifiers, credentials.Identifiers)
 			snapshotx.SnapshotT(t, credentials, snapshotx.ExceptPaths("identifiers"))
 		})
 	}

diff --git a/identity/stub/extension/credentials/code-phone-email.schema.json b/identity/stub/extension/credentials/code-phone-email.schema.json
@@ -37,6 +37,24 @@
         }
       }
     },
+    "email3": {
+      "type": "string",
+      "format": "email",
+      "ory.sh/kratos": {
+        "credentials": {
+          "password": {
+            "identifier": true
+          },
+          "webauthn": {
+            "identifier": true
+          },
+          "code": {
+            "identifier": true,
+            "via": "email"
+          }
+        }
+      }
+    },
     "phone": {
       "type": "string",
       "format": "tel",

diff --git a/selfservice/flow/verification/flow.go b/selfservice/flow/verification/flow.go
@@ -185,6 +185,7 @@ func NewPostHookFlow(conf *config.Config, exp time.Duration, csrf string, r *htt
 	if err != nil {
 		return nil, err
 	}
+	f.TransientPayload = original.GetTransientPayload()
 	requestURL, err := url.ParseRequestURI(original.GetRequestURL())
 	if err != nil {
 		requestURL = new(url.URL)