feat: custom client token ttl (#3206)

This change introduces a new endpoint that allows you to control how long client tokens last. Now you can configure the lifespan for each valid combination of Client, GrantType, and TokenType. See #3157 Co-authored-by: aeneasr <3372410+aeneasr@users.noreply.github.com> Co-authored-by: Andreas Bucksteeg <andreas@bucksteeg.de>
ory · Aug 1, 2022 · 1e68614 · 1e68614
1 parent 9b17887
commit 1e68614
Show file tree

Hide file tree

Showing 106 changed files with 9,320 additions and 4,225 deletions.
diff --git a/.schema/openapi/patches/oauth2.yaml b/.schema/openapi/patches/oauth2.yaml
@@ -6,3 +6,17 @@
   path: /components/schemas/acceptOAuth2ConsentRequestSession/properties/id_token/additionalProperties
 - op: remove
   path: /components/schemas/acceptOAuth2ConsentRequestSession/properties/id_token/type
+- op: replace
+  path: /components/schemas/nullDuration
+  value:
+    title: "Time duration"
+    description: "Specify a time duration in milliseconds, seconds, minutes, hours."
+    type: string
+    pattern: "^([0-9]+(ns|us|ms|s|m|h))*$"
+- op: replace
+  path: /components/schemas/NullDuration
+  value:
+    title: "Time duration"
+    description: "Specify a time duration in milliseconds, seconds, minutes, hours."
+    type: string
+    pattern: "^([0-9]+(ns|us|ms|s|m|h))*$"
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -714,16 +714,24 @@ autogen: pin v1.11.9-pre.0 release commit
 
 # [1.11.8](https://github.com/ory/hydra/compare/v1.11.7...v1.11.8) (2022-05-04)
 
-This release resolves issues in the log module, improves the SDK type definitions, and introduces new configuration options to HSM.
-
-
-
+This release resolves issues in the log module, improves the SDK type
+definitions, and introduces new configuration options to HSM.
 
 ## Breaking Changes
 
-This patch merges four SQL Tables into a new table, deleting the old tables in the process. The migrations in this patch are expected to be applied offline. Please be aware that *there are no down migrations*, and if something goes wrong, data loss is possible. Always back up your database before applying migrations. For more information, see [Hydra 2.x Migration Guide](https://tld/TODO-MIGRATION-GUIDE).
+This patch merges four SQL Tables into a new table, deleting the old tables in
+the process. The migrations in this patch are expected to be applied offline.
+Please be aware that _there are no down migrations_, and if something goes
+wrong, data loss is possible. Always back up your database before applying
+migrations. For more information, see
+[Hydra 2.x Migration Guide](https://tld/TODO-MIGRATION-GUIDE).
 
-Rows with NULL login_challenge in `hydra_oauth2_consent_request` and corresponding `hydra_oauth2_consent_request_handled` are deleted as a side effect of the merge migration. This is done with the assumption that only a very small number of sessions, issued by pre-1.0 Hydra, will be affected. Please contact us if this assumption doesn't apply or if the deletion adversely affects your deployment.
+Rows with NULL login_challenge in `hydra_oauth2_consent_request` and
+corresponding `hydra_oauth2_consent_request_handled` are deleted as a side
+effect of the merge migration. This is done with the assumption that only a very
+small number of sessions, issued by pre-1.0 Hydra, will be affected. Please
+contact us if this assumption doesn't apply or if the deletion adversely affects
+your deployment.
 
 ### Bug Fixes
 
@@ -1345,22 +1353,46 @@ Please note that the location of our Homebrew tap has changed for Ory Hydra from
 
 ### Features
 
-* Add EdDSA support ([#2782](https://github.com/ory/hydra/issues/2782)) ([2ea49da](https://github.com/ory/hydra/commit/2ea49daca624ede51fba604ddf1f2c5ded9c523a))
-* Add method to detect public keys without prefixing ([#2758](https://github.com/ory/hydra/issues/2758)) ([b12e70c](https://github.com/ory/hydra/commit/b12e70c9a08ad62490731f57b5bfcb52c64217f0)), closes [#2459](https://github.com/ory/hydra/issues/2459)
-* Include amr claim in ID token ([#2770](https://github.com/ory/hydra/issues/2770)) ([f701310](https://github.com/ory/hydra/commit/f701310a8b78eef1f0fb090509ae9385150e1424)), closes [#1756](https://github.com/ory/hydra/issues/1756)
-* Introduce cve scanning ([#2772](https://github.com/ory/hydra/issues/2772)) ([e5295c6](https://github.com/ory/hydra/commit/e5295c6bb7188978ba6310c049f33c47a407d7a7))
-* Making use of the updated instrumentedsql version ([#2713](https://github.com/ory/hydra/issues/2713)) ([0a9df15](https://github.com/ory/hydra/commit/0a9df1579bb3196134c8b3ede8f28977365518e3))
-* Refresh token hook to update claims ([#2649](https://github.com/ory/hydra/issues/2649)) ([1a7dcd1](https://github.com/ory/hydra/commit/1a7dcd1c464a9707237108a894f7b1d10f27c79a)), closes [#2570](https://github.com/ory/hydra/issues/2570):
-
-    This patch adds a new feature to Ory Hydra which allows the updating of access and ID tokens during the refresh flow. To set it up, use the `oauth2.refresh_token_hook` configuration to set up a HTTP(S) endpoint which receives a POST request when a refresh token is about to be issued.
-
-* Support updating keys in CLI ([#2460](https://github.com/ory/hydra/issues/2460)) ([e874f4f](https://github.com/ory/hydra/commit/e874f4f300012f363c0bdf685458d0c56c5a8477)), closes [#2436](https://github.com/ory/hydra/issues/2436)
+- Add EdDSA support ([#2782](https://github.com/ory/hydra/issues/2782))
+  ([2ea49da](https://github.com/ory/hydra/commit/2ea49daca624ede51fba604ddf1f2c5ded9c523a))
+- Add method to detect public keys without prefixing
+  ([#2758](https://github.com/ory/hydra/issues/2758))
+  ([b12e70c](https://github.com/ory/hydra/commit/b12e70c9a08ad62490731f57b5bfcb52c64217f0)),
+  closes [#2459](https://github.com/ory/hydra/issues/2459)
+- Include amr claim in ID token
+  ([#2770](https://github.com/ory/hydra/issues/2770))
+  ([f701310](https://github.com/ory/hydra/commit/f701310a8b78eef1f0fb090509ae9385150e1424)),
+  closes [#1756](https://github.com/ory/hydra/issues/1756)
+- Introduce cve scanning ([#2772](https://github.com/ory/hydra/issues/2772))
+  ([e5295c6](https://github.com/ory/hydra/commit/e5295c6bb7188978ba6310c049f33c47a407d7a7))
+- Making use of the updated instrumentedsql version
+  ([#2713](https://github.com/ory/hydra/issues/2713))
+  ([0a9df15](https://github.com/ory/hydra/commit/0a9df1579bb3196134c8b3ede8f28977365518e3))
+- Refresh token hook to update claims
+  ([#2649](https://github.com/ory/hydra/issues/2649))
+  ([1a7dcd1](https://github.com/ory/hydra/commit/1a7dcd1c464a9707237108a894f7b1d10f27c79a)),
+  closes [#2570](https://github.com/ory/hydra/issues/2570):
+
+  This patch adds a new feature to Ory Hydra which allows the updating of access
+  and ID tokens during the refresh flow. To set it up, use the
+  `oauth2.refresh_token_hook` configuration to set up a HTTP(S) endpoint which
+  receives a POST request when a refresh token is about to be issued.
+
+- Support updating keys in CLI
+  ([#2460](https://github.com/ory/hydra/issues/2460))
+  ([e874f4f](https://github.com/ory/hydra/commit/e874f4f300012f363c0bdf685458d0c56c5a8477)),
+  closes [#2436](https://github.com/ory/hydra/issues/2436)
 
 ### Dev Tools
 
-* Introduce the `hydra sql gen` command and a convenience Make target with autocompletion. The command reads migration templates from a source directory and produces migration files in a target directory. Its main function is to split a single source file into multiple files using split marks.
+- Introduce the `hydra sql gen` command and a convenience Make target with
+  autocompletion. The command reads migration templates from a source directory
+  and produces migration files in a target directory. Its main function is to
+  split a single source file into multiple files using split marks.
 
-* Introduce the `hack/db-diff.sh` command to generate database schema diffs at different commits. This script is used to view and review the impact of migrations on the database schema.
+- Introduce the `hack/db-diff.sh` command to generate database schema diffs at
+  different commits. This script is used to view and review the impact of
+  migrations on the database schema.
 
 # [1.10.6](https://github.com/ory/hydra/compare/v1.10.5...v1.10.6) (2021-08-28)
 

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -174,13 +174,12 @@ request, go through this checklist:
 1. Create a feature branch off of `master` so that changes do not get mixed up.
 1. [Rebase](http://git-scm.com/book/en/Git-Branching-Rebasing) your local
    changes against the `master` branch.
-1. Run the full project test suite with the `go test -tags sqlite,json1 ./...` (or
-   equivalent) command and confirm that it passes.
+1. Run the full project test suite with the `go test -tags sqlite,json1 ./...`
+   (or equivalent) command and confirm that it passes.
 1. Run `make format` if a `Makefile` is available, `gofmt -s` if the project is
    written in Go, `npm run format` if the project is written for NodeJS.
 1. Add a descriptive prefix to commits. This ensures a uniform commit history
-   and helps structure the changelog.
-   Please refer to this
+   and helps structure the changelog. Please refer to this
    [list of prefixes for Hydra](https://github.com/ory/hydra/blob/master/.github/semantic.yml)
    for an overview.
 1. Sign-up with CircleCI so that it has access to your repository with the

diff --git a/Makefile b/Makefile
@@ -17,7 +17,7 @@ define make-go-dependency
 endef
 
 .bin/golangci-lint: Makefile
-		curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh  | sh -s -- -b .bin v1.46.2
+		curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b .bin v1.46.2
 
 $(foreach dep, $(GO_DEPENDENCIES), $(eval $(call make-go-dependency, $(dep))))
 

diff --git a/README.md b/README.md
@@ -554,8 +554,8 @@ It is recommended to use the make file to run your tests using `make quicktest`
 
 **Please note**:
 
-All tests run against a sqlite in-memory database,
-thus it is required to use the `-tags sqlite,json1` build tag.
+All tests run against a sqlite in-memory database, thus it is required to use
+the `-tags sqlite,json1` build tag.
 
 Short tests run fairly quickly. You can either test all of the code at once:
 
@@ -690,10 +690,21 @@ docker compose -f quickstart.yml up # ....
 #### Add a new migration
 
 1. `mkdir persistence/sql/src/YYYYMMDD000001_migration_name/`
-2. Put the migration files into this directory, following the standard naming conventions. If you wish to execute different parts of a migration in separate transactions, add split marks (lines with the text `--split`) where desired. Why this might be necessary is explained in https://github.com/gobuffalo/fizz/issues/104.
-3. Run `make persistence/sql/migrations/<migration_id>` to generate migration fragments.
-4. If an update causes the migration to have fewer fragments than the number already generated, run `make persistence/sql/migrations/<migration_id>-clean`. This is equivalent to a `rm` command with the right parameters, but comes with better tab completion.
-5. Before committing generated migration fragments, run the above clean command and generate a fresh copy of migration fragments to make sure the `sql/src` and `sql/migrations` directories are consistent.
+2. Put the migration files into this directory, following the standard naming
+   conventions. If you wish to execute different parts of a migration in
+   separate transactions, add split marks (lines with the text `--split`) where
+   desired. Why this might be necessary is explained in
+   https://github.com/gobuffalo/fizz/issues/104.
+3. Run `make persistence/sql/migrations/<migration_id>` to generate migration
+   fragments.
+4. If an update causes the migration to have fewer fragments than the number
+   already generated, run
+   `make persistence/sql/migrations/<migration_id>-clean`. This is equivalent to
+   a `rm` command with the right parameters, but comes with better tab
+   completion.
+5. Before committing generated migration fragments, run the above clean command
+   and generate a fresh copy of migration fragments to make sure the `sql/src`
+   and `sql/migrations` directories are consistent.
 
 ## Libraries and third-party projects
 

diff --git a/...s/TestHandler-common-case=create_clients-case=1-description=basic_admin_registration.json b/...s/TestHandler-common-case=create_clients-case=1-description=basic_admin_registration.json
@@ -22,5 +22,17 @@
   "userinfo_signed_response_alg": "none",
   "metadata": {
     "foo": "bar"
-  }
+  },
+  "authorization_code_grant_access_token_lifespan": null,
+  "authorization_code_grant_id_token_lifespan": null,
+  "authorization_code_grant_refresh_token_lifespan": null,
+  "client_credentials_grant_access_token_lifespan": null,
+  "implicit_grant_access_token_lifespan": null,
+  "implicit_grant_id_token_lifespan": null,
+  "jwt_bearer_grant_access_token_lifespan": null,
+  "password_grant_access_token_lifespan": null,
+  "password_grant_refresh_token_lifespan": null,
+  "refresh_token_grant_id_token_lifespan": null,
+  "refresh_token_grant_access_token_lifespan": null,
+  "refresh_token_grant_refresh_token_lifespan": null
 }
diff --git a/...napshots/TestHandler-common-case=create_clients-case=7-description=empty_ID_succeeds.json b/...napshots/TestHandler-common-case=create_clients-case=7-description=empty_ID_succeeds.json
@@ -20,5 +20,17 @@
   "jwks": {},
   "token_endpoint_auth_method": "client_secret_basic",
   "userinfo_signed_response_alg": "none",
-  "metadata": {}
+  "metadata": {},
+  "authorization_code_grant_access_token_lifespan": null,
+  "authorization_code_grant_id_token_lifespan": null,
+  "authorization_code_grant_refresh_token_lifespan": null,
+  "client_credentials_grant_access_token_lifespan": null,
+  "implicit_grant_access_token_lifespan": null,
+  "implicit_grant_id_token_lifespan": null,
+  "jwt_bearer_grant_access_token_lifespan": null,
+  "password_grant_access_token_lifespan": null,
+  "password_grant_refresh_token_lifespan": null,
+  "refresh_token_grant_id_token_lifespan": null,
+  "refresh_token_grant_access_token_lifespan": null,
+  "refresh_token_grant_refresh_token_lifespan": null
 }
diff --git a/client/.snapshots/TestHandler-common-case=update_the_lifespans_of_an_OAuth2_client.json b/client/.snapshots/TestHandler-common-case=update_the_lifespans_of_an_OAuth2_client.json
@@ -1,7 +1,6 @@
 {
   "body": {
-    "client_id": "update-existing-client-lifespans",
-    "client_name": "",
+    "client_name": "update-existing-client-lifespans",
     "redirect_uris": [
       "http://localhost:3000/cb"
     ],

diff --git a/client/.snapshots/TestHandler-create_client_registration_tokens-case=2-dynamic=false.json b/client/.snapshots/TestHandler-create_client_registration_tokens-case=2-dynamic=false.json
@@ -16,5 +16,17 @@
   "client_secret_expires_at": 0,
   "subject_type": "",
   "jwks": {},
-  "metadata": {}
+  "metadata": {},
+  "authorization_code_grant_access_token_lifespan": null,
+  "authorization_code_grant_id_token_lifespan": null,
+  "authorization_code_grant_refresh_token_lifespan": null,
+  "client_credentials_grant_access_token_lifespan": null,
+  "implicit_grant_access_token_lifespan": null,
+  "implicit_grant_id_token_lifespan": null,
+  "jwt_bearer_grant_access_token_lifespan": null,
+  "password_grant_access_token_lifespan": null,
+  "password_grant_refresh_token_lifespan": null,
+  "refresh_token_grant_id_token_lifespan": null,
+  "refresh_token_grant_access_token_lifespan": null,
+  "refresh_token_grant_refresh_token_lifespan": null
 }
diff --git a/client/client.go b/client/client.go
@@ -408,7 +408,7 @@ func (c *Client) GetEffectiveLifespan(gt fosite.GrantType, tt fosite.TokenType,
 		} else if tt == fosite.IDToken && c.ImplicitGrantIDTokenLifespan.Valid {
 			cl = &c.ImplicitGrantIDTokenLifespan.Duration
 		}
-	} else if gt == fosite.GrantTypeJwtBearer {
+	} else if gt == fosite.GrantTypeJWTBearer {
 		if tt == fosite.AccessToken && c.JwtBearerGrantAccessTokenLifespan.Valid {
 			cl = &c.JwtBearerGrantAccessTokenLifespan.Duration
 		}