nbycomp · fenech · May 14, 2024 · May 14, 2024
diff --git a/selfservice/flow/login/hook.go b/selfservice/flow/login/hook.go
@@ -22,6 +22,7 @@ import (
 	"github.com/ory/kratos/schema"
 	"github.com/ory/kratos/selfservice/flow"
 	"github.com/ory/kratos/selfservice/sessiontokenexchange"
+	"github.com/ory/kratos/selfservice/strategy/oidc/claims"
 	"github.com/ory/kratos/session"
 	"github.com/ory/kratos/ui/container"
 	"github.com/ory/kratos/ui/node"
@@ -36,7 +37,7 @@ type (
 	}
 
 	PostHookExecutor interface {
-		ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, a *Flow, s *session.Session) error
+		ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, a *Flow, s *session.Session, c *claims.Claims) error
 	}
 
 	HooksProvider interface {
@@ -66,6 +67,7 @@ type (
 	}
 	HookExecutor struct {
 		d executorDependencies
+		c *claims.Claims
 	}
 	HookExecutorProvider interface {
 		LoginHookExecutor() *HookExecutor
@@ -123,6 +125,14 @@ func (e *HookExecutor) handleLoginError(_ http.ResponseWriter, r *http.Request,
 	return flowError
 }
 
+type PostLoginHookOpt func(*HookExecutor)
+
+func WithClaims(c *claims.Claims) PostLoginHookOpt {
+	return func(h *HookExecutor) {
+		h.c = c
+	}
+}
+
 func (e *HookExecutor) PostLoginHook(
 	w http.ResponseWriter,
 	r *http.Request,
@@ -131,6 +141,7 @@ func (e *HookExecutor) PostLoginHook(
 	i *identity.Identity,
 	s *session.Session,
 	provider string,
+	opts ...PostLoginHookOpt,
 ) (err error) {
 	ctx := r.Context()
 	ctx, span := e.d.Tracer(ctx).Tracer().Start(ctx, "HookExecutor.PostLoginHook")
@@ -149,15 +160,15 @@ func (e *HookExecutor) PostLoginHook(
 		return err
 	}
 
-	c := e.d.Config()
+	cfg := e.d.Config()
 	// Verify the redirect URL before we do any other processing.
 	returnTo, err := redir.SecureRedirectTo(r,
-		c.SelfServiceBrowserDefaultReturnTo(ctx),
+		cfg.SelfServiceBrowserDefaultReturnTo(ctx),
 		redir.SecureRedirectReturnTo(f.ReturnTo),
 		redir.SecureRedirectUseSourceURL(f.RequestURL),
-		redir.SecureRedirectAllowURLs(c.SelfServiceBrowserAllowedReturnToDomains(ctx)),
-		redir.SecureRedirectAllowSelfServiceURLs(c.SelfPublicURL(ctx)),
-		redir.SecureRedirectOverrideDefaultReturnTo(c.SelfServiceFlowLoginReturnTo(ctx, f.Active.String())),
+		redir.SecureRedirectAllowURLs(cfg.SelfServiceBrowserAllowedReturnToDomains(ctx)),
+		redir.SecureRedirectAllowSelfServiceURLs(cfg.SelfPublicURL(ctx)),
+		redir.SecureRedirectOverrideDefaultReturnTo(cfg.SelfServiceFlowLoginReturnTo(ctx, f.Active.String())),
 	)
 	if err != nil {
 		return err
@@ -175,6 +186,10 @@ func (e *HookExecutor) PostLoginHook(
 	classified := s
 	s = s.Declassified()
 
+	for _, o := range opts {
+		o(e)
+	}
+
 	e.d.Logger().
 		WithRequest(r).
 		WithField("identity_id", i.ID).
@@ -185,7 +200,7 @@ func (e *HookExecutor) PostLoginHook(
 		return err
 	}
 	for k, executor := range hooks {
-		if err := executor.ExecuteLoginPostHook(w, r, g, f, s); err != nil {
+		if err := executor.ExecuteLoginPostHook(w, r, g, f, s, e.c); err != nil {
 			if errors.Is(err, ErrHookAbortFlow) {
 				e.d.Logger().
 					WithRequest(r).

diff --git a/selfservice/hook/error.go b/selfservice/hook/error.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/ory/kratos/selfservice/flow/recovery"
 	"github.com/ory/kratos/selfservice/flow/verification"
+	"github.com/ory/kratos/selfservice/strategy/oidc/claims"
 	"github.com/ory/kratos/ui/node"
 
 	"github.com/ory/kratos/identity"
@@ -64,7 +65,7 @@ func (e Error) ExecuteSettingsPostPersistHook(w http.ResponseWriter, r *http.Req
 	return e.err("ExecuteSettingsPostPersistHook", settings.ErrHookAbortFlow)
 }
 
-func (e Error) ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, a *login.Flow, s *session.Session) error {
+func (e Error) ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, a *login.Flow, s *session.Session, c *claims.Claims) error {
 	return e.err("ExecuteLoginPostHook", login.ErrHookAbortFlow)
 }
 

diff --git a/selfservice/hook/require_verified_address.go b/selfservice/hook/require_verified_address.go
@@ -9,6 +9,7 @@ import (
 	"github.com/ory/kratos/driver/config"
 	"github.com/ory/kratos/selfservice/flow"
 	"github.com/ory/kratos/selfservice/flow/verification"
+	"github.com/ory/kratos/selfservice/strategy/oidc/claims"
 	"github.com/ory/kratos/text"
 	"github.com/ory/kratos/x"
 	"github.com/ory/kratos/x/nosurfx"
@@ -50,7 +51,7 @@ func NewAddressVerifier(r addressVerifierDependencies) *AddressVerifier {
 	}
 }
 
-func (e *AddressVerifier) ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, _ node.UiNodeGroup, f *login.Flow, s *session.Session) (err error) {
+func (e *AddressVerifier) ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, _ node.UiNodeGroup, f *login.Flow, s *session.Session, _ *claims.Claims) (err error) {
 	ctx, span := e.r.Tracer(r.Context()).Tracer().Start(r.Context(), "selfservice.hook.Verifier.do")
 	r = r.WithContext(ctx)
 	defer otelx.End(span, &err)

diff --git a/selfservice/hook/require_verified_address_test.go b/selfservice/hook/require_verified_address_test.go
@@ -101,7 +101,7 @@ func TestAddressVerifier(t *testing.T) {
 							ID:       x.NewUUID(),
 							Identity: &identity.Identity{ID: x.NewUUID(), VerifiableAddresses: uc.verifiableAddresses},
 						}
-						err := verifier.ExecuteLoginPostHook(nil, httptest.NewRequest("GET", "http://example.com", nil), node.DefaultGroup, tc.flow, sessions)
+						err := verifier.ExecuteLoginPostHook(nil, httptest.NewRequest("GET", "http://example.com", nil), node.DefaultGroup, tc.flow, sessions, nil)
 						if tc.neverError || uc.expectedError == nil {
 							assert.NoError(t, err)
 						} else {
@@ -158,7 +158,7 @@ func TestAddressVerifier(t *testing.T) {
 			}
 
 			// Expect verification flow creation and ErrHookAbortFlow
-			err := verifier.ExecuteLoginPostHook(mockResponse, mockJSONReq, node.DefaultGroup, loginFlow, sessions)
+			err := verifier.ExecuteLoginPostHook(mockResponse, mockJSONReq, node.DefaultGroup, loginFlow, sessions, nil)
 			assert.ErrorIs(t, err, login.ErrHookAbortFlow)
 
 			// Verify response contains continueWith and ErrAddressNotVerified
@@ -216,7 +216,7 @@ func TestAddressVerifier(t *testing.T) {
 			}
 
 			// Expect verification flow creation and redirect
-			err := verifier.ExecuteLoginPostHook(mockResponse, mockBrowserReq, node.DefaultGroup, browserFlow, sessions)
+			err := verifier.ExecuteLoginPostHook(mockResponse, mockBrowserReq, node.DefaultGroup, browserFlow, sessions, nil)
 			assert.ErrorIs(t, err, login.ErrHookAbortFlow)
 
 			// Verify redirect occurred
@@ -254,7 +254,7 @@ func TestAddressVerifier(t *testing.T) {
 				Identity: identity,
 			}
 
-			err := verifier.ExecuteLoginPostHook(nil, mockRequest, node.DefaultGroup, verifiedFlow, sessions)
+			err := verifier.ExecuteLoginPostHook(nil, mockRequest, node.DefaultGroup, verifiedFlow, sessions, nil)
 			assert.NoError(t, err)
 		})
 
@@ -279,7 +279,7 @@ func TestAddressVerifier(t *testing.T) {
 				Identity: identity,
 			}
 
-			err := verifier.ExecuteLoginPostHook(nil, mockRequest, node.DefaultGroup, noAddressFlow, sessions)
+			err := verifier.ExecuteLoginPostHook(nil, mockRequest, node.DefaultGroup, noAddressFlow, sessions, nil)
 			assert.ErrorIs(t, err, herodot.ErrMisconfiguration)
 		})
 	})

diff --git a/selfservice/hook/session_destroyer.go b/selfservice/hook/session_destroyer.go
@@ -11,14 +11,17 @@ import (
 	"github.com/ory/kratos/selfservice/flow/login"
 	"github.com/ory/kratos/selfservice/flow/recovery"
 	"github.com/ory/kratos/selfservice/flow/settings"
+	"github.com/ory/kratos/selfservice/strategy/oidc/claims"
 	"github.com/ory/kratos/session"
 	"github.com/ory/kratos/ui/node"
 	"github.com/ory/x/otelx"
 )
 
-var _ login.PostHookExecutor = new(SessionDestroyer)
-var _ recovery.PostHookExecutor = new(SessionDestroyer)
-var _ settings.PostHookPostPersistExecutor = new(SessionDestroyer)
+var (
+	_ login.PostHookExecutor               = new(SessionDestroyer)
+	_ recovery.PostHookExecutor            = new(SessionDestroyer)
+	_ settings.PostHookPostPersistExecutor = new(SessionDestroyer)
+)
 
 type (
 	sessionDestroyerDependencies interface {
@@ -34,7 +37,7 @@ func NewSessionDestroyer(r sessionDestroyerDependencies) *SessionDestroyer {
 	return &SessionDestroyer{r: r}
 }
 
-func (e *SessionDestroyer) ExecuteLoginPostHook(_ http.ResponseWriter, r *http.Request, _ node.UiNodeGroup, _ *login.Flow, s *session.Session) error {
+func (e *SessionDestroyer) ExecuteLoginPostHook(_ http.ResponseWriter, r *http.Request, _ node.UiNodeGroup, _ *login.Flow, s *session.Session, _ *claims.Claims) error {
 	return otelx.WithSpan(r.Context(), "selfservice.hook.SessionDestroyer.ExecuteLoginPostHook", func(ctx context.Context) error {
 		if _, err := e.r.SessionPersister().RevokeSessionsIdentityExcept(ctx, s.Identity.ID, s.ID); err != nil {
 			return err

diff --git a/selfservice/hook/session_destroyer_test.go b/selfservice/hook/session_destroyer_test.go
@@ -52,6 +52,7 @@ func TestSessionDestroyer(t *testing.T) {
 					node.DefaultGroup,
 					nil,
 					&session.Session{Identity: i},
+					nil,
 				)
 			},
 		},

diff --git a/selfservice/hook/show_verification_ui.go b/selfservice/hook/show_verification_ui.go
@@ -17,6 +17,7 @@ import (
 	"github.com/ory/kratos/selfservice/flow"
 	"github.com/ory/kratos/selfservice/flow/login"
 	"github.com/ory/kratos/selfservice/flow/registration"
+	"github.com/ory/kratos/selfservice/strategy/oidc/claims"
 	"github.com/ory/kratos/session"
 	"github.com/ory/kratos/ui/node"
 	"github.com/ory/kratos/x"
@@ -59,7 +60,7 @@ func (e *ShowVerificationUIHook) ExecutePostRegistrationPostPersistHook(_ http.R
 
 // ExecuteLoginPostHook adds redirect headers and status code if the request is a browser request.
 // If the request is not a browser request, this hook does nothing.
-func (e *ShowVerificationUIHook) ExecuteLoginPostHook(_ http.ResponseWriter, r *http.Request, _ node.UiNodeGroup, f *login.Flow, _ *session.Session) error {
+func (e *ShowVerificationUIHook) ExecuteLoginPostHook(_ http.ResponseWriter, r *http.Request, _ node.UiNodeGroup, f *login.Flow, _ *session.Session, _ *claims.Claims) error {
 	return e.execute(r, f)
 }
 

diff --git a/selfservice/hook/show_verification_ui_test.go b/selfservice/hook/show_verification_ui_test.go
@@ -85,7 +85,7 @@ func TestExecutePostRegistrationPostPersistHook(t *testing.T) {
 			browserRequest := httptest.NewRequest("GET", "/", nil)
 			f := &login.Flow{}
 			rec := httptest.NewRecorder()
-			require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", f, nil))
+			require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", f, nil, nil))
 			require.Equal(t, 200, rec.Code)
 		})
 
@@ -96,7 +96,7 @@ func TestExecutePostRegistrationPostPersistHook(t *testing.T) {
 			browserRequest.Header.Add("Accept", "application/json")
 			f := &login.Flow{}
 			rec := httptest.NewRecorder()
-			require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", f, nil))
+			require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", f, nil, nil))
 			require.Equal(t, 200, rec.Code)
 		})
 
@@ -113,7 +113,7 @@ func TestExecutePostRegistrationPostPersistHook(t *testing.T) {
 				flow.NewContinueWithVerificationUI(vf.ID, "some@ory.sh", ""),
 			}
 			rec := httptest.NewRecorder()
-			require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", rf, nil))
+			require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", rf, nil, nil))
 			assert.Equal(t, 200, rec.Code)
 			assert.Equal(t, "/verification?flow="+vf.ID.String(), rf.ReturnToVerification)
 		})
@@ -128,7 +128,7 @@ func TestExecutePostRegistrationPostPersistHook(t *testing.T) {
 				flow.NewContinueWithSetToken("token"),
 			}
 			rec := httptest.NewRecorder()
-			require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", rf, nil))
+			require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", rf, nil, nil))
 			assert.Equal(t, 200, rec.Code)
 		})
 	})
@@ -201,7 +201,7 @@ func TestExecutePostRegistrationPostPersistHook(t *testing.T) {
 			lf.InternalContext = internalContext
 
 			rec := httptest.NewRecorder()
-			require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", lf, nil))
+			require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", lf, nil, nil))
 			assert.Equal(t, 200, rec.Code)
 			assert.Equal(t, "/verification?flow="+vfID.String(), lf.ReturnToVerification)
 		})
@@ -220,7 +220,7 @@ func TestExecutePostRegistrationPostPersistHook(t *testing.T) {
 			lf.InternalContext = internalContext
 
 			rec := httptest.NewRecorder()
-			err = h.ExecuteLoginPostHook(rec, browserRequest, "", lf, nil)
+			err = h.ExecuteLoginPostHook(rec, browserRequest, "", lf, nil, nil)
 			require.Error(t, err)
 		})
 	})

diff --git a/selfservice/hook/stub/test_body.jsonnet b/selfservice/hook/stub/test_body.jsonnet
@@ -1,10 +1,14 @@
 function(ctx) std.prune({
   flow_id: ctx.flow.id,
-  identity_id: if std.objectHas(ctx, "identity") then ctx.identity.id,
-  session_id: if std.objectHas(ctx, "session") then ctx.session.id,
+  identity_id: if std.objectHas(ctx, 'identity') then ctx.identity.id,
+  session_id: if std.objectHas(ctx, 'session') then ctx.session.id,
   headers: ctx.request_headers,
   url: ctx.request_url,
   method: ctx.request_method,
   cookies: ctx.request_cookies,
-  transient_payload: if std.objectHas(ctx.flow, "transient_payload") then ctx.flow.transient_payload,
+  transient_payload: if std.objectHas(ctx.flow, 'transient_payload') then ctx.flow.transient_payload,
+  nickname: if std.objectHas(ctx, 'claims') then ctx.claims.nickname,
+  groups: if std.objectHas(ctx, 'claims') &&
+             std.objectHas(ctx.claims, 'raw_claims') &&
+             std.objectHas(ctx.claims.raw_claims, 'groups') then ctx.claims.raw_claims.groups,
 })
diff --git a/selfservice/hook/verification.go b/selfservice/hook/verification.go
@@ -21,6 +21,7 @@ import (
 	"github.com/ory/kratos/selfservice/flow/registration"
 	"github.com/ory/kratos/selfservice/flow/settings"
 	"github.com/ory/kratos/selfservice/flow/verification"
+	"github.com/ory/kratos/selfservice/strategy/oidc/claims"
 	"github.com/ory/kratos/session"
 	"github.com/ory/kratos/text"
 	"github.com/ory/kratos/ui/node"
@@ -72,7 +73,7 @@ func (e *Verifier) ExecuteSettingsPostPersistHook(w http.ResponseWriter, r *http
 	})
 }
 
-func (e *Verifier) ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, f *login.Flow, s *session.Session) (err error) {
+func (e *Verifier) ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, f *login.Flow, s *session.Session, c *claims.Claims) (err error) {
 	ctx, span := e.r.Tracer(r.Context()).Tracer().Start(r.Context(), "selfservice.hook.Verifier.ExecuteLoginPostHook")
 	r = r.WithContext(ctx)
 	defer otelx.End(span, &err)

diff --git a/selfservice/hook/verification_test.go b/selfservice/hook/verification_test.go
@@ -53,7 +53,7 @@ func TestVerifier(t *testing.T) {
 			name: "login",
 			execHook: func(h *hook.Verifier, i *identity.Identity, f flow.Flow) error {
 				return h.ExecuteLoginPostHook(
-					httptest.NewRecorder(), u, node.CodeGroup, f.(*login.Flow), &session.Session{ID: x.NewUUID(), Identity: i})
+					httptest.NewRecorder(), u, node.CodeGroup, f.(*login.Flow), &session.Session{ID: x.NewUUID(), Identity: i}, nil)
 			},
 			originalFlow: func() interface {
 				flow.InternalContexter
@@ -158,7 +158,7 @@ func TestVerifier(t *testing.T) {
 		h := hook.NewVerifier(reg)
 		i := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID)
 		f := &login.Flow{RequestedAAL: "aal2"}
-		require.NoError(t, h.ExecuteLoginPostHook(httptest.NewRecorder(), u, node.CodeGroup, f, &session.Session{ID: x.NewUUID(), Identity: i}))
+		require.NoError(t, h.ExecuteLoginPostHook(httptest.NewRecorder(), u, node.CodeGroup, f, &session.Session{ID: x.NewUUID(), Identity: i}, nil))
 
 		messages, err := reg.CourierPersister().NextMessages(context.Background(), 12)
 		require.EqualError(t, err, "queue is empty")

diff --git a/selfservice/hook/web_hook.go b/selfservice/hook/web_hook.go
@@ -34,6 +34,7 @@ import (
 	"github.com/ory/kratos/selfservice/flow/registration"
 	"github.com/ory/kratos/selfservice/flow/settings"
 	"github.com/ory/kratos/selfservice/flow/verification"
+	"github.com/ory/kratos/selfservice/strategy/oidc/claims"
 	"github.com/ory/kratos/session"
 	"github.com/ory/kratos/text"
 	"github.com/ory/kratos/ui/node"
@@ -85,6 +86,7 @@ type (
 		RequestCookies map[string]string  `json:"request_cookies"`
 		Identity       *identity.Identity `json:"identity,omitempty"`
 		Session        *session.Session   `json:"session,omitempty"`
+		Claims         *claims.Claims     `json:"claims,omitempty"`
 	}
 
 	WebHook struct {
@@ -135,7 +137,7 @@ func (e *WebHook) ExecuteLoginPreHook(_ http.ResponseWriter, req *http.Request,
 	})
 }
 
-func (e *WebHook) ExecuteLoginPostHook(_ http.ResponseWriter, req *http.Request, _ node.UiNodeGroup, flow *login.Flow, session *session.Session) error {
+func (e *WebHook) ExecuteLoginPostHook(_ http.ResponseWriter, req *http.Request, _ node.UiNodeGroup, flow *login.Flow, session *session.Session, claims *claims.Claims) error {
 	return otelx.WithSpan(req.Context(), "selfservice.hook.WebHook.ExecuteLoginPostHook", func(ctx context.Context) error {
 		return e.execute(ctx, &templateContext{
 			Flow:           flow,
@@ -145,6 +147,7 @@ func (e *WebHook) ExecuteLoginPostHook(_ http.ResponseWriter, req *http.Request,
 			RequestCookies: cookies(req),
 			Identity:       session.Identity,
 			Session:        session,
+			Claims:         claims,
 		})
 	})
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -52,6 +52,7 @@ func TestSessionDestroyer(t *testing.T) { @@
     					node.DefaultGroup,
     					nil,
     					&session.Session{Identity: i},
+    					nil,
     				)
     			},
     		},
@@ Expand Down @@