Merge branch 'master' into go-faker

CHANGELOG.md

@@ -5,11 +5,12 @@
 
 **Table of Contents**
 
-- [ (2023-10-30)](#2023-10-30)
+- [ (2023-11-08)](#2023-11-08)
   - [Breaking Changes](#breaking-changes)
     - [Bug Fixes](#bug-fixes)
     - [Documentation](#documentation)
     - [Features](#features)
+    - [Reverts](#reverts)
     - [Tests](#tests)
 - [1.0.0 (2023-07-12)](#100-2023-07-12)
   - [Bug Fixes](#bug-fixes-1)
@@ -44,7 +45,7 @@
     - [Code Refactoring](#code-refactoring-1)
     - [Documentation](#documentation-4)
     - [Features](#features-5)
-    - [Reverts](#reverts)
+    - [Reverts](#reverts-1)
     - [Tests](#tests-4)
     - [Unclassified](#unclassified-2)
 - [0.10.1 (2022-06-01)](#0101-2022-06-01)
@@ -113,7 +114,7 @@
     - [Code Refactoring](#code-refactoring-5)
     - [Documentation](#documentation-12)
     - [Features](#features-11)
-    - [Reverts](#reverts-1)
+    - [Reverts](#reverts-2)
     - [Tests](#tests-10)
     - [Unclassified](#unclassified-5)
 - [0.7.6-alpha.1 (2021-09-12)](#076-alpha1-2021-09-12)
@@ -313,7 +314,7 @@
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
-# [](https://github.com/ory/kratos/compare/v1.0.0...v) (2023-10-30)
+# [](https://github.com/ory/kratos/compare/v1.0.0...v) (2023-11-08)
 
 ## Breaking Changes
 
@@ -807,6 +808,19 @@ https://github.com/ory/kratos/pull/3480
 - Improve performance by computing password hashes while validating
   ([#3508](https://github.com/ory/kratos/issues/3508))
   ([a9786c5](https://github.com/ory/kratos/commit/a9786c599d09f61e2e07df5066ce94feb2d99bac))
+- Link oidc credentials when login
+  ([#3563](https://github.com/ory/kratos/issues/3563))
+  ([b784949](https://github.com/ory/kratos/commit/b784949d03b849d9d1d594977f75f5843b7b5da8)),
+  closes [#2727](https://github.com/ory/kratos/issues/2727)
+  [#3222](https://github.com/ory/kratos/issues/3222):
+
+  When user tries to login with OIDC for the first time but has already
+  registered before with email/password a credentials identifier conflict may be
+  detected by Kratos. In this case user needs to login with email/password first
+  and then link OIDC credentials on a settings screen. This PR simplifies UX and
+  allows user to link OIDC credentials to existing account right in the login
+  flow, without switching to settings flow.
+
 - Login with code on any credential type
   ([#3549](https://github.com/ory/kratos/issues/3549))
   ([ceed7d5](https://github.com/ory/kratos/commit/ceed7d5478c5cca894587698c57f676dda100b27)):
@@ -890,6 +904,14 @@ https://github.com/ory/kratos/pull/3480
 - Webhook analytic events
   ([9c8a25e](https://github.com/ory/kratos/commit/9c8a25eb0d3e06df182565d3d959d57e5dccfed8))
 
+### Reverts
+
+- Revert "chore: simplify courier code (#3603)"
+  ([7c54c9f](https://github.com/ory/kratos/commit/7c54c9f36c86142c8e071a5359c71cf6213a1a69)),
+  closes [#3603](https://github.com/ory/kratos/issues/3603):
+
+  This reverts commit 316cd4aacfe31efafa7d737a7c476e2c794e9c9b.
+
 ### Tests
 
 - **e2e:** Logout return_to ([#3418](https://github.com/ory/kratos/issues/3418))

cmd/clidoc/main.go

@@ -119,10 +119,13 @@ func init() {
 		"NewInfoLoginTOTPLabel":                                   text.NewInfoLoginTOTPLabel(),
 		"NewInfoLoginLookupLabel":                                 text.NewInfoLoginLookupLabel(),
 		"NewInfoLogin":                                            text.NewInfoLogin(),
+		"NewInfoLoginAndLink":                                     text.NewInfoLoginAndLink(),
+		"NewInfoLoginLinkMessage":                                 text.NewInfoLoginLinkMessage("{duplicteIdentifier}", "{provider}", "{newLoginUrl}"),
 		"NewInfoLoginTOTP":                                        text.NewInfoLoginTOTP(),
 		"NewInfoLoginLookup":                                      text.NewInfoLoginLookup(),
 		"NewInfoLoginVerify":                                      text.NewInfoLoginVerify(),
 		"NewInfoLoginWith":                                        text.NewInfoLoginWith("{provider}"),
+		"NewInfoLoginWithAndLink":                                 text.NewInfoLoginWithAndLink("{provider}"),
 		"NewErrorValidationLoginFlowExpired":                      text.NewErrorValidationLoginFlowExpired(aSecondAgo),
 		"NewErrorValidationLoginNoStrategyFound":                  text.NewErrorValidationLoginNoStrategyFound(),
 		"NewErrorValidationRegistrationNoStrategyFound":           text.NewErrorValidationRegistrationNoStrategyFound(),
@@ -144,6 +147,7 @@ func init() {
 		"NewErrorValidationRecoveryStateFailure":                  text.NewErrorValidationRecoveryStateFailure(),
 		"NewInfoNodeInputEmail":                                   text.NewInfoNodeInputEmail(),
 		"NewInfoNodeResendOTP":                                    text.NewInfoNodeResendOTP(),
+		"NewInfoNodeLoginAndLinkCredential":                       text.NewInfoNodeLoginAndLinkCredential(),
 		"NewInfoNodeLabelContinue":                                text.NewInfoNodeLabelContinue(),
 		"NewInfoSelfServiceSettingsRegisterWebAuthn":              text.NewInfoSelfServiceSettingsRegisterWebAuthn(),
 		"NewInfoLoginWebAuthnPasswordless":                        text.NewInfoLoginWebAuthnPasswordless(),
@@ -163,6 +167,7 @@ func init() {
 		"NewInfoSelfServiceLoginCode":                             text.NewInfoSelfServiceLoginCode(),
 		"NewErrorValidationRegistrationRetrySuccessful":           text.NewErrorValidationRegistrationRetrySuccessful(),
 		"NewInfoSelfServiceRegistrationRegisterCode":              text.NewInfoSelfServiceRegistrationRegisterCode(),
+		"NewErrorValidationLoginLinkedCredentialsDoNotMatch":      text.NewErrorValidationLoginLinkedCredentialsDoNotMatch(),
 	}
 }
 

identity/manager.go

@@ -110,12 +110,7 @@ func (m *Manager) Create(ctx context.Context, i *Identity, opts ...ManagerOption
 	return nil
 }
 
-func (m *Manager) findExistingAuthMethod(ctx context.Context, e error, i *Identity) (err error) {
-	if !m.r.Config().SelfServiceFlowRegistrationLoginHints(ctx) {
-		return &ErrDuplicateCredentials{error: e}
-	}
-	// First we try to find the conflict in the identifiers table. This is most likely to have a conflict.
-	var found *Identity
+func (m *Manager) ConflictingIdentity(ctx context.Context, i *Identity) (found *Identity, foundConflictAddress string, err error) {
 	for ct, cred := range i.Credentials {
 		for _, id := range cred.Identifiers {
 			found, _, err = m.r.PrivilegedIdentityPool().FindByCredentialsIdentifier(ctx, ct, id)
@@ -125,53 +120,65 @@ func (m *Manager) findExistingAuthMethod(ctx context.Context, e error, i *Identi
 
 			// FindByCredentialsIdentifier does not expand identity credentials.
 			if err = m.r.PrivilegedIdentityPool().HydrateIdentityAssociations(ctx, found, ExpandCredentials); err != nil {
-				return err
+				return nil, "", err
 			}
+
+			return found, id, nil
 		}
 	}
 
 	// If the conflict is not in the identifiers table, it is coming from the verifiable or recovery address.
-	var foundConflictAddress string
-	if found == nil {
-		for _, va := range i.VerifiableAddresses {
-			conflictingAddress, err := m.r.PrivilegedIdentityPool().FindVerifiableAddressByValue(ctx, va.Via, va.Value)
-			if errors.Is(err, sqlcon.ErrNoRows) {
-				continue
-			} else if err != nil {
-				return err
-			}
+	for _, va := range i.VerifiableAddresses {
+		conflictingAddress, err := m.r.PrivilegedIdentityPool().FindVerifiableAddressByValue(ctx, va.Via, va.Value)
+		if errors.Is(err, sqlcon.ErrNoRows) {
+			continue
+		} else if err != nil {
+			return nil, "", err
+		}
 
-			foundConflictAddress = conflictingAddress.Value
-			found, err = m.r.PrivilegedIdentityPool().GetIdentity(ctx, conflictingAddress.IdentityID, ExpandCredentials)
-			if err != nil {
-				return err
-			}
+		foundConflictAddress = conflictingAddress.Value
+		found, err = m.r.PrivilegedIdentityPool().GetIdentity(ctx, conflictingAddress.IdentityID, ExpandCredentials)
+		if err != nil {
+			return nil, "", err
 		}
+
+		return found, foundConflictAddress, nil
 	}
 
 	// Last option: check the recovery address
-	if found == nil {
-		for _, va := range i.RecoveryAddresses {
-			conflictingAddress, err := m.r.PrivilegedIdentityPool().FindRecoveryAddressByValue(ctx, va.Via, va.Value)
-			if errors.Is(err, sqlcon.ErrNoRows) {
-				continue
-			} else if err != nil {
-				return err
-			}
+	for _, va := range i.RecoveryAddresses {
+		conflictingAddress, err := m.r.PrivilegedIdentityPool().FindRecoveryAddressByValue(ctx, va.Via, va.Value)
+		if errors.Is(err, sqlcon.ErrNoRows) {
+			continue
+		} else if err != nil {
+			return nil, "", err
+		}
 
-			foundConflictAddress = conflictingAddress.Value
-			found, err = m.r.PrivilegedIdentityPool().GetIdentity(ctx, conflictingAddress.IdentityID, ExpandCredentials)
-			if err != nil {
-				return err
-			}
+		foundConflictAddress = conflictingAddress.Value
+		found, err = m.r.PrivilegedIdentityPool().GetIdentity(ctx, conflictingAddress.IdentityID, ExpandCredentials)
+		if err != nil {
+			return nil, "", err
 		}
+
+		return found, foundConflictAddress, nil
 	}
 
-	// Still not found? Return generic error.
-	if found == nil {
+	return nil, "", sqlcon.ErrNoRows
+}
+
+func (m *Manager) findExistingAuthMethod(ctx context.Context, e error, i *Identity) (err error) {
+	if !m.r.Config().SelfServiceFlowRegistrationLoginHints(ctx) {
 		return &ErrDuplicateCredentials{error: e}
 	}
 
+	found, foundConflictAddress, err := m.ConflictingIdentity(ctx, i)
+	if err != nil {
+		if errors.Is(err, sqlcon.ErrNoRows) {
+			return &ErrDuplicateCredentials{error: e}
+		}
+		return err
+	}
+
 	// We need to sort the credentials for the error message to be deterministic.
 	var creds []Credentials
 	for _, cred := range found.Credentials {

identity/manager_test.go

@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/ory/x/pointerx"
+	"github.com/ory/x/sqlcon"
 
 	"github.com/gofrs/uuid"
 
@@ -556,6 +557,68 @@ func TestManager(t *testing.T) {
 			checkExtensionFields(fromStore, "[email protected]")(t)
 		})
 	})
+
+	t.Run("method=ConflictingIdentity", func(t *testing.T) {
+		ctx := context.Background()
+
+		conflicOnIdentifier := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID)
+		conflicOnIdentifier.Traits = identity.Traits(`{"email":"[email protected]"}`)
+		require.NoError(t, reg.IdentityManager().Create(ctx, conflicOnIdentifier))
+
+		conflicOnVerifiableAddress := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID)
+		conflicOnVerifiableAddress.Traits = identity.Traits(`{"email":"[email protected]", "email_verify":"[email protected]"}`)
+		require.NoError(t, reg.IdentityManager().Create(ctx, conflicOnVerifiableAddress))
+
+		conflicOnRecoveryAddress := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID)
+		conflicOnRecoveryAddress.Traits = identity.Traits(`{"email":"[email protected]", "email_recovery":"[email protected]"}`)
+		require.NoError(t, reg.IdentityManager().Create(ctx, conflicOnRecoveryAddress))
+
+		t.Run("case=returns not found if no conflict", func(t *testing.T) {
+			found, foundConflictAddress, err := reg.IdentityManager().ConflictingIdentity(ctx, &identity.Identity{
+				Credentials: map[identity.CredentialsType]identity.Credentials{
+					identity.CredentialsTypePassword: {Identifiers: []string{"[email protected]"}},
+				},
+			})
+			assert.ErrorIs(t, err, sqlcon.ErrNoRows)
+			assert.Nil(t, found)
+			assert.Empty(t, foundConflictAddress)
+		})
+
+		t.Run("case=conflict on identifier", func(t *testing.T) {
+			found, foundConflictAddress, err := reg.IdentityManager().ConflictingIdentity(ctx, &identity.Identity{
+				Credentials: map[identity.CredentialsType]identity.Credentials{
+					identity.CredentialsTypePassword: {Identifiers: []string{"[email protected]"}},
+				},
+			})
+			require.NoError(t, err)
+			assert.Equal(t, conflicOnIdentifier.ID, found.ID)
+			assert.Equal(t, "[email protected]", foundConflictAddress)
+		})
+
+		t.Run("case=conflict on verifiable address", func(t *testing.T) {
+			found, foundConflictAddress, err := reg.IdentityManager().ConflictingIdentity(ctx, &identity.Identity{
+				VerifiableAddresses: []identity.VerifiableAddress{{
+					Value: "[email protected]",
+					Via:   "email",
+				}},
+			})
+			require.NoError(t, err)
+			assert.Equal(t, conflicOnVerifiableAddress.ID, found.ID)
+			assert.Equal(t, "[email protected]", foundConflictAddress)
+		})
+
+		t.Run("case=conflict on recovery address", func(t *testing.T) {
+			found, foundConflictAddress, err := reg.IdentityManager().ConflictingIdentity(ctx, &identity.Identity{
+				RecoveryAddresses: []identity.RecoveryAddress{{
+					Value: "[email protected]",
+					Via:   "email",
+				}},
+			})
+			require.NoError(t, err)
+			assert.Equal(t, conflicOnRecoveryAddress.ID, found.ID)
+			assert.Equal(t, "[email protected]", foundConflictAddress)
+		})
+	})
 }
 
 func TestManagerNoDefaultNamedSchema(t *testing.T) {

schema/errors.go

@@ -349,3 +349,13 @@ func NewLoginCodeInvalid() error {
 		Messages: new(text.Messages).Add(text.NewErrorValidationLoginCodeInvalidOrAlreadyUsed()),
 	})
 }
+
+func NewLinkedCredentialsDoNotMatch() error {
+	return errors.WithStack(&ValidationError{
+		ValidationError: &jsonschema.ValidationError{
+			Message:     `linked credentials do not match; please start a new flow`,
+			InstancePtr: "#/",
+		},
+		Messages: new(text.Messages).Add(text.NewErrorValidationLoginLinkedCredentialsDoNotMatch()),
+	})
+}

selfservice/flow/continue_with.go

@@ -17,9 +17,8 @@ type ContinueWith any
 // swagger:enum ContinueWithActionSetOrySessionToken
 type ContinueWithActionSetOrySessionToken string
 
-// #nosec G101 -- only a key constant
 const (
-	ContinueWithActionSetOrySessionTokenString ContinueWithActionSetOrySessionToken = "set_ory_session_token"
+	ContinueWithActionSetOrySessionTokenString ContinueWithActionSetOrySessionToken = "set_ory_session_token" // #nosec G101 -- only a key constant
 )
 
 var _ ContinueWith = new(ContinueWithSetOrySessionToken)

selfservice/flow/duplicate_credentials.go

@@ -0,0 +1,61 @@
+// Copyright © 2023 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
+package flow
+
+import (
+	"encoding/json"
+
+	"github.com/tidwall/gjson"
+	"github.com/tidwall/sjson"
+
+	"github.com/ory/kratos/identity"
+	"github.com/ory/x/sqlxx"
+)
+
+const internalContextDuplicateCredentialsPath = "registration_duplicate_credentials"
+
+type DuplicateCredentialsData struct {
+	CredentialsType     identity.CredentialsType
+	CredentialsConfig   sqlxx.JSONRawMessage
+	DuplicateIdentifier string
+}
+
+type InternalContexter interface {
+	EnsureInternalContext()
+	GetInternalContext() sqlxx.JSONRawMessage
+	SetInternalContext(sqlxx.JSONRawMessage)
+}
+
+// SetDuplicateCredentials sets the duplicate credentials data in the flow's internal context.
+func SetDuplicateCredentials(flow InternalContexter, creds DuplicateCredentialsData) error {
+	if flow.GetInternalContext() == nil {
+		flow.EnsureInternalContext()
+	}
+	bytes, err := sjson.SetBytes(
+		flow.GetInternalContext(),
+		internalContextDuplicateCredentialsPath,
+		creds,
+	)
+	if err != nil {
+		return err
+	}
+	flow.SetInternalContext(bytes)
+
+	return nil
+}
+
+// DuplicateCredentials returns the duplicate credentials data from the flow's internal context.
+func DuplicateCredentials(flow InternalContexter) (*DuplicateCredentialsData, error) {
+	if flow.GetInternalContext() == nil {
+		flow.EnsureInternalContext()
+	}
+	raw := gjson.GetBytes(flow.GetInternalContext(), internalContextDuplicateCredentialsPath)
+	if !raw.IsObject() {
+		return nil, nil
+	}
+	var creds DuplicateCredentialsData
+	err := json.Unmarshal([]byte(raw.Raw), &creds)
+
+	return &creds, err
+}

selfservice/flow/flow.go

@@ -8,15 +8,13 @@ import (
 	"net/http"
 	"net/url"
 
+	"github.com/gofrs/uuid"
 	"github.com/pkg/errors"
 
 	"github.com/ory/herodot"
 	"github.com/ory/kratos/driver/config"
 	"github.com/ory/kratos/ui/container"
 	"github.com/ory/kratos/x"
-
-	"github.com/gofrs/uuid"
-
 	"github.com/ory/x/urlx"
 )